In March of 2004, members of the NTRCFL began a project to incorporate several concepts which are ultimately
aimed at the following goals:
Reducing Case Backlog
Streamlining Examinations
Standardizing Reports
This project involved several complex facets that had to be addressed in order to bring about the desired results. The first of these was the security audit for the FBI’s Review Net concept, which originated at the NTRCFL and has been approved for global application. This system allows investigators to review their evidence in a virtual environment from an on-site or remote location.
The first technology that had to be validated was the Storage Area Network (SAN) for forensic examinations. Special Agent Charles Mallery of the NTRCFL took on that project and has worked with vendors, technicians, security experts and examiners to custom design a concept that is fast becoming the state of the art in the large-scale computer forensic community.
Once that was completed, the ability to serve derivative evidence to investigators followed. Without being too technical or stepping on classification issues, it is simply the ability to access pre-processed evidence in an environment that is useful and could not possibly alter the evidence images.
The next step was to develop a forensic suite of tools that would give the investigator the ability to look at, sort, search, identify and create a report of useful information and evidentiary data. Several forensic software companies were approached, but only one stepped up to the plate and agreed to work with us on developing the concept. AccessData owner Eric Thompson agreed to work with the FBI and NTRCFL to modify the Forensic Toolkit (FTK) suite and add a module called “Case Agent”, where investigators could use the modified forensic suite to access and review the files on the subject computer(s) and yet not alter the integrity of the physical image that was copied by examiners. (Accomplished with the Review Net security issues and the forensic software code.)
Following the Review Net concept came the Forensic Report Project, which involved meeting with investigators and state/federal prosecutors to ascertain which files and items were necessary to separate from the entire image for certain types of cases. Once the items were identified, a review of the forensic capabilities of the various software suites used by the lab was performed.
The conclusion was to streamline the forensic report by performing only certain functions that would reveal both evidentiary and exculpatory items: registry reports, virus/trojan detection, intrusion detection, comparison file hashing, and the complete export of all relevant files into categories that would be readily identifiable and useful to the investigator. Other functions would be performed only if requested by the prosecutor or in furtherance of the investigation.
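The comparison-hashing and categorized-export steps in the paragraph above, as an added illustration that is not the lab's or AccessData's code: files pulled from an image are hashed, those matching a known-file hash set are dropped, the rest are grouped by an assumed category map with duplicates marked, and the image hash is re-verified after a review session. The sample files, the known-file hash set and the category mapping are constructed for the example.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample of files extracted from an evidence image: path -> content.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"OS-BINARY-PLACEHOLDER",
    "Users/js/Documents/ledger.xls": b"acct,amount\n1001,500\n",
    "Users/js/Documents/copy of ledger.xls": b"acct,amount\n1001,500\n",
    "Users/js/Pictures/IMG_0001.jpg": b"\xff\xd8\xff\xe0FAKEJPEG",
    "Users/js/Mail/inbox.pst": b"PST-PLACEHOLDER",
    "Users/js/notes.txt": b"meet at 9",
}
# Constructed known-file hash set: matching files are standard OS/application
# files and are dropped from the review set (comparison hashing).
KNOWN_FILE_HASHES = {hashlib.sha256(b"OS-BINARY-PLACEHOLDER").hexdigest()}
# Categories the export is sorted into (assumed mapping, not the lab's own).
CATEGORIES = {
    "documents": {".doc", ".xls", ".pdf", ".txt"},
    "images": {".jpg", ".png", ".gif"},
    "email": {".pst", ".ost", ".eml"},
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def categorize(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    for name, extensions in CATEGORIES.items():
        if ext in extensions:
            return name
    return "other"

def build_review_set(files, known_hashes):
    """Hash every file, drop known files, group the rest by category and
    mark duplicates (identical content already seen under another path)."""
    by_category = defaultdict(list)
    first_seen = {}
    for path, data in sorted(files.items()):
        digest = sha256_hex(data)
        if digest in known_hashes:
            continue  # known OS/application file: not exported for review
        by_category[categorize(path)].append(
            {"path": path, "sha256": digest, "duplicate_of": first_seen.get(digest)})
        first_seen.setdefault(digest, path)
    return dict(by_category)

def image_unchanged(acquisition_hash: str, image_bytes: bytes) -> bool:
    """Re-hash the image after a review session; a mismatch means it was altered."""
    return sha256_hex(image_bytes) == acquisition_hash
```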
As a final result, the NTRCFL should realize a 30% reduction in the backlog of certain types of cases, while standardizing reports because these cases are now examined in a standardized way. In the end, the NTRCFL will offer training to prosecutors and investigators within its service area on how to use the on-site Review Net and understand the forensic report. This project is in the final stages of completion as of June 9th.