Introduction

The ability of criminals and terrorists to maximise the opportunities offered by new technology is constantly evolving. Burying incriminating data within the increasing storage capacity of PCs and laptops presents the police and security forces with new and demanding challenges; challenges that are exacerbated by the very short space of time in which examinations of seized assets can take place.

Through experience gained delivering solutions across the UK Security & Resilience community, Andrew Nanson presents the Top 10 challenges that organisations are likely to face when implementing digital forensics solutions.

1. Storage

When each suspect can store over 10 terabytes of information on home equipment, a forensic laboratory must be able to cope with the uploading, retention and manipulation of that data. It is no longer viable to rely on local storage for each analyst. Centralised storage is becoming a necessity.

To address this issue, we have looked at the advantages offered by Fibre-Channel storage for the initial uploading and subsequent retention of data. Fibre-Channel storage is fast, reliable and supports very high levels of input-output for multiple applications and intensive processes, such as indexing. This is ideal for forensic laboratories that must perform to timescales and cannot afford for their capability to fail.

In addition, we believe it is advisable to complement the Fibre-Channel storage with very large amounts of Serial Advanced Technology Attachment (SATA) storage. SATA is cheap and reliable. By providing both Fibre-Channel and SATA disk storage, it is possible to balance the real needs of a forensic laboratory at the best possible price.

The solution has been proven working alongside forensic analysts using real data at a ListX facility in Bristol.

2. Backup / archive

Forensic laboratories are often now scaled to hold up to one PetaByte of online storage. We have devised a manageable solution that guarantees against loss of data. Furthermore, it does this without impacting on the performance of a system; a system that has to be operational 24/7/365.

By taking a 'snapshot' of the data before it is sent to offline media, the performance of the live storage is never degraded. This provides the users and the business with what it needs: a system without planned downtime.

3. Application performance

The effectiveness of forensic laboratories is often down to the performance of the applications that are used by the forensic analysts. This is either because the applications do not yet take advantage of modern hardware, or because the nature of their function is such that they will never perform as quickly as the business would like. To address this issue, VEGA can devise solutions that allow the most intensive forensic applications to be served from powerful servers. This enables applications to operate with as little 'lag' as possible.

By providing multiple variables of the same application, forensic analysts can initiate multiple actions from a single workstation. This results in greatly increased productivity, removing 'dead-time' where analysts may traditionally have had to wait hours before undertaking other activities.

4. Scalability

All technology solutions have their limits, often requiring a step-change in hardware or software to expand or contract. This can be a prohibitive factor in gradual expansion of capabilities due to the cost associated with this step-change.

Therefore, developing solutions that are fully scalable, supporting capability and user expansion / contraction through modularised technology, is essential, as these can be designed to scale up to a PetaByte of storage from the start and can be further increased if required. There is no theoretical limit on the number of users that can be hosted.

In addition, as the majority of forensic applications are served, thin-clients can be deployed within minutes anywhere, with the full set of forensic tools required for any investigation.

5. Malware protection

One of the biggest issues for forensic laboratories is unknown malware. To understand what an unidentified piece of software can do, analysts sometimes need to reverse engineer it, or execute it and monitor what it does. If it transpires to be unknown malware, there is the potential of corrupting the entire forensic laboratory and calling into doubt the integrity of the environment used to produce evidence.

Even the best anti-virus programmes only mitigate known risks and attack-vectors. Therefore, a series of security-enforcing functions should always be built that are invisible to the user and enable forensic analysts to examine unknown code without risk to the integrity of the forensic laboratory.

6. Accreditation

The high profile data losses of recent years have propelled the issue of information assurance to the top of the political agenda. Having devised secure systems for the most sensitive parts of UK Government, we have the experience to create a solution that complies with the HMG Manual of Protective Security, as well as JSP440. The security enforcing functions mitigate against high confidentiality, integrity and availability requirements.

7. System Integration

Forensic laboratories are normally isolated technical units that use an air-gap between themselves and the main desktop infrastructure. A solution can include secure and reliable integration methods that enable organisations to transfer data safely between corporate systems and laboratories. This is based on devising methods to bring multiple sources of information together, to provide a seamless system that meets accreditation requirements, as well as extending the information available to users.

8. Support

It is unacceptable for forensic laboratories to require a high level of maintenance. Specialists understand this and have created a solution based on Commercial Off The Shelf (COTS) products, which means clients are not tied into any supplier for long-term support, since the skills required are readily available.

9. Longevity

The rapid development of information technology, and the ability of criminals and terrorists to use it to their advantage, demands that any digital forensic solution is able to evolve quickly and with minimum disruption. We work with leading forensic application providers to ensure that we understand how best to improve capability for users now and in the future. Solutions should take account of the latest hardware in production, software development, and the ever-increasing burden on forensic analysts and that of the business. This long-term planning and investment demonstrates our commitment to this field.

10. Ensuring best value-for-money

As public sector budgets come under increasing pressure, and expenditure faces intense scrutiny, organisations must ensure investment in IT provides value-for-money.