Digital Forensics – Top 10 Challenges


The ability of criminals and terrorists to maximise the opportunities offered by new technology is constantly evolving. Burying incriminating data within the increasing storage capacity of PCs and laptops presents the police and security forces with new and demanding challenges; challenges that are exacerbated by the very short space of time in which examinations of seized assets can take place. Through experience gained delivering solutions across the UK Security & Resilience community, Andrew Nanson presents the Top 10 challenges that organisations are likely to face when implementing digital forensics solutions.

1. Storage

When each suspect can store over 10 terabytes of information on home equipment, a forensic laboratory must be able to cope with the uploading, retention and manipulation of that data. It is no longer viable to rely on local storage for each analyst; centralised storage is becoming a necessity.

To address this issue, we have looked at the advantages offered by Fibre-Channel storage for the initial uploading and subsequent retention of data. Fibre-Channel storage is fast, reliable and supports very high levels of input-output for multiple applications and intensive processes, such as indexing. This is ideal for forensic laboratories that must perform to timescales and can’t afford for their capability to fail.

In addition, we believe it is advisable to complement the Fibre-Channel storage with very large amounts of Serial Advanced Technology Attachment (SATA) storage. SATA is cheap and reliable. By providing both Fibre-Channel and SATA disk storage, it is possible to balance the real needs of a forensic laboratory, at the best possible price.

The solution has been proven working alongside forensic analysts using real data at a List X facility in Bristol.

2. Backup / archive

Forensic laboratories are now often scaled to hold up to one petabyte of online storage. We have devised a manageable solution that guarantees against loss of data. Furthermore, it does this without impacting the performance of a system that has to be operational 24/7/365.

By taking a ‘snapshot’ of the data before it is sent to offline media, the performance of the live storage is never degraded. This provides the users and the business with what they need: a system without planned downtime.

3. Application performance

The effectiveness of forensic laboratories often comes down to the performance of the applications used by the forensic analysts. This is either because the applications do not yet take advantage of modern hardware, or because the nature of their function is such that they will never perform as quickly as the business would like. To address this issue, VEGA can devise solutions that allow the most intensive forensic applications to be served from powerful servers. This enables applications to operate with as little ‘lag’ as possible.

By providing multiple instances of the same application, forensic analysts can initiate multiple actions from a single workstation. This results in greatly increased productivity, removing the ‘dead time’ in which analysts have traditionally had to wait hours before undertaking other activities.

4. Scalability

All technology solutions have their limits, and expanding or contracting them often requires a step-change in hardware or software. The cost of that step-change can be a prohibitive factor in the gradual expansion of capabilities.

It is therefore essential to develop fully scalable solutions that support capability and user expansion or contraction through modularised technology. These can be designed to scale up to a petabyte of storage from the start and can be increased further if required. There is no theoretical limit on the number of users that can be hosted.

In addition, because the majority of forensic applications are served centrally, thin clients can be deployed within minutes anywhere, with the full set of forensic tools required for any investigation.

5. Malware protection

One of the biggest issues for forensic laboratories is unknown malware. To understand what an unidentified piece of software can do, analysts sometimes need to reverse engineer it, or execute it and monitor what it does. If it turns out to be unknown malware, there is the potential to corrupt the entire forensic laboratory and call into doubt the integrity of the environment used to produce evidence.

Even the best anti-virus programmes only mitigate known risks and attack vectors. Therefore, a series of security-enforcing functions should always be built in that are invisible to the user and enable forensic analysts to examine unknown code without risk to the integrity of the forensic laboratory.
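Both the backup section above (a snapshot is archived offline and must be guaranteed against loss) and this section (the integrity of the environment that produces evidence must be beyond doubt) come down to one check a laboratory needs to be able to run: does a copy of the evidence store still match the store it was taken from? The following is an added example, not VEGA's code or anything described on the page: it builds a SHA-256 manifest of a live evidence tree and verifies an archive copy against it, reporting files that are missing, modified or unexpected. The directory names, file contents and the corrupted archive are all constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-gigabyte images are never read into memory at once


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    Run against the live store at snapshot time; the result is the reference the
    archive is later checked against.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare an archive or restored copy against the manifest taken from the live store."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),    # in the manifest, absent from the copy
        "extra": sorted(set(current) - set(manifest)),      # in the copy, never in the manifest
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: a small live store, a faithful archive and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "case-0001").mkdir(parents=True)
        # Hypothetical evidence files; contents are placeholders, not real images.
        (live / "case-0001" / "disk.img").write_bytes(b"\x00" * 4096 + b"evidence")
        (live / "case-0001" / "notes.txt").write_text("constructed sample notes\n")
        manifest = build_manifest(live)

        good = Path(tmp) / "archive"
        shutil.copytree(live, good)
        clean = verify_manifest(good, manifest)

        bad = Path(tmp) / "archive-bad"
        shutil.copytree(live, bad)
        (bad / "case-0001" / "disk.img").write_bytes(b"\x00" * 4096 + b"EVIDENCE")  # content changed
        (bad / "case-0001" / "notes.txt").unlink()                                  # file lost
        (bad / "stray.tmp").write_text("not in manifest\n")                         # unexpected file
        damaged = verify_manifest(bad, manifest)

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The manifest is taken from the snapshot rather than from the archive, so the check is independent of the media the copy was written to, and an empty `missing`, `extra` and `modified` is the only acceptable result before the live copy is released.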

6. Accreditation

The high-profile data losses of recent years have propelled the issue of information assurance to the top of the political agenda. Having devised secure systems for the most sensitive parts of UK Government, we have the experience to create a solution that complies with the HMG Manual of Protective Security, as well as JSP 440. The security-enforcing functions are designed to meet high confidentiality, integrity and availability requirements.

7. System Integration

Forensic laboratories are normally isolated technical units that keep an air gap between themselves and the main desktop infrastructure. A solution can include secure and reliable integration methods that enable organisations to transfer data safely between corporate systems and laboratories. This is based on devising methods to bring multiple sources of information together, providing a seamless system that meets accreditation requirements and extends the information available to users.

8. Support

It is unacceptable for forensic laboratories to require a high level of maintenance. Specialists understand this and have created a solution based on Commercial Off The Shelf (COTS) products, which means clients are not tied to any one supplier for long-term support, since the skills required are readily available.

9. Longevity

The rapid development of information technology, and the ability of criminals and terrorists to use it to their advantage, demands that any digital forensic solution be able to evolve quickly and with minimum disruption. We work with leading forensic application providers to ensure that we understand how best to improve capability for users now and in the future. Solutions should take account of the latest hardware in production, ongoing software development, and the ever-increasing burden on forensic analysts and on the business. This long-term planning and investment demonstrates our commitment to this field.

10. Ensuring best value-for-money

As public sector budgets come under increasing pressure, and expenditure faces intense scrutiny, organisations must ensure investment in IT provides value-for-money.