Archive for the ‘File Formats’ Category

Dark Data Is Invading Our Lives

February 4th, 2011

Recently, I’ve given some presentations on Dark Data. Back in May, I talked about “Dark Data in Live Forensics” for the TechPoint – New Economy New Rules breakfast. Last month, I covered the topic in more detail with a presentation called “Dark Data and Missing Evidence”, presented at the Indianapolis chapter meeting of the ASDFED. A week later, I explained how this issue impacts records managers at the Indianapolis chapter meeting of ARMA. That presentation was titled “Dark Data Hiding in your Records – Opportunity or Danger?”

What exactly is Dark Data, and why should you be concerned? In 2005, Paul Chin wrote about Dark Data hiding on corporate networks. He said, “There’s often a large unseen – and in some cases, unknown – portion of corporate content that never reaches the general user community. This is what’s known as dark data.” In 2007, Thomas Goetz wrote an article for Wired Magazine that discussed scientific data that is lost because it didn’t produce popular results. He said that Dark Data “ends up stuffed in some lab drawer. The result is a vast body of squandered knowledge that represents a waste of resources and a drag on scientific progress. This information – call it dark data – must be set free.” Finally, in 2008, Malcolm Chisholm compared Dark Data to “dark matter” in the universe and applied the term to Enterprise Information Management (EIM). He wrote, “When it comes to data, just how much of it is hidden within the enterprise is extremely difficult to ascertain. Yet we all know it is out there.”

Do these people know something that we don’t? If you’ve ever searched for a lost document, or experienced the loss of data that you put a lot of work into, you know the feeling that your data assets are somewhere just outside your reach. You may not have attached an appropriate term to this, but you know that there is data hiding somewhere.

Well, there is more data hiding than people realize. Every time you create a document, delete an image file or format a hard drive, something is recorded or left behind. You can either ignore this and accept the risks, or deal with it head on. Whether you have employees deleting evidence subject to a legal hold and embezzling data to your competitors, or your credit card numbers are lingering on your personal PC at home, there is an obvious risk of someone discovering your Dark Data and using it against you.

Step 1: Find out what kinds of data are hiding from you.

Step 2: Learn how to find and manage the hidden data that you care about.

Step 3: Develop best practices to address your risks from Dark Data moving forward.

Step 4: Obtain the tools you need to protect your valuable data from others.

Over the coming months, I will be covering the different types of Dark Data that affect us. My business tends to focus more towards Digital Forensics Investigators, but I promise to cover each topic from entry level to the detail that investigators would appreciate. For a preview of what will be covered, take a look at one of my presentations listed above. If you would like me to speak to your organization, on this topic, feel free to contact me at Rob.Zirnstein (at) ForensicInnovations.com.

Try FI Data Profiler and Tell Us What You Think

October 2nd, 2009

In my previous blog, I mentioned a new product called FI Data Profiler Portable.  This portable software tool is aimed at reducing the backlog of digital evidence weighing down on Forensics Labs.  The idea is to filter out computers/hard drives that have no potential for containing the evidence pertinent to a case.  The best time to do that is on the scene before confiscating equipment & media, or when a device is being prepared for analysis by a highly trained investigator.  Let’s try to use the time of these skilled investigators as wisely as possible.

This tool is designed to be simple for first responders without the benefit of extensive training, yet highly configurable so that advanced investigators can fine tune it to their exact needs.  It utilizes our proven File Investigator file identification engine to catch 3,410 different types of files with high accuracy.  The result is a statistical analysis of what types of data, and how much of each, is on each computer/hard drive.  All of this is performed while running from a USB thumb drive or CD ROM.

Will you help us test this tool, and tell us what you think?  We want the tool to be a good fit for investigators.  In order to accomplish that, we need to include all of the necessary features and functionality.  Here’s how you can help:

Quick Look Steps (just 2 minutes):

  1. Go to http://www.forensicinnovations.com/download/fidpp105.exe with your browser.
  2. You may need to click on a browser warning dialog/ribbon to allow the download.
  3. Click the “Run” button, and a 937KB file will download.
  4. Click the “Run” button on the security warning dialog. (Vista & Windows 7 only)
  5. Click the “README.TXT” button for details on this tool. (optional)
  6. Click the “OK” button.
  7. Ignore the Case Details fields, and click the “Start Analysis” button.
  8. Select the “File” > “Save Summary Report” menu option to save the statistics to a text file. 
  9. Select the “File” > “Exit” menu option when you are done.

You should see bar charts displaying quantities of files found on your local hard drive.  This will continue for 15 minutes to 3 hours depending on how many files you have and the speed of your computer. Try the different “View” menu settings, to display charts by Platforms, Storage and File Types. The downloaded files will be automatically removed when you exit the application. Please send your comments to Support@ForensicInnovations.com. All feedback is welcome.

Testing Steps:

  1. Go to http://www.forensicinnovations.com/download/fidpp105.exe with your browser.
  2. You may need to click on a browser warning dialog/ribbon to allow the download.
  3. Click the “Save” button, and select a folder to save the 937KB file to.
  4. Rename the file’s extension to “.ZIP” and click the “Save” button.
  5. UnZip the contents to a test folder, and run FIProfilerPortable.exe.
  6. Click the “Run” button on the security warning dialog. (Vista & Windows 7 only)
  7. Click the “README.TXT” button for details on this tool.
  8. Click the “OK” button.
  9. Fill in any Case Details fields that pertain to you.
     • The Target Path will default to “C:” if you leave it blank.
  10. Click the “OK” button to continue to the main window.
  11. Select the “File” > “Start Analysis” menu option to start the process.
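The profiler described above identifies files by their content rather than by name, which is also why the download itself can be renamed to “.ZIP” and unpacked. The following is an added example, not the FI Data Profiler’s own code: a small content-based profiler with a constructed, deliberately tiny signature table (`SIGNATURES`, `EXPECTED`, `profile` and `run_demo` are all assumptions here) that counts file types under a directory and flags files whose extension claims a different type than their bytes show.

```python
import os, tempfile
from collections import Counter

# Constructed signature table: leading bytes -> type label.  A tiny stand-in
# for a real identification engine; values here are for illustration only.
SIGNATURES = [
    (b"PK\x03\x04", "ZIP archive"),
    (b"MZ", "Windows executable"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"%PDF-", "PDF document"),
]
# Which content type a given extension claims to be.
EXPECTED = {".zip": "ZIP archive", ".exe": "Windows executable",
            ".jpg": "JPEG image", ".pdf": "PDF document"}

def identify(path):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "Unknown"

def profile(root):
    """Count content-identified types under root, and list files whose
    extension claims a different type than the bytes show."""
    counts, mismatches = Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            label = identify(os.path.join(dirpath, name))
            counts[label] += 1
            claimed = EXPECTED.get(os.path.splitext(name)[1].lower())
            if claimed and claimed != label:
                mismatches.append(name)
    return dict(counts), sorted(mismatches)

def run_demo():
    """Profile a constructed sample tree (written to a temp dir)."""
    samples = {  # constructed contents, not real files
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "backup.zip": b"PK\x03\x04" + b"\x00" * 12,
        "setup.exe": b"PK\x03\x04" + b"\x00" * 12,   # ZIP bytes behind .exe
        "notes.txt": b"plain text, no signature\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return profile(tmp)
```

The summary (`counts`) is the kind of per-type statistic the tool charts; the `mismatches` list is the check a triage reviewer wants, since a mislabeled extension is exactly what a name-based inventory misses.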

When you finish testing on one or more computers, we would appreciate any feedback that you can provide:

  • How useful is this tool for you?
  • What features would make it more useful?
  • Did you run into any problems?
  • What needs to be improved?

Please send your feedback to Support@ForensicInnovations.com. If you are willing, we would also like to receive saved Data Profiles for the computers that you test. These profiles only contain the information that you enter into the Case Details dialog and the charts that you see on the screen.  Here are the steps for sending the Data Profiles:

  1. Select “File” > “SaveAs Analysis”, after each test completes the analysis.
  2. Attach the saved .FIS file(s) to an email addressed to Support@ForensicInnovations.com.

We appreciate your time and we value your opinion.

The Push for Live Forensics

September 4th, 2009

The best approach to a Digital Forensics (aka Computer Forensics or Cyber Forensics) investigation has been to perform a “Dead” analysis of the data storage devices.  This requires the imaging (or copying) of hard drives, flash drives, discs, etc. for further analysis in a controlled lab environment.  An even simpler approach is to simply take the entire computer to the lab and let someone else image its contents there.  When the evidence may be presented in court, you want to make sure that every step of the investigation was conducted correctly and is well documented.  It’s best to perform this process in a lab where you have access to all of your equipment, software, references and trusted advisors, as well as time to figure out complex issues, search again with new terms and maybe even crack encryption codes.

But now investigators are being pushed into performing “Live” analysis.  If you find a computer turned on, turning it off may prevent you from ever accessing its data again.  Whole disk encryption typically prompts you for an encryption key each time the computer is turned on.  While it is still on, you can capture an image of its RAM and analyze it later for encryption keys and any evidence of outside tampering.  Then you can image the hard drive and/or turn the computer off and take it to the lab, right?  Not any more!

The Ninth U.S. Circuit Court of Appeals in San Francisco recently made a ruling that may prevent us from performing Dead Forensics.  It says that evidence needs to be gathered on location, and that taking entire hard drives infringes on a person’s rights.  For example, if you’re searching for evidence on one crime and happen to notice child pornography (CP), then you have to just ignore it.  Normally, you could stop your investigation and quickly obtain a second search warrant for CP, because it was “in plain view”.  Then, you could continue your investigation under two warrants and find evidence for both crimes.  “In plain view” will no longer work for computer investigations, and large collections of computer data will not be allowed to leave the site.

Does this mean that all equipment and software needs to be brought to the scene, and your most talented investigators have to come to each site and perform their analysis there?  So much for the idea of first responders collecting the data and more senior investigators performing the detailed analysis!  What happens when you have some new terms to search for, as a case progresses?  Do you then have to revisit the site and perform another search on data that may have been changed outside of your control?

We are about to send out a prerelease version of our FI Data Profiler Portable product that will assess each computer/storage device and display charts of what types of data are there.  We have been targeting this product at reducing the backlog on the labs, by eliminating computers and hard drives that have no potential for containing the evidence specified in a search warrant.  But maybe this new tool will also help the investigators on site to quickly target just the computers that will contain the pertinent data.
