Digital Evidence Dashboard
The organisation of digital forensics in investigations
Hans Henseler* and Adrie Stander**
DFRWS EU 2016, March 29-31 2016
Lausanne, Switzerland
* Amsterdam University of Applied Sciences & Tracks Inspector
** University of Cape Town
A collaboration between:
This project has been made possible by the Municipality of The Hague and the Hague Security Delta.
Project members: Involved:
Oost-Nederland, Noord-West Holland, Den Haag
Why did we do this project?
• Enormous growth of data per device
• Growth of number of devices per person and location
• Growing volume of digital case data
• Limited capacity for investigations
Solution: Enable all detectives to investigate digital evidence.
Project goals: realise …
• An overview of alternative ways of working (process organisation, assignment of tasks)
• Present information in a non-technical manner: dashboard with a simple interface.
• Support continuous reporting and progress monitoring.
• Facilitate collaboration between detectives and experts.
Project approach
Explore
• Ways to improve and change working processes and responsibilities.
• Desired / required functionality
Design
• Concepts for the DED
• (Screen) designs (“Powerpoint”)
Proof of Concept 1
Development phase
• Software DED in Tracks Inspector
• Proof of Concept: website and demonstration case
Proof of Concept 2
Scope DED
‘Fast response’
• Live investigation with consent of suspect
• No (initial) seizure of evidence
• Police report is sufficient for prosecutor
‘Expert’ adversary
• Hidden information and booby traps more likely
• For instance organised fraud, child pornography, computer crime
• Requires specialist knowledge and tools
‘Normal’ adversary
• No or little digital expertise
• At most deleted files
• Acquire forensic copy or image of evidence
• Forensic image as source of the investigation
Everyone, Detective, Digital forensics expert
[Figure: process diagrams comparing the current and the future situation. Digital Expert lane: Intake, Prioritize & assign, Investigate, Report / Statement. Detective lane: Coordinate investigation, Investigation questions, File / Final report. The future diagram additionally shows: Investigate, Report / PV.]
Digital investigation processes
Forensic preparation
Prepare devices
Make forensic copy
Back-up & archiving
Setup case
Case configuration
Authorizations
Legal privilege review
Formulate investigation questions
Investigation
Investigate digital data
Investigate specialist questions (by expert)
Reporting
Different variations in processes
• In large and medium-sized organisations the detective plays no role at all without a digital expert.
• Local law enforcement is suffering from delays due to distance and backlogs. This is a “bottleneck”.
• Small organisations are completely self-supporting, but are taking risks. They have no support at all from digital experts.
Implementation choices
Focus on efficiency in terms of:
• Distance between detective and expert
• Reducing turn-around time
Also focus on content:
• Understanding the case & context is necessary for the investigation
• When using the DED: roles and job separation (e.g. ‘case manager’ role, legal privilege review, technical preparation, investigation questions etc.)
Organisational choices
Two choices exist for locally organising the investigation of digital materials:
• Organise digital expertise close to the process (but is there enough capacity?)
• Enable detectives so that they can perform digital investigations themselves:
  • This is what the Digital Evidence Dashboard is intended for
  • Requires (some) training
Interesting facts about investigations
• At the start
• Verification cases (e.g. a known story that needs to be verified)
• Search cases (e.g. a victim with an unknown story)
This was used as guidance for the concepts and the design.
Interesting facts about investigations
• Fear to destroy evidence (by accident)
• Clues are not (yet) evidence
• Detectives seem restrained in their report narrative when digital media is involved
Causes:
• Limited skills
• Attitude towards digital media
(Part of the) Solution
Non-technical detectives should (also) investigate digital media:
1. Increase investigation capacity
2. Get results faster
3. Aim for bulk cases (no expert ‘adversary’)
4. Look for clues (that are relevant for the entire investigation)
Threats:
• Lacking ICT knowledge / aversion
• Fear of making mistakes / unable to find information
• Drawing premature conclusions
Opportunities:
• Being involved directly increases efficiency & effectiveness
• Investigation by expert is still possible
Design Goals: The DED enables…
… the case manager to oversee the digital investigation so that he can monitor the progress more easily and adjust the investigation in a timely manner.
… the detective to perform the investigation in an independent manner so that he can prioritize, search, analyse and record findings.
… the digital expert to be involved in a natural way on complex and relevant digital issues so that his expertise is used in the most efficient way.
… the investigation team to conduct the investigation of digital media and collaborate in order to have the process run smoothly and quickly.
DED building blocks
• Keeping Oversight: “Digital case dashboard”
• Analysing Data: “Evidence locker”
• Recording Findings: “Drawing board”
Detectives collaborate with each other and with digital experts
Storyboard
Using the functions in the Digital Evidence Dashboard
[Storyboard screen: START. On-screen labels: WELCOME, My cases, Completed, Case manager, Detective, Digital Expert]
[Storyboard screen: Formulate investigation questions. On-screen labels: Case info, Investigation Questions, Detector, Team info]
[Storyboard screen: Search digital media. On-screen labels: Search, Term, Location, DATE, Refine, Search results]
[Storyboard screen: Analyse]
[Storyboard screen: Label clues. On-screen labels: COMMENT]
[Storyboard screen: Recording Findings. On-screen labels: Investigation Question 3, RECORDED FINDINGS, INVESTIGATION QUESTIONS, MY, ALL]
[Storyboard screen: Progress & briefing. On-screen labels: Investigation Questions, ACTIVE]
[Storyboard screen: Expert assistance. On-screen labels: Investigation Questions, DETECTORS, ENCRYPTION]
[Storyboard screen: Export to Report. On-screen labels: Investigation Questions, Investigation Question 1, Investigation Question 2, Active, COPY, PASTE, Report]
Evaluation
Multiple workshops with end users
Judging: Effectiveness, efficiency, working processes and points for improvement
Feedback via questionnaires, discussion & assignments
Feedback from end users
• “Handy! I can put away my little notebook”
• “As a case manager you stay informed about searches, make adjustments and add new questions. Great!”
• “Very clear. I can see what’s on there in no time.”
• “Entities and analysis are notoriously difficult areas. The DED adds value because it offers easy to understand investigation questions and dashboards”
• “As an expert I look in exactly the same system that the detective is referring to. We are on the same page!”
Demonstration website
https://www.digitalevidencedashboard.com
• DED video
• Login to prototype
• Simple verification case scenario