
All the gear! ! and no idea

Scalable, fast & forensically sound

incident response using “NOOBS”

Andrew Sheldon MSc.

There are 3 BIG issues

[Chart: Annual computer sales since 1986, in millions of units per year, 1986-2009. Source: www.guardian.co.uk]

The number of “POTENTIAL CRIME SCENES” increases every year

[Chart: Growth in hard disk capacity, in gigabytes, 1986-2009. Source: www.guardian.co.uk]

Crime scenes keep getting BIGGER

Size of disks

There are not enough FORENSIC ANALYSTS

What does the future hold?

[Chart over TIME: the number of analysts will continue to grow over time; the number of examinations will grow even faster]

THE SECONDARY CAUSE?

The ratio of front-line “responders” to back-room “experts” results in a high proportion of UNNECESSARY EXAMINATIONS

It also results in

MORE TRAVEL

HIGHER COSTS

WASTED TIME

WHAT DOES ALL THIS MEAN?

We’ll KEEP getting what we’ve always had

If we KEEP doing what we’ve always done!

Too much work & too little time

Say HELLO to the “NOOBS”

Perhaps we should EMPOWER THE FRONT LINE to make informed decisions

THE BREATHALYSER ANALOGY

Effective at the FRONT LINE

Limited SKILLS required

Easy to DEPLOY

Supports SUSPICIONS

There are some very good precedents

THE A&E ANALOGY

Not all BRAIN SURGEONS

Few SIMPLE tools

Limited TRAINING

Prioritises CASELOAD

So, how do we do it?!

A formal & controlled process for...

•  Assessing risk
•  Identifying targets
•  Collecting data
•  Filtering information
•  Classifying results
•  Prioritising actions
•  Allocating resources

High: Call in the experts

Medium: Seek advice from experts

Low: Perform triage or imaging
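To make the controlled process above concrete, here is an added example of a minimal "packaged" triage run that a front-line responder could execute without forensic training. It is illustration written for this page, not Evidence Talks' tooling and not the EnCase demo. The indicator terms, the target file types, the scoring thresholds (3+ distinct indicators -> High, 1-2 -> Medium, none -> Low) and the sample files are all constructed assumptions; only the risk-to-action routing comes from the slide. Every target is hashed before filtering so the back-room expert can later verify the responder did not alter what was collected.

```python
"""Added example: a seven-step triage run (assess, identify, collect, filter,
classify, prioritise, allocate) with a hashed collection record.
Indicators, suffixes, thresholds and sample data are constructed assumptions."""
import hashlib
import tempfile
from dataclasses import dataclass, asdict
from pathlib import Path

# Assumed indicator terms a responder is told to look for (constructed).
INDICATORS = ("bitcoin", "confidential", "password")
# Assumed file types treated as triage targets (constructed).
TARGET_SUFFIXES = {".txt", ".log", ".doc", ".docx"}

# Routing rules taken from the slide: risk level -> action.
ROUTING = {
    "High": "Call in the experts",
    "Medium": "Seek advice from experts",
    "Low": "Perform triage or imaging",
}

# Constructed sample "evidence" for the demo; not real case data.
DEFAULT_SAMPLE = {
    "docs/notes.txt": b"Confidential: the bitcoin wallet password is in the safe\n",
    "docs/readme.txt": b"Nothing to see here\n",
    "images/holiday.jpg": b"\xff\xd8\xff\xe0JFIF-not-really",
    "logs/auth.log": b"user bob login failed: bad password\n",
}


@dataclass
class Record:
    path: str
    sha256: str
    size: int
    matched: list


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large evidence files are never loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_targets(root: Path):
    """Identify targets: regular files with a triage-relevant suffix, in a
    stable order so two runs over the same evidence give the same record."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in TARGET_SUFFIXES:
            yield p


def collect(root: Path) -> list:
    """Collect: one hashed record per target. Files are only ever opened for
    reading; the hash lets an expert verify the evidence later."""
    records = []
    for p in identify_targets(root):
        text = p.read_bytes().decode("utf-8", errors="ignore").lower()
        matched = [i for i in INDICATORS if i in text]
        records.append(Record(p.relative_to(root).as_posix(), sha256_file(p),
                              p.stat().st_size, matched))
    return records


def classify(hits: list) -> str:
    """Classify: assumed score = number of distinct indicators seen anywhere.
    3+ distinct -> High, 1-2 -> Medium, none -> Low (illustrative thresholds)."""
    distinct = {m for r in hits for m in r.matched}
    if len(distinct) >= 3:
        return "High"
    if distinct:
        return "Medium"
    return "Low"


def triage(root: Path) -> dict:
    """Run the whole controlled process and return the audit record:
    everything collected (with hashes), the filtered hits, and the routing."""
    records = collect(root)
    hits = [r for r in records if r.matched]  # filter
    risk = classify(hits)
    return {
        "risk": risk,
        "action": ROUTING[risk],  # prioritise / allocate resources
        "collected": [asdict(r) for r in records],
        "hits": [asdict(r) for r in hits],
    }


def run_demo(sample: dict = None) -> dict:
    """Write the constructed sample into a scratch directory and triage it."""
    sample = DEFAULT_SAMPLE if sample is None else sample
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in sample.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
        return triage(root)


if __name__ == "__main__":
    result = run_demo()
    print(result["risk"], "->", result["action"])
    for h in result["hits"]:
        print(h["path"], h["sha256"][:12], h["matched"])
```

One caveat for a real run: opening files for reading still updates access times on many filesystems, so the script should be pointed at a write-blocked device or a read-only mount of the image, and the audit record (not the responder's memory) is what goes to the expert when the result is High or Medium.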

WE KNOW HOW TO APPLY THE RULES

Which help filter the RELEVANT

Prioritise RESOURCES

BUT !

We must control the NOOBS

with more than just a BOOT CD or thumb drive

we have to PACKAGE THE SCIENCE

Play time ;-)

Live demos

• Remote Forensics: respond to an incident in the USA, using EnCase, via a mobile phone

• Digital Triage: demonstrate how a NOOB can find the evidence forensically (and avoid giving you unnecessary work)

Forensic Incident Management Server (FIMS)

Remote Forensics Process (diagram labels)

Case Manager in USA; Forensic Analyst in LONDON

• Request forensic assistance for job in New York
• Reviews CASE request; authorises
• Analyst downloads credentials
• Accesses evidence using credentials
• Accepts CASE
• Forensic analyst sends instructions from FIMS to NOOB
• NOOB does the “hands on” task
• Evidence in USA (POD)

QUESTIONS?

Thank You

Andrew Sheldon MSc. Evidence Talks Ltd

[email protected] Tel: 0845 125 4400

54 68 61 6E 6B 20 59 6F 75