Digital Forensic Investigative Tools: Preventing Data Loss When Seizing Electronic Devices of Interest
Important digital evidence, such as operating system data, networking information, recent social networking activity, web history, and recently accessed, created and modified files, can be erased or encrypted when the device is turned off.
Investigators need to acquire this type of information, known as volatile or live data, but they must still turn off devices to transport them to law enforcement facilities. For this reason, tools are needed to support the acquisition of live data at crime scenes.
Developing Live Data Acquisition Tools
NIJ is funding the development of a tool at WetStone Technologies, Inc., that could be used at crime scenes, prior to shutdown of computer devices, to:
- Obtain information about the device's hardware and peripherals (such as printers and portable hard drives).
- Acquire critical details about networking information, storage and contents of the device's memory.
- Determine the need for a "live image," a replica of the device's contents that would be stored on a secondary storage device.
This new software tool, called the USB Live Acquisition and Triage Tool (US-LATT), resides on a customized USB device that can launch applications. US-LATT automatically captures and stores evidence from suspects' computers.
The tool is also intended to be:
- Used in conjunction with currently available technologies.
- Run with minimal specialized training.
- Mostly automated, without much need for investigator interaction.
- Easily customized to include other digital forensics tools such as "Trait Analytic Program Search" (TAPS).
Learn more about TAPS on the page Identifying Intrusion and Unauthorized Activities.
During the process of digital evidence collection, the US-LATT tool logs any changes that were made to the computer system or files and why those changes were made. This reduces the risk of creating files that are not admissible in court. However, standards and legal procedures still need to be established for live data acquisition and courtroom admissibility.
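The change log described above, recording each modification the tool makes to the live system together with the reason, is the piece that supports later admissibility review. The following is an added example of such a log, written for this page and not US-LATT code: a hash-chained, append-only record whose integrity can be checked afterwards, so that any edited or dropped entry is detectable. The class and field names, the GENESIS sentinel and the sample session values are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # hypothetical sentinel for the first entry's predecessor

def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

class AcquisitionLog:
    """Append-only record of each change a live-acquisition tool makes to the
    running system and why; hash-chained so later edits or deletions are detectable."""

    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, time_utc, action, target, reason):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "case_id": self.case_id,
                 "examiner": self.examiner, "time_utc": time_utc, "action": action,
                 "target": target, "reason": reason, "prev_hash": prev}
        entry["hash"] = _entry_hash(entry)  # digest covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, None) if every digest and chain link holds, else (False, seq) of the first failure."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

def demo_log():
    """Constructed sample session (illustrative values): changes a triage tool makes and why."""
    log = AcquisitionLog("CASE-EXAMPLE-001", "examiner_01")
    log.record("2024-01-01T10:00:00Z", "mount_usb", "E:\\",
               "attach the removable drive that carries the triage tool")
    log.record("2024-01-01T10:00:12Z", "create_file", "E:\\triage\\netstat.txt",
               "capture active network connections before shutdown")
    log.record("2024-01-01T10:01:05Z", "read_memory", "system RAM",
               "acquire volatile memory that would be lost on power-off")
    return log
```

Verifying the chain at review time flags the first entry whose content, order or link was altered, which is what lets an examiner show the recorded changes are the ones actually made.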