Digital Evidence Investigative Tools: Acquiring Data From Networked Computers

The Challenge of Collecting Digital Evidence From Network Environments

Acquiring data from a computer network environment presents a major challenge for investigators. The challenge is growing as home computer networks, in which interconnected devices share files and resources, become increasingly common with the rise of wireless Internet use.

Evidence from networks and network-attached hardware needs to be "imaged" (copied) during an investigation so that it is kept forensically sound. Without tools and training, it is impossible for a first responder to gather digital evidence, let alone identify and find all the components in a home network such as printers and external hard drives.

Law enforcement also needs tools for gathering data spread across numerous storage devices. However, currently available tools fail to match the capabilities of new network and storage technologies.

More Robust Tools Could Solve Problems Gathering "Live" Network Evidence

NIJ is supporting the development of two new network forensics tools. Though the tools acquire similar types of information, their methods are different.

Network Boot Disk - Gathering data from networks at the crime scene

The first tool, the Network Boot Disk, is designed to be used at a crime scene to gather information from Web and e-mail servers, hard drives and routers. The tool is being designed to:

  • Identify which operating systems and applications are associated with the devices.
  • Install and access drivers at crime scenes in order to access newly developed hardware.
  • Access boot servers and storage controllers in order to collect data without having the actual physical hardware device.
  • Prevent data alteration through write-blocking software that is compatible with the data-transfer technology used most frequently by servers today, Serial Attached SCSI (SAS). (Most current write blockers do not support SAS.)
  • Image RAID (Redundant Array of Independent Disks) volumes as a unit instead of having to individually image each drive. RAID volumes, seen less frequently in home computer networks, allow the division and replication of data among several hard disks.
  • Establish who has rights to particular information in a computer network or directory.
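To illustrate why imaging a RAID volume as a unit matters, the following added example (not code from the NIJ page or the Network Boot Disk project) simulates a RAID-0 stripe set and shows that rebuilding the logical volume from individually imaged drives only succeeds when the investigator also knows the stripe size and disk order; the stripe size and sample data are constructed for the demonstration.

```python
"""Reassemble a RAID-0 (striped) volume from per-disk images and verify it by hash.

Constructed demonstration: a wrong disk order or stripe size yields a volume
whose hash no longer matches the reference unit image, i.e. silent corruption.
"""
import hashlib
from typing import List

STRIPE_SIZE = 4  # bytes per stripe; assumed for the demo (real arrays use e.g. 64 KiB)


def split_raid0(volume: bytes, ndisks: int, stripe: int = STRIPE_SIZE) -> List[bytes]:
    """Simulate how a RAID-0 controller distributes a logical volume over its disks."""
    disks = [bytearray() for _ in range(ndisks)]
    for i in range(0, len(volume), stripe):
        disks[(i // stripe) % ndisks] += volume[i:i + stripe]
    return [bytes(d) for d in disks]


def reassemble_raid0(images: List[bytes], stripe: int = STRIPE_SIZE) -> bytes:
    """Rebuild the logical volume from per-disk images given in controller order.

    Stripes are read round-robin; the rebuild stops at the first disk that has
    no data at the current stripe offset, which also handles a short last stripe.
    """
    out = bytearray()
    k = 0
    while True:
        disk = images[k % len(images)]
        off = (k // len(images)) * stripe
        if off >= len(disk):
            break
        out += disk[off:off + stripe]
        k += 1
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_reconstruction(volume_image: bytes, disk_images: List[bytes],
                          stripe: int = STRIPE_SIZE) -> bool:
    """True only if the rebuilt volume hashes identically to the unit volume image."""
    return sha256_hex(reassemble_raid0(disk_images, stripe)) == sha256_hex(volume_image)


# Constructed sample: a 22-byte "volume" striped across three disks.
SAMPLE_VOLUME = b"FORENSIC-IMAGE-SAMPLE!"
SAMPLE_DISKS = split_raid0(SAMPLE_VOLUME, 3)

if __name__ == "__main__":
    print(verify_reconstruction(SAMPLE_VOLUME, SAMPLE_DISKS))            # True
    print(verify_reconstruction(SAMPLE_VOLUME, SAMPLE_DISKS[::-1]))      # False: wrong disk order
    print(verify_reconstruction(SAMPLE_VOLUME, SAMPLE_DISKS, stripe=2))  # False: wrong stripe size
```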

The designers also plan to run training sessions with mock networks, introducing law enforcement officers to new tools and materials.

Automated Acquisition of Network Device Evidence

The second tool, Acquisition of Network Device Evidence System (ANDES), is a set of software tools that will allow investigators to automatically acquire and analyze relevant data from network devices without requiring device-specific training. Once developed, it will be distributed for free to state and local law enforcement.

ANDES is capable of running on handheld mobile computers. This capability is useful in network attack forensics, where data from network devices must be acquired without losing volatile data or shutting down the network, and in computer crime investigation, where forensic data from network devices, such as wireless routers, can support an investigation. ANDES will allow computer forensic investigators to capture evidence that otherwise would be ignored or be impractical to gather.

Date Created: November 5, 2010