Computer Crime Consultants have been using applications like Assure for several years and through conversations, we have become aware of the increasing need for some form of semi-automated, guided process that non-specialists from a variety of backgrounds could have to hand, that would allow them to acquire images of data storage devices should the need arise and where the cost is not prohibitive.
We have also been made aware of individuals who would also have benefited from having immediate access to a tool or application like Assure.
Examples of those who have commented and the circumstances surrounding those comments are paraphrased below:
Members of the legal profession including Investigators
Who having been urgently contacted by clients were either unable to obtain the forensic services they needed at short notice or as mentioned above, found the cost of the service disproportionate to their needs?
Employers & Compliance officers and System Administrators
All have stories to tell, one of the more common themes being company sensitive information leaking to competitors. The problem employers and those they trust frequently come up against, is that they know that someone from a particular group or department must be responsible. The issue is, how to identify that person without potentially upsetting or causing disquiet within the rest of the group.
Frequently, the perception is that an investigation with computers being examined would become public knowledge, which in turn would potentially be counter-productive for the company. And so, not be warranted, leading to additional company confidential information being disclosed.
In some of the cases we have been involved with directly, there have been occasions where the culprit tried to cover their tracks. It may sound obvious but there is little doubt that had these investigations, including the covert imaging of computers been undertaken earlier. Evidence relating to the recipient would have been available, which could have led to steps being taken to prevent the disclosed information being used.
Parents and Guardians
We have been made aware of and encountered situations where the parents or guardians of children have become concerned that their ward(s) may be the victim of ‘social crimes’ such as bullying or grooming. Where again, an overt analysis of a computer or laptop is likely to be resisted and counterproductive. Straining relationships and potentially prompting the ward to delete significant evidence.
In such cases obtaining a covert copy of the device may be the only sensible solution. As it would then allow for an analysis to take place without the ward’s knowledge, hopefully providing answers to the questions raised. Then, if a parent or guardian’s suspicions are unfounded no further action need be taken and the ward need never know. Conversely, if evidence is found, then a decision as to the best course of action for all parties needs to be taken.
It may even be possible for the parent or guardian to undertake the analysis themselves using Autopsy.
If you have used Assure to obtain an image and do attempt this, make a copy of all the files created by Assure and use those for the analysis. You can always make another copy if something goes wrong.
Is COVID an issue when getting forensic images?
If COVID has affected your ability to travel freely as much as it has ours it will have inhibited the way in which you obtain evidential copies of data for examination. If you can’t go and get a copy of the exhibit and the client can’t or won’t send the original nothing is going to happen.
As a possible solution, it made sense to us to modify some of the applications we had been using so that they could simply send them to a client to use and then return.
If you have found yourself in similar circumstances then it may be worth considering using Assure.