Authors: Frank Adelstein, Ph.D. (ATC-NY)
DFRWS USA 2002
Digital forensics experts perform investigations of machines for “triage” to see if there is a problem, as well as to gather evidence and run analyses. When the machines to be examined are geographically distributed, an investigator could benefit greatly if he could conduct the investigation, or even its initial stages, remotely. The Mobile Forensic Platform (MFP) is a tool for performing remote network forensics. With it, investigators can gather evidence on a remote running system, maintain a copy of the original evidence (protected by a cryptographic hash), and run various analyses on the data to determine the next steps in the investigation (e.g., seize the machine, run tests, look elsewhere). The MFP maintains audit logs on all tasks it performs. ATC-NY (formerly Odyssey Research Associates) has designed the framework for, and implemented a prototype of, the MFP. We have modeled the investigative process to define the tasks investigators perform. The framework defines the interface for each modular component in the process. The prototype serves as a proof-of-concept to demonstrate how the different components of the system will function together. We implemented the MFP on a laptop computer with a platform-independent web interface serving as the GUI. The investigator runs a web browser on his desktop computer, connecting remotely to the MFP’s web server to perform the investigative tasks. The preliminary version of the MFP supports a small set of analysis tools that illustrate the potential of the MFP. In particular, we created 3 sample logfile analysis tools. They detect if the data in a log file has been tampered, and also served to define how the analysis tools fit into the overall MFP framework. We describe each of the tools.