Saturday, December 11, 2010

TinyCore: A Mighty Platform (Part 1)

Last week I rediscovered TinyCore Linux.  I had taken a look at it about 6 months ago and was intrigued, but didn't have the time to explore it further.  However, I have been seeking a small Linux distribution on which to build a specialized forensics distro, and last week I gave TinyCore another look.

Background

I believe there is a need in computer forensics for an investigator with limited training to be able to search for and seize digital evidence from storage devices.  Some of the reasons I believe this are:

  1. There are not enough trained forensic computer examiners to keep pace with the number of cases involving digital evidence.
  2. The backlog created by a lack of examiners means cases don't get filed for months or even years after the discovery of the crime.  Meanwhile, the perpetrator is free to commit more crimes.
  3. Prosecutors are less likely to pursue older cases, in part because witness recall becomes unreliable.
  4. The majority of charges filed against perpetrators are settled out of court through plea bargaining.  

Therefore, in most circumstances digital storage devices are taken to computer forensics laboratories to search for evidence to support a filing of criminal charges.  But the labs are too busy to get to the examinations very quickly, and by the time they do, prosecutors are reluctant to file charges because of the delayed filing and/or the perpetrators have been committing additional crimes.  I know this doesn't describe all situations, but it should ring true with most people in some manner.

Solution

The obvious solution is to increase the number of forensic computer examiners and computer forensics laboratories.  However, that isn't going to happen, at least not in the near and not-so-near futures.  And, since I'm a "work with what I've got" kind of guy, I've been working on another solution:

Criminal investigators need simple but effective tools to search for and seize evidence from digital storage devices.  The tools need to be forensically sound, i.e., they do not alter the original media in any way, but easy enough to use that a basic computer user can feel comfortable and conduct effective examinations.

Think about it this way: If a criminal investigator could retrieve his own digital evidence, he could file charges immediately, and most of the cases filed would be settled without the need of further forensic computer examination.  In cases that do not settle because the digital evidence is disputed, the storage devices could be sent to the computer forensics labs for more traditional analysis.

More cases filed, more perpetrators convicted, less workload at the lab!

But how do we create such tools?  Forensic boot discs like CAInE are great for experienced investigators, and the latest version contains nautilus scripts that make live examinations like the ones I'm contemplating here possible.  But the operating system is resource heavy, slow to boot from CD, and still too complicated for basic criminal investigators (for example, it is confusing and difficult for most basic users to mount a storage device read-write to collect evidence, because the CAInE mounting policies rightly auto-mount devices read-only).  In other words, CAInE and other existing boot discs are not the right tool for users with limited computer forensics training.

TinyCore

I believe the best tool for criminal investigators with basic computer skills will:

  1. Boot quickly (criminal investigators may be in the field without the luxury of time).
  2. Work in nearly any machine (basic video drivers, e.g., xvesa)
  3. Not alter the media being examined (i.e., mount devices read-only)
  4. Create a writable storage location automatically (no command line, and no confusing the evidence device for the storage device)
  5. Contain programs or scripts that are easily accessible to find evidence files (e.g., nautilus-scripts)
  6. Create reports about files saved as evidence containing file metadata (so evidence can be commented upon by trained investigators, if needed)
  7. Allow for the creation of forensic images (in the event the device cannot be seized).
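
To make requirements 3, 4 and 6 concrete, here is an added example (my own illustration, not code from this post or from the TinyCore project) of the two core operations such a tool would wrap: mounting the evidence device strictly read-only, and copying a file into the case directory while preserving its timestamps, verifying the copy by hash, and appending a metadata line to a report.  It assumes a POSIX shell with GNU or busybox coreutils (stat -c, sha256sum); the device and mount point names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of TinyCore.
# Assumes GNU/busybox coreutils: stat -c, sha256sum, cp -p.

# Mount an evidence device read-only.  noatime keeps the mount itself from
# touching access times; noexec/nodev/nosuid keep anything on the evidence
# media from being run by mistake.  Device and mount point are placeholders.
mount_evidence_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noatime,noexec,nodev,nosuid "$dev" "$mnt"
}

# Copy one file from the (read-only) evidence mount into the case directory
# on the writable storage device.  The copy keeps the original timestamps
# (cp -p), is verified by SHA-256 before being recorded, and one
# tab-separated report line (hash, size, mtime, source path) is appended.
# Prints the hash so callers can cross-check it.
collect_evidence() {
    src="$1"; casedir="$2"
    report="$casedir/evidence_report.txt"
    mkdir -p "$casedir/files"
    hash=$(sha256sum "$src" | cut -d' ' -f1)
    size=$(stat -c %s "$src")
    mtime=$(stat -c %y "$src")
    dest="$casedir/files/$hash-$(basename "$src")"
    cp -p "$src" "$dest"
    copyhash=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$hash" != "$copyhash" ]; then
        echo "hash mismatch for $src; copy not recorded" >&2
        rm -f "$dest"
        return 1
    fi
    printf '%s\t%s\t%s\t%s\n' "$hash" "$size" "$mtime" "$src" >> "$report"
    echo "$hash"
}
```

A front end (a nautilus script, for instance) would call collect_evidence on each selected file, so the investigator never types a mount command or picks a destination by hand.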

TinyCore Linux appears to be an ideal platform from which to build this tool.  I'll explain why in Part 2...