Voom Technologies’ Shadow 3 said to provide a quick way to investigate computers without compromising evidence
Editor’s note: Voom Technologies of Lakeland, MN has provided this description of its Shadow 3 technology, which the company says can quickly view and navigate a suspect’s computer using its operating system, applications, and files to speed investigations and improve evidentiary presentations.
To access a suspect’s computer, traditional procedure involves removing the hard drive, creating a forensic image (a duplicate copy) and then analyzing that copy using sophisticated industry-specific software.
Although effective, this process takes many hours and allows investigators to view and present information only in a raw state -- one that non-computer experts such as attorneys and juries can find difficult to understand.
As a result, computer forensic investigators are increasingly adopting a complementary tool that allows them to turn on and operate the suspect’s computer without altering its contents in any way.
By doing so, investigators are able to review and navigate the computer as if the suspect had turned it on and then stepped aside. This includes using whatever operating system is installed, launching programs, opening files, viewing recent e-mails or images, Web history, etc. Literally anything the computer’s owner can see or do can be accessed without risk of altering the evidence.
This ability to view the computer in its natural state is speeding investigations and increasing the likelihood that the case will be resolved prior to trial.
Because the tool -- the Shadow 3 from Voom Technologies -- can be installed within minutes rather than the half day or more to copy a hard drive and run forensic software, critical evidence can be accessed more quickly for time-sensitive cases such as abductions, child abuse, and homicides.
In addition, any evidence discovered can be copied to an external storage device such as a thumb drive, printed, or captured as a screenshot or screen video. Because this evidence is presented in a more relatable way, it is often more easily understood by attorneys, investigators, judges, and juries.
Accessing, without altering
When a computer is turned on, thousands of changes are made in the background automatically. The operating system runs updates, anti-virus scans are conducted, bit logs are changed, Internet files purged -- all of which can potentially overwrite or alter evidence.
To protect against this, digital forensic experts vigorously avoid turning on the computer. Instead, they remove the hard drive and make several copies before returning the original to the computer and storing it as evidence.
Next, they utilize existing forensic software tools on the market, such as EnCase, Forensic Imager, PTK Forensics, NetAnalysis Forensic Toolkit, and FTK, to index and categorize the contents of the drive copies.
Depending on the size of the hard drive, the process of copying and indexing can take 10-12 hours. Once completed, the information is available only in a raw data format with file, folder, metadata and time stamp information, and the like.
The information, though extremely detailed, “can be like a second language,” says one computer forensic examiner with 14 years’ experience who has worked as a law enforcement officer, corporate investigator, government investigator, and industry consultant.
The Shadow 3, on the other hand, is a small portable hardware device that is inserted between the hard drive and the motherboard. Originally introduced in 2004, the Shadow product is currently deployed worldwide, in over 100 local, state, and federal law enforcement and justice agencies.
Once the Shadow 3 is properly connected, the computer can be safely turned on. All “write” commands (changes intended for the hard drive) are stored within the Shadow 3 device, never making it to the hard drive. “Read-only” commands that access, but do not change information, are still allowed.
During the course of the investigation, any saved “write” commands stored in the Shadow 3 device are still available to the processor as if they reside on the hard drive.
With this approach, no changes from boot up through operation ever reach the hard drive. Because it is repeatable, evidence produced using the Shadow has already been proven in court to be valid and admissible.
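The write-caching behaviour described above (writes captured in the device, reads served from the cache when a cached sector is requested, the drive itself untouched, and the session repeatable once the cache is dropped) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Voom’s code or the Shadow 3 firmware, and the disk image, sector size, and simulated boot-time writes are all constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512  # assumed sector size for this model


class EvidenceDisk:
    """The suspect's drive. Nothing below ever mutates this object; the
    write blocker in front of it is what keeps it that way."""

    def __init__(self, image: bytes):
        if len(image) % SECTOR_SIZE:
            raise ValueError("image must be whole sectors")
        self._image = bytes(image)

    @property
    def sector_count(self) -> int:
        return len(self._image) // SECTOR_SIZE

    def read_sector(self, lba: int) -> bytes:
        if not 0 <= lba < self.sector_count:
            raise IndexError(f"LBA {lba} out of range")
        start = lba * SECTOR_SIZE
        return self._image[start:start + SECTOR_SIZE]

    def digest(self) -> str:
        """Whole-drive hash; compare before and after a session to show
        that nothing reached the drive."""
        return hashlib.sha256(self._image).hexdigest()


class WriteCachingBlocker:
    """Sits between host and drive. Reads pass through; writes are kept in
    a per-session cache keyed by LBA and never reach the drive. A later
    read of a cached LBA is answered from the cache, so the host sees a
    consistent, writable-looking disk."""

    def __init__(self, disk: EvidenceDisk):
        self.disk = disk
        self._cache = {}  # lba -> sector bytes written by the host

    def read_sector(self, lba: int) -> bytes:
        if lba in self._cache:
            return self._cache[lba]
        return self.disk.read_sector(lba)

    def write_sector(self, lba: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes must be whole sectors")
        if not 0 <= lba < self.disk.sector_count:
            raise IndexError(f"LBA {lba} out of range")
        self._cache[lba] = bytes(data)

    def cached_sectors(self) -> int:
        return len(self._cache)

    def power_cycle(self) -> None:
        """Dropping the cache returns the host's view to the pristine drive,
        which is what makes a session repeatable."""
        self._cache.clear()


def build_sample_disk(sectors: int = 16) -> EvidenceDisk:
    """Constructed sample image: sector n is filled with byte value n,
    except sector 5, which holds a fake zero-padded log file."""
    image = bytearray()
    for n in range(sectors):
        image += bytes([n]) * SECTOR_SIZE
    log = b"2016-09-01 boot ok\n".ljust(SECTOR_SIZE, b"\x00")
    image[5 * SECTOR_SIZE:6 * SECTOR_SIZE] = log
    return EvidenceDisk(bytes(image))


def simulate_boot(blocker: WriteCachingBlocker) -> None:
    """Constructed stand-in for boot-time housekeeping: append a log
    entry, rewrite a bookkeeping sector, clear a temp area."""
    sector5 = bytearray(blocker.read_sector(5))
    entry = b"2017-02-10 boot under examination\n"
    end = sector5.index(b"\x00")  # first byte of the zero padding
    sector5[end:end + len(entry)] = entry
    blocker.write_sector(5, bytes(sector5))
    blocker.write_sector(1, b"\xff" * SECTOR_SIZE)
    blocker.write_sector(9, b"\x00" * SECTOR_SIZE)


def run_session() -> dict:
    """One examination session: boot behind the blocker, check the drive
    hash, then power-cycle and confirm the original view is back."""
    disk = build_sample_disk()
    before = disk.digest()
    blocker = WriteCachingBlocker(disk)
    simulate_boot(blocker)
    host_view_log = blocker.read_sector(5)
    after = disk.digest()
    cached = blocker.cached_sectors()
    blocker.power_cycle()
    return {
        "drive_unchanged": before == after,
        "host_saw_new_log_entry": b"under examination" in host_view_log,
        "drive_has_new_log_entry": b"under examination" in disk.read_sector(5),
        "sectors_cached": cached,
        "reset_restores_original": blocker.read_sector(5) == disk.read_sector(5),
    }


if __name__ == "__main__":
    for key, value in run_session().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is the one the text relies on: the host never learns that its writes were diverted, because every subsequent read of a written sector is answered from the cache, yet the hash of the underlying drive is identical before and after the session. In practice the examiner would hash the physical drive, not an in-memory image, and would record both hashes in the case notes.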
“Prior to using the Shadow 3, I didn’t have a reliable method of looking at a suspect’s computer the same way the suspect would be using it,” says Craig Cilley, a computer forensics expert for the Washington County (Minnesota) Sheriff’s Office since 2006.
Cilley is responsible for cyber crime and ICAC (Internet Crimes Against Children) cases. The agency also assists the probation department, the county attorney’s office, Internal Affairs, and social services with computer related issues on occasion.
He first heard about the digital forensics tool two years ago, when it was already in use at several other agencies in Minnesota. After a trial of the product, he recommended its purchase to his superior officer.
“I showed him the capabilities of the Shadow 3 and how we could use it and the time savings it would bring to me,” says Cilley. “In my business, time is money.”
For Cilley, the Shadow 3 represents a “scalpel forensics” mode that saves time because he can access data without having to review every bit of information on the computer.
The information in the form of screenshots, printed e-mails, etc. can be retrieved quickly enough to be shown to suspects during questioning, to secure arrest warrants, or to rule out a suspect.