Pre-1990 investigators could just look under the mattress and in a few drawers to find enough evidence to charge a suspect. Perpetrators got wise and figured out that it’s much more efficient and secure to hide evidence on a computer. As things evolved, law enforcement agencies learned how to transfer evidence from the suspect’s desktop to their own — but there were still two problems:
- The evidence needed to be processed very quickly. As it was, downloading and transferring the graphics-heavy contents of a suspect’s desktop was taking days.
- The chain of evidence needed to be preserved in such a way that it would hold up in court — otherwise it was essentially useless. There needed to be a way to prove that the contents from the suspect’s device hadn’t been corrupted in any way.
Nearly all forensic investigations today involve digital evidence. But with current forensic workstations, what used to take days to download can now be accomplished in a matter of hours. This is extremely important when you consider that, in many cases, the suspect can’t be charged and remains on the street until the contents are downloaded and reviewed. Also, forensic workstation builders, working with the legal community, learned how to configure hardware and software to preserve the chain of evidence in a way that is acceptable in court.
So, exactly what is digital forensics? It is the acquisition, scientific examination and analysis of data retrieved from digital devices (computers, smartphones, game consoles, memory sticks, etc.) so that the information can be used in court, or for the purposes of the retriever, without disturbing that evidence.
And what exactly are forensic workstations? They are very high-level computers with the power and storage capacity to process, preserve, document and make available the contents of confiscated digital devices. For example, the U.S. Securities and Exchange Commission (SEC) uses forensic workstations to routinely and efficiently download an unimaginably large amount of data from financial institutions under investigation. But much smaller law enforcement entities use them as well.
So, why aren’t more technology builders in this market? Configuring these machines is extremely complex. A lot of processing power and associated components need to be arranged into a relatively small space. Another issue is that preserving and documenting the chain of evidence requires experience with specialized components, such as write-blockers.
A key design decision is the workstation’s purpose: data acquisition, processing or both. Many systems are multi-purpose and can perform forensic data acquisition and processing equally well. Another important consideration is the required processing speed and the number of processors, processor cores and amount of memory. Yet another consideration is the type of media the system needs to acquire data from. After this is established, the next step is to plan and incorporate write-protected data acquisition methods.
Once the data can be read in an evidentiary-safe manner, it needs to be stored on either a target drive, a RAID array or both. With the storage system defined, the design of the RAID system or the number of destination drive bays to allow for needs to be specified.
Another decision is whether graphics processing units (GPUs) — for assistance in breaking passwords — need to be included. Normally, systems are shipped with a single graphics card used for display purposes, but users can also leverage the intense processing power of the GPU for assistance in password cracking. Specialized password/decryption servers and clusters with multiple GPU-optimized systems designed for 24/7 operation are also available.
So, unlike most desktops, and even high-performance computers, forensic workstations have a specific purpose in life — to let investigators know as quickly as possible whether or not a suspect will be charged and to ensure that the prosecutor has the strongest possible digital evidence to bring into court.
John Samborski is CEO of Ace Computers.