Why is acquiring artifacts from remote endpoints a challenge in forensic investigations

A customer recently told me they could be at search warrants every day of the year and never make a dent in their case load. That’s a sad, sobering statement. There are so many child exploitation cases that law enforcement cannot even begin to get to them all.  Combine the sheer number of cases with the amount of digital evidence that needs to be examined in each case and the fact that investigation teams are buckling under the weight of decreased funding, increased resignations and fewer prospective investigators coming up through the ranks. The picture does not seem very pretty.

A similar situation exists with corporate investigations.  We are hopefully headed towards a post-pandemic world, but the remote work challenges are still at play. IT and HR teams are faced with the challenges of investigating both internal threats and external bad actors, both within the office and from remote locations. 

But there is hope.

Introducing support for the Advanced Forensics File (AFF4) format

The speed at which an investigator can get through his or her case is paramount in digital forensic investigations. This means using tools that not only deliver fast performance but also increased efficiency. The OpenText™ teams continue to innovate and deliver features that help investigators find evidence faster, more reliably and more efficiently. One such efficiency innovation comes from the Advanced Forensics File Format (AFF4), now supported in OpenText™ EnCase™ Forensic and OpenText™ EnCase™ Endpoint Investigator Cloud Edition (CE) 22.3.

Consolidating evidence collected from multiple tools into a single case file

AFF4 is a forensic container format used to create forensic images. The reality of today’s digital forensics environment is that, just as a carpenter has an entire toolkit to build a nice piece of furniture, it is not uncommon for a digital forensic investigator to use a toolkit of assorted products to build a reliable case. The ability to bring all of those different evidence types into your EnCase investigation improves efficiency and ensures you can deliver the highest quality investigation results. Because AFF4 is an industry standard, it gives investigators more comprehensive investigation capabilities and improves ease of use for any level of investigator.

There are two types of AFF4 images – physical and logical. EnCase Forensic and EnCase Endpoint Investigator began supporting logical images in CE 22.1. Logical images collect only the data that is visible to the file system and typically do not recover deleted items, data that may be contained in deleted areas of a device, or file fragments. A logical device collection focuses on “active” files on a device. Logical forensic collections are typically less expensive and may give an investigator less data to deal with, but these types of collections do not provide insight into deleted files, which is critical when tracing the digital footprint of a bad actor. 

Improving the speed and accuracy of investigations

With the release of CE 22.3, EnCase Forensic and EnCase Endpoint Investigator support physical images.  A physical device collection is a bit-by-bit copy of the device – an exact copy. Conducting physical imaging is the most thorough approach and acquires the greatest amount of data. It is used to acquire the entire physical volume of a drive. Physical forensic images capture deleted space, file fragments and provide access to deleted and encrypted data. This type of imaging provides full access to device artifacts, including event logs, files and timestamps. 

For high stakes situations such as internal investigations or criminal matters, the most defensible and forensically sound device collection method is acquiring a physical forensic image of the device in question. 
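To make the logical-versus-physical distinction above concrete, here is an added Python example (not from the original post, and not EnCase or OpenText code) that simulates a tiny disk with a constructed allocation table: a logical collection walks only the entries the file system still reports, while a physical bit-for-bit copy, hashed for integrity, still contains the deleted file's bytes and lets them be carved back out. The disk layout, file names and contents are constructed for illustration only.

```python
import hashlib

# Constructed toy "disk": a zero-filled byte array plus a dict acting as the
# allocation table (name -> (start offset, length)). Not a real file system.
BLOCK = 16
DISK_BLOCKS = 8

def make_disk():
    disk = bytearray(BLOCK * DISK_BLOCKS)
    table = {}
    def write(name, start, data):
        disk[start:start + len(data)] = data
        table[name] = (start, len(data))
    write("memo.txt", 1 * BLOCK, b"quarterly plan")
    write("secret.txt", 3 * BLOCK, b"wire 50k to acct")  # constructed content
    return disk, table

def delete_file(table, name):
    # A typical delete: the directory entry goes away, the bytes stay on disk.
    del table[name]

def logical_acquire(disk, table):
    # Logical collection: only files the file system still reports as active.
    return {name: bytes(disk[s:s + n]) for name, (s, n) in table.items()}

def physical_acquire(disk):
    # Physical collection: every byte, plus a hash that proves the copy is exact.
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def carve(image, marker):
    # Recover unallocated content by scanning the raw image for a known marker
    # and reading up to the next zero byte (the end of the deleted fragment).
    idx = image.find(marker)
    if idx < 0:
        return None
    end = image.find(b"\x00", idx)
    return image[idx:end if end >= 0 else len(image)]

def demo():
    disk, table = make_disk()
    delete_file(table, "secret.txt")
    logical = logical_acquire(disk, table)
    image, digest = physical_acquire(disk)
    return {
        "logical_names": sorted(logical),
        "deleted_visible_logically": "secret.txt" in logical,
        "deleted_recovered_physically": carve(image, b"wire") == b"wire 50k to acct",
        "image_hash_verified": hashlib.sha256(image).hexdigest() == digest,
    }
```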

As the pioneer in digital forensic investigations, EnCase is the solution of choice for law enforcement, government agency and corporate investigations across the globe. EnCase is well-recognized for providing the innovation needed to perform deep-dive forensic investigations and superior search capabilities. EnCase users also experience up to 75% faster evidence processing compared to other forensic tools. And now, with the release of CE 22.3, EnCase Forensic and EnCase Endpoint Investigator customers can ingest evidence collected with other tools into the EnCase platform to speed up and improve the accuracy of their investigations, closing cases faster and reducing case backlogs. This collaboration and increased efficiency give digital forensic investigators the information advantage needed to create a safer, more secure world. For more information, visit us at https://security.opentext.com.

Peri Storey is the Senior Product Marketing Manager for OpenText Digital Forensic solutions. Having spent her marketing career in the technology sector, Peri has focused on delivering brand recognition, go-to-market plans and lead-generation programs on a global scale. With a voice-of-the-customer approach, Peri is focused on solving the challenges associated with explosive data growth in a digital world.

What are the biggest challenges to conducting digital forensic investigations?

The volume challenge. As the number of devices and the volume of data grow, the field of digital forensics faces the volume problem. Now, more than ever, investigators can accumulate unprecedented volumes of data. However, automation tools to store and analyze such data are lagging.

What are some of the challenges that digital forensic scientists face?

Challenges for digital forensics:
Explosion of complexity
Development of standards
Privacy-preserving investigations
Legitimacy
Rise of anti-forensics techniques

What are some issues that should be considered in acquiring digital evidence from the cloud?

Some of the concerns regarding cloud computing include digital forensics, information security, data jurisdiction, privacy and national law.

What types of artifacts may be generated when you visit a website?

Web page artifacts are one type of Internet browser artifact. Other Internet artifacts include Internet browser history, downloaded files and cookie files. If the device of interest is a mobile device, evidence may also reside in database files such as SQLite files.