Digital forensics is the application of science and engineering for the retrieval of digital evidence using legally acceptable methods. Today’s modern digital forensics lab provides reliable and efficient data acquisition, preservation, processing, and analysis solutions to support litigation and law enforcement operations. The body of collected digital evidence inevitably moves to a storage repository, which is increasingly an Open Storage platform that delivers the features of proprietary systems at a fraction of the investment.
According to Ovie Carroll, the Director of the Computer Crime & Intellectual Property Section (CCIPS) at the US Department of Justice, “Digital investigative analysts no longer limit their analysis to standard computer systems.
Today, analysts examine everything ‘digital,’ including desktop computers, laptops, mobile devices (cell phones and tablets), GPS navigation devices, vehicle computer systems, Internet of Things (IoT) devices, and much more. We are still in the infancy of the digital age, but developers of many products—from shoes and sports bras to lightbulbs and doorbells—are already incorporating technology into their products to collect, store, and transmit information about the user that they can analyze and hopefully monetize.”
With the proliferation of Internet-connected devices and the increased quantity and resolution of digital forensic imagery, eDiscovery creates increasingly vast amounts of data. Open Source Storage, otherwise known as “Open Storage”, has become increasingly popular in forensic labs as a cost-effective method of harnessing data growth.
Open Storage has evolved over the past decade and now embraces next-generation software-defined storage (SDS) capabilities, making it a strong contender in the cost versus capacity challenge facing forensic lab IT administrators. The developers bringing these advanced capabilities to Open Source storage produce features, such as snapshots and replication, that were previously available only from proprietary storage providers and are now standard with OpenZFS storage.
There is a range of Open Storage solutions, including Red Hat Ceph, iXsystems TrueNAS, MinIO, and Apache Hadoop. Open Storage is developed in a public, collaborative manner under a license that permits the free use, distribution, and modification of the source code. Open Source storage platforms are flexible in that they are not limited to a single storage infrastructure: they can be used for structured data, in unstructured network-attached storage (NAS) environments, or for object storage, at a fraction of the price of proprietary storage and without giving up major features.
In an effort to control storage costs without sacrificing features or capacity, forensic labs are increasingly moving toward Open Storage platforms such as TrueNAS, which uses the OpenZFS file system, renowned for long-term preservation of data while safeguarding it against corruption and bit rot. FAST Forensics, a nationwide forensics-focused provider of these systems, is regularly involved in Open Storage deployments in law enforcement and forensic lab environments. The organization’s TrueNAS storage implementations provide a reliable hardware platform that ensures secure, reliable, and cost-effective data availability as required.
According to Mark Vogel, Owner of FAST Forensics, “TrueNAS Open Storage systems and software allow for full-featured storage at a fraction of the price of proprietary commercial-grade storage systems which have historically been used in forensic environments. An important advantage of Open Storage is that it eliminates the costly coin-operated feature approach of traditional systems and allows for tighter financial controls. TrueNAS systems ship with a full suite of features that have no artificial capacity limits, meaning that forensic professionals have fewer limits and can deploy storage with the same set of features across their entire operation, including both production and backup environments. Support costs are minimized and neither manual workload placement nor convoluted migration strategies are required to work around licensing restrictions.”
Forensic facilities employ stringent digital collection and storage protocols to ensure a chain of custody that minimizes the potential for tampering or degradation. While a secure storage system is critical in these environments, so is the ability to support compliance with stringent regulations, including the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) and ISO 17025. Once the digitized evidence has been seized and securely preserved within the TrueNAS storage system, the forensics team can then begin its review.
“An important capability provided by TrueNAS storage systems is the secure, reliable access they provide to investigators and detectives during forensic analysis. When those involved in the process need to access the storage system, they simply access their share via user permissions to authenticate through Active Directory. This then allows for needed files to be accessed quickly and efficiently. And because the preservation of personal privacy is important for innocent parties involved in the investigation, there are a variety of processes involved to ensure irrelevant personal information is excluded during examination – protecting sensitive data,” added Vogel.
Open Storage offers the flexibility, reliability, and stability to take full control over both the architecture and the destiny of data storage, with the agility to handle a large number of forensic workloads. More sophisticated storage requirements are easily achieved because Open Source community support enables the low- or no-cost addition of compelling new features to Open Storage environments. Furthermore, the flexibility of these systems helps with integration into any forensic operation, ensuring that investigations can proceed without delay. This class of Open Source storage makes the examination of important digital evidence possible without sacrificing features, compromising resiliency, or sacrificing privacy.
About the Author
Morgan Littlewood serves as SVP TrueNAS Product Management for iXsystems. Prior to joining iXsystems, Morgan held executive posts with Cisco and Violin Memory in support of enterprise storage and networking.