Australian Cyber Security Magazine, ISSUE 4, 2018

Page 38

Cyber Security

Hybrid Forensics: Dealing with massive data volumes and large networks

By Richard Adams

Practitioners working in the fields of forensics, eDiscovery and IT security face several issues when processing multiple endpoints. If the typical eDiscovery/forensics approach is adopted, it has a significant negative impact on network infrastructure, because massive amounts of (mostly useless) index data are collected to a central point. Quite apart from the unreliability of indexing, this is also a very slow process and requires network administrators to allow ‘agents’ to be installed on the targeted endpoints. A further problem with this approach is that the tools interact directly with the host operating system and therefore may be denied access to certain files in use by the system or other applications. Hybrid Forensics is an approach designed to address these problems. It combines the ability to process multiple endpoints as a single task with the ability to target system and application artefacts without interference from the operating system, e.g. registry information, locked files (such as email containers) and unknown executable files.


A key aspect of the Hybrid Forensics approach is to run a collection tool with the capability to undertake literal string searches at a disk level (rather than an operating system level), with the code running entirely in memory on each custodian, i.e. it is not installed. This provides four significant benefits:

1. Deployment is fast, easy and doesn’t require the participation of custodians.
2. Only responsive data is ever moved across the network, reducing the effect on network infrastructure.
3. The search process is much more effective and will find responsive material missed by the index approach, e.g. because of language issues or other indexing restrictions.
4. The speed of collection is increased, as all processing and collection is carried out in parallel, rather than individually or in small batches (a typical approach to reduce network load by queuing up jobs).
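As an added illustration of the disk-level, in-memory search described above (example code written for this edit, not the author's tool), the following reads a constructed raw image in fixed-size chunks, carries an overlap so a search term split across two reads is still found exactly once, and returns only the responsive hits with a few bytes of context, which is all that would cross the network. The endpoint names, search terms and offsets are constructed; real use would read the block device rather than an in-memory bytes object.

```python
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

CHUNK = 4096  # size of each raw read, as a collector would read a block device

def scan_raw(data: bytes, terms: List[bytes], chunk: int = CHUNK,
             context: int = 12) -> List[Tuple[int, bytes, bytes]]:
    """Literal-string search over raw bytes read chunk by chunk, the way a
    disk-level collector reads a device rather than opening files via the OS.
    An overlap of (longest term - 1) bytes is carried between chunks so a term
    straddling a chunk boundary is still found, and found exactly once.
    Only hits are returned: (absolute offset, matched term, short context)."""
    pattern = re.compile(b"|".join(re.escape(t) for t in
                                   sorted(terms, key=len, reverse=True)))
    overlap = max(len(t) for t in terms) - 1
    hits, tail, pos = [], b"", 0
    while pos < len(data):
        window = tail + data[pos:pos + chunk]
        for m in pattern.finditer(window):
            if m.end() <= len(tail):      # fully inside tail: reported last round
                continue
            start = pos - len(tail) + m.start()
            snippet = window[max(0, m.start() - context):m.end() + context]
            hits.append((start, m.group(0), snippet))
        tail = window[-overlap:] if overlap else b""
        pos += chunk
    return hits

def collect(endpoints: Dict[str, bytes], terms: List[bytes]) -> Dict[str, list]:
    """Run scan_raw against every endpoint image in parallel (one task covering
    all custodians); each worker hands back only its responsive hits."""
    with ThreadPoolExecutor() as pool:
        futures = {n: pool.submit(scan_raw, img, terms) for n, img in endpoints.items()}
    return {n: f.result() for n, f in futures.items()}

def make_image(placements: Dict[int, bytes], size: int = 3 * CHUNK) -> bytes:
    """Constructed sample 'disk image': zero-filled bytes with literal strings
    written at chosen absolute offsets (no file system involved)."""
    img = bytearray(size)
    for off, blob in placements.items():
        img[off:off + len(blob)] = blob
    return bytes(img)

if __name__ == "__main__":
    TERMS = [b"invoice-4471", b"PROJECT-ORION"]
    # 'invoice-4471' is placed so that it straddles the first chunk boundary.
    fleet = {"ws-01": make_image({CHUNK - 5: b"invoice-4471 attached",
                                  9000: b"re: PROJECT-ORION"}),
             "ws-02": make_image({200: b"nothing responsive here"})}
    for name, found in collect(fleet, TERMS).items():
        print(name, [(off, term) for off, term, _ in found])
```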

