OnLineDFS(TM) is next generation software for computer investigations in enterprises. Our software enables in-depth analysis of computer systems in order to identify behavior that is at variance with policies, regulations or laws, and to gather data in a forensically sound manner.
We have designed OnLineDFS to fit the requirements of IT security professionals in corporations and government agencies and for computer investigators in law enforcement. OnLineDFS enables IT security personnel to make a rapid but forensically sound determination about whether an issue exists in a computer so that quick action can be taken to stop the problem.
Because OnLineDFS enables non-disruptive but forensically sound examination and information gathering, as well as data gathering from systems which are geographically remote from the investigator, it is ideal for auditing running systems for compliance assurance and for gathering data for e-discovery.
OnLineDFS Features and Benefits
OnLineDFS is a broad and deep framework for rapid, to-the-point incident response, compliance auditing and e-discovery. We provide an extensive array of supporting analytical and data acquisition tools, excellent logging and reporting, and an open environment enabling the use of other tools to examine the data we gather. The features are developed and installed on a modular basis.
OnLineDFS Feature Summary
Key benefits and features of OnLineDFS include:
Examines running systems: The fundamental goal of OnLineDFS is to capture information from a running system - volatile information that is lost when traditional disk duplication approaches are used. This information includes open ports, running processes, related applications and files, network connections, listening servers and memory. There are several vital benefits:
Information is gathered about the running state of the target computer that cannot be gained any other way.
This information can be critical to quickly identifying a potential problem and initiating corrective action in time to make a difference.
Information can be gathered cost-effectively, without disrupting the operations of the target computer.
Begins with "triage" of the target computer, and enables an investigation to proceed wherever the initial results lead: Because OnLineDFS is designed for use on running systems, the investigative framework assumes that the first decision an investigator must make is whether there are indications of items of interest on the target computer. Therefore, the first step is to collect volatile data on current operations. If this discloses possible items of interest, OnLineDFS provides tools to enable the investigator to dig deeper in a specific, focused way.
Minimizes impact to and disruption of the target system: Because we are examining running systems, we want to minimize any disruption to normal operation, for many reasons, from avoiding tipping off a suspect to keeping a mission-critical server up and running. We also want to minimize changes on the target in order to preserve potential evidence.
Operates as inconspicuously as possible: The initial acquisition of volatile data is very fast and difficult to notice. Few of the target's CPU resources are utilized, and the impact on network utilization is well within routine fluctuations. OnLineDFS processes running on the target computer are small (60K or less), run briefly and are named so as not to stand out.
Offers protection from unauthorized investigations: An OnLineDFS investigation requires credentials such as the administrative login password and the system name or IP address of the target. This prevents misuse of the technology and protects the enterprise from unauthorized investigations.
Requires no preloaded software: OnLineDFS provides all software required to execute on the target at the time of the investigation. No pre-installed software of any kind is required on a target computer prior to the initiation of an investigation. Because a machine may be compromised, we do not trust the software on the target machine and instead provide our own clean versions. This includes statically linked binaries where applicable. The software does not overwrite the system binaries, but is placed in a temporary directory and later is deleted.
Supports secure remote investigation: The investigator's time is a scarce resource. OnLineDFS was designed to increase the efficient use of this time. The web-based interface allows the investigator to connect to OnLineDFS and manage an investigation using OnLineDFS from anywhere. The investigator can use a wide variety of web browsers and any OS platform and IP-based network that connects to OnLineDFS. This connection need not be high speed. The web pages are small by design to facilitate communication between OnLineDFS and a remote investigator. The connection to the investigator is secured through the use of secure http (https); all data sent across this connection is encrypted.
Adheres to forensic best practices: We have designed OnLineDFS with the following best practices in mind:
Minimize evidence contamination. By storing evidence on an external, removable drive, we eliminate the possibility of evidence from one investigation contaminating another. We recommend that external disks be properly zeroed before use. In addition, analyses are performed on copies of the data to minimize the number of times evidence is read on the target system. OnLineDFS is designed to minimize interaction with the target machine.
Work from copies of evidence. We perform analyses only on acquired data - that is, data that has been copied and resides in OnLineDFS storage. This allows us to maintain control of all acquired evidence. Data copied and stored on the OnLineDFS machine includes data from the target that resided on its internal disk as well as any external disk (including non-volatile memory sticks, etc.). Storing data on an external disk allows the investigator to isolate all the data relating to one case on one physical device.
Record file MAC times. File MAC times, including the access time, are recorded before files on the target machine are read.
Avoid duplication or overwriting of acquired data. OnLineDFS data is organized into "Cases," which consist of discrete "Inquiries." Many tasks can only be performed once in a given inquiry, such as acquiring a particular file or getting a list of running processes. Because the target is a running system, processes and files in memory change over time. To avoid confusion about whether a specific action (e.g., acquire a file) should overwrite the previous instance, or whether an analysis applies to a current or previous action, we allow only one instance of a particular piece of acquired data to exist within each Inquiry.
Gather evidence in order of volatility. The tasks in the initial data acquisition step are performed in the order of volatility, with the most volatile data being acquired first.
Document all actions. All activities on OnLineDFS are logged. Each log entry includes the investigator, the investigator's location, the time, and the activity. For acquisitions, the activity is logged as the command line equivalent, including all flags and command line options. The investigator can compute an MD5 hash, reflecting the current state of the log, at any time. The hash is appended to the end of the log.
Preserve integrity of the evidence. The integrity of all acquired data is preserved through MD5 hashes. Hashes are computed both on the target and on OnLineDFS to ensure that no changes occurred during network transfer.
Maintain chain of custody. Because all evidence can be stored on an external disk, standard chain of custody practices can be employed, such as use of evidence lockers with sign-in and sign-out procedures.
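An added Python illustration of three of the practices listed above (MAC times recorded before a file is read, hashes computed on both sides of the copy and compared, and a sealing MD5 appended to the action log, with a refusal to acquire the same file twice in one inquiry). This is not OnLineDFS code; the file name, investigator name and location are constructed for the example.

```python
import hashlib, os, shutil, tempfile, time

def mac_times(path):
    # stat() does not touch atime; the read that follows would, so record first.
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_file(src, evidence_dir, log, investigator, location):
    """Copy src into evidence_dir, verify source and copy hashes, log the action."""
    times = mac_times(src)                      # recorded before any read of the file
    src_hash = md5_file(src)                    # hash on the "target" side
    dst = os.path.join(evidence_dir, os.path.basename(src))
    if os.path.exists(dst):                     # one instance per inquiry, never overwrite
        raise FileExistsError(f"{dst} already acquired in this inquiry")
    shutil.copyfile(src, dst)
    dst_hash = md5_file(dst)                    # hash on the collector side after transfer
    ok = src_hash == dst_hash
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    log.append(f"{stamp} {investigator}@{location} cp {src} {dst} "
               f"md5_src={src_hash} md5_dst={dst_hash} verified={ok}")
    return {"dest": dst, "mac_times": times, "md5": src_hash, "verified": ok}

def seal_log(log):
    """Append an MD5 over the current log contents and return it."""
    digest = hashlib.md5("\n".join(log).encode()).hexdigest()
    log.append(f"LOG-MD5 {digest}")
    return digest

def demo():
    # Constructed sample: a temporary 'target' file and an 'evidence' directory.
    root = tempfile.mkdtemp()
    target = os.path.join(root, "suspect.txt")
    evidence = os.path.join(root, "evidence")
    os.mkdir(evidence)
    with open(target, "w") as f:
        f.write("constructed sample evidence\n")
    log = []
    result = acquire_file(target, evidence, log, "analyst1", "10.0.0.5")
    try:
        acquire_file(target, evidence, log, "analyst1", "10.0.0.5")
        dup_refused = False
    except FileExistsError:
        dup_refused = True
    return result, dup_refused, log, seal_log(log)
```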
Provides an easy-to-use user interface: The OnLineDFS web interface is simple and easy to use. Each page has context-sensitive help. All tables have a standard "look and feel." The overall flow of the web pages supports the order typically used by investigators. Whenever possible, essential information appears at the top of the page, in plain sight. For pages that generate output exceeding the viewing area, we provide automatic scrolling. OnLineDFS does not require any special browser configurations, such as cookies, JavaScript, ActiveX, etc. The majority of the interface is text based. While this may give a more austere appearance, our experience is that investigators prefer content and fast response over intense graphic formatting and presentation.
Allows for use of third-party tools: OnLineDFS data is stored in non-proprietary formats. This facilitates the use of third-party tools to analyze data acquired during an investigation. Acquired disk images, for instance, are in the standard dd format. Raw data for which no standard exists are recorded in human-readable files or XML.