If you don't have trained digital forensics analysts on staff, and you need computer forensic analysis for an incident or other event, what do you do? The usual choice is hire a consultant. But there are some potential inefficiencies in doing that.
So, are there any other options? What if you could take an image and send the image to a consultant for analysis? Or, better yet, what if you could have a forensically sound peek at the computers involved in the incident and decide which ones you need images of? Or, live partial captures might be just the ticket. And, of course, you don't want to pay for anything until you are satisfied that the analysis is going to – likely – bear some fruit. That would be just what the doctor ordered. And that is exactly what our First Look this month offers.
The idea behind BitFlare is that you use a free CD to examine a computer. You decide what you need to preserve, preserve it, and send it to SunBlock Systems after choosing the analysis services you want. You may not need to pay for those services if they are trivial, but the cost can get up there if you want a lot. However, if you have only occasional need for computer forensics just about no matter what the cost of your options, it will be a lot less expensive than hiring/training a specialist and buying top-end digital forensic tools.
The way that BitFlare operates is simplicity itself. There is a very simple-to-follow process chart on the BitFlare website. You go out to that site (https://www.bitflare.com/) and download the BitFlare ISO image. This image creates a bootable CD. A bootable CD is necessary to capture a forensically clean image. During the forensic process, we never want to be able to write to the evidence. When we take an image, we want to work from an external operating system that runs our acquisition program. The BitFlare bootable CD provides exactly that functionality.
Your next step is to organize the data on the target disk. Part of this step creates appropriate chain of custody. The chain of custody is maintained in a number of ways, most of which are tied to encryption and hashing. Files encrypted by the software during the acquisition process can only be unencrypted by SunBlock. That, in addition to appropriate hashing, means that SunBlock Systems can, if necessary, testify as to the chain of custody of the image.
Once the data on the target disk is organized, you can use the BitFlare tools to examine what you've found. This includes such things as searches, the most common computer forensics function. If you see things of interest – and, remember, you haven't spent a nickel yet – you can extract the data for which you need deeper analysis. Now you likely are going to start spending some money. SunBlock says, however, that costs average around $400 per computer, although the price certainly can go much higher depending on the complexity of the required analysis.
This step requires that you purchase one or more evidence discovery packs (EDPs). The EDPs gather up the evidence, do a bit of chain of custody magic and lead to your last step: saving the evidence. Off it goes to SunBlock and you get all of the chain of custody logs. Give the folks at SunBlock a bit of time and you get your results back. If you need SunBlock forensics experts to testify in court, they will be happy to provide that service – for a reasonable fee, of course.
BitFlare can be used as a full computer forensics tool in an eDiscovery mode that does not perform all of the hashing and chain of custody functionally that the preservation – full forensic – mode does. There are lots of neat little functions that forensics experts like included in BitFlare. For example, the tool calculates the clock skew between the target computer and a time standard so that all evidence has a correlated time base. Every step is logged and the logs are stored in an encrypted audit trail. You can identify leads uncovered by the tool and save those leads to a “leads list.”My overall impression of this approach is that it is just what is needed by most small- and medium-sized organizations. Even for some larger organizations there may be unique ways that BitFlare fits into an incident response triage program. Is it court-tested? Not yet. Of course, the main reason for that is that nobody has yet to challenge it. That will come, I'm sure, and I would bet that, with SunBlock's long experience in computer forensics, BitFlare will hold up just fine.
Product: BitFlare v1.3.3
AT A GLANCE
Company: SunBlock Systems
Price: Free until you perform analysis, then pricing varies with services purchased.
What it does: Allows engineers not well-versed in computer forensics to perform first response forensics.
What we liked: This is a very creative solution to a difficult problem: forensic first response when there are no trained forensic analysts.
What we didn't like: I had to put myself in the position of a forensics novice and when I did I couldn't find anything not to like. As a digital forensics specialist, I would like a court-tested product. However, as this product/service has never been challenged, we will have to wait a while for that.