National Center for Supercomputing Applications University of Illinois at Urbana-Champaign Overview of Live Computer System Capture and Triage Tool (CCTT)

National Center for Supercomputing Applications Enabling Initial Computer Investigations by Non-Expert Law Enforcement Personnel NCSA led project with collaboration from the FBI & local law enforcement Guide LE through initial investigation of computer related crimes Consent based complaints Work on live systems Gather evidence/information from SOHO Windows systems Support on-site investigation USB memory stick form factor (keep it in your glove box) National Institute Of Justice Funded Project

Motivations How critical are the actions of the law enforcement first responder to any crime? How well prepared is the typical LEFR to answer computer related complaints such as; I received an based threat. I responded to an about my inheritance but ended up loosing my life savings. My young son is getting indecent proposals from someone over IM. My daughter did not come home last night and I think it might be related to something she is doing on-line. How many LEFR resort to taking notes and referring the case on to the department’s computer investigation expert? How overloaded is that expert? Live Computer System Capture and Triage Tool

Is your force ready to tackle computer crimes How many LEFR understand the differences between different browsers and know how to capture evidence from them? Say IE versus Firefox versus Safari? How many LEFR know their way around more than one client? How many LEFR know how to capture the logs off any of the handful of popular IM clients? How many LEFR know their way around MySpace and Facebook? Live Computer System Capture and Triage Tool

Project Goals Enable non-experts LEFR to gather evidence/information from a Windows™ system and perform a preliminary examination. Preserve evidence for subsequent investigation. Lessen the number of computer based investigative situations in which an expert is required. Increase the actions a LEFR can take by providing them with on-site triage of the information. Provide configuration guidance, i.e. enable history and log caching for on-going investigations. Live Computer System Capture and Triage Tool

Driving Scenarios Threats Fraud Missing persons Suicide pacts Theft Additional evidence and or information for non-computer cases Live Computer System Capture and Triage Tool

Technology Challenges & Opportunities New forms of communication present new challenges Electronic Mail, Instant Messaging, Social Networking, Virtual Worlds, not to mention multiple client and service options. Technology can be intimidating yet it also may provide opportunities that previously did not exist. Before and social networks people still communicated only those conversations were often times not recorded. There is a potential treasure trove of information available on-line that may provide valuable time sensitive information Live Computer System Capture and Triage Tool

Live Computer Capture and Triage Tool (CCTT) Live Computer System Capture and Triage Tool Provides law enforcement personnel a simple, easy-to-use mechanism for capturing live data via step-by-step assistance. Ensures that the evidence is collected from the initial contact and provides the investigator with something to analyze. Provides a triage tool to aid the first responder in the initial examination and next step determination.

What Makes CCTT Unique? The last thing we need is another forensics tool. Wizard that guides LEFR through a collection of “typical” complaints. On-site triage of the available information for immediate action. Capture of web-based information/evidence. Live Computer System Capture and Triage Tool

What is Microsoft COFEE? From Microsoft’s website: Announced in April of this year. Focused on the extraction of “live” data from a Windows™ system before turning off the machine. Preconfigured, automated, fast tool. Up to 150 commands; previously would have taken a forensics expert hours to execute. Over 2,000 LE officers have registered COFEE in over 15 countries. Live Computer System Capture and Triage Tool

How does CCTT work with COFEE? Live Computer System Capture and Triage Tool Immediate Action

Live Computer System Capture and Triage Tool

Software Distribution and Upgrades Exploring options for software distribution via the FBI PD downloads software over the Internet Software upgrades Added support features New capabilities Live Computer System Capture and Triage Tool

Prototype Feedback Live Computer System Capture and Triage Tool “I definitely see the need for this tool in my line of work. The live capture alone is helpful, but the CCTT wizard really helps my guys to target the specific kind of information I need, like headers or instant messaging conversation logs. It’s simple to use, and that’s a good thing. We were excited to try it out, and you guys didn’t disappoint!” --Investigator Shaun Cook, Urbana, Illinois Police Department

Future Work Social Networking support This is our focus area right now Capture, present and utilize browser cookies, passwords and history information to discover and collect web-based information Automate as much as possible Automatically find the social network service and login. Collect the most relevant information and present in a straight- forward way – recent communications, to whom, content, friends, social network, blogs, pictures, and more Support for Virtual Worlds Live Computer System Capture and Triage Tool

Contact Information Randy Butler Live Computer System Capture and Triage Tool