
SEAKER: A Tool for Fast Digital Forensic Triage

Conference paper in: Advances in Information and Communication (FICC 2019)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 70)

Abstract

Faced with a preponderance of high capacity digital media devices, forensic investigators must be able to review them quickly, and establish which devices merit further attention. This early stage of an investigation is called triage and it is a chief part of evidence assessment; see [1, Chap. 2]. In this paper we present a digital forensic device, which we named SEAKER (Storage Evaluator and Knowledge Extraction Reader), which enables forensic investigators to perform triage on many digital devices very quickly. Instead of imaging the drives, which takes hours, SEAKER does a search for files with names that conform to pre-established patterns. The search is done by mounting the devices in read-only mode (to preserve evidence) and listing the contents of the device. Unlike imaging, this approach takes minutes rather than hours. Also, SEAKER’s hardware consists principally of a Raspberry Pi (RP) and so it is very inexpensive—this is crucial in this era of budgetary constraints; see [2]. Once SEAKER has identified media devices of interest, those can be confiscated for further investigation in a lab. But devices that do not have hits can be left at the scene. This has two principal benefits: forensic examiners can concentrate on those devices that are promising in terms of evidence for the given investigation, and devices without hits are not confiscated from legitimate users.
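The abstract describes the core technique: mount the suspect volume read-only, list its contents, and flag files whose names match a prepared pattern list, without reading file contents. The following shell script is an added illustration of that idea, not the SEAKER project's own script. It assumes the device is already mounted read-only at the path passed as the first argument, and that the pattern file holds one case-insensitive shell glob per line (blank lines and lines starting with `#` are ignored); the sample directory tree and pattern list it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example of file-name triage over a read-only mounted volume.
# Not the SEAKER project's script; see the lead-in for assumptions.
set -eu

# Mount a block device read-only for triage (requires root; not run by the
# self-test below). noexec/nosuid/nodev keep nothing on the evidence volume
# from being executed on the examiner's system.
mount_ro() {
  mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Build a constructed sample "device" so the example runs offline.
make_sample_device() {
  dev=$(mktemp -d)
  mkdir -p "$dev/DCIM/100CANON" "$dev/Documents/work" "$dev/.hidden"
  : > "$dev/DCIM/100CANON/IMG_0001.JPG"
  : > "$dev/DCIM/100CANON/IMG_0002.jpg"
  : > "$dev/Documents/work/budget.xlsx"
  : > "$dev/Documents/work/notes.txt"
  : > "$dev/.hidden/secret.docx"
  printf '%s\n' "$dev"
}

# Constructed pattern list (placeholder globs, not an investigator's real list).
make_pattern_file() {
  pf=$(mktemp)
  printf '%s\n' '# one case-insensitive glob per line' '*.jpg' '*.docx' '' > "$pf"
  printf '%s\n' "$pf"
}

# Print matching paths relative to the mount root, one per line.
# Only directory metadata is read; no file contents are opened.
triage_scan() {
  mnt=$1
  pf=$2
  while IFS= read -r pat; do
    case $pat in ''|'#'*) continue ;; esac
    find "$mnt" -type f -iname "$pat" 2>/dev/null || true
  done < "$pf" | sed "s|^$mnt/||" | sort -u
}

# Number of hits; 0 means the device produced no hits for this pattern list.
count_hits() {
  triage_scan "$1" "$2" | grep -c . || true
}
```

A read-only mount is not a substitute for a hardware write blocker: on journaled filesystems the kernel may still replay the journal during mount unless told not to (for example ext4's `noload` option), so in practice the software mount is paired with a write blocker. Because the scan only touches names, a match list is a triage signal and not evidence of content; the matched devices are the ones that go to the lab for imaging.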


Notes

  1. The main bash script for SEAKER is available on GitHub at https://github.com/michaelsoltys/seaker.

  2. Technically, free for the students. Some services required nominal payments; for example, the fourth author has a GitHub subscription which allows for development with private repositories—anyone can open a GitHub account, but a free plan only allows public repositories. Similarly, the fourth author has an AWS subscription; we used Amazon Web Services (AWS) S3 buckets to have a staging repository for ready-to-use software, our beta versions.

  3. We used GitHub to collaborate on this paper—which allows us to work together while hardly meeting in person.

References

  1. Hart, S.V.: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. U.S. Department of Justice (2004)

  2. Hitchcock, B., Le-Khac, N., Scanlon, M.: Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists. Digit. Investig. 16, S75–S85 (2016)

  3. James, J.I.: A survey of digital forensic investigator decision process and measurement of decision based on enhanced preview. Digit. Investig. 10, 148–157 (2013)

Acknowledgements

This work arose from a fruitful collaboration between SoCal HTTF (Southern California High Technology Task Force, Ventura County) and CSUCI (California State University at Channel Islands). We are very grateful for the opportunity to work on such an interesting and eminently applicable problem. We are especially grateful to Senior Investigator Adam Wittkins who facilitated this collaboration. The SEAKER development work was undertaken as a final project for a graduate course in Cybersecurity at CSUCI (COMP524: “Cybersecurity”). The first and third authors were students in this course, and they emerged as leaders of the project, but we are very grateful for the contribution of the rest of the class (in alphabetical order): Geetanjali Agarwal, Nick Avina, Jesus Bamford, Jack Bension, Apurva Gopal Bharaswadkar, Amanda Campbell, Christopher Devlin, Nicholas Dolan-Stern, Manjunath Narendra Hampole, Mei Chun Lo, Christopher Long, Clifton Porter, Deepa Suryawanshi, Mason U’Ren and Zhe Zhang (see http://soltys.cs.csuci.edu/blog/?p=2713).

Corresponding author: Michael Soltys.

Instructions for Setting Up SEAKER

This section contains step-by-step instructions to build a SEAKER:

  1. Prepare the MicroSD card

    (a) Download the latest version of the Raspbian Lite image to a local computer (https://goo.gl/eNvdMu)

    (b) Download the Etcher software for writing the image to the MicroSD card (https://goo.gl/f6LHBU)

    (c) Download PuTTY if using a Windows-based local computer (https://goo.gl/Tvifot)

    (d) Write the image to the MicroSD card (at least 8 GB) using Etcher (https://goo.gl/FTvTVx)

    (e) Before removing the MicroSD card from the computer, add a file named ‘ssh’ (no quotes, no extension, no contents) to the root of the MicroSD card (https://goo.gl/tTs2vd).

  2. Plug in and boot the Raspberry Pi (RP)

    (a) Connect the RP to your network using the Ethernet port (do not connect using WiFi)

    (b) Plug in power to the RP and wait 10–20 s for the Raspbian Lite operating system to boot.

  3. Find the RP’s IP address and connect to it

    (a) Find and make a note of the IP address, and substitute it for RASPBERRYPI_IP in the rest of the setup; this can be done with tools like “Advanced IP Scanner” or by accessing your router’s administration page

    (b) Use ssh (or PuTTY on Windows) to start a secure shell, for example: ssh -l pi RASPBERRYPI_IP

    (c) When logging in, the default login is username: ‘pi’, password: ‘raspberry’.

  4. Get the prep script and run it

    (a) At the RP prompt, download the prep.sh script: wget -O prep.sh https://goo.gl/5RU1Yv

    (b) Modify the first few lines to prevent collisions with other SEAKERs:
      • PI_PASSWORD (line 18) - Sets the RP’s password
      • WIFI_NAME (line 19) - Sets the WiFi access point name
      • WIFI_PASSWORD (line 20) - Sets the WiFi WPA2 password
      • WIFI_ROUTER_IP (line 21) - Sets the WiFi access point IP address (must always end in .1)
      • WIFI_ROUTER_DHCP_RANGE (line 22) - Sets the DHCP address range (must have the same prefix)

    (c) Set the permissions of prep.sh to 744: chmod 744 ./prep.sh

    (d) Run the prep script: ./prep.sh

    (e) The script will automatically reboot the RP when finished.

  5. Verify that SEAKER is working

    (a) After the reboot, use a separate WiFi-enabled handheld phone or tablet (look for a new WiFi access point named using the WIFI_NAME setting in the prep.sh script)

    (b) Type in the WiFi password (from the WIFI_PASSWORD setting)

    (c) Use a web browser on the handheld phone or tablet and type in the WIFI_NAME or the new SEAKER IP address after “http://”; for example: http://SEAKER03.local.
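Step 4(b) is the point where a mistake is both easy to make and expensive to notice, since it only shows up after the reboot in step 4(e): an access point address that does not end in .1, a DHCP range on a different prefix, or a password left at the Raspbian default. The following pre-flight check is an added example and not part of the project's prep.sh. It assumes the settings are plain NAME=value assignments in the file whose path is passed as the first argument, that the DHCP range is written as comma-separated start,end[,lease] (a format assumed here, not stated in the instructions), and it adds two checks of its own beyond the two constraints the instructions state: the RP password must not be the default, and the WPA2 passphrase must be 8 to 63 characters long. The sample settings file it builds contains placeholder values only.

```shell
#!/bin/sh
# Added example: pre-flight validation of the prep.sh settings from step 4(b).
# Not part of the SEAKER project's prep.sh; see the lead-in for assumptions.
set -eu

# Constructed sample settings file (placeholder values, not a real deployment).
make_sample_settings() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
PI_PASSWORD=placeholder-pi-password
WIFI_NAME=SEAKER03
WIFI_PASSWORD=placeholder-wpa2-pass
WIFI_ROUTER_IP=192.168.42.1
WIFI_ROUTER_DHCP_RANGE=192.168.42.50,192.168.42.150,12h
EOF
  printf '%s\n' "$f"
}

# Read the value of one NAME=value line (first match), dropping double quotes.
setting() {
  sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# Return 0 when every check passes, 1 otherwise; each failure is printed.
check_settings() {
  f=$1
  rc=0
  pw=$(setting "$f" PI_PASSWORD)
  ap=$(setting "$f" WIFI_ROUTER_IP)
  wpa=$(setting "$f" WIFI_PASSWORD)
  range=$(setting "$f" WIFI_ROUTER_DHCP_RANGE)

  # The RP login password must be changed from the Raspbian default.
  case $pw in
    ''|raspberry) echo "PI_PASSWORD is empty or still the default"; rc=1 ;;
  esac

  # Constraint from step 4(b): the access point address must end in .1.
  case $ap in
    *.1) ;;
    *) echo "WIFI_ROUTER_IP must end in .1 (got '$ap')"; rc=1 ;;
  esac

  # Constraint from step 4(b): every address in the DHCP range must share the
  # access point's prefix (first three octets). Fields that are not dotted
  # numbers, such as a lease time like 12h, are skipped.
  prefix=${ap%.*}
  for field in $(printf '%s' "$range" | tr ',' ' '); do
    case $field in
      *[!0-9.]*) ;;
      "$prefix".*) ;;
      *) echo "DHCP address $field is not in $prefix.0/24"; rc=1 ;;
    esac
  done

  # WPA2 passphrases are 8 to 63 characters.
  n=${#wpa}
  if [ "$n" -lt 8 ] || [ "$n" -gt 63 ]; then
    echo "WIFI_PASSWORD must be 8 to 63 characters (got $n)"; rc=1
  fi
  return $rc
}
```

Run it as `check_settings prep.sh` before `./prep.sh` in step 4(d); a non-zero exit means the settings would produce an access point that the phone or tablet in step 5 cannot join or reach.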

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Gentry, E., McIntyre, R., Soltys, M., Lyu, F. (2020). SEAKER: A Tool for Fast Digital Forensic Triage. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_87