Abstract
Faced with a preponderance of high capacity digital media devices, forensic investigators must be able to review them quickly, and establish which devices merit further attention. This early stage of an investigation is called triage and it is a chief part of evidence assessment; see [1, Chap. 2]. In this paper we present a digital forensic device, which we named SEAKER (Storage Evaluator and Knowledge Extraction Reader), which enables forensic investigators to perform triage on many digital devices very quickly. Instead of imaging the drives, which takes hours, SEAKER does a search for files with names that conform to pre-established patterns. The search is done by mounting the devices in read-only mode (to preserve evidence) and listing the contents of the device. Unlike imaging, this approach takes minutes rather than hours. Also, SEAKER’s hardware consists principally of a Raspberry Pi (RP) and so it is very inexpensive—this is crucial in this era of budgetary constraints; see [2]. Once SEAKER has identified media devices of interest, those can be confiscated for further investigation in a lab. But devices that do not have hits can be left at the scene. This has two principal benefits: forensic examiners can concentrate on those devices that are promising in terms of evidence for the given investigation, and devices without hits are not confiscated from legitimate users.
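The core of the triage step described above is simple to state: mount the suspect volume read-only and list file names that match pre-established patterns, deciding from the hit count whether the device is worth seizing. The bash script below is an added example written for this page; it is not the SEAKER script published on GitHub. The function names, the mount options, the pattern-file format (one case-insensitive shell glob per line) and the sample files and patterns are all assumptions or constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the SEAKER project's own script): triage a mounted volume by
# listing file names that match a set of pre-established patterns, without imaging.
set -u

# Mount a block device read-only so that the listing cannot alter evidence.
# Requires root and a real device, so the demo below does not call it.
#   ro                    never write to the evidence
#   noexec,nosuid,nodev   never execute anything found on the evidence
#   noatime               do not even update access times (belt and braces on top of ro)
seaker_mount_ro() {
  dev="$1"; mnt="$2"
  mkdir -p "$mnt"
  mount -o ro,noexec,nosuid,nodev,noatime "$dev" "$mnt"
}

# Scan a mount point for file names matching any pattern in a patterns file.
# Pattern file format (assumed): one case-insensitive glob per line, blank
# lines and '#' comments ignored. Prints each hit as "<pattern><TAB><path>".
# Returns 0 if there was at least one hit, 1 otherwise.
seaker_scan() {
  mnt="$1"; patterns="$2"
  hits="$(
    while IFS= read -r pat || [ -n "$pat" ]; do
      case "$pat" in ''|\#*) continue ;; esac
      # -xdev stays on the evidence filesystem; -iname matches the basename
      # case-insensitively, so IMG_0001.JPG is caught by img_*.jpg.
      find "$mnt" -xdev -type f -iname "$pat" 2>/dev/null | sort \
        | awk -v p="$pat" '{ print p "\t" $0 }'
    done < "$patterns"
  )"
  [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Number of hits: the figure an investigator uses to decide seize vs. leave.
seaker_hit_count() {
  seaker_scan "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed demo data: a directory standing in for a mount point ---
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/DCIM/100CANON" "$demo_dir/Documents"
: > "$demo_dir/DCIM/100CANON/IMG_0001.JPG"
: > "$demo_dir/Documents/ledger_2017.xlsx"
: > "$demo_dir/Documents/notes.txt"
: > "$demo_dir/Documents/Ledger_Backup.XLSX"
demo_patterns="$demo_dir.patterns"
cat > "$demo_patterns" <<'EOF'
# constructed pattern list for the demo (not a real investigative list)
img_*.jpg
ledger*.xlsx
EOF

if seaker_scan "$demo_dir" "$demo_patterns"; then
  echo "device has hits: retain for lab examination"
else
  echo "no hits: device can stay at the scene"
fi
```

Because only names are listed, a renamed file is missed; the design trades that coverage for minutes instead of hours, which is the point of triage, and the read-only mount keeps the later lab image identical to what was scanned.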
Notes
1. The main bash script for SEAKER is available on GitHub at https://github.com/michaelsoltys/seaker.
2. Technically, free for the students. Some services required nominal payments; for example, the fourth author has a GitHub subscription which allows for development with private repositories—anyone can open a GitHub account, but a free plan only allows public repositories. Similarly, the fourth author has an AWS subscription; we used Amazon Web Services (AWS) S3 buckets to have a staging repository for ready to use software, our beta versions.
3. We used GitHub to collaborate on this paper—which allows us to work together while hardly meeting in person.
References
[1] Hart, S.V.: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. U.S. Department of Justice (2004)
[2] Hitchcock, B., Le-Khac, N., Scanlon, M.: Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists. Digit. Investig. 16, S75–S85 (2016)
[3] James, J.I.: A survey of digital forensic investigator decision process and measurement of decision based on enhanced preview. Digit. Investig. 10, 148–157 (2013)
Acknowledgements
This work arose from a fruitful collaboration between SoCal HTTF (Southern California High Technology Task Force, Ventura County) and CSUCI (California State University at Channel Islands). We are very grateful for the opportunity to work on such an interesting and eminently applicable problem. We are especially grateful to Senior Investigator Adam Wittkins who facilitated this collaboration. The SEAKER development work was undertaken as a final project for a graduate course in Cybersecurity at CSUCI (COMP524: “Cybersecurity”). The first and third authors were students in this course, and they emerged as leaders of the project, but we are very grateful for the contribution of the rest of the class (in alphabetical order): Geetanjali Agarwal, Nick Avina, Jesus Bamford, Jack Bension, Apurva Gopal Bharaswadkar, Amanda Campbell, Christopher Devlin, Nicholas Dolan-Stern, Manjunath Narendra Hampole, Mei Chun Lo, Christopher Long, Clifton Porter, Deepa Suryawanshi, Mason U’Ren and Zhe Zhang (see http://soltys.cs.csuci.edu/blog/?p=2713).
Instructions for Setting Up SEAKER
This section contains step by step instructions to build a SEAKER:

1. Prepare the MicroSD card
   (a) Download the latest version of the Raspbian Lite image to a local computer (https://goo.gl/eNvdMu)
   (b) Download the Etcher software for writing the image to the MicroSD card (https://goo.gl/f6LHBU)
   (c) Download PuTTY if using a Windows based local computer (https://goo.gl/Tvifot)
   (d) Write the image to the MicroSD card (at least 8GB) using Etcher (https://goo.gl/FTvTVx)
   (e) Before removing the MicroSD card from the computer, add a file named ‘ssh’ (no quotes, no extension, no contents) to the root of the MicroSD card (https://goo.gl/tTs2vd).
2. Plug in and boot the Raspberry Pi (RP)
   (a) Connect the RP to your network using the Ethernet port (do not connect using WiFi)
   (b) Plug in power to the RP and wait 10–20 s for the Raspbian Lite operating system to boot.
3. Find the RP’s IP address and connect to it
   (a) Find and make a note of the IP address and substitute it in the rest of the setup wherever RASPBERRYPI_IP is used; this can be done with tools like “Advanced IP Scanner” or by accessing your router’s administration page.
   (b) Use ssh (or PuTTY for Windows) to start a secure shell, for example: ssh -l pi RASPBERRYPI_IP
   (c) When logging in, the default login is username: ‘pi’, password: ‘raspberry’.
4. Get the prep script and run it
   (a) At the RP prompt, download the prep.sh script: wget -O prep.sh https://goo.gl/5RU1Yv
   (b) Modify the first few lines to prevent collisions with other SEAKERs:
       - PI_PASSWORD (line 18) - Sets the RP’s password
       - WIFI_NAME (line 19) - Sets the WiFi access point name
       - WIFI_PASSWORD (line 20) - Sets the WiFi WPA2 password
       - WIFI_ROUTER_IP (line 21) - Sets the WiFi access point IP address (must always end in .1)
       - WIFI_ROUTER_DHCP_RANGE (line 22) - Sets the DHCP address range (must have the same prefix)
   (c) Set the permissions of prep.sh to 744: chmod 744 ./prep.sh
   (d) Run the prep script: ./prep.sh
   (e) The script will automatically reboot when finished.
5. Verify that SEAKER is working
   (a) After the reboot, use a separate WiFi enabled handheld phone or tablet and look for a new WiFi access point named using the WIFI_NAME setting in the prep.sh script.
   (b) Type in the WiFi password (from the WIFI_PASSWORD setting).
   (c) Use a web browser from the handheld phone or tablet and type in the WIFI_NAME or the new SEAKER IP address after “http://”; for example: http://SEAKER03.local.
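Step 4(b) states two constraints on the prep-script settings (the access point address must end in .1, and the DHCP range must share its prefix) and step 3(c) names the default ‘raspberry’ password that PI_PASSWORD replaces. A small set of checks run before ./prep.sh catches a mistyped value before the RP reboots into an unreachable configuration. The bash below is an added example written for this page, not part of prep.sh; the variable names follow the instructions, the assumed range format is "start,end[,lease]" as used by dnsmasq, and the sample values are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the SEAKER prep.sh: sanity-check the WiFi settings
# from step 4(b) before running the prep script.

# PI_PASSWORD must not be left at the Raspbian default named in step 3(c).
seaker_check_password() {
  [ -n "$1" ] && [ "$1" != "raspberry" ]
}

# WIFI_ROUTER_IP must be a dotted quad whose last octet is 1.
seaker_check_router_ip() {
  ip="$1"
  case "$ip" in *[!0-9.]*) return 1 ;; esac          # digits and dots only
  dots="$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')"
  [ "$dots" = "3" ] || return 1                         # exactly four octets
  [ "${ip##*.}" = "1" ]                                 # ... and it ends in .1
}

# WIFI_ROUTER_DHCP_RANGE must share the first three octets of WIFI_ROUTER_IP.
# Assumed range format: "start,end[,lease]" (constructed example: 192.168.4.10,192.168.4.50,12h).
seaker_check_dhcp_range() {
  router="$1"; range="$2"
  prefix="${router%.*}"            # 192.168.4.1 -> 192.168.4
  start="${range%%,*}"             # text before the first comma
  rest="${range#*,}"
  end="${rest%%,*}"                # text between the first and second comma
  [ "${start%.*}" = "$prefix" ] && [ "${end%.*}" = "$prefix" ]
}

# Run all checks; prints the first failing setting on stderr and returns 1.
seaker_check_settings() {
  pw="$1"; router="$2"; range="$3"
  seaker_check_password "$pw"      || { echo "PI_PASSWORD is empty or still the default" >&2; return 1; }
  seaker_check_router_ip "$router" || { echo "WIFI_ROUTER_IP must be a dotted quad ending in .1" >&2; return 1; }
  seaker_check_dhcp_range "$router" "$range" \
                                   || { echo "WIFI_ROUTER_DHCP_RANGE must share the prefix of WIFI_ROUTER_IP" >&2; return 1; }
  echo "settings look consistent; safe to run ./prep.sh"
}

# Constructed sample values (not from the paper or from prep.sh).
seaker_check_settings 'Tr1age-Kit-03' '192.168.4.1' '192.168.4.10,192.168.4.50,12h'
```

Each field the instructions set on a fixed line of prep.sh gets its own check, so a setting that collides with another SEAKER or that would leave the access point unreachable is reported by name rather than discovered after the reboot in step 4(e).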
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Gentry, E., McIntyre, R., Soltys, M., Lyu, F. (2020). SEAKER: A Tool for Fast Digital Forensic Triage. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_87
DOI: https://doi.org/10.1007/978-3-030-12385-7_87
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12384-0
Online ISBN: 978-3-030-12385-7
eBook Packages: Intelligent Technologies and Robotics (R0)