Saturday, 13 June 2015 - 09:30

Dutch develop computer forensics app for botnet investigations

The Netherlands Forensic Institute is working on a Linux-based forensic operating system that will enable the police to secure and remotely analyze evidence related to botnets, project leader Ruud Schramp told Security.NL.

Securing and analyzing digital evidence related to botnets is a costly and time-intensive operation for both the police and the data centers where the data is located. With this project, which received financial incentives from the National Coordinator for Counter Terrorism and Security, the NFI hopes to streamline this process. To make the process more efficient, it is important that the police are able to work remotely, which would save manpower. Early analysis also enables the police to determine whether a botnet server contains interesting data before trying to secure the information.

For this the NFI has come up with a forensic operating system. Once a botnet server has been identified and the Public Prosecutor has given the data center a court order, the forensic OS can be started on that server from a CD, USB drive or PXE. Once the OS is loaded, it seeks a connection with a police acquisition system. Through this system it is possible to send requests to the forensic OS or perform certain investigations on the data. The data is then copied to the police system.

With this information the police can determine at an early stage whether further investigation is possible, whether further data needs to be copied and whether the data center has to do a comprehensive forensic analysis. The system is primarily intended for cases in which investigators are looking for operational security errors and for cases of high importance where the police already expect that there is important information on the machine.

Schramp points out that the OS can only be started with the cooperation of the hosting party and that there is no permanent access to the hosting environment. He hopes that it will be in preproduction later this year.

© 2012-2023, NL Times, All rights reserved.
