
A Plug-and-Play Forensicator System for Live Forensics

by Weihan Goh 11/15/2019 05:23 AM GMT


We have developed a prototype plug-and-play forensics system consisting of a USB Bash Bunny evidence extractor and Windows-based analysis software that analyzes the data gathered by the extractor. The solution allows first responders, and by extension member states, to identify digital terrorist activity in a more timely manner.


The increasing use of technology by terrorists to facilitate or commit acts of terrorism is a cause for concern. With the widespread availability of computing devices and the ubiquity of the internet, terrorist organizations such as ISIS and Al-Qaeda have turned to technology to reach audiences far and wide and, increasingly, to build capability and engage in cyber-offensive activities against their targets.

The use of technology by terrorists also leaves behind an increasing amount of digital artifacts on the computing systems used. Using a web browser to post terrorist-related communications, for example, leaves traces in the form of browser history, cached data and, at times, saved passwords and personal information. Emails and messages sent from a terrorist's computer or mobile device may be cached, and the installed software may reveal what the system is used for. Specialized software such as cryptocurrency wallets or hacking tools may indicate that the user possesses such capability. Such information, when obtained by law enforcement agents or the military, can be useful in identifying terrorist activities and hindering future terrorist actions.

Under normal circumstances, obtaining and analyzing such data is the responsibility of a digital forensic investigator or forensic analyst. Their job, upon receiving digital devices secured by first responders, is to acquire evidence from the devices and present it to the relevant stakeholders to act upon. All of this requires time and specialized training, and is typically done in a forensics lab with specialized tools that can be quite costly.

In the case of terrorism and terrorist-related activities, this time delay and multistage process may not be desirable. In particular, the following issues may be observed:

• Computing systems may be discovered live and powered on; powering down such systems causes volatile memory to be lost, may modify data, and may trigger anti-forensic mechanisms

• First responders tasked to handle terrorist-related incidents are typically trained more for combat and law enforcement than for digital forensics; these individuals may overlook potentially valuable evidence containers when securing the scene or, worse, damage devices that have evidentiary value

• The time between identifying a device that may contain evidence and actually obtaining the digital information of interest is long, giving terrorist organizations time to react; if that information reveals the presence of other devices or data, it may be too late to recover them

• In a conflict zone, it is often not practical to secure and retrieve all devices of interest because of practical limitations in the field

A common approach is to triage the digital evidence sources at the scene. This allows first responders to prioritize preservation efforts on the basis of the volatility and importance of the data. However, this still requires training and specialized knowledge on the part of the responders, which, apart from the time it takes, introduces variability in the quality of the result.

We hence propose a technical solution that lets first responders obtain actionable information about digital terrorist activity in the field in a plug-and-play manner. Our solution, currently a prototype, consists of a USB Bash Bunny device that functions as an evidence extractor and a Windows laptop or tablet running our analysis software, which analyzes the data gathered by the extractor. The solution allows first responders, and by extension member states, to identify digital terrorist activity in a more timely manner.

One of our goals is for the solution to be mass-adoptable; hence the hardware is commercial off-the-shelf, and the software is a mix of custom and community code integrated into our framework.
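As an added illustration of the extractor side of such a design, and not code from this proposal or its prototype, the PowerShell script below performs the order-of-volatility triage described above on a live Windows host: it captures running processes, network connections and logon sessions first, then installed software from the registry, then copies browser history databases for every local profile, and finally writes a SHA-256 manifest so the analysis side can verify that nothing changed in transit. The output root (`$OutRoot`), file names and the decision to copy rather than parse the browser databases are assumptions made for this example; it expects an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not the project's code): live-triage collector that gathers
# Windows artifacts in order of volatility and writes a SHA-256 manifest.
# Assumption: run elevated on the live host; $OutRoot is a hypothetical
# output folder such as the collection drive.
param(
    [string]$OutRoot = "E:\triage"
)

$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format "yyyyMMdd_HHmmss"
$Out      = Join-Path $OutRoot "${computer}_$stamp"
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$errLog   = Join-Path $Out "errors.log"

function Save-Artifact {
    # Run a collector, write its output as CSV, and log failures instead of aborting:
    # on a live scene a single failed collector must not stop the rest of the triage.
    param([string]$Name, [scriptblock]$Collector)
    $path = Join-Path $Out "$Name.csv"
    try {
        & $Collector | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
    } catch {
        "$Name : $($_.Exception.Message)" | Add-Content $errLog
    }
}

# 1. Most volatile first: processes, TCP connections, logon sessions.
Save-Artifact "processes" { Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, StartTime, UserName }
Save-Artifact "net_tcp"   { Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
Save-Artifact "sessions"  { Get-CimInstance Win32_LogonSession |
    Select-Object LogonId, LogonType, StartTime }

# 2. Less volatile: installed software from the Uninstall keys (64- and 32-bit views).
Save-Artifact "installed_software" {
    $keys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
            "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

# 3. On-disk browser history databases for every local user profile. They are
#    copied, not parsed, so the analysis workstation can examine them offline.
$browserGlobs = @(
    "AppData\Local\Google\Chrome\User Data\*\History",
    "AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite"
)
foreach ($profile in Get-ChildItem "$env:SystemDrive\Users" -Directory) {
    foreach ($glob in $browserGlobs) {
        Get-ChildItem (Join-Path $profile.FullName $glob) -ErrorAction SilentlyContinue |
        ForEach-Object {
            $src  = $_.FullName
            $dest = Join-Path $Out ("browser_" + $profile.Name + "_" + ($src -replace '[:\\]', '_'))
            try {
                # A running browser holds its SQLite file open, so the copy may be
                # refused; the failure is logged and the run continues.
                Copy-Item $src $dest -ErrorAction Stop
            } catch {
                "browser copy $src : $($_.Exception.Message)" | Add-Content $errLog
            }
        }
    }
}

# 4. Hash every collected file so the analysis side can check integrity.
Get-ChildItem $Out -File | Where-Object Name -ne "manifest.csv" |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n = "File"; e = { Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv (Join-Path $Out "manifest.csv") -NoTypeInformation -Encoding UTF8
```

The collectors are deliberately ordered from RAM-resident state to on-disk files, matching the triage priority the proposal describes, and each failure is recorded in `errors.log` rather than halting the run, since a partial but documented collection is worth more at a scene than an aborted one.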

Co-authors: Tan Guan Hong, Roysten Ng Kiang Ann, Muhammad Farid Bin Shafie
