Findings and methodology are presented for the evaluation of the forensic electronic data collection tool called "Wide-scale, Agentless and Rapid collection of Digital Evidence from Networks" (WARDEN) developed by Assured Information Security, Inc.
The evaluation determined 1) how WARDEN identifies, acquires, and preserves data of investigative value; 2) WARDEN's analysis and reporting capabilities regarding investigative data; 3) whether WARDEN's functions operate as intended; 4) whether WARDEN is forensically sound, and if not, how it can be improved to achieve this; and 5) the pros and cons of other forensic solutions. An initial technical review of WARDEN, conducted to understand and document its capabilities, determined that it is not forensically sound; e.g., it does not encrypt stored information or create an audit trail to assist with chain-of-custody control. In addition, WARDEN data analysis apparently does not meet the needs of law enforcement personnel, since it provides summarized information that does not permit organization of data by case. Because of these initial findings, the evaluation of WARDEN focused on explaining its shortcomings and possible improvements. A legal opinion was also documented on the requirements for a forensically sound digital evidence-collection tool. The legal opinion is appended and notes that WARDEN will likely provide data and information that are admissible in court, but since it does not allow for adequate chain-of-custody control, the resulting data and information are less valuable as persuasive evidence. Although WARDEN does not produce information of probative value, it may be useful as an investigative tool in identifying entities for formal search.

28 tables, 15 figures, and 13 references
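Two of the forensic-soundness gaps the abstract names are the lack of an audit trail for chain-of-custody control and the inability to organize collected data by case. The following added example (not WARDEN code, and not from Assured Information Security) sketches what a minimal case-organized evidence ledger with a tamper-evident, hash-chained audit trail looks like, so the reader can see concretely what "chain-of-custody control" asks of a collection tool. All case identifiers, hostnames, actors and artifact contents are constructed; encryption of stored data, the other gap named in the abstract, is out of scope here.

```python
"""Added example: case-organized evidence ledger with a hash-chained audit trail.
Illustrates chain-of-custody control as discussed in the abstract; it is not
WARDEN code. Every identifier and sample artifact below is constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash for the first entry of every case chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class AuditEntry:
    """One custody event. entry_hash covers all other fields, including
    prev_hash, so editing, deleting or reordering an entry breaks the chain."""
    case_id: str
    seq: int
    timestamp: str
    actor: str
    action: str          # "acquire" or "access"
    source: str          # host the artifact came from ("-" when not applicable)
    artifact_hash: str   # SHA-256 of the collected bytes
    prev_hash: str
    entry_hash: str = ""


def _hash_entry(entry: AuditEntry) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    fields = asdict(entry)
    fields.pop("entry_hash")
    return sha256_hex(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())


class CaseLedger:
    """All evidence for one case: artifact bytes keyed by their hash, plus the
    chained audit trail of every acquisition and access."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: List[AuditEntry] = []
        self.store: Dict[str, bytes] = {}

    def _append(self, actor: str, action: str, source: str,
                artifact_hash: str, timestamp: Optional[str]) -> AuditEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        draft = AuditEntry(self.case_id, len(self.entries), ts, actor, action,
                           source, artifact_hash, prev)
        entry = replace(draft, entry_hash=_hash_entry(draft))
        self.entries.append(entry)
        return entry

    def acquire(self, actor: str, source: str, data: bytes,
                timestamp: Optional[str] = None) -> str:
        """Store collected bytes and log the acquisition; returns the artifact hash."""
        h = sha256_hex(data)
        self.store[h] = data
        self._append(actor, "acquire", source, h, timestamp)
        return h

    def access(self, actor: str, artifact_hash: str,
               timestamp: Optional[str] = None) -> bytes:
        """Every read of an artifact is itself a custody event."""
        data = self.store[artifact_hash]
        self._append(actor, "access", "-", artifact_hash, timestamp)
        return data

    def head(self) -> str:
        """Current chain head. Record it out of band (custody form, signed
        report) so a rewritten chain can be detected by comparison."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain and re-hash stored artifacts.
        Returns (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or _hash_entry(e) != e.entry_hash:
                return False, i
            if e.action == "acquire":
                data = self.store.get(e.artifact_hash)
                if data is None or sha256_hex(data) != e.artifact_hash:
                    return False, i
            prev = e.entry_hash
        return True, None


def demo() -> dict:
    """Constructed walk-through: two acquisitions and one access, then two
    kinds of tampering that verify() must catch."""
    ledger = CaseLedger("CASE-0001")  # constructed case id
    h1 = ledger.acquire("examiner_a", "host-01", b"constructed browser history export",
                        "2024-01-01T10:00:00+00:00")
    h2 = ledger.acquire("examiner_a", "host-02", b"constructed event log slice",
                        "2024-01-01T10:05:00+00:00")
    ledger.access("analyst_b", h1, "2024-01-02T09:00:00+00:00")
    clean_ok, _ = ledger.verify()
    anchor = ledger.head()
    # Tamper 1: the stored bytes behind the second acquisition are altered.
    ledger.store[h2] = b"constructed event log slice (edited)"
    store_ok, store_bad_seq = ledger.verify()
    # Tamper 2: the first audit entry is rewritten to name a different actor.
    ledger.entries[0] = replace(ledger.entries[0], actor="someone_else")
    entry_ok, entry_bad_seq = ledger.verify()
    return {"clean_ok": clean_ok, "entries": len(ledger.entries), "anchor": anchor,
            "store_ok": store_ok, "store_bad_seq": store_bad_seq,
            "entry_ok": entry_ok, "entry_bad_seq": entry_bad_seq}


if __name__ == "__main__":
    print(demo())
```

The chain alone is tamper-evident only relative to an externally recorded head hash: an adversary with full write access could rewrite every entry and recompute the chain, which is why `head()` exists and why the anchor belongs on the custody paperwork or in a signed report rather than next to the ledger.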
