The Challenge
SUMURI needed a way to transfer and image large amounts of volatile data from a running system as quickly as possible and then facilitate the transfer of that data to forensic workstations outside the scene of an active investigation — all within a device that could easily be ported from location to location in all environments and use patterns. A rugged and durable, yet easily portable solution was in high demand.
The Solution
SUMURI’s product, RECON TRIAGE, is a “Swiss army knife” of forensics based on Samsung T5 portable solid state drives (SSDs), which can be plugged in via included USB Type-C or USB Type-C to Type-A cables directly into a subject machine. It’s specifically targeted at cases where Macintosh computers are implicated or otherwise involved in crimes, and disputes where active investigation and analysis need to happen quickly. RECON TRIAGE automates live imaging, volatile data collections, RAM imaging and more, and it’s designed to be up and running in seconds. This allows it to capture potentially invaluable information about an active attack or offense before the operations are shut down and actionable evidence is lost forever. RECON TRIAGE is built to automate much of the forensics process so that information is gathered and saved rapidly, even if the forensic investigator is not familiar with Mac operating systems and Mac forensics in particular.
The T5's durability, portability, and capacity create an optimum device for field investigations that require always-on capabilities.
The Results
RECON TRIAGE allows SUMURI’s clients to access Mac computers involved in potential crimes and dangerous situations and recover complete forensic evidence quickly and reliably. The Samsung T5 drives used in the solution are reliable, remarkably fast, portable, and rugged, helping investigative professionals capture critical information and potentially save lives. In fact, the SUMURI solution is so competitive and attractive that one of their main clients has adopted it to assist with their investigations. Digital Shield, a consultancy that employs security professionals with an extensive background in conducting forensic examinations for both government agencies and private corporations, uses the RECON TRIAGE product in response to requests for assistance with forensic investigations. In a scenario where every second counts, where lives are in danger, or where perpetrators are attempting to cover their electronic tracks, SUMURI’s tools and Digital Shield are able to lock down the evidence and help the pursuit of justice.
About SUMURI Forensics
SUMURI develops forensic analysis hardware tooling and software kits that can be used in investigations of crimes committed on computers. SUMURI’s end-user customers are forensic investigators around the world. SUMURI manufactures both hardware workstations and portable software packages to aid investigations and recovery of sensitive information on computers.
The Challenge
Forensics Require Quick, Reliable Real-Time Capture
SUMURI was founded to help law enforcement and corporate clients investigate potential electronic wrongdoing. In particular, the technologies SUMURI developed — both software- and hardware-based — are mainly used to fight sexual exploitation and other crimes. SUMURI’s product offerings include custom cryptanalysis workstations for password recovery, forensic recovery workstations to capture evidence in potential investigations, e-discovery workstations and more. SUMURI’s clients range from small law enforcement agencies to larger metropolitan agencies, states and large governmental clients like Homeland Security, NASA, and Intel.
Law enforcement and other actors often require access to computers used by parties involved in an investigation. With the strong encryption and data protection schemes built into systems today, often investigators’ only chance at recovering evidence from a machine, if they don’t possess its passwords, is if the machine is found live, running and logged in. Experienced forensic investigation personnel need a solution to ensure the data is collected quickly enough that its evidentiary value is preserved while also providing an assurance of integrity that the data was not modified and is suitable to be presented in a court of law.
When investigations are happening out in the field, timing matters — and when investigators happen upon a potential crime scene with computers either running or not, being able to depend upon a forensic solution is critical. “If it’s something of this importance, basically, you don’t want it to fail,” said Steve Whalen, SUMURI’s cofounder. “Between the speed and reliability, those are two of the main things we’re looking for when it comes to in-the-field technology.”
SUMURI has tried non-Samsung drives in the past as part of an effort to secure licensing for its products. While it experienced limited success at first, the drive vendor ultimately migrated to an inferior chipset. “We had nothing but a nightmare that we were trying for a long time to find our way out of,” says Whalen.
The Solution
A Fast Forensics Software Solution Backed by Reliable Samsung SSDs
For its Macintosh forensics application, RECON TRIAGE, SUMURI chose to partner with Samsung and use the tech giant’s T5 SSDs for three primary reasons: speed, reliability and portability. SUMURI’s software and hardware are based around Samsung products “wherever we can get it in,” said Whalen, because “they are top of the line when it comes to SSD technology.”
“One of our specialties is in Mac forensics,” says Whalen. “And so I developed a lot of software that focuses around the forensic acquisition, triage and analysis of Mac products.” The T5 is the reliable solution needed for even the latest Macs where privacy features and encryption end up meaning investigators have a limited opportunity to acquire useful evidence.
There were many other advantages to the Samsung T5:
- The T5 is a blazing fast drive that transfers data at up to 540MB per second, allowing capture of a running machine in under a minute, even with today’s large-capacity hard drives.
- Samsung has the most consistent read/write speeds across the board, and handling input and output at a stable speed is critically important.
- The T5, being the size of a business card, is portable and practical and can be transported to the scene of a crime, to a lab, to a courtroom, or wherever else the data may need to go with no problem or hassle.
- Samsung drives have a much longer time between failures compared to other solutions.
“Time is always of the essence. We deal with a lot of cases on the law enforcement side where you may have a missing child that they’re trying to find,” says Whalen. “And they may have phones or computers from relatives where they think information is. We can’t have that computer go down. We don’t have time to ship out another SSD when a child’s life is at stake.” SUMURI has found Samsung’s legendary reliability to be a critical benefit.
The Technology
Portable SSD T5 1TB
Ultra fast data transfer speeds. Compact, solid and secure design.
Portable SSD T5 500GB
Ultra fast data transfer speeds. Compact, solid and secure design.
The Results
Fast, Portable, Reliable Drives Preserve Critical Evidence
SUMURI’s customers agree. Joe Church is the founder of Digital Shield, a consultancy that assists in forensic investigations for law enforcement and commercial applications. When engaged to assist in an investigation, Digital Shield typically has a very limited amount of time to get in and off the scene while gathering as much evidence as possible before trying to find out what’s going on.
“We were having a lot of issues with some of the other triage tools we were using in the field,” said Church. Those tools weren’t very configurable, and the speeds at which Digital Shield was gathering evidence and forensics with them weren’t satisfactory. “We ended up spending too much time at the crime scene, which began causing other issues,” he added.
Church began running tests and found RECON TRIAGE to be significantly faster than other tools. It is also configurable, which allows Digital Shield to gather the right information the first time.
Reliability was also key. “We weren’t getting the drive failures that we were with other solutions,” said Church. “This is truly forensics evidence that needs to be protected, and some of the other solutions we were using, when we would actually try to bring that evidence up later, some of the drives were actually failing and the evidence that was being gathered on the scene was lost.”
Using the Samsung T5 portable drives with SUMURI’s RECON TRIAGE product improves Digital Shield’s ability to get to the scene of a cybercrime quickly, gather and secure potential evidence as fast as possible and preserve the chain of custody to pursue leads, recover victims and bring perpetrators to justice.
“With RECON TRIAGE and Samsung drives, we haven’t had failures at all. Each time we’ve gone out to crime scenes, I’ve had the confidence that I can release the product onto the crime scene, be able to image multiple machines at the same time, and know that the images are going to be good when I come back because I’ve not had a failure,” said Church.
“We found the best results with Samsung’s line of products over any of the others — the fastest results and least failures,” added Whalen.
SUMURI’s RECON TRIAGE product with the Samsung T5 portable drive is a powerful combination not just for run-of-the-mill technology products, but also when critical needs arise and lives are in danger.
“Protection of children and peoples’ lives — I can’t think of anything more important,” added Church.