rule relevant evidence
chain of custody
software write blocker
hardware write blocker
What are two general ways in which computers are involved in security violations?
What is computer evidence?
What is an incident response team?
What is real evidence?
What is demonstrative evidence?
What is a subpoena?
What is a search
What is the chain of custody?
The goal of computer forensics is to get to the truth. You get to the truth by identifying and acquiring sufficient evidence to
You will learn the basic
This chapter addresses tasks that are common to computer investigations.
Your initial task in an investigation is to identify the evidence you need for your case. Remember, without evidence you don't really have much more than an opinion. Every case is different, so you will likely need different types of evidence for each case. Knowing what evidence you will need is an integral part of a successful investigation. The rule of thumb is to take everything. Unfortunately, there are substantial legal and
You should treat every computer forensics investigation as if the case you build will end up in court. The case in question does not need to involve criminal activity to
distributed denial of service (DDoS) attack
An attack that uses many systems, typically compromised machines under an attacker's control, to flood another system with so much traffic that the targeted system is unable to respond to legitimate requests.
Suppose you were called to investigate possible stolen credit cards. The law enforcement officers who are working on this case expect to find incriminating evidence on the suspect's home computer. They have interviewed some of the suspect's coworkers and have found that he talked about a 'database of
When you enter a crime scene,
Notes, photographs, drawings, and any other documentation that describes the state and condition of a scene.
Don't get too caught up in finding specific evidence. Rather, treat an investigation like a large puzzle. Avoid fixating on the picture (on the puzzle's box); instead, look at the
You might expect the primary focus of a computer forensics investigation to be computer hardware, but that is not always the case. Often much more evidence can be found than just the physical hardware. Although it is not the only type of evidence, hardware is a crucial type you must consider.
Take a look around your own office. How many types of computer hardware do you see? Chapter 2, 'Preparation,' covered different types of hardware and encouraged you to know what you use in your organization. You probably use several different types of hardware on a daily basis. Physical hardware is a great place to get fingerprints. If part of your case depends on proving that a certain person used specific hardware,
Personal digital assistant (PDA) cradle (
Keyboard-video-monitor (KVM) switches (if your office has more computers than
Media storage units (CD/DVDs, tape, floppy cases, and drawers)
And the list goes on. Your investigation may not require you to establish that a
Pay attention to all clues that hardware provides. If you find an expensive, high-speed scanner attached to a suspect's computer, you should probably find a repository of scanned documents on the computer or server. If you are investigating possible confidential information disclosure and you do not find many scanned documents on the computer in question, find out where the documents are. Few people invest in an expensive scanner unless they plan to use it. Look in not-so-obvious places for the scanned documents.
After you have the proper authorization, start cataloging the physical evidence. Different examiners choose different starting points: some start with the most prominent computer, normally the one in the center of the workspace; others choose a fixed point of reference, such as the entry door. Start where you are most comfortable, but move through the scene carefully and document your actions as you proceed. The goal is to consider all physical evidence. Choosing a starting point and moving through the scene in a methodical manner makes it more
Follow all communications links. If a computer you are examining is connected to a network, follow the cable or scan for the wireless access point (WAP). Know how this computer is connected to other computers; your investigation might need to expand to the systems connected to the target. Be careful to avoid unnecessarily expanding the scope of your investigation, though. You might not need to examine every computer to which the target is connected, but you do need to know about every network connection it has.
wireless access point (WAP)
Network device that contains a radio transmitter/receiver and that is connected to another network. A WAP provides wireless devices access to a regular wired network.
The crown jewel of most computer investigations is the hard disk drive. By and large, most evidence lives on a hard drive somewhere. Issues surrounding hard disk
Let's apply our discussion to the real world. Suppose you arrive at the home of the suspected credit card
Removable storage is commonly used for several purposes. You'll find files of all kinds lying around if you look. Refer to Chapter 2, 'Preparation-What to Do Before You Start,' for more detailed information about different types of hardware. Removable media are also common repositories for evidence. Take the time to carefully inspect all removable media you find for possible value to your investigation. Think about how most people use removable media. It
Computer forensics examiners are sometimes called upon to locate missing individuals. One day I was contacted by the Chief Executive Officer of an Internet startup company and asked if I could come to his office to discuss a matter of some importance. Because his office was located only a few miles from my lab, I told him I would be there within the
As soon as I arrived, the CEO greeted me, took me into his office, and closed the door. (This is always the sign that I am about to hear a really good story.) The CEO explained that the Vice President of Sales for the company had not
The CEO asked me to examine the VP's desktop computer to see if I could locate any information as to where the VP might have gone and why he might have left. At this point, I asked the CEO if he had contacted the police yet. He said he had, but because there was no evidence of foul play, they only took a report and 'would get back to him.' The VP was not married and had no family, so there was really no one else looking for the VP besides the CEO. He went on to explain the VP had handled all of the sales, marketing, and collections for the company and really handled a large portion of running the business. Now without him, the company was suffering.
The CEO escorted me to the VP's office and unlocked the door. I located the VP's desktop computer sitting on the desk and noted that it was
After creating a forensically sound image of the hard drive, I imported the image into a commercial forensics utility, the Forensics Toolkit from AccessData, and
I had located the VP. Well, that was the good news. Now it was time to find out what the VP had been up to just prior to his
Before I informed the CEO of my findings, I had to ask him a few questions. I let him know I thought I knew exactly where the VP was and why he left so quickly. I told him about the e-mail messages and asked him about the 'Service Tech' division and the address change for billing. As I had thought, the CEO had no idea what I was talking about. There was no 'Service Tech' and the billing address had been the same since the company was founded.
At that point I informed the CEO that it would be best if we contacted the police again, and he did so. The investigation ultimately found that the VP had opened a bank account in Grand Cayman in the
This definitely isn't an example of a 'normal day at the office,' but it shows that the work we do can often be very exciting and worthwhile.
The first two uses of removable storage are of most interest to us. Although you may not be successful in finding the evidence you need on a hard disk drive, always look for backups or other secondary copies. Be especially persistent when looking for historical evidence. Removable storage devices come in many shapes and sizes. In
CDs and DVDs
USB drives and storage devices
Flash memory cards
Generally, you will find two types of files on removable media: intentionally archived and transient. Intentionally archived files are copied to removable media to keep as extra copies, or they are copied prior to deleting the
Many organizations that process large
The other type of files you tend to find on removable media is transient. Transient files are files, or file remnants, that have been temporarily copied onto removable media. Such media is often used to transport data from one computer to another. Although files are commonly deleted from the removable media after they have
Removable media analysis is painstakingly slow. Most offices have a lot of CDs and floppies lying around, and the devices used to read them are typically far slower than most hard drives. Take your time and look at what is on each disk, tape, and device. Your persistence might pay off by producing evidence that cannot be found
The rule of thumb with respect to removable media is to take all that you can legally find and seize. Subsequent analysis will be slow, but it can yield evidence you will not find anywhere else.
The last type of common evidence is hard-copy documents. A hard-copy document is anything written that you can touch and hold. Evidence that consists of documents is called
The most important characteristic of documentary evidence is that it cannot stand on its own. It must be authenticated. When you find suspicious files on a hard drive (or removable media), you must
Take pictures of all white boards and other writings. Carefully examine the crime scene for any documents that might be
Back at the credit card investigation scene, you notice a white board on the wall during your site survey. It looks like it has been used a lot but it has been wiped clean. Fortunately for you, no one took the time to use cleaning fluid to clean the board. If you look closely, you can still read some of what was written and then erased. It looks like a list of filenames. You write them down for later use.
Most people keep some notes handy to jog their memories. Sit down at the subject's desk and carefully look around. Every scrap of paper could
Encryption key or pass code
Uniform Resource Locator (URL)
This list is just a sampling of information that could assist your investigation. Anything that helps point you toward or helps you access evidence is valuable information. Most people have to write some things down to remember them. Look for those notes. They can help direct you to more evidence in a fraction of the time it would take to perform an exhaustive search.