Forensics

When certain incidents occur, you need to fix the immediate problem, but you will also need to investigate the person and cause behind it. Companies can find their Web sites or networks hacked by outside parties, receive threats via e-mail, or fall victim to any number of cybercrimes. In other cases, an administrator could discover that people internal to the organization are committing crimes or violating policies. Once systems are secure from further intrusion, you'll need to acquire information that's useful in finding and prosecuting the culprit responsible. Because any facts you acquire could become evidence in court, computer forensics must be used.

Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence. It involves collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format. Because the purpose of computer forensics is its possible use in court, strict procedures must be followed for evidence to be admissible.

Even when an incident isn't criminal in nature, forensic procedures are important to follow. You could encounter incidents in which employees have violated policies. For example, an employee might have violated a company's acceptable use policy and spent considerable time viewing Internet pornography sites during work hours. Using forensic procedures to investigate the incident, you can create a tighter case against the employee. Because every action you took followed established guidelines and acquired evidence properly, the employee will have a more difficult time arguing against the facts. In addition, if during your investigation you find evidence of illegal activities (such as the employee possessing child pornography), the internal investigation could become a criminal one. Any actions you took in your investigation would be scrutinized, and anything you found could be used as evidence in court.

As we'll see in the sections that follow, a number of standards must be met to ensure that evidence isn't compromised and information has been obtained correctly. If forensic procedures aren't followed, judges may deem evidence inadmissible, defense lawyers may argue its validity, and the case could be damaged significantly. In many cases, the only evidence available is that which exists in a digital format. This could mean that the ability to punish an offender rests with your abilities to collect, examine, preserve, and present evidence.

Conceptual Knowledge

Computer forensics is a relatively new field that emerged in law enforcement in the 1980s. Since then, it has become an important investigative practice for both police and corporations. It uses scientific methods to retrieve and document evidence located on computers and other electronic devices. This retrieved information could be the only evidence available to convict a culprit, or it could enhance more traditional evidence obtained through other investigative techniques.

Computer forensics uses specialized tools and techniques that have been developed over the years and are accepted in court. Using these tools, you can retrieve digital evidence in a variety of ways. Electronic evidence could reside on hard disks and other devices, could have been deleted so that it is no longer visible through the normal functions of the computer, or could be hidden in other ways. Although such evidence is invisible through normal channels, forensic software can reveal this data and restore it to a previous state.

Test Day Tip 

Forensics has four basic components: Evidence must be collected, examined, preserved, and presented. The tasks involved in forensics either fall into one of these groups or can be performed across most or all of them. A constant element is the need for documentation so that every action in the investigation is recorded. When taking the exam, remember the four basic components and that everything must be documented.

Your Role

Law enforcement agencies perform investigations and gather evidence with the understanding that their goal is to find, arrest, prosecute, and convict a suspect, but the investigator's motivation isn't always clear in business cases. A network administrator's job is to ensure that the network gets back up and running after an incident; similarly, a Webmaster works to get an e-commerce site back in business. Why would computer forensics be important to these jobs? The reason is that if a hacker takes down a Web site or network, he or she could continue to do so until caught. Identifying and dealing with threats is a cornerstone of security, whether those threats are electronic or physical in nature.

Even when police have been called in to investigate a crime, a number of company employees will be involved. Members of the IT staff assigned to an incident response team will generally be the first people to respond to the incident; they will then work with investigators to provide expertise and access to systems. Senior staff should be notified to deal with the effect of the incident and any resulting inability to conduct normal business.

If police aren't called in and the matter is to be handled internally, members of the incident response team will have a much broader range of roles. Not only will they deal with the initial response to the incident, they will conduct the investigation and provide evidence to an internal authority. This authority could be senior staff or, in the case of law enforcement, an internal affairs department. Even if no police are involved in the situation, the procedures used in the forensic examination should be the same.

When conducting the investigation, a person must be designated as being in charge of the scene. This person should be knowledgeable in forensics and directly involved in the investigation. In other words, just because the owner of the company is available, she should not be in charge if she's computer illiterate and/or unfamiliar with procedures. The person in charge should have authority to make final decisions on how the scene is secured and how evidence is searched, handled, and processed.

There are three specific roles that employees perform when conducting an investigation. The first responder is the first person to arrive at a crime scene. This doesn't mean the janitor who notices a server is making funny noises, but rather someone who has the knowledge and skill to deal with the incident. The first responder may be an officer, security personnel, a member of the IT staff or incident response team, or any number of other individuals. The first responder is responsible for identifying the scope of the crime scene, securing it, and preserving fragile evidence.

Identifying the scope of a crime scene refers to establishing its scale. What is affected, and where could evidence exist? When arriving on the scene, it is the first responder's role to identify the systems that have been affected, because these will be used to collect evidence. If these systems are located in one room, the scope of the crime scene is the room itself. If it is a single server in a closet, the closet is the crime scene. If a system of networked computers is involved, the crime scene could extend to several buildings.

Once the crime scene has been identified, the first responder must then establish a perimeter and protect it. Protecting the crime scene requires cordoning off the area where evidence resides. Until it is established what equipment can be excluded, everything in an area should be considered a possible source of evidence. This includes functioning and nonfunctioning workstations, laptops, servers, handheld personal digital assistants (PDAs), manuals, and anything else in the area of the crime. Until the scene has been processed, no one should be allowed to enter the area, and the first responder should document a list of people who were in the area at the time of the crime.

The first responder shouldn't touch anything within the crime scene. Depending on how the crime was committed, traditional forensics, such as fingerprint analysis, might also be used to determine the identity of the person behind the crime. In the course of the investigation, police could collect DNA, fingerprints, hair, fibers, or other physical evidence. In terms of digital evidence, too, it is important for the first responder not to touch anything, since doing so could alter, damage, or destroy data or other identifying factors.

Preserving fragile evidence is another important duty of the first responder. If a source of evidence, such as a server, is on, the first responder should take steps to preserve and document relevant data so it isn't lost. For example, a computer that could contain evidence might have been left on and have programs opened on the screen. If a power outage occurred, the computer would shut down and any unsaved information in memory would be lost. Photographing the screen or documenting what appeared on it would provide a record of what was displayed and could be used later as evidence.

When investigators arrive on the scene, it is important that the first responder provide as much information to them as possible. If the first responder touched anything, it is important that the investigator be notified so that information can be added to the report. Any of the first responder's observations should be mentioned because this information might provide insight into resolving the incident.

The investigator could be a member of law enforcement or the incident response team. If a member of the incident response team arrives first and collects some evidence, and the police arrive or are called later, it is important that the person in charge of the team hand over all evidence and information dealing with the incident. If more than one member of the team was involved in the collection of evidence, documentation dealing with what each person saw and did must be provided to the investigator.

A chain of command should be established when the person investigating the incident arrives at the scene. The investigator should make it clear that he or she is in charge so that he or she is told of important decisions that have been made. A chain of custody should also be established, documenting who handled or possessed evidence during the course of the investigation. Once the investigation begins, anyone handling the evidence is required to sign it in and out, so that there is a clear understanding and record of who possessed the evidence at any given time.

Even if the first responder has conducted an initial search for evidence, the investigator will need to establish what constitutes evidence and where it resides. If additional evidence is discovered, the perimeter securing the crime scene may be changed. Once the scene is established, the investigator will either have crime scene technicians begin to process the scene or perform the duties of a technician personally. The investigator or a designated person in charge remains at the scene until all evidence has been properly collected and transported.

Crime scene technicians are individuals who have been trained in computer forensics and have the knowledge, skills, and tools necessary to process a crime scene. The technician is responsible for preserving evidence and will take great efforts to do so. The technician may acquire data from a system's memory, make images of hard disks before shutting them down, and ensure that systems are properly shut down before transport. Before transporting, all evidence will be sealed in bags and/or tagged to identify it as particular pieces of evidence. The information identifying the evidence is added to a log so that a proper inventory of each piece exists. Evidence is further packaged to reduce the risk of damage, such as from electrostatic discharge or jostling during transport. Once transported, the evidence is then stored under lock and key to prevent tampering until such time that it can be properly examined and analyzed.

As you can see, the roles involved in an investigation have varying responsibilities and require special knowledge to perform properly. This section provides an overview of what's involved, but we still need to look at the specific tasks to understand how certain duties are carried out. Understanding these aspects of forensic procedure is not only vital to an investigation—you also need to understand them for success on the exam.

Exam Warning 

You need to understand the fundamentals of forensics for the exam. You must understand your role as a Microsoft Certified Professional and security analyst.

Exam 70-124: Objective 6.3.1: Chain of Custody

Because of the importance of evidence, it is essential that its continuity is maintained and documented. Toward this end, a chain of custody must be established to show how evidence made it from the crime scene to the courtroom. The chain of custody proves where a piece of evidence was at any given time and who was responsible for it. By documenting this information, you can establish that the integrity of your evidence wasn't compromised.

If the chain of custody is broken, it could be argued in court that the evidence fell into the wrong hands and might have been tampered with or other evidence substituted. This brings the value of evidence into question and could make it inadmissible in court. To avoid this situation, you must adhere to established policies and procedures dealing with the management of evidence.

Evidence management begins at the crime scene, where the evidence is bagged and/or tagged. When the crime scene is being processed, each piece of evidence should be sealed inside an evidence bag. An evidence bag is a sturdy bag with two-sided tape that allows it to be sealed shut. Once the bag is sealed, the only way to open it is to damage the bag, such as by ripping or cutting it open. The bag should then be marked or a tag should be affixed to it, showing the person who initially took it into custody. The tag provides such information as a number to identify the evidence, a case number (which shows the case with which the evidence is associated), the date and time the evidence was collected, and the name or badge number of the person taking it into custody.

Information on the tag is also written in an evidence log, which is a document that inventories all evidence collected in a case. In addition to the data available on the tag, the evidence log includes a description of each piece of evidence, serial numbers, identifying marks or numbers, and other information that's required by policy or local law.

The evidence log also provides details of the chain of custody. This document will be used to describe who had possession of the evidence after it was initially tagged, transported, and locked in storage. To obtain possession of the evidence, a person needs to sign evidence in and out. Information is added to a chain of custody log to show who had possession of the evidence and for how long. The chain of custody log specifies the person's name, department, date, time, and other pertinent information.

In many cases, the investigator will follow the evidence from crime scene to court, documenting who else had possession along the way. Each time possession is transferred to another person, it is written in the log. For example, the log would show that the investigator had initial custody, while the next line in the log shows that a computer forensic examiner took ownership on a particular date and time. Once the forensic examination is complete, the next line in the log would show that the investigator again took custody. Even though custody is transferred back to the investigator, this fact is indicated in the log so that there is no confusion over who was responsible on any date or time.
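As an added illustration (not code from the study guide), the following Python models the evidence tag and chain of custody log described above: the tag carries the evidence number, case number, collection date/time and collector, and the log records each sign-over so that only the current custodian can release the item, with each line hashed over the previous one so an edited or missing line is detectable. Badge numbers, dates and the case identifier are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class EvidenceTag:
    evidence_number: str      # identifies this piece of evidence
    case_number: str          # case the evidence is associated with
    collected_at: str         # ISO-8601 date/time, so strings sort chronologically
    collected_by: str         # name or badge number of the collector

@dataclass
class CustodyEntry:
    custodian: str
    department: str
    received_at: str          # when this person signed the evidence out
    prev_hash: str            # entry_hash of the previous log line
    entry_hash: str

class ChainOfCustody:
    """Append-only custody log for one item; each line's hash covers the previous line's."""

    def __init__(self, tag: EvidenceTag) -> None:
        self.tag = tag
        self.entries = []
        self._append(tag.collected_by, "collection", tag.collected_at)  # initial custody

    def _digest(self, custodian: str, dept: str, when: str, prev: str) -> str:
        payload = json.dumps([self.tag.evidence_number, custodian, dept, when, prev])
        return hashlib.sha256(payload.encode()).hexdigest()

    def _append(self, custodian: str, dept: str, when: str) -> None:
        prev = self.entries[-1].entry_hash if self.entries else "GENESIS"
        h = self._digest(custodian, dept, when, prev)
        self.entries.append(CustodyEntry(custodian, dept, when, prev, h))

    def current_custodian(self) -> str:
        return self.entries[-1].custodian

    def transfer(self, releasing: str, receiving: str, dept: str, when: str) -> None:
        """Sign the item over; only the current custodian may release it."""
        last = self.entries[-1]
        if releasing != last.custodian:
            raise ValueError(f"{releasing} does not hold the item; {last.custodian} does")
        if when < last.received_at:
            raise ValueError("transfer time precedes the current custody period")
        self._append(receiving, dept, when)

    def verify(self) -> bool:
        """Recompute the hash chain; False if any line was edited, removed or reordered."""
        prev = "GENESIS"
        for e in self.entries:
            expected = self._digest(e.custodian, e.department, e.received_at, e.prev_hash)
            if e.prev_hash != prev or expected != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

def example_log() -> ChainOfCustody:
    """Hand-offs from the text (investigator -> examiner -> investigator); badges, dates and case id are constructed."""
    log = ChainOfCustody(EvidenceTag("E-0007", "CASE-0142", "2003-03-11T09:42", "Badge 4471"))
    log.transfer("Badge 4471", "Badge 2210", "Forensics Lab", "2003-03-11T15:05")
    log.transfer("Badge 2210", "Badge 4471", "Investigations", "2003-03-14T10:30")
    return log
```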

Evidence Collection

Collection is a practice consisting of the identification, processing, and documentation of evidence. When collecting evidence, you start by identifying the evidence that is present and where it is located. For example, if someone broke into the server room and changed permissions on the server, the room and server would be where you would find evidence. Having established this fact, you would secure the scene, preventing others from entering the area and accessing the evidence. If the area wasn't secured, suspects could enter the area and alter or corrupt evidence. For example, if fingerprints were being taken to determine who broke into the server room, someone merely touching the door and other items would distort any findings. Did the person leave the fingerprints when he broke in, or were they left while the crime scene was unsecured? Such confusion can corrupt your attempt to find the culprit responsible for the crime.

Once you've identified the evidence that is present, you are then able to identify how the evidence can be recovered. Evidence on computers can be obtained in a variety of ways, from viewing log files to recovering the data with special software. If data recovery is required, you'll need to identify the operating system being used and/or the media used to store the evidence. Once you've determined this information, you can then decide on the methodology and tools needed to recover the data.

Processing the crime scene also requires preventing any data from being damaged or lost before it can be examined and recorded. This involves taking precautions mentioned in the section dealing with preservation of evidence. Someone should take photographs of the screen of the computer, so that any information displayed there can be analyzed at a later time. Photographs should also be taken of any other evidence and the scene itself. These pictures will provide a visual record that may also be presented as evidence.

Photographs should also be made of how the equipment is set up. When technicians have transported the equipment to a lab and are ready to begin examining it, they will need to set it up exactly as it was at the crime scene. After the case is completed, the original setup information could also be required if the equipment is returned to the owner. To ensure that the equipment is set up properly, photograph the front and back of the machine as it was found. Photographs or diagrams should be made, showing how cables and wires were attached.

It is important that you document everything possible. Identify all persons who were present at the crime scene prior to securing it or at the time of the incident. These people might be able to provide crucial information that they witnessed, or they could be suspects themselves. You should also document any comments that were made, anything you witnessed, and any actions that were performed.

When evidence is collected, it is important that each piece is tagged with an identifying number and that information about the evidence is added to a log. The evidence also needs to be bagged properly to preserve it. For example, hard disks are stored in antistatic bags to prevent damage and data corruption. Once placed in an antistatic bag, hard disks should then be placed in a sealed bag to ensure that no one can tamper with them. The evidence should then be placed in a locked storage facility so that access to the evidence can be properly controlled.

Head of the Class…
Forensic Procedures

Forensics is a science in which the examined evidence could identify or convict a culprit. Because of the weight this evidence could present in a trial or an internal investigation, you must ensure that the evidence hasn't been compromised in any way. If evidence is compromised, it can mean that someone who you're certain committed a crime cannot be convicted or an employee who threatened your company's security will go unpunished.

A commonality in forensics is practicing due care. You need to be extremely careful how evidence is handled and make sure that every action is documented and accountable. At no time should there be any confusion as to who had possession of evidence or what was done to that evidence during that time. By taking precautions to protect the data, you will ensure that it isn't compromised in any way.


MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
