Chapter 2: Processing the Digital Crime Scene

Overview

The digital crime scene consists of any location, logical or physical, where evidence of the crime in question may be present. Locations where digital evidence may be found include the following:

  • The suspect's machine

  • In the case of a hacking incident, the target machine

  • Switches, routers, firewalls, and other network devices

  • Log servers (proxy logs, DHCP logs, and Windows event logs)

  • Media (floppy disks, CD-Rs, CompactFlash cards)

  • Other electronic devices (PDAs, cell phones, digital cameras)

Note

The term crime scene is used loosely throughout this book to indicate the scene of an incident. In the case of corporate investigations, the crime scene might not be the scene of an actual criminal act but the scene of corporate misconduct.

The computer investigator is responsible for the acquisition and subsequent processing of any digital forensic evidence. This is similar to the role of a traditional forensic analyst within the physical science fields in that the basic steps are the same, with the addition of digital evidence collection:

  1. Identify the scene. Determine the location or locations where digital evidence of the crime may be resident. These might be physical locations (for example, Server Room 3, 2nd floor) or logical locations (for example, Syslog server http://www.sysloga.company.com).

  2. Perform remote research. Gather as much information as possible from both open and private sources before taking any actions. Zero-touch analysis (network sniffing) and light-touch analysis (OS fingerprinting) might be performed at this stage as well.

  3. Secure the scene. Secure the physical and logical crime scenes. Physical crime scenes require physical securing, including locks, tape, and guards. Logical crime scenes can be logically secured (for example, by locking out users and disconnecting their systems from the network) or physically secured (for example, by disconnecting a server and locking it in a safe).

  4. Document the scene. When secured, the crime scene should be documented. Any evidence found as well as its location and condition need to be noted in the forensic logbook.

  5. Process the scene for physical evidence. Prior to processing for digital evidence, the crime scene should be processed for DNA, fingerprints, and other physical evidence. This should be done by a trained physical forensic analyst.

  6. Process the scene for digital evidence. After physical processing is complete, the scene can be processed for digital evidence. Acquiring drives, securing media, and live analysis all occur at this stage.
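Steps 4 and 6 above call for noting each item's location and condition in the forensic logbook and for acquiring drives. As an added example (not the book's own code), the following Python records a chain-of-custody entry with a SHA-256 of the acquired image and later re-verifies it; the JSON Lines logbook format, the evidence ID, and the sample file standing in for a drive image are assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def log_evidence(logbook, evidence_id, location, condition, image_path, acquirer):
    """Append one JSON Lines record (hypothetical logbook format) and return it."""
    entry = {
        "evidence_id": evidence_id,
        "location": location,      # physical or logical location (step 1)
        "condition": condition,    # state as found, noted before any action (step 4)
        "image_path": image_path,
        "sha256": sha256_of(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_by": acquirer,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(logbook, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(logbook, evidence_id):
    """Re-hash the image recorded for evidence_id; True only if it is unchanged."""
    with open(logbook, encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            if rec["evidence_id"] == evidence_id:
                return sha256_of(rec["image_path"]) == rec["sha256"]
    raise KeyError(f"no logbook record for {evidence_id}")

def demo():
    """Constructed walk-through: acquire, log, verify, then catch a later write."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "disk01.dd")   # constructed stand-in for a drive image
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample image")
    logbook = os.path.join(work, "logbook.jsonl")
    entry = log_evidence(logbook, "EV-001", "Server Room 3, 2nd floor",
                         "powered on, console locked", image, "investigator A")
    ok_before = verify_evidence(logbook, "EV-001")
    with open(image, "ab") as f:              # any write after acquisition breaks the hash
        f.write(b"!")
    ok_after = verify_evidence(logbook, "EV-001")
    return entry, ok_before, ok_after
```

In practice the hash is taken from the write-blocked source as well as the image, and both values go into the logbook entry so a later mismatch can be traced to acquisition or to handling.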

Ideally the computer investigator will work as a part of a team of trained specialists to fully process an investigation. Certain investigations will require the computer investigator to take the lead (for example, computer intrusions), and other investigations will require him to take a supporting role (for example, fraud investigations).

Where possible, the best-trained individual should perform the investigatory steps. If a crime scene photographer is available, use her. If physical security specialists are present, allow them to secure the scene. Just as computer investigators command a degree of respect for specialized knowledge and experience, they need to recognize and be respectful of the knowledge and experience that others on the response team bring to the table.

Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel