Process the Scene for Electronic Evidence

The processing of digital evidence at the crime scene is the responsibility of the computer investigator. After the physical processing of all IT equipment, the computer investigator takes over and is responsible for the packaging and handling of any electronic components.

CASE STUDY: ELECTRONIC DEVICE MISUSE

An employee of one of our clients was suspected of misusing company funds and colluding with an outside party. The company believed that there was information stored on both the employee's cell phone and PDA. The Human Resources team obtained the phone and PDA and placed the employee on administrative leave during the investigation. Both devices were secured by the individual who received them and then shipped them to us after a few weeks.

When the equipment arrived more than a month later, however, we had a difficult time analyzing the evidence. The cell phone battery had expired; luckily, we had a compatible charger available in our lab and were able to recharge it. Unfortunately, the suspect's phone had continued to receive phone calls while locked up with HR. As a result, the received phone call log was overwritten. We were able to get the data through the phone company records given that it was a company phone.

The PDA fared worse. The battery had expired, as had the backup battery. When we recharged the device, we saw that the volatile memory had been wiped out with the battery failure, leaving us with a clean system.


Before disconnecting anything, every cable on the computer or electronic device should be labeled. A simple Brother P-Touch labeler is a cost-effective way to identify a specific cable and where it plugs in on both ends. The cable connections can then be noted in the logbook for later reference when reassembling. After all cables have been labeled, the power cable can be removed to shut down the computer (see the sidebar "Shutdown, Unplug, or Analyze Live" for details on powering down). On Windows systems, the power cable should be removed from the connection on the PC itself instead of the wall jack. Pulling out the wrong power cable can be embarrassing and lead to data loss (for example, if a UPS that communicates with the PC is present). For laptops, the battery should be removed and then the laptop unplugged. If the laptop is unplugged first, the machine may switch power-save modes, which will also potentially alter data. The Shutdown function of Windows should not be used, nor should the power switch on the box.

Tip 

On older systems, the power switch was actually a relay on the power supply and using it caused all power to the system to be disconnected. Recent machines use a software switch, which causes a motherboard interrupt to be generated, resulting in a Windows-friendly system shutdown.

After powering down, each cable should be individually removed from the computer and placed in an evidence bag. After the cables have been removed, all components containing digital logic or that are sensitive to static charge should be placed in anti-static bags. The anti-static bags may then be placed into evidence bags and sealed. Peripherals, media, and other electronics such as floppy disks, CD-ROMs, USB flash drives, PDAs, and cell phones should likewise be placed in anti-static bags prior to being placed in evidence bags.

SHUTDOWN, UNPLUG, OR ANALYZE LIVE

The decision to shut down, unplug, or analyze the system as live is case specific and critical in a Windows investigation.

Shutting down a Windows system using the Shutdown button will have tremendous impact upon a forensic investigation. From a forensic standpoint, shutdown will do the following:

  • Overwrite sections of the hard disk free space as information in memory is written to disk.

  • Remove the swap file (pagefile.sys) that stores cached memory, depending on the operating system version and system settings.

  • Terminate any running processes or applications, some of which may prompt for the saving of data, rendering the information unrecoverable in certain cases.

  • Alter date and time stamps on numerous files.

  • Delete temporary files.

  • Add entries to the event log.

Although other operating systems may be damaged by an improper shutdown, Windows systems are generally better off being powered down by unplugging. The application data for currently open applications may or may not be written to disk, depending on the specific application. The contents of the memory are lost either way, and the hard disk structure is altered less by unplugging.

Although using the built-in shutdown feature is rarely the best approach, performing a live analysis may be valuable. The degree to which a live analysis is performed depends on the case and could consist of anything from a remote port scan to a full examination of the current operating conditions. Live Windows system analysis is covered in detail in Chapter 8, but the decision to do a live analysis can be evaluated by considering several questions:

  • Is an incident actively occurring on the machine?

    • Will capturing data about the incident as it is occurring be potentially useful? If so, keystroke monitoring, network sniffing, and other techniques may be appropriate.

    • Is the active incident destroying data, attacking other systems, or performing another destructive act that will be stopped by unplugging?

    • Will unplugging the system tip off the suspects?

  • Are there currently open applications whose contents will be useful in the case?

  • Are there suspected processes in memory that may be useful in the case?

  • Is information stored in memory likely to be a key component in the case?

    • Is that information likely more valuable than the information on the hard disk?

There are additional options between pulling the plug and performing an in-person, live analysis as well. They are as follows:

  • Documenting the open applications before pulling the plug

  • Evaluating the system remotely

  • Performing a remote forensic duplication (using EnCase Enterprise) and then performing a live analysis

  • Doing the critical pieces of a live analysis and then pulling the plug

When making the decision to pull the plug, the key to success is understanding the implications, applying them to the specific case, and fully documenting the reasons behind the decision.

Note 

Windows 95 sets the file size of the pagefile to 0 at shutdown. Later operating systems rely on the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to decide whether or not to clear the pagefile at shutdown (1 indicates it should be cleared).
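One way to carry out the "documenting the open applications before pulling the plug" option from the sidebar, and to record the ClearPageFileAtShutdown value the Note describes, is a short live-capture script run from the responder's own media. The script below is an added example and is not from the book; it assumes PowerShell 4 or later on the target (for Get-FileHash and Get-NetTCPConnection), that the responder's drive is mounted as E:, and the examiner name is a placeholder to fill in at the scene.

```powershell
# Added example (not from the book): capture the live state a Windows host will
# lose when the plug is pulled, writing only to the responder's own drive.
# Assumptions: PowerShell 4+, responder drive mounted as E:, examiner name is a placeholder.
param(
    [string]$OutRoot  = 'E:\triage',        # assumed responder drive, never the evidence disk
    [string]$Examiner = 'EXAMINER_NAME'     # placeholder, record the real name at the scene
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot ("{0}-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Every step is timestamped so the logbook can show exactly what was touched and when.
$log = Join-Path $outDir 'actions.log'
function Note($msg) { "{0} {1}" -f (Get-Date -Format 'o'), $msg | Add-Content -Path $log }
Note "Live capture started by $Examiner on $env:COMPUTERNAME as $env:USERNAME"

# 1. Open applications: processes that own a visible window are what the user had on
#    screen; unsaved contents of these vanish the moment power is removed.
Get-Process | Where-Object { $_.MainWindowTitle } |
    Select-Object Id, ProcessName, MainWindowTitle, StartTime |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'open_windows.csv')
Note 'Recorded processes with visible windows'

# 2. Full process list with parent PIDs and command lines (suspect processes in memory).
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'processes.csv')
Note 'Recorded process list'

# 3. Active TCP connections: is the machine talking to another system right now?
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'tcp_connections.csv')
Note 'Recorded TCP connections'

# 4. Will pagefile.sys survive a shutdown? A value of 1 means Windows clears it, so only
#    unplugging preserves its contents. Key path is the one cited in the Note above.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
if ($null -eq $clear) { $clear = 'not set (default 0, pagefile kept)' }
Note "ClearPageFileAtShutdown = $clear"
Note 'Capture complete; hashing outputs'

# 5. Hash every output, the action log included, so the capture can later be shown unaltered.
Get-ChildItem -Path $outDir -File | Where-Object { $_.Name -ne 'hashes.txt' } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, $_.Path } |
    Set-Content -Path (Join-Path $outDir 'hashes.txt')
```

Running anything on the live system alters it (a new process, registry reads, file handles on the responder drive), which is why each step is written to actions.log for the logbook before the plug is pulled.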



Windows Forensics: The Field Guide for Corporate Computer Investigations
Author: Chad Steel
Year: 2006
ISBN: 0470038624
