

Once the data has been collected, it must be protected from contamination. Originals should never be used in forensic examination; work only on duplicates that have been verified (for example, by comparing a cryptographic hash of the copy with that of the original). This not only keeps the original data clean, but also lets examiners try more aggressive, potentially data-corrupting tests. Any such tests should be run on a clean, isolated host machine; you don't want to make the problem worse by letting the attacker's programs reach a network.

The way to demonstrate that data has remained uncorrupted is to keep a chain of custody: a detailed record of what was done with the original copies from the moment they were collected. Remember that this record will be questioned later on, so document everything: who found the data, when and where it was transported (and how), who had access to it, and what they did with it. You may find that your documentation ends up larger than the data you collected, but it is necessary to prove your case.


Once the data has been successfully collected, it must be analyzed to extract the evidence you wish to present and to rebuild what actually happened. As with everything else, make sure you fully document everything you do: your work will be questioned, and you must be able to show that your results can be obtained consistently by repeating the procedures you performed.


To reconstruct the events that led to your system being compromised, you must be able to create a timeline. This can be particularly difficult with computers: clock drift, delayed reporting, and differing time zones can create confusion in abundance. One thing to remember is to never, ever change the clock on an affected system. Measure and record its drift against a trusted reference clock, and record the time zone it is set to, as you will need both later; changing the clock just adds an extra level of complexity that is best avoided.

Log files usually carry a timestamp for each entry, and timestamps from different systems must be normalized to a common reference before they make sense together. You should also be timestamping your own actions: you are not just reconstructing events, you are creating a chain of events that must be accounted for as well. It is best to use GMT (UTC) for your own timestamps, since the incident may involve time zones other than your own and a common reference point makes correlation much easier.
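As an added example (not code from the original chapter), the following Python normalizes two constructed logs to UTC using the time zone and clock drift recorded for each system at collection time. The source names, log lines, addresses, zone offsets and drift values are all made up for the illustration. Read naively, the web server appears to log the request before the firewall accepted the connection that carried it, which is impossible; once the recorded drift is removed, the causal order is restored.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from the original page). The web server was set
# to US Pacific daylight time (UTC-7) and its clock was measured 135 s BEHIND a
# trusted reference at seizure; the firewall logs in UTC with no measurable drift.
WEB_LOG = """\
2004-06-14 23:58:40 GET /cgi-bin/admin.pl from 203.0.113.7
2004-06-15 00:01:12 POST /cgi-bin/admin.pl from 203.0.113.7
"""
FW_LOG = """\
2004-06-15T07:00:30Z ACCEPT tcp 203.0.113.7:44121 -> 192.0.2.10:80
2004-06-15T07:05:30Z ACCEPT tcp 203.0.113.7:44300 -> 192.0.2.10:22
"""

# What was recorded for each system at collection time: the zone it was set to,
# the format of its timestamps, how many space-separated tokens the timestamp
# occupies, and its drift (positive = clock ahead of reference, negative = behind).
SOURCES = {
    "web": {"tz": timezone(timedelta(hours=-7)), "fmt": "%Y-%m-%d %H:%M:%S",
            "tokens": 2, "drift": timedelta(seconds=-135)},
    "fw":  {"tz": timezone.utc, "fmt": "%Y-%m-%dT%H:%M:%SZ",
            "tokens": 1, "drift": timedelta(0)},
}


def to_utc(raw_ts, source):
    """Interpret raw_ts in the source's zone, remove its drift, express in UTC."""
    cfg = SOURCES[source]
    local = datetime.strptime(raw_ts, cfg["fmt"]).replace(tzinfo=cfg["tz"])
    # A clock that runs behind (negative drift) logged too-early stamps, so
    # subtracting the negative drift moves the event later, where it belongs.
    return (local - cfg["drift"]).astimezone(timezone.utc)


def build_timeline(logs):
    """logs maps source name -> raw log text. Returns (utc, source, message,
    raw_ts) tuples ordered by corrected UTC time; the original stamp is kept so
    the correction applied to each entry can be shown and defended."""
    events = []
    for source, text in logs.items():
        n = SOURCES[source]["tokens"]
        for line in text.splitlines():
            if not line.strip():
                continue
            parts = line.split(" ", n)
            raw_ts, message = " ".join(parts[:n]), parts[n]
            events.append((to_utc(raw_ts, source), source, message, raw_ts))
    return sorted(events, key=lambda e: e[0])


def examiner_stamp():
    """UTC stamp for the examiner's own work log, on the same reference as the timeline."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


if __name__ == "__main__":
    for utc, source, message, raw in build_timeline({"web": WEB_LOG, "fw": FW_LOG}):
        print(f"{utc.isoformat()}  {source:3}  {message}   (logged as {raw})")
```

The per-source table is the part worth keeping in the case file: every corrected time can be traced back to a raw stamp, a recorded zone and a recorded drift, which is exactly what you will be asked to justify.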

Forensic Analysis of Back-Ups

When analyzing back-ups, it is best to have a dedicated host for the job. This examination host should be secure, clean (a fresh, hardened install of the operating system is a good idea), and isolated from any network—you don’t want it tampered with while you work, and you don’t want to accidentally send something nasty down the line.

Once this system is available, you can commence analysis of the back-ups. Making mistakes at this point shouldn’t be a problem—you can simply restore the back-ups again if required.

Remember the mantra—document everything you do. Ensure that what you do is repeatable and capable of always giving the same results.

Reconstructing the Attack

Now that you have collected the data, you can attempt to reconstruct the chain of events leading to and following the attacker’s break-in. You must correlate all the evidence you have gathered (which is why accurate timestamps are critical)—so it’s probably best to use some graphical tools, diagrams, and spreadsheets. Include all of the evidence you’ve found when reconstructing the attack—no matter how small it is. You may miss something if you leave a piece of evidence out.

As you can see, collecting electronic evidence is no trivial matter. There are many complexities you must consider, and you must always be able to justify your actions. It is far from impossible though—the right tools and knowledge of how everything works is all you need to gather the evidence required.

Now, let’s look at the gritty details of the search and seizure forensic activity. However, a word of warning is in order: Things become reasonably involved from this point on; try not to get overwhelmed. Keep in mind that the degree of complexity in the search and seizure process can always be scaled back in accordance with an organization’s investigation policies. (High-profile cases are given the full treatment; low-profile cases are given a less involved treatment.)

Searching and Seizing

The science of Computer Forensics is fast becoming a very necessary skill set for law enforcement departments, government entities, and corporations worldwide. As society becomes more digitized, the need for skilled personnel in this arena becomes more and more pressing. And as this shortage of skilled technicians becomes apparent, you will find more and more companies rushing in to fill the gap. You will see experts arise from all corners of the world. More on this later.

As it stands today, there is no single methodology for performing a computer forensic investigation and analysis. There are too many variables for there to be just one way. Some of the typical variables that first come to mind are operating systems, software applications, cryptographic algorithms and applications, and hardware platforms. Beyond these obvious variables lie others that are equally challenging: law, international boundaries, publicity, and methodology.

The intent of this part of the chapter is merely to put some ideas out there: to generate some interest and, more important, to stimulate thinking. As far as evidence search and seizure goes, some of these ideas already exist. Computer forensics is an exact science. It is tedious and meticulous, and there is no room for error. Does that not contradict what we, as humans, are? We err; we are not perfect. The hope here is simply that you become more aware of the variables that are a part of computer forensics, and see that you must develop a methodology to work from. It is also very important to recognize that if you cannot be perfect and error free, then you must be exact in your methodology and make sure that you perform your investigations in accordance with the standards you have developed. There are a few widely accepted guidelines for computer forensic analysis:

  • A computer forensic examiner is impartial. Our job is to analyze the media and report our findings with no presumption of guilt or innocence.

  • The media used in computer forensic examinations must be sterilized before each use.

  • A true image (bit stream) of the original media must be made and used for the analysis.

  • The integrity of the original media must be maintained throughout the entire investigation.

Before the Investigation

Long before the investigation begins, certain things need to be known. First, for the sake of argument, let's say that you have skilled technicians in-house. They have acquired and analyzed a plethora of evidence during their tenure. Excellent. You are confident in their ability. Furthermore, you have a top notch lab: the right equipment, the right computer forensic analysis tools, and so on. You are set, right? Well, maybe.

All the equipment and talent will not help you if you are not in synchronization with your local District Attorney. "Ah, we're sorry Capt. Solo, but this is not enough evidence for me to move this case forward and prosecute." Huh? Well, perhaps your local DA requires such and such, and you only have such. Or maybe the DA requires more documentation on the chain of evidence handling. You cannot go backwards and recreate the trail after you have already blazed it!

This may seem like a no-brainer. Maybe. But ask around, and you may be surprised how often you get the response: "Oh yeah, that is a good idea." So work not only with your local DA, but also with your state DA. Network with them when you are not pushing a case. Learn what they require as a minimum, and tweak your methodology to meet it and go beyond. This way, when a case arises, you know what is required and can work it from inception in support of those requirements.

Methodology Development

Because there are so many variables in a computer forensics case, can anyone really develop the one methodology to work from? Not really! However, two things will lead to a solid analysis and a solid case: defining your methodology, and working according to it. By definition, a methodology implies a method, a set of rules: the guidelines employed by a discipline.

The idea is that if you cannot defend how you work, or why you work this way, the defense can drill you over and over again. Remember, the majority of jurors are not technical gurus. To sit there and explain to them that you have not defined the methodology your department uses is equivalent to admitting that you handle each case differently. Huh? Why not the same? Why is each case handled differently?

By defining your methodology, you are working from a guideline, a set of rules: this is what you do, this is how you do it, and here are the steps. It becomes a discipline. Your department has these guidelines and you follow them for each and every case. No, they are not exact; you use them as a point of reference and a focal starting point for each phase of every investigation. They cannot be exact because no two cases are identical. This car here is a Rolls-Royce, whereas that car there is a Yugo. You drive them differently because you have to. However, they are still both cars, so the basic mechanics are the same and you follow them. This is your methodology. You follow it: you open the door, you sit down, you start the engine, and so on. But come time to drive, you drive differently! You have to, because the variables dictate it.

Document Everything

The chain of evidence is critically important in computer forensic investigations. Who had custody at every step along the way? If resources allow, assign two computer forensics personnel to each case, every step of the way; having one person document what the other is doing, and how, provides a very detailed and accurate record of the handling of the evidence. Important items in the documentation are the dates and times at which steps were taken, the names of those involved, and under whose authority the steps were taken.

If nothing else, by having this complete documentation you should be able to refute any claims of mishandling—especially if you have followed the steps defined within your methodology! Also, the documentation can provide a good point of reference for jogging the memories of the computer forensic examiners when case duration is lengthy and/or caseload is high.

Evidence Search and Seizure

Again, remembering that your specific needs will vary, the steps listed here are not meant to be taken literally. They are not concrete, and they may not be perfect for every case you work. Before search and seizure begins, you should already have the proper documents filled out and paperwork filed, as well as permission from the proper authority to search and seize the suspect's equipment (PC, server, tapes, etc.).

Step 1: Preparation

Before the investigation, make sure you are prepared! Sterilize all media that is to be used in the examination process. If you cannot afford new media for each case, then you must make sure that the reusable media is free of viruses and that all data has been wiped from it; verify the wipe (for example, by confirming that the medium reads back as all zeros) and document the wiping and scanning process. Also check that all computer forensic tools (software) are licensed for use, and that all lab equipment is in working order.

This is the time to make sure you have made a good choice of computer forensic examiner! Is the examiner able to testify in court if necessary? Is the examiner able to explain the methodology used in real-world, simple-to-understand terms? Or will the jurors be left wondering what bytes, bits, slack space, and hidden files are? What is reasonable doubt in relation to something completely foreign to them? Technical evidence that is not explained well can itself create reasonable doubt: if some jurors cannot understand how, when a file is hidden, someone else could find it, it is reasonable for them to acquit!

When faced with the question of how to explain something so technical to a very nontechnical jury, compare the computer to a library. The jurors know what a library is. Ask them whether they would use the card catalog to look up a book and find which shelf it is on; in the same way, the examiner uses the directory structure to find files on a piece of evidence. Then ask: if you walked through the library, would you not find books on the shelves that were not in the card catalog? The same holds on the computer: if you do a physical search of the media, you will find data that is not cataloged in any directory.

Step 2: Snapshot

Your team needs to take a snapshot of the actual evidence scene. You should photograph the scene, whether it is a room in a home or in a business. Digital cameras seem to be the emerging standard here.

You should also note the scene. Take advantage of your investigative skills here. Note pictures, personal items, and the like. Later on in the examination, these items may prove useful (e.g., for password cracking).

Next, photograph the actual evidence. For simplicity, let us assume, for example, that the evidence is a PC in a home office. Take a photograph of the monitor. What is on the screen? Take a photograph of the PC. Remove the case cover carefully and photograph the internals.

In addition, document the PC in your journal: the hardware, the internal drives, peripheral components, serial numbers, and so on. Make sure you document the configuration of the cables and connections as well (IDE, SCSI, etc.).

You should also label the evidence according to your methodology. And you should photograph the evidence again after the labels have been applied.

Remember to document everything that goes on (who did what, how, why, and at what time). Also make sure that your designated custodian for the chain of custody initials each item after double-checking the list you created at the scene. By now you should have noted the configuration, the components, and so on; the custodian of the evidence should double-check your list and put his or her initials next to yours while still at the scene. It is imperative to do this checking at the scene so as to dispel any later suggestion that the evidence was tainted.

Finally, you should videotape the entry of all personnel. This may not always be possible, and in some cases or departments, this may be cost prohibitive. However, what you are doing here is taping the actual entrance of your team into the suspect’s scene. By capturing your entrance and what you possess on tape, you are setting the stage for refuting any claims that evidence was planted at the scene, and so on.

However, where could the defense then point suspicion? The transport of the evidence? Right! So, by taping the entrance and the transport to the lab, you have a verifiable trail of what you did, when you did it, and how you did it. Is this overkill? Is this possible for every case you work? The taping process is a very solid means of supporting your work and may one day be required in your methodology.

Step 3: Transport

Assuming you have the legal authority to transport the evidence to your lab, pack the evidence securely. Be careful to guard against electrostatic discharge. Also photograph or videotape, and document, the handling of evidence leaving the scene to the transport vehicle, and again from the transport vehicle to the lab examination facility.

Step 4: Examination

Now prepare the acquired evidence for examination in your lab. This involves unpacking the evidence and documenting it according to your methodology (date, time, examiners, etc.). You should also visually examine the evidence, noting and documenting any unusual configurations (of a PC), marks, and so on. For the rest of this example, assume that you have seized a PC from a home office with a single 8 GB hard drive.

Now it is time to make an exact image of the hard drive. There are many options for the tool used to image the drive: EnCase, the Unix command dd, Byte Back, SafeBack, and the list goes on. It is wise to have a variety of tools in your lab. Each has its respective strengths; work with as many of them as you can, and become so familiar with them that you know their strengths and weaknesses and how to apply each. One important note: turn off virus-scanning software on the examination machine, so that it cannot quarantine, clean, or otherwise alter files on the image or the evidence media.

Next, record the date and time held by the PC's CMOS (BIOS) clock. This is very important, especially when time zones come into play; for example, the evidence was seized in California (PDT) and analyzed in Georgia (EDT).


It is crucial to remove the storage media (hard drives, etc.) prior to powering on the PC to check the CMOS!

Do not boot the suspect machine! You can make the image in a number of ways, but the key is to do it from a controlled machine: one you know works in a nondestructive manner and will not write to the evidence media (a hardware write blocker between the evidence drive and the imaging host is the usual safeguard).

When making the bit stream image, note and document how the image was created. You should also note the date, time, and examiner. Note the tool used. Again, you are working from your methodology.

Also, when making the image, make sure that the tool you use reads the evidence media as raw blocks and does not go through its file system. You do not want to make any writes, you do not want to mount the file system, and you do not want to do anything that will change the access time of any file on that evidence media. Once the image is made, compute a cryptographic hash of the original media and of the image and record both; matching values are your proof that the image is a true bit-for-bit copy.

After making the image, seal the original evidence media in an electrostatic-safe container, catalog it, and initial the container. Make sure that anyone who comes in contact with this container also inscribes his or her initials on it. The container should be locked in a secure room upon completion of the imaging.

It may be wise to then make a second bit stream image from your first image, and to verify that its hash matches. You may need to provide a copy to the suspect's household or employer, especially if the seized machine was used in a workplace, and working from a copy keeps your master image pristine. Finally, the examination of the acquired image begins.
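As an added example (not code from the original chapter, and not a substitute for EnCase, dd, Byte Back or SafeBack), the following Python performs the sterile-media check from Step 1 and the bit-stream copy, on-the-fly hashing, verification and logging from Step 4 on a constructed 1 MiB "drive" held in a temporary file. The function names, file names and examiner label are assumptions for the illustration. In real use the source path would be a raw device node (such as /dev/sdb) reached through a hardware write blocker; opening a device read-only in software does not stop the operating system from automounting it, so the blocker, not this code, is what protects the original.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: efficient on a real drive, bounded memory


def sha256_file(path):
    """Hash a file or raw device by reading it sequentially, never via a file system."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def first_nonzero(path):
    """Offset of the first non-zero byte, or -1 if the medium reads as all zeros.
    Used to confirm that reusable target media really was wiped (Step 1)."""
    offset = 0
    with open(path, "rb", buffering=0) as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return offset + next(i for i, b in enumerate(block) if b)
            offset += len(block)
    return -1


def acquire(src, dst, examiner, log):
    """Bit-stream copy of src into the image file dst, hashing src as it is read.

    src is opened read-only by raw path (a device node behind a write blocker in
    real use; a constructed file here), so its file system is never mounted and
    no file access time changes. The acquisition record is appended to log."""
    h = hashlib.sha256()
    fd = os.open(src, os.O_RDONLY)
    try:
        with open(dst, "wb") as out:
            while True:
                buf = os.read(fd, CHUNK)
                if not buf:
                    break
                h.update(buf)
                out.write(buf)
    finally:
        os.close(fd)
    record = {
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "source": src,
        "image": dst,
        "tool": "acquire(): raw read, sha256 computed on the fly",
        "sha256_source": h.hexdigest(),
        "sha256_image": sha256_file(dst),  # independent re-read of what was written
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    log.append(record)
    return record


def verify(path, expected_sha256):
    """Re-hash path and compare with the value recorded at acquisition."""
    return sha256_file(path) == expected_sha256


# Constructed 1 MiB "drive" for the stand-alone demo; not real evidence.
EVIDENCE = bytes(range(256)) * 4096


def demo():
    """Check a wiped target, image the drive, take a working copy of the image,
    then show that a single changed byte in the working copy is detected."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.raw")  # reusable media after wiping
        with open(target, "wb") as f:
            f.write(bytes(64 * 1024))
        drive = os.path.join(d, "drive.raw")    # the seized drive
        with open(drive, "wb") as f:
            f.write(EVIDENCE)
        master = acquire(drive, os.path.join(d, "master.dd"), "examiner-1", log)
        work = acquire(master["image"], os.path.join(d, "work.dd"), "examiner-1", log)
        with open(work["image"], "r+b") as f:   # simulate a careless write to the copy
            f.seek(4096)
            f.write(b"\xff")
        return {
            "target_sterile": first_nonzero(target) == -1,
            "drive_first_nonzero": first_nonzero(drive),  # 1: not wiped, as expected
            "sha256": master["sha256_source"],
            "verified": master["verified"],
            "original_unchanged": verify(drive, master["sha256_source"]),
            "working_copy_matches": work["sha256_image"] == master["sha256_source"],
            "tampered_detected": not verify(work["image"], master["sha256_source"]),
            "log_entries": len(log),
        }


if __name__ == "__main__":
    print(demo())
```

The three hash comparisons in demo() are the ones a defense will ask about: the image matches what was read, the original still matches after imaging, and the working copy is re-checked before use so that a stray write is caught rather than attributed to the suspect.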
