When a potential security breach must be reviewed, the computer forensics process comes into play. Like other forms of legal forensics, it requires a broad knowledge of computer hardware and software in order to protect the chain of custody over the evidence, avoid accidental invalidation or destruction of evidence, and preserve the evidence for future analysis. Computer forensic review applies investigative and analytical techniques to acquire and protect potential legal evidence. A professional in this field therefore needs a detailed understanding of the local, regional, national, and even international laws governing evidence collection and retention, especially in cases involving attacks waged from widely distributed systems located in many separate jurisdictions.

Chain of Custody

Forensic analysis first involves establishing a clear chain of custody over the evidence: the documentation of every transfer of evidence from one person to another, showing the date, time, and reason for the transfer as well as the signatures of both parties involved. In other words, it tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. If you are asked to testify regarding data that has been recovered or preserved, it is critical that you, as the investigating security administrator, be able to show that no other individual or agent could have tampered with or modified the evidence. This requires careful collection and preservation of all evidence, including detailed logging of every investigative access and a defined scope for the investigation. Defining the scope is crucial so that accidental privacy violations or exposure of unrelated data do not contaminate the evidence trail.
After data is collected, it must be secured so that you, as the investigating official, can state with certainty that the evidence could not have been accessed or modified during your custodial term.

Preservation of Evidence

After the evidence has been identified, it must be properly collected and preserved to be used in court; evidence that is not preserved properly may be ruled inadmissible. The forensic process is built around the fact that computer evidence can be altered, lost, or destroyed. Preserving evidence is difficult on computers because the data itself is not physical; it resides on physical devices. Information obtained from a computer will generally fall under the category of hearsay. Hearsay is considered secondhand evidence and is not normally admissible in court. Any affected system should be imaged before any other investigative tools are run against its storage, so that the data is preserved in its current state. If this step is skipped, timestamps may be inadvertently changed or files modified. Worse, because attackers have become more sophisticated, viruses or logic bombs may be set off. After the image is captured, it should be written to write-once (non-erasable) media, its cryptographic hash recorded, and the whole documented according to local laws. If memory and cache are to be examined, the proper tools for capturing and reading these volatile stores must be used before the disk is imaged: disk imaging normally means shutting the system down or booting it from forensic media, which destroys whatever was held in RAM and cache. Keep logs throughout every step. If the data is accessed as part of the investigation, log all activity; if the evidence is moved, document the reason for the move and the procedures used. This may sound like a lot of unnecessary work, but it is critical to preserving the trustworthiness of the data so that it can be presented in court. Label the evidence and store it properly in a secure area.
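As an added illustration of the imaging and verification step described above (example code written for this page, not taken from any forensic product), the following Python acquires a bit-for-bit image of a constructed stand-in for a device file, hashes the bytes as they are read, independently re-hashes the written image, refuses the image if the two digests differ, and then seals it read-only. The device path, the chunk size, the sample contents and the tampering step are all constructed for the demonstration.

```python
"""Forensic image acquisition with on-the-fly hashing and post-copy verification.

Added example standing in for a dd/dc3dd-style acquisition.  The "device" is a
constructed regular file, not a real block device.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat even for very large sources


def sha256_of(path: str) -> str:
    """Hash a file in chunks; used to independently re-verify a written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy `source` byte-for-byte to `image`, hashing the bytes as they are read.

    The acquisition hash (what came off the source) and the verification hash
    (what was actually written, re-read from disk) must match; otherwise the
    image is not a faithful copy and must not be relied on as evidence.
    """
    acquisition = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            acquisition.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes reached stable storage
    acquisition_hash = acquisition.hexdigest()
    verification_hash = sha256_of(image)
    if acquisition_hash != verification_hash:
        raise RuntimeError("verification hash differs from acquisition hash; image is unusable")
    # Seal the image read-only.  In the field this is write-once media or a
    # hardware write blocker; a permission bit is the stand-in used here.
    os.chmod(image, 0o444)
    return {"image": image, "size": os.path.getsize(image), "sha256": acquisition_hash}


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash a stored image before analysis; False means it changed since acquisition."""
    return sha256_of(image) == expected_sha256


def demo() -> dict:
    """Acquire, verify, then show that a single flipped byte is detected."""
    workdir = tempfile.mkdtemp(prefix="forensics-")
    device = os.path.join(workdir, "sdb")            # constructed stand-in for /dev/sdb
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 4097)            # just over one CHUNK, so the loop runs twice
    record = acquire_image(device, os.path.join(workdir, "sdb.dd"))
    intact = verify_image(record["image"], record["sha256"])
    # Simulate later tampering: lift the read-only bit and flip the first byte.
    os.chmod(record["image"], 0o644)
    with open(record["image"], "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    tamper_detected = not verify_image(record["image"], record["sha256"])
    return {"size": record["size"], "intact": intact, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The recorded hash is what ties the image to the chain of custody: anyone who later analyzes the image re-runs verify_image first, and a mismatch means the copy is no longer the one that was acquired. Note that a permission bit only stops accidental writes by an unprivileged analyst; a root user or a hostile tool can clear it, which is why physical write blockers or write-once media are used for the evidential copy.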
Collection of Evidence

As mentioned in the preceding section, hearsay is generally inadmissible. Computer evidence can be admissible if it can be shown that it was collected under defined procedures and as part of a routine business practice. These procedures must be established before the incident and collection occur for the evidence to be admissible. An investigating administrator must take many steps during evidence acquisition, including the following:
Forensic software is available for collecting data properly. Such software lets you collect evidence into a container, a digital evidence bag, and digitally sign it. After evidence is placed inside the bag, it is hashed and signed with the examiner's certificate to prove that no tampering has occurred since it was collected. Evidence gathered in this manner has withstood the rigors of court. Another way to collect data is to image the compromised system or systems, either by copying the entire drive at the binary (bit-for-bit) level or by copying the data into a digital evidence bag. After a complete copy is made, it should be sealed as read-only. The copy must then be secured against tampering or alteration to satisfy the chain of custody rules; if the chain of custody is broken at any point, the court is likely to exclude the evidence.
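The following Python is an added example, written for this page rather than taken from any commercial forensic tool, of the signed container just described and of the chain-of-custody record described in the Chain of Custody section. It stores each item's SHA-256 in a manifest sealed by the collector, logs every transfer with the date and time, both parties, the reason and both parties' signatures, and chains each entry to the previous one so that entries cannot be removed or reordered unnoticed. It assumes per-custodian HMAC keys as a stand-in for certificate-based signatures; the custodian names, keys, case number, timestamps and sample image bytes are all constructed.

```python
"""Digital evidence bag: hashed items, a sealed manifest, and a hash-chained
chain-of-custody log in which every transfer is signed by both parties.

Added example.  Assumption: each custodian holds a secret key and entries are
authenticated with HMAC-SHA256; a commercial tool would use a certificate-backed
digital signature instead, but the verification rule (any changed byte
invalidates the seal) is the same.
"""
import copy
import hashlib
import hmac
import json

# Constructed keys for the example's custodians.
CUSTODIAN_KEYS = {
    "A. Admin": b"constructed-key-admin",
    "B. Examiner": b"constructed-key-examiner",
}
SIG_FIELDS = ("sig_from", "sig_to", "entry_hash")


def _canonical(payload: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(custodian: str, payload: dict) -> str:
    return hmac.new(CUSTODIAN_KEYS[custodian], _canonical(payload), hashlib.sha256).hexdigest()


def seal_bag(case_id: str, items: dict, collector: str, collected_at: str) -> dict:
    """items maps an evidence name to its raw bytes (e.g. a disk image).
    The bag keeps only each item's SHA-256 plus the collector's seal over the manifest."""
    manifest = {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": collected_at,
        "items": {name: hashlib.sha256(data).hexdigest() for name, data in items.items()},
    }
    manifest["seal"] = _sign(collector, manifest)
    return {"manifest": manifest, "custody": []}


def transfer(bag: dict, giver: str, receiver: str, reason: str, when: str) -> None:
    """Record a hand-off: date/time, both parties, reason, both signatures, and a
    link to the previous entry's hash (the manifest seal for the first entry)."""
    prev = bag["custody"][-1]["entry_hash"] if bag["custody"] else bag["manifest"]["seal"]
    entry = {"when": when, "from": giver, "to": receiver, "reason": reason, "prev": prev}
    body = dict(entry)                     # both parties sign the same unsigned body
    entry["sig_from"] = _sign(giver, body)
    entry["sig_to"] = _sign(receiver, body)
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    bag["custody"].append(entry)


def verify_bag(bag: dict, items: dict) -> list:
    """Return a list of problems; an empty list means items, seal and custody trail are intact."""
    problems = []
    manifest = dict(bag["manifest"])
    seal = manifest.pop("seal")
    if not hmac.compare_digest(seal, _sign(manifest["collected_by"], manifest)):
        problems.append("manifest seal invalid")
    for name, digest in manifest["items"].items():
        if name not in items or hashlib.sha256(items[name]).hexdigest() != digest:
            problems.append(f"item {name!r} missing or altered")
    prev = seal
    for i, entry in enumerate(bag["custody"]):
        body = {k: v for k, v in entry.items() if k not in SIG_FIELDS}
        if body["prev"] != prev:
            problems.append(f"custody entry {i}: chain broken")
        if not hmac.compare_digest(entry["sig_from"], _sign(body["from"], body)):
            problems.append(f"custody entry {i}: signature of {body['from']!r} invalid")
        if not hmac.compare_digest(entry["sig_to"], _sign(body["to"], body)):
            problems.append(f"custody entry {i}: signature of {body['to']!r} invalid")
        unhashed = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["entry_hash"] != hashlib.sha256(_canonical(unhashed)).hexdigest():
            problems.append(f"custody entry {i}: entry hash invalid")
        prev = entry["entry_hash"]
    return problems


def demo() -> dict:
    """Seal a bag, record two transfers, then show three kinds of tampering being caught."""
    image = bytes(range(256)) * 64                       # constructed stand-in for a disk image
    items = {"sdb.dd": image}
    bag = seal_bag("IR-2024-017", items, "A. Admin", "2024-03-01T09:15:00Z")   # constructed case id
    transfer(bag, "A. Admin", "B. Examiner", "hand-off for lab analysis", "2024-03-01T11:00:00Z")
    transfer(bag, "B. Examiner", "A. Admin", "returned to evidence locker", "2024-03-04T16:30:00Z")
    clean = verify_bag(bag, items)
    altered = {"sdb.dd": image[:-1] + bytes([image[-1] ^ 0x01])}   # one byte of the image changes
    item_problems = verify_bag(bag, altered)
    edited = copy.deepcopy(bag)
    edited["custody"][0]["reason"] = "routine backup"               # someone rewrites a log entry
    log_problems = verify_bag(edited, items)
    gapped = copy.deepcopy(bag)
    del gapped["custody"][0]                                        # a transfer is deleted
    chain_problems = verify_bag(gapped, items)
    return {"clean": clean, "item_problems": item_problems,
            "log_problems": log_problems, "chain_problems": chain_problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for court use. First, the custody entry is signed by both the giver and the receiver, mirroring the two signatures on a paper custody form, so neither party can later claim the hand-off was recorded without them. Second, the chain only proves that no entry was removed from the middle; deleting the most recent entry is invisible unless the current head hash is also recorded somewhere the custodian cannot edit, such as a signed case log or a notarized timestamp.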