Understanding Computer Forensics

When a potential security breach must be reviewed, the computer forensics process comes into play. Similar to other forms of legal forensics, this process requires a vast knowledge of computer hardware and software in order to protect the chain of custody over the evidence, avoid accidental invalidation or destruction of evidence, and preserve the evidence for future analysis. Computer forensic review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence. Therefore, a professional within this field needs a detailed understanding of the local, regional, national, and even international laws affecting the process of evidence collection and retention, especially in cases involving attacks that may be waged from widely distributed systems located in many separate regions.

Chain of Custody

Forensic analysis first involves establishing a clear chain of custody over the evidence, which is the documentation of all transfers of evidence from one person to another, showing the date, time, and reason for transfer as well as the signatures of both parties involved in the transfer. In other words, it tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. If you are asked to testify regarding data that has been recovered or preserved, it is critical that you, as the investigating security administrator, be able to prove that no other individuals or agents could have tampered with or modified the evidence. This requires careful collection and preservation of all evidence, including the detailed logging of investigative access and the scope of the investigation. Definition of the scope is crucial to ensure that accidental privacy violations or unrelated exposure will not contaminate the evidence trail. After data is collected, it must be secured in such a manner that you, as the investigating official, can state with certainty that the evidence could not have been accessed or modified during your custodial term.
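The custody record described above can be kept in a form that makes tampering detectable rather than merely discouraged. The following is an added example, not code from the book or from any forensic product: each transfer entry carries the date, time, giver, receiver, reason, and the hash of the evidence at that moment, is chained to the previous entry by hash, and is countersigned by both parties. Per-person HMAC keys, the `CustodyLog` class, and the case and item identifiers are assumptions made for the example; the HMAC stands in for the handwritten or certificate-based signatures a real log would use.

```python
"""Hash-chained chain-of-custody log for one evidence item (added example, stdlib only)."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

ZERO = "0" * 64  # predecessor hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every transfer of one evidence item.

    Each entry records who handed the item over, who received it, when, why, and
    the item's hash at that moment. The entry is chained to its predecessor by
    hash and countersigned by both parties (per-person HMAC keys are an assumed
    stand-in for real signatures), so an altered, removed or reordered record,
    or any change to the evidence itself, is reported by verify().
    """

    def __init__(self, case_id: str, item_id: str, evidence: bytes,
                 party_keys: dict[str, bytes]):
        self.case_id = case_id
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(evidence)  # hash taken when the item was seized
        self.party_keys = party_keys
        self.entries: list[dict] = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Hash every field except the hash itself and the signatures over it.
        body = {k: v for k, v in entry.items() if k not in ("entry_sha256", "signatures")}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record_transfer(self, giver: str, receiver: str, reason: str,
                        evidence: bytes, when: str | None = None) -> dict:
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "seq": len(self.entries),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "from": giver,
            "to": receiver,
            "reason": reason,
            "evidence_sha256": sha256_hex(evidence),  # re-hashed at every handover
            "prev_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else ZERO,
        }
        entry["entry_sha256"] = self._entry_hash(entry)
        # Both parties sign the entry hash, as both would sign a paper custody form.
        entry["signatures"] = {
            p: hmac.new(self.party_keys[p], entry["entry_sha256"].encode(), "sha256").hexdigest()
            for p in (giver, receiver)
        }
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list[str]:
        """Return a list of problems; an empty list means the log and item are intact."""
        problems: list[str] = []
        prev = ZERO
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_sha256"] != prev:
                problems.append(f"entry {i}: chain break (record missing, reordered or inserted)")
            if self._entry_hash(e) != e["entry_sha256"]:
                problems.append(f"entry {i}: record altered after signing")
            for party in (e["from"], e["to"]):
                expected = hmac.new(self.party_keys[party], e["entry_sha256"].encode(),
                                    "sha256").hexdigest()
                if not hmac.compare_digest(expected, e["signatures"].get(party, "")):
                    problems.append(f"entry {i}: signature of {party} invalid")
            if e["evidence_sha256"] != self.acquisition_hash:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e["entry_sha256"]
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("evidence presented now differs from acquisition hash")
        return problems


if __name__ == "__main__":
    # Constructed sample: a small byte string plays the role of the seized image.
    evidence = b"constructed disk image bytes"
    keys = {"alice": b"key-alice", "bob": b"key-bob", "carol": b"key-carol"}
    log = CustodyLog("CASE-0001", "ITEM-01", evidence, keys)
    log.record_transfer("alice", "bob", "transport to lab", evidence)
    log.record_transfer("bob", "carol", "handover for analysis", evidence)
    print(log.verify(evidence))  # [] when nothing has been touched
```

The point of re-hashing the item at every handover is that the log shows not only who held the evidence but that it was unchanged each time it changed hands; a mismatch pins the alteration to a custodial term rather than leaving the whole chain in doubt.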

Preservation of Evidence

After the evidence has been identified, it must be properly collected and preserved to be used in court. If the evidence is not preserved properly, it may be inadmissible. The forensic process is built around the fact that computer evidence can be altered, lost, or destroyed. Preserving evidence is difficult in computers because the data itself is not physical; instead it resides on physical devices. Information obtained from a computer will generally fall under the category of hearsay. Hearsay is considered secondhand evidence and is not normally admissible in court.

Any affected system should be immediately imaged before any other investigative tools are used. This ensures that data is preserved in its current state. If this step is not followed, timestamps may be inadvertently changed or files may be modified. Worse yet, because criminals have become more sophisticated, viruses or logic bombs may be set off. After the image is captured, it should be written to nonerasable media and documented according to local laws. If memory and cache are to be examined, the proper tools for capturing and reading these hardware devices should be used before imaging. Because imaging requires the computer to be rebooted, it would destroy data located in RAM and cache devices.

During each of the steps, logs should be kept. If the data is accessed as a part of the investigation, all activity should be logged. If the evidence is moved, the reason for the move and the procedures used should be documented. This may sound like a lot of unnecessary work, but it is critical to preserving the trustworthiness of the data so that it can be presented in court. Remember that evidence should be labeled and stored properly in an area that is secure.

Collection of Evidence

As mentioned in the preceding section, hearsay is generally inadmissible. Computer evidence can be admissible if it can be shown that it was collected under defined procedures and as part of a routine business practice. These procedures must be established before the incident and collection occur in order for the evidence to be admissible.

An investigating administrator must take many steps during the process of evidence acquisition, including the following:

  • Protection It is important to protect the subject computer system or systems against alteration, physical damage, data corruption, or viral incursion.

  • Discovery Investigations must include existing files, deleted files, slack space (where unallocated space may retain valuable evidence), hidden files, encrypted files, and details regarding file ownership, file access, and file modification. This includes temporary file stores, pagefiles, and swap areas.

  • Analysis An analysis of the information should include details of any assumptions made during the course of the investigation, along with the results generated based on these assumptions. It is critical to include both successful and failed assumptions.

  • Documentation Documentation should include printouts, file listings, system and network layouts, file structures and file system details, discovered data and file ownership information, and any other details that might indicate the events that may have occurred. It is recommended that a detailed log of all access attempts and assumptions be included to prove that changes made during the investigative process were valid and not corruptive.

  • Preservation It is vital to preserve all documentation, data, and related items until such time as a properly designated and authorized agent of the court or the organization's legal staff is able to take possession. A signed document detailing the transfer should also be included in the documentation to provide clear tracking from the moment of the investigation's initiation to its conclusion.

  • Testimony An investigator should be prepared to provide expert analysis, consultation, and testimony if required. In many cases, the time between an investigation and its resolution may be significant, causing the documentation to become more important if the investigator is asked to testify or provide later analysis.


The practice of forensic analysis is a detailed and exacting one. The information provided in this chapter allows an entering professional to recognize the actions that will be taken during an investigation. It is crucial that you do not attempt to perform these tasks without detailed training in the hardware, software, network, and legal issues involved in forensic analysis.


Forensic software is available for collecting data properly. Forensic software allows you to collect and digitally sign a container that electronically stores evidence. After evidence is placed inside a digital bag, it is signed with a certificate to prove that no tampering has occurred since it was collected. Evidence gathered properly in this manner has already withstood the rigors of court and has been successful.

Another form of collecting data involves the imaging of the system or systems compromised. This can be done by copying the entire drive at the binary level, or the data can be copied into a digital evidence bag. After a complete copy is made, it should be sealed as read-only. After that complete copy of the data is collected and stored, it must be secured from tampering or alteration to meet the necessary chain of custody rules. If the chain of custody is broken at any point, the court will simply throw out the evidence.
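The imaging, sealing, and read-only steps above can be illustrated end to end. The following is an added example, not code from the book or from any forensic product: it copies a source byte-for-byte into an image file while hashing, re-reads the written image to confirm it matches, writes a manifest beside it, seals the manifest with an HMAC (an assumed stand-in for the certificate-based signature of a commercial evidence bag), marks both files read-only, and later verifies all of that. The `CHUNK_SIZE`, the manifest layout, the `sealing_key`, and the example paths are assumptions; `run_demo()` builds a constructed source file in a temporary directory so the block runs offline.

```python
"""Binary imaging, hash verification, manifest seal, and read-only seal (added example, stdlib only)."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import stat
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(source_path: str, image_path: str) -> str:
    """Copy the source byte-for-byte to image_path, hashing the stream as it is read,
    then re-read the image from disk and confirm it carries the same hash."""
    source_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            source_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on the media before hashing them
    image_digest = hash_file(image_path)
    if image_digest != source_hash.hexdigest():
        raise RuntimeError("written image does not match source; discard and re-image")
    return image_digest


def seal_image(image_path: str, image_sha256: str, examiner: str,
               acquired_utc: str, sealing_key: bytes) -> str:
    """Write a sealed manifest beside the image and mark both files read-only."""
    manifest = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": image_sha256,
        "examiner": examiner,
        "acquired_utc": acquired_utc,
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    sealed = {"manifest": manifest,
              "hmac_sha256": hmac.new(sealing_key, body, "sha256").hexdigest()}
    manifest_path = image_path + ".manifest.json"
    with open(manifest_path, "w") as fh:
        json.dump(sealed, fh, indent=2)
    for path in (image_path, manifest_path):
        os.chmod(path, stat.S_IRUSR | stat.S_IRGRP)  # owner/group read only, no write bits
    return manifest_path


def verify_seal(image_path: str, manifest_path: str, sealing_key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the image is exactly as sealed."""
    problems: list[str] = []
    with open(manifest_path) as fh:
        sealed = json.load(fh)
    manifest = sealed["manifest"]
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(sealing_key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac_sha256"]):
        problems.append("manifest seal invalid: manifest edited or wrong key")
    if os.path.getsize(image_path) != manifest["size_bytes"]:
        problems.append("image size differs from manifest")
    if hash_file(image_path) != manifest["sha256"]:
        problems.append("image hash differs from manifest")
    if stat.S_IMODE(os.stat(image_path).st_mode) & 0o222:
        problems.append("image file is writable: read-only seal removed")
    return problems


def run_demo() -> tuple[list[str], list[str], list[str]]:
    """Image a constructed source, seal it, then verify intact, wrong-key, and tampered cases."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample media contents\n" * 2000)  # constructed, not real evidence
    image = os.path.join(workdir, "source.img")
    digest = image_and_hash(source, image)
    key = b"custodian-sealing-key"  # assumed: held by the custodian, not stored with the image
    manifest = seal_image(image, digest, "examiner-01", "2024-01-01T00:00:00Z", key)
    clean = verify_seal(image, manifest, key)
    wrong_key = verify_seal(image, manifest, b"other-key")
    os.chmod(image, 0o600)  # simulate someone lifting the seal and appending a byte
    with open(image, "ab") as fh:
        fh.write(b"x")
    tampered = verify_seal(image, manifest, key)
    return clean, wrong_key, tampered


if __name__ == "__main__":
    print(run_demo())
```

A real acquisition reads the raw device through a hardware write blocker rather than a file on a mounted filesystem; opening files on a live system updates access times, which is exactly the kind of change the text warns against. The manifest hash is what the later chain-of-custody entries and any courtroom verification compare against, so it belongs on the nonerasable media together with the image.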



Security+ Certification Exam Cram 2 (Exam Cram SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162