15.3 Documentation, Collection, and Preservation

15.3 Documentation, Collection, and Preservation

In some instances, it is desirable to preserve digital evidence on a networked system by gaining physical access to the associated computer and making a bit-stream copy of the contents using the guidelines provided in Chapter 23. Also, the same procedures are used to preserve loose media and related backup tapes, and collect associated hardware and software needed to read them. The primary differences when dealing with networked systems arise when digital investigators cannot make a bitstream copy of digital evidence.

A bitstream copy may not be viable in some situations because the system cannot be shut down, the hard drive may be too large to copy, or the digital investigator may not have authority to copy the entire drive. Also, digital investigators often rely on large Internet Service Providers to collect evidence from their own systems such as subscriber information. Furthermore, digital investigators may not be able to gain physical access to the system containing evidence, requiring them to collect evidence remotely. Digital investigators also collect digital evidence remotely when there is a strong chance that it will be destroyed before they can reach the machine. For instance, data on the Internet such as Web pages and Usenet messages can be altered or removed at any time and computer intruders often delete log files.

Also, when digital investigators are performing certain tasks, data is only displayed on screen for a moment, making it necessary to preserve the dynamic digital evidence in some way. For example, script on UNIX and the HyperTerminal program available on most Microsoft Windows systems can be used to record the results of an examination of routers, firewalls, and other network devices through a serial cable (Figure 15.3). Also, a second digital investigator observing the collection process can jot down each action and its result while the evidence is being collected. This approach has the added benefit of catching mistakes and making suggestions.

Figure 15.3: HyperTerminal has the capability to record the results of a router examination in a file. The "Capture Text" option is on the "Transfer" menu.

Another example of real time evidence gathering is an IRC chat session in which digital investigators keep a running log of their conversation with a suspect. However, if a significant amount of information is being displayed onscreen it may be desirable to record a visual representation of events. A visual recording can be created using a video camera or a software program that can capture dynamic digital evidence, like a sequence of onscreen events, and can replay them at a later time much like videotape. Notably, these and other programs that are useful for collecting digital evidence do not perform integrity checking and other documentation that can be used to authenticate the data.

In some cases, it is necessary to monitor network traffic in real time to convincingly attribute online activities to an individual and to locate other targets. Many organizations use intrusion detection systems to continuously monitor network traffic and generate alerts when certain patterns occur. Most intrusion detection systems can be configured to capture the network traffic associated with an alert but rarely perform integrity checking on log files or document other system details to help authenticate the data. Therefore, additional measures must be taken to preserve intrusion detection system logs as a source of digital evidence.

As noted in Chapters 10 and 11, copying a file alters some of its date-time stamps and compressing the files in a TAR or ZIP archive can retain these date-time stamps. However, these archives can become corrupted, making it difficult to extract the original files. Therefore, when collecting individual files from a system, it is advisable to note date-time stamps of files prior to collection, save a copy of the files in an archive to retain their date time stamps, and save copies of the files in uncompressed form to ensure that they are available if the archive is corrupted.

When it is not possible to obtain a bitstream copy of digital evidence, digital investigators must creatively employ the principles of preserving digital evidence and establishing chain of custody presented in Chapter 9. For instance, a log file can be preserved by noting the time of the system clock, documenting the file's location and associated metadata (e.g. size, date-time stamps), copying it to a collection disk, calculating its MD5 value, and labeling the collection disk appropriately. If the log is small enough, it can also be printed in paper form, initialed, and dated to provide another form of documentation. Additionally, it is advisable to save a second copy of the log file to a different medium and verify that both copies are readable on another system.

When dealing with network logs, preserving the entire log file rather than individual entries is preferable to only collecting relevant portions because digital investigators may later find that other portions of the log are relevant to the case.

CASE EXAMPLE

In a homicide case, digital investigators collected information from login server relating to the victim's activities but did not collect the entire log file. It was later determined that the offender may have been logged into the server at the same time, allowing them to chat in real time and arrange a meeting an hour later. By the time this was realized, archived copies of the relevant log files had been overwritten (the backup tapes had been reused) and it was not possible to determine who else was accessing the system at the time.

However, some binary log files can only be read using specialized software and just making a copy of the binary file may make analysis more costly and inconvenient. Therefore, in addition to preserving the binary log file, consider saving a copy of the contents in interpreted form. These and other considerations are discussed in more detail in Chapter 17.

A detailed record of the entire collection process should be maintained in digital or written form to help authenticate the resulting copies at a later time. This record should document who collected the evidence, from where, how, when, and why.^[3] Given the distributed nature of the Internet and the many potential sources of digital evidence, it can be very challenging to collect even the relatively static digital evidence such as Web pages and Usenet messages. In these simple situations, it may not be possible to obtain the date-time stamps of the associated files on the remote system. Therefore, it is imperative to make every possible effort to document the fact that evidence was stored on a remote computer, detailing where the original evidence was, when and how it was collected, and by whom. In more complex investigations, it becomes even more challenging to document evidence as it is collected from remote systems.

CASE EXAMPLE

An intruder was caught breaking into a computer system on an organization's network via the Internet. Before disconnecting the system from the network, digital investigators gathered evidence that clearly showed the intruder committing a crime. To achieve the equivalent of a videotape of the crime, digital investigators used a sniffer to monitor network traffic to record all IP packets of the intruder's session. Additionally, they logged into the compromised machine using a client that could keep a log of the session and gathered evidence of the intruder's presence on the system and programs that the intruder was running. In an effort to find related evidence, digital investigators searched neighboring systems (e.g. computers, firewalls, routers, intrusion detection systems) for information relating to the intruder. They found other machines compromised by the same intruder and they connected to those through a backdoor created by the intruder. Because it was not possible to access all of the compromised machines physically and there was a risk that the intruder might destroy evidence on these systems at any moment, digital investigators collected evidence from them remotely. While performing this remote collection, they again used programs that monitored their keystrokes, thus documenting the collection process.

When it is necessary to connect to a computer over a network and collect information about/from the remote system, there are several issues to be aware of, and a few ways to help document the process and demonstrate integrity and authenticity:

• Following a standard operating procedure (reduces mistakes and increases consistency across investigations).

• It is essential to retain a log of actions taken during the collection process and take print screens of important items.

• One must document which server actually contains the data that is being collected because the examiner can be forwarded from one server to a server in another country.

• Calculate the MD5/SHA1 values of all evidence prior to transferring them if possible, and after transferring them from the remote host.

• Consider digitally signing and encrypting the files and saving them to read only media.

In a number of cases, investigators gained remote access to the host that a computer intruder was using to launch attacks and then e-mailed themselves evidence gathered from the remote host. Although this approach is convenient, it complicates the chain of custody, makes it more difficult to confirm the integrity of the digital evidence, and may not work at all if the e-mail is not delivered. Therefore, when collecting evidence from a remote machine, use multiple methods to obtain two or more copies of the evidence. For instance, display the contents of text files on screen so that they are recorded by whatever logging program the examiner is using and transfer files directly from the remote host to a collection system whenever possible.

Ultimately, the measures one takes to preserve digital evidence depend on the type of evidence, the severity of the crime, and the importance of the evidence to the investigation. In some situations, it is sufficient to take print screens and make a copy of information from the Internet. In other situations, like when there are too many files to copy individually, or when the charges are especially serious such as murder, it becomes necessary to seize the entire computer that contains the materials.

For instance, in certain cases, it is possible that someone else was using the suspect's home computer. While actively monitoring the suspect's Internet activities, investigators can simultaneously serve a search warrant on the suspect's house in an effort to catch him/her red-handed. However, it is likely that the suspect's system would contain enough evidence to implicate him/her and active monitoring might only provide corroborating evidence. While such corroborating evidence is useful, active monitoring is time consuming, invasive and costly and should only be used as a last resort when additional corroborating evidence is needed to build a solid case or when this information might reveal other victims or targets.

Most network analysis tools can interpret files in tcpdump format, making it the de facto standard. Collecting network traffic also involves special considerations. If the IP address of interest is already known, it is a simple matter to capture network traffic relating only to that computer. However, when a dial-up connection is involved, it is necessary to determine which IP address has been assigned to the account of interest.^[4] Similarly, when IP addresses are assigned dynamically to hosts on a network, it may be necessary to monitor traffic from a specific MAC address. In other cases it may be necessary to monitor all traffic on a network. In any case, capturing network traffic can result in large files making it advantageous to start a new file regularly, naming each file uniquely, calculating hash values of each file, and storing files on secure media.

When capturing network traffic, it may be desirable to limit the amount and types of information that is collected. For example, digital investigators may only be authorized to monitor Web traffic. Although network capture tools can be configured to only collect Web traffic, some of these tools assume that certain ports are involved while other tools actually recognize the protocols. Such filtering is made more difficult when protocols resemble each other - some peer-to-peer protocols are based on HTTP and some instant messaging programs try to resemble Web traffic to bypass firewall rules. Therefore, collect first and filter and analyze later whenever possible, and be sure that you know what assumptions the tools are making before narrowing the collection. When it is necessary to filter, take the approach of capturing everything and only excluding what is not required rather than beginning from an exclusionary position and selectively capturing certain traffic.

^[3]These measures help authenticate the log file, but additional information about the system may be needed to determine if the log is complete and accurate. Therefore, if the log file is going to be used in court, make an effort to assess the reliability of the system that created the log file. Additionally, seek evidence from other independent sources that corroborate information in the log file.

^[4]Carnivore can determine which IP address is assigned to the account of interest by monitoring RADIUS authentications in network traffic (IITRI, 2000). Using other tools, it is also possible to monitor TACACS logs to determine which IP address is assigned to the account of interest.