9.4 Collection and Preservation

Once identified, digital evidence must be preserved in such a way that it can later be authenticated, as discussed in Chapter 7. A major aspect of preserving digital evidence is collecting it in a way that does not alter it. Imagine for a moment a questioned-death crime scene with a suicide note on the computer screen. Before considering what the computer contains, the external surfaces of the computer should be checked for fingerprints and the contents of the screen should be photographed. It would then be advisable to check the system date and time for accuracy, recording any offset from a reliable reference clock, and to save a copy of the suicide note to a sanitized, labeled floppy diskette.

CASE EXAMPLE

start example

In one homicide case, law enforcement seized the victim's computer but, instead of treating it as they would any other piece of evidence, placed the computer in an office, turned it on and operated it to see what they could find, thus altering the system and potentially destroying useful date-time stamp information and other data. Additionally, they connected to the victim's Internet account, thus altering data on the e-mail server and creating log entries that alarmed other investigators, who did not know who had accessed the victim's account after her death.

end example

In a child pornography investigation, papers, photographs, videotapes, digital cameras, and all external media should be collected. At the very least, hardware should be collected that may help determine how child pornography was obtained, created, viewed, and/or distributed. In one case, investigators found a scrapbook of newspaper articles concerning sexual assault trials and pending child pornography legislation as well as a hand-drafted directory of names, addresses and telephone numbers of children in the local area (R. v. Pecciarich). Images are often stored on removable Zip or Flip disks, and these items may be the key to proving intent and more severe crimes such as manufacture and distribution. For instance, a disk may contain files useful for decrypting the suspect's data, or it may become evident that the suspect used removable disks to swap files with local cohorts.

The severity of the crime and the category of cybercrime will largely determine how much digital evidence is collected. When dealing with computer hardware as contraband or evidence (e.g. component theft), the technical and legal issues are not complex: just collect the hardware. No sophisticated seizure process or analysis of the items will be necessary unless the hardware was used to commit a crime. When the computer is an instrumentality used to disseminate child pornography or commit online fraud, greater care is required to preserve the contents of the computer. In homicide and child pornography cases, it is often reasonable to seize everything that might contain digital evidence. However, even in a homicide or child pornography investigation, the other uses of the computers should be considered. If a business depends on a computer that was collected in its entirety when only a few files were required, the digital investigator could be required to pay compensation for the business lost.

CASE EXAMPLE (STEVE JACKSON GAMES, 1990):

start example

On March 1, 1990, US federal agents searched the premises and computers of the Steve Jackson Games company for evidence relating to a hacker group that called itself the Legion of Doom. Steve Jackson Games designed and published role-playing games based on fictional ways of breaking into computer systems. They also ran a Bulletin Board System called Illuminati to provide support and private e-mail services to their customers. In addition to seizing computers and everything that looked like it was related to a computer, the federal agents confiscated all copies of a book that was under development at Steve Jackson Games. No charges were ever brought against Steve Jackson Games or anyone else as a result of this raid, but Steve Jackson Games did suffer significant losses. After several unsuccessful attempts to recover the seized items, Steve Jackson Games decided to sue the Secret Service and the individual agents for the wrongful raid of their business. During the trial, it was determined that Secret Service personnel/delegates had read and deleted private e-mail that had not yet been delivered to its intended recipients (the Secret Service denied this until it was proven). Steve Jackson Games dropped the claims against the individual agents to speed up the trial, and the court ruled that the government had violated the Electronic Communications Privacy Act (ECPA) and the Privacy Protection Act (PPA). The court awarded Steve Jackson Games $51,040 in damages, $195,000 in attorneys' fees and $57,000 in costs.

end example

9.4.1 Collecting and Preserving Hardware

Although the focus of this chapter is on the data stored on computers, a discussion of hardware is necessary to ensure that the evidence it contains is preserved properly. When dealing with hardware as contraband, instrumentality, or evidence, it is usually necessary to collect computer equipment. Additionally, if a given piece of hardware contains a large amount of information relating to a case, it can be argued that it is necessary to collect the hardware.

There are two competing factors to consider when collecting hardware. On the one hand, to avoid leaving any evidence behind, a digital investigator might want to take every piece of equipment found. On the other hand, a digital investigator might want to take only what is essential to conserve time, effort and resources and to reduce the risk of being sued for disrupting a person's life or business more than absolutely necessary. Some computers are critical for running institutions like hospitals and taking such a computer could endanger life. Additionally, sometimes it simply is not feasible to collect hardware because of its size or quantity.

It is simply unacceptable to suggest that any item connected to the target device is automatically seizable. In an era of increased networking, this kind of approach can lead to absurd results. In a networked environment, the computer that contains the relevant evidence may be connected to hundreds of computers in a local-area network (LAN) spread throughout a floor, building, or university campus. That LAN may also be connected to a global-area network (GAN) such as the Internet. Taken to its logical extreme, the "take it because it's connected" theory means that in any given case, thousands of machines around the world can be seized because the target machine shares the Internet. (Guidelines, Department of Justice 1994)

If it is determined that some hardware should be collected but there is no compelling need to collect everything in sight, the most sensible approach is to employ the independent component doctrine. The independent component doctrine states that digital investigators should only collect hardware "for which they can articulate an independent basis for search or seizure (i.e. the component itself is contraband, an instrumentality, or evidence)" (Department of Justice 1994). Also, digital investigators should collect hardware that is necessary for the basic input and output of the computer components that are being seized. For instance, rather than collecting hard drives as independent components, it is generally prudent to collect the entire chassis that the hard drives are connected to in case it is needed to access them. BIOS translation or hard drive controller incompatibilities can prevent another system from reading regular IDE hard disks containing evidence, making it necessary to connect the hard drives to the system that originally contained them. If a computer system must remain in place but it is necessary to take the original hard drive, a reasonable compromise is to duplicate the hard drive, restoring the contents onto a similar hard drive that can be placed in the computer, and take the original into evidence.

If digital investigators decide to collect an entire computer, the collection of all of its peripheral hardware, such as printers and tape drives, should be considered. It is especially important to collect peripheral hardware related to the type of digital evidence one would expect to find in the computer. When looking for images, any nearby digital cameras, videocassette recorders, film digitization equipment, and graphics software disks and documentation should be collected. The reasoning behind seizing these peripherals is that it might have to be proved that the suspect created the evidence and did not just download it from the Internet. It can sometimes be demonstrated that a particular scanner was used to digitize a given image. Any software installation disks and documentation associated with the computer should also be collected. This makes it easier to deal with any problems that arise during the examination stage. For example, if documents created using a certain version of Microsoft Word are collected, but the installation disks are not, it might not be possible to open the documents without that version of Microsoft Word. Additionally, if the suspect owns a book describing how to use encryption software, this may be an indication that the suspect used encryption and other concealment technology.

Printouts and papers that could be associated with the computer should be collected. Printouts can contain information that has been changed or deleted from the computer. Notes and scraps of paper that could contain Internet dial-up telephone numbers, account information, e-mail addresses, etc. should be collected. Although it is often overlooked, the garbage often contains very useful evidence. A well-known forensic scientist once joked that whenever he returns home after his family has gone to bed, he does not bother waking his wife to learn what happened during the day, he just checks the garbage.

When a computer is to be moved, specially prepared floppy disks should be put in the disk drives to prevent the system from accidentally booting from the hard drive and to protect the drives during transit. Evidence tape should be put around the main components of the computer in such a way that any attempt to open the casing or use the computer will be evident. Taping the computer will not only help to preserve the chain of custody but will also warn people not to use the computer. Loose hard drives should be placed in anti-static or paper bags and sealed with evidence tape. Additionally, digital investigators should write the date and their initials on each piece of evidence and on each piece of evidence tape.

Any hardware and storage media collected must be preserved carefully. Preservation also requires a secure, anti-static environment such as a climate-controlled room with floor-to-ceiling solid construction to prevent unauthorized entry. Computers and storage media must be protected from dirt, fluids, humidity, impact, excessive heat and cold, strong magnetic fields, and static electricity. According to the US Federal Guidelines for Searching and Seizing Computers discussed in Chapter 2, safe ranges for most magnetic media are 50–90 F and 20–80% humidity. There are many anecdotes about computer experts who religiously backed up important information but then destroyed the backups by inadvertently exposing them to (or storing them in) unsuitable conditions. Leaving disks in a hot car, a damp warehouse, or near a strong magnetic field can result in complete loss of data, so care should be taken. Fortunately, there are equally many stories about recovery of digital evidence despite criminals' attempts to destroy it, so not all hope is lost when faced with damaged digital evidence.

Another difficult decision when collecting hardware is whether to turn the computer off immediately or leave it running and collect volatile data from RAM. Most law enforcement training programs recommend turning all computers off immediately in all situations. For instance, the Good Practice Guide for Computer Based Evidence, by the Association of Chief Police Officers (ACPO) in the United Kingdom, advises digital investigators to unplug the power cable from the computer rather than from the wall plate, and not to use the power switch. This precaution anticipates the possibility that a computer's power switch is rigged to set off explosives or destroy evidence. Additionally, removing power abruptly rather than shutting the system down normally may preserve evidence such as a swap file that would be cleared during the normal shutdown process.[2]

Although caution often saves lives, there are many situations in which such extremes can do damage. For example, abruptly turning off a large multi-user system attached to a network can destroy evidence, disrupt many people's lives, and even damage the computer itself. Therefore, careful attention must be given to this crucial stage of the collection process. The Good Practice Guide for Computer Based Evidence renders a strong opinion in this matter:

It is accepted that the action of switching off the computer may mean that a small amount of evidence may be unrecoverable if it has not been saved to the memory but the integrity of the evidence already present will be retained.

However, this approach is questionable when dealing with systems that have gigabytes of RAM, or when the data in volatile memory are important to the investigation. For example, if digital investigators notice a suspect at a computer typing a warning message to an accomplice, that message is stored in RAM and will be lost if the computer is unplugged. A photograph of the screen is certainly helpful, but it may also be desirable to collect the actual data. Saving data in RAM onto an external disk is a safe approach, whereas printing may overwrite evidence by creating spool files on the evidentiary system. When investigating computer intrusions, it is usually desirable to capture information related to active processes and network connections that is held only in RAM. Active network connections can also be important in traditional investigations such as homicides. Ultimately, the digital investigator must decide if there is useful evidence in volatile memory and how to obtain that information with minimal impact on the system.

start sidebar

Preview (Chapter 19): Examining RAM — It may be possible to collect the necessary information by running trusted programs from an external device and saving their output to that same device. Specialized utilities like netstat, fport, and handle can be used to display information about network connections and processes on Windows machines. If this approach is taken, every action must be documented copiously, along with the time and the MD5 value of each command's output.

end sidebar
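As an added example (not code from the book, nor from any of the utilities the sidebar names), the script below shows one way to carry out the sidebar's procedure on a live system: run each volatile-data command, save its raw output to the collection media, and log the UTC start and finish times, exit status, output size and MD5 (plus SHA-256) of every output file. The command list, the trusted-binaries directory and the output location are assumptions for illustration; on a Windows host the commands would be netstat, fport and handle run from the examiner's own media, never from the suspect's PATH.

```python
"""Collect volatile data with a documented, hashed record of every command.

Added example, not code from the book. Assumptions: `trusted_bin` points at a
directory of known-good binaries on the collection media, and `out_dir` is on
that same external media, so nothing is written to the evidentiary disk.
"""
import hashlib
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Assumed, illustrative command list for a UNIX host. On Windows the book's
# examples would be ["netstat", "-an"], ["fport"], ["handle"].
DEFAULT_COMMANDS = [
    ["date"],
    ["uname", "-a"],
    ["netstat", "-an"],
    ["ps", "-ef"],
]


def _utc_now():
    return datetime.now(timezone.utc).isoformat()


def run_and_record(cmd, out_dir, trusted_bin=None):
    """Run one command, save its raw output under out_dir, return a log record.

    MD5 is the value the book calls for; SHA-256 is recorded alongside it
    because MD5 collisions are now practical to construct.
    """
    exe = cmd[0]
    if trusted_bin:
        exe = os.path.join(trusted_bin, exe)  # never resolve via the suspect's PATH
    safe_name = "_".join(cmd).replace("/", "_").replace(" ", "_")
    out_path = os.path.join(out_dir, safe_name + ".txt")
    started = _utc_now()
    with open(out_path, "wb") as fh:
        proc = subprocess.run([exe] + cmd[1:], stdout=fh,
                              stderr=subprocess.STDOUT)
    finished = _utc_now()
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(out_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "command": " ".join([exe] + cmd[1:]),
        "started_utc": started,
        "finished_utc": finished,
        "exit_status": proc.returncode,
        "output_file": out_path,
        "output_bytes": os.path.getsize(out_path),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def collect_volatile(commands=DEFAULT_COMMANDS, out_dir=None, trusted_bin=None):
    """Run every command in order and append a JSON-lines log beside the outputs.

    A command that cannot be started is logged as a failure rather than
    aborting the run: the record of what was attempted is itself evidence.
    """
    out_dir = out_dir or tempfile.mkdtemp(prefix="volatile_")
    records = []
    with open(os.path.join(out_dir, "collection_log.jsonl"), "a") as log:
        for cmd in commands:
            try:
                rec = run_and_record(cmd, out_dir, trusted_bin)
            except OSError as exc:
                rec = {"command": " ".join(cmd), "started_utc": _utc_now(),
                       "error": str(exc)}
            records.append(rec)
            log.write(json.dumps(rec) + "\n")
    return records


if __name__ == "__main__":
    for record in collect_volatile():
        print(record)
```

The order of the list matters: the most volatile data (current time, network connections, process list) is captured first, and the log is written as each command finishes so that a crash part-way through still leaves a record of what was done and when.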

9.4.2 Collecting and Preserving Digital Evidence

When dealing with digital evidence (information as contraband, instrumentality, or evidence) the focus is on the contents of the computer as opposed to the hardware. There are two options when collecting digital evidence from a computer: just copying the information needed, or copying everything. If a quick lead is needed or only a portion of the digital evidence on the computer is of interest (e.g. a log file), it is more practical to search the computer immediately and just take the information required. However, if there is an abundance of evidence on the computer, it often makes sense to copy the entire contents and examine it carefully at leisure.

The approach of just taking what is needed has the advantage of being easier, faster, and less expensive than copying the entire contents. For instance, in some cases it may be sufficient to only collect active files and not deleted data, in which case a normal backup of the system might suffice. However, if only a few files are collected from a system, there is a risk that digital evidence will be overlooked or damaged during the collection and preservation process.

CASE EXAMPLE

start example

A group of computer intruders gained unauthorized access to an IRIX server and used it to store stolen materials, including several credit card databases stolen from e-commerce Web sites. A system administrator made copies of the stolen materials along with log files and other items left by the intruders. The system administrator combined all of the files into a large compressed archive and transferred the archive, via the network, to a system with a CD-ROM burner. Unfortunately, the compressed archive file became corrupted in transit but this was not realized until the investigators attempted to open the archive at a later date. By this time, the original files had been deleted from the IRIX system. It was possible to recover some data from the archive file but not enough to build a solid case.

end example

start sidebar

Preview (Chapter 19): Computer intruders have developed collections of programs, commonly called rootkits, to replace key system components and hide the fact that a computer has been broken into. Until recently, rootkits were only developed for UNIX systems but are now being developed for Windows NT. Using trusted copies of system commands can circumvent most rootkits, but additional precautions are required when dealing with more sophisticated computer criminals.

end sidebar

There is also a risk that the system has been modified to conceal or destroy evidence (e.g. using a rootkit) and valuable evidence might be missed. For instance, if digital investigators need log files from a computer, there may be additional deleted logs in unallocated space that could be useful. When collecting only a few files from a system, it is still necessary to document the collection process thoroughly and chronicle the files in their original state. For instance, obtain a full listing of all files on the disk with associated characteristics such as full path names, date-time stamps, sizes, and MD5 values.
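The full listing described above, as an added example that is not the book's code: walk a mounted volume, record each file's full path, size and date-time stamps, then its MD5 and SHA-256, and write a manifest whose own hash is recorded. It assumes the volume is mounted read-only (or sits behind a write blocker), since reading a file on a normally mounted volume updates its access time; the stamps are captured before the file is hashed for that reason.

```python
"""Inventory every file on a volume before collecting a subset of them.

Added example, not code from the book. Assumes the evidence volume is
mounted read-only and that the manifest is written to separate media.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _ts(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat()


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def inventory(root):
    """Return one record per directory entry under root, sorted by path.

    os.lstat is used so a symbolic link is recorded as itself rather than
    followed: a link pointing off the volume must not pull in foreign data
    or loop. Stamps are read before hashing. Unreadable files stay in the
    list with an error, because a file the examiner could not read is still
    part of the record of the disk's state.
    """
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rec = {
                "path": os.path.abspath(path),
                "size": st.st_size,
                "mtime_utc": _ts(st.st_mtime),
                "atime_utc": _ts(st.st_atime),
                "ctime_utc": _ts(st.st_ctime),
            }
            if os.path.islink(path):
                rec["link_target"] = os.readlink(path)
            else:
                try:
                    rec["md5"], rec["sha256"] = hash_file(path)
                except OSError as exc:
                    rec["error"] = str(exc)
            records.append(rec)
    records.sort(key=lambda r: r["path"])
    return records


def write_manifest(records, manifest_path):
    """Write the records as TSV and return the MD5 of the manifest itself."""
    fields = ["path", "size", "mtime_utc", "atime_utc", "ctime_utc",
              "md5", "sha256", "link_target", "error"]
    with open(manifest_path, "w", encoding="utf-8") as fh:
        fh.write("\t".join(fields) + "\n")
        for rec in records:
            fh.write("\t".join(str(rec.get(f, "")) for f in fields) + "\n")
    return hash_file(manifest_path)[0]


def demo():
    """Constructed sample tree (not real evidence) inventoried end to end."""
    root = tempfile.mkdtemp(prefix="evidence_")
    out = tempfile.mkdtemp(prefix="collection_")   # manifest goes off-volume
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "logs", "access.log"), "wb") as fh:
        fh.write(b"hello\n")                         # constructed content
    with open(os.path.join(root, "note.txt"), "wb") as fh:
        fh.write(b"")                                # constructed empty file
    records = inventory(root)
    manifest_md5 = write_manifest(records, os.path.join(out, "manifest.tsv"))
    return records, manifest_md5


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

The manifest's own hash is what gets written into the notes: it ties the listing to the moment of collection, and any later question about whether a file was added, removed or altered can be answered by re-running the inventory and diffing the two manifests.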

Given the risks of only collecting a few files, in most cases it is advisable to acquire the full contents of the disk, because digital investigators rarely know exactly what the disk contains. Before copying data from a disk, it is advisable to calculate the MD5 value of the original disk; this hash value can be compared with the copies to demonstrate that they are identical. MD5 is the algorithm the acquisition tools of this period compute; because practical MD5 collisions have since been demonstrated, recording a second hash such as SHA-256 alongside it costs little and forecloses that line of attack on the evidence. When collecting the entire contents of a computer, a bitstream copy of the digital evidence is usually desirable (a.k.a. forensic image, exact duplicate copy).

A bitstream copy duplicates every sector of the disk, including file slack, unallocated clusters and areas outside the file system's reach, whereas a regular file copy only duplicates the file's contents and leaves the slack space behind (Figure 9.3). Therefore, digital evidence will be lost if a bitstream copy is not made. Of course, this is only a concern if slack space contains important information. If a file contains evidence and the adjacent slack space is not required, a simple file copy will suffice.

Figure 9.3: Comparing bitstream copying to regular copying.

The majority of tools can interpret bitstream copies created using EnCase and UNIX dd, making them the de facto standards. Safeback is another common file format that is used mainly in law enforcement agencies. EnCase and Safeback embed additional information in their files to provide integrity checks. There is one empirical law of digital evidence collection that should always be remembered:

Empirical Law of Digital Evidence Collection and Preservation: If you only make one copy of digital evidence, that evidence will be damaged or completely lost.

Therefore, always make at least two copies of digital evidence and check to make certain that at least one of the copies was successful and can be accessed on another computer. Because evidence acquisition tools have had problems that cause them not to copy some data under certain circumstances, it is advisable to make bitstream copies of a disk with two or more tools. For instance, one copy of a hard drive might be made using dd and a second using EnCase. Also, it is imperative that digital evidence is saved onto completely clean disks. If digital evidence is copied onto a disk that already has data on it, that old data could remain in the slack space, commingling with and polluting the evidence. Therefore, it is good practice to sanitize any disk before using it to collect evidence. To sanitize a disk, use a wipe program to write a specific pattern to the drive (e.g. all zero bytes) and verify that this pattern was written to every sector of the drive. Also document the drive's serial number and the date of sanitization. In addition to preventing transfer of digital evidence between cases, sanitizing collection media shows professionalism.[3]
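An added example (not the book's code, and not a substitute for dd or EnCase) of imaging with the checks this passage and the empirical law call for: the source is hashed as it is read, each copy is re-read from disk and verified against that hash, at least two copies are required, and a collection disk can be checked sector by sector for the wipe pattern before use. Unreadable sectors are zero-filled and their offsets logged, the way `dd conv=noerror,sync` behaves, so a bad block cannot silently shorten the image. The `source` is assumed to be a raw device node or image file opened read-only behind a write blocker; the sample data in `demo()` is constructed.

```python
"""Bitstream imaging with verification, two copies and a sanitization check.

Added example, not the book's code. Assumptions: `source` is a raw device
node or image file opened read-only (ideally behind a hardware write
blocker); every destination is on a disk that has already been sanitized.
"""
import hashlib
import os
import tempfile

SECTOR = 512


def image_device(source, dest, chunk=1 << 20):
    """Copy source to dest; return (bytes_copied, md5, sha256, bad_sector_offsets).

    Hashes are computed over the bytes as they come off the source, so they
    describe the original at acquisition time, not merely the finished copy.
    """
    md5, sha256, bad, total = hashlib.md5(), hashlib.sha256(), [], 0
    with open(source, "rb", buffering=0) as src, open(dest, "wb") as dst:
        size = src.seek(0, os.SEEK_END)
        while total < size:
            src.seek(total)
            want = min(chunk, size - total)
            try:
                data = src.read(want)
            except OSError:
                # Fall back to one sector at a time; zero-fill what still fails
                # so later offsets in the image stay aligned with the original.
                data = b""
                for off in range(total, total + want, SECTOR):
                    src.seek(off)
                    n = min(SECTOR, size - off)
                    try:
                        piece = src.read(n)
                    except OSError:
                        piece = b"\x00" * n
                        bad.append(off)
                    data += piece
            if not data:
                break
            dst.write(data)
            md5.update(data)
            sha256.update(data)
            total += len(data)
    return total, md5.hexdigest(), sha256.hexdigest(), bad


def hash_file(path):
    """Independent re-read of a finished copy: (md5, sha256) of what is on disk."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def first_unsanitized_offset(path, pattern_byte=0):
    """Offset of the first byte that is not the wipe pattern, or None if clean."""
    offset = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            if block.count(pattern_byte) != len(block):
                return offset + next(i for i, b in enumerate(block) if b != pattern_byte)
            offset += len(block)
    return None


def acquire(source, dests):
    """Image source to each dest, verify every copy by re-reading it, compare copies."""
    if len(dests) < 2:
        raise ValueError("make at least two copies of digital evidence")
    copies = []
    for dest in dests:
        nbytes, md5, sha256, bad = image_device(source, dest)
        disk_md5, disk_sha256 = hash_file(dest)
        copies.append({"dest": dest, "bytes": nbytes, "bad_sectors": bad,
                       "md5": md5, "sha256": sha256,
                       "verified": (md5, sha256) == (disk_md5, disk_sha256)})
    distinct = {(c["md5"], c["sha256"]) for c in copies}
    return {"source": source, "copies": copies,
            "consistent": all(c["verified"] for c in copies) and len(distinct) == 1}


def demo():
    """Constructed sample: a three-sector 'disk' imaged twice, plus two wipe checks."""
    work = tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(work, "suspect_disk.img")
    with open(source, "wb") as fh:                   # constructed content
        fh.write(b"suicide note\n" + b"\x00" * (SECTOR * 3 - 13))
    wiped = os.path.join(work, "wiped.img")          # properly sanitized media
    with open(wiped, "wb") as fh:
        fh.write(b"\x00" * (SECTOR * 4))
    reused = os.path.join(work, "reused.img")        # one stray byte at offset 600
    with open(reused, "wb") as fh:
        fh.write(b"\x00" * 600 + b"A" + b"\x00" * 100)
    report = acquire(source, [os.path.join(work, "copy1.dd"),
                              os.path.join(work, "copy2.dd")])
    report["wiped_first_bad"] = first_unsanitized_offset(wiped)
    report["reused_first_bad"] = first_unsanitized_offset(reused)
    return report


if __name__ == "__main__":
    print(demo())
```

Two copies made by the same program still share that program's blind spots, which is why the text recommends a second tool as well; what this example adds is the check that each copy, re-read from its own media, hashes to what was read from the original, and that the two copies agree with each other before the original leaves the scene.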

As a rule, computers used to store and analyze digital evidence should not be connected to the public Internet. There is a risk that individuals on the Internet will gain unauthorized access to evidence.

Whether all available digital evidence or just a portion is collected, the task is to get the evidence from the computer with the least amount of alteration. One approach is to bypass the operating system on the computer that contains evidence using a specially prepared boot disk and make a bitstream copy of the hard drive as described in Chapters 10 and 11.

In certain situations, it may not be possible or desirable to boot the suspect's computer from a floppy disk. The next best alternative is to remove the hard drive(s) from the suspect computer and move them to an evidence collection system for processing.[4] Although removing a disk from a computer and placing it in an evidence collection system requires more knowledge of computers than booting from a trusted diskette, it has several advantages. First, it might be difficult or impossible to boot the system from an evidence acquisition boot disk (e.g. no floppy/CD drive, BIOS password set). Second, the evidence collection software that is generally available requires a DOS boot disk - this will not work with Apple or Sun systems. Third, it is easier to develop an evidence collection procedure that involves a known evidence collection system than many unknown systems.

start sidebar

Preview (Chapters 10 and 11): An Evidence Acquisition Boot Disk enables examiners to determine which computers contain evidence by booting the system, previewing it, and searching for keywords. It is also possible to use this method to collect evidence via cables (parallel and network).

end sidebar

There are several ways to make a bitstream copy of a hard drive. Hardware duplication devices such as those made by Intelligent Computer Solutions[5] and Logicube[6] are useful for copying data from one IDE or SCSI drive to another. This is useful for preserving the original drive by minimizing the number of times it is copied. However, it is still necessary to examine the evidence on the drive by connecting it to an examination system with hardware and software optimized to support the forensic process (e.g. manual BIOS configuration, drive bays). Additionally, adapters are required to accommodate the many different kinds of storage devices. Even within the SCSI family, there are different types of interfaces. In one case, a Sun Sparc 5 system contained evidence on two hard drives with 80-pin Single Connector Attachment (SCA 80) SCSI interfaces. An adapter was obtained from Blackbox[7] that enabled the SCA 80 drives to be plugged into a generic 50-pin SCSI card and power cable. Adapter cables for connecting both SCSI and IDE laptop hard drives to a standard computer are also available.

Remember that it is often possible to ask the system owner or administrator for assistance. If data is protected or encrypted, a system owner or administrator might be able to help gain access to it. It is usually safe to allow a system administrator to operate a computer while assisting the digital investigator. However, a suspect must never be allowed to operate a computer. Instead, the suspect should be asked to provide the information required.

The advantages and disadvantages of the three collection options are summarized in Table 9.2.

Table 9.2: Advantages and disadvantages of the three collection options described in Section 9.4.2.

Collection method: Collect hardware

  Relevant cybercrime categories:
  • Hardware as fruits of crime
  • Hardware as instrumentality
  • Hardware as evidence
  • Hardware contains a large amount of digital evidence

  Advantages:
  • Requires little technical expertise
  • The method is relatively simple and less open to criticism
  • Hardware can be examined later in a controlled environment
  • Hardware is available for others to examine at a later date (opponents, other examiners, using new techniques)

  Disadvantages:
  • Risk damaging the equipment in transit
  • Risk not being able to boot (BIOS password)
  • Risk not being able to access all evidence on drive (e.g. encrypted file system)
  • Risk destroying evidence (contents of RAM)
  • Risk liability for unnecessary disruption of business
  • Develop a bad reputation for heavy-handedness

Collection method: Collect all digital evidence, leave hardware

  Relevant cybercrime categories:
  • Information as fruits of crime
  • Information as instrumentality
  • Information as evidence

  Advantages:
  • Digital evidence can be examined later in a controlled environment
  • Working with a copy prevents damage to original evidence
  • Minimizes the risk of damaging hardware and disrupting business

  Disadvantages:
  • Requires equipment and technical expertise
  • Risk not being able to boot (BIOS password)
  • Risk not being able to access all evidence on drive (e.g. encrypted file system)
  • Risk missing evidence (Protected Area)
  • Risk destroying evidence (contents of RAM)
  • Time consuming
  • Methods are more open to criticism than collecting hardware because more can go wrong

Collection method: Only collect the digital evidence that you need

  Relevant cybercrime categories:
  • Information as fruits of crime
  • Information as instrumentality
  • Information as evidence

  Advantages:
  • Allows for a range of expertise
  • Can ask for help from system admin/owner
  • Quick and inexpensive
  • Avoids risks and liabilities of collecting hardware

  Disadvantages:
  • Can miss or destroy evidence (e.g. rootkit)
  • Methods are most open to criticism because more can go wrong than when collecting all of the evidence

[2]The guide does not mention the need to remove the computer's casing to examine the internals of the computer. A computer's casing should be removed to unplug power cables from hard drives, seat all cards properly, ensure that the computer does not contain explosives, and note any anomalies inside the computer like an extra disconnected hard drive.

[3]If evidence from multiple sources is being stored on a single collection drive, create a unique directory structure for each source to avoid overwriting files collected previously by oneself or others.

[4]Handle hard drives with great care. Touching parts of the drive with fingertips that have static electricity buildup can damage the drive. Roughly removing or inserting the data cable can break pins. Although such damage may be repairable, the cost and time required to repair the drive may be prohibitive.

[5]http://www.ics-iq.com

[6]http://www.logicube.com

[7]http://www.blackbox.com


Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279