The main purpose of computer forensics is the proper identification and collection of computer evidence. It is both an art and a science. Computer evidence has common characteristics and differences with regular evidence. Forensic examiners need to understand the specifics of computer evidence so that they can properly collect it for later use.
Computers can generally be involved in security violations in one of two ways. First, a computer can be used in the commission of crimes or violations of policy. Second, a computer can be the target of an attack. In the first case, one or more computers are used to perform an inappropriate action. Such actions might be illegal (for example, fraud or identity theft) or simply disallowed under an organization's security policy (for example, participating in online auctions on company time).
Regardless of whether an action is a crime, any violation of security policy is called a security incident. Actually, any intended violation of a security policy is an incident as well. A company's security policy should outline the appropriate response for each type of incident. As discussed in Chapter 2, 'Preparation-What to Do Before You Start,' most incidents that do not constitute crimes generally require only internal investigations. Internal investigations are normally carried out by an organization's incident response team (IRT). The incident response team is specially trained to identify and collect evidence of the incident. The team is also aware of what incidents are crimes and require law enforcement involvement.
In general, the incident response team deals with incidents in which the computer is the target of an attack. Criminal investigations are frequently conducted to investigate the first incident type in which a computer is used as a tool in committing a crime. In both cases, the process of computer forensics produces evidence of the activity carried out during the incident.
To properly investigate an incident and possibly take action against the perpetrator, you'll need evidence that provides proof of the identity and actions of an attacker. Computer evidence consists of files and their contents that are left behind after an incident. The existence of some files, such as pictures or executable files, can provide evidence of an incident. In other cases, the contents of files, such as log files, provide the necessary proof. Recognizing and identifying hardware, software, and data you can use is the first step in the evidence collection process.
Any computer hardware, software, or data that can be used to prove one or more of the five Ws and an H of a security incident (i.e., who, what, when, where, why, and how).
Four basic types of evidence can be used in a court of law:
Real evidence
Documentary evidence
Testimonial evidence
Demonstrative evidence
Computer evidence generally falls into the first two categories of evidence. Before you start looking for evidence, understand that most successful cases are based on several types of evidence. As you conduct an investigation, be aware of the different types of evidence you can gather. Although computer forensics tends to focus on one or two evidence types, a complete investigation should address all types of available evidence. In the following sections, we'll look more closely at each of the four types of evidence.
The type of evidence most people are familiar with is real evidence. Real evidence is anything you can carry into a courtroom and place on a table in front of a jury. In effect, real evidence speaks for itself. It includes physical objects that relate to the case. In a murder trial, the case's real evidence might include the murder weapon. In the context of computer forensics, the actual computer could be introduced as real evidence. If the suspect's fingerprints are found on the computer's keyboard, such real evidence could be offered as proof that the suspect did use the computer. Sometimes real evidence that can conclusively relate to a suspect is called hard evidence.
Any physical objects that you can bring into court. Real evidence can be touched, held, or otherwise observed directly.
Real evidence that is conclusively associated with a suspect or activity.
Other types of real evidence in a computer forensics investigation could be the hard drive from a suspect's computer or a personal digital assistant (PDA). Real evidence is the most tangible and easiest to understand type of evidence. When presenting a case to a jury, real evidence can make the case seem more concrete. You may be asked to present real evidence, even when the most compelling evidence is not physical evidence at all. Remember that not all courtroom participants are technically savvy. A physical piece of pertinent evidence can often help your case. Without real evidence, a case can sometimes be perceived as weak and circumstantial.
Never overlook potential evidence when conducting an investigation. Other types of evidence may involve or refer to real evidence. It is very common to use log file contents when arguing a case. The process of establishing the credibility and authenticity of such data is often easier when you start with the physical disk drive and/or computer from which you extracted the log file. In this example, the real evidence supports your log file data.
Assume you have been asked to investigate an e-mail spammer. Due to the nature and volume of e-mails being sent, local law enforcement has been called in to investigate and they have called you. You arrive on the scene to begin your investigation.
Before you touch anything, look around the scene and take pictures of everything. Digital pictures are inexpensive, but they can be valuable later. As you progress through the investigation, you'll want to be able to refer back to images of the way you found everything. It's not uncommon to find additional evidence in the original pictures after extracting digital evidence from a suspect's machine.
The case of Cool Beans, Hot Java versus James T. Kirkpatrick is a fictitious case we'll use to illustrate the importance of real evidence. Kirkpatrick was charged with launching spam campaigns from a public terminal in the Cool Beans, Hot Java coffee shop. The Cool Beans network administrator provided ample proof that Kirkpatrick was in the shop during the alleged spam activity. Cool Beans provided security camera images of Kirkpatrick and accompanying computer access logs showing activity consistent with spam floods. Any technical person had to agree this case was a slam dunk. However, the jury acquitted Kirkpatrick due to a lack of compelling evidence. When questioned, the jurors said that they found it difficult to convict a man based on little more than computer-printed reports and pictures showing him in the shop. They wanted more concrete evidence. Perhaps the actual computer Kirkpatrick used, or a network diagram showing how IP addresses are assigned, would have helped the jury make the jump from the virtual to the physical world.
After you take pictures of everything, start identifying all of the real evidence you think is pertinent and that you have permission to search or seize. Notice the suspect's computer. It has a scanner and a PDA cradle plugged into it. That tells you to look for the PDA and scanner source or target data. PDAs can be a valuable source of documentary evidence (which we discuss in the next section). Most people who use PDAs store a lot of personal data on them. Find the PDA and make sure it has power. When a PDA's battery runs down, the PDA loses all of its data. If you are authorized to seize the PDA, make sure you take the power supply as well.
After looking for the PDA, look for any source documents (for example, printed hard copies) the suspect might have scanned. Also look for CD/DVD-ROMs the suspect might have used to store scanned images. Next, examine the physical computer and surrounding area for other potential evidence. You should look for additional clues such as:
Handwritten notes. Even technically savvy people use notes. In fact, because handwritten notes are not stored on a computer, many people consider them to be more 'secure.'
Any peripheral device that is, or can be, connected to the computer. This could include:
All removable media, such as:
CD/DVD-ROMs (CD/DVD-Rs and CD/DVD-RWs as well)
Tapes and other magnetic media
This is not an exhaustive list. It is simply a teaser to get you thinking about real evidence. After you have all the real evidence you can collect, it's time to consider other types of evidence.
Much of the evidence you are likely to use in proving a case will be written documentation. Such evidence includes log files, database files, and incident-specific files and reports that provide information indicating what occurred. All evidence in written form, including computer-based file data, is called documentary evidence. All documentary evidence must be authenticated. Because anyone can create an arbitrary data file with desired contents, you must prove that the evidence was collected appropriately and the data it contains proves a fact.
Written evidence, such as printed reports or data in log files. Such evidence cannot stand on its own and must be authenticated.
Documentary evidence authentication can be quite complex when you're trying to convince nontechnical jurors (or judges) that the contents of a file conclusively prove an attacker performed a specific action. Opposing attorneys will likely attack the method of authenticating documentary evidence as well as the evidence itself. We have all heard of hard evidence that was thrown out of court because it was collected illegally. Computer evidence can be even more difficult to collect properly. We will cover evidence admissibility in the section titled 'Evidence Admissibility in a Court of Law' later in this chapter.
In addition to the basic rules that affect all computer evidence, you must consider an additional rule. Anytime you introduce documentary evidence, you must introduce the original document, not a copy. This rule is called the best evidence rule. The purpose of this rule is to protect evidence from tampering. If the original document is required, there is less opportunity for a modification to occur during a copy operation. Of course, you'll have to convince the judge and jury that what you bring into court is actually the original document.
best evidence rule
When a document is presented as evidence, you must introduce the original document. You cannot introduce a copy.
As you progress through an investigation, you will use utilities and tools to explore the contents of the computer and storage media. All files and file contents that support your case will be considered documentary evidence. This is where you'll find the bulk of your evidence for many investigations.
Keep in mind that most of your documentary evidence will come directly from items on the real evidence list. Some documentary evidence will be supplied by third parties, such as access logs from an Internet Service Provider (ISP), but most will come from your own investigation activities.
You'll constantly be reminded to document every step of your investigation. Always document. There will be a test. Rest assured, if you testify in court, you'll be asked to justify your investigation and the actions you took to extract evidence.
Looking for physical evidence is easy. Use your eyes and your brain. Really look at the scene and think about how any physical device or object might provide the evidence you need to prove your case, whether the evidence you find will be presented in a court of law or just appear in an incident report. After you have a handle on the physical evidence, you can start looking at the physical media's content for digital evidence. How do you look for digital evidence? You will use a collection of forensic tools to search for documentary evidence. Some of these tools are as simple as file listings or viewers, while others are developed specifically for forensic investigations. Chapter 8, 'Common Forensic Tools,' covers common forensic tools and their use in an investigation. Until Chapter 8, we'll just refer to tools designed to examine file system contents as forensic tools.
So, what are you looking for? Use forensic tools to look for any file or file contents that show what the suspect did while using the computer. This could include many types of log files and other activity files. For example, WS_FTP is a common File Transfer Protocol (FTP) client. When you use it to transfer files, the program keeps a list of activity in a file named wsftp.log. Look for instances of this file. You'll be surprised how often people leave such audit trails lying around. Here's a list of some of the steps you'll want to take while looking for documentary evidence:
Catalog all programs installed on the target system.
Harvest all audit and activity log files you can find that use default filenames. (To do this, you might have to research some web pages for each identified program.)
Examine operating system and application configuration files for noted uses of nonstandard audit and activity log filenames.
Search for any files that are created as a result of using any identified program.
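The steps above (catalog installed programs, then harvest log files that use default filenames) can be partly automated. The following script is an added example, not from the book: it walks an evidence tree looking for a table of default audit/activity log filenames and records each hit with its size and SHA-256 hash, which is a common way to support later authentication of the file (the page itself does not mention hashing). Only wsftp.log comes from the text; the second table entry, the sample directory layout and the sample log line are constructed.

```python
import hashlib
import os
import tempfile

# Default audit/activity log filenames keyed to the program that writes them.
# wsftp.log comes from the text; the second entry is a constructed placeholder.
DEFAULT_LOG_NAMES = {
    "wsftp.log": "WS_FTP (FTP client activity log)",
    "example-mailer.log": "placeholder: hypothetical mail client log",
}

def sha256_of(path, chunk=65536):
    """Hash the file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_default_logs(root, names=DEFAULT_LOG_NAMES):
    """Return one dict per matching file under root, sorted by relative path.
    Names match case-insensitively (Windows preserves but ignores case), and
    symlinks are skipped so the walk cannot leave the evidence tree."""
    wanted = {n.lower(): prog for n, prog in names.items()}
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fname in files:
            prog = wanted.get(fname.lower())
            path = os.path.join(dirpath, fname)
            if prog is None or os.path.islink(path):
                continue
            found.append({
                "path": os.path.relpath(path, root),
                "program": prog,
                "size": os.path.getsize(path),
                "sha256": sha256_of(path),   # recorded for later authentication
            })
    return sorted(found, key=lambda e: e["path"])

def build_sample_tree():
    """Constructed sample evidence tree so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Program Files", "WS_FTP"))
    log = os.path.join(root, "Program Files", "WS_FTP", "WSFTP.LOG")
    with open(log, "w") as f:   # constructed log line, not real WS_FTP output
        f.write("2004.01.15 12:03 A C:\\docs\\list.txt <-- ftp.example.invalid\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("not a log\n")
    return root

if __name__ == "__main__":
    for entry in find_default_logs(build_sample_tree()):
        print(entry)
```

In a real investigation the table would be built from the program catalog in the first step, and the script would be run against a read-only copy of the seized media, never the original.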
As with real evidence, your experience will guide you in identifying and extracting the documentary evidence you'll need. Be creative and persistent.
The testimony of a witness, either in verbal or written form, is called testimonial evidence. The most common form of testimonial evidence to the general public is through direct witness testimony in a court. The witness is first sworn in, and then he or she presents testimony that directly relates the witness's knowledge of the incident. Testimonial evidence does not include any opinion, just the direct recollection of the witness.
Evidence consisting of witness testimony, either verbal or in written form. Testimonial evidence can be presented in person by the witness in a court or through a recorded deposition.
The second common form of testimonial evidence is testimony delivered during a deposition. As with live testimony, the witness delivers testimony under oath. The testimony, as it is delivered, is recorded by a court reporter. The record of the deposition can be entered into evidence just as the testimony of a live witness in court. Each type of testimony has its advantages, but a deposition can often be taken much sooner when the events are fresher in the witness's mind.
You'll often need to use testimonial evidence to support and augment other types of evidence. For example, you may have the system administrator testify that your server keeps logs of all user accesses and has done so for the last two years. This testimony would help validate the documentary evidence of access log contents taken from the server's hard disk drive (physical evidence).
When you first looked at the e-mail spammer scene, you contacted every possible witness, right? You'll want to talk with every person who has physical access to the suspect's computer, as well as anyone who has had substantive contact with the suspect. Interviewing witnesses is a task better left to law enforcement when dealing with a criminal investigation, but you should include their testimony in your investigation. Quite often, witness testimony can give you extra information that will lead you to more documentary or physical evidence.
A witness could give you clues to the hiding place of key storage media or computer usage habits of the suspect. If you have reason to believe the suspect carried out illegal activities during lunch, you can limit the initial amount of data you must examine. Work with whoever is interviewing witnesses to have your questions presented. The answers could save you a lot of work.
Many types of computer evidence may make sense to technical people but seem completely foreign to others. In order for judges and juries to understand the finer points of your case, it is often necessary to use visual aids or other illustrations to help explain some of the more technical details of the evidence. Such evidence that helps to explain, illustrate, or re-create other evidence is called demonstrative evidence. Demonstrative evidence does not stand on its own like other types of evidence. It exists to augment other evidence.
Evidence that illustrates, helps explain, or demonstrates other evidence. Many times, demonstrative evidence consists of some type of visual aid.
Let's assume you want to use a web server's log file to show how an attacker exploited a new vulnerability. The attack resulted in crashing the server and causing substantial loss of business while the system was down. The task of explaining how web servers work can be made easier by using charts, flowcharts, and other visual aids. Demonstrative evidence is often the necessary component to successful use of other types of evidence.
Often, you'll be called on to explain highly technical concepts to nontechnical people. For example, in our e-mail spammer case, you'll have to explain how a spammer works. Although most people have heard of spam, not many understand how it originates or spreads. Further, you'll have to explain why it is difficult to catch the originator of the messages and why spam causes problems in the first place. It would be a good idea to start with the basics. Show how normal e-mail works and how a spammer can cause problems by using excessive network bandwidth. Several illustrations would likely help get the message across.
For example, you might want to start at the beginning. Building a complex technical argument from the ground up requires a little basic education. The following is an illustration you could use to show how e-mail works.
Developing the right visual aids normally comes after the bulk of other evidence has already been collected. Remember, demonstrative evidence is used to explain or demonstrate other evidence. Use it to make your point clear to the judge and jury.
Now that we have looked at the different types of evidence, let's see how we can legally obtain evidence.