Your initial task in an investigation is to identify the evidence you need for your case. Remember, without evidence you don't really have much more than an opinion. Every case is different, so you will likely need different types of evidence for each case. Knowing what evidence you will need is an integral part of a successful investigation. The rule of thumb is to take everything. Unfortunately, there are substantial legal and logistical issues involved with this approach. More realistically, you should take anything and everything that could be remotely related to your case. Religiously adhere to the chain of custody guidelines and label everything as it is removed, recording who removed each item, from where, and when.
You should treat every computer forensics investigation as if the case you build will end up in court. The case in question does not need to involve criminal activity to warrant such care. You may be surprised how even simple investigations can end up as prime evidence for lawsuits in the future. Don't take chances. Protect your organization's assets by providing evidence that can be admitted into a court of law, if needed.
The facts surrounding the target of the investigation will determine the methods you employ. An investigation into how a server was used in a distributed denial of service (DDoS) attack is different from gathering evidence of illegal images on a laptop. Always understand the purpose of your investigation before you start.
distributed denial of service (DDoS) attack
An attack that uses one or more systems to flood another system with so much traffic that the targeted system is unable to respond to legitimate requests.
Suppose you were called to investigate possible stolen credit cards. The law enforcement officers who are working on this case expect to find incriminating evidence on the suspect's home computer. They have interviewed some of the suspect's coworkers and have found that he talked about a 'database of valuable information at home.' When you arrive at the suspect's home, where should you start? What type of evidence should you look for? Try to answer these questions by looking at some common guidelines of investigations.
When you enter a crime scene, carefully look around. Always document the scene by taking photographs, drawing sketches, and writing descriptions of what you see. The notes you take and the photographs or drawings together form the initial site survey. As you progress in your investigation, you may find that looking back at the site survey gives you more context clues that show where to look next.
site survey
Notes, photographs, drawings, and any other documentation that describes the state and condition of a scene.
Don't get too caught up in finding specific evidence. Rather, treat an investigation like a large puzzle. Avoid fixating on the picture (on the puzzle's box); instead, look at the shapes and how the pieces fit together. When you focus on the end product too much, you can miss important evidence that may lead you in a different direction. Try to avoid looking only for evidence you expect to exist. Be on the lookout for any evidence that would be of interest to your case.
You would expect that the primary focus of a computer forensics investigation is computer hardware; however, that's not always true. Often, much more evidence than just physical hardware can be found. Although not the only type of evidence, hardware is a crucial type of evidence you must consider.
Take a look around your own office. How many types of computer hardware do you see? Chapter 2, 'Preparation,' covered different types of hardware and encouraged you to know what you use in your organization. You probably use several different types of hardware on a daily basis. Physical hardware is a great place to get fingerprints. If part of your case depends on proving that a certain person used specific hardware, fingerprints may provide the evidence you need. Think about the hardware you tend to touch on a routine basis:
Personal digital assistant (PDA) cradle (especially the Hotsync button)
Keyboard-video-monitor (KVM) switches (if your office has more computers than monitors)
Media storage units (CD/DVDs, tape, floppy cases, and drawers)
And the list goes on. Your investigation may not require you to establish that a user touched specific hardware, but be prepared to do so when necessary. Beyond the appeal of fingerprints, physical hardware is important because it holds the more common target of an investigation: data. Because all data resides on some type of hardware, you need access to the hardware to get at the data. Ensure that you have the proper authority to either seize or search the hardware before you continue.
Pay attention to all clues that hardware provides. If you find an expensive, high-speed scanner attached to a suspect's computer, you should probably find a repository of scanned documents on the computer or server. If you are investigating possible confidential information disclosure and you do not find many scanned documents on the computer in question, find out where the documents are. Few people invest in an expensive scanner unless they plan to use it. Look in not-so-obvious places for the scanned documents.
After you have the proper authorization, you will need to start cataloging the physical evidence. Different people choose different starting points. Some examiners start with the most prominent computer, normally the one in the center of the workspace. Others choose a point of reference, such as the entry door, as a starting point. Regardless of where you start, you should move through the scene carefully and document your actions as you proceed. Start where you are most comfortable. The goal is to consider all physical evidence. Choosing a starting point and moving through the scene in a methodical manner makes it less likely that you will miss important evidence.
Follow all communications links. If a computer you are examining is connected to a network, follow the cable or scan for the wireless access point (WAP). Know how this computer is connected to other computers. Your investigation might need to expand to other computers connected to the investigation target. Be careful to avoid unnecessarily expanding the scope of your investigation, though. You might not need to examine all of the computers to which the target is connected, but you do need to know about any network connections.
wireless access point (WAP)
Network device that contains a radio transmitter/receiver and that is connected to another network. A WAP provides wireless devices access to a regular wired network.
The crown jewel of most computer investigations is the hard disk drive. By and large, most evidence lives on a hard drive somewhere. Issues surrounding hard disk drives will be discussed later in this chapter. Remember that the hard disk drive is only one type of hardware. Take the time to consider all types of hardware as you identify evidence for later analysis.
Let's apply our discussion to the real world. Suppose you arrive at the home of the suspected credit card thief. The local law enforcement officers have executed a search warrant and have asked you to help in the investigation. You cannot seize anything, but you can search the computer and associated hardware. You take pictures and start looking around. You notice the normal hardware that surrounds computers, but there is one little black block that catches your eye. Closer inspection reveals a small credit card swipe device with a Universal Serial Bus (USB) cable. You know this could be the device used to read stolen credit cards. Great! Juries love things they can touch and see. Now you need to find where the stolen numbers are stored.
Removable storage is commonly used for several purposes. You'll find files of all kinds lying around if you look. Refer to Chapter 2, 'Preparation-What to Do Before You Start,' for more detailed information about different types of hardware. Removable media are also common repositories for evidence. Take the time to carefully inspect all removable media you find for possible value to your investigation. Think about how most people use removable media. It generally serves the following purposes:
Data archival/backups
Computer forensics examiners are sometimes called upon to locate missing individuals. One day I was contacted by the Chief Executive Officer of an Internet startup company and asked if I could come to his office to discuss a matter of some importance. Because his office was located only a few miles from my lab, I told him I would be there within the hour.
As soon as I arrived, the CEO greeted me, took me into his office, and closed the door. (This is always the sign that I am about to hear a really good story.) The CEO explained that the Vice President of Sales for the company had not reported to work in over a week. This was, to say the least, highly unusual. The CEO had contacted everyone he could think of, but he had been unable to locate the VP. He had even driven to the VP's apartment and had the landlord check to see if everything was okay at the apartment. When the landlord went inside, he located nothing, and I mean nothing. The entire apartment was empty. No clothing, no furniture, and of course no VP.
The CEO asked me to examine the VP's desktop computer to see if I could locate any information as to where the VP might have gone and why he might have left. At this point, I asked the CEO if he had contacted the police yet. He said he had, but because there was no evidence of foul play, they only took a report and 'would get back to him.' The VP was not married and had no family, so there was really no one else looking for the VP besides the CEO. He went on to explain the VP had handled all of the sales, marketing, and collections for the company and really handled a large portion of running the business. Now without him, the company was suffering.
The CEO escorted me to the VP's office and unlocked the door. I located the VP's desktop computer sitting on the desk and noted that it was powered off. I removed the hard drive from the computer so that I could take it back to my lab. Following normal procedures, I completed a chain of custody form and gave a receipt for the hard drive to the CEO. I let him know I would get back with him as soon as possible and inform him of what I found.
After creating a forensically sound image of the hard drive, I imported the image into a commercial forensics utility, the Forensics Toolkit from AccessData, and began looking for clues as to what the VP had been doing prior to his disappearance. I located many graphics images of tropical beaches and real estate properties in Grand Cayman. I also located evidence that the VP had visited many Internet sites researching the banking privacy laws in the Cayman Islands, in the days just prior to his disappearance. Of course, I was beginning to suspect that the VP might have traveled to the Cayman Islands. I located a copy of an online airline reservation for a one-way flight to the Island just over a week ago along with a hotel reservation for a two-week stay.
I had located the VP. Well, that was the good news. Now it was time to find out what the VP had been up to just prior to his departure and maybe figure out why he left. I reviewed a number of e-mail messages the VP had sent to and received from several of the company's clients. The messages referenced that the client should send their payments for services rendered by the company to the company's new address and to please make the checks out to 'Service Tech.' He explained that this was the new division within the company that would be handling their accounts. I found that 18 different customers had received similar e-mails and responded to the VP acknowledging the change. I compiled my findings and made an appointment to speak with the CEO immediately.
Before I informed the CEO of my findings, I had to ask him a few questions. I let him know I thought I knew exactly where the VP was and why he left so quickly. I told him about the e-mail messages and asked him about the 'Service Tech' division and the address change for billing. As I had thought, the CEO had no idea what I was talking about. There was no 'Service Tech' and the billing address had been the same since the company was founded.
At that point I informed the CEO that it would be best if we contacted the police again, and he did so. The investigation ultimately found that the VP had opened a bank account in Grand Cayman in the name of 'Service Tech' and deposited over $900,000 in checks from the company's customers. Law enforcement agents were able to locate the now ex-VP based on the information provided by my investigation, and most of the money was eventually returned to the company.
This definitely isn't an example of a 'normal day at the office,' but it shows that the work we do can oftentimes be very exciting and worthwhile.
The first two uses of removable storage are of most interest to us. Although you may not be successful in finding the evidence you need on a hard disk drive, always look for backups or other secondary copies. Be especially persistent when looking for historical evidence. Removable storage devices come in many shapes and sizes. In years past, the only types of removable storage devices available to most users were floppy disks and magnetic tapes. Those days are long gone. You need to be on the lookout for many places to store evidence, including:
CDs and DVDs
USB drives and storage devices
Flash memory cards
Generally, you will find two types of files on removable media: intentionally archived and transient. Intentionally archived files are copied to removable media to keep as extra copies, or they are copied prior to deleting the originals. If you find a system that looks like it has been cleansed of any suspicious files, start looking for backup copies. In fact, the presence of software that cleanses systems, such as Evidence Eliminator or Window Washer, generally means the user may be hiding something. It is a good bet that some evidence was copied to removable media before the last cleansing cycle.
Many organizations that process large volumes of data clear their log files frequently. For example, many ISPs do not keep activity logs longer than 30 days. You may find that the ISP archives old log files, but it may not. Don't depend on archived data. Removable storage is only one part of evidence collection.
The other type of file you tend to find on removable media is transient. Transient files are files, or file remnants, that have been temporarily copied onto removable media. Such media is often used to transport data from one computer to another. Although files are commonly deleted from the removable media after they have served their purpose, you might find lingering files. In any case, you will probably find files you can at least partially recover. Few people take the time to securely cleanse removable media, and deleting a file normally removes only its directory entry, leaving the data in place until it is overwritten.
Removable media analysis is painstakingly slow. Most offices have a lot of CDs and floppies lying around, and the devices used to read them are typically far slower than most hard drives. Take your time and look at what is on each disk, tape, and device. Your persistence might pay off by producing evidence that cannot be found anywhere else.
The rule of thumb with respect to removable media is to take all that you can legally find and seize. Subsequent analysis will be slow, but it can yield evidence you will not find anywhere else.
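Recovering deleted files from removable media usually means carving: ignoring the file system and scanning the raw bytes for file signatures. The following Python script is an added example, not code from this book. It carves JPEG files out of a constructed image of a "USB stick" that holds two intact photos and one that was deleted and partially overwritten; the partial one comes back truncated, which is exactly the "at least partially recover" case described above. The image contents, offsets and filenames are invented for the example.

```python
"""Carve JPEG files out of a raw image of removable media (added example, not
from the book). A carver ignores the file system and looks for file
signatures in the raw bytes, so it recovers deleted files whose directory
entries are gone as long as the data has not been overwritten. Partially
overwritten files come back truncated. The image is constructed in memory."""
from dataclasses import dataclass

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker that opens every JPEG
JPEG_EOI = b"\xff\xd9"      # end-of-image marker that closes it
MAX_JPEG = 8 * 1024 * 1024  # stop looking for an EOI after 8 MiB


@dataclass
class Carved:
    offset: int     # byte offset in the image where the file started
    data: bytes     # carved bytes (may include junk if the file was truncated)
    complete: bool  # True when a matching EOI was found


def carve_jpegs(data):
    """Return every JPEG-looking run in data, in offset order.

    A candidate is complete when an EOI follows its SOI before any other SOI.
    If another SOI shows up first, the file was cut off (overwritten) and is
    carved up to that SOI as a partial. Caveat for real use: EXIF thumbnails
    embed a second SOI/EOI pair inside a JPEG; a production carver parses the
    marker segments instead of relying on this simple rule."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        next_soi = data.find(JPEG_SOI, start + len(JPEG_SOI))
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_JPEG)
        if end == -1 or (next_soi != -1 and next_soi < end):
            stop = next_soi if next_soi != -1 else len(data)
            stop = min(stop, start + MAX_JPEG)
            found.append(Carved(start, data[start:stop], False))
        else:
            stop = end + len(JPEG_EOI)
            found.append(Carved(start, data[start:stop], True))
        pos = stop
    return found


def make_jpeg(payload_len, tag):
    """Constructed JPEG-like blob: SOI, an APP0 header, filler with no 0xFF
    bytes (so no false EOI), then EOI. Not a decodable picture."""
    alphabet = bytes(b for b in range(256) if b != 0xFF)
    filler = (alphabet * (payload_len // len(alphabet) + 1))[:payload_len]
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes([tag]) + filler + JPEG_EOI


def build_sample_image():
    """Constructed 64 KiB 'USB stick' image. Returns (image, offsets), where
    offsets records where each file was placed so results can be checked."""
    img = bytearray(64 * 1024)  # zeroed: boot sector, FAT, and free space
    offsets = {"photo_a": 0x1000, "photo_b": 0x2000, "photo_c": 0x3000}
    a = make_jpeg(3000, 1)
    img[0x1000:0x1000 + len(a)] = a
    # photo_b was deleted and then partially overwritten by a text file:
    # only its first 600 bytes survive, followed by the newer file's data
    b_head = make_jpeg(1000, 2)[:600]
    img[0x2000:0x2000 + len(b_head)] = b_head
    note = b"customer list v2 - numbers moved to cards_2005.xls\r\n" * 8
    img[0x2000 + 600:0x2000 + 600 + len(note)] = note
    c = make_jpeg(5000, 3)
    img[0x3000:0x3000 + len(c)] = c
    return bytes(img), offsets


if __name__ == "__main__":
    image, _ = build_sample_image()
    for item in carve_jpegs(image):
        state = "complete" if item.complete else "partial"
        print(f"offset {item.offset:#x}: {len(item.data)} bytes, {state}")
```

The partial file is carved up to the next signature, so it carries the overwriting text with it; a reviewer sees from the `complete` flag that only the head of that photo is trustworthy. The same approach works for any format with a recognizable header (PDF, ZIP, Office documents); only the signatures change.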
The last type of common evidence is hard-copy documents. A hard-copy document is anything written that you can touch and hold. Evidence that consists of documents is called documentary evidence. Although this discussion is concerned with written evidence, recall from Chapter 3, 'Computer Evidence,' that data stored in computer files is also classified as documentary evidence. Printed reports, handwritten notes, cocktail napkins with drawings, and white boards are all examples of documentary evidence.
The most important characteristic of documentary evidence is that it cannot stand on its own. It must be authenticated. When you find suspicious files on a hard drive (or removable media), you must prove that they are authentic. You must prove that the evidence came from the suspect's computer and has not been altered since it was collected. In practice that means hashing the evidence at the time of collection, recording the hash in the chain of custody, and re-hashing before analysis and testimony. Refer to Chapter 3 for a discussion of evidence handling.
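Proving that evidence "has not been altered since it was collected" and the chain-of-custody labeling called for at the start of this section come down to the same mechanism: hash at acquisition, log who handled the item, and re-hash later. The Python script below is an added example, not code from this book. It images a constructed stand-in for a seized device, checks that the source and image hashes match, appends entries to a chain-of-custody log, and shows verification failing after a single byte of the image is changed. The item number, handler names, and file contents are invented; a real acquisition reads the physical drive through a hardware write blocker.

```python
"""Acquire an image of an evidence item, hash it, and keep a chain-of-custody log.

Added example, not from the book. The 'device' is a constructed file; a real
acquisition reads the physical drive through a hardware write blocker. The
hash taken at acquisition is what later proves the image is unaltered.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so a large image never sits in memory


def sha256_file(path):
    """SHA-256 hex digest of a file, computed in a streaming fashion."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Byte-for-byte copy of source to image. Returns (source_hash, image_hash);
    the two must be equal or the acquisition is not forensically sound."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return sha256_file(source), sha256_file(image)


class CustodyLog:
    """Append-only JSON-lines chain-of-custody record for one evidence item."""

    def __init__(self, log_path, item_id, description):
        self.log_path, self.item_id, self.description = log_path, item_id, description

    def record(self, action, actor, sha256, note=""):
        entry = {"item": self.item_id, "description": self.description,
                 "action": action, "actor": actor, "sha256": sha256,
                 "time": datetime.now(timezone.utc).isoformat(), "note": note}
        with open(self.log_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.log_path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def verify_image(image, log):
    """Re-hash the image and compare with the hash recorded at acquisition.
    True means unaltered; False means the evidence can no longer be authenticated."""
    return sha256_file(image) == log.entries()[0]["sha256"]


def demo(workdir=None):
    """Acquire, log, verify, then simulate tampering and verify again."""
    if workdir is None:
        tmp = tempfile.mkdtemp()
        try:
            return demo(tmp)
        finally:
            shutil.rmtree(tmp)

    source = os.path.join(workdir, "suspect_usb.raw")  # constructed stand-in for the device
    image = os.path.join(workdir, "ITEM-007.dd")
    log = CustodyLog(os.path.join(workdir, "ITEM-007.coc.jsonl"), "ITEM-007",
                     "USB stick, black, found in top desk drawer")  # hypothetical item
    with open(source, "wb") as f:  # constructed contents
        f.write(b"CARDDB\x00" + b"4111111111111111;12/29\n" * 200 + os.urandom(4096))

    src_hash, img_hash = acquire_image(source, image)
    log.record("acquired", "examiner", img_hash, "imaged behind write blocker")
    log.record("transferred", "evidence custodian", img_hash, "sealed in bag A-113")
    intact_before = verify_image(image, log)

    with open(image, "r+b") as f:  # someone edits the image without a write blocker
        f.write(b"X")
    intact_after = verify_image(image, log)

    return {"hashes_match": src_hash == img_hash, "intact_before": intact_before,
            "intact_after": intact_after, "log_entries": len(log.entries())}


if __name__ == "__main__":
    print(demo())
```

The log is append-only on purpose: a custody record that can be rewritten proves nothing. In a real case the acquisition hash also goes on the evidence bag label and the receipt handed to the owner, so that three independent copies have to agree.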
Take pictures of all white boards and other writings. Carefully examine the crime scene for any documents that might be admissible as evidence. Look around the computer for sticky notes. It is amazing how many people keep passwords on sticky notes attached to the side of their monitors. Also look around, behind, on top of, and under all hardware components. Another common place to hide notes is in, or under, desk drawers.
Back at the credit card investigation scene, you notice a white board on the wall during your site survey. It looks like it has been used a lot but it has been wiped clean. Fortunately for you, no one took the time to use cleaning fluid to clean the board. If you look closely, you can still read some of what was written and then erased. It looks like a list of filenames. You write them down for later use.
Most people keep some notes handy to jog their memories. Sit down at the subject's desk and carefully look around. Every scrap of paper could potentially be evidence. Look for any written notes that contain either information directly related to the investigation or information that gives you some insight into the subject's activities. You could be looking for any of these pieces of written information:
Encryption key or pass code
Uniform Resource Locator (URL)
This list is just a sampling of information that could assist your investigation. Anything that helps point you toward or helps you access evidence is valuable information. Most people have to write some things down to remember them. Look for those notes. They can help direct you to more evidence in a fraction of the time it would take to perform an exhaustive search.
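The filenames recovered from the erased white board and the passwords or URLs found on notes become search keywords for the later analysis of the hard drive image. The Python script below is an added example, not code from this book. It searches a constructed raw image for each keyword in both ASCII and UTF-16LE (Windows stores long filenames in UTF-16LE, so a deleted file's directory entry will not match an ASCII search), ignores case, and reports the offset and surrounding bytes of every hit. The image fragments, filenames, password, and address are invented.

```python
"""Search a raw image for names and secrets noted at the scene (added example,
not from the book). Filenames from a whiteboard and passwords from sticky
notes become search keywords: a deleted file's name usually survives in
directory entries and its data in unallocated space. Windows stores long
filenames in UTF-16LE, so every keyword is searched in ASCII and UTF-16LE.
The image and the keywords are constructed for this example."""
import re

ENCODINGS = ("ascii", "utf-16-le")

# Invented: two filenames read off the erased white board and a sticky-note password
SCENE_KEYWORDS = ["cards_2005.xls", "swipe_log.txt", "letmein42"]


def keyword_patterns(keywords):
    """One case-insensitive byte regex per keyword per encoding."""
    pats = []
    for kw in keywords:
        for enc in ENCODINGS:
            pats.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return pats


def printable(raw, enc):
    """Decode a context slice and replace non-printables with '.' for display."""
    text = raw.decode(enc, errors="replace")
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def search_image(data, keywords, context=24):
    """Return hits sorted by offset: keyword, encoding, offset, and a printable
    context window. The window is kept 2-byte aligned so UTF-16LE decodes."""
    context -= context % 2
    hits = []
    for kw, enc, pat in keyword_patterns(keywords):
        for m in pat.finditer(data):
            lo = max(0, m.start() - context)
            lo += (m.start() - lo) % 2
            hi = min(len(data), m.end() + context)
            hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                         "context": printable(data[lo:hi], enc)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image():
    """Constructed 16 KiB image: zeros with a few fragments at known offsets."""
    img = bytearray(16 * 1024)
    fragments = {
        # remnant of a deleted file's directory entry: long name in UTF-16LE
        0x0800: "cards_2005.xls".encode("utf-16-le"),
        # a batch file that copied the swipe log to removable media (ASCII, upper case)
        0x1200: b"copy C:\\Swipe\\SWIPE_LOG.TXT E:\\backup\\\r\n",
        # an old FTP URL holding the sticky-note password and the filename (invented)
        0x2400: b"ftp://user1:letmein42@203.0.113.7/cards_2005.xls",
    }
    for off, blob in fragments.items():
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for h in search_image(build_sample_image(), SCENE_KEYWORDS):
        print(f"{h['offset']:#08x} {h['encoding']:9s} {h['keyword']:15s} {h['context']}")
```

Four hits come back: the UTF-16LE directory-entry remnant, the upper-case batch file line, and two in the FTP URL. Running the same search on an image with only an ASCII pattern would have missed the directory entry entirely, which is why both encodings are always tried.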