Evidence Preservation

Pull the Plug or Shut It Down?

One of the classic debates in computer forensics circles is the correct approach to handling a live system. If the computer system in question is operating when you approach it, should you turn it off? The question becomes more pronounced when you are brought in as part of an incident response team during an ongoing attack. Before you switch into investigator mode, you need to limit the extent of the damage. However, disconnecting the computer from the network or power supply can damage or destroy crucial evidence.

Let's assume you want to 'freeze' the system as it is and immediately halt all processing. In that case, you may want to literally pull the power plug out of the wall (or pull it from the back of the computer). Removing power immediately stops all disk writes , but it destroys anything in memory. Such an abrupt crash could also corrupt files on the disk. You may find that the very evidence file you want was corrupted by the forced crash. One client once unknowingly tested their disaster recovery plan in a very real way. Early one morning, the Unix computer that hosted the company's central database had the power cord pulled from the back of the computer. When power was restored, the filesystem detected one file that was hopelessly corrupted and promptly deleted it. Unfortunately, the file was the core database file. The client lost the entire database. Fortunately, the backup process had completed only 15 minutes prior to the crash, and no data had been entered since. Although newer operating systems tend to behave, be aware that a sudden loss of power can have negative results.

On the other hand, you may want to perform a proper system shutdown. Although shutting the system down protects any files from accidental corruption, the shutdown process itself writes many entries to activity log files and changes the state of the evidence. Further, a suspect computer could run procedures that cleanse many log files on shutdown. A proper shutdown might wipe out crucial evidence.

A third option is to leave the system up and running. Several of the popular computer forensics software suites support live forensics. With a small footprint, these tools allow you to take a snapshot of the entire system, including memory and disks, while it is still running. The easiest way to do this is to install the small monitor program on the computer prior to any incidents. Of course, this approach only works if you have a manageable number of workstations and you have the authority to install such programs. This is possible in an environment where the organization owns the hardware and can dictate what software is loaded. If you are fortunate enough to deploy forensics software on all of the computers in your organization, the forensics process can be greatly simplified.

You can still run live forensics even if you have had no previous access to the computer. A common way to do this is to carry the required forensic software on a USB drive. You can run the forensics directly from the USB drive, and save any output to it as well. This option gives you the ability to take a snapshot of the live system without changing its state in the process. The availability of large-capacity USB drives that fit on a key ring makes it possible to carry your entire tool set with you inconspicuously wherever you go.

Returning to the credit card investigation scene, you need to look for the files that match the name found written on the white board. Because you carry your USB flash drive with Maresware forensic utilities preloaded, all you have to do is plug in the USB drive.

You immediately have access to the utility you need to search for the files in question. Because you can only search the suspect's computer and not seize it, you'll need to search the drive without copying it first. That may sound like a strange restriction, but you'll probably run into many interesting situations as an investigator. So, search away!

Proving a Forensic Tool Is Safe

If your investigation ends up in a court of law, be prepared to provide evidence that the tools you used did their job without corrupting the evidence. That can be a tough sell if you try to prove it by yourself. An easier course would be to use commercially available forensic tools that have been accepted by courts. If in doubt, ask your local law enforcement contact which tools are accepted in local courts. If you use tools a judge has seen before, you are likely to avoid a lot of wasted time.

Supply Power As Needed

Some types of evidence require uninterrupted power to maintain the contents of memory. The most common type of hardware in this category is the personal digital assistant (PDA). PDAs are quite common and often contain valuable evidence. They also come in a variety of shapes and sizes. You can find traditional PDAs, as well as PDAs that are integrated into wireless phones and even wristwatches. Regardless of their design, they share one common trait: when the power runs out, the data is lost.

Let's assume you find a gold mine of information on a suspect's PDA. You extract the information and analyze it to find just what you were looking for. After a job well done, and after the self congratulations, you lock up all the evidence in the evidence locker and await the assigned trial date. When your trial date arrives, you open the evidence locker and find that the PDA battery had run out of power. Your original evidence is gone. Well, your analysis report should still exist. You can proceed with documentation of your findings, but it would be a lot easier to show the PDA with data still on it. Although you know what was there, it no longer corresponds to the PDA from which it was originally taken.

If you seize devices that require power to maintain data, seize the charger as well. Make sure you either seize the charger or are prepared to buy a charger for the device. Also be prepared to explain your actions in court. Another interesting feature of PDAs is that their very operation changes the stored data. You may have to explain to a judge or jury how PDAs keep track of current time in order to notify the user of timed events. Be careful when asked if the data in the PDA has changed since it was seized; it has. You simply have to explain how the evidence did not change.

Provide Evidence of Initial State

So, you have the system you need to analyze. How do you poke around the data and convince a judge or jury that you didn't change anything in the process? If you're talking about a disk drive, the answer is really quite simple. Just take a snapshot of the drive before you touch anything, and then compare the snapshot to the drive after your analysis. If they are the same, you didn't change anything.

hash

A mathematical function that creates a fixed-length string from a message of any length. The result of a hash function is the hash value, sometimes called a message digest. Hash functions are one-way functions. That is, you can create a hash value from a message, but you cannot create a message from a hash value.

The most common method of taking a snapshot of a drive is to calculate a hash of the entire drive. Most forensic tool sets include a utility to calculate either a cyclic redundancy check (CRC) or Message Digest 5 (MD5) hash value. Although other valid methods exist to generate a single value for a file, or collection of files, the CRC and MD5 hash values are the most common. Both algorithms examine the input and generate a single value. Any changes to the input will result in a different value.

After you have ensured the physical integrity of the media (static electricity countermeasures, stable workspace, etc.) you can mount the media and access it in read-only mode. It is important that you explicitly separate the suspect media from other media during any access to the data. The only safe way to ensure that nothing changes the data on the drive is to use trusted tools to access the media only once. The only reason to directly access suspect media is to copy it for analysis.