Before you can prove that you have maintained the integrity of data you present as evidence, you must prove that you have maintained the integrity of the hardware that contains the data. From the beginning of your investigation, you must take precautions, and document those precautions , to protect the hardware.
The main goal of evidence preservation is to ensure that absolutely no changes have taken place since the evidence was collected. Your collection and handling procedures will be examined. Take all necessary precautions to protect collected evidence from damage that might change its state. Static electricity discharge is a significant concern. You must bring static protection devices with you on each investigation. Use them, and make notes that explain the steps you take to avoid inadvertent damage.
You will have to address several concerns throughout your investigation. Do not handle any evidence until you are absolutely sure you can legally acquire the evidence and that the collection and analysis process will not change the evidence. The following sections cover some of the general issues of evidence preservation.
One of the classic debates in computer forensics circles is the correct approach to handling a live system. If the computer system in question is operating when you approach it, should you turn it off? The question becomes more pronounced when you are brought in as part of an incident response team during an ongoing attack. Before you switch into investigator mode, you need to limit the extent of the damage. However, disconnecting the computer from the network or power supply can damage or destroy crucial evidence.
Let's assume you want to 'freeze' the system as it is and immediately halt all processing. In that case, you may want to literally pull the power plug out of the wall (or pull it from the back of the computer). Removing power immediately stops all disk writes , but it destroys anything in memory. Such an abrupt crash could also corrupt files on the disk. You may find that the very evidence file you want was corrupted by the forced crash. One client once unknowingly tested their disaster recovery plan in a very real way. Early one morning, the Unix computer that hosted the company's central database had the power cord pulled from the back of the computer. When power was restored, the filesystem detected one file that was hopelessly corrupted and promptly deleted it. Unfortunately, the file was the core database file. The client lost the entire database. Fortunately, the backup process had completed only 15 minutes prior to the crash, and no data had been entered since. Although newer operating systems tend to behave, be aware that a sudden loss of power can have negative results.
On the other hand, you may want to perform a proper system shutdown. Although shutting the system down protects any files from accidental corruption, the shutdown process itself writes many entries to activity log files and changes the state of the evidence. Further, a suspect computer could run procedures that cleanse many log files on shutdown. A proper shutdown might wipe out crucial evidence.
A third option is to leave the system up and running. Several of the popular computer forensics software suites support live forensics. With a small footprint, these tools allow you to take a snapshot of the entire system, including memory and disks, while it is still running. The easiest way to do this is to install the small monitor program on the computer prior to any incidents. Of course, this approach only works if you have a manageable number of workstations and you have the authority to install such programs. This is possible in an environment where the organization owns the hardware and can dictate what software is loaded. If you are fortunate enough to deploy forensics software on all of the computers in your organization, the forensics process can be greatly simplified.
You can still run live forensics even if you have had no previous access to the computer. A common way to do this is to carry the required forensic software on a USB drive. You can run the forensics directly from the USB drive, and save any output to it as well. This option gives you the ability to take a snapshot of the live system without changing its state in the process. The availability of large-capacity USB drives that fit on a key ring makes it possible to carry your entire tool set with you inconspicuously wherever you go.
Returning to the credit card investigation scene, you need to look for the files that match the name found written on the white board. Because you carry your USB flash drive with Maresware forensic utilities preloaded, all you have to do is plug in the USB drive.
We haven't talked about specific forensic tools at this point, but stay tuned . We cover many of the most common hardware and software tools used in computer forensics investigations in Chapter 8, 'Common Forensics Tools.'
You immediately have access to the utility you need to search for the files in question. Because you can only search the suspect's computer and not seize it, you'll need to search the drive without copying it first. That may sound like a strange restriction, but you'll probably run into many interesting situations as an investigator. So, search away!
If your investigation ends up in a court of law, be prepared to provide evidence that the tools you used did their job without corrupting the evidence. That can be a tough sell if you try to prove it by yourself. An easier course would be to use commercially available forensic tools that have been accepted by courts. If in doubt, ask your local law enforcement contact which tools are accepted in local courts. If you use tools a judge has seen before, you are likely to avoid a lot of wasted time.
Some types of evidence require uninterrupted power to maintain the contents of memory. The most common type of hardware in this category is the personal digital assistant (PDA). PDAs are quite common and often contain valuable evidence. They also come in a variety of shapes and sizes. You can find traditional PDAs, as well as PDAs that are integrated into wireless phones and even wristwatches. Regardless of their design, they share one common trait: when the power runs out, the data is lost.
Let's assume you find a gold mine of information on a suspect's PDA. You extract the information and analyze it to find just what you were looking for. After a job well done, and after the self congratulations, you lock up all the evidence in the evidence locker and await the assigned trial date. When your trial date arrives, you open the evidence locker and find that the PDA battery had run out of power. Your original evidence is gone. Well, your analysis report should still exist. You can proceed with documentation of your findings, but it would be a lot easier to show the PDA with data still on it. Although you know what was there, it no longer corresponds to the PDA from which it was originally taken.
If you seize devices that require power to maintain data, seize the charger as well. Make sure you either seize the charger or are prepared to buy a charger for the device. Also be prepared to explain your actions in court. Another interesting feature of PDAs is that their very operation changes the stored data. You may have to explain to a judge or jury how PDAs keep track of current time in order to notify the user of timed events. Be careful when asked if the data in the PDA has changed since it was seized; it has. You simply have to explain how the evidence did not change.
So, you have the system you need to analyze. How do you poke around the data and convince a judge or jury that you didn't change anything in the process? If you're talking about a disk drive, the answer is really quite simple. Just take a snapshot of the drive before you touch anything, and then compare the snapshot to the drive after your analysis. If they are the same, you didn't change anything.
A mathematical function that creates a fixed-length string from a message of any length. The result of a hash function is the hash value, sometimes called a message digest. Hash functions are one-way functions. That is, you can create a hash value from a message, but you cannot create a message from a hash value.
The most common method of taking a snapshot of a drive is to calculate a hash of the entire drive. Most forensic tool sets include a utility to calculate either a cyclic redundancy check (CRC) or Message Digest 5 (MD5) hash value. Although other valid methods exist to generate a single value for a file, or collection of files, the CRC and MD5 hash values are the most common. Both algorithms examine the input and generate a single value. Any changes to the input will result in a different value.
After you have ensured the physical integrity of the media (static electricity countermeasures, stable workspace, etc.) you can mount the media and access it in read-only mode. It is important that you explicitly separate the suspect media from other media during any access to the data. The only safe way to ensure that nothing changes the data on the drive is to use trusted tools to access the media only once. The only reason to directly access suspect media is to copy it for analysis.
When available, use a write-blocking device to access suspect media. You can use software or hardware write blockers (see Chapter 3). Software write blockers prevent any operating system write operations from modifying the media. In essence, the software write blocker lives between the operating system and the device driver. Any requests for writes to the media are rejected.
Hardware write blockers are physical devices that sit between the drive itself and the controller card. The cable that transmits write instructions and data is physically altered to disallow any writes. Between the two options, the hardware write blocker is harder to bypass and is generally easier to explain in court.
If you have no access to either software or hardware write blockers, you can mount media in read-only mode. You will have to meticulously document the mount options you used to provide evidence to the judge or jury that you allowed no writes during analysis.
After you mount the suspect media, the first step you take is to create a hash. Use your own utility or a tool from your forensic tool set to create an MD5 hash of the entire media. This provides a reference to the initial state of the media you will use throughout your investigation. After the volume is mounted and you have calculated the hash, you can create a bit-by-bit copy of the suspect media. You will perform all further actions on the copy of the original media, not the original.
That's all you do with the original media. After the copy operation, discontinue any access to the original. It is important that you follow these steps with each media device you analyze:
Mount the suspect media in read-only mode (use a write blocker when possible).
Calculate an MD5 hash for the entire device.
Create a bit-by-bit copy of the media.
Unmount the media and return it to the evidence locker.
Take extra precautions to protect the original media and the initial hash. You will need both at the time of trial so that you can ensure that evidence you find is admissible . Even if your investigation does not lead to court, being able to prove that your activities made no changes to a disk drive is extremely helpful. You'll need the initial hash to prove such a claim.
The next step in the investigative process is the most time-consuming . After you have copies of the original media, it is time to start the analysis.