Part of your role as an investigator is to ensure that a nearly perfect snapshot of the system can be taken. The only problem with this is that nearly anything you do to a system can change it. For example, unplugging the network cable will change the system, but leaving the network plugged in will change it too! Even if you decide to do nothing, the system will change because the time on the system constantly changes. So, you can see the dilemma a computer forensics investigator faces. The best you can do is to capture as accurate a representation of the system as possible, documenting what you did and why.
Before we get into imaging, let's go over the order in which you process evidence. Request for Comments (RFC) 3227, entitled 'Guidelines for Evidence Collection and Archiving,' lists the following example order of volatility for a typical system proceeding from the volatile to the less volatile:
Routing table, ARP cache, process table, kernel statistics
Remote logging and monitoring data that is relevant to the system in question
Physical configuration, network topology
Request for Comments (RFC)
Started in 1969, RFCs are a series of notes about the Internet. An Internet document can be submitted to the Internet Engineering Task Force (IETF) by anyone, but the IETF decides if the document becomes an RFC. Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.
This chapter focuses on collecting this type of information and covers the collection of some specific items later in the chapter. In the meantime, let's go over some procedures you want to avoid. An individual who uses the suspect system itself to search for evidence often jeopardizes their investigation. An example of this would be an investigator who used the built-in search capabilities of a Windows computer under analysis to search for and open files. By opening a file to review the file's properties, the access date changes, as illustrated in the first graphic on the next page.
Avoid doing forensics on the evidence copy or running programs, such as XCOPY, that modify the access time of all files on the system. The DOS XCOPY command copies the contents of one hard disk to another. See the second graphic and the one on the following page for a better explanation.
Notice the date and time of the 3com.zip file in the first of the two graphics: 12/23/02, 7:42p. Now, look at the next graphic, which shows the properties of the 3com.zip file, and carefully examine the created and accessed dates, which now differ after the XCOPY command was issued to copy the 3com.zip file. What do you think just happened to your evidence? These actions have the potential to destroy valuable data as well as prevent any uncovered evidence from being presented in court. It's easy to destroy evidence unintentionally.
Use properly prepared media when making forensic copies to ensure that there is no commingling of data from different cases. Sanitize all media that is to be used in the examination process. If you cannot afford new media for each case, be sure that all previous media has been properly sanitized and that it doesn't contain any viruses or other such contaminants. To properly sanitize a drive, all data must be removed and overwritten. The sanitization process writes to active and inactive file space, bad sectors and tracks, the space between the end of a file and the end of a block or sector, file allocation tables, directories, and block maps.
The U.S. Department of Defense, in the clearing and sanitizing standard DoD 5220.22-M, recommends overwriting all addressable locations with a character, then its complement, then a random character, and verifying the result, as the method for clearing and sanitizing information on writable media. Note that this method is not approved for media containing top secret information. To sanitize your media according to this method, overwrite first with a fixed byte value, such as 10101010 - 0x55, then with its complement, 01010101 - 0xAA, and finally with random byte values.
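The following is an added example, not code from the chapter or from any of the vendor products it mentions. It carries out the three passes just described (a fixed byte, its complement, then random data) against an ordinary file that stands in for a drive, reads each fixed pass back to verify it, and returns a step log that can go straight into the examiner's notes. The byte values 0x55 and its complement 0xAA are taken from the text; everything else (function names, the file in place of a device) is assumed for illustration.

```python
# Added example (not from the chapter or any vendor tool): a three-pass overwrite
# in the style the chapter describes, applied to an ordinary file standing in for
# a disk. Pass 1 writes the chosen byte (0x55 here), pass 2 its complement (0xAA),
# pass 3 random bytes, and each fixed pass is read back and verified.
import os
import secrets

CHUNK = 1 << 16  # write and read the target 64 KiB at a time


def _overwrite(fh, size, fill):
    """Rewrite `size` bytes from offset 0, with fill(n) supplying each n-byte chunk."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(fill(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def _verify(fh, size, value):
    """Read the target back and confirm every byte equals `value`."""
    fh.seek(0)
    remaining = size
    expected = bytes([value]) * CHUNK
    while remaining:
        n = min(CHUNK, remaining)
        if fh.read(n) != expected[:n]:
            return False
        remaining -= n
    return True


def sanitize(path, pattern=0x55):
    """Three-pass overwrite of `path`; returns a report dict including a step log
    that can be pasted into the examiner's notes."""
    complement = pattern ^ 0xFF           # 0x55 (01010101) -> 0xAA (10101010)
    size = os.path.getsize(path)
    report = {"path": path, "size": size, "pattern": pattern,
              "complement": complement, "log": []}
    with open(path, "r+b") as fh:
        for step, value in (("pass1", pattern), ("pass2", complement)):
            _overwrite(fh, size, lambda n, v=value: bytes([v]) * n)
            ok = _verify(fh, size, value)
            report[step + "_verified"] = ok
            report["log"].append(
                f"{step}: wrote 0x{value:02X} over {size} bytes, verified={ok}")
        _overwrite(fh, size, secrets.token_bytes)
        fh.seek(0)
        final = fh.read()
    # The random pass cannot be checked against a fixed value; confirm instead
    # that the complement pattern from pass 2 no longer survives in the target.
    report["pass3_verified"] = size == 0 or final != bytes([complement]) * size
    report["log"].append(f"pass3: random data, verified={report['pass3_verified']}")
    return report
```

The verification step after each fixed pass is what makes this usable as documentation: the log records what was written, how much, and whether the read-back matched, which is exactly what you need to show later that the media was clean before it was reused for a case.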
During the sanitization process, document your steps. You can sanitize and document the process in several different ways. Software sanitizing programs (such as Maresware Declasfy, Ontrack DataEraser, and WinHex) are available for this purpose. All of them work by overwriting the entire disk, usually several times, in a way designed to destroy all traces of preexisting information.
Besides software programs, some companies have equipment designed specifically for this process. The device shown in the following graphic, the Image MASSter Wipe MASSter, can sanitize nine hard drives, conforms to U.S. Department of Defense Standard DoD 5220.22-M, and gives you a forensic audit printout after wiping each drive.
Next, check to make sure that all forensic software tools are properly licensed for use and that all lab equipment is in working order. Several companies offer forensic imaging tools. The second image shows a handheld software duplication device made for computer disk drive data seizure. Image capture operations can be performed from a suspect's drive to another hard drive.
WinHex
A universal hexadecimal editor used in computer forensics, data recovery, low-level data processing, and IT security.
(Photograph Courtesy of Intelligent Computer Solutions, Inc. 2004)
(Photograph Courtesy of Intelligent Computer Solutions, Inc. 2004)
Forensic kits are also available. A kit includes additional tools that you may need for capturing data. The kit shown in the following graphic includes tools made for seizing data from computers that cannot be opened in the field. High-speed data transfers can be performed between any suspect hard drives through the computer's FireWire or Universal Serial Bus (USB) port. The kit includes a bootable CD to boot the suspect's computer and run the acquisition program.
(Photograph Courtesy of Intelligent Computer Solutions, Inc. 2004)
In some cases, evidence that is relevant to a case may only temporarily exist. Evidence can be lost when a computer is powered down. This is why the Guidelines for Evidence Collection start with the volatile data. By capturing the volatile data before unplugging the computer, you get a snapshot of the system at the time you arrived on the scene. The following information should be collected:
System date and time
Current network connections
Current open ports and applications listening on those ports
Applications currently running
To capture this information, you should conduct a live response. In a live response, the information is collected without impacting the data on the system. The two most practical ways to do this are to save the information to a remote forensic system or to save it to a removable USB drive. To do this, you can use a tool called Netcat, which is a free tool used to create a reliable TCP connection between the target system and the forensic workstation. Using Netcat allows you to get on and off the target system in a relatively short amount of time. You can then analyze the data you have collected at a later time. You can also use Cryptcat, which is an encrypted version of Netcat. With Cryptcat, the traffic is encrypted between the target system and the forensic workstation. By using this type of process, the risk of data contamination or compromise is nearly eliminated.
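The following is an added example, not from the chapter or from the Netcat or Cryptcat projects, showing the bookkeeping side of a live response. It runs each command for the four volatile items listed above (system date and time, ARP cache and connections, open ports, running applications), writes the raw output to the response media, and records start and finish times, output size and MD5/SHA-256 digests in a manifest so the collection can be documented afterwards. The Windows command list is an assumption for illustration; on a real response, each argv should name a known-good copy of the tool on your own media rather than whatever is installed on the suspect system, and the output directory would be the USB drive or a file fed to Netcat.

```python
# Added example, not part of the chapter: a small live-response collector that
# runs each listed command, saves the raw output, and records time stamps and
# digests in a manifest. The command list below is constructed for illustration.
import datetime
import hashlib
import json
import os
import subprocess
import sys

# Commands in the order the chapter lists the volatile items (assumed Windows tools).
WINDOWS_VOLATILE = [
    ("datetime", ["cmd", "/c", "date /t & time /t"]),
    ("arp_cache", ["arp", "-a"]),
    ("connections", ["netstat", "-an"]),
    ("processes", ["tasklist"]),
]


def _now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def collect(commands, outdir, timeout=60):
    """Run each (label, argv) pair, write its output to outdir/<label>.txt, and
    return the manifest (also written to outdir/manifest.json)."""
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for label, argv in commands:
        entry = {"label": label, "argv": argv, "started_utc": _now()}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output = proc.stdout + proc.stderr
            entry["returncode"] = proc.returncode
        except (OSError, subprocess.SubprocessError) as exc:
            # A missing tool or a hang is itself worth recording, not a reason to stop.
            output = f"collection failed: {exc}".encode()
            entry["returncode"] = None
        entry["finished_utc"] = _now()
        path = os.path.join(outdir, f"{label}.txt")
        with open(path, "wb") as fh:
            fh.write(output)
        entry.update({"file": path, "bytes": len(output),
                      "md5": hashlib.md5(output).hexdigest(),
                      "sha256": hashlib.sha256(output).hexdigest()})
        manifest.append(entry)
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "live_response"
    for item in collect(WINDOWS_VOLATILE, target):
        print(item["label"], item["bytes"], item["md5"])
```

Hashing each output at collection time is what lets you show later that the files analyzed are the ones captured on the scene; the manifest also gives you the timeline of exactly when each volatile item was read.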
Let's look at how you can gather some pieces of information with individual tools starting with volatile components first. One of the first places to capture information is from the Address Resolution Protocol (ARP) cache. The ARP cache is a table that maintains a mapping of each physical address and its corresponding network address. This information tells you to which other computers the computer you are working with is connected. The ARP cache also indicates the network and hardware addresses. For example:
Address Resolution Protocol (ARP)
A protocol used on the Internet to map computer network addresses to hardware addresses.
You can see that the computer has maintained a listing of the addresses for two additional computers. This information can be especially useful for a forensic situation in which a company may have been attacked from the inside (internally). The information in the ARP cache is held for a maximum of 10 minutes, and then the entries are deleted.
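Once the cache has been saved, it is easier to work from a table than from screen captures. The following is an added example, not from the chapter: a parser for saved `arp -a` output that handles the Windows layout and the common Unix "host (ip) at mac on interface" layout, normalizes the hardware addresses, and lists the neighbours that had a complete entry. The sample output is constructed; the two Windows entries mirror the situation described above, where the computer had addresses for two other machines.

```python
# Added example, not from the chapter: parse saved `arp -a` output so the cache can
# be tabulated without touching the suspect system again. Sample text is constructed.
import re

WIN_IFACE = re.compile(r"^Interface:\s+(\S+)\s+---\s+(0x[0-9A-Fa-f]+)")
WIN_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")
# host (ip) at mac-or-<incomplete> [flags...] on iface
UNIX_ENTRY = re.compile(
    r"^(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(\S+)(.*?)\s+on\s+(\S+)")

SAMPLE_WINDOWS = """Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.20          00-50-56-11-22-33     dynamic
"""


def parse_arp(text):
    """Return one dict per cache entry: ip, mac (colon-separated lower case, or None
    for an incomplete entry), type, interface, and host where the format gives one."""
    entries, iface = [], None
    for line in text.splitlines():
        m = WIN_IFACE.match(line)
        if m:
            iface = m.group(1)          # entries that follow belong to this interface
            continue
        m = WIN_ENTRY.match(line)
        if m:
            entries.append({"ip": m.group(1),
                            "mac": m.group(2).lower().replace("-", ":"),
                            "type": m.group(3).lower(), "interface": iface,
                            "host": None})
            continue
        m = UNIX_ENTRY.match(line)
        if m:
            raw_mac, flags = m.group(3), m.group(4)
            entries.append({"ip": m.group(2),
                            "mac": None if raw_mac.startswith("<") else raw_mac.lower(),
                            "type": "static" if "PERM" in flags else "dynamic",
                            "interface": m.group(5), "host": m.group(1)})
    return entries


def neighbors(entries):
    """Sorted list of IP addresses that had a resolved hardware address."""
    return sorted({e["ip"] for e in entries if e["mac"]})
```

Entries marked incomplete are kept in the table but excluded from the neighbour list, since they only show that the machine tried to reach an address, not that a reply came back.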
Another useful piece of information is the output of the traceroute command. Originally developed for the Unix operating system, traceroute is used for many operating systems and most routers. (Windows uses the tracert command, which produces the same type of information as traceroute.) You use traceroute to track the path a packet takes to get to its destination. For example, if you need to request records from service providers in regard to a case, the information contained in the traceroute output tells you through which company's routers the data traveled.
traceroute
A command used to see where a network packet is being sent and received in addition to all the places it goes along the way to its destination.
Many firewalls do not issue error messages, so the traceroute client might time out. This means that it may stop at a certain point due to firewall restrictions or router rules.
The following graphic shows an example of tracert command output.
You can see that the path a packet took from our computer to the final destination passed through the following companies:
Time Warner Telecom
Exercise caution when performing a route trace. The packet will go to the suspect's computer, and the suspect could be listening.
Next, an investigator might want to collect a list of the processes running. The following graphic shows the file output of a program called PsService, which we used to capture this data.
Netstat displays the active computer connections. This information provides the investigator with a list of what protocols are running and what ports are open.
Netstat
A utility that displays the active port connections on which the computer is listening.
After you collect data from the volatile sources, you might have to shut down the system for transport. Or you might encounter a suspect computer that is already shut down. Proper shutdown is necessary to maintain the integrity of the original evidence. Deciding how to shut down a system can be a tough call. If you disconnect the power cord, you risk losing data, especially on Unix computers. If you shut down the computer through the normal shutdown method, you risk running destructive programs that will delete data upon shutdown.
Whether you choose to literally pull the power plug to immediately stop all disk writes or properly shut down the computer, after the system is off, you can begin the process of creating a duplicate hard disk. You should boot from a floppy boot disk and then create a bit stream of the hard disk. To create a bootable floppy disk, format the floppy and copy the system files to the floppy. To do this, at the C:\> prompt type `format a: /s`. These system files will be copied: io.sys, drvspace.bin, command.com, and msdos.sys.
Drive imaging can be performed in several ways:
Disk-to-disk image, which is mainly used to test booting
Disk-to-image file, which results in faster searches and is compressible
Image file to disk, which is used to restore an image
A process used to create a bit-for-bit copy from one hard drive to another.
Among network administrators, tools such as Norton Ghost are popular for disk imaging. However, this type of software does have some issues associated with it. Ghost does not create an exact duplicate of the disk by default. It recreates the partition information and the file contents. A hash of the image will almost always result in a value that is different from the original disk and, therefore, can be excluded from evidence because the Rules of Evidence generally require that you provide an exact duplicate of the original. If you have no other disk-imaging options available, use Ghost. It is better than having no image at all. A white paper on the use of Ghost as a forensic tool is available on the SANS website ( http://www.sans.org ).
forensically sound
Procedures whereby absolutely no alteration is caused to stored data so that all evidence is preserved and protected from all contamination.
Regardless of whether the examiner performs a direct device-to-device copy of the media or creates forensic evidence copies for examination or restoration, the copy process should be forensically sound and the examination of media should be conducted in a forensically sound environment. A forensically sound environment is one in which the investigator has complete control. No procedures are permitted without the investigator approving them. Physical write-blocking devices or software write blockers can be used to ensure that no writes impact the original media. These sit between the operating system and the disk driver, or are plugged in between the disk controller and the physical disk, to block any write requests. Nonforensic software can write to the drive, so using a write-blocking device eliminates this issue. Hardware and software write blocking and proper documentation were discussed in Chapter 3, 'Computer Evidence.'
A process used to copy an entire hard drive that includes all bits of information from the source drive and stores it in a raw bit stream format.
Disk imaging is not the same as using backup software.
Moving on, let's define some terms and features in regard to making full-volume copies of data:
The first step in the forensic examination of a computer hard drive is to create the bit stream copy or forensic duplicate. This bit stream image of the original media is then used for the analysis. Bit stream images allow you to capture the slack and unallocated space so the deleted files and file fragments can be recovered. Forensic duplicates can be created by using a hardware duplicator, such as the MASSter Solo-2 Professional Plus or the Forensic SF-5000. A mirror image can be used when time is of the essence, but you will end up creating a working copy of the mirror image for analysis. Besides hardware solutions, many of the common tools used for obtaining a forensic duplicate are built into the software. For example, the following figure shows this process using WinHex.
A suspect drive should be duplicated, and then only the copy should be used for investigation, thereby ensuring the integrity of the original drive. The integrity of the original media must be maintained throughout the entire investigation. In a computer investigation, there is no substitute for properly obtaining a good working copy. An investigator must duplicate a disk using sound practices before performing any analysis; otherwise, the investigation can be jeopardized. If not properly done, your analysis will almost certainly alter file access times. Examinations should be conducted on a forensic duplicate of the original evidence, or via forensic evidence files. You saw what happened when XCOPY was used to copy files. Using tools that are unsound can make it more difficult to get the evidence admitted in court.
forensic compression
The compacting of an image file by compressing redundant sectors to reduce the amount of space it takes up.
As explained previously, forensic duplicating includes copying every bit of information on the disk regardless of whether or not it is part of the live data. This image provides a way for an investigator to do an in-depth analysis without fear of altering the original evidence. Keep in mind that the speed of the duplication process can vary greatly based on the physical state of the media, processor, and type of connection used to transfer the data. In addition, some products offer forensic compression and spanning options. Forensic compression reduces the image file by compressing redundant sectors. Spanning across multiple discs is used when the target media is smaller than the image file. For example, say that you are imaging or cloning a 40GB drive and the drives you are currently using hold 10GB. You will need four drives to copy all the data. Spanning automatically breaks down the image into individual files. Certain programs allow you to preset file sizes, especially if you are using CD-Rs to store the image.
spanning across multiple discs
Breaks the image file into chunks of a certain size so the image file can be backed up onto multiple CD recordable discs or other media types.
After an image has been made, how can you verify that it was made correctly? How can you be sure that the copy is exactly the same as the original? Verification will confirm that the original media was not changed during the copy procedure. Both the cyclic redundancy check (CRC) and the Message Digest 5 (MD5) confirmation ensure that the procedure did not corrupt the data. When MD5 is used, even a change to one bit of information on a large drive packed with data will result in a new message digest. By comparing the original disks and copies, these methods can be used in computer forensic examinations to ensure that an image is an exact replica of the original.
cyclic redundancy check (CRC)
A common technique for detecting data transmission errors. Each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The receiving device then applies the same formula to the message and checks to make sure the accompanying numerical value is the same, thereby verifying the data integrity.
Recovering data from a physically undamaged disk can be done by simply hooking it into another system and taking a raw dump of the disk contents to a file. You can then examine the information without fear of damaging the original. Another method is to hook up a sanitized drive to an IDE slot and then image the data. This method is shown in the following graphic.
Message Digest 5 (MD5)
A method of verifying data integrity that is more reliable than CRC. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, which is then used to verify that the message hasn't been altered.
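The following is an added example, not from the chapter or from any imaging product, that ties together the spanning option described earlier and the CRC/MD5 verification described here. It copies a source byte for byte into span files of a preset size (the chapter's 40GB source on 10GB media needs four), keeps a per-span digest plus a digest of the whole stream, verifies the spans against the source, and flips a single bit to show that both the CRC and the MD5 change. An ordinary file stands in for the drive; on a real acquisition the source would be the device behind a write blocker, and the 650MB default span size is an assumption for a CD-R.

```python
# Added example, not from the chapter: raw (bit stream) copy into spanned image
# files of a preset size, with CRC-32 and MD5 fingerprints for verification. The
# file used as the "source" stands in for a physical drive.
import hashlib
import math
import zlib

SPAN_SIZE = 650 * 1024 * 1024   # assumed CD-R capacity; each span is held in memory
READ_SIZE = 1 << 20


def fingerprint(path):
    """Return (crc32, md5 hex) of a file, read in 1 MiB chunks."""
    crc, md5 = 0, hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(READ_SIZE), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
    return crc & 0xFFFFFFFF, md5.hexdigest()


def spans_needed(source_size, span_size):
    """Number of target media of span_size needed (the chapter's 40GB / 10GB = 4)."""
    return max(1, math.ceil(source_size / span_size))


def image_with_spanning(source, out_prefix, span_size=SPAN_SIZE):
    """Copy `source` byte for byte into out_prefix.000, .001, ...; each span file is
    at most span_size bytes. Returns ([(path, size, md5)], md5 of the whole stream)."""
    whole, spans, idx = hashlib.md5(), [], 0
    with open(source, "rb") as src:
        while True:
            data = src.read(span_size)
            if not data:
                break
            path = f"{out_prefix}.{idx:03d}"
            with open(path, "wb") as dst:
                dst.write(data)
            whole.update(data)
            spans.append((path, len(data), hashlib.md5(data).hexdigest()))
            idx += 1
    return spans, whole.hexdigest()


def verify_spans(spans, expected_md5):
    """Re-read the spans in order, check each span's own size and digest, and confirm
    the digest of the concatenation equals the digest taken from the source."""
    whole = hashlib.md5()
    for path, size, span_md5 in spans:
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size or hashlib.md5(data).hexdigest() != span_md5:
            return False
        whole.update(data)
    return whole.hexdigest() == expected_md5


def flip_one_bit(path, offset, bit=0):
    """Flip a single bit at `offset`, to show that any change alters both digests."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        byte = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([byte ^ (1 << bit)]))
```

Keeping a digest per span as well as one for the whole stream tells you which disc is at fault when verification fails, instead of only that the image as a whole no longer matches the source.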
When you need to make an exact image of the hard drive, you should have a variety of tools in your lab. Each tool has its own strengths and weaknesses. You should work with as many tools as you can, and you should become familiar with them so that you know their strong points and how to apply each of them. When choosing tools, one important consideration should be whether or not the tool can detect the presence of a hardware-protected area (HPA). These areas are created specifically to allow manufacturers to hide diagnostic and recovery tools. In essence, a portion of the disk is hidden and can't be used by the operating system. Neither the Basic Input Output System (BIOS) nor the operating system can see this hidden area. Companies such as Phoenix Technologies have developed products that can use this protected space to hold utilities for diagnostics, virus protection, emergency Internet access, and remote desktop rebuilds, but they also allow consumers to use this area to hide data. Technically savvy criminals may conceal their activity in this area.
hardware-protected areas (HPAs)
Areas of a hard drive created to specifically allow manufacturers to hide diagnostic and recovery tools.
Keep in mind that full imaging will copy each sector of the original media, including data that is hidden, partially erased, or encrypted, data contained in space that was swapped out of memory, and all of the unused space. A full image copy provides a wealth of information for the forensic examiner. When working with a suspect computer and making the image, here are a few steps to remember:
Record the time and date reported in the BIOS. This can be an important factor, especially when time zones come into play.
Remove the storage media (such as hard drives, etc.) before powering on the PC to check the BIOS.
Do not boot the suspect machine's operating system, as booting it can destroy evidence.
When making the bit stream image, be sure to document how the image was created. This includes recording the date, time, examiner, and tools that were used.
When making the image, make sure that the tool you use does not access the filesystem of the target media containing the evidence.
Use tools that do not make any writes or change the file access time for any file on the evidence media.
Basic Input Output System (BIOS)
Responsible for booting the computer by providing a basic set of instructions.
After the image is made, the original evidence media should be sealed in an electrostatic-safe container, cataloged, and initialed on the seal. The container should then be locked in a safe room. Anyone who comes in contact with the container should initial it as well. Consider making a second bit stream image of your first image, especially if the seized machine was used in the workplace. The employer may want to put the machine back in service.
In addition to extracting images from hard drives, you can use tools for memory imaging and forensic acquisition of data from the Palm operating system family of personal digital assistants (PDAs). Obtaining a bit-for-bit image of the selected memory region can properly preserve evidence. During this process, no data is modified on the target device, and the data retrieval is not detectable by the PDA user. The memory image of the device includes all user applications and databases, passwords, and various other pieces of information that may be useful in a forensic investigation. One such tool, called Palm dd (or pdd ), can retrieve and display the following:
Card number, name , and version
Palm OS version
RAM and ROM size
You can also extract the contents of the memory of a RIM Blackberry wireless PDA. Each device has either 512KB of SRAM or 4MB to 5MB of flash RAM. The SRAM is the same as the RAM on a desktop, and the flash RAM is actually the disk space used to store the file, operating systems, and the applications. In these devices, just as on a hard disk, you can hide databases, data between the application and file partitions, and data in unused filesystem space. A hacker can write a program that accesses a database upon synchronization of the device. The normal user or untrained investigator will have no idea it is there. A bit-for-bit image of the memory can be obtained by using a utility from the development kit called SAVEFS to dump the contents into a file that can be examined by a hex editor.
Chapter 3 briefly described the evidence log documentation necessary to produce a good case. Let's go into a little more detail here and specify some particular items of interest that should be documented when you examine a system and make an image of the drive or memory contents:
Collect the system date and time from the BIOS. You should compare it to a reliable known time source and note any differences.
Record the drive parameters and boot order, along with the system serial numbers, component serial numbers, hardware component hashes, etc.
On hard drives, record the number and type of partitions.
On CDs, record the number of sessions.
Note the operating and filesystems used on the media.
Document installed applications.
Make a full directory listing to include folder structure, filenames, date/time stamps, logical file sizes, etc.
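The following is an added example, not from the chapter, for the last item on that list. It produces the directory listing (folder structure, names, modification, access and change times, logical sizes) using metadata calls only, so no file on the media is opened and no file access time is changed, and writes the listing to a CSV whose SHA-256 can be entered in the evidence log. It is meant to be run against the mounted forensic duplicate, never the original; the function names and the CSV layout are assumptions for illustration.

```python
# Added example, not from the chapter: a full directory listing for the evidence
# log, taken with lstat() so that no file is opened and file access times stay as
# found. Run it against the mounted forensic duplicate, not the original media.
import csv
import datetime
import hashlib
import os
import stat

FIELDS = ["path", "kind", "size", "modified_utc", "accessed_utc", "changed_utc"]


def _iso(ts):
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat()


def directory_listing(root):
    """Walk `root` in sorted order and return one row per directory entry.
    lstat() reads metadata only, so file access times are untouched. (Reading a
    directory can still update that directory's own access time on some file
    systems, one more reason to do this on the duplicate.)"""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic recursion order
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif stat.S_ISLNK(st.st_mode):
                kind = "symlink"
            else:
                kind = "file"
            rows.append({"path": os.path.relpath(full, root).replace(os.sep, "/"),
                         "kind": kind, "size": st.st_size,
                         "modified_utc": _iso(st.st_mtime),
                         "accessed_utc": _iso(st.st_atime),
                         "changed_utc": _iso(st.st_ctime)})
    return rows


def write_listing(rows, out_path):
    """Write the rows as CSV and return the SHA-256 of the file for the evidence log."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    with open(out_path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()
```

Recording the three time stamps at listing time gives you a baseline: if a later step in the examination changes an access time, the listing shows what the value was before you touched the copy.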
As an investigator, you must be prepared to prove your methods and documentation. The case of United States v. Zacarias Moussaoui, Criminal No. 01-00455-A, is a good example in which a defendant's attorney disputed the authentication of hard drives submitted in discovery. The response explains that the FBI used three methods to image the drives. Page 2 of the response refers to methods approved by the National Institute of Standards and Technology (NIST). This brings up an interesting point. NIST does not approve imaging software. It tests it and publishes the results. The website for the Computer Forensics Tool Testing (CFTT) Project is http://www.cftt.nist.gov/ . The 'Imaging/Capture Tools' section references these tests for some of the tools.
To read the whole story about the drives in United States v. Zacarias Moussaoui, go to news.findlaw.com/hdocs/docs/terrorism/usmouss90402grsp.pdf or notablecases.vaed.uscourts.gov/1:01-cr-00455/docs/67282/0.pdf .
Many of today's tools can capture all the information that is needed for an investigation. But as the size of hard drives increases, so does the time it takes to sort through the volumes of data acquired. When a case needs to move swiftly or your disk space is limited, what do you do? In the next section, we'll cover partial volume images and capturing individual types of information rather than doing a full volume image.