As an investigator, the better you understand a case, the better you'll be able to sense the next logical step. An experienced investigator knows that the success of a forensics investigation relies not only on the ability to uncover evidence but also on the ability to follow good methodology during the course of evidence collection and handling so that the evidence can be used in court. Under Federal Rule of Civil Procedure 26(a)(2)(B), the parties involved in legal cases are required to disclose the identities of their forensics experts or risk not being able to call them to testify at trial. This rule states that testimony is to be accompanied by a written, signed report. The report is to contain:
A complete statement of all opinions and the basis and reasons for such
Any data or other information considered in forming the opinions
Any exhibits to be used in support of or summary for the opinions
The qualifications of the witness, including a list of all publications authored by the witness within the last ten years
Amount of compensation to be paid for the study and testimony
A listing of any other cases in which the witness has testified as an expert at trial or by deposition within the last four years.
Federal Rule of Civil Procedure 26
Federal Rule 26 states the General Provisions Governing Discovery and Duty of Disclosure. Section (a) states Required Disclosures and Methods to Discover Additional Matter.
Under Rule 30(b)(6), an organization's designated agent shall testify to matters known or reasonably available to the organization. This could include providing some additional items of more specific information, such as:
Quantity and locations of computers in use
Operating systems and application software installed and dates of use
File-naming conventions and what directories data is saved to
Backup disk or tape inventories and schedules
Computer use policies
Identities of current and former employees responsible for systems operations
E-mail with dates, times, and attachments
Word documents, tables, graphs, and database files
Internet bookmarks, cookies, and history logs
You begin the documentation process long before you start dealing with the data evidence in a case. Prior to seizing equipment or data, make sure you have the necessary paperwork filed and have proper permission to seize the computer or equipment in question. Remember that the Fourth Amendment limits the ability of government agents to search for evidence without a warrant, but consent is the most applicable exception to this Amendment. When a proper computer use policy is in place, it can cover an employee's consent to searching their system. If you have any doubts as to whether or not a warrant is needed, see the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual on the Computer Crime and Intellectual Property Section Criminal Division of the United States Department of Justice website at http://www.cybercrime.gov/s&smanual2002.htm.
Although the excitement of working in the computer forensics field is experienced while performing the investigation and 'catching the bad guy,' the 'real work' is achieved when the examiner 'kills a few trees' and completes the paperwork. As a computer forensics examiner, you must remember that the job is not complete until the report is filed.
Document everything carefully, consistently, and neatly. As discussed in Chapter 3, 'Computer Evidence,' you need to record the who, what, when, where, why, and how of the case. You'll also want to pay special attention to procedural details. You may want to start with a bound paper notebook, making notes in pen with dates and initials. This type of documentation can provide a good point of reference for jogging the memories of the forensic examiners when the case is lengthy. Chapter 3 provided a brief explanation of documentation and a sample log sheet. The National Institute of Justice offers a document titled 'Forensic Examination of Digital Evidence: A Guide for Law Enforcement.' Appendix C in that document has a wide variety of sample forms that you can tailor for your needs. The document, with sample forms, is located online at http://www.ojp.usdoj.gov/nij/pubs-sum/199408.htm.
A large percentage of your time will be spent writing reports and completing logs. All the documentation that you create can be used at a later time by the courts. When you write the report, remember that it will likely take a few years for the case to reach the courts. The better detailed the report you write now, the easier it will be for you to recall facts about the case when you have to testify in the future.
If you interviewed anyone, you should create a list of who you interviewed, including their names, e-mail addresses, what they saw, when, where, and how. In cases such as the release of malware or denial of service (DoS) attacks, you can sometimes obtain more information than you expect just by asking. You might even end up with a confession.
Using diagrams is another method of documenting a case. Remember that jurors might not know about the workings of computers and networks, so you may want to use pictures or drawings to get your point across. For example, if you are asked to prove that the data presented has not been altered, you will have to present documentation that you made the image of the original evidence correctly. Let's say that you used MD5 verification to ensure that the procedure did not corrupt the data. You explain that when using MD5, even a change to one bit of information on a large drive packed with data results in a new message digest. By comparing the original disks and the copy, you can ensure that an image is an exact replica of the original. By using a drawing like the following one, you can help the jury better understand how this procedure works.
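The MD5 comparison described above, as an added example that is not part of the book: the "media" is a constructed byte buffer standing in for the original drive, and the result dictionary is the kind of entry that belongs in the case log.

```python
import hashlib
import random

# Constructed stand-in for the original evidence media: 256 KiB of deterministic
# pseudo-random bytes (sample data built here, not an image from any real case).
def make_sample_media(size: int = 256 * 1024, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

def md5_of(data: bytes, chunk: int = 64 * 1024) -> str:
    """MD5 of a buffer, fed in chunks the way a large image file is streamed."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with a single bit toggled (simulates 1-bit corruption)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def digest_bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of bits that differ between two hex digests (shows the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def verify_image(original: bytes, image: bytes) -> dict:
    """Compare the original media with its image; the result is what goes in the log."""
    orig_md5 = md5_of(original)
    img_md5 = md5_of(image)
    return {
        "original_md5": orig_md5,
        "image_md5": img_md5,
        "match": orig_md5 == img_md5,
        "differing_digest_bits": digest_bit_difference(orig_md5, img_md5),
    }

if __name__ == "__main__":
    media = make_sample_media()
    exact = bytes(media)  # a bit-for-bit image of the media
    damaged = flip_one_bit(media, byte_index=100_000, bit=3)
    for label, img in (("exact image", exact), ("one bit flipped", damaged)):
        r = verify_image(media, img)
        print(f"{label}: match={r['match']} original={r['original_md5']} "
              f"image={r['image_md5']} digest bits differing={r['differing_digest_bits']}")
```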
The ability to write clear and concise reports will greatly benefit the computer forensics examiner.
When I was testifying in a deposition a few years ago, an extremely well-prepared attorney for the opposing side questioned me for hours about the most minute details of the case. I had been called to analyze a hard drive belonging to a publishing company. The drive in question had been used by an editor and was suspected to contain highly inappropriate material prohibited by the company's acceptable use policy. I located many evidence items on the drive and documented each and every one as well as the procedures I had used to process the case.
When it was time to testify, the opposing attorney was very well briefed on the details of the case and on forensics procedures. If I had not properly prepared my report during that investigation, I would have performed poorly while I was 'being grilled.' I was properly prepared to testify because I had reviewed my report before the deposition and because I had written an extremely detailed report at the time of the investigation. This particular investigation had occurred three years and many investigations earlier, but I was able to easily recall the necessary facts just by reviewing the report.
Keep in mind that the work you do today to prepare a report may very well more than pay for itself many years down the road.
If at all possible, videotape the entry of all persons into the crime scene. By taping the actual entrance of a forensics team into the area, you can help refute claims that evidence was planted at the scene. You might also want to take photographs of the actual evidence and take notes at the scene. For example, in the case of an intrusion, you may want to take a photograph of the monitor. However, time is usually of the essence. Consideration should be given to the possibility of destructive processes running in the background or a time-delayed password-protected screen saver. The computer most likely will be moved to a secure location where a proper chain of custody can be maintained and the processing of evidence can begin.
Pictures of the computer should be taken from all angles to document the system hardware components and how they are connected. Be careful to label each wire so that the original computer configuration can be restored. Remove the case cover of the PC or server, and carefully photograph the inside. Note the serial number, internal drives, and peripheral components. Documentation should include a physical description and detailed notation of any identifying markings or numbers. Make sure you document the configuration of the cables and connection types as well. Next, label the evidence and then once again photograph the evidence after the labels have been attached. It may be a good idea to use a 35mm camera to take the photographs. Digital images are easy to manipulate; therefore, should you be questioned whether the images have been altered, the negatives from the film can help your case.
Ideally, one person documents while another person handles the evidence. Document everything that goes on. The designated custodian for the chain of custody should initial each item after double-checking the list you have created. It is important to do this at the scene to eliminate the possibility of evidence tainting at a later date. You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you refute allegations that you changed or altered the original evidence.
electrostatic discharge (ESD)
Buildup of electrical charge on one surface that is suddenly transferred to another surface when it is touched.
The next step in the documentation process is to document the transporting of the evidence to the lab. Photograph or videotape and document the handling of evidence leaving the scene to the transport vehicle. Be careful to guard against electrostatic discharge (ESD). Although ESD won't kill you, it can certainly kill your computer components. Integrated circuits (such as processors, memory, and expansion cards) are especially sensitive to ESD. During transportation, electromagnetic fields created by magnets and radio transmitters can alter or destroy data as well. To ensure the integrity of the data stored on the media, also avoid conditions such as moisture, high humidity, and excessive heat or cold. At the examination facility, videotape or photograph and document the handling of evidence from the transportation vehicle to the lab.
Produced by the local buildup of electric charges in the atmosphere. They can be damaging to computer components. They are present everywhere in our environment but are invisible to the human eye.
The original evidence should be left untouched unless extenuating circumstances exist. Do not leave the computer unattended unless it is locked in a secure location. You don't want to risk the destruction of any crucial evidence. New Technologies, Inc. (NTI) produces a program called Seized, which locks the seized computer and warns the computer operator that the computer contains evidence and should not be operated. You can find additional information at http://www.forensics-intl.com/seized.html.
A program developed by New Technologies, Inc. (NTI) that locks a seized computer and warns the computer operator that the computer contains evidence and should not be operated.
When gathering and preparing evidence, keep in mind that normal computer operations can destroy evidence in memory, in the file slack, or in the swap file. When documenting physical evidence such as floppy or hard disks, put one copy in a bag and seal it with tape that can't be unsealed without leaving a mark. Clearly mark the bags with the case information. The Legal Imager and reaSsembly Application (LISA) can record this type of evidence right in the software. (LISA is available at http://www.blackcat.demon.co.uk/lisa/.) See the following illustration for an example of how you can enter case details into LISA. Be sure to have extra plastic bags with ties to store evidence and additional copies of all incident-handling forms.
The International Association of Computer Investigative Specialists (IACIS) has established a guide for forensic computer and digital evidence examinations. This guide lists examples of items to be documented. You can find it at www.cops.org/html/forensicprocedures.htm. You should document all standard procedures and processes used in the examination of the evidence and note in detail any deviations from the standard procedures. All recovered data should be properly marked.
International Association of Computer Investigative Specialists (IACIS)
An international volunteer corporation comprised of law enforcement professionals, including federal, state, local, and international law enforcement, who are committed to education in the field of forensic computer science.
Timelines of computer usage and file accesses can be valuable sources of computer evidence. Computer investigators rely on evidence stored as data and the timeline of dates and times that files were created, modified, or last accessed by a computer user. If the system clock is one hour different because of Daylight Saving Time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is crucial. The accuracy of the time and date stamps on files is dependent on the accuracy of the time and date stored in the CMOS chip of the computer. It is important to document the accuracy of these settings on the seized computer to validate the accuracy of the times and dates associated with any relevant computer files. Compare the current time and date with the date and time stored in the computer. The current time can be obtained from official time sites such as http://wwp.greenwichmeantime.com/ or http://www.worldtimeserver.com/. Normally, the date and time are checked by using a floppy boot disk to boot the computer and then checking the time and date in the BIOS settings. The following graphic shows how to display the date and time in the BIOS.
Complementary Metal Oxide Semiconductor (CMOS)
An on-board semiconductor chip used to store system information and configuration settings when the computer is either off or on.
File dates and times are important in documenting the backdating of computer files. Sometimes criminals purposely change the date and time on their computers. They do this for several reasons; one of the most common is to defeat proper software licensing. Another reason the computer date and time may not be current is because the CMOS battery is dead. When a CMOS battery dies, the computer no longer keeps correct time, causing the computer date and time to be inaccurate. When the settings on the computer are inaccurate, the times and dates associated with relevant files can be established by a computer forensic specialist. Get Time from NTI can be used to document the time and date settings on a computer. A program called Afind is available from Foundstone's website ( http://www.foundstone.com ). Afind lists the last access time on files without tampering with the data. Remember to make a bit stream backup of the computer hard drive before running the computer or checking the time and date. It's important.
Activity timelines can be especially helpful when multiple computers and individuals are involved in the commission of a crime. The computer forensics investigator should always consider timelines of computer usage in all computer-related investigations. The same is true in computer security reviews concerning potential access to sensitive and/or trade secret information stored in the form of computer files. The time and date that files were created can be important in cases involving computer evidence. Forensic software, such as Guidance Software's EnCase, allows you to build a timeline in your casework. See the next graphic for an example.
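As an added example (not from the book or any of the tools it names), the following code applies the clock check described earlier (reference time versus the CMOS clock read at seizure) to file times gathered from more than one computer and orders them into a single timeline. The host names, paths, clock readings and file times are constructed; one host is an hour slow, the other has a dead CMOS battery and reports a 1980 date.

```python
from datetime import datetime, timedelta

# Constructed seizure records: for each host, the reference time taken from an
# official time source and the CMOS/BIOS clock as read at the same moment.
# ws01 is one hour slow (Daylight Saving Time not applied); ws02 has a dead
# CMOS battery and reset to its default date. None of this is from a real case.
SEIZURE_RECORDS = {
    "ws01": {"reference": datetime(2003, 4, 10, 15, 0, 0),
             "system_clock": datetime(2003, 4, 10, 14, 0, 0)},
    "ws02": {"reference": datetime(2003, 4, 10, 15, 5, 0),
             "system_clock": datetime(1980, 1, 4, 0, 10, 0)},
}

# Constructed created/modified/accessed entries as a listing tool would report
# them, each in its own host's uncorrected clock.
EVIDENCE_FILES = [
    {"host": "ws01", "path": r"C:\docs\memo.doc", "event": "created",
     "system_time": datetime(2003, 4, 10, 12, 0, 0)},
    {"host": "ws01", "path": r"C:\docs\memo.doc", "event": "modified",
     "system_time": datetime(2003, 4, 10, 12, 45, 0)},
    {"host": "ws01", "path": r"C:\docs\memo.doc", "event": "accessed",
     "system_time": datetime(2003, 4, 10, 13, 30, 0)},
    {"host": "ws02", "path": r"A:\memo.doc", "event": "created",
     "system_time": datetime(1980, 1, 3, 22, 30, 0)},
]

def clock_offset(record: dict) -> timedelta:
    """Amount to add to a timestamp from this host to obtain the reference time."""
    return record["reference"] - record["system_clock"]

def offset_note(offset: timedelta) -> str:
    """Plain-language description of the skew for the examiner's notes."""
    secs = int(offset.total_seconds())
    if abs(secs) <= 60:
        return "clock within one minute of reference"
    if abs(secs) > 365 * 24 * 3600:
        return "clock off by more than a year (dead CMOS battery or reset?)"
    return f"clock {'slow' if secs > 0 else 'fast'} by {abs(secs) // 60} minutes"

def build_timeline(files, records):
    """Correct each file time by its host's offset and order events by true time."""
    offsets = {host: clock_offset(rec) for host, rec in records.items()}
    events = [dict(f, true_time=f["system_time"] + offsets[f["host"]]) for f in files]
    return sorted(events, key=lambda e: e["true_time"])

if __name__ == "__main__":
    for host, rec in SEIZURE_RECORDS.items():
        print(f"{host}: offset {clock_offset(rec)} -> {offset_note(clock_offset(rec))}")
    for e in build_timeline(EVIDENCE_FILES, SEIZURE_RECORDS):
        print(f"{e['true_time']}  {e['host']}  {e['event']:8}  {e['path']}")
```

Sorting by the raw system times would place the ws02 copy in 1980; after correction it falls between the original's creation and modification on ws01.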
In your forensic software, you can create a case and then enter details such as case description, examiner name, organization, and comments. The next section will discuss these in finer detail. When working in a case file, you have the option of logging all your actions, including exact dates and times and screenshots of dialog windows. The following graphic shows how to set these options in WinHex. WinHex was discussed in Chapter 5, 'Capturing the Data Image' and Chapter 8, 'Common Forensics Tools.'
Documenting the process from entering the scene to gathering the evidence is important. You aren't done yet, though. A couple of additional pieces of documentation might need to be gathered before the report is actually written.
If someone intends to prosecute for damages caused to an organization, all losses the organization suffered as a result of the incident should be documented. Have the organization provide such data as:
Estimated number of hours spent in response and recovery
Cost of damaged equipment
Value of data lost
Amount of credit given to customers because of the inconvenience
Loss of revenue
Value of any trade secret information
The basic rule of evidence is that it must be the best available, which means evidence that is primary or first-hand. Computer forensics involves the use of tools and procedures to guarantee the accuracy of the preservation of evidence. Most computer forensic specialists use multiple software tools, developed by separate and independent developers, to help them accurately preserve evidence.
By using different, independently developed tools to validate results, inaccuracies due to software design flaws or bugs can be avoided. By validating your evidence with software tools and procedures, you help eliminate the possibility that lawyers will challenge the integrity of the results based on the accuracy of the software tool used. By documenting everything, you should be able to refute any claims that you mishandled evidence or that the tools used in your investigation were not acceptable.
Aaron Caffrey, 19, was acquitted after a jury unanimously decided he was not guilty of unauthorized computer access related to an attack on the Port of Houston's web-based systems in September 2001. Caffrey claimed that the evidence against him was planted on his computer by attackers who used an unspecified Trojan to gain control of his PC and launch the assault. A forensic examination of Caffrey's PC found attack tools but no trace of a Trojan infection. The case was dependent on whether the jury accepted the argument that a Trojan could remove itself or accepted expert testimony from the prosecution that no such technology existed.
Now that you are familiar with all the information you should document, it's time to decide how to put all this information into a report format that a judge and jury can easily understand.