Acquiring Evidence


The most commonly accepted principles for seizing computer systems are defined in the U.S. Justice Department's guidelines for search and seizure of electronic evidence. The most recent version of these guidelines, however, seems to concentrate almost entirely on obtaining and executing search warrants and much less on the physical seizure of equipment and data. The complete document, called Searching and Seizing Computers and Obtaining Electronic Evidence, is available on the department's web site at www.usdoj.gov/criminal/cybercrime/searchmanual.htm. Earlier versions might still be archived on the Web and provide extensive technical details about searches.

The basic rules are to (1) document everything that the investigator does and (2) take all appropriate steps to ensure that the evidence itself is not compromised in any way (or in the least way possible) during the acquisition. In most situations, the evidence is copied and then the actual evidence disk itself is secured. All analysis is performed on the copy. There are situations in which the evidence might be modified or the examination must be performed on the actual media. These situations are covered in more detail in the next chapter.

Acquiring the data generally consists of securing the system, conducting an examination of the system and its surroundings, copying the media, and securing the evidence. In most configurations, the following steps will preserve the evidence and provide the investigator with any data he might require later (see Figure 8.1 and following list):

Figure 8.1. Steps taken to secure the system.

  1. Secure the physical area. Take photographs of the system, including monitor and the back of the case, showing all the cable connections. Take photographs of any papers, disks, or peripherals in the immediate area. Inventory and collect any papers or disks that might be involved or might contain evidence.

  2. Shut down the system. Unplug the machine from its power supply. Do not touch the keyboard, use the power button on the machine, or otherwise tell the system to do a graceful shutdown. Shutting down the operating system might trigger logic bombs designed to destroy evidence. It will definitely modify or destroy data in virtual memory.

  3. Secure the system. If the computer is to be seized intact, it should be sealed before it is moved to the examination area. Insert a blank, write-protected floppy disk or a floppy-size piece of cardboard into the floppy drives. Label all cables and connectors prior to disconnecting any. Place evidence tape across the floppy drive, the power button, and all cable connectors.

  4. Prepare the system. If the computer is not seized, or when the system is examined later in the laboratory, open the case. Take photographs of the inside of the computer prior to disconnecting any cables. Disconnect the power leads from all hard drives. Start the system and go to the setup menu.

  5. Examine the system. Check the Setup menu for the current system date and time. Record the date and time, comparing it against a known standard. This is important later in correlating file timestamps to other evidence.

Entering the Setup Menu

The command to enter the setup menu varies depending on the particular hardware and BIOS. For example, IBM laptops enter setup by depressing the F1 key and holding it down while the system is powered up. Other systems use the Delete key, the F2 key, or some combination of keys such as Ctrl+Alt+Insert. If the investigator is not familiar with the system, the manufacturer's documentation (probably available on the manufacturer's web site) should be consulted prior to the examination. Because a boot from the hard disk will irretrievably modify the data, it is extremely important that the hard disk power leads be disconnected prior to this first boot.

  1. Prepare the system for acquisition. Change the boot sequence in the BIOS to boot from the floppy drive. If possible, the system should boot from the floppy only. If this is not offered as an option, the sequence should be floppy and then hard drive.

  2. Connect the target media. Place a forensically clean drive into the system to use as a target disk. If possible, this disk should be set as Disk 1, with the original drive as Disk 2. This will also help prevent the system from booting to the original disk. Place a forensics boot disk containing the acquisition software in the floppy drive. Boot the system and make sure it does boot to the floppy and that it recognizes the target disk. Power the system down and reconnect the original drive power leads.

  3. Copy the media. Boot the system again, using the forensics floppy. Use the software on this floppy to copy the original drive to the target. If time permits, it is always a good idea to make a second copy at this time as well.

  4. Secure the evidence. Remove all drives from the system, place them into anti-static bags (never use plastic zip-lock bags), and seal them with evidence tape. Date and sign the evidence tape and secure the drives in a locked container.
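The copy and documentation steps above (copy the original drive to a clean target, keep a record of what was done, optionally make a second copy) can be carried out with a small acquisition script. The following is an added example, not code from the book or its authors: it images a source drive to a file on the target media with dd, verifies the copy by comparing SHA-256 hashes of source and image, and appends a dated entry to an acquisition log. It assumes GNU coreutils (dd, sha256sum, date); the device and mount paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the book): image a drive, verify the copy, log the result.
# Usage (placeholder paths):
#   acquire_image /dev/sdb /mnt/target/evidence.dd /mnt/target/acquisition.log

acquire_image() {
    src="$1"; img="$2"; log="$3"
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # UTC so it correlates with other evidence

    # bs=512 matches the sector size, so conv=noerror,sync only zero-fills sectors
    # that cannot be read rather than padding the end of the image. dd's own
    # record counts are appended to the log as part of the documentation.
    if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"; then
        printf '%s ERROR dd failed src=%s image=%s\n' "$started" "$src" "$img" >>"$log"
        return 2
    fi

    # Hash the original and the image independently; they must agree unless
    # unreadable sectors were zero-filled, which the dd output above would show.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    if [ "$src_hash" = "$img_hash" ]; then
        status=VERIFIED; rc=0
    else
        status=MISMATCH; rc=1
    fi
    printf '%s %s %s src=%s image=%s sha256_src=%s sha256_img=%s\n' \
        "$started" "$finished" "$status" "$src" "$img" "$src_hash" "$img_hash" >>"$log"
    return "$rc"
}

# Re-hash an image later (for example before analysis) and compare it with the
# hash recorded in the log at acquisition time. Returns 0 only if they match.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F "image=$img " "$log" | tail -n 1 | sed 's/.*sha256_img=//')
    [ -n "$recorded" ] || return 2
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}
```

For the second copy the text recommends, run acquire_image again with a different image path; both entries then sit in the same log with their hashes.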



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
