Computer Forensics

Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence. It is a relatively new field that emerged in law enforcement in the 1980s, but since then it has become an important investigative practice for both police and corporations. It involves collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format. Because such evidence may ultimately be used in court, strict procedures must be followed for it to be admissible.

Computer forensics uses scientific methods to retrieve and document evidence located on computers and other electronic devices. Using specialized tools and techniques, digital evidence may be retrieved in a variety of ways. Such evidence may reside on hard disks and other devices, even if it has been deleted so it is no longer visible through normal functions of the computer, or hidden in other ways. Forensic software can reveal data that is invisible through normal channels and restore it to a previous state.

Even when an incident is not criminal in nature, forensic procedures are still important to follow. There may be incidents where employees have violated policies. These actions can result in disciplinary actions (up to and including termination of employment). To protect the company from a lawsuit for wrongful termination, discrimination, or other charges by the disciplined employee, any actions taken by the company must be based on sound evidence.

There are a number of standards that must be met to ensure that evidence is not compromised and that information has been obtained correctly. If forensic procedures are not followed, judges may deem evidence inadmissible, defense lawyers may argue its validity, and the case may be damaged significantly. In many cases, the only evidence available is that which exists in a digital format. This could mean that the ability to punish an offender rests on the administrator's ability to collect, examine, preserve, and present evidence.

start sidebar
Notes from the Underground…
Law Enforcement versus Private Citizen

Legal differences exist between how a private citizen and law enforcement gather evidence. There are stricter guidelines and legislation controlling how agents of the government may obtain evidence. Because of this, evidence that is collected prior to involving law enforcement is less vulnerable to being excluded in court.

Constitutional protection against illegal search and seizure applies to government agents (such as police), but may not apply to private citizens. Before a government agent can search and seize computers and other evidence, a search warrant, consent, or statutory authority (along with probable cause) must be obtained. This does not apply to private citizens, unless they are acting as an "agent of the government," that is, working under the direction or advice of law enforcement or other government parties.

Although fewer restrictions apply to private citizens, forensic procedures should still be followed. By failing to follow forensic procedures, the evidence may be lost or unusable. The procedures outlined in this section will help to preserve the evidence and ensure the evidence is considered admissible in court.

end sidebar

What Your Role Is

While law enforcement agencies perform investigations and gather evidence with the understanding that the goal is to find, arrest, prosecute, and convict a suspect, the motivation is not always clear in businesses. A network administrator's job is to ensure the network is backed up and running, while a Webmaster works to get an e-commerce site back in business. With this in mind, why would computer forensics be important to these jobs? The reason is that if a hacker takes down a Web site or network, they may continue to do so until caught. Identifying and dealing with threats is a cornerstone of security, whether those threats are electronic or physical in nature.

Even when police have been called in to investigate a crime, a number of people will be involved. Members of an incident response team will generally be the first people to respond to the incident, and may work with police investigators to provide access to systems and expertise, if needed. Senior staff members should be notified to deal with the effects of the incident, and any inability to conduct normal business. In some cases, the company's Public Information Officer may be involved, if the incident becomes known to the media and is deemed newsworthy.

If police are not called in, and the matter is to be handled internally, then the incident response team will deal with a much broader range of roles. Not only will team members deal with the initial response to the incident, but they will also conduct the investigation and provide evidence to an internal authority. This authority may be senior staff, or in the case of a law enforcement agency, an Internal Affairs department. Even though no police may be involved in the situation, the procedures used in the forensic examination should be the same.

When conducting the investigation, a person must be designated as being in charge of the scene. This person should be knowledgeable in forensics, and directly involved in the investigation. In other words, just because the owner of the company is available, that person should not be in charge if they are computer illiterate and/or unfamiliar with procedures. The person in charge should have authority to make final decisions on how the scene is secured, and how evidence is searched, handled, and processed.

There are three major roles that people may perform when conducting an investigation. These roles are:

  • First responder

  • Investigator

  • Crime scene technician

As shown in Figure 5.3, each of these roles has specific duties associated with them that are vital to a successful investigation. In certain situations, such as those involving an internal investigation within a company, a person may perform more than one of these roles.

Figure 5.3: Primary Roles in an Investigation Involving Computer Forensics

The first responder is the first person to arrive at a crime scene. This does not mean the janitor who notices a server is making funny noises and calls someone else to begin the investigation. While someone like this is still important, as they become the complainant if they notify appropriate parties, a first responder is someone who has the knowledge and skill to deal with the incident. The first responder may be an officer, security personnel, a member of the IT staff or incident response team, or any number of other individuals. The first responder is responsible for identifying the scope of the crime scene, securing it, and preserving volatile evidence.

Securing a scene is important to both criminal investigations and internal incidents, which use computer forensics to obtain evidence. The procedures for investigating internal policy violations and criminal law violations are basically the same, except that internal investigations may not require the involvement of law enforcement. However, for the remainder of this discussion, the incident will be addressed as a crime that has been committed.

Identifying the scope of a crime scene refers to establishing its scale. What is affected and where could evidence exist? When arriving on the scene, it is the first responder's role to identify what systems have been affected, as these will be used to collect evidence. If these systems were located in one room, then the scope of the crime scene would be the room itself. If it were a single server in a closet, then the closet would be the crime scene. If a system of networked computers were involved, then the crime scene could extend to several buildings.

Once the crime scene has been identified, the first responder must then establish a perimeter and protect it. Protecting the crime scene requires cordoning off the area where evidence resides. Until it is established what equipment may be excluded, everything in an area should be considered a possible source of evidence. This includes functioning and nonfunctioning workstations, laptops, servers, handheld Personal Digital Assistants (PDAs), manuals, and anything else in the area of the crime. Until the scene has been processed, no one should be allowed to enter the area, and people who were in the area at the time of the crime should be documented.

The first responder should not touch anything that is within the crime scene. Depending on how the crime was committed, traditional forensics may also be used to determine the identity of the person behind the crime. In the course of the investigation, police may collect DNA, fingerprints, hair, fibers, or other physical evidence. In terms of digital evidence, it is important for the first responder not to touch anything or attempt to do anything on the computer(s), as it may alter, damage, or destroy data or other identifying factors.

Preserving volatile evidence is another important duty of the first responder. If a source of evidence is on the monitor screen, they should take steps to preserve and document it so it is not lost. For example, a computer that may contain evidence may be left on and have programs opened on the screen. If a power outage occurred, the computer would shut down and any unsaved information that was in memory would be lost. Photographing the screen or documenting what appeared on it would provide a record of what was displayed, and could be used later as evidence.

When investigators arrive on the scene, it is important that the first responder provide as much information to them as possible. If the first responder touched anything, it is important that the investigator be notified so that it can be added to a report. Any observations should be mentioned, as this may provide insight into resolving the incident.

The investigator may be a member of law enforcement or the incident response team. If a member of the incident response team arrives first and collects some evidence, and the police arrive or are called later, then it is important that the person in charge of the team give all of the evidence and information dealing with the incident to the law enforcement officer. If more than one member of the team was involved in the collection of evidence, then documentation will need to be provided to the investigator dealing with what each person saw and did.

A chain of command should be established when the person investigating the incident arrives at the scene. The investigator should make it clear that they are in charge, so that important decisions are made or presented to them. Documentation should also be created to show who handled or possessed evidence during the course of the investigation, and provide details about how evidence is transferred to someone else's possession. Once the investigation begins, anyone handling the evidence is required to sign it in and out so that there is a clear understanding of who possessed the evidence at any given time.

Even if the first responder has conducted an initial search for evidence, the investigator will need to establish what constitutes evidence and where it resides. If additional evidence is discovered, the perimeter securing the crime scene may be changed. The investigator will either have crime scene technicians begin to process the scene once its boundaries are established, or the investigator will perform the duties of a technician. The investigator or a designated person in charge remains at the scene until all evidence has been properly collected and transported.

Crime scene technicians are individuals who have been trained in computer forensics, and have the knowledge, skills, and tools necessary to process a crime scene. The technician is responsible for preserving evidence, and will make great efforts to do so. The technician may acquire data from a system's memory, make images of hard disks before shutting them down, and ensure that systems are properly shut down before transport. Before transporting, all physical evidence will be sealed in a bag and/or tagged to identify it as a particular piece of evidence. The information identifying the evidence is added to a log so that a proper inventory of each piece exists. Evidence is further packaged to reduce the risk of damage, such as from electrostatic discharge or jostling during transport. Once transported, the evidence is then stored under lock and key to prevent tampering until such time that it can be properly examined and analyzed.

As seen, the roles involved in an investigation have varying responsibilities, and the people in each role require special knowledge to perform it properly.

Chain of Custody

Because of the importance of evidence, it is essential that its continuity is maintained and documented. A chain of custody must be established to show how evidence went from the crime scene to the courtroom. It proves where a piece of evidence was at any given time, and who was responsible for it. By documenting this, the security administrator can establish that the integrity of the evidence was not compromised.

If the chain of custody is broken, it could be argued that the evidence fell into the wrong hands and may have been tampered with, or that other evidence was substituted. This brings the value of evidence into question, and could make it inadmissible in court. To prevent this from happening, policies and procedures dealing with the management of evidence must be adhered to.

Evidence management begins at the crime scene, where it is bagged and/or tagged. When the crime scene is being processed, each piece of evidence should be sealed inside of an evidence bag. An evidence bag is a sturdy bag that has two-sided tape that allows it to be sealed shut. Once sealed, the only way to open it is to damage the bag, such as by ripping or cutting it open. The bag should then be marked or a tag should be affixed to it, showing the person who initially took it into custody. The tag would provide such information as a number to identify the evidence, a case number (which shows what case the evidence is associated with), the date and time, and the name or badge number of the person taking it into custody. A tag may also be affixed to the object, providing the same or similar information as is detailed on the bag. However, this should only be done if it will not compromise the evidence in any manner.

Information on the tag is also written in an evidence log, which is a document that inventories all evidence collected in a case. In addition to the data available on the tag, the evidence log includes a description of each piece of evidence, serial numbers, identifying marks or numbers, and other information that is required by policy or local law.

The evidence log also provides a log that details the chain of custody. This document is used to describe who had possession of the evidence after it was initially tagged, transported and locked in storage. To obtain possession of the evidence, a person needs to sign in and sign out evidence. Information is added to a chain of custody log to show who had possession of the evidence, when, and for how long. The chain of custody log specifies the person's name, department, date, time, and other pertinent information.

In many cases, the investigator will follow the evidence from crime scene to court, documenting who else had possession along the way. Each time possession is transferred to another person, it is written in the log. For example, the log would show the investigator had initial custody, while the next line in the log shows a computer forensic examiner took possession on a particular date and time. Once the examination is complete, the next line in the log would show the investigator again took custody. Even though custody is transferred back to the investigator, this is indicated in the log so there is no confusion over who was responsible on any date or time.
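The sign-in/sign-out log described above can be kept so that a later edit to it is detectable, not just discouraged. The following is an added example (not code from the study guide or from any evidence-management product): each entry records one receipt or release of an evidence item and carries the hash of the entry before it, so rewriting or removing a line breaks every hash that follows, and the log refuses entries that would leave a gap in possession. The case number, evidence number, names, and times are constructed for the demonstration.

```python
"""Tamper-evident chain-of-custody log.

Added example, not from the study guide.  Each entry records a sign-in
("receive") or sign-out ("release") of one evidence item and carries the hash
of the entry before it, so editing or removing a line breaks every hash that
follows.  The case number, evidence numbers, names and times are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" recorded by the first entry


class CustodyError(Exception):
    """Raised when an entry would break continuity of possession."""


class CustodyLog:
    def __init__(self, case_number):
        self.case_number = case_number
        self.entries = []  # append-only: never edit or delete an entry

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def custodian(self, evidence_number):
        """Who holds the item right now (None means nobody has signed for it)."""
        holder = None
        for e in self.entries:
            if e["evidence"] == evidence_number:
                holder = e["person"] if e["action"] == "receive" else None
        return holder

    def record(self, evidence_number, action, person, when, note=""):
        """Append one sign-in or sign-out, refusing entries that break continuity."""
        if action not in ("receive", "release"):
            raise ValueError("action must be 'receive' or 'release'")
        holder = self.custodian(evidence_number)
        if action == "receive" and holder is not None:
            raise CustodyError(f"{evidence_number} is still signed out to {holder}")
        if action == "release" and holder != person:
            raise CustodyError(f"{person} does not hold {evidence_number} (held by {holder})")
        if self.entries and when < datetime.fromisoformat(self.entries[-1]["time"]):
            raise CustodyError("entries must be recorded in chronological order")
        entry = {
            "case": self.case_number,
            "evidence": evidence_number,
            "action": action,
            "person": person,
            "time": when.isoformat(),
            "note": note,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)

    def verify(self):
        """Re-check the whole log; returns a list of problems (empty = intact)."""
        problems, prev, holders = [], GENESIS, {}
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._hash(e) != e["hash"]:
                problems.append(f"entry {i}: hash chain broken (edited or missing entries)")
            prev = e["hash"]
            holder = holders.get(e["evidence"])
            if e["action"] == "receive" and holder is not None:
                problems.append(f"entry {i}: {e['person']} received {e['evidence']} while {holder} held it")
            if e["action"] == "release" and holder != e["person"]:
                problems.append(f"entry {i}: {e['person']} released {e['evidence']} held by {holder}")
            holders[e["evidence"]] = e["person"] if e["action"] == "receive" else None
        return problems


def demo():
    """Walk E-001 from seizure to examination and back, then show an edit being caught."""
    def at(hour, minute=0):  # constructed timestamps
        return datetime(2003, 4, 17, hour, minute, tzinfo=timezone.utc)

    log = CustodyLog("2003-0417")
    log.record("E-001", "receive", "Det. Rivera #4412", at(9, 5), "seized from server closet; bag sealed")
    log.record("E-001", "release", "Det. Rivera #4412", at(11))
    log.record("E-001", "receive", "Evidence locker B", at(11))
    log.record("E-001", "release", "Evidence locker B", at(14))
    log.record("E-001", "receive", "Examiner K. Osei", at(14), "imaging and examination")
    log.record("E-001", "release", "Examiner K. Osei", at(18))
    log.record("E-001", "receive", "Det. Rivera #4412", at(18))
    clean = log.verify()
    try:  # nobody released the item, so a new sign-in must be refused
        log.record("E-001", "receive", "Intern", at(19))
        refused = False
    except CustodyError:
        refused = True
    log.entries[4]["person"] = "Unknown"  # a later attempt to rewrite who held it at 14:00
    return clean, log.verify(), refused


if __name__ == "__main__":
    print(demo())
```

The returned custodian at any point is simply the last person who signed an item in without a matching sign-out, which is exactly the question a defense lawyer asks of the log; the hash chain adds the ability to prove the entries were not rewritten after the fact.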

Preservation of Evidence

If data and equipment are to be used as evidence, the administrator will need to ensure their integrity has not been compromised. Preservation of data involves practices that protect data and equipment from harm, so that original evidence is preserved in a state as close as possible to when it was initially acquired. If data is lost, altered, or damaged, it may not be admissible in court. This means inadmissible evidence might as well have never existed at all. Worse yet, the credibility of how evidence was collected and examined may be called into question, making other pieces of evidence inadmissible as well.

Volatile evidence is any data or other evidence that may be lost once power is lost. While volatile data from computers was discussed earlier in this chapter, volatile evidence may exist in other equipment. If pagers, cell phones, or other equipment that contains possible evidence and that runs on battery is involved, the administrator must ensure it is also preserved for immediate examination. Phone numbers, pages received by the person, and other evidence could be lost once the battery power runs out. It is important to document anything that is visible through the display of a device, and photograph it, if possible.

If a system has power, it is advisable to make an image of the computer's hard disk before powering it down. Criminals sometimes "booby trap" their systems with malicious programs that reside on the hard disk and damage or erase data when the system is shut down or started up again later. A crime scene technician can create an image using special software that makes an exact bit stream duplicate of the disk's contents, including deleted data that has not been overwritten (in some cases, even partially overwritten data can be recovered). If the system does not have power when the technician arrives on the scene, it should not be started up. A duplicate of the hard disk's contents can instead be created by booting the system from a forensic boot floppy or other trusted media that does not write to the suspect disk, preventing any malicious programs on it from running and damaging data.

Disk imaging software creates an exact duplicate of a disk's contents, and can be used to make copies of hard disks, CDs, floppies, and other media. Disk imaging creates a bit stream copy, where each physical sector of the original disk is duplicated. To make it easier to store and analyze, the image is compressed into an image file, which is also called an evidence file.

Once an image of the disk has been made, the technician should confirm that it is an exact duplicate. Many imaging programs have the built-in ability to perform integrity checks, while others require the administrator to perform checks using separate programs. Such software may use a cyclic redundancy check (CRC), a checksum, or a hashing algorithm to verify the accuracy of the image. A CRC or simple checksum only detects accidental corruption and can be matched deliberately, so a cryptographic hash (SHA-256 today; MD5 and SHA-1 were common when this was written but are no longer collision resistant) of both the original and the image should be computed, compared, and recorded in the evidence log, so that any later examination can be shown to have worked on an unaltered copy.

When ready to perform an examination, copies of data should be made on media that is forensically sterile. This means that the disk has no other data on it, and has no viruses or defects. This will prevent mistakes involving data from one case mixing with other data, as can happen with cross-linked files or when copies of files are mixed with others on a disk. When providing copies of data to investigators, defense lawyers, or the prosecution, the media used to distribute copies of evidence should also be forensically sterile.

While the situations in each case involving computer equipment will be different, there are a number of common steps to follow to protect the integrity and prevent loss of evidence. These procedures assume the computer is still running when it is found. If it is already powered off, do not start it; skip steps 1, 2, and 5, and image the disk from a forensic boot disk rather than from the system's own operating system.

  1. Photograph the monitor screen(s) to capture the data displayed there at the time of seizure. Be aware that more than one monitor can be connected to a single computer; modern operating systems such as Windows 2000/XP support spreading the display across as many as 10 monitors. Monitors attached to the computer but turned off could still be displaying parts of the desktop and open applications.

  2. Take steps to preserve volatile data.

  3. Make an image of the disk(s) to work with so that the integrity of the original can be preserved. This step should be taken before the system is shut down, in case the owner has installed a self-destruct program to activate on shutdown or startup.

  4. Check the integrity of the image to confirm that it is an exact duplicate. Compute a cryptographic hash of the original and of the image and compare them; a CRC or checksum detects accidental corruption but is not proof against deliberate alteration. Record the hash value in the evidence log.

  5. Shut down the system safely according to the procedures for the operating system that is running.

  6. Photograph the system setup before moving anything, including the back and front of the computer showing the cables and wires attached.

  7. Unplug the system and all peripherals, marking/tagging each piece as it is collected.

  8. Use an antistatic wrist strap or other grounding method before handling equipment, especially circuit cards, disks, and other similar items.

  9. Place circuit cards, disks, and the like in antistatic bags for transport. Keep all equipment away from heat sources and magnetic fields.
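Steps 3 and 4, and the imaging and integrity discussion earlier in this section, come down to one routine: copy every byte, hash what was copied, and keep the hash so the image can be re-verified later. The following is an added example, not code from the study guide or from SafeBack, EnCase, or ProDiscover. A regular file stands in for the block device a real acquisition would read through a write blocker; the file names and sample contents are constructed. It also shows why a CRC is only a corruption check: two different byte strings with the same CRC-32 are trivial to build, while their SHA-256 digests differ.

```python
"""Bit-stream imaging with integrity verification (steps 3 and 4 above).

This is an added example, not code from the study guide or from SafeBack,
EnCase or ProDiscover.  A regular file stands in for the block device
(/dev/sdb or similar) a real acquisition would read through a write blocker;
the file names and sample contents are constructed for the demonstration.
"""
import hashlib
import os
import struct
import tempfile
import zlib

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte device never sits in memory


def is_forensically_sterile(path):
    """True if every byte of the target media reads back as zero."""
    with open(path, "rb") as fh:
        return all(block == bytes(len(block)) for block in iter(lambda: fh.read(CHUNK), b""))


def image_with_hash(source, image, algorithm="sha256"):
    """Copy `source` to `image` byte for byte and return the hash of the bytes copied.

    The digest is computed from exactly the data written, so the returned value
    is the reference hash of the original at acquisition time.  It is also
    written to a sidecar file in the format `sha256sum -c` reads.
    """
    digest = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    hexdigest = digest.hexdigest()
    with open(f"{image}.{algorithm}", "w") as sidecar:
        sidecar.write(f"{hexdigest}  {os.path.basename(image)}\n")
    return hexdigest


def file_hash(path, algorithm="sha256"):
    """Hash an existing file in chunks (used to re-verify an image later on)."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(image, expected_hexdigest, algorithm="sha256"):
    """True if the image still hashes to the value recorded at acquisition."""
    return file_hash(image, algorithm) == expected_hexdigest.lower()


def crc32_can_be_matched():
    """Why a CRC proves nothing against deliberate alteration.

    CRC-32 is linear: a message followed by its own CRC-32 (little-endian)
    always has the same CRC-32, whatever the message.  Two different byte
    strings with equal CRCs are therefore trivial to build, while their
    SHA-256 digests differ.  Returns (crc_equal, sha256_equal).
    """
    def with_own_crc(data):
        return data + struct.pack("<I", zlib.crc32(data))

    # Constructed log lines: an attacker swaps the user name and keeps the CRC.
    original = with_own_crc(b"2003-04-17 09:12 alice deleted /srv/payroll.xls\n")
    altered = with_own_crc(b"2003-04-17 09:12 bob   deleted /srv/payroll.xls\n")
    crc_equal = zlib.crc32(original) == zlib.crc32(altered)
    sha_equal = hashlib.sha256(original).digest() == hashlib.sha256(altered).digest()
    return crc_equal, sha_equal


def demo():
    """Acquire a constructed 'device', verify the image, then detect a one-byte change."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.bin")
    image = os.path.join(workdir, "evidence_E-001.img")
    with open(source, "wb") as fh:            # constructed sample 'sectors'
        fh.write(os.urandom(3 * CHUNK + 12345))
    with open(image, "wb") as fh:             # target media wiped with zeros first
        fh.write(bytes(4 * CHUNK))
    sterile_before = is_forensically_sterile(image)
    acquired = image_with_hash(source, image)
    intact = verify_image(image, acquired) and file_hash(source) == acquired
    with open(image, "r+b") as fh:            # flip one bit deep inside the image
        fh.seek(777)
        byte = fh.read(1)[0]
        fh.seek(777)
        fh.write(bytes([byte ^ 0x01]))
    return sterile_before, intact, not verify_image(image, acquired)


if __name__ == "__main__":
    print("sterile, intact, tamper detected:", demo())
    print("CRC-32 equal, SHA-256 equal:", crc32_can_be_matched())
```

The hash is taken from the bytes as they are read from the original, and then again from the finished image; both values, and the sidecar file, belong in the evidence log next to the evidence number, because an examiner who cannot reproduce them later has nothing to show that the copy examined was the copy acquired.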

Exam Warning 

Remember that copies of data made for examination should be created on forensically sterile media. If other data resides on the disk or CD storing the image file (or copy of original data), it can be argued that the evidence was compromised by this other data. When rewritable CDs (CD-RW) are used, it could be argued that the evidence was actually preexisting data left on the disc, or that such leftover data corrupted the evidence in some manner.

Collection of Evidence

Collection is a practice consisting of the identification, processing, and documentation of evidence. When collecting evidence, technicians should start by identifying what evidence is present and where it is located. For example, if someone broke into the server room and changed permissions on the server, then the room and server would be where to find evidence. When establishing this, they would secure the scene, preventing others from entering the area and accessing the evidence. If the area was not secured, then suspects could enter the area and alter or contaminate evidence. For example, if fingerprints were being taken to determine who broke into the server room, then merely touching the door and other items would distort any findings. Maybe the perpetrator left the fingerprints while in the process of breaking in, or maybe they were left by someone else when the crime scene was insecure.

Once the evidence present is identified, the technician would then be able to identify how the evidence can be recovered. Evidence on computers may be obtained in a variety of ways, from viewing log files to recovering the data with special software like the following:

  • SafeBack   SafeBack has been marketed to law enforcement agencies since 1990 and has been used by the FBI and the Criminal Investigation Division of the IRS to create image files for forensics examination and evidentiary purposes. It is capable of duplicating individual partitions or entire disks of virtually any size, and the image files can be transferred to SCSI tape units or almost any other magnetic storage media. The product contains CRC functions to check integrity of the copies and date and timestamps to maintain an audit trail of the software's operations. The vendor provides a three-day computer forensics course to train forensics specialists in the use of the software. (In fact, the company does not provide technical support to individuals who have not undergone this training.) SafeBack is DOS-based and can be used to copy DOS, Windows, and UNIX disks (including Windows NT/2000 RAID drives) on Intel-compatible systems. Images can be saved as multiple files for storage on CDs or other small-capacity media. To avoid legal concerns about possible alteration, no compression or translation is used in creating the image.

  • EnCase   Unlike SafeBack, which is a character-based program, EnCase has a friendly graphical interface that makes it easier for many forensics technicians to use. It provides for previewing evidence, copying targeted drives (creating a bit stream image), and searching and analyzing data. Documents, zipped files, and e-mail attachments can be automatically searched and analyzed, and registry and graphics viewers are included. The software supports multiple platforms and file systems, including Windows NT with stripe sets and Palm OS devices. The software calls the bit stream drive image an evidence file and mounts it as a virtual drive (a read-only file) that can be searched and examined using the graphical user interface (GUI) tools. Timestamps and other data remain unchanged during the examination. The "preview" mode allows the investigator to use a null modem cable or Ethernet connection to view data on the subject machine without changing anything; the vendor says it is impossible to make any alterations to the evidence during this process.

  • ProDiscover   This Windows-based application, designed by the Technology Pathways forensics team, creates bit stream copies saved as compressed image files on the forensics workstation. Its features include the ability to recover deleted files from slack space, analyze the Windows NT/2000 alternate data streams for hidden data, and analyze images created with the UNIX dd utility and generate reports. The vendor hosts an e-mail discussion list for exchange of tips and techniques and peer support for users of computer forensics products (www.techpathways.com).

If data recovery is needed, you will need to identify the operating system being used, and/or the media used to store the evidence. Once you've determined this, it is then possible to decide on the methodology and tools needed to recover the data.

In addition to photographing the screen of a computer, to record any volatile data, photographs should also be made of how the equipment is set up. When the technician has transported the equipment and is ready to begin examining it, they will need to set it up exactly as it was at the crime scene. After the case is completed, setup may also be required if the equipment is returned to the owner. To ensure the equipment is set up properly, the front and back of the machine should be photographed upon seizing it. Photographs or diagrams should be made showing how cables and wires were attached.

Backup media should also be collected, as analyzing any backup tapes may show that an incident began earlier than expected. In some cases, the technician may find that data backed up days or even weeks earlier shows that an intruder entered a system or a virus infected data on hard disks. If this went undetected, it is possible that a virus could unknowingly be restored to the system as part of the recovery process, repeating the initial incident.

start sidebar
Head of the Class…
Forensic Procedures

Forensics is a science in which the evidence is what may identify or convict a culprit. Because of the weight this evidence may carry in a trial or internal investigation, it must be ensured that the evidence has not been compromised in any way. If evidence is compromised, it can mean that someone who almost certainly committed a crime cannot be convicted, and an employee who threatened security will go unpunished.

A standard requirement in forensics is practicing due care. It is important to be extremely careful as to how evidence is handled, and that every action is documented and accountable. At no time should there be any confusion as to who had possession of evidence, or what was done to it during that time. Taking precautions to protect the data ensures that it is not compromised in any way.

end sidebar

Exercise 5.06: Acquiring Evidence Using EnCase

start example

In this exercise, we will use EnCase to acquire evidence from a floppy disk. If you do not have a copy of EnCase, you will not be able to perform this task. However, you can download a demo copy of EnCase to work with an included evidence file by visiting www.guidancesoftware.com/corporate/inforequest/request_demo.shtm.

When preparing to acquire evidence from a floppy disk, ensure that you have write-protected the disk so it cannot be written to. To write-protect the disk, slide the tab on the floppy so that the write-protect hole is uncovered.

  1. Insert the floppy disk into the drive of the computer that has EnCase installed.

  2. Start EnCase.

  3. From the File menu, click on Acquire Evidence.

  4. When the wizard appears, you will see a screen similar to that shown in Figure 5.4. Select the Local Devices option under the Source group, and ensure that only the Floppy Drives (A&B) checkbox is checked under the Include group. Click Next to continue. This screen is used to control where evidence is acquired from.

    Figure 5.4: The EnCase "Create an Evidence File" Screen

  5. After EnCase reads the floppy drive, a screen will appear asking you to select the drive to acquire evidence from. Since you selected only the floppy drives, generally only one drive will appear here. If two appear, select the A drive. Click Next to continue.

  6. The next screen requests that you enter data regarding the evidence being acquired. As shown in Figure 5.5, this includes the Case Number, Examiner (which would be your name), Evidence Number, and a place for notes. Fill out the fields with applicable information, and then click Next.

    Figure 5.5: EnCase "Identification" Screen

  7. The next screen allows you to select how the evidence file will be created, including compression, passwords to open the evidence file, and other factors. Accept the default settings, and then click Finish. Upon doing so, EnCase will begin acquiring the data that will be contained within a file it creates.

end example



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135