Once you've gone through the process of securing a crime scene and interviewing witnesses, you must collect, preserve, and transport the evidence. Each piece of evidence must then be assessed, with digital evidence acquired from hard disks and other media, before being examined. Throughout this process, documentation is essential, as any actions that are taken should be included in a statement and/or final report. As we'll see in the sections that follow, this can be a lengthy process with procedures that must be followed to prevent any evidence from becoming inadmissible, or important pieces of evidence being overlooked altogether.
The Investigation Process
The process of conducting a computer forensic investigation can be a hectic experience, especially in a business environment where it is essential that systems are online to maintain the business. For example, if the company used an e-commerce site to make sales, taking the system down to perform an examination could cost thousands upon thousands of dollars. During such instances, you want to ensure that you follow forensic procedures, but not waste time wondering which steps should be performed next.
Although we've primarily discussed the investigation process from law enforcement's side in this chapter, the subsections that follow will provide information related to the roles of the incident response team and IT staff in the investigation. To perform an investigation properly, it is important that sets of procedures are followed that detail the steps to be taken. Following these guidelines will help you to meet the goals of an incident investigation, and provide information that can be used to handle the incident so that it doesn't escalate into a more significant problem. In the investigation process, you need to follow these six steps:
Preparation
As with anything dealing with security, it is important that threats are dealt with proactively, with safeguards and other measures in place before problems occur. If the necessary policies, procedures, and tools aren't available when responding to an incident, an incident response team can waste valuable time trying to get organized. Preparation is the key to handling and investigating incidents.
As we've stressed throughout this chapter, it is important that people are properly trained in how to identify and report problems, and that they have a thorough understanding of the tasks they're expected to perform. In addition, the company's incident response policy should include or reference a communication plan that provides contact information on who will need to be called when problems are first reported. This includes members of the incident response team, other IT staff members, third-party vendors and support personnel, senior management, department managers, public relations personnel, and anyone else who may need to be consulted about the incident. The contact list should include the names of anyone who may need to be called during an incident, and his or her phone number, pager number, address, and any other relevant information.
In an emergency, it is important that people aren't scrambling to find contact information, so such information should be left with a centralized source. Some options might be the company switchboard, dispatch, Help Desk, or other departments of the company. If an incident needed to be reported, employees could notify the switchboard operator or dispatcher, who in turn could contact incident response team members.
Passwords are another piece of information that should be available in emergencies. Members of the IT staff or the incident response team may have varying levels of access, and may be unable to get into certain areas of the network or certain systems. For example, they may not have passwords for administrative functions in certain systems, or workstations and servers may be locked down and can't be accessed without an administrator password. To allow them entry in extreme situations, copies of passwords should be written down, sealed in an envelope, and stored in a locked container (such as a safe). Any encryption keys needed to access critical data should also be stored with these passwords. In an emergency, if the person who knows the passwords is unavailable, a member of the team can access the passwords and keys. Each time the envelope is opened, that fact should be logged, and the passwords it held should be changed once the emergency is over, since they can no longer be considered secret.
A company will need to do business after an incident has occurred, but in some incidents data may be altered, corrupted, or deleted. When this happens, the data may be irrevocably lost, unless backups have been regularly performed beforehand. By performing regular backups, you can restore the data on a server or workstation as needed. This is especially important if a particular machine is seized as evidence or data prior to the investigation date needs to be reviewed. To make it easier for members of the team to restore the data, recovery procedures should be documented thoroughly, allowing members to follow clear steps to restore systems to their previous state.
To aid in the detection process of an incident investigation (which we'll discuss next), preparation also requires that logging is activated on systems. Logging information to a file is a feature that's commonly provided for operating systems, and for certain software and equipment. Logs can provide a great deal of information, revealing indicators that may show whether an incident has occurred. The more information that's provided in these logs, the more evidence you'll have for discovering incidents and dealing with them accordingly. Two points matter for logs that may later become evidence: the clocks on the systems producing them should be synchronized, so that events on different machines can be placed in order, and copies of the logs should be sent to a separate, protected system, so that an intruder who gains control of a machine cannot simply delete or alter the record of what he or she did.
Baselines should also be created by recording data on how the system behaves normally. The metrics recorded in a baseline would include measurements of network traffic, memory usage, and other information that provides a clear understanding of how systems normally run. The incident response team can compare the baseline to measurements taken when a problem is suspected, and thereby detect whether an incident has occurred.
Detection
Determining whether an incident has actually occurred is the next step of the incident investigation process. After all, just because someone reported that something doesn't seem right doesn't mean that the company's at risk or that a crime has occurred. A user could report that files have been deleted, and although it could be indicative of hacking, it could just mean the user is too embarrassed to admit he or she deleted them by accident. The detection phase of incident investigation examines such reports, and determines what further actions (if any) are required.
Detection requires looking at the safeguards and auditing controls that have previously been set up, and determining whether anomalies exist. For example, logs may provide a great deal of information that can confirm or rule out any suspicion of unwanted activity. Members of the IT staff or information security personnel should check logs on a regular basis, and determine whether indications of problems have been recorded. System logs may show errors related to security violations, impending hardware failure, or other potential problems. Firewall logs should also be analyzed to identify indications of attempted hacking from the Internet, policy breaches, or other damaging events. By checking logs regularly, an incident may be caught early, preventing more significant problems from occurring.
Software specifically designed to deal with certain incidents, or elements of an incident, can be used in the detection process. AV software packages can be used to detect viruses, and can be configured to automatically deal with them upon detection. Intrusion detection systems can also be used to identify whether system security has been violated, systems have been misused, or accounts have been used or modified. Implementation of such software not only aids in protecting the network, but also allows you to detect incidents early.
In addition to the logs created by systems on the network, the IT staff should also keep a manual logbook. This will provide a record of dates, times, observations, system names, error messages, actions taken, and other details that may be considered valuable. The name of the person who reported the incident and the names of people who had access to systems should also be recorded. Creating a log should be done as early as possible. Information recorded in the log may be vital to solving problems, and may be needed for reference purposes if you're later required to testify in court.
Another reason for maintaining a logbook is that it can reveal patterns. Hackers may make several attempts to hack into a network, and being able to reference information on these previous occurrences can be valuable in identifying vulnerabilities, finding who is making these attempts, and may be used in the prosecution of that person. It can also be useful in identifying training issues, such as when multiple mistakes by the same person result in damaged data, invalid data entry, or erroneous reporting of incidents. Without a log of previous incident investigations, such patterns may be unidentifiable.
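The log review described above, as an added example that is not part of the original chapter: a Python script that parses a handful of constructed firewall and sshd log lines (a syslog-like layout using RFC 5737 documentation addresses; not taken from any real system) and reports three indicators a reviewer would want in the logbook: a burst of denied connections to many ports from one source, repeated failed logins from one source, and a successful login from a source that had just been guessing passwords. The log format, field layout, threshold and time window are all assumptions made for this example.

```python
"""Added example: first-pass log triage for the detection phase.

Parses constructed firewall and sshd lines and reports indicators worth
recording in the incident logbook. Formats and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not from any real system).
SAMPLE_LOG = """\
2009-03-02T14:02:11 fw1 DENY TCP 203.0.113.9:51522 -> 192.0.2.10:22
2009-03-02T14:02:12 fw1 DENY TCP 203.0.113.9:51523 -> 192.0.2.10:23
2009-03-02T14:02:13 fw1 DENY TCP 203.0.113.9:51524 -> 192.0.2.10:25
2009-03-02T14:02:14 fw1 DENY TCP 203.0.113.9:51525 -> 192.0.2.10:80
2009-03-02T14:02:15 fw1 DENY TCP 203.0.113.9:51526 -> 192.0.2.10:443
2009-03-02T14:05:01 srv1 sshd: Failed password for admin from 203.0.113.9
2009-03-02T14:05:03 srv1 sshd: Failed password for admin from 203.0.113.9
2009-03-02T14:05:04 srv1 sshd: Failed password for root from 203.0.113.9
2009-03-02T14:05:06 srv1 sshd: Failed password for admin from 203.0.113.9
2009-03-02T14:05:09 srv1 sshd: Accepted password for admin from 203.0.113.9
2009-03-02T14:30:00 srv1 sshd: Failed password for jsmith from 192.0.2.55
2009-03-02T15:10:00 srv1 sshd: Accepted password for jsmith from 192.0.2.55
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S"
AUTH_RE = re.compile(r"sshd: (Failed|Accepted) password for (\S+) from (\S+)")
DENY_RE = re.compile(r"DENY \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)")


def parse(text):
    """Turn raw lines into (timestamp, host, kind, source, detail) tuples.

    kind is 'failed', 'accepted' or 'deny'; detail is the user name for
    authentication events and the destination port for firewall denies.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, host, msg = line.split(" ", 2)
        ts = datetime.strptime(ts_str, TS_FMT)
        m = AUTH_RE.search(msg)
        if m:
            events.append((ts, host, m.group(1).lower(), m.group(3), m.group(2)))
            continue
        m = DENY_RE.search(msg)
        if m:
            events.append((ts, host, "deny", m.group(1), m.group(2)))
    return events


def burst_sources(events, kind, threshold, window):
    """Map source -> largest count of `kind` events from it inside one sliding window."""
    times_by_src = defaultdict(list)
    for ts, _host, k, src, _detail in events:
        if k == kind:
            times_by_src[src].append(ts)
    hits = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def triage(text, threshold=3, window=timedelta(minutes=5)):
    """Return (indicator, source, description) tuples for a block of log text."""
    events = parse(text)
    indicators = []
    for src, n in burst_sources(events, "deny", threshold, window).items():
        ports = sorted({d for _t, _h, k, s, d in events if k == "deny" and s == src}, key=int)
        indicators.append(("scan", src, f"{n} denies to ports {','.join(ports)}"))
    guessing = burst_sources(events, "failed", threshold, window)
    for src, n in guessing.items():
        indicators.append(("bruteforce", src, f"{n} failed logins"))
    # A success from a source that was just guessing is the line to escalate first:
    # it suggests the guessing worked, and an image of that host should be made now.
    for ts, host, k, src, user in events:
        if k == "accepted" and src in guessing:
            indicators.append(("compromise", src,
                               f"{user}@{host} accepted at {ts.isoformat()} after {guessing[src]} failures"))
    return indicators


if __name__ == "__main__":
    for kind, src, desc in triage(SAMPLE_LOG):
        print(f"{kind:<11} {src:<15} {desc}")
```

The single failed login from 192.0.2.55 followed by a success forty minutes later produces nothing, which is the point of the window: a forgotten password looks different from four failures and a success inside eight seconds. Real logs would need the regular expressions adjusted to the firewall and operating system in use, and the threshold tuned against the baseline discussed under Preparation.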
When an incident is confirmed, it is important that an image of the affected system is made as soon as possible. As we'll discuss later in this chapter and again in Chapter 6, computer forensic software can be used to create an image of the data, creating an exact duplicate of a hard disk. This allows you to examine data on the disk, while leaving the original computer untouched. This is important, because examinations of the original computer's data could modify data on the disk. Even opening a file can alter information (such as the date/time of when it was last opened), and can negatively affect any further investigation or future prosecution. It is important to make an image of the system as soon as possible, because further intrusions into the system or malicious programs could delete evidence used to identify a suspect. Rather than giving the suspect a chance to cover his or her tracks, it is important to preserve that evidence quickly. Once the image has been made, a cryptographic hash of it should be calculated and recorded, so that at any later point it can be shown that the copy being examined is unchanged.
Containment
It is important to limit the extent and significance of an incident so that it doesn't spread to other systems and continue doing damage. It makes no sense to identify a hacker's entry into a server, and then allow him or her to continue entering other servers on the network. In the same light, allowing viruses to spread across the network increases the level of damage. Containment limits the scope of such incidents, preventing the damage from spreading.
How an incident is contained will depend on the type of incident that has occurred, what is affected, and the importance of systems to the business. If someone had hacked into a network file server, it might be prudent to remove that server from the network, such as by unplugging the network cable from the adapter. Pulling the network cable rather than the power cord cuts off the intruder's access while leaving the contents of memory, running processes, and open connections intact for examination. In doing so, the hacker would be unable to do further harm, and would be unable to modify or delete any evidence he or she left behind. In other situations, such as an employee sending threatening e-mails, it would be overkill to prevent everyone from using network resources. In this case, having a member of the incident response team stay with that person until the police arrive, so as to prevent him or her from using a computer, would probably suffice.
Eradication
Just as it's important to prevent further damage by containing an incident, it is equally important to remove its cause. Eradication removes the source of a threat so that further damage isn't caused or repeated. In doing so, the system is left more secure, and further incidents may be prevented.
Eradication may occur through a variety of methods. For example, if a virus were detected on systems, eradication would require removing the virus from all media and systems by using AV software. In situations involving violations of law or policy, the eradication phase of incident investigation might require disciplinary action (such as terminating the employee) or pressing criminal charges. As you can see by this, the appropriate method of eradicating an incident depends on what or who is being dealt with.
Recovery
Once an incident has been handled, the company's IT staff will need to ensure that any data, software, and other systems are back to normal. The recovery phase is where these are restored to a normal state. Here you verify that the incident did not permanently affect elements of the network, and that everything is as it was prior to the incident.
Recovery is important because data may be modified, deleted, or corrupted during incidents, and configurations of systems may be changed. Other problems that may result include malicious code that was planted on systems. Such code may be triggered by certain events, or may activate at a later date when everything is presumed to be okay. Because of the possibility of future threats, you need to determine whether any remnants of an attack exist, and what may have been damaged by the incident.
Systems may be restored in a variety of ways. Certain systems may need to be reconfigured to the way they were before the incident, data may need to be validated to verify that it is correct, or in other cases, the system may need to be completely restored from backups. If data has been modified or destroyed, and a backup is restored, any work that took place since the backup was performed will need to be redone. You should also confirm that the backup predates the incident; restoring one taken after the intruder gained access would bring the intruder's changes, and possibly his or her means of access, back with it.
Follow-up
The follow-up to an incident investigation is where you determine whether improvements can be made to incident handling procedures. At this point, you examine the previous phases of the investigation, and review what was done and why. The follow-up requires an analysis of such details as:
▪ Preparation for the investigation, and whether additional preparation is needed
▪ Whether communication was effective, or if information was not conveyed in a timely fashion
▪ Steps taken during the investigation, and problems identified
▪ Determining whether the incident was detected quickly and accurately
▪ Whether the incident was adequately contained or spread to different systems
▪ Evaluating tools used in the investigation and whether new tools would result in improvements
It is also important for companies to identify how much the incident cost, so changes to budgets can be made to effectively manage the risks associated with certain incidents. This includes the cost of downtime, personnel costs, the value of data that was lost, hardware that was damaged, and other costs related to the investigation. By determining the financial costs associated with an incident, insurance claims can then be filed to reimburse the company and cost/benefit analyses can be updated. This information may also be included in Victim Impact Statements provided to the police.
Assessing Evidence
Earlier in this chapter, we discussed how the crime scene technician is responsible for processing digital evidence that is collected during an investigation. Although this may involve the technician being called directly to a crime scene and forced to deal with the situation on the fly, often this will entail assisting in obtaining a search warrant and assisting in technical aspects of the case before any evidence is ready to be searched and seized. As we'll see in the sections that follow, processing evidence is a four-part set of procedures consisting of assessment, acquisition, examination, and documentation.
Evidence assessment is the first part of this process, and it involves evaluating issues related to the case and the digital evidence that's being sought. It requires reviewing the search warrant or details of legal authorization to obtain the evidence, the details of the case, hardware and software that may be involved, and the evidence you hope to acquire for later evaluation. After completing these steps, you should be able to determine the best course of action to take in obtaining the evidence, based on the scope of the case.
Case Assessment
When an incident occurs that requires a computer forensic investigation, the investigator for the case will request the services of the crime scene technician. The request for forensic services should not be taken at face value so that the technician simply walks blindly into the case. It is important that the technician reviews the request and identifies the legal authority for his or her participation. This request for assistance should be in writing, and it should include such information as:
▪ Who is making the request for service, and contact information to call, page, and/or e-mail this person
▪ The incident or case number
▪ The name and other information regarding the suspect
▪ Whether the data has been viewed or accessed by anyone prior to your examination
▪ What kind(s) of forensic services are being requested
A request for service form that allows an investigator to provide this information is useful for several reasons. First and foremost, it provides an easy reference that connects evidence to a particular case. The form will provide information on whether a search warrant is required (based on who owns the computer), and can be useful in identifying information to search for. For example, if you were interested in searching for documents containing the suspect's name, you could simply refer to the form to get the correct spelling. If you were unsure whether all of the services requested have been fulfilled, you could look at the list of services the investigator wanted you to perform. Also, if the request for services was illegitimate and the request was made for personal reasons, you have an official form that will protect you from disciplinary actions.
Because the computer may have been accessed prior to your acquiring the data and examining it, you should also request the complete chain of custody documentation. This is especially important if a computer has already been seized and is being delivered to the forensic lab. If there are any questions regarding data, you can then contact any parties who previously had custody of the machine to determine whether they accessed any files or performed any actions with the machine.
Although an investigator may be adept at interviewing suspects, following leads, and performing other tasks necessary to an investigation, he or she may not fully understand what is involved with computer forensics. It is important to discuss what you can and cannot do in an investigation, and what may or may not be discovered. In addition to this, you should discuss whether other attempts to acquire evidence or certain avenues of investigation have already been acted upon, such as the following:
▪ Is there a need for the use of other types of forensics? Has the evidence been checked for fingerprints, DNA, trace evidence, or other forensic evidence? If there is a need for this, you should wait before touching the computer until this has been completed.
▪ Has an attempt been made to acquire evidence from noncomputer sources? Because evidence is so often found on computers, it is possible that other sources of evidence have been overlooked. For example, digital cameras and cell phones that take pictures can be useful in child pornography cases, whereas check paper, paper files, and other items may be useful in financial crimes.
▪ Is there a need to acquire evidence from other systems? In cases involving the Internet, you may wish to obtain logs and account information from Internet service providers (ISPs), who may have logged when the person connected to the Internet, what sites he or she visited, e-mails that were sent and received, remote storage locations, and other information.
You should also discuss specific details of the case that can be used to narrow your search for information on a computer. If you understand why a person is being investigated, and the type of evidence the investigator is searching for, it can decrease the amount of time required in finding that evidence. For example, fraud cases will often involve searching for spreadsheets and financial records, child pornography cases will require looking for photographs, and hacking cases will often require looking at source code and specific applications. In addition to this, certain information about the suspect should be available to you, such as the suspect's name, e-mail address, aliases, and user account information. By having this information beforehand, you will spend less time attempting to identify it when examining the computer.
In identifying aspects about the suspect who uses or owns a machine being examined, it can be useful to determine the person's computer skills. Different suspects will have varying levels of expertise with computers, with more advanced users possibly incorporating encryption or booby traps that will delete data if certain actions are performed. The more you know about a suspect and the case prior to dealing with the evidence, the better position you'll be in to successfully acquire and evaluate pertinent evidence.
Processing Location Assessment
Although the thought of where you'll collect or examine evidence may not be the first thought in an investigation, it is important to identify this early in the investigation. In many cases, the evidence will be examined in a forensic lab, where you'll be working with equipment in your own work area. In other situations, you'll have to visit the scene of the crime. Sometimes this will be an easily controlled environment, such as a server room that limits the number of people who can enter and have access to evidence. Other situations may require you to collect evidence from a kiosk, a computer in a public Internet café, or the scene of a homicide where other forensic professionals are still gathering their own evidence. By understanding where the evidence needs to be gathered, you'll be better prepared to determine the type of equipment you'll need to bring, or whether other personnel (such as police officers) will need to be present.
Computer Forensics in the Field
In most situations, computers that are seized as evidence are delivered to the person(s) who will perform a forensic examination of the digital evidence. This examination is then done in the (relative) comfort of a forensic lab setting. This isn't always the case, though, as situations may dictate a need for you to attend a crime scene to process and transport computers for later analysis.
One of my early forays into the field involved a multiple homicide, in which an entire family had been murdered (after which the killer committed suicide). Although everyone involved was deceased, there was a need to determine why the tragedy had occurred. The detective in charge of the case requested that I attend the crime scene so that I could seize the computer (properly package and transport it) and later perform a forensic examination of the data. While I was there, the Forensic Unit was still processing the crime scene. Afterward, I made a second trip to the family business, where another computer was seized. While I was there, the employees of the murdered family were grieving and were understandably distraught.
Although this was an unusual situation, it does illustrate the diverse locations one may visit in the field. Each location was also disturbing for different reasons. The first was a grisly crime scene, whereas the second was a business environment that was emotionally charged. It is also important that those planning to work in computer forensics are aware that the circumstances requiring your services can be unusual and disquieting.
When assessing the location, you should consider a number of factors. It may take considerably longer to collect evidence from some scenes compared to others, so an estimate should be provided to the investigator. If it will take a while to collect the evidence, you should try to determine how your presence will impact the business. In some situations, it is better to remove a hard disk from a server, and to allow members of the company's IT staff to restore systems as swiftly as possible. However, even in the best of circumstances, a computer may be unavailable for some time, requiring personnel at the company to use other systems. If you will be on-site for some time, considerations may need to be made regarding who will perform other forensic examinations while you're unavailable.
Equipment and training may also be an issue in certain circumstances. In our previous example of a homicide scene, you may be exposed to blood spatters or other biological matter. In such cases, you may need to work in a suit that will protect you from biological hazards, or at the very least wear a mask and latex or vinyl gloves. The same could also apply if a computer is located in a marijuana grow operation, or a scene with chemicals or allergens present. By understanding the location in which an investigation will take place, you can better prepare for factors that will impact your ability to collect and examine evidence.
Evidence Assessment
The final step in evidence assessment specifically deals with the evidence itself. You should identify the stability of the evidence, and collect the most volatile evidence first before moving to nonvolatile evidence. Separately from the order of collection, you should prioritize the acquisition and examination of evidence so that the items most likely to contain what you're searching for are examined first. For example, if a border guard discovered that someone had child pornography as the wallpaper on a laptop, you would obviously want to acquire evidence from the laptop and examine it first, before moving on to any CDs, DVDs, and other media that may also have been collected. Throughout this process, you should document any actions taken, and determine the best methods of relating that information. This may include taking notes, making diagrams, photographing items, or utilizing features available through forensic software.
When evidence needs to be transported, you should evaluate the condition and vulnerability of the items. Certain devices such as PDAs, cell phones, and laptops could simply be packaged in an evidence bag, whereas circuit boards and individual hard disks should first be stored in antistatic bags. In some cases, an investigator may also need to provide continuous electric power to battery-operated devices such as laptops that are low in power so that any volatile evidence isn't lost before it is delivered to you. Once the evidence has been acquired, you should then place the evidence in a secure location that is free of electromagnetic interference.
Acquiring Evidence
The next phase of processing evidence is acquisition. As we mentioned earlier in this chapter, acquiring evidence is the process of obtaining digital evidence from its original source. In doing so, it is vital that the original data isn't altered, damaged, or destroyed when making a copy from which the forensic technician can work.
The first step in acquiring evidence from a computer is to document as much information about the machine as possible. You should note the serial number and any identifying information on the computer so that you can prove that the computer that was taken from a crime scene was actually the one that evidence was acquired from at a later time. This is especially important when there is a backlog of cases, and the computer may have been stored until the examiner had time to work on the machine. In documenting information, you should also review information on any hardware and software configurations that were noted when the machine was seized, in case this needs to be duplicated on the examiner's machine.
If you are dealing with a hard disk that has already been removed from a computer, the tasks in acquiring evidence are considerably easier. You would simply attach the hard disk to the examiner's workstation in a forensic lab, or to a write protection device such as FastBloc (used with EnCase software that we'll discuss in Chapter 6), and then use forensic software to acquire its contents. However, generally you will be dealing with an entire computer or laptop, and not with individual components that have been seized. In such cases, you'll need to take steps to remove storage devices yourself. Disassembling the computer case will provide you with physical access to these devices, so you should ensure that you have taken precautions against static discharge and that you do not have the equipment close to any strong magnetic fields. Either of these can seriously damage computer components, so during the disassembly you should wear an antistatic wristband or stand on an antistatic mat.
Once the case has been opened, you can identify what hard disks and other components (for example, PC Card, network card, and so on) are installed, and you can begin to take steps to remove the storage devices. Before removing any storage devices, you should note how they are installed and configured so that they can later be reinstalled exactly as they were before. This could include taking a picture of the inside of the computer so that a visual reference is available for later. Once you've noted this, you should then remove the power connector or data cable from the back of the drive or motherboard. Doing so will prevent the destruction, damage, or modification of any data that is stored on the device in steps that follow. After disconnecting the storage device, you should make a note of the make, model, size, jumper settings, location, drive interface, and any other information you can see that will identify the hard disk and its settings.
Once you've removed the power connector or data cable from the hard disk, you can then take steps to retrieve information stored on the computer through a series of controlled boots. To perform a controlled boot and capture data stored in the CMOS/BIOS, you would start the computer and press the particular key on the keyboard that allows you to access the BIOS Setup for that particular machine. This is often displayed on the screen when the computer is first powered on, and is generally the Del or F10 key that accesses this program. However, you should check the manufacturer's Web site if it's not evident which key to press, as it can vary from system to system. Once you've entered the BIOS Setup, you can view the configuration information for that machine. You should note the date and time of the system, how far they differ from a reference clock you trust (so that file timestamps can later be corrected), whether a power-on password has been set, and the boot sequence of the machine. If the boot order of the machine isn't configured to first try and boot from a floppy disk or the CD-ROM, you may need to change this. However, before modifying these settings, document what the original settings were, and what you changed them to afterward.
After ensuring that the system is configured to first boot from a floppy or CD-ROM, you would then test your forensic boot disk to make sure the computer will boot from that drive properly. With the power connector or data cable still removed from the storage devices, you would insert the boot disk, and then boot the computer. If it boots from the floppy or CD-ROM, you would then reconnect the storage devices to prepare for a third boot. When the computer boots this time, document the drive configuration information, including the logical block addressing (LBA), large disk, cylinders, heads, and sectors (CHS), and whether the computer is configured to auto-detect any hard disks that are installed. Once this is documented, power the system down.
If possible, it is best to physically remove the hard disk from the computer that's been seized and connect it to a workstation in a forensic lab, or to a device such as FastBloc that prevents disk writes and works between the examiner's computer and the hard disk. If it is attached to the machine that will perform the acquisition, you can then use information acquired earlier from the CMOS/BIOS to properly configure the storage device so that it will be recognized. In some situations, such as those that follow, it may be easier, or only possible, to read the hard disk by leaving it installed in the suspect's machine:
▪ Laptop computers use different hard disks from desktop computers, although adapters can be purchased that will connect the hard disk to a desktop system. In some cases, removing the disk from the laptop may be difficult, and reading the disk may not be possible if the appropriate adapter to connect the drive to a ribbon cable is unavailable.
▪ Equipment requirements, such as when the disk is used for network storage and network equipment is needed to access the data, or when other equipment (such as the adapters mentioned previously) is not available to the technician performing the examination.
▪ Redundant Array of Inexpensive Disks (RAID) technology may need to be left in an array, as attempting to acquire data from such disks individually may not provide results that are usable.
▪ Legacy equipment. In some cases, older drives may not work with newer systems, making it impossible to read the data.
If the hard disk isn't going to be connected to the examiner's machine, you will need to leave it installed on the suspect's machine. Depending on the forensic software being used, the examiner could then attach a CD-RW or other storage device to the machine, or connect to the machine using a network cable, null modem cable, or other method of allowing communication between the two machines. Regardless of the method used to connect the machines, the data that's acquired and saved as image files should be stored on forensically clean media.
Write protection is an important part of acquiring data, as it will prevent any data from being written to the suspect hard disk. If hardware-based write protection is used, it should be installed prior to starting the computer, whereas software-based write protection should be activated immediately after booting the system with the examiner's operating system or boot disk. Once it is started, you should then attempt to capture and document any electronic identifiers the disk might have, such as its electronic serial number. Once these facts about the disk have been recorded, you are then ready to begin to acquire the data using methods that won't modify data on the disk, such as by using disk-imaging software to duplicate the data.
Disk Imaging
Disk imaging is accepted as standard practice in computer forensics to preserve the integrity of the original evidence. Disk imaging differs from creating a standard backup of a disk (for fault-tolerance purposes) in that ambient data is not copied to a backup; only active files are copied. Because a backup created with popular backup programs such as the Windows built-in backup utility is not an exact duplicate (in other words, a physical bitstream image), these programs should not be used for disk imaging. Programs such as Norton Ghost include switches that allow you to make a bitstream copy, but these programs were not originally designed for forensic use and do not include the features and analysis tools that are included with imaging programs and stand-alone imaging systems designed especially for forensic examination.
Bitstream Copies
Digital evidence is, by its nature, fragile. Some data is volatile—that is, it is transient in nature and, unlike data stored on disk, will be lost when the computer is shut down. Data on a computer disk can be easily damaged, destroyed, or changed either deliberately or accidentally. The first step in handling such digital evidence is to protect it from any sort of manipulation or accident. The best way to do this is to immediately make a complete bitstream image of the media on which the evidence is stored.
A bitstream image is a copy that records every data bit that was recorded to the original storage device, including all hidden files, temp files, corrupted files, file fragments, and erased files that have not yet been overwritten. In other words, every binary digit is duplicated exactly onto the copy media. Bitstream copies (sometimes called bitstream backups) use CRC computations to validate that the copy is the same as the original source data. The “mirror image” should be an exact duplicate of the original, and the original should then be stored in a safe place where its integrity can be maintained. The copy is made via a process called disk imaging. In some cases, evidence could be limited to a few data files that can be copied individually rather than creating a copy of the entire disk.
Using Disk Imaging to Create Duplicate Copies
Disk imaging refers to the process of making an exact copy of a disk. Imaging is sometimes also called disk cloning or ghosting, but the latter terms usually refer to images created for purposes other than evidence preservation. Disk imaging differs from just copying all the files on a disk in that the disk structure and relative location of data on the disk are preserved. When you copy all the data on a disk to another disk, that data will usually be stored on the new disk in contiguous clusters wherever there is room to store it. In that case, all the data on the two disks will be identical, but the way the data is distributed on the disks will not be. When you create a disk image (a bitstream copy), each physical sector of the disk is copied so that the data is distributed in the same way, and then the image is compressed into a file called an image file. This image is exactly like the original, both physically and logically. There are a number of different ways to create a bit-level duplicate of a disk, including:
▪ Removing the hard disk from the suspect computer and attaching it to another computer (preferably a forensic workstation) to make the copy
▪ Attaching another hard disk to the suspect computer and making the copy
▪ Using a stand-alone imaging device such as the DIBS Rapid Action Imaging Device
▪ Using a network connection (Ethernet connection, crossover cable, null modem cable, USB, or the like) to transfer the contents of the disk to another computer or forensic workstation
Which of these methods you choose will usually depend on the equipment that you have at hand. A portable forensic workstation or stand-alone imaging device is probably the best solution, but it's also the most expensive.
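The bitstream copy described in the preceding two sections (every sector duplicated, the copy validated against the original, and ambient data such as deleted-file remnants preserved) can be illustrated in code. The following Python program is an added example, not part of the original chapter or of any named imaging product: it images a constructed in-memory "device" sector by sector, zero-fills any sector that cannot be read (the same behaviour as `dd conv=noerror,sync`) while recording the sector number for the report, and then re-reads the finished image to confirm the SHA-256 and CRC32 values match the ones computed during acquisition. The `FlakyDevice` class, the sector size and the sample contents are all constructed for the example; a real acquisition would open the block device read-only behind a hardware write blocker.

```python
import hashlib
import io
import zlib

SECTOR = 512        # assumed sector size of the constructed "device"
BLOCK = SECTOR * 8  # read granularity; re-read per sector on error


class FlakyDevice:
    """Constructed stand-in for a raw block device: a byte string with an
    optional unreadable sector, so the imager's error handling is exercised."""

    def __init__(self, data, bad_sector=None):
        self._data, self._bad, self._pos = data, bad_sector, 0

    def seek(self, pos):
        self._pos = pos

    def read(self, n):
        start, end = self._pos, self._pos + n
        if self._bad is not None:
            b0, b1 = self._bad * SECTOR, (self._bad + 1) * SECTOR
            if start < b1 and end > b0:  # request overlaps the bad sector
                raise OSError(5, "Input/output error")
        chunk = self._data[start:end]
        self._pos += len(chunk)
        return chunk


def build_sample_device():
    """Constructed 64-sector device: an 'active' file in sector 10 and the
    remnant of a deleted file in sector 40, which a file-level copy would
    never see but a bitstream image preserves."""
    sectors = [bytes([i % 251]) * SECTOR for i in range(64)]
    sectors[10] = b"ACTIVE FILE: quarterly report".ljust(SECTOR, b"\x00")
    sectors[40] = b"DELETED: fragment of secret.doc".ljust(SECTOR, b"\x00")
    return b"".join(sectors)


def image_device(dev, size, out, block=BLOCK):
    """Copy every sector of dev (size bytes) into out, a writable binary
    stream on forensically clean media. A block that fails is re-read one
    sector at a time; sectors that still fail are written as zeros and
    listed, so the report can disclose them. Returns the acquisition
    hashes computed over the bytes actually written."""
    sha, crc, bad, pos = hashlib.sha256(), 0, [], 0
    while pos < size:
        want = min(block, size - pos)
        dev.seek(pos)
        try:
            chunk = dev.read(want)
        except OSError:
            parts = []
            for s in range(pos, pos + want, SECTOR):
                n = min(SECTOR, pos + want - s)
                dev.seek(s)
                try:
                    parts.append(dev.read(n))
                except OSError:
                    bad.append(s // SECTOR)
                    parts.append(b"\x00" * n)
            chunk = b"".join(parts)
        if len(chunk) != want:
            raise IOError(f"short read at byte {pos}")
        out.write(chunk)
        sha.update(chunk)
        crc = zlib.crc32(chunk, crc)
        pos += want
    return {"bytes": pos, "sha256": sha.hexdigest(),
            "crc32": f"{crc:08x}", "bad_sectors": bad}


def verify_image(stream, report):
    """Re-read the finished image and compare it with the acquisition
    hashes; both values belong in the examiner's notes."""
    stream.seek(0)
    sha, crc = hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(65536), b""):
        sha.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return sha.hexdigest() == report["sha256"] and f"{crc:08x}" == report["crc32"]


def acquire_sample(bad_sector=None):
    """Image the constructed device into memory and verify the result."""
    data = build_sample_device()
    out = io.BytesIO()
    report = image_device(FlakyDevice(data, bad_sector), len(data), out)
    return out.getvalue(), report, verify_image(out, report)


if __name__ == "__main__":
    image, report, ok = acquire_sample(bad_sector=20)
    print(report, "verified:", ok)
```

Two points worth noting: the acquisition hash is taken over what was written, so when a sector had to be zero-filled the image hash cannot be expected to equal a hash of the original medium, and the bad-sector list is what explains the difference; and the verification pass reads the image back from the destination rather than trusting the in-memory digest, which is what catches a media or transfer fault.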
Examining Evidence
The examination of evidence occurs after it has been acquired using forensic software. Working from an image of the original machine, you can extract files and other data from the image to separate files, which the examiner can then review. For example, a Microsoft Word document found in the image of the suspect machine could be extracted, allowing it to be opened and viewed in Word without modifying the original data or that available through the disk image. In this example, the file is first extracted and then analyzed to determine what value it holds as evidence. Although every file may not be individually examined in this manner, the process of analyzing data does require a repeated process of extracting data stored in different areas of the machine, and then determining its value to the investigation.
Extracting data from the machine isn't limited only to files that are available to the operating system, file system, or other software that may have been installed on the machine. By viewing various areas of the disk, you can access and examine file fragments and data that has been corrupted or deleted. Extraction of evidence from a hard disk can occur at either of two levels:
A logical extraction is used to identify and recover files based on the operating system(s), file system(s), and application(s) installed on the computer. This type of extraction allows you to identify what data is stored in active files, deleted files, slack space, and unallocated file space. This type of examination would find information that is available to the operating system, and/or is visible to the file system on the suspect's computer. When this type of extraction occurs, any or all of the following actions might be performed:
▪ Extraction of file system information. This is done to identify the structure of folders, as well as the names, locations, sizes, attributes, dates, and timestamps of files.
▪ Extraction of files relevant to the investigation, which would be based on the name, extension, header/footer, content, and/or location of the file on the drive.
▪ Extraction of data that is encrypted, password-protected, and/or compressed.
▪ Extraction of data in the file slack. As we discussed in Chapter 4, a cluster is a group of disk sectors where data is stored, and to which the operating system assigned a unique number to keep track of files. Because the cluster is a fixed size in operating systems such as Windows, the entire cluster is reserved for a file even if the file doesn't fill that amount of space. This unused space is referred to as slack space.
▪ Extraction of data in unallocated space. Unallocated disk space is the part of a hard disk that is not part of any partition. For example, if you had a single 1GB partition that was assigned a drive letter (such as C:), this would be allocated space. However, if the drive was larger than 1GB, the remaining space on the drive would be unallocated space. Even though it hasn't been allocated to a partition, it may still contain damaged or deleted data.
▪ Recovery of deleted files. As we'll see in Chapter 6, you can use various techniques and tools to recover data that has been deleted.
▪ Reduction of data, which would reduce the number of files returned by eliminating known files.
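Several of the logical-extraction actions listed above (file system information, selection by name, extension and header, slack space, and data reduction against known files) can be carried out by one pass over a mounted copy of the file system. The Python program below is an added example and not code from the chapter: it walks a constructed directory tree standing in for a mounted image, records each file's path, size, MAC times and hash, computes how much slack the file leaves in its last cluster for an assumed 4096-byte cluster size, compares the type implied by the file's header bytes with its extension (a renamed image file is a common finding), and drops files whose hashes appear in a constructed "known file" set. The cluster size, the signature table and the sample files are assumptions of the example; on a real volume the cluster size comes from the boot sector and the known-hash set from a reference collection.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CLUSTER = 4096  # assumed; read the real value from the volume's boot sector

# Constructed (not exhaustive) header signatures and the extensions they imply
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
              b"%PDF-": "pdf", b"PK\x03\x04": "zip"}
EXT_OF = {"jpeg": {"jpg", "jpeg"}, "png": {"png"}, "pdf": {"pdf"},
          "zip": {"zip", "docx", "xlsx", "pptx"}}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def header_type(path):
    """Type implied by the first bytes of the file, independent of its name."""
    with open(path, "rb") as f:
        head = f.read(8)
    return next((kind for sig, kind in SIGNATURES.items() if head.startswith(sig)), None)


def slack_bytes(size, cluster=CLUSTER):
    """Unused bytes in the file's last cluster; an empty file owns no cluster."""
    return 0 if size == 0 else (-size) % cluster


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def inventory(root, known_hashes=frozenset(), cluster=CLUSTER):
    """File system information for every regular file under root, plus the
    hash, header type, extension mismatch flag and known-file flag."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            digest, kind = sha256_file(path), header_type(path)
            ext = os.path.splitext(name)[1].lower().lstrip(".") or None
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size, "slack": slack_bytes(st.st_size, cluster),
                "modified": _iso(st.st_mtime), "accessed": _iso(st.st_atime),
                "changed": _iso(st.st_ctime), "sha256": digest,
                "ext": ext, "header": kind,
                "mismatch": kind is not None and ext not in EXT_OF[kind],
                "known": digest in known_hashes,
            })
    return sorted(records, key=lambda r: r["path"])


def reduce_known(records):
    """Data reduction: drop files whose hashes are in the known-file set."""
    return [r for r in records if not r["known"]]


def build_sample_tree():
    """Constructed directory tree standing in for a mounted, read-only image."""
    root = tempfile.mkdtemp(prefix="logical-")
    files = {
        "docs/report.txt": b"Q3 figures\n" * 50,                        # 550 bytes
        "images/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 3000,
        "images/notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 100,         # renamed JPEG
        "system/helper.dll": b"MZ" + b"\x90" * 4094,                     # exactly one cluster
        "empty.log": b"",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


def known_set_for(root):
    """Constructed known-file hash set containing only the sample DLL."""
    return frozenset({sha256_file(os.path.join(root, "system", "helper.dll"))})


if __name__ == "__main__":
    root = build_sample_tree()
    for rec in reduce_known(inventory(root, known_set_for(root))):
        print(rec["path"], rec["size"], rec["slack"], rec["header"], rec["mismatch"])
```

The slack figure is the space an examiner would read from the last cluster of each file; the mismatch flag is the cheap first filter for files whose names were chosen to hide their contents, which the application and file analysis section below discusses further.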
A physical extraction is used to identify and recover files and data across the entire physical hard drive. Because it occurs at the physical level, the file system used on the hard disk doesn't matter. A physical extraction may involve a number of different methods to find data that is stored on the computer, including:
▪ Keyword searching. Extracting data in this way involves searching for specific data using specific keywords. Because the search occurs at a physical level, it can find data that is stored anywhere on the hard disk.
▪ File carving. In this case, utilities will recover files or file fragments by looking for file headers/footers and other identifiers in the data. This is particularly useful when attempting to find data that has been damaged or deleted, was located in corrupt directories on the disk, or was stored on damaged media.
▪ Partition table and unused space examinations. Examining the partition structure can help you to identify the file system being used and determine whether the physical size of the hard disk is accounted for.
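The three physical-extraction methods just listed, together with the unallocated space described in the logical extraction list above, can be demonstrated on a small constructed disk image. The Python program below is an added example and not code from the chapter: it parses the four primary entries of a classic MBR partition table, works out which sector ranges no partition covers (and therefore how much of the disk's size is unaccounted for), carves JPEG files by header and footer, searches for a keyword in both ASCII and UTF-16LE (the encoding Windows uses for many strings), and reports whether each hit lies in unallocated space. The sample image, its one partition of type 0x07, and the remnants left in its unallocated tail are all constructed for the example.

```python
import struct

SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def parse_mbr(image):
    """Four primary entries at offset 446, 16 bytes each: status, CHS start (3),
    type, CHS end (3), LBA start (u32 LE), sector count (u32 LE)."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "start": start,
                          "sectors": count, "bootable": status == 0x80})
    return parts


def unallocated_regions(parts, total_sectors):
    """Sector ranges [start, end) covered by no partition; sector 0 (the MBR)
    is not counted. A large gap means the disk size is not accounted for."""
    regions, cursor = [], 1
    for s, e in sorted((p["start"], p["start"] + p["sectors"]) for p in parts):
        if s > cursor:
            regions.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < total_sectors:
        regions.append((cursor, total_sectors))
    return regions


def region_of(offset, regions):
    """The unallocated region a byte offset falls in, or None if allocated."""
    sec = offset // SECTOR
    return next((r for r in regions if r[0] <= sec < r[1]), None)


def carve_jpegs(image, max_len=8 * 1024 * 1024):
    """Header/footer carving: each SOI marker starts a candidate and the first
    EOI within max_len ends it; a candidate with no EOI is kept as a fragment."""
    found, pos = [], image.find(JPEG_SOI)
    while pos != -1:
        end = image.find(JPEG_EOI, pos + 3, pos + max_len)
        if end != -1:
            found.append({"offset": pos, "data": image[pos:end + 2], "complete": True})
            pos = image.find(JPEG_SOI, end + 2)
        else:
            found.append({"offset": pos, "data": image[pos:pos + max_len], "complete": False})
            pos = image.find(JPEG_SOI, pos + 3)
    return found


def keyword_search(image, keywords):
    """Physical-level search in ASCII and UTF-16LE, reporting offset and sector."""
    hits = []
    for kw in keywords:
        for label, needle in (("ascii", kw.encode("ascii")), ("utf-16le", kw.encode("utf-16-le"))):
            i = image.find(needle)
            while i != -1:
                hits.append({"keyword": kw, "encoding": label, "offset": i, "sector": i // SECTOR})
                i = image.find(needle, i + 1)
    return sorted(hits, key=lambda h: h["offset"])


def examine(image, total_sectors, keywords):
    parts = parse_mbr(image)
    regions = unallocated_regions(parts, total_sectors)
    return {
        "partitions": parts,
        "unallocated": regions,
        "unaccounted_sectors": sum(e - s for s, e in regions),
        "jpegs": [{"offset": j["offset"], "size": len(j["data"]), "complete": j["complete"],
                   "unallocated": region_of(j["offset"], regions)} for j in carve_jpegs(image)],
        "keywords": [dict(h, unallocated=region_of(h["offset"], regions))
                     for h in keyword_search(image, keywords)],
    }


def build_sample_image():
    """Constructed 200-sector disk: MBR, one type-0x07 partition at sectors
    64..163, a note inside it, and a 'deleted' JPEG plus a UTF-16 string left
    in the unallocated tail (sectors 164..199)."""
    total = 200
    img = bytearray(total * SECTOR)
    img[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 64, 100)
    img[510:512] = b"\x55\xaa"
    note = b"memo: payroll export done"
    img[70 * SECTOR:70 * SECTOR + len(note)] = note
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 1500 + JPEG_EOI
    img[170 * SECTOR:170 * SECTOR + len(jpg)] = jpg
    u16 = "payroll".encode("utf-16-le")
    img[190 * SECTOR:190 * SECTOR + len(u16)] = u16
    return bytes(img), total


if __name__ == "__main__":
    image, total = build_sample_image()
    print(examine(image, total, ["payroll"]))
```

Because the carver and the keyword search run over the raw image, neither depends on the partition's file system being intact; the partition table is parsed only so that each hit can be labelled as allocated or unallocated, which is what tells the examiner whether the find was visible to the operating system.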
Once the data has been extracted from the computer, it can then be analyzed. This involves looking at the data and determining whether it's relevant and significant to the case. Although an investigator may analyze data such as pictures that have been found on the machine, or may perform subsequent analysis on various files that have been recovered, the person examining the machine will perform a significant amount of this work to limit the amount of information that is later provided to the investigator of the case. Various types of analysis include:
▪ Time frame analysis
▪ Data hiding analysis
▪ Application and file analysis
▪ Ownership and possession analysis
Time Frame Analysis
Time frame analysis is used to determine when files were downloaded, viewed, or modified on a machine. It can be useful in constructing a sequence of events, or associating a particular user to a time period. Using the date and timestamps on files, which show when a file was created, last accessed, or modified, a time frame can be established that shows when particular events occurred. In addition to this, dates and times stored in logs and other system files can show when a particular user logged on to a system or performed some action.
Data Hiding Analysis
Data hiding analysis involves looking for data that may be hidden on the hard disk. By concealing the information, the person who hid it hopes it will escape both casual inspection and forensic examination. Although some techniques for hiding data may require special tools, others may be simple to detect if you're aware of the methods being used. In Chapter 7, we'll discuss a number of these tools and methods in great detail.
Steganography
Steganography (from the Greek word for covered writing) refers to a method of hiding data—not just concealing its contents as encryption does, but concealing its very existence. Steganography is usually used in conjunction with encryption for added protection of sensitive data. This method ameliorates one of the biggest problems of encrypting data—the fact that it is encrypted draws the attention of people who are looking for confidential or sensitive information. For more information on steganography, see Chapter 7.
Application and File Analysis
Application and file analysis is used to identify what kinds of programs the suspect is using, to identify common file types used for specific purposes relevant to the investigation, and to associate files that have been located on the drive with particular software. Often, people will use certain patterns to name files or directories, whether it is to be as specific and detailed as possible (for example, TaxReturn2007.q07) or to hide the contents by using a specific code (for example, cp13yf.jpg to indicate child pornography depicting a 13-year-old girl). By identifying these patterns and their relevance, you can expand your search to look for other files with these features.
Some files can be associated with specific applications, to identify what programs are commonly being used. For example, you could associate files in a Temporary Internet Files directory with Internet Explorer, whereas other files could be associated with e-mail programs. In doing so, you can determine what programs are being used. Similarly, by reviewing the Internet history and messages in the e-mail software, you could correlate files that have been saved to those sent or received via e-mail, or downloaded from a particular Web site.
The most direct method of determining what's in a file is, of course, to examine the contents. To identify what is depicted in an image, or the data in a spreadsheet or document, you will need to view the contents and determine their relevance to the case. To reduce the number of files you'll need to review, you should perform other actions mentioned in previous sections to narrow down what needs to be viewed.
Ownership and Possession Analysis
Ownership and possession analysis is used to identify who created, modified, or accessed files on a computer. By identifying the individual who created, viewed, or downloaded a particular file, you can associate the existence of a file to the actions of a person. For example, if a person said that he or she hadn't seen a file, you could show that the file's ownership belonged to that person's user account, and by identifying the last time it was accessed, you could show that the person had reasonable knowledge of its existence. In this example, you can see that this type of analysis can easily be used with time frame analysis to show when a particular person used the computer and had access to a particular file.
Ownership of a file can be displayed through the properties of a file. In looking at the properties of a file, you can view who the current owner of a file is. If multiple users are on a machine, you can associate who owns the file with the person who uses that particular account. In knowing this, you can then peruse firewall logs or other resources to obtain additional information about the user's actions.
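The combination of time frame analysis and ownership and possession analysis described in these two sections (file timestamps merged with logon records to show who was using the machine when a file was touched) can be worked through in code. The Python program below is an added example, not part of the chapter: it pairs LOGON and LOGOFF lines from a constructed log export into user sessions, merges the created, accessed and modified times of some constructed file records with those session boundaries into one ordered timeline, and for each file reports who was logged on at its last-accessed time and whether that agrees with the owner recorded on the file. The log format, the file records and the account names are all assumptions of the example; all timestamps are assumed to have been normalised to one clock beforehand, which is where the date and time noted during the controlled boot earlier in the chapter comes in.

```python
import re
from datetime import datetime

# Constructed logon/logoff export (one event per line).
SAMPLE_LOG = """\
2007-03-12 08:55:02 LOGON  alice
2007-03-12 12:10:47 LOGOFF alice
2007-03-12 12:30:00 LOGON  bob
2007-03-12 17:45:09 LOGOFF bob
2007-03-13 09:01:30 LOGON  alice
"""

# Constructed file records: owner from the file's properties plus its
# created / last-accessed / modified timestamps.
SAMPLE_FILES = [
    {"path": "C:/Users/alice/Documents/TaxReturn2007.q07", "owner": "alice",
     "created": "2007-03-12 09:20:11", "accessed": "2007-03-12 11:58:40",
     "modified": "2007-03-12 11:58:40"},
    {"path": "C:/Temp/export.csv", "owner": "alice",
     "created": "2007-03-12 13:05:00", "accessed": "2007-03-12 13:06:12",
     "modified": "2007-03-12 13:05:00"},
    {"path": "C:/Temp/old.tmp", "owner": "SYSTEM",
     "created": "2007-03-12 03:00:00", "accessed": "2007-03-12 03:00:00",
     "modified": "2007-03-12 03:00:00"},
]

LOG_RE = re.compile(r"^(\S+ \S+)\s+(LOGON|LOGOFF)\s+(\S+)$")
FMT = "%Y-%m-%d %H:%M:%S"


def _ts(s):
    return datetime.strptime(s, FMT)


def parse_sessions(log_text):
    """Pair LOGON/LOGOFF lines into (user, start, end) sessions. A logon with
    no matching logoff is still open at the end of the log (end is None)."""
    open_, sessions = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; a real parser would count these
        ts, event, user = _ts(m.group(1)), m.group(2), m.group(3)
        if event == "LOGON":
            open_[user] = ts
        elif user in open_:
            sessions.append((user, open_.pop(user), ts))
    sessions += [(u, t, None) for u, t in open_.items()]
    return sorted(sessions, key=lambda s: s[1])


def active_users(sessions, when):
    """Accounts with a session covering the instant 'when'."""
    return [u for u, a, b in sessions if a <= when and (b is None or when < b)]


def timeline(files, sessions):
    """Merge file MAC times and session boundaries into one ordered list of
    (timestamp, event, subject) tuples; all times on one normalised clock."""
    events = []
    for f in files:
        for kind in ("created", "accessed", "modified"):
            events.append((_ts(f[kind]), kind, f["path"]))
    for user, start, end in sessions:
        events.append((start, "LOGON", user))
        if end is not None:
            events.append((end, "LOGOFF", user))
    events.sort(key=lambda e: e[0])
    return [(t.strftime(FMT), ev, subj) for t, ev, subj in events]


def attribute(files, sessions):
    """For each file: who was logged on at its last-accessed time, and whether
    that agrees with the owner recorded on the file."""
    result = {}
    for f in files:
        users = active_users(sessions, _ts(f["accessed"]))
        result[f["path"]] = {"owner": f["owner"], "logged_on": users,
                             "consistent": f["owner"] in users}
    return result


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for row in timeline(SAMPLE_FILES, sessions):
        print(*row)
    print(attribute(SAMPLE_FILES, sessions))
```

In the sample data the tax return was accessed during alice's session and is owned by her account, so both analyses agree; the CSV export is owned by alice but was last accessed while only bob was logged on, which is exactly the kind of disagreement that sends the examiner back to the firewall or other logs for more context; and the temporary file was touched at 03:00 with nobody logged on, pointing at an automated process rather than a person.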
Closing the Case
Regardless of what the investigation entails, there comes a time where every case must be closed. Once the analysis has been completed and a sufficient amount of time has passed, you will need to accept what has been found and move on to another case. If certain evidence has been found, it may even be decided that additional evidence on the computer isn't necessary for the case. For example, if you've found the smoking gun in the case (such as dozens of child pornography pictures), additional evidence may be unnecessary if enough has been found to pursue a conviction. Once you're satisfied that based on the search parameters you have, the analyses you've performed are complete and there's little to nothing else to find, it is usually time to stop. After all, no one makes a career of a single case.
After a final report has been prepared and submitted to the investigator and/or prosecutor, you should follow up to identify what actions (if any) are being taken regarding the case. In some situations, new information that can be used to search for evidence may become available, and you may be asked to revisit the machine or examine new sources of data (such as other machines, devices, or storage sites) and try to find more. Other times, you will find that the person has taken a plea bargain (ending your role in the process), or that a trial will be underway at some point in the future. By following up with investigators, you will be able to determine what will occur next in the case.
At some point, any evidence you've acquired and analyzed will no longer be needed. Policies dealing with the destruction and disposal of evidence should be in place, to provide a guideline for how long you should keep property that's been seized, and disk images that have been acquired from machines, media, and devices. When the date approaches, you should contact the investigator, as he or she will be able to inform you whether the evidence should be retained longer. In some situations, evidence will be retained in the event of an appeal or delays in hearing the case in court or other hearings.