Digital Forensics
Lecture 5
Processing Crime and Incident Scenes
Objectives
• Explain the rules for digital evidence
• Describe how to collect evidence at
private-sector incident scenes
• Explain guidelines for processing law
enforcement crime scenes
• List the steps in preparing for an evidence
search
• Describe how to secure a computer
incident or crime scene
Objectives (continued)
• Explain guidelines for seizing digital
evidence at the scene
• List procedures for storing digital evidence
• Explain how to obtain a digital hash
• Review a case to identify requirements
and plan your investigation
Identifying Digital Evidence
• Digital evidence
– Can be any information stored or transmitted
in digital form
• Some courts accept digital evidence as
physical evidence
– Digital data is a tangible object
• Some require that all digital evidence be
printed out to be presented in court
Identifying Digital Evidence
• General tasks investigators perform when
working with digital evidence:
– Identify digital information or artifacts that can
be used as evidence
– Collect, preserve, and document evidence
– Analyze, identify, and organize evidence
– Rebuild evidence or repeat a situation to
verify that the results can be reproduced
reliably
• Collecting computers and processing a
criminal or incident scene must be done
systematically
Understanding Rules of
Evidence
• Consistent practices help verify your work
and enhance your credibility
• Comply with your state’s rules of evidence
or with the Federal Rules of Evidence
• Evidence admitted in a criminal case can
be used in a civil suit, and vice versa
• Keep current on the latest rulings and
directives on collecting, processing,
storing, and admitting digital evidence
Understanding Rules of Evidence
• Data you discover from a forensic
examination falls under your state’s rules
of evidence
• Digital evidence is unlike other physical
evidence because it can be changed more
easily
– The only way to detect these changes is to
compare the original data with a duplicate
• Most courts have interpreted computer
records as hearsay evidence
– Hearsay is secondhand or indirect evidence
Understanding Rules of
Evidence (continued)
• When attorneys challenge digital evidence
– Often they raise the issue of whether
computer-generated records were altered
• Or damaged after they were created
• One test to prove that computer-stored
records are authentic is to demonstrate
that a specific person created the records
– The author of a Microsoft Word document can
be identified by using file metadata
Demo: Metadata in FTK
• Save a Word document
• In FTK:
– Click No, OK, OK through the demo warning
boxes
– Go directly to working with program
– File, Add Evidence
– Enter your name, Next, Next
– Click "Add Evidence" button
– Click "Individual File", Continue
– Navigate to the Word document, double-click it
– OK, Next, Continue
FTK Demo
• In "File Category", click the Documents
button
• Select the document in the lower pane
• "View files in native format" shows the
text typed into the Word document
• "View files in filtered text format" shows
the metadata, such as the registered
owner of the program
Understanding Rules of
Evidence (continued)
• The process of establishing digital
evidence’s trustworthiness originated with
written documents and the best evidence
rule
• Best evidence rule states:
– To prove the content of a written document,
recording, or photograph, ordinarily the
original writing, recording, or photograph is
required
Understanding Rules of
Evidence (continued)
• Rules of Evidence
– Allow a duplicate instead of originals when it
is "produced by the same impression as the
original … by mechanical or electronic re-recording
… or by other equivalent techniques
which accurately reproduce the original."
• As long as bit-stream copies of data are
created and maintained properly
– The copies can be admitted in court, although
they aren’t considered best evidence
When a Copy is All You Have
• If the hard drive crashes after you make
the copy
• If removing the original computers is not
possible, because it would cause harm to
a business or its owner, who might be an
innocent bystander
– Steve Jackson Games was harmed in this
manner when the Secret Service seized all
computers because BBS users placed
evidence of a crime on them
– The company sued and won (link Ch 5a)
Collecting Evidence in Private-
Sector Incident Scenes
• Private-sector organizations include:
– Businesses and government agencies that aren’t
involved in law enforcement
• Agencies must comply with state public disclosure
and federal Freedom of Information Act (FOIA) laws
– And make certain documents available as public
records
• FOIA allows citizens to request copies of public
documents created by federal agencies
Collecting Evidence in Private-
Sector Incident Scenes
• A special category of private-sector businesses
includes ISPs and other communication companies
• ISPs can investigate computer abuse committed by
their employees, but not by customers
– Except for activities that are deemed to create an
emergency situation
• Investigating and controlling computer incident
scenes in the corporate environment
– Much easier than in the criminal environment
– Incident scene is often a workplace
Collecting Evidence in Private-
Sector Incident Scenes
• Typically, businesses have inventory databases of
computer hardware and software
– Help identify the computer forensics tools needed to
analyze a policy violation
• And the best way to conduct the analysis
• Corporate policy statement about misuse of computing
assets
– Allows corporate investigators to conduct covert
surveillance with little or no cause
– And access company systems without a warrant
Collecting Evidence in Private-
Sector Incident Scenes (continued)
• Companies should display a warning
banner or publish a policy, or both
– Stating that they reserve the right to inspect
computing assets at will
• Corporate investigators should know
under what circumstances they can
examine an employee’s computer
– Every organization must have a well-defined
process describing when an investigation can
be initiated
Collecting Evidence in Private-
Sector Incident Scenes (continued)
• If a corporate investigator finds that an
employee is committing or has committed
a crime
– Employer can file a criminal complaint with the
police
• Employers are usually interested in
enforcing company policy
– Not seeking out and prosecuting employees
• Corporate investigators are, therefore,
primarily concerned with protecting
Collecting Evidence in Private-
Sector Incident Scenes (continued)
• If you discover evidence of a crime during
a company policy investigation
– Determine whether the incident meets the
elements of criminal law
– Inform management of the incident
– Stop your investigation to make sure you
don’t violate Fourth Amendment restrictions
on obtaining evidence
– Work with the corporate attorney to write an
affidavit confirming your findings
Becoming an Agent of Law
Enforcement
• If law enforcement officers ask you to find
more information, you are at legal risk
– Don’t do any further investigation until you
receive a subpoena or court order
Processing Law Enforcement
Crime Scenes
• You must be familiar with criminal rules of
search and seizure
• You should also understand how a search
warrant works and what to do when you process
one
• Law enforcement officer may search for and
seize criminal evidence only with probable
cause
– Facts or circumstances that lead a reasonable
person to believe a crime has been committed
or is about to be committed
Processing Law Enforcement
Crime Scenes (continued)
• With probable cause, a police officer can
obtain a search warrant from a judge
– That authorizes a search and seizure of
specific evidence related to the criminal
complaint.
Understanding Concepts and
Terms Used in Warrants
• Innocent information
– Unrelated information
– Often included with the evidence you’re trying
to recover
• Judges often issue a limiting phrase to
the warrant
– Allows the police to separate innocent
information from evidence
Understanding Concepts and
Terms Used in Warrants
• Plain view doctrine
– Objects falling in plain view of an officer who
has the right to be in position to have that
view
• Are subject to seizure without a warrant and may
be introduced in evidence
• “Knock and announce”
– With few exceptions, warrants require that
officers knock and announce their identity
• When executing a warrant
Sample Criminal Investigation
• Computer crimes examples
– Fraud
– Check fraud
– Homicides
• Need a warrant to start seizing evidence
– Limit searching area
Sample Criminal Investigation
(continued)
Preparing for a Search
• Preparing for a computer search and
seizure
– Probably the most important step in
computing investigations
• To perform these tasks
– You might need to get answers from the victim
and an informant
• Who could be a police detective assigned to the
case, a law enforcement witness, or a manager or
coworker of the person of interest to the
investigation
Identifying the Nature of the
Case
• When you’re assigned a computing
investigation case
– Start by identifying the nature of the case
• Including whether it involves the private or public
sector
• The nature of the case dictates how you
proceed
– And what types of assets or resources you
need to use in the investigation
Identifying the Type of
Computing System
• For law enforcement
– This step might be difficult because the crime
scene isn’t controlled
• If you can identify the computing system
– Estimate the size of the drive on the suspect’s
computer
• And how many computers to process at the scene
• Determine which OSs and hardware are
involved
Determining Whether You Can
Seize a Computer
• The type of case and location of the evidence
– Determine whether you can remove
computers
• Law enforcement investigators need a warrant to
remove computers from a crime scene
– And transport them to a lab
• If removing the computers will irreparably harm a
business
– The computers should not be taken offsite
Determining Whether You Can
Seize a Computer (continued)
• An additional complication is files stored
offsite that are accessed remotely
• If you aren’t allowed to take the computers
to your lab
– Determine the resources you need to acquire
digital evidence and which tools can speed
data acquisition
Obtaining a Detailed Description
of the Location
• Get as much information as you can
• Identify potential hazards
– Interact with your HAZMAT team
• HAZMAT guidelines
– A HAZMAT technician may need to acquire the
image, following your instructions
– You may need to put the target drive in a
special HAZMAT bag
– HAZMAT technician can decontaminate the bag
– Check for high temperatures
Determining Who Is in Charge
• Corporate computing investigations
– Require only one person to respond
• Law enforcement agencies
– Handle large-scale investigations
– Designate lead investigators
Using Additional Technical
Expertise
• Look for specialists
– OSs
– RAID servers
– Databases
• Finding the right person can be a
challenge
• Educate specialists in investigative
techniques
– Prevent evidence damage
Determining the Tools You Need
• Prepare tools using incident and crime
scene information
• Initial-response field kit
– Lightweight
– Easy to transport
• Extensive-response field kit
– Includes all tools you can afford
Preparing the Investigation
Team
• Review facts, plans, and objectives with
the investigation team you have
assembled
• Goals of scene processing
– Collect evidence
– Secure evidence
• Slow response can cause digital evidence
to be lost
Securing a Computer Incident or
Crime Scene
• Goals
– Preserve the evidence
– Keep information confidential
• Define a secure perimeter
– Use yellow barrier tape
– Legal authority: keep unnecessary people out
but don’t obstruct justice or fail to comply with
police officers
• Professional curiosity can destroy evidence
– Involves police officers and other professionals
who aren’t part of the crime scene processing
team
Seizing Digital Evidence at the
Scene
• Law enforcement can seize evidence
– With a proper warrant
• Corporate investigators rarely can seize evidence
• When seizing computer evidence in criminal
investigations
– Follow U.S. DoJ standards for seizing digital
data
• Civil investigations follow same rules
– Require less documentation though
• Consult with your attorney for extra guidelines
Preparing to Acquire Digital
Evidence
• The evidence you acquire at the scene depends on
the nature of the case
– And the alleged crime or violation
• Ask your supervisor or senior forensics examiner in
your organization the following questions:
– Do you need to take the entire computer and all
peripherals and media in the immediate area?
– How are you going to protect the computer and
media while transporting them to your lab?
– Is the computer powered on when you arrive?
Processing an Incident or Crime
Scene
• Guidelines
– Keep a journal to document your activities
– Secure the scene
• Be professional and courteous with onlookers
• Remove people who are not part of the
investigation
– Take video and still recordings of the area
around the computer
• Pay attention to details
– Sketch the incident or crime scene
– Check computers as soon as possible
Handling a Running Computer
• Old rule: pull the plug
– Don’t cut electrical power to a running system
unless it’s an older Windows 9x or MS-DOS
system
• Perform a live acquisition if possible
• When shutting down Win XP or later, or
Linux/Unix, perform a normal shutdown, to
preserve log files
• Save data from current applications as
safely as possible
Processing Data Centers with
RAID Systems
• Sparse acquisition
– Technique for extracting evidence from large
systems
– Extracts only data related to evidence for your
case from allocated files
• And minimizes how much data you need to
analyze
• Drawback of this technique
– It doesn’t recover data in free or slack space
Using a Technical Advisor
• Technical advisor
– Can help you list the tools you need to
process the incident or crime scene
– Person guiding you about where to locate
data and helping you extract log records
• Or other evidence from large RAID servers
– Can help create the search warrant by
itemizing what you need for the warrant
Technical Advisor
Responsibilities
• Know aspects of the seized system
• Direct investigator handling sensitive
material
• Help secure the scene
• Help document the planning strategy for
search and seizure
• Conduct ad hoc trainings
• Document activities
• Help conduct the search and seizure
Documenting Evidence in the
Lab
• Record your activities and findings as you
work
– Maintain a journal to record the steps you
take as you process evidence
• Goal is to be able to reproduce the same
results
– When you or another investigator repeat the
steps you took to collect evidence
• A journal serves as a reference that
documents the methods you used to
Processing and Handling Digital
Evidence
• Maintain the integrity of digital evidence in
the lab
– As you do when collecting it in the field
• Steps to create image files:
– Copy all image files to a large drive
– Start your forensics tool to analyze the
evidence
– Run an MD5 or SHA-1 hashing algorithm on
the image files to get a digital hash
– Secure the original media in an evidence
locker
Storing Digital Evidence
• The media you use to store digital
evidence usually depends on how long
you need to keep it
• CD-Rs or DVDs
– The ideal media
– Capacity: up to 17 GB
– Lifespan: 2 to 5 years
• Magnetic tapes
– Capacity: 40 to 72 GB
– Lifespan: 30 years
Storing Digital Evidence
(continued)
Evidence Retention and Media
Storage Needs
• To help maintain the chain of custody for digital
evidence
– Restrict access to lab and evidence storage
area
• Lab should have a sign-in roster for all visitors
– Maintain logs for a period based on legal
requirements
• You might need to retain evidence indefinitely
– You cannot retain child pornography evidence,
however
Evidence Retention and Media
Storage Needs (continued)
Documenting Evidence
• Create or use an evidence custody form
• An evidence custody form serves the
following functions:
– Identifies the evidence
– Identifies who has handled the evidence
– Lists dates and times the evidence was
handled
• You can add more information to your form
– Such as a section listing MD5 and SHA-1
hash values
Documenting Evidence
(continued)
• Include any detailed information you might
need to reference
• Evidence bags also include labels or
evidence forms you can use to document
your evidence
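The custody form described on the two slides above, as an added example that is not part of the lecture: a small record that identifies the item, carries its MD5 and SHA-1 values, and logs every handler with a timestamp. The case number, item number, names and timestamps are constructed; the two digests are the well-known hashes of empty input, used only as well-formed placeholders.

```python
# Added example (not from the lecture): a minimal evidence custody record that
# identifies the item, carries its MD5/SHA-1 values, and logs every handler with
# a timestamp. Names, case numbers and digests below are constructed samples.
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

DIGEST_LENGTH = {"md5": 32, "sha1": 40}   # hex characters in a digest


def is_valid_digest(algorithm: str, digest: str) -> bool:
    """True when digest is a well-formed hex string for the named algorithm."""
    n = DIGEST_LENGTH.get(algorithm.lower())
    return n is not None and re.fullmatch(r"[0-9a-fA-F]{%d}" % n, digest) is not None


@dataclass
class CustodyEntry:
    when: datetime      # timezone-aware
    handler: str
    action: str         # seized, transported, checked in, checked out, imaged, ...
    note: str = ""


@dataclass
class EvidenceRecord:
    evidence_id: str
    case_number: str
    description: str
    hashes: dict = field(default_factory=dict)   # algorithm -> hex digest
    chain: list = field(default_factory=list)    # CustodyEntry objects, oldest first

    def set_hash(self, algorithm: str, digest: str) -> None:
        if not is_valid_digest(algorithm, digest):
            raise ValueError(f"{digest!r} is not a valid {algorithm} digest")
        self.hashes[algorithm.lower()] = digest.lower()

    def log(self, handler: str, action: str, when: datetime, note: str = "") -> None:
        """Append a custody entry; entries must carry a timezone and stay chronological."""
        if when.tzinfo is None:
            raise ValueError("custody timestamps must be timezone-aware")
        if self.chain and when < self.chain[-1].when:
            raise ValueError("custody entries must be appended in chronological order")
        self.chain.append(CustodyEntry(when, handler, action, note))

    def handlers(self) -> list:
        """Everyone who has handled the item, in first-contact order."""
        seen = []
        for entry in self.chain:
            if entry.handler not in seen:
                seen.append(entry.handler)
        return seen

    def render(self) -> str:
        """Plain-text form suitable for printing and attaching to the evidence bag."""
        lines = [f"EVIDENCE CUSTODY FORM   Case: {self.case_number}   Item: {self.evidence_id}",
                 f"Description: {self.description}"]
        lines += [f"{alg.upper()}: {digest}" for alg, digest in sorted(self.hashes.items())]
        lines.append(f"{'Date/Time (UTC)':<20} {'Handler':<22} Action")
        for e in self.chain:
            note = f"  ({e.note})" if e.note else ""
            lines.append(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.handler:<22} {e.action}{note}")
        return "\n".join(lines)


def sample_record() -> EvidenceRecord:
    """Constructed sample: one drive passing through three handlers."""
    rec = EvidenceRecord("ITEM-07", "CASE-2024-0113", "2.5in SATA drive, serial (constructed) XYZ123")
    rec.set_hash("md5", "d41d8cd98f00b204e9800998ecf8427e")     # placeholder digests
    rec.set_hash("sha1", "da39a3ee5e6b4b0d3255bfef95601890afd8079d")
    t = datetime(2024, 1, 13, 9, 0, tzinfo=timezone.utc)
    rec.log("A. Examiner", "seized at scene", t, "bagged and sealed")
    rec.log("A. Examiner", "transported to lab", t.replace(hour=11))
    rec.log("B. Custodian", "checked in to evidence locker", t.replace(hour=11, minute=40))
    rec.log("C. Analyst", "checked out for imaging", t.replace(day=14, hour=8))
    rec.log("C. Analyst", "checked in", t.replace(day=14, hour=15), "image hashes verified")
    return rec


if __name__ == "__main__":
    print(sample_record().render())
```

The record refuses timestamps without a timezone and entries that run backwards in time, because an out-of-order or ambiguous entry is exactly the gap opposing counsel will probe in the chain of custody.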
Obtaining a Digital Hash
• Cyclic Redundancy Check (CRC)
– Mathematical algorithm that determines
whether a file’s contents have changed
– Most recent version is CRC-32
– Not considered a forensic hashing algorithm
• Message Digest 5 (MD5)
– Mathematical formula that translates a file into
a hexadecimal code value, or a hash value
– If a bit or byte in the file changes, it alters the
digital hash
Obtaining a Digital Hash
(continued)
• Secure Hash Algorithm version 1 (SHA-1)
– A newer hashing algorithm
– Developed by the National Institute of
Standards and Technology (NIST)
Obtaining a Digital Hash
(continued)
• Three rules for forensic hashes:
– You can’t predict the hash value of a file or
device
– No two hash values can be the same
– If anything changes in the file or device, the
hash value must change
Obtaining a Digital Hash
(continued)
Reviewing a Case
• General tasks you perform in any
computer forensics case:
– Identify the case requirements
– Plan your investigation
– Conduct the investigation
– Complete the case report
– Critique the case
Sample Civil Investigation
• Most cases in the corporate environment
are considered low-level investigations
– Or noncriminal cases
• Common activities and practices
– Recover specific evidence
• Suspect’s Outlook e-mail folder (PST file)
– Covert surveillance
• Its use must be well defined in the company
policy
• Risk of civil or criminal liability
– Sniffing tools for data transmissions
Covert Surveillance Tools
• Spector
• WinWhatWhere
• EnCase Enterprise Edition
Thank You!