Guide to Computer Forensics and Investigations, Second Edition


Chapter 6: Digital Evidence Controls
Presenter note: check the links on slides 3 and 5; open
http://68.156.151.124/
http://www.ioce.org/
http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm
http://www.ojp.usdoj.gov/nij/topics/ecrime/pubs.htm
http://www.usdoj.gov/01whatsnew/01_1.html

Guide to Computer Forensics and Investigations, 2e

Objectives
- Identify digital evidence
- Secure digital evidence at an incident scene
- Catalog digital evidence
- Store digital evidence
- Obtain a digital hash

Identifying Digital Evidence
- Evidence stored or transmitted in digital form
- Courts accept digital evidence as physical evidence
- Groups:
  - Scientific Working Group on Digital Evidence (SWGDE): active law enforcement only
  - International Organization on Computer Evidence (IOCE)
Notes: Digital evidence is accepted as a physical, tangible object.

Identifying Digital Evidence (continued)
- Working with digital evidence:
  - Identify potential digital evidence
  - Collect, preserve, and document the evidence
  - Analyze, identify, and organize the evidence
  - Verify that the results can be reproduced
- It is a systematic job
- Use standardized forms for documentation
Notes: If possible, one person should handle collection, documentation, and so on; this keeps the record consistent and organized. If there is more evidence than one person can handle properly, all investigators should use the same standardized forms and procedures.

Understanding Evidence Rules
- Handle all evidence consistently
- Always apply the same security controls
- Evidence collected for a criminal case can also be used in civil litigation
- Keep current on the latest rulings and directives
  - Check the DoJ website
  - Check with your attorney on how to handle evidence
Notes: You need to follow the Federal Rules of Evidence as well as the state's rules of evidence.

Understanding Evidence Rules (continued)
- Bit-stream copies are considered physical evidence
- Other considerations for electronic evidence:
  - It can be changed more easily
  - It is hard to distinguish a duplicate from the original
- Computer records are hearsay evidence
  - Secondhand or indirect evidence
  - Not admissible at trial unless an exception applies (the business-record exception follows on the next slide)
Notes: Hearsay is indirect evidence, such as an overheard conversation or a comment about something someone else said. I can't testify that person B told me about a conversation with person A, because I can't vouch for the correctness of the information.

Understanding Evidence Rules (continued)
- Business-record exception
  - Records must have been created by the suspect
  - Records are original
- Computer records are admissible if they qualify as business records
  - Computer-generated records
  - Computer-stored records
Notes: Computer-generated records are produced by the system itself, such as system logs, not by a person. They are generally treated as authentic if the program that produced them was operating correctly. Computer-stored records are electronic data created by a human. To be usable as evidence, it must be shown that they were created by the person in question and have not been altered. Direct evidence that an individual created a record, particularly one recovered from slack or unallocated disk space, can be impossible to find; circumstantial evidence, such as the individual being logged on to the PC when the record was created, can be used to show authorship.

Understanding Evidence Rules (continued)
- Use known processes and tools when handling evidence
- Printouts qualify as original evidence
- Bit-stream copies also qualify as original evidence
- Use the original evidence when possible
Notes: Good collection procedures and methods make it much easier to have evidence admitted and validated in court. Digital evidence is presumed to be genuine unless a specific, supported accusation to the contrary is raised. Under the Federal Rules of Evidence a printout is an original if it "reflects the data accurately", which eliminates the need to enter the hard drive itself as evidence. The same reasoning covers a verified bit-stream image, which is why analysis is done on the image while the seized media stays in the evidence locker.

Securing Digital Evidence at an Incident Scene
- Depends on the nature of the case
- Considerations:
  - Do you need to take the entire computer system?
  - Is the computer powered on when you arrive?
  - Is the suspect near the computer?
Notes: For example, a network server that may hold evidence of a suspected crime cannot simply be removed from an innocent business; even taking it offline long enough to make a bit-stream copy of its drives may be too disruptive.

Securing Digital Evidence at an Incident Scene (continued)
- Guidelines:
  - Create a forensic copy
  - Handling a powered-on computer:
    - Photograph the screen contents first
    - Save active (volatile) data to removable media
    - Shut down the computer
  - Still- and video-record the scene
  - Be invisible (do not let the suspect know an investigation is under way)
Notes: Norton Ghost can be used to create a forensic copy of a hard drive onto another drive, but only in its sector-by-sector (raw) mode; Ghost's default clone copies files and used clusters, not every sector, and is not a bit-stream copy. The copy is then installed in the PC and the original is taken to the lab. This allows the user (who may be the suspect) to continue using the machine without suspecting that an investigation is taking place and without tampering with the evidence. Photograph every aspect of the PC, including the cables, connections, and peripherals. A standard shutdown will probably preserve files and documents, although it erases RAM and itself writes to the disk (log entries, temporary files, cache flushes). Hibernating (if available) may be a better procedure because it preserves the state of the PC, but it too writes the memory image to the hard drive, so capture volatile data before either step. Pulling the plug avoids those writes but can corrupt open databases and loses access to mounted encrypted volumes, so decide based on what is running.

Cataloging Digital Evidence
- If the computer is turned off:
  - Identify the type of computer
  - Photograph all cable connections
  - Label cables with evidence tags
  - Assign one person to collect and log evidence
  - Tagging: current date and time, serial numbers, make and model

Cataloging Digital Evidence (continued)
- If the computer is turned off (continued):
  - Maintain two separate logs for backup purposes
  - Maintain constant control of the collected evidence and of the scene

Cataloging Digital Evidence (continued)
- Additional steps if the computer is turned on:
  - Copy any application data shown on screen
  - Save RAM data to removable media
  - Shut down the computer
  - Use another OS to examine the hard disk data
  - Create a bit-stream copy of the suspect's hard disk
  - Verify the integrity of the forensic copy
Notes: Do not reboot the computer from its own hard drive; the boot process changes and destroys data. Boot from a floppy, CD, or USB device, and use a forensic boot medium that does not mount the suspect disk read-write (or put the disk behind a write blocker) so that nothing is written to it before it is imaged.

Lab Evidence Considerations
- Transport evidence to your lab
- Ensure the security and integrity of the digital evidence
- Record your activities and findings
  - Goal: reproduce the same results
- Save your journal for future reference
  - In court
  - For training

Processing and Handling Digital Evidence
- Create a bit-stream copy
- Use a write-blocking device
- Preserve the image file
- Steps:
  - Copy all bit-stream images to a large hard disk
  - Start forensic tools
  - Check the bit-stream image file's integrity
  - Place the original media in an evidence locker
Notes: Check file integrity by computing a hash of the original and of the copy and comparing the two values; record both values on the evidence custody form so the check can be repeated later.
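The acquire-hash-verify step above, as an added example (not code from the textbook or from any forensic tool): the source drive is hashed while it is being copied byte for byte, the image is re-hashed afterwards, both values go on a custody record, and one byte of the image is then flipped to show the check failing. The suspect media is a constructed byte string written to a temporary file; the function names and the record layout are this example's own choices.

```python
"""Bit-stream image, hash on the way in, verify the copy afterwards.

Added example. The 'drive' is a constructed byte string (SAMPLE_MEDIA)
written to a temp file so the example runs offline; in practice the
source would be a device node behind a hardware write blocker.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096
# Record both: MD5 for tools and forms that still expect it, SHA-256
# because MD5 collisions can be built deliberately.
ALGORITHMS = ("md5", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory byte string, keyed by algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_stream(fobj, algorithms=ALGORITHMS, sink=None):
    """Hash fobj in CHUNK-sized reads. If sink is given, every chunk is
    also written to it: that is the 'image while hashing' step."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for block in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
        if sink is not None:
            sink.write(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source_path, image_path):
    """Bit-stream copy source_path -> image_path. The source is opened
    read-only; returns the hashes of the source computed during the read."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        source_hashes = hash_stream(src, sink=dst)
        dst.flush()
        os.fsync(dst.fileno())
    return source_hashes


def verify(image_path, expected_hashes):
    """Re-hash the image and compare with the acquisition hashes.
    Returns (matches, image_hashes)."""
    with open(image_path, "rb") as img:
        image_hashes = hash_stream(img, algorithms=tuple(expected_hashes))
    return image_hashes == expected_hashes, image_hashes


def custody_entry(item_id, examiner, action, hashes):
    """One line for the evidence custody form: what, who, which action,
    when (UTC), and the hash values so a later reader can re-verify."""
    return {
        "item": item_id,
        "examiner": examiner,
        "action": action,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **hashes,
    }


# Constructed sample drive: an allocated file, unallocated zeros, and a
# fragment left in unallocated space. A bit-stream copy carries all of it.
SAMPLE_MEDIA = (b"invoice.txt: amount due 4,200.00\n"
                + b"\x00" * 2000
                + b"deleted: transfer to offshore acct\n"
                + b"\x00" * 3000)


def run_acquisition(media=SAMPLE_MEDIA, examiner="examiner 1"):
    """Write the sample media to a temp file, image it, verify the image,
    then flip one byte of the image and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_drive")
        image = os.path.join(tmp, "suspect_drive.dd")
        with open(source, "wb") as f:
            f.write(media)
        src_hashes = acquire(source, image)
        log = [custody_entry("item-001", examiner, "acquired", src_hashes)]
        ok_before, _ = verify(image, src_hashes)
        log.append(custody_entry("item-001", examiner, "verified", src_hashes))
        # Tamper with one byte (a bad sector copy, or a write to the
        # working copy) and show the verification failing.
        pos = len(media) // 2
        with open(image, "r+b") as f:
            f.seek(pos)
            b = f.read(1)
            f.seek(pos)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after, tampered = verify(image, src_hashes)
    return {"source_hashes": src_hashes, "verified": ok_before,
            "verified_after_tamper": ok_after, "tampered_hashes": tampered,
            "custody_log": log}


if __name__ == "__main__":
    for key, value in run_acquisition().items():
        print(key, value)
```

Hashing during the read, rather than in a second pass over the source, matters when the source is a failing drive: every read of it is one more chance for it to stop responding, so the acquisition hash should come from the same pass that produced the image.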

Storing Digital Evidence
- Considerations:
  - How to save it
  - What type of media
  - Where to store it
  - For how long
- Ideal media: CD-Rs and DVDs
Notes: Don't forget that CD and DVD media are not indestructible; writable discs degrade over time. Once created, copies should be made and stored off site.

Storing Digital Evidence (continued)
- Other storage options: magnetic tapes
  - 4mm DAT
  - DLT
  - Super-DLT (SDLT)
- Do not rely on only one method
Notes: Tape is an inherently fragile material, although it has greater capacity than CD or DVD. Again, multiple copies should be made and stored separately.

Storing Digital Evidence (continued)
(image-only slide)

Evidence Retention and Media Storage Needs
- Maintain the chain of custody so the evidence can be accepted in court
- Restrict access to the lab and to the storage area
  - When the lab is open: supervised by authorized personnel
  - When the lab is closed: protected by at least two security staff

Evidence Retention and Media Storage Needs (continued)
- Sign-in log for visitors
- Manual log system for evidence storage containers
- Evidence should be kept for a period based on legal requirements
- Child pornography material can only be stored by law enforcement agents
Notes: Child pornography is contraband and therefore cannot be legally possessed by anyone other than law enforcement agencies.

Evidence Retention and Media Storage Needs (continued)
(image-only slide)
Notes: The log shown on this slide identifies the evidence, who removed it, when, and when it was returned. Other information, such as the purpose of the removal, the serial number, or the hash value, may be useful as well.

Documenting Evidence
- Create or use an evidence custody form
- Update your form as technologies and methods for acquiring data change
- Evidence custody form functions:
  - Identifies the evidence
  - Identifies who has handled the evidence
  - Lists the dates and times the evidence was handled

Documenting Evidence (continued)
- Optional information:
  - MD5 hash value
  - Customized information
- Use evidence bags and labels
  - Write on the bag while it is still empty
  - Use antistatic bags for electronic components
- Keep an electronic copy of your evidence custody forms

Obtaining a Digital Hash
- Obtain a unique identity for file data
- Cyclic Redundancy Check (CRC)
  - One of the first methods
  - Most recent version: CRC-32
- MD5
  - Most common algorithm
  - A mathematical function maps a file of any length to a fixed-length value, conventionally written in hexadecimal
Notes: CRC-32 is a checksum designed to catch accidental corruption, not deliberate substitution; a different file with the same CRC-32 can be constructed at will. MD5's collision resistance is also broken (two different files with the same MD5 can be built deliberately), so record a SHA family hash alongside it.

Obtaining a Digital Hash (continued)
- A digital hash changes if even one bit or byte changes
- Verification process:
  - Create a hash value
  - Analyze the data
  - Create a second hash value
  - Compare the hash values (a match shows the analysis did not alter the data)
- Secure Hash Algorithm (SHA), developed by NIST
Notes: The Secure Hash Algorithm (SHA) is beginning to replace MD5 and CRC-32.

Obtaining a Digital Hash (continued)
- Digital hashes are like digital fingerprints
- A non-keyed hash set can identify known programs
- A keyed hash set can produce a unique fingerprint
Notes: A non-keyed hash does not change if the file name or extension is changed, which is what makes hash sets of known files useful: a renamed copy still matches. A keyed hash (for example an HMAC) mixes a secret key into the computation; because the value depends on the key, it cannot be used to build a universal hash set of common programs, but it gives the examiner a fingerprint that nobody without the key can reproduce.

Obtaining a Digital Hash (continued)
- Example:
  - Create a file with Notepad
  - Obtain its hash value with DriveSpy
  - Modify the file
  - Recompute its hash value
  - Compare the hash values

Create a File (screenshot slide)

DriveSpy (screenshot slide)

Computing Hash Value (screenshot slide)

Computing Hash Value (continued) (screenshot slide)
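The exercise on the preceding slides, worked with Python's hashlib instead of DriveSpy, as an added example that is not the textbook's exercise or DriveSpy output. It also carries through three points made earlier in the chapter: that a non-keyed hash ignores the file name (the hash-set slide), that a keyed hash depends on its key, and that CRC-32 is a checksum rather than a fingerprint, since four appended bytes force any CRC-32 value you choose. The file contents and the "forged" records are constructed here; forge_crc32 is this example's own implementation of the standard CRC-32 reversal.

```python
"""Create, hash, modify, re-hash, compare; then rename, key, and forge.

Added example. The note file, the HMAC key, and the two 'amount due'
records are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile
import zlib


def digest(data, alg="md5"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(alg, data).hexdigest()


def file_hash(path, alg="md5"):
    """Hex digest of a file, read in blocks so large images are fine."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def exercise():
    """The slide's five steps, then a rename to show the file name is
    not part of the hash."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "note.txt")
        with open(path, "w") as f:
            f.write("Meeting at 10:00, bring the invoices.\n")
        before = file_hash(path)
        with open(path, "a") as f:              # the modification step
            f.write("Shred the duplicates.\n")
        after = file_hash(path)
        renamed = os.path.join(tmp, "note.bak")
        os.rename(path, renamed)
        after_rename = file_hash(renamed)
    return {"before": before, "after": after, "after_rename": after_rename,
            "changed": before != after, "rename_changed": after != after_rename}


def keyed_fingerprint(data, key):
    """Keyed hash (HMAC-SHA256): same data, different key, different value."""
    return hmac.new(key, data, "sha256").hexdigest()


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


# Standard reflected CRC-32 table (polynomial 0xEDB88320). The top byte of
# each entry is unique, which is what lets the checksum be walked backwards.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def forge_crc32(data, target):
    """Return four bytes p such that crc32(data + p) == target."""
    reg = crc32(data) ^ 0xFFFFFFFF        # undo the final XOR: internal register
    want = target ^ 0xFFFFFFFF
    idxs = []
    for _ in range(4):                    # from the target, back through 4 steps
        idx = next(i for i in range(256) if _TABLE[i] >> 24 == want >> 24)
        idxs.append(idx)
        want = ((want ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for idx in reversed(idxs):            # forward from the data, picking each
        patch.append((reg ^ idx) & 0xFF)  # byte so the table index lands on idx
        reg = _TABLE[idx] ^ (reg >> 8)
    return bytes(patch)


def crc_collision(original, altered):
    """Pad 'altered' so it carries the same CRC-32 as 'original'."""
    return altered + forge_crc32(altered, crc32(original))


if __name__ == "__main__":
    print(exercise())
    msg = b"The quick brown fox jumps over the lazy dog"
    print(keyed_fingerprint(msg, b"key"), keyed_fingerprint(msg, b"other key"))
    orig = b"amount due: 4200.00"
    fake = crc_collision(orig, b"amount due: 0000.00")
    print(hex(crc32(orig)), hex(crc32(fake)), digest(orig) == digest(fake))
```

The forged record differs from the original in its visible content and in every cryptographic hash, yet its CRC-32 is identical, which is the reason a CRC belongs on a custody form only as a transmission check and never as the integrity value a court will be shown.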

Summary
- Digital evidence: information stored or transmitted on electronic or optical media; fragile and easy to alter
- Working with digital evidence: identify potential evidence; collect, preserve, document, analyze, and organize it

Summary (continued)
- Handle evidence consistently for criminal or civil investigations
- Catalog or document the evidence you find at a crime scene
- Store evidence
- Create forensic copies of your evidence
- Use digital hashes (what the text calls digital signatures) to verify evidence integrity

Questions & Discussion