BACS 371 Computer Forensics

BACS 371 Computer Forensics Overview of a Digital Investigation

Introduction
Successful forensic analysts follow a predefined pattern of activities when performing an investigation. These patterns (or “models”) are designed to ensure that:
All necessary steps are completed in the proper order
All activities are performed in a legal manner
Analysis is performed to generate admissible evidence
Adequate documentation is collected to ensure the creation of a robust case
It is extremely important that everything be “legal” and that all steps are documented. Failure to do this can endanger the case, because opposing counsel can raise doubt and cause the evidence to be ruled inadmissible.

Investigation Model
There are several investigation models available. A popular one is the 6-step Casey model:
Identification / Assessment
Collection / Acquisition
Preservation
Examination
Analysis
Reporting

6-Step Casey Model

Identification / Assessment
Define the scope and likely venue of the examination
Collect all legal documentation needed
Get any permissions required for resources not covered by warrants
Identify the tools required
Identify the personnel needed
Identify the stakeholders
In other words, determine the “lay of the land” of the case. Prior to accepting the case, you need to decide if you are qualified to handle it (scope and examination expertise).

Identification / Assessment
For internal investigations you will need a signed letter of agreement outlining the scope of the investigation along with the contractual details.
For civil investigations you will need a court order or subpoena before starting.
For criminal investigations you will need a warrant.
Once this is in place, determine the likely sources of evidence for the case.
If you are working a criminal case, you will most likely have been hired by a government agency. It will have its own processes and procedures to adhere to in addition to the legal documents listed above. As a general rule, always assume that the case will go to trial; that way you will have all the needed documentation and procedures in place to build a strong case.

Collection / Acquisition
Collection methods must assure that:
Data is authentic
Sources of data are reliable
Nothing was modified throughout the process
All tools used are valid
Personnel are qualified to do their jobs
Enough evidence exists to prove a point
Conclusions are valid

Collection / Acquisition
When collecting digital media, remember all issues of legal “search & seizure”.
If the device runs on batteries, place it in a Faraday bag with an additional power source. The bag isolates the device from all radio networks, so it cannot be remotely wiped or receive new data; the power source matters because a device cut off from the network keeps searching for signal and drains its battery, and a device that powers down may lock or re-encrypt and lose its volatile state.
In a “live acquisition”, use proper procedures to capture data on-site.
Utilize “best practices” procedures to ensure that the physical devices are not compromised.
Maintain (and document) a clean chain of custody.
Document all steps taken to collect the devices, from the initial contact through arrival at the forensic lab.

Preservation
Use dependable, court-recognized tools to image (i.e., collect) the data from the source media, and attach the source through a write blocker so the imaging process itself cannot alter it.
NEVER work on original data sources.
Target media for copies must be uncontaminated (wiped and verified before use).
Authenticate that the copy is identical to the original by computing hash values (e.g., SHA-256) of both and recording them.
Make a 2nd copy.
Store the original and the 2nd copy in a secure location where you can control access.
Maintain a thorough chain of custody.
If live acquisition was used, then you will already have some data (e.g., RAM, page file, network logs, …) preserved. You will likely still have to image the device once it is turned off.
Chain of custody is a full record of how the evidence was handled and who had access. Gaps in the chain of custody are an open invitation to having the evidence ruled inadmissible.
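The imaging, hash verification and second-copy steps above, as an added worked example (this is not code from the course; it assumes Python 3 on a POSIX host, and the “drives”, item labels and examiner name are constructed placeholders). It images a source bit for bit, zero-fills and records any unreadable block instead of silently aborting, re-hashes the image as it sits on the target media, duplicates it, verifies the duplicate too, and emits the records the chain of custody needs:

```python
"""Preservation: image, verify by hash, second copy, custody record.
Added example, not the course's own code; assumes Python 3 on POSIX.
The sample "drives" are constructed in memory for illustration."""
import hashlib, io, os, shutil, tempfile
from datetime import datetime, timezone

BLOCK = 4096  # acquisition block size (assumption)


class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable block."""
    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError(5, "Input/output error")
        return super().read(n)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, block=BLOCK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path, block=BLOCK):
    """Bit-for-bit copy of a seekable binary stream. An unreadable block is
    zero-filled and its offset recorded (like `dd conv=noerror,sync`), so the
    image stays aligned with the original and the gap is documented."""
    digest, bad_blocks, offset = hashlib.sha256(), [], 0
    with open(image_path, "wb") as img:
        while True:
            try:
                chunk = source.read(block)
            except OSError:
                bad_blocks.append(offset)
                chunk = b"\x00" * block
                source.seek(offset + block)  # step past the bad block
            if not chunk:
                break
            img.write(chunk)
            digest.update(chunk)
            offset += len(chunk)
    return {"image_sha256": digest.hexdigest(), "bytes": offset, "bad_blocks": bad_blocks}


def verify(path, expected_sha256):
    """Re-hash the file as it sits on the target media; catches write errors and tampering."""
    return sha256_file(path) == expected_sha256


def custody_record(item, action, person, sha256, note=""):
    return {"item": item, "action": action, "by": person, "sha256": sha256,
            "utc": datetime.now(timezone.utc).isoformat(), "note": note}


def preserve(source, workdir, examiner, item):
    """Image, verify, duplicate, verify again; returns (acquisition, custody log)."""
    image = os.path.join(workdir, item + ".dd")
    working = os.path.join(workdir, item + ".working.dd")
    acq = acquire(source, image)
    if not verify(image, acq["image_sha256"]):
        raise RuntimeError("image on target media does not match acquisition hash")
    log = [custody_record(item, "imaged", examiner, acq["image_sha256"],
                          note=f"bad_blocks={acq['bad_blocks']}")]
    shutil.copyfile(image, working)  # analysis runs on this copy, never the original
    if not verify(working, acq["image_sha256"]):
        raise RuntimeError("working copy does not match image")
    log.append(custody_record(item + " working copy", "duplicated", examiner, acq["image_sha256"]))
    return acq, log


def run_demo():
    """Constructed 16 KiB 'drive' (4 blocks): imaged clean, then with block 2 unreadable."""
    data, results = bytes(range(256)) * 64, {}
    with tempfile.TemporaryDirectory() as d:
        acq, log = preserve(io.BytesIO(data), d, "J. Examiner", "CLEAN-001")
        results["clean"] = {"match": acq["image_sha256"] == sha256_bytes(data),
                            "bad_blocks": acq["bad_blocks"], "log_entries": len(log)}
        acq, log = preserve(FlakySource(data, 2 * BLOCK), d, "J. Examiner", "FLAKY-001")
        with open(os.path.join(d, "FLAKY-001.dd"), "rb") as f:
            img = f.read()
        results["faulty"] = {"match": acq["image_sha256"] == sha256_bytes(data),
                             "bad_blocks": acq["bad_blocks"],
                             "size_ok": len(img) == len(data),
                             "zero_filled": img[2 * BLOCK:3 * BLOCK] == b"\x00" * BLOCK,
                             "rest_intact": img[:2 * BLOCK] + img[3 * BLOCK:] == data[:2 * BLOCK] + data[3 * BLOCK:]}
    return results
```

In the faulty case the recorded hash is still the hash of what was actually written, so the bad-block list has to travel with the custody record and be explained in the report's discrepancy section; it is not a mismatch to hide. A hardware write blocker between the source and the imaging host is still required: nothing in this script stops the host operating system from touching the original.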

Examination
Look through your data image for overt evidence: for example, pictures, documents, spreadsheets, etc. that could be evidence.
Look for evidence that the system may have hidden.
Look for evidence that the user may have deleted but that is still recoverable.
Look for evidence of anti-forensic techniques being employed: for example, encryption, alternate data streams (ADS), hidden partitions, etc.
Use court-recognized tools whenever possible.
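One way the “deleted but still recoverable” step works in practice is signature carving of unallocated space: a deleted file's directory entry is gone, but its bytes remain until overwritten. The following is an added example, not code from the course or from any forensic tool; the “unallocated space” it scans is constructed inline and the two signatures it knows are an assumption for illustration.

```python
"""Examination: recover deleted-but-not-overwritten files from unallocated
space by carving on file signatures. Added example, not the course's own
code; the "unallocated space" below is constructed for illustration."""
import hashlib

# Header / footer byte signatures (assumption: only these two types are carved)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),                 # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),  # signature ... IEND chunk + CRC
}


def carve(blob, max_len=16 * 1024 * 1024):
    """Return every header..footer span found in `blob`, sorted by offset.

    A header with no footer within max_len is skipped rather than guessed:
    report only what the bytes support. Contiguous carving recovers files
    that were deleted but not overwritten; fragmented files are missed and
    a stray signature inside another file yields a false hit, so every
    carved object still has to be opened and validated."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        start = 0
        while True:
            s = blob.find(head, start)
            if s < 0:
                break
            e = blob.find(foot, s + len(head), s + max_len)
            if e < 0:
                start = s + 1
                continue
            e += len(foot)
            found.append({"type": kind, "offset": s, "length": e - s,
                          "sha256": hashlib.sha256(blob[s:e]).hexdigest()})
            start = e
    return sorted(found, key=lambda f: f["offset"])


def extract(blob, hit):
    """Bytes of one carved object (to be written out and hashed for the report)."""
    return blob[hit["offset"]:hit["offset"] + hit["length"]]


def build_sample():
    """Constructed unallocated space: zeroed sectors, a minimal JPEG, text
    fragments and a minimal PNG, with no directory entries pointing at them."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x22" * 17
           + b"\x00\x00\x00\x00" + b"IEND\xae\x42\x60\x82")
    sector = b"\x00" * 512
    return sector + jpeg + sector + b"unrelated text " * 8 + png + sector
```

Each hit is reported with its offset, length and hash so the carved object can be tied back to the image in the report. Real tools add per-format validation (parsing the JPEG segment chain, checking PNG chunk CRCs) to weed out false hits; this block stops at the signature match, which is the part the slide describes.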

Analysis
Based on your knowledge of the case, decide what evidence is material to the case.
Using whatever forensic tools you deem necessary, locate and extract all material evidence (both inculpatory and exculpatory).
If appropriate, build a timeline of activity.
Document all your findings as you go so that the final report is easier to write.
Inculpatory: supports the hypothesis of the case
Exculpatory: does not support the hypothesis of the case

Reporting
Using the extremely detailed documentation that you have collected so far:
Begin writing the report in a standard format appropriate for the audience.
Fully explain all evidence that was retrieved.
Fully explain any problems or discrepancies encountered during your analysis.
Do not make any assertions of innocence or guilt. Just present the facts as you found them. Remember, you are to be completely objective.

Importance of “Best Practices” Formal investigative models and “best practices” are used in forensics to counter the opposition’s argument that the evidence is inadmissible. Even if your methods are flawless, it is the job of the opposing attorney to cast doubt on your findings. Using standard, well-accepted procedures and best practices minimizes the chance that the opposition’s arguments will be accepted. Not using them is an open invitation to problems at the trial.

Importance of Documentation
The work product of your analysis is the documentation. Without good documentation, you cannot present a robust case.
5 levels of documentation are needed:
General case documentation
Procedural documentation
Process documentation
Case timeline
Evidence chain of custody
Some of these levels are easier to maintain than others. For example, the chain of custody documentation is usually a signed form indicating who had access to the digital device.

General Case Documentation
Contact information for everyone involved
First response documentation
Notes
Photographs
Videos
All legal authorizations

Procedural Documentation
Every task that was performed related to the investigation (as opposed to process documentation, which covers the tools themselves)
Summary of events
List of equipment seized
What steps were taken and what tools were used
Detailed analysis of the data

Process Documentation
Documentation of the tools and procedures used:
User manuals
Installation manuals
README files
Update history logs
Results of testing

Case Timeline
Two timelines are kept:
Case timeline
Systematic analysis of what transpired
Times and dates of related events
MAC data of files involved
Procedural timeline
Detailed list of steps taken
Times and dates each step began and ended
“MAC data” is the Modified, Accessed, and Created timestamps of a file. The term is not related to Apple computers. Note that on NTFS the C is a creation time, whereas on Unix-style file systems the ctime records the last metadata change (ownership, permission or timestamp changes), not creation; record which semantics apply and the time zone in which the timestamps were interpreted.
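Building the case timeline from MAC data, as an added example serving both the Analysis slide's “build a timeline of activity” and the MAC timestamps described here (this is not code from the course; it assumes Python 3 on a POSIX host, and the files, names and timestamps are constructed for illustration). It produces one row per timestamp per file and sorts them, the same shape as a mactime body file, and renders them in UTC so the report states which zone it used:

```python
"""Case timeline from MAC timestamps, in the spirit of a mactime body file.
Added example, not the course's own code; assumes Python 3 on a POSIX
system and builds a constructed directory of sample files."""
import os
import tempfile
from datetime import datetime, timezone


def mac_timeline(root):
    """One row per timestamp per file: (epoch_seconds, flag, relative path), sorted.
    flag is m (modified), a (accessed) or c (POSIX ctime = last metadata
    change; only on NTFS does the 'C' mean creation)."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks planted in the image
            rel = os.path.relpath(path, root)
            rows.extend([(st.st_mtime, "m", rel), (st.st_atime, "a", rel), (st.st_ctime, "c", rel)])
    rows.sort()
    return rows


def render(rows):
    """Human-readable lines; timestamps are rendered in UTC and say so."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc).isoformat()} {flag} {path}"
            for ts, flag, path in rows]


def build_demo():
    """Constructed sample: two files with known m/a times set via utime.
    ctime cannot be set from user space and lands on 'now', which is itself
    the lesson: utime() changed the metadata, so the c row records our own action."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "docs/notes.txt": (1699990000, 1700000100),    # (mtime, atime) in epoch seconds
            "docs/invoice.xlsx": (1700000000, 1700003600),
        }
        for rel, (mtime, atime) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"constructed content")
            os.utime(path, (atime, mtime))  # os.utime takes (atime, mtime)
        return mac_timeline(root)
```

The c rows landing at “now” illustrate why the timeline is built from the working copy of the image, never from the original: even a metadata-only action by the examiner rewrites ctime, and the report would then have to explain it away.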

Chain of Custody
Begins when evidentiary materials are first seized
Time and date taken
From whom and where
Complete description of each item
Every time an item changes hands: time, date and people involved (get signatures)
There can be no gaps in the history
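The “no gaps” rule can be checked mechanically before the form goes into the case file. The following is an added example, not code from the course: it encodes the requirements on this slide (seizure record with time, source and description; each hand-off starting with the previous holder; time running forward; signatures from both parties) and runs them over two constructed logs, one unbroken and one with the evidence-locker hand-off missing. All names, item labels and serials are placeholders.

```python
"""Chain-of-custody continuity check: every transfer must start where the
previous one ended, run forward in time, and carry both signatures.
Added example, not the course's own code; the logs below are constructed
and every name, item label and serial is a placeholder."""
from datetime import datetime


def validate_custody(log):
    """Return a list of problems (empty means the chain is unbroken)."""
    problems = []
    if not log:
        return ["empty chain of custody"]
    first = log[0]
    for field in ("time", "item", "description", "from", "to", "signed_by"):
        if not first.get(field):
            problems.append(f"entry 0: seizure record is missing '{field}'")
    prev = None
    for i, e in enumerate(log):
        if e.get("item") != first.get("item"):
            problems.append(f"entry {i}: item {e.get('item')!r} differs from {first.get('item')!r}")
        if prev is not None:
            if e.get("from") != prev.get("to"):
                problems.append(f"entry {i}: released by {e.get('from')!r} but last holder was "
                                f"{prev.get('to')!r} (gap in custody)")
            if datetime.fromisoformat(e["time"]) < datetime.fromisoformat(prev["time"]):
                problems.append(f"entry {i}: time {e['time']} is earlier than entry {i - 1}")
            required = {e.get("from"), e.get("to")}
        else:
            required = {e.get("to")}  # the seizing officer signs the first record
        missing = required - set(e.get("signed_by", []))
        if missing:
            problems.append(f"entry {i}: missing signature(s) from {sorted(missing)}")
        prev = e
    return problems


GOOD_LOG = [
    {"time": "2024-03-04T09:12:00", "item": "HDD-001",
     "description": "1 TB SATA drive, S/N CONSTRUCTED-0001, removed from desktop in Room 204",
     "from": "A. Custodian (Room 204)", "to": "Ofc. Lee",
     "signed_by": ["Ofc. Lee", "Sgt. Cho (witness)"]},
    {"time": "2024-03-04T15:40:00", "item": "HDD-001",
     "from": "Ofc. Lee", "to": "Clerk Diaz (evidence locker)",
     "signed_by": ["Ofc. Lee", "Clerk Diaz (evidence locker)"]},
    {"time": "2024-03-05T08:05:00", "item": "HDD-001",
     "from": "Clerk Diaz (evidence locker)", "to": "J. Examiner",
     "signed_by": ["Clerk Diaz (evidence locker)", "J. Examiner"]},
]

# Same chain with the locker hand-off left out of the final entry, a time
# that runs backwards, and only one signature: three separate openings for
# opposing counsel.
BAD_LOG = [
    GOOD_LOG[0],
    GOOD_LOG[1],
    {"time": "2024-03-04T15:00:00", "item": "HDD-001",
     "from": "Ofc. Lee", "to": "J. Examiner", "signed_by": ["Ofc. Lee"]},
]
```

The check is deliberately strict about the hand-off chain: a record that says the examiner received the drive from the officer when the locker clerk was the last signed holder is exactly the gap the slide warns about, even if every other field is filled in.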

Summary
You should use a generally accepted investigation model along with forensic best practices. The model will help you perform all the steps in the proper order and will defuse the opposing attorney’s claims that your evidence is inadmissible. The forensic report is really the only deliverable of your work. You need meticulous documentation to create a professional forensic report.