Beginning of the Computer Forensic Investigation
The computer forensic investigation begins at the time the first notification comes to the examiners’ attention. From the outset, information sharing, advice, and incident response must be efficient and properly handled or evidence can be tainted before the actual examination commences. If mishandled, the examiner could be subject to vicious attack on the witness stand, or even worse, the evidence collected may be rendered inadmissible. Investigators rarely know how a person under investigation will react when they find out they find out investigators are on their way to seize their computer.
Text String Searches
The safety and security of investigators, and the evidence, are the paramount concern from the beginning. The incident response process can be quite strenuous at times, but attempting to cut corners and rush through the steps can ultimately lead to unprofessional work and major mistakes. Painstaking attention to detail, proper evidence handling, and observance of legal restrictions, are a recipe for professional incident response, a good follow-up examination, and a strong case in court.
Prior to Entering the Forensics Crime Scene
Before entry to the crime scene, the forensic examiner and investigators must gather as much information as possible about the search scene to reduce the risk of injury to the entry team and to know as much as possible about the evidence and people inside. Similar to the fundamentals a good journalist follows, it is essential to first consider the who, what, where, when, why, and how of the particular situation. Once the team gathers as much intelligence as possible to fully understand the situation at hand, the forensic team is able to enter the building.
Documenting the Forensics Crime Scene
Upon entry to the scene, the forensic team must first determine the location of all potential digital crime scenes. At this point, they touch nothing, being careful to not disturb the evidence in its state and only assessing the evidence and what immediate preservation procedures must be performed. After preserving the evidence, the forensic examiner begins the collection process by documenting the scene using notes, sketches, videos, or pictures, depending on which medium is most appropriate and available. The documentation process should be applied to all potential digital crime scenes. This process might include photographing the screens of running systems and devices. Most forensic examiners will not only photograph the screen, they will photograph particular files and applications, along with the back of the computers at various angles to capture exactly how the cables were plugged into the machine. Many examiners these days will do more, collecting evidence from running systems by saving it over a network connection or to an attached device. This process requires a higher level of expertise as it may result in significant changes of the evidence. At this point, by viewing the computer monitor, the forensic examiner will document the operating system being used, any currently running software, programs, or open files, and see if there was an encryption program running. Next, after all pertinent information has been photographed and other relevant information about the computers system state has been documented, the network connection should be disconnected. This prevents any data from being destroyed or edited remotely. If the computer is off, the same process of documenting the system state and connections is performed, and the computer is then prepared for disassembly and transport.
Unix and Linux Shutdown, Powerdown Procedures
For live systems, the shutdown process varies according to the operating system and the programs running at the time. If the computer is a server or is running Unix or Linux, it should be shut down using the normal shut down procedure. However, sometimes these systems should not be shut down at all – leaving one viable alternative – a logical acquisition of selected target files and metadata. If the examiner chooses to shut the system down, some data would be lost, such as RAM (random access memory), the running process, current network connections, and current logged-in users. This evidence can however be collected prior to shutdown. However, staying true to best practices for shut down procedures, these machines need to be shut down as specified.
Laptop and Other Computer Shutdown, Powerdown Procedures
Many systems encountered in the field will be workstations, not servers, running Windows operating systems. The convention in the field for several years has been to cut power to the system by pulling the plug or battery. This tide is changing, as cutting the power is now leading to a loss of larger quantities of valuable information due to larger amounts of RAM found in standard systems. Plus, the advent of more widely available disk encryption has resulted in the need to do more investigation before power is lost. If power will be cut, and the computer is a laptop, the plug should be pulled from the back of the machine, and the battery should be removed. In desktop systems, the plug is pulled from the back of the computer. By cutting power in this fashion, the hard drive is stopped dead in its tracks, preventing the system or any person from potentially altering evidence.
Examining Hard Drive for Forensic Evidence and Removing the Hard Drive
Once the computer is completely powered down, the next step is to determine if the hard drive in question has evidence, allowing it to be seized for further examination in the lab. In some situations, the forensic examiner must examine the contents of the hard drive to determine whether it contains evidence in the case prior to seizure. To do this, the forensic examiner previews the evidence in the field. To preview the hard drive, it is sometimes removed from the system. During the process of removing and previewing the drive, it is important to use extra precautions to not only protect the data from being altered, but to also protect the actual hard drive from becoming damaged. To prevent the alteration of data or damage to the drive, the examiner must consider such environmental factors as temperature and electro-magnetic shock. The case of the computer is opened and the cables connecting the drive to the power supply and mother board are removed. Then the drive is removed from its mounts and taken out of the computer. It is important for forensic examiners to wear latex gloves when removing the hard drive to avoid leaving any of their hair, fingerprints, fibers, or body tissue behind. It is not only important to protect the digital evidence from contamination, but also the physical evidence as well.
If the hard drive is seized, it is subject to a more thorough examination later in a laboratory environment. This is a two-step process. The first step in the process is called imaging – where a copy of the drive is saved to sterile media. The second step is the analysis or examination phase. This is the process of using special software to look at the contents of the image file for evidence.
Documenting the Hard Drive
Before the drive is imaged, the model number, serial number, and drive geometry of the drive are documented. This documentation process may include taking photographs of the drive. Drive geometry is a term referring to the physical makeup of the drive. The examiner determines the capacity of the drive by looking at the sector count. This information is critical to the examination because there are many ways to disguise the actual capacity of the drive. If the examiner does not know the actual capacity of the drive, the examiner can not determine whether or not the drive has been copied in its entirety. If the drive has not been copied in its entirety, the missing content can include valuable evidence in the case.
Using Write Blockers and Previewing Hard Drive
The golden rule of computer forensics is, whenever possible, do not change the original data. To date, the best path to following the golden rule is to use hardware devices called write blockers. Write blockers are hardware devices that are used to physically bridge the original media seized for examination and the examiner’s workstation. Write block devices thus stand between the examiner’s workstation and the original media and prevent any data from being written from the workstation to the original media. Several of these devices have been subject to and stood up to significant testing by the National Institute for Standards in Technology (NIST) because they are so critical to the forensic examination process. To read more about the results of some of these tests, visit NIST’s Computer Forensic Tool Testing program website at www.cftt.nist.gov.
Documenting BIOS Time and Date Settings
While the drive is removed from the system, many examiners use that occasion as an opportunity to capture critical information from the computer system’s BIOS chips. This information can include information that includes the boot sequence for the system, whether or not there are system or hard drive passwords, and most important, to gather the current system date and time. The system’s date and time settings may be accurate, or could be inaccurate. The time and date settings are collected and compared to the actual date and time to make a determination of accuracy. If they are inaccurate, the examiner must adjust date and time stamps on the evidence respectively.
The Forensic Bagging and Tagging Process
“Bagging and tagging” is the process of seizing the evidence that will be brought off-site for analysis in a lab environment. This is the point where chain of custody documentation begins. Chain of custody is a legal term that relates to the process of documenting exactly who was in custody of evidence, when that change in custody took place, and all attendant circumstances. Maintaining a well-documented chain of custody is critical to later authenticating the evidence in court. The first step in seizing evidence during the bag-and-tag process is to plug the network cable back into the computer. Next, all cables near there terminal end should be labeled and an identical label should be placed next to its corresponding port. Once all the cables and ports have been properly labeled, the forensic examiner should again photograph the back of the computer at several different angels. Taking these photographs will serve as proof for how the computer was configured at the scene. This documentation will be useful if the forensic examiner must later reconstruct the system. Once documented, all the cables connected to the computer should be removed. Next, the computer can be placed in a large antistatic bag or a cardboard box, and the hard drive should be placed in a separate, smaller antistatic bag. Once the computer and hard drive are properly secured, they should each be appropriately labeled. The label should detail the contents of the bag, time and date, the person seizing the items in the bag, where the items was located at the search scene, and where the item is going, in addition to any other necessary information.
Gathering and Transporting Forensic Evidence
Following the bagging and tagging process, it is now time to gather all of the evidence and transport it back to the forensic lab for further examination. The evidence should be packed carefully so that any bumps or sudden stops during transportation wouldn’t cause it to shift or be damaged in any way. Environmental conditions should be always be of concern to the person transporting the evidence. Once everything has been packed securely and is ready to be transferred, it is always a good practice for the forensic examiner to double check that they have collected all of the evidence, and just as important, all of the examiner’s equipment, including the tools that are used during the seizure. A copy of the search warrant should be left for the person in charge of the building or household where the seizure took place, as well as a detailed list of the items that were seized.
Documenting Back at the Forensic Lab
Once back at the lab, the chain of custody report must be continued, detailing that the evidence has left its original location and is now at the forensic lab. The date and time the evidence arrived at the lab should be documented, along with any other information necessary for the chain of custody report. The chain of custody form should also detail where the item is stored at all times it is in the lab, whether it be in a secure safe or removed for analysis.
After the examiner has successfully secured the evidence in the laboratory environment, the next step is to image any media that will be subject to analysis. As stated above, the examiner must use every precaution while imaging the media to not alter the original evidence. Using write blockers during the imaging process is always helpful in achieving this goal. When copying the media, the examiner must also prevent the cross-contamination of evidence. Cross-contamination occurs when evidence from two separate cases is somehow inter-mixed. One method of preventing cross-contamination is to conduct each examination on its own freshly wiped hard drive. The hard drive can be formatted so it is clearly labeled as the destination for all of the evidence. All image files, case files, the exported evidence, and final report can all be saved to this hard drive. If this process is followed, the possibility of cross-contamination is minimized or eliminated.