Chapter 6
First Response and The Digital Investigator
Forensics and Computer Science
Just what does “forensics” mean?
Suitable for presentation in court
Digital forensics combines legal process with technology
The job of the digital forensic investigator
NEVER do harm to the investigation
Acquire data from computer devices in a way that allows it to be used as evidence
Locard’s Principle
If you touch it, you change it
Whatever a criminal touches, there is evidence to be found
Whatever an investigator touches, there is evidence to be destroyed
BUT… changing the evidence does not necessarily render it unusable
Characteristics of Evidence
Class characteristics
A large group can share the same characteristic
Used to narrow the search pattern
Individual characteristics
A descriptive element that is unique to a sample
Colors are not unique—but serial numbers are
Digital Versus Physical Evidence
A paper document is physical
May carry fingerprints or chemical elements to analyze
Will not prove who created it
Will not carry metadata for further analysis
A digital document has the metadata and can be traced to the owner
They are not the same piece of evidence
Digital Media
A paper document that is burned is gone for good
A digital document that is deleted can be restored
Digital sources carry evidence of the document other than the document itself
File system metadata
Registry entries
Temporary files
First on the Scene
Always find out who is in charge before you begin
It will never be you
There might be multiple “owners” of the scene
Secure the scene
People’s safety first
Integrity of the evidence next
Identify potential sources of evidence
Document the Scene
Take a LOT of photographs
Always carry a digital camera
Make it a point to also carry a video camera
Make an inventory of all potential devices that might contain evidence (start a chain of custody)
Make notes on your observations (and remember that they can be subpoenaed)
Identifying Data Sources
Obvious sources
Computers
PDAs
Cell phones
External drives
CDs
Other media
Less obvious sources
Less Obvious Sources
Digital cameras and video recorders
Game machines
Digital audio recorders
Printer/Fax machines
Answering machines
Owner’s manuals may point to sources not present
Handling Evidence
Identify and photograph the evidence
Document the evidence (make, model, S/N, etc.)
Package the evidence for transport
Should you block signals?
Should power be maintained?
Transport the evidence safely and securely
Store the evidence safely and securely
Chain of Custody
Must identify the material in a way unique to that individual item
One of the most critical pieces of documentation
Follows each piece of evidence around everywhere it goes
Must be updated each time it moves or changes hands
Documenting Evidence
Where was it found?
What state was it in?
What time and on what date was it collected?
Give a physical description of the evidence
Type of device
Capacity, condition, etc.
Identify make, model, S/N if applicable
Packaging Evidence
Protect from impact
Protect from electro-magnetic radiation
Protect from extreme temperature and moisture
Protect from tampering
Make sure it is clearly labeled
Transporting Evidence
Never assume that a computer is stand-alone
Determine if it should remain powered up
If it must be shut down, document the state of the computer before breaking it down
What application was active?
Running processes (if possible)
Network connections (if possible)
Protect portable devices and media from external corruption
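The slide above says to document the active application, running processes and network connections before a machine is broken down. The following Python script is an added example, not part of the chapter: it runs a configurable list of capture commands (the POSIX commands `ps`, `ss` and `who` are assumed here and should be swapped for the platform at hand), timestamps the results, records a missing tool as a finding rather than failing, and hashes the whole record so the responder's notes can later be shown to be unaltered. The examiner name is a placeholder.

```python
"""Volatile-state snapshot taken before a machine is powered down.

Constructed example, not from the chapter: records process list, network
connections and logged-in users (where the tools exist) with a UTC timestamp
and a SHA-256 of each captured output, then hashes the whole record.
"""
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# Hypothetical command list for a POSIX host; adjust to the platform in front of you.
SNAPSHOT_COMMANDS = {
    "running_processes": ["ps", "-ef"],
    "network_connections": ["ss", "-tunap"],
    "logged_in_users": ["who"],
}


def run_capture(name, argv):
    """Run one command; a missing tool is recorded as a finding, never raised."""
    if shutil.which(argv[0]) is None:
        return {"name": name, "command": " ".join(argv), "available": False,
                "output": "", "sha256": hashlib.sha256(b"").hexdigest()}
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    out = proc.stdout
    return {"name": name, "command": " ".join(argv), "available": True,
            "returncode": proc.returncode, "output": out,
            "sha256": hashlib.sha256(out.encode()).hexdigest()}


def snapshot_volatile_state(commands=SNAPSHOT_COMMANDS, examiner="EXAMINER-PLACEHOLDER"):
    """Capture every listed command and wrap the results in a timestamped, hashed record."""
    captured_at = datetime.now(timezone.utc).isoformat()
    captures = [run_capture(name, argv) for name, argv in commands.items()]
    record = {"captured_at_utc": captured_at, "examiner": examiner, "captures": captures}
    # Hash the record itself so the notes can be verified when they are subpoenaed.
    body = json.dumps(record, sort_keys=True).encode()
    record["record_sha256"] = hashlib.sha256(body).hexdigest()
    return record


def verify_snapshot(record):
    """Recompute the record hash; True only if no field has been altered since capture."""
    copy = {k: v for k, v in record.items() if k != "record_sha256"}
    body = json.dumps(copy, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest() == record["record_sha256"]


if __name__ == "__main__":
    snap = snapshot_volatile_state()
    print("captured at", snap["captured_at_utc"], "record hash", snap["record_sha256"])
    for c in snap["captures"]:
        status = "captured" if c["available"] else "tool not present"
        print(f"{c['name']}: {status} ({c['sha256'][:16]}...)")
    print("record verifies:", verify_snapshot(snap))
```

Save the JSON record alongside the photographs; a later `verify_snapshot` call proves the notes match what was captured at the scene.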
Storing Evidence
Chain of custody rules apply to storage
Log in/log out must include who, what, when, where, and why
Rules of protection during transport apply equally to storage
Access to storage must be limited and monitored
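The Chain of Custody, Documenting Evidence and Storing Evidence slides above describe a log that uniquely identifies each item, records who/what/when/where/why at every hand-off, and must not be silently edited. The Python class below is an added example, not from the chapter: it hashes the evidence image at acquisition, re-hashes it at every custody event, and links each log entry to the previous one with a SHA-256 so a deleted or altered entry breaks the chain. The item tag, description and sample image bytes are constructed.

```python
"""Hash-chained chain-of-custody ledger for one evidence item.

Constructed example, not from the chapter. Every entry carries the evidence
file's current SHA-256 and an entry hash computed over the previous entry's
hash plus its own fields, so both evidence tampering and log tampering show
up in verify().
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLedger:
    def __init__(self, item_id, description, evidence_path):
        self.item_id = item_id             # tag unique to this individual item
        self.description = description     # make, model, S/N, capacity, condition
        self.evidence_path = evidence_path
        self.acquisition_hash = sha256_file(evidence_path)
        self.entries = []

    @staticmethod
    def _entry_hash(fields, prev_hash):
        body = json.dumps(fields, sort_keys=True).encode()
        return hashlib.sha256(prev_hash.encode() + body).hexdigest()

    def record(self, who, what, where, why, when=None):
        """Append one custody event (who, what, when, where, why) and re-hash the evidence."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"item_id": self.item_id, "who": who, "what": what, "when": when,
                 "where": where, "why": why,
                 "evidence_sha256": sha256_file(self.evidence_path)}
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry["entry_hash"] = self._entry_hash(entry, prev_hash)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, problems): evidence unchanged since acquisition and ledger chain intact."""
        problems = []
        if sha256_file(self.evidence_path) != self.acquisition_hash:
            problems.append("evidence hash differs from acquisition hash")
        prev_hash = self.acquisition_hash
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "entry_hash"}
            if self._entry_hash(fields, prev_hash) != entry["entry_hash"]:
                problems.append(f"ledger entry {i} altered, removed or reordered")
            if entry["evidence_sha256"] != self.acquisition_hash:
                problems.append(f"entry {i} recorded a modified evidence file")
            prev_hash = entry["entry_hash"]
        return (not problems, problems)


def build_demo_ledger():
    """Write a constructed 'disk image' to a temp file and log two custody events."""
    path = os.path.join(tempfile.mkdtemp(), "item-001.dd")
    with open(path, "wb") as f:
        f.write(b"constructed sample image bytes, not real evidence")  # constructed
    ledger = CustodyLedger("ITEM-001-PLACEHOLDER", "USB flash drive, 16 GB, S/N PLACEHOLDER", path)
    ledger.record("first responder A", "seized and bagged", "scene, office 12", "search warrant")
    ledger.record("examiner B", "received for imaging", "forensic lab, locker 4", "analysis")
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print(json.dumps(ledger.entries, indent=2))
    print("verify:", ledger.verify())
```

Storage check-in and check-out are just further `record` calls; `verify` is what you run before the item goes to court.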
Disposition of Evidence
When the job is done, evidence must be destroyed or returned
All contraband must be destroyed, regardless of provenance
Private or intellectual property may be either returned or destroyed, depending on the courts
If destroyed, the material must be rendered completely unrecoverable