Best Practice in collecting digital evidence

forensic3e_ppt_ch04.pptx

System Forensics, Investigation, and Response

Lesson 4

Collecting, Seizing, and Protecting Evidence

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Outline the proper approach to collecting, seizing, and protecting evidence.


Key Concepts

Proper forensic procedure

Evidence handling

Storage formats

Forensically imaging a drive

RAID acquisitions


Proper Procedure Overview


2/2/2021


Shut down the computer.

Transport the computer to a secure location.

Prepare the system.

Document the hardware configuration of the system.

Mathematically authenticate data on all storage devices.

Shutting Down the Computer

Before you shut the computer down:

Check for running processes

In Windows, use Task Manager

Take a picture of the screen for your records

Check for live connections to the system:

netstat

net sessions

openfiles (critical to run)


Check to see what processes are running:

Press Ctrl+Alt+Delete keys at the same time.

Select Task Manager.

Select the Processes tab.

Checking for live connections to the system in Linux and Windows:

netstat—Shows network statistics and any current connections. Look for external connections from outside the current network.

net sessions—Shows established network communications sessions, such as someone logging on to that system.

openfiles—Indicates whether there are any shared files or folders open and who has them open.

Run each of these commands and photograph the results before shutting down the machine. Also document that you ran them, the time, and the results. Then power down the machine.

Powering down the computer:

Simply pull the plug rather than running a normal shutdown. Pulling the plug interrupts normal operations: if there is malware on the computer, a normal shutdown followed by a normal startup could give it the chance to delete files, clear the swap, or otherwise destroy evidence.
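The pre-shutdown checks above, as an added example that is not part of the course slides: a small POSIX shell script that runs each check on a Linux host, keeps the output, and logs the command, the UTC time it ran, its exit status and a SHA-256 of the output, which is the "what, when and result" record the notes ask for. It assumes sha256sum (or shasum) is available; the Linux tools named in collect_volatile are the counterparts of the Windows commands on the slide.

```shell
#!/bin/sh
# Added example, not from the course slides: run each pre-shutdown check,
# keep its output, and log the command, UTC time, exit status and SHA-256 of
# the output so the "what, when and result" record the notes ask for is
# produced automatically. Assumes a POSIX shell with sha256sum or shasum.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_step DIR LABEL COMMAND [ARGS...]
# Runs COMMAND, saves its output (stdout and stderr) to DIR/LABEL.txt and
# appends "timestamp|label|command|exit status|sha256" to DIR/collection.log.
# Returns the command's own exit status.
record_step() {
    dir=$1; label=$2; shift 2
    out="$dir/$label.txt"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if "$@" >"$out" 2>&1; then status=0; else status=$?; fi
    printf '%s|%s|%s|%s|%s\n' "$stamp" "$label" "$*" "$status" \
        "$(hash_file "$out")" >>"$dir/collection.log"
    return "$status"
}

# collect_volatile DIR
# Linux counterparts of the slide's Windows checks: running processes
# (Task Manager), live connections (netstat), logged-on sessions
# (net sessions) and open files (openfiles). Each tool runs only if present,
# and every result goes through record_step. Run it from the examiner's own
# media as root and write DIR to the examiner's storage, not the suspect disk.
collect_volatile() {
    dir=$1
    mkdir -p "$dir"
    record_step "$dir" processes ps -ef
    if command -v ss >/dev/null 2>&1; then
        record_step "$dir" connections ss -tunap
    elif command -v netstat >/dev/null 2>&1; then
        record_step "$dir" connections netstat -anp
    fi
    command -v who  >/dev/null 2>&1 && record_step "$dir" sessions who
    command -v lsof >/dev/null 2>&1 && record_step "$dir" openfiles lsof -nP
    # Seal the log: its own digest goes in a side file so later edits show.
    hash_file "$dir/collection.log" >"$dir/collection.log.sha256"
}

# Number of steps recorded in DIR/collection.log.
recorded_steps() {
    wc -l <"$1/collection.log" | tr -d ' '
}
```

Photograph the screen as the slide says in addition to this; the log and its digest back up the photographs, they do not replace them.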


Task Manager Running Processes


(c) ITT Educational Services, Inc.


netstat Command


The netstat command shows network statistics and any current connections.

Shows even meaningless connections, such as your computer opening a web browser.


net sessions Command


The net sessions command only shows established network communication sessions, such as someone logging on to that system.


openfiles Command


The openfiles command tells you if any shared files or folders are open and who has them open.


System Memory with OSForensics


You can also capture system memory using OSForensics.


Transporting the Computer

Keep evidence in possession or control at all times

Document movement of evidence between investigators

Secure evidence appropriately so it can’t be tampered with or corrupted

Lock in a vehicle

Drive vehicle directly to lab


You must have legal authority to seize and transport evidence.

A seized computer should be locked in a vehicle and the vehicle should be driven to the lab directly with no other stops along the way. The chain of custody must be maintained throughout transport.


Upon reaching the lab, the computer must be stored securely. If left unattended, the seized computer can be easily compromised. Evidence can be accidentally or purposely destroyed. Chain of custody must be maintained at all time to avoid accusations that evidence was planted on the suspect computer.


Preparing the System

For suspect computers:

Remove the drive(s)

Create an evidence form and/or a chain of custody form

For mobile devices:

Remove SIM card, if necessary

Some devices let you dock the phone and examine it without removing the SIM


For computers, remove any drives even if they are not attached to any cabling and complete a chain of custody form. It is a good idea to photograph all drive connections, cable connections to the case, and general work area.


For cell phones, it may be necessary to remove the SIM card. However, some forensic devices allow you to dock the phone into the device and examine it without removing the SIM card.


Evidence Form

© Jones & Bartlett Learning


Chain of Custody Form

© Jones & Bartlett Learning


Documenting the Hardware Configuration of the System

Before dismantling the computer:

Take pictures of computer from all angles

Record BIOS system time and date in chain of custody form

After restoring power:

Eject all removable media and fill out a separate chain of custody form for each


Before dismantling the computer, take pictures from all angles to document the hardware components and how they are connected. Label each wire to make it easy to reconnect each one and restore the system to its original configuration.

Check the manufacturer’s website for information about how to access the BIOS information. Usually, this information is accessed during the initial boot screen by pressing Esc, Delete, or F2 (for some systems, it is F9, F10, or F11).

The BIOS time is important because it can significantly differ from the actual time and time zone set for the geographical area in which you are located.

If the BIOS time is different, note this and then adjust the times of any files you recover from the image to determine the actual time and date they were created, accessed, or modified.

After the power has been restored to the system, eject all media contained in drives that cannot be operated without power (such as CD-ROMs and DVD-ROMs) and remove them. Fill out a separate chain of custody form for each item removed.


Mathematically Authenticating Data on All Storage Devices

After imaging drive, create a hash of the original and the copy

Compare the hashes

If they don't match exactly, something was altered

Document hashing algorithm used and results


Linux has built-in hashing tools. In addition, EnCase and Forensic Toolkit will hash the suspect drive after it has been imaged to check for copy errors.


Handling Evidence

Digital forensics specialist is responsible for finding, preserving, and preparing evidence

The specialist must:

Collect data

Document filenames, dates, and times

Identify any file, program, and storage anomalies

Gather evidence


Collecting Data

Three primary types of data that a forensic investigator must collect, in this order:

Volatile data

Temporary data

Persistent data


Collect volatile data first:

Swap file: The swap file is used to optimize the use of random access memory (RAM). Data is frequently found in the swap file. The details on how to extract data from the swap file vary depending on the installed operating system.

State of network connections: This data is captured before the system is shut down.

State of running processes: This data is captured before the system is shut down.

After collecting volatile data, collect temporary data—data that an operating system creates and overwrites without the computer user taking a direct action to save this data.

Then collect persistent data.


Documenting Filenames, Dates, and Times

Filenames, creation dates, and last modified dates and times can be relevant as evidence

Catalog all allocated and “erased” files

Sort files based on filename, file size, file content, creation date, and last modified date and time

Sorting provides a timeline of computer usage


Identifying File, Program, and Storage Anomalies

Text search programs can’t identify text data stored in binary format

They require manual evaluation

Evaluate hidden partitions for evidence and document their existence

In Windows, also evaluate files in the Recycle Bin


If you find relevant files, thoroughly document the issues involved. Those issues can include the following:

• How did you find the files?

• What condition were they in (i.e., did you recover the entire file or just part of the file)?

• When was the file originally saved?

Remember that the more information you document about evidence, the better.


Evidence-Gathering Measures


Forensic specialists should take the following measures when gathering evidence:

Avoid changing the evidence—Forensic specialists should:

Photograph equipment in place before removing it

Label wires and sockets so computers and peripherals can be reassembled in a laboratory exactly as they were in the original location

Transport computers, peripherals, and media carefully to avoid heat damage or jostling

Avoid touching original computer hard disks and CDs

Make exact bit-by-bit copies and store the copies on a medium that cannot be altered, such as a CD-ROM

Determine when evidence was created—Forensic specialists should not trust a computer’s internal clock or activity logs. Before logs disappear, an investigator should capture:

The time a document was created

The last time it was opened

The last time it was changed

Trust only physical evidence—The physical level of magnetic materials is where the 1s and 0s of data are recorded. In system forensics, only this physical level is real. A forensic specialist should consider everything else untrustworthy.

Search throughout a device—Forensic specialists must search at the bit level across a wide range of areas inside a computer, including:

Email and temporary files in the operating system and in databases

Swap files that hold data temporarily, logical file structures, and slack and free space on the hard drive

Software settings and script files that perform preset activities

Web browser data caches, bookmarks and history, and session logs that record patterns of usage

Present the evidence well—Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. The evidence should be solid enough that a defense counsel cannot rebut it. A forensic specialist must create a step-by-step reconstruction of actions, with documented dates and times. The specialist’s testimony must explain simply and clearly what a suspect did or did not do.

Avoid changing evidence

Determine when evidence was created

Search throughout a device

Determine information about encrypted and steganized files

Present evidence well

Physical and Logical Analysis

File residue

Ambient data

Physical Analysis

Logical Analysis


Physical analysis is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Logical analysis involves using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data.

Put another way, physical analysis is looking for things that may have been overlooked, or are invisible, to the user. Logical analysis is looking for things that are visible, known about, and possibly controlled by the user.

URLs

Email addresses

File formats

Damaged sectors

Data outside partitions

Partitions

File metadata

Context of data

File paths

Creating a Timeline

To reconstruct events that led to corruption of a system, create a timeline

Challenges with computers:

Clock drift

Delayed reporting

Different time zones

Never change clock on a suspect system

Record clock drift and time zone in use


Storage Formats


Magnetic media

Hard drives and floppy drives

Data is stored magnetically; drives are susceptible to magnetic interference

If drive is demagnetized, there is no way to recover data

Transport suspect drives in special transit bags that reduce electrostatic interference to decrease the chance of inadvertent loss of data

Magnetic drives have moving parts

Solid-state drives (SSDs)

Use microchips that retain data in non-volatile memory chips

Contain no moving parts

Drives are usually less susceptible to physical damage than magnetic drives

If internal, SSDs can use same interfaces as magnetic drives, including SCSI and SATA

If external, it is most common for them to have a universal serial bus (USB) connection

Digital audio tape (DAT) drives

Are among most common type of tape drives

Use 4-mm magnetic tape enclosed in a protective plastic shell

Tapes wear out just like audio tapes

Will most likely contain archived/backup data that you need to analyze

Forensically wipe target drive first so you can be sure that there is no residual data on that drive

Then restore it to the target hard drive (magnetic or solid state) in order to analyze it


Magnetic media

Solid-state drives

Digital audio tape (DAT) drives

Storage Formats (cont.)


DLT

Another type of magnetic tape storage

Relies on a linear recording method

Tape has either 128 or 208 total tracks

Used primarily to store archived data

Optical media

CD-ROMs use high and low polarization to set the bits of data; however, CDs have reflective pits that represent the low bit

If pit is nonexistent, data is a 1; if pit exists, it’s a 0

Laser mechanism detects the distance the light beam has traveled in order to detect the presence or absence of a pit; this is why scratches can be problematic for optical media

DVDs and Blu-ray discs are enhancements to original compact discs

Still utilize same optical process but have larger capacity

Should be forensically copied to a clean, forensically wiped drive for analysis

USB

Is actually a connectivity technology, not a storage technology

Can be used to connect to external drives that can be either magnetic or solid state

Have no moving parts, which means these drives are resilient to shock damage

Thumb drives can be easily erased or overwritten.

Copy data from USB drive to a target forensic drive for analysis


Digital linear tape (DLT) and super DLT

Optical media

Universal serial bus (USB)

Magnetic and Solid State Drives

Host protected area (HPA) or vendor-specific drive space

Master boot record (MBR) where empty drive sectors remain

Volume slack

Unallocated space

Good blocks marked as bad

File slack


Files stored on disk (archives, files, folders, etc.)

Host protected area (HPA) or vendor-specific drive space (recovery volumes, etc.)

Master boot record (MBR) where empty drive sectors remain

Boot sectors in non-bootable partitions


File Formats


The Advanced Forensic Format (AFF)

An open file standard with three variations: AFF, AFM, and AFD

AFF variation stores all data and metadata in a single file

AFM variation stores data and metadata in separate files

AFD variation stores data and metadata in multiple small files

EnCase

A proprietary format defined by Guidance Software for use in its EnCase tool to store hard drive images and individual files

Includes a hash of the file to ensure nothing was changed when it was copied from the source

The Generic Forensic Zip (Gfzip)

Open-source file format used to store evidence from a forensic examination

iXImager

A proprietary file format used by the iLook tool

Tool was developed by the U.S. Internal Revenue Service (IRS) and is restricted to law enforcement and government use only


Advanced Forensic Format (AFF)

EnCase

iXImager

Generic Forensic Zip (Gfzip)

Forensic Imaging

An image is an exact bit-by-bit copy of a disk

Used for evidence collection without altering original


Digital forensics specialists should work with an image of any suspect storage media whenever possible to avoid damaging or altering any evidence.


Imaging with dd and netcat

Forensically wipe the drive:

dd if=/dev/zero of=/dev/hdb1 bs=2048

Use netcat to set up the forensic server to listen:

# nc -l -p 8888 > evidence.dd

Use the dd command to read the first partition:

# dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3


Once you have acquired a physical storage medium of some type, you need to image it. You always work with an image whenever possible. It is possible to create a forensic image utilizing open-source tools, specifically Linux commands.

First, you must forensically wipe the target drive (which is the drive to which you will copy the suspect drive contents) to ensure there is no residual data left from a previous case. You can do this with the Linux dd command: dd if=/dev/zero of=/dev/hdb1 bs=2048

dd is a common UNIX program whose primary purpose is the low-level copying and conversion of raw data at the bit level. If you do your copy through the file system/operating system, then you can see only the data that the operating system sees. You won’t get deleted files or slack space, so a basic file system copy is inadequate for forensic analysis. You must get a bit-level copy, and the dd utility is perfect for that.

You also need netcat on the forensic server so it can listen for the incoming data, and a second Kali Linux boot CD to boot the suspect computer so its drive can be copied to the forensic server. At this point, both the suspect computer and the target forensic server have been booted into Linux using Kali.

Netcat reads and writes bits over a network connection. The command to run on the forensic server is as follows: # nc -l -p 8888 > evidence.dd

This sets up the listen process on the forensic server prior to sending the data from the subject’s computer. The process listens (the -l flag) on port 8888 (the -p 8888 option), takes all input, and writes it to a file called evidence.dd. You can always use another port or another filename if necessary. You must ensure the target drive is at least as big as the suspect drive.

On the suspect computer, use the dd command to read the first partition: # dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3

You then pipe the output of the dd command to netcat, which sends the bits over the network to the specified network address and port on the listening forensic computer. The argument -w 3 tells netcat to wait 3 seconds before closing the connection once no more data arrives. This assumes that the suspect partition is hda1, but it might be a different partition.
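The wipe, dd imaging and hash-authentication steps (this slide and the earlier "Mathematically Authenticating Data on All Storage Devices" slide), as one added example that is not part of the course slides: a POSIX shell script that refuses a target that was not zeroed, images the source with dd, hashes source and copy with SHA-256, and logs the algorithm and both digests. Device paths are placeholders and it assumes sha256sum (or shasum); in the networked setup above the dd output is piped to nc instead of a local target, and verify_image is then run against the resulting evidence.dd.

```shell
#!/bin/sh
# Added example, not from the course slides: image a source with dd, confirm
# the target had been forensically wiped first, and mathematically
# authenticate the copy by hashing source and image and comparing digests.
# Assumes a POSIX shell, dd, and sha256sum or shasum. Device paths are
# placeholders; in the networked setup on the slide the dd output is piped to
# nc rather than written to a local target.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# target_is_zeroed TARGET
# True when TARGET contains only zero bytes, i.e. the earlier
# "dd if=/dev/zero of=TARGET" wipe left no residual data from a prior case.
# Deleting every NUL and then reading one byte is empty only if all were NUL.
target_is_zeroed() {
    [ "$(tr -d '\000' <"$1" | head -c 1 | wc -c | tr -d ' ')" -eq 0 ]
}

# image_source SOURCE TARGET
# Bit-level copy with dd. bs=512 matches the classic sector size. On a
# failing drive, conv=noerror,sync would skip unreadable sectors and
# zero-fill them; the copy is then padded, will not hash-match the source,
# and the deviation must be documented.
image_source() {
    dd if="$1" of="$2" bs=512 2>/dev/null
}

# verify_image SOURCE IMAGE LOG
# Hashes both sides, appends
# "timestamp|algorithm|source digest|image digest|MATCH or MISMATCH" to LOG,
# and succeeds only when the digests are identical.
verify_image() {
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    if [ "$src_hash" = "$img_hash" ]; then result=MATCH; else result=MISMATCH; fi
    printf '%s|sha256|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src_hash" "$img_hash" "$result" >>"$3"
    [ "$result" = MATCH ]
}

# acquire SOURCE TARGET LOG
# The sequence from the slides: refuse a target that was not wiped, image
# SOURCE onto TARGET, then authenticate. Exit status 0 means the copy verified;
# 2 means the target was not wiped; 3 means dd itself failed.
acquire() {
    target_is_zeroed "$2" || { echo "target $2 not wiped" >&2; return 2; }
    image_source "$1" "$2" || return 3
    verify_image "$1" "$2" "$3"
}
```

Record the log line, including the digests, on the chain of custody form; the verify step is the check EnCase and FTK perform for you after imaging.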


Imaging with EnCase

Makes bit-level images and then mounts them for analysis

Preview mode allows investigator to use a null modem cable or Ethernet connection to view data on the subject machine safely

Doesn't alter evidence


Imaging with EnCase

Courtesy of Guidance Software, Inc.


Once you have the hard drive disconnected from the suspect machine, you can connect that drive to the forensic computer. In some cases, you first connect it through a device that prevents writing to the suspect drive. FastBloc and Tableau are two such write blockers that are widely used in forensics.

At the top of the EnCase window, click New on the toolbar to start the new case you will be working. The Case Options dialog box opens. Enter the case name and the examiner’s name. The text boxes are filled in automatically, but you have to click on the button on the right side next to each of the lower text boxes to select the paths. After selecting the paths, click the Finish button.


Imaging with EnCase

Courtesy of Guidance Software, Inc.


After creating a case, save it by clicking the Save icon on the EnCase toolbar.

Select a path for the save location when prompted.

Now, you are ready to acquire evidence. On the EnCase toolbar, click the Add Device button. The Add Device window appears in EnCase, asking which device to add.

The left pane lists devices with subfolders, Local and Evidence Files. The right pane lists Local Drives, Palm Pilot, Parallel Port, and Network Crossover (note these options may be different on some systems). In this procedure, you check the Local Drives in the right pane.


Imaging with EnCase

Courtesy of Guidance Software, Inc.


After EnCase reads the local drives, another window appears. Once you have added the device, it shows in the case.

Note that you can add multiple devices to a single case.


Imaging with Forensic Toolkit (FTK)

Takes snapshot of entire disk, makes bit-level copy for analysis

Inexpensive, easy to use, good all-in-one forensic tool

Offers Registry viewing, in-depth logging, standalone disk imaging, direct email and zip file analysis


Imaging with FTK


Once you have connected the suspect drive to the forensic machine, you simply have to add evidence. You now have to select specifically what you want to image. FTK offers a number of choices. The most common choice is a physical drive, but you can also add folders, logical drives, and even drive images, such as those made with the dd and netcat commands.


Imaging with FTK


Select one of the Source Evidence Type options and then click the Next button.


Imaging with FTK


From the Select Drive drop-down, choose the specific drive you want to acquire and then click Finish. FTK mounts the drive and you can then see it in the evidence tree.


Imaging with OSForensics

Allows you to mount images created with other tools

Also allows you to create an image


Imaging with OSForensics


Select Drive Imaging from the main menu (not shown).

Select the source drive you wish to image, and the target where you want to put the image. Notice that Verify Image is checked by default. You should not uncheck this.

Start the process and an image of the source drive will be created and verified.


RAID Acquisitions

RAID 0, 1, 3, 4, 5, 6, 1+0

Can acquire RAID 1 disks separately

RAID 0, 3, 4, 5, and 6 use data striping across multiple disks

Make a forensic image of the entire RAID array


Redundant Array of Independent Disks (RAID)


RAID 0 (disk striping)—Distributes data across multiple disks in a way that improves data retrieval speed.

RAID 1 (mirroring)—Mirrors the contents of the disks, creating an identical copy of the drive running on the machine.

RAID 3 or 4 (striped disks with dedicated parity)—Combines three or more disks in a way that protects data against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.


RAID 0

Distributes data across multiple disks

Improved data retrieval speed

RAID 1

Mirrors disks

Creates an identical copy of a drive

RAID 3 or 4

Combines three or more disks for fault tolerance

Includes parity

Redundant Array of Independent Disks (RAID)


RAID 5 (striped disks with distributed parity)—Combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array. The storage capacity of the array is a function of the number of drives minus the space needed to store parity.

RAID 6 (striped disks with dual parity)—Combines four or more disks in a way that protects data against loss of any two disks.


RAID 5

Combines three or more disks

Similar to RAID 3 but with no dedicated parity disk

RAID 6

Combines four or more disks

Protects against loss of data on any two disks

Summary

Proper forensic procedure

Evidence handling

Storage formats

Forensically imaging a drive

RAID acquisitions
