Please follow all Instructions
What Is Computer Evidence?
The main purpose of computer forensics is the proper identification and collection of computer evidence. It is both an art and a science. Computer evidence shares common characteristics with, but also differs from, conventional legal evidence. Forensic examiners need to understand the specifics of computer evidence so that they can properly collect it for later use.
Incidents and Computer Evidence
Computers may be involved in security violations in one of two ways. First, a computer can be used in the commission of crimes or violations of policy. Second, a computer can be the target for an attack. In the first situation, one or more computers are used to perform an inappropriate action. Such actions might be illegal (for example, fraud or identity theft) or simply disallowed under an organization's security policy (for example, participating in online auctions on company time).
Regardless of whether an action is a crime, any violation or intended violation of security policy is called a security incident. A company's security policy should outline an appropriate response for each type of incident. As covered in Chapter 2, "Preparation—What to Do Before You Start," most incidents that do not constitute crimes generally require only internal investigation. An organization's incident response team (IRT) normally carries out internal investigations. The IRT is specially trained to identify and collect evidence to document and categorize incidents. This team must also be cognizant when incidents are crimes and require law enforcement involvement.
In general, an incident response team deals with incidents where one or more computers serve as the target for an attack. Criminal investigations are frequently conducted to address the type of incident where a computer is used as a tool in committing a crime. In both situations, the computer forensic analysis produces evidence of activity carried out during an incident.
To investigate an incident properly and build a case that allows you to take action against a perpetrator, you'll need evidence to provide proof of the attacker's identity and actions. Computer evidence consists of files, along with their contents, that remain behind after an incident has occurred. In some cases, the files themselves—such as pictures or executable files—can provide evidence of an incident. In other cases, the contents of files such as logs or protocol traces provide necessary proof. Recognizing and identifying hardware, software, and data you can use is the first step in the evidence collection process.
Any computer hardware, software, or data that can be used to prove one or more of the five Ws and the H for a security incident—namely, who, what, when, where, why, and how.
Types of Evidence
Four basic types of evidence can be used in a court of law:
· Real evidence
· Documentary evidence
· Testimonial evidence
· Demonstrative evidence
Computer evidence generally falls into the first two categories.
Before you start looking for evidence, understand that most successful cases are based on several types of evidence. As you conduct an investigation, be aware of what types of evidence you can gather. Although computer forensics tends to focus on one or two types, a complete investigation should address all types of evidence available. In the following sections, we look more closely at each of these four types of evidence.
Real Evidence
The type of evidence most people already know about is real evidence. Real evidence is anything you can carry into a courtroom and place on a table in front of a jury. In effect, real evidence speaks for itself. It includes physical objects that relate to a case.
Any physical objects you can bring into court. Real evidence can be touched, held, or otherwise observed directly.
Of the four types of evidence, real evidence is the most tangible and easiest to understand. When presenting a case to a jury, real evidence can make a case seem more concrete. You may be asked to present real evidence, even when the most compelling evidence is not physical evidence at all.
Remember that most courtroom participants are not technically savvy. Consequently, any piece of pertinent tangible physical evidence will help a case. Without real evidence, in fact, a case may be perceived as weak or circumstantial.
In a murder trial, the case's real evidence might include the murder weapon. In the context of computer forensics, the actual computer used to commit a crime could be introduced as real evidence. If a suspect's fingerprints are found on that computer's keyboard, real evidence can be offered to prove that the suspect uses that machine. A hard drive from a suspect's computer or a mobile device might also constitute real evidence.
Sometimes real evidence that conclusively relates to a suspect (such as finger-prints or DNA) is called hard evidence.
Real evidence conclusively associated with a suspect or activity.
Hot Java, Cold Jury
Cool Beans, Hot Java versus James T. Kirkpatrick is a fictitious case we'll use to illustrate the importance of real evidence. Kirkpatrick was charged with launching spam campaigns from a public terminal in the Cool Beans, Hot Java coffee shop. The Cool Beans network administrator provided ample proof that Kirkpatrick was in the shop during the alleged spam activity. Cool Beans provided security camera images of Kirkpatrick and accompanying computer access logs showing activity consistent with spam floods. Any technical person had to agree this case was a slam dunk.
However, the jury acquitted Kirkpatrick owing to the lack of compelling evidence. When questioned, jurors said that they found it difficult to convict a man based on little more than printed reports and pictures showing him in the shop. They wanted concrete evidence. Perhaps the actual computer Kirkpatrick used would have helped to convince the jury, or a network diagram showing how IP addresses are assigned, could have helped the jury make the jump from the virtual to the physical world.
Assume you have been asked to investigate a spammer. Because of the nature and volume of e-mails sent, local law enforcement has been called in to investigate and they have called on you to help out. You arrive on the scene to begin your investigation.
Before you touch anything, look around the scene and take pictures of everything. Digital pictures are inexpensive, but can be valuable later. As you work through the investigation, you'll frequently want to refer back to images of the crime scene as you originally found it. As an added bonus, it's not uncommon to find additional evidence in original pictures after extracting digital evidence from a suspect's machine.
After you photograph everything, start identifying all of the potentially pertinent real evidence that you have permission to search or seize. Notice that the suspect's computer has both a scanner and a mobile device cradle attached. That tells you to look for the mobile device and scanner source or target data. Mobile devices can be valuable sources for documentary evidence (which we discuss in the next section). Most people who use mobile devices store lots of personal data on them. Find the mobile device and make sure it has power. If you are authorized to seize a mobile device, be sure to take its power supply as well.
After looking for and securing the mobile device, look for any source documents (for example, printed hard copies) the suspect might have scanned. Also look for CD/DVD-ROMs the suspect may have used to store scanned images. Next, examine the physical computer and surrounding area for other signs of evidence. You should look for such items as:
· Handwritten notes. Even technically savvy people use notes. In fact, because handwritten notes are not stored on a computer, many people consider them to be more "secure."
· Any peripheral device that is, or can be, connected to the computer. This could include:
· Storage devices
· Communication devices
· Input/output devices
· All removable media, such as:
· Optical media (write-once or rewritable CDs, DVDs, or Blu-ray Discs)
· Removable disks (floppies, ZIP disks, and so forth)
· USB Flash Drives (UFDs) and other USB drives, plus eSATA or FireWire drives
· Tapes and other magnetic media
This list is not exhaustive. It is simply a teaser to start you thinking about real evidence.
Looking for physical evidence is easy. Use your eyes and your brain. Look hard at the scene and think about how any physical device or object might provide evidence you need to prove your case, whether such evidence will be presented in a court of law or appear in an incident report.
After you acquire all the real evidence you can collect, it's time to consider other types of evidence that might be available. These types of evidence—documentary, testimonial, and demonstrative—are covered in the following sections.
Documentary Evidence
Much of the evidence you are likely to use in proving a case will be written documentation. Such evidence includes log files, database files, and incident-specific files and reports that supply information about what occurred. All evidence in written form, including computer-based file data, is called documentary evidence . All documentary evidence must be authenticated. Because anyone can create an arbitrary data file with specific content, you must prove that documentary evidence was collected appropriately and that the data it contains proves some fact.
Written evidence, such as printed reports or data in log files. Such evidence cannot stand on its own and must be authenticated.
Authenticating documentary evidence can be quite complex when you're trying to convince nontechnical jurors (or judges) that the contents of a file conclusively prove an attacker performed some specific action. Opposing attorneys are likely to attack the method of authenticating documentary evidence as well as the evidence itself. We have all heard of hard evidence thrown out of court because it was collected illegally. Computer evidence can be even more difficult to collect properly. We will cover admissibility in the section titled "Admissibility of Evidence in a Court of Law" later in this chapter.
Best Evidence Rule
In addition to basic rules that govern all computer evidence, you must consider one additional rule. Whenever you introduce documentary evidence, you must introduce an original document, not a copy. This is called the best evidence rule. The purpose of this rule is to protect evidence from tampering. If an original document is required, there is less opportunity for modification to occur during some copy operation. Of course, you'll have to convince the judge and jury that the document you bring into court is actually the original.
Whenever a document is presented as evidence, you must introduce the original document if at all possible. A copy may only be introduced if the original is not available.
As you progress through an investigation, you will use utilities and tools to explore the contents of the computer and storage media. All files and file contents that support your case are considered documentary evidence. This is where you'll find the bulk of your evidence for many investigations.
Remember, most of your documentary evidence will come directly from items on the real evidence list (such as computers or mobile devices). Some documentary evidence will be supplied by third parties, such as access logs from an Internet service provider (ISP), but most will come from your own investigative activities.
You'll constantly be reminded to document each and every step in your investigation. Always document. There will be a test! Rest assured that if you testify in court, you'll be asked to justify your investigation and any and all actions you took to extract evidence.
After you get a handle on the physical evidence, you can start looking at the physical media's content for digital evidence. How do you look for digital evidence? You will use a collection of forensic tools to search for documentary evidence. Some of these tools are as simple as file listings or viewers, while others have been developed specifically for forensic investigations. Chapter 8, "Common Forensic Tools," covers frequently used forensic tools and their uses in an investigation. Until Chapter 8, we refer to tools designed to examine file system contents as forensic tools.
So, what are you looking for? Use forensic tools to look for any file or file contents that show what a suspect did while using the computer. This can include many types of log files and other activity files. For example, WS_FTP is a common File Transfer Protocol (FTP) client. When you use it to transfer files, the program lists all activity in a file named wsftp.log. Look for instances of this file. You'll be surprised how often people leave such audit trails lying around.
Here's a list of some of the steps you'll want to take while looking for documentary evidence:
· Catalog all programs installed on the target system.
· Harvest all audit and activity log files you can find that use default file-names. (To discover the default names for audit and log files, you might have to research each identified program. The program's web page is one place to start.)
· Examine operating system and application configuration files for recorded use of nonstandard audit or activity log filenames.
· Search for any files created as a result of using any identified program.
As with real evidence, experience will guide you in identifying and extracting documentary evidence. Be creative and persistent!
Testimonial Evidence
The testimony of a witness, either in verbal or written form, is called testimonial evidence. The most common form of testimonial evidence familiar to the general public is direct witness testimony in the courtroom. A witness is first sworn in, and then he or she presents testimony that directly relates knowledge of an incident. Testimonial evidence does not include opinions, just direct recollection from the witness.
Evidence consisting of witness testimony, either in verbal or written form. Testimonial evidence may be presented in person by a witness in a court or in the form of a recorded deposition.
A second common form of testimonial evidence is testimony delivered during a deposition. As with live testimony, during a deposition, the witness delivers testimony under oath. All testimony, as it is delivered, is recorded by a court reporter. A record of a deposition can be entered into evidence just like the testimony of a live witness in court. Each type of testimony has its advantages, but a deposition can often be taken much sooner, when events are fresh in a witness's mind.
You'll often need to use testimonial evidence to support and augment other types of evidence. For example, you may have a system administrator testify that your server keeps logs of all user accesses and has done so for the last two years. This testimony helps to validate the documentary evidence of access log contents taken from that server's hard disk drive (physical evidence).
When you first looked at the e-mail spammer scene in the fictitious Cool Beans, Hot Java versus James T. Kirkpatrick case, you contacted every possible witness, right? When investigating an incident, you'll want to talk with each person who has physical access to the suspect's computer, or who has substantive contact with that suspect. Interviewing witnesses is a task best left to law enforcement when dealing with criminal matters, but you should include their testimony in your investigation. Quite often, witness testimony provides extra information that leads you to additional documentary or physical evidence.
A witness could give you clues to hiding places for key storage media, or to the suspect's computer usage habits. If you have reason to believe a suspect carried out illegal activities during lunch, for example, this can help you limit the initial amount of data you must examine. Work with whoever is interviewing witnesses to get your questions presented. Those answers can save you a lot of work!
Demonstrative Evidence
Many types of computer evidence make sense to technical people but seem completely foreign to less technical folks. For judges and juries to understand the finer points of a case, it is often necessary to use visual aids and other illustrations to help explain some of the more technical details in the evidence. Any evidence that helps to explain, illustrate, or re-create other evidence is called demonstrative evidence. Demonstrative evidence does not stand on its own as do other types of evidence. It exists only to augment other evidence.
Evidence that illustrates or helps to explain other evidence. Usually demonstrative evidence consists of some kind of visual aid.
Let's assume you want to use a web server log file to show how an attacker exploited a new vulnerability. That attack crashed the server and caused substantial loss of business while the system was down. You can use charts, flowcharts, and other visual aids to help explain how web servers work in a way that is easy to understand. Demonstrative evidence is often essential to successful use of other types of evidence.
In many cases, you'll be called upon to explain highly technical concepts to nontechnical people. For example, in our e-mail spammer case, you'd have to explain what a spammer does. Although most people have heard of spam, not many understand how it originates and spreads. Further, you'd have to explain why it's so difficult to catch the originator of those messages, and why spam causes problems in the first place. It is always a good idea to start with the basics. Show how normal e-mail works and how a spammer causes problems by using excessive network bandwidth. Several illustrations are likely to help get this information across.
For example, you might want to start at the beginning. Building a complex technical argument from the ground up requires some basic education and background. Figure 3.1 is an illustration you might use to show how e-mail works.
Figure 3.1: Demonstrative evidence helps explain how e-mail works.
Developing the right visual aids normally comes after the bulk of other evidence has already been collected. Remember, demonstrative evidence is used to explain or demonstrate other evidence. Use it to make your points clear to a judge and jury.
Now that we have looked at the different types of evidence, let's see how you can obtain evidence legally.
Search and Seizure
You probably won't have unobstructed access to all evidence. Before you collect any evidence, make sure you have the right to either search or seize the evidence in question. This section briefly discusses options and restrictions that relate to searching and seizing evidence.
Voluntary Surrender
The easiest method of acquiring the legal right to search or seize computer equipment is through voluntary surrender. This type of consent occurs most often in cases where the primary owner is different from the suspect. In many cases, the equipment owner cooperates with the investigators by providing access to evidence. You might want to consider obtaining written consent to search prior to beginning your evidence collection activities.
Permission granted by a computer equipment owner to search and/or seize equipment for investigative purposes.
Be aware that evidence you want might reside on a business-critical system. Although the equipment owner may be cooperative, you must be sensitive to the impact your requests for evidence may have on the owner's business. Although you might want to seize all the computers in the Human Resources department to analyze payroll activity, you can't put the whole department out of operation for long.
If your activities will alter the business functions of an organization, you may need to change your plans. For example, you could make arrangements to create images of each drive from the Human Resources department computers during off-business hours. If you can image each drive overnight, you could get what you need without impacting the normal flow of operations.
You would also have voluntary consent in cases in which an employee signed a search and seizure consent agreement as a condition of employment. Such prior consent relieves you from having to get additional permission to access evidence. As in any investigation, the value of evidence often diminishes over time. The sooner you collect evidence, the higher the likelihood that such evidence will be useful. If no such consent exists, you must get a court involved.
Never assume you have consent to search or seize computer equipment. Always ensure that you are in compliance with all policies and laws when conducting an investigation. Few things are more frustrating than having to throw out good evidence because it was acquired without proper consent.
Subpoena
In cases where you lack voluntary consent to search or seize evidence, you must ask permission from a court. The first option for using a court order is a subpoena. A subpoena compels the individual or organization that owns computer equipment to surrender it.
A court order that compels an individual or organization to surrender evidence.
A subpoena is appropriate when it is unlikely that notifying the computer equipment owner will result in evidence being destroyed. A subpoena provides the owner ample time to take malicious action and remove sensitive information. Make sure you are confident a subpoena will not allow a suspect to destroy evidence.
One common use for a subpoena is when a nonsuspect equipment owner is unwilling to surrender evidence. An owner could have many reasons for being unwilling to release evidence. The evidence could contain sensitive information and company policy could require a court order to release this type of information. Many times, a court order is required by policy or regulation to document that sufficient authority exists to release such information. In any case, where cooperation is based on proper authority, a subpoena may provide access to evidence you need.
Search Warrant
When you need to search or seize computer equipment that belongs to a suspect in an investigation, it's possible that evidence may be damaged or rendered useless if the suspect knows of the investigation. You must have a court grant law enforcement officers permission to search and/or seize the identified computer equipment without giving the owner any prior notice.
A search warrant allows law enforcement officers to acquire evidence from a suspect's machine without giving a suspect any opportunity to taint the evidence. Resort to a search warrant only when a subpoena puts evidence at risk. If you are working as an independent investigator, you cannot execute a search warrant. This option is open only to law enforcement officials.
A court order that allows law enforcement to search and/or seize computer equipment without providing advance warning to its owner.
Because a search warrant is an extreme step, courts are reluctant to grant such a ruling without compelling reasons to do so. Make sure you are prepared to justify your request. If you are operating on a "hunch," you are likely to be refused. Before asking for a search warrant, gather some preliminary evidence that points to the suspect and his or her machine as a crucial part of the evidence chain.
Chain of Custody
After you understand how to identify computer evidence and you know what equipment you can access, you are ready to begin collecting evidence. The steps you take during the collection process determine whether that evidence will be useful once the investigation is completed. You must ensure that your evidence has been acquired properly and remains pristine. This section discusses several concepts necessary to ensure that collected evidence remains valid for later use.
Definition
All evidence presented in a court of law must exist in the same condition as it did when it was collected. Simply put, evidence cannot change at all once you collect it; in legal terms, the evidence must be in pristine condition. You'll be required to prove to the court that the evidence did not change during the investigation. That means you must provide your own evidence that all collected evidence exists, without changes, as it did when it was collected. The documentation that chronicles every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.
Documentation of all steps that evidence has taken from the time it is located at a crime scene to the time it's introduced in a courtroom. All steps include collection, transportation, analysis, and storage processes. All accesses to the evidence must be documented as well.
The chain of custody is so named because evidence has the potential to change each time it is accessed. You can think of the path evidence takes to the court-room as a chain in which each access is a link in the chain. If any link breaks (and thereby breaks the integrity of the evidence), the whole chain breaks at that point.
The court expects the chain of custody to be complete and without gaps. You demonstrate a complete chain of custody by providing an evidence log that shows every access to evidence, from the time of its collection to its appearance in court.
A complete chain of custody log also includes procedures that describe each step. For example, an entry might read "checked out hard disk drive serial number BR549 to create a primary analysis image." You should also include a description of what "creating a primary analysis image" means. The defense will examine the chain of custody documents, looking for gaps or inconsistencies. Any issue with the chain of custody has the real potential of causing the court to throw out the evidence in question. If that happens, any evidence you collect becomes useless and your credibility will be questioned.
Controls
Each step in the chain of custody must impose specific controls to maintain the integrity of the evidence. The first control could be to take pictures of the evidence's original state. This, of course, is only applicable for real evidence. Once you photograph and/or document the initial state of the entire scene, you can begin to collect evidence.
From the very first step, you must list all procedures you use during the collection process and be ready to justify all of your actions. For example, when you collect a disk drive for analysis, you must carefully follow standard practices regarding disk identification, removal, handling, storage, and analysis. Each step in the evidence collection and handling process must have at least one associated control that preserves the state of the evidence.
Continuing our disk drive evidence example, you must use proper handling techniques with disk drives, and you must also document each step in that process. Before you start, take precautions against disk drive damage. Such precautions include:
· Grounding to prevent static discharge
· Securing and padding the work surface to prevent physical shock
· Noting power requirements to protect against inadvertent power-related damage
You'll also need to implement and document all controls that prevent accidental changes to the evidence. These precautions include:
· Implementing a write blocker to prevent accidental writes to the media
· Generating a snapshot of the media using a hash or checksum before any analysis (Hash and checksums are discussed in more detail in Chapter 8.)
· Using analysis tools that have been verified to run using read-only access
Needless to say, you must plan each step along this path. At every step, make sure at least one control is present to ensure that the evidence stays pristine and unaltered. The section entitled "Leave No Trace," which appears later in this chapter, covers some specific controls; however, the preceding list illuminates the level of detail required to satisfy a court of law that evidence has not changed since it was collected.
The following steps illustrate how to handle a disk drive you suspect contains evidence:
· After you have determined that you need to analyze a hard disk drive, the first step is to seize the drive. You must fully document the entire process, including:
Seizure authority
Seizure process
Safety precautions
Source location, time, and person who performed seizure actions
Packing and transportation method
Destination location, time, and person who transferred the item to secure storage
Description of storage facilities, including procedures to ensure evidence security
· After seizing the drive, mount it in read-only mode and make a copy of the drive for analysis. Make sure you:
Document the process of mounting the device
Describe the precautions taken to prevent changes to the media
List all of the steps in the copy process
· Compare your copy of the drive to the original to ensure that you have an exact copy. Make sure you:
Describe the process and tools used to compare drive images
· After making a clean copy of the original drive, you can begin your analysis of that copy.
Figure 3.2 illustrates the process.
Figure 3.2: Documenting chain of custody when seizing a disk drive as evidence
Real World Scenario
Tales from the Trenches: Computer Evidence
The computer forensic expert is often called on to save the day, even when that "day" occurred over a year and a half ago.
The statute of limitations for sexual harassment can range from as few as 30 days for federal employees to as long as three years in certain states. After being contacted by senior management for a small publicly traded company located in a state with an extended statute of limitations for this crime, I boarded a flight to see if I could help locate evidence that was more than 18 months old.
A senior manager for the company was being sued for sexual harassment by an employee who had left the company 18 months earlier. The employee had not made any allegations when leaving the company and had only recently filed suit. After speaking with the senior manager named in the suit, the company officials were hoping I might be able to locate proof that the romance was mutual and consensual and thus did not constitute sexual harassment.
As is the norm in a majority of businesses, when the complaining employee left the company, the employee's desktop computer hard disk had been reformatted, reloaded, and that computer reassigned to another employee. The company CIO was able to track down the computer and presented it to me to see what I could locate. By this time, the computer had been in use by another employee for almost 15 months. The senior manager's laptop computer had been lost six months ago. In addition, the company recently implemented a new installation of Microsoft Exchange and had no backup tapes from the old e-mail server.
I imaged the hard drive using the Image MASSter Solo 4 Forensic Portable Evidence Seizure Tool from Intelligent Computer Solutions and created a new case file using AccessData's Forensic Toolkit (FTK). I added the acquired image of the hard disk as evidence in the case file in FTK and then indexed the case. After this prep work, things happened quickly.
One of the strengths of FTK is its ability to quickly locate e-mails. I swiftly sorted all the e-mails by date and began reading a string of "love letters" sent from the employee to the manager and from the manager to the employee. It was obvious from the tone of the letters that the relationship was indeed mutual. Additionally, I was able to locate calendar entries from the employee's Outlook .pst file that listed planned meeting times and locations for the couple. I found one particularly humorous and potentially case-defeating file on the computer in an e-mail attachment sent from the employee to the manager. It was a self-photographed nude picture of the employee taken using a mirror.
I located more than enough data to show the relationship was mutual. When presented with all this evidence, the employee dropped the lawsuit. This case illustrates that potential evidence can be found on computers long after incidents occur, if an investigator takes the time and knows how to look for it.
Documentation
The first item in your hands when you enter a crime scene should be a camera, and the second item a pencil. The key to providing a chain of custody that a court will accept is meticulous documentation. You must enter notes into an evidence log, listing all information pertinent to accesses to the evidence.
Each and every time evidence is accessed (including initial collection) the evidence log should include at least the following items of information:
· Date and time of action
· Action type (choose one)
· Initial evidence collection
· Evidence location change
· Remove evidence for analysis
· Return evidence to storage
· Personnel collecting/accessing evidence
· Computer descriptive information
· Computer make and model
· Serial number(s)
· Location
· Additional ID information
· BIOS settings specific to disk drives
· Disk drive descriptive information
· Disk drive manufacturer, model number, and serial number
· Drive parameters (heads, cylinders, sectors per track)
· Jumper settings
· Computer connection information (adapter, master/slave)
· Handling procedure
· Preparation (static grounding, prevention of physical shock, etc.)
· Contamination precautions taken
· Step-by-step events within the events of each action
· Inventory of supporting items created/acquired (e.g., hash or check-sum of drive/files)
· Complete description of action
· Procedure used
· Tools used
· Description of each analysis step and its results
· Reason for action
· Notes
· Comments not specifically requested anywhere else in the log
· The notes section provides additional details as an investigation unfolds
This log provides the court with a chain that can be traced back to the point at which the evidence was collected. It provides the beginning of the assurance that the evidence has not changed from its original state. The next step in the process is to justify that each step in the chain was carried out according to industry best practices and standards. Once you establish that you have handled evidence in an appropriate manner and maintained the integrity of the evidence, you are ready to take it to court.
Figure 3.3 illustrates a minimal log format. This type of log usually needs supporting documents for each line item. The minimal log format gives a brief overview of evidence handling history, and the detailed description for each line item would provide the additional details mentioned previously.
|
Chain of Custody Log |
|||||
|
Line |
Item |
Date |
Time |
Who |
Description |
|
1 |
Hard disk drive, ser #123456 |
7/15/04 |
10:15 AM |
M. SOLOMON |
Seized hard drive from scene, premission provided by business owner |
|
2 |
Hard disk drive, ser #123456 |
7/15/04 |
10:45 AM |
M. SOLOMON |
Transported HDD to evidence locker in main office |
|
3 |
Hard disk drive, ser #123456 |
7/16/04 |
7:30 AM |
M. SOLOMON |
Removed HDD to create analysis copy |
|
4 |
Hard disk drive, ser #123456 |
7/16/04 |
9:15 AM |
M. SOLOMON |
Returned HDD to evidence locker |
Figure 3.3: Chain of custody log
Before you take evidence to court, you need to ensure that it will be acceptable. In the next section, we cover the rules that govern what evidence is admissible in a court of law.
Admissibility of Evidence in a Court of Law
Not all evidence is appropriate for admission into a court. The court applies specific rules to evidence submitted. It's a waste of time and effort to analyze evidence that a court refuses to consider. Some evidence never has a chance of making it to court, and good evidence can be tainted by an investigator on its way to court, making it unacceptable.
Know what separates valid evidence from invalid evidence. It will save you substantial amounts of time, and it could make the difference between a successful and unsuccessful case.
Relevance and Admissibility
The courts apply two basic standards to all evidence. Any evidence you want to use in a court case must be relevant and admissible. Relevant evidence is any evidence that proves or disproves the facts in a case. If evidence does not serve to prove or disprove the facts in a case, it can be deemed irrelevant and, therefore, not allowed.
Evidence that serves to prove or disprove facts in a case.
In addition to evidence being judged relevant, evidence must also be admissible. Admissible evidence is evidence that conforms to all regulations and statues governing the nature and the manner in which it was obtained and collected. Certain evidence may be relevant, but not admissible.
Evidence that meets all regulatory and statutory requirements, and has been properly obtained and handled.
There are many reasons why evidence could be inadmissible. Unfortunately, investigators can contribute to inadmissibility of evidence. The two quickest ways to render good evidence inadmissible are to:
· Collect evidence illegally.
· Modify evidence after it is in your possession.
It is extremely important that investigators be diligent in all activities required to preserve all evidence in an admissible state. Inadmissible evidence weakens your case, and the effort you put into obtaining evidence that is deemed inadmissible is often wasted.
Make every effort to maintain the admissibility of evidence, starting from the beginning of your investigation. All too often, investigations start as internal incident response efforts that do not include law enforcement. During an investigation, you might determine that an incident involved criminal activity. At that point, it is time to involve law enforcement. This is why it is important to preserve evidence before criminal activity is discovered. IRT procedures should be consistent with court requirements for collecting and handling evidence. If not, valuable evidence might become inadmissible before a criminal investigation gets underway.
Techniques to Ensure Admissibility
Your main goal in an investigation is to ensure admissibility of evidence. The IRT is responsible for ensuring that damage from an incident has been contained and the organization's primary business functions can continue. As an investigator, you must operate with different goals in mind. In smaller organizations, separating these two responsibilities can be difficult.
Always remember the importance of preserving evidence. Make sure you collect and handle evidence properly at each step. The success of any court appearance depends on the quality of your part of the investigation.
Know the Rules
Before you ever participate in an investigation, you should know the rules surrounding evidence collection and handling. Each state imposes slightly different rules, so know your local laws and policies. There are also very different rules for different types of evidence. For example, analyzing a database that contains confidential personal medical information will have more stringent requirements than a database containing a parts inventory. Ask questions before engaging in evidence collection. In this case, forgiveness is far more difficult to obtain than permission.
The best place to start is by developing a relationship with local law enforcement agents. Call your local agency and ask for the computer forensic unit. Meet with them and take the time to learn how they approach investigations. Most of the time, law enforcement officers will gladly provide guidance and help you comply with their investigative requirements. Learning from them will save all of you substantial time and effort when an event occurs that requires law enforcement involvement.
Also spend some time with your own organization's legal staff. They can provide valuable input to guide your investigative efforts as well. The goal is to ensure that your processes comply with any statutes, regulations, and policies before any investigation starts.
Protect the Chain of Custody
Once you find yourself in the midst of an investigation, take every effort to protect the chain of custody. The best process is worthless if it is not followed and enforced. If your process requires that the evidence locker be physically locked at all times, never leave it unlocked while you "run a quick check." Even small deviations from published policy can render evidence inadmissible.
Be doggedly diligent in protecting evidence. You should allow only trained personnel near evidence. Make sure they are trained in the proper handling of evidence, and understand the importance of maintaining the chain of custody. The cost of training is far less than the cost of losing valuable evidence due to a single careless act. Defense attorneys look for such mistakes. Take great care to ensure that you don't make any mistakes, take any shortcuts, or otherwise taint your evidence.
Treat Each Incident as a Criminal Act
The single most important practice to enact is to treat every incident as a criminal act. Always assume that evidence you collect will be used in a court case. You'll go a long way to ensure that all collected evidence is admissible. It is a lot easier to loosen up the evidence collection standards, once you decide there will be no need for law enforcement involvement, than it is to fix a sloppy collection effort later in a criminal investigation.
Always assuming evidence will be used in court also tends to make you more diligent in adhering to evidence handling procedures. The belief that evidence is only for internal use can foster a more casual atmosphere that may lead to more mistakes. Take the high road and treat all evidence as though a judge will see it. It will increase the overall quality of your investigative work.
If you assume you will end up presenting your evidence in court, you must ensure that it is pristine. In the next section, we'll look at issues related to keeping evidence pure and unspoiled.
Leave No Trace
The Boy Scouts embrace a philosophy that protects our environment from the effects of hiking, camping, and other outdoor activities. It is called "Leave No Trace," and it affects most outdoor endeavors. The basic idea is that after engaging in an outdoor activity, there should be no trace that you were ever there. The reality is that most outdoor venues allow a more relaxed version, possibly called "Leave Almost No Trace."
In computer forensics, though, you must adhere to a strict "Leave No Trace" policy. You must prove that none of your analysis efforts left any trace on the evidence media. In fact, you'll have to prove that you never modified the evidence in any way.
There are several ways to ensure that evidence remains unmodified, but they are not equally convincing in a court of law. Decide which approach you'll take before the investigation starts (or at least before the analysis of a particular piece of evidence starts).
Read-Only Image
One method to ensure that no changes occur to media is through the use of read-only images. There are multiple ways to access media in read-only mode. One method is to mount the evidence volume in read-only mode. Although this is a safe option when performed properly, it is exceedingly difficult to convince a court that you used the correct options when mounting, or accessing, a volume.
Further, it is very easy to accidentally mount the volume using the wrong options and inadvertently write to the volume. This is a huge risk when working with the primary copy because writing anything to the primary copy makes the volume inadmissible.
If you decide to mount a suspect's volume in read-only mode, only mount the volume to make a full copy of the volume (or selected files). Be diligent in documenting and verifying the options you used. However, if another option exists (such as write-blocking devices), use it instead. You'll have an easier time convincing the court of the volume's integrity.
Software Write Blocker
One method to ensure that no writes impact a mounted volume is through the use of a software write blocker. A software write blocker is a layer of software that sits between the operating system and the actual device driver for the disk. All disk access requests that use standard operating system calls are prevented from writing to the disk.
Software that sits between the operating system and the disk driver that blocks all write requests.
Although this approach is generally safe, some software write blockers allow direct disk access in some cases. Be sure you do your homework and verify that the tool you use is secure in all cases. You also need to ensure that your tool of choice is updated to the latest version (so you need to keep track of the version you use for each investigation). If any vulnerability is detected in a version of the software you are using for an investigation, document its effect on your analysis.
Most vendors that produce computer forensic software and tools provide a software write blocker. Take a look at several tools and the utility they provide. Make sure their capabilities match your needs.
The last step in any media analysis is to run a checksum on the volume and compare it to the checksum run on the same volume prior to analysis. If the two do not match, the volume has changed. If this ever happens, there is clearly a problem with the software write blocker. (Checksums and hashes are discussed in Chapter 4, "Common Tasks.")
Hardware Write Blocker
Another method for preventing writes to media is through the use of a hardware write blocker. Some courts view hardware write blockers as more secure than software write blockers because a physical connection blocks any other paths to the disk. The concept behind a hardware write blocker is the same as for the software write blocker. Normal read access to the device is supported, but all write requests are blocked.
A hardware device that is plugged in between the disk controller and the physical disk, and blocks any write requests.
Several vendors sell hardware write blockers, from inline cable devices to full subsystems that support multiple interfaces. As with software write blockers, do your homework to validate manufacturer's claims. Any court will likely require that you provide independent proof that the device you chose performs as advertised.
Software and Hardware Write Blockers
Here are some products that block disk writes. Look at all of them and evaluate their features to decide which one is right for your use.
Write Block Software Tools
· PDBLOCK, by Digital Intelligence, Inc. (www.digitalintelligence.com)
· EnCase, by Guidance Software (www.guidancesoftware.com)
· Super DriveLock from Intelligent Computer Solutions, Inc. (www.ics-iq.com)
· Forensic Write Blockers from Tableau (www.tableau.com)
· Forensic UltraDock from WiebeTech (www.wiebetech.com)
Write Block Hardware Devices
· ACARD Write Block Kit, by ACARD Technology (www.acard.com)
· DriveLock and FastBloc, by Intelligent Computer Solutions (www.ics-iq.com)
· NoWrite, MyKey Technology, Inc. (www.mykeytech.com)
· UltraKit and UltraBlock, by Digital Intelligence, Inc. (www.digitalintelligence.com)
· FastBloc, Guidance Software (www.guidancesoftware.com)
Also look at the Computer Forensic Tool Testing (CFTT) Project Web site for further analysis of the tools listed previously (and more). You can visit the CFTT Web site at www.cftt.nist.gov.