Please follow all Instructions

profileJohn_matt
chapter_4_text.docx

Evidence Identification

Your initial task in an investigation is to identify the evidence you need for your case. Remember, without evidence you don't really have much more than an opinion. Every case is different, so you will likely need different types of evidence for each case. Knowing what evidence you will need is an integral part of a successful investigation. One rule of thumb is to "take everything." Unfortunately, there are substantial legal and logistical issues involved in this approach. More realistically, you should take anything and everything that could be remotely related to your case. Religiously adhere to the chain of custody guidelines and label everything as it is removed.

Who Will Use the Evidence You Collect?

Treat every computer forensic investigation as if the case you build will end up in court. The case in question does not need to involve criminal activity to warrant such care. You may be surprised that even simple investigations can end up as prime evidence for lawsuits in the future. Don't take chances. Protect your organization's assets by providing evidence that can be admitted into a court of law, if need be.

The facts surrounding the target of the investigation will determine the methods you employ. An investigation into how a server was used in a distributed denial of service attack (DDoS) is different from gathering evidence of illegal images stored on a laptop. Always understand the purpose of your investigation before you start.

distributed denial of service (DDoS) attack

An attack that uses one or more systems to flood another system with so much traffic that the targeted system is unable to respond to legitimate requests for service or access.

Suppose you were called to investigate possible stolen credit cards. The law enforcement officers working on this case expect to find incriminating evidence on the suspect's home computer. They have interviewed some of the suspect's coworkers and found that she talked about a "database of valuable information at home." When you arrive at the suspect's home, where should you start? What type of evidence should you look for? Try to answer these questions by looking at some common guidelines for investigations.

site survey

Notes, photographs, drawings, and any other documentation that describe the state and condition of a scene.

When you enter a crime scene, look around carefully. Always document the scene by taking photographs, drawing sketches, and writing descriptions of what you see. The notes you take, together with photographs or drawings, form the initial site survey. As you progress in your investigation, you may find that looking back at the site survey gives you more contextual clues that show where or what to look at next.

Tip 

Don't get too caught up in finding specific evidence. Rather, treat an investigation like a large puzzle. Avoid fixating on the picture (on the box cover); instead, look at the shapes and how the pieces fit together. Try to avoid looking only for evidence you expect to find. When you focus on the end product too much, you can miss important evidence that may lead you in a different direction. Be on the lookout for any evidence that could be of interest to your case.

Physical Hardware

You might expect that the primary focus of a computer forensic investigation is computer hardware; however, that's not always true. Often, much more evidence than just physical hardware can be found. However, hardware is one crucial type of evidence you must consider.

Take a look around your own office. How many types of computer hardware do you see? Chapter 2, "Preparation—What to Do Before You Start," covered different types of hardware and encouraged you to know what gets used in your organization. You probably use several different types of hardware on a daily basis.

Physical hardware is a great place to get fingerprints. If part of your case depends on proving a certain person used specific hardware, fingerprints may provide the evidence you need. If you want to get fingerprint evidence from computer hardware, the best way to do that is to check the equipment out to a police or licensed expert third-party fingerprint technician/expert to obtain the fingerprint evidence. That's a totally different kind of forensics and should be turned over to experts in that area of forensics. Think about the hardware you tend to touch on a routine basis:

· Keyboard

· Printers

· Mouse

· Touchpad

· CD-ROM/DVD drive

· Laptop case

· Scanner lids

· Mobile device cradle (especially its buttons and switches)

· Keyboard-video-monitor (KVM) switches (if your office has more computers than monitors)

· Game controller

· Media storage units (CD/DVDs, tape, floppy cases, and drawers)

And the list goes on. Your investigation may not require you to establish that a user touched specific hardware, but be prepared do so when necessary.

Beyond the appeal of fingerprints, physical hardware is vital because it holds the most common target of an investigation—data. Because all data resides on some type of hardware, you need access to hardware to get at the data. Ensure that you have the proper authority to either seize or search the hardware before you continue.

What Else Can Hardware Tell You?

Pay attention to all clues that hardware provides. If you find an expensive, high-speed scanner attached to a suspect's computer, you should probably expect to find a repository of scanned documents on the computer or some server. If you are investigating possible confidential information disclosure and you do not find many scanned documents on the computer in question, look elsewhere for the documents. Few people invest in an expensive scanner unless they plan to use it. Look in not-so-obvious places for the scanned documents.

After you have proper authorization, you need to start cataloging the physical evidence. Different people choose different starting points. Some examiners start with the most prominent computer, normally the one in the center of the workspace. Others choose a point of reference, such as the entry door, as a starting point.

Regardless of where you start, move through the scene carefully and document your actions as you proceed. Start where you are most comfortable. The goal is to consider all physical evidence. Choosing a starting point and moving through the scene in a methodical manner makes it less likely that you will miss important evidence. Don't forget to look up! And down! And all around. Computer forensic evidence has even been found inside walls.

Follow all communications links. If a computer you are examining is connected to a network, follow the cable or scan for the wireless access point (WAP). Know how this computer is connected to other computers. Your investigation might need to expand to other computers connected to the investigation target. Be careful to avoid unnecessarily expanding the scope of your investigation, though. You might not need to examine all of the computers to which the target is connected, but you do need to know about any network connections.

wireless access point (WAP)

Network device that contains a radio transmitter/receiver that is connected to another network. A WAP provides wireless devices access to a regular wired network.

The crown jewels in most computer investigations are the computers' hard disk drives. By and large, most evidence lives on some hard drive. Issues surrounding hard disk drives are discussed later in this chapter in the section entitled "Evidence Preservation." However, remember that a hard disk drive is only one type of hardware. Take time to consider all types of hardware as you identify evidence for later analysis.

Let's apply our discussion to the real world. Suppose you arrive at the home of a suspected credit card thief. Local law enforcement officers have executed a search warrant and asked you to help in the investigation. You cannot seize anything, but you can search the computer and associated hardware. You take pictures and start looking around. You notice the normal hardware that surrounds computers, but there is one little black block that catches your eye. Closer inspection reveals a small credit card swipe device with a Universal Serial Bus (USB) cable. You know this could be the device used to read stolen credit cards. Great! Juries love things they can touch and see. Now you need to find where those stolen numbers are stored.

Removable Storage

Removable storage is commonly used for several purposes. You'll find files of all kinds lying around if you look. Refer to Chapter 2 for more detailed information about different types of hardware. Removable media are also common repositories for evidence.

Take some time to carefully inspect all removable or external media you find for possible use in your investigation. Think about how most people use such media. It generally serves these purposes:

· Data archival/backups

· Data transport

· Program installation

Real World Scenario

Tales from the Trenches: The Missing Man

Computer forensic examiners are sometimes called upon to locate missing individuals. One day I was contacted by the Chief Executive Officer of an Internet startup company and asked if I could come to his office to discuss a matter of some importance. Because his office was located only a few miles away, I said I would be there within the hour.

As soon as I arrived, the CEO greeted me, took me into his office, and closed the door. (This is always the sign that I am about to hear a really good story.) The CEO explained that the Vice President of Sales for the company had not reported to work in over a week. This was, to say the least, highly unusual. The CEO had contacted everyone he could think of, but he had been unable to locate the VP. He even drove to the VP's apartment and had the landlord check to see if everything was okay. When the landlord went inside, he found nothing, and I mean nothing. The entire apartment was empty. No clothing, no furniture, and of course, no VP.

The CEO asked me to examine the VP's desktop computer to see if I could locate any information as to where the VP might have gone and why he might have left. At this point, I asked the CEO if he had contacted the police yet. He said he had, but because there was no evidence of foul play, they only took a report and "would get back to him." The VP was not married and had no family, so there was really no one else looking for the VP besides the CEO. He went on to explain that the VP handled all the sales, marketing, and collections for the company, a large portion of running the business. Now, without him, the company was suffering.

The CEO escorted me to the VP's office and unlocked the door. I located the VP's desktop computer sitting on the desk and noted that it was powered off. I took digital photos of the office and the evidence and then I removed the hard drive from the computer so that I could take it back to my lab. Following normal procedures, I completed a chain of custody form and gave a receipt for the hard drive to the CEO. I let him know I would get back to him as soon as possible and inform him of what I found.

After creating a forensically sound image of the hard drive, I imported the image into a commercial forensic utility, the Forensic Toolkit from AccessData, and began looking for clues about what the VP had been doing prior to his disappearance. I located many graphics images of tropical beaches and real estate in Grand Cayman. I also located evidence that in the days just prior to his disappearance the VP had visited many Internet sites researching banking privacy laws in the Cayman Islands. Of course, I was beginning to suspect that the VP might have traveled to the Caymans. I located a copy of an online airline reservation for a one-way flight to the Island just over a week ago along with a hotel reservation for a two-week stay.

I had located the VP. Well, that was the good news. Now it was time to find out what the VP had been up to just prior to his departure and maybe figure out why he left. I reviewed a number of e-mail messages the VP had sent to and received from several of the company's clients. These messages said that these clients should send their payments for services rendered by the company to the company's new address and to please make all checks out to "Service Tech." He explained that this was a new division within the company that would be handling their accounts. I found that 18 different customers had received similar e-mails and responded to the VP acknowledging the change. I compiled my findings and made an appointment to speak with the CEO immediately.

Before I informed the CEO of my findings, I had to ask him a few questions. I let him know I thought I knew exactly where the VP was and why he left so quickly. I told him about the e-mail messages and asked him about the "Service Tech" division and the address change for billing. As I thought, the CEO had no idea what I was talking about. There was no "Service Tech" division and the billing address had been the same since the company was founded.

At that point I informed the CEO that it would be best if we contacted the police again, and he did so. The investigation ultimately found that the VP had opened a bank account in Grand Cayman in the name of "Service Tech" and deposited over $900,000 in checks from the company's customers. Law enforcement agents were able to locate the now ex-VP based on the information provided by my investigation, and most of the funds were eventually returned to the company.

This definitely isn't an example of a "normal day at the office," but it shows that the work computer forensic investigators do can be exciting and worthwhile.

The first two uses for removable or external storage are of the most interest to us. Although you may not be successful in finding evidence you need on a hard disk drive, always look for backups or other secondary copies. Be especially persistent when looking for historical evidence. Removable storage devices come in many shapes and sizes. In years past, the primary removable storage devices available to most users were floppy disks and magnetic tapes. Those days are long gone. You need to be on the lookout for other places to store evidence, including:

· Optical media, including CDs, DVDs, and Blu-ray Discs

· USB drives and storage devices

· eSATA and FireWire external hard disks

· Networked storage devices of all kinds (servers, NAS, SAN)

· Flash memory cards and UFDs

Generally, you will find two types of files on removable or external media: intentionally archived and transient.

· Intentionally archived files are copied to removable media to keep as extra copies, or they are copied prior to deleting originals. If you find a system that looks like it has been cleansed of suspicious files, start looking for backups. In fact, the presence of software that cleanses systems, such as Evidence Eliminator or Window Washer, generally means a user may be hiding something. It is a good bet that some evidence was copied to removable media before the last cleansing cycle.

· Many organizations that process large volumes of data often clear log files frequently. For example, many ISPs keep no activity logs longer than 30 days. You may find that an ISP archives old log files, but they may not. Don't depend on archived data. Removable storage is only one part of evidence collection.

· Transient files are files, or file remnants, that have been temporarily copied onto removable media. Such media is often used to transport data from one computer to another. Although files are commonly deleted from the media after they have served their purpose, you might find lingering files. In any case, you will probably find files you can at least partially recover. Few people take the time to securely cleanse removable media, though they may do so for external media.

Tip 

Removable and external media analysis is painstakingly slow. Most offices usually have a lot of such media lying around, and the devices used to read them can be far slower than most hard drives. Nevertheless, take your time and look at what is on each disk, tape, or device. Your rigor might pay off by producing evidence that cannot be found elsewhere.

The rule of thumb for removable and external media is to take all that you can legally find and seize. Subsequent analysis can be slow, but it can also yield evidence you won't find anywhere else.

Documents

The last type of common evidence is hard-copy documents. A hard-copy document is anything written that you can touch and hold. Evidence that consists of documents is called documentary evidence. Although this discussion is concerned with written evidence, recall from Chapter 3, "Computer Evidence," that data stored in computer files is also classified as documentary evidence. Printed reports, handwritten notes, cocktail napkins with drawings, and white boards are all examples of documentary evidence.

Note 

The most important characteristic of documentary evidence is that it cannot stand on its own. It must be authenticated. When you find suspicious files on a hard drive (or removable media), you must prove that they are authentic. You must prove that the evidence came from the suspect's computer and has not been altered since it was collected. Refer to Chapter 3 for a discussion of evidence handling.

Take pictures of all white boards and other writings. Carefully examine the crime scene for any documents that might be admissible as evidence. Look around the computer for sticky notes. It is amazing how many people keep passwords on sticky notes attached to the sides of their monitors. Also look around, behind, on top of, and under all hardware components. Another common place to hide notes is in, or under, desk drawers.

Back at the credit card investigation scene, you notice a white board on the wall during your site survey. It looks like it has been used a lot but it has been wiped clean. Fortunately for you, no one took the time to use cleaning fluid to clean the board. If you look closely, you can still read some of what was written and then erased. It looks like a list of filenames. You should (and do) write them down for later use.

Most people keep notes handy to jog their memories. Sit down at the subject's desk and look around carefully. Every scrap of paper is potential evidence. Look for written notes that contain either information directly related to the investigation or information that gives you some insight into the subject's activities. Look for any of these pieces of written information:

· Password

· Encryption key or pass code

· Uniform Resource Locator (URL)

· IP address

· E-mail address

· Telephone number

· Name

· Address

· Filename

· Upload/Download/Working directory

This list is just a sampler of information that could assist your investigation. Anything that helps point you toward or helps you access evidence is valuable. Most people write some things down so they can remember them. Look for those notes. They can help direct you to more evidence in a fraction of the time it would take to perform

Evidence Preservation

Before you can prove that you maintained the integrity of data you present as evidence, you must prove that you maintained the integrity of the hardware that contains the data. From the beginning of your investigation, you must take precautions, and document those precautions, to protect the hardware.

The main goal of evidence preservation is to ensure that absolutely no changes have taken place since the evidence was collected. Your collection and handling procedures will be examined. Take all necessary precautions to protect collected evidence from damage that might change its state. Static discharge is a significant concern. You must bring static protection devices with you to each investigation. Use them, and make notes to explain the steps you take to avoid inadvertent damage.

You will have to address several concerns throughout your investigation. Do not handle any evidence until you are absolutely sure you can legally acquire the evidence and that the collection and analysis process will not change that evidence. The following sections cover some of the general issues regarding evidence preservation.

Pull the Plug or Shut It Down?

One of the classic debates in computer forensic circles is the correct approach to handling a live system. If the computer system in question is operating when you approach it, should you turn it off? The question becomes more pronounced when you are brought in as part of an incident response team during an ongoing attack. Before you switch into investigator mode, you need to limit the extent of the damage. However, disconnecting the computer from the network or power supply can damage or destroy crucial evidence.

Let's assume you want to "freeze" the system as it is and immediately halt all processing. You can accomplish this by literally pulling the power plug out of the wall (or pull it from the back of the computer). Removing power immediately stops all disk writes, but it destroys anything in memory. Such an abrupt crash could also corrupt files on the disk. You may find that the very file you want to use as evidence has been corrupted by the forced crash.

One client once unknowingly tested their disaster recovery plan in a very real way. Early one morning, the UNIX computer that hosted the company's central database had the power cord pulled from the back of the computer. When power was restored, the file system detected one file that was hopelessly corrupted and promptly deleted it. Unfortunately, that file was a core database file, so the client lost their entire database. Fortunately, the backup process had been completed only 15 minutes prior to the crash, and no data had been entered afterward. Although newer operating systems tend to behave less destructively, be aware that a sudden loss of power can produce negative results.

On the other hand, you may want to perform a proper system shutdown. Although shutting a system down protects any files from accidental corruption, the shutdown process itself writes many entries to activity log files and changes the state of the evidence. Further, a suspect computer could run procedures that cleanse log files on shutdown. Thus, a proper shutdown might wipe out crucial evidence.

A third option is to leave the system up and running. Several of the popular computer forensic software suites support live forensics. With a small footprint, these tools allow you to take a snapshot of the entire system, including memory and disks, while it is still running. The easiest way to do this is to install the small monitor program on the computer prior to any incidents. Of course, this approach only works if you have a manageable number of workstations and you have the authority to install such programs. This is possible in an environment where the organization owns the hardware and can dictate what software is loaded. If you are fortunate enough to deploy forensic software on all of the computers in your organization, the forensics process can be greatly simplified.

You can still run live forensics even if you have had no previous access to the computer. One common way to do this is to carry the required forensic software on a USB drive. You can run the forensics directly from the USB drive, and save any output to that drive as well. This option gives you the ability to take a snapshot of the live system without changing its state. The availability of large-capacity USB drives that fit on a key ring makes it possible to carry your entire tool set with you inconspicuously wherever you go.

Returning to the credit card investigation scene, you need to look for the files that match the name found written on the white board. Because you carry your USB flash drive preloaded with the forensic program ProDiscover Incident Response from Technology Pathways (www.techpathways.com), all you have to do is plug in the USB drive, run the program, and begin examining the evidence.

Note 

We haven't talked about specific forensic tools at this point, but stay tuned. We cover many of the most common hardware and software tools used in computer forensic investigations in Chapter 8, "Common Forensic Tools."

You immediately have access to the utility you need to search for the files in question. Because you can only search the suspect's computer and not seize it, you need to search the drive without copying it first. That may sound like a strange restriction, but you'll probably run into many interesting situations as an investigator. Now, search away!

Proving That a Forensic Tool Does Not Change the Evidence

If your investigation ends up in court, be prepared to provide evidence that the tools you use do not corrupt the evidence. That can be a tough sell if you try to prove this by yourself. An easier course is to use commercially available forensic tools that have already been accepted by courts. If in doubt, ask a local law enforcement contact which tools are accepted in local courts. If you use tools a judge has seen before, you are likely to avoid a lot of wasted time. Another valuable resource is the Computer Forensic Tool Testing (CFTT) Project from the National Institute of Standards and Technology or NIST (www.cftt.nist.gov).

Supply Power As Needed

Some types of evidence require uninterrupted power to maintain memory contents. The most common type of hardware in this category is the personal digital assistant (PDA) and some cell phones. PDAs and cell phones can contain valuable evidence. They also come in a variety of shapes and sizes. You can find traditional hand-held PDAs, as well as PDAs that are integrated into mobile devices, wireless phones, and even wristwatches. Regardless of their design, some cell phones and PDAs share a common trait: when the power runs out, the data is lost. (Note: smartphones usually include flash memory cards where they store information, so that running out of power or a dead battery doesn't result in data loss.)

Let's assume you find a gold mine of information on a suspect's PDA or cell phone. You extract the information and analyze it to find just what you were looking for. After a job well done, and after the self-congratulations, you lock up all the evidence in the evidence locker and await the assigned trial date. When your trial date arrives, you open the evidence locker and find that the battery has run out of juice. Your original evidence is gone. Well, your analysis report should still exist. You can proceed with documentation of your findings, but it would be a lot easier to show the device with the data still on it. Although you know what was there, it no longer corresponds to the device from which it was originally taken.

If you seize devices that require power to maintain data, seize their chargers as well. Make sure you either seize the charger or are prepared to buy a charger for that device. Also be prepared to explain your actions in court. Another interesting feature of PDAs is that their very operation changes the stored data. You may have to explain to a judge or jury how PDAs keep track of current time in order to notify the user of timed events. Be careful when asked if the data in the PDA has changed since it was seized; it has. It is also highly recommended to place mobile devices and cellular phones into a product like the StrongHold Bag from Paraben Corporation (http://www.paraben.com/stronghold-bag.html) to block electronic wireless signals from reaching the devices and further changing the evidence. You simply have to explain that the evidence in question did not change.

Provide Evidence of Initial State

So, you have the system you need to analyze. How do you poke around the data and convince a judge or jury that you didn't change anything in the process? If you're talking about a disk drive, the answer is really quite simple. Just take a snapshot of the contents of the drive before you touch anything, and then compare the snapshot to the drive after your analysis. If they are the same, you didn't change anything.

The most common method for performing a drive integrity check is to calculate a hash for the entire drive. A hash is a unique value generated for a collection of data. It is a "signature value," which means that if any single bit in the hashed data set changes, so also will the hash value. Most forensic tool sets include a utility to calculate some kind of hash value, usually a Message Digest 5 (MD5) or Secure Hashing Algorithm Version 1.0 (SHA-1) hash value. Although other valid methods exist to generate a single value for a file, or collection of files, MD5 and SHA-1 hash values are the most common. Both algorithms examine the input and generate a single value, but SHA-1 is considered to be stronger and more mathematically secure than MD5. For either algorithm, any change to the input (in this case, an entire drive's worth of content) will result in a different hash value.

hash

A mathematical function that creates a fixed-length string from a message of any length. The result of a hash function is a hash value, sometimes called a message digest. Hash functions are one-way functions. That is, you can create a hash value from a message, but you cannot create a message from a hash value.

After you ensure the physical integrity of the media (static electricity counter-measures, stable workspace, etc.) you can mount the media and access it in read-only mode. It is important that you explicitly separate suspect media from other media during any access to the data. The only safe way to ensure that nothing changes the data on the drive is to use trusted tools to access the original evidence media only once. The only reason to directly access suspect media is to copy it for later analysis.

Write Blockers

When available, use a write-blocking device to access suspect media. You can use software or hardware write blockers (see Chapter 3). Software write blockers prevent any operating system write operations from modifying the media. In essence, a software write blocker lives between the operating system and the device driver. Any requests for writes to the media are rejected.

Hardware write blockers are physical devices that sit between the drive itself and its controller card. The cable that transmits write instructions and data is physically altered to disallow any writes. The hardware write blocker is harder to bypass and is generally easier to explain in court, so you should use it instead of the software write blocker if you can.

If you have no access to either software or hardware write blockers, you can mount media in read-only mode. You will have to meticulously document the mount options you use to provide evidence to the judge or jury that you allowed no writes during analysis.

State Preservation Evidence

After you mount the suspect media, the first step you take is to create a hash. Use your own utility or a tool from your forensic tool set to create an SHA-1 or MD5 hash of the entire media. This provides a reference to the initial state of the media, and you will use this reference throughout your investigation to prove that any copies you make have the same content as the original media. After the volume is mounted and you have calculated the hash, you can create a bit-for-bit copy of the suspect media. You will perform all further actions on this copy, not on the original media.

That's all you do with the original media. After the copy operation, discontinue access to the original. It is important that you follow these steps with each media device you analyze:

· Mount the suspect media in read-only mode (use a write blocker when possible).

· Calculate an SHA-1 or MD5 hash for the entire device.

· Create a bit-by-bit copy of the media.

· Recalculate the SHA-1 or MD5 hash for the original and for the copy: both must be identical to the original SHA-1 or MD5 hash.

· Unmount the media and return it to the evidence locker.

Note 

Take extra precautions to protect the original media and the initial hash. You will need both at the time of trial so that you can ensure that evidence you find is admissible. Even if your investigation does not go to court, being able to prove that your activities made no changes to a disk drive is helpful. You need the initial hash to substantiate that claim.

The next step in the investigative process is the most time-consuming. After you have copies of the original media, it is time to start the analysis.

Evidence Analysis

Before you begin your media examination, create a hash of the copy you made of the original media. Does it agree with the hash of the original? If so, you may proceed. If not, find out why. Perhaps you mounted the copy and allowed some writes to occur. Or perhaps the copy process was flawed. In any case, don't start the analysis until you have a clean copy (an exact copy of the original media, with the same hash).

Note 

Most computer forensic tool sets include utilities that create device copies and calculate checksums where appropriate. If you are using the UNIX operating system, you can obtain and use the md5sum utility to calculate checksums. Most Linux distributions include the md5sum utility as part of their command-line environment, but if yours is missing for some reason, check with the primary distribution download site for your Linux version to find a copy (thus, for example, you can download this utility through links on the ubuntu.com site at https://help.ubuntu.com/community/HowToMD5SUM). If you would like a Windows version of the utility, go to http://www.etree.org/md5com.html.

checksum

Checksum or hash sum is a method to detect errors in transmission or storage of data to determine if data has been altered. A checksum or hash performs a mathematical calculation on the data involved before it is sent to calculate a unique value conditioned by the content of the data itself. This calculation is repeated following reception of the data and if the two values agree it's assumed that the received data is identical to the sent data (even a change in a single bit will cause the hash or checksum value to change).

The next sections discuss how to approach media analysis. The actual analysis process is part science and part art. You must develop a sense of where to look first, and then possess the technical skills to extract the information. We'll focus on the high level overview here, as opposed to detailing specific actions you take with individual tools. Chapter 8 covers such tools, so we'll save those details and recommendations until then.

Knowing Where to Look

There is no easy answer to the question "Where do I look for evidence?" As with any investigation, not all evidence is clear or easily available. Some evidence is subtle, and some may be deliberately hidden or damaged. The specific type of evidence you are searching for depends on the goal of your investigation. If you are looking for evidence in a music CD pirating case, you will likely be searching for stored sound files. If you are gathering evidence in an e-mail fraud case, you will likely look at activity logs and e-mail-related files.

Let's get back to our credit card investigation example. Where should you look for credit card numbers? You know key credit card data includes the card number, expiration date, and possibly card owner information. That kind of information could be stored in a spreadsheet or a database. You search the hard disk for files that resemble the filenames you found on the white board. Unfortunately, you found nothing in the file system, deleted files, or in slack space. (The space on a hard disk where a file ends and the disk storage cluster ends is referred to as slack space , which is discussed in more detail in Chapter 6, "Extracting Information from Data".)

Where do you look next? In this investigation, you will look at removable and external media. We'll rejoin that investigation a little later.

You must be comfortable with the operating system running on the suspect computer. You might be using UNIX-based forensic tools, but if the suspect media is an image of the primary drive from a Windows computer, you'd better be comfortable with Windows as well. Default locations for files differ dramatically among various operating systems. In fact, file location defaults can even be different between releases in the same operating system family. Know the operating system with which you are working.

Activity logs and other standard files are commonly stored in default locations on many systems. Always look in those default locations for logs and configuration files. This step alone can tell you about the suspect. If all logs and configuration files live in the default locations, it is likely that the suspect did not implement security. On the other hand, if you find several applications using nonstandard paths and file storage locations, your suspect may have hidden incriminating files well.

Use every means at your disposal to understand what the suspect was trying to do with the computer. Consider all the supporting evidence uncovered so far. This is where documentary evidence you collect at the scene might be helpful. As you work through different types of evidence, your forensic tool set can help by flagging unusual data on the suspect media.

Good forensic tools help you by providing access to areas of a computer that can be used to hide data. But before you look for hidden data, look at the evidence that you can get to easily. Depending on what you are seeking, you might find it helpful to look where the suspect has been surfing on the Web. Look at the history and cache files for each web browser on the system, and then look at the cookies as well. Although web browsers allow you to look at some historical data, get a tool designed to explore web browser activity. Likewise, look into e-mail correspondence for each e-mail client installed on the computer.

Note 

Make absolutely sure you have the legal authority to examine a system. You may be allowed to look for only certain type of files or activity. Do not exceed your authority.

As mentioned previously, we'll discuss specific forensic tools in Chapter 8. For now, let's look at a few of the different types of tools you'll need in the computer forensic process.

Viewers

File viewers provide small images of file contents. These programs scan a directory for files that match your criteria and show what is in those files. Viewers are great for finding pictures or movie files. Although most use a file's extension to identify graphics files, some more sophisticated tools can look at a file's header to identify it as a graphics file.

file viewer

A utility that provides thumbnail images of files. Such tools are useful for scanning a group of files visually.

Some viewers also handle nongraphics file types, such as word processing files. The advantage of a viewer tool is that it provides visual representations for the files it finds. This can make scanning for inappropriate pictures far easier than looking at images individually.

Extension Checkers

Another useful forensic tool is an extension checker. This type of tool compares a file's extension with its actual data type. One favorite method for hiding data from casual users is to change the file extension. For example, if you want to hide the image file named blueangels.jpg, you could rename it to blueangel.db, or even something totally obscure, such as br.549. An extension checker utility looks at the extension and compares it to the file's actual header. Any discrepancies are reported as exceptions.

extension checker

A utility that compares a file's extension to its header. If the two do not match, the discrepancy is reported.

Unerase Tools

Most people are familiar with unerase tools to recover deleted files. These tools have been around the DOS and Windows worlds for years. On older Windows versions, a simple unerase tool can recover files easily. Newer operating systems complicate this process, but files placed in the Recycle Bin can often be recovered with the help of forensic utilities, even if the Recycle Bin has been emptied. File-recovery utilities, available for nearly all file systems in use today, help in identifying and restructuring deleted files.

unerase tool

A utility that assists in recovering previously deleted files. In some cases, files can be completely recovered. At other times, only portions of a file can be recovered.

Searching Tools

Forensic examiners must often search large numbers of files for specific keywords or phrases. Several searching tools support such large-scale searches. An investigation may turn up certain words or phrases that can identify evidence. Searching for known IP addresses, e-mail addresses, or people's names can link bits of evidence together.

searching tool

A tool that searches for patterns (mostly string patterns) in large file collections.

Wading through a Sea of Data

The first thing you will notice when you start to use the tools discussed in the previous section is the enormous volume of results that they return. No matter how narrowly you define the scope of your activities, you end up with more data than you can use. Your job is to sift through that data and to extract only pertinent information.

Log files provide great audit trails for system activity. They can tell you nearly every event that occurred within a specific scope. For example, web server log files can keep track of every request from and response to web clients. However, most applications allow for minimal logging to avoid performance impacts. Before you spend too much time looking through log files, be sure you understand what level of detail each application log contains.

A couple of tools can make analysis of log files easier:

· Log file scanner Log scanner utilities do little more than scan log files and extract events that match a requested event pattern. For text log files, a simple text search utility could provide a similar result in some cases. Most log file scanners make this process easier by allowing queries for specific times that involve certain events.

· Log-based IDS This type of intrusion detection system (IDS) provides a convenient method to analyze multiple log files. When searching for activity consistent with a network intrusion, let the IDS look at log files and highlight suspicious activity. This information is not helpful for every investigation, however.

In some cases, you can use tools to help analyze data. In other cases, you must physically examine all of that data yourself. In either case, one of the more difficult aspects of computer forensics is the process of separating the evidence that matters from everything else.

Sampling Data

Sometimes you will find that the volume of data is so large that there is no feasible way to examine it all. Some log files contain so much detail that it is nearly impossible to use it all. You might be able to process it, but the amount of useful evidence can be overwhelming.

Any time you have more data than is practical, consider taking samples of such data. You can use data sampling for input and output data. For example, suppose you are analyzing a large drive with more than a million photos. Your job is to find out if there are any images of classified equipment. One way to approach this task is to use a viewer utility on an arbitrary collection of pictures. Determine whether patterns exist. If you find from looking at samples of 25 pictures that files are organized by department, you can use this additional information to narrow your search.

On the other end of the spectrum, suppose your search yields 5,000 pictures of classified equipment. You would not want to submit all 5,000 pictures as evidence. Too much evidence can be overwhelming if presented all at once. Instead of submitting all 5,000 pictures, you may want to select a representative sample to submit, along with information describing the remaining pictures in that group. All 5,000 pictures could be entered as evidence, but only the sample needs to be presented. The same approach applies to log file entries. Whenever a large volume of data or large number of redundant data exists, use a representative sample to present the whole data set.

Evidence Presentation

After analysis is complete, it's time to present results. The goal in any case is to persuade the audience using evidence. Your audience might be a judge, jury, or a group of managers meeting in a conference room. Your goal is to use the evidence you have collected to prove one or more facts. Even with great evidence, the success of a case often depends how effectively the evidence is presented.

This section covers some basic ideas to remember when presenting evidence. These ideas are simple and common in many presentations. Though simple, they are important and bear repeating.

Know Your Audience

Before presenting any topic, get to know as much about your audience as possible. Know why they are willing to listen to you and what they expect to learn from your presentation. A group of Information Services (IS) managers will have different expectations and motivations than a jury in a criminal trial. The more you know about them, the better you can deliver a convincing presentation.

Do Your Homework

When possible, find out who will be in your audience. If you are presenting evidence in a court of law, you will know quite a lot about the judge and the jurors. It may take more work to find out about your audience when presenting to other groups. Try to get as much basic demographic information about audience participants as possible.

For example, if you find you are presenting to a group of IS managers, your presentation will probably be different than if you were speaking to a group of auditors. Although the content will be the same, the tone and presentation style may differ. The better you know and understand the needs of your audience, the better your presentation will come across.

Another common presentation venue is a trade show or convention. You may be asked to present findings from an actual case you worked on. In this setting, there is a better chance that an audience will be more IS literate and technically minded. Organize your presentation to interest your audience. Take the time to do your homework, and develop the ability to speak to the needs and interests of your audience.

Read the Room

After you begin your presentation, attend carefully to the response you receive from your audience. Sometimes you will see rapt attention in their eyes as they hang on every word of your descriptions of the evidence. The other 98 percent of the time, though, the response is likely to be blank stares of mild interest. Seriously, always watch for signs of boredom. When you do see blank stares and fidgeting, change your pace, your tone, or even your approach. Remember: It is nearly impossible to bore someone into believing you.

Far too many presenters ignore their audiences. They might have a canned presentation, and they deliver it the same way regardless of the audience. You can't do that and be successful as a computer forensic examiner. You may or may not be called upon to present the evidence you uncovered, but you should be prepared nonetheless. Skilled presenters aren't necessarily less boring than anyone else—they simply know how to detect boredom early on and what to do about it. Many fine texts cover presentation techniques. Browse a few of them for some ideas on getting your point across.

Presenting facts is quite simple. Follow these basic steps:

· Tell what you did.

· Tell why you did it.

· Tell how you did it.

· Tell what you found.

Think about what you would want to hear if you were in the audience. The facts remain the same, but the delivery approach must change to appeal to each audience. For example, technical audiences like facts and "how-to" information. Managers tend to like higher-level pitches. For a group of managers, skip the gory details and talk more about the big picture. Although you focus on big-picture topics, be prepared to answer detailed questions when they arise.

Speaking and presentation books cover far more on reading an audience. Remember that boring someone does little more than tune them out. A persuasive argument is rarely boring. Watch the audience and react to them. You will connect more effectively, and have a better chance of persuading them to consider seriously the points you present.

Target the Points

When planning a presentation, write an outline of the points you want to make. Always start with an outline, no matter how rough. Use the evidence and the process of collecting it to support or explain your points. A random list of evidence is likely leave an audience more confused than convinced. Get organized, and stay on point!

Take the time to list each point you wish to make, and then expand the points with evidence. The core of your presentation is the evidence, so your evidence should dictate the flow of the presentation. Your points should specifically address each piece or type of evidence, and your evidence should support each point in the presentation. Although the relationship between presentation points and evidence seems circular, the actual points should be the target of your initial outline.

Add to your initial outline until you have a structure that brings out all of the evidence you choose to present. The next section discusses the organization of a presentation. But don't worry about organization until you are confident that you are able to address each of the important points in your presentation.

Your points can be either generic or specific to a particular case. A generic outline might look like this:

· Initial site survey

· Evidence collection

· Evidence handling and storage

· Initial site analysis

· Data analysis

· Findings

Your initial outline should reflect your own style and comfort level. The important thing is to ensure that your presentation is clear and concise. Spend your audience's time wisely; don't waste it. Include all the information you need to and nothing more.

Tip 

Start with a simple outline. You don't have to produce a final product in one sitting. You can be far more productive when you get something into an outline, then go back over the material to edit it. Treat your outline as a brainstorm session and get everything you can remember into an outline. This makes sure you don't overlook crucial ideas while wrestling with the details.

Organization of Presentation

After you have an outline and a general flow, you need to consider how to organize your presentation. Although each presentation is different, you can use a few common rules of thumb. First, use a presentation method with which you are comfortable. If you are most comfortable drawing pictures as you go, set up a white board and dispense with the PowerPoint presentation. If you do use PowerPoint, plan for no more than 30 slides per hour. This guideline works well for general presentations. If you feel you need to spend more time on one topic, consider creating multiple slides for that topic. If you spend too much time on a single slide, it can become stale, and you risk losing your audience's attention.

Use what works best for your personality. Remember that the main purpose for your presentation is to present evidence you believe proves one or more facts in a case. Take the audience on a tour through the evidence trail that leads them to a conclusion about what happened that resulted in this case. Sometimes the presentation should take a chronological approach. At other times, a topical approach keeps consistency and cohesion.

Don't get locked into any particular type of organization. Think through what you want your audience to take away from your presentation. Use a flow and organization that makes sense to you and that leads the audience where you want them to go.

Tip 

The outline approach works best for us. Whether we are writing a report or developing a presentation, we always work from an outline. As the outline grows and matures, we expand the content into the final format. For presentations, we frequently use PowerPoint. We generally move from an outline to PowerPoint only when we have each slide listed and the major points for each slide. Experiment and find a method that works well for your style.

Keep It Simple

Above all else, use the KISS method when presenting technical information to others (even other technical people). The KISS method stands for "Keep It Simple, Stupid." It's a silly reminder to us all that complexity breeds confusion. Part of the challenge in any presentation of evidence is to make the complex seem simple. Always use the simplest techniques you can think of to present evidence.

KISS method

KISS stands for "Keep It Simple, Stupid." This acronym reminds us to avoid making things more complicated than they need to be.

Whenever possible, use visual aids. The common saying "a picture is worth a thousand words," is truer today than ever before. Humans process visual images far more efficiently than written words. Whenever you can use a picture, drawing, or chart to convey a concept with just a few words, use it. The audience will remember a picture far longer than any words you use to describe it. Use pictures of the crime scene. If your audience is nontechnical, use a picture of a disk drive to explain the process of searching for hidden files. (See Figure 4.1.) Always look for opportunities to simplify the presentation.

Figure 4.1: Graphics convey concepts efficiently.

Another decision you must make when planning a presentation is how much technology to use. Multimedia presentations with video and sound can be impressive, but they can also be distracting. Use technical props only when they simplify a presentation, not to impress your audience. Although some presenters use technology to add pizzazz to their presentations, this can come across as showy and insubstantial. In such cases, added technical features do not amplify the substance of the presentation.

Use technology when it enhances the audience's understanding. Don't use it when it merely adds complexity. A simple presentation allows an audience to concentrate on the evidence. Always remember to consider your audience as you develop your presentation. Don't make it too complex. Keep it simple, you-know-who!