Computer evidence requires the same chain of custody procedures as other types of evidence. The custodian must strictly control access and keep accurate records to show who has examined the evidence and when. When evidence is presented to a court, council must be ready to show that the “thing” they offer is the same “thing” originally seized. “When that evidence is not distinctive but fungible (whether little bags of cocaine, bullet shell casings, or electronic data), the &quot;process or system&quot; (to use the language of Fed. R. Evid. 901(b)(9)) which authenticates the item is a hand-to-hand chain of accountability.”  Fungible adj.: (law) of goods or commodities; freely exchangeable for or replaceable by another of like nature or kind in the satisfaction of an obligation. This means to the computer forensic examiner that they must have a continuing awareness that all the actions that they take during a technical examination are subject to review by all parties in a civil or criminal investigation. The procedures detailed below will assist in providing a guideline for handling and processing computer-related evidence.  Federal Guidelines for Searching and Seizing Computers , Page 119.
Prevent the subject from having access to the system. This means: Remove them from keyboard from the moment you begin the search Disable any access they have to the network they are on Don’t allow them to “assist” you with your examination of the computer General Principles during Evidence Collection Adhere to your site's Security Policy and engage the appropriate Incident Handling and Law Enforcement personnel Capture as accurate a picture of the system as possible. Keep detailed notes. These should include dates and times. If possible generate an automatic transcript. (e.g., The 'script' program can be used, however the output file it generates should not be to media that is part of the evidence). Be prepared to testify (perhaps years later) outlining all actions you took and at what times. Detailed notes will be vital. Minimize changes to the data as you are collecting it. This is not limited to content changes; you should avoid updating file or directory access times. Remove external avenues for change. When confronted with a choice between collection and analysis you should do collection first and analysis later. Though it hardly needs stating, your procedures should be implementable. If possible procedures should be automated for reasons of speed and accuracy. Be methodical. Speed will often be critical so your team should break up and collect evidence from multiple systems (including network devices) in parallel. However on a single given system collection should be done step by step, strictly according to your collection procedure. Proceed from the volatile to the less volatile (see the Order of Volatility below). You should make a bit-level copy of the system's media. If you wish to do forensics analysis you should make a bit-level copy of your evidence copy for that purpose, as your analysis will almost certainly alter file access times. Avoid doing forensics on the evidence copy. Chain of Custody You should be able to clearly describe how the evidence was found, how it was handled and everything that happened to it. The following need to be documented Where, when and by whom was the evidence discovered. Where, when and by whom was the evidence handled or examined. Who had custody of the evidence, during what period. How was it stored. When the evidence changed custody, when and how did the transfer occur (include shipping numbers, etc.). Portions of the above are from “Guidelines for Evidence Collection and Archiving” by Dominique Brezinski and Tom Killalea which is a draft document
A common practice is to make at least two copies of the evidential computer. One of these is sealed in the presence of the computer owner and then placed in secure storage. This is the MASTER copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy. If the computer itself has been seized and held in secure storage by the Police, this will constitute &quot;best evidence&quot;. If the computer has not been seized then the MASTER copy becomes best evidence. In either case, the assumption is that whilst in secure storage there can be no possibility of tampering with the evidence. This does not protect the computer owner from the possibility that secured evidence may be tampered with. A growing practical problem with this method of evidential copying occurs not with the security aspect but because of the increasing sizes of fixed disks found in computers. A size of 2 Gigabytes is no longer unusual and it is common to find more than one fixed disk within a single machine. The cost of the media is decreasing slowly but this is still significant when considering the quantity of information to be copied and stored (even though the system does allow for media re-use). There is also the problem of the length of time individual copies may take to complete. A sizable saving in both time and expense might therefore be achieved if an alternative method of evidential security could be arranged. SafeBack is a sophisticated evidence preservation tool that was developed specifically for the U. S. Treasury Department in the processing of computer evidence. It is a unique piece of software that has become an industry standard in the processing of computer evidence around the world. SafeBack can also be used covertly to duplicate all storage areas on a computer hard disk drive. Drive size creates essentially no limitation for this unique computer forensics tool. SafeBack is used to create mirror-image backup files of hard disks or to make a mirror-image copy of an entire hard disk or partition. Backup image files can be written to essentially any writeable magnetic storage device, including SCSI tape backup units. SafeBack preserves all the data on a backed-up or copied hard disk, including inactive or 'deleted' data. Cyclical redundancy checksums (CRCs) distributed throughout the backup process enforce the integrity of backup copies to insure the accuracy of the process. Backup image files can be restored to another system's hard disk. Remote operation via parallel port connection allows the hard disk on a remote PC to be read or written by the master system. A date and time stamped audit trail maintains a record of SafeBack operations during a session and software dongles are not involved or required for operation. From an evidence standpoint, SafeBack is ideal for the computer forensics specialist because the restored SafeBack image can be used to process the evidence in the environment in which it was created. This is especially important when system configurations and/or application settings are relevant to the display or printing of the evidence.
It should be acknowledged that almost all forensic examinations of computer media are different and that each cannot be conducted in the exact same manner for numerous reasons, however there are four essential requirements of a competent forensic examination. These are: Forensically sterile media must be used, many utilities are available that will clean media to government security standards Any examination must maintain the integrity of the original media Positive control must be maintained for all attempts by software or hardware to write to the examined media Examination results must be properly marked, controlled and transmitted.
In many instances a complete examination of all of the data on media may not be authorized, possible, necessary or conducted for various reasons. In these instances, the examiner should document the reason for not conducting a complete examination. Some examples of limited examinations would be: The search warrant or the courts limit the scope of examination. The equipment must be examined on premises. (This may require the examination of the original media. Extreme caution must be used during this type of examination.) The media size is so vast that a complete examination is not possible. The weight of the evidence already found is so overwhelming that a further search is not necessary. The material required to prove the case is very specific and addition examinations would be unnecessary or of no value. It is just not possible to conduct a complete examination because of hardware, operating systems or other conditions beyond the examiner’s control.
Slack Space The unused space in a disk cluster . The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file . The unused space is called the slack space. DOS and older Windows systems use a 16-bit file allocation table (FAT) , which results in very large cluster sizes for large partitions . For example, if the partition size is 2 GB , each cluster will be 32 K . Even if a file requires only 4 K, the entire 32 K will be allocated, resulting in 28 K of slack space. Windows 95 OSR 2 and Windows 98 resolve this problem by using a 32-bit FAT ( FAT32 ) that supports cluster sizes as small as 4 K for very large partitions. Unallocated space The space on a hard drive that is not reserved for use by a file in the file allocation table. Where data may be hidden - Word processing programs routinely store backup files of the document that is currently being worked on. - System programs routinely use portions of files currently in use to fill in blank or dead spots at the end of saved files. This means that portions of a document that is prepared or viewed on a computer could be stored in several locations on the computer ’ s hard drive without the operator ’ s knowledge. (ie slack space)
A graphical chart can help investigators establish the most significant areas of an investigation and aid decision makers in effectively allocating resources. Etrust Network Forensics can provide this graphical representation and can be used in techniques such as link analysis involved in any type of fraud investigation. As the relationships between individuals, accounts, and calling volumes are uncovered, the graphs grow in complexity. Investigators can then focus on individual aspects of their case, producing simplified charts that cut to the heart of the case. As data is captured from various sources and organized, investigators need to clearly understand which pieces of information are relevant, how they relate to each other, and what it means to their case. Investigators assigned to cases can use Etrust Network Forensics to uncover hidden links in their data and focus on the most likely suspects. Etrust Network Forensics can be commonly used in investigations to help identify the following: New investigation targets Significant links, patterns and dates New hot numbers for fraud detection systems
Computer Forensics Neil Greenberg
Forensics Page Specializing in or having to do with the application of scientific knowledge to legal matters, as in the investigation of a crime.
Computer Forensics Page Computer forensics is the process of collecting, preserving, and analyzing computers and computer media for the purpose of determining the presence of evidence.
Evidence Page Anything properly admissible in a Court, that will aid the function of a criminal / civil proceeding in establishing guilt or innocence.
How Used <ul><li>Computer forensics is used to discover evidence in a number of computer crimes, including espionage, industrial espionage, trade secret theft and theft or destruction of intellectual property. </li></ul><ul><li>It is also used to discover computer misuse by employees who are browsing inappropriate web sites or committing theft against the company. </li></ul>Page
Who Uses <ul><li>Criminal prosecutors – incriminating documents of homicide, fraud, child pornography and drug related activities </li></ul><ul><li>Civil Litigators – uses personal and business records from computer records in divorce, fraud, intellectual property, discrimination and harassment cases </li></ul>Page Focus of practice
Who Uses <ul><li>Insurance companies use computer records of billing and services to prove fraud in medical billing and accident cases. </li></ul><ul><li>Individuals may use examiners to assist in proving cases of wrongful termination, sexual harassment or discrimination. </li></ul>Page
Procedures <ul><li>Protect the subject computer system from damage, alteration, data corruption and virus introduction </li></ul><ul><li>Discover all file on the subject system including deleted, hidden and password protected files </li></ul><ul><li>Recover as much data as possible from deleted or obstructed data files </li></ul>Page
Procedures <ul><li>Access the contents of encrypted or password protected files as possible </li></ul><ul><li>Analyze all possible relevant data which may be discoverable but otherwise inaccessible such as slack space and unallocated space </li></ul>Page
Computer Evidence Vs. Other <ul><li>Connectivity of computers creates unusual issues: networks, file servers. Location of information becomes an issue </li></ul><ul><li>Technical issues are unique: encryption, hidden data </li></ul><ul><li>Often searching for intangibles, information in electronic form </li></ul>Page
Science Vs. Art <ul><li>A little of both </li></ul><ul><li>No two cases are the same </li></ul><ul><li>Start with plan A be prepared for plan Z </li></ul>Page
Protecting the Evidence <ul><li>Safeguarding the evidence is as important as any other step in the forensic process </li></ul><ul><li>Improperly handled evidence can be discarded in court </li></ul><ul><li>Those involved must be prepared to testify to how the evidence was handled </li></ul>Page
Collecting the Evidence <ul><li>Separate the subject from the evidence </li></ul><ul><li>Take only what you have to </li></ul><ul><li>Search for other useful information </li></ul><ul><li>Create a record to the material collected which will show a chain of custody </li></ul>Page
Data Replication <ul><li>Vital to prevent accidental writes to original evidence </li></ul><ul><li>Use forensically clean media for copies </li></ul><ul><li>Use software capable of making an exact image of the original and restoring an exact image </li></ul>Page
Replication Process <ul><li>Media from suspect system is removed and loaded into an examination system </li></ul><ul><li>If not removed from original, use trusted media to boot system </li></ul><ul><li>If replication software is not available or unusable, create a level 0 backup using standard system software and collect last set of backups </li></ul>Page
Exam System Replica <ul><li>Replica media is forensically cleaned </li></ul><ul><li>Copy of original copy is made </li></ul><ul><li>Original copy of media is returned to control </li></ul><ul><li>Exam of copy is conducted </li></ul>Page
Exam System Replica Alternate <ul><li>Instead of copy, image files are made approximately 600mb in size </li></ul><ul><li>Images are written to CD-R’s </li></ul><ul><li>The images are used to restore a copy of the original to forensically clean media </li></ul>Page
Performing an Examination <ul><li>Be aware of the subjects capabilities </li></ul><ul><li>Determine the scope for the examination </li></ul><ul><li>Document everything that is done during the exam </li></ul><ul><li>Use only legal copies of software to perform the examination </li></ul>Page
Basic Processing <ul><li>Verify that the system contains no viruses </li></ul><ul><li>Survey the contents of the system by producing a complete listing of the files on the media </li></ul><ul><li>Exam files for content </li></ul><ul><li>Look for erased </li></ul><ul><li>Look for hidden files </li></ul><ul><li>Where data hides </li></ul>Page
Verify Virus Free <ul><li>Viruses can infect the examination system resulting in lost time </li></ul><ul><li>May cascade to later exams if not check </li></ul><ul><li>Keep virus software up to date </li></ul><ul><li>Scan system often </li></ul>Page
Survey the Contents <ul><li>Gain a general understanding of the contents of the media </li></ul><ul><li>Pipe verbose dir or ls to a file to produce a listing of the files on the media if a question arrives later if a file or program was present on the media </li></ul><ul><li>Help to quickly focus the search for evidence </li></ul>Page
Examining File Content <ul><li>In most cases, relevant files are identified during the survey phase </li></ul><ul><li>File viewer software such as quick view plus will quickly view contents of files without the need to load applications </li></ul><ul><li>Relevant files are copied off for reference </li></ul><ul><li>Care must be taken if executing application software, typically done last </li></ul>Page
Erased Files <ul><li>Often found using unerase utilities </li></ul><ul><li>Disk editors will show erased files, more difficult to examine </li></ul>Page
Hidden Files <ul><li>Can be identified using utilities </li></ul><ul><li>Verbose directory listing may show </li></ul><ul><li>Review of TOC of media using a disk editor will show </li></ul><ul><li>Because a file is hidden, doesn’t mean its suspicious </li></ul>Page
Where Data Hides <ul><li>Slack space </li></ul><ul><li>Unallocated space </li></ul><ul><li>Temporary directories </li></ul><ul><li>Cache directories </li></ul><ul><li>Use a search utilities that is not bounded by files to search keyword to quickly locate data not in a file </li></ul><ul><li>Data not in a file can be recovered using a disk editor </li></ul>Page
Reporting <ul><li>Include detailed notes of things done during the examination </li></ul><ul><li>Include recovered files </li></ul><ul><li>May require additional note explaining processes that were not detailed during the recovery notes </li></ul>Page
The Challenge <ul><li>Maintaining control of the organizations trade secrets or intellectual property can be difficult given the current push toward global outsourcing of information management. </li></ul><ul><li>How can an organization understand who is sharing information with whom? </li></ul>Page
Intellectual Property <ul><li>Every organization has certain information that is crucial to the viability of the organization </li></ul><ul><ul><li>Manufacturing diagrams </li></ul></ul><ul><ul><li>Patient Information </li></ul></ul><ul><ul><li>Financial client data </li></ul></ul><ul><ul><li>Source code </li></ul></ul><ul><ul><li>Media files </li></ul></ul><ul><ul><li>Business methodologies </li></ul></ul><ul><ul><li>Salary information </li></ul></ul><ul><li>The loss of the right piece of information can quickly put an organization out of business and lead to a lengthy legal processes </li></ul>Page
Where is it Located? <ul><li>Difficult to answer since many organizations are sending data processing and other capabilities overseas </li></ul><ul><ul><li>Claims processing </li></ul></ul><ul><ul><li>Tech support </li></ul></ul><ul><ul><li>Software development </li></ul></ul><ul><ul><li>Design and manufacturing </li></ul></ul><ul><li>Greater risk of information leakage if sensitive data is placed overseas </li></ul>Page
Corporate Espionage <ul><li>Black market for competitive information </li></ul><ul><ul><li>Internal personnel can be bought </li></ul></ul><ul><ul><li>Hackers as “hired guns” </li></ul></ul><ul><li>Effective security processes </li></ul><ul><ul><li>Classification of data </li></ul></ul><ul><ul><li>Need to know validation </li></ul></ul><ul><li>Communications to sensitive data stores can also be monitored </li></ul>Page