First Responders Course - Session 8 - Digital Evidence Collection 
Phil Huggins, February 2004
Outline: Description; Acquisition Guidelines; Data Handling
This phase collects data from a suspect system and saves it on a trusted server or disk. This data preserves the scene so that it can be introduced into court. A copy of this data can be used in the forensic lab. Different amounts of data are gathered depending on the scenario.
Document the crime scene and every action you take. You may have to testify to exactly what you did, so record the mistakes too. Record all serial and part numbers of hard drives, servers and other equipment; labels on the hard drives with comments on them help. Use a digital camera to record which cables are connected where.
Minimize system activity:
Kill schedulers (cron, at and the like) so that no scheduled job alters the disk while you work.
Do NOT make a backup using normal backup software and hardware: backup tools copy only allocated files, miss unallocated space and slack, and update the access times you want to preserve.
Do NOT reconfigure the system.
Do NOT install new software; run your tools from a CD if necessary.
Acquire the data as soon as possible; otherwise it may change.
Maintain Chain of Custody (CoC) forms at all times. After the data is acquired, compute an MD5 checksum of it and record the value in a notebook. Re-verify this value periodically during the analysis. For static data, such as a hard disk, verify immediately after acquisition that the MD5 of the original and of the copy match. MD5 collisions have since become practical, so record a second hash such as SHA-256 alongside the MD5; the procedure is otherwise unchanged.
Any data that could be entered into court must have a Chain of Custody (CoC) form with it. A CoC form identifies who was responsible for the data at a given time. Ensure it is created and maintained throughout the acquisition and the investigation.
To keep the chain of custody, transport data with a trustworthy courier and keep the shipping statement with the CoC form. If flying, it is best to carry the drives rather than check them in; as this is often not possible with increased security checks and other luggage such as a laptop, a courier may still be the best option. Store the data in a secure place at all times. A dedicated forensics lab should have a safe covered by security cameras.
For each system that you work on, fill out a System Description form. This form could contain fields for:
Manufacturer, model number, serial number
Operating system type
Number of hard drives, with model and serial number of each
MAC address of the network card(s)
Physical security of the system
Owner's name
Time it was acquired from the owner and when it was given back
All hard drives look alike. The Hard Drive Form keeps track of which drive contains what data and where it has been installed. Create one for each evidence drive and each suspect drive. Labels and Post-It notes are also useful to mark the contents of drives (but they can fall off!). Document when jumpers are moved and which systems the drive is installed in.
1. Document the scene using a notebook and a System Acquisition Form. If possible, unplug the system from the network and plug it into an empty hub or switch.
2. If the system has not been rebooted since the incident was detected, collect volatile data. Do this with trusted binaries on a CD or floppy, not with the binaries on the suspect system, which may have been replaced by the intruder.
3. If the system can be turned off, unplug it for static data acquisition. If it cannot be turned off, perform the static data acquisition over the network.
4. After the acquisition, create a Chain of Custody form and maintain control of the data at all times.
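The four steps above, as an added example that is not part of the original course material: a small POSIX shell script that performs the static acquisition of step 3 with dd, takes MD5 and SHA-256 of the original and the copy, appends them with a timestamp and operator name to a log whose values go into the notebook and the CoC form of step 4, and re-checks them on demand. It assumes GNU coreutils (dd, md5sum, sha256sum, date, mktemp); the device names, the evidence server address 192.0.2.10, the port 9000, the CD mount point and the OPERATOR variable are illustrative.

```shell
#!/bin/sh
# Added example for this session (not from Phil Huggins' original slides):
# image a disk with dd, hash original and copy, and append a record to a
# chain-of-custody log. Assumes GNU coreutils (dd, md5sum, sha256sum, date,
# mktemp); all paths, the evidence-server address and the port are hypothetical.
set -u

# Print "md5 sha256" for a file. Two hashes: MD5 follows the course's
# procedure, SHA-256 guards against MD5 collisions.
hash_file() {
    m=$(md5sum "$1" | cut -d' ' -f1) || return 1
    s=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    printf '%s %s\n' "$m" "$s"
}

# acquire_image SOURCE DEST LOG
# Bit-for-bit copy of SOURCE (a device such as /dev/hda, or a file) to DEST.
# Plain dd is used on purpose: conv=noerror,sync keeps going over bad sectors
# but pads short blocks with zeros, so expect a hash mismatch if you need it.
# Hashes go to LOG with a UTC timestamp and the operator's name (OPERATOR
# environment variable), the values you copy into the notebook and CoC form.
acquire_image() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1
    src_h=$(hash_file "$src") || return 1
    dst_h=$(hash_file "$dst") || return 1
    printf '%s operator=%s source=%s dest=%s source_md5_sha256="%s" dest_md5_sha256="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${OPERATOR:-unknown}" \
        "$src" "$dst" "$src_h" "$dst_h" >> "$log"
}

# verify_image SOURCE DEST
# Returns 0 when both hashes of SOURCE and DEST agree, 1 on a mismatch,
# 2 if a file could not be hashed. Run it right after acquisition and again
# periodically during the analysis.
verify_image() {
    a=$(hash_file "$1") || return 2
    b=$(hash_file "$2") || return 2
    if [ "$a" = "$b" ]; then
        printf 'VERIFIED %s and %s: %s\n' "$1" "$2" "$a"
        return 0
    fi
    printf 'MISMATCH %s (%s) vs %s (%s)\n' "$1" "$a" "$2" "$b" >&2
    return 1
}

# Network variant for a system that cannot be powered off (step 3): run dd from
# the trusted CD on the suspect host and stream it to the evidence server.
# netcat flags differ between versions; "-l -p" is the GNU netcat form.
#   suspect$  /mnt/cdrom/bin/dd if=/dev/hda bs=4096 | /mnt/cdrom/bin/nc 192.0.2.10 9000
#   server$   nc -l -p 9000 > /evidence/case-0001/hda.dd
# A live disk keeps changing underneath you, so re-reading /dev/hda to hash it
# will not match the image; hash the stream as it is read (tee it into md5sum)
# and compare that value with hash_file on the server side.

# Demo on a constructed file so the script runs offline:  sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf 'constructed sample disk contents\n' > "$work/suspect.dd"
    OPERATOR=responder acquire_image "$work/suspect.dd" "$work/evidence.dd" "$work/coc.log"
    verify_image "$work/suspect.dd" "$work/evidence.dd"
    cat "$work/coc.log"
fi
```

Run it with `--demo` to see the log line and the VERIFIED message; in practice call verify_image against the evidence copy each time the drive changes hands or before a new round of analysis, and write the printed hashes into the notebook by hand as the slides require.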