
First Responders Course - Session 8 - Digital Evidence Collection [2004]


The eighth session from a two day course for potential first responders I ran for a large financial services client.


  1. Phil Huggins, February 2004
  2. Session outline:
     • Description
     • Acquisition Guidelines
     • Data Handling
  3. This phase collects data from a suspect system and saves it on a trusted server or disk. This data preserves the scene so that it can be introduced into court. A copy of this data can be used in the forensic lab. Different amounts of data are gathered depending on the scenario.
  4. Document the crime scene and all actions that you take. You may need to testify exactly what you did, so even record the mistakes.
     • Record all serial and part numbers of hard drives, servers, and other equipment.
     • It helps to make labels for the hard drives with comments on them.
     • Use a digital camera to record what cables are connected to what.
     Minimize system activity:
     • Kill schedulers.
     • Do NOT make a backup using normal backup software and hardware.
     • Do NOT reconfigure the system.
     • Do NOT install new software (use a CD if necessary).
     Acquire the data as soon as possible, otherwise it may change.
  5. Maintain Chain of Custody (CoC) forms at all times. After the data is acquired, make an MD5 checksum of it and record it in a notebook. This value should be verified periodically during the analysis. For static data, such as a hard disk, the MD5 of the original and the copy should be verified after acquisition.
  6. Any data that could be entered into court must have a Chain of Custody (CoC) form with it. A CoC form identifies who was responsible for the data at a given time. Ensure this is created and maintained throughout the acquisition and investigation.
  7. To keep the chain of custody, transport data with a trustworthy courier. Keep the shipping statement with the CoC form. If flying, it is best to carry the drives instead of checking them in. As this is usually not possible with increased security checks and other luggage, such as a laptop, a courier may still be the best option. The data should be stored in a secure place at all times. A dedicated forensics lab should contain a safe with security cameras.
  8. For each system that you work on, fill out a System Description form. This form could contain fields for:
     • Manufacturer, model number, serial number
     • Operating system type
     • Number of hard drives, with model and serial number
     • MAC address of network card(s)
     • Physical security of the system
     • Owner's name
     • Time it was acquired from the owner and when it was given back
  9. All hard drives look alike. The Hard Drive Form keeps track of which drive contains what data and where it has been installed. These should be created for both evidence drives and suspect drives. Labels and Post-It notes are also useful to mark the contents of drives (but they can fall off!). Document when jumpers are moved and which systems the drive has been installed in.
  10. Acquisition procedure:
     1. Document the scene using a notebook and a System Acquisition Form. If possible, unplug the system from the network and plug it into an empty hub or switch.
     2. If the system has not been rebooted since the incident was detected, collect volatile data. This should be done with trusted binaries on a CD or floppy.
     3. If the system can be turned off, then unplug it for static data acquisition. If it cannot be turned off, then perform static data acquisition over the network.
     4. After the acquisition, create a Chain of Custody form and maintain control of the data at all times.
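Slide 5 (hash the acquired data, verify original against copy, re-verify during analysis) and step 4 of slide 10 (keep control of the data after acquisition) in working form, as an added example that is not part of the original course material: it hashes an image in blocks, compares an original with its copy, re-checks a file against the value recorded in the notebook, and formats a notebook/CoC line. MD5 is what the 2004 slides specify; recording SHA-256 alongside it is an addition here, since MD5 alone is no longer collision-resistant. The file names, case id and examiner name are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so a full disk image never has to fit in memory


def hash_image(path):
    """MD5 (as on the slide) and SHA-256 digests of an acquired image or evidence file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_copy(original_path, copy_path):
    """Slide 5: after a static acquisition, the original and the copy must hash identically."""
    return hash_image(original_path) == hash_image(copy_path)


def recheck(path, recorded_md5):
    """Slide 5: periodic re-verification against the value written in the notebook."""
    return hash_image(path)["md5"] == recorded_md5


def hash_record(path, case_id, examiner):
    """One notebook / CoC line: case, file, digests, who computed them and when (UTC)."""
    d = hash_image(path)
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{case_id} | {os.path.basename(path)} | md5={d['md5']} | sha256={d['sha256']} | {examiner} | {ts}"


def demo():
    """Constructed sample: a fake image, a faithful copy, a copy with one byte changed, and an empty file."""
    d = tempfile.mkdtemp()
    orig, good, bad, empty = (os.path.join(d, n) for n in ("suspect.dd", "copy.dd", "tampered.dd", "empty.dd"))
    data = b"MBR" + b"\x00" * 4093 + b"evidence"  # constructed bytes, not a real disk image
    for p, content in ((orig, data), (good, data), (bad, data[:-1] + b"X"), (empty, b"")):
        with open(p, "wb") as f:
            f.write(content)
    recorded = hash_image(orig)["md5"]  # the value that would be written into the notebook
    return verify_copy(orig, good), verify_copy(orig, bad), recheck(orig, recorded), hash_image(empty)["md5"]


if __name__ == "__main__":
    print(demo())  # (True, False, True, 'd41d8cd98f00b204e9800998ecf8427e')
```

The copy with a single altered byte fails `verify_copy`, which is exactly the condition the slide's original-versus-copy check is meant to catch before the copy goes to the lab.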