Module IV - Digital Evidence

EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

News: Investigators Now Crack Crime Computers on The Spot

Source: http://news.cnet.com/

Module Objective

This module will familiarize you with:

• The Definition of Digital Evidence
• Characteristics of Digital Evidence
• Types of Digital Data
• Best Evidence Rule
• Federal Rules of Evidence
• International Principles for Computer Evidence
• The Scientific Working Group on Digital Evidence (SWGDE)
• Electronic Devices: Types and Collecting Potential Evidence
• Digital Evidence Examination Process
  • Evidence Assessment
  • Evidence Acquisition
  • Evidence Preservation
  • Evidence Examination and Analysis
  • Evidence Documentation and Reporting
• Electronic Crime and Digital Evidence Consideration by Crime Category

Module Flow

The module proceeds through the following topics:

• Definition of Digital Evidence
• Characteristics of Digital Evidence
• Types of Digital Data
• Best Evidence Rule
• Federal Rules of Evidence
• International Principles for Computer Evidence
• Scientific Working Group on Digital Evidence (SWGDE)
• Electronic Devices: Types and Collecting Potential Evidence
• Digital Evidence Examination Process: Evidence Assessment, Evidence Acquisition, Evidence Preservation, Evidence Examination and Analysis, Evidence Documentation and Reporting
• Electronic Crime and Digital Evidence Consideration by Crime Category

Digital Data

Definition of Digital Evidence

Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”

Digital information can be gathered while examining digital storage media, monitoring network traffic, or making duplicate copies of digital data found during a forensic investigation

Digital evidence is found in files such as:

• Graphics files
• Audio and video recordings and files
• Internet browser histories
• Server logs
• Word processing and spreadsheet files
• Emails
• Log files

Increasing Awareness of Digital Evidence

Businesses are facing the need to gather evidence on their networks in response to computer crime

Many organizations take legal remedies into account when attackers target their networks, and focus on gathering digital evidence in a way that will hold up in court

Government organizations are also paying attention to using digital evidence to identify terrorist activities and prevent future attacks

As a result, there is an increased expectation that computer forensic investigators have complete knowledge of handling digital evidence

Challenging Aspects of Digital Evidence

Forensic investigators face many challenges while preserving digital evidence, as it is a chaotic form of evidence and is critical to handle correctly

During the investigation, it can be altered maliciously or unintentionally without leaving any traces

Digital evidence is circumstantial, which makes it difficult for a forensic investigator to attribute the system's activity

It is an abstraction of some events: when the investigator performs some task on the computer, the resulting activity creates data remnants that give an incomplete view of the actual evidence

The Role of Digital Evidence

The role of digital evidence is to establish a credible link between the attacker, the victim, and the crime scene

According to Locard's Exchange Principle, “anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”

For example, at the time of the crime, if any information from a victim computer is stored on the server or the system itself, the investigator can trace that information by examining log files, Internet browsing history, etc.

Characteristics of Digital Evidence

Digital evidence must have certain characteristics to be presented in a court of law

Characteristics of digital evidence:

• Admissible: evidence must be related to the fact being proved
• Authentic: evidence must be real and related to the incident in a proper way
• Complete: evidence must prove the attacker’s actions and his innocence
• Reliable: evidence must not cast any doubt on its own authenticity and veracity
• Believable: evidence must be clear and understandable by the judges

Fragility of Digital Evidence

Digital evidence is fragile in nature

During the investigation of the crime scene, if the computer is turned off, data that has not been saved can be lost permanently

If the computer is connected to the Internet, the person involved in the crime may destroy the evidence by deleting the log files

After the incident, if a user ‘writes’ any data to the system, it may overwrite the crime evidence

Anti-Digital Forensics (ADF)

ADF is an approach to manipulate, erase, or obfuscate digital data

It makes forensic examination difficult, time consuming, or impossible

General categories of ADF are:

• Overwriting data and metadata (wiping)
  • It destroys any potentially incriminating data by multiple overwrites
  • “0” or random numbers are used to overwrite the actual data
• Exploitation of bugs in forensic tools
  • Forensic imaging and analysis tools are induced to misread files
  • For example, a text file may be read as an executable file

Anti-Digital Forensics (cont’d)

Hiding data (Steganography, Cryptography, and Low-tech methods)

• Confidential data is hidden inside images
• Messages are encrypted using strong cryptographic algorithms that cannot be decrypted by analysts
• Through low-tech methods, data or information is hidden from an examiner

Obfuscation of data

• Obfuscation of data is intended to confuse forensic analysts
• It is achieved by using anonymous remailers to strip the email header information
• Bootable USB or CD/DVD media are also used to compromise the system or network

Types of Digital Data

Volatile data

• Volatile data can be modified
• It contains system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history

Non-volatile data

• Non-volatile data is used for secondary storage and is long-term persisting
• It contains hidden files, slack space, swap files, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs

Types of Digital Data (cont’d)

Transient data:

• Transient data contains information such as open network connections, user logouts, programs that reside in memory, and cache data
• If the machine is turned off, all this information is lost permanently

Fragile data:

• Fragile data is information that is temporarily saved on the hard disk and can be changed
• It contains information such as last access timestamps, access dates on files, etc.

Temporarily accessible data:

• Temporarily accessible data is stored on the hard disk and is accessible only for a certain time
• It contains data such as encrypted file system information

Types of Digital Data (cont’d)

Active data:

• Active data is the data presently used by the parties for their daily operations
• This data is direct and straightforward to recognize and access using the current system

Archival data:

• Archival data is data managed for long-term storage and record maintenance

Backup data:

• Backup data refers to a copy of the system data
• This data can be used at any time during the recovery process after a disaster or system crash

Types of Digital Data (cont’d)

Residual data:

• The data that remains stored on a computer when a document is deleted is called residual data
• When a file is deleted, the computer marks the file's space as available instead of clearing the file's contents
• The file can be retrieved until the space is reused

Metadata:

• Metadata maintains a record about a particular document
• The record consists of the format of the file and how, when, and by whom the file was created, saved, and modified
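The residual-data and metadata behaviour described on this slide, together with the slack space listed under non-volatile data and the "a later write may overwrite the evidence" point from the fragility slide, in a toy model. This is an added example and is not part of the EC-Council material: the 16-byte cluster size, the allocation table, the directory layout and the sample log line are all constructed for illustration, and real filesystems differ in detail.

```python
# Toy block device with an allocation table: shows why deleted data lingers
# (residual data), what sits in slack space, and what a later write overwrites.
# Constructed for illustration only; real filesystems differ in detail.
from dataclasses import dataclass
from typing import Dict, List, Optional

CLUSTER_SIZE = 16   # bytes per cluster (toy value; real volumes use 512 B to 64 KiB)
NUM_CLUSTERS = 8


@dataclass
class DirEntry:
    """Directory record: the metadata the slide describes (who, when, where)."""
    name: str
    owner: str
    created: int          # logical clock value standing in for a timestamp
    modified: int
    clusters: List[int]   # allocation chain on disk
    size: int             # logical length in bytes
    deleted: bool = False


class ToyVolume:
    def __init__(self) -> None:
        self.disk = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.allocated = [False] * NUM_CLUSTERS
        self.directory: Dict[str, DirEntry] = {}
        self.clock = 0

    def _cluster(self, c: int) -> bytes:
        return bytes(self.disk[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def _read_chain(self, entry: DirEntry) -> bytes:
        return b"".join(self._cluster(c) for c in entry.clusters)[:entry.size]

    def write_file(self, name: str, owner: str, data: bytes) -> DirEntry:
        """Allocate free clusters and copy data in. Only len(chunk) bytes of each
        cluster are written, so old bytes after end-of-file survive as slack."""
        needed = -(-len(data) // CLUSTER_SIZE)          # ceiling division
        free = [c for c, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for n, c in enumerate(free):
            chunk = data[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.disk[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.allocated[c] = True
        self.clock += 1
        entry = DirEntry(name, owner, self.clock, self.clock, free, len(data))
        self.directory[name] = entry
        return entry

    def delete_file(self, name: str) -> None:
        """Mark the entry deleted and free its clusters; content and metadata stay."""
        entry = self.directory[name]
        entry.deleted = True
        for c in entry.clusters:
            self.allocated[c] = False

    def read_file(self, name: str) -> bytes:
        """Normal access: a deleted file is invisible to the operating system."""
        entry = self.directory[name]
        if entry.deleted:
            raise FileNotFoundError(name)
        return self._read_chain(entry)

    def recover_deleted(self, name: str) -> Optional[bytes]:
        """Examiner's view: follow the deleted entry's chain. Intact until the
        clusters are reused, partially overwritten afterwards."""
        entry = self.directory[name]
        if not entry.deleted:
            return None
        return self._read_chain(entry)

    def slack(self, name: str) -> bytes:
        """Bytes between end-of-file and the end of the file's last cluster."""
        entry = self.directory[name]
        if not entry.clusters:
            return b""
        used_in_last = entry.size - (len(entry.clusters) - 1) * CLUSTER_SIZE
        return self._cluster(entry.clusters[-1])[used_in_last:]

    def unallocated_bytes(self) -> bytes:
        """Everything in clusters the table marks free: the area a carver scans."""
        return b"".join(self._cluster(c) for c, used in enumerate(self.allocated) if not used)


# Constructed sample content standing in for a log line of evidential value.
SAMPLE_LOG = b"log: user alice removed 3 files at 02:14"


def walkthrough() -> dict:
    """Create, delete, partially overwrite; report what each view shows."""
    vol = ToyVolume()
    vol.write_file("log.txt", "alice", SAMPLE_LOG)
    vol.delete_file("log.txt")
    after_delete = vol.recover_deleted("log.txt")      # still fully intact
    vol.write_file("notes.txt", "bob", b"hello")       # reuses the first cluster
    return {
        "after_delete": after_delete,
        "after_overwrite": vol.recover_deleted("log.txt"),
        "slack_of_notes": vol.slack("notes.txt"),      # old bytes behind "hello"
        "owner_of_deleted": vol.directory["log.txt"].owner,
        "carvable": SAMPLE_LOG[16:] in vol.unallocated_bytes(),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value!r}")
```

Running the walkthrough shows the three states the slide describes: straight after deletion the whole log line is recoverable through the stale directory entry (and the entry still names its owner); after an ordinary five-byte write reuses the first cluster, only the first five bytes are gone, the remainder sits in the new file's slack, and the later clusters are still findable by carving unallocated space.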

Rules of Evidence

Definition:

• Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration
• The trier of fact may be a judge or a jury, depending on the purpose of the trial and the choices of the parties

Evidence that is to be presented in court must comply with the established rules of evidence

Prior to the investigation process, it is important that the investigator understands the Rules of Evidence

Best Evidence Rule

The best evidence rule is established to prevent any alteration of digital evidence, either intentional or unintentional

It states that the court only allows the original evidence of any document, photograph, or recording at trial rather than a copy, but a duplicate will be allowed as evidence under the following conditions:

• Original evidence destroyed due to fire or flood
• Original evidence destroyed in the normal course of business
• Original evidence in possession of a third party

Federal Rules of Evidence

These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined

Rulings on Evidence:

• (a) Effect of erroneous ruling
  • Error may not be predicated upon a ruling which admits or excludes evidence unless a substantial right of the party is affected
  • (1) Objection. In case the ruling is one admitting evidence, a timely objection or motion to strike appears of record, stating the specific ground of objection, if the specific ground was not apparent from the context; or
  • (2) Offer of proof. In case the ruling is one excluding evidence, the substance of the evidence was made known to the court by offer or was apparent from the context within which questions were asked

Federal Rules of Evidence (cont’d)

Rulings on Evidence:

• (b) Record of offer and ruling
  • The court may add any other or further statement which shows the character of the evidence, the form in which it was offered, the objection made, and the ruling thereon. It may direct the making of an offer in question and answer form
• (c) Hearing of jury
  • Proceedings shall be conducted, to the extent practicable, so as to prevent inadmissible evidence from being suggested to the jury by any means, such as making statements or offers of proof or asking questions in the hearing of the jury
• (d) Plain error
  • Nothing in this rule precludes taking notice of plain errors affecting substantial rights although they were not brought to the attention of the court

Federal Rules of Evidence (cont’d)

Preliminary Questions:

• Questions of admissibility generally
  • Preliminary questions concerning the qualification of a person to be a witness, the existence of a privilege, or the admissibility of evidence shall be determined by the court, subject to the provisions of subdivision (b)
  • In making its determination, it is not bound by the rules of evidence except those with respect to privileges
• Relevancy conditioned on fact
  • When the relevancy of evidence depends upon the fulfillment of a condition of fact, the court shall admit it upon, or subject to, the introduction of evidence sufficient to support a finding of the fulfillment of the condition
• Testimony by accused
  • The accused does not, by testifying upon a preliminary matter, become subject to cross-examination as to other issues in the case

Federal Rules of Evidence (cont’d)

Preliminary Questions:

• Hearing of jury
  • Hearings on the admissibility of confessions shall in all cases be conducted out of the hearing of the jury
  • Hearings on other preliminary matters shall be conducted when the interests of justice require, or when an accused is a witness and so requests
• Weight and credibility
  • This rule does not limit the right of a party to introduce before the jury evidence relevant to weight or credibility

Limited Admissibility:

• When evidence which is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly

Federal Rules of Evidence (cont’d)

Hearsay Rule:

• Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted
• It is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress

Statements which are not hearsay:

• Prior statement by witness
• Admission by party-opponent

Federal Rules of Evidence (cont’d)

Rule 803. Hearsay Exceptions - Availability of Declarant Immaterial

Even if the declarant is available as a witness, the following are not excluded by the hearsay rule:

• Present sense impression
• Excited utterance
• Statements for purposes of medical diagnosis or treatment
• Recorded recollection
• Records of regularly conducted activity
• Absence of entry in records kept in accordance with the provisions
• Public records and reports
• Records of vital statistics

Federal Rules of Evidence (cont’d)

Rule 804. Hearsay Exceptions; Declarant Unavailable

If the declarant is unavailable as a witness, the following are not excluded by the hearsay rule:

• Former testimony
• Statement under belief of impending death
• Statement against interest
• Statement of personal or family history

Federal Rules of Evidence (cont’d)

Rule 1001: Definitions

Content of writings, recordings, and photographs

• Writings and recordings: consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation
• Photographs: include still photographs, X-ray films, video tapes, and motion pictures
• Original: an original of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it
• Duplicate: a duplicate is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduce the original

Federal Rules of Evidence (cont’d)

Rule 1002: Requirement of Original

• To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress

Rule 1003: Admissibility of Duplicates

• A duplicate is admissible to the same extent as an original unless
  • (1) a genuine question is raised as to the authenticity of the original, or
  • (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original

Federal Rules of Evidence (cont’d)

Rule 1004: Admissibility of Other Evidence of Contents

• The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if:
  • (1) Originals are lost or destroyed. All originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith
  • (2) Original is not obtainable. No original can be obtained by any available judicial process or procedure
  • (3) Original is in possession of the opponent. At a time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing
  • (4) Collateral matters. The writing, recording, or photograph is not closely related to a controlling issue

International Organization on Computer Evidence (IOCE)

The International Organization on Computer Evidence (IOCE) was established in 1995

The purpose of this organization is to provide a forum for global law enforcement agencies to exchange information regarding cyber crime investigation and other issues associated with computer forensics

IOCE provides a service for direct communication between member agencies and arranges many conferences to establish strong relationships

http://www.ioce.org/

IOCE International Principles for Digital Evidence

When dealing with digital evidence, all of the general forensic and procedural principles must be applied

Upon seizing digital evidence, actions taken should not change that evidence

When it is necessary for a person to access the original digital evidence, that person should be trained for the purpose

All activities relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review

An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession

Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
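Two of the points above, "actions taken should not change that evidence" and "all activities must be fully documented and available for review", and the Rule 1003 test on the earlier slide (a duplicate is admissible unless a genuine question is raised about authenticity) are what an acquisition procedure has to satisfy. The following is an added example, not EC-Council's or IOCE's code, showing the minimum mechanics: hash the original behind a write blocker, take a bit-for-bit copy, hash the copy, record every step with actor and time, and re-verify the copy before each use. The media bytes, the `WriteBlockedSource` class standing in for a hardware write blocker, the item label and the examiner name are all constructed for the example.

```python
# Forensically sound acquisition in miniature: hash the original behind a
# (simulated) write blocker, take a bit-for-bit copy, hash the copy, and log
# every step. Added example; media bytes and the write blocker are constructed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyLog:
    """Append-only record of every action on an evidence item: who, what, when."""
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: str, action: str, item: str, detail: str = "") -> dict:
        entry = {"seq": len(self.entries) + 1,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "item": item, "detail": detail}
        self.entries.append(entry)
        return entry

    def actions(self) -> List[str]:
        return [e["action"] for e in self.entries]


class WriteBlockedSource:
    """Stand-in for original media behind a hardware write blocker: reads
    succeed, any write attempt is refused (constructed for this example)."""
    def __init__(self, raw: bytes) -> None:
        self._raw = bytes(raw)

    def read(self) -> bytes:
        return self._raw

    def write(self, offset: int, data: bytes) -> None:
        raise PermissionError("write blocker engaged: original evidence is read-only")


@dataclass
class Acquisition:
    item: str
    image: bytes
    original_hash: str
    image_hash: str

    @property
    def verified(self) -> bool:
        return self.original_hash == self.image_hash


def acquire(source: WriteBlockedSource, item: str, examiner: str, log: CustodyLog) -> Acquisition:
    """Image the source and prove the image is bit-for-bit equal to the original."""
    log.record(examiner, "acquisition-start", item, "write blocker engaged")
    original_hash = sha256_hex(source.read())
    log.record(examiner, "hash-original", item, original_hash)
    image = bytes(source.read())            # full copy, unallocated space included
    image_hash = sha256_hex(image)
    log.record(examiner, "hash-image", item, image_hash)
    acq = Acquisition(item, image, original_hash, image_hash)
    log.record(examiner, "verify", item, "match" if acq.verified else "MISMATCH")
    return acq


def verify_duplicate(image: bytes, expected_hash: str, examiner: str,
                     item: str, log: CustodyLog) -> bool:
    """Re-run before each examination and before the duplicate is offered in court."""
    ok = sha256_hex(image) == expected_hash
    log.record(examiner, "re-verify", item, "match" if ok else "MISMATCH")
    return ok


# Constructed sample media: a fake boot sector, one log line, then empty space.
SAMPLE_MEDIA = b"FAKEBOOT" + b"log: admin login 02:14\n" + bytes(64)


if __name__ == "__main__":
    log = CustodyLog()
    source = WriteBlockedSource(SAMPLE_MEDIA)
    acq = acquire(source, "HDD-01", "examiner-1", log)
    print("image verified:", acq.verified, acq.image_hash)
    tampered = bytearray(acq.image)
    tampered[0] ^= 0x01                     # one flipped bit in a working copy
    print("tampered copy verifies:",
          verify_duplicate(bytes(tampered), acq.original_hash, "examiner-1", "HDD-01", log))
    for e in log.entries:
        print(e["seq"], e["time"], e["actor"], e["action"], e["detail"][:16])
```

The hash pair recorded at acquisition time is what answers a later authenticity challenge: a duplicate whose digest still matches the original's digest is the same bit sequence, and the log shows who computed each value and when. A single flipped bit in a working copy fails the re-verification, and that failure is itself logged rather than silently discarded.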

Scientific Working Group on Digital Evidence (SWGDE)

http://www.swgde.org/

SWGDE Standards for the Exchange of Digital Evidence

Principle 1

• In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials

Standards and Criteria 1.1

• All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority

SWGDE Standards for the Exchange of Digital Evidence (cont’d)

Standards and Criteria 1.2

• Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness

Standards and Criteria 1.3

• Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner

Standards and Criteria 1.4

• The agency must maintain written copies of appropriate technical procedures

SWGDE Standards for the Exchange of Digital Evidence (cont’d)

Standards and Criteria 1.5

• The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure

Standards and Criteria 1.6

• All activities relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony

Standards and Criteria 1.7

• Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner

Electronic Devices: Types and Collecting Potential Evidence

Computer Systems:

Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices, and media such as floppy disks, CDs, DVDs, cartridges, and tape

User-Created Files

• Address books, database files, audio or video files, documents or text files, image or graphics files, Internet bookmarks or favorites, and spreadsheet files, where you can obtain information of investigative value

User-Protected Files

• Compressed files, misnamed files, encrypted files, password-protected files, hidden files, and steganography

Computer-Created Files

• Backup files, log files, configuration files, printer spool files, cookies, swap files, hidden files, system files, history files, and temporary files

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Hard drive

• A hard drive is an electronic storage device that stores data magnetically
• It stores data in different file formats such as text, picture, and video files
• To collect evidence, check text, picture, video, multimedia, database, and computer program files

Thumb drive

• A thumb drive is a removable data storage device with a USB connection
• It is small in size and lightweight
• To collect evidence, check text, graphics, image, and picture files

Memory card

• A memory card is a removable electronic storage device used in many devices such as digital cameras, PDAs, and computers
• Data present on the memory card is not lost when power is turned off
• To collect evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Access Control Devices:

Smart card

• It is a portable device that contains a microprocessor, which stores an encryption key or password and a digital certificate

Dongle

• It is a copy protection device provided with software that is plugged into a computer port

Biometric scanner

• It is connected to a computer system and identifies the physical characteristics of an individual

Evidence is found in recognizing or authenticating the information of the card and the user, level of access, configurations, permissions, and in the device itself

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Answering Machine:

It is a part of a telephone or is connected between a telephone and the landline connection

Evidence is found in voice recordings such as:

• Deleted messages
• Last number called
• Memo
• Phone numbers
• Tapes

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Digital Camera:

It records images and video and transfers them to computer media with the help of conversion hardware

Evidence is found in:

• Images
• Removable cartridges
• Video
• Sound
• Time and date stamps

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Handheld Devices such as Personal Digital Assistants (PDAs) and Electronic Organizers

• A PDA is a handheld and portable device that includes computing, telephone/fax, paging, and networking functions
• Evidence is found in address books, appointment calendars or information, documents, e-mail, handwriting, passwords, phone books, text messages, and voice messages

Modem:

• It is used by computers to communicate over telephone lines
• Evidence is found on the device itself

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Network Components:

Local Area Network (LAN) Card/Network Interface Card (NIC)

• Evidence is found in the MAC (Media Access Control) address

Routers, Hubs, and Switches

• Routers, hubs, and switches connect different computers or networks
• For routers, evidence is found in the configuration files
• For hubs and switches, evidence is found on the devices themselves

Server

• A server is a central computer that provides services to other computers connected to the same network
• Evidence is found in the computer system

Network Cables and Connectors

• Network cables come in a variety of colors, thicknesses, shapes, and connectors depending on the components they connect
• Evidence is found on the devices

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Pager:

• It is a handheld and portable electronic device for sending and receiving electronic messages, which may be in numeric or alphanumeric form
• It contains volatile evidence such as address information, text messages, e-mail, voice messages, and phone numbers

Printer:

• Printers include thermal, laser, inkjet, and impact printers, which are connected to the computer over a cable (serial, parallel, or universal serial bus) or accessed over an infrared port
• Some printers contain a memory buffer, which enables them to receive and store multiple documents
• Evidence is found through usage logs, time and date information, network identity information, ink cartridges, and time and date stamps

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Removable Storage Devices and Media:

Storage devices and media such as tape, CD, DVD, and floppy disks are used to store digital information

These devices are portable and store different files such as text, graphics, multimedia, and video files

Evidence is found in the devices themselves

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Scanner:

It is an optical device connected to a computer that passes a document over the scanning element and sends it to the computer as a file

Evidence is found by looking at the marks on the glass of the scanner

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Telephones:

• Evidence is found through:
  • Names
  • Phone numbers
  • Caller identification information
  • Appointment information
  • Electronic mail and pages

Copiers:

• They make copies of printed or graphical documents
• Evidence is found in:
  • Documents
  • User usage logs
  • Time and date stamps

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Credit Card Skimmers:

• They read the information present on the tracks of the magnetic stripe
• Evidence is found through:
  • Card expiration date
  • User’s address
  • Credit card numbers
  • User’s name

Digital Watches:

• Evidence is found through:
  • Address book
  • Notes
  • Appointment calendars
  • Phone numbers
  • Email

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Facsimile (Fax) Machines

• Evidence is found through:
  • Documents
  • Phone numbers
  • Film cartridge
  • Send or receive logs

Global Positioning Systems (GPS)

• Evidence is found through:
  • Previous destinations
  • Way points
  • Routes
  • Travel logs

Page 51: File000117

Evidence Assessment

Page 52: File000117

Digital Evidence Examination Process

Evidence Assessment

Evidence Acquisition

Evidence Preservation

Evidence Examination and Analysis

Evidence Documentation and Reporting

Page 53: File000117

Evidence Assessment

The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of the action

Conduct a thorough assessment by reviewing the search warrant or other legal authorization, case detail, nature of hardware and software, potential evidence sought, and the circumstances surrounding the acquisition of the evidence

Page 54: File000117

Evidence Assessment (cont’d)

Prioritize the evidence where necessary:

• Location where evidence is found, or
• Stability of the media to be examined

Determine how to document the evidence (e.g., photograph, sketch, notes)

Evaluate storage locations for electromagnetic interference

Determine the condition of the evidence as a result of packaging, transport, or storage

Assess the need to provide continuous electric power to the battery-operated devices

Page 55: File000117

Prepare for Evidence Acquisition

To prepare for the acquisition of evidence, all the actions and outcomes of the previous phases of the digital evidence examination process should be determined properly

Documentation that helps in preparing for evidence acquisition:

• An initial estimate of the impact of the situation on the organization's business
• A detailed network topology diagram that highlights the affected computer systems and provides details about how those systems might be affected
• Summaries of interviews with users and system administrators
• Outcomes of any legal and third-party interactions
• Reports and logs generated by tools used during the assessment phase
• A proposed course of action

Page 56: File000117

Evidence Acquisition

Page 57: File000117

Preparation for Searches

Before preparing a warrant to seize all or part of a computer system and the information it contains, it is critical to determine the computer's role in the offense

For example:

• A counterfeiter might use his computer, scanner, and color printer to scan U.S. currency and then print money
• A drug dealer may store records pertaining to customers, prices, and quantities delivered on a personal computer
• A blackmailer may type and store threatening letters in his computer
• Attackers often use their computers both to attack others’ computer systems and to store the stolen files

Page 58: File000117

Seizing the Evidence

If a computer is used to store the evidence, then the storage media should be seized in addition to the other devices

While running programs to collect analysis information, the books found at the scene should be collected to help understand those programs

The suspect should be prevented from touching the system

During the seizure process, the computer should not be powered down

Page 59: File000117

Imaging

Remove the subject storage device and perform the acquisition using the examiner’s system

When attaching the subject device to the examiner’s system, configure the storage device so that it will be recognized

Ensure that the examiner’s storage device is forensically clean when acquiring the evidence

Page 60: File000117

Bit-Stream Copies

A bit-stream copy is a bit-by-bit copy of the original storage medium, i.e., an exact copy of the original disk

A bit-stream image is the file that contains the bit-stream copy of all the data on a disk or partition

The computer should not be operated and computer evidence should not be processed until bit-stream backups have been made of all hard disk drives and floppy disks

Page 61: File000117

Write Protection

Write protection should be initiated, if available, to preserve and protect the original evidence

Create a known value for the subject evidence prior to acquiring it (e.g., by performing an independent cyclic redundancy check (CRC) or MD5 hash)

If hardware write protection is used:

• Install a write protection device
• Boot the system with the examiner’s controlled operating system

If software write protection is used:

• Boot the system with the examiner-controlled operating system
• Activate write protection

Page 62: File000117

Evidence Acquisition

Digital evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination

If it is handled improperly, the evidence may become unusable or lead to an inaccurate conclusion

Acquire the original digital evidence in a manner that protects and preserves the evidence

Page 63: File000117

Evidence Acquisition from Crime Location (cont’d)

Disassemble the case of the computer to be examined to permit physical access to the storage devices

Ensure that the equipment is protected from static electricity and magnetic fields

Identify the storage devices that need to be acquired; these devices can be internal, external, or both

Page 64: File000117

Evidence Acquisition from Crime Location (cont’d)

Document internal storage devices and hardware configuration:

• Drive condition (e.g. make, model, geometry, size, jumper settings, location, drive interface)
• Internal components (e.g. sound card, video card, network card, including media access control (MAC) address, personal computer memory card international association (PCMCIA) cards)

Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data

Page 65: File000117

Acquiring Evidence from Storage Devices

Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected areas (e.g. confirm that non-host-specific data such as the partition table matches the physical geometry of the drive)

Capture the electronic serial number of the drive and other user-accessible, host-specific data

Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools such as:

• Stand-alone duplication software
• Forensic analysis software suite
• Dedicated hardware devices

Verify successful acquisition by comparing the known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy
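The acquisition and verification steps above (create a known value before acquiring, make a bit-stream copy, then confirm the copy by comparing known values or sector by sector) as one worked example. This is an added illustration, not code from the EC-Council module or from any of the tools it names; it works on an ordinary file standing in for a block device, assumes a 512-byte sector, and builds its own small sample "device" so it runs offline.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed sample device


def hash_file(path, algorithms=("md5", "sha256")):
    """Known values of a file: one digest per algorithm, read in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image):
    """Bit-stream copy: every byte of `source` is written to `image`, sector by
    sector. Returns the known values of the source taken before and after the
    copy, so any change to the original during acquisition would be visible."""
    before = hash_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(SECTOR), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    after = hash_file(source)
    return {"before": before, "after": after}


def verify_image(source, image):
    """Verify the acquisition both ways the checklist describes:
    1. compare the known values (hashes) of original and copy;
    2. compare sector by sector and report the first differing sector."""
    hashes_match = hash_file(source) == hash_file(image)
    first_bad = None
    with open(source, "rb") as a, open(image, "rb") as b:
        n = 0
        while True:
            sa, sb = a.read(SECTOR), b.read(SECTOR)
            if sa != sb:          # includes one side ending early
                first_bad = n
                break
            if not sa:            # both exhausted on the same boundary
                break
            n += 1
    return {"hashes_match": hashes_match,
            "first_bad_sector": first_bad,
            "sectors": n if first_bad is None else None}


def demo():
    """Constructed sample: a 4 KiB 'device' (8 sectors) with recognisable content."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "subject_device.bin")
    image = os.path.join(work, "subject_device.dd")
    with open(source, "wb") as fh:
        fh.write(b"EVIDENCE" * 512)
    acquire_image(source, image)
    good = verify_image(source, image)
    # Simulate a damaged copy: overwrite one byte inside sector 5 of the image.
    with open(image, "r+b") as fh:
        fh.seek(5 * SECTOR + 3)
        fh.write(b"\x00")
    bad = verify_image(source, image)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The sector-by-sector pass is what tells the examiner where a copy went wrong; the hash comparison only says that it did. Both the before and after hashes of the source are kept with the case notes so the write-protection claim can be checked later.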

Page 66: File000117

Collecting Evidence

Data on digital evidence can be collected either locally or over a network

Acquiring the data locally has the advantage of greater control over the computer(s) and the data involved

Other factors, such as the secrecy of the investigation, the nature of the evidence that must be gathered, and the timeframe for the investigation will ultimately determine whether the evidence is collected locally or over the network

Create accurate documentation that will later allow the collected evidence to be identified and authenticated

Determine which investigation methods to use; typically a combination of offline and online investigations is used

In offline investigations, additional analysis is performed on a bit-wise copy of the original evidence

In an online investigation, analysis is performed on the original live evidence

Page 67: File000117

Collecting Evidence (cont’d)

Identify and document the potential sources of data:

• Server information includes server role, logs (such as event logs), files, and applications
• Logs from internal and external facing network devices, such as firewalls, routers, proxy servers, network access servers (NAS), and intrusion detection systems (IDS) that may be used in the possible attack path
• Internal hardware components, such as network adapters (which include media access control (MAC) address information) and PCMCIA cards
• Storage devices that need to be acquired (internal and external), including hard disks, network storage devices, and removable media

Note: When capturing volatile data, carefully consider the order in which the data is collected

Page 68: File000117

Collecting Evidence (cont’d)

Use the following methods to collect data from the storage media and record storage media configuration information:

• If any internal storage devices are to be removed, turn off the computer first
• Before turning off the computer, verify that all volatile data has been captured
• Determine whether to remove the storage device from the suspect computer and use your own system to acquire the data
• Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected
• Document the internal storage devices and ensure that information about their configurations is included
• Verify the data collected; create checksums and digital signatures when possible to establish that the copied data is identical to the original

Page 69: File000117

Collecting Evidence (cont’d)

Evidence can be collected from a live computer by searching:

• Processor registers
• Virtual and physical memory
• Network state
• Running processes
• Disks, floppies, tapes
• CD-ROM, paper printouts

Volatile and important sources of evidence on live systems and the commands used to capture the evidence:

• Running processes (ps or the /proc file system)
• Active network connections (netstat)
• ARP cache (arp)
• List of open files (lsof)
• Virtual and physical memory (/dev/mem, /dev/kmem)
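A small collector for the live-system sources listed above, written as an added example (it is not code from the EC-Council module). It runs the named commands in order of volatility, the point of the earlier note about collection order, saves each output to a case directory, and records a SHA-256 and start time per item in a manifest so the set can be authenticated later. Assumptions: a UNIX-like host, the tools found on PATH (in practice an examiner runs trusted copies from their own media), and the `ps -ef`, `netstat -an`, `arp -an` and `lsof -n` argument forms.

```python
import hashlib
import os
import subprocess
import sys
import time

PYTHON = sys.executable  # used only by the self-check at the bottom

# Most volatile first; the commands are the ones the slide names.
VOLATILE_SOURCES = [
    ("running_processes",   ["ps", "-ef"]),
    ("network_connections", ["netstat", "-an"]),
    ("arp_cache",           ["arp", "-an"]),
    ("open_files",          ["lsof", "-n"]),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def collect(sources, outdir):
    """Run each (name, argv) in the given order, write its output to outdir/name.txt
    and return a manifest (list of dicts). A missing or hung tool is recorded as an
    error and the collection continues, so one failure does not stop the rest."""
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for name, cmd in sources:
        entry = {"name": name, "cmd": " ".join(cmd),
                 "started": time.strftime("%Y-%m-%dT%H:%M:%S%z")}
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=60)
            data = proc.stdout
            entry["returncode"] = proc.returncode
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            data = b""
            entry["error"] = type(exc).__name__
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as fh:
            fh.write(data)
        entry["sha256"] = sha256_hex(data)
        entry["path"] = path
        manifest.append(entry)
    return manifest


def write_manifest(manifest, outdir):
    """Write MANIFEST.txt beside the outputs and return its own SHA-256, which goes
    into the examiner's notes."""
    lines = ["\t".join([e["name"], e["sha256"], e["started"], e["cmd"],
                        str(e.get("error", e.get("returncode")))]) for e in manifest]
    text = "\n".join(lines) + "\n"
    with open(os.path.join(outdir, "MANIFEST.txt"), "w") as fh:
        fh.write(text)
    return sha256_hex(text.encode())


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "volatile_" + time.strftime("%Y%m%d%H%M%S")
    print("manifest sha256:", write_manifest(collect(VOLATILE_SOURCES, out), out))
```

Memory (/dev/mem, /dev/kmem) is deliberately not in the list: it is large and its capture method depends on the kernel, so it is handled as a separate imaging step rather than a command whose output is saved to a text file.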

Page 70: File000117

Collecting Evidence (cont’d)

Computer Forensic Tools for Data Collection include:

• Guidance Software’s EnCase (www.guidancesoftware.com)
• Accessdata’s Forensic Toolkit (www.accessdata.com)

Page 71: File000117

Collecting Evidence from RAM

Trace Evidence in RAM

• When an application is opened, RAM holds the files in use by that application
• That memory is released when the files are closed and is reused by the operating system for other storage
• Do not power down the computer, as this may destroy critical information
• Evidence can be present in RAM even after the file has been wiped from the hard disk; to demonstrate this:
  • Wipe the file from the hard disk after opening it, using a wiping tool
  • Use the dd utility (a general-purpose UNIX utility that copies files and is useful for creating forensic images) to write the contents of RAM to a hard disk

Page 72: File000117

Collecting Evidence from RAM (cont’d)

Trace evidence in the swap file

• When no RAM is available to allocate to an application, the operating system transfers content from RAM to a temporary swap file so that the RAM can be used by the new application
• The contents of the swap file are overwritten frequently
• The examiner can trace a file in the swap file by searching for the headers and footers associated with that type of file

Page 73: File000117

Collecting Evidence from a Stand-alone Network Computer

Do not use the computer for evidence search

Photograph all the devices connected to the computer

Do not turn on the system if it is in the off state

If the computer is ON, take a photograph of the screen

If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen

Unplug all the cords and devices connected to the computer and label them for later identification

If the computer is connected to the router and modem, unplug the power

Page 74: File000117

Chain of Custody

Chain of custody is a road map that documents how the evidence was collected, analyzed, and preserved so that it can be presented in court

It makes the original evidence auditable and keeps the tracking logs accurate

In the chain of custody, every transfer of evidence from person to person should be documented

Page 75: File000117

Chain of Evidence Form

Date: ________   Type of Incident: ________   Case#: ________
Model#: ________   Manufacturer#: ________   Serial#: ________
Consent Required (Y/N): ___   Signature of Consenting Person: ________   Tag#: ________
Description of Form: ________
Person Receiving Evidence: ________   Signature: ________

Chain of Custody Form (one row per transfer; the form provides four rows)

From Location      To Location        Date        Reason
_____________      ___________        ________    ______________
_____________      ___________        ________    ______________
_____________      ___________        ________    ______________
_____________      ___________        ________    ______________

Final Disposition of Evidence: ________   Date: ________
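The chain of custody description and the form above, as an added example of how the same records can be kept in a tamper-evident form (this is illustrative code, not something the EC-Council module supplies). Each transfer row carries the hash of the previous row, and the first row is linked to the header fields of the chain of evidence form, including a hash of the evidence item itself; altering any earlier row breaks every link after it. All case numbers, names and dates are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class Transfer:
    """One row of the chain of custody form, plus the two signatories."""
    from_location: str
    to_location: str
    date: str
    reason: str
    released_by: str
    received_by: str
    prev_hash: str = ""   # row hash of the previous transfer; links the rows
    row_hash: str = ""    # hash of this row's fields, including prev_hash


def _digest(payload):
    """Canonical JSON of the fields, hashed with SHA-256."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, case_no, tag_no, description, evidence_sha256):
        # Header fields of the chain of evidence form; the evidence hash binds the
        # log to the physical item it describes.
        self.header = {"case": case_no, "tag": tag_no,
                       "description": description, "evidence_sha256": evidence_sha256}
        self.rows = []

    def _last_hash(self):
        return self.rows[-1].row_hash if self.rows else _digest(self.header)

    def record(self, **fields):
        """Append one person-to-person transfer and return its row hash."""
        row = Transfer(prev_hash=self._last_hash(), **fields)
        payload = asdict(row)
        payload.pop("row_hash")
        row.row_hash = _digest(payload)
        self.rows.append(row)
        return row.row_hash

    def verify(self):
        """Recompute every link. Returns None if the log is intact, otherwise the
        index of the first row whose contents or linkage no longer match."""
        prev = _digest(self.header)
        for i, row in enumerate(self.rows):
            payload = asdict(row)
            payload.pop("row_hash")
            if row.prev_hash != prev or row.row_hash != _digest(payload):
                return i
            prev = row.row_hash
        return None


def demo():
    """Constructed case: two transfers, then an after-the-fact edit of row 0."""
    log = CustodyLog("CASE-0001 (constructed)", "TAG-07", "3.5 inch floppy, blue label",
                     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    log.record(from_location="Scene, 12 Main St", to_location="Evidence locker A",
               date="2009-03-02", reason="Seizure", released_by="Det. A", received_by="Tech B")
    log.record(from_location="Evidence locker A", to_location="Lab bench 3",
               date="2009-03-03", reason="Imaging", released_by="Tech B", received_by="Examiner C")
    intact = log.verify()
    log.rows[0].reason = "Consent search"   # tamper with an earlier row
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

The row hashes are what gets written on the paper form and initialled at each hand-over; the paper and the electronic log then corroborate each other.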

Page 76: File000117

Evidence Preservation

Page 77: File000117

Preserving Digital Evidence: Checklist

Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Verify whether the monitor is on, off, or in sleep mode

Remove the power cable according to the power state of the computer (on, off, or sleep mode)

Do not turn “on” the computer if it is in “off” state

Take photo of the monitor screen if the computer is in “on” state

Check the connections of the telephone modem, cable, ISDN, and DSL

Page 78: File000117

Preserving Digital Evidence: Checklist (cont’d)

Remove the plug from the power router or modem

Remove any floppy disks that are available at the scene to safeguard the potential evidence

Keep tape on drive slots and power connector

Photograph the connections of the computer and the corresponding cables and label them individually

Label every connector and cable that is connected to the peripheral devices

Page 79: File000117

Preserving Digital Evidence: Checklist (cont’d)

Personal digital assistants (PDAs), cell phones, and digital cameras store information in the internal memory

Do not turn “on” the device if it is in “off” state

Leave the device “on” if it is in the “on” state (PDAs and cell phones only)

Photograph the screen display of the device

Label and collect all the cables and transport them along with the device

Make sure that the device is charged

Collect any additional storage media such as memory sticks and compact flash cards

Page 80: File000117

Preserving Digital Evidence: Checklist (cont’d)

Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer

Do not use the victim’s hard disk to store the fragile data

Avoid the use of too much virtual memory as it may cause data overwriting

Use floppy disk for a small amount of data/information

Do not use USB or firewire drive to store data because they change the system’s state

If the victim’s system is connected to the Internet, use the same path that is used by the intruder to extract the data from the victim’s computer

Disconnect the victim’s computer from the Internet to protect it from further attack

Page 81: File000117

Preserving Digital Evidence: Checklist (cont’d)

Do not use the original digital data regularly for examination

Do not run any program on the victim’s computer

If any changes occur during the collection of the evidence, document all the changes accordingly

Capture as accurate an image of the system as possible

Do not run any anti-virus program, because it changes the date and time of each file it scans

Ensure that your actions are repeatable

Page 82: File000117

Preserving Floppy and Other Removable Media

5 ¼ inch disks

• Tape over the notch
• Mark the information such as date, time, and initials using a permanent marker
• Place in static free bags

3 ½ inch disks

• Place the write protect tab in the open position
• Mark the information using a permanent marker
• Place in static free bags

Reel-to-reel tapes

• Remove the plastic write enable ring
• Mark the information on the tape up to the first 10-13 feet
• Place in static free bags

Page 83: File000117

Preserving Floppy and Other Removable Media (cont’d)

Cassette tapes

• Remove the record tab
• Mark the information on the plastic surface of the tape using a permanent marker
• Place in a static free bag

Disk cartridges (removable hard drives)

• Tape over the notch
• Mark the information using a permanent marker
• Place in static free bags

Cartridge tapes

• Align the arrow at the safe mark by turning the dial
• Mark the information on the plastic surface using a permanent marker
• Place in a static free bag

Page 84: File000117

Handling Digital Evidence

Wear protective latex gloves for searching and seizing operations on the site

Store the electronic evidence in a secure area and climate controlled environment

Use a wireless StrongHold bag to block wireless signals from reaching the electronic device

Avoid folding and scratching storage media such as diskettes, CD-ROMs, and tapes

Pack the magnetic media in antistatic packaging

Protect the electronic evidence from magnetic field, dust, vibration, and other factors that may damage the integrity of the electronic evidence

Page 85: File000117

Store and Archive

When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity

Best practices for data storage and archival include the following:

• Physically secure and store the evidence in a tamperproof location
• Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise
• Protect storage equipment from magnetic fields
• Make at least two copies of the evidence that is collected, and store one copy in a secure offsite location
• Ensure that the evidence is physically secured (for example, by placing the evidence in a safe) as well as digitally secured
• Clearly document the chain of custody of the evidence
• Create a check-in / check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it

Page 86: File000117

Digital Evidence Findings

Educate the intended audience:

• Digital laboratory experts must educate the case agents and prosecutors who review the evidence findings report, through:
  • In-service training
  • Legal updates
  • Individual conversations
  • Discussion of the findings report

Develop a report of findings:

• The findings report should include:
  • Investigator’s request
  • Detailed description of the examined items
  • Receipt and disposition of the evidence found
  • Examiner’s identity

Page 87: File000117

Evidence Examination and Analysis

Page 88: File000117

DO NOT Work on the Original Evidence

Page 89: File000117

Evidence Examination

General forensic principles apply when examining digital evidence

Different types of cases and media may require different methods of examination

Persons conducting an examination of digital evidence should be trained for this purpose

The examination should not be conducted on the original evidence

Page 90: File000117

Evidence Examination (cont’d)

Preparation

• Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted

Extraction

• There are two different types of extraction: physical and logical
• The physical extraction phase identifies and recovers data across the entire physical drive without the file system
• The logical extraction phase identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s)

Page 91: File000117

Physical Extraction

During this stage, the extraction of the data from the drive occurs at the physical level regardless of the file systems present on the drive

This may include the following methods:

• Keyword searching, file carving, and extraction of the partition table and unused space on the physical drive
• Performing a keyword search across the physical drive may be useful as it allows the examiner to extract data that may not be accounted for by the operating system and file system
• File carving utilities run across the physical drive may assist in recovering and extracting usable files and data that may not be accounted for by the operating system and file system
• Examining the partition structure may identify the file systems present and determine whether the entire physical size of the hard drive is accounted for
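File carving in its simplest form, as an added example (not code from the EC-Council module or from any carving tool): scan a raw byte buffer for known file headers and the matching footers, ignoring any file system. The same header/footer search is what the earlier swap-file passage describes for tracing a file in the swap file. The signature table holds three common formats; the raw "drive" is constructed inline and includes a JPEG fragment with no footer, which correctly goes unrecovered.

```python
# Well-known header and footer byte sequences for three file types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024   # assumed cap: a header with no footer within 16 MiB is skipped


def carve(raw, signatures=SIGNATURES):
    """Scan raw bytes (a physical drive image, unallocated space, or a swap file)
    for each known header and the footer that follows it. Returns a list of
    (type, start_offset, data) ordered by offset. Headers are searched at every
    byte offset, not only on sector boundaries, because swap and slack space do
    not keep files aligned."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = raw.find(head, pos)
            if start < 0:
                break
            end = raw.find(tail, start + len(head), start + MAX_CARVE)
            if end < 0:                 # header without footer: leave a note, move on
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, raw[start:end]))
            pos = end                   # resume after the carved file
    found.sort(key=lambda item: item[1])
    return found


def sample_image():
    """Constructed 8 KiB raw image: a PNG at offset 1000, a JPEG fragment whose
    footer was overwritten at 3000, and a PDF at 5000, in otherwise zeroed space."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    pdf = b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF"
    jpeg_fragment = b"\xff\xd8\xff\xe0JFIF partially overwritten"
    raw = bytearray(8192)
    raw[1000:1000 + len(png)] = png
    raw[3000:3000 + len(jpeg_fragment)] = jpeg_fragment
    raw[5000:5000 + len(pdf)] = pdf
    return bytes(raw), png, pdf


if __name__ == "__main__":
    raw, _, _ = sample_image()
    for kind, offset, data in carve(raw):
        print(f"{kind} at {offset}, {len(data)} bytes")
```

Real carvers validate the internal structure of each candidate (for example the chunk lengths inside a PNG) rather than trusting the first footer they meet; this version shows only the header/footer principle the slide names.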

Page 92: File000117

Logical Extraction

During this stage, the extraction of the data from the drive is based on the file system(s) present on the drive and may include data from such areas as active files, deleted files, file slack, and unallocated file space

Steps may include:

• Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location
• Data reduction to identify and eliminate known files through the comparison of the calculated hash values to the authenticated hash values
• Extraction of files pertinent to the examination. Methods to accomplish this may be based on the file’s name and extension, file header, file content, and location on the drive
• Recovery of the deleted files
• Extraction of the password-protected, encrypted, and compressed data
• Extraction of file slack
• Extraction of the unallocated space
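The first two logical extraction steps (file system information, then data reduction against known hashes) as an added worked example; this is not code from the EC-Council module or from EnCase/FTK. It walks a mounted working copy, records name, extension, size, MAC times and SHA-256 per file, then drops files whose hash is in an authenticated known-file set. The known set here is a constructed stand-in built from one sample byte string, not a real reference database, and the directory tree is built in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
import time

# Constructed stand-in for an authenticated known-file hash set (in practice the
# hashes of operating-system and application files from a trusted source).
KNOWN_CONTENT = b"MZ\x90\x00 constructed stand-in for an OS library\n"
KNOWN_HASHES = {hashlib.sha256(KNOWN_CONTENT).hexdigest()}


def _iso(epoch):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(epoch))


def extract_file_system(root):
    """One record per regular file under root: path, name, extension, size,
    modified/accessed/changed times and SHA-256. Non-regular entries (symlinks,
    devices) are skipped here and would be noted separately."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records.append({
                "path": os.path.relpath(full, root),
                "name": name,
                "ext": os.path.splitext(name)[1].lower().lstrip("."),
                "size": st.st_size,
                "mtime": _iso(st.st_mtime),
                "atime": _iso(st.st_atime),
                "ctime": _iso(st.st_ctime),
                "sha256": digest,
            })
    return records


def reduce_known(records, known=KNOWN_HASHES):
    """Data reduction: split records into those still needing review and those
    eliminated because their hash matches the authenticated set. The match is on
    content, so a renamed copy of a known file is eliminated as well."""
    kept = [r for r in records if r["sha256"] not in known]
    eliminated = [r for r in records if r["sha256"] in known]
    return kept, eliminated


def demo():
    """Constructed working copy: one known OS file, one user file, one renamed
    copy of the known file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System32"))
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    with open(os.path.join(root, "Windows", "System32", "libfoo.dll"), "wb") as fh:
        fh.write(KNOWN_CONTENT)
    with open(os.path.join(docs, "ledger.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0 constructed user spreadsheet")
    with open(os.path.join(docs, "copy_of_lib.bin"), "wb") as fh:
        fh.write(KNOWN_CONTENT)
    records = extract_file_system(root)
    kept, eliminated = reduce_known(records)
    return records, kept, eliminated


if __name__ == "__main__":
    _, kept, eliminated = demo()
    print("to review:", [r["path"] for r in kept])
    print("eliminated:", [r["path"] for r in eliminated])
```

Reading whole files into memory is fine for a demonstration; on a real image the hash is computed in chunks, and the walk runs over a read-only mount of the working copy, never the original.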

Page 93: File000117

Analyze Host Data

Host data includes information about the operating system and application’s components

Procedures used to analyze host data are:

• Identify what you are looking for; there will be a large amount of host data, and only a portion of that data might be relevant to the incident
• Examine the operating system data, including clock drift information, and any data loaded into the host computer's memory to see if you can determine whether any malicious applications or processes are running or scheduled to run
• Examine the running applications, processes, and network connections
• Use tools such as Windows Sysinternals ProcessExplorer, LogonSession, and PSFile to perform these tasks

Page 94: File000117

Analyze Storage Media

The storage media collected during the ‘Acquire the Data’ phase contains many files

Analyze these files to determine their relevance to the incident, which can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files

Procedures used to extract and analyze data from the storage media collected are:

• Perform offline analysis on a bit-wise copy of the original evidence
• Determine whether data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows. Several registry keys can be examined to determine whether EFS was ever used on the computer
• If necessary, uncompress any compressed files and archives
• Create a diagram of the directory’s structure

Page 95: File000117

Analyze Storage Media (cont’d)

Procedures used to extract and analyze data from the storage media collected are:

• Identify files of interest
• Examine the registry, the database that contains Windows configuration information, for information about the computer boot process, installed applications, and login information such as username and logon domain
• Search the contents of all gathered files to help identify files that may be of interest
• Study the metadata of files of interest, using tools such as Encase
• Use file viewers to view the content of the identified files, which allow you to scan and preview certain files without the original application that created them

Page 96: File000117

Analyze Network Data

The investigations focus on and examine images of the data

Procedures used in analyzing network data are:

• Examine network service logs for any events of interest
• Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs
• View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network

Page 97: File000117

Analysis of Extracted Data

Analysis is the process of interpreting the extracted data to determine their significance to the case

Some examples of analysis that may be performed include:

• Timeframe analysis
• Data hiding analysis
• Application and file analysis
• Ownership and possession

Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investigative leads, and/or analytical leads

Page 98: File000117

Timeframe Analysis

Timeframe analysis can be useful in determining when events occurred on a computer system, which can be used as a part of associating usage of the computer to an individual(s) at the time the events occurred

Two methods used for timeframe analysis:

• Reviewing the time and date stamps contained in the file system metadata (e.g. last modified, last accessed, created, change of status) to link files of interest to the timeframes relevant to the investigation
  • An example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed
• Reviewing the system and application logs that may be present
  • These may include error logs, installation logs, connection logs, security logs, etc.
  • For example, examination of a security log may indicate when a user name/password combination was used to log into a system

Take into consideration any differences in the individual’s computer date and time as reported in the BIOS
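Both timeframe methods together, as an added example that is not part of the EC-Council module: file-system MAC times and security-log logon events are merged into one timeline, every timestamp is corrected for the difference between the subject's BIOS clock and reference time, and file events are then attributed to whichever user's logon/logoff session brackets them. The file records, the log lines and the 7 minute 30 second clock offset are all constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed: the subject's BIOS clock was found to be 7 min 30 s AHEAD of
# reference time, so every subject timestamp is mapped back by that amount.
DRIFT = timedelta(minutes=7, seconds=30)

# Constructed file-system metadata, as read from the subject computer's clock.
FILES = [
    {"path": "C:/Users/alice/Documents/ledger.xls",
     "created": "2009-03-02 09:15:00", "modified": "2009-03-02 17:42:10",
     "accessed": "2009-03-03 08:01:00"},
    {"path": "C:/Users/alice/AppData/Local/Temp/~tmp1.tmp",
     "created": "2009-03-02 17:41:55", "modified": "2009-03-02 17:42:09",
     "accessed": "2009-03-02 17:42:09"},
]
# Constructed security-log extract: when a user name/password was used to log in.
LOG = [
    {"time": "2009-03-02 17:30:05", "event": "logon",  "user": "alice"},
    {"time": "2009-03-02 18:05:40", "event": "logoff", "user": "alice"},
]


def correct(ts, drift=DRIFT):
    """Subject timestamp string -> datetime on the reference clock."""
    return datetime.strptime(ts, FMT) - drift


def build_timeline(files, log, drift=DRIFT):
    """Merge MAC times and log events into one list of (when, kind, subject),
    sorted on corrected time. 'subject' is a path for file events, a user for logs."""
    events = []
    for f in files:
        for kind in ("created", "modified", "accessed"):
            events.append((correct(f[kind], drift), kind, f["path"]))
    for e in log:
        events.append((correct(e["time"], drift), e["event"], e["user"]))
    events.sort()
    return events


def within(timeline, start, end):
    """Restrict the timeline to the window relevant to the investigation."""
    return [e for e in timeline if start <= e[0] <= end]


def activity_by_user(timeline):
    """Attribute each file event to the user whose logon/logoff session brackets
    it, the basis for associating usage of the computer with an individual."""
    current = None
    by_user = {}
    for when, kind, subject in timeline:
        if kind == "logon":
            current = subject
        elif kind == "logoff" and subject == current:
            current = None
        elif current is not None and kind in ("created", "modified", "accessed"):
            by_user.setdefault(current, []).append((when, kind, subject))
    return by_user


if __name__ == "__main__":
    tl = build_timeline(FILES, LOG)
    for when, kind, subject in tl:
        print(when.strftime(FMT), kind.ljust(8), subject)
    print(activity_by_user(tl))
```

Note that the ledger's access at 08:01 the next day falls outside alice's session and is therefore left unattributed rather than guessed at; a later logon record, or a different clock correction, would change that result, which is why the BIOS offset is written into the case notes together with the timeline.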

Page 99: File000117

Data Hiding Analysis

Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent

Methods used include:

• Correlating the file headers to the corresponding file extensions to identify any mismatches
• Presence of mismatches may indicate that the user intentionally hid data
• Gaining access to all password-protected, encrypted, and compressed files, which may indicate an attempt to conceal the data from unauthorized users. A password itself may be as relevant as the contents of the file
• Steganography
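The header-to-extension correlation above, as an added example (illustrative code, not from the EC-Council module or any forensic suite). The table pairs well-known magic bytes with the extensions that legitimately carry them, so a JPEG renamed to `.txt` or a ZIP archive named `.pdf` is flagged while an `.xlsx` with a ZIP header (which is what OOXML files are) is not. Files whose header matches nothing in the table are skipped rather than flagged, since no claim can be made about them. The sample file list is constructed.

```python
# Well-known file signatures and the extensions that legitimately carry them.
SIGNATURES = [
    (b"\xff\xd8\xff",                       "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n",                  "png",  {"png"}),
    (b"GIF87a",                             "gif",  {"gif"}),
    (b"GIF89a",                             "gif",  {"gif"}),
    (b"%PDF-",                              "pdf",  {"pdf"}),
    (b"PK\x03\x04",                         "zip",  {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   "ole2", {"doc", "xls", "ppt"}),
]


def identify(head):
    """Return (type, allowed_extensions) for the leading bytes, or None if unknown."""
    for magic, kind, exts in SIGNATURES:
        if head.startswith(magic):
            return kind, exts
    return None


def find_mismatches(files):
    """files: iterable of (name, leading_bytes). Returns (name, extension, actual
    type) for every file whose header identifies a known type that its extension
    does not claim. These are the files that merit a closer look, not proof of
    intent by themselves."""
    out = []
    for name, head in files:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ident = identify(head)
        if ident is None:
            continue
        kind, allowed = ident
        if ext not in allowed:
            out.append((name, ext, kind))
    return out


# Constructed sample: name and the first bytes of each file.
SAMPLE = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt",    b"\xff\xd8\xff\xe1\x1cExif"),      # JPEG carrying a text name
    ("report.pdf",   b"PK\x03\x04\x14\x00"),            # ZIP archive carrying a .pdf name
    ("budget.xlsx",  b"PK\x03\x04\x14\x00"),            # legitimate: OOXML is a ZIP
    ("readme",       b"Plain text, no signature"),      # unknown header, skipped
]

if __name__ == "__main__":
    for name, ext, kind in find_mismatches(SAMPLE):
        print(f"{name}: extension '{ext}' but header says {kind}")
```

On a real image the leading bytes come from the extracted file records, and the table is far longer; the logic stays the same.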

Page 100: File000117

Application and File Analysis

Many programs and files identified may contain information relevant to the investigation and provide insight into the capability of the system and the knowledge of the user

Results of this analysis may indicate the additional steps that need to be taken in the extraction and analysis processes

Page 101: File000117

Application and File Analysis (cont’d)

Some examples include:

• Reviewing file names for relevance and patterns
• Examining the file’s content
• Identifying the number and type of the operating system(s)
• Correlating the files with the installed applications
• Considering relationships between files; for example, correlating Internet history to cache files and e-mail files to e-mail attachments
• Identifying the unknown file types to determine their value to the investigation
• Examining the users’ default storage location(s) for applications and the file structure of the drive to determine if files have been stored in their default or alternate location(s)
• Examining user-configuration settings
• Analyzing file metadata, the content of the user-created file containing data additional to that presented to the user, typically viewed through the application that created it

Page 102: File000117

Ownership and Possession

In some instances, it may be essential to identify the individual(s) who created, modified, or accessed a file. It may also be important to determine ownership and knowledgeable possession of the questioned data

Elements of knowledgeable possession may be based on the analysis described, including one or more of the following factors:

• Placing the subject at the computer at a particular date and time may help to determine ownership and possession (timeframe analysis)
• Files of interest may be located in non-default locations (e.g., user-created directory named “child porn”) (application and file analysis)

Page 103: File000117


Ownership and Possession (cont’d)

Elements of knowledgeable possession may be based on the analysis described above, including one or more of the following factors:

• The file name itself may be of evidentiary value and may also indicate the contents of the file (application and file analysis)
• Hidden data may indicate a deliberate attempt to avoid detection (hidden data analysis)
• If the passwords needed to gain access to encrypted and password-protected files are recovered, the passwords themselves may indicate possession or ownership (hidden data analysis)
• Contents of a file may indicate ownership or possession by containing information specific to a user (application and file analysis)

Page 104: File000117


Evidence Documentation and Reporting

Page 105: File000117


Documenting the Evidence

Documentation of the digital evidence examination is an ongoing process; it is therefore important to correctly record each step taken during the examination

The report should be written concurrently with the examination, and its presentation should be consistent with departmental policies

Page 106: File000117


Evidence Examiner Report

A common list of considerations that helps the examiner throughout the documentation process:

• Take notes when discussing the case with the case investigator
• Preserve a copy of the search authority and chain of custody documentation
• Write detailed notes about each action taken
• Include the date, time, complete description, and result of each action taken in the documentation
• Document any irregularities encountered during the examination
• Include the operating system’s name, software, and installed patches
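The list above asks for the date, time, complete description, and result of every action. The following is an added example, not from the original slides, of an examiner's log that records exactly those fields, attaches the SHA-256 of any evidence item an action touched, and chains each entry to the previous one by hash so that a note altered or removed after the fact is detectable when the log is verified. The hash chaining is an addition beyond what the slide describes; the case number, examiner name, timestamps and entries are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass
class LogEntry:
    seq: int
    timestamp: str                   # UTC, ISO 8601
    examiner: str
    action: str                      # complete description of what was done
    result: str                      # what the action produced or showed
    evidence_sha256: Optional[str]   # hash of the item handled, if any
    prev_hash: str                   # entry_hash of the previous entry
    entry_hash: str = ""


class ExaminationLog:
    """Append-only examiner's notes. Each entry carries the hash of the one
    before it, so an entry edited or removed after the fact breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self, case_number: str, examiner: str):
        self.case_number = case_number
        self.examiner = examiner
        self.entries = []

    @staticmethod
    def _digest(entry: LogEntry) -> str:
        body = asdict(entry)
        body["entry_hash"] = ""          # the hash covers every other field
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, action: str, result: str, evidence: Optional[bytes] = None,
               when: Optional[datetime] = None) -> LogEntry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        item_hash = hashlib.sha256(evidence).hexdigest() if evidence is not None else None
        entry = LogEntry(len(self.entries) + 1, ts, self.examiner,
                         action, result, item_hash, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is numbered, chained and hashed as recorded."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def report_lines(self) -> list:
        """Plain-text rendering for inclusion in the report of findings."""
        lines = [f"Case {self.case_number} - examiner {self.examiner}"]
        for e in self.entries:
            item = f" [sha256 {e.evidence_sha256[:16]}...]" if e.evidence_sha256 else ""
            lines.append(f"{e.seq}. {e.timestamp} {e.action}{item} -> {e.result}")
        return lines


def build_sample_log() -> ExaminationLog:
    """Constructed example entries (hypothetical case number, times and image)."""
    log = ExaminationLog("2009-0421", "J. Examiner")
    t0 = datetime(2009, 4, 21, 9, 30, tzinfo=timezone.utc)
    image = b"\xebR\x90NTFS    " + b"\x00" * 500   # stand-in for an acquired image
    log.record("Discussed scope with case investigator; copy of search warrant filed",
               "Scope limited to user 'alice' profile", when=t0)
    log.record("Verified hash of acquired image, exhibit 1A",
               "Matches acquisition hash", evidence=image, when=t0.replace(minute=45))
    log.record("Keyword search for 'invoice' over exhibit 1A",
               "3 hits, see attached list", when=t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.report_lines()))
    print("chain intact:", log.verify())
    log.entries[1].result = "Does NOT match"      # simulate a later edit
    print("chain intact after edit:", log.verify())
```

The chain only proves that the notes have not changed since they were written; it does not prove when they were written. For that, the last entry hash can be recorded on the signed paper worksheet or in a departmental case system at the end of each session, which anchors the chain to a time and a signature.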

Page 107: File000117


Final Report of Findings

• Disclose specific files related to the request
• Other files, including deleted files, that support the findings
• String searches, keyword searches, and text string searches
• Internet-related evidence, such as website traffic analysis, chat logs, cache files, e-mail, and newsgroup activity
• Graphic image analysis
• Indicators of ownership, which could include program registration data

Page 108: File000117


Final Report of Findings (cont’d)

Descriptive data analysis

• Description of the relevant programs on the examined items
• Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies

Supporting materials

• List supporting materials that are included with the report, such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation

Page 109: File000117


Computer Evidence Worksheet

Case Number : ________________ Exhibit Number: ______________

Laboratory Number: ____________ Control Number: ______________

Computer Information

Manufacturer: ________________ Model: ____________________

Serial Number: __________________________________________

Examiner marking: _______________________________________

Computer Type: [ ] Desktop [ ] Laptop [ ] Other: ________

Computer Condition: [ ] Good [ ] Damaged

Number of hard drives: __________ [ ] 3.5’’ Floppy drive [ ] 5.25’’ Floppy drive

[ ] Modem [ ] Network card [ ] Tape drive Tape drive type: ________

[ ] 100 MB Zip [ ] 250 MB Zip [ ] CD Reader [ ] CD Read/write

[ ] DVD [ ] Others: _____________________

Page 110: File000117


Computer Evidence Worksheet (cont’d)

CMOS Information [ ] Not Available

Password Logon [ ] Yes [ ] No Password = ________

Current Time _______ [ ] AM [ ] PM Current Date ___/___/___

CMOS Time _________ [ ] AM [ ] PM CMOS Date ___/___/___

CMOS Hard Drive #1 Setting

Capacity:______ Cylinders:_______ Heads:______ Sectors:_______

Mode: [ ] LBA [ ] Normal [ ] Auto [ ] Legacy CHS

CMOS Hard Drive #2 Setting

Capacity:______ Cylinders:_______ Heads:______ Sectors:_______

Mode: [ ] LBA [ ] Normal [ ] Auto [ ] Legacy CHS

Page 111: File000117


Hard Drive Evidence Worksheet

Case Number : ________________ Exhibit Number: ______________

Laboratory Number: ____________ Control Number: ______________

Hard Drive #1 Label Information [ ] Not Available

Manufacturer: ________________ Model: _____________________

Serial Number: _______________

Capacity:_______ Cylinders:_________ Heads:_________ Sectors:__________

Controller Rev.____________________

[ ] IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other

Jumper: [ ] Master [ ] Slave [ ] Cable Select [ ] Undetermined

Hard Drive #2 Label Information [ ] Not Available

Manufacturer: ________________ Model: _____________________

Serial Number: _______________

Capacity:_______ Cylinders:_________ Heads:_________ Sectors:__________

Controller Rev.____________________

[ ] IDE [ ] 50 Pin SCSI [ ] 68 Pin SCSI [ ] 80 Pin SCSI [ ] Other

Jumper: [ ] Master [ ] Slave [ ] Cable Select [ ] Undetermined

Page 112: File000117


Hard Drive Evidence Worksheet (cont’d)

Hard Disk #1 Parameter Information

[ ] DOS FDisk [ ] PTable [ ] PartInfo [ ] Linux Fdisk [ ] SafeBack [ ] EnCase [ ] Other:___

Capacity:______ Cylinders:_______ Heads:______ Sectors:_______

LBA Address Sectors: _____________ Formatted Drive Capacity: ____________

Volume Label: __________________________________________________

Partitions:

Name Bootable? Start End Type

________ _________ _________ _________ _________

________ _________ _________ _________ _________

________ _________ _________ _________ _________
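The partition rows of the worksheet above (name, bootable flag, start, end, type) are what a parser of the master boot record produces. The following is an added example, not from the original slides or any named tool, that reads the four primary entries of a 512-byte MBR, fills those worksheet columns, and lists the sectors that no partition covers, which is where a hidden partition or deliberately unallocated data of the kind listed under "Techniques used to hide or mask data" would sit. The sample disk (a 1 GiB image with two partitions and an unexplained hole between them) and the partition-type table are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
# One 16-byte entry: boot flag, (CHS start, skipped), type, (CHS end, skipped),
# LBA start, sector count. Little-endian, as stored on disk.
ENTRY_FMT = "<B3xB3xII"

# Partial type table; anything else is reported by its hex code.
PARTITION_TYPES = {
    0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32 (CHS)",
    0x0c: "FAT32 (LBA)", 0x0f: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(sector: bytes) -> list:
    """Return the used primary entries of an MBR as worksheet rows."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector: wrong length or 0x55AA signature missing")
    rows = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0x00 or count == 0:
            continue                      # unused slot
        rows.append({
            "name": f"Partition {i + 1}",
            "bootable": boot == 0x80,
            "start": start,
            "end": start + count - 1,     # inclusive last sector
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
        })
    return rows


def find_gaps(rows: list, total_sectors: int) -> list:
    """Sectors covered by no partition, as inclusive (start, end) ranges.

    Sector 0 is the MBR itself. A gap larger than the usual alignment
    padding, or space after the last partition, is where a hidden partition
    or unallocated data may sit and deserves a look in a sector viewer.
    """
    gaps = []
    cursor = 1
    for r in sorted(rows, key=lambda r: r["start"]):
        if r["start"] > cursor:
            gaps.append((cursor, r["start"] - 1))
        cursor = max(cursor, r["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_mbr(entries: list) -> bytes:
    """Construct a test MBR from (boot, type, lba_start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, boot, ptype, start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: a 1 GiB disk (2,097,152 sectors) with two partitions
# and a 197,952-sector hole between them that no partition accounts for.
SAMPLE_TOTAL_SECTORS = 2_097_152
SAMPLE_MBR = build_mbr([
    (0x80, 0x07, 2_048, 1_000_000),       # bootable NTFS
    (0x00, 0x83, 1_200_000, 800_000),     # Linux
])

if __name__ == "__main__":
    rows = parse_mbr(SAMPLE_MBR)
    print(f"{'Name':12} {'Bootable?':9} {'Start':>10} {'End':>10}  Type")
    for r in rows:
        print(f"{r['name']:12} {'Yes' if r['bootable'] else 'No':9} "
              f"{r['start']:>10} {r['end']:>10}  {r['type_name']} (0x{r['type']:02x})")
    for lo, hi in find_gaps(rows, SAMPLE_TOTAL_SECTORS):
        print(f"unallocated: sectors {lo}-{hi} ({(hi - lo + 1) * SECTOR_SIZE // 1024} KiB)")
```

Run the parser against the first sector of the forensic image, never the original drive, and take total_sectors from the acquisition record (the "LBA Address Sectors" line of the worksheet) rather than from the partition table, since a table can only describe the space it admits to. Extended partitions contain their own chained tables and GPT disks carry a protective MBR with a single 0xEE entry; both need further parsing beyond this example.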

Page 113: File000117


Removable Media Worksheet

Case Number : ________________ Exhibit Number: ___________

Laboratory Number: ____________ Control Number: ___________

Media Type / Quality

Diskette [ ] LS 120 [ ] 100 MB Zip [ ] 250 MB Zip [ ]

1 GB Jaz [ ] 2 GB Jaz [ ] Magneto-optical [ ] Tape [ ]

CD [ ] DVD [ ] Other [ ]

Examination

Exhibit # _________ Sub-Exhibit # _________

[ ] Triage [ ] Duplicated [ ] Browse [ ] Unerase [ ] Keyword Search

Page 114: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category

Page 115: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category

Online auction fraud:

• Account data based on online auction sites
• Accounting or bookkeeping software and related data files
• Address books
• Customer information or credit card data
• Databases
• Digital camera software
• E-mail/notes/letters
• Financial or asset records
• Internet browser history or cache files

Page 116: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Child Exploitation/Abuse:

• Chat logs
• Date and time stamps
• Digital camera software
• E-mail/notes/letters
• Games
• Graphic editing and viewing software
• Images
• Internet activity logs
• Movie files
• User-created directory and file names that categorize images

Page 117: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Computer Intrusion:

• Address books
• Configuration files
• E-mail/notes/letters
• Executable programs
• Internet activity logs
• Internet protocol (IP) address and user name
• Internet Relay Chat (IRC) logs
• Source code
• Text files (user names and passwords)

Page 118: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Death Investigation:

• Address books
• Diaries
• E-mail/notes/letters
• Financial/asset records
• Images
• Internet activity logs
• Legal documents and wills
• Medical records
• Telephone records

Page 119: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Economic Fraud (Including Online Fraud and Counterfeiting):

• Check, currency, and money order images
• Credit card skimmers
• Images of signatures
• False financial transaction forms
• False identification

E-Mail Threats/Harassment/Stalking:

• Internet activity logs
• Legal documents
• Telephone records
• Victim’s background research
• E-mail/notes/letters
• Financial or asset records

Page 120: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Extortion:

• Date and time stamps
• E-mail/notes/letters
• History log
• Internet activity logs
• Temporary Internet files
• User names

Gambling:

• Customer database and player records
• Customer information or credit card data
• Electronic money
• Sports betting statistics
• Image players

Page 121: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Identity Theft:

Hardware and software tools:

• Credit card generators
• Credit card reader/writer
• Digital cameras
• Scanners

Identification templates:

• Birth certificates
• Check cashing cards
• Digital photo images for photo identification
• Driver’s license
• Electronic signatures
• Fictitious vehicle registrations
• Scanned signatures
• Social security cards

Page 122: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Identity Theft (cont’d):

Internet activity related to ID theft:

• E-mails and newsgroup postings
• Erased documents
• Online orders
• Online trading information
• System files and file slack
• World Wide Web activity at forgery sites

Negotiable instruments:

• Business checks
• Cashiers checks
• Counterfeit money
• Credit card numbers
• Fictitious court documents
• Fictitious loan documents
• Fictitious sales receipts

Page 123: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Narcotics:

• Address books
• Calendar
• Databases
• Drug recipes
• E-mail/notes/letters
• False identification
• Financial/asset records
• Internet activity logs
• Prescription form images

Page 124: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Prostitution:

• Address books
• Biographies
• Calendar
• Customer database/records
• E-mail/notes/letters
• False identification
• Financial/asset records
• Internet activity logs
• Medical records
• World Wide Web page advertising

Page 125: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Software Piracy:

• Chat logs
• E-mail/notes/letters
• Image files of software certificates
• Internet activity logs
• Serial numbers
• Software cracking information and utilities
• User-created directory and file names that classify the copyrighted software

Page 126: File000117


Electronic Crime and Digital Evidence Consideration by Crime Category (cont’d)

Telecommunications Fraud:

• Cloning software
• Customer database/records
• Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records
• E-mail/notes/letters
• Financial/asset records
• “How to phreak” manuals
• Internet activity
• Telephone records

Page 127: File000117


Summary

Digital evidence is information and digital data of investigative value that is recorded or preserved on electronic devices

Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration

The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action

Digital evidence is fragile and can be altered, damaged, or destroyed by improper handling or examination

Transfer fragile data to a non-volatile medium/device without disrupting any other component of the computer

Documentation of digital evidence examination is an ongoing process, therefore it is important to correctly record each step during the examination
