Evidence handling is clearly one of the most important aspects in the expanding field of computer forensics. The never-ending innovation in technologies tends to keep best practices in constant flux in effort to meet industry needs. One of the more recent shifts in evidence handling has been the shift away from simply “pulling the plug” as a first step in evidence collection to the adoption of methodologies to acquire evidence “Live” from a suspect computer.
The need for changes in digital evidence collection are being driven by the rapidly changing computing environment:
- Applications are installed from removable media such as a USB stick and are then virtualized in RAM without a trace on the hard disk
- Root kits hide within process undetected by the underlying operating system and when using local tools (binaries) — you must analyze memory with trusted binaries
- Malware is fully RAM resident with no trace of existence on the hard disk
- Users regularly utilize covert / hidden encrypted files or partitions – areas of the hard drive to hide evidence
- Popular web browsers offer the user the ability to cover their tracks — log files of user activity are created but deleted when the browser is closed
- Web 2.0 continues to change the landscape with web based email, blogs, wiki’s and twitter extending storage of user actions / communications beyond the traditional hard disk found on the users machine.
Live Digital Evidence Collection
Effectively Live forensics provides for the collection of digital evidence in an order of collection that is actually based on the life expectancy of the evidence in question. Simply put in all likelihood perhaps the most important evidence to be gathered in digital evidence collection today and for the foreseeable future exists only in the form of the volatile data contained within the computers RAM.
Order of volatility of digital evidence
- CPU, cache and register content
- Routing table, ARP cache, process table, kernel statistics
- Memory
- Temporary file system / swap space
- Data on hard disk
- Remotely logged data
- Data contained on archival media
An accepted best practice in digital evidence collection – modified to incorporate live volatile data collection.
Stand Alone Computer
For proper evidence preservation, follow these procedures in order (Do not use the computer or search for evidence)
- Photograph the computer and scene
- If the computer is off do not turn it on
- If the computer is on photograph the screen
- Collect live data – start with RAM image (Live Response locally or remotely via F-Response) and then collect other live data “as required” such as network connection state, logged on users, currently executing processes etc.
- If hard disk encryption detected (using a tool like Zero-View) such as full disk encryption i.e. PGP Disk — collect “logical image” of hard disk using dd.exe, Helix – locally or remotely via F-Response
- Unplug the power cord from the back of the tower – If the computer is a laptop and does not shut down when the cord is removed then remove the battery
- Diagram and label all cords
- Document all device model numbers and serial numbers
- Disconnect all cords and devices
- Check for HPA then image hard drives using a write blocker, Helix or a hardware imager
- Package all components (using anti-static evidence bags)
- Seize all additional storage media (create respective images and place original devices in anti-static evidence bags)
- Keep all media away from magnets, radio transmitters and other potentially damaging elements
- Collect instruction manuals, documentation and notes
- Document all steps used in the seizure
Hashing
A reliable hash proves that the media contents have not been altered. Hashing program produces a fixed length large integer value (ranging from 80 – 240 bits) representing the digital data on the seized media. Any changes made to the original evidence will result in the change of the hash value.
Hashing is applying a mathematical algorithm to a file/disk/storage media to produce a value that is unique like fingerprint to that file/disk/dataset and any changes that will be made in the file/dataset will in turn change/alter the hash value. Hash value is one of the widely accepted methods of authenticating any given data set (files/folders/storage media) in the courts of law across the world. The hash value is usually alphanumeric (containing alphabets and numbers). Different types of hash algorithms are available like MD5 (Message Digest 5), SHA256 (secure hash algorithm) for use.
The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash
Digital Evidence Collection form is one of the most important elements of the forensic process. It is necessary that the steps taken for collection should be accurate and repeatable with the same results every time it is done. For this to happen, a proper documentation of the process used for collection needs to be maintained for every device that is collected. This documentation should contain all the information about the evidence that is visible to the naked eye. It should contain information about the kind of software and version used and the time when the collection process started and ended. This documentation called as the Digital Evidence Collection (DEC) form thus consists of the information on the evidence and the media on which the evidence is being copied to.
The standard details captured in a DEC form are given below
- Crime Number / Enquiry Number
- Applicable Section(s) of the law
- Date — The date when the equipment is seized/taken for forensic analysis including hash value.
- Name of the Investigating Officer / Enquiry Officer
- Address — Place where the acquisition has taken place