The first step an investigator must take after identifying a security incident and collecting the evidence is to secure the evidence to prevent tampering. Securing the evidence involves retrieving all the information held on a computer so that it can be used in the investigation. The term computer here includes all computer media (for example, floppy disks, tapes, CD-ROMs, DVDs, and removable hard drives).
By securing the evidence, the investigator ensures that it is not altered during the examination process. Securing the evidence should be in accordance with best practices. Best practices are an empirically proven set of methods for performing a task in the best and most efficient way. If security is breached, the evidence might lose its credibility.
Because digital evidence can be easily tampered with, altered, or destroyed, an investigator needs to ensure that the evidence is preserved and secured well. Failure to do so may result in the evidence being inadmissible when submitted to a court of law.
An investigator needs to take the following steps to secure the digital evidence while collecting it at the crime scene:
- Document and verify the hardware configuration of the system to be examined.
- Disassemble the computer to be examined.
- Identify and document the internal storage devices.
Preventing Evidence Tampering
It is essential for the investigator to ensure that the least amount of tampering is done to the evidence, because tampering can alter the evidence. To do so, the investigator must prevent anyone from tampering with the evidence, either remotely or at the suspect system.
- Gather the evidence: Gather the evidence using appropriate and industry-accepted techniques and procedures.
- Prepare the chain of custody: The investigator must document the gathering process. The document should include time stamps, digital signatures, and signed statements. An investigator must never turn on or operate the subject computer during an investigation. If the subject computer has to be on, the investigator should unplug the system and make sure it is not connected to the network environment.
The following are the steps that should be taken to preserve electronic evidence:
- Document the actions and changes observed in the monitor, system, printer, and other electronic
- Verify whether the monitor is on, off, or in sleep mode.
- Remove the power cable if the device is off. Do not turn the device on.
- Take a photo of the monitor screen if the device is on.
- Check dial-up, cable, ISDN, and DSL connections.
- Remove the power cord from the router or modem.
- Remove any floppy disks that are available at the scene to safeguard the potential evidence.
- Keep tape on drive slots and power connectors.
- Photograph the connections between the computer system and related cables, and label them individually.
- Label every connector and cable connected to peripheral devices.
For handheld devices:
- Personal digital assistants (PDAs), cell phones, and digital cameras store information in internal
- Do not turn the device on if it is off.
- Leave the device on if it is already on.
- Photograph the screen display of the device.
- Label and collect all cables and transport them along with the device.
- Make sure that the device is charged.
- Collect additional storage media like Memory Sticks and CompactFlash cards.
Order of Volatility
Volatility is the measure of how perishable electronically stored data are. When collecting evidence, the order of collection should proceed from the most volatile to the least volatile. The following list is the order of volatility for a typical system, beginning with the most volatile
- Registers and cache
- Routing table, process table, kernel statistics, and memory
- Temporary file systems
- Disks or other storage media
- Remote logging and monitoring data that is related or significant to the system in question
- Physical configuration and network topology
- Archival media
Dealing with Powered-Off Computers – At this point in the investigation, an investigator should not change the state of any electronic devices or equipment. If it is switched off, the investigator should leave it off and take it into evidence.
Dealing with Powered-On Computers – When dealing with a powered-on computer, the investigator should stop and think before taking any action. The contents of RAM may contain vital information. For example, data that is encrypted on the hard disk may be unencrypted in RAM. Also, running process information is stored in RAM. All of this vital information will be lost when the computer is shut down or when the power supply is removed.
If a computer is switched on and the screen is viewable, the investigator should photograph the screen and document the running programs. If a computer is on and the monitor shows a screensaver, the investigator should move the mouse slowly without pressing any mouse button, and then photograph and document the programs.
Dealing with a Networked Computer – If the victim’s computer is connected to the Internet, the first responder must follow this procedure in order to protect the evidence:
- Unplug the network cable from the router and modem in order to prevent further attacks.
- Do not use the computer for the evidence search because it may alter or change the integrity of existing evidence.
- Photograph all devices connected to the victim’s computer, particularly the router and modem, from several angles. If any devices, such as a printer or scanner, are present near the computer, take photographs of those devices as well.
- If a screensaver is visible, move the mouse slowly.
- If the computer is on, take a photograph of the screen and document any running programs.
- Unplug all cords and devices connected to the computer and label them for later identification.
- Unplug the main power cord from the wall socket.
- Pack the collected electronic evidence properly and place it in a static-free bag.
- Keep the collected evidence away from magnets, high temperatures, radio transmitters, and other elements that may damage the integrity of the evidence.
- Document all steps involved in searching and seizing the victim’s computer for later investigation.
Dealing with Open Files and Startup Files – When malware attacks a computer system, some files are created in the startup folder to run the malware program. The first responder can get vital information from these files by following this procedure
- Open any recently created documents from the startup or system32 folder in Windows and the rc.local file in Linux.
- Document the date and time of the files.
- Examine the open files for sensitive data such as passwords or images.
- Search for unusual MAC (modified, accessed, or changed) times on vital folders and startup files.
- Use the dir command for Windows or the ls command for Linux to locate the actual access times on the files and folders.
Forensic Duplication
It refers to bit stream imaging of data from the digital media in question. Data resides in all sorts of storage media present in computers, smart phones, GPS devices, USB drives, and so on. We need to be able to get to this information in a manner that it does not change the information on the devices themselves. If the evidence is not collected properly, we face an issue where the results of the forensic exam will be put in doubt. Hence it is necessary to copy the data carefully in a forensically sound manner.
Files can be copied from suspected storage media using two different techniques
- Logical backup – A logical backup copies the directories and files of a logical volume. It does not capture other data that may be present on the media, such as deleted files or residual data stored in slack space.
- Bit stream Imaging – Also known as disk imaging/ cloning/ bit stream imaging generates a bit-for-bit copy of the original media, including free space and slack space. Bit stream images require more storage space and take longer to perform than logical backups.
Packaging and Labeling
It refers to the collection of the evidence and then numbering them in a way that it would easy to go back and retrieve the data at a later date/time. Every piece of evidence needs to get a tag number, which contains all the visible details on the evidence. This information then goes into evidence Database, which contains details of all the evidences and the tag number on it.
It is necessary to understand that tagging is a very important part of the forensics process as it allows us to find the evidence needed among the plethora of evidence that is collected at a crime scene.
Primarily the IO has to choose packaging that is of proper size and material, to fit into the evidence. This is a key point. Do not drop your digital evidences into a plastic grocery bag you commonly find or some make shift package, and then expect it to hold up the digital evidences in good shape. Various types of evidence need special packaging, so you need to come to the scene prepared with a variety of evidence envelopes, bags, and containers. The packaging should also be clean, and preferably new, to avoid contamination. The IO’s toolkit as per the check list provided earlier in the manual will help the collection of the evidence in the prescribed manner and in a safe manner without damage.
Transportation
The dispatch and transportation of evidences is another crucial aspect that has to be kept in mind by the IOs. Poor dispatching and transportation practices can physically damage the evidences collected and thereby rendering them useless. Sometimes, the poor handling may result in alteration of the contents of the digital evidences due to shock and external electro-magnetic interferences. Such changes can put a question mark over the integrity of the evidences collected by the Investigating officer. While sending the evidences to the Forensic Science Laboratories, always ensure that
- The suspected computer storage media is carried by a special messenger but not by Registered / Insured post.
- A fresh hard disk of approximately same capacity should also be submitted for forensic imaging along with the suspected storage media.