Digital evidence can be any information stored or transmitted in digital form.
Because you can’t see or touch digital data directly, it’s difficult to explain and describe.
Scientific Working Group on Digital Evidence (SWGDE): Sets standards for recovering, preserving, and examining digital evidence.
Following are the general tasks investigators perform when working with digital evidence:
Identify digital information or artifacts that can be used as evidence.
Collect, preserve, and document evidence.
Analyze, identify, and organize evidence.
Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
Consistent practices help verify your work and enhance your credibility, so you must handle all evidence consistently.
Apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime to comply with your state’s rules of evidence.
Keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence.
Another concern when dealing with digital records is the concept of hearsay, which is a statement made while testifying at a hearing by someone other than an actual witness to the event.
The following are some hearsay exceptions that apply to digital forensics investigations:
Business records, including those of a public agency.
Certain public records and reports.
Evidence of the absence of a business record or entry.
Learned treatises used to question an expert witness.
Statements of the absence of a public record or entry.
Computer-generated records: Data the system maintains, such as system log files and proxy server logs.
Computer-stored records: Electronic data that a person creates and saves on a computer or digital devices, such as a spreadsheet or word processing document.
For the evidence to qualify as a business record exception to the hearsay rule, a person must have created the computer-stored records, and the records must be original.
State public disclosure laws define state public records as open and available for inspection.
Investigating and controlling computer incident scenes in private-sector environments is much easier than at crime scenes.
In the private sector, the incident scene is often a workplace where a policy violation is being investigated.
When investigating employees suspected of improper use of company digital assets, a company policy statement about the misuse of digital assets gives private-sector investigators an advantage: it allows them to conduct covert surveillance with little or no cause and to access company computer systems and digital devices without a warrant.
If a company doesn’t display a warning banner or publish a policy stating that it reserves the right to inspect digital assets at will, employees have an expectation of privacy.
A well-defined company policy should state that an employer has the right to examine, inspect, or access any company-owned digital assets.
Private-sector investigators should know under what circumstances they can examine an employee’s computer.
With a policy statement, an employer can freely initiate any inquiry necessary to protect the company or organization.
Organizations must also have a well-defined process describing when an investigation can be initiated.
Private-sector investigators are concerned mainly with protecting company assets, such as intellectual property.
Finding evidence of a criminal act during an investigation escalates the investigation from an internal civil matter to an external criminal complaint.
Probable cause: The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
Innocent information is often included with the evidence you’re trying to recover.
When you find commingled evidence, judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence.
Plain View Doctrine: States that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence.
For the plain view doctrine to apply, three criteria must be met:
The officer is where he or she has a legal right to be.
Ordinary senses must not be enhanced by advanced technology in any way.
Any discovery must be by chance.
You start by identifying the nature of the case, including whether it involves the private or public sector.
Serious cases might involve an employee abusing company digital assets to acquire or deliver contraband.
Law enforcement cases could range from a check fraud ring to a homicide.
The nature of the case dictates how you proceed and what types of assets or resources you need to use in the investigation.
For law enforcement, this step might be difficult because the crime scene isn’t controlled. You might not know what kinds of digital devices were used to commit a crime or how or where they were used.
If you can identify the OS or device, estimate the size of the storage device on suspect computers and determine how many digital devices you have to process at the scene.
Determine what hardware might be involved. Then you need to determine the OS.
For private-sector investigators, configuration management databases make this step easier.
Consultants to the private sector or law enforcement officers might have to investigate more thoroughly to determine these details.
You also need to consider cloud storage, which has become more widespread.
The ideal situation for incident or crime scenes is seizing computers and digital devices and taking them to your lab for further processing.
The type of case and location of the evidence determine whether you can remove digital equipment from the scene.
Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab.
If removing the computers will irreparably harm a business, the computers shouldn’t be taken offsite, unless you have disclosed the effect of the seizure to the judge.
You must decide whether the drives containing the relevant files need to be examined. Another consideration is the availability of cloud storage, which essentially can’t be located physically.
The data is stored on drives where data from many other subscribers might be stored.
If you aren’t allowed to take the computers and digital devices to your lab, determine the resources you need to acquire digital evidence and which tools can speed data acquisition.
The more information you have about the location of a digital crime, the more efficiently you can gather evidence from the crime scene.
Environmental and safety issues are the main concerns during this process.
Before arriving at incident or crime scenes, identify potential hazards to your safety as well as that of other examiners.
In cases that involve dangerous settings, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
The recovery process might include decontaminating digital components needed for the investigation.
If the decontamination procedure might destroy electronic evidence, a HAZMAT specialist or an investigator in HAZMAT gear should make an image of a suspect’s drive.
If you have to rely on a HAZMAT specialist to acquire data, coach the specialist on how to connect cables and how to run the software.
You must be exact and articulate in your instructions. Ambiguous or incorrect instructions could destroy evidence.
When dealing with extreme conditions, such as biological or chemical hazardous contaminants, you might have to sacrifice equipment, such as data and power cables, to perform a task.
If the temperature in the contaminated room is higher than 80 degrees, you should take measures to avoid damage to the drive from overheating.
In a dry desert region, consider cooling the target drive by using sealed ice packs or double-wrapped bags of ice so that moisture doesn’t leak out and damage the drive.
Private-sector investigations usually require only one person to respond to an incident or crime scene.
Processing evidence usually involves acquiring an image of a suspect’s drive.
In law enforcement, many investigations need additional staff to collect all evidence quickly. For large-scale investigations, a crime scene leader should be designated.
Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to ensure that the team addresses all details when collecting evidence.
After you collect evidence data, determine whether you need specialized help to process the incident or crime scene.
If you’re the lead on this investigation, you must identify the additional skills needed to process the crime scene.
When working at high-end computing facilities, identify the applications the suspect uses.
If you do need to recruit a specialist who’s not an investigator, develop a training program to educate the specialist in investigative techniques. This advice also applies to specialists you plan to supervise during search-and-seizure tasks.
When dealing with digital evidence, an untrained specialist could destroy evidence unintentionally, no matter how careful you are in giving instructions and monitoring his or her activities.
Being overprepared is better than being underprepared, especially when you determine that you can’t transfer the computer to your lab for processing.
Initial-Response Kit — should be lightweight and easy to transport.
With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
Extensive-Response Kit — should include all the tools you can afford to take to the field.
When you arrive at the scene, you should extract only those items you need to acquire evidence.
Doing so protects your equipment and minimizes how many items you have to keep track of at the scene.
Small Computer Kit (1)
Large-capacity drive (1)
Set of Japanese Industrial Standard (JIS) screwdrivers (1)
Set of ANSI screwdrivers (1)
Antistatic wristbands (2)
IDE ribbon cable (ATA-33 or ATA-100) (1)
SATA cables (1)
Forensic boot media containing an acquisition utility (1)
Laptop IDE 40- to 44-pin adapter, other adapter cables (1)
Laptop or tablet computer (1)
FireWire or USB dual write-protect external bay (1)
Flashlight (1)
Digital camera with extra batteries or 35mm camera with film and flash (1)
Evidence log forms (10)
Notebook or digital dictation recorder (1)
Computer evidence bags (antistatic bags) (10)
Evidence labels, tape, and tags (20)
Permanent ink marker (1)
USB drives / portable hard drives (10)
Assorted technical manuals, ranging from OS references to forensic analysis guides (Varies)
Initial-response field kit (1)
Laptop or tablet with cables and connectors (1)
Electrical power strips (2)
Additional hand tools, including bolt cutters, pry bar, and a hacksaw (1)
Leather gloves and disposable latex gloves (assorted sizes) (1)
Set of JIS screwdrivers (1)
Set of ANSI screwdrivers (1)
Antistatic wristbands (2)
Hand truck and luggage cart (1)
Large garbage bags and large cardboard boxes with packaging tape (10)
Rubber bands of assorted sizes (1)
Magnifying glass (1)
Ream of printer paper (1)
Small brush for cleaning dust from digital devices (1)
USB drives of varying sizes (10)
External hard drives (1 TB or larger) with power cables (2)
Converter cables (Assorted)
Additional assorted hard drives or USB drives for data acquisition (5)
Before you initiate the search and seizure of digital evidence at incident or crime scenes, you must review all the available facts, plans, and objectives with the investigation team you have assembled.
The goal of scene processing is to collect and secure digital evidence successfully.
The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data.
Keep in mind that digital evidence is volatile.
Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene.
Evidence is commonly lost or corrupted because of professional curiosity, which involves the presence of police officers and other professionals who aren’t part of the crime scene–processing team.
When working at an incident or crime scene, be aware of what you’re doing and what you have touched, physically or virtually.
A police detective can take elimination prints of everyone who had access to the crime scene to identify the fingerprints of known people; digital evidence doesn’t have an equivalent elimination process.
You must protect all digital evidence, so make sure no one examines a suspect’s computer before you can capture and preserve an image of the hard disk.
Use your judgment to determine what steps to take when processing a civil or criminal investigation. For any difficult issues, seek out legal counsel or other technical experts.
Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene.
To secure the scene, use whatever is practical to make sure only authorized people can access the area. Remove anyone who isn’t investigating the scene unless you need his or her help to process the scene.
Take video and still recordings of the area around the computer or digital device. Start by recording the overall scene, and then record details with close-up shots, including the back of all computers.
Before recording the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which plug, in case you need to reassemble components at the lab.
When you finish videotaping or photographing the scene, sketch the incident or crime scene. This sketch is usually a rough draft with notes on objects’ dimensions and distances between fixed objects.
Because digital data is volatile, check the state of each computer or device at the scene as soon as possible. Determine whether the computer is powered on or off or in hibernation or sleep mode.
If it’s off, leave it off.
If it’s on, use your professional judgment on what to do next.
Standard digital forensics practice has been to kill the computer’s power to make sure data doesn’t become corrupt through covert means.
As a general rule, don’t cut electrical power to a running system unless it’s an older Windows or MS-DOS system.
If you’re working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions.
Don’t examine folders or network connections or press any keys unless it’s necessary.
For systems that are powered on and running, photograph the screens. If windows are open but minimized, expanding them so that you can photograph them is safe.
As a precaution, write down each window’s contents.
As you’re copying data on a live suspect computer, make notes in your journal about everything you do so that you can explain your actions in your formal report to prosecutors and other attorneys.
When you’ve finished recording screen contents, save them to external media.
If you can’t save an open application to external media, save it to the suspect drive with a new filename. Changing the filename avoids overwriting an existing file that might not have been updated already.
After you have saved all active files on the suspect computer, you can close all applications.
If an application prompts you to save before closing, don’t save the files.
When all applications are closed, perform an orderly shutdown.
After you record the scene, shut down the system, and bag and tag the evidence, follow these steps:
Assign one person, if possible, to collect and log all evidence. Minimize the number of people handling evidence to ensure its integrity.
Tag all the evidence you collect with the current date and time, serial numbers or unique features, make and model, and name of the person who collected it.
Maintain two separate logs of collected evidence to be reconciled for audit control purposes and to verify everything you have collected.
Maintain constant control of the collected evidence and the crime or incident scene.
To finish your analysis and processing of a scene, collect all documentation and media related to the investigation, including the following material:
Hardware, including mobile and peripheral devices
Software, including OSs and applications
All media, such as USB drives, backup tapes, and disks
All documentation, manuals, printouts, and handwritten notes
Digital investigators sometimes perform forensics analysis on RAID systems or server farms, which are rooms filled with extremely large disk systems and are typical of large business data centers, such as banks, insurance companies, and ISPs.
Sparse Acquisition: This technique extracts only data related to evidence for your case from allocated files and minimizes how much data you need to analyze.
A drawback of this technique is that it doesn’t recover data in free or slack space. If you have a digital forensics tool that accesses unallocated space on a RAID system, work with the tool on a test system first to make sure it doesn’t corrupt the RAID system.
Technical Advisor: The person guiding you about where to locate data and helping you extract log records or other evidence from large RAID servers.
They can help create the search warrant by itemizing what you need for the warrant.
At the scene, they can help direct other investigators to collect evidence correctly.
Technical advisors have the following responsibilities:
Know all aspects of the system being seized and searched.
Direct investigators on how to handle sensitive media and systems to prevent damage.
Help ensure the security of the scene.
Help document the planning strategy for the search and seizure.
Conduct ad hoc training for investigators on the technologies and components being seized and searched.
Document activities during the search and seizure.
Help conduct the search and seizure.
After you collect digital evidence at the scene, you transport it to a forensics lab, which should be a controlled environment that ensures the security and integrity of digital evidence.
In any investigative work, be sure to record your activities and findings as you work. To do so, you can maintain a journal to record the steps you take as you process evidence.
Your goal is to be able to reproduce the same results when you or another investigator repeat the steps you took to collect evidence.
If you get different results when you repeat the steps, the credibility of your evidence becomes questionable. At best, the evidence’s value is compromised; at worst, the evidence will be disqualified. Because of the nature of electronic components, failures do occur.
Your first task is to preserve the disk data. If you have a suspect computer that hasn’t been copied with an imaging tool, you must create a copy.
When you do, be sure to make the suspect drive read-only and document this step. If the disk has been copied with an imaging tool, you must preserve the image files.
You use the following steps to create image files:
Copy all image files to a terabyte drive or a storage area network (SAN). Start your forensics tool to access and open the image files.
Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash. Later in “Obtaining a Digital Hash,” you learn how to compare MD5 or SHA-1 hashes to make sure the evidence hasn’t changed.
When you finish copying image files to a larger drive, secure the original media in an evidence locker. Don’t work with the original media; it should be stored in a locker that has an evidence custody form. Be sure to fill out the form and date it.
The choice of media for storing digital evidence usually depends on how long you need to keep it. If you investigate criminal matters, store the evidence as long as you can.
The ideal storage media for digital data is solid-state USB drives.
You can also use magnetic tape to preserve evidence data. The 4-mm DAT magnetic tapes store from 40 to 72 GB or more of data, but they’re slow at reading and writing data.
Evidence is routinely kept for long periods.
Don’t rely on one media storage method to preserve your evidence, however.
Be sure to make two copies of every image to prevent data loss.
To help maintain the chain of custody for digital evidence so that it’s accepted in court or by arbitration, restrict access to your lab and evidence storage area.
When your lab is open for operations, authorized personnel must keep these areas under constant supervision.
When your lab is closed, at least two security workers should guard evidence storage cabinets and lab facilities.
As a good security practice, your lab should have a sign-in roster for all visitors.
If you’re supporting a law enforcement agency, you might need to retain evidence indefinitely, depending on the type of crime. Check with your local prosecuting attorney’s office or state laws to make sure you’re in compliance.
For the private sector, check with the organization’s legal department, which is responsible for setting standards for evidence retention.
Cases in which child pornography is discovered are the exception: The evidence must be examined by law enforcement. As a private-sector investigator, you aren’t allowed to examine these files.
An evidence custody form serves the following functions:
Identifies the evidence.
Identifies who has handled the evidence.
Lists dates and times the evidence was handled.
Evidence bags also include labels or evidence forms you can use to document your evidence.
Commercial companies offer a variety of sizes and styles of paper and plastic evidence bags.
Be sure to write on the bag when it’s empty, not when it contains digital evidence, to make sure your writing is legible and to avoid damaging the evidence.
You should use antistatic bags for electronic components.
To verify data integrity, different methods of obtaining a unique identity for file data have been developed.
Cyclic Redundancy Check (CRC)
A mathematical algorithm that determines whether a file’s contents have changed.
However, this is not considered a forensic hashing algorithm.
Message Digest 5 (MD5)
The first algorithm used for digital forensics.
It is a mathematical formula that generates a hexadecimal code based on the contents of a file, a folder, or an entire drive.
If a bit or byte in the file changes, it alters the hash value, a unique hexadecimal value that can be used to verify that a file or drive hasn’t changed or been tampered with.
According to work done by Wang Xiaoyun, there are three rules for forensic hashes:
You can’t predict the hash value of a file or device.
No two hash values can be the same.
If anything changes in the file or device, the hash value must change.
Secure Hash Algorithm version 1 (SHA-1)
Developed by the National Institute of Standards and Technology (NIST).
It has slowly replaced MD5 and CRC-32, although MD5 is still widely used.
Non-Keyed Hash Set
A unique hash number is generated by a software tool, such as the Linux md5sum command.
It can identify known files, such as executable programs or viruses, that hide themselves by changing their names.
Keyed Hash Set
It is created by an encryption utility’s secret key.
It can produce a unique hash set for digital evidence.
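As an added example that is not part of the original notes, the following Python script carries out the hashing steps described earlier for image files (record the MD5/SHA-1 digests when the image is copied, then recompute and compare them later) and contrasts a non-keyed hash with a keyed hash (HMAC). The sample image is a constructed temporary file, not evidence; SHA-256 is included by my own choice, because collisions have been published for both MD5 and SHA-1.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # stream images in 1 MiB pieces; a drive image will not fit in memory


def _feed(digest, path):
    """Stream a file through any object with an update() method (hashlib or hmac)."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_bytes(data, algorithm="sha1"):
    """Hex digest of an in-memory buffer (MD5, SHA-1 or SHA-256, selected by name)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha1"):
    """Hex digest of an image file, read in chunks."""
    return _feed(hashlib.new(algorithm), path)


def record_hashes(path, algorithms=("md5", "sha1", "sha256")):
    """Digests to copy onto the evidence custody form right after the image is created.
    MD5 and SHA-1 are the algorithms the notes name; SHA-256 is added (my assumption)
    because collisions are known for both older algorithms."""
    return {alg: hash_file(path, alg) for alg in algorithms}


def verify_image(path, recorded):
    """Recompute every recorded digest; the image is unchanged only if all of them match."""
    return all(hash_file(path, alg) == digest for alg, digest in recorded.items())


def keyed_hash_bytes(data, key, algorithm="sha256"):
    """Keyed hash (HMAC): a matching digest also shows the holder of `key` computed it."""
    return hmac.new(key, data, digestmod=algorithm).hexdigest()


def keyed_hash_file(path, key, algorithm="sha256"):
    """Keyed hash of a whole image file, streamed like hash_file()."""
    return _feed(hmac.new(key, digestmod=algorithm), path)


def demo():
    """Constructed sample image (not real evidence): record hashes, alter one byte, re-verify."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
        recorded = record_hashes(path)
        before = verify_image(path, recorded)   # True: nothing has changed yet
        with open(path, "r+b") as f:            # simulate a single altered byte
            f.seek(100)
            f.write(b"\x01")
        after = verify_image(path, recorded)    # False: every digest now differs
        return before, after, recorded
    finally:
        os.remove(path)


if __name__ == "__main__":
    before, after, digests = demo()
    for alg, d in digests.items():
        print(f"{alg}: {d}")
    print("verified before change:", before, "| verified after change:", after)
```

The same `hash_file()` output is what you compare against the value written on the custody form when the image is opened again in the lab.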
The following are the general tasks you perform in any digital forensics case:
Identify the case requirements.
Plan your investigation.
Conduct the investigation.
Complete the case report.
Critique the case.
Most cases in the private sector are considered low-level investigations, or noncriminal cases.
Another activity common in the private sector is covert surveillance of employees who are abusing their computing and network privileges.
For covert surveillance, you set up monitoring tools that record a suspect’s activity in real time.
Real-time surveillance requires sniffing data transmissions between a suspect’s computer and a network server.
Network sniffer tools allow network administrators and others to determine what data is being transmitted over the network.
The tools are hidden or disguised as other programs in Windows Task Manager and process logs.
Guidance Software EnCase Enterprise Edition (EEE): A centrally located server with specialized software that can activate servlets over a network to remote workstations.
Chapter 4: Processing Crime and Incident Scenes