Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.


Objectives
– Explain guidelines for seizing digital evidence at the scene
– Describe how to secure a computer incident or crime scene
– Describe how to preserve the evidence and establish the chain of custody
– Enumerate some general guidelines to process crime and incident scenes

Introduction
– A principle in criminal investigation called Locard’s Exchange Principle: anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind
(Figure: Locard’s triangle linking Victim, Crime Scene, Suspect and Evidence)

Introduction (Cont.)
– General rule: Harm nothing!
– Don’t let amateurs collect digital evidence

Introduction (Cont.)
– Digital evidence: digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)
– Can be any information stored or transmitted in digital form

Introduction (Cont.)
– Digital evidence (Cont.): all investigations must follow the following rules of evidence:
  – Digital evidence integrity must be preserved to be admissible in court. If the evidence is contaminated, it cannot be decontaminated
  – Digital evidence must be reliable: authentic, clear and easy to understand, and believable by a jury
  – Digital evidence must be complete: it includes exculpatory evidence pointing to alternative suspects

Introduction (Cont.)
– Digital crime scene: the electronic environment where digital evidence can potentially exist (Rogers, 2005)
– Collecting computers and processing a criminal or incident scene must be done systematically
– Computer forensics crime scene investigation process: there is no one right way to do it!

Introduction (Cont.)
– Responding to a computer forensics incident or crime generally involves the following steps:
  1. Seizing digital evidence at the scene
  2. Securing a computer incident or crime scene
  3. Preserving the data
  4. Establishing the chain of custody
  5. Examining data for evidence

Seizing Digital Evidence at the Scene
– Preparing to acquire digital evidence: the evidence you acquire at the scene depends on the nature of the case (crime or violation)
– Ask your supervisor or senior forensics examiner in your organization the following questions:
  – Do you need to take the entire computer and all peripherals and media in the immediate area?
  – How are you going to protect the computer and media while transporting them to your lab?
  – Is the computer powered on when you arrive?
  – Is it possible the suspect damaged or destroyed the computer, peripherals, or media?

Seizing Digital Evidence at the Scene (Cont.)
– Using a technical advisor: can help you list the tools you need to process the incident or crime scene and guide you about where to locate data (e.g., extracting log records or other evidence from large RAID servers)
– Responsibilities:
  – Know aspects of the seized system
  – Direct the investigator handling sensitive material
  – Help secure the scene
  – Document activities

Seizing Digital Evidence at the Scene (Cont.)
– Why secure a computer incident or crime scene?
  – Protecting the crime scene is crucial because if evidence is contaminated, it cannot be decontaminated
  – The main goals of securing the crime scene are the following:
    – Preserve the evidence (no damage during collection, transportation, or storage)
    – Keep information confidential
  – Depending on the situation, crime scene preservation will vary
  – Professional curiosity can destroy evidence: it involves police officers and other professionals who aren’t part of the crime scene processing team

Securing a Computer Incident or Crime Scene (Cont.)
– How to secure a computer incident or crime scene?
  – Define a secure perimeter: use yellow barrier tape

Securing a Computer Incident or Crime Scene (Cont.)
– How to secure a computer incident or crime scene? (Cont.)
  – Physical surroundings of the computer should be photographed and clearly documented
    – Photographs should be taken before anything is touched

Securing a Computer Incident or Crime Scene (Cont.)
– How to secure a computer incident or crime scene? (Cont.)
  – Physical surroundings of the computer should be photographed and clearly documented
    – Photograph and label all equipment
    – Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected

Securing a Computer Incident or Crime Scene (Cont.)
– How to secure a computer incident or crime scene? (Cont.)
  – Take custody of the computer, peripherals, and media
  – Bag and tag all evidence
    – Assign one person to collect and log all evidence
    – Record the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
    – Maintain two separate logs of collected evidence
  – Use antistatic bags

Preserving the Data
– Capture volatile data: the computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves the data to a secure location
  – Contents of RAM
  – Currently running processes
  – Current network connections (recent connections and open applications/sockets)
  – Logon sessions
  – Open files: file system time and date stamps

Preserving the Data (Cont.)
– Acquire image
  – A reboot will change disk images. Do not reboot!
  – After retrieving volatile data, focus on the hard drive
  – Make a forensic backup = system image = bit-stream backup
    – Copy every bit of the file system, not just the disk files!
    – Its accuracy meets evidence standards
  – Example tools include: ProDiscover, EnCase, FTK
  – The OS does not influence which tools to use for bit-image capture

Preserving the Data (Cont.)
– Acquire image (Cont.)
  – Copy all image files to a large drive
  – Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash

Establishing the Chain of Custody
– As soon as the team begins its work, it must start and maintain a strict chain of custody
– The chain of custody protects the integrity and reliability of the evidence
  – It documents that the evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt it
  – It is an effective process for documenting the complete journey of the evidence during the life of the case:
    – Who collected it?
    – How and where?
    – Who took possession of it?
    – How was it stored and protected in storage?

Establishing the Chain of Custody (Cont.)
– Create or use an evidence custody form
– An evidence custody form serves the following functions:
  – Identifies the evidence
  – Identifies who has handled the evidence
  – Lists dates and times the evidence was handled

General Guidelines
– Keep a journal to document your activities
– Record all active windows or shell sessions
– Make notes of everything you do when copying data from a live suspect computer
– Close applications and shut down the computer

General Guidelines (Cont.)
– Useful information to collect:
  – Seize all hardware that is necessary to reconstruct evidence (hard disk drives, USB devices, CDs, DVDs, floppies, papers); better to collect too much than too little
  – IDS, firewall, and system logs
  – Suspect’s web pages, e-mails, and internet activities
  – Suspect’s access of files (created/modified/viewed)
– Authenticate the copy so that you can prove that the evidence discovered was on the original media
– Always work from a copy, not from the original

General Guidelines (Cont.)
– Useful information to collect (Cont.)
  – Use a write-blocking device to prevent accidentally writing to the suspect media
  – Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands. They can be hardware or software
  – With the write blocker in place, you can now make several copies of the image
  – It is a good idea to make at least two working images: one to be used as a backup and one to work on
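The hashing step on the "Acquire image" slide and the "authenticate the copy" and "two working images" guidelines above come together in the following added example (not code from the textbook): it computes MD5 and SHA-1 digests of an image file in chunks, records them as you would on the custody form, and checks a working copy against that record so a single altered byte is caught. The file names and the 1 MiB sample "image" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the image 1 MiB at a time so large images fit in memory


def hash_image(path):
    """Return MD5 and SHA-1 hex digests of the file at path, read in chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_copy(recorded, copy_path):
    """Compare digests recorded for the original against a working copy.
    Returns (all_match, per_algorithm_result)."""
    actual = hash_image(copy_path)
    details = {alg: recorded[alg] == actual[alg] for alg in recorded}
    return all(details.values()), details


def demo():
    """Constructed scenario: one original image, one faithful working copy,
    one copy with a single byte changed (hypothetical file names)."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "suspect_drive.dd")
    good_copy = os.path.join(tmp, "working_copy.dd")
    bad_copy = os.path.join(tmp, "altered_copy.dd")
    data = bytes(range(256)) * 4096  # 1 MiB of constructed content
    with open(original, "wb") as f:
        f.write(data)
    with open(good_copy, "wb") as f:
        f.write(data)
    with open(bad_copy, "wb") as f:
        f.write(data[:-1] + b"\x00")  # last byte changed from 0xff to 0x00
    recorded = hash_image(original)  # the values written on the custody form
    return {
        "recorded": recorded,
        "good": verify_copy(recorded, good_copy)[0],
        "altered": verify_copy(recorded, bad_copy)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Keeping both digests on the form means a later examiner can re-verify the copy with whichever algorithm their tool supports.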