Introduction to Computer Forensics
Search & Seizures “Electronic Data Recovery/Bag & Tag”

Outline
• Definitions
• Rules of Evidence
• DFS seizure standards
• Procedures
  – Field examinations
  – Disk seizures
  – System seizures
• Forensic tool kits
• Practical exercise

Learning Objectives
• At the end of this module you will be able to:
  – Describe the importance of managing and handling evidence correctly;
  – Compare and contrast standards related to seizing computer systems, media etc.;
  – Discuss the importance of managing the “crime scene”; and
  – Demonstrate applied knowledge of procedures and guidelines.

Definitions
• Digital Evidence – Information stored or transmitted in binary form that may be relied upon in court.
• Original Digital Evidence – Physical items and those data objects which are associated with those items at the time of seizure.
• Duplicate Digital Evidence – An accurate digital reproduction of all data objects contained on the original physical item.
• Backup – A copy, bit by bit.

Definitions
• Chain of Custody – A means of accountability that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence.
• Rules of Evidence – Evidence must be competent, relevant, and material to the issue.
Forensic Principles “Rules of Evidence: A Quick Review”

5 Rules of Evidence
• Admissible – Must be able to be used in court or elsewhere
• Authentic – Evidence relates to the incident in a relevant way
• Complete (no tunnel vision) – Includes exculpatory evidence for alternative suspects
• Reliable – No question about authenticity & veracity
• Believable – Clear, easy to understand, and believable by a jury

Evidence Life Cycle
• Collection & identification
• Storage, preservation, and transportation
• Presentation
• Return to production, owner, or court

Categories of Evidence
• Admissibility of evidence is based on factual foundation
  – Varies for different types of evidence
• Best evidence
  – Primary evidence used in trial
  – Usually documentation falls into this category
• Secondary evidence
  – Not viewed as reliable & strong in proving innocence or guilt
  – Oral evidence

Categories of Evidence
• Direct evidence
  – Proves a fact all by itself
  – Eyewitness testimony
• Conclusive evidence
  – Irrefutable and cannot be contradicted
• Circumstantial evidence
  – Proves an intermediate fact that can be used to deduce or assume the existence of another fact

Categories of Evidence
• Corroborative evidence
  – Supporting evidence used to help prove an idea or point
• Opinion evidence
  – Pertains to witness testimony
  – Witness must testify only to the facts of the issue and not their opinion of the facts

Hearsay Evidence
• Hearsay Evidence
  – Oral or written evidence that is second hand and that has no firsthand proof of accuracy or reliability
  – Statements spoken, written or otherwise uttered by a person outside of court, when the out-of-court statement is used to try to prove the facts asserted in the statement.
  – Generally, written documents are considered to be hearsay if they are to be admitted into evidence to prove the truth of the facts alleged in the document.
Hearsay Evidence
• In certain instances computer records fall outside of the hearsay rule
  – Information relates to regular business activities
  – Automatically computer-generated data
    • No human intervention
    • Prove the system was operating correctly
    • Prove no one changed the data

Chain of Custody
• Protects the integrity of the evidence
• Effective process of documenting the complete journey of the evidence during the life of the case
• Allows you to answer the following questions:
  – Who collected it?
  – How & where?
  – Who took possession of it?
  – How was it stored & protected in storage?
  – Who took it out of storage & why?
  – (For the exam)

Forensic Principles “Are We There Yet?”

Forensic Principles
• Digital/electronic evidence is extremely volatile!
• Once the evidence is contaminated it cannot be de-contaminated!
• The court's acceptance is based on the best evidence principle
  – For computer data, printouts or other output readable by sight, and bit-stream copies, satisfy this principle.

Forensic Principles
• The IOCE International Principles are governed by the following attributes:
  1. Consistency with all legal systems;
  2. Allowance for the use of a common language;
  3. Durability;
  4. Ability to cross international boundaries;
  5. Ability to instill confidence in the integrity of the evidence;
  6. Applicability to all forensic evidence; and
  7. Applicability at every level, including that of individual, agency, and country.

Forensic Principles
• The 6 Principles are:
  1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
  2. Upon seizing digital evidence, actions taken should not change that evidence.
  3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
  4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
  5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
  6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Forensic Principles
• G8 proposed Principles
• International Organization on Computer Evidence (IOCE)
  – In March 1998, IOCE was appointed to draw up international principles for the procedures relating to digital evidence, to ensure the harmonization of methods and practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another state.

Electronic Data Discovery
• Electronic discovery refers to the discovery of electronic documents and data.
• Electronic documents include:
  – e-mail, web pages, word processing files, computer databases, and virtually anything that is stored on a computer.
• Technically, documents and data are “electronic” if they exist in a medium that can only be read through the use of computers.
  – Often distinguished from “paper discovery,” which refers to the discovery of writings on paper that can be read without the aid of some device.

Seizures “Bagging & Tagging”

General Evidence Dos & Don’ts
1. Minimize Handling/Corruption of Original Data
2. Account for Any Changes and Keep Detailed Logs of Your Actions
3. Comply with the Five Rules of Evidence
4. Do Not Exceed Your Knowledge
5. Follow Your Local Security Policy and Obtain Written Permission
6. Capture as Accurate an Image of the System as Possible
7. Be Prepared to Testify
8. Ensure Your Actions are Repeatable
9. Work Fast
10. Proceed From Volatile to Persistent Evidence
11. Don't Run Any Programs on the Affected System
12. Document, Document, Document!!!!
• Source: AusCERT 2003 (www.auscert.org)

Step 1: Planning for the Search & Seizure
• Responders should determine:
  – The type of case (e.g., child porn, IP theft etc.);
  – The type of computer(s) involved;
  – The operating system(s) used; and
  – Level of technical savvy of the end user.
• A Primary Evidence (PE) person should be appointed. The PE is responsible for preparing a detailed plan for documenting, preserving, and maintaining the integrity of all seized evidence (digital and paper).

Step 2: Securing and Evaluating the Scene
• Control the scene
  – Allow only authorized persons access
  – Record the names of all individuals present during the search
• Confirm when the system was last accessed
  – Establish a chronology of access to the media
• Photograph or videotape the entire scene, including the contents of the monitor.

Step 3: Securing the System
• If the system is “On” do not perform a controlled shutdown. Pull the power cable!
• If the computer is “Off” do not turn it on.
• Disconnect all remote access to the system (e.g., LAN cables, modem cables etc.). Be sure to tag and label all cables and connectors.
• Physically examine the system (i.e., remove covers and photograph).
• Document model and serial numbers of the system and its components.
• Inventory all peripherals (PDAs, printers, scanners, WAPs, fax machines etc.).
• Search the scene for secondary storage media (USB drives, devices, diskettes, tapes etc.).
• Make detailed notes!!

Step 4: Interviews
• Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.
• Passwords. Any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)
• Determine the “purpose” of the system.
  – Any unique security schemes or destructive devices.
  – Any offsite data storage.
  – Any documentation explaining the hardware or software installed on the system.
Step 5: Evidence Collection
• Non-electronic Evidence
  – Proper care must be taken to ensure all evidence is properly recovered and preserved
  – Do not overlook paper/document evidence
  – All pertinent non-electronic evidence should be identified, secured, and preserved.

Step 5: Evidence Collection
• Electronic Evidence
  – System
    • Stand-alone computers
    • Laptops
    • PDAs
    • Cell phones
  – Media
    • Hard drives
    • Diskettes
    • Memory cards

Step 5: Evidence Collection: Electronic
• Ensure that the suspect media is “locked” (read only) to prevent contamination
• Document all steps.

Step 6: Seizures
• Types
  – System/Laptop
  – Media only
• Procedures
  – Properly inventory the system & peripherals
  – Disconnect all peripherals
  – Label all cables
  – In the case of multiple systems, label and code each system
  – Place all magnetic media in antistatic packaging
  – Properly label all containers used to hold the evidence
  – Leave a “blank” or forensic boot disk in the diskette or CD-ROM drive
  – In the case of media only, be properly grounded prior to removing the media (i.e., the use of a grounding wrist device is recommended).
  – In the case of media only, record make, model, serial #, and stenciled drive geometry

Step 6: Seizures
• Transportation and Storage
  – Keep electronic evidence away from magnetic sources (e.g., radio transmitters, speaker magnets and heated seats)
  – Protect evidence from extremes in temperature
  – Use proper anti-shock packing material in all containers (i.e., bubble wrap, Styrofoam etc.)
  – Maintain the chain of custody on all evidence transported.
  – Warning: prolonged storage can result in alteration of system evidence (dates, times etc.) as batteries have a limited life span.
  – Store all seized evidence in a properly secured storage area (e.g., locked cabinet, restricted-access lab, etc.)

Forensic Field Kits
• Documentation Tools
  – Cable tags.
  – Indelible felt-tip markers.
  – Stick-on labels.
Forensic Field Kits
• Disassembly and Removal Tools
  – A variety of nonmagnetic sizes and types of:
    – Flat-blade and Phillips-type screwdrivers.
    – Anti-static straps.
    – Hex-nut drivers.
    – Needle-nose pliers.
    – Secure-bit drivers.
    – Small tweezers.
    – Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).
    – Standard pliers.
    – Star-type nut drivers.
    – Wire cutters.

Forensic Field Kits
• Package and Transport Supplies
  – Antistatic bags.
  – Antistatic bubble wrap.
  – Cable ties.
  – Evidence bags.
  – Evidence tape.
  – Packing materials (avoid materials that can produce static electricity such as Styrofoam or Styrofoam peanuts).
  – Packing tape.
  – Sturdy boxes of various sizes.

Forensic Field Kits
• Items that also should be included within a kit are:
  – Rubber gloves****
  – Hand truck.
  – Large rubber bands.
  – List of contact telephone numbers for assistance.
  – Magnifying glass.
  – Printer paper.
  – Seizure disk.
  – Small flashlight.
  – Unused floppy diskettes (3.5 and 5.25 inch).
  – Blank & zeroed hard drives

Summary
• Due to the fragile nature of digital evidence, proper procedures need to be adhered to in order to ensure the integrity and admissibility of the evidence.
• The collection of digital evidence must adhere to the 5 rules of evidence.
• The G8 has developed a set of common principles for digital evidence that are international in scope.
• Controlling the scene, the system, and the media is extremely important.
• The use of SOPs greatly enhances the likelihood that mistakes will not be made.
• Maintaining the chain of custody is crucial.
• Document everything; replicability is crucial!

LAB 3 Search & Seizure: Guidelines and Procedures

Lab
• Practical Exercise
• Search and Seizure
  – Teams of 3 people
  – Designate an Evidence Person
  – Conduct a field seizure following the guidelines discussed
  – Complete and hand in a brief field report with the names of all the team members listed on the report.
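As an added example for the lab (not code from the original slides), the following Python ties together the definition of a duplicate/backup, the hearsay requirement to prove no one changed the data, and the chain-of-custody questions: it images a constructed device file, verifies the duplicate by size and SHA-256, and records who did what, when and where. The case id, examiner names and locations are assumed sample values.

```python
# Added example, not from the original slides: make a bit-for-bit duplicate of
# a constructed "evidence device" file, prove it reproduces the original (same
# size, same SHA-256 as recorded at acquisition) and log each step for the chain
# of custody. Case id, examiner names and locations are hypothetical values.
import hashlib
import os
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # hash/copy in 1 MiB blocks so a large image never sits in RAM

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(src, dst):
    """Copy src to dst byte for byte; the original is only ever opened read-only."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)      # hash the original as it is read, once
            fout.write(block)
    return h.hexdigest()

def verify_duplicate(src, dst, acquisition_hash):
    """Same length and the hash recorded at acquisition time must still hold."""
    return (os.path.getsize(src) == os.path.getsize(dst)
            and sha256_file(dst) == acquisition_hash)

def log_custody(log, case_id, item, action, who, where, digest):
    """One record answering who / what / when / where, tied to a hash."""
    log.append({"case": case_id, "item": item, "action": action, "by": who,
                "where": where, "sha256": digest,
                "utc": datetime.now(timezone.utc).isoformat()})

def run_acquisition(device_bytes, tamper=False):
    """Image a constructed device; tamper=True flips one byte of the image afterwards."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "hdd0.raw"), os.path.join(d, "hdd0.img")
        with open(src, "wb") as f: f.write(device_bytes)   # constructed "device"
        log, digest = [], acquire_image(src, dst)
        log_custody(log, "CASE-0001", "hdd0", "imaged", "Examiner A", "scene", digest)
        if tamper:
            with open(dst, "r+b") as f:
                first = f.read(1); f.seek(0); f.write(bytes([first[0] ^ 0xFF]))
        ok = verify_duplicate(src, dst, digest)   # re-verification catches any change
        log_custody(log, "CASE-0001", "hdd0", "verified" if ok else "MISMATCH",
                    "Examiner B", "lab", sha256_file(dst))
        return ok, log
```

The log entries record the same hash at acquisition and at verification for an intact image; a single altered byte produces a different hash and a MISMATCH entry, which is the point of hashing at seizure time rather than later.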