Introduction to Computer Forensics

Search & Seizures “Electronic Data Recovery/Bag & Tag”
•   Definitions
•   Rules of Evidence
•   DFS seizure standards
•   Procedures
    – Field examinations
    – Disk Seizures
    – System Seizures
• Forensic Tool Kits
• Practical exercise
       Learning Objectives

• At the end of this module you will be able to:
   – Describe the importance of managing and handling
     evidence correctly;
   – Compare and contrast standards related to seizing
     computer systems, media etc.;
   – Discuss the importance of managing the “crime scene”;
   – Demonstrate applied knowledge of procedures and

• Digital Evidence
  Information stored or transmitted in binary form that may
  be relied upon in court.
• Original Digital Evidence
  Physical items and those data objects, which are
  associated with those items at the time of seizure.
• Duplicate Digital Evidence
  A duplicate is an accurate digital reproduction of all data
  objects contained on the original physical item.
• Backup – A copy bit by bit

• Chain of Custody
  A means of accountability, that shows who obtained the
  evidence, where and when the evidence was obtained,
  who secured the evidence, who had control or
  possession of the evidence.
• Rules of Evidence
  Evidence must be competent, relevant, and material to
  the issue.
    Forensic Principles

“Rules of Evidence: A Quick Review”
       5 Rules of Evidence

• Admissible
  – Must be able to be used in court or elsewhere
• Authentic
  – Evidence relates to incident in relevant way
• Complete (no tunnel vision)
  – Exculpatory evidence for alternative suspects
• Reliable
  – No question about authenticity & veracity
• Believable
  – Clear, easy to understand, and believable by a jury
       Evidence Life Cycle

•   Collection & identification
•   Storage, preservation, and transportation
•   Presentation
•   Return to production, owner, or court
       Categories of Evidence

• Admissibility of evidence based on factual
   – Varies for different types of evidence
• Best evidence
   – Primary evidence used in trial
   – Usually documentation falls into this category
• Secondary evidence
   – Not viewed as reliable & strong in proving
     innocence or guilt
   – Oral evidence
       Categories of Evidence

• Direct evidence
   – Proves a fact all by itself
   – Eye witness testimony
• Conclusive evidence
   – Irrefutable and cannot be contradicted
• Circumstantial evidence
   – Proves an intermediate fact that can be used to
     deduce or assume the existence of another fact
       Categories of Evidence

• Corroborative evidence
  – Supporting evidence used to help prove an idea or
• Opinion evidence
  – Pertains to witness testimony
  – Witness must testify to only the facts of the issue and
    not their opinion of the facts
      Hearsay Evidence

• Hearsay Evidence
  – Oral or written evidence that is second hand and that
    has no firsthand proof of accuracy or reliability
  – Statements spoken, written or otherwise uttered by a
    person outside of court, when the out of court statement
    is used to try to prove the facts asserted in the
  – Generally written documents are considered to be
    hearsay if they are to be admitted into evidence to
    prove the truth of the facts alleged in the document.
       Hearsay Evidence

• In certain instances computer records fall outside
  of the hearsay rule
   – Information relates to regular business activities
   – Automatically computer generated data
       • No human intervention
       • Prove system was operating correctly
       • Prove no one changed the data
       Chain of Custody

• Protects integrity of the evidence
• Effective process of documenting the complete
  journey of the evidence during the life of the case
• Allows you to answer the following questions:
   – Who collected it?
   – How & where?
   – Who took possession of it?
   – How was it stored & protected in storage?
   – Who took it out of storage & why?
   – For the exam
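The definitions earlier in the deck (a duplicate as an accurate bit-for-bit reproduction of the original; chain of custody as the record of who obtained, held and secured the evidence, where and when) and the hearsay-exception requirement to prove that no one changed the data can all be checked mechanically. The Python script below is an added example, not part of the original slides: it verifies a duplicate against the original by length and SHA-256 hash, and keeps a custody log in which every entry commits to the hash of the previous entry, so a later edit to any entry (or a change in the evidence hash between hand-offs) is detected. The officer names, timestamps, locations and evidence bytes are constructed for illustration.

```python
"""Added example: duplicate verification and a tamper-evident chain-of-custody log."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used both for evidence and for log entries."""
    return hashlib.sha256(data).hexdigest()


def bit_for_bit_copy(original: bytes) -> bytes:
    """Stand-in for imaging: reproduce every byte of the original, nothing more, nothing less."""
    return bytes(bytearray(original))


def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """A duplicate counts as an accurate reproduction only if length and hash both match."""
    return len(original) == len(duplicate) and sha256_hex(original) == sha256_hex(duplicate)


@dataclass
class CustodyEntry:
    seq: int              # 1-based position in the log
    when: str             # timestamp of the action (constructed ISO-8601 values below)
    who: str              # person taking possession of or acting on the evidence
    action: str           # e.g. collected, transported, stored, checked out
    where: str            # location of the action
    evidence_hash: str    # hash of the evidence at the time of the action
    prev_hash: str        # entry_hash of the preceding entry ("" for the first)
    entry_hash: str = ""  # hash over all fields above; filled in when recorded


def _entry_digest(entry: CustodyEntry) -> str:
    """Canonical hash of an entry's content, excluding its own entry_hash field."""
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only custody log in which each entry commits to the previous one."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, when: str, who: str, action: str, where: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(len(self.entries) + 1, when, who, action, where,
                             sha256_hex(evidence), prev)
        entry.entry_hash = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def first_broken_entry(self) -> Optional[int]:
        """None if every entry is intact and correctly linked, else the seq of the first bad one."""
        prev = ""
        for entry in self.entries:
            if entry.prev_hash != prev or entry.entry_hash != _entry_digest(entry):
                return entry.seq
            prev = entry.entry_hash
        return None

    def evidence_unchanged(self) -> bool:
        """True if the evidence hashed identically at every recorded hand-off."""
        return len({e.evidence_hash for e in self.entries}) <= 1


def demo() -> Dict[str, object]:
    # Constructed stand-in for a seized disk image (1 KiB of known bytes).
    original = bytes(range(256)) * 4
    duplicate = bit_for_bit_copy(original)
    damaged_buf = bytearray(duplicate)
    damaged_buf[10] ^= 0xFF  # one flipped byte: same length, different content
    damaged = bytes(damaged_buf)

    log = CustodyLog()
    log.record("2024-01-15T09:12:00Z", "Officer A (PE)", "collected", "Scene, room 2", original)
    log.record("2024-01-15T11:40:00Z", "Officer B", "transported", "Evidence vehicle 7", original)
    log.record("2024-01-15T13:05:00Z", "Officer C", "stored", "Locked cabinet L-4", original)
    intact_before = log.first_broken_entry()

    # Simulated after-the-fact edit of who transported the evidence.
    log.entries[1].who = "Officer X"
    broken_at = log.first_broken_entry()

    return {
        "duplicate_ok": verify_duplicate(original, duplicate),
        "damaged_ok": verify_duplicate(original, damaged),
        "log_intact_before_edit": intact_before is None,
        "first_broken_entry_after_edit": broken_at,
        "evidence_unchanged": log.evidence_unchanged(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Recomputing the edited entry's own hash would not help a tamperer either: the next entry's prev_hash would then no longer match, so first_broken_entry() would report that entry instead. In practice the evidence hash is taken once at seizure and re-taken at every hand-off and before analysis, and the log is kept somewhere the custodians cannot silently rewrite.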
     Forensic Principles
“Are We There Yet?”
       Forensic Principles

• Digital/Electronic evidence is extremely volatile!
• Once the evidence is contaminated it cannot be
• The courts acceptance is based on the best
  evidence principle
   – With computer data, printouts or other output
     readable by sight, and bit stream copies adhere
     to this principle.
        Forensic Principles

•   The IOCE International Principles are governed by the
    following attributes:
         1. Consistency with all legal systems;
         2. Allowance for the use of a common language;
         4. Ability to cross international boundaries;
         5. Ability to instill confidence in the integrity of the
         6. Applicability to all forensic evidence; and
         7. Applicability at every level, including that of individual,
            agency, and country
       Forensic Principles

•   The 6 Principles are:
      1. When dealing with digital evidence, all of the general forensic
         and procedural principles must be applied.
      2. Upon seizing digital evidence, actions taken should not
         change that evidence.
      3. When it is necessary for a person to access original digital
         evidence, that person should be trained for the purpose.
      4. All activity relating to the seizure, access, storage or transfer
         of digital evidence must be fully documented, preserved and
         available for review.
      5. An Individual is responsible for all actions taken with respect
         to digital evidence whilst the digital evidence is in their
      6. Any agency, which is responsible for seizing, accessing,
         storing or transferring digital evidence is responsible for
         compliance with these principles.
        Forensic Principles

• G8 proposed Principles
• International Organization on Computer Evidence (IOCE)
   – In March 1998, IOCE was appointed to draw
     international principles for the procedures relating to
     digital evidence, to ensure the harmonization of methods
     and practices among nations and guarantee the ability to
     use digital evidence collected by one state in the courts
     of another state.
Electronic Data Discovery
       Electronic Data Discovery

• Electronic discovery refers to the discovery of
  electronic documents and data.
• Electronic documents include:
   – e-mail, web pages, word processing files, computer
     databases, and virtually anything that is stored on a
• Technically, documents and data are
  “electronic” if they exist in a medium that can
  only be read through the use of computers.
   – often distinguished from “paper discovery,” which
     refers to the discovery of writings on paper that can
     be read without the aid of some devices.
“Bagging & Tagging”
           General Evidence Dos & Don’ts

1. Minimize Handling/Corruption of Original Data
2. Account for Any Changes and Keep Detailed Logs of Your Actions
3. Comply with the Five Rules of Evidence
4. Do Not Exceed Your Knowledge
5. Follow Your Local Security Policy and Obtain Written Permission
6. Capture as Accurate an Image of the System as Possible
7. Be Prepared to Testify
8. Ensure Your Actions are Repeatable
9. Work Fast
10. Proceed From Volatile to Persistent Evidence
11. Don't Run Any Programs on the Affected System
12. Document Document Document!!!!
•   Source: AusCERT 2003 (
         Step 1: Planning for the Search &

• Responders should determine:
   –   The type of case (e.g., child porn, IP Theft etc.)
   –   The type of computer(s) involved;
   –   The operating system(s) used; and
   –   Level of technical savvy of the end user.
• A Primary Evidence (PE) person should be
  appointed. The PE is responsible for preparing a
  detailed plan for documenting, preserving, and
  maintaining the integrity of all seized evidence
  (digital and paper).
       Step 2: Securing and Evaluating the

• Control the scene
   – Allow only authorized persons access
   – Record the names of all individuals present during
     the search
• Confirm when the system was last accessed
   – Establish a chronology of access to the media
• Photograph or video tape the entire scene including
  the contents on the monitor.
        Step 3: Securing the System

• If the system is “On” do not perform a controlled shut down.
  Pull the power cable!
• If the computer is “Off” do not turn it on.
• Disconnect all remote access to the system (e.g., LAN
  cables, Modem cables etc.). Be sure to tag and label all
  cables and connectors.
• Physically examine the system (i.e., remove covers and
• Document model and serial numbers of the system and its
• Inventory all peripherals (PDAs, Printers, Scanners, WAPs,
  Fax machines etc.).
• Search scene for secondary storage media (USB drives,
  devices, diskettes, tapes etc.)
• Make detailed notes!!
         Step 4: Interviews

• Separate and identify all persons (witnesses, subjects, or
  others) at the scene and record their location at time of entry.

• Passwords. Any passwords required to access the system,
  software, or data. (An individual may have multiple
  passwords, e.g., BIOS, system login, network or ISP,
  application files, encryption pass phrase, e-mail, access
  token, scheduler, or contact list.)

• Determine the “Purpose” of the system.
   – Any unique security schemes or destructive devices.
   – Any offsite data storage.
   – Any documentation explaining the hardware or software
     installed on the system.
     Step 5: Evidence Collection

• Non-electronic Evidence
  – Proper care must be taken to ensure all
    evidence is properly recovered and preserved
  – Do not overlook paper/document evidence
  – All pertinent non-electronic evidence should be
    identified, secured, and preserved.
        Step 5: Evidence Collection

• Electronic Evidence
   – System
      • Stand alone computers
      • Laptops
      • PDA
      • Cell Phones
   – Media
      • Hard Drives
      • Diskettes
      • Memory cards
     Step 5: Evidence Collection:

• Ensure that the suspect media is “locked”
  (read only) to prevent contamination
• Document all steps.
         Step 6: Seizures
•   Types
    – System/Laptop
    – Media Only
•   Procedures
    – Properly inventory the system & peripherals
    – Disconnect all peripherals
    – Label all cables
    – In the case of multiple systems label and code each system
    – Place all magnetic media in antistatic packaging
    – Properly label all containers used to hold the evidence
    – Leave a “blank” or forensic boot disk in the diskette or CD-ROM
    – In the case of media only, be properly grounded prior to
      removing the media (i.e., the use of a grounding wrist device is
    – In the case of media only, record make, model, ser #, and stenciled
      drive geometry
        Step 6: Seizures

• Transportation and Storage
   – Keep electronic evidence away from magnetic sources (e.g.,
     radio transmitters, speaker magnets and heated seats)
   – Protect evidence from extremes in temperature
   – Use proper anti-shock packing material in all containers (i.e.,
     bubble wrap, Styrofoam etc.)
   – Maintain the chain of custody on all evidence transported.
   – Warning prolonged storage can result in alteration of system
     evidence (dates, times etc.) as batteries have a limited life
   – Store all seized evidence in a properly secured storage area
     (e.g., locked cabinet, restricted access lab, etc.)
            Forensic Field kits

•   Documentation Tools
     –   Cable tags.
     –   Indelible felt tip markers.
     –   Stick-on labels.

•   Disassembly and Removal Tools
     –   A variety of nonmagnetic sizes and types of:
     –   Flat-blade and Phillips-type screwdrivers.
     –   Anti-static Straps
     –   Hex-nut drivers.
     –   Needle-nose pliers.
     –   Secure-bit drivers.
     –   Small tweezers.
     –   Specialized screwdrivers (manufacturer-specific, e.g., Compaq,
         Macintosh).
     –   Standard pliers.
     –   Star-type nut drivers.
     –   Wire cutters.
         Forensic Field kits

Package and Transport Supplies
   –   Antistatic bags.
   –   Antistatic bubble wrap.
   –   Cable ties.
   –   Evidence bags.
   –   Evidence tape.
   –   Packing materials (avoid materials that can produce static
       electricity such as Styrofoam or Styrofoam peanuts).
   –   Packing tape.
   –   Sturdy boxes of various sizes.
         Forensic Field kits

• Items that also should be included within a kit are:
   –   Rubber Gloves****
   –   Hand truck.
   –   Large rubber bands.
   –   List of contact telephone numbers for assistance.
   –   Magnifying glass.
   –   Printer paper.
   –   Seizure disk.
   –   Small flashlight.
   –   Unused floppy diskettes (3.5 and 5.25 inch).
   –   Blank & Zeroed Hard Drives
• Due to the fragile nature of digital evidence, proper procedures
  need to be adhered to in order to ensure the integrity and
  admissibility of the evidence.
• The collection of digital evidence must adhere to the 5 rules of
• The G8 has developed a set of common principles for digital
  evidence that are international in scope.
• Controlling the scene, the system, and the media, are extremely
• The use of SOPs greatly enhances the likelihood that mistakes
  will not be made.
• Maintaining the chain of evidence is crucial.
• Document everything, replicability is crucial!
                  LAB 3

Search & Seizure: Guidelines and

• Practical Exercise
• Search and Seizure
  – teams of 3 people
  – Designate an Evidence Person
  – Conduct a field seizure following the guidelines
  – Complete and hand in a brief field report with the
    names of all the team members listed on the report.