Ch17 - 17.02 - Collecting Digital Evidence Flashcards
Understanding the Process of Collecting Digital Evidence
- Seize the Evidence
- Acquire the Evidence (Data Acquisition)
- Verify the Evidence
- Analyze the Evidence
- Report on Findings
- Seize the Evidence
The first step to working with digital evidence is to seize the evidence. Evidence could exist on the hard drive of a desktop computer, server, laptop, or even a mobile device, so you may be responsible for collecting evidence from each of these electronic devices. Seizing the evidence means going to the location of the suspect’s electronic device containing the evidence, disconnecting the power from the electronic device, and taking the device back to your forensics lab. In a corporate case, this may involve waiting for a time after hours when the employee is not around and then taking the employee’s workstation. Or, depending on the nature of the violation, you may seize the electronic device immediately. When dealing with a public investigation, it is important that law enforcement obtain a search warrant for any items that need to be seized.
It is critical during the seizure of the evidence that you document the scene, including making your own notes, labeling the evidence, and taking pictures
- Acquire the Evidence (Data Acquisition)
Once the evidence has been seized, you can then acquire the evidence. Acquiring the evidence involves taking an image of the evidence so that you can do your investigation from a copy of the evidence and not from the original evidence. It is critical that you acquire a bit-level copy (raw sector-by-sector copy) of any drives on the suspect’s system by using forensically sound imaging software. Forensically sound imaging software is software that is designed for computer forensics and does not make any modifications to the source drive.
Acquire the Evidence (Data Acquisition) - Static vs. Live Images
Static Images:
When acquiring the image, you typically will take the drive out of the suspect’s system and then connect the drive to your forensics workstation. The forensics workstation is a system you set up with your forensics software and with no connection to the network or Internet.
Live Images
Although most times you will be dealing with static images, you may sometimes need to do a live acquisition. With static images, you are unable to capture the contents of memory because the power was removed from the system when it was seized. Before seizing the evidence, plan whether you need to do a live acquisition or a static acquisition. The benefit of the live acquisition is that you can obtain the contents of memory by placing a forensics CD into the system and running your imaging software and dumping the contents of memory to disk or across the network. The drawback of the live acquisition is that you are modifying the system when you run your software—you must verify ahead of time with the lead investigator that this is acceptable.
Performing a live acquisition allows you to perform two very important tasks:
1. Capture the contents of memory
2. Capture the contents of an encrypted drive
(so if you suspect that the drive is encrypted, you should do a live acquisition before pulling the power)
- Verify the Evidence
A big part of the forensics process is to validate the contents of the forensic image by running a hashing algorithm on the data to generate a hash value.
The concept here is that the hash value generated will be unique, based on the data in the evidence. If you ever need to prove that the copy of the drive you are working with is the same data as the original, you can compare the hash values.
Most forensics tools generate a hash value when the bitstream image is created, but you can use other tools such as MD5sum to calculate the hash value on data.
- Analyze the Evidence
After you have acquired the image of the suspect’s drive and generated the hash value, you are ready to start your forensics analysis. You should perform your analysis only on a copy of the evidence and never on the original evidence.
When performing your analysis, you will use forensics software to locate data on the drive, including deleted files. Depending on the nature of the case, you may wish to look through the suspect’s e-mail, Internet history, and deleted files to locate files of interest.
- File Filtering
- RAID Array
- Network Traffic and Logs
- Witness Interviews
- Big Data Analysis
- Report on Findings
During the analysis of the evidence, most forensics software allows you to bookmark items of interest and to have them added to a report that you can generate. It is critical as you are performing your investigation to also be planning the report on your findings by logging all of your steps and marking items of interest. The report should contain the following:
- Items of Interest
- Log of Actions Taken
- Result of the Investigation
When performing your investigation, it is critical to record all your activities and the time of each activity. Recording the time you start each action and how long it took is critical to the success of the investigation.
Record time offset is an important setting for the investigator to configure when performing an investigation. Configuring record time offset involves the investigator configuring the time zone in the forensics software to match the time zone of the suspect’s system so that all time stamp information in the evidence is accurate.
Where to Find Evidence
Know that you should collect data first from volatile areas (volatile meaning that information is not permanently stored there; timing is critical if you decide that the contents of memory may contain evidence) and then move to the nonvolatile areas. This is known as the order of volatility, and you should collect data in that order. The order of volatility is memory (RAM), swap file, hard disk, and then finally CD/DVD-ROM.
Metadata
Information about the file and how the file came into existence.