Forensics Walk-Through Flashcards

1
Q

First Steps for any Incident:

A
  • Consider photographs of the scene
  • Ordinary forensic issues: CCTV, fingerprints
  • Locate all physical articles and place them in sealed bags
  • Identify any witnesses to the events
  • If a computer is switched on, it should not be immediately switched off (volatile data such as RAM contents would be lost)
  • If a computer is switched off, it should not be switched on (booting writes to the disk and alters timestamps)
2
Q

Four Stages of Investigation:

A

1) Collection
2) Examination
3) Analysis
4) Report & Statement

3
Q

Mirror Image Copying Process:

A

1) Use a write-blocking device between the evidential disk and the imaging system
2) Use cryptographic hash functions and checksums to ensure integrity: hash the source during acquisition, hash the image afterwards, and compare
3) Record the hash values (and any digital signatures) with the image so they can be verified later
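The three steps above as a worked example. This is an added illustration, not code from the original page: it images a source file in one pass while hashing it, re-reads the image independently, writes sha256sum/md5sum-style sidecar files, and shows that a single flipped bit in the image is caught on re-verification. The "device" is a constructed temporary file standing in for a block device node; the write blocker is assumed to be in place in hardware, nothing here enforces it.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-terabyte sources are never loaded whole


def image_and_hash(source, dest, algorithms=("md5", "sha256")):
    """Bit-for-bit copy of `source` into `dest`, hashing the source in the same pass.

    Returns {algorithm: hexdigest} over every byte read from `source`. Hashing
    during acquisition means the source is read exactly once; each extra pass
    over a failing drive is another chance to lose it. `source` is assumed to
    sit behind a hardware write blocker: this function does not enforce that.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the medium
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    """Independent re-read of a file (or device node); used to verify the image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_sidecar(dest, hashes):
    """Record the acquisition hashes beside the image in sha256sum/md5sum format
    so they can be re-verified later with standard tools."""
    for name, digest in hashes.items():
        with open(f"{dest}.{name}", "w") as f:
            f.write(f"{digest}  {os.path.basename(dest)}\n")


def acquire(source, dest):
    """Image, then re-hash the image and compare with the source hashes.

    Returns (verified, hashes). A mismatch means the copy is not a mirror image
    and must not be used as evidence.
    """
    hashes = image_and_hash(source, dest)
    write_sidecar(dest, hashes)
    return hash_file(dest) == hashes, hashes


def demo():
    """Constructed exhibit: a temp file standing in for /dev/sdb. Not real evidence."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "sdb"), os.path.join(d, "sdb.dd")
        data = os.urandom(3 * CHUNK + 12345)  # deliberately not a multiple of CHUNK
        with open(src, "wb") as f:
            f.write(data)
        verified, hashes = acquire(src, img)
        independent = hashes["sha256"] == hashlib.sha256(data).hexdigest()
        # Later: flip one bit in the image and re-check against the recorded hash.
        with open(img, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        still_matches = hash_file(img) == hashes
        return verified, independent, still_matches


if __name__ == "__main__":
    print(demo())
```

Two hashes are recorded because a later challenge to one algorithm (as happened with MD5 collisions) does not then invalidate the record; the sidecar files can be checked in court years later with `sha256sum -c`.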

4
Q

Creating mirror images may require a large selection of specialised devices and equipment…

A
  • Different connectors and interface specifications need matching adapters or imagers
  • e.g. Tableau TD2U Duplicator/Imager
  • Such devices are required for each storage interface; the recent proliferation of standards has made a complete kit substantially more expensive
  • Some devices may also be protected (e.g. self-encrypting drives), so a raw image is not necessarily readable
5
Q

Forensic Image Tools:

A
  • Built-in imaging capabilities
  • Ability to recover previously deleted files/folders
  • Ability to recover deleted material in space that is not currently allocated to a file
  • Searching through and/or carving files from unallocated space
  • Keyword searches over storage images
  • Sorting files by any property
  • Bookmarking files for subsequent investigation steps
  • Extracting files from images, documenting the provenance and process
  • Creating reports according to approved templates
  • Mounting files such as compressed archives, Microsoft Windows Registry or other database formats
  • Examination of proprietary email files
  • Internet access history analysis including temporary Internet files, cookies, history, favourites
  • Password recovery
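Two of the capabilities listed above, carving files from unallocated space and keyword searching over an image, are small enough to show working. The following is an added example written for this page, not code from any of the tools it mentions: header/footer signature carving for JPEG and PNG, and a keyword search that also finds UTF-16LE strings (the encoding Windows uses for registry values and many document formats), run over a constructed blob of "unallocated space". The signatures, offsets and keyword are all constructed sample data.

```python
# (name, header, footer, maximum plausible length) for header/footer carving
SIGNATURES = [
    ("jpg", b"\xFF\xD8\xFF", b"\xFF\xD9", 10 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82", 10 * 1024 * 1024),
]


def carve(data, signatures=SIGNATURES):
    """Signature-based carving over raw bytes (e.g. unallocated clusters).

    Returns [(kind, start_offset, payload)]. No filesystem metadata is used
    because for unallocated space there is none: find each header, then the
    first matching footer within max_len, and cut the file out. A header with
    no footer in range is a partially overwritten file and is skipped.
    """
    found = []
    for kind, header, footer, max_len in signatures:
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_len)
            if end < 0:
                pos = start + 1  # no footer: truncated/overwritten, keep scanning
                continue
            end += len(footer)
            found.append((kind, start, data[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def keyword_search(data, keywords, context=16):
    """Case-insensitive keyword hits with offsets, in ASCII and UTF-16LE.

    Returns [(keyword, encoding, offset, surrounding_bytes)]. Searching only
    ASCII misses strings Windows stored as UTF-16LE ("i\\x00n\\x00v\\x00...").
    """
    hits = []
    lower = data.lower()  # only ASCII letters are folded, which is what we need here
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = 0
            while True:
                i = lower.find(needle, pos)
                if i < 0:
                    break
                hits.append((kw, enc, i, data[max(0, i - context): i + len(needle) + context]))
                pos = i + 1
    return sorted(hits, key=lambda h: h[2])


def build_sample_unallocated():
    """Constructed sample of 'unallocated space': zero filler, a minimal JPEG,
    a filename in ASCII, a minimal PNG and a UTF-16LE keyword. Not real evidence."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"JFIF-minimal-body" + b"\xFF\xD9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82")
    return (b"\x00" * 4096 + jpeg + b"\x00" * 1000 + b"Invoice_2023.pdf" + b"\x00" * 500
            + png + b"\x00" * 300 + "invoice".encode("utf-16-le") + b"\x00" * 256)


def demo():
    blob = build_sample_unallocated()
    files = [(kind, off, len(payload)) for kind, off, payload in carve(blob)]
    hits = [(kw, enc, off) for kw, enc, off, _ in keyword_search(blob, ["invoice"])]
    return files, hits


if __name__ == "__main__":
    print(demo())
```

Production carvers (Scalpel, foremost, PhotoRec, the carving modules in EnCase/FTK/Autopsy) add format validation and fragment reassembly on top of this, but the core idea is the same: the content is still on the disk after the directory entry is gone.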
6
Q

Problems in Evidence Collection:

A
  • Losing RAM contents (volatile data) when the machine is powered off
  • Deleting evidential files
  • Accidentally writing to the evidential disk
  • Installing diagnostic software on the evidential disk
  • Changes to date & time stamps (even just opening a file can update its access time)
  • Re-location of evidential files & directories
  • Creation of files & directories
  • Recovering deleted files directly onto the evidential disk, overwriting other unallocated data
  • Executing native software or applications, batch files or macros on the evidential disk
7
Q

Maintaining Continuity of Evidence:

A

Ensuring evidence remains admissible.
• Everything in Court must be proved
• Every part of the structure of a disk is evidence
• If tampered with, or accessed except under provable circumstances that do not affect content, its integrity as evidence is lost

8
Q

Active (live) systems present a number of challenges and opportunities…

A

Both a potentially rich source of additional evidence (running processes, open network connections, decrypted data held only in memory) and a risk of losing data, particularly to counter-forensic techniques that trigger when the system is touched or shut down

9
Q

Copying Volatile Memory Contents Challenge Solutions:

A
  • Virtual Machine snapshots (the hypervisor writes guest memory to disk without touching the guest)
  • Hardware debuggers and in-circuit emulators
  • Exploiting hibernation mode or equivalent (memory is written to disk on hibernate)
  • Exploiting crash dumps
10
Q

Key Factors Contributing to Fragility of Digital Evidence and Difficulties in Accessing:

A
  • Data is easily changed
  • Data can be disguised or concealed
  • Encryption
  • Data destruction: overwriting
  • Data can be misinterpreted or unintelligible
  • Clocks: system clocks may drift, be set to the wrong time zone or be deliberately altered, so timestamps must be correlated against a reference clock
11
Q

Strict Procedures Followed For Storage Media:

A

• Static electricity must be discharged
• The host system must be switched off
• Computer and configuration must be photographed
• Manufacturer, model & serial numbers noted
• Covers must be removed
• Internal configuration of the system must be photographed
• Storage devices can now be removed from the enclosure
• Device must also itself be photographed
• Manufacturer and other data of device noted
• Any configuration items noted
• Device placed in anti-static bag
• Anti-static bag placed in envelope and sealed with tape
• Each aperture of the envelope signed and dated
• Witness must sign and date apertures
• Envelope stored in safe together with a record entry to the safe

12
Q

Examination Phase:

A
  • A technical review conducted under (reproducible) laboratory conditions
  • Critical goal is data reduction due to the potential volume of data on modern systems
13
Q

Examination Phase must include…

A

System timestamps (clock), registry files, input/output access files, swap files, slack space, and the other places where evidence accumulates, e.g. the internet/web cache
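The "clocks" factor from card 10 and the "system timestamps (clock)" item above come together when building a timeline from several sources. The following is an added example, not from the original page: it converts a Windows FILETIME (NTFS $MFT, registry), a Unix epoch value (syslog) and a naive local time string from a device with no zone information (a CCTV recorder) to UTC, then applies a clock skew measured at seizure. The events, the offsets and the 5-minute skew are constructed sample data; the point is that the event order changes once the skew is applied.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH_DIFF = 116444736000000000  # 100 ns ticks between 1601-01-01 and 1970-01-01


def filetime_to_utc(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (NTFS $MFT, registry key times)."""
    return datetime(1970, 1, 1, tzinfo=UTC) + timedelta(microseconds=(ft - FILETIME_EPOCH_DIFF) // 10)


def unix_to_utc(ts):
    """Unix epoch seconds (syslog, ext4 inode times)."""
    return datetime.fromtimestamp(ts, tz=UTC)


def local_to_utc(text, utc_offset_hours):
    """Naive local time string from a device that records no zone information
    (a CCTV recorder, a FAT filesystem), given the offset that device was set to."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(UTC)


def build_timeline(events, skew):
    """events: [(source, description, utc datetime)].
    skew: {source: timedelta} where skew = (that source's clock) - (reference clock),
    measured at seizure. Real time = recorded time - skew.
    Returns the events sorted by corrected time."""
    corrected = [(t - skew.get(src, timedelta(0)), src, desc) for src, desc, t in events]
    return sorted(corrected)


def demo():
    """Constructed sample events, not real case data."""
    events = [
        ("suspect-pc", "document created ($STANDARD_INFORMATION)",
         filetime_to_utc(133233483000000000)),        # recorded as 2023-03-15 10:05:00 UTC
        ("file-server", "ssh login from suspect-pc",
         unix_to_utc(1678874460)),                     # 2023-03-15 10:01:00 UTC
        ("cctv", "suspect enters office",
         local_to_utc("2023-03-15 11:03:30", +1)),     # recorder was set to UTC+1
    ]
    # At seizure the suspect PC's clock read 5 minutes ahead of the reference clock.
    skew = {"suspect-pc": timedelta(minutes=5)}
    naive_order = [src for _, src, _ in build_timeline(events, {})]
    corrected = [(t.strftime("%H:%M:%S"), src) for t, src, _ in build_timeline(events, skew)]
    return naive_order, corrected


if __name__ == "__main__":
    print(demo())
```

Without the correction the document appears to have been created after the login and after the suspect walked in; with it, the document predates both. The skew must itself be documented (how and when it was measured, against what reference), since the whole timeline rests on it.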

14
Q

Analysis Phase - Actus Reus:

A

The guilty act: what is there, or what has been done?

15
Q

Analysis Phase - Mens Rea:

A

The guilty mind, or intent: was it deliberate?

16
Q

Analysis Phase - Must Document:

A
  • Date and time of all investigation events
  • All methods used
  • All software or other tools used
  • Any expert re-construction of events
  • Continuity of Evidence
  • Tools used to maintain the documentation
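Card 7 (continuity of evidence) and the documentation list above both come down to the same requirement: every event in the life of an exhibit is recorded, with date, time, actor, tool and the evidence hash, in a form that cannot be quietly edited afterwards. The following is an added example written for this page, not a description of any real case-management product: an append-only log where each entry commits to the hash of the previous one, so that deleting, reordering or editing a record breaks verification from that point on, and where the recorded evidence hash is checked for consistency across entries. The exhibit, actors and hashes are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class CustodyLog:
    """Hash-chained, append-only record of everything done to one exhibit."""

    def __init__(self, exhibit_id):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, actor, action, tool=None, evidence_hash=None, when=None):
        """Append one event. Returns the new entry's hash (the value a witness
        would countersign). `when` defaults to now in UTC."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "exhibit": self.exhibit_id,
            "seq": len(self.entries),
            "time_utc": when.isoformat(),
            "actor": actor,
            "action": action,
            "tool": tool,
            "evidence_hash": evidence_hash,  # hash of the image, when one exists
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _digest(entry):
        """SHA-256 over the canonical JSON of every field except entry_hash."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return (ok, first_bad_seq). Checks sequence numbers, chain links and
        each entry's own hash, and that the evidence hash never changes between
        entries that carry one (a changed hash means the exhibit changed)."""
        prev, last_evidence = GENESIS, None
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False, i
            if e["evidence_hash"] is not None:
                if last_evidence is not None and e["evidence_hash"] != last_evidence:
                    return False, i
                last_evidence = e["evidence_hash"]
            prev = e["entry_hash"]
        return True, None


def demo():
    """Constructed custody history for a hypothetical exhibit EX-001."""
    t0 = datetime(2023, 3, 15, 9, 0, tzinfo=timezone.utc)
    image_hash = "ab" * 32  # constructed SHA-256 of the disk image
    log = CustodyLog("EX-001")
    log.record("DC Smith", "seized laptop, bagged and sealed", when=t0)
    log.record("Examiner A", "imaged via write blocker", tool="Tableau TD2U",
               evidence_hash=image_hash, when=t0 + timedelta(hours=2))
    log.record("Examiner B", "opened image read-only for examination", tool="Autopsy",
               evidence_hash=image_hash, when=t0 + timedelta(days=1))
    intact = log.verify()

    # Someone silently edits a past entry: detected at that sequence number.
    original = log.entries[1]["action"]
    log.entries[1]["action"] = "imaged without write blocker"
    tampered = log.verify()
    log.entries[1]["action"] = original

    # A later entry reports a different image hash: the exhibit is no longer the same.
    log.record("Examiner B", "re-hashed image", tool="sha256sum",
               evidence_hash="cd" * 32, when=t0 + timedelta(days=2))
    mismatch = log.verify()
    return intact, tampered, mismatch


if __name__ == "__main__":
    print(demo())
```

The chain shows that the log itself was not altered; it does not by itself prove who made an entry. In practice the entry hashes are countersigned (the witness signatures on the envelope apertures in card 11 serve the same purpose for the physical exhibit) and the log is stored separately from the examiner who writes to it.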