Computer Forensics: Incident Response Essentials

By Warren G. Kruse II and Jay G. Heiser

[NOTE: The following excerpt is reprinted by permission from Computer Forensics: Incident Response Essentials, Addison-Wesley Professional, © 2001. ISBN-10: 0201707195; ISBN-13: 978-0201707199]

Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures, and flexibility is expected and encouraged when encountering the unusual.

This is a good place to remind ourselves that we have to treat every case as if it will end up in court. Take a minute to think of the consequences; don’t start poking around a computer, decide that you have a problem, and then start handling it as evidence. It is easier to regard the computer as evidence from the start, easing up on the evidentiary process if you discover that a crime wasn’t committed. The opposite approach is more difficult, if not impossible.

The basic methodology consists of what you can think of as the three As:

 1. Acquire the evidence without altering or damaging the original.

 2. Authenticate that your recovered evidence is the same as the originally seized data.

 3. Analyze the data without modifying it.

Step 1: Acquire the Evidence

When it comes to computer forensics, the only thing you can be certain of is uncertainty. We often hear people say “I always do this” or “I always do that” but how can that kind of certainty be possible when there are so many unknowns?

The ideal way to examine a system and maintain the most defensible evidence is to freeze it and examine a copy of the original data.

Chain of Custody

While this topic should be second nature for readers experienced in law enforcement, it may be a new concept for others. The goal of carefully maintaining the chain of custody is not only to protect the integrity of your evidence, but also to make it difficult for the other side to successfully argue that the evidence was tampered with while it was in your custody. The chain of custody procedure is a simple yet effective process of documenting the complete journey of your evidence during the life of the case, including answers to the following questions:

• Who collected it?

• How and where?

• Who took possession of it?

• How was it stored and protected in storage?

• Who took it out of storage and why?

Anyone who has possession of the evidence, the time at which they took and returned possession, and why they were in possession of the evidence must be documented. Be assured that the other side will carefully review the records associated with evidence, cross-referencing it to other documents in an attempt to find discrepancies that can be used to weaken the case against his or her client.

Collection

Obviously, you want the evidence collection process to support your case. The complexity of the collection process usually corresponds to the complexity of an incident. When you collect evidence, try to collect everything you can legally get your hands on. This may seem like trivial advice now, but remember this tip when you’re in crisis mode in the early stages of an investigation. Once you leave that data center, there is usually no going back. The computer, backup tape, floppy disk, or scrap of paper that you initially thought was of no evidentiary value will probably be gone when you decide you have to return for additional evidence. This is especially true for log files.

Depending on the computer producing the logs, the data may be overwritten routinely in intervals ranging from a few minutes to a few months. If you are dealing with an Internet service provider (ISP), remember that they are not in the business of storing logs; act quickly or the logs will be long gone. A rule of thumb for most ISPs is 30 days, but because the cost of storing huge log files is high and the business benefit is low, they have little incentive to save huge amounts of data. If you are going to subpoena the logs from an ISP and you want to ensure that the evidence will not be overwritten, you can ask them to preserve the logs while you are going through the legal process. Most ISPs will comply; just try to make sure that your contact at the ISP is not a suspect. We have heard accounts of ISPs being asked to preserve logs, but when the subpoena showed up the data was missing.

Identification

Every single item that gets collected has to be identified and labeled. Most police departments are skilled in the methodical collection of evidence. In a large investigation, a law enforcement agency assigns a person to be the evidence custodian at the scene. This ensures that a specific individual is responsible for evidence collection instead of everyone walking out of the door with something under his or her arm. You should not collect evidence by yourself; get someone to go with you as a witness. Ask your coworker to document the evidence while you are collecting it.

If you are involved in a large-scale investigation involving numerous computers, an easy way to simplify collection is to position your evidence custodian at the door with a laptop computer, a portable printer, and a label printer such as the Casio Smart Label printer (if such equipment is not available, handwritten labels will do just fine). While your investigators are bringing out hand trucks full of equipment, your evidence custodian can fill out the evidence log online and print labels for the equipment. By creating reports ahead of time that automatically fill in the identical information on sequential reports, labels, and so on, you save a lot of time. Your favorite word processor probably has some of this functionality.

You must accurately count and identify the evidence. You can use a label maker for identification, or you can use stickers or tags, as long as they will not easily come off and they are large enough to include:

• The matter number

• A brief description

• Your signature (on each item)

• The date and time the evidence was collected

Documenting the Investigation

This step may be the most difficult for computer professionals. Most technically adroit people can fix a computer blindfolded, but when you ask them how they did it, they might not be able to tell you. If you fall into this category, it is another good reason to work with a partner. One person works on the computer, and the other person takes notes. You will find that once you start finding evidence, you will be drawn to further exploration and find even more evidence. If you aren’t careful, you can become so engrossed in your analysis that you totally forget to take notes. Keep that writing pad handy and don’t leave the details to memory.

Document your actions in thorough reports with extensive details including the software and version numbers of your software evidence, collection tools, the methods you used to collect and analyze the computer media, and the explanation of why you did what you did. (Make sure you use only software that you are legally licensed to have. It is embarrassing to be asked in a court of law, with the judge and jury watching, if you were using illegally obtained software.)

Fortunately, the decisions you make in an investigation will not be judged on whether or not you were right or wrong. Your value to the prosecution is usually the “reasonableness” of your actions. If your notes thoroughly document everything you did, they will greatly facilitate your explanation when asked about the incident tomorrow by your boss, next week by your victim, the following month by a union or attorney, and then three years from now when the case goes to trial in either a civil or criminal court. If you believe that your memory alone is sufficient, think back to the last time your computer did not boot properly. What exactly did you do to remedy the problem?

Step 2: Authenticate the Evidence

It is difficult to show that evidence (any kind of evidence) that you’ve collected is the same as what was left behind by a criminal. Crime scenes age, and computers are no exception. Evidence can be damaged by adverse environmental conditions (for example, mold and dust) and by insects. What you can show is that the investigator introduced no changes.

The chain of custody and other evidentiary handling rules assure the jury that no unanticipated or introduced changes occurred and that it is reasonable to extrapolate from the point of collection back to the time of the incident. In the digital world, we even have an advantage in that we can show that the evidence did not change at all after we’ve collected it. While we cannot show exactly when the evidence was collected, simple techniques enable us to timestamp it, so we can at least show that it was in existence at a specific point in time. Neither of these authentication techniques is possible with other forms of evidence.

Both proof of integrity and timestamping are provided by calculating a value that functions as a sort of electronic fingerprint for an individual file or even an entire floppy or hard drive. This is a cryptographic technique, and the value is called a hash. A hash value is calculated with software, and all forensic utility suites include such a capability. When you initially collect data, you should create a hash value and record it. After doing so, you can prove that the copies of the data you are using for your examination are identical to what was originally collected.

Two algorithms, MD5 and SHA, are in common use today. If possible, create a hash of the entire drive and the individual files. Increasingly, applications such as Accessdata's Forensic Toolkit are using multiple hash algorithms. That way, if a cryptological attack is discovered against a single algorithm, the data from the other algorithm will still be valid. CRC is already obsolete, and we predict that the use of two hash routines will soon become common practice.
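As an added illustration (not code from the book or from any forensic suite), the following Python script records two hashes (MD5 and SHA-256, the latter standing in for the SHA family) for a constructed sample image, then checks a working copy against those recorded values so that even a single changed byte is reported; the sample bytes, function names, and manifest layout are this example's own assumptions.

```python
import hashlib
import os
import tempfile

# Constructed sample "evidence": a short byte string standing in for a drive image.
# A real acquisition is a bit-stream copy of the whole medium; the method is identical.
SAMPLE_IMAGE = b"MBR\x00" * 64 + b"deleted-file-slack-data" + b"\x00" * 128

def hash_bytes(data, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}. Two algorithms are recorded so that a
    future attack on one does not invalidate the integrity record."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}

def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Hash a file in fixed-size chunks so a multi-gigabyte image is never
    loaded into memory at once; yields the same digests as hash_bytes."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def verify_copy(working_copy, manifest):
    """Compare a working copy against the hashes recorded at collection time.
    Returns (ok, list of algorithms whose digest no longer matches)."""
    actual = hash_bytes(working_copy, tuple(manifest))
    bad = [alg for alg in manifest if actual[alg] != manifest[alg]]
    return (not bad, bad)

def demo():
    """Record hashes at 'collection', confirm an on-disk copy matches, and show
    that a one-byte alteration is caught. Returns (match_ok, tamper_result)."""
    manifest = hash_bytes(SAMPLE_IMAGE)          # recorded in the evidence log
    fd, path = tempfile.mkstemp()                # constructed working copy on disk
    try:
        os.write(fd, SAMPLE_IMAGE)
        os.close(fd)
        match_ok = hash_file(path) == manifest   # chunked hashing agrees with manifest
    finally:
        os.remove(path)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[10] ^= 0x01                         # flip one bit in the copy
    return match_ok, verify_copy(bytes(tampered), manifest)

if __name__ == "__main__":
    print(demo())
```

Record the manifest values on the evidence label or in the chain-of-custody log at the moment of collection; the comparison only has value if the reference digests are documented before analysis begins.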

Preservation

The preservation of computer evidence is grunt work. It is tedious, but lack of attention to boring details can blow your case. You must be able to account for the evidence the entire time it is in your custody. If you cannot do this, none of the results of your efforts spent collecting and analyzing data will be admissible in court. Remember to keep a complete chain-of-custody document and store the evidence somewhere where it will not get damaged. The last thing you want to do is have to replace a confiscated computer that was damaged or lose a case because the original evidence is no longer in working order.

Several commercial products are available for drive imaging that are acceptable for use in forensics. A forensic backup is important because you want to make a bit-for-bit (also known as a bit stream) clone of the original drive. A “normal” backup doesn’t copy deleted files and the other parts of a hard drive that we want to investigate for clues. We will discuss some specific techniques in upcoming issues of Encore Discoveries. For now, let’s discuss the basic methodology, which is the same on every operating system: “Do no harm!” Whatever else you do, try not to damage your evidence, and never overstep legal boundaries.

A little bit of knowledge can be dangerous, so try not to be your own worst enemy and overstep your knowledge. Whenever possible, protect your original physical evidence by working with a digital copy so that if you do make a mistake, you can wipe the analysis drive, restore your image once again, and continue your analysis.

Step 3: Analysis

You are now in the home stretch of basic computer forensics and ready for the most gratifying step, the analysis! While you must continue to treat your collected evidence with respect and care during the analysis phase, it is interesting to be actively analyzing the evidence instead of doing paperwork. Remember to include a note in your reports and your chain-of-custody records whenever you obtain and return the original evidence to your secure storage cabinet.

Conclusion

The meat of computer forensics is the process of acquiring evidence, authenticating evidence, and analyzing that evidence. Successful investigations require both religious adherence to the rigorous standard procedures of evidence collection and custody, while simultaneously being flexible and imaginative in locating and analyzing that evidence. It is a difficult balance between being highly disciplined while also being willing to experiment with new ideas. Depending upon your personal approach, this tension between process and flexibility will be either totally frustrating or highly stimulating. The more knowledge and practice you have, the better prepared you will be to overcome this challenge.

If your company or firm has been lucky enough to avoid the need for computer forensics (or so you think), congratulations; it will come soon enough.

Warren Kruse, CISSP, CFCE is Vice President of Data Forensics and Analytics at Encore Legal Solutions. He assists law firms and corporate legal departments with litigation readiness, data collection, preservation, computer forensics, incident response and cybercrime prevention. Warren can be reached at wkruse@encorelegal.com.

©2008 Encore Discovery Solutions.