• Image viewers
• E-mail viewers
• Password-cracking tools
• Open source tools
• Mobile device tools (PDA/cell phone)
• Large storage analysis tools
More than one tool can usually do the job, but depending on your skill level, familiarity, and comfort, some tools are more effective for particular uses than others. The important result is that you can get your work done efficiently with verifiable and well-documented results.
THE FLYAWAY KIT
Following is a list of suggestions for additional equipment to include in a basic tool kit for use in offsite searches. Given that your circumstances may vary, use your best judgment when deciding what to take with you.
Small Tool Kit
Remember that you may need a small tool kit to dismantle the computer. Make sure you include assorted screwdrivers, pliers, wire snips, and a small flashlight in your flyaway kit. It can be frustrating after a long airplane getaway to a remote location to realize you don’t have the right tools in your bag.
Digital Camera with Date/Time Stamp
A digital camera with a date/time stamp ensures that you know exactly how the scene was laid out before you started your work. In covert collections, a digital camera will help you reposition the office papers, photos, and other personal items found on top of the computer you are investigating. In some cases, these images may help you remember something you forgot or bring attention to something you need to revisit.
Notepad and Forms
Always carry a notepad to jot down information about who is in the room and what they have to say about the computer’s usage. Also include notes on what is happening in the room, the date and time of incremental events, where everything is located, and details on how you are performing your search and seizure. An evidence or property log is great for recording details of computer and component makes, models, and serial numbers. Prepared forms will make sure you include everything in the rush or drudgery of responding.
Permanent Markers and Labels
Permanent markers and labels will help you tag components as they are removed.
Antistatic Bags
If you are removing and carrying a hard drive back to the lab, consider taking along appropriate protective means to carry the drive back safely to the office, such as anti-static bags and a small padded box. If you are traveling with only a few drives, hand-carry them on the plane if you do not have a sufficient protective enclosure for the drives. Most hard drives were not made for the rough handling they would surely get in the belly of the airplane storage area.
Policies and Procedures
Copies of appropriate policies and procedures should be standard in your flyaway kits, including policies confirming your right to perform your job and standard procedures making sure you are thorough. Having these will help answer questions by workers who do not know you and have questions about what you are doing with the computers. A well-written checklist included with your procedures can be a blessing. Include a contact person at the local site to ensure you have access to resources.
Equipment Manuals and Guides
You might digitally store or carry appropriate manuals for your own gear or the equipment you will encounter. Search-and-seizure guides or other notes may also help you respond to the incident.
CASE MANAGEMENT
You clear off your desk following the victory of completion of an investigation, and the phone rings. It’s HR out of Boston, and they need you to answer some questions about the case you just completed. They are worried about a potential wrongful termination lawsuit. Now what? Where do you go from here? Where was that summary report? What happened to that hard drive? How was that information found? Case management is the practice of organizing, working with, and archiving information produced during an investigation.
Poor Case Management
Unfortunately, many companies have extremely poor case management practices. When it comes to locating a file associated with a particular case, the difficulty and lack of controls can make the task nearly impossible. Ask many companies to locate the hard drive they had a couple of months ago, and good luck! You need those locked-away case findings if a terminated employee decides to file suit against your organization.
Effective Case Management
No matter the size or the number of investigations you handle, effective case management is essential to organizing your data and supporting documentation in a manner that is safe, preserved, and retrievable. Several important points to consider include the types of investigations you commonly encounter, the volume, and the number of people in your lab.
Some standard daily practices can make your life easier. Use standardized forms for all of your tracking needs. This practice provides consistency in the lab and saves you time. Clearly label all hard drives, other media, and components you wish to store. They can be stored together however you wish as long as they are protected and organized. For example, you can place critical hard drive originals used during the investigation inside anti-static wrapping and then inside manila envelopes. The envelopes fit nicely inside plastic containers or on a shelf in a fireproof safe.
In medium to large labs dealing with multiple ongoing investigations, it helps to have one individual and a backup responsible for case archival and retrieval to maintain consistency. This is an organizational decision based on your needs and resources. An experienced and efficient examiner can handle five to seven cases simultaneously. If you have more than four or five people on your team, you should seriously consider reassigning or hiring examiners to handle all of your case-management administration.
Entire courses and disciplines are involved in effective case management. If you have a large caseload and you don’t have formal case management procedures in place, you might want to research our Web site, www.hackingexposedforensics.com, for more information and links to other sites.
Misplacing Evidence
On the surface, this risk sounds like a no-brainer. “How could I ever lose a vital hard drive?” It takes only one such mistake to realize the catastrophic results of losing a vital piece of evidence in a high-stakes case. Furthermore, consider the fast-paced nature of the industry in terms of how many cases an investigator will work on at a time, as well as the long layovers between events on a case, and you can see how vital keeping track of case files and evidence using something other than memory can be.
Effective Evidence Handling
Chain of custody isn’t just a good idea, it’s the law. You can maintain your evidence logs in many ways—from keeping handwritten manual logs to using software databases and bar-coding systems. What method you use depends on the size of your organization and the amount of evidence you typically handle. The important thing is to maintain a chain of custody to demonstrate that you have positive control of the evidence.
Proper chain of custody should show the following:
• Identify the people who handle the evidence at every step of the investigation.
• Document what actions/procedures were performed on the evidentiary item and how it was collected (for example, removal of a hard drive from a computer).
• Document when the evidence was collected and when/if the evidence was transferred to the custody of another party.
• Show where the evidence was collected and where it is being stored.
• Indicate the reason the evidence was collected.
A lot of discussion among forensics professionals deals with how to maintain and track evidence. Any sufficiently large organization will have knock-down, drag-out fights about how to number evidence and what the numbers mean. At the end of the day, it really doesn’t matter how evidence is numbered, as long as it is consistent across all the investigations and the evidence numbering system is designed to prevent collisions (the same evidence number being used for multiple cases/images). For our purposes, random or sequential numbering has worked just as well as anything else out there. Remember that this is a process issue and not a technology one, and choose wisely. Once a numbering system has been chosen, you can implement it in cases in multiple ways.
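The following is an added example, not code from the book, showing one way to implement the two requirements above in software: a per-case evidence numbering scheme that refuses to issue or accept a duplicate number, and a custody log whose every entry records the who, what, when, where, and why listed earlier, hash-chained so that a later alteration of any entry is detectable on review. The case number, names, and locations are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash used as the "previous" link of the first entry


class CustodyLog:
    def __init__(self):
        self._seq = {}       # case number -> last sequence number issued
        self._items = set()  # every evidence identifier accepted so far
        self.entries = []    # custody events in the order they were recorded

    def register(self, item_id):
        """Accept an identifier (e.g. from a bar-code label), refusing duplicates."""
        if item_id in self._items:
            raise ValueError(f"evidence number collision: {item_id}")
        self._items.add(item_id)
        return item_id

    def new_evidence_id(self, case):
        """Issue CASE-NNN from a per-case sequence so numbers never repeat."""
        n = self._seq.get(case, 0) + 1
        self._seq[case] = n
        return self.register(f"{case}-{n:03d}")

    def record(self, item_id, who, action, where, reason, when=None):
        """Append one custody event; returns its SHA-256 chain hash."""
        if item_id not in self._items:
            raise KeyError(f"unknown evidence item {item_id}")
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"item": item_id, "who": who, "action": action,
                 "when": when, "where": where, "reason": reason, "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; return the index of the first bad entry, or -1."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def demo():
    """Constructed walkthrough: two custody events, then an after-the-fact edit."""
    log = CustodyLog()
    drive = log.new_evidence_id("2024-017")  # constructed case number
    log.record(drive, "J. Doe", "removed SATA hard drive from workstation",
               "Boston office, room 4B", "HR investigation", when="2024-03-01T14:05:00Z")
    log.record(drive, "J. Doe -> A. Smith", "transferred to forensic lab",
               "lab evidence safe", "imaging and analysis", when="2024-03-02T09:10:00Z")
    intact = log.verify() == -1
    log.entries[0]["where"] = "unknown"  # simulate someone quietly editing the log
    return intact, log.verify()
```

Swapping the in-memory list for a database or paper form does not change the principle: each record must carry the five facts, and the identifier must be unique across every case the lab has ever handled.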
Traditional Tracking Systems
You can use numerous ways to track your evidence as you proceed with your investigation. As mentioned, you can use handwritten logs. Many sample chain of custody forms are available to the public (a sample is included in this book). Logs should be kept in a secure location near or with your evidence. This makes it convenient for you to update your logs as you handle the evidence while keeping it in a protected area. Be sure to keep backup copies of your forms in a separate, but equally secure, location in case damage occurs to the original copies.
Automated Tracking Systems
If your organization typically handles large-scale investigations, you may need an evidence tracking system that is more automated. A number of available software systems can automatically generate evidence numbers, labels, and bar codes to attach to your evidence. They can also be used to create databases in which to track your evidence. These types of systems typically use scanners and simplify the evidence-tracking process by reducing the amount of paperwork and time needed. However, these systems can be expensive and may not be ideal for organizations running on smaller budgets. Many organizations use a combination of paper logs and computer databases. What is important is that your chosen method properly documents the entire history of possession in a way that maintains the chain of custody.
Improper Evidence Destruction
Often the case data that is dealt with is highly confidential and proprietary. As such, you, as an investigator, should be concerned not only with the preservation of evidence when required, but also the destruction of evidence when the case is over and you have counsel’s request to destroy the data. You only need to look at the anecdotal stories of hard drives purchased on eBay and the personal information contained on them to understand why proper attention needs to be given to destruction procedures as well.
Proper Destruction of Evidence
At some point, your case is going to wrap up and the time will come for you to destroy your case files. You may have a protective order that states how you must dispose of any work data you have generated during the case. Depending on your organization, you may need to obtain a directive from your client as to how they would like you to dispose of case data. At any rate, your organization should have a retention policy that states how long you keep case files, what materials you retain, how/when files are destroyed, and who destroyed them.
File destruction can occur in many ways. If your organization is small, a paper shredder may suffice and you can wipe your own storage media in-house. Larger organizations typically outsource their data destruction to companies that specialize in these services, as they have the capacity to shred large amounts of paper documents, in addition to destroying storage media such as CD/DVD discs, backup tapes, and hard drives. Either way, you should keep documentation as to what you destroyed, the method you used, when it was destroyed, and who performed the work.
BONUS: LINUX OR WINDOWS?
We leave it up to you to impose the final verdict about which operating system to use. In general, we suggest basing your decision on your organization’s policy, types of investigations, and resources, and your current OS understanding. We also recommend downloading and installing Linux for the experience. Take the time to kick around a few commands. If your department is short on funds, Linux is an excellent platform to use despite the initial learning curve.
On the flip side, Windows is easy to use, familiar, and has an excellent repository of tools available if you have the capital to acquire them.
PART II
COLLECTING THE EVIDENCE
CASE STUDY: THE COLLECTIONS AGENCY
We received a phone call Thursday at 3 p.m. Then, at 5 p.m., we were notified that we were being deployed to New York City to meet with client personnel the next morning. Within that two-hour period, we were to gather up our personal items, such as clothes and other effects. We also had to bring along all of our paperwork and equipment packed and ready for the plane. Our advance preparations paid off, and we made it out on the last flight that night.
Preparations
With preparations in hand from Part I, we had our portable system in its air travel–safe container. We called it “The Heavy” because the box was plastered with multiple stickers warning would-be lifters how much the box weighed. The Heavy carried the imaging and preview systems, extra hard drives, write blockers, and other assorted parts. We also carried precompleted paperwork along with templates in case we needed to print more paperwork from our laptops. Waking up in New York that morning, we rushed to an 8 a.m. meeting with the client.
Revelations
At 10 a.m. Friday, after a two-hour meeting, what was supposed to be a simple, two-day operation revealed its true nature. Instead of the original and simple two-system collection for which our company deployed us, a larger pattern quickly emerged. Shortly after examining the first two systems, the controlled samples exposed the need to visit each of the systems across the company’s network and throughout the city.
Collecting Evidence
The extent of the damage was clearly larger than anyone expected, and it was necessary for us to collect and image for preservation and analysis each of these computers. We began to collect systems throughout the city and visited 63 hard drives in four days.
We worked quietly and split the load between us and our corporate office. We kept systems we knew the suspect had used onsite in New York for immediate analysis and sent systems we knew were only affected but not used by the suspect to the lab for imaging. Once again, the preplanning from Part I allowed us to scale from three systems to more than ten systems working in parallel. Imaging continued around the clock. One of our portable systems was used so much and jarred so hard during acquisitions that the fan broke off in transit and the processor overheated to the point that the chip cracked.
The goal was to analyze the impact of the situation and preserve relevant data to minimize the legal risk to the client and client’s duty to preserve. Moreover, we needed to identify the potential ongoing damage from the suspect. Life was about to get interesting.
CHAPTER 4
FORENSICALLY SOUND EVIDENCE COLLECTION
Evidence collection is the most important part of the investigation of any incident, and it’s even more important if the evidence will find its way into a court of law. No matter how good your analysis, how thorough your procedures, or how strong your chain of custody, if you cannot prove to the court that you collected your evidence in a forensically sound manner, all your hard work won’t hold up and will be wasted.
In this chapter, we discuss several types of collection scenarios (collection is also called acquisition or imaging, short for forensic imaging) that might play out in your day-to-day investigative duties. We cover the most common scenario, collecting evidence from a single system, and discuss some common mistakes that are made while collecting evidence. Other types of imaging are covered throughout the rest of the book.
COLLECTING EVIDENCE FROM A SINGLE SYSTEM
A single system in this context can include any type of x86-based system, such as desktop and laptop computers and possibly lower-end servers. I say possibly because in most cases a higher-end server may contain a RAID set, which is discussed in detail in Chapter 10. A single system may include IDE (Integrated Device Electronics), SATA (Serial AT Attachment), or SCSI (Small Computer System Interface) drives and may have a wide assortment of peripherals attached to it; in this section, we focus on collecting evidence from IDE, SATA, or SCSI hard drives.
Typically during an investigation, you should power down any system that you are about to acquire and boot it into a safe operating system environment or remove the hard drive(s) and attach the drive(s) to some sort of hardware-based write blockers and to your own forensic system. However, at times you may want to keep the system powered on and acquire the information from the active memory, but that is outside the scope of this section and should not be attempted by anyone who does not feel confident enough in his or her procedures to defend his or her actions in court.
After reading the previous chapters, you should have a good understanding of the basic tools and issues that exist in the forensics process. You can now use that knowledge to go through the process of collecting evidence from a single system. While we attempt to cover the most popular tools in use today, more are available, and there is no reason why any particular tool or technology that is documented to conform to your forensic needs could not be used in this generic framework.
We use the terms suspect system and forensic system to distinguish between the system from which you are collecting data and the system on which you will be performing your forensic analysis, respectively.
Step 1: Power Down the Suspect System
Powering down the suspect system allows you to state on the record and in your documentation that you’ve established a time and date upon which no other modifications will occur in the system. It is important that you are able to prove that nothing you do in the course of your collection, analysis, and reporting modifies the original evidence. If you cannot prove this, your findings may be dismissed.
Never rely on the power buttons on the front panel of a computer case to power off a system, as many systems today by default will go into stand-by mode when these buttons are pressed. Instead, remove the power cord from the system and wait until the power supply fan stops spinning to continue. If LEDs on the motherboard stay lit after shutdown, they should turn off in about 20 seconds.
Hacking Exposed Page 9