Applying Forensic Science to Computers
October 28, 2016
Categorised in: Computer Forensic & Cyber Applications
Digital evidence examiners extract valuable bits from large masses of data and present them in ways that decision makers can comprehend.
Flaws in the underlying material or the way it is processed reduce the value of the final product.
Digital investigators often perform all of the requisite tasks from collecting, documenting, and preserving digital evidence to extracting useful data and combining them to create an increasingly clearer picture of the crime as a whole.
Digital investigators need a methodology to help them perform all of these tasks properly, find the scientific truth, and ultimately have the evidence admitted in court.
METHODOLOGY CONSIST OF FOLLOWING STAGES
- Examination and analysis
- Reporting results
Planning is especially important in cases that involve computers.
Whenever possible, while generating a search warrant, the search site should be researched to determine what computer equipment to expect, what the systems are used for, and if a network is involved.
If the computers are used for business purposes or to produce publications, this will influence the authorization and seizure process.
Also, without this information, it is difficult to know what expertise and evidence collection tools are required for the search.
If a computer is to be examined on-site, it will be necessary to know which operating system the computer is running (e.g., Mac OS, UNIX, or Windows).
It will also be necessary to know if there is a network involved and if the cooperation of someone who is intimately familiar with the computers will be required to perform the search.
One person should be designated to take charge of all evidence to simplify the chain of custody.
Such coordination is especially valuable when dealing with large volumes of data in various locations, ensuring that important items are not missed.
In situations where there is only one chance to collect digital evidence, the process should be practiced beforehand under similar conditions to become comfortable with it.
A final preparatory consideration is regarding proper equipment. Most plans and procedures will fail if adequate acquisition systems and storage capacity are not provided.
Some of the fundamental items that can be useful when dealing with computers as a source of evidence include the following:
- Evidence bags, tags, and other items to label and package evidence
- Digital camera to document scene and evidential items
- Forensically sanitized hard drives to store acquired data
- Forensically prepared computer(s) to connect with and copy data from evidential hard drives onto forensically sanitized hard drives
- Hardware write blockers for commonly encountered hard drives (e.g., IDE and SATA)
- Toolkit, including a flashlight, needle-nose pliers, and screwdrivers for various types and sizes of screws.
Surveying a crime scene is a methodical process of finding all potential sources of digital evidence and making informed, reasoned decisions about what digital evidence to preserve.
One effective approach to conducting a methodical crime scene survey is to divide the area into a grid and inspect each segment of the grid thoroughly.
By dividing the larger area into smaller segments, there is less chance of overlooking important items such as a small memory card or hidden pieces of storage media.
This concept can be applied to both the physical area and digital realm.
Surveying a crime scene for potential sources of digital evidence is a twofold process.
First, digital investigators have to recognize the hardware (e.g., computers, removable storage media, and network cables) that contains digital information.
Second, digital investigators must be able to distinguish between irrelevant information and the digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator.
During a search, manuals and boxes related to hardware and software can give hints of what hardware, software, and Internet services might be installed/used.
Applying the scientific method during the survey process involves developing and testing theories about which items contain relevant digital evidence, why expected items are missing, and where missing items might be found.
SURVEY OF HARDWARE
There are many computerized products that can hold digital evidence such as telephones, mobile devices, laptops, desktops, larger servers, mainframes, routers, firewalls, and other network devices.
There are also many forms of storage media including compact disks, floppy disks, magnetic tapes, high capacity flip, zip, and jazz disks, memory sticks, and USB storage devices.
Less obvious sources of digital evidence include the following:
- Gaming systems (e.g., PS3 and XBox360), which can contain a variety of multimedia and may be configured to run a fully functional operating system such as Linux;
- Video cameras (camcorders and CCTV), which may store files on internal memory, on removable storage media, or on a central server;
- Removable memory cards from digital cameras and mobile devices, which are growing in storage capacity while shrinking in size, and are easily overlooked;
- Printers with an internal hard drive;
- Digital picture frames;
- Nonstandard peripherals connected to computers such as an antenna or customized circuit board.
Following all cables that are connected to computer equipment found at the crime scene can lead to additional items in unusual places such as the ceiling or floor.
Even when cables do not lead to the ceiling or floor, it is prudent to search in such unusual places because wireless networks have become more prevalent in businesses and households.
Before approaching a crime scene, try to determine which types of hardware might be encountered as different equipment and expertise are required for terabytes of storage versus miniature systems.
SURVEY OF DIGITAL EVIDENCE
Different crimes result in different types of digital evidence.
For example, cyberstalkers often use e-mail to harass their victims, computer crackers sometimes inadvertently leave evidence of their activities in log files, and child pornographers sometimes have digitized images stored on their computers.
Additionally, operating systems and computer programs store digital evidence in a variety of places. Therefore, the ability to identify evidence depends on a digital investigator’s familiarity with the type of crime that was committed and the operating system(s) and computer program(s) that are involved.
In addition to looking for user-created documents and multimedia on storage media, digital investigators may find relevant information in the Registry, log files, and artifacts associated with applications used on the computer (e.g., logs of instant messaging chat, and files exchanged using P2P programs).
Again, the different kinds of digital evidence on a computer are limited only by the user’s activities and creativity.
Documentation is essential at all stages of handling and processing digital evidence, and includes the following:
- Chain of custody: who handled the evidence, when, where, and for what purpose;
- Evidence intake: characteristics of each evidential item such as make, model, and serial number;
- Photos, videos, and diagrams: capturing the context of the original evidence;
- Evidence inventory: a list or database of all evidential items;
- Preservation guidelines: a repeatable process for preserving digital evidence, which may contain references to specific tools;
- Preservation notes: notation of steps taken to preserve each evidential item and any necessary deviations from the preservation guideline documentation;
- Forensic examination guidelines: a repeatable process for examining digital evidence, which may contain references to specific tools;
- Forensic examination notes: notation of actions taken to examine each evidential item, including a summary of the outcome of each action and details about important findings.
In any digital investigation, it is important to keep track of important actions and all items of evidence that have been obtained.
Case documentation goes beyond chain of custody and evidence in-take forms to include when important information was received, who was interviewed, and what was said.
It is also important to maintain an inventory of digital evidence and a database can be useful for keeping track of digital evidence as shown in Figure. particularly when dealing with many sources of data.
Case management also involves maintaining the physical security of evidential items, and storing multiple copies of digital evidence to ensure that a pristine copy is available in the event of a working copy becoming damaged.
A major aspect of preserving digital evidence is preserving it in a way that minimizes the changes made.
Imagine for a moment a questioned death crime scene with a suicide note on the computer screen. Before considering what the computer contains, the external surfaces of the computer should be checked for fingerprints and the contents of the screen should be photographed. It would then be advisable to check the date and time of the system for accuracy and save a copy of the suicide note to sanitized labeled removable media.
When dealing with hardware as contraband, instrumentality, or evidence, it is usually necessary to collect computer equipment.
Additionally, if a given piece of hardware contains a large amount of information relating to a case, it can be argued that it is necessary to collect the hardware.
PRESERVING DIGITAL EVIDENCE
When dealing with digital evidence (information as contraband, instrumentality, or evidence) the focus is on the contents of the computer and storage media as opposed to the hardware itself.
There are several approaches to preserving digital evidence on a computer:
- Place the evidential computers and storage media in secure storage for future reference;
- Extract just the information needed from evidential computers and storage media;
- Acquire everything from evidential computer and storage media.
Whether acquiring all data or just a subset, there are two empirical laws of digital evidence collection that should always be remembered:
Empirical Law of Digital Evidence Collection and Preservation #1: If you only make one copy of digital evidence, that evidence will be damaged or completely lost.
Empirical Law of Digital Evidence Collection and Preservation #2: A forensic acquisition should contain at least the data that is accessible to a regular user of the computer.
Therefore, always make at least two copies of digital evidence and check to make certain that at least one of the copies was successful and can be accessed on another computer.
In addition, it is important to verify that tools used to copy digital evidence capture all of the desired information, including metadata such as date-time stamps that are associated with acquired files.
As an example, when acquiring digital evidence from a cell phone, a forensic acquisition should at least acquire the data that were visible to the user.
EXAMINATION AND ANALYSIS
A forensic examination involves preparing digital evidence to facilitate the analysis stage.
there are three levels of forensic examination: (1) survey/triage forensic inspections, (2) preliminary forensic examination, and (3) in-depth forensic examination.
The nature and extent of a digital evidence examination depend on the known circumstances of the crime and the constraints placed on the digital investigator.
If a computer is the fruit or instrumentality of a crime, the digital investigators will focus on the hardware.
If the crime involves contraband information, the digital investigators will look for anything that relates to that information, including the hardware containing it and used to produce it.
If information on a computer is evidence and the digital investigators know what they are looking for, it might be possible to extract the evidence needed quite quickly.
The process of filtering out irrelevant, confidential, or privileged data includes the following:
- Eliminating valid system files and other known entities that have no relevance to the investigation.
- Focusing on the most probable user-created data.
- Focusing on files within a restricted time frame.
- Managing duplicate files, which is particularly useful when dealing with backup tapes.
- Identifying discrepancies between digital evidence examination tools, such as missed files and MD5 calculation errors.
CLASS/INDIVIDUAL CHARACTERISTICS AND EVALUATION OF SOURCE
Three fundamental questions that need to be addressed when examining a piece of digital evidence are what is it (identification), what characteristics distinguish it (classification or individualization), and where did it come from (evaluation of source).
When a file is deleted, the data it contained actually remain on a disk for a time and can be recovered.
The details of recovering and reconstructing digital evidence depend on the kind of data, its condition, the operating system being run, the type of the hardware and software, and their configurations.
Eg: word document vs. images or video
Investigative reconstruction leads to a more complete picture of a crime—what happened, who caused the events when, where, how, and why.
The three fundamental types of reconstruction—functional, relational, and temporal.
In an investigation, there are several purposes to assessing how a computer system functioned:
- To determine if the individual or computer was capable of performing actions necessary to commit the crime.
- To gain a better understanding of a piece of digital evidence or the crime as a whole.
- To prove that digital evidence was tampered with.
- To gain insight into an offender’s intent and motives. For instance, was a purposeful action required to cause damage to the system or could it have been accidental?
- To determine the proper working of the system during the relevant timeperiod. This relates to authenticating and determining how much weight to give digital evidence
In an effort to identify relationships between suspects, victim, and crime scene, it can be useful to create nodes that represent places they have been, e-mail and IP addresses used, financial transactions, telephone numbers called, etc. and determine if there are noteworthy connections between these nodes.
When investigating a crime, it is usually desirable to know the time and sequence of events. Fortunately, in addition to storing, retrieving, manipulating, and transmitting data, computers keep copious account of time. For instance, most operating systems keep track of the creation, last modification, and access times of files and folders. These date-time stamps can be very useful in determining what occurred on a computer
The last stage of a digital evidence examination is to integrate all findings and conclusions into a final report that conveys the findings to others and that the examiner may have to present in court.
Writing a report is one of the most important stages of the process because it is the only view that others have of the entire process.
A sample report structure is provided here:
Introduction: case number, who requested the report and what was sought, and who the wrote report, when, and what was found.
Evidence Summary: summarize what evidence was examined and when, MD5 values, laboratory submission numbers, when and where the evidence was obtained and from whom, and its condition (note signs of damage or tampering).
Examination Summary: summarize tools used to perform the examination, how important data were recovered (e.g., decryption or undeletion), and how irrelevant files were eliminated.
File System Examination: inventory of important files, directories, and recovered data that are relevant to the investigation with important characteristics such as path names, date-time stamps, MD5 values, and physical sector location on disk. Note any unusual absences of data.
Analysis: describe and interpret temporal, functional, and relational analysis and other analyses performed such as evaluation of source and digital stratigraphy.
Conclusions: summary of conclusions should follow logically from previous sections in the report and should reference supporting evidence.
Glossary of Terms: explanations of technical terms used in the report.
Appendix of Supporting Exhibits: digital evidence used to reach conclusions, clearly numbered for ease of reference.