Introduction

Digital forensics is probably the most intricate part of the cyber crime investigation process. It is often where the strongest evidence will come from. Digital forensics is the scientific acquisition, analysis, and preservation of data contained in electronic media whose information can be used as evidence in a court of law. The practice of Digital Forensics can be a career all in itself, and often is. Other times it is a subset of skills for a more general security practitioner. Although the corporate digital forensic practitioner is not a law enforcement officer, it is a wise practice to follow the same procedures as law enforcement does when performing digital forensics. Even in a corporate environment, the work one performs can quickly make it to a courtroom. Regardless if the case is civil or criminal the evidence will still be presented the same.

The Evolution of Computer Forensics

Traditional digital forensics started with the seizure of a computer or some media. The drives and media were duplicated in a forensically sound manner bit by bit. Way back—if there is such a thing in computer technology—the forensic duplication would be combed through using a hex or disk editor application. Later the forensic applications and suites evolved and automated some of the processes or streamlined them. The forensic practitioner would undelete files, search for temporary files, recover e-mail, and perform other functions to try and find the evidence contained on the media.

Today there are more user-friendly programs that present data in a GUI, and automate much of the extremely technical work that used to require in-depth knowledge and expertise with a hex editor. There is also a wealth of hardware to make the practice even more conducive, but the reality is the processes thus far have not changed that much.

From the time of those first primordial seizures to today, a set of Best Practices has emerged; the attempt is to provide a foundation for the work performed under the heading Digital Forensics:

* Do not alter the original media in any way.

* Always work on a duplicate copy, not the original.

* The examination media must be sterile as to ensure that no residual data will interfere with the investigation data.

* The investigator must remain impartial and report the facts.

For the most part, best practices and methodology have remained unchanged since the origins of digital forensics. The system is documented; the hard drives are removed and hooked to a write-blocking device. The imaging utility of choice was used to create a torensic image, and the forensic application of choice is used for examination. The Best Practices were not viewed as guidelines; but as absolutes. This has worked well to date, but some elements are beginning to become dated. Although these best practices have served as a cornerstone for the current procedure, many of the elements of the best practices are beginning to fall behind the technology curve and may need to be changed or adjusted.

Unlike other forensic sciences, digital forensics subject matter continues to evolve, as do the techniques. Human fingerprints may be changing and evolve over time, but it won't be noticeable to the fingerprint specialists in their lifetime. The trace chemicals in a piece of hair may change, but the hair itself is going to stay pretty much the same. The techniques may evolve, but the subject matter does not noticeably. Digital evidence on the other hand continues to change as the technology does. Operating systems and file systems will progress and change. Realistically, operating systems change nearly every five years. Storage arrays continue to grow larger and larger as the technology improves, magnetic data density increases, and the price points come down. Flash media drives continue to grow larger in capacity and smaller in form factor. The volume of devices with potential storage for evidence has grown exponentially and will continue to. Gaming systems, digital audio player, media systems, Digital Video Recorders—the list continues to grow. The boom in the digital camera market created a tremendous volume of devices and analysis need that traditionally were in the reahn of photographic examiners, not the computer geek. As the assortment of potential evidence sources continues to grow, the methodologies need to expand greatly.

For example, a cellular phone normally needs to stay powered on to retain all the data. If the device stays on it may connect to a wireless network. To ensure the device is isolated from the network the investigator will need to use a Faraday device—but in reality by removing the device from the network we actually change the data on the device. The device will make a note to itself of the details of going off the network.

In the pages that follow I will address some of the difficulties that occur and how some of the technologies and best practices are falling behind the technology curve. These include not only technical challenges but the procedural challenges.

Phases of Digital Forensics

Traditional digital forensics can be broken down into four phases. Some of the work performed may overlap into the different phases, but they are very different:

* Collection

* Examination

* Analysis

* Reporting

Collection is the preservation of evidence for analysis. Current best practices state that digital evidence needs to be an exact copy—normally a bit stream copy or bit-for-bit duplication—of the original media. The bit stream copy is then run through a cryptographic hashing algorithm to assure it is an unaltered copy. In modern digital forensics often this is done by physically removing the hard drive from the device, connecting it to a write blocking unit, and using a piece of forensic software that makes forensic duplicates. Examination is the methodical combing of the data to find the evidence. This includes work such as document and e-mail extraction, searching for suspicious binaries, and data carving. Analysis is the process of using the evidence recovered to work to solving the crime. The analysis is the pulling together of all the bits and pieces and deciphering them into a story of what happened. Report is the phase where all the other phases are documented and explained. The report should contain the documentation of the hardware, the tools used, the techniques used, and the findings. All the individual phases have their own issues and challenges.

Collection

Traditional digital forensics best practices are to make a full bit stream copy of the physical volume. This normally entails physically removing the hard drives from the suspect system, and attaching the drive to another system for forensics duplication. A forensic image is a bit-by-bit copy of the original media. It copies all the data on a storage device, including unused portions, the deleted files, and anything else that may have been on the device. The suspect hard drive should be protected from alteration (remember the procedure?) by a hardware solution, a software solution, or both. The hardware solution is normally either a write-blocker or a hardware imaging device. A write-blocker blocks the write commands from the examination system that some operating systems would normally perform. Software solutions entail mounting the suspect drive or device as read-only by the operating system.

The data must be unaltered and the chain of custody must be maintained. Where practical, all the work should be performed on a copy; the originals need to be preserved and archived. To be able to ensure the data is unaltered, the original drive and the imaged drive are hashed and the hashes are compared to ensure that an exact bit-by-bit copy has been acquired.

Digital evidence needs to be:

* Admissible: It must conform to certain legal rules before it can be put before a court.

* Authentic: The data must be proven to relate to the incident. This is where additional documentation is important.

* Complete: It must be impartial and tell the entire account.

* Reliable: There can be nothing relative to the collection and handling of the evidence that could create any doubt. Chain of Custody procedures become crucial.

* Believable: The reports and documentation must present everything so it is believable and understandable by a judge or jury.

Any digital evidence collected must meet these requirements. The challenge that is surfacing is the admissibility. There are the traditional rules and best practices that concentrate on data from static or powered down systems. As we will see next, there are issues where this approach is either difficult, impossible, or may leave large amounts of data behind. Challenges to collecting the data for analysis can be getting the files off the systems, and once they are off the system. Does the system have some way of connecting external storage or is there even physical access to do so? If there is no physical access, how long will it take to move the data off the system to work with it? An option may be to work with the data on the system, but is there enough storage on it to be able to duplicate and analyze it? If the system was compromised, can the use of the utilities and binaries on it be trusted? Most likely not.

The next option is to move the data off via the network connection. How large is the network link to move the data off? If the data cannot be worked onsite, do you have the storage to transport it? Do you have the storage to work with it later? Do you have systems powerful enough to comb and query through all the data? Are all the systems in the same data center, or do you have to travel or have multiple teams working simultaneously? There are a multitude of questions, and some preplanning can be essential.

Incidents at a large business or other large network can aggravate these issues, and can be extremely complex. The cyber crime responder will almost surely find a variety of systems running a multitude of operating systems. The devices can encompass nearly everything and anything. The most important step when responding to a large cyber crime incident is to take a few minutes and first figure out what kind of systems you are dealing with. It's worth the time to gather any available documentation, such as network diagrams and system configurations.

The key early on is to avoid tunnel vision. There can be a multitude of systems that need data to be recovered from them, needing possibly as many ways to get at the data. It is easy to fall into the trap of centering on the first system found to be compromised or involved, when that system may be the tip of the iceberg. If all the concentration of the investigation is centered on the first system, then all the other evidence may be missed initially. Or if the retention times of logs or volatile data are too short, then the data may be gone forever. Just like a lost hiker searching for the path, work in circles out from the point of" discovery. From that initial machine of interest, begin to look outward, concentrating on access paths that lead to it. Do not forget physical paths to a system—access controls and video surveillance is present in most data centers or offices, and physical access logs definitely should be reviewed.

Preparation

An assortment of tools are needed, both hardware and software. If you have the opportunity, try and get as much information as possible before you go to the machines. If it is in your native environment, preplan what is required for a normal engagement, and for the contingencies. A few extra phone calls or extra minutes to gather extra tools can save hours later trying other acquisition methods or struggling with inadequate hand tools. It can also help you determine if you need additional resources, or if it is over your head. If you are in a corporate environment you should have the specifications for the critical systems available to assist law enforcement in working with your systems if you are not going to do the acquisitions in-house. Most likely this information should be available for disaster recovery or hardware failure issues.

Be sure to have enough drives or storage to hold all the forensic images that will be collected. The drives should be prepared beforehand. The preparation should entail wiping the drive so that there is no data that could contaminate the data collected. It also eliminates the allegation that there could be data planted or that the evidence collected was tainted. A log should be kept that documents the preparation of the storage media.

(Continues...)

---

Excerpted from Alternate Data Storage Forensics by Tyler Cohen Amber Schroader Copyright © 2007 by Elsevier, Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---