COEN 252 Computer Forensics
Forensics Process for Hard Drive Examination

Page 2: Best Evidence

Best evidence is original evidence. Under the FRE (Federal Rules of Evidence), multiple copies of electronic files are considered "original". Evidence needs to be protected against:
- Normal accidents.
- Accidents in the analysis process.
- Tampering.

Page 3: Best Evidence

Computer data are "writings" and "records" and need to be authenticated: whoever collected them should testify during direct examination that the information is what the proponents claim it is.

Page 4: Best Evidence

If not authenticated, documents and writings are usually inadmissible. Hence careful record keeping is needed, in addition to careful handling of the evidence.

Page 5: Best Evidence

The chain of custody protects evidence against advertent or inadvertent tampering. Evidence needs to be traceable from the moment it was collected to the moment it is presented in judicial proceedings.

Page 6: Best Evidence

A hard drive yields a byte stream. Protect it with a cryptographically secure checksum, a.k.a. hash, a.k.a. signature.

Page 7: Best Evidence

A cryptographically secure checksum is a small byte string c calculated from a byte stream X as c = f(X).
- Given c, it is "computationally impossible" to find a byte stream X with f(X) = c, i.e. there is nothing better than brute force, which takes too long.
- Change even a single bit in X and f(X) changes.

Page 8: Best Evidence

- Collect c = f(X) from the original byte stream.
- Maintain c securely, e.g. in the evidence log.
- Prove that X has not changed by recalculating f(X) and checking that it still equals c.

Page 9: Best Evidence

Cryptographically secure checksums:
- MD5 (a classic, 16 B checksum): considered broken.
- SHA-1 (a classic, 20 B checksum).
- SHA-256 etc. (much longer checksum).

What is computationally possible changes with progress.
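The procedure of pages 6 to 9 in code, as an added example that is not part of the slides: the image is hashed once as a stream with several algorithms, the digests c = f(X) are what would go into the evidence log, and verification recomputes them against the stored values. The sample "image" is constructed inline; in practice the path would point at the forensic duplicate.

```python
import hashlib
import os
import tempfile

# Constructed sample "byte stream" standing in for a raw disk image (16 KiB).
SAMPLE_IMAGE = bytes(range(256)) * 64

def hash_stream(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Read the image once, in chunks, feeding every requested hash.
    Returns {algorithm: hex digest}. Images are far larger than RAM, so the
    stream is never loaded whole; one pass also means one read of the media."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(path, recorded):
    """Recompute f(X) and compare against the c kept in the evidence log.
    Returns (all_match, {algorithm: matched}) so a single broken algorithm
    (e.g. MD5) still leaves the stronger digests as independent evidence."""
    current = hash_stream(path, algorithms=tuple(recorded))
    per_alg = {name: current[name] == recorded[name] for name in recorded}
    return all(per_alg.values()), per_alg

def flip_one_bit(data, byte_index=1000, bit=0):
    """Return a copy of data with exactly one bit changed."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def demo():
    """Write the sample image, record c = f(X), then verify the untouched
    image and a copy with one flipped bit. Returns (same_ok, altered_ok, detail)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "image.dd")
        with open(original, "wb") as f:
            f.write(SAMPLE_IMAGE)
        recorded = hash_stream(original)          # c = f(X) for the evidence log
        same_ok, _ = verify(original, recorded)   # unchanged image: True
        altered = os.path.join(d, "altered.dd")
        with open(altered, "wb") as f:
            f.write(flip_one_bit(SAMPLE_IMAGE))
        altered_ok, detail = verify(altered, recorded)  # every digest differs: False
        return same_ok, altered_ok, detail

if __name__ == "__main__":
    print(demo())
```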

Page 10: Best Evidence

Chain of custody for physical objects:
- Inventoried and labeled by evidence custodians.
- Booked into the evidence locker.
- Access documented by the evidence technician.

Page 11: Evidence Collection from Computer Media

- Identify the computer media. Write a detailed report of the situation.
- The evidence custodian inventories the best evidence and logs it in the evidence log.
- Perform a forensic duplication of the original media to storage media. If the original can be kept, use it as the best evidence. If not, duplicate the data immediately and use that media as the best evidence. Label the best evidence and store it in the evidence locker.
- Make a duplicate of the best evidence and use it for forensic analysis.
- Make more working copies as necessary, e.g. in order to mount the file system for quasi-live investigations.
- Make a backup of the best evidence.

Page 12: Evidence Handling Procedures

- Before examining the contents of a hard drive, record information about the computer system.
- Take digital photographs of the system and of the media being duplicated.
- Fill out an evidence tag for the original media and/or for the forensic duplicate.
- Label all media appropriately with an evidence label.

Page 13: Evidence Handling Procedures

- Store the best evidence copy in the evidence locker.
- An evidence custodian enters a record of the best evidence into the evidence log. Each access to the best evidence is also entered into the log.
- All examinations are performed on a forensic copy, the working copy.

Page 14: Evidence Handling Procedures

- An evidence custodian ensures that backup copies of the best evidence are created.
- An evidence custodian ensures that all disposition dates are met. The dates are assigned by the principal investigator.
- An evidence custodian performs a monthly audit to ensure that all of the best evidence is present, properly stored, and labeled.

Page 15: Evidence Handling Procedures: Evidence System Description

Describe the location and the individuals:
- Who occupy the room or office where the original evidence was found.
- Who have access to it.
- Who can actually use it.
- Who are present.

Page 16: Evidence Handling Procedures: Evidence System Description

- Location of the system in the room.
- State of the system: powered on/off; data on screen; time/date of the system BIOS; network connections.
- Serial numbers, make, etc. of hard drives and peripherals.
- Peripherals attached to the system.

Page 17: Evidence Handling Procedures: Digital Photos

Used:
- For protection against unwarranted claims.
- To ensure the system can be returned to the exact state it was in prior to forensic duplication.
- To capture the current configuration.
- For investigative hints.

Label photos clearly and make log entries for the pictures taken.

Page 18: Evidence Handling Procedures: Evidence Tags

Need to satisfy federal and state guidelines. Contain information on:
- Place and person from whom the item was received.
- Whether the item requires consent to search.
- Description of the item. If the item is a storage device, what is contained in it.
- Date/time when taken.
- Full name and signature of the individual initially receiving the evidence.
- Case and tag number related to the evidence.

Page 19: Evidence Handling Procedures: Evidence Labels

Label physical items, e.g. the suspect hard drive, with:
- Case number and evidence tag number.
- Date and time the evidence was collected.
- A brief description of the items contained within the envelope.

Page 20: Evidence Handling Procedures: Evidence Pouch

Pages 21-23: Evidence Handling Procedures

Page 24: Evidence Handling Procedures: Evidence Storage

- The investigator needs to maintain positive control of the evidence at all times.
- Evidence protection includes protection against the environment, such as electromagnetic fields.

Page 25: Evidence Handling Procedures: Evidence Log

Every time evidence is accessed, log:
- Evidence tag number.
- Date.
- Action taken.
- Consultant performing the action.
- Identifying information on the action.
- Audits.

Page 26: Evidence Handling Procedures: Evidence Disposition

- Initial disposition: analysis and case finished. Working copies are no longer needed; only a backup might still be needed.
- Final disposition: backups are no longer needed.

Page 27: Evidence Handling Procedures: Audits

Labs should get certified for their procedures. Internal audits:
- Ensure compliance with internal standards by reviewing the evidence locker access log forms.
- Perform an inventory.
- Check disposition requirements.
- Perform checks for needed backups.
- Review case folders.
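The evidence log fields of page 25 and the audit checklist of page 27 as code, added here and not part of the slides: log entries carry the fields the slide lists, and the audit reconciles the log against the locker inventory, flags incomplete entries, checks disposition dates and checks that a backup of each item is recorded. Tag numbers, names, dates and the action vocabulary ("booked", "backup", "disposed") are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class LogEntry:
    tag: str          # evidence tag number
    when: date        # date of the access
    action: str       # action taken, e.g. "booked", "checked out", "backup", "disposed"
    consultant: str   # consultant performing the action
    detail: str       # identifying information on the action

@dataclass(frozen=True)
class LockerItem:
    tag: str
    disposition: date  # disposition date assigned by the principal investigator

def audit(log, inventory, today):
    """Internal audit over the log and the locker inventory: inventory
    reconciliation, completeness of entries, disposition dates and backups.
    Returns a sorted list of finding strings; an empty list is a clean audit."""
    findings = []
    logged = {e.tag for e in log}
    present = {i.tag for i in inventory}
    for tag in logged - present:
        findings.append(f"{tag}: in evidence log but not found in locker")
    for tag in present - logged:
        findings.append(f"{tag}: in locker but never entered in evidence log")
    for e in log:
        if not (e.tag and e.action and e.consultant):
            findings.append(f"{e.tag or '?'}: incomplete log entry dated {e.when}")
    for item in inventory:
        actions = {e.action for e in log if e.tag == item.tag}
        if item.disposition < today and "disposed" not in actions:
            findings.append(f"{item.tag}: disposition date {item.disposition} has passed")
        if "backup" not in actions:
            findings.append(f"{item.tag}: no backup of best evidence recorded")
    return sorted(findings)

# Constructed sample data; tag numbers, names and dates are invented.
SAMPLE_LOG = [
    LogEntry("T-001", date(2024, 1, 10), "booked", "A. Custodian", "suspect HDD, case C-17"),
    LogEntry("T-001", date(2024, 1, 11), "backup", "A. Custodian", "backup image to tape"),
    LogEntry("T-002", date(2024, 1, 12), "booked", "A. Custodian", "USB stick, case C-17"),
    LogEntry("T-003", date(2024, 2, 1), "checked out", "", "working copy made"),
]
SAMPLE_INVENTORY = [LockerItem("T-001", date(2025, 1, 1)), LockerItem("T-002", date(2024, 3, 1)), LockerItem("T-004", date(2025, 6, 1))]

def sample_audit():
    """Run the audit on the constructed data as of 2024-06-01; six findings expected."""
    return audit(SAMPLE_LOG, SAMPLE_INVENTORY, date(2024, 6, 1))
```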

Page 28: Data Analysis

- Develop the goal of the investigation and stick to it.
- The analyst should make and state findings.
- An analyst who offers opinions is an expert witness.

Page 29: Data Analysis

- More art than science.
- Feedback with the investigator.
- Needs accurate documentation: the analyst needs to be able to testify months after the analysis, and the findings need to be repeatable.

Page 30: Report

Report all steps in the investigation, immediately and clearly.

Page 31: Testify

Page 32: Report

A report must:
- Accurately describe the details of an incident.
- Be understandable to decision makers.
- Be able to withstand a barrage of legal scrutiny.
- Be unambiguous and not open to misunderstanding.

Page 33: Report

- Be easily referenced (Bates numbers).
- Contain all information required to draw conclusions.