Computer Forensics Neil Greenberg
Forensics
Specializing in or having to do with the application of scientific knowledge to legal matters, as in the investigation of a crime.

Computer Forensics
Computer forensics is the process of collecting, preserving, and analyzing computers and computer media for the purpose of determining the presence of evidence.

Evidence
Anything properly admissible in a Court, that will aid the function of a criminal / civil proceeding in establishing guilt or innocence.

How Used
Who Uses: Focus of practice
Who Uses
Procedures
Procedures

Special Considerations
Computer Evidence Vs. Other
Science Vs. Art

The Process An Overview
Protecting the Evidence
Collecting the Evidence
Data Replication
Replication Process
Exam System Replica
Exam System Replica Alternate
Performing an Examination
Basic Processing
Verify Virus Free
Survey the Contents
Examining File Content
Erased Files
Hidden Files
Where Data Hides
Reporting

Forensic Analysis Intellectual Property
The Challenge
Intellectual Property
Where is it Located?
Corporate Espionage

Editor's Notes

  1. Computer evidence requires the same chain of custody procedures as other types of evidence. The custodian must strictly control access and keep accurate records to show who has examined the evidence and when. When evidence is presented to a court, counsel must be ready to show that the “thing” they offer is the same “thing” originally seized. “When that evidence is not distinctive but fungible (whether little bags of cocaine, bullet shell casings, or electronic data), the "process or system" (to use the language of Fed. R. Evid. 901(b)(9)) which authenticates the item is a hand-to-hand chain of accountability.” [1]

     Fungible (adj., law): of goods or commodities; freely exchangeable for or replaceable by another of like nature or kind in the satisfaction of an obligation.

     For the computer forensic examiner, this means maintaining a continuing awareness that all the actions taken during a technical examination are subject to review by all parties in a civil or criminal investigation. The procedures detailed below will assist in providing a guideline for handling and processing computer-related evidence.

     [1] Federal Guidelines for Searching and Seizing Computers, page 119.
  2. Prevent the subject from having access to the system. This means:
     - Remove them from the keyboard from the moment you begin the search.
     - Disable any access they have to the network they are on.
     - Don’t allow them to “assist” you with your examination of the computer.

     General Principles during Evidence Collection
     - Adhere to your site's Security Policy and engage the appropriate Incident Handling and Law Enforcement personnel.
     - Capture as accurate a picture of the system as possible.
     - Keep detailed notes. These should include dates and times. If possible, generate an automatic transcript (e.g., the 'script' program can be used; however, the output file it generates should not be written to media that is part of the evidence).
     - Be prepared to testify (perhaps years later) outlining all actions you took and at what times. Detailed notes will be vital.
     - Minimize changes to the data as you are collecting it. This is not limited to content changes; you should avoid updating file or directory access times.
     - Remove external avenues for change.
     - When confronted with a choice between collection and analysis, you should do collection first and analysis later.
     - Though it hardly needs stating, your procedures should be implementable. If possible, procedures should be automated for reasons of speed and accuracy.
     - Be methodical.
     - Speed will often be critical, so your team should break up and collect evidence from multiple systems (including network devices) in parallel. However, on a single given system, collection should be done step by step, strictly according to your collection procedure.
     - Proceed from the volatile to the less volatile (see the Order of Volatility below).
     - You should make a bit-level copy of the system's media. If you wish to do forensics analysis, you should make a bit-level copy of your evidence copy for that purpose, as your analysis will almost certainly alter file access times. Avoid doing forensics on the evidence copy.

     Chain of Custody
     You should be able to clearly describe how the evidence was found, how it was handled and everything that happened to it. The following need to be documented:
     - Where, when and by whom was the evidence discovered.
     - Where, when and by whom was the evidence handled or examined.
     - Who had custody of the evidence, during what period. How was it stored.
     - When the evidence changed custody, when and how did the transfer occur (include shipping numbers, etc.).

     Portions of the above are from “Guidelines for Evidence Collection and Archiving” by Dominique Brezinski and Tom Killalea, which is a draft document.
  3. A common practice is to make at least two copies of the evidential computer. One of these is sealed in the presence of the computer owner and then placed in secure storage. This is the MASTER copy, and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy. If the computer itself has been seized and held in secure storage by the Police, this will constitute "best evidence". If the computer has not been seized, then the MASTER copy becomes best evidence. In either case, the assumption is that whilst in secure storage there can be no possibility of tampering with the evidence. This does not protect the computer owner from the possibility that secured evidence may be tampered with.

     A growing practical problem with this method of evidential copying occurs not with the security aspect but because of the increasing sizes of fixed disks found in computers. A size of 2 Gigabytes is no longer unusual, and it is common to find more than one fixed disk within a single machine. The cost of the media is decreasing slowly, but this is still significant when considering the quantity of information to be copied and stored (even though the system does allow for media re-use). There is also the problem of the length of time individual copies may take to complete. A sizable saving in both time and expense might therefore be achieved if an alternative method of evidential security could be arranged.

     SafeBack is a sophisticated evidence preservation tool that was developed specifically for the U.S. Treasury Department in the processing of computer evidence. It is a unique piece of software that has become an industry standard in the processing of computer evidence around the world. SafeBack can also be used covertly to duplicate all storage areas on a computer hard disk drive. Drive size creates essentially no limitation for this unique computer forensics tool.

     SafeBack is used to create mirror-image backup files of hard disks or to make a mirror-image copy of an entire hard disk or partition.
     - Backup image files can be written to essentially any writeable magnetic storage device, including SCSI tape backup units.
     - SafeBack preserves all the data on a backed-up or copied hard disk, including inactive or 'deleted' data.
     - Cyclical redundancy checksums (CRCs) distributed throughout the backup process enforce the integrity of backup copies to ensure the accuracy of the process.
     - Backup image files can be restored to another system's hard disk.
     - Remote operation via parallel port connection allows the hard disk on a remote PC to be read or written by the master system.
     - A date and time stamped audit trail maintains a record of SafeBack operations during a session, and software dongles are not involved or required for operation.

     From an evidence standpoint, SafeBack is ideal for the computer forensics specialist because the restored SafeBack image can be used to process the evidence in the environment in which it was created. This is especially important when system configurations and/or application settings are relevant to the display or printing of the evidence.
  4. It should be acknowledged that almost all forensic examinations of computer media are different and that each cannot be conducted in the exact same manner, for numerous reasons. However, there are four essential requirements of a competent forensic examination. These are:
     - Forensically sterile media must be used. Many utilities are available that will clean media to government security standards.
     - Any examination must maintain the integrity of the original media.
     - Positive control must be maintained for all attempts by software or hardware to write to the examined media.
     - Examination results must be properly marked, controlled and transmitted.
  5. In many instances a complete examination of all of the data on media may not be authorized, possible, necessary or conducted for various reasons. In these instances, the examiner should document the reason for not conducting a complete examination. Some examples of limited examinations would be:
     - The search warrant or the courts limit the scope of examination.
     - The equipment must be examined on premises. (This may require the examination of the original media. Extreme caution must be used during this type of examination.)
     - The media size is so vast that a complete examination is not possible.
     - The weight of the evidence already found is so overwhelming that a further search is not necessary.
     - The material required to prove the case is very specific and additional examinations would be unnecessary or of no value.
     - It is just not possible to conduct a complete examination because of hardware, operating systems or other conditions beyond the examiner’s control.
  6. Slack space: The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space. DOS and older Windows systems use a 16-bit file allocation table (FAT), which results in very large cluster sizes for large partitions. For example, if the partition size is 2 GB, each cluster will be 32 K. Even if a file requires only 4 K, the entire 32 K will be allocated, resulting in 28 K of slack space. Windows 95 OSR 2 and Windows 98 resolve this problem by using a 32-bit FAT (FAT32) that supports cluster sizes as small as 4 K for very large partitions.

     Unallocated space: The space on a hard drive that is not reserved for use by a file in the file allocation table.

     Where data may be hidden:
     - Word processing programs routinely store backup files of the document that is currently being worked on.
     - System programs routinely use portions of files currently in use to fill in blank or dead spots at the end of saved files. This means that portions of a document that is prepared or viewed on a computer could be stored in several locations on the computer’s hard drive without the operator’s knowledge (i.e., slack space).
  7. A graphical chart can help investigators establish the most significant areas of an investigation and aid decision makers in effectively allocating resources. Etrust Network Forensics can provide this graphical representation and can be used in techniques such as link analysis involved in any type of fraud investigation. As the relationships between individuals, accounts, and calling volumes are uncovered, the graphs grow in complexity. Investigators can then focus on individual aspects of their case, producing simplified charts that cut to the heart of the case.

     As data is captured from various sources and organized, investigators need to clearly understand which pieces of information are relevant, how they relate to each other, and what it means to their case. Investigators assigned to cases can use Etrust Network Forensics to uncover hidden links in their data and focus on the most likely suspects. Etrust Network Forensics can be commonly used in investigations to help identify the following:
     - New investigation targets
     - Significant links, patterns and dates
     - New hot numbers for fraud detection systems
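Notes 2 and 3 describe a sealed master copy, a second working copy for analysis, and checksums distributed through the copy process. The following is an added example, not part of the original deck and not SafeBack's format: it records a CRC32 per block plus a SHA-256 of the whole image, then shows how a changed or truncated working copy is detected and localised. The block size, function names and sample media are assumptions made for the illustration.

```python
import hashlib
import io
import zlib

BLOCK_SIZE = 4096  # assumed block size for this illustration


def acquire(source, dest, block_size=BLOCK_SIZE):
    """Copy source to dest block by block and return an integrity manifest."""
    sha = hashlib.sha256()
    crcs = []
    total = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        dest.write(block)
        sha.update(block)
        crcs.append(zlib.crc32(block))  # one checksum per block copied
        total += len(block)
    return {"block_size": block_size, "length": total,
            "sha256": sha.hexdigest(), "block_crcs": crcs}


def verify(image, manifest):
    """Re-read an image; return (ok, indexes of blocks that differ or are missing)."""
    sha = hashlib.sha256()
    expected = manifest["block_crcs"]
    bad = []
    total = 0
    index = 0
    while True:
        block = image.read(manifest["block_size"])
        if not block:
            break
        sha.update(block)
        total += len(block)
        # A block beyond the manifest, or one whose CRC differs, is flagged.
        if index >= len(expected) or zlib.crc32(block) != expected[index]:
            bad.append(index)
        index += 1
    bad.extend(range(index, len(expected)))  # blocks missing from a short image
    ok = (not bad and total == manifest["length"]
          and sha.hexdigest() == manifest["sha256"])
    return ok, bad


def demo_verify():
    # Constructed sample "media": three full blocks plus a partial one.
    media = (b"INVOICE-2001 " * 1200)[:BLOCK_SIZE * 3 + 2048]

    master = io.BytesIO()                      # sealed master copy
    manifest = acquire(io.BytesIO(media), master)

    working = io.BytesIO()                     # working copy made from the master
    acquire(io.BytesIO(master.getvalue()), working)
    clean = verify(io.BytesIO(working.getvalue()), manifest)

    altered = bytearray(working.getvalue())
    altered[BLOCK_SIZE * 2 + 10] ^= 0x01       # one flipped bit in block 2
    tampered = verify(io.BytesIO(bytes(altered)), manifest)

    short = working.getvalue()[:BLOCK_SIZE * 3]  # final partial block lost
    truncated = verify(io.BytesIO(short), manifest)
    return {"manifest": manifest, "clean": clean,
            "tampered": tampered, "truncated": truncated}


if __name__ == "__main__":
    result = demo_verify()
    print("image sha256:", result["manifest"]["sha256"])
    print("clean copy:", result["clean"])
    print("altered copy:", result["tampered"])
    print("truncated copy:", result["truncated"])
```

The manifest belongs with the custody record, stored apart from the image it describes.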
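Note 6 explains why a 4 K file in a 32 K cluster leaves 28 K of slack where earlier data can survive. The following is an added example, not part of the original deck: it builds a small constructed volume image, reuses a cluster that once held a larger file, and recovers readable strings from the new file's slack. The image layout, file contents and function names are assumptions; the model assumes a write touches only the sectors the new file needs, and clusters are numbered from 2 as in FAT.

```python
import re

SECTOR = 512
CLUSTER_SIZE = 32 * 1024  # FAT16 cluster size on a 2 GB partition, per note 6


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes allocated to a file's last cluster but not used by its content."""
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def extract_slack(image, data_offset, cluster_chain, file_size, cluster_size):
    """Return the raw bytes between end-of-file and the end of the last cluster."""
    if not cluster_chain:
        return b""
    used_in_last = file_size - (len(cluster_chain) - 1) * cluster_size
    if not 0 < used_in_last <= cluster_size:
        raise ValueError("file size does not match the length of the cluster chain")
    last = cluster_chain[-1]
    start = data_offset + (last - 2) * cluster_size + used_in_last
    end = data_offset + (last - 1) * cluster_size
    return image[start:end]


def printable_runs(data, min_len=6):
    """Runs of printable ASCII of at least min_len bytes, as a 'strings' pass would find."""
    pattern = re.compile(b"[\\x20-\\x7e]{" + str(min_len).encode() + b",}")
    return sorted({m.group().decode("ascii") for m in pattern.finditer(data)})


def build_sample_image(cluster_size=CLUSTER_SIZE, data_offset=4 * SECTOR):
    """Constructed image: data area of three clusters (numbers 2, 3 and 4)."""
    image = bytearray(data_offset + 3 * cluster_size)
    start = data_offset + (3 - 2) * cluster_size  # first byte of cluster 3

    # An earlier file filled cluster 3 and was later deleted; its bytes remain.
    line = b"CONFIDENTIAL merger price 41.50 per share\n"
    old = (line * (cluster_size // len(line) + 1))[:cluster_size]
    image[start:start + cluster_size] = old

    # A new 4 K file is then allocated the same cluster and overwrites its start.
    new = (b"Quarterly newsletter draft.\n" * 200)[:4 * 1024]
    image[start:start + len(new)] = new
    return bytes(image), data_offset, [3], len(new)


def demo_slack():
    image, data_offset, chain, size = build_sample_image()
    slack = extract_slack(image, data_offset, chain, size, CLUSTER_SIZE)
    return {"slack_len": len(slack), "strings": printable_runs(slack)}


if __name__ == "__main__":
    result = demo_slack()
    print("slack bytes:", result["slack_len"])
    for s in result["strings"]:
        print("recovered:", s)
```

A directory listing of this volume shows only the 4 K newsletter file; the recovered lines exist only in the slack region.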