Best Practices for Computer Forensics in the Field

Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success rests on verifiable and repeatable reported results that represent direct evidence of suspected wrongdoing or of possible exoneration. This article sets out a series of best practices for the computer forensic practitioner, drawn from what has proven defensible in the field. The best practices are intended to capture those processes that have repeatedly proven successful in use. This is not a cookbook. Best practices are meant to be reviewed and applied according to the specific needs of the organization, the case, and the case environment.

Job knowledge

An examiner can only act on what he knows when he enters the field. In many cases, the customer or customer representative will provide some information on how many systems are in question, their specifications, and their current status. Just as often, that information is critically wrong. This is especially true when it comes to hard drive sizes, laptop disassembly, password protection, and device interfaces. A seizure that returns the equipment to the laboratory should always be the preferred option, since it provides maximum flexibility. If you must act on site, create a comprehensive worklist of the information to be collected before going out into the field. The list should consist of small steps with a check box for each step. The examiner must know his next step at all times and should never have to “think on his feet.”

Overestimate

Overestimate, by at least a factor of two, the amount of time it will take to complete the job. This includes accessing the device, initiating the forensic acquisition with the appropriate write-blocking strategy, completing the required paperwork and chain of custody documentation, copying the acquired files to another device, and restoring the hardware to its initial state. Note that you may need service manuals that explain how to disassemble small devices to reach the drive, which adds further difficulty to both acquiring and restoring the hardware. Live by Murphy’s Law. Something will always challenge you and take longer than anticipated, even if you have done it many times.

Inventory equipment

Most examiners have a sufficient variety of equipment to perform robust forensic acquisitions in a number of ways. Decide in advance how you would ideally like to carry out your on-site acquisition. Everyone eventually sees equipment fail, or some other incompatibility surface, at the most critical moment. Consider bringing two write blockers and an additional mass storage drive, wiped and ready. Between jobs, be sure to check your gear with a hashing exercise. Double check and inventory all of your equipment against a checklist before setting off.

Flexible acquisition

Rather than trying to make “best guesses” about the exact size of the customer’s hard drive, use large mass storage devices and, if space is an issue, an acquisition format that compresses your data. After collecting the data, copy it to a second location. Many examiners limit themselves to the traditional acquisition in which the machine is opened, the drive removed, placed behind a write blocker, and imaged. There are other acquisition methods available through the Linux operating system. Linux, booted from a CD, allows the examiner to make a raw copy without altering the hard drive. Become familiar enough with the process to understand how to collect hashes and the other records you need. Live acquisition is also discussed later in this document. Leave the drive holding the image with the attorney or client and take the copy to your laboratory for analysis.

Pull the plug

There is a heated debate about what one should do when encountering a running machine. There are two clear options: pull the plug, or perform a clean shutdown (assuming you can log in). Most examiners pull the plug, which is the best way to stop any malicious process that might wipe data or cause similar damage. It also lets the examiner capture the swap file and other system state as it was when the machine last ran. It should be noted that pulling the plug can also corrupt files that were open on the system, making them unavailable for examination or for the user. Companies sometimes prefer a clean shutdown and should be given that option once the consequences have been explained to them. Documenting how the machine was brought down is essential, because that fact will be critical knowledge during analysis.

Live acquisitions

Another option is to perform a live acquisition. Some define “live” as imaging the machine as it is running; for our purposes, it means the machine itself is running during the acquisition through some medium. One method is to boot into a custom Linux environment that includes enough support to take a hard drive image (often among other forensic capabilities), with a kernel modified so that it never writes to the host computer’s disks. There are also special versions that let the examiner take advantage of the Windows autorun feature for incident response. These require advanced knowledge of Linux and experience in computer forensics. This type of acquisition is ideal when, for reasons of time or complexity, disassembling the machine is not a reasonable option.

The basics

One surprisingly common oversight among examiners is neglecting to boot the machine once the hard drive has been removed from it. Verifying the BIOS is essential to a fully validated examination. The time and date reported by the BIOS should be recorded, especially when time zones are an issue. A wide variety of additional information is available depending on the manufacturer that wrote the BIOS software. Remember that drive manufacturers can also hide certain areas of the disk (host protected areas), and your acquisition tool should be able to make a full bitstream copy that takes this into account. Another key point for the examiner to understand is how the hashing mechanism works: some hashing algorithms may be preferable to others, not necessarily because of their technical robustness, but because of how they are perceived in a courtroom.
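The hashing exercise mentioned under "Inventory equipment", the raw copy from a Linux boot environment under "Flexible acquisition", and the hash-verification point just above all reduce to the same small workflow: copy bit for bit, hash source and image with more than one algorithm, record the result, and re-verify the stored image later. The script below is an added example written for this article, not code from the original author; it stands in a 32 KiB file of random bytes for the drive (constructed so the example runs offline), and every path and log format in it is an assumption of the example rather than a standard.

```shell
#!/bin/sh
# Added example, not part of the original article. Demonstrates a field
# acquisition workflow from a Linux boot environment: bit-for-bit copy with dd,
# hashing of source and image with two algorithms, an acquisition log, and a
# later re-verification of the stored image. Paths and the sample "device"
# used at the bottom are constructed for the demonstration.

# hash_file TOOL FILE: print the hex digest of FILE using a coreutils hashing
# tool (sha256sum or md5sum).
hash_file() {
    "$1" "$2" | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE bit for bit, hashes both with SHA-256 and MD5, and
# appends the record to LOG. Returns 0 when the image matches the source under
# both algorithms, 1 otherwise (a mismatch means the image is not usable).
acquire_image() {
    src="$1"; img="$2"; log="$3"
    # conv=noerror,sync: keep reading past unreadable sectors and pad them so
    # later offsets stay aligned. The block size must divide the source size,
    # which holds for real sector-addressed drives (512 or 4096 bytes).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_sha=$(hash_file sha256sum "$src"); img_sha=$(hash_file sha256sum "$img")
    src_md5=$(hash_file md5sum "$src");    img_md5=$(hash_file md5sum "$img")
    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ) source=$src image=$img"
        echo "source_sha256=$src_sha image_sha256=$img_sha"
        echo "source_md5=$src_md5 image_md5=$img_md5"
    } >> "$log"
    [ "$src_sha" = "$img_sha" ] && [ "$src_md5" = "$img_md5" ]
}

# verify_image IMAGE LOG
# Recomputes the image's SHA-256 and compares it with the value recorded at
# acquisition time. Returns 0 on match, 1 if the stored image has changed
# (or no record exists in LOG).
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -o "image_sha256=[0-9a-f]*" "$log" | tail -n 1 | cut -d= -f2)
    [ -n "$recorded" ] && [ "$(hash_file sha256sum "$img")" = "$recorded" ]
}

# Constructed demonstration: a 32 KiB pseudo-device standing in for a drive.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/evidence.dev" bs=512 count=64 2>/dev/null
acquire_image "$work/evidence.dev" "$work/evidence.dd" "$work/acquisition.log" \
    && echo "acquisition verified" || echo "HASH MISMATCH: do not rely on this image"
verify_image "$work/evidence.dd" "$work/acquisition.log" && echo "stored image intact"
# Simulate a stored copy being altered (first sector zeroed): re-verification must fail.
dd if=/dev/zero of="$work/evidence.dd" bs=512 count=1 conv=notrunc 2>/dev/null
verify_image "$work/evidence.dd" "$work/acquisition.log" || echo "stored image altered"
```

On a physical drive the source would be the device behind the write blocker, and the same log lines serve as the hash record for the chain of custody. Before imaging a real disk, compare the sector count the drive reports (for example with `hdparm -N`) against the size of the resulting image, so that a host protected area is not silently left out of the copy; the script above cannot detect that on its own, since it only confirms that the image matches what the drive let it read.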

Store safely

Acquired images must be stored in a protected, static-free environment. Examiners must have access to a locked safe in a locked office. Drives must be stored in antistatic bags and protected with non-static packaging materials or the original shipping material. Each drive should be labeled with the client’s name, the attorney’s office, and the evidence number. Some examiners photocopy the drive labels, if a copier is available during acquisition, and store the copy with the case documentation. At the end of the day, each drive must be tied to a chain of custody document, a job number, and an evidence number.

Establish a policy

Many clients and attorneys will push for the immediate acquisition of the computer and then let the evidence sit for months. Make it clear to the attorney how long you are willing to keep the evidence in your lab, and charge a storage fee for critical or large-scale work. You may be storing critical evidence of a crime or civil action, and while from a marketing perspective it may seem like a good idea to keep a copy of the drive, it may be better from a case perspective to return all copies to the attorney or client with appropriate chain of custody documentation.

Conclusion

Computer examiners have many options for conducting an on-site acquisition. At the same time, the on-site acquisition is the most volatile environment the examiner works in. Tools can fail, time constraints can be severe, observers can add pressure, and suspects can be present. Examiners must be serious about maintaining their tools and continually developing their knowledge so that they know the best technique for each situation. Using the best practices in this document, the examiner should be prepared for almost any situation he may face and able to set reasonable goals and expectations for the effort in question.
