Digital Evidence
Incident Response and Computer Forensics

"Any sufficiently advanced technology is indistinguishable from magic." Clarke's Third Law, Arthur C Clarke

What do you see?

Computer-Related Crime
- More citizens and businesses have computers and Internet service
- More crimes and investigations now involve some form of digital evidence
- More lawsuits involve some form of digital evidence discovery

Computer-Related Crime
A computer can be:
- The object of a crime (target)
- The subject of a crime (collateral victim)
- A tool in the crime (instrumentality)
- A symbol of a crime

Search and Seizure
- Corporate: policies and informed consent
- Government: requires a warrant or court order
- Exceptions:
  1. Consent
  2. Exigent circumstances
  3. Plain view
  4. Search incident to a lawful arrest
  5. Inventory searches
  6. Border searches

Search and Seizure - Seizing Hardware Versus Information
Either can be:
- Contraband or fruits of a crime
- An instrumentality of a crime
- Evidence of a crime
In cases where it is mere evidence of a crime, a qualified forensic duplicate can be sufficient.
If the computer is found to hold contraband or to be an instrumentality of a crime, it is typically seized.

ACPO Guidelines - System off
- Don't, in any circumstances, switch the computer on!
- Secure and take control of the area containing the equipment
- Move people away from any computers and power supplies
- Allow any printers to finish printing
- Unplug the power and other devices from sockets; remove the battery from laptop computers
- Label and photograph (or video) all the components in situ
- Label the ports and cables
- Carefully remove the equipment and record all unique identifiers
- Search the area for diaries, notebooks or pieces of paper
- Consider asking the user if there are any passwords and, if these are given, record them accurately
- Make detailed notes of all actions taken in relation to the computer equipment

ACPO Guidelines - System on
- Secure the area containing the equipment
- Move people away from the computer and power supply
- Disconnect the modem if attached
- Record what is on the screen by photograph and by making a written note of the content of the screen
- If the computer is believed to be networked, seek advice from the case officer
- Do not take advice from the owner/user of the computer
- Label and photograph or video all the components
- Remove all other connection cables leading from the computer to other wall or floor sockets or devices
- Carefully remove the equipment and record the unique identifiers

ACPO Guidelines - System on II
- Ensure that all items have signed exhibit labels attached to them; failure to do so may create difficulties with continuity and cause the equipment to be rejected by the forensic examiners
- Allow the equipment to cool down before removal
- Search the area for diaries, notebooks or pieces of paper with passwords on, which are often stuck to or close to the computer
- Consider asking the user if there are any passwords and, if these are given, record them accurately
- Make detailed notes of all actions taken in relation to the computer equipment
- Do not touch the keyboard or click the mouse; if the screen is blank or a screen saver is present, the case officer should be asked to decide if they wish to restore the screen
- If no specialist advice is available, remove the power supply (at the PC end) from the back of the computer without closing down any programs

ACPO Guidelines - What should be seized?
- Main unit
- Monitor, keyboard and mouse (only necessary in certain cases)
- Power supply units
- Hard disks not fitted inside the computer
- Dongles
- Modems (some contain phone numbers)
- External drives and other external storage devices
- Wireless network cards
- Digital cameras
- Floppy disks
- Backup tapes
- Jaz/Zip cartridges
- CDs
- DVDs
- Hard disks not connected to the computer
- PCMCIA cards
- Memory sticks and memory cards

ACPO Guidelines - Other Sources of Digital Evidence
- Mobile telephones
- Pagers
- Landline telephones
- Answering machines
- Facsimile machines
- Dictating machines
- Digital cameras
- Telephone e-mailers
- Internet-capable digital TV

ACPO Guidelines - Four Stages
- Collection
- Examination
- Analysis
- Report

The Daubert Test - Validity of Expert Evidence and Forensic Techniques
Daubert v. Merrell Dow Pharmaceuticals
Five tests:
- Can it be (and has it been) tested?
- Has it been subjected to peer review and publication?
- Is there a known or potential rate of error?
- Are there standards controlling the particular technique's operation, and are they maintained?
- Is it generally accepted in the scientific community?

NIST Forensic Tool Testing
- Disk imaging: dd (passed), EnCase 3.20 (failed), SafeBack (passed)
- Hardware write blocker reports
- Software write blocker reports
- Deleted file recovery (not complete)

What is lost if following ACPO?
All volatile data!
- RAM stack
- Running processes
- Open ports
- Open sessions
This data may be gathered by conducting a "Live Response"; whether to do so depends on the type of investigation.
Downside: touched MAC timestamps. Be prepared to document and testify regarding what was changed and why.

Tools and Techniques
- RAM stack: image using dd and netcat
- Running processes: pslist and other tools (userdump, dumpchk)
- Open ports: netstat -na, fport
- Remotely: nmap, scanrand
- Open sessions: netstat -na, nbtstat -c
- Others: route, at, etc.

Live Response Lab
1. Insert the Helix CD
2. Run \Helix.exe
3. Select the 3rd icon down and click the right arrow
4. Run FRED and send the output to the USB drive
5. Review the log file and the batch file
Discussion: How can this information help an investigation?

Imaging RAM

Imaging a Hard Disk
On the Linux host:
- ifconfig (note the IP address)
- cd /evidence
- nc -l -p 8888 > w2k-image.dd
Image to the IP of the Linux host using Helix:
- In the W2k VM, run Helix and image using dd to the VM IP address port
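The dd imaging step above and the deck's "Compute Hash on Image" step, carried through as an added example that is not from the slides, the Helix CD or the ACPO text: a POSIX shell script that images a constructed sample device with dd, hashes source and image, and appends the result to an evidence log. The netcat transfer is left out (the image is hashed locally); the file paths, the 512-byte block size and the log line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the Helix CD or the ACPO text): image a constructed
# sample "device" with dd, hash source and image, and log the check.

# SHA-256 of a file: coreutils sha256sum on Linux, shasum elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit copy of $1 to $2 at sector size. conv=noerror keeps reading past
# bad sectors and sync pads each short read to bs so offsets in the image still
# line up with the source. bs must divide the device size (512 does for any
# real disk); a larger bs would pad the tail and the hashes would not match.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image, append a dated line to the evidence log $3, print
# MATCH or MISMATCH, and return 0 only when the hashes agree.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    if [ "$src_hash" = "$img_hash" ]; then status=MATCH; else status=MISMATCH; fi
    printf '%s src=%s img=%s sha256=%s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$img_hash" "$status" >> "$3"
    echo "$status"
    [ "$status" = MATCH ]
}

# Constructed 9-sector (4608-byte) sample device, not a real disk.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=512 count=9 2>/dev/null
}

# Usage: sh imgcheck.sh --demo
if [ "${1-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_device "$work/dev"
    image_device "$work/dev" "$work/image.dd"
    verify_image "$work/dev" "$work/image.dd" "$work/evidence.log"
    cat "$work/evidence.log"
    rm -rf "$work"
fi
```

Hash the source through the write blocker before and after imaging as well; a source hash that changes between the two reads is the first sign the blocker is not doing its job.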