Digital Evidence: Incident Response and Computer Forensics

Outline
- Digital Evidence: Incident Response and Computer Forensics
- What do you see?
- Computer-Related Crime
- Slide 4 (second Computer-Related Crime slide)
- Search and Seizure
- Slide 6 (second Search and Seizure slide)
- ACPO Guidelines – System off
- ACPO Guidelines – System on
- ACPO Guidelines – On II
- ACPO Guidelines - What should be seized?
- ACPO Guidelines - Other Sources of Digital Evidence
- ACPO Guidelines Four Stages
- The Daubert Test - Validity of Expert Evidence and Forensic Techniques
- NIST Forensic Tool Testing
- What is lost if following ACPO?
- Tools and Techniques
- Live Response Lab
- Imaging RAM
- Imaging a Hard Disk
- Compute Hash on Image
- Imaging a USB Disk
- Fin

Digital Evidence: Incident Response and Computer Forensics
"Any sufficiently advanced technology is indistinguishable from magic." (Clarke's Third Law, Arthur C. Clarke)

What do you see?

Computer-Related Crime
- More citizens and businesses have computers and Internet service
- More crimes and investigations now involve some form of digital evidence
- More lawsuits involve some form of digital evidence discovery

Computer-Related Crime
A computer can be:
- The object of a crime (target)
- The subject of a crime (collateral victim)
- A tool in the crime (instrumentality)
- A symbol of a crime

Search and Seizure
- Corporate: policies and informed consent
- Government: requires a warrant or court order
- Exceptions: 1. Consent, 2. Exigent circumstances, 3. Plain view, 4. Search incident to a lawful arrest, 5. Inventory searches, 6. Border searches

Search and Seizure - Seizing Hardware Versus Information
Either can be:
- Contraband or fruits of a crime
- An instrumentality of a crime
- Evidence of a crime
In cases where it is mere evidence of a crime, a qualified forensic duplicate can be sufficient. If the computer is found to hold contraband or be an instrumentality of a crime, it is typically seized.

ACPO Guidelines – System off
- Don't, in any circumstances, switch the computer on!
- Secure and take control of the area containing the equipment
- Move people away from any computers and power supplies
- Allow any printers to finish printing
- Unplug the power and other devices from sockets; remove the battery from laptop computers
- Label and photograph (or video) all the components in situ
- Label the ports and cables
- Carefully remove the equipment and record all unique identifiers
- Search the area for diaries, notebooks or pieces of paper
- Consider asking the user if there are any passwords and, if these are given, record them accurately
- Make detailed notes of all actions taken in relation to the computer equipment

ACPO Guidelines – System on
- Secure the area containing the equipment
- Move people away from the computer and power supply
- Disconnect the modem if attached
- Record what is on the screen by photograph and by making a written note of the content of the screen
- If the computer is believed to be networked, seek advice from the case officer
- Do not take advice from the owner/user of the computer
- Label and photograph or video all the components
- Remove all other connection cables leading from the computer to other wall or floor sockets or devices
- Carefully remove the equipment and record the unique identifiers

ACPO Guidelines – On II
- Ensure that all items have signed exhibit labels attached to them, as failure to do so may create difficulties with continuity and cause the equipment to be rejected by the forensic examiners
- Allow the equipment to cool down before removal
- Search the area for diaries, notebooks or pieces of paper with passwords on, which are often stuck to or close to the computer
- Consider asking the user if there are any passwords and, if these are given, record them accurately
- Make detailed notes of all actions taken in relation to the computer equipment
- Do not touch the keyboard or click the mouse; if the screen is blank or a screen saver is present, the case officer should be asked to decide if they wish to restore the screen
- If no specialist advice is available, remove the power supply (at the PC end) from the back of the computer without closing down any programs

ACPO Guidelines - What should be seized?
- Main unit
- Monitor, keyboard, and mouse (only necessary in certain cases)
- Power supply units
- Hard disks not fitted inside the computer
- Dongles
- Modems (some contain phone numbers)
- External drives and other external storage devices
- Wireless network cards
- Digital cameras
- Floppy disks
- Backup tapes
- Jaz/Zip cartridges
- CDs
- DVDs
- Hard disks not connected to the computer
- PCMCIA cards
- Memory sticks and memory cards

ACPO Guidelines - Other Sources of Digital Evidence
- Mobile telephones
- Pagers
- Landline telephones
- Answering machines
- Facsimile machines
- Dictating machines
- Digital cameras
- Telephone e-mailers
- Internet-capable digital TV

ACPO Guidelines Four Stages
1. Collection
2. Examination
3. Analysis
4. Report

The Daubert Test - Validity of Expert Evidence and Forensic Techniques
Daubert v. Merrell Dow Pharmaceuticals. Five tests:
- Can it be (and has it been) tested?
- Has it been subjected to peer review and publication?
- Is there a known or potential rate of error?
- Is there a maintenance of standards controlling the particular technique's operation?
- Is it generally accepted in the scientific community?

NIST Forensic Tool Testing
- Disk imaging: dd (passed), EnCase 3.20 (failed), SafeBack (passed)
- Hardware write blocker reports
- Software write blocker reports
- Deleted file recovery (not complete)

What is lost if following ACPO?
All volatile data!
- RAM stack
- Running processes
- Open ports
- Open sessions
This data may be gathered by conducting a "Live Response"; whether to do so depends on the type of investigation.
Downside: touched MAC timestamps. Be prepared to document and testify regarding what was changed and why.

Tools and Techniques
- RAM stack: image using dd and netcat
- Running processes: pslist and other tools (userdump, dumpchk)
- Open ports: netstat -na, fport; remotely: nmap, scanrand
- Open sessions: netstat -na, nbtstat -c
- Others: route, at, etc.

Live Response Lab
1. Insert the Helix CD
2. Run \Helix.exe
3. Select the 3rd icon down and click the right arrow
4. Run FRED and send the output to the USB drive
5. Review the log file and the batch file
Discussion: How can this information help an investigation?

Imaging RAM

Imaging a Hard Disk
On the Linux host:
- ifconfig (note the IP address)
- cd /evidence
- nc -l -p 8888 > w2k-image.dd
Image to the IP of the Linux host using Helix: in the W2k VM, run Helix and image using dd to the VM IP address port
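The live-response slides above list what to collect (processes, ports, sessions, routes, scheduled jobs) and warn that every action on a running system must be documented. The script below is an added example, not the FRED batch file from the lecture or any Helix component: a minimal Linux collector in that spirit, written in POSIX sh, that saves each command's output, logs the UTC time, command, exit status and SHA-256 of every output file, and seals the log so later alteration of any collected file or of the log itself is detectable. Tools that are missing on a host are recorded as missing rather than aborting the run.

```shell
#!/bin/sh
# Added example (not from the lecture or from Helix/FRED): a small Linux
# live-response collector that logs what it ran and hashes what it saved.
# Assumptions: POSIX sh with coreutils; sha256sum or shasum available.

# Hash helper: sha256sum on Linux, shasum on macOS/BSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_step <evidence dir> <label> <command...>
# Saves stdout+stderr to <label>.txt and appends one log line:
#   UTC time | label | command | rc=<exit status> | sha256=<hash of output>
# A missing command is recorded with rc=127 so the gap is documented too.
run_step() {
    dir=$1; label=$2; shift 2
    out="$dir/$label.txt"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" >"$out" 2>&1; then rc=0; else rc=$?; fi
    else
        echo "command not found: $1" >"$out"; rc=127
    fi
    printf '%s | %s | %s | rc=%s | sha256=%s\n' \
        "$ts" "$label" "$*" "$rc" "$(hash_file "$out")" >>"$dir/collection.log"
    return 0
}

# live_response <evidence dir>: collect volatile data, most volatile first
# (process and network state before routing tables and scheduled jobs).
# The examiner identity (id) is recorded because the collector itself
# changes the system and that change must be attributable.
live_response() {
    dir=$1
    mkdir -p "$dir"
    : >"$dir/collection.log"
    run_step "$dir" 01_date      date -u
    run_step "$dir" 02_uname     uname -a
    run_step "$dir" 03_examiner  id
    run_step "$dir" 04_processes ps aux
    run_step "$dir" 05_ports     ss -tulpan
    run_step "$dir" 06_sessions  who
    run_step "$dir" 07_routes    ip route
    run_step "$dir" 08_jobs      crontab -l
    # Seal the log so that edits to it after collection are detectable.
    hash_file "$dir/collection.log" >"$dir/collection.log.sha256"
}

# verify_log <evidence dir>: returns 0 only if the sealed log hash still
# matches and every output file hashes to the value the log recorded.
verify_log() {
    dir=$1
    [ "$(hash_file "$dir/collection.log")" = "$(cat "$dir/collection.log.sha256")" ] || return 1
    while IFS='|' read -r _ label _ _ h; do
        label=$(echo "$label" | tr -d ' ')
        h=${h#*sha256=}
        [ "$(hash_file "$dir/$label.txt")" = "$h" ] || return 1
    done <"$dir/collection.log"
    return 0
}
```

Usage: `live_response /mnt/usb/case-001` writes the outputs and the sealed log to the USB drive, and `verify_log /mnt/usb/case-001` is the check to repeat before relying on any of the files. The output files and log should go to removable media, as the lab does, so that nothing is written to the evidence disk.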
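The imaging slide above uses dd (which passed the NIST test) to acquire a disk, and the outline's "Compute Hash on Image" step is what turns that copy into something an examiner can vouch for. As an added example, not the lecture's own commands and not part of Helix, the script below wraps the two steps: hash the source, image it with sector-sized reads that survive read errors, hash the image, record both hashes and the command in a sidecar log, and provide a re-verification function. To run offline it treats a regular file as the "device" (a constructed input); the same functions take a block device such as /dev/sdX on a real host, behind a write blocker.

```shell
#!/bin/sh
# Added example (not from the lecture or Helix): acquire with dd, prove the
# image matches the source by hashing both, and keep a re-checkable record.
# Assumptions: POSIX sh with dd and sha256sum/shasum; the source here is a
# regular file standing in for a block device.

# Hash helper: sha256sum on Linux, shasum on macOS/BSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire <source> <image>: image with dd, write <image>.sha256 and
# <image>.log, and return 0 only if source and image hash identically.
acquire() {
    src=$1; img=$2
    pre=$(hash_file "$src")
    # bs=512 matches the sector size; conv=noerror,sync keeps reading past an
    # unreadable sector and zero-fills it instead of aborting. Any padding
    # (a bad sector, or a partial final block) changes the image hash, so
    # the comparison below is what tells the examiner the copy is exact.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.err"
    post=$(hash_file "$img")
    echo "$post" >"$img.sha256"
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "command: dd if=$src of=$img bs=512 conv=noerror,sync"
        echo "source sha256: $pre"
        echo "image  sha256: $post"
    } >"$img.log"
    [ "$pre" = "$post" ]
}

# verify <image>: re-hash the image and compare with the stored sidecar,
# the check repeated before and after each analysis session.
verify() {
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}
```

Usage: `acquire /dev/sdb /evidence/sdb.dd || echo "hash mismatch"` acquires and checks in one step, and `verify /evidence/sdb.dd` re-checks later. When the source is piped over netcat as on the slide, the source hash still has to be taken on the original system and compared with the hash of the file that nc wrote on the Linux host; the stderr capture in `<image>.dd.err` keeps dd's own record of read errors and block counts.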
NOVA ITE 100 - Lecture Notes