Best Practices for Computer Forensics in the Field
Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success is based on verifiable and repeatable reported results that represent direct evidence of suspected wrongdoing or potential exoneration. This article sets out a series of best practices for the computer forensics professional, which represents the best evidence for defensible solutions in the field. The best practices themselves are intended to capture those processes that have repeatedly proven successful in use. This is not a cookbook. Best practices are intended to be reviewed and applied based on the specific needs of the organization, the case, and the case environment.

Job knowledge

An examiner can only be so well informed when entering a field setting. In many cases, the customer or customer representative will provide information on how many systems are involved, their specifications, and their current status. And just as often, they are critically wrong. This is especially true when it comes to hard drive sizes, laptop hacking, password hacking, and device interfaces. A seizure that returns the equipment to the lab should always be the first line of defense, since it provides maximum flexibility. If you must perform the acquisition on site, create a comprehensive worklist of the information to be collected before reaching the field. Break the list down into small steps, with a check box for each one. The examiner must always know their next step and never have to “think on the fly”.

Overestimate

Overestimate by at least a factor of two the amount of time it will take to complete the job. This includes accessing the device, initiating the forensic acquisition with the appropriate write-blocking strategy, completing the appropriate paperwork and chain of custody documentation, copying the acquired files to another device, and restoring the hardware to its original state. Note that you may need shop manuals that tell you how to disassemble small devices to reach the drive, which makes both hardware acquisition and restoration more difficult. Live by Murphy’s Law: something will always challenge you and take longer than anticipated, even if you have done it many times.

Inventory equipment

Most examiners have a sufficient variety of equipment that they can perform forensically sound acquisitions in several ways. Decide ahead of time how you would ideally like to go about the on-site acquisition. All of us will see an equipment failure or some other incompatibility become a hindrance at the most critical moment. Consider carrying two write blockers and an extra mass storage drive, wiped and ready. Between jobs, validate your forensic computer with a hash exercise (acquire a known reference and confirm the expected hashes). Recheck and inventory all of your gear against a checklist before you leave.

Flexible acquisition

Instead of trying to make “best guesses” about the exact size of the customer’s hard drive, use large mass storage devices and, if space is an issue, an acquisition format that compresses your data. After you collect the data, copy it to another location. Many examiners stick to traditional acquisitions: open the machine, remove the drive, place it behind a write blocker, and acquire. Other acquisition methods are available through the Linux operating system. Linux booted from a CD allows the examiner to make a raw copy without altering the hard drive. Be familiar enough with the process to understand how to collect hashes and the other records you need. Live acquisition is also covered later in this document. Leave the original disk image with the attorney or client and take the copy to your lab for analysis.

Pull the plug

There is a long-running, heated debate about what one should do when one comes across a running machine. There are two clear options: pull the plug, or perform a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to prevent any malicious process from running that might delete or erase data, or cause some similar pitfall. It also allows the examiner to capture a snapshot of the swap files and other system information as they were when the machine last ran. It should be noted that shutting down the system may also corrupt some of the files open on the system, making them unavailable for examination or for users. Companies sometimes prefer a clean shutdown and should be given that option after the impact has been explained. Documenting how the machine was shut down is critical, because it will be essential knowledge during analysis.

Live acquisitions

Another option is to perform a live acquisition. Some define “live” as acquiring a machine running as-is; for our purposes it means that the machine itself is running during the acquisition, booted from some medium. One method is to boot into a custom Linux environment that includes enough support to take a hard drive image (often among other forensic capabilities), with the kernel modified so that it never writes to the host computer’s drives. There are also special versions that allow the examiner to take advantage of the Windows Autorun feature to perform incident response. These require advanced knowledge of Linux and experience with computer forensics. This type of acquisition is ideal when, for reasons of time or complexity, disassembling the machine is not a reasonable option.

The basics

A surprisingly common oversight is failing to boot the device once the hard drive has been removed from it. Checking the BIOS is absolutely critical to a fully validated examination. The time and date reported by the BIOS should be recorded, especially when time zones are an issue. A wide variety of other information is available, depending on the manufacturer that wrote the BIOS software. Remember that drive manufacturers may also hide certain areas of the drive (host protected areas), and your acquisition tool should be able to perform a full bitstream copy that takes this into account. Another key point for the examiner to understand is how the hash mechanism works: some hash algorithms may be preferable to others, not necessarily because of their technical strength, but because of how they are likely to be perceived in court.
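The hash handling described in the acquisition and “basics” sections above, as an added example that is not from the original article: image the source in a single pass while computing two digests (MD5 and SHA-256, so that a court familiar with either can follow the record), verify both the image and the copy taken back to the lab against the recorded digests, and write a JSON acquisition record. The exhibit id, examiner name and paths are placeholders, and the “drive” is a constructed file standing in for a write-blocked device.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-terabyte drive never sits in memory

def stream_hashes(src_path, algorithms=("md5", "sha256"), dst_path=None):
    """Read src once, hashing every chunk; if dst_path is given, also write
    a bit-for-bit image in the same pass. Returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(src_path, "rb") as src, open(dst_path or os.devnull, "wb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """True only if every digest recorded at acquisition matches the file now on disk."""
    return stream_hashes(path, tuple(expected)) == expected

def acquire(src_path, work_dir, exhibit_id, examiner):
    """Image src into work_dir, verify the image, and write a JSON acquisition record."""
    image = os.path.join(work_dir, f"{exhibit_id}.dd")
    started = datetime.now(timezone.utc).isoformat()
    digests = stream_hashes(src_path, dst_path=image)
    record = {"exhibit": exhibit_id, "examiner": examiner, "source": str(src_path),
              "image": image, "started_utc": started,
              "finished_utc": datetime.now(timezone.utc).isoformat(),
              "bytes": os.path.getsize(image), "hashes": digests,
              "verified": verify_image(image, digests)}
    with open(image + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def demo():
    """Constructed run: a fake 3 MiB 'drive', its acquisition, a lab copy, a tamper check."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "suspect_drive.bin")  # stands in for a write-blocked /dev/sdX
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 777))  # odd size: the last chunk is partial
    rec = acquire(drive, work, "EX-0001", "placeholder examiner")  # placeholder ids
    lab_copy = os.path.join(work, "lab_copy.dd")  # the copy that goes back to the lab
    shutil.copyfile(rec["image"], lab_copy)
    copy_ok = verify_image(lab_copy, rec["hashes"])
    with open(lab_copy, "r+b") as f:  # flip one byte of the copy to show detection
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    return rec["verified"], copy_ok, verify_image(lab_copy, rec["hashes"])
```

`demo()` returns `(True, True, False)`: the image and the untouched lab copy verify, the copy with one altered byte does not.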

Store safely

The acquired images must be stored in a protected, static-free environment. Examiners must have access to a locked safe in a locked office. Units should be stored in antistatic bags and protected with antistatic packing materials or the original shipping material. Each unit must be labeled with the client’s name, the attorney’s office, and the exhibit number. Some examiners photocopy the unit labels if they have access to a photocopier during acquisition; these copies should be stored with the case documentation. At the end of the day, each unit must be linked to a chain of custody document, a job number and an evidence number.

Set a policy

Many clients and attorneys will push for an immediate takeover of the computer and then sit on the evidence for months. Make it clear to the attorney how long you are willing to keep the evidence in your lab, and charge a storage fee for large-scale or critical work. You may be storing critical evidence for a criminal or civil action, and while it may seem like a good idea from a marketing perspective to keep a copy of the disk, it may be better from a case perspective to return all copies to the attorney or client with proper chain of custody documentation.

Conclusion

Computer examiners have many options for how they conduct an on-site acquisition. At the same time, the on-site acquisition is the most volatile environment the examiner works in. Tools can fail, time constraints can be severe, observers can add pressure, and suspects can be present. Examiners must be serious about maintaining their tools and continually developing their knowledge of the best techniques for each situation. Using the best practices in this document, the examiner should be prepared for almost any situation that may be encountered and be able to set reasonable goals and expectations for the work at hand.