COEN 252 Computer Forensics Process for Hard Drive Examination

• Slides: 33

Best Evidence
• Best evidence is original evidence.
• FRE (Federal Rules of Evidence): multiple copies of electronic files are considered "original".
• Evidence needs to be protected against:
  • Normal accidents.
  • Accidents in the analysis process.
  • Tampering.

Best Evidence
• Computer data are "writings" and "records".
• They need to be authenticated: whoever collected them should testify during direct examination that the information is what the proponent claims it is.

Best Evidence
• If not authenticated, documents and writings are usually inadmissible.
• Hence careful record keeping is needed, in addition to careful handling of the evidence.

Best Evidence: Chain of Custody
• Protects evidence against advertent or inadvertent tampering.
• Evidence needs to be traceable from the moment it was collected to the moment it is presented in judicial proceedings.

Best Evidence
• A hard drive yields a byte stream.
• Protect it with a cryptographically secure checksum, a.k.a. a hash (loosely also called a "signature"; a digital signature proper additionally binds the hash to a signing key).

Best Evidence: Cryptographically secure checksum
• A small byte string c calculated from the byte stream X as c = f(X).
• Given c, it is "computationally impossible" to find a byte stream X with f(X) = c, i.e. nothing better than brute force is known, and brute force takes too long. For evidence the stronger property matters as well: given X, it must be infeasible to find a different X' with f(X') = f(X).
• Change even one bit of X and f(X) changes (in practice roughly half of the output bits flip).

Best Evidence
• Collect c = f(X) from the original byte stream.
• Maintain c securely, e.g. in the evidence log.
• Prove that X has not changed by recalculating c' = f(X') from the copy (or from the original, later) and checking that c' = c.

Best Evidence: Cryptographically secure checksums
• MD5 (a classic, 16 B checksum)
• SHA-1 (a classic, 20 B checksum)
• SHA-256 etc. (longer checksum; 32 B for SHA-256)
• What is computationally possible changes with progress: practical collision attacks now exist for both MD5 and SHA-1, so record SHA-256 (alongside MD5 where legacy tools expect it) rather than MD5 alone.
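The collect-and-verify procedure and the digest sizes above, worked through in code. This is an added example using Python's hashlib, not material from the slides; SAMPLE_STREAM is a constructed 16 KiB byte string standing in for the byte stream read from a drive, and the function names are my own. It hashes in chunks (the only way a multi-terabyte drive can be hashed), shows that the result does not depend on the chunk size, checks the 16/20/32 B lengths, and shows that a single flipped bit makes the recorded checksum fail to verify.

```python
import hashlib

# Constructed byte stream standing in for a drive image; not real evidence.
SAMPLE_STREAM = bytes(range(256)) * 64          # 16 KiB, deterministic


def stream_digest(data: bytes, algo: str = "sha256", chunk_size: int = 4096) -> str:
    """c = f(X): hash the stream in chunks, as one must for a drive that
    cannot be loaded into memory.  The result is independent of chunk_size."""
    h = hashlib.new(algo)
    for off in range(0, len(data), chunk_size):
        h.update(data[off:off + chunk_size])
    return h.hexdigest()


def digest_size_bytes(algo: str) -> int:
    """Length of the checksum the slide quotes: 16 B MD5, 20 B SHA-1, 32 B SHA-256."""
    return hashlib.new(algo).digest_size


def verify(data: bytes, recorded_digest: str, algo: str = "sha256") -> bool:
    """Recompute f(X) for the copy and compare with the value kept in the evidence log."""
    return stream_digest(data, algo) == recorded_digest


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of `data` with one bit toggled (models a tampered or damaged copy)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    recorded = stream_digest(SAMPLE_STREAM)            # collected at seizure, kept in the log
    print("recorded sha256:", recorded)
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:7s} {digest_size_bytes(algo):2d} B  {stream_digest(SAMPLE_STREAM, algo)}")
    tampered = flip_bit(SAMPLE_STREAM, 1000, 0)
    print("copy verifies:    ", verify(SAMPLE_STREAM, recorded))
    print("tampered verifies:", verify(tampered, recorded))
    print("output bits changed by a 1-bit edit:",
          differing_bits(recorded, stream_digest(tampered)), "of 256")
```

In practice the recorded value is written into the evidence log at acquisition time and the comparison is repeated on every working copy before analysis and again before testimony.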

Best Evidence: Chain of custody for physical objects
• Inventoried and labeled by evidence custodians.
• Booked into the evidence locker.
• Each access documented by the evidence technician.

Evidence Collection from Computer Media
• Identify the computer media.
• Write a detailed report of the situation.
• The evidence custodian inventories the best evidence and logs it in the evidence log.
• Perform a forensic duplication of the original media to storage media:
  • If the original can be kept, use it as the best evidence.
  • If not, duplicate the data immediately and use that media as the best evidence.
• Label the best evidence and store it in the evidence locker.
• Make a duplicate of the best evidence and use it for forensic analysis.
• Make more working copies as necessary, e.g. in order to mount the file system for quasi-live investigations.
• Make a backup of the best evidence.
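The duplication steps above as one runnable procedure. This is an added example, not the course's or any tool's code: it images a constructed "suspect drive" (a 64 KiB file of deterministic pseudo-random bytes), hashes the bytes as they are written, zero-fills an unreadable block and records its offset (the same behaviour dd gives with conv=noerror,sync), logs every action against an evidence tag, verifies the stored best-evidence image and a working copy against the logged hash, and shows that a copy with one altered byte no longer verifies. FlakyReader, EvidenceLog, the tag number and the file names are assumptions made for the illustration; a real acquisition reads a write-blocked device instead of a file.

```python
import hashlib
import os
import random
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 4096


class EvidenceLog:
    """Append-only record: every action on an evidence item gets an entry
    (tag number, time, action, who, details), as the handling procedure requires."""
    def __init__(self):
        self.entries = []

    def record(self, tag, action, who, details=""):
        self.entries.append({"tag": tag, "time": datetime.now(timezone.utc).isoformat(),
                             "action": action, "by": who, "details": details})


class FlakyReader:
    """Constructed stand-in for a drive with one unreadable block at byte
    offset `bad_at`; a real acquisition reads the write-blocked device itself."""
    def __init__(self, f, bad_at):
        self.f, self.bad_at, self.failed = f, bad_at, False

    def read(self, n):
        if self.f.tell() == self.bad_at and not self.failed:
            self.failed = True
            raise OSError("simulated unreadable sector")
        return self.f.read(n)

    def seek(self, pos):
        return self.f.seek(pos)


def image_device(src, dst_path, block=BLOCK):
    """Forensic duplication: copy the byte stream block by block, hashing the
    bytes as they are written.  An unreadable block is zero-filled and its
    offset reported (dd conv=noerror,sync behaviour), so the recorded hash
    covers exactly what is in the image and the gaps are documented."""
    sha, md5, bad, offset = hashlib.sha256(), hashlib.md5(), [], 0
    with open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block)
            except OSError:
                bad.append(offset)
                src.seek(offset + block)          # skip the bad block
                chunk = b"\x00" * block
            if not chunk:
                break
            dst.write(chunk)
            sha.update(chunk)
            md5.update(chunk)
            offset += len(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest(),
            "size": offset, "bad_offsets": bad}


def hash_file(path, algo="sha256", block=BLOCK):
    """Independent re-read of a file, used to check a copy against the logged value."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def run_acquisition(workdir=None, tag="CASE-0001-T01", who="custodian"):
    """Whole procedure on constructed data: inventory -> image -> log -> verify -> working copy."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    log = EvidenceLog()
    rng = random.Random(1)                                  # constructed "suspect drive"
    source = os.path.join(workdir, "suspect_drive.bin")
    with open(source, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(16 * BLOCK)))
    log.record(tag, "inventoried", who, "suspect drive, photographed and labelled")

    best = os.path.join(workdir, "best_evidence.img")
    with open(source, "rb") as f:
        acq = image_device(FlakyReader(f, bad_at=3 * BLOCK), best)
    log.record(tag, "acquired", who, f"sha256={acq['sha256']} md5={acq['md5']} "
               f"size={acq['size']} unreadable_offsets={acq['bad_offsets']}")

    best_ok = hash_file(best) == acq["sha256"]              # stored image matches the log
    log.record(tag, "verified", who, f"best evidence sha256 match={best_ok}")

    working = os.path.join(workdir, "working_copy.img")     # analysis happens here only
    shutil.copyfile(best, working)
    working_ok = hash_file(working) == acq["sha256"]
    log.record(tag, "working copy created", who, f"sha256 match={working_ok}")

    tampered = os.path.join(workdir, "tampered.img")        # one altered byte: must fail
    shutil.copyfile(best, tampered)
    with open(tampered, "r+b") as f:
        f.seek(5 * BLOCK + 17)
        orig = f.read(1)
        f.seek(5 * BLOCK + 17)
        f.write(bytes([orig[0] ^ 0x01]))
    tampered_ok = hash_file(tampered) == acq["sha256"]

    return {"acquisition": acq, "best_verified": best_ok, "working_verified": working_ok,
            "tampered_verified": tampered_ok,
            "source_matches_image": hash_file(source) == acq["sha256"], "log": log.entries}


if __name__ == "__main__":
    r = run_acquisition()
    for e in r["log"]:
        print(e["time"], e["tag"], e["action"], "by", e["by"], "|", e["details"])
    print("best verified:", r["best_verified"], "working verified:", r["working_verified"],
          "tampered verified:", r["tampered_verified"])
```

Note that the hash recorded at acquisition is the hash of the image as written, not of the original drive, whenever unreadable blocks were zero-filled; that is why the log entry lists the offsets, so that a later examiner can explain the difference rather than discover it.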

Evidence Handling Procedures
• Before examining the contents of a hard drive, record information about the computer system.
• Take digital photographs of the system and of the media that is being duplicated.
• Fill out an evidence tag for the original media and/or for the forensic duplicate.
• Label all media appropriately with an evidence label.

Evidence Handling Procedures
• Store the best evidence copy in the evidence locker.
• An evidence custodian enters a record of the best evidence into the evidence log.
• Each access to the best evidence is also entered into the log.
• All examinations are performed on a forensic copy, the working copy, never on the best evidence itself.

Evidence Handling Procedures
• An evidence custodian ensures that backup copies of the best evidence are created.
• An evidence custodian ensures that all disposition dates are met. The dates are assigned by the principal investigator.
• An evidence custodian performs a monthly audit to ensure that all of the best evidence is present, properly stored, and labeled.

Evidence Handling Procedures: Evidence System Description
Describe:
• Location.
• Individuals:
  • Who occupies the room or office where the original evidence was found.
  • Who has access to it.
  • Who can actually use it.
  • Who is present.

Evidence Handling Procedures: Evidence System Description
• Location of the system in the room.
• State of the system:
  • Powered on/off.
  • Data on screen.
  • Time/date of the system BIOS (note its offset from a trusted clock).
  • Network connections.
• Serial numbers, make etc. of hard drives and peripherals.
• Peripherals attached to the system.

Evidence Handling Procedures: Digital Photos
• Used:
  • For protection against unwarranted claims.
  • To ensure the system can be returned to the exact state it was in prior to forensic duplication.
  • To capture the current configuration.
  • For investigative hints.
• Label photos clearly and make log entries for the pictures taken.

Evidence Handling Procedures: Evidence Tags
• Need to satisfy federal and state guidelines.
• Contain information on:
  • Place and person from whom the item was received.
  • Whether the item requires consent to search.
  • Description of the item; if the item is a storage device, what is contained on it.
  • Date/time when taken.
  • Full name and signature of the individual initially receiving the evidence.
  • Case and tag number related to the evidence.

Evidence Handling Procedures: Evidence Labels
• Label physical items, e.g. the suspect hard drive, with:
  • Case number and evidence tag number.
  • Date and time the evidence was collected.
  • A brief description of the items contained within the envelope.

Evidence Handling Procedures: Evidence Pouch
(image-only slides showing the evidence pouch and labelling; no slide text)

Evidence Handling Procedures: Evidence Storage
• The investigator needs to maintain positive control of the evidence at all times.
• Evidence protection includes protection against the environment, such as electromagnetic fields.

Evidence Handling Procedures: Evidence Log
• Every time evidence is accessed, log:
  • Evidence tag number.
  • Date.
  • Action taken.
  • Consultant performing the action.
  • Identifying information on the action.
  • Audits.

Evidence Handling Procedures: Evidence Disposition
• Initial disposition: analysis and case finished.
  • Working copies are no longer needed.
  • Only the backup might still be needed.
• Final disposition: backups are no longer needed.

Evidence Handling Procedures: Audits
• Labs should get certified for their procedures.
• Internal audit to:
  • Ensure compliance with internal standards by reviewing evidence locker access log forms.
  • Perform an inventory.
  • Check disposition requirements.
  • Perform checks for needed backups.
  • Review case folders.

Data Analysis
• Develop the goal of the investigation and stick to it.
• The analyst should make and state findings.
• An analyst who offers opinions is an expert witness.

Data Analysis
• More art than science.
• Feedback loop with the investigator.
• Needs accurate documentation: the analyst needs to be able to testify months after the analysis.
• Findings need to be repeatable.

Report
• Report all steps in the investigation:
  • Immediately.
  • Clearly.

Testify

Report
• Accurately describe the details of an incident.
• Be understandable to decision makers.
• Be able to withstand a barrage of legal scrutiny.
• Be unambiguous and not open to misunderstanding.

Report
• Be easily referenced (Bates numbers: sequential identifiers stamped on every page of the production).
• Contain all the information required to draw conclusions.