On-Scene Triage of Electronic Evidence (187 slides)
On-Scene Triage
• Identification of electronic evidence
• Identifying wireless networks
• Capturing volatile data pt. 1 – RAM dumps
• Encryption
• On-scene imaging of electronic data
• Capturing volatile data pt. 2 – Router interrogation
• Seizure/transportation/storage
Identification of Electronic Evidence
What is “electronic evidence”?
• Items of interest in a criminal investigation which contain evidence in the form of electronic data
• Computers
• External storage media
• Mobile devices
• Gaming devices
• Networking devices
• Navigation devices
• Etc.
Computers • Desktop • Laptop
Desktop computers
iMac all-in-one
All-in-one PCs
Mac Mini
Laptop PC
MacBook laptop
Netbooks
Internal hard drives
IDE vs. SATA
Internal drive dock
External Drives
Multi-drive externals
Other externals
Network Attached Storage (NAS)
USB flash media
Some “different” ones
Would you seize this?
These, however, are not storage devices
Media • Floppy Disk/Zip/Jaz/SuperDisk • CD/DVD • Flash media cards
Floppy Disks
Zip disks
Jaz drives
SuperDisk
CD/DVD
Do we need to seize these? How About this?
Flash media cards
Let’s say I’m serving a search warrant for files such as documents, spreadsheets, etc. Is this something I should be interested in?
Mobile devices • Cell phones • Tablets • PDAs
Cell Phones
Smartphones
And what do a lot of phones have in them?
Tablets
PDAs
Gaming devices
Media players
Networking devices
GPS
Printers/Copiers
Accessories/Supplemental Devices • Chargers • Manuals • Software
Do I need to take everything? • Short answer: yes • Longer answer: maybe not
Why should I take everything? • You may need to recreate the suspect’s system, for court or analysis • Forfeiture • To make it more difficult for him to continue/renew criminal activity • Some devices may be specialized and/or rare/obsolete; your examiner may be unable to complete the exam without them
Why should I not take everything? • Much of it will not be useful in your investigation • You may just end up returning it later • It will fill up your evidence room and really annoy your evidence custodian
A word of caution: • We cannot seize computers, etc., from a business or an individual that needs that equipment for employment or business activity, and not provide the business or individual access to the (non-contraband) data he needs.
Additionally: • We cannot seize data that is “work product” from journalists, authors, artists, etc., and not give them access to the (non-contraband) data.
So we’ve got a warrant, and we know what electronic evidence looks like. Now what? First, some general guidelines/principles to be aware of…
• At the scene officer safety is the number one priority. Make sure you have enough manpower to secure the scene. If your bad guy isn’t home, don’t cut everyone loose while you search the house. Remember, some of the crimes we are talking about will result in these people going to jail for a long, long time; they may act foolishly.
• Also with regard to officer safety, be aware of what brought you there. A lot of computer evidence relates to crimes such as child porn. Do not touch the keyboard without gloves. Don’t take home something you don’t want.
• Do not let the suspect, witness or anyone else access the devices (for example, to enter a password for you, or show you where a file is located) • This includes you; don’t sit down at the keyboard and “look around”
• Be aware that it is not always possible for items to be seized and removed from the scene for examination.
• If things look really complicated, or something about the situation makes you nervous, call for help. Electronic evidence that is seized incorrectly can be lost forever. There is no shame in asking for help from a specialist. Trust your instincts.
• Get a good interview with the bad guy while you are at the scene. He may be willing to tell you things that will help you. • Encryption keys • Locations of files • Confession
Can I just shut it down?
• NOT YET!!
• We need to document what is going on
• We need to determine if data is encrypted
• We need to determine if any volatile data needs to be captured
• Once the scene is secured, before we start fiddling around with the evidence, take photographs to document everything.
Documentation • Why do we care what the computer is doing when we arrive? • Chatting • Downloading • Opened files which may not be saved • System date and time
What happens to this unsaved document if I just yank the plug? Is there any way to preserve this evidence?
• We can testify to the jury about what was going on when we arrived, and what we subsequently discovered during the examination, but a picture has a lot more impact with them. • Document, document
Before we get started… • One of the tools we are going to use in a lot of the following procedures is FTK Imager Lite • Let’s get it set up
First, let’s prepare our media • Most thumb drives will be formatted with a FAT file system by default. THIS WILL NOT WORK ON NEWER SYSTEMS! • FAT has a 4 GB file size limit • How do we change that?
• So let’s re-format it with an NTFS file system, which will handle files larger than 4 GB.
FTK Imager Lite • Free download • We want the “Lite” version
FTK Imager Lite • The download is a .zip file • Unzip it to your thumb drive/external drive • Create a folder on the drive to direct your output to
• We’ll talk about the other tools as we go along
Identifying Wireless Networks
Identifying wireless networks • Why do we need to? • Do we need a specialized device?
• Note: prior to using the following techniques, you need to “sterilize” your equipment by forgetting all the stored networks, so that the device will not automatically connect to the router if it recognizes its SSID.
• Using your laptop’s wifi utility, locate the suspect network – it will give the name, and indicate whether or not it is secured
• You can also use the wifi utility in your phone or tablet, if so equipped
• There are also mobile apps which will give us info about the wireless network to which the device is connected
• Things change quickly in the world of computer technology • We must be willing to adjust our methods accordingly
Encryption
Encryption • Encryption vs. password • Can we access the encrypted data?
Encryption • Quality encryption is readily available to non-geeks • BitLocker • EFS • TrueCrypt • Free* • User friendly
• What can we, as examiners do with files or disks that are encrypted, if we don’t know the key?
• What can we, as examiners do with files or disks that are encrypted, if we don’t know the key? - NOTHING
Some common types of encryption
• Full disk encryption – entire physical or logical disk
  • Can be software or hardware based
  • Files or systems in use are not protected
  • Files at rest are protected
  • Protects against situations like laptop theft, etc.
  • PGP, BitLocker, FileVault, some hard drives
Some common types of encryption • Filesystem-level encryption – Individual files or folders are encrypted • Can add further security to a fully encrypted disk • Metadata, such as file names, sizes, timestamps, and directory structure are not encrypted • EFS is a filesystem-level encryption
BitLocker • BitLocker is included in the Ultimate and Enterprise versions of Vista, 7 and 8 • BitLocker is full disk encryption
BitLocker
Here’s how a BitLocker encrypted drive appears in Windows Explorer
• Some versions of Windows also allow us to encrypt files or folders using EFS (encrypting file system) • Drive must be formatted NTFS (most thumb drives are not)
Now the encrypted files and folders will be green in Windows Explorer
TrueCrypt • TrueCrypt WAS a free on-the-fly encryption utility which could be used to encrypt an entire physical or logical disk, or to create an encrypted container • As of May 28, 2014, TrueCrypt is no longer supported or maintained, and advised its users to find other solutions
Does this mean we will no longer encounter TrueCrypt?
TrueCrypt • Using TrueCrypt, we can either encrypt the whole drive, or we can create an “encrypted container” • We select how large we want the container to be, and what the encryption key will be
Here is an attempt to open a previously created encrypted TrueCrypt container; note that the OS doesn’t know what to do with it.
Now, we assign a vacant drive letter to the soon-to-be decrypted container, direct TrueCrypt to the container we had previously created, and tell it to mount the container…
TrueCrypt prompts us to enter the encryption key.
And TrueCrypt decrypts and mounts the container, making it available to us.
And we can now access the decrypted contents.
• So, if we encounter a computer and are aware that TrueCrypt is running… …it behooves us to secure that encrypted data prior to shutdown (we’ll discuss how shortly).
• So, now that we’re sufficiently convinced that our bad guy has convenient choices for encrypting his stuff, what do we do?
Encryption detection • Tools are available which will assist us in detecting if encryption is present • FTK Imager Lite • osTriage • CryptHunter • None are perfect (but, on the positive side, all are free!)
Before we start… • In order to run these tools, we have to insert a thumb drive into a running suspect system • Are we changing data? • Is this a problem?
• We add our evidence item • And then check for encryption
Here is FTK Imager looking at the thumb drive containing the EFS encrypted files
If we drill down to the files on the drive, we see the key icon next to them, indicating that they are EFS encrypted
• Great; problem solved, Right? …not so fast.
Here are our other two thumb drives, one encrypted with BitLocker and one encrypted with TrueCrypt
• FTK Imager only detects EFS encryption • Is that good enough?
Let’s try it with osTriage
2 out of 3
• “osTriage currently detects TrueCrypt, BestCrypt, PGP, and Bitlocker” • osTriage Manual
Those same three drives as seen by CryptHunter
What’s the moral of the story? • None of the tools are perfect • You may need to use more than one • You need to evaluate your suspect and your scene, and don’t rely solely on the tools
Capturing Volatile Data pt. 1 RAM Dumps
Volatile Data • What exactly are we talking about? • Memory that will lose its contents if power is removed • RAM • Router memory
RAM – Random Access Memory • Data can be written and read in the same amount of time regardless of what order the data is stored in • By contrast, with direct access memory (hard drives, CDs, etc.) data read and write speeds depend on the physical location of the data on the medium
• RAM is memory available to the operating system and programs for processing and functioning, not storage
What is a pagefile? • In most systems, a portion of the computer’s hard drive space is set aside as “virtual RAM” to extend the RAM capacity of the system • Results in additional (although slower) RAM; data is swapped back and forth from this pagefile (also called a swap file sometimes) to the RAM
RAM – Random Access Memory • Data is stored as electrical impulses which disappear when power is removed • Everything present must, therefore, have been created since the computer was turned on
• Remember, this is memory that will lose its contents if power is removed • We can’t seize these items, take them back to our office and examine them there – it must be done on-scene, or it’s gone forever
Things to remember • You can’t put 8 GB of RAM on a 4 GB thumb drive (or an 8 GB thumb drive, for that matter) • This is called a memory “dump” for a reason • You are making changes to the system
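Two of the warnings above (FAT’s 4 GB file limit from the media-preparation slide, and RAM that will not fit on the thumb drive) can be checked before the dump is started. The following is an added example, not part of the original slides and not FTK Imager code; the 5 % headroom figure and the assumption that the pagefile is the size of RAM are mine.

```python
"""Pre-flight check for the thumb drive that will receive a RAM dump.

Added example; it is not part of the original slides and not FTK Imager
code. It encodes two warnings from the slides: a FAT-formatted drive
cannot hold a file larger than 4 GB, and the drive needs room for the
RAM image plus the pagefile.
"""
import os
import shutil
import sys
from dataclasses import dataclass

GIB = 1024 ** 3
FAT32_MAX_FILE = 4 * GIB - 1   # largest single file FAT32 can store
HEADROOM = 0.05                # assumed 5 % margin for the imager's own log files


@dataclass
class Target:
    filesystem: str   # "FAT32", "exFAT", "NTFS", ... as shown by the OS
    free_bytes: int   # free space on the drive


def check_dump_target(ram_bytes: int, pagefile_bytes: int, target: Target) -> list[str]:
    """Return the problems found; an empty list means the drive is usable."""
    problems = []
    fs = target.filesystem.upper()
    largest_file = max(ram_bytes, pagefile_bytes)
    if fs.startswith("FAT") and largest_file > FAT32_MAX_FILE:
        problems.append(
            f"{fs} cannot hold a {largest_file / GIB:.1f} GiB file; reformat the drive as NTFS"
        )
    needed = int((ram_bytes + pagefile_bytes) * (1 + HEADROOM))
    if target.free_bytes < needed:
        problems.append(
            f"need about {needed / GIB:.1f} GiB free, drive has {target.free_bytes / GIB:.1f} GiB"
        )
    return problems


def local_ram_bytes() -> int:
    """Physical RAM of the machine this runs on (Win32 API on Windows, sysconf elsewhere)."""
    if sys.platform == "win32":
        import ctypes

        class MemoryStatusEx(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong)] + [
                (name, ctypes.c_ulonglong)
                for name in ("ullTotalPhys", "ullAvailPhys", "ullTotalPageFile",
                             "ullAvailPageFile", "ullTotalVirtual", "ullAvailVirtual",
                             "ullAvailExtendedVirtual")
            ]

        status = MemoryStatusEx()
        status.dwLength = ctypes.sizeof(MemoryStatusEx)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(status))
        return status.ullTotalPhys
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")


if __name__ == "__main__":
    # Usage: python ramdump_check.py E:\ NTFS   (path and filesystem of the thumb drive)
    drive, fs_name = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else (".", "NTFS")
    ram = local_ram_bytes()
    target = Target(fs_name, shutil.disk_usage(drive).free)
    # Pagefile assumed equal to RAM, a common default; check the real figure on scene.
    for line in check_dump_target(ram, ram, target) or ["target looks usable"]:
        print(line)
```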
FTK Imager Lite
Select the Browse button
Direct it to a prepared folder on your thumb drive
Rename it And don’t forget to capture the pagefile, too
Capture Memory
…and wait
Until you see:
Hit the close button:
In your “Acquired Data” folder
Now? • We examine the dump using a forensic tool, such as EnCase or FTK • Let’s take a look at some things we found in a sample RAM dump…
• First, let’s look at what I did before I dumped the RAM…
I mounted a TrueCrypt volume…
I did a search for tips on poisoning my wife…
And I typed a note to a friend…
• Can we find any sign of these activities in our RAM dump?
Loaded into EnCase…
How about our TrueCrypt key? • In plain text! (and it actually appears four times in the dump)
Our threatening note (that was never saved)
Our Google Search
• Lots of good data may be available to us in the RAM dump • We can’t seize it and examine it later
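The kind of search the examiner runs over a dump like the one above, as an added example that is not part of the original slides and not EnCase or FTK output: it scans a memory image for a known string in both ASCII and UTF-16LE and reports each hit with its offset. The dump and the passphrase are constructed; the four planted copies mirror the slides’ finding that the key appeared four times.

```python
"""Locate a known string in a memory dump in both encodings Windows uses.

Added example; not from the original slides and not EnCase or FTK output.
Text typed into a Windows dialog is usually held in memory as UTF-16LE,
while the same text saved by a program is often plain ASCII, so a search
that only looks for ASCII bytes can miss copies of a passphrase.
"""
import re
from dataclasses import dataclass


@dataclass
class Hit:
    offset: int
    encoding: str
    context: bytes        # bytes around the hit, for the examiner's report


def search_dump(dump: bytes, needle: str, encodings=("ascii", "utf-16-le"),
                context: int = 16) -> list[Hit]:
    """Return every occurrence of `needle`, in offset order, for each encoding."""
    hits = []
    for encoding in encodings:
        for m in re.finditer(re.escape(needle.encode(encoding)), dump):
            start, end = max(0, m.start() - context), min(len(dump), m.end() + context)
            hits.append(Hit(m.start(), encoding, dump[start:end]))
    return sorted(hits, key=lambda h: h.offset)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM image: deterministic filler with a sample
    passphrase planted four times, as the slides' dump held the TrueCrypt key."""
    key = "correct horse battery"                         # constructed sample passphrase
    filler = bytes((i * 37) % 256 for i in range(512))    # cannot contain the key
    return b"".join([
        filler,
        key.encode("ascii"), filler[:300],      # e.g. a copy written by a program
        key.encode("utf-16-le"), filler[:200],  # e.g. the password box of a GUI
        key.encode("utf-16-le"), filler[:100],
        key.encode("ascii"),
    ])


if __name__ == "__main__":
    dump = build_sample_dump()
    for hit in search_dump(dump, "correct horse battery"):
        print(f"offset {hit.offset:#010x} {hit.encoding:10s} {hit.context!r}")
    # An ASCII-only search finds just two of the four copies.
    print(len(search_dump(dump, "correct horse battery", encodings=("ascii",))))
```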
On-Scene Imaging
On-scene Forensic Imaging • First, what is a forensic image? • What tools do we use to create them? • And in what situations would we need to create them on-scene?
FTK Imager Lite • There are several tools which can create images of different formats • FTK Imager Lite is the one we recommend • Industry standard from industry leader AccessData • Fast, reliable • FREE!
FTK Imager Lite • Some considerations…
• How big is the source drive?
• How big is the target drive?
• How much time do you have?
Here is the icon for creating an image…
FTK Imager Lite • In most situations, we are going to be creating images of physical drives
FTK Imager Lite • Now, we select the drive we are going to create an image of • What’s that second listed drive?
What do these mean?
Very Important
• And then turn it loose… • …and wait
FTK Imager Lite • What are we going to do with the resulting image? • Examining the image is a more advanced, complex, and time-consuming procedure • But we have preserved the evidence, and made sure that it is available to our examiner
Capturing Volatile Data pt. 2 Router Interrogation
Router Interrogation • This is a brief overview of the process of router interrogation, not a detailed tutorial • Before trying this at a scene, seek further training, and practice, practice
How do we connect to the router? • First, disconnect the router from the internet (i.e., “the outside world”)
How do we access a router? • First, we need to attach our laptop to the router via one of the LAN ports • Then, we need to know the IP address and username/password for the router • This is not the internet username and password
Why don’t we connect wirelessly? • So we can say for sure we connected to the correct device – what if there are several wifi networks in range? • We need a password to connect to a secured network via wifi, but not via direct physical connection
Now, we type the IP address into a web browser, and enter the username/password.
Router Log
DHCP Client List
• Did we make any changes to the data contained in this router? • Entry in DHCP client list for our machine • Entry in log for administrative access • Did we just screw up our case?
• There is a lot of other interesting information contained in the router – security settings, date/time, filtering data, etc. – that may be valuable to your investigation • If this is something that interests you, get more training, and practice
Seizing Electronic Evidence
Operating system • The method we will use to shut down the computer will be determined by the operating system • Windows (server?) • Linux • Mac OS
• If the computer is turned off, leave it off • If the computer is on, but the screen is blank, move the mouse to wake it up
How can you tell what the OS is? • Most of us are familiar with the general look of a Windows machine
What does Linux look like?
How about Mac OS?
Windows • If it is a Windows machine, and is not Windows Server, pull the plug from the back of the machine. • Why not the wall? • How about a laptop?
Windows Server • If it is Windows Server, turn the computer off using the appropriate commands.
Linux • Turn the computer off using appropriate commands.
Mac OS • Turn the computer off using appropriate commands.
• Once it’s off, label the cords as you remove them from the back of the machine, and label the ports to which those cords are attached.
Mobile devices – isolate? • Why would we want to isolate a mobile device from the network? • Prevent changes to the data • Protect evidence • Ensure we are in compliance with our warrant
• Why would we not want to isolate a mobile device from the network? • Prevent device from locking us out • Prevent rapid battery drain
Low-tech options • Remove the battery? • Pros: easy, cheap and takes no skill • Cons: Some batteries can’t be removed (iPhone) and it may also activate the PIN. • Airplane mode? • Pros: cheap, and effective • Cons: You are changing data. Can you successfully turn on airplane mode without accidentally screwing something up? Does airplane mode disable wifi access?
Other options • Faraday bags • Foil • Signal jammers?
I am not going to tell you how you should do it. The bottom line is that you should develop an SOP and stick to it… …and don’t be afraid to break it (as long as you can explain why you did).
Now it’s off; what do we do with it? • Transport it in the car like a person; put a seatbelt on it • Keep it in the position in which it was found
• Keep it away from: • Heat • Cold • Water • Magnetic fields
Once it’s back at your station:
• Package it in two containers:
  • Items that will be examined: computers, mobile devices, media, external devices
  • Items that will not be examined: monitors, keyboards, mice, speakers
Accurately label the items • Make, model, serial number • Do cell phones have serial numbers? • MEID/ESN • IMEI • Do Dell computers have serial numbers? • Service tag
Some final thoughts… • Evidence that is not seized cannot be examined • Don’t be afraid to make (justifiable) changes to the data • Don’t be afraid to ask for help or advice • Most importantly, be careful