Best Practices for Computer Forensics in the Field

Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity during investigations. Success is principled upon verifiable and repeatable reported results that represent direct evidence of suspected wrong-doing or possible exoneration. This article establishes a series of best practices for the computer forensics practitioner, representing the best evidence for defensible solutions in the field. Best practices themselves are intended to capture those processes that have repeatedly shown to be successful in their use. This is not a cookbook. Best practices are meant to be reviewed and applied based on the specific needs of the organization, the case and the case setting.

Job Knowledge

An examiner can only be so informed when they walk into a field setting. In many situations, the client or the client’s representative will provide some information about how many systems are in question, their specifications, and their current state. And just as often, they are critically wrong. This is especially true when it comes to hard excursion sizes, cracking laptop computers, password hacking and device interfaces. A seizure that brings the equipment back to the lab should always be the first line of defense, providing maximum flexibility. If you must perform onsite, create a comprehensive working list of information to be collected before you hit the field. The list should be comprised of small steps with a checkbox for each step. The examiner should be completely informed of their next step and not have to “think on their feet.”

Overestimate

Overestimate effort by at the minimum a factor of two the amount of time you will require to complete the job. This includes accessing the device, initiating the forensic acquisition with the proper write-blocking strategy, filling out the appropriate paperwork and chain of custody documentation, copying the acquired files to another device and restoring the hardware to its initial state. Keep in mind that you may require shop manuals to direct you in taking apart small devices to access the excursion, creating more difficulty in accomplishing the acquisition and hardware restoration. Live by Murphy’s Law. Something will always challenge you and take more time than expected — already if you have done it many times.

Inventory Equipment Most examiners have enough of a variety of equipment that they can perform forensically sound acquisitions in several ways. Decide ahead of time how you would like to ideally carry out your site acquisition. All of us will see equipment go bad or some other incompatibility become a show-stopper at the most basic time. Consider carrying two write blockers and an additional mass storage excursion, wiped and ready. Between jobs, make sure to verify your equipment with a hashing exercise. Double-Check and inventory all of your kit using a checklist before taking off.

Flexible Acquisition

Instead of trying to make “best guesses” about the exact size of the client hard excursion, use mass storage devices and if space is an issue, an acquisition format that will compress your data. After collecting the data, copy the data to another location. Many examiners limit themselves to traditional acquisitions where the machine is cracked, the excursion removed, placed behind a write-blocker and acquired. There are also other methods for acquisition made obtainable by the Linux operating system. Linux, booted from a CD excursion, allows the examiner to make a raw copy without compromising the hard excursion. Be familiar enough with the time of action to understand how to collect hash values and other logs. Live Acquisition is also discussed in this document. Leave the imaged excursion with the attorney or the client and take the copy back to your lab for examination.

Pull the Plug

Heated discussion occurs about what one should do when they encounter a running machine. Two clear choices exist; pulling the plug or performing a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to avoid allowing any sort of malevolent course of action from running that may delete and wipe data or some other similar pitfall. It also allows the examiner access to create a snapshot of the swap files and other system information as it was last running. It should be noted that pulling the plug can also damage some of the files running on the system, making them unavailable to examination or user access. Businesses sometimes prefer a clean shutdown and should be given the choice after being explained the impact. It is basic to document how the machine was brought down because it will be absolutely basic knowledge for examination.

Live Acquisitions

Another option is to perform a live acquisition. Some define “live” as a running machine as it is found, or for this purpose, the machine itself will be running during the acquisition by some method. One method is to boot into a customized Linux ecosystem that includes enough sustain to grab an image of the hard excursion (often among other forensic capabilities), but the kernel is alternation to never touch the great number computer. Special versions also exist that allow the examiner to leverage the Window’s autorun characterize to perform Incident Response. These require an progressive knowledge of both Linux and experience with computer forensics. This kind of acquisition is ideal when for time or complexity reasons, disassembling the machine is not a reasonable option.

The Fundamentals

An amazingly brazen oversight that examiner’s often make is neglecting to boot the device once the hard disk is out of it. Checking the BIOS is absolutely basic to the ability to perform a fully-validated examination. The time and date reported in the BIOS must be reported, especially when time zones are an issue. A high variety of other information is obtainable depending on what manufacturer wrote the BIOS software. Remember that excursion manufacturers may also hide certain areas of the disk (Hardware Protected Areas) and your acquisition tool must be able to make a complete bitstream copy that takes that into account. Another meaningful for the examiner to understand is how the hashing mechanism works: Some hash algorithms may be preferable to others not necessarily for their technological soundness, but for how they may be perceived in a courtroom situation.

Store Securely

Acquired images should be stored in a protected, non-static ecosystem. Examiners should have access to a locked safe in a locked office. Drives should be stored in antistatic bags and protected by the use of non-static packing materials or the original shipping material. Each excursion should be tagged with the client name, attorney’s office and evidence number. Some examiners copy excursion labels on the copy machine, if they have access to one during the acquisition and this should be stored with the case paperwork. At the end of the day, each excursion should link up with a chain of custody document, a job, and an evidence number.

Establish a Policy

Many clients and attorneys will push for an immediate acquisition of the computer and then sit on the evidence for months. Make clear with the attorney how long you are willing to continue the evidence at your lab and charge a storage fee for basic or largescale jobs. You may be storing basic evidence to a crime or civil action and while from a marketing perspective it may seem like a good idea to keep a copy of the excursion, it may be better from the perspective of the case to return all copies to the attorney or client with the appropriate chain of custody documentation.

Conclusion

Computer examiners have many choices about how they will carry out an onsite acquisition. At the same time, the onsite acquisition is the most volatile ecosystem for the examiner. Tools may fail, time constraints can be harsh, observers may add pressure, and suspects may be present. Examiners need to take seriously the maintenance of their tools and development of current knowledge to learn the best techniques for every situation. employing the best practices herein, the examiner should be prepared for almost any situation they may confront and have the ability to set reasonable goals and expectations for the effort in question.

Leave a Reply