Evidence Preservation

Before you can prove that you maintained the integrity of data you present as evidence, you must prove that you maintained the integrity of the hardware that contains the data. From the beginning of your investigation, you must take precautions, and document those precautions, to protect the hardware.

The main goal of evidence preservation is to ensure that absolutely no changes have taken place since the evidence was collected. Your collection and handling procedures will be examined. Take all necessary precautions to protect collected evidence from damage that might change its state. Static discharge is a significant concern. You must bring static protection devices with you to each investigation. Use them, and make notes to explain the steps you take to avoid inadvertent damage.

You will have to address several concerns throughout your investigation. Do not handle any evidence until you are absolutely sure you can legally acquire the evidence and that the collection and analysis process will not change that evidence. The following sections cover some of the general issues regarding evidence preservation.

Pull the Plug or Shut It Down?

One of the classic debates in computer forensic circles is the correct approach to handling a live system. If the computer system in question is operating when you approach it, should you turn it off? The question becomes more pronounced when you are brought in as part of an incident response team during an ongoing attack. Before you switch into investigator mode, you need to limit the extent of the damage. However, disconnecting the computer from the network or power supply can damage or destroy crucial evidence.

Let’s assume you want to “freeze” the system as it is and immediately halt all processing. You can accomplish this by literally pulling the power plug out of the wall (or pulling it from the back of the computer). Removing power immediately stops all disk writes, but it destroys anything in memory. Such an abrupt crash could also corrupt files on the disk. You may find that the very file you want to use as evidence has been corrupted by the forced crash.

One client once unknowingly tested their disaster recovery plan in a very real way. Early one morning, the UNIX computer that hosted the company’s central database had the power cord pulled from the back of the computer. When power was restored, the file system detected one file that was hopelessly corrupted and promptly deleted it. Unfortunately, that file was a core database file, so the client lost their entire database. Fortunately, the backup process had been completed only 15 minutes prior to the crash, and no data had been entered afterward. Although newer operating systems tend to behave less destructively, be aware that a sudden loss of power can produce negative results.

On the other hand, you may want to perform a proper system shutdown. Although shutting a system down protects any files from accidental corruption, the shutdown process itself writes many entries to activity log files and changes the state of the evidence. Further, a suspect computer could run procedures that cleanse log files on shutdown. Thus, a proper shutdown might wipe out crucial evidence.

A third option is to leave the system up and running. Several of the popular computer forensic software suites support live forensics. With a small footprint, these tools allow you to take a snapshot of the entire system, including memory and disks, while it is still running. The easiest way to do this is to install the small monitor program on the computer prior to any incidents. Of course, this approach only works if you have a manageable number of workstations and you have the authority to install such programs. This is possible in an environment where the organization owns the hardware and can dictate what software is loaded. If you are fortunate enough to deploy forensic software on all of the computers in your organization, the forensics process can be greatly simplified.

You can still run live forensics even if you have had no previous access to the computer. One common way to do this is to carry the required forensic software on a USB drive. You can run the forensics directly from the USB drive, and save any output to that drive as well. This option gives you the ability to take a snapshot of the live system without changing its state. The availability of large-capacity USB drives that fit on a key ring makes it possible to carry your entire tool set with you inconspicuously wherever you go.
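A live-response collection of the kind the USB-drive approach above describes, written as an added bash script that is neither the book’s nor any vendor’s product. The command list, the case directory layout and the manifest format are assumptions. Anything executed on a live system leaves some trace (the operating system logs the USB insertion, each command occupies memory), so the manifest records exactly what was run, when, and the hash of what came back, which is what you will be asked to account for later:

```shell
#!/usr/bin/env bash
# Added example: collect volatile state from a live system into a case
# directory on the examiner's own drive (assumed path, e.g. /media/usb/case0001),
# hashing each output file as it is written.

# Read-only queries only. The list is an assumption; extend it per policy.
COLLECTORS="date -u
uname -a
id
ps -ef
df -P
mount"

hash_file() { sha1sum "$1" | cut -d' ' -f1; }

# Runs every collector, writes one file per command and appends a manifest
# line: UTC timestamp, SHA-1 of the output file, file name, command.
# Prints the SHA-1 of the finished manifest, which goes into the examiner's notes.
collect_live() {
    out="$1"
    mkdir -p "$out"
    manifest="$out/manifest.txt"
    : >"$manifest"
    n=0
    printf '%s\n' "$COLLECTORS" | while IFS= read -r cmd; do
        n=$((n + 1))
        name=$(printf '%02d_%s' "$n" "${cmd%% *}")
        file="$out/$name.txt"
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            # A failing command is still evidence: record its exit status
            # instead of dropping it. ($cmd is word-split on purpose.)
            $cmd >"$file" 2>&1 || echo "exit status $? recorded" >>"$file"
        else
            echo "command not available on this system: $cmd" >"$file"
        fi
        printf '%s  %s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$(hash_file "$file")" "$name.txt" "$cmd" >>"$manifest"
    done
    hash_file "$manifest"
}

# Re-hashes every collected file against the manifest. Prints each mismatch
# and returns 0 only if all files still match.
verify_collection() {
    out="$1"; bad=0
    while read -r _ts digest name _cmd; do
        if [ "$(hash_file "$out/$name")" != "$digest" ]; then
            echo "MISMATCH $name"
            bad=1
        fi
    done <"$out/manifest.txt"
    return "$bad"
}

# Usage: collect_live /media/usb/case0001/live && verify_collection /media/usb/case0001/live
if [ "$#" -eq 1 ]; then
    collect_live "$1"
fi
```

Write the manifest digest into your contemporaneous notes as soon as the collection finishes; a later verify_collection run that passes ties the files on the USB drive back to that note.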

Returning to the credit card investigation scene, you need to look for the files that match the name found written on the white board. Because you carry your USB flash drive preloaded with the forensic program ProDiscover Incident Response from Technology Pathways (www.techpathways.com), all you have to do is plug in the USB drive, run the program, and begin examining the evidence.

Note

We haven’t talked about specific forensic tools at this point, but stay tuned. We cover many of the most common hardware and software tools used in computer forensic investigations in Chapter 8, “Common Forensic Tools.”

You immediately have access to the utility you need to search for the files in question. Because you can only search the suspect’s computer and not seize it, you need to search the drive without copying it first. That may sound like a strange restriction, but you’ll probably run into many interesting situations as an investigator. Now, search away!

Proving That a Forensic Tool Does Not Change the Evidence

If your investigation ends up in court, be prepared to provide evidence that the tools you use do not corrupt the evidence. That can be a tough sell if you try to prove this by yourself. An easier course is to use commercially available forensic tools that have already been accepted by courts. If in doubt, ask a local law enforcement contact which tools are accepted in local courts. If you use tools a judge has seen before, you are likely to avoid a lot of wasted time. Another valuable resource is the Computer Forensic Tool Testing (CFTT) Project from the National Institute of Standards and Technology (NIST) (www.cftt.nist.gov).

Supply Power As Needed

Some types of evidence require uninterrupted power to maintain memory contents. The most common type of hardware in this category is the personal digital assistant (PDA) and some cell phones. PDAs and cell phones can contain valuable evidence. They also come in a variety of shapes and sizes. You can find traditional hand-held PDAs, as well as PDAs that are integrated into mobile devices, wireless phones, and even wristwatches. Regardless of their design, some cell phones and PDAs share a common trait: when the power runs out, the data is lost. (Note: smartphones usually include flash memory cards where they store information, so that running out of power or a dead battery doesn’t result in data loss.)

Let’s assume you find a gold mine of information on a suspect’s PDA or cell phone. You extract the information and analyze it to find just what you were looking for. After a job well done, and after the self-congratulations, you lock up all the evidence in the evidence locker and await the assigned trial date. When your trial date arrives, you open the evidence locker and find that the battery has run out of juice. Your original evidence is gone. Well, your analysis report should still exist. You can proceed with documentation of your findings, but it would be a lot easier to show the device with the data still on it. Although you know what was there, it no longer corresponds to the device from which it was originally taken.

If you seize devices that require power to maintain data, seize their chargers as well, or be prepared to buy a charger for that device. Also be prepared to explain your actions in court. Another interesting feature of PDAs is that their very operation changes the stored data. You may have to explain to a judge or jury how PDAs keep track of current time in order to notify the user of timed events. Be careful when asked if the data in the PDA has changed since it was seized; it has. It is also highly recommended to place mobile devices and cellular phones into a product like the StrongHold Bag from Paraben Corporation (http://www.paraben.com/stronghold-bag.html) to block electronic wireless signals from reaching the devices and further changing the evidence. You simply have to explain that the evidence in question did not change.

Provide Evidence of Initial State

So, you have the system you need to analyze. How do you poke around the data and convince a judge or jury that you didn’t change anything in the process? If you’re talking about a disk drive, the answer is really quite simple. Just take a snapshot of the contents of the drive before you touch anything, and then compare the snapshot to the drive after your analysis. If they are the same, you didn’t change anything.

hash

A mathematical function that creates a fixed-length string from a message of any length. The result of a hash function is a hash value, sometimes called a message digest. Hash functions are one-way functions. That is, you can create a hash value from a message, but you cannot create a message from a hash value.

The most common method for performing a drive integrity check is to calculate a hash for the entire drive. A hash is a unique value generated for a collection of data. It is a “signature value,” which means that if any single bit in the hashed data set changes, so also will the hash value. Most forensic tool sets include a utility to calculate some kind of hash value, usually a Message Digest 5 (MD5) or Secure Hashing Algorithm Version 1.0 (SHA-1) hash value. Although other valid methods exist to generate a single value for a file, or collection of files, MD5 and SHA-1 hash values are the most common. Both algorithms examine the input and generate a single value, but SHA-1 is considered to be stronger and more mathematically secure than MD5. For either algorithm, any change to the input (in this case, an entire drive’s worth of content) will result in a different hash value.

After you ensure the physical integrity of the media (static electricity countermeasures, stable workspace, etc.) you can mount the media and access it in read-only mode. It is important that you explicitly separate suspect media from other media during any access to the data. The only safe way to ensure that nothing changes the data on the drive is to use trusted tools to access the original evidence media only once. The only reason to directly access suspect media is to copy it for later analysis.

Write Blockers

When available, use a write-blocking device to access suspect media. You can use software or hardware write blockers (see Chapter 3). Software write blockers prevent any operating system write operations from modifying the media. In essence, a software write blocker lives between the operating system and the device driver. Any requests for writes to the media are rejected.

Hardware write blockers are physical devices that sit between the drive itself and its controller card. The cable that transmits write instructions and data is physically altered to disallow any writes. The hardware write blocker is harder to bypass and is generally easier to explain in court, so you should use it instead of the software write blocker if you can.

If you have no access to either software or hardware write blockers, you can mount media in read-only mode. You will have to meticulously document the mount options you use to provide evidence to the judge or jury that you allowed no writes during analysis.

State Preservation Evidence

After you mount the suspect media, the first step you take is to create a hash. Use your own utility or a tool from your forensic tool set to create an SHA-1 or MD5 hash of the entire media. This provides a reference to the initial state of the media, and you will use this reference throughout your investigation to prove that any copies you make have the same content as the original media. After the volume is mounted and you have calculated the hash, you can create a bit-for-bit copy of the suspect media. You will perform all further actions on this copy, not on the original media.

That’s all you do with the original media. After the copy operation, discontinue access to the original. It is important that you follow these steps with each media device you analyze:

1. Mount the suspect media in read-only mode (use a write blocker when possible).

2. Calculate an SHA-1 or MD5 hash for the entire device.

3. Create a bit-by-bit copy of the media.

4. Recalculate the SHA-1 or MD5 hash for the original and for the copy: both must be identical to the original SHA-1 or MD5 hash.

5. Unmount the media and return it to the evidence locker.
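The five steps above, together with the drive integrity check described under “Provide Evidence of Initial State,” as an added bash script that is not from the book and not any forensic product’s code. Device and case paths are assumptions. HASH_TOOL defaults to sha1sum to match the text; MD5 and SHA-1 are no longer collision resistant, so current practice records a SHA-256 digest as well (set HASH_TOOL=sha256sum, or run the script once per algorithm):

```shell
#!/usr/bin/env bash
# Added example: hash the original, copy it bit for bit, prove both the
# original and the copy still carry the reference digest, and leave a log.
# Assumed paths: SRC is a write-blocked device such as /dev/sdb, DST and the
# log live on the examiner's own storage, never on the suspect media.

HASH_TOOL="${HASH_TOOL:-sha1sum}"   # sha1sum or md5sum per the text; sha256sum also works

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Stream-hash a file or block device; prints only the digest, so a
# multi-terabyte drive is never read into memory.
media_hash() {
    "$HASH_TOOL" "$1" | cut -d' ' -f1
}

# Re-hash a path and compare it with the recorded reference digest.
# Returns 0 on match, 1 on mismatch.
verify_hash() {
    expected="$1"; path="$2"
    [ "$(media_hash "$path")" = "$expected" ]
}

# Steps 2 to 4. Step 1 happens before this runs (a write blocker, or
# blockdev --setro on the device) and step 5 after it.
image_media() {
    src="$1"; dst="$2"; log="$3"
    {
        echo "$(stamp) start source=$src image=$dst tool=$HASH_TOOL examiner=${EXAMINER:-unset}"

        # Step 2: reference hash of the untouched original.
        ref=$(media_hash "$src")
        echo "$(stamp) reference_hash=$ref"

        # Step 3: bit-for-bit copy. noerror keeps reading past a bad sector,
        # sync pads that sector with zeros so every later offset stays
        # aligned; because sync pads short reads to bs, bs must equal the
        # sector size or the image would be padded. dd's own record counts
        # land in the log as part of the record.
        dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>&1 \
            || echo "$(stamp) dd_exit_status=$?"
        echo "$(stamp) copy_complete"

        # Step 4: both the original and the copy must match the reference.
        # A mismatch on the original means the read-only setup failed or the
        # media is degrading; a mismatch on the copy means the image is not
        # exact (bad sectors were zero-filled). Either needs investigating
        # before the copy is analysed.
        status=0
        if verify_hash "$ref" "$src"; then
            echo "$(stamp) original_rehash=match"
        else
            echo "$(stamp) original_rehash=MISMATCH"; status=1
        fi
        if verify_hash "$ref" "$dst"; then
            echo "$(stamp) image_hash=match"
        else
            echo "$(stamp) image_hash=MISMATCH"; status=1
        fi
        if [ "$status" -eq 0 ]; then
            echo "$(stamp) result=VERIFIED"
        else
            echo "$(stamp) result=FAILED"
        fi
    } >>"$log"
    return "$status"
}

# Usage: EXAMINER="J. Doe" image_media /dev/sdb /cases/0001/sdb.dd /cases/0001/sdb.log
if [ "$#" -eq 3 ]; then
    image_media "$1" "$2" "$3"
fi
```

Keep the log with the case file: it carries the reference digest from step 2, which is the value you will be asked to produce at trial, and the re-hash results that show the original left your hands in the state it arrived.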

Note

Take extra precautions to protect the original media and the initial hash. You will need both at the time of trial so that you can ensure that evidence you find is admissible. Even if your investigation does not go to court, being able to prove that your activities made no changes to a disk drive is helpful. You need the initial hash to substantiate that claim.

The next step in the investigative process is the most time-consuming. After you have copies of the original media, it is time to start the analysis.
