CHAPTER 5
Choosing Your Procedures
We’ll Cover
 
•   Forensic imaging methods
•   How to determine your comfort level with various methods
•   How to create standard forms and a lab manual
 
Chapter 4 discussed how to approach and prepare for your first investigation. In this chapter, you’ll learn how to decide what forensic imaging procedures (which are covered fully in Chapter 8) you are best suited to use. A wide set of established procedures and knowledge is available to you, but the choice of which you can use with the least amount of risk to your case is what this chapter is about. Your first decision, and one of the most important, is to choose which procedures you will make part of your standard practices when imaging and examining media for your investigation.
Forensic Imaging
The first step in any computer forensic examination is creating a forensic image of the media you are going to examine.
You’ll need to choose which type of forensic imaging methods you will use, such as the following:
 
•   Forensic imaging with hardware write blockers
•   Forensic imaging with software write blockers
•   Forensic imaging with dedicated devices
•   Forensic imaging of live systems
•   Forensic imaging using custom boot CD/DVDs
LINGO
A forensic image is not what most IT people think of when they think of imaging. Unlike an image made with Acronis, Norton Ghost, or other system deployment tools, a forensic image captures not only the part of the storage media in use by the system, but also the rest of the media, known as the unallocated space. The unallocated space is where deleted items reside for recovery using forensic techniques. In addition, forensic imaging requires a hash value (such as an MD5 or SHA-256 digest) that uniquely represents the data residing in the forensic image; this value allows a future examiner to detect whether even a single bit of data has been modified since the forensic image was created.
Each of these methods will create the same forensic image as an output, and all are equally valid. The method you choose will depend on which works best in your situation and your comfort level with them. Your level of confidence in explaining and defending your actions will determine which method you choose.
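As an added example (not code from the chapter or from any tool it names), the following Python shows the two properties the LINGO box describes: every byte of the source, allocated or not, is copied into the image while an acquisition hash is computed, and the image is later re-hashed to prove it is unchanged. The demo builds a constructed "drive" in a temporary directory (its file names and contents are assumptions) and then flips a single bit in the image's unallocated region to show the verification failing. Against real media you would point `image_source` at a raw device path, with administrator rights and, as the rest of this chapter insists, behind a tested write blocker.

```python
"""Forensic-style imaging: copy every byte, hash while copying, verify later."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads; imaging tools use large, sector-aligned blocks


def image_source(source_path: str, image_path: str, algo: str = "sha256") -> dict:
    """Copy all of source_path (a raw device or a file) to image_path,
    hashing on the fly. Returns byte count and the acquisition hash."""
    h = hashlib.new(algo)
    total = 0
    with open(source_path, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:            # end of media
                break
            h.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())       # make sure the image is really on disk
    return {"bytes": total, "algo": algo, "hash": h.hexdigest()}


def hash_file(path: str, algo: str = "sha256") -> str:
    """Independent re-hash of a finished image, chunked so it works on large files."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path: str, acquisition_hash: str, algo: str = "sha256") -> bool:
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path, algo) == acquisition_hash


def demo():
    """Constructed demo: a fake drive with a live file-system region followed by
    unallocated space that still holds the contents of a deleted file."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.bin")   # stand-in for /dev/sdb
        image = os.path.join(d, "evidence.dd")
        allocated = b"LIVE FILE SYSTEM DATA " * 1000
        unallocated = b"\x00" * 4096 + b"deleted_report.docx contents" + b"\x00" * 4096
        with open(source, "wb") as f:
            f.write(allocated + unallocated)

        rec = image_source(source, image)
        ok_before = verify_image(image, rec["hash"])

        # Flip one bit inside the unallocated region of the image copy;
        # the acquisition hash must no longer match.
        offset = len(allocated) + 4096
        with open(image, "r+b") as f:
            f.seek(offset)
            b = f.read(1)
            f.seek(offset)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify_image(image, rec["hash"])

        return rec["bytes"], ok_before, ok_after, len(allocated) + len(unallocated)


if __name__ == "__main__":
    print(demo())
```

The acquisition hash belongs on the form you fill out when the image is made (see "Creating Forms and Your Lab Manual" later in this chapter); re-running `verify_image` against that recorded value is the check you perform before an examination and again before testimony.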
IMHO
When I first got started in computer forensics, in 1999 (ancient history I know), we didn’t have write blockers. Instead, we had two options: we could boot up off of a DOS or Linux floppy and transfer the data over the serial or parallel port (network was available if you did crossover—we didn’t have access to a lot of RAM from DOS), or we could buy a drive duplicator. Back in those days, the drive duplicators cloned the disk sector-by-sector, meaning that the data wasn’t actually contained in an image when I was done. This is why wiping a disk before creating a clone became so important. If you didn’t wipe the disk first, old data from a prior drive might still be on the cloned drive, confusing you about what existed. We don’t have these problems today, and we have a large variety of cost-efficient solutions that we couldn’t dream of in 1999 (although I still wipe a reused drive prior to use as a part of my sanitization procedure to counter accusations of commingling of data from old cases).
Determining Your Comfort Level
So how can you determine what forensic imaging method you are best suited to defend? Answer the following questions as your guide. Get out a pencil and mark yes or no to each question. In doing so, you’ll have a quick self-assessment that will help you determine which forensic imaging method is right for you.
There is nothing stopping you from using all of the following methods. What you will want to do is try those that you are most comfortable with and use the method(s) with which you have achieved the most amount of success. Over time, your comfort level will grow and you can revisit methods that may have advantages you can make use of as your investigations grow more complex. Remember that your first goal is to pick the method that you feel most comfortable with and can explain/defend the best.
1. Are You Comfortable with the Linux Command Line?
Yes   Consider using one of the many Linux bootable CD/DVD options for forensic imaging. They allow for a read-only environment with the option of using any tool available; many tools are provided on these bootable CD/DVDs, all of which will make a forensic image. In Chapter 8, you’ll learn how to use a Linux-bootable CD/DVD to forensically image a drive.
No   Many times when using Linux bootable CD/DVDs, you will have to drop to the command line to resolve unforeseen issues with some systems, such as loading RAID drivers or dealing with new device types. If you don’t feel comfortable working from the Linux command line, you should look at other options.
Note
Although a Linux bootable CD or DVD can be modified to be read-only by default for any media attached, not all of these CDs and DVDs are, in fact, forensically sound. If you plan to use one and will likely need to defend it in the future, make sure you choose one that either has documented testing that shows it does not modify devices attached to it or one that you can test on your own and show the documented results. These results, documented before you forensically image your first piece of evidence, will allow you to defend your process later.
2. Do You Have the Budget for a Write Blocker?
Yes   If you have the budget, consider buying something like the UltraBlock USB Write Blocker from Digital Intelligence. Using UltraBlock or a similar write blocker, you can attach different types of media (UltraBlock products are available for IDE, SATA, SCSI, SAS, USB, FireWire, and other types) to your computer as a read-only device. This will allow you to use any type of forensic imaging or forensic analysis tools without risk of modifying the original evidence. For many examiners who are uncomfortable with Linux or who do not think they have the technical qualifications to defend their choice of a Linux-bootable distribution, a write blocker can help create a great sense of comfort, because they are designed not to allow writes.
Budget Note
Write blockers used to be expensive, averaging $1000 each. Now, with the multitude of vendors offering write blockers, the cost has dropped to less than $400. This makes the relatively low risk of a write blocker accessible even to those on a low budget.
No   If you do not have the budget for a write blocker, don’t be concerned that you can’t make a reliable forensic image. Three other options are available at no cost: Linux-bootable CD/DVDs, the Windows registry change that makes USB storage read-only, and Windows bootable CD/DVDs are all forensically sound when they have been tested and are used correctly. Keep reading through this section to decide which is right for you.
In Actual Practice
Write blockers are not perfect. There have been issues in the past that showed flaws in some write blockers, so make sure that you stay informed by following postings regarding the manufacturer of your write blocker to learn of any issues or updates to firmware: register for support, newsletters, and support forums. Also, make sure that you test to be sure it works before you use it.
IMHO
You don’t have to choose only one method. I use every method available to me, depending on what the case requires. I always prefer the method that will complete the forensic image the fastest, because all write blockers equally protect the integrity of the image when the process is performed correctly. Which method you choose depends on which machine you are forensically imaging.
3. Do You Have a Large Budget but a Low Tolerance for Risk?
Yes   If you have a large budget and a low tolerance for risk, you can spend more to lower your risk with self-contained hardware forensic imaging systems. (This book is not meant for criminal investigations, for those who might face them, or for those who have a lower tolerance for risk.) These units remove the operating system and user error from the picture in most situations. They can be quite pricey, at the time of this writing between $1500 and $4000 per device. An example of such a device is the HardCopy 3P, which can create a forensic image at speeds up to 6 GB a minute with very little opportunity for user error. That’s not to say that these units can’t have problems of their own; if you run into an issue, fixing it will require a firmware update from the manufacturer.
No   If you are not comfortable with either the Linux or Windows command line and you have a small budget along with a low tolerance for risk, you may want to reconsider before moving on. If you plan to perform forensic imaging for your organization or for a client, make sure that you can provide the services they expect and that you can defend your results.
4. Are You Comfortable Testing and Explaining Windows Registry Changes?
Yes   If you feel comfortable making, explaining, and testing a change to the Windows registry and you are not afraid of regedit, this is a great and easy way to write block USB ports. Windows 8, the current version of Windows at the time of writing, and the versions before it honor a registry value (the WriteProtect DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, set to 1) that places USB storage devices in a read-only state. Many people have tested this registry change and found that it does, in fact, protect devices from being written to by the OS. Once the change is applied, any USB storage device plugged in afterward is read-only, which allows you to create a forensic image using any of the programs discussed in this book. When you are done with the forensic imaging process, remove the device and set the value back to 0, which allows you to write to USB storage devices again.
Note
On versions of Windows prior to Windows 7 and 8, you may have to reboot after applying the registry change for it to take effect. Always test on your particular operating system, using a sacrificial drive rather than evidence, to make sure that the write protection is working as you expect.
IMHO
One of the largest difficulties of this method is choosing where to store the forensic image when you are creating it. Since you can’t write to USB storage, you will have to write to another type of interface such as FireWire, eSATA, network storage, or another internal drive.
No   Not everyone is comfortable changing registry settings if they haven’t done so in the past. As you get further into forensic examinations, you’ll do a lot of work within the registry to recover your suspect’s preferences and history. If you are not comfortable with the registry now, you will be in a couple of years!
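Added example, not from the chapter: the registry value behind this method is the WriteProtect DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies (1 blocks writes, 0 restores them; the key may have to be created). The Python below generates the .reg text for both states and includes the write test the Note above calls for, which applies equally to a hardware write blocker or a bootable environment. The function and result names are my own, and the paths in `demo` are constructed temporary paths. Run the probe only against a sacrificial drive: if the blocker is not working, the probe itself writes to the media.

```python
"""USB write-protect registry switch plus a write-block verification probe."""
import errno
import os
import tempfile
import uuid

# Registry location of the switch (HKLM hive). Value 1 = read-only, 0 = normal.
REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
REG_VALUE = "WriteProtect"


def write_protect_reg(enable: bool) -> str:
    """Return .reg file text to turn USB write protection on or off.
    Import it with regedit or 'reg import'; plug the device in afterwards."""
    val = 1 if enable else 0
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{REG_KEY}]\r\n"
        f'"{REG_VALUE}"=dword:{val:08x}\r\n'
    )


BLOCKED, WRITABLE, UNAVAILABLE = "blocked", "writable", "unavailable"


def probe_write_blocking(mount_point: str) -> str:
    """Try to create a file on mount_point and classify the outcome.
    BLOCKED: the OS refused the write (what a working blocker must return).
    WRITABLE: the write succeeded; the probe file is removed, but the media
              has been modified, so only ever run this on a sacrificial drive.
    UNAVAILABLE: the mount point could not be reached at all."""
    probe = os.path.join(mount_point, f"wb-probe-{uuid.uuid4().hex}.tmp")
    try:
        with open(probe, "xb") as f:          # exclusive create; never clobber
            f.write(b"write-block probe")
    except PermissionError:
        # Read-only media; Windows ERROR_WRITE_PROTECT typically surfaces here.
        return BLOCKED
    except OSError as e:
        if e.errno in (errno.EROFS, errno.EACCES, errno.EPERM):
            return BLOCKED
        if e.errno in (errno.ENOENT, errno.ENOTDIR, errno.ENXIO, errno.ENODEV):
            return UNAVAILABLE
        raise
    os.remove(probe)
    return WRITABLE


def demo():
    """Constructed check: a scratch directory should report WRITABLE and a
    missing mount point UNAVAILABLE. A blocker under test must report BLOCKED."""
    with tempfile.TemporaryDirectory() as d:
        writable = probe_write_blocking(d)
    missing = probe_write_blocking(
        os.path.join(tempfile.gettempdir(), "no-such-mount-" + uuid.uuid4().hex))
    return writable, missing


if __name__ == "__main__":
    print(write_protect_reg(True))
    print(demo())
```

Keep the .reg files for both states with your lab manual, and record the probe result (and the drive you probed) before you image your first piece of evidence; that written, dated test is what lets you defend the method later.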
If you’ve answered No to all of the preceding questions, there is still one remaining method that you should consider. See question 5.
5. Are You Comfortable with the Windows Command Line?
Yes   If you are comfortable with the Windows command line, another type of bootable, forensically safe environment exists: a bootable Windows forensic environment. You start at a command line rather than a GUI, so make sure you are comfortable with it. A bootable CD/DVD Windows distribution called Windows Forensic Environment (Windows FE) treats all attached media as read-only unless you specifically mark a device to be written to. This is similar to the functionality you get with a Linux CD/DVD forensic distribution, except that you can use all the standard Windows forensic utilities. Windows FE works well for many examiners looking for the benefits of a forensically sound bootable environment without having to learn another operating system.
No   The command line can be confusing to those examiners who started working in a graphical user interface. Hopefully, you have the budget to get a write blocker so you can stay in the environment you are comfortable with.
Note
If you have not answered yes to any question in this section, I do not have a suitable forensically sound imaging method to offer you. That does not mean one does not exist for you, however. Consider waiting until such time you can say yes to one of these questions, or consider limiting your examinations to cases in which legal action is not an option and thus the defensibility of your actions is not a concern.
Your Choice
Congratulations, you’ve completed your self-assessment. Now, take your list of yes answers and create a list of methods you have available to you. Your next task is to test the methods you want to use in your investigation. These forensic imaging methods are detailed in the following sections in this chapter and in Chapter 8.
Note
This chapter discusses traditional methods of forensic imaging. If you are looking for nontraditional methods, such as live imaging and capturing system memory, Chapters 7 and 9 discuss these methods.
Into Action
Create your list of forensic imaging methods by answering these questions:
 
•   Are you comfortable with the Linux command line?
•   Do you have the budget for a write blocker?
•   Do you have a large budget but a low tolerance for risk?
•   Are you comfortable testing and explaining Windows registry changes?
•   Are you comfortable with the Windows command line?
Forensic Imaging Method Pros and Cons
There is no one best method for every situation and as new interfaces, techniques, and equipment become available what works best changes. Every method has its pros and cons.
Hardware Write Blocking
A hardware write blocker is a physical device that sits between your computer and the evidence.
Pros
 
•   Hardware offers reliable write protection with documentation and testing provided by the vendor.
•   Any forensic imaging program, operating system, or analysis tool can be used without the risk of modifying the evidence.
•   In some cases, device-specific imaging programs allow for optimized forensic imaging.
Tip
Tableau, for example, provides the Tableau Imager, which allows for multithreaded forensic imaging. It is free and can be downloaded at http://www.tableau.com/index.php?pageid=products&model=TSW-TIM.
Cons
 
•   The number of devices you can forensically image at one time is limited by the number of write blockers in your possession.
•   The types of devices you can forensically image are limited by the type of write blocker in your possession.
•   Hardware write blockers are moderately expensive.
Software Write Blocking
Software write blocking relies on controls that are either built into the operating system by design (a bootable, forensically safe environment) or enabled through a setting, such as the Windows registry change that makes USB devices read-only, so that writes never reach the evidence.
Pros
 
•   The number of devices you can forensically image at once is limited only by the number of bootable CD/DVDs you can burn or the number of systems on which you can apply the registry change.
•   With a bootable CD/DVD, you can image any type of media as long as the OS has drivers that allow it to recognize the media.
•   Software write blockers are free.
Cons
 
•   Software write blockers can be slower than hardware write blockers or dedicated units.
•   Without good prior testing and procedures, software write blockers can fail.
Dedicated Units
Dedicated forensic imaging units such as Logicube Talon or Hardcopy 3 allow even nontechnical users to forensically image a device safely. Liquid crystal display (LCD) touch menus allow the user to access the interface to capture forensic images without an operating system or additional computer.
Pros
 
•   These devices are created for the sole purpose of creating forensic images.
•   They are typically the fastest method of imaging.
Cons
 
•   They are typically expensive.
•   The number of devices you can forensically image at one time is limited by the number of dedicated units in your possession.
•   Many types of media are not supported by dedicated units.
•   Issues with the hardware require a firmware update to fix.
IMHO
When I started performing forensic imaging, I relied on Linux and DOS boot floppies. I’ve moved on to Linux boot CDs and hardware write blockers (now that they are so affordable). Having said that, I’m always looking for new methods and will always choose the method that gets me a reliable forensic image in the fastest way possible.
Creating Forms and Your Lab Manual
One of the most difficult things to get together when you are starting your lab and defining your chosen methods is creating the forms you will use. For years, people have been asking each other on forums, mailing lists, and conferences, “Hey, does anyone have sample forms?” Most people are hesitant to share their internal forms because they are unsure of their quality or they fear they will be revealing some kind of weakness.
IMHO
When you’re starting out in computer forensics, it can be difficult to understand what kinds of forms you’ll need. Many people latch on to any rumor, theory, or voodoo ritual they can find to create forms that prove that their evidence will be admissible in court. I’ve been testifying since 2003, and I’ve walked through the authentication and admission process for evidence many times; it is not as complicated as people make it. Here’s a simple tip: After creating an image, fill out a form that identifies where it came from and how you forensically imaged it, that validates that your hashes match, and that indicates when the evidence is no longer in your custody. That’s it! The notes about how you imaged it and validation of the image are not actually part of the chain of custody process; they are just there to help you remember in the future when you are asked.
A number of groups have attempted to put together a standard set of forms and documents, but I’ve seen only one that truly solves the problem, from the Scientific Working Group on Digital Evidence (SWGDE) at www.swgde.org. SWGDE is a combination of law enforcement, government, industry, and academia that works together creating standards and documents for anyone’s use. These documents and this group’s hard work are your best friends. They provide a set of peer-reviewed and approved forms that you can use today and have the security of their validation. The following sections discuss the need for specific forms and where to get them from SWGDE for your customization and use.
Chain of Custody Forms
The chain of custody form we adapted for Hacking Exposed: Computer Forensics (McGraw-Hill, 2009) was a popular download. Chain of custody forms, as simple as they should be, are easily the most feared forms to make for someone new to the field.
Although I have adapted our updated form at G-C Partners, LLC (www.g-cpartners.com) for this book, you don’t have to use mine. SWGDE offers a sample chain of custody form that is simpler than mine, and you can download it from www.learndfir.com (the SWGDE link is too long to type).
The SWGDE form, A-8-ChainOfCustody-05132011.doc, is shown in Figure 5-1. It is true to the definition of what a chain of custody form should be: It defines what was taken into your custody, who it was received from, any defects, and who it was transferred to. At its most basic, this is all a chain of custody form needs to have. The Hacking Exposed form goes beyond this to help you as the examiner, but either form will hold up equally well in a court of law.
Figure 5-1   The SWGDE sample chain of custody form
IMHO
I’ve said this before but I think it bears repeating. The additional fields in our Hacking Exposed form, available on the book’s web site, are there for you and not to track the custody of the evidence. Information such as what the evidence was forensically imaged with, the name of the user of the computer, the time zone the computer was in, the BIOS time are all there to help you remember this information if you need it in the future. I’ve added these fields based on my experience in the field and find them helpful both when processing evidence and when testifying to it, which sometimes occurs years apart.
Request Forms
When you are working inside of a company as a forensic examiner, you may find it difficult to get the people you work with to understand your forensic process and needs. Creating a request form that captures the following will help:
 
•   Who is requesting the information
•   Who is being investigated
•   The devices you are being authorized to access
•   What you are being asked to investigate
•   The date of the request
You should require that your coworkers fill out a request form. This information will help you easily recall later why you performed your investigation. If an internal investigation gets political, having this documentation can help protect you from unhappy executives.
Report Forms
Everyone looks for sample reports, and many forensic tools come with some kind of reporting option. In this book, Chapters 16 and 17 are dedicated to report writing. Our friends at SWGDE also offer a sample report available for your use if you are looking for an alternative trusted template to use. The form, A-1-REX-05132011.doc, provides a good baseline report that you can fill in. Your work will be judged by the report, so don’t just generate a report from a forensic tool—take the time to fill out a report template like the one from SWGDE (shown in Figure 5-2) and explain in human terms what you’ve found. For more on this topic, read Chapters 16 and 17.
Figure 5-2   SWGDE Report of Examination
Standard Operating Procedures Manual
More labs are getting accredited, and more organizations are demanding transparency and repeatable processes. Many people have defended computer forensics as an art that cannot be turned into a series of processes; however, to be considered a true forensic science, our process must be repeatable. SWGDE has issued a framework standard operating procedures (SOP) manual that you can customize to fit your environment; it will quickly help you get started toward documenting your processes and procedures. The “Model Standard Operating Procedures for Computer Forensics” should be your starting point toward formalizing your lab and helping you scale it as your needs grow; you can download it from the web site www.learndfir.com.
We’ve Covered
You’ve been exposed to a lot of new information in this chapter, but we’re not done yet. In the following chapters, you’ll learn how to test your tools and handle nontraditional situations, and you’ll get step-by-step directions for capturing forensic images before we get into actual forensic analysis. This book is meant to get you started on your first computer forensic investigations; you have the rest of your career to master this field and become a success.
You’ve learned how to select processes, how to choose tools and procedures, and how to create the documentation you need. As you continue reading, we’ll start getting into the technical areas of computer forensics, but the processes and procedures you’ve learned in these early chapters will form the foundation of your success.
Forensic imaging procedures
 
•   Several risks are associated with different forensic imaging methods.
•   Pros and cons are associated with different forensic imaging methods.
How to determine your comfort level with various methods
 
•   Determine your comfort level with various methods.
•   Be aware of the different traditional forensic imaging methods.
How to create standard forms and a lab manual
 
•   Use example forms from Hacking Exposed or the SWGDE.
•   Create a standard operating procedure manual for your lab.