Proper Procedure

It is important to follow proper procedure when examining a suspect machine. This chapter covers specific details on the proper procedure to follow when collecting, seizing, and protecting evidence.

Shutting Down the Computer

At one time it was recommended that the first step to analyzing a computer was to shut it down. However, it soon became apparent that one could lose valuable evidence found in running processes or memory. It also may be the case that the computer is using hard drive encryption. If you simply shut the system down, you may not be able to get back into the system. Before you shut the system down, at a minimum, you need to see what is currently running on the computer. Remember, you want to touch it as little as possible, so it is important to be careful. But you do need to find out if someone is currently accessing the computer—or if there is malware running on the computer—before you shut it down. Although the specifics may vary depending on the installed operating system, this section focuses on Windows because it is the most common desktop operating system.

The first thing to do is to check for running processes. In Windows (all versions), you press the Ctrl+Alt+Delete keys simultaneously, then select Task Manager. When the Task Manager window opens, select the Processes tab. The Windows 8 version of the Task Manager Processes tab is shown in FIGURE 4-1. You should note that this is much the same in Windows 10 or in Windows Server.

FIGURE 4-1
Windows 8 running processes.

Used with permission from Microsoft.

FIGURE 4-2
Using netstat.

Used with permission from Microsoft.

Now take a picture of the screen so you have a record of the running processes. In this case, “take a picture” means taking an actual photo with a camera, not taking a screenshot. In many cases, these photos are also subject to the rules of the chain of custody for evidence. You should assume that they are. Next, it is important to see if there are live connections to this system. Fortunately, there are built-in commands that will help you with that (most work in Linux as well as Windows). The following sections cover a few of those commands.

Using netstat

The netstat command shows network statistics and any current connections. Normally, there are connections. For example, a Windows 7 computer that is part of a homegroup will have communications with other members of that group. What you are looking for are external connections, particularly ones from outside the local network. You can see an example of netstat in FIGURE 4-2.

Using net sessions

The net sessions command is actually more helpful than netstat. The netstat command shows even meaningless connections, such as the computer opening a web browser. But net sessions shows only established network communication sessions, such as someone logging on to that system. You can see an example of net sessions in FIGURE 4-3.

Using openfiles

The openfiles command is very useful. It tells you if any shared files or folders are open and who has them open. Before shutting down the suspect machine, this is a critical command to run. You can see an example of openfiles in FIGURE 4-4.

FIGURE 4-3
Using net sessions.

Used with permission from Microsoft.

FIGURE 4-4
Using openfiles.

Used with permission from Microsoft.

You should run each of these commands and photograph the results before shutting down the machine. Also document that you ran them, the time, and the results. Then power down the machine. Most sources recommend you simply pull the plug. This may be contrary to how you usually power down a machine, but the idea is to interrupt normal operations. It is possible, though not likely, that there is some malware on the machine that would delete files, clear the swap, or otherwise destroy evidence during a normal power down or the subsequent power up of a machine.

If you believe that you may wish to analyze the system memory at a later time, then it is imperative that you capture the memory now. Many tools exist that will capture memory. Remembering Locard’s principle of transference (see chapter 1), you will want to run these tools from a USB device, not actually on the suspect system. OSForensics can be installed to USB and can capture the system memory. You can see this in FIGURE 4-5.

Magnet RAM Capture and DumpIt are two free tools that will capture memory. Both can be found easily on the Internet using your favorite search engine. AccessData’s FTK (which you will see used later in this chapter to capture a drive image) can also be used to capture memory.

FIGURE 4-5
Capturing Memory with OSForensics.

Courtesy of PassMark Software.

Transporting the Computer System to a Secure Location

Seized computers are often stored in less-than-secure locations. Both law enforcement agencies and corporations sometimes fail to transport and store suspect systems properly. It is imperative that you treat a subject computer as evidence and store it out of reach of curious computer users. Sometimes, individuals operate seized computers without knowing that they are destroying potential evidence and the chain of custody. A seized computer left unattended can easily be compromised. Someone could plant evidence or destroy crucial evidence. Lack of a proper chain of custody can make a savvy defense attorney’s day. Without a proper chain of custody, you can’t ensure that evidence was not planted on the computer after the seizure.

During the transport, you must be aware that this seized computer is evidence. It should be locked in a vehicle and the vehicle should be driven directly to the lab. This is not a time to stop for lunch. Any period of time that you cannot account for the evidence is a break in the chain of custody. And it is certainly possible for someone to break into the vehicle while you are stopped at your favorite lunch spot.

Preparing the System

If the device you have seized is a computer, you need to remove the drive(s) from the suspect machine even if the drive(s) are not currently attached to any cabling. Create a chain of custody form. You can see a sample evidence form in FIGURE 4-6.

Some forensic examiners have a separate chain of custody form. FIGURE 4-7 shows one from an actual police department.

The specifics of your chain of custody form will vary depending on your jurisdiction and your organizational policies. You typically need to use a separate chain of custody form for each drive you have removed. Depending on your level of comfort in reliably describing and recreating the technology present in the suspect system, you may want to take photographs of all of the drive connections, cable connections to the case, and general work area for future use. Photos, however, are not required for admittance into court, but you should take photographs whenever possible. Any time you can use photographs to enhance your investigation or your reporting, you should do so. You can also leave the drives in the system and acquire them with some forensically safe boot disks, CD-ROMs, or thumb drives.

FIGURE 4-6
Evidence form.

In the case of phones, it is often necessary to remove the SIM card. It is possible to examine a phone without removing the SIM card, however, and some modern phone forensic devices allow you to simply dock the phone into the device.

FIGURE 4-7
Chain of custody form.

Documenting the Hardware Configuration of the System

Before dismantling the computer, it is important to take pictures of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important, so that you can easily reconnect each one when the system configuration is restored to its original condition. You should also record BIOS (basic input/output system) information. Note that many modern systems use Unified Extensible Firmware Interface (UEFI) rather than BIOS, but you can get the same information from UEFI that you would otherwise retrieve from BIOS.

At this point, the drives are removed and you have identified and removed the media from the system. You can now safely boot up the system to check the BIOS information. In the chain of custody form, enter information about the BIOS of the system; you can typically access this information by pressing Esc, Delete, F2, F9, F10, or F11 (the specific key depends on the system, but F2 seems to be the most common) during the initial boot screen. But this varies depending on the system manufacturer, so always try to search the system manufacturer’s website ahead of time to determine how to access this information. Once you’ve accessed the BIOS information, you need to record the system time and date in the chain of custody form. The BIOS time is important because it can differ significantly from the actual time and time zone set for the geographical area in which you are located. The importance of the BIOS time varies by the file system (NT File System [NTFS] stores Greenwich Mean Time, for example) and operating system, and some update the time using network time servers. If the BIOS time is different, you need to note this and then adjust the times of any files you recover from the image to determine the actual time and date they were created, accessed, or modified. After the power has been restored to the system, eject all media contained in drives that cannot be operated without power (such as some CD-ROMs and DVD-ROMs) and remove them. Then fill out a separate chain of custody form for each of the items removed. If you forget to eject the CD-ROM before powering it down, do not worry, because most CD-ROM drives can be opened by sticking the end of a paper clip into the tiny hole near the eject button.

Mathematically Authenticating Data on All Storage Devices

You must be able to prove that you didn’t alter any of the evidence after taking possession of a suspect computer. Such proof helps rebut allegations that the investigator changed or altered the original evidence. After imaging any drive, you must always create a hash of the original and the copy. Compare the hashes. If they do not match exactly, then something was altered. You must also document what hashing algorithm you used (SHA1 is the most common, but SHA2 is being used increasingly) and what the results were. Linux has built-in tools for hashing, but many forensic tools such as EnCase and Forensic Toolkit (FTK) hash the suspect drive after it is imaged to check for copy errors. OSForensics will also create a hash of the suspect drive when imaging is complete.

In Linux, the following command hashes a partition:

md5sum /dev/hda1

This assumes the partition is hda1. If your partition is different, then substitute your partition name. If you want to send that hash to a target machine (such as your forensic server), use this command:

md5sum /dev/hda1 | nc -w 3 192.168.0.2 8888

This says to create the hash of the partition, then use netcat to send it to IP 192.168.0.2 port 8888, giving up after a 3-second timeout (the -w option, which must come before the host and port on most versions of netcat). Obviously, your IP address and port could be different.
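The verification step described above (hash the original and the copy, compare, and document the algorithm, time, and result) can be scripted so that every run leaves a record for the chain of custody form. The following shell script is an added example written for this section, not a command from the chapter or from any forensic tool it mentions; the device and image paths in the usage comment are placeholders, and it assumes the coreutils md5sum, sha1sum, and sha256sum programs are available.

```shell
#!/bin/sh
# Added example: verify an acquired image against its source and append
# the algorithm, UTC time, both digests, and the outcome to a log file.
# Usage (placeholder paths): sh verify_image.sh sha256 /dev/sdb1 /evidence/case01.img /evidence/coc.log

# hash_file ALGO PATH -> prints only the hex digest for PATH
hash_file() {
    case "$1" in
        md5)    out=$(md5sum "$2") ;;
        sha1)   out=$(sha1sum "$2") ;;
        sha256) out=$(sha256sum "$2") ;;
        *)      echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac || return 2
    # coreutils prints "<digest>  <path>"; keep the part before the first space
    echo "${out%% *}"
}

# verify_image ALGO SOURCE COPY LOGFILE
# Returns 0 when the digests match, 1 when they differ, 2 on a hashing error.
# Every comparison is appended to LOGFILE so the examiner can show what was
# run, when, and what the result was.
verify_image() {
    algo=$1; src=$2; copy=$3; log=$4
    src_hash=$(hash_file "$algo" "$src") || return 2
    copy_hash=$(hash_file "$algo" "$copy") || return 2
    if [ "$src_hash" = "$copy_hash" ]; then
        status=MATCH; rc=0
    else
        status=MISMATCH; rc=1
    fi
    printf '%s %s source=%s %s copy=%s %s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$algo" "$src" "$src_hash" \
        "$copy" "$copy_hash" "$status" >> "$log"
    return $rc
}

# When run directly with four arguments, verify and exit with the result code
if [ "$#" -eq 4 ]; then
    verify_image "$1" "$2" "$3" "$4"
fi
```

A MISMATCH line in the log means the copy is not a faithful image and the acquisition must be repeated and documented, not silently redone.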
