Handling Evidence

Once you have appropriately transported the device and prepared it for forensic examination, you have to handle the evidence. There are specific steps to follow.

Preserving computer evidence requires planning and training in incident discovery procedures. The following sections describe tasks related to handling evidence and measures to take when gathering evidence. To review, a system forensics specialist has three basic tasks related to handling evidence:

  • Find evidence

  • Preserve evidence

  • Prepare evidence

Collecting Data

There are three primary types of data that a forensic investigator must collect: volatile data, temporary data, and persistent data. As an investigator, you must try to avoid permanently losing data. Therefore, you must first secure the physical evidence. Then you can collect volatile and temporary data. Volatile data disappears when the system loses power, and both volatile and temporary data are overwritten as the system keeps running, so collect them first, in order of volatility, to minimize corruption or loss. The following are examples of volatile data:

  • Swap file: The swap file is used to extend random access memory (RAM) onto disk. Fragments of data that were in memory are frequently found in the swap file. Strictly speaking, the swap file lives on disk and survives a reboot; it belongs in this list because its contents are overwritten continually while the system runs. The details of how to extract data from the swap file vary depending on the installed operating system.

  • State of network connections: This data is captured from the running system, before it is shut down; shutting down destroys it.

  • State of running processes: This data is likewise captured from the running system before it is shut down.

After collecting volatile data, you collect temporary data—data that an operating system creates and overwrites without the computer user taking a direct action to save this data. The likelihood of corrupting temporary data is less than that of volatile data. But temporary data is just that—temporary—and you must collect it before it is lost. Only after collecting volatile and temporary data should you begin to collect persistent data.

Documenting Filenames, Dates, and Times

From an evidence standpoint, filenames, creation dates, and last modified dates and times can be relevant. Therefore, catalog all allocated and “erased” files, recording a cryptographic hash of each file alongside its name, size, and timestamps so that the catalog can later be tied to a specific, unaltered file. Sort the files by filename, file size, file content, creation date, and last modified date and time. Such sorted information can provide a timeline of computer usage. The output should be in a word-processor-compatible file to help document computer evidence issues tied to specific files.
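The catalog described above, as an added example that is not part of the original text: it walks a directory (in practice, a mounted forensic duplicate, never the original disk), records size, SHA-256 and the three file-system timestamps in UTC for every allocated regular file, sorts the result into a first-cut timeline, and emits CSV that any word processor or spreadsheet can import. The sample tree, its contents and its modification times are constructed for the demonstration. Deleted ("erased") files are not covered; they need a tool that reads the file system below the operating system.

```python
"""Catalog allocated files under a directory with size, SHA-256 and MAC times.

Added example, not the original text's code. The sample tree built by
build_sample_tree() and the CSV column layout are illustrative assumptions.
"""
import csv
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_utc(epoch):
    """Render an epoch timestamp as ISO-8601 in UTC, the timeline's common clock."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def catalog_tree(root):
    """Walk root and record one entry per regular file (allocated files only)."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):   # never follow links out of the image
                continue
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "sha256": sha256_file(path),
                "mtime": iso_utc(st.st_mtime),  # last content modification
                "atime": iso_utc(st.st_atime),  # last access (often disabled)
                "ctime": iso_utc(st.st_ctime),  # metadata change (POSIX) / creation (Windows)
            })
    return entries


def sort_catalog(entries, key="mtime"):
    """Sort by a timestamp column to get a first-cut timeline of usage."""
    return sorted(entries, key=lambda e: (e[key], e["path"]))


def to_csv(entries):
    """Emit the catalog as CSV for inclusion in the case documentation."""
    buf = io.StringIO()
    fields = ["path", "size", "sha256", "mtime", "atime", "ctime"]
    w = csv.DictWriter(buf, fieldnames=fields)
    w.writeheader()
    w.writerows(entries)
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample: three files with chosen content and mtimes."""
    root = tempfile.mkdtemp(prefix="catalog_demo_")
    os.mkdir(os.path.join(root, "docs"))
    samples = [("docs/notes.txt", b"abc", 1_700_000_000),
               ("readme.txt", b"", 1_600_000_000),
               ("docs/plan.txt", b"abcabc", 1_650_000_000)]
    for rel, data, mtime in samples:
        p = os.path.join(root, rel)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))   # set atime and mtime to a known value
    return root


if __name__ == "__main__":
    print(to_csv(sort_catalog(catalog_tree(build_sample_tree()))))
```

The hash column is what lets you later prove that the file you describe in a report is the file that was on the duplicate; the timestamps are rendered in UTC so that they can be merged with logs from other sources without guessing each file's zone.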

Identifying File, Program, and Storage Anomalies

Encrypted, compressed, and graphics files store data in binary format. As a result, text search programs can’t identify text data stored in these file formats. These files require manual evaluation, which may involve a lot of work, especially with encrypted files. Depending on the type of file, view and evaluate the content as potential evidence. Reviewing the partitioning on seized hard disk drives is also important. Evaluate hidden partitions for evidence and document their existence. With Windows operating systems, you should also evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fact that they have been selected for deletion may have some relevance from an evidentiary standpoint. If you find relevant files, thoroughly document the issues involved. Those issues can include the following:

  • How did you find the files?

  • What condition were they in (i.e., did you recover the entire file or just part of the file)?

  • When was the file originally saved?

Remember that the more information you document about evidence, the better.

Evidence-Gathering Measures

Forensic specialists should take the following measures when gathering evidence:

  • Avoid changing the evidence: Before removing any equipment, photograph it in place and label wires and sockets so that computers and peripherals can be reassembled in a laboratory exactly as they were at the original location. When transporting computers, peripherals, and media, take care to avoid heat damage, jostling, or touching original hard disks and compact discs (CDs). Make exact bit-by-bit copies of the original media through a write blocker, store the copies on a write-once medium such as a CD-ROM, and record a cryptographic hash of both the original and each copy in the evidence log so that the copy can later be shown to be identical to the original.

  • Determine when evidence was created: Timelines of computer usage and file accesses can be valuable sources of computer evidence. The times and dates when files were created, last accessed, or modified can make or break a case. However, do not trust a computer’s internal clock or activity logs blindly. The clock may be wrong, a suspect may have tampered with logs, or simply turning on the computer may change a log irrevocably. Before logs disappear, capture the time a document was created, the last time it was opened, and the last time it was changed. Then calibrate that evidence against a trusted time standard, recording the offset between the suspect clock and the reference, and work around log tampering.

  • Search throughout a device: Forensic specialists must search at the bit level (the level of 1s and 0s) across a wide range of areas inside a computer. This includes email, temporary files, swap files, logical file structures, and slack and free space on the hard drive. They must also search software settings, script files, web browser data caches, bookmarks and history, and session logs. Forensic specialists can then correlate evidence to activities and sources.

  • Determine information about encrypted and steganized files: Investigators should usually not attempt to decode encrypted files. Rather, investigators should look for evidence in a computer that tells them what is in the encrypted file. Frequently, this evidence has been erased, but unencrypted traces remain and can be used to make a case. For steganized information, concealed within other files or buried inside the 1s and 0s of a picture, for example, an investigator can tell if the data is there even though it is inaccessible. The investigator can compare nearly identical files to identify minute differences.

  • Present the evidence well: Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. The jury must be able to understand the evidence, and the evidence must be solid enough that a defense counsel cannot rebut it. The forensic examiner must be able to create a step-by-step reconstruction of actions, with documented dates and times. In addition, the forensic examiner must prepare charts, graphs, and exhibits that explain both what was done and how it was done, and also can withstand scrutiny. The forensic examiner’s testimony must explain simply and clearly what a suspect did or did not do. The forensic examiner should remember that the jury and judge are rarely savvy computer technologists, and the ability of a forensic examiner to explain technical points clearly in plain English can make or break a case.
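Two of the measures above call for the same byte-level tooling: the bit-by-bit copy must be verified before it is examined, and steganized files are exposed by comparing a suspect file against a nearly identical original. The following is an added example, not code from the original text. It images a "device" (here a constructed byte string written to a temporary file; a real acquisition reads the original through a hardware write blocker) while hashing both what was read and what was written back from disk, then locates every run of differing bytes between two files and counts the changes that touch only the least significant bit, the fingerprint of simple LSB steganography.

```python
"""Verify a bit-for-bit copy and locate byte-level differences between two files.

Added example, not the original text's code. The 'device' in demo() is a
constructed byte string; the LSB flips and the 4-byte edit are constructed
to stand in for a steganized copy.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def image_and_verify(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst in chunks, hashing what is read and what was written.
    Returns (source_hash, copy_hash); both belong in the evidence log, and
    they must match before the copy is used for examination."""
    h_src = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h_src.update(block)
            dst.write(block)
    # Re-read the copy from disk rather than trusting the buffered writes.
    h_dst = hashlib.sha256()
    with open(dst_path, "rb") as dst:
        for block in iter(lambda: dst.read(chunk), b""):
            h_dst.update(block)
    return h_src.hexdigest(), h_dst.hexdigest()


def compare_files(path_a, path_b, chunk=CHUNK):
    """Return a list of (offset, length) runs where the two files differ.
    A length difference is reported as a run starting at the shorter end."""
    runs, start, offset = [], None, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            n = max(len(a), len(b))
            for i in range(n):
                same = i < len(a) and i < len(b) and a[i] == b[i]
                if not same and start is None:
                    start = offset + i
                elif same and start is not None:
                    runs.append((start, offset + i - start))
                    start = None
            offset += n
    if start is not None:
        runs.append((start, offset - start))
    return runs


def lsb_changes(path_a, path_b):
    """Count differing bytes whose only change is the least significant bit.
    Ordinary re-encoding changes whole bytes; a run of one-bit changes is
    the signature of simple LSB embedding."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    return sum(1 for x, y in zip(a, b) if x != y and (x ^ y) == 1)


def demo():
    """Constructed sample: a 200 KiB 'device', imaged and verified, then a
    suspect copy with eight LSB flips and one plain 4-byte edit."""
    tmp = tempfile.mkdtemp(prefix="image_demo_")
    dev = os.path.join(tmp, "device.bin")
    img = os.path.join(tmp, "device.dd")
    suspect = os.path.join(tmp, "suspect.bin")
    data = bytes((i * 7) & 0xFF for i in range(200 * 1024))
    with open(dev, "wb") as f:
        f.write(data)
    src_hash, copy_hash = image_and_verify(dev, img)
    edited = bytearray(data)
    for i in range(8):              # flip the LSB of bytes 100..107
        edited[100 + i] ^= 1
    edited[5000:5004] = b"XXXX"     # a plain 4-byte edit for contrast
    with open(suspect, "wb") as f:
        f.write(bytes(edited))
    return src_hash == copy_hash, compare_files(img, suspect), lsb_changes(img, suspect)


if __name__ == "__main__":
    print(demo())
```

Hashing the copy by re-reading it from disk, rather than hashing the bytes as they are written, is deliberate: it catches a failing target drive or a truncated write, which the second hash would otherwise paper over.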

This chapter has so far discussed general preparations involved in the initial seizing, duplication, and finding of digital evidence. There’s much more to learn, especially about examining data to find incriminating evidence, that is, evidence that shows, or tends to show, a person’s involvement in an act, or that can establish guilt. One of the three techniques of forensic analysis is live analysis: examining a system while it is still running, including its processes, memory contents, and ongoing network connections. The remaining two techniques, physical analysis and logical analysis, both deal with hard drive structures and file formats.

Physical analysis is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Logical analysis involves using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. Put another way, physical analysis is looking for things that may have been overlooked, or are invisible, to the user. Logical analysis is looking for things that are visible, known about, and possibly controlled by the user.

Physical Analysis

Two of the easiest things to extract during physical analysis are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer. The user may have attempted to delete these, but you can reconstruct them from many places on the hard drive, including browser caches, the swap file, and slack and unallocated space. Next, you should index the different kinds of file formats.

The file format you start with depends on the type of case. For example, you might start with graphics formats or document formats in a pornography or forgery case. There are many other file formats: multimedia, archive, binary, database, font, game, and Internet related. Computers generally save things in formats the user does not control. For example, nearly every graphics format begins with a fixed header, or magic number, and many end with a fixed trailer as well. Collectors of pornography usually don’t go to the trouble of stripping these headers, so it is a simple matter of finding one header at the beginning of a JPEG (Joint Photographic Experts Group) file and then doing a byte-signature search across the whole drive, including slack and unallocated space, for every other image of that type. Because this search works on raw bytes rather than on the file system, it also recovers files whose directory entries are gone.
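The signature search described above, together with the URL and email harvesting from the previous section, as an added example that is not the original text's code. It scans a raw image for known header/trailer pairs (a small illustrative signature table is assumed; real carvers carry hundreds of entries) and pulls URLs and email addresses out of the same bytes with regular expressions, so both work on fragments in unallocated space that no directory lists. The "disk image" is constructed inline: padding, a minimal JPEG-shaped blob, a text fragment, a PNG-shaped blob, and an orphaned header with no trailer, which the carver must report as missing rather than run to end of disk.

```python
"""Carve files by byte signature and harvest URLs/emails from raw bytes.

Added example, not the original text's code. SIGNATURES is a deliberately
small illustrative table, and build_sample_image() constructs a fake image.
"""
import re

# header, trailer pairs (assumed minimal table; real carvers know many more)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "gif": (b"GIF8", b"\x00\x3b"),
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def find_all(haystack, needle):
    """Yield every offset of needle in haystack, overlapping hits included."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def carve(image, kinds=SIGNATURES, max_len=16 << 20):
    """Return (kind, start, end, data) for each header whose trailer appears
    within max_len bytes, sorted by offset. Headers with no trailer in range
    are skipped here; a real run logs them as truncated or fragmented files."""
    found = []
    for kind, (head, foot) in kinds.items():
        for start in find_all(image, head):
            end = image.find(foot, start + len(head), start + max_len)
            if end == -1:
                continue
            end += len(foot)
            found.append((kind, start, end, image[start:end]))
    found.sort(key=lambda t: t[1])
    return found


def harvest_strings(image):
    """Pull email addresses and URLs out of raw bytes, allocated or not."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(image))),
        "urls": sorted(set(URL_RE.findall(image))),
    }


def build_sample_image():
    """Constructed 'disk image': 1 KiB of zeros, a fake JPEG, a text fragment
    left in free space, a fake PNG, an orphaned JPEG header, more zeros."""
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x10" * 40 + b"\xff\xd9"
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    fragment = b"contact alice@example.test via http://example.test/drop " * 2
    orphan = b"\xff\xd8\xff\xe1" + b"\x42" * 20   # header, trailer never written
    return b"\x00" * 1024 + jpeg + fragment + png + orphan + b"\x00" * 256


if __name__ == "__main__":
    img = build_sample_image()
    for kind, start, end, _ in carve(img):
        print(f"{kind:5s} offset {start:8d} length {end - start:6d}")
    print(harvest_strings(img))
```

Trailer matching is the weak point of this approach: a JPEG trailer byte pair can occur inside another file, and fragmented files have no trailer within reach of their header, so every carved object should be opened with a parser before it is treated as a recovered file.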

The following sections describe some of the places that an investigator must physically analyze.

The swap file

You read briefly about the swap file earlier in this chapter. A swap file is the most important type of ambient data. Windows uses a swap file (pagefile.sys on current versions) on each system as a “scratch pad” to write memory pages to when RAM runs short; it is a virtual memory extension of RAM. Most computer users are unaware of the existence of swap files. The size of these files is often set to around 1.5 times the physical RAM in the machine by default. Swap files contain remnants of word processing documents, emails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. Swap files can be temporary or permanent, depending on the version of Windows installed and the settings selected by the computer user. Permanent swap files are of the greatest forensic value because they hold larger amounts of information for longer periods of time. However, temporary, or dynamic, swap files are more common. These files shrink and expand as necessary. When a dynamic swap file reduces its size to close to zero, it sometimes releases the file’s content to unallocated space, which you can also forensically examine.

Unallocated space, or free space, is the area of a hard drive that has never been allocated for file storage, or that the file system regards as free again after a file is deleted. The only way to clean unallocated space is with tools known as sweepers or scrubbers. Although the term “scrubber” implies cleaning, they actually overwrite the old fragments to destroy that evidence. A few commercial products scrub free space to Department of Defense (DoD) standards, meaning they overwrite up to seven times, but more often the process is done once or twice. Note that on flash storage with wear leveling, an overwrite issued to a logical address is not guaranteed to reach the physical cells that held the old data, so scrubbed fragments may still be recoverable from the chips. Fragments of old files in free space can be anywhere on the disk, even on a different partition, but they tend to cluster next to partition headers and file allocation tables (FAT), and in file slack, the unused sectors at the end of a file’s last cluster.

Logical Analysis

You must examine the logical file and directory structure to reconstruct what the user was doing with the computer. Rarely does an investigator find a signed confession in the My Documents folder. Most perpetrators are smarter than that, and they use various tactics to hide what they have been doing. For example, perpetrators often store files under unusual paths or with misleading extensions. Many try to thwart investigators by using encryption to scramble information or steganography to hide it, or both together, or by embedding one file format inside another so that a naive check of the file type misidentifies it. You can also expect to find lots of deleted, professionally scrubbed data.

An investigator hopes to trace the uses that a suspect computer has been set up for. Certain types of criminals optimize their systems for different uses. For example, a programmer optimizes for speed, a pornographer for storage, and a stalker for messaging. You must go about logical analysis methodically. Divide the data on the hard drive into layers and try to find evidentiary information at each layer. Look for peculiarities on each layer and then choose the right extraction tool.

Creating a Timeline

To reconstruct the events that led to the compromise or corruption of a system, create a timeline. This is particularly difficult with computers, because clock drift, delayed reporting, and differing time zones create confusion. Never change the clock on a suspect system. Instead, compare it against a trusted reference at seizure, record the offset (the clock drift) and the time zone in use, and apply both when converting every timestamp to a common reference, normally UTC, before placing events in order.
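The normalization step described above, as an added example that is not code from the original text. Each source carries the time zone its timestamps are written in and the skew measured against a reference clock at seizure (source clock minus reference, in seconds); every raw timestamp is first interpreted in its zone and then corrected for skew before the events are sorted. The sources, skews and events are constructed: a workstation in Eastern Standard Time whose clock was found two minutes fast, an NTP-synced firewall logging in UTC, and a camera in Japan Standard Time running an hour slow. The constructed data is chosen so that the workstation's USB insertion appears after the firewall's outbound connection when only the zone is corrected, but before it once the skew is applied.

```python
"""Merge timestamps from several sources into one UTC timeline, correcting
for each source's time zone and measured clock skew.

Added example, not the original text's code. SOURCES and EVENTS are
constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Source:
    name: str
    utc_offset_hours: float   # zone the source's naive timestamps are written in
    skew_seconds: float       # (source clock - reference clock), measured at seizure

    def to_utc(self, naive_ts, apply_skew=True):
        """Interpret a naive local timestamp in this source's zone, then remove
        the skew: a clock running 120 s fast stamps events 120 s too late."""
        if naive_ts.tzinfo is not None:
            raise ValueError("expected a naive timestamp; aware ones bypass the zone")
        tz = timezone(timedelta(hours=self.utc_offset_hours))
        aware = naive_ts.replace(tzinfo=tz)
        if apply_skew:
            aware -= timedelta(seconds=self.skew_seconds)
        return aware.astimezone(timezone.utc)


def parse_ts(text):
    """Accept 'YYYY-MM-DD HH:MM:SS' with an optional fraction; return a naive datetime."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {text!r}")


def build_timeline(events, sources, apply_skew=True):
    """events: (source_name, raw_timestamp_text, description).
    Returns rows sorted by normalized UTC time; the raw value is kept so the
    report can show both what the source said and what it meant."""
    rows = []
    for src_name, raw, desc in events:
        src = sources[src_name]
        rows.append({"utc": src.to_utc(parse_ts(raw), apply_skew),
                     "source": src_name, "raw": raw, "event": desc})
    rows.sort(key=lambda r: (r["utc"], r["source"]))
    return rows


# Constructed sources: offsets and skews as they would be recorded at seizure.
SOURCES = {
    "workstation": Source("workstation", -5.0, +120.0),  # EST, 2 min fast
    "firewall": Source("firewall", 0.0, 0.0),            # UTC, NTP-synced
    "camera": Source("camera", +9.0, -3600.0),           # JST, 1 h slow
}

# Constructed events in each source's own clock and zone.
EVENTS = [
    ("workstation", "2024-01-15 09:00:30", "usb_device_inserted"),
    ("firewall", "2024-01-15 13:59:00", "outbound_connection_to_drop_site"),
    ("workstation", "2024-01-15 08:58:00", "archive_created"),
    ("camera", "2024-01-15 23:05:00", "photo_taken"),
]


def event_order(apply_skew=True):
    """Just the event names in normalized order, for comparing the two modes."""
    return [r["event"] for r in build_timeline(EVENTS, SOURCES, apply_skew)]


if __name__ == "__main__":
    for r in build_timeline(EVENTS, SOURCES):
        print(f"{r['utc'].isoformat()}  {r['source']:12s} {r['raw']}  {r['event']}")
    print("zone only:", event_order(apply_skew=False))
    print("zone+skew:", event_order(apply_skew=True))
```

Keeping the raw timestamp beside the normalized one matters in testimony: the report has to show the value the suspect system actually recorded and then explain, with the measured offset, how the corrected time was derived from it.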
