Electronic crime is difficult to investigate and prosecute. Build your case on data that remains on storage media after an attack.

Computer transactions are fast, including transactions with criminal intent. They can be conducted from anywhere, through anywhere, and to anywhere. They can be in clear text, encoded, encrypted, or anonymized. Unlike handwriting or signatures, computer transactions have no intrinsic identifying features. Perpetrators can modify or destroy any paper trail or computer records. Also, auditing programs intended to monitor transaction accuracy may automatically destroy data remnants left by computer transactions.

You can often restore the details of transactions through analysis. Even so, tying a transaction to an attacker is difficult. Attaching identifying information such as personal identification numbers does not automatically prove who was responsible for a transaction. Such information shows that whoever did it either knew or could get past those identifiers. Systems must be designed with protected methods for recording responsibility for transactions. Forensic examinations must document that those access controls were in place and functional at the time the system recorded the data.

Legal proceedings recognize three types of evidence:

In your role as forensic investigator, take these three categories of evidence into consideration to ensure that the data you collect is useful.

Follow these five rules when collecting electronic evidence:

Use the preceding five rules to derive some basic do's and don'ts of data collection:

A system should be running a system logging function. Keep these logs secure and back them up periodically. Effective system logs are time stamped, showing when each activity occurred. So, digitally sign and encrypt any logs collected to protect them from contamination.

You should copy and remove a log from the machine on which it was created. If logs are kept locally on a compromised machine, an attacker could possibly alter or delete them. Storing logs on a remote device can reduce this risk. However, it is still possible for an attacker to add decoy or junk entries to the logs prior to the date on which you copied them.

Regular auditing and accounting of a system is useful for detecting intruders. The forensic expert can draw on audit results as evidence. You can use messages and logs from programs to show what damage an attacker did. Audits and log reviews can verify the timing of when various events occurred.

Monitoring network traffic can be useful for many reasons. For example, it can help gather statistics to provide a usage profile, identify irregular activity and possibly stop an intrusion in process, and trace where an attacker is coming from and what he or she is doing. Monitoring logs as they are created can provide important information and help identify suspiciously missing information.

You can compile information gathered while monitoring network traffic into statistics to define normal behavior for a system. Then use these statistics to get early warning of an attacker's actions. In addition, monitoring the actions of users can provide early warning: Unusual activity or the sudden appearance of unknown users should trigger closer inspection.

Investigators work with two basic methods of data collection: freezing the scene and honeypotting. The two aren't mutually exclusive. It is possible to collect frozen information after or during any honeypotting.

Freezing the scene involves taking a snapshot of the system in its compromised state. The organization must notify the necessary authorities—the police and the organization's incident response and legal teams. However, the organization should avoid letting the media find out about the incident yet, if possible.

As a forensic specialist, your job is to collect whatever data is available and put it on removable nonvolatile media in a standard format. The programs and utilities you use to gather the data should also be collected onto the same media as the data. Create a cryptographic message digest for all the data you pull together, and then compare the digests to the originals for verification.

Honeypotting is the process of creating a replica system and luring an attacker into it to monitor his or her activities. A related method, sandboxing, involves limiting what an attacker can do while still on the compromised system, so you can monitor the attacker without much further damage. The placement of misleading information and the attacker's response to it is a good method for determining the attacker's motives. Either remove or encrypt any data on the system related to the attacker's detection and actions. Otherwise, the attacker can cover his or her tracks by destroying this data.

Honeypotting and sandboxing are extremely resource intensive, so they may be infeasible. They also involve legal issues such as entrapment. As in any other questionable situation, an organization should obtain legal advice before beginning honeypotting and sandboxing operations.

Depending on the computer operating system, shutting down the computer usually involves pulling the plug or shutting down a network computer by using the necessary commands. You may wish to take pictures of the screen image. However, keep in mind that destructive processes may be operating in the background. These can be in memory or available through a connected modem. Depending on the operating system involved, a password-protected screen saver may also kick in at any moment. This can complicate the computer's shutdown. Generally, time is of the essence, and you should shut down the computer system as quickly as possible.

Move the subject computer system to a secure location where you can maintain a proper chain of custody and begin processing evidence. Before dismantling the computer, it is important to take pictures of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important, so that you can easily reconnect each one when the system configuration is restored to its original condition.

Seized computers are often stored in less-than-secure locations. Both law enforcement agencies and corporations sometimes fail to properly transport and store suspect systems. It is imperative that you treat a subject computer as evidence and store it out of reach of curious computer users.

Sometimes, individuals operate seized computers without knowing that they are destroying potential evidence and the chain of custody. A seized computer left unattended can easily be compromised. Someone could plant evidence or destroy crucial evidence. Lack of a proper chain of custody can make a savvy defense attorney's day. Without a proper chain of custody, you can't ensure that evidence was not planted on the computer after the seizure.

You should be able to prove that you didn't alter any of the evidence after taking possession of a suspect computer. Such proof helps rebut allegations that the investigator changed or altered the original evidence.

Since 1989, law enforcement and military agencies have used a 32-bit mathematical process to support device authentication. Mathematically, a 32-bit validation is accurate to approximately 1 in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer accurate enough. A 32-bit cyclical redundancy check (CRC) can be compromised. Some forensic tools can mathematically authenticate data with a high level of accuracy. You can use these programs to authenticate data at both a physical level and a logical level. New Technologies, Inc. (NTI), offers two such programs: CrcMD5 and DiskSig Pro. (For more information on these tools, see http://www.forensics-intl.com.)

Modern hard drives are voluminous. It is impossible for a computer specialist to manually view and evaluate every file on a computer hard drive. Therefore, you need state-of-the-art automated forensic text search tools to help find the relevant evidence. One such tool is NTT's TextSearch NT, which is certified for use by the U.S. Department of Defense. Intelligent filtering tools can also be helpful in crafting lists of keywords for use in computer evidence processing. Some examples are NTT's NTA Stealth, Filter_N, FNames, Filter_G, GExtract, and GetHTML. (For more information on these tools, see http://www.forensics-intl.com.)

Usually some information is known about the allegations, the computer user, and any alleged associates. Gather information from individuals familiar with the case to help compile a list of relevant keywords. Then apply these keywords in a search of all computer hard drives and CDs using automated software. Keeping the list as short as possible is important, and the list should avoid common words or words that make up part of other words.

The following sections discuss three areas to search for keywords: the Windows swap file, file slack, and unallocated space.

Use the list of relevant keywords identified in the previous step to search all pertinent computer hard disk drives and removable media. Several forensic text search utilities are available in the marketplace. For example, NTT's TextSearch NT and TextSearch Plus are state-of-the-art tools that federal government intelligence agencies have validated as security review tools (see http://www.forensics-intl.com).

It is important to review the output of the text search utility. It is equally critical to document relevant findings. When you have identified relevant evidence, note the fact and then completely review the identified data for additional keywords. You should then add these new words to the original list of keywords and conduct a new search using the text search utility.

From an evidence standpoint, filenames, creation dates, and last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and "erased" files. Sort the files based on the filename, file size, file content, creation date, and last modified date and time. Such sorted information can provide a timeline of computer usage. The output should be in the form of a word processing-compatible file to help document computer evidence issues tied to specific files.

Encrypted, compressed, and graphics files store data in binary format. As a result, text search programs can't identify text data stored in these file formats. These files require manual evaluation, which may involve a lot of work, especially with encrypted files. Depending on the type of file, view and evaluate the content as potential evidence.

Reviewing the partitioning on seized hard disk drives is also important. Evaluate hidden partitions for evidence and document their existence.

With Windows operating systems, you should also evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fact that they have been selected for deletion may have some relevance from an evidentiary standpoint. If you find relevant files, thoroughly document the issues involved.

Depending on the application software involved, you may need to run programs to learn their purpose. Destructive processes tied to relevant evidence can prove willfulness on the attacker's part. Such destructive processes can be tied to hot keys or the execution of common commands linked to the operating system or applications.

When you identify issues and discover evidence, document these findings. In addition, document all the software used in a forensic evaluation of evidence, including the version numbers of the programs you use.

When appropriate, your documentation should indicate licensure to use the forensic software involved. Screen captures of the operating software also help to verify the version of the software and how you used it to find and/or process the evidence.

As part of the documentation process, include a copy of any software used for an investigation with the output of the forensic tool involved. Normally, this is done on an archive CD or an external storage device such as an external hard drive. This documentation methodology eliminates confusion about which version of the software was used to create the output. Often it is necessary to duplicate forensic-processing results during or before trial. Duplication of results can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained. Most commercial software is upgraded routinely, but it may take years for a case to go to trial. Retention of archival copies of programs should be included in software license agreements.

To reconstruct the events that led to corruption of a system, create a timeline. This can be particularly difficult when it comes to computers. Clock drift, delayed reporting, and different time zones can create confusion. Never change the clock on a suspect system. Instead, record any clock drift and the time zone in use.

Log files usually use timestamps to indicate when an entry was added. Timestamps must be synchronized to make sense within an event timeline. For example, timestamps on remote systems should be synchronized to the time of the subject computer. You should also use timestamps. After all, you are not just reconstructing events but making a chain of events that you can account for.

When analyzing backups, it is best to use a dedicated host. This examination host should be secure and clean, with a fresh, hardened installation of the operating system. Also, isolate the host from any network so that it can't be tampered with and so problems aren't accidentally sent out to other machines. Once the dedicated host system is available, you can begin analyzing the backups.

After collecting data, an organization can attempt to reconstruct the chain of events leading to and following a break-in. As an investigator, correlate all the evidence gathered. When reconstructing the attack, include all the evidence you find, no matter how small. It is possible to miss important connections or interactions if evidence is left out.