101 Incident Response and Digital Forensics
to write zeros over every bit of a drive. This is not an exhaustive list of items,
but it gives you an idea of what types of things need to be considered when
preparing for a digital forensic investigation.
5.4.2 Collection
Part of the evidence collection is to document the scene. This includes documenting things like the make and model of the devices under investigation as well as photographing the surroundings. For example, the investigator may take a photo of the screen to show what was happening when the scene was entered. In addition, the investigator may check the task bar and take a photo of the applications that are running and maximized. If the investigator is subpoenaed to come to court, one of the things the lawyer may do is attempt to cast doubt on his or her credibility. The lawyer may ask the color of the door to the office where the computer resided. If the investigator says brown and it was dark blue, that will be strike one.
Once the scene is documented, the electronic data need to be dealt with. In responding to an incident thirty years ago, a forensic investigator would not have thought twice about the “pull the plug” method, which means shutting the machine down, bringing it back to a lab, and duplicating the hard drive. Due to the increased complexity of today’s computing, the investigator’s response is not the same for every incident, so powering the machine down right away may not be in the best interest of the investigation. (Note: taking it off the network is a good idea to avoid further damage.) The reason that the computer should not be turned off is that the volatile data (e.g., running processes or network connections) are lost. In addition, there is a risk that a rogue application may start a malicious attack when a shutdown is detected. Even the duplication step has changed. Not only have hard drive sizes increased considerably, but the server that needs to be analyzed may also be on the other side of the world!
I am not saying that the plug is never pulled; rather, the decision is not black and white anymore. Accordingly, there are a few ways to approach live data collection: focusing on the collection of the volatile data only, collecting volatile data AND log files (e.g., IDPS, router, firewall), or conducting a full investigation by collecting everything (a forensic duplication where every bit of data is copied). A duplication (or disk image) is necessary if court proceedings are imminent. The image is stored on an external drive, or you may send it over the network using a network utility such as netcat or cryptcat. Netcat is a networking utility that reads and writes data across a network connection. Cryptcat is Netcat with encryption. Never use the suspect system to do any analysis. Doing so will overwrite evidence.
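The duplication step above, as an added example that is not from the book: a small POSIX shell toolkit that copies a drive (or, for practice, an ordinary file) bit for bit with `dd`, records SHA-256 digests of the source and the copy as the chain-of-custody manifest, and re-verifies a stored image before analysis. The network variant wraps the same copy in netcat; it assumes GNU coreutils and OpenBSD-style `nc -l PORT` syntax (traditional netcat wants `nc -l -p PORT`), and the host address and port in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not the book's code): forensic duplication with integrity
# verification. Assumes GNU coreutils (dd, sha256sum) and OpenBSD-style nc.

# acquire_image SRC DEST  -- copy SRC bit-for-bit into DEST and record digests.
# Returns 0 only when the digest of DEST matches the digest of SRC.
acquire_image() {
    src="$1"; dest="$2"
    # 512-byte blocks: conv=noerror,sync keeps reading past a bad sector and
    # pads only that sector with zeros; a larger bs would zero a whole block
    # and could pad the end of the image if the device size is not a multiple.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dest_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    # The manifest travels with the image: line 1 is the source, line 2 the copy.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dest_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$dest_hash" ]
}

# verify_image DEST  -- re-check a stored image against its manifest later
# (e.g. before analysis, or in court) so tampering or bit rot is detected.
verify_image() {
    dest="$1"
    expected=$(sed -n '2p' "$dest.sha256" | cut -d' ' -f1)
    actual=$(sha256sum "$dest" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Network variant (placeholder host/port). On the analyst workstation:
#   receive_image 9999 disk.img
# then on the suspect system, using binaries from the trusted USB toolkit:
#   send_image /dev/sda ANALYST_IP 9999
# Replace "nc" with "cryptcat" (plus its shared key) when the copy must be
# encrypted in transit. Hash the received file afterwards with verify_image
# against a manifest produced from the source by sha256sum on the suspect side.
receive_image() { nc -l "$1" > "$2"; }
send_image()    { dd if="$1" bs=512 conv=noerror,sync 2>/dev/null | nc "$2" "$3"; }
```

The source digest is computed from the device itself, so the comparison proves the copy is faithful at acquisition time; the stored manifest lets anyone later show the image has not changed since.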
For example, if the incident merits collecting the volatile data, the investigator may run a script from a USB drive on the suspect machine. The script will run different commands to determine the following: open ports, who is logged on to the system, dates/times, running processes, applications running on certain ports, unauthorized user accounts and privileges, etc.
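A volatile-data collection script of the kind just described, as an added example that is not the book's: it captures the items the passage lists (date/time, logged-on users, connections and listening ports with their owning process, running processes, accounts and privileged groups) into a case directory, logs the exit status of every step, and hashes everything it produced. It assumes a Linux host with GNU coreutils; `ss`, `who`, `last`, `ps` and `getent` are optional and are noted as missing rather than stopping the run.

```shell
#!/bin/sh
# Added example (not the book's code): live volatile-data collection intended
# to run from a trusted USB toolkit. Assumes GNU coreutils on Linux.

# run_step NAME CMD...  -- run one command, keep its output in NAME.txt and log
# the exit status. A missing or failing tool must never abort the collection.
run_step() {
    name="$1"; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$name skipped: $1 not found" >> "$CASE_DIR/collection.log"
        return 0
    fi
    if "$@" > "$CASE_DIR/$name.txt" 2>&1; then status=0; else status=$?; fi
    echo "$name exit=$status" >> "$CASE_DIR/collection.log"
}

# collect_volatile CASE_DIR  -- most short-lived data first (clock, connections,
# processes), account data last. Prints the number of files hashed.
collect_volatile() {
    CASE_DIR="$1"
    mkdir -p "$CASE_DIR"
    : > "$CASE_DIR/collection.log"
    run_step date       date -u '+%Y-%m-%dT%H:%M:%SZ'   # collection time, UTC
    run_step uptime     uptime
    run_step hostname   hostname
    run_step who        who -a                           # who is logged on
    run_step last       last -n 20                       # recent logins
    run_step sockets    ss -tunap                         # connections, listening ports, owning process
    run_step processes  ps -eo pid,ppid,user,lstart,etime,args
    run_step accounts   getent passwd                     # look for unexpected or UID-0 accounts
    run_step privileged getent group sudo wheel           # who holds elevated privileges
    write_manifest "$CASE_DIR"
}

# write_manifest CASE_DIR  -- SHA-256 of every collected file so the set can be
# shown unchanged later; prints the number of manifest lines.
write_manifest() {
    dir="$1"
    ( cd "$dir" && ls -1 *.txt collection.log | xargs sha256sum ) > "$dir/manifest.sha256"
    wc -l < "$dir/manifest.sha256"
}
```

Run it as `collect_volatile /media/usb/case-0001` with the output directory on the toolkit drive, not on the suspect disk, so nothing of evidentiary value is overwritten; `sha256sum -c manifest.sha256` in that directory later confirms the captured files are intact.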