Introduction

Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success rests on verifiable and repeatable reported results that represent direct evidence of suspected wrongdoing or of potential exoneration. This article sets out a series of best practices for the computer forensics professional, practices that have proven to produce defensible results in the field. The best practices are meant to capture processes that have repeatedly proven successful in use. This is not a cookbook. Best practices are intended to be reviewed and applied according to the specific needs of the organization, the case, and the case environment.

Job knowledge

An examiner can only be so well informed when entering a field setting. In many cases the customer or the customer's representative will provide information on how many systems are involved, their specifications, and their current status, and just as often that information is critically wrong. This is especially true of hard drive sizes, laptop hacking, password hacking, and device interfaces. A seizure that returns the equipment to the lab should always be the first option, since it provides maximum flexibility. If you must act on site, create a complete work list of the information to be collected before you arrive in the field. The list should be broken into small steps with a check box for each one. The examiner must always know the next step and never have to “think on the fly”.

Overestimate

Overestimate by at least a factor of two the amount of time it will take to complete the job. This includes accessing the device, starting the forensic acquisition with the proper write-blocking strategy, completing the paperwork and chain-of-custody documentation, copying the acquired files to another device, and restoring the hardware to its initial state. Keep in mind that you may need shop manuals that show how to disassemble small devices to reach the unit, which makes hardware acquisition and restoration harder. Live by Murphy's Law: something will always challenge you and take longer than you anticipated, even if you have done it many times.

Inventory equipment

Most examiners have enough variety of equipment that they can make forensically sound acquisitions in several ways. Decide in advance how you would ideally like to acquire the site's systems. All of us will see equipment break down, or some other incompatibility get in the way, at the most critical moment. Consider bringing two write blockers and an extra mass-storage drive, wiped and ready. Between jobs, be sure to verify your equipment with a hash exercise. Recheck and inventory all your equipment against a checklist before you leave.

Flexible acquisition

Instead of trying to make “best guesses” about the exact size of the client's hard drive, bring large mass-storage devices and, if space is an issue, use an acquisition format that compresses the data. After collecting the data, copy it to a second location. Many examiners stick to the traditional acquisition: open the machine, remove the drive, place it behind a write blocker, and image it. Other acquisition methods are made available by the Linux operating system. Linux booted from a CD lets the examiner make a raw copy without altering the hard drive. Be familiar enough with the process to know how to collect hashes and the other records you need. Live acquisition is also covered later in this document. Leave the disk image with the attorney or client and take the copy to your lab for analysis.

Pull the plug

A heated debate surrounds what one should do when encountering a running machine. There are two clear options: pull the plug, or perform a clean shutdown (assuming you can log in). Most examiners pull the plug, and this is the best way to prevent any rogue process from running that could delete or wipe data, or some similar pitfall. It also preserves the swap files and other system state exactly as they were when the system last ran, so the examiner can snapshot them. Note that cutting power can also corrupt some of the files that were open on the system, making them unavailable for examination or user access. Businesses sometimes prefer a clean shutdown and should be given that option after the impact has been explained. Document how the machine was shut down; that knowledge is absolutely essential for the analysis.

Live acquisitions

Another option is a live acquisition. Some define “live” as working on the machine as-is; for this purpose it means the machine itself is running, by some means, during the acquisition. One method is to boot into a custom Linux environment that includes enough support to take a hard drive image (often among other forensic capabilities) but whose kernel is modified so that it never writes to the host computer's drives. There are also special versions that let the examiner use the Windows autorun feature to perform incident response. These require advanced knowledge of Linux and experience in computer forensics. This type of acquisition is ideal when, for reasons of time or complexity, disassembling the machine is not a reasonable option.

The basics

One surprisingly blatant oversight examiners often make is failing to boot the device once the hard drive has been removed from it. Verifying the BIOS is absolutely critical for a fully validated examination. The time and date reported by the BIOS should be recorded, especially when time zones are an issue. A wide variety of information is available depending on the manufacturer that wrote the BIOS software. Remember that drive manufacturers may also hide certain areas of the drive (host protected areas), and your acquisition tool should be able to make a full bitstream copy that takes them into account. Another key point for the examiner to understand is how the hash mechanism works: some hash algorithms may be preferable to others, not necessarily because of their technical strength but because of how they may be perceived in court.
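A concrete way to confirm that an acquisition accounts for a host protected area is to compare the drive's native sector count with its accessible count and with the size of the image you took. The script below is an added example, not from the article: the sample `hdparm -N` line is constructed in the format that tool prints on Linux, and the 512-byte sector size and drive path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): detect sectors hidden behind
# a host protected area (HPA) and check that an image covers the drive's
# native size. Sector size of 512 bytes and the hdparm line format are
# assumptions; the sample line is constructed.

set -eu

# hpa_hidden_sectors "<hdparm -N line>" -> prints native_max - accessible_max.
# hdparm -N prints " max sectors = <accessible>/<native>, HPA is enabled|disabled".
# A non-zero result means a copy of only the visible sectors is not a full
# bitstream copy. Returns 2 when the line cannot be parsed.
hpa_hidden_sectors() {
    line=$1
    accessible=$(printf '%s\n' "$line" | sed -n 's|.*= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1|p')
    native=$(printf '%s\n' "$line" | sed -n 's|.*= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\2|p')
    [ -n "$accessible" ] && [ -n "$native" ] || return 2
    echo $((native - accessible))
}

# image_covers_drive IMAGE NATIVE_MAX_SECTORS -> 0 if the image holds at least
# native_max * 512 bytes, 1 otherwise. An image taken without first removing
# the HPA is short by exactly the hidden sector count.
image_covers_drive() {
    img=$1; native=$2
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -ge $((native * 512)) ]
}

# Constructed sample output, as hdparm -N /dev/sdX (assumed path) would print
# for a drive with 2048 sectors hidden behind an HPA.
SAMPLE_HPA_LINE='max sectors   = 976771120/976773168, HPA is enabled'
```

Run against a real drive as `hpa_hidden_sectors "$(hdparm -N /dev/sdX | grep 'max sectors')"` after the write blocker is in place; record the numbers in the acquisition notes, since a later reviewer will want to see that the hidden region was identified and handled.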

Store safely

Acquired images must be stored in a protected, static-free environment. Examiners must have access to a locked safe in a locked office. Units should be stored in anti-static bags and protected with anti-static packing material or the original shipping material. Each unit must be labeled with the client's name, the attorney's office, and the exhibit number. Some examiners photocopy the unit labels if they have access to a copier during acquisition; the copies should be stored with the case documentation. At the end of the day, each unit must be linked to a chain-of-custody document, a job, and an evidence number.

Set a policy

Many clients and lawyers will push for an immediate acquisition of the computer and then sit on the evidence for months. Agree with the attorney on how long you are willing to keep the evidence in your lab, and charge a storage fee for critical or large-scale work. You may be storing critical evidence for a criminal or civil action, and while keeping a copy of the drive may seem like a good idea from a marketing perspective, from a case perspective it may be better to return all copies to the attorney or client with appropriate chain-of-custody documentation.

Conclusion

Computer examiners have many options for conducting an on-site acquisition. At the same time, on-site acquisition is the most volatile environment an examiner faces. Tools can fail, time constraints can be severe, bystanders add pressure, and suspects may be present. Examiners must be serious about maintaining their tools and continually developing their knowledge of the best technique for each situation. Using the best practices in this document, the examiner should be prepared for almost any situation that may be encountered and able to set reasonable goals and expectations for the effort at hand.
