Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition
by Albert J. Marcella, Jr. and Doug Menendez
Taylor & Francis Group, LLC. (c) 2008. Copying Prohibited.

Reprinted for Dany Romero Sanzonetty, ISACA

Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/

All rights reserved. Reproduction and/or distribution in whole or in part in electronic, paper or other forms without written permission is prohibited.

Table of Contents
Appendix I: Questions That Every Cyber Investigator Should Ask; Before, During, and After an Investigation   1
  Overview   1
  Review of Search Warrant or Consent   1
  Preparation   2
  Where Is Seized Equipment Stored? Heat, Humidity, CMOS Battery Life, or PDA—Keep Devices Charged   2
  Fingerprinting: Must Tie the Evidence to a Person, Do Forensic First, Then Fingerprints   2
  Seize All Peripherals. Smart Keyboards, Other Devices May Have Fingerprints   3
  Look for Media in the Area of Computer, Passwords, ISP Info   3
  Photograph Scene, Computer, Monitor, Screen. Work with Digital Photos to Make Sure You Have "Evidence Grade" Pictures   3
  If Off, Leave Off. If On, Pull Plug   4
  Questions That Every Cyber Investigator Should Ask, Before, During, and After an Investigation   4
  At the Scene   5
  Upon Transport   5
Appendix I: Questions That Every Cyber Investigator Should Ask; Before, During, and After an Investigation

Overview
This appendix follows the Best Practice for the Seizure of Electronic Evidence as set forth by the National High
Tech Crime Unit and published by the Association of Chief Police Officers.

In a preliminary stage that should precede the "Discovery of Computer or Digital Equipment to be
Seized," several items need to be determined before launching the investigation. These preliminary
steps should include:

1. What is the role, in this case, of the computer that will become evidence?

2. Is it the suspect's computer? Is it a victim's computer?

3. Is it a computer that is used as an intermediate tool to commit a crime?

4. Because the lead investigator of a case is often not the individual that actually performs the
forensic analysis of the computer, what is it that the investigator is looking for?

5. What evidence is being sought? Besides simple cases of possession of child pornography,
where an investigator can easily find evidence with today's tools, the forensic analyst must
have a thorough understanding of what the lead investigator is seeking.

A good interview of the suspect is probably the most important part of the investigation besides
the actual analysis of the electronic evidence. Computer crime investigators have indicated that this
is an important fact-finding opportunity if you have a cooperative suspect.

This interview, coupled with a thorough background check, can give you insight into the technical
skills of your suspect. By using a variety of interview techniques, a skilled investigator may get a
suspect to reveal passwords and tips about unusual system configurations, and may identify the potential for
unusual circumstances like logic bombs or booby traps.

Review of Search Warrant or Consent

1. If it is consent, will it be considered valid in court?

2. Are you sure that the person giving consent is authorized to do so?

3. Is the computer that you are going to analyze the computer that you think it is?

4. Could someone have switched computers?



5. What situation will be encountered at the scene? Is the computer that is to be
seized at the incarcerated suspect's apartment, where no one else lives? Or is it a
workstation in a business?

6. If it is at a business, is the network or system administrator considered friendly and reliable?
They may be able to assist in identifying important information about their configuration. Likewise,
a suspect's betrayed spouse may give you information such as where
passwords are written down or where evidence may be hidden.

Preparation
Do not plan to image a desktop computer and show up to find a server farm. Again, proper
preliminary investigation will prevent this. Make sure you have the proper tools in order, that
policies are followed, that investigative tools are checked and validated, and that proper crime scene processing
equipment is available (camera, gloves, paper bags, anti-static bags, logs, labels).

Another important consideration is the availability of expert advice. It is doubtful that most agencies
have an efficient communication system set up with contact people for unusual
situations. The time to set up those lines of communication is not in the midst of a raid or an
emergency.

Most municipal police departments do not have the expertise on staff to handle computer crime.
They rely on county or state police agencies, or regional task forces and those resources are often
thin as well. The depth of available computer expertise for some law enforcement agencies is only
one layer deep.

Where Is Seized Equipment Stored? Heat, Humidity, CMOS Battery Life, or PDA—Keep Devices Charged
Consideration of how to move and store seized equipment is an important part of both the
preliminary stage and transportation stage of a computer crime investigation and seizure. Police
often encounter a single personal computer tower or desktop unit. But what if the seizure ends up
being dozens of computers, or large rack mounted computer equipment?

1. Where will numerous computer hardware units be stored and how can they be safely
transported? Many local police departments have limited space for evidence and that space
is not always conducive to housing electronic equipment long term.

Fingerprinting: Must Tie the Evidence to a Person, Do Forensic First, Then Fingerprints
1. What other crime scene processing is going to be done for this case?

Fingerprinting can severely damage a computer and should be done after the computer forensic
analysis is completed. But the same protections used on other crime scene items should be
afforded to computer crime scenes.


Seize All Peripherals. Smart Keyboards, Other Devices May Have Fingerprints
Many departments seize only the CPU (tower or desktop unit), leaving monitors, keyboards, and
printers behind. Each case will have to be evaluated on its own. If you are working a forgery case,
then it would be appropriate to seize the printer.

Technology keeps changing and investigators must keep up on new devices and trends. A popular
computer enthusiast magazine recently demonstrated how some USB keyboards can be modified
to fit a USB hub inside. With the addition of high capacity USB thumb drives, the modified keyboard
could conceal several gigabytes of storage.

Look for Media in the Area of Computer, Passwords, ISP Info

The investigator must make a thorough search for passwords and other documentation that will
help with the investigation. Obviously this could be a very difficult task. Many people will
write passwords down on the back of the keyboard or on a Post-it stuck to the monitor, but other people
may have concealed their passwords reasonably well, intentionally or unintentionally, in mounds of
paper and clutter on their desk.

Other things to consider are manuals and documentation for the computer, software disks, software
manuals, and retail software boxes. If you cannot seize those items, make sure they are
documented in your crime scene report. This becomes important when dealing with a suspect that
uses proprietary software (like some accounting system) or evidence cleansing programs.

The fact that a particular piece of software was at the scene may save your computer forensic
analyst a few hours of trying to figure out what those unusual files are or why usual files are not
there.

Other considerations include how the computer is connected to the outside world.

1. Is the computer hooked up to a modem? If so, what is the number?

2. Is it attached to a broadband connection? If so, who is the ISP?

3. Could there be backups of the computer you are investigating?

4. Could your suspect be technically advanced enough to use hidden networked storage
devices, control a remote system, or use iPods or Xboxes as storage devices?

Photograph Scene, Computer, Monitor, Screen. Work with Digital Photos to Make Sure You Have "Evidence Grade" Pictures
Treat this computer crime scene as any other crime scene. Do not be intimidated because it is a
computer. Get general computer experience or training until you feel comfortable with seizing
computers for evidence. This scene is no different than other crime scenes.


The e-crime scene will be secured against unauthorized access, it will be photographed, every
procedure will be documented, and a diagram of the setup will be made.

The cables will be labeled according to how they were connected. Be sure to photograph the
computer screen, making sure that the time is displayed and that any visibly identifiable
programs running are captured. Note if there is a difference between the time displayed on the computer and the
actual time.

Digital photos are suggested because it is easy to review the quality of the pictures on the spot; some
of the necessary angles may be close-up shots or may suffer from reflectivity off the monitor.

Also, treat the chain of custody of these items the same as you would for other evidence. That may
be stating the obvious, but better very safe and sure than sorry after the fact.

If Off, Leave Off. If On, Pull Plug

Serious consideration needs to be made for a networked server. If there are business applications
running, a sudden power down may cause data corruption and loss. This could have serious liability
issues for an agency, auditor or cyber forensics investigator.

Questions That Every Cyber Investigator Should Ask, Before, During, and After an Investigation …
1. Have I learned everything that I can from the suspect?

2. Do I have a sense of his or her technical skills?

3. Did he or she reveal anything about his or her set up that may help my investigation?

4. Based on his or her background and interview, do I have to be concerned with booby traps?

5. Does he or she use passwords in protecting the computer?

6. Is the computer networked, and if so, could he or she be using unusual devices to store
data?

7. If the computer is in a work environment, is there someone there that will be in a position to
assist me?

8. Is the search warrant accurate?

9. Is the consent valid, and does everything check out (computer ownership can be validated,
the person giving consent is who they claim to be, and they have the right to give consent)?

10. Have I prepared for unusual circumstances by setting up lines of communication in
advance?


11. Do I have MOUs (Memoranda of Understanding) with agencies that can assist me?

12. Have I prepared for physically transporting any evidence collected at the scene, and do I
have the ability to maintain secured storage of that evidence?

13. If I am doing an onsite image, have I properly prepared my tools (performed checks and
validations)? Do I have "clean" media to image to? Am I prepared for things like using
different adapters? Do I have items such as anti-static bags or other appropriate storage
materials?

14. Does my investigation follow my department's policy for computer forensic investigations?

15. Does my investigation follow good forensic methodologies that are widely accepted and will
it stand up to judicial review?

At the Scene …
1. Did I take photographs of the scene, both general shots of the layout and specific shots such as
how the peripherals are hooked up to the back of the computer, and of the screen, including the
time and any visibly identifiable programs running?

2. Did I document who was on scene and anyone else who had access to the computer?

3. Have I properly documented and logged activities?

4. Did I document and label the configuration of peripheral connections?

5. Did I search for and document other items of interest in the area, such as the actual time,
program manuals, program disks, and potential passwords?

6. Will I need to take extra care to preserve fingerprint or other trace evidence?

7. Will I need to take just the CPU, or does the case dictate that the monitor, keyboard, printer,
and other equipment be seized as well?

8. Are there others available to interview to determine unusual circumstances, passwords, or
potentially hidden evidence?

Upon Transport …
1. If I have a large number of CPUs or rack-mounted equipment, where will these items be
stored and how will they be securely transported?


2. Has a defensible chain of custody for the evidence been maintained?
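Three of the checklist items above are mechanical enough to script: confirming that target media is "clean" before imaging (question 13), recording the offset between the seized machine's displayed clock and a trusted clock (the screen photograph), and keeping a chain-of-custody record whose image hashes can be re-verified after transport (Upon Transport, question 2). The following Python is an added example written for this appendix, not code from the book or its authors; the file names, item number, custodian names and sample data are all constructed, and plain file copies stand in for the real media and image files an examiner would handle.

```python
"""Evidence-handling helpers (added example; all names and data constructed)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media and images in 1 MiB blocks


def is_wiped(path):
    """Target media is 'clean' only if every readable byte is zero, so nothing
    left over from a previous case can end up inside the new image."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if any(block):  # any non-zero byte means the media was not wiped
                return False
    return True


def sha256_file(path):
    """Hash an image so its integrity can be re-checked after transport."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def clock_offset_seconds(displayed, reference):
    """Seconds by which the seized machine's displayed clock leads a trusted
    reference clock (negative if it lags); record it with the screen photo."""
    return (displayed - reference).total_seconds()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, action, custodian, when=None, **details):
        entry = {"item": self.item_id, "action": action, "custodian": custodian,
                 "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
                 **details}
        self.entries.append(entry)
        return entry

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def verify_image(image_path, acquisition_hash, custodian, log):
    """Re-hash an image and compare with the hash taken at acquisition; the
    outcome is logged either way, so a failed check is itself on record."""
    current = sha256_file(image_path)
    ok = current == acquisition_hash
    log.record("integrity check", custodian, sha256=current, match=ok)
    return ok


def demo():
    """Run the checks on constructed files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, "clean_target.bin")
    reused = os.path.join(tmp, "reused_target.bin")
    image = os.path.join(tmp, "item001.img")
    with open(clean, "wb") as f:
        f.write(b"\x00" * 4096)
    with open(reused, "wb") as f:
        f.write(b"\x00" * 4000 + b"leftover" + b"\x00" * 88)  # old residue
    with open(image, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE CONTENT\n" * 100)

    t_ref = datetime(2008, 1, 15, 9, 0, tzinfo=timezone.utc)         # trusted clock
    t_screen = datetime(2008, 1, 15, 9, 4, 30, tzinfo=timezone.utc)  # as photographed

    log = CustodyLog("ITEM-001")
    log.record("seized", "Officer A (constructed)", when=t_ref, location="scene",
               clock_offset_s=clock_offset_seconds(t_screen, t_ref))
    acq_hash = sha256_file(image)
    log.record("imaged", "Examiner B (constructed)", sha256=acq_hash,
               target_wiped=is_wiped(clean))
    intact = verify_image(image, acq_hash, "Examiner B (constructed)", log)

    with open(image, "ab") as f:  # simulate damage or tampering in transit
        f.write(b"!")
    after_tamper = verify_image(image, acq_hash, "Examiner B (constructed)", log)

    return {"clean_target_wiped": is_wiped(clean),
            "reused_target_wiped": is_wiped(reused),
            "clock_offset_seconds": clock_offset_seconds(t_screen, t_ref),
            "image_verified": intact,
            "tampered_image_verified": after_tamper,
            "log_entries": len(log.entries),
            "log_json": log.to_json()}


if __name__ == "__main__":
    print(demo()["log_json"])
```

Running the file prints the JSON custody log for the constructed item: a seizure entry carrying the 270-second clock offset, an imaging entry with the acquisition hash and the wipe check, a passing integrity check, and then a failing one after the image was altered. Keeping the failed check in the log rather than discarding it is the point of the design: the record must show what was found, not only what went well.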

This appendix was prepared for this text by Brian O'Neil, president of Confidential Computers, 857
Carriage Hills Drive, St. Peters, MO 63304, (314) 210-4400, Brianoneil@charter.net, brian@
confidentialcomputers.com, used with permission.
