
Digital Evidence Collection

A. Vijayakumar
vijisbi@gmail.com

15 Sep 2019 Digital Evidence Collection 1


Forensics - Overview
- Forensics: From Latin ‘Forensis’
- Meaning: Discussion
- Current Definition of Forensics: ‘Process of Using Scientific Knowledge for Collecting, Analyzing, And Presenting Evidence to the Courts’
- Deals Primarily With the Recovery and Analysis of Latent Evidence
- Traditional Crimes – Fingerprints, Blood Stains, DNA

10/02/17 Anti-Forensics 2
Forensics - Overview
- Rules a Piece of Evidence Must Satisfy:
  • Admissible – Should be Usable In Court or Elsewhere.
  • Authentic – Evidence Relates to Incident in a Relevant Way.
  • Complete – No Tunnel Vision, Exculpatory Evidence for Alternative Suspects.
  • Reliable – No Question About Authenticity and Veracity.
  • Believable – Clear, Easy to Understand, and Believable by a Jury

Forensics - Overview
- Edmond Locard’s Principle: "It is Impossible for a Criminal to Act, Especially Considering the Intensity of a Crime, Without Leaving Traces of This Presence."
- Meaning: Criminal Will Leave Something at the Scene of the Crime. At The Same Time, Criminal Will Also Take Something Back From the Crime Scene.

Digital Forensics - Overview
- Same Principles Apply to the Digital Crime
- What Changes is
  • Nature of Evidence – Digital Data
  • Cannot be Read/ Seen With Our Eyes
  • Preserving and Verification Challenges
  • Requires Use of Special Tools
  • Multiplicity of Tools and Techniques

Digital Forensics - Overview
- Acceptability of Tools/ Techniques Used to Handle Digital Evidence – Ground Rules Laid Down in Daubert v. Merrell:
  • Whether the theory or technique has been reliably tested?
  • Whether the theory or technique has been subject to peer review and publication?
  • What is the known or potential rate of error of the method used?
  • Whether the theory or method has been generally accepted by the scientific community?

Digital Forensics - Overview
- What is Digital Forensics?
  • Initially Referred to as Computer Forensics – Dealt With Stand Alone Systems
  • Evolved to Digital Forensics – Deals With Networked (LAN/ WAN) Systems, Ranging From Super Computers to Mobile Phones
  • Includes Tablets, Laptops, PCs, Servers, Mini Computers, Appliances with Embedded Systems (like Washing Machines, Micro-ovens, etc.)
  • We Now Talk of Cyber Forensics – Deals with Above Systems Connected Through Internet

Digital Forensics - Overview
- What is Digital Forensics?
  • With Multiple Technologies and Systems, Different Specialisations Required for Different Aspects
  • Each Specialised Area is Considered a Separate Branch of Digital Forensics
- Disk Forensics – Dealing With Storage Media and Files
- OS Forensics – Dealing With Operating Systems
- Network Forensics – Dealing With Network Traffic & Packets
- Mobile Forensics – Dealing with Mobile Phone Memory, Call Data Records, etc.
- Email Forensics – Dealing with Emails, Headers, Spoofing, etc.
- Internet Forensics – Dealing with Internet Related Activities, Cookies, Browsers, etc.
Digital Forensics - Overview
- Approaches to Digital Forensics
- Traditional “Dead Box” Approach
  • “Pull The Plug” Immediately Approach
  • Normal Shutdown – OS Cleans up Logs/ Files
  • Disadvantages – Lose Critical Information: Memory Contents, Users Info, Network Connections, Encrypted Disk and Files
- Ideal Approach – “Live Forensics”
  • Use Utility to Take Control of System Without Changing System Status
  • Ideal But NO Tool Available
- Preferred Approach
  • Use Trusted Tools – To Extract Volatile Data
  • “Pull The Plug” & Image the Storage
Digital Forensics - Overview
- Preferred Approach to Digital Forensics
- Use Trusted Tools – To Extract Volatile Data
  • Run Commands to Capture User and Network Information
  • Image of RAM
  • “Logical Image” of Disks, if Encryption Found, i.e. Copy Unencrypted Files as They are
- “Pull The Plug” & Image the Storage
  • Bit by Bit Copy of Disks
  • Preserves Deleted Files, Slack Spaces, etc.
  • Storage Write-Protected to Stop Overwriting

Digital Evidence Collection - Introduction

- Collection Based on the Life Expectancy of the Evidence
- Order of Volatility of Evidence
  • CPU, Cache and Register Content (Most Volatile)
  • Routing Table, ARP Cache, Process Table, Kernel Statistics
  • Memory
  • Temporary File System / Swap Space
  • Data on Hard Disks and Other Media
  • Remotely Logged Data
  • Data Contained on Archival Media (Least Volatile)
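The "run commands to capture user and network information" step of the preferred approach, carried out in the order of volatility from the list above, as an added example that is not part of the slides: a minimal live-response collector that writes each command's output to its own file and records a SHA-256 hash of every output so the collection can be verified later. It assumes a Linux host with POSIX sh and GNU coreutils (sha256sum); the RAM image is taken separately with a dedicated tool, and commands missing on the host are noted in the manifest rather than silently skipped.

```sh
#!/bin/sh
# Added example, not from the slides: live-response collector ordered by volatility.
# Assumes POSIX sh on Linux with sha256sum (GNU coreutils) available.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# collect_volatile OUTPUT_DIR  -> prints the SHA-256 of the manifest, returns 0 on success
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 2
    manifest="$out/manifest.txt"
    : > "$manifest"
    # Most to least volatile: routing table and ARP cache, process table, kernel
    # statistics, socket state, logged-on users, mounts. Each entry is "name|command";
    # all commands are standard Linux utilities.
    set -- \
        "01_collection_time|date -u +%Y-%m-%dT%H:%M:%SZ" \
        "02_uptime|uptime" \
        "03_routing_table|ip route" \
        "04_arp_cache|ip neigh" \
        "05_process_table|ps -eo pid,ppid,user,lstart,cmd" \
        "06_kernel_stats|cat /proc/loadavg" \
        "07_network_state|ss -tunap" \
        "08_logged_on_users|who" \
        "09_mounts|cat /proc/mounts"
    for entry in "$@"; do
        name=${entry%%|*}
        cmd=${entry#*|}
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            # Tool absent on this host: record the gap instead of leaving it silent.
            printf '%s\tSKIPPED\t%s not found\n' "$name" "$tool" >> "$manifest"
            continue
        fi
        # Capture stdout and stderr together; the exit status is logged, not hidden.
        if $cmd > "$out/$name.txt" 2>&1; then rc=0; else rc=$?; fi
        printf '%s\t%s\trc=%s\n' "$name" "$(sha256_of "$out/$name.txt")" "$rc" >> "$manifest"
    done
    # The manifest hash is what goes into the chain-of-custody notes.
    sha256_of "$manifest"
}
```

Run it as `collect_volatile /mnt/evidence/live_hostname` from a trusted shell, and note the printed manifest hash in the seizure documentation.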

Digital Evidence Collection – Best Practices
A. If the Computer is off, DO NOT Turn it on. Photograph the Computer and Scene
  • Capture From all Angles
  • Capture All Systems – Both ON and OFF, Network Connections
  • Capture Screens as well as Blinking Lights
  • Can Detect Extraneous Objects – Both Plugged in as well as Lying Around (Including Non-Electronic Items – Writing Boards, Flip Charts, USB, Cell Phones, etc.)
  • Console/ Monitor Screens Show Current Processes, Commands
  • Can Show Systems That Should be UP but are Down & Vice Versa
  • Can Detect Abnormal Network Connections
  • Can Capture Possible Biological Evidence (e.g. Blood Stains)

Digital Evidence Collection – Best Practices
B. Collect Live Data
  • Start With RAM Image (Live Response Locally or Remotely via F-Response)
  • Collect Other Live Data – Network Connection State, Logged on Users, Currently Executing Processes, etc.

C. If Hard Disk Encryption Detected – Collect "logical image" of Hard Disk using dd.exe, Helix – Locally or Remotely via F-Response

Digital Evidence Collection – Best Practices
D. Unplug the Power Cord From the Back of the Tower
  • If the computer is a laptop and does not shut down when the cord is removed, then remove the battery
E. Diagram and Label all Cords
  • Mark Connections and Disconnections
F. Document all Device Model Numbers and Serial Numbers
  • Use Good Logical Sequence Numbers for Items
  • Sub-Assemblies to Show Parent’s Identity
G. Disconnect all Cords and Devices
H. Check for HPA. Then Image Hard Drives Using Helix or any Other Hardware Imager
  • Ensure Write Blocker is in Place
  • Compute Necessary Hash Values
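Step H (image the drive behind a write blocker and compute the hash values) and the dd-based imaging in step C, as an added example that is not part of the slides: a raw bit-by-bit acquisition with dd, SHA-256 of source and image compared, a tab-separated chain-of-custody record appended, and a re-check function that fails if the image is altered afterwards. It assumes a Linux host with POSIX sh, dd, awk and GNU coreutils (sha256sum), and that a hardware write blocker sits between the evidence drive and this host; the function and record names are this example's own.

```sh
#!/bin/sh
# Added example, not from the slides: dd acquisition with hash verification and a
# chain-of-custody record. Assumes POSIX sh, dd, awk and sha256sum on Linux, and a
# hardware write blocker in front of the evidence drive.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_and_verify SOURCE IMAGE CUSTODY_LOG [EXAMINER]
# Returns 0 only if the image hashes identically to the source.
image_and_verify() {
    src="$1"; img="$2"; log="$3"; examiner="${4:-examiner}"
    # Bit-by-bit copy. conv=noerror,sync carries on past unreadable sectors and zero-fills
    # them so offsets in the image stay aligned with the source; dd's record counts are
    # kept in a side log next to the image. A whole device is always a multiple of the
    # 512-byte block size, so padding does not change the hash for device sources.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2> "$img.ddlog" || return 2
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    # One tab-separated custody record per acquisition: when, who, source, image, hashes.
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$examiner" "$src" "$img" \
        "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE CUSTODY_LOG
# Re-hashes the image and compares it with the hash recorded at acquisition; any later
# change to the image, even a single byte, makes this return non-zero.
verify_image() {
    img="$1"; log="$2"
    expected=$(awk -F'\t' -v p="$img" '$4 == p { h = $6 } END { print h }' "$log")
    [ -n "$expected" ] && [ "$(sha256_of "$img")" = "$expected" ]
}
```

Typical use is `image_and_verify /dev/sdb /mnt/evidence/item07.dd /mnt/evidence/custody.tsv "A. Examiner"` at seizure time and `verify_image /mnt/evidence/item07.dd /mnt/evidence/custody.tsv` whenever the image changes hands.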
Digital Evidence Collection – Best Practices
I. Package all Components (Using Anti-Static Evidence Bags)
  • Avoid Plastic Containers – Risk of Static Electricity
  • Additional Waterproof Packing Material
  • Pack in Strong Numbered Cartons (Preferably Metallic Ones)
  • Tight Packing to Minimise Shaking/ Rolling During Transit
  • Pack Mobile Phones in Signal-Blocking Material (Like Aluminium Foil, Faraday Isolation Bags, etc.)
  • Packing List in Each Carton – Additional Copies With Teams
  • Control Temperature and Humidity During Transit/ Storage
  • During Transportation, Packages Should Always be Monitored
  • Kept Away From Magnetic and Electric Fields
  • Transhipments – Chain of Custody Documents to be Updated

Digital Evidence Collection – Best Practices
J. Seize all Additional Storage Media (Create Respective Images and Place Original Devices in Anti-Static Evidence Bags)
  • Can Help in Identifying Software Newly Installed
K. Keep all Media Away From Magnets, Radio Transmitters and Other Potentially Damaging Elements
L. Collect Instruction Manuals, Documentation and Notes
M. Document all Steps Used in the Seizure

End
