Digital Evidence Collection Process
A. Vijayakumar
vijisbi@gmail.com
10/02/17 Anti-Forensics 2
Forensics - Overview
Rules a Piece of Evidence Must Satisfy:
Admissible – Should be Usable in Court or Elsewhere.
Authentic – Evidence Relates to the Incident in a Relevant Way.
Complete – No Tunnel Vision; Exculpatory Evidence for Alternative Suspects.
Reliable – No Question About Authenticity and Veracity.
Believable – Clear, Easy to Understand, and Believable by a Jury.
Forensics - Overview
Edmond Locard's Principle: "It is Impossible for a Criminal to Act, Especially Considering the Intensity of a Crime, Without Leaving Traces of This Presence."
Meaning: The Criminal Will Leave Something at the Scene of the Crime. At the Same Time, the Criminal Will Also Take Something Back From the Crime Scene.
Digital Forensics - Overview
Same Principles Apply to the Digital Crime
What Changes Is:
Nature of Evidence – Digital Data
Cannot be Read/ Seen With Our Eyes
Preserving and Verification Challenges
Requires Use of Special Tools
Multiplicity of Tools and Techniques
Digital Forensics - Overview
Acceptability of Tools/Techniques Used to Handle Digital Evidence – Ground Rules Laid Down in Daubert v. Merrell:
Whether the theory or technique has been reliably tested?
Whether the theory or technique has been subject to peer review and publication?
What is the known or potential rate of error of the method used?
Whether the theory or method has been generally accepted by the scientific community?
Digital Forensics - Overview
What is Digital Forensics?
Initially Referred to as Computer Forensics
Dealt With Stand Alone Systems
Evolved to Digital Forensics
Deals With Networked (LAN/ WAN) Systems
Ranging From Super Computers to Mobile Phones
Includes Tablets, Laptops, PCs, Servers, Mini Computers, Appliances with Embedded Systems (like Washing Machines, Microwave Ovens, etc.)
We Now Talk of Cyber Forensics
Deals with Above Systems Connected Through Internet
Digital Forensics - Overview
What is Digital Forensics?
With Multiple Technologies and Systems, Different Specialisations Are Required for Different Aspects
Each Specialised Area is Considered a Separate Branch of Digital Forensics
Disk Forensics – Dealing With Storage Media and Files
OS Forensics – Dealing With Operating Systems
Network Forensics – Dealing With Network Traffic & Packets
Mobile Forensics – Dealing With Mobile Phone Memory, Call Data Records, etc.
Email Forensics – Dealing With Emails, Headers, Spoofing, etc.
Internet Forensics – Dealing With Internet Related Activities, Cookies, Browsers, etc.
Digital Forensics - Overview
Approaches to Digital Forensics
Traditional “Dead Box” Approach
“Pull The Plug” Immediately Approach
• Normal Shutdown – OS Cleans up Logs/ Files
Disadvantages – Lose Critical Information
• Memory Contents, Users Info, Network Connections
• Encrypted Disk and Files
Ideal Approach – "Live Forensics"
Use Utility to Take Control of System Without Changing System Status
Ideal But NO Tool Available
Preferred Approach
Use Trusted Tools – To Extract Volatile Data
"Pull The Plug" & Image the Storage
Digital Forensics - Overview
Preferred Approach to Digital Forensics
Use Trusted Tools – To Extract Volatile Data
Run Commands to Capture User and Network Information
Image of RAM
“Logical Image” of Disks, if Encryption Found
i.e. Copy Unencrypted Files as They are
“Pull The Plug” & Image the Storage
Bit by Bit Copy of Disks
Preserves Deleted Files, Slack Spaces, etc.
Storage Write-Protected to Stop Overwriting
Digital Evidence Collection – Introduction
Digital Evidence Collection – Best Practices
A. If the Computer is Off, DO NOT Turn it On. Photograph the Computer and Scene
Capture From all Angles
Capture All Systems – Both ON and OFF, Network Connections
Capture Screens as well as Blinking Lights
Can Detect Extraneous Objects
Both Plugged In as well as Lying Around (Including Non-Electronic Items – Writing Boards, Flip Charts, USB, Cell Phones, etc.)
Console/ Monitor Screens Show Current Processes, Commands
Can Show Systems That Should be UP but are Down & Vice Versa
Can Detect Abnormal Network Connections
Can Capture Possible Biological Evidence (e.g. Blood Stains)
Digital Evidence Collection – Best Practices
B. Collect Live Data
Start With RAM Image (Live Response Locally or Remotely via F-Response)
Collect Other Live Data
Network Connection State, Logged-On Users, Currently Executing Processes, etc.
Digital Evidence Collection – Best Practices
D. Unplug the Power Cord From the Back of the Tower
If the Computer is a Laptop and Does Not Shut Down When the Cord is Removed, Then Remove the Battery
E. Diagram and Label all Cords
Mark Connections and Disconnections
F. Document all Device Model Numbers and Serial Numbers
Use Good Logical Sequence Numbers for Items
Sub-Assemblies to Show Parent’s Identity
G. Disconnect all Cords and Devices
H. Check for HPA (Host Protected Area). Then Image Hard Drives Using Helix or any Other Hardware Imager
Ensure Write Blocker is in Place
Compute Necessary Hash Values
Digital Evidence Collection – Best Practices
I. Package all Components (Using Anti-Static Evidence Bags)
Avoid Plastic Containers – Risk of Static Electricity
Additional Waterproof Packing Material
Pack in Strong Numbered Cartons (Preferably Metallic Ones)
Tight Packing to Minimise Shaking/ Rolling During Transit
Pack Mobile Phones in Signal-Blocking Material (Like Aluminium Foil, Faraday Isolation Bags, etc.)
Packing List in Each Carton – Additional Copies With Teams
Control Temperature and Humidity During Transit/ Storage
During Transportation, Packages Should Always be Monitored
Kept Away From Magnetic and Electric Fields
Transhipments – Chain of Custody Documents to be Updated
Digital Evidence Collection – Best Practices
J. Seize all Additional Storage Media (Create Respective Images and Place Original Devices in Anti-Static Evidence Bags)
Can Help in Identifying Software Newly Installed
K. Keep all Media Away From Magnets, Radio Transmitters and Other Potentially Damaging Elements
L. Collect Instruction Manuals, Documentation and Notes
M. Document all Steps Used in the Seizure
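The bit-by-bit imaging from the "Preferred Approach" slide and steps F, H and M above, as an added worked example that is not from these slides: the source is copied byte for byte and hashed in the same pass, the image is re-read and verified against those hashes, and an item/examiner/hash record is appended to a chain-of-custody log. The "device" is a constructed temporary file standing in for a write-blocked drive; the item label and examiner name are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB device never has to fit in RAM

def _copy_and_hash(src, dst, algorithms):
    """Stream src in chunks, feeding every hasher; write to dst when given."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in iter(lambda: src.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
        if dst is not None:
            dst.write(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def image_source(src_path, dst_path, algorithms=("sha1", "sha256")):
    """Bit-by-bit copy of src to dst, hashed in the same pass (no second read)."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        return _copy_and_hash(src, dst, algorithms)

def hash_file(path, algorithms=("sha1", "sha256")):
    """Independent re-read: verifies the image now and re-checks it later."""
    with open(path, "rb") as f:
        return _copy_and_hash(f, None, algorithms)

def acquire(src_path, dst_path, item, examiner):
    """Image, verify against the source hashes, then append a custody record."""
    src_hashes = image_source(src_path, dst_path)
    if hash_file(dst_path) != src_hashes:
        raise RuntimeError("image hashes differ from source: not a true copy")
    record = {"item": item, "examiner": examiner,        # step F: number, model, serial
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "source": src_path, "image": dst_path,
              "bytes": os.path.getsize(dst_path),
              "hashes": src_hashes}                      # step H: values quoted later
    with open(dst_path + ".custody.jsonl", "a") as log:  # step M: one line per action
        log.write(json.dumps(record) + "\n")
    return record

def demo():  # constructed sample: a small file stands in for a write-blocked /dev/sdX
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence_dev")
    with open(src, "wb") as f:  # zeros, a 'deleted' remnant, then 0xFF slack-like bytes
        f.write(b"\x00" * (2 * CHUNK) + b"deleted-file-remnant" + b"\xff" * 1000)
    os.chmod(src, 0o400)  # OS-level read-only only; a hardware write blocker is still needed
    return acquire(src, os.path.join(work, "item-01.dd"),
                   "item-01 <MODEL> <SERIAL>", "A. Examiner (placeholder)")
```

Re-running hash_file on the image at any later point and comparing with the logged hashes is the check that the copy has not been altered since acquisition.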
End