Chapter 7 Data Acquisition: Never Work on the Original


Chapter 7 Data Acquisition

Never Work on the Original
  • Make forensically sound copies
  • Keep a master copy and make several working copies
  • Calculate a hash value of each copy and make sure they match
  • Each copy must have a unique identifier

Order of Volatility
  • RAM
  • Temporary files
  • Local disks
  • External storage media
  • Network attached storage (NAS or SAN)
  • Archival backups

Memory and Running Processes
  • Memory can hold passwords
  • Can be difficult to extract, but in a pinch may be all you have
  • Running processes can identify malware running on the system
  • Routing tables can be extracted from memory
  • Network connections reside in RAM

Capturing Memory
  • Memory is a device
  • Memory can be dumped into a file
  • The amount of memory captured may be different from the amount of installed RAM
  • Some utilities capture device cache memory
  • Some utilities don't capture installed RAM devoted as a device cache

Memory Capture Utilities
  • Most commercial forensic suites offer memory capture capability
  • DD utility (both Windows and Linux)
  • Dumpit
  • Memoryze

Memory Capture Tips
  • Keep your memory footprint to a minimum
  • Run from a flash drive if possible
  • Copy the memory image to an external device
  • Make sure the device capturing the image can handle large files
    • Computers today have large amounts of RAM
    • Many USB drives continue to be formatted to FAT32 (4GB maximum file size)

Memory Capture Procedures
  • Start the documentation process
  • Run a batch file that collects user information, network connections, time/date, and open files
  • Collect a memory dump
  • Copy the paging file
  • Copy any hibernation files

Media Capture
  • Document everything
  • Use a forensic write-blocker when copying any data
  • Do NOT use standard copy utilities to make copies
  • Store all images on forensically sound media

Disk Image File Formats
  • DD images (bit-for-bit)
  • Expert Witness Format (EWF)
  • Advanced Forensic Format (AFF)
  • Safeback (by NTI)
  • ILook Imager
  • ProDiscover file format

Chapter 6 First Response and the Digital Investigator

Forensics and Computer Science
  • Just what does "forensics" mean? Suitable for presentation in court
  • Digital forensics combines legal process with technology
  • The job of the digital forensic investigator
    • NEVER do harm to the investigation
    • Acquire evidence from computer devices that can be used as evidence

Locard's Principle
  • If you touch it, you change it
  • Whatever a criminal touches, there is evidence to be found
  • Whatever an investigator touches, there is evidence to be destroyed
  • BUT… changing the evidence does not necessarily render it unusable

Characteristics of Evidence
  • Class characteristics
    • A large group can share the same characteristic
    • Used to narrow the search pattern
  • Individual characteristics
    • A descriptive element that is unique to a sample
    • Colors are not unique, but serial numbers are

Digital Versus Physical Evidence
  • A paper document is physical
    • May carry fingerprints or chemical elements to analyze
    • Will not prove who created it
    • Will not carry metadata for further analysis
  • A digital document has the metadata and can be traced to the owner
  • They are not the same piece of evidence

Digital Media
  • A paper document that is burned is gone for good
  • A digital document that is deleted can be restored
  • Digital sources carry evidence of the document other than the document itself
    • File system metadata
    • Registry entries
    • Temporary files

First on the Scene
  • Always find out who is in charge before you begin
    • It will never be you
    • There might be multiple "owners" of the scene
  • Secure the scene
    • People's safety first
    • Integrity of the evidence next
  • Identify potential sources of evidence

Document the Scene
  • Take a LOT of photographs
    • Always carry a digital camera
    • Try to make it a point to also carry a video camera
  • Make an inventory of all potential devices that might contain evidence (start a chain of custody)
  • Make notes on your observations (and remember that they can be subpoenaed)

Identifying Data Sources
  • Obvious sources: computers, PDAs, cell phones, external drives, CDs, other media
  • Less obvious sources

Less Obvious Sources
  • Digital cameras and video recorders
  • Game machines
  • Digital audio recorders
  • Printer/fax machines
  • Answering machines
  • Owner's manuals may point to sources not present

Handling Evidence
  • Identify and photograph the evidence
  • Document the evidence (make, model, S/N, etc.)
  • Package the evidence for transport
    • Should you block signals?
    • Should power be maintained?
  • Transport the evidence safely and securely
  • Store the evidence safely and securely

Chain of Custody
  • Must identify the material in a way unique to that individual item
  • One of the most critical pieces of documentation
  • Follows each piece of evidence around everywhere it goes
  • Must be updated each time it moves or changes hands

Documenting Evidence
  • Where was it found?
  • What state was it in?
  • What time and on what date was it collected?
  • Give a physical description of the evidence
    • Type of device
    • Capacity, condition, etc.
    • Identify make, model, S/N if applicable

Packaging Evidence
  • Protect from impact
  • Protect from electromagnetic radiation
  • Protect from extreme temperature and moisture
  • Protect from tampering
  • Make sure it is clearly labeled

Transporting Evidence
  • Never assume that a computer is stand-alone
  • Determine if it should remain powered up
  • If it must be shut down, document the state of the computer before breaking it down
    • What application was active?
    • Running processes (if possible)
    • Network connections (if possible)
  • Protect portable devices and media from external corruption

Storing Evidence
  • Chain of custody rules apply to storage
  • Log in/log out must include who, what, when, where, and why
  • Rules of protection during transport apply equally to storage
  • Access to storage must be limited and monitored

Disposition of Evidence
  • When the job is done, evidence must be destroyed or returned
  • All contraband must be destroyed, regardless of provenance
  • Private or intellectual property may be either returned or destroyed, depending on the courts
  • If destroyed, the material must be rendered completely unrecoverable
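A worked example of the copy-and-verify rule above, added here and not taken from the chapter: it makes working copies of a master image, gives each copy a unique identifier, verifies every copy's SHA-256 against the master before accepting it, and refuses to write an image larger than a FAT32 destination can hold. The file names, the identifier scheme and the seeded sample image are assumptions.

```python
import hashlib
import random
import tempfile
import uuid
from pathlib import Path

CHUNK = 1024 * 1024               # read/write block size; the copy is still bit-for-bit
FAT32_MAX_FILE = 4 * 1024**3 - 1  # largest file FAT32 can hold (the "4GB" limit in the slides)

def sha256_of(path: Path) -> str:
    """Hash a file block by block so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def make_working_copies(master: Path, out_dir: Path, count: int = 2,
                        max_file: int = FAT32_MAX_FILE) -> list[dict]:
    """Copy the master image `count` times, give every copy a unique identifier and
    verify each copy's hash against the master before accepting it. Refuses to start
    if the image exceeds the destination's file-size limit (FAT32 by default)."""
    size = master.stat().st_size
    if size > max_file:
        raise ValueError(f"image is {size} bytes but the destination limit is {max_file}")
    master_hash = sha256_of(master)
    records = []
    for n in range(1, count + 1):
        copy_id = f"{master.stem}-wc{n:02d}-{uuid.uuid4().hex[:8]}"  # unique per copy (assumed scheme)
        dest = out_dir / f"{copy_id}{master.suffix}"
        with master.open("rb") as src, dest.open("wb") as dst:
            for block in iter(lambda: src.read(CHUNK), b""):
                dst.write(block)
        copy_hash = sha256_of(dest)
        if copy_hash != master_hash:      # an unverified copy never enters the case
            dest.unlink()
            raise RuntimeError(f"hash mismatch on {dest}")
        records.append({"id": copy_id, "path": str(dest), "sha256": copy_hash})
    return records

def demo(image_bytes: int = CHUNK + 17, max_file: int = FAT32_MAX_FILE):
    """Build a constructed (not real) master image of seeded pseudo-random bytes in a
    temp directory; return its hash and the records of two verified working copies."""
    work = Path(tempfile.mkdtemp(prefix="acq-"))
    master = work / "master.dd"
    master.write_bytes(random.Random(7).randbytes(image_bytes))
    return sha256_of(master), make_working_copies(master, work, count=2, max_file=max_file)
```

The returned records (identifier, path, hash) are the minimum a chain-of-custody sheet needs for each working copy; the master hash is recorded once and every later copy is checked against it.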

Paper for the Above Instruction

Digital forensics entails meticulous processes geared toward the collection, preservation, and analysis of electronic evidence, ensuring its integrity for potential court presentation. The foundational principle emphasizes that one should never work on the original data; instead, forensically sound copies must be created and verified through hashing to maintain integrity. This process involves generating hash values for each copy and ensuring they match, thereby confirming that the copies are identical and unaltered. Multiple copies, each uniquely identified, are essential in forensic investigations to prevent contamination of the original evidence and allow for detailed analysis without risking data loss or corruption.

A critical aspect of data acquisition involves understanding and prioritizing evidence based on the order of volatility. This is essential because different types of evidence—in particular, volatile data like RAM, temporary files, and network connections—can be lost if not promptly captured. RAM, for instance, may contain passwords, malware, network routing tables, and active network connections, all of which are crucial for understanding ongoing activity on a suspect machine. Memory can be dumped into a file using specialized utilities such as FTK Imager, Memoryze, or the DD utility, with the process documented thoroughly to ensure the chain of custody and evidentiary validity. Because the amount of memory captured may differ from the amount of installed RAM, and because modern systems carry large amounts of it, the capture tool should keep its own memory footprint to a minimum, run from portable media where possible, and write to an external device whose file system can hold the resulting image (FAT32, still common on USB drives, caps files at 4 GB).

In addition to memory, other volatile and non-volatile evidence sources include the system's paging files, hibernation files, and external media devices such as USB drives and optical discs. Proper procedures involve documenting all collection steps, using write-blockers to prevent unintentional modifications, and storing images on forensically sound media in a forensic image format, such as a raw DD image or Expert Witness Format (EWF), to preserve bit-for-bit integrity. These images facilitate analysis while preserving the original evidence in a pristine state. Proper storage, labeling, and transportation of evidence are paramount, ensuring the chain of custody is maintained at each stage to establish a clear trail from collection to court presentation.

Furthermore, digital forensic investigators are tasked not only with acquisition but also with securing the scene and understanding the context from which evidence arises. The initial response involves establishing who is in charge, securing the scene, and identifying both obvious and less obvious data sources. Devices such as computers, mobile phones, external drives, and even less conventional sources like game consoles or digital cameras, may contain valuable evidence. Photographing, cataloging, and making detailed notes about each device, including make, model, serial number, and physical condition, help in building a comprehensive chain of custody and safeguard the integrity of the evidence.

During handling, evidence must be carefully documented, packaged, and transported in a manner that prevents damage, tampering, and external contamination. Whether power is maintained during transport depends on the evidence type; often, the best practice is to preserve the original condition by documenting all active states before any shutdown procedures. Proper labeling and secure storage are crucial, and stored evidence must be accessible only to authorized personnel, with explicit records of each transfer or handling operation.

Finally, the disposition of evidence, whether it is ultimately destroyed or returned, must adhere to legal and procedural standards. Contraband or illegal items are destroyed to prevent misuse, while other evidence may be returned or disposed of in accordance with court orders. Throughout these processes, the overarching goal of digital forensics remains the preservation of evidence integrity, adherence to legal standards, and facilitation of a credible case presentation in court.
