http://www.cs.vassar.edu/~jones/GuideToNetworkSecurity/GTNS_PPT_ch12.pptx

Guide to Network Security
1st Edition
Chapter Twelve
Digital Forensics
Objectives
• Explain how U.S. law enforcement and the U.S. legal system affect digital forensics
• Describe the roles and responsibilities of digital forensic team members
• List the steps involved in collecting digital evidence
• Discuss the process used to analyze evidence
• Explain how encryption can thwart digital forensic analysis
© 2013 Course Technology/Cengage Learning. All Rights Reserved
2
Introduction
• Computer forensics
– Use of technical investigation and analysis techniques to collect, preserve, and analyze electronic evidence
• Digital forensics
– Applies to all modern electronic devices
Legal Matters
• Prosecution
– Most important outcome of digital forensics process
• Various aspects of U.S. legal system influence digital forensics process
• Important to understand how to interact with law enforcement personnel
Search and Seizure
• Private sector requirements to search an employee’s computer
– Employee was made aware of organizational policy establishing possibility of search
– Search has legitimate business reason
– Search has specific focus and is constrained to that focus
– Organization has clear ownership of the container in which the material was discovered
– Search is authorized by the responsible manager
Interacting with Law Enforcement
• Must notify authorities when incident violates civil or criminal law
– Appropriate agency depends on type of crime
– Example: FBI handles computer crimes categorized as felonies
• State, county, and city law enforcement agencies
– Better equipped for processing evidence than business organizations
– Prepared to handle warrants and subpoenas
Interacting with Law Enforcement (cont’d.)
• Disadvantages of involving law enforcement
– Loss of control of the chain of events
– Long delays in resolution due to heavy caseloads or resource shortages
– Organizational assets can be removed, stored, and preserved as evidence
• Involving law enforcement unnecessary if organization simply wants to reprimand or dismiss an employee
Adversarial Legal System
• U.S. legal system is adversarial in nature
– Parties attempt to prove own views are correct
– Everything is open to challenge by opposing counsel
• Methods used in collecting evidence will be challenged
– Ensures all parties “follow the rules”
Digital Forensics Team
• Team of experts responsible for translating a real-world problem into questions to be answered by digital forensic analysis
• First response team
– Assesses location, identifies sources of relevant digital evidence, and collects and preserves evidence
• Analysis and presentation team
– Analyzes the collected information to identify material facts relevant to the investigation
First Response Team
• Size and makeup of team varies based on organization size
• Roles and duties
– Incident manager
• Identifies sources of relevant information and produces photographic documentation
– Scribe or recorder
• Produces written record of team’s activities and maintains control of field evidence log and locker
– Imager
• Collects copies or images of digital evidence
First Response Team (cont’d.)
• Incident manager prioritizes collected evidence
– Guiding principles: value, volatility, and effort required
• Incident manager photographs equipment to be removed
– Imager sets up equipment and begins imaging items
– Image hash information is documented in the record
– Image is logged into the field evidence locker
• Team returns items to the scene after imaging
Analysis Team
• Analysis performed by specially trained digital forensics personnel
• Tasks
– Recover deleted files
– Reassemble file fragments
– Interpret operating system artifacts
• Larger organizations may divide functions
– Forensic examiner
– Forensic analyst
– Subject matter expert (if required)
Analysis Team (cont’d.)
• Presentation
– Creating forensic reports
– Presenting the investigation’s findings
• Documentation should be easily understood by the audience (judge and jury)
– Communicate highly technical matters without sacrificing critical details
– Analogies often used
Dedicated Team or Outsource?
• Factors affecting decision to employ in-house investigatory team or outsource
– Size and nature of the organization
– Available resources
– Cost
• Tools, hardware, staffing, and training
– Response time
• Outside consultant needs time to get up to speed
– Data sensitivity
• Outside consultant may have access to highly sensitive information
Forensic Field Kit
• Prepacked field kit
– Also known as a jump bag
– Contains portable equipment and tools needed for an investigation
• Equipment in the kit should never be borrowed
– Always ready to respond
• See Figure 12-1 for example of a forensic field kit
Figure 12-1 Example of a forensic field kit
© Cengage Learning 2013
Forensic Field Kit (cont’d.)
• Example forensic field kit contents
– Dedicated laptops with multiple operating systems
– Call list with subject matter experts
– Mobile phones with extra batteries and chargers
– Hard drives, blank CDs, DVDs, and thumb drives
– Imaging software or hardware
– Forensic software and tools to perform data collection and analysis
– Ethernet tap to sniff network traffic
Forensic Field Kit (cont’d.)
• Example forensic field kit contents (cont’d.)
– Cables to provide access to other devices
– Extension cords and power strips
– Evidence bags, seals, permanent markers for storing and labeling evidence
– Digital camera with photographic markers and scales
– Incident forms, notebooks, and pens
– Computer toolkit with spare screws, anti-static mats and straps, mirrors, lights, and other equipment
Digital Forensics Methodology
• Digital investigation begins with allegation of wrongdoing
• Authorization is sought to begin investigation
– Public sector: search warrant
– Private sector: affidavit, or other form specified by organization’s policy
Figure 12-2 Flow of a digital investigation
Assessing the Scene
• Assess the scene and document its state before evidence collection begins
• Assessment process
– Interviewing key contacts
– Documenting the scene as it is
• Typical tools used
– Photography
– Field notes
Assessing the Scene (cont’d.)
• Photographic evidence
– Plays a major role in documenting evidence
• Digital camera best practices
– Sterilize the media card by formatting to destroy existing content
– Set the camera’s clock to ensure accurate recorded dates/times
– Take the first exposure of a “begin digital photography” marker to make media self-documenting
Assessing the Scene (cont’d.)
• Digital camera best practices (cont’d.)
– Make an “end of photography” exposure
– Remove card from the camera, place it in a static bag, and seal in an evidence envelope
– Do not make hashes of digital photographs until the first time the evidence envelope is opened
• Field notes
– Purpose: help investigators remember key aspects of the scene
– See Figures 12-3 through 12-6 for example forms
Figure 12-3 Scene sketch form
Figure 12-4 Field activity log form
Figure 12-5 Field evidence log form
Figure 12-6 Photography log form
Acquiring the Evidence
• Organization’s IR policy spells out procedures for initiating investigative process
– Obtain authorization to conduct an investigation
– Private organization can be sued if investigation proves groundless
• Collect digital evidence
– Identify sources of evidentiary material
– Authenticate the evidentiary material
– Collect the evidentiary material
– Maintain a documented chain of custody
Acquiring the Evidence (cont’d.)
• Identifying sources
– Can be complex in the digital world
• Data collection may involve:
– Hundreds of gigabytes of information
– A wide variety of devices
• Volatile information
– Contents of a computer’s memory
– Currently challenging to capture without sacrificing information on disk
Acquiring the Evidence (cont’d.)
• Authenticating evidentiary material
– Must be able to demonstrate data is a true and accurate copy of the original
• Authentication method: cryptographic hash
– Data is fed through the hash function
– Fixed size output results
– Infeasible that another input could produce the same output value as a given input
– Hash value is recorded with the digital evidence
– Two commonly used hashes: MD5 and SHA-1
Acquiring the Evidence (cont’d.)
• Collecting evidence
– Live acquisition
• Collecting evidence from a currently running system
– Dead acquisition
• Powering down the system to copy data from the hard drives
• Important to make no changes to the evidence
– Labels and seals are crucial
• Media used to collect digital evidence must be forensically sterile
– Contains no residue from previous use
Acquiring the Evidence (cont’d.)
• Live acquisition
– Investigator uses a trusted set of CD-based tools
– Stand-alone tools can also be used
– Live response tools modify the state of the system
• Renders hard drive information inadmissible in a legal proceeding
• Windows Forensic Toolchest (WFT)
– Driver script that identifies and lists running processes, active network connections, and other activity
– Saves output on external media
Figure 12-10 Integrity checks from WFT
Figure 12-11 Hash generation of evidence from WFT
Acquiring the Evidence (cont’d.)
• Examples of situations that require live acquisition
– Running server
– Logs
• State is changing on a continual basis
– PDAs and cellular phones
• Could continue to receive calls or be accessed wirelessly
• To prevent: block wireless access using a Faraday cage
Acquiring the Evidence (cont’d.)
• Dead acquisition often used with:
– Computer disks
– Thumb drives
– Memory cards
– MP3 players
• Investigator seeks to obtain a forensic image of disk or device
– Includes active files and directories and deleted files and file fragments
Figure 12-14 Small portion of a file system
Acquiring the Evidence (cont’d.)
• Bit-stream (sector-by-sector) copying
– Used when making a forensic image of a device
– Copies all sectors on the suspect drive
• Tools used
– Specialized hardware tools
• Generally faster than software tools
– Software running on a computer
Figure 12-15 Intelligent Computer Solutions’ ImageMaSSter
Acquiring the Evidence (cont’d.)
• Write blockers
– Block any write requests the laptop might generate
– Allow read requests
– Ensure information on the suspect media is not changed accidentally
• The imaging process
– Document origin and description of disk media
– Ensure forensically sterile media for imaging
– Connect suspect media to the imaging setup
Acquiring the Evidence (cont’d.)
• The imaging process (cont’d.)
– Calculate and record baseline cryptographic hash of suspect media
– Perform a bit-stream image of the suspect media
– Calculate and record hash of the target
– Compare the hashes to verify they match
– Package the target media for transport
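The hash-based authentication described under “Authenticating evidentiary material” and the imaging steps on the two slides above can be walked through end to end. The following is an added example, not code from the textbook or from any imaging product: it stands in for the suspect drive and the sterile target with byte buffers, copies sector by sector, records MD5 and SHA-1 of source and target, and compares them. The 512-byte sector size and the sample drive contents are assumptions of the example.

```python
"""Added example: bit-stream imaging with baseline/target hash verification.

The "media" are constructed byte buffers standing in for block devices; a real
imaging setup would read the suspect drive through a write blocker instead.
"""
import hashlib

SECTOR_SIZE = 512  # assumed sector size; real devices report their own

# Constructed stand-in for a suspect drive: a boot sector, an allocated file,
# and a fragment of a deleted file. A bit-stream copy preserves all of it.
SUSPECT_MEDIA = (
    b"MBR\x00" + b"\x00" * (SECTOR_SIZE - 4)
    + b"budget.xlsx contents".ljust(SECTOR_SIZE, b"\x00")
    + b"fragment of deleted memo".ljust(SECTOR_SIZE, b"\x00")
)


def hash_media(media: bytes, algorithms=("md5", "sha1")) -> dict:
    """Hash the whole media with the algorithms the slides name (MD5 and SHA-1)."""
    return {name: hashlib.new(name, media).hexdigest() for name in algorithms}


def sterile_target(size: int) -> bytearray:
    """Forensically sterile target: zero-filled, so it carries no residue of earlier use."""
    return bytearray(size)


def bitstream_copy(source: bytes, target: bytearray) -> int:
    """Copy every sector, in order, from source to target; returns sectors copied."""
    if len(target) < len(source):
        raise ValueError("target media smaller than suspect media")
    sectors = 0
    for offset in range(0, len(source), SECTOR_SIZE):
        chunk = source[offset:offset + SECTOR_SIZE]
        target[offset:offset + len(chunk)] = chunk
        sectors += 1
    return sectors


def image_and_verify(source: bytes) -> dict:
    """Run the imaging steps from the slides and report whether the hashes match."""
    baseline = hash_media(source)              # baseline hash of suspect media
    target = sterile_target(len(source))       # sterile media for the image
    sectors = bitstream_copy(source, target)   # bit-stream image
    target_hashes = hash_media(bytes(target))  # hash of the target
    return {
        "sectors": sectors,
        "baseline": baseline,
        "target": target_hashes,
        "verified": baseline == target_hashes,  # compare to verify they match
        "image": bytes(target),
    }


if __name__ == "__main__":
    result = image_and_verify(SUSPECT_MEDIA)
    print(f"sectors copied: {result['sectors']}")
    for name, digest in result["baseline"].items():
        print(f"{name}: {digest}")
    print("verified:", result["verified"])
    # A single changed byte on the target (a write that a write blocker should
    # have prevented, or media damage in transport) is caught by the comparison.
    tampered = bytearray(result["image"])
    tampered[SECTOR_SIZE] ^= 0x01
    print("tampered copy verifies:", hash_media(bytes(tampered)) == result["baseline"])
```

Both hashes are recorded in the field evidence log alongside the image; recomputing them later against the stored image is the check that the copy presented in court is the one made at the scene.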
Acquiring the Evidence (cont’d.)
• Maintaining a chain of custody
– Purpose: protecting evidence from accidental or purposeful modification
– Legal record of where the evidence was at each point in its lifetime
– Document each and every access to evidence
• Field investigator usually maintains personal custody of sealed item until logged into evidence storage room
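A chain of custody log of the kind the slide describes can be kept in a form that itself resists undocumented changes. The following is an added example, not from the textbook: each entry records custodian, time, location, action, and the hash of the evidence item at that moment, and each entry also hashes the previous one, so an altered or removed entry shows up on verification. The item tag, custodian names, timestamps, and the field layout are constructed for the example.

```python
"""Added example: a tamper-evident chain of custody log (constructed data)."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class CustodyEntry:
    timestamp: str        # when the action took place (ISO 8601, constructed)
    custodian: str        # person taking or releasing custody
    action: str           # e.g. "collected", "logged in", "checked out", "returned"
    location: str         # where the item was at that point in its lifetime
    evidence_hash: str    # SHA-1 of the evidence item when this entry was made
    prev_entry_hash: str  # entry_hash of the preceding entry ("" for the first)
    entry_hash: str = ""  # SHA-1 over all fields above, filled in by the log


def _hash_fields(entry: CustodyEntry) -> str:
    """Hash every field except entry_hash, in a canonical JSON form."""
    fields = asdict(entry)
    fields.pop("entry_hash")
    return hashlib.sha1(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, item_id: str, original_hash: str):
        self.item_id = item_id              # evidence tag (constructed)
        self.original_hash = original_hash  # hash recorded at collection time
        self.entries = []

    def record(self, timestamp, custodian, action, location, evidence_hash):
        """Append one access to the evidence, chained to the entry before it."""
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(timestamp, custodian, action, location, evidence_hash, prev)
        entry.entry_hash = _hash_fields(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = ""
        for i, e in enumerate(self.entries):
            if e.entry_hash != _hash_fields(e):
                problems.append(f"entry {i}: contents altered after recording")
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: does not chain to the previous entry")
            if e.evidence_hash != self.original_hash:
                problems.append(f"entry {i}: evidence hash differs from the original")
            prev = e.entry_hash
        return problems


def build_sample_log() -> CustodyLog:
    """Constructed history: collection in the field, logging in, and a lab checkout."""
    item = b"constructed stand-in for an imaged drive"
    h = hashlib.sha1(item).hexdigest()
    log = CustodyLog("HD-0001", h)
    log.record("2013-03-04T09:12:00", "A. Imager", "collected", "Suite 410, desk 3", h)
    log.record("2013-03-04T15:40:00", "B. Scribe", "logged in", "evidence storage room", h)
    log.record("2013-03-06T10:05:00", "C. Analyst", "checked out", "forensics lab", h)
    log.record("2013-03-06T17:30:00", "C. Analyst", "returned", "evidence storage room", h)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log problems:", log.verify())
    log.entries[2].location = "home office"  # an after-the-fact edit is detected
    print("after edit:", log.verify())
```

The log answers the three questions the slide raises: where the item was at each point, who accessed it, and whether it changed between accesses. Verification compares every recorded evidence hash with the one taken at collection, which is the same comparison made when the image is later pulled from storage for analysis.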
Figure 12-19 Sample chain of custody log
Acquiring the Evidence (cont’d.)
• Proper storage
– Controlled temperature and humidity
– Freedom from strong electrical and magnetic fields
– Protection from fire and other physical hazards
Analyzing Evidence
• First step in analysis: obtain evidence from the storage area
– Make a copy for analysis
– Return original to storage
• Major tools in forensic analysis
– EnCase Forensic from Guidance Software
– Forensic Toolkit from AccessData
Searching for Evidence
• Identifying relevant information
– Important task
• FTK preprocessing
– Constructs index of terms found on the image
– Results available under the Search tab
• FTK also allows searching on user-specified terms
• EnCase offers flexible search interface
– Includes predefined filters for common items
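The slide says FTK preprocesses an image into an index of terms so later searches are lookups rather than rescans. The following is an added, much simplified illustration of that idea and is not FTK’s code or algorithm: it pulls runs of printable ASCII out of raw image bytes (which includes unallocated space, where deleted-file fragments and unencrypted temporary data can survive), splits them into terms, and records the byte offset of every occurrence so an examiner can search on user-specified terms and review the surrounding bytes. The image contents, the minimum run length, and the term definition are assumptions of the example.

```python
"""Added example: a term index over raw image bytes (constructed image)."""
import re
from collections import defaultdict

MIN_RUN = 4  # shortest printable run worth indexing; an assumption of this example

# Constructed image: an allocated document, binary noise, a deleted-file fragment
# in unallocated space, and a leftover temporary work file.
IMAGE = (
    b"\x00\x00PROJECT BUDGET 2013 approved by CFO\x00\x00"   # 'PROJECT' at offset 2
    + bytes(range(1, 32))                                     # control bytes, not indexed
    + b"\xff\xfeDELETED: transfer 50000 to account 9921\x00"  # 'DELETED' at offset 72
    + b"\x00" * 64
    + b"~WRL0001.tmp draft of resignation letter\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
TERM = re.compile(rb"[A-Za-z0-9]+")


def build_index(image: bytes) -> dict:
    """Map each lowercase term to the list of byte offsets at which it occurs."""
    index = defaultdict(list)
    for run in PRINTABLE_RUN.finditer(image):
        for m in TERM.finditer(run.group()):
            term = m.group().decode("ascii").lower()
            index[term].append(run.start() + m.start())
    return dict(index)


def search(index: dict, *terms: str) -> dict:
    """Look up user-specified terms; returns {term: offsets} for the ones present."""
    return {t.lower(): index[t.lower()] for t in terms if t.lower() in index}


def context(image: bytes, offset: int, width: int = 20) -> str:
    """Render the bytes around a hit, non-printables as dots, for examiner review."""
    lo, hi = max(0, offset - width), min(len(image), offset + width)
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in image[lo:hi])


if __name__ == "__main__":
    index = build_index(IMAGE)
    print(f"{len(index)} distinct terms indexed")
    for term, offsets in search(index, "budget", "deleted", "resignation").items():
        for off in offsets:
            print(f"{term!r} at {off}: {context(IMAGE, off)}")
```

Indexing once and searching many times is what makes the approach pay off on the hundreds of gigabytes mentioned earlier in the chapter; the offsets also let a finding be tied back to a specific location on the image when it is reported.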
Figure 12-20 FTK’s processing step
Reporting the Findings
• Findings must be reported in a written presentation
– And often in legal testimony
• Report audiences
– Upper management
– Forensic expert retained by the opposition
– Attorneys, judges, and juries
– Other professionals
• Prepare a single report
– Summarizes detailed records contained in the case file, analyst’s notebooks, and other documentation
Encryption Concerns
• Retrieving information can pose a threat to privacy and confidentiality of information assets
• Encrypted information can present challenges to forensic investigators
– Common encryption method destroys key when user powers down or logs off
• Data unreadable without the key
• Encrypted information may exist in unencrypted form in temporary work files or the paging file
Summary
• Computer forensics uses investigation and analysis techniques to identify, collect, preserve, and analyze electronic evidence
• First response team secures and collects the devices or media
– Analysis and reporting done later by specially trained forensic analysts
• When incident violates law, organization is required to inform law enforcement
• Forensic tools can be used to obtain deleted information