Collecting digital evidence is a tricky job: most digital data is volatile and can easily be tampered with, so a forensic investigator or first responder must follow a set of crucial steps to maintain the integrity of the evidence, document the chain of custody and follow a protocol that makes the evidence admissible in a court of law. This is where the importance of Digital Forensics comes in.
The forensic investigator or first responder must carry a proper forensic field kit, which includes:
- Digital Camera
- New/Sterilized Hard Drives, SSDs and Removable Media
- Write Blocking Device
- Bootable drives with operating system targeted to Forensic investigation
- Hardware to take computers apart if needed
- Forensic computer
- Mobile device acquisition hardware
- Evidence packaging material such as zip-lock bags, clean plastic bags and Faraday cages
Before an investigation, the crime scene should be photographed by a professional photographer from the digital forensics team, including every minor detail: computer ports, router location, router LAN ports, the position of the cursor on the display, the position of any handheld device, and the power outlets the devices are connected to.
Examination of a device
Examination of a device must be done in an orderly manner:
- Visual Inspection: This is where the investigator determines the type of evidence while figuring out the tools and methodologies that can be applied to conduct the investigation properly.
- Forensic Imaging: The investigator must image or make an identical copy of the system using proper forensic grade hardware and conduct forensic investigation on the imaged data while keeping the original media safe to prevent contamination of the evidence.
This is a very important stage, where the investigator prioritizes some of the evidence at the scene over the rest depending on the urgency and gravity of the case.
Evidence Seizure and Preservation
The forensic investigator must cooperate with the investigating officer of the case and obtain authority to seize and preserve evidence both inside and outside the scope of the case.
The investigator must preserve the collected evidence in a proper way so that the integrity of the data remains and the evidence does not get contaminated by any means.
Investigators must follow a different approach for each type of digital evidence, which can be categorized as:
- Networked Computers: Disconnecting computers connected to a network should be avoided, as it may cause that evidence to be seen as tampered with and can also alter data on other computers on the same network.
- In such cases, after capturing and documenting the current state of the device, the device should be isolated from the network.
- Non-networked Computers: These are not affected by loss of a data connection, but neither networked nor non-networked computers should be powered off if on, or turned on if off, before taking precautions, as turning off a live system will cause loss of volatile data, mainly stored in RAM and in session caches. Document and preserve any open files in such cases, and capture live memory before disconnecting the power.
The investigator must try to maintain the current state of any device before photographing and documenting it, which means the investigator must not shut the system down if it is live or power it up if it is not. To prevent the system from going into sleep or standby mode the investigator may use a mouse jiggler, but doing so will cause some loss of RAM data and a change in system configuration; the use of any additional tool must be documented properly.
If the investigator needs to force a shutdown, they must pull the power connector from the back of the device, not from the power outlet; otherwise the investigator must follow the proper system shutdown procedure. In the case of laptops the battery should be removed.
Pulling the connector out may lead to data loss or system failure.
There are exceptions: if a networked computer is at risk of an online attack it should be disconnected, and if the investigator suspects that the computer is running data removal software in the background it should be shut down.
Additional measures should be taken while seizing a powered-down computer: disconnect power adapters and batteries (in the case of laptops) and tape the connector with evidence tape.
While seizing digital storage media such as hard drives, they should be handled with care to avoid any kind of physical damage and kept away from strong magnetic fields, high temperature and humidity.
Any removable media attached to a live computer should be kept attached unless the lead investigator instructs otherwise; if the computer has been shut down, removable media should be disconnected from it.
Mobile Device Forensics
Mobile devices can give out a lot of useful information, but they tend to be susceptible to evidence tampering. A network-connected device can also accumulate extra information over time, which may slow down the investigation or even mislead the investigator; in such cases the investigator will need to triage the information gained from the device.
A mobile device kept in a Faraday cage can discharge quickly and shut down, and can also overheat due to increased radio-frequency transmission, which may cause data loss; in such cases the mobile device should be powered down properly or the battery disconnected if possible.
In some cases a powered-down mobile device may need additional authentication, such as a PIN, to boot up, and the investigator must consider this before powering down a mobile device.
A PIN- or password-protected device should not be forced to bypass authentication, as in many cases that may lead to an automatic system reset and data destruction; proper forensic tools should be used to bypass the lock screen, or in some cases the owner of the device must be interviewed to obtain the authentication information.
Software, Hardware and Imaging methodology
- Forensic Imaging: This is one of the most important stages of digital forensics, as this step ensures the integrity of the data and makes it admissible in a court of law.
- Memory Dump: As RAM contains volatile data, it should be dumped before proceeding to any other step or powering down the system. The investigator should follow these steps to execute the task successfully:
- Use sterilized removable media whose storage space is larger than the available physical memory, or the committed memory (RAM plus allocated paging memory or swap partition), for a successful dump.
- The investigator must use forensically sound tools and software in this procedure and refrain from using any third-party, open-source or unknown software for the same.
- Inserting a USB drive changes the system's configuration files, and running a tool will also overwrite part of RAM, which cannot be prevented.
- System Imaging: The investigator should use Linux boot media with imaging software for basic imaging if imaging hardware is not available; otherwise proper imaging hardware should be used. The investigator should always use a write blocker to prevent changes to the system configuration or evidence data during the process, and a hardware write blocker is preferable to a software one. The investigator must use a destination drive with a larger storage capacity than the system's, and the destination drive should be wiped before use, even if it is new. The investigator should image the drive in the industry-approved .E01 format, and a RAW data dump should also be made to a different destination drive for further investigation.
- If the investigator uses a live forensic system to image the system, he/she must not fail to control the boot order of the system; a failure will compromise the integrity of the evidence.
After system imaging or a RAW data dump, the investigator must calculate the hash value of the data and document it to prove the integrity of the data; in the case of a hash mismatch the evidence will not be admissible in court.
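The imaging, capacity-check and hash-verification steps above, as an added example that is not part of the original post: the "drive" is a constructed temporary file, the custody record format and function names are this example's own, and a real acquisition still goes through a write blocker and a proper imager.

```python
# Added example, not from the original post: RAW imaging plus hash verification on
# files. The "drive" is a constructed temp file; real work uses a write blocker/imager.
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024  # 1 MiB per read/write, like dd's bs= option

def sha256_of(path):
    """Stream the file through SHA-256 so large images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def raw_image(source, dest_dir, case_id):
    """Copy source block-for-block, hash both ends, write a custody record.
    Destination must exceed source size; record['verified'] is the post's check."""
    if shutil.disk_usage(dest_dir).free <= os.path.getsize(source):
        raise RuntimeError("destination smaller than source; use a larger drive")
    image = os.path.join(dest_dir, f"{case_id}.raw")
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    record = {
        "case_id": case_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(image + ".custody.txt", "w") as log:  # hypothetical record format
        log.writelines(f"{k}: {v}\n" for k, v in record.items())
    return image, record

def demo(tamper=False):
    """Constructed run on a 3 MiB pseudo-drive; tamper=True shortens the image
    by one byte afterwards, so re-verification against the record must fail."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sdb.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * BLOCK))
    image, record = raw_image(source, work, "CASE-0001")
    if tamper:
        os.truncate(image, os.path.getsize(image) - 1)
    # (acquisition verified at the time, image still matches the documented hash)
    return record["verified"], sha256_of(image) == record["image_sha256"]
```

The second value returned by `demo` is the check a reviewer repeats later against the documented hash; any change to the image, even a single byte, turns it false.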
Digital Forensics Hardware & Software
- Paraben’s First Responder bundle, DeepSpar Disk Imager, FRED, Falcon, Logicube, CRU Data Port, Cellebrite (Mobile forensics)
- Linux Tools: Helix, SPADA, Autopsy
- Windows tools: Win32dd.exe (for RAM Dump), FTK Imager, EnCase, Mobiledit Forensic kit
- Extra tools:
- Bootable Linux media, Bootable Data rescue tool, malware detection tool, Signal Jammer, Password Cracking tools, Acquisition tools, File type conversion tools, File HEX checker, File Hash checker.
For more posts in The Cyber Cops project, click here.