Chapter 23 Outline

I.     Evidence
A.   Evidence consists of the documents, verbal statements, and material objects admissible in a court of law.
B.    Evidence is critical to convince management, juries, judges, or other authorities that some kind of violation has occurred.
C.    Computer evidence presents more challenges because the data itself cannot be sensed with physical senses.
1.    Users may see printed characters, but not the bits where that data is stored, such as a magnetic pulse on a disk or some other storage technology.
2.    It must always be evaluated through some kind of “filter” rather than sensed directly by human senses.
3.    This is often of concern to auditors, because good auditing techniques recommend accessing the original data or a version as close as possible to the original data.
D.   Standards for evidence.
1.    To be credible, especially if it is to be used in court proceedings or in corporate disciplinary actions which could be challenged legally, evidence must meet these three standards:
a)    Sufficient – The evidence must be convincing or measure up without question.
b)    Competent – The evidence must be legally qualified and reliable.
c)    Relevant – The evidence must be material to the case or have a bearing on the matter at hand.
E.    Types of evidence.
1.    All evidence is not created equal and some evidence is stronger and better than other, weaker evidence.
2.    There are several types of evidences:
a)    Direct evidence – Oral testimony that proves a specific fact (such as an eyewitness's statement).
(1)   The knowledge of the facts is obtained through the five senses of the witness.
(2)   There are no inferences or presumptions.
b)    Real evidence (also known as associative or physical evidence) – Tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.
c)    Documentary evidence – Evidence in the form of business records, printouts, or manuals. Much of the evidence relating to computer crimes falls in this category.
d)    Demonstrative evidence – Used to aid the jury. It may be in the form of a model, experiment, or chart, offered to prove that an event occurred.
F.    Three rules regarding evidence.
1.    There are some rules that guide the use of evidence, especially if they could result in court proceedings:
a)    Best evidence rule – Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred.
(1)   There are instances when a duplicate can be accepted, such as when the original is lost or destroyed.
(2)   A duplicate is also acceptable when a third party beyond the court's subpoena power possesses the original.
b)    Exclusionary rule – The Fourth Amendment to the United States Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related violations of the United States Code, it may not be admissible to a court.
c)    Hearsay rule – Hearsay is second-hand evidence, which is evidence not gathered from the personal knowledge of the witness. Computer-generated evidence is considered hearsay evidence—see Tipton and Krause's Information Security Management Handbook, p. 608–609.
The laws just mentioned are U.S. laws; other countries and jurisdictions may have other laws that are similar and would need to be considered in a similar manner.
II.   Collecting Evidence
A.   When information or objects are presented to the management or admitted to a court to support a claim, that information or those objects can be considered as evidence or documentation supporting the investigative efforts.
1.    Individuals collecting the evidence must be prepared to answer second- and third-order questions that are raised by the senior management. Also, in a court, credibility is critical.
2.    Therefore, evidence must be properly acquired, identified, protected against tampering, transported, and stored.
B.    Acquiring evidence.
1.    When an incident occurs, individuals would need to collect data and information to facilitate the investigation. If people commit a crime or intentionally violate a company policy, they will try to hide the fact that they were involved. Therefore, it is important to collect as much information, because as time passes, evidence can be tampered or destroyed. To look for evidences, individuals should:
a)    Look around on the desk, under the keyboard, in desktop storage areas, and on cubicle bulletin boards for any information that might be relevant.
b)    Secure floppy disks, CDs, flash memory cards, USB drives, tapes, and other removable media.
c)    Request copies of logs as soon as possible. Most Internet service providers (ISPs) will protect logs that could be subpoenaed.
d)    Take photos (some localities require use of Polaroid photos, as they are harder to modify without obvious tampering) or video tapes.
(1)   This includes photos of operating computer screens and hardware components from multiple angles.
(2)   Photographs of internal components should be taken before removing them for analysis.
2.    When an incident occurs and the computer being used is to be secured, there are two facts to consider: whether it should be turned off, and whether it should be disconnected from the network.
3.    In case of turning a computer on or off, some forensic professionals state that the plug should be pulled to freeze the current state of the computer.
a)    However, this results in the loss of data associated with an attack in progress from the machine. Any data in RAM will also be lost.
b)    Further, it may corrupt the computer's file system and could call into question the validity of the findings.
c)    On the other hand, it is possible for the computer criminal to leave behind a software bomb that is not known, and any commands that are executed, including shutting down or restarting the system, could destroy or modify files, information, or evidence.
d)    The criminal may have anticipated such an investigation and altered some of the system's binary files.
e)    If the computer being analyzed is a server, it is unlikely that the management will support taking it offline and shutting it down for investigation.
f)     From an investigative perspective, either course may be correct or either course may be incorrect, depending on the circumstances surrounding the incident. It is important for individuals to be diligent in their work, document their actions, and explain the reason for their actions.
4.    There are many investigative methods. Figure 23-1 shows the continuum of investigative methods from simple to more rigorous.

Figure 23-1: Investigative method rigor
5.    Figure 23-2 shows the relationship between the complexity of the investigation and both the reliability of forensic data and the difficulty of investigation.

Figure 23-2: Rigor of the investigative method versus both data reliability and the difficulty of investigation
6.    It is a good practice not to examine a system with the utilities provided by that system.
7.    Individuals should always use utilities that have been verified as correct and uncorrupted.
8.    They should not open any files, or start any applications.
9.    If possible, current memory and swap files, running processes, and open files should be documented.
10.  Users should unplug the system from the network and immediately contact the senior management.
11.  If the organization has Computer Incidence Response Team (CIRT) procedures, follow them.
12.  Mail, Domain Name Service (DNS), and other network service logs on supporting hosts should be captured and secured.
13.  A forensic expert should be called if the individuals do not have appropriate forensic training and experience.
C.    Identifying evidence.
1.    Evidence must be properly marked as it is collected so that it can be identified as the particular piece of evidence gathered at the scene.
a)    Properly label and store evidence. Ensure that the labels cannot be easily removed.
b)    Keep a log book to identify each piece of evidence (in case the label is removed), the persons who discovered it, the case number, the date, time, and location discovered, and the reason for collection. This information should be specific enough for recollection later in court.
c)    Log other identifying marks, such as device make, model, serial number, and cable configuration or type, and so on.
d)    Note any type of damage to the piece of evidence.
2.    Being methodical is extremely important while identifying evidence.
3.    While collecting evidences, have a second person witness the actions.
D.   Protecting evidence.
1.    Protect the evidence from electromagnetic or mechanical damage.
2.    Ensure that the evidence is not tampered, damaged, or compromised by the procedures used during the investigation.
3.    Do not damage the evidence to avoid potential liability problems later.
4.    Protect the evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration.
5.    Use static-free evidence protection gloves instead of standard latex gloves.
6.    Seal the evidence in a proper container with evidence tape, and mark it with the individual’s initials, date, and case number.
E.    Transporting evidence.
1.    Properly log all evidence in and out of controlled storage.
a)    Use proper packing techniques, such as placing components in static-free bags, using foam packing material, and using cardboard boxes.
b)    Be cautious while transporting evidence to ensure its custody is maintained and that it is not damaged or tampered.
F.    Storing evidence.
1.    Store the evidence in a room that has restricted access, camera monitoring, and entry logging capabilities.
2.    Store components in static-free bags, foam packing material, and cardboard boxes.
3.    Computer devices that are subject to effects of magnetism must not be stored on steel shelving or in steel cabinets. If need be, precautions must be taken to reduce the effects of magnetism from the steel.
G.   Conducting the investigation.
1.    When analyzing computer storage components, it is important to use extreme caution.
a)    Always a copy of the system should be analyzed and never the original system, as that will have to serve as evidence.
b)    A system specially designed for forensics examination should be used.
c)    Analysis should be conducted in a controlled environment with strong physical security, and controlled access.
2.    Remember that witness credibility is extremely important.
3.    Use DOS instead of standard Windows for image processing, unless there are tools specifically designed to take forensic images under Windows.
a)    Boot from a floppy disk or CD, and have only the minimal amount of software installed to prevent propagation of a virus or the inadvertent execution of a Trojan horse or other malicious program.
b)    Windows can then be used when examining copies of the system.
4.    Although each investigation will be different, the following image backup process is a good example of a comprehensive investigation (see Tipton and Krause's Information Security Management Handbook, p. 634).
a)    Remove or image only one component at a time.
b)    Remove the hard disk and label it. Be sure to use an anti-static or static-dissipative wristband and mat before conducting forensic analysis.
c)    Identify the disk type (IDE, SCSI, or other type). Log the disk capacity, cylinders, heads, and sectors.
d)    Image the disk by using a bit-level copy, sector by sector. This will retain deleted files, unallocated clusters, and slack space.
e)    Make either three or four copies of the drive.
(1)   One replaces the drive removed if the system is to be returned to its owner and this is most common in cases where the information that the drive has been exchanged should not be divulged.
(2)   The second is marked, sealed, logged, and stored with the original, unmodified disk as evidence.
(3)   The third will be used for file authentication.
(4)   The last copy is for analysis.
f)     Check the disk image to ensure there were no errors during the imaging process.
g)    Before analyzing the suspect disk, generate a message digest for all system directories, files, disk sectors, and partitions.
(1)   MD5 and SHA are suitable and are superior to the older CRC32 or weaker hashing algorithms.
(2)   Remember that even creating the message digest can change file access times, so it is important to have the files locked and to use the image, not the original evidence.
(3)   Keep a good log of the hash values.
h)    Inventory all files on the system.
i)     Document the system date and time.
II.   Chain of Custody
A.   Evidence, once collected, must be properly controlled to prevent tampering.
B.    The chain of custody accounts for all persons who handled or had access to the evidence. It shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence.
C.    The critical steps in a chain of custody include:
1.    Record each item collected as evidence.
2.    Record who collected the evidence along with the date and time.
3.    Write a description of the evidence in the documentation.
4.    Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time.
5.    Record all message digest (hash) values in the documentation.
6.    Securely transport the evidence to a protected storage facility.
7.    Obtain a signature from the person who accepts the evidence at the storage facility.
8.    Provide controls to prevent access to and compromise of the evidence while it is being stored.
9.    Securely transport it to the court for proceedings.
III.  Free Space versus Slack Space
A.   When a user deletes a file, the file is not actually deleted. Instead, a pointer in a file allocation table is deleted.
1.    This pointer was used by the operating system to track the file when it was referenced, and the act of “deleting” the file merely removes the pointer and marks the sector(s) holding the file as available for the operating system to use.
2.    The actual data originally stored on the disk remains on the disk (until that space is used again). The operating system does not recognize it as a coherent file.
C.    Free space.
1.    Since the “deleted” file is not actually completely erased or overwritten, it remains in the hard disk until the operating system uses that space for another file or application.
a)    Sometimes, the second file that is saved in the same area does not occupy as many sectors as the first file, so there will still be a fragment of the original file.
b)    The sector that holds the fragment of this file is referred to as free space because the operating system has marked it as usable when needed.
c)    As soon as the operating system stores something else in this sector, it is referred to as allocated.
d)    The unallocated sectors still contain the original data until the operating system overwrites those unallocated sectors.
e)    Looking at the free space might reveal information left over from files the user thought were deleted from the drive.
D.   Slack space.
1.    Another place that should be reviewed is slack space, which is different from free space.
a)    When a file is saved to a storage media, such as a hard drive, the operating system allocates space in blocks of a predefined size, called sectors.
b)    The size of all sectors is the same on a given system or hard drive.
c)    Even if a file contains only 10 characters, the operating system will allocate a full sector of, say 1,024 bytes—there will be space left over in the sector and this is slack space.
2.    It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space.
3.    Evidence can be gathered from information in slack space from files that previously occupied that same physical sector on the drive.
4.    Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.
IV.  Message Digest and Hash
A.   If files, logs, and other information are to be captured and used for evidence, it is important to ensure that the data is not modified.
B.    In most cases, a tool that implements a hashing algorithm to create message digests is used.
C.    A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclical redundancy check (CRC).
1.    It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file).
2.    If a subsequent analysis on the same data stream produces a different result, there is a very high probability that the data stream was changed.
D.   The hash tool is applied to each file or log and the message digest value is noted in the investigation documentation.
1.    When the case actually goes to trial, the investigator may need to run the tool on the files or logs again to show that they have not been altered in any way.
2.    The logs may also need to be written to a write-once media, such as a CD-ROM.
V.   Analysis
A.   After successfully imaging the drives to be analyzed and calculating and storing the message digests, the analysis phase begins.
B.    The details of the investigation depend on the particulars of the incident being investigated. The steps involve:
1.    Checking the Recycle Bin for deleted files.
2.    Checking the Web browser history files and address bar histories.
3.    Checking the Web browser cookie files.
4.    Checking the Temporary Internet Files folders.
5.    Searching files for suspect character strings. To conserve time, choose the correct words, such as “confidential,” “sensitive,” “sex” or other explicit words and phrases related to the investigation.
6.    Searching the slack and free space for suspect character strings.