Vous êtes sur la page 1sur 6

Computer Forensics

Kourtney Ashley 4/29/2011

Page |1

Section 1: Seizing Digital Evidence When seizing digital evidence there are several steps one should take to ensure the integrity of the evidence. No matter what the cause, all evidence should be seized as though it were for a criminal investigation. The first step in seizing digital evidence would be to devise a search strategy. This step includes finding out as much as you can about the future seizing job. It gives you a general idea as to what should be seized so it can be included in the search warrant. The search strategy helps with planning if more than one person should go to ensure all possible evidence is gathered. And it also help with planning out how much equipment should be taken along on the job. Equipment you will need on the scene is the following: Camera Cardboard boxes Notepads Gloves Chain of evidence forms Evidence tape Evidence bags Labels, tags, stickers Antistatic bags* Permanent markers Nonmagnetic tools Crime scene tape

The second step is drafting the warrant. Included in the warrant should be all of the items digital evidence may be found on. Items in the warrant should include but not be limited to: Stand-alone computer systems o Monitor o Tower o Keyboard o Mouse Storage devices o External hard drives o Networking storage devices o Internal hard drives o Smart media cards (SM cards) o Secure digital cards (SD cards) o Mini/micro SD cards Removable media o Floppy disk o Compact disc (CD) o Digital versatile disc (DVD) Handheld devices o Cell phones o PDA o MP3 players o GPS o Digital audio recorders Networking equipment o Modems o Wireless cards o Wireless USB sticks o Wireless network servers Other o Video game consoles o SIM card* readers o Reference material o Email

*Antistatic bags- a bag used for shipping components prone to damage by electrostatic discharge *SIM Card- Subscriber Identity Module, memory chip used in cell phones

Page |2

After the warrant is approved and signed by the judge next is arriving to the scene and securing it. No matter how many officers or people may have come before, the forensic investigator should always be aware of their surroundings to ensure they make it home at the end of the night. Safety first! The scene is finally secure so its on to the next step, photographing/diagraming the scene. Any room that contains digital evidence should be photographed, diagramed or recorded before any evidence is touched or removed. Not only does this provide a good visualization for recalling where evidence was found but it also helps dispute any claims of damaged property and such. It is also a good idea to document the scene with words that way anyone found in any room contain evidence when the investigator arrives will be noted. So now the scene is photographed and everything is in good order. The next step would be to begin collecting the evidence. First, check to see if the computer is on or not. This can be done by listening for a spinning hard drive or looking for any lights that may indicate the computer is on, if the monitor is off. If the computer is on apply gloves, turn on the monitor and photograph it. Then proceed to pull the power cord from the back of the tower. Do not shut the computer down! After the power cable is disconnected begin following cords documenting where one begins and ends. Use the stickers, labels, or tags to do such. When all of the cords have been followed and documented, photograph/diagram the cords before unplugging them and putting them in the proper evidence bag. So all of the cords have been documented and all of the evidence is ready for collection. Now the chain of evidence form is taken and filled out. On this form the following items are recorded: Investigators name Location Address Location obtained Date/Time obtained Name of person received Item number Quantity Description* Signature of investigator Date

After the chain of evidence is filled out the items should be placed into antistatic bags then in the cardboard boxes for transport.

*Description should include serial numbers, models, sizes, distinguishing marks, etc

Page |3

Section 2: Forensic Copy/Clone and Image A forensic copy/clone is an exact bit-by-bit copy of digital media which includes slack space* and unallocated space*. A forensic copy/clone is also bootable, which means you can connect the hard drive to a computer and it will start up as though it were the original suspect hard drive. A forensic image is an exact bit-by-bit duplicate of digital media. A forensic image is not bootable which means that it requires 3rd party software to view the data. An image however is data protected meaning it cannot be written to so a write blocker is not needed to view the information stored. There are several tools and devices used to create images, clones, write blocks and forensic wipes. Here are only a few used by forensic investigators. Access Data Forensic Toolkit (FTK) is one of the standard data acquisition tools designed to run in the Windows operating system therefore any information you run through it should be write blocked*. According to the website, FTK is used to create images, conduct investigations, decrypt files, crack passwords, analyze the registry and build reports. It also has password recovery capabilities and can decrypt files. EnCase is another of the standard acquisition tools. EnCase allows investigators to acquire data from RAM, document, images, e-mail, webmail, internet artifacts, web history and cache, chat sessions, workstations, servers and more, according to the website. EnCase also supports multiple file system formats meaning it can view forensic images created from other software. Voom Hardcopy is a device which write-blocks, creates forensic images and forensic copies/clones, and does forensic wipes. It is very simple and easy to use as it contains three buttons and a very simple menu. Voom Shadow is a device used to write block. Simply plug it in, turn it on and wait for the green light.

*Slack space- portions of a hard drive not fully used and may contain data from deleted files *Unallocated space- free space an operating system can write to *Write block- a device that allows acquisition of a hard drive without accidently changing the drive

Page |4

Section 3: Creating a Forensic Image/Copy The first step is to acquire the suspect drive and document the model and serial number, and drive type (ex. IDE, SCSI etc). Taking a picture is always recommended. Not only is this for documentation but also to ensure the original evidence is not used during the actual investigation. Next you would connect the suspect drive to a write-block. Depending on the hardware/software available this step may or may not be necessary. If using the Voom Hardcopy a write-blocker is not needed as it will automatically do so. If using FTK Imager, EnCase, or any other type of software an item such as the Voom Shadow is a good device to have around since it is a write blocker. When the drive is write-blocked, the chosen hardware/software should be used to generate a MD5 Hash* or SHA-1* value for the suspect drive. This will be used later to check the integrity of the forensic clone/image that will be created. If using the Hardcopy this is as easy as selecting the option of creating a hash from the menu provided on the device. With FTK Inager evidence must be added then Verify Drive/Image would be selected. The drive has been hashed out so next step is to use the hardware/software to create the forensic copy/image. With the Hardcopy, connect the drive that will be the clone then scroll through the menu until either clone or image appears and select the option that will best serve the needs for the job at hand. FTK Imager select create disk image from the file menu. When the forensic image is completed the final step is validating the forensic image against the original drive. This can be accomplished by comparing MD5 Hash/SHA-1 values against the original.

*MD5 Hash- Message Digest Algorithm 5, used to check the integrity of files *SHA-1- Secure Hash Algorithm, designed to be part of the Digital Signal Algorithm* Digital Signal Algorithm- government standard for digital signatures.

Page |5

Biblography 1. "EForensix :: Creating a Forensic Image." EForensix.com. ActiveKB Knowledge Management

System. Web. 27 Apr. 2011. <http://eforensix.com/activekb/questions.php?questionid=4>. 2. Voom Technologies, Inc.| Computer Forensic and Data Backup and Recovery Products. Web. 27 Apr. 2011. <http://www.voomtech.com/shadow2.html>. 3. Voom Technologies, Inc.| Computer Forensic and Data Backup and Recovery Products. Web. 25 Apr. 2011. <http://www.voomtech.com/hc3p.html>. 4. "Searching and Seizing Computers With a Warrant." Cybercrime.gov. United States Department of Justice. Web. 26 Apr. 2011. <http://www.cybercrime.gov/ssmanual/02ssma.html>. 5. "Forensic Toolkit (FTK) Computer Forensics Software | AccessData." E-Discovery, Computer Forensics & Cyber Security Software | AccessData. AccessData Group, LLC. Web. 27 Apr. 2011. <http://accessdata.com/products/forensic-investigation/ftk>. 6. "Encase | Forensic | Forensics | Computer Forensic | Computer Forensics | Digital Forensic | Digital Forensics | Computer Forensics Investigation." Encase | Cyber Security | Computer Forensics | Network Security | E-Discovery | EDiscovery | Forensics | Forensic. Guidance Software, Inc. Web. 27 Apr. 2011. <http://www.guidancesoftware.com/forensic.htm>. 7. Nelson, Bill. Guide to Computer Forensics and Investigations. Boston, MA: Course Technology, Cengage Learning, 2010. Print. 8. Carvey, Harlan A., and Eoghan Casey. Windows Forensic Analysis: DVD Toolkit 2E. Burlington, MA: Syngress Pub., 2009. Print. 9. Volonino, Linda, and Reynaldo Anzaldua. Computer Forensics for Dummies. Hoboken, NJ: Wiley Pub., 2008. Print. 10. Mukasey, Michael B., Jeffrey L. Sedgwick, and David W. Hagy. Electronic Crime Scene Investigation: a Guide for First Responders. 2nd ed. Washington, DC: U.S. Dept. of Justice, Office of Justice Programs, National Institute of Justice, 2008. Print.