First Response and the Digital Investigator - Digital Archaeology (2014)


6. First Response and the Digital Investigator

The actions that are taken—or are not taken—in the first hours of any investigation are often the ones that will later help or hinder the search for evidence. Far too often, the first people on the scene know too little about collecting and archiving digital evidence, and they do more harm than good. In recent years, law enforcement agencies around the world have spent a great deal of time and money training personnel to deal with digital information at the scene of a crime in a more effective manner. In 2001, the U.S. Department of Justice (DOJ) published a paper entitled Electronic Crime Scene Investigation: A Guide for First Responders as a preliminary set of guidelines for law enforcement to follow when first on the scene. While some of the recommendations contained in the paper have subsequently been superseded by updated recommendations, for the most part it is still recommended reading for all law enforcement personnel.

Forensics and Computer Science

Due to the popularity of several television shows featuring the forensic end of law enforcement, the public has developed an almost jaundiced eye toward the subject. In fact, the term CSI effect was coined to describe the public perception that all hard drives could be analyzed, all passwords cracked, and all DNA evidence analyzed in 60 minutes or less. Another misconception is that every investigator involved in digital forensics is a computer scientist. This is not always the case, nor is it necessary for it to be.

Defining Digital Forensics

The word forensic is derived from the Latin word forensis, meaning “public.” This Latin term is also the root of the word “forum.” The Merriam-Webster Online Dictionary (2009) defines the word forensic as “belonging to, used in, or suitable to courts of judicature or public discussion and debate.” The astute reader immediately notices that there is nothing about science or computers in the definition. Further reading will show that in addition to digital forensics and forensic science, there are also fields such as entomological forensics, forensic psychiatry, etymological forensics, and a plethora of other terms related to presenting information regarding specific areas of study to the courts. For the purposes of this book, the definition of digital forensics will be the one used by Marcella and Menendez in their book Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. They define computer forensics as a discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law (Marcella and Menendez 2008, 5).

While this book will deal with internal investigations as well as civil and criminal enquiries, the philosophy will always remain the same. If the job is important enough for the client to engage the services of a forensics professional, it is important enough that the case should hold up in court if it should come to that. Prepare every case as if it will appear before a judge.

Computer Science and Digital Forensics

Analyzing stores of digital information does require a substantial knowledge about how computer systems work, how file systems work, and how operating systems (OSs) access and store data. It does not, however, presuppose that every digital forensic investigator (DFI) is qualified as a computer scientist. The knowledge required to extract deleted files and trace e-mails across the planet is completely different from the knowledge required to design a microchip, write the code for an OS, or design and build a file server.

The digital investigator will do well to have a strong understanding of file systems. Good hardware skills are in order so that hard disks can be removed without damage and information extracted from firmware stored on devices in the computer. Without a solid foundation in basic networking skills, it will not be possible for the DFI to track the actions of an individual breaking into a corporate network over a TCP/IP connection.

The best way to understand the difference between a computer scientist and the digital investigator is that the scientist knows a great deal about a specifically defined body of knowledge, while the DFI must have a familiarity with a wide range of subject matter. So while the argument goes on about whether or not digital forensics is a science, suffice it to say that to be a good DFI, a person must be a scientist, an artist, a craftsman, as well as a very good detective.

Locard’s Exchange Principle

Edmond Locard was a scientist living in Lyon, France, who first postulated in the early part of the twentieth century that everything that enters a crime scene does two things. It leaves part of itself behind, and it takes part of the scene with it. Paul L. Kirk further refined that principle in his book Crime Investigation: Physical Evidence and the Police Laboratory, when he said:

Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value. (Kirk 1953)

While the French scientist and the famed professor of criminology from the University of California, Berkeley, were both referring to physical evidence, the principles they espouse hold just as true to the digital world as they do the physical. Every file copied to a hard disk changes the electrical charges on the disk’s platter, makes changes to the file system, alters and creates files, and even makes changes in the registry. When a knowledgeable criminal goes to great efforts to disguise these changes, all that happens is that more changes occur.

The indisputable fact that investigators must constantly keep in the backs of their minds is that actions they perform can have the same effect if they are not careful. One primary law reigns supreme in the world of digital investigation. Do Not Change the Evidence. This concept will be repeated again and again throughout this book.

Comparing Digital Evidence to Physical Evidence

Casey (2001) states that there are two types of evidence: that which possesses class characteristics and that which possesses individual characteristics. Class characteristics define an aspect shared by a large group of similar objects or people. Individual characteristics are traits unique to a particular sample. For example, if there are two white 2007 Saturn Sky convertibles parked side by side in a lot, the drivers might have trouble distinguishing which vehicle is theirs. However, one of them has a New York license plate, and the other is from Massachusetts. As a group, both vehicles qualify as “cars.” Two class characteristics that they share are that they are both Saturn Skys and they are both white. The license plate gives each one an individual characteristic.

Why does the white color not qualify as an individual characteristic? If it was the only white Saturn Sky in the world, it most certainly would. Even if the investigator could point out that there were only ten white Saturn Skys in the whole world, and only four are in the United States, the color would still qualify. But with nearly 20% of this specific make and model on the road being white, the color only gives us a more narrowly defined class characteristic.

Additionally, evidence can be patent, or it can be latent. These terms are most commonly used when describing transient evidence, such as fingerprints; but they can apply to virtually any evidence. Patent evidence is something easily seen, picked up, handled, and photographed. Using fingerprints as an example, a patent fingerprint is the big, gooey thumbprint in blood that every investigator dreams of finding but never does. The more common latent fingerprint is the one that is only picked up by the observant eye and must be dusted, lifted, and processed before it can be identified.

The vast majority of digital evidence is latent. Even documents that might appear to be patent at the outset are latent. Just because a Microsoft Word document opens easily in a wide variety of word processing applications for anybody in the world to read does not make it patent evidence. There are two reasons for that. First, the document does not open by itself: a rather complex computer application has to be launched by the user or the computer, and that application then has to load the document before it can be read on the screen. Second, someone can print it out. Once it is printed on paper, the paper document can be considered evidence—but it cannot be considered the same piece of evidence as the electronic version. That is a key difference. Why?

• The paper document contains none of the metadata of the electronic file.

• It does not prove who created the document.

• There is no indication on when the document was created.

• Judges and juries cannot see if the printed document was modified since its creation.

• The electronic file could contain additional information concealed in the metadata, hidden steganographically, or tucked into the structure of the file.

• The paper document does not indicate what computer housed it when it was discovered or how many times it has been copied from computer to computer.

Physical and digital evidence differ in several other substantial aspects as well. A key difference is in longevity and stability. Over the past few years, several people have been released from prison based on comparisons of DNA samples that were several years old. Earl Washington was released in 2000 after serving 16 years in prison. The DNA samples from 1984 proved that he did not commit the crime for which he was convicted (ACLU 2003). More recently, viable samples of DNA were taken from skeletons of Vikings over 1,000 years old (Melchior et al. 2008). While the Vikings from which the samples were extracted were not suspected of any crime (not recently, anyway), the incident demonstrates how long a sample can be retained and successfully used as evidence. Similarly, digital investigators need to be able to demonstrate how long the evidence they collect can remain viable in its environment. As we will see, memory does not retain evidence as satisfactorily as magnetic media.

A floppy disk from just a few years ago might be unreadable without special help. The information stored on a live computer system changes every second that the system is running. Computer data is extremely volatile and easily deleted, and can be destroyed, either intentionally or accidentally, with a few mouse clicks. It will be an amazing feat if archaeologists a thousand years from now are able to read a DVD unearthed from a radioactive ruin.

The DFI can generally retrieve a deleted file, either partially or fully, and that floppy disk can probably be read by the professional investigator. The hard part comes in proving that the evidence is reliable. As discussed in the previous chapter, evidence must be authentic and it must be relevant. The Federal Rules of Evidence (U.S. DOJ 2008) is a 41-page document that clearly defines what evidence is, how it must be handled and presented, and a myriad of other regulations. It is imperative that the investigator understands the rules—especially as they pertain to authenticity and relevance.

Relating these two characteristics to digital evidence, remember the following: For the evidence to be authentic, the DFI must be able to prove that the information presented came from where he or she claims and was not altered in any way during examination, and that there was no opportunity for it to have been replaced or altered in the interim. To be relevant, the information must have a bearing on the event being investigated, either directly or indirectly. If a DFI is tasked to locate pornography and in the process unearths evidence of illegal gambling, then great pains must be taken to preserve the newly found evidence while at the same time pretending it doesn’t exist. Until authorization is issued that allows the extraction of that data, it is not relevant to the case at hand.

This brings up the final issue to be discussed pertaining to evidence. In addition to its authenticity and relevance, it must be legally obtained. In Chapter 1, “The Anatomy of a Digital Investigation,” there was a brief discussion on three types of investigation—internal, civil, and criminal—and it was pointed out that different regulations and laws govern how the types of investigation may be conducted. The criminal investigation is the most restrictive in terms of legal requirements. As mentioned before, the DFI should always treat every project as if it were a criminal investigation unless circumstances or orders dictate otherwise.

Controlling the Scene of the Crime

The first thing a DFI has to do is determine precisely what the scene of the crime actually is. At a genuine crime scene where a dozen emergency vehicles, a SWAT team, and the mayor are competing for attention, it might be pretty obvious. When conducting an internal investigation to determine whether or not a recently axed employee took confidential information with her when she left, there is no evidence of a real crime. All anyone really has is a suspicion. In either situation, there will be a specifically defined “area” that the DFI will be allowed to enter. There are protocols to follow.

Determining Who Is in Charge

Who is in charge can frequently be the most difficult question to answer—especially in internal investigations or civil litigation. As a DFI, one thing will always remain constant. Whoever is in charge, it isn’t you. Always remember that when the general walks into a room of colonels and asks, “Who’s in charge here?” the answer is always, “You, sir.” Except in this line of work, rank is not always prominently displayed, nor is it always indicative of who is in charge.

Find out as soon as possible what the chain of command is, and respect that chain. As soon as possible, the DFI should create a document that defines who has what authority, as it is defined to him or her, and include that with the case documentation.

In internal investigations, the organization contracting the services will almost certainly assign a person to conduct the investigation. This person will act as the DFI’s primary contact and work through him or her to access whatever resources are required to complete the task at hand.

Civil cases will generally be initiated by either the counsel for the plaintiff or the counsel for the defendant. In these situations, the DFI will be reporting directly to one (or more) of the attorneys representing in the case. By default, the focus of the investigation will be to prove one side’s claim over the other. Depending on which side the DFI represents, access to the data might be easy, or it might be dependent on what is released as a result of an e-discovery order.

Criminal cases can get very confusing. There must be a determination of what level of government (state or federal) or what agency has jurisdiction. Once jurisdiction is assigned, a lead investigator will be appointed. This is the person to whom the DFI will most likely report. Warrants will specify precisely what and where the DFI can search and what type of information is being sought.

Securing the Scene

The first rule of any newly developing case is Safety First. In a case involving computer crime, it is unlikely that the safety of any people is at risk; but it is not out of the question either. Consider the situation where a pedophile is actively luring a young child into a predatory situation. Securing the child would take precedence over securing the data.

Following the safety of people, the DFI must consider the safety and integrity of the computer, the data, or the network. If a network intrusion is in process, then it is essential to secure critical data on the network before worrying about who is after it. Preferably, a way can be found to lock down proprietary information without alerting intruders that they have been detected.

Now is the time to secure the evidence. A rule espoused by DOJ in its first responders’ guide is this: If it is off, leave it off. If it is on, leave it on. Consider the volatile data, such as active memory, paging files, and so forth. Do not assume that only the computer systems present can hold data. The following items are very likely to have information valuable to the investigation:

• PDAs

• Digital music players

• External storage devices (hard disks, flash drives, etc.)

• Cell phones

• Caller ID boxes

• Answering machines

• Digital cameras

• Digital audio recorders

This is merely a list of the obvious devices. The astute DFI will survey the scene with a critical eye to determine if other possible sources of digital evidence exist. If one or more computers are running, it is a good idea to get a digital photograph of the screen. Be particularly cognizant of USB drives. The BitLocker encryption used by Windows Vista (and later) adds an extra layer of security by allowing the user to configure the encryption keys to be read from a thumb drive. Such a device that doesn’t appear to have any other usable data stored on it is likely a candidate for hardware encryption keys.

If a device such as a cell phone is present and on, secure the device immediately in a Faraday bag to prevent outside intervention. A Faraday bag is an enclosure engineered of a variety of materials that work together to block all electromagnetic radiation. Do not turn the device off. Document it properly, and transport it as soon as possible to a secure place for analysis if the field investigator is not equipped to handle it on the scene.

Documenting the Scene

As part of the case documentation, it is important to have an accurate description of the scene as it was initially found. A high-quality digital video camera should be part of every DFI’s arsenal of tools. Video documentation is valuable for identifying what was at the scene when it was first uncovered. Position of user interface devices (is the mouse on the right or left side of the keyboard?) can be used as evidence later on down the road. Examine all suspect systems and make notes of the following:

• Record the brand, make, model, and serial number of every device present.

• Note whether the computers present are on, off, or in sleep mode.

• Determine if the computers are part of a network.

• Look for a modem. If present, determine whether it is connected to another system somewhere.

• Record the status of all lights on the system. Flashing network lights can indicate a live TCP/IP connection.

• Listen to the system for excessive hard disk activity. This could indicate an active connection or data transfer.

• Identify any peripherals that are installed or connected. Document them whether they are to be collected or not.

• Look for documentation specific to devices not currently present. This could suggest other devices exist somewhere that might be relevant to the investigation.

• Photograph the back of the computer, and identify what devices are plugged into what ports.

Before the investigator leaves the scene, each person present should be added to a contact list with names, titles, phone numbers, and e-mail addresses for future contact. Provide a brief description of their role in the drama.

Identifying the Data Sources

The investigator began identifying data sources during the documentation of the scene. The inventory of hardware taken will identify the obvious sources of potential evidence. Now it is time to look for the less obvious. Here is where the investigator finally becomes an investigator. Look for documentation for devices that do not exist. The reason for this is to help find sources of data not present at the scene of the initial investigation. For example, there might be no sign of a digital camera, nor any memory cards for such a device present at the scene. But the presence of the owner’s manual for a professional digital camera suggests that it exists somewhere. It also suggests approaches to take while searching hard disks, DVDs, and such.

Many of the popular “all-in-one” copy/scanner/printer machines have a function known as scan once/print many. In order to perform this technological trickery, the page (or pages) being printed are stored in memory. This should be checked and recorded.

A proprietary cable hanging out of a FireWire port tells the investigator to find whatever device gets connected to that cable. In some cases, the cable can help identify the device in question.

Look around for evidence that the suspect makes use of Internet storage or operates a Web site, even if Internet data transfer is not the issue. It has become more common for people to use offsite storage for information they don’t want prying eyes to see. Web site hosting ranges from inexpensive to free and provides several megabytes or even multiple gigabytes of storage space on the Internet service provider’s (ISP) server farm. What better way to provide global access to contraband information than to set up a secure Web site and distribute the material via unpublished Uniform Resource Locators (URLs)?

Interview anyone who may have useful information. The person or persons under investigation may or may not prove to be cooperative in providing passwords or locations of other data sources. However, other people can prove to be a wealth of information, especially in environments where there are multiple users and multiple systems. I was involved in one situation where the receptionist knew the user names and passwords of each person in her office. Security is a wonderful thing. Other bits of information that may be of use would be whether or not the suspect system or systems were used by multiple individuals. What was the primary use for the system?

Carefully search the area for concealed passwords that will allow investigators to gain access to data sources. Encrypted hard disks, Web sites, Internet services, and so forth will all require password authentication for access. In another situation I worked, a sticky note with the sentence “Pick up alphabits” gained the investigators access to an encrypted drive. The actual password turned out to be @lphab1ts.

Don’t overlook a laser printer. It won’t by necessity store any useful digital information, but the transfer roller can possibly retain an image of the last document printed. This may change in the very near future. Researchers at Purdue University have proposed a process by which characteristics of specific printers can be embedded in every page created on the machine (Chiang et al. 2008).

Handling Evidence

On the scene there are a variety of evidence sources, and not all of them are digital. Prior to handling any physical evidence, confirm with the lead investigator that all preliminary processing has been completed. Depending on the level of effort going into the case, this may include photographing the scene, identifying and collecting fingerprints, and possibly collecting DNA samples. Once the DFI has the authority to begin collecting devices, there are procedures to follow to ensure that the integrity of the data is not impacted.

Evidence Handling Workflow

From beginning to end, a repeatable and logical process contributes to consistent success. The acquisition of evidentiary materials is a significant step that can impact the entire case and therefore should be accomplished systematically and efficiently. The basic steps in collecting equipment are

1. Identify the evidence.

2. Photograph the evidence in situ (if possible).

3. Document the evidence (where found, by whom, make, model, serial number, etc.).

4. Package the evidence for transport.

5. Transport the evidence.

6. Store the evidence while in possession.

All of these steps are noted in the chain of custody with time, date, location, personnel involved, and case number documented. Figure 6.1 is an illustration of the workflow used in processing evidence.


Figure 6.1 Evidence-handling workflow

Chain of Custody

A critical function of any investigation is the continuous process of logging each and every action that is taken on or against a piece of evidence and recording every movement that evidence makes. This log of actions and movement is called the chain of custody. From the instant an object is identified as having evidentiary value, these records become a living document that is updated with every touch. Even if an object is simply removed from a cabinet to be viewed by a supervisor, that action must be recorded. During the actual examination of the evidence, the chain of custody must match up to the procedural log (which will be discussed in more detail later in the book). If an action is recorded in the procedural log and there is no entry in the chain of custody to show that the material changed hands from evidence storage to the investigator, the entire chain is broken. The chain of custody can be challenged, and the evidence can potentially be declared inadmissible.

In United States v. McKeever, the court defined a seven-part test for determining the usability of evidence in court. In that particular case, the list referred to video tapes used as evidence; however, this list (now known as the McKeever test) has since been used as the precedent for other forms of evidence. The seven parts of the McKeever test are (words in parentheses added by author) as follows:

1. The recording device (or computer) was capable of making the recording.

2. The operator of the device (or computer) was competent to make the recording.

3. The recording (or data file or artifact) is authentic and correct.

4. No changes, additions, or deletions have been made to the recording (or forensic image).

5. The recording (or digital evidence) has been preserved in the manner as seen by the court.

6. The speakers (heard or seen in the recording or identified in the digital files) are identified.

7. The conversation recorded (or material stored on the computer) was made voluntarily and not induced in any way.

Digital cases do not always involve tape recordings. However, the McKeever test can be applied to any form of evidence. While chain of custody is not specifically listed, it is addressed in points 3, 4, and 5. If there is any moment in which a critical piece of evidence cannot be accounted for, a case can be made that it is not the same device or file, that alterations may have been made, or that the evidence has been tampered with or corrupted.

A good chain of custody log specifically identifies the evidence in a way that is clear to all who read the log or view the evidence. Identifying information might include data such as make, model, and serial number of the device. The log is generally accompanied by a photograph of the device when possible. The time, date, and location at which the evidence was seized is recorded. From that point forward, every person who has any exposure to the evidence must be identified, along with the time and date of the exposure and the reason for it. Every transfer of the item from one location to another and every action taken against it must be recorded, listing the time, date, persons involved, point of origin, destination, and how transported.
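As an added illustration of the chain-of-custody rules above (this is not code from the book), the following Python checker cross-references a custody log against a procedural log the way the text describes: it flags a transfer whose releasing party was not the last recorded holder, and an examination action taken by someone the custody log does not show holding the item at that time. All item ids, names, times and locations are constructed sample data.

```python
"""Chain-of-custody continuity checker (constructed example, not the book's own code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

SCENE = "SCENE"  # pseudo-holder for "not yet in anyone's custody" (the seizure)


@dataclass(frozen=True)
class CustodyEntry:
    """One transfer record: who released the item, who received it, where and why."""
    item_id: str          # identifier; a real log would also carry make/model/serial
    when: datetime
    from_holder: str      # SCENE for the initial seizure
    to_holder: str
    location: str
    reason: str           # seizure, transport, examination, return to storage, ...


@dataclass(frozen=True)
class ProcedureEntry:
    """One line of the procedural log: an action taken against the item."""
    item_id: str
    when: datetime
    examiner: str
    action: str


def holder_at(chain: List[CustodyEntry], item_id: str, when: datetime) -> Optional[str]:
    """Who the custody log says held item_id at time `when` (None if no record yet)."""
    holder = None
    for e in sorted((e for e in chain if e.item_id == item_id), key=lambda e: e.when):
        if e.when <= when:
            holder = e.to_holder
    return holder


def check_chain(chain: List[CustodyEntry],
                procedures: List[ProcedureEntry]) -> List[Tuple[str, str]]:
    """Return (item_id, problem) findings; an empty list means the chain is intact."""
    findings: List[Tuple[str, str]] = []
    by_item = defaultdict(list)
    for e in chain:
        by_item[e.item_id].append(e)

    # 1. Every item must start with a seizure, and each transfer must be released
    #    by whoever the previous record says received it.
    for item_id, entries in sorted(by_item.items()):
        entries.sort(key=lambda e: e.when)
        if entries[0].from_holder != SCENE:
            findings.append((item_id, f"first record is a transfer from "
                                      f"{entries[0].from_holder}, not the seizure"))
        current = entries[0].to_holder
        for e in entries[1:]:
            if e.from_holder != current:
                findings.append((item_id, f"gap at {e.when:%Y-%m-%d %H:%M}: released by "
                                          f"{e.from_holder} but last recorded holder was {current}"))
            current = e.to_holder

    # 2. Every procedural-log action must be performed by the recorded holder.
    for p in sorted(procedures, key=lambda p: p.when):
        holder = holder_at(chain, p.item_id, p.when)
        if holder is None:
            findings.append((p.item_id, f"'{p.action}' at {p.when:%Y-%m-%d %H:%M} "
                                        f"precedes any custody record"))
        elif holder != p.examiner:
            findings.append((p.item_id, f"'{p.action}' by {p.examiner} at {p.when:%Y-%m-%d %H:%M}, "
                                        f"but custody log shows {holder} holding the item"))
    return findings


# Constructed sample records for one seized desktop.
T = datetime
CLEAN_CHAIN = [
    CustodyEntry("EV-001", T(2014, 3, 3, 9, 15), SCENE, "Ofc. Lee", "suite 410, desk 2", "seizure"),
    CustodyEntry("EV-001", T(2014, 3, 3, 11, 40), "Ofc. Lee", "Evidence locker", "lab", "transport"),
    CustodyEntry("EV-001", T(2014, 3, 4, 8, 5), "Evidence locker", "Examiner Patel", "bench 1", "examination"),
    CustodyEntry("EV-001", T(2014, 3, 4, 16, 30), "Examiner Patel", "Evidence locker", "lab", "return"),
]
CLEAN_PROCEDURES = [
    ProcedureEntry("EV-001", T(2014, 3, 4, 9, 0), "Examiner Patel", "forensic image of internal drive"),
]
# Same case, but the 08:05 check-out to the examiner was never written down:
# the chain now has a gap, and the imaging action has no matching custody entry.
BROKEN_CHAIN = [CLEAN_CHAIN[0], CLEAN_CHAIN[1], CLEAN_CHAIN[3]]

if __name__ == "__main__":
    for label, chain in (("clean", CLEAN_CHAIN), ("broken", BROKEN_CHAIN)):
        print(label, check_chain(chain, CLEAN_PROCEDURES) or "chain intact")
```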

Computer Systems

It is unlikely that the DFI will ever collect every computer system from a site unless the investigation centers on an individual or a very small organization. Therefore, it is likely that individual computers will be selectively seized. There may be laptop computers, standalone computers, and perhaps networked computers. Standalone computers are desktop machines or workstations that are not connected to a corporate or organizational network. This could include laptops. Network workstations can be more complex and should be treated differently.

Standalone Computers

Whether a desktop PC or a laptop, the standalone computer is identified by the fact that it is not joined to a larger network. Note that even private residences can have relatively complex networks configured these days. Therefore, it is not safe to assume that just because a computer is being seized from an individual’s house it should not be checked for network connectivity. It could be part of a home network or linked to a corporate network via a virtual private network (VPN). A VPN is a way of configuring a network connection over the Internet, allowing people to work at home. This is a very common situation in today’s business environment.

Earlier in the chapter, it was heavily emphasized that everything about the system should be documented, including status, condition, make, model, and serial number. The DFI should make sure this process is completed before anything is touched. If the computer is on, but the monitor is off, turn the monitor on and give it time to fire up. If the monitor is on, move on to the next step. If the desktop is visible, make a photograph of the screen as it is displayed. If the monitor is on but there is no apparent display, move the mouse slightly in an attempt to wake the system. If the system wakes, photograph the display. If not, do not push any buttons or press any keys.

Now is the time to determine if there should be any attempt to capture live information from the system. That is a very complex issue that will be discussed in more detail later on. For now, suffice it to say that if live capture is decided to be the best choice, move to that step. If the system is to be packed up and carried away for analysis, remove the power cable from the back of the computer. Do not unplug it from the wall, and do not shut the system down gracefully. If the system is a laptop or other portable system, remove the battery (if possible). Note that many models of laptop computer offer the option of installing a second battery in a multipurpose bay. Verify if this is the situation, and if so, remove that battery as well.

Check floppy disk drives, if present, for the presence of diskettes. If found, remove the diskette from the drive, being cautious not to pollute any potential evidence such as latent fingerprints. Store the media in antistatic sleeves. Do not remove CDs or DVDs from their respective drives.

Prior to transport, place a layer of tape over the power plug connector and over all drive bays or slots. Label cables and connectors so that they can be reconnected precisely as they were when disconnected. While transporting the evidence, label it as fragile and confidential. Make sure that a chain of custody is maintained from the moment of seizure to the moment of return.

Networked Computers

In a complex environment such as a corporate network or a governmental organization, it may not be possible to seize individual computers or components. At this point, live capture becomes the norm. It won’t be simply local data that serves as possible evidence. Specialized procedures and utilities are used in processing this type of environment. See Chapter 12, “Searching the Network,” for a detailed description of processes used. However, there is a good deal of information to be collected by first responders:

• Contact information for network administrators

• A list of affected hardware, including servers, switches, routers, and workstations

• Copies of relevant log files, as described in Chapter 12, “Searching the Network”

• Live analysis of current network connections, open sessions, and open files on suspect systems

• A network topology diagram, if available
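The live-analysis item in the list above is the one a first responder can actually script ahead of time. The following is an added example, not code from the book or from Chapter 12, of a volatile-data collection script for a Unix-like host. It runs a fixed list of probes in rough order of volatility, skips any tool that is not present (the names netstat, ss, lsof, who, ps, and arp are standard but their presence on the suspect system is not assumed), and records for each probe the command, the UTC time it ran, its exit code, and the SHA-256 of its output in a manifest. Running anything on a live system changes the system (Locard again), so the manifest exists to show exactly what was run and when. The output directory is whatever the caller supplies.

```sh
#!/bin/sh
# Added example, not from the book: first-responder volatile-data collection
# on a live Unix-like host, in order of volatility, with a hashed manifest.
# Probe names and the output directory are illustrative assumptions.

# Use whatever SHA-256 tool the host offers; a responder cannot assume a toolkit.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# collect_volatile OUTDIR
# Runs each probe whose binary exists, saves stdout+stderr to OUTDIR/<name>.txt,
# appends "name|utc-time|exit-code|sha256" to OUTDIR/manifest.txt, and prints
# the manifest path. Probes are listed most volatile first (network state and
# the process table before anything that also lives on disk).
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    manifest="$outdir/manifest.txt"
    : > "$manifest"
    while IFS='|' read -r name cmd; do
        [ -z "$name" ] && continue
        bin=${cmd%% *}
        command -v "$bin" >/dev/null 2>&1 || continue
        out="$outdir/$name.txt"
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        # stdin is /dev/null so no probe can block waiting for input
        if sh -c "$cmd" </dev/null >"$out" 2>&1; then rc=0; else rc=$?; fi
        printf '%s|%s|%s|%s\n' "$name" "$stamp" "$rc" "$(sha256_of "$out")" >> "$manifest"
    done <<'EOF'
date|date -u
uptime|uptime
ss_conns|ss -tunap
netstat_conns|netstat -an
open_files|lsof -n -P
sessions|who -a
processes|ps -ef
routes|netstat -rn
arp_cache|arp -an
EOF
    echo "$manifest"
}

# verify_manifest OUTDIR -> exit 0 only if every recorded hash still matches
# its file; this is the check run when the collection changes hands.
verify_manifest() {
    outdir=$1
    status=0
    while IFS='|' read -r name stamp rc sum; do
        [ "$(sha256_of "$outdir/$name.txt")" = "$sum" ] || { echo "MISMATCH: $name" >&2; status=1; }
    done < "$outdir/manifest.txt"
    return $status
}

# Usage on the suspect host: collect_volatile /media/responder/CASE-0001/host-a
```

The manifest should be copied, together with the output files, to responder-controlled media, and the manifest itself hashed and entered on the chain-of-custody form. The exit code column matters: a probe that failed (for example, lsof refusing to run without privileges) is documented rather than silently missing.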

Photographing Evidence

Items collected during first response should be photographed in exactly the place and position where they are initially found. Digital cameras should be configured to place a time-date stamp into the visible image as well as into the embedded image metadata. Demonstrating that the creation date recorded in the metadata matches the stamp displayed on the image lends credibility to the claim that investigators found the materials at the time and place they report. Verify and record the camera's clock setting before the first photograph is taken; a stamp from an unset or drifting clock undermines the very correlation it is meant to establish. The photographs may also be used to demonstrate that the device under investigation is the same one found at the scene.

Documenting Evidence

At the time evidentiary materials are collected, several things should be recorded. This is where the chain of custody starts. The chain of custody will record every movement the evidence makes, every person who has had possession of it, and every place it has been stored. It starts with documenting

• Where the evidence was found

• Time and date the evidence was collected

• Who found the evidence

• Description of the evidence

• Make, model, and S/N of device (if applicable)

Packaging Evidence

When preparing evidence to be moved from the scene of the incident to the location where it will be stored until the conclusion of the investigation, it is essential that proper care is taken. It is not sufficient to simply throw a computer onto the back seat of a car and drive it to the lab. Materials collected should be packaged in appropriate containers that are well padded against physical impact and insulated against temperature extremes. Devices such as cell phones should be protected from exposure to electromagnetic waves as well. The Faraday bags mentioned earlier in the chapter are used for this purpose. Each package should be labeled, indicating the case to which it relates, the time and date collected, and a brief description of contents.

Transporting Evidence

How evidence is transported from the scene to its destination can be critical to the success of the case. The investigator needs to be able to demonstrate that there were no opportunities for evidence to be altered, tampered with, or otherwise compromised. When arriving on the scene, the team should be prepared with proper packaging materials for packing and transporting evidence. Critical items include

• Packing boxes

• Antistatic bags

• Antistatic bubble wrap

• Cable ties

• Packing tape

• Evidence tape

• Faraday containers

• A hand truck

Before packaging components, be sure to label each one with the following concepts in mind. You must be able to match components to systems in order to examine them precisely as they existed in situ. If multiple users are involved, devices must be identified as to primary user. When devices are seized from multiple rooms or locations, the originating location must be listed.

While transporting evidence, follow these rules:

• Electronic devices and media must be protected from electronic and magnetic interference.

• Devices (especially computers) must be protected from impact or excessive vibration.

• Evidence must be protected from heat and humidity.

• Precautions must be taken to prevent loss or theft of evidence materials.

• The chain of custody report must be rigorously maintained.

Always remember that in a contested situation, the opposition will be looking for any opportunity to discredit the procedures or practices at every step of the way.

Storing Evidence

Many of the rules of transporting evidence apply equally to the storage of evidence. As soon as any piece of evidence arrives at a storage facility, it must be inventoried, identified, and stored safely according to the type of material it represents. Be aware of how long any particular piece of evidence might reside in storage. Devices that depend on batteries require special attention. If the batteries are allowed to die, there is a strong potential for losing valuable data. If a power adapter or alternate power supply cannot be provided, the device should be processed immediately. A high-capacity uninterruptible power supply is a good addition to the field kit.

Some devices, such as cell phones or other networked devices, must be stored in a manner that prevents them from reaching a network, since a device that can still connect can be remotely accessed or wiped. Faraday boxes are useful for this. Some larger facilities are equipped with Faraday rooms. These allow the devices to be stored and examined without danger of outside interaction.

In all cases, evidence materials need to be protected from heat, humidity, electromagnetic exposure, and other damaging environmental conditions. This would include contaminating or oxidizing gases or particulate matter such as dust and sand. All storage lockers or rooms should be constructed from fire-retardant materials with an automated fire extinguishing system.

Wiles and Reyes (2007) list four requirements that a secure evidence storage facility must meet:

• Access to storage is limited to the evidence custodian.

• All access to the evidence locker is rigorously documented.

• Chain of custody for all items in possession of the facility must be rigorously maintained.

• Some form of independently auditing the aforementioned rules exists.

Physical access to the storage area should be highly restricted. Documented rules and regulations for storage and access must be prepared and followed to the letter. Twenty-four-hour video surveillance and intrusion detection systems should be installed that meet these requirements:

• Video capture and recording equipment is not accessible to anyone but authorized personnel.

• Images taken by the system must be of sufficient quality to be usable.

• Surveillance views should include all entrance and exit points for the storage area as well as the public access area.

• Intrusion detection should be able to detect entry through doors and windows as well as catastrophic entry that would include the destruction of walls, floors, and ceilings.

• Walls, floors, and ceilings should be hardened to deflect forced entry.

• Air ducts and other conduits should be sized to prevent human entry.

• Air filtration and other systems should be designed to prevent the infiltration of harmful substances.

Security systems controlling access to the evidence storage areas should require two independent checks (two-factor authentication). These checks can include passwords, biometric recognition (such as retinal scans or fingerprint identification), security cards, tokens, and so forth.

Destruction or Return of Evidence

The phrase “destruction of evidence” usually sends chills down the spine of a good investigator. Inadvertent destruction or spoliation of evidence is the one event that nearly all practices are designed to avoid. However, once a case is concluded, one of two things will happen to evidence materials. Either it will be returned to the original owner or it will be destroyed. Generally speaking, courts will order the destruction of certain types of evidence, including pornography, evidence of illegal gambling, and contraband such as pirated software or other stolen intellectual property. Also, if seized hardware is ordered by the courts to be donated to another organization, all data contained on the target devices must be destroyed. Laws can vary from state to state. It is not the responsibility of the investigator to decide whether or not to destroy evidentiary materials. Such orders would come from officers of the court in criminal cases or possibly from officers of the corporation in the case of internal investigations.

Should the request to destroy materials be made, make sure that the request comes in writing and that it is made by someone with authority to make such a request. Once the decision to destroy is finalized, it is time to select the method of destruction. Many state and federal organizations require the physical destruction of the media storing the sensitive data. Where possible, this would include incineration. Devices such as hard drives or optical disks that either cannot be incinerated or would pose health or environmental hazards if incinerated can be destroyed in some very creative and stress-relieving methods. While working for a federal agency, I was once asked to destroy a number of hard disk drives using a large sledge hammer. Other methods include driving a spike through the disk and physically dismantling the drive.

If the device is to be reused but the data destroyed, a number of data wiping utilities can do the job effectively enough that the average user could never extract it, and that most professionals would find difficult, if not impossible, to recover. One method that is free and quite effective is the dd utility. The command dd if=/dev/urandom of=/dev/hda overwrites the entire contents of the disk the system identifies as hda (a legacy IDE device name; current kernels use names such as /dev/sda) with random data, and dd if=/dev/zero of=/dev/hda overwrites it with zeros. Repeating the random pass several times, finishing with a zero pass, and then formatting the drive sanitizes the device for future use. Two cautions apply. First, dd does exactly what its arguments say, so confirm the device name before running it; pointing of= at the wrong disk destroys the evidence, or the examiner's workstation, just as thoroughly. Second, overwriting cannot be relied on for solid-state drives, whose controllers remap blocks for wear leveling, so cells holding old data may never be touched by a pass over the visible device.

WIPE.EXE is a Windows utility for cleansing disk drives. This interesting little applet has an additional talent for deleting files selectively, and it can remove residual entries in the MFT. Also available for Windows is a freeware program called Active@KillDisk (AKD). AKD is recognized by the Department of Defense as conforming to all government standards for data destruction. This free download is currently available at http://killdisk.com/.

Linux users have several options as well. The dd utility previously mentioned works below the file system, copying raw blocks, so it does not care what file system the device holds, and ports of it exist for Windows. Most, if not all, Linux distributions ship with the GNU coreutils shred utility, which overwrites a file's allocated blocks in place (three passes of random data by default, plus a final pass of zeros if -z is given) and unlinks the file only when -u is specified. Note the caveat in shred's own documentation: it assumes the file system overwrites data in place, which journaled, copy-on-write, and log-structured file systems may not do, so for sanitizing a whole device run shred (or dd) against the device node rather than against individual files. A more powerful option is the diskscrub utility (invoked as scrub), which overwrites a file or device with one or more passes of selectable patterns and can remove the file afterward.
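The dd procedure from the preceding paragraphs, with the verification step that should follow any wipe, whether done with dd, shred, or scrub, as an added example that is not from the book. The target path is supplied by the caller and is an assumption; the demo uses a throwaway regular file standing in for a disk so that nothing real is overwritten. On an actual device, confirm the name with lsblk or blkid before calling sanitize, because dd destroys whatever of= points at without asking. The blockdev call is Linux util-linux; everything else is POSIX shell.

```sh
#!/bin/sh
# Added example (not from the book): dd-based overwrite passes plus a
# verification pass, so a device can be released with evidence that the
# wipe actually completed. TARGET is an assumption supplied by the caller.

# byte_size TARGET -> size in bytes. blockdev handles a block device (Linux);
# a regular file, used as a stand-in for a device in the demo, is measured with wc.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# overwrite TARGET SOURCE -> one full pass over TARGET from SOURCE
# (/dev/urandom or /dev/zero). head bounds the pass to the exact size and
# conv=notrunc keeps a regular file from being truncated to the pipe length.
overwrite() {
    size=$(byte_size "$1")
    head -c "$size" "$2" | dd of="$1" conv=notrunc 2>/dev/null
}

# all_zero TARGET -> true if no nonzero byte remains. od -v prints every byte
# (no '*' suppression of repeats); stripping blanks, newlines and the digit 0
# leaves only the hex digits of nonzero bytes, so an empty result means clean.
all_zero() {
    [ "$(od -An -v -tx1 "$1" | tr -d ' \n0' | wc -c | tr -d ' ')" -eq 0 ]
}

# sanitize TARGET [PASSES] -> PASSES random passes, then a zero pass, then verify.
# Returns nonzero if the target is not writable or any nonzero byte survives.
sanitize() {
    target=$1
    passes=${2:-1}
    [ -w "$target" ] || { echo "not writable: $target" >&2; return 2; }
    i=0
    while [ "$i" -lt "$passes" ]; do
        overwrite "$target" /dev/urandom
        i=$((i + 1))
    done
    overwrite "$target" /dev/zero
    all_zero "$target"
}

# Demo on a throwaway file rather than a disk:  sh wipe.sh --demo
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp)
    yes 'SECRET RECORD' | head -c 65536 > "$img"
    sanitize "$img" 2 && echo "verified: $img is all zeros"
    rm -f "$img"
fi
```

The verification pass is the part most wipe instructions omit: a dd run that stops early on an I/O error still exits, and without reading the device back there is no record that the overwrite reached the end. Record the result of all_zero, the device serial number, and the date on the destruction order before the hardware leaves the facility.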

Chapter Review

1. Explain Locard’s principle, and describe how it is relevant to a digital investigation.

2. List three or four things that can be described as class characteristics and three or four others that qualify as individual characteristics. Use a house as an example.

3. You have a printed version of a document along with the digital file that was used to create that document. List two things that the digital document has that the paper document doesn’t. What are two pieces of evidence that might be obtained from the paper document that you wouldn’t get from the digital file?

4. What makes the transportation of evidence such a critical factor in an investigation? Explain how the opposition might latch onto an error in the transportation cycle to disqualify evidence.

5. Describe the function of a Faraday box, and explain what purpose it serves in the evidence collection process.

Chapter Exercises

1. Using the information provided in this chapter, put together a shopping list of items that a first responder should always have at immediate disposal in a field kit. Using current pricing, provide your manager (or instructor) with a purchase requisition that includes items, prices, and a total.

2. You have been assigned to investigate whether or not an employee at a local hospital has been accessing patient records and selling information to online pharmacies. It is your first day of the investigation. Put together a list of data sources that must be examined during the investigation.

3. Using a standard word processing application, such as Microsoft Word or OpenOffice, create a standard template that you will use as a chain of custody for the remainder of this text.

References

American Civil Liberties Union. 2003. A question of innocence. www.aclu.org/capital-punishment/question-innocence (accessed December 22, 2009).

Casey, E. 2001. Digital evidence and computer crime. New York: Elsevier Academic Press.

Chiang, P., N. Khanna, et al. 2009. Printer and scanner forensics. IEEE Signal Processing Magazine 26(2):72–83.

Kirk, P. 1953. Crime investigation: Physical evidence and the police laboratory, p.4. New York: Laboratory Interscience Publishers.

Marcella, A., and R. S. Menendez. 2008. Cyber forensics: A field manual for collecting, examining, and preserving evidence of computer crimes. New York: Auerbach Publications.

Melchior, L., T. Kivisild, N. Lynnerup, and J. Dissing. 2008. Evidence of authentic DNA from Danish Viking Age skeletons untouched by humans for 1,000 years. PLoS ONE. www.plosone.org/article/info:doi/10.1371/journal.pone.0002214 (accessed December 24, 2009).

Merriam-Webster Online Dictionary. s.v. “forensic.” http://www.merriam-webster.com/dictionary/forensic (accessed May 23, 2013).

U.S. Department of Justice. 2001. Electronic crime scene investigation: A guide for first responders. Washington, DC: National Institute of Justice.

U.S. Department of Justice. 2008. Federal rules of evidence. Washington, DC.

Wiles, J., and A. Reyes. 2007. The best damn cybercrime and digital forensics book: Period. Burlington: Syngress Publishing.