This blog is for anyone daring and brave enough to follow the rabbit hole into the realm of computer forensics, where the truth lies. The main objective for an analyst is to be able to dig up the digital past with no judgement of the outcome. There must be a legitimate need to conduct a computer investigation, with proper and prior authorization. It is highly recommended that Directors of IT Security / IT Security Managers incorporate this facet into their company’s security policy, with respect to the privacy laws in their jurisdiction. The advice of legal counsel is pertinent prior to involving forensics.
A person who practices forensics would tell you it is imperative to have clearly defined policies and procedures that you adhere to while conducting investigations. If a case were to go to court, a defense attorney will try to poke holes in your process, and it’s the analyst’s job not to follow them down their rabbit hole that leads to doubt. Speculation is never an option. Being able to articulate your findings is crucial when presenting your report. Regular people need to be able to understand what you’re talking about, so speaking from a highly technical perspective is frowned upon. A simple way to describe the overall process is the safety net concept: ensure electronic evidence is not altered, is properly preserved and protected, can be authenticated, and is maintained with a Chain of Custody. This concept also helps protect the examiner against liability issues and ensures that judicial challenges to the authenticity of the evidence can be met.
The safety net procedures begin at first response. From the moment you begin evidence collection, you will begin documenting everything you do. You must be able to recount everything you did - how, when, where, and with what tools, etc. Some first response procedures at the scene are photographing, taking notes on, and / or sketching the evidence, any peripherals, and the area around the evidence. Take note of and photograph the location of wires, cables, ports, passwords, admin credentials, names of individuals with access, etc.
The next safety net procedure is system checking. Check the BIOS date / time, boot order, attached hardware, configurations, etc. This will be a crucial part of the process - determining whether to take down the machine by pulling the plug or doing a proper shutdown, provided the machine is even on. This depends on the circumstances - such as running processes, the presence of malware or a wipe utility, operating system considerations, etc.
The Controlled Boot Process is used when booting the subject’s computer from a self-validated control boot disk, such as SAFE (System Acquisition Forensic Environment), a Windows control boot disk. Here is where you can take a physical image and hash of the suspect hard drive and save them to your forensically wiped target media. The other option is to disconnect the hard drive from the computer and connect it to your forensically sound workstation via a hardware write blocker. The write blocker is a must and ensures the media is not written to or altered in any way; a software write blocker serves the same purpose. Common tools for forensic imaging are FTK Imager and EnCase Imager.
When it’s time to transfer and store the data, be sure it is kept out of harm’s way and out of any extreme temperatures. The Chain of Custody will come into play here when the evidence is taken from one location to another. Anyone handling the evidence must maintain this documentation with respect to dates, times, procedures performed, etc. Properly label and bag anything being transported.
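One way to carry out the image-verification and Chain of Custody bookkeeping described in the two preceding paragraphs, as an added Python example that is not part of the original post and does not use FTK Imager, EnCase Imager or SAFE: the "media" is a constructed byte string standing in for a drive read through a write blocker, the case number and serial are placeholders, and the hash-chained log format is my own assumption about how a custody record could be kept, not any standard or tool's format.

```python
"""Added example: verify an acquired image against its source hash and keep a
hash-chained chain-of-custody log. All sample data below is constructed."""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20    # hash in 1 MiB pieces so a real multi-GB image never sits in RAM
GENESIS = "0" * 64  # prev_hash of the first custody entry


def hash_stream(data, algorithm="sha256"):
    """Hash a bytes-like object chunk by chunk (stand-in for a device or image file)."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def verify_image(source_media, image):
    """Acquisition check: the image hash must equal the hash taken of the source media."""
    src, img = hash_stream(source_media), hash_stream(image)
    return {"source_sha256": src, "image_sha256": img, "verified": src == img}


def _entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody record; every entry commits to the previous entry's hash,
    so editing or deleting an earlier handover breaks the chain (assumed format)."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, handler, action, location, detail=None, when=None):
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries) + 1,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "location": location,
            "detail": detail or {},
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def is_intact(self):
        """Re-derive every link; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _entry_digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquisition_walkthrough():
    """Runs the post's steps on constructed data and returns four checks:
    (good image verifies, altered image fails, untouched log intact, edited log detected)."""
    source_media = bytes(range(256)) * 4096       # constructed 1 MiB "drive"
    good_image = bytes(source_media)               # faithful bit-for-bit copy
    bad_image = source_media[:-1] + b"\x00"        # constructed: one byte changed

    log = CustodyLog("CASE-PLACEHOLDER-001")
    log.record("examiner A", "seized", "office 12",
               {"item": "laptop HDD", "serial": "SERIAL-PLACEHOLDER", "photos": 6})
    result = verify_image(source_media, good_image)
    log.record("examiner A", "imaged", "lab bench 3",
               {"write_blocker": "hardware", "target_media": "wiped", **result})
    log.record("courier B", "transported", "evidence locker 4", {"bag": "sealed"})

    intact_before = log.is_intact()
    log.entries[1]["location"] = "unknown"         # simulate an after-the-fact edit
    return (result["verified"],
            verify_image(source_media, bad_image)["verified"],
            intact_before,
            log.is_intact())


if __name__ == "__main__":
    print(acquisition_walkthrough())   # (True, False, True, False)
```

In practice the source hash is taken of the drive itself through the write blocker and the image hash of the file written to the wiped target media; recording both in the same custody entry as the handover ties the "what" to the "who, when and where" that the post says every handler must document.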
In summary, by following these guidelines you will be ensuring best practices while maintaining the integrity of the evidence. There are so many variables and different circumstances that could alter your procedures, and this is okay, but most importantly any deviation must be documented and able to be explained.