
Computer Forensics


by Dr. Greg Miles - 9/6/00

Computer forensics is a two-sided coin. One side is the technical aspect of finding what was done to a system, or by a system, and being able to attribute that activity to a specific individual or entity. The other side focuses on the law and on making sure that whatever is found can be admitted as evidence in a court of law. This is where it gets extremely complicated, which is why it is essential that anyone who is going to be involved in computer forensics is trained in how to handle the evidence.

Forensic analysis is the technical side of what we discussed above. The goal of forensic analysis is to discover evidence that proves:
  • What happened
  • Where it happened
  • When it happened
  • Who did it
  • How they did it

Since it may not be apparent at the beginning of an incident investigation that the outcome will be a legal case, treat every investigation as if it will lead to a court case. Establish and maintain an evidentiary chain for all electronic and physical evidence collected during the investigation. Keep detailed logs of your actions and findings as investigators. Most computer crime investigations lack an evidentiary chain and detailed investigative logs, and that is a primary reason why it has been difficult to gain convictions in criminal cases. Also, be aware that this information will be available to the defense counsel through the information discovery process and may become public. Do not include company confidential information unless it is necessary.

To maintain an evidentiary chain the following information needs to be recorded:
  • Where, when, and who discovered the evidence
  • Who has handled or examined the evidence and when
  • Who has had custody of the evidence, during what time period, and where it was stored/secured
  • If the evidence has changed custody, how and when the transfer occurred (include shipping numbers etc.)

All digital data analysis should be performed on trusted systems that can only be accessed by incident investigators. Take every precaution not to contaminate or co-mingle digital data from separate investigations. Keep clean copies of all software used in the analysis to assure its availability when the case goes to court. Be aware that you will need to work closely with lawyers and law enforcement officials when conducting computer forensics, and that you must be able to show that the data was not corrupted or compromised by the forensic investigation, that the process and techniques used are acceptable, and that the credibility and capability of the people conducting the forensic analysis are beyond reproach.

If you are the one that must conduct the forensics as a result of an incident, keep the following in mind:
  • Do not rush. Sacrifice time for thoroughness.
  • Preserve as much evidence in its original form as possible. This includes making bit-for-bit copies of hard drives and other electronic media before attempting any analysis. Conduct the analysis on the copies, not the original.
  • Take detailed notes on your actions and the actions of those around you, including the time of the action. Include your reason for taking the action. Sign and date the bottom of each page of notes.
  • Record each piece of evidence you find, including a description, location, time found, and other distinguishing attributes. If it is physical evidence, record who handled the evidence before it came into your possession. If it is electronic evidence, record any processing of the evidence that occurred prior to your possession of the evidence. This data will help maintain an evidentiary chain and record of possible modification.
  • If it is possible that a person who physically accessed the system caused the incident, preserve the physical evidence. Wear white cotton gloves when using the computer and handling physical evidence. Do not allow non-investigative personnel to enter the crime scene. Record the names and contact information of all people present when you entered the area. Make a record of all physical security controls in the area.
  • Restrict information about the incident on a need-to-know basis. Only management and technical personnel (system administration, network engineering, development, etc.) who can significantly contribute to the resolution or investigation of the incident should be informed. Only disclose information that is immediately needed to solve the problem or task at hand.
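The evidentiary-chain fields listed earlier (who discovered, handled, and held custody of the evidence, when and where) and the bit-for-bit copy step above can be tied together in a small custody ledger. The following is an added example, not code from the original article: it hashes the imaged media, confirms the working copy matches the original before analysis begins, and keeps an append-only custody log in which every entry is hash-linked to the previous one, so a later edit to any entry is detectable. The evidence id, names, times, and the "disk image" bytes are constructed placeholders.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, working_copy: bytes) -> bool:
    # A working copy is only fit for analysis if it hashes identically to the original.
    return sha256_hex(original) == sha256_hex(working_copy)


class CustodyLog:
    """Append-only chain-of-custody record for one piece of evidence.
    Each entry records action/who/when/where and carries the hash of the
    preceding entry (or of the evidence itself for the first entry)."""

    def __init__(self, evidence_id: str, evidence_hash: str):
        self.evidence_id = evidence_id
        self.evidence_hash = evidence_hash  # hash of the original media image
        self.entries = []

    def record(self, action: str, who: str, when: str, where: str, detail: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        entry = {"evidence_id": self.evidence_id, "action": action, "who": who,
                 "when": when, "where": where, "detail": detail, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        # Walk the chain: every entry must match its own hash and link to its predecessor.
        prev = self.evidence_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_example_log() -> CustodyLog:
    # Constructed stand-in for a seized disk image; a real case hashes the imaged media.
    original = b"\x00" * 512 + b"first sectors of seized workstation (constructed sample)"
    working_copy = bytes(original)  # stands in for the bit-for-bit copy
    if not verify_copy(original, working_copy):
        raise ValueError("working copy does not match original; do not analyse it")
    log = CustodyLog("EV-001 (placeholder id)", sha256_hex(original))
    log.record("discovered", "J. Doe (investigator, placeholder)", "2000-09-06T09:15Z", "Room 4B, Bldg 2")
    log.record("imaged", "J. Doe (investigator, placeholder)", "2000-09-06T10:02Z", "Forensic lab", "bit-for-bit copy, hash verified")
    log.record("transferred", "J. Doe -> K. Lee (custodian, placeholder)", "2000-09-06T16:30Z", "Evidence locker 7", "tracking no. [placeholder]")
    return log
```

Any change to a recorded field (who, when, where, or the custody transfer detail) after the fact makes verify() return False, which is the property a defence counsel's discovery request will probe.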

If you don't have the experience, don't try to conduct the investigation without professionally trained assistance. This may prove detrimental to being able to admit evidence into the courtroom.

As we discussed, computer forensics has two sides: the technical analysis side and the legal side. The key to success is making the two meet up in the end for the ultimate goal of catching the criminal.