Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made.
To ensure that the machine can be analyzed as
completely as possible, the following sequence of steps must be
followed:
Examine the machine's surroundings
Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as key drives, MP3 players or security tokens. In some cases, these can be worn as jewelry.
Record open applications
If the machine is still active, any intelligence which can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information held solely in RAM is not recovered before powering down, it will be lost. For most practical purposes, it is not possible to completely scan the contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it), and removing the cover could cause the system to dump the contents of memory. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.
Modern RAM cannot be analyzed for prior content after erasure and power loss with any real probability of success.
Power down carefully
| Operating system | Action |
| DOS | Pull the plug |
| Windows 3.1 | Pull the plug |
| Windows 95 | Pull the plug |
| Windows 98 | Pull the plug |
| Windows NT | Pull the plug |
| Windows NT Server | Shut down |
| Windows 2000 | Pull the plug |
| Windows 2000 Server | Shut down |
| Windows XP | Pull the plug |
| Windows 2003 | Shut down |
| Linux | Shut down |
| Unix | Shut down |
| Macintosh OS 9 and older | Pull the plug |
| Macintosh OS X | Shut down |
If the operating system cannot be determined, pulling the plug will suffice.
When pulling the plug, make sure that you pull the lead out of the computer unit itself rather than from the wall: if an uninterruptible power supply is connected and only the mains feed to the UPS is switched off, the computer will remain powered.
Shutting the computer down by the correct method is critical if certain data is normally held only in memory and is committed back to disk when the machine is shut down.
Shutting down computers which do not normally hold data in memory (such as Windows XP) by the usual method may change data on the hard drive. This is to be avoided at all cost, especially when there is no benefit in shutting the computer down this way. For this reason it is recommended that the plug is pulled on these computers.
Inspect for traps
Inspect the chassis for traps, intrusion detection mechanisms, and self-destruct mechanisms. It takes a lot to destroy a hard drive to the point where no data at all can be recovered from it, but it doesn't take much to make recovery very, very difficult. Find a hole in the chassis you can use for inspection (cooling fan openings are a good bet), or pick a safe spot in the chassis to drill one, and use an illuminated fiberscope to inspect the inside of the machine. Look specifically for large capacitors or batteries, nonstandard wiring around drives, and possible incendiary or explosive devices. PC hardware is fairly standardized these days, and you should treat anything you don't recognize as cause for concern until proven otherwise. Look for wires attached to the chassis: PCs aren't normally grounded this way, so those are cause for concern.
You should specifically look for a wire running from anything to the CMOS battery or "CMOS clear" jumper. CMOS memory can be used to store data on the motherboard itself, and if power is removed from it, the contents will be lost. You must avoid causing CMOS memory to lose power. Encryption keys, etc., may be stored here.
Once you have determined that the case is safe
to open, proceed to remove the cover.
Fully document hardware configuration
Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.
Duplicate the hard drives
Using a standalone hard-drive duplicator or similar device, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the file system. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.
Use some kind of hardware write protection to ensure no writes will be made to the original drive. Even though operating systems like Linux can be configured to prevent this, a hardware write blocker is the best practice. The process is often called imaging. You can image to another hard disk drive, a tape, or other media. Tape is a preferred format for archive images, since it is less vulnerable to damage and can be stored for a longer time. There are two goals when making an image:
- Completeness (imaging all of the information)
- Accuracy (copying it all correctly)
The imaging process is verified using an MD5 message digest or a stronger algorithm (SHA1, etc.). To make a forensically sound image, you need to make two reads of the drive that result in the same MD5. Generally, a drive should be hashed with at least two algorithms so that its authenticity can still be established if one of the algorithms is broken. This can be accomplished by first imaging to one tape labeled as the Master and then making a second image labeled Working. If on site and time is critical, the second read can be made to null, that is, read and hashed without being written to a second image.
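As an added example (not part of the original article), the following Python script carries out the verification described above on a constructed drive image rather than a real device: a sector-by-sector bit-stream read that writes the image while hashing with two algorithms, then a second read of the source (to null) and a read of the image, all of which must agree. The temp-file paths, the 8-sector constructed drive contents and the single-byte tamper are assumptions; on a real acquisition the source would be the block device behind a hardware write blocker.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # copy in sector-sized units, never through the file system


def _read_sectors(path, sector=SECTOR):
    """Yield the raw contents of path one sector at a time (the last one may be short)."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(sector)
            if not chunk:
                return
            yield chunk


def digests(chunks, sink=None):
    """Hash a stream with MD5 and SHA1 in one pass; optionally write it to sink (the image)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def acquire(src, image):
    """First read: bit-stream copy src -> image, recording both digests of what was read."""
    with open(image, "wb") as out:
        return digests(_read_sectors(src), out)


def verify(src, image, acquired):
    """Second read of the source (to null) and a read of the image must both match."""
    return acquired == digests(_read_sectors(src)) == digests(_read_sectors(image))


def demo():
    """Run on a constructed 8-sector 'drive'; returns (verified, verified after a tamper)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "drive.bin"), os.path.join(d, "master.img")
        with open(src, "wb") as f:  # constructed sample data, not a real device
            f.write(bytes((i * 7) % 256 for i in range(SECTOR * 8)))
        acquired = acquire(src, img)
        before = verify(src, img, acquired)
        with open(img, "r+b") as f:  # one byte written to the image after acquisition
            f.seek(3 * SECTOR)
            f.write(b"\xff")
        after = verify(src, img, acquired)
    return before, after
```

A single changed byte in the image is enough for both digests to disagree with the acquisition record, which is the check that shows the Working copy no longer matches the Master.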
E-Mail Review
E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. An e-mail may exist in a variety of places, so all is not lost if the culprit simply deletes the e-mail; examples of such places are:
- On the hard drives of the sender and recipients
- In a network drive
- In a mailbox
Sorting Through the Masses
While it is theoretically possible to review all e-mails, the sheer volume subject to review can make this a daunting task; large-scale e-mail reviews cannot look at each and every e-mail because of the impracticality and cost. Forensics experts use review tools to make copies of and search through e-mails and their attachments, looking for incriminating evidence using keyword searches. Some programs have been advanced to the point that they can recognize general threads in e-mails by looking at word groupings on either side of the search word in question. Thanks to this technology, vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand.