Introduction - Part 2
Evidence Acquisition
Handling the evidence is one of the most important aspects of the expanding field of computer forensics. An investigator should take precautions while collecting, preserving and transporting digital evidence. First responders should follow these steps when handling digital evidence at an electronic crime scene:
1. Recognize, identify, seize and secure all the digital evidence at the crime scene.
2. Document the entire crime scene and the specific location of the evidence found.
3. Collect, label, and preserve the digital evidence.
4. Package and transport digital evidence in a secure manner.
Before collecting evidence at a crime scene, first responders should ensure that the legal authority to seize the evidence exists, that the scene has been secured and documented, and that appropriate personal protective equipment is used.
Evidence Preservation Steps (Follow in order):
1. Photograph the computer and scene
2. If the computer is off, do not turn it on.
3. If the computer is on, photograph the screen.
4. Collect live data: start with a RAM image, then collect other live data as required, such as network connection state, logged-on users and currently executing processes.
5. If hard disk encryption is detected, such as full disk encryption (e.g. PGP Disk), collect a "logical image" of the hard disk using recommended tools.
6. Unplug the power cord from the back of the tower. If the computer is a laptop and does not shut down when the cord is removed, remove the battery.
7. Diagram and label all cords.
8. Document all device model numbers and serial numbers.
9. Disconnect all cords and devices.
10. Image hard drives using a write blocker.
11. Package all components (using anti-static evidence bags).
12. Seize all additional storage media (create respective images and place original devices in anti-static evidence bags).
13. Keep all media away from magnets, radio transmitters and other potentially damaging elements.
14. Collect instruction manuals, documentation and notes.
15. Document all steps used in the seizure.
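Steps 10, 12 and 15 above (image the drive, image additional media, document every step) are what a verified acquisition boils down to: copy the source bit for bit, hash both sides, confirm the hashes match and record the result. The following is an added example, not code from the original article or from any forensic tool it mentions. It reads the source in chunks, writes an image, hashes the source during the read, re-hashes the finished image from disk, and appends a timestamped JSON record to an acquisition log. The sample "device" is a constructed file so the example runs offline; on a real case the source would be a block device reached through a write blocker (for example /dev/sdb, an assumption). The function and record names (acquire_image, sha256_of_file, the log fields) are this example's own.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size


def sha256_of_file(path):
    """Hash a file in chunks; used to re-verify the image from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, log_path, examiner, case_id):
    """Copy source to image bit for bit, hashing the source as it is read.

    Returns the acquisition record and appends it to log_path as one JSON line.
    The source is only ever opened read-only; write protection of the physical
    device is the write blocker's job, not this script's.
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            img.write(chunk)
            total += len(chunk)
        img.flush()
        os.fsync(img.fileno())  # image must be on disk before it is verified

    # Independent verification pass: hash what was actually written, not the
    # bytes still in memory, then compare against the source hash.
    image_digest = sha256_of_file(image_path)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id,
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "bytes_copied": total,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_digest,
        "verified": src_hash.hexdigest() == image_digest,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Run the acquisition against a constructed sample 'device' file."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "evidence.bin")  # stands in for /dev/sdb
    with open(source, "wb") as f:
        # Constructed content: a repeating byte pattern, deliberately not a
        # whole number of chunks so the final partial read is exercised.
        f.write(bytes(range(256)) * (3 * 4096) + b"tail")
    return acquire_image(source,
                         os.path.join(workdir, "evidence.dd"),
                         os.path.join(workdir, "acquisition.log"),
                         examiner="examiner-1", case_id="CASE-0001")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second hashing pass is the part worth keeping: a hash computed from the bytes still in memory proves nothing about what landed on the destination disk, and a "verified": false record is exactly what the step 15 documentation should capture if the image needs to be re-acquired.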
Write Blockers
Write blockers are devices that allow acquisition of information from a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands, hence their name. A blocker can implement this in one of two ways:
1. The blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list.
2. The blocker can specifically block the write commands and let everything else through.
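The two designs just listed behave differently when a command the blocker has never heard of arrives. The following toy model is an added example, not code from the original article or from any write blocker product: DenyListBlocker forwards everything except a fixed list (design 1), while ReadOnlyBlocker forwards only commands it positively knows do not modify media and rejects everything else (design 2 taken to its default-deny conclusion). The opcode table is a small illustrative subset of the ATA command set, and the vendor-specific opcode 0x8A, together with the assumption that it modifies media on the imaginary drive, is constructed for the demonstration; all class and function names are this example's own.

```python
from dataclasses import dataclass

# Illustrative subset of ATA command opcodes: opcode -> (name, modifies media?).
# A real blocker must handle the full command set; this is only what the model needs.
KNOWN_COMMANDS = {
    0x20: ("READ SECTORS", False),
    0x24: ("READ SECTORS EXT", False),
    0x25: ("READ DMA EXT", False),
    0xC8: ("READ DMA", False),
    0xEC: ("IDENTIFY DEVICE", False),
    0x30: ("WRITE SECTORS", True),
    0x34: ("WRITE SECTORS EXT", True),
    0x35: ("WRITE DMA EXT", True),
    0xCA: ("WRITE DMA", True),
    0xF4: ("SECURITY ERASE UNIT", True),
}

# Constructed for the demo: an opcode from the vendor-specific range (0x80-0x8F
# in the ATA command set) that, on this imaginary drive, does modify the media.
# It is deliberately absent from KNOWN_COMMANDS.
VENDOR_WRITE_OPCODE = 0x8A

# What the (imaginary) drive actually does with each opcode; the blocker does
# not get to see this, it only sees the opcode.
DRIVE_WRITE_OPCODES = {op for op, (_, w) in KNOWN_COMMANDS.items() if w} | {VENDOR_WRITE_OPCODE}


class DenyListBlocker:
    """Design 1: forward every command except those on a fixed list."""
    def __init__(self, blocked):
        self.blocked = frozenset(blocked)

    def allows(self, opcode):
        return opcode not in self.blocked


class ReadOnlyBlocker:
    """Design 2 as default-deny: forward only commands known not to write."""
    def __init__(self, permitted):
        self.permitted = frozenset(permitted)

    def allows(self, opcode):
        return opcode in self.permitted


@dataclass
class SessionResult:
    forwarded: list
    rejected: list
    media_modified: bool  # did any forwarded command change the drive contents?


def run_session(blocker, opcodes):
    """Pass each host command through the blocker and report what reached the drive."""
    forwarded, rejected = [], []
    for op in opcodes:
        (forwarded if blocker.allows(op) else rejected).append(op)
    modified = any(op in DRIVE_WRITE_OPCODES for op in forwarded)
    return SessionResult(forwarded, rejected, modified)


def build_blockers():
    """Both blockers are configured from the same, equally incomplete, opcode table."""
    writes = [op for op, (_, w) in KNOWN_COMMANDS.items() if w]
    reads = [op for op, (_, w) in KNOWN_COMMANDS.items() if not w]
    return DenyListBlocker(writes), ReadOnlyBlocker(reads)


def demo():
    # Constructed host command sequence: identify, two reads, a normal write,
    # the unknown vendor command, and a secure erase.
    session = [0xEC, 0x20, 0x25, 0x30, VENDOR_WRITE_OPCODE, 0xF4]
    deny, readonly = build_blockers()
    return run_session(deny, session), run_session(readonly, session)


if __name__ == "__main__":
    deny_result, readonly_result = demo()
    print("deny-list  :", deny_result)
    print("read-only  :", readonly_result)
```

Both blockers stop the ordinary write and the erase; only the read-only design also stops the command neither of them recognises. That is the property an examiner wants from a blocker, and it is why evaluation of a blocker should include commands outside the standard read/write set rather than just confirming that WRITE SECTORS is refused.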
Write blockers may also include drive protection, which limits the speed of a drive attached to the blocker; drives that run at higher speed work harder (the head moves back and forth more often due to read errors). There are two types of write blockers, Native and Tailgate. A Native device uses the same interface on both sides, for example an IDE to IDE write blocker. A Tailgate device uses one interface on one side and a different one on the other, for example a FireWire to SATA write blocker.
Steve Bress and Mark Menz invented hard drive write blocking (US Patent 6,813,682). There are both hardware and software write blockers. Some software write blockers are designed for a specific operating system; one designed for Windows will not work on Linux. Most hardware write blockers are software independent.
A hardware write blocker (also referred to as a forensic bridge) is a device that sits between the host computer and the hard drive being connected to the system. Most hardware write blockers support multiple interfaces and allow the end user to connect IDE and SATA internal hard drives or USB and FireWire external hard drives to a host system. The write blocker allows the host computer to read from the target drive but blocks all write requests.
There are also various software applications that provide write-blocking functionality. While using a software write blocker sounds more practical and affordable, it comes with associated risks: most software write blockers are not 100% forensically reliable, and they have limitations. For example, Microsoft Windows Service Pack 2 and higher allows USB ports to be write blocked using a registry hack. While this simple method may work in most cases, it is effective only on USB devices that are connected after the change was made. In other words, a USB device that was connected before the registry hack remains writeable until it is removed and reinserted.