Understanding data acquisition
So, let’s recap: you have received training as a digital forensic investigator and may have received certification. You have built or purchased a digital forensic workstation and a forensic laptop and have created your response kit. You have responded to the scene and ensured that it had been made secure. You have verified that no one has altered the scene, and you have documented the scene with photographs. Now, it is time to process the scene and collect that digital evidence. We will now discuss the acquisition of data, otherwise known as evidence.
There are multiple scenarios where someone may call on you to acquire data for a digital forensic investigation. For example, as a law enforcement officer, you may respond to the scene, identify potential sources of digital forensic evidence, and then seize those items. As a private sector or corporate investigator, you may be called on to take an employee’s workstation or respond to the server room (either physically or remotely) to collect the data you need to analyze. The procedures we will discuss in the next section can be utilized in every environment.
A source of potential evidence is volatile memory. In the past, the data contained within volatile memory was ignored with a “pull the plug” mentality. This applied whenever officers responded to a scene and found the computer up and running: best practice required them to pull the plug to shut the system down.
However, volatile memory is only available while a system is up and running. Therefore, when the investigator pulled the plug, they lost all that data, including any potential evidence. As the field of digital forensics has matured, we have learned that what we once considered best practice was, in reality, not.
To collect volatile evidence, we should start from the most to the least volatile. This is called the order of volatility, and it goes like this:
- Live system
- Running
- Network
- Virtual
- Physical
We approach volatile data collection with the same mindset as creating forensic images. You must document the steps you take because you will interact with the machine to collect volatile data, which will change the evidence. In reality, the changes you make typically do not affect what you are investigating. But you should know that changes are being made to the system; you may get asked a question about potential changes to the evidence while testifying at the administrative or judicial proceeding. If you don’t know the answer, it could be professionally embarrassing.
The changes you make while collecting the volatile data will impact the processes found in RAM. That is why you need to take notes and document everything you do. Some examples of volatile data we collect are the current state of the system networking information (the ARP table, connections, routing table, and name cache), the logged-on users, running services, running processes, shared drives, remote activity, and open encrypted containers.
We have to weigh the changes we make against evidence that may otherwise be lost forever. The term “forensically sound manner” means leaving the smallest possible footprint during collection, so that the collection itself changes as little data as possible. The order in which you collect volatile data is significant because collecting it in the wrong order may destroy the very evidence you are looking for. RAM is considered the most volatile of all volatile data, so we want to collect it first.
Keep the following in mind:
- Collecting the volatile data may not always be possible, depending on the specific set of circumstances you encounter on the scene.
- If you find there is a destructive process running on the machine and the information you want to collect is being altered or overwritten, you may not want to take the time to collect the RAM as evidence is being manipulated.
- If it is a remote connection causing the destructive process, you need to document the connection, sever the connection, and then collect the RAM. Again, it depends on your investigation and the information you are trying to acquire.
- If the attacker is connected remotely and is accessing highly sensitive data, do you want the attacker to maintain access while you collect the RAM, or do you want to interrupt the connection? What if it is not critical information?
- Do you want to let the attacker continue to have access while you continue your processing?
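One way to collect the volatile data listed above in a documented order, as an added example that is not part of the book's material: every step is run most-volatile first, and the manifest records what command ran, when it started and finished, and the hash of what came back, which is exactly the record you will be asked about when testifying. The command list is a constructed placeholder for a Unix-like host and is assumed to be replaced with the tools for the system you are actually on.

```python
import hashlib
import subprocess
from datetime import datetime, timezone

# Collection steps, most volatile first (constructed command list for a Unix-like
# host; substitute the equivalent tools for the system you are actually on).
VOLATILE_STEPS = [
    ("arp_table", ["arp", "-a"]),
    ("connections", ["netstat", "-an"]),
    ("routing_table", ["netstat", "-rn"]),
    ("logged_on_users", ["who"]),
    ("processes", ["ps", "aux"]),
]

def run_step(name, cmd):
    """Run one collection command and record what ran, when, and the hash of its output."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=60)
        output, rc = proc.stdout, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Tool missing or hung: record that fact rather than silently skipping the step.
        output, rc = str(exc).encode(), None
    finished = datetime.now(timezone.utc).isoformat()
    return {"step": name, "command": " ".join(cmd), "started_utc": started,
            "finished_utc": finished, "return_code": rc, "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(), "output": output}

def collect(steps=VOLATILE_STEPS):
    """Run the steps in the given order; the returned manifest is the record you testify from."""
    return [run_step(name, cmd) for name, cmd in steps]

def write_manifest(manifest, path):
    """Write one tab-separated line per step (everything except the raw output)."""
    fields = ("step", "command", "started_utc", "finished_utc", "return_code", "bytes", "sha256")
    with open(path, "w") as fh:
        fh.write("\t".join(fields) + "\n")
        for m in manifest:
            fh.write("\t".join(str(m[f]) for f in fields) + "\n")

if __name__ == "__main__":
    manifest = collect()
    for m in manifest:
        with open(f"{m['step']}.txt", "wb") as fh:   # raw output kept alongside the manifest
            fh.write(m["output"])
    write_manifest(manifest, "volatile_manifest.tsv")
    for m in manifest:
        print(f"{m['step']:<16} rc={m['return_code']} bytes={m['bytes']} sha256={m['sha256']}")
```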
Ultimately, the goal of digital forensics is to create a forensic image for analysis. Therefore, under normal circumstances, it is not appropriate to change digital evidence during collection.
In today’s environment, that is not always possible. Due to the easy availability of full disk encryption or full volume encryption, it is no longer acceptable to pull the plug on computer systems.
Let’s take a slight detour and talk about what encryption is. At a basic level, encryption is encoding information to protect the confidentiality of the information and allow only the person with the decryption key to access it. All encryption can be broken if the attacker has enough time.
With today’s level of equipment, that time factor is measured in hundreds of years. As technology advances with increases in processing power, the time taken to decrypt top-level encryption decreases. So, what was considered secure encryption in the 1990s is now regarded as weak. That is why it is imperative not to pull the plug on a system where it is possible that encryption is being used. Without gaining access to the decryption key, you cannot get to the data.
Every situation, every crime scene, and investigation will be different, which means the actions you take will be based on the specific set of circumstances you encounter. Utilize your problem-solving skills and make quick decisions based on the limited information you have available.
Now we have the evidence, how do we keep control of it? Let’s talk about the chain of custody.
Chain of custody
Maintaining the chain of custody is an integral part of preserving and authenticating physical and digital evidence for an administrative or judicial proceeding. The chain of custody documents all access to the evidence, who accessed it, when it was accessed, and for what purpose it was accessed.
NIST provides a chain-of-custody document, shown in the following figure. It is a generic chain-of-custody form for you to use and adjust as needed and can be downloaded at https://www.nist.gov/document/sample-chain-custody-formdocx. The form is used to track the chain of custody and will be maintained every time evidence changes hands:
Figure 2.1: An evidence form
As you can see, some fields may not be pertinent to you. For example, as a corporate digital forensic investigator, you may not need the Victim field, so you can change it or remove it altogether.
The goal of this form is to track the digital evidence and maintain control so that you may authenticate the evidence later. In the Description of Evidence field, you describe the container holding the digital evidence. It could be non-reusable media, such as a DVD with log files burned for later examination.
In the following figure, you can see the Description of Evidence section. The Item number refers to a sequential numbering system to help track the items. Quantity is the physical number of items, and the Description of Item field is self-explanatory:
Figure 2.2: A description of the evidence
For example, in the previous figure, a DVD is listed as item CD-001. You might impound several CDs or DVDs and then have the problem of telling one disk from another. The same applies not just to CDs or DVDs but also to hard drives. It is rare that you will impound only a single item of a given media type.
I use the following numbering system as a part of my process:
- CD/DVD: CD-XXX
- Hard drive: HD-XXX
- Thumb drive: TD-XXX
- Cell phone: CP-XXX
- Mobile device (not a cell phone): MD-XXX
Note
As a side note, you also need to make a permanent mark on the items being seized, but you should try to do so in a manner that will not reduce the value of the item.
You can see in the following figure that the hard drive is marked as HDD001 with the date and the initials of the officer seizing the device:
Figure 2.3: A hard drive
When the forensic image is created, the device will be referred to as HDD001 for the rest of the process.
If you cannot write on a device without permanently reducing its value, such as an iPad, do not use a permanent marker to write MD-XXX. Instead, use an adhesive label to mark the information.
Note
Use a system that works for you. When you have developed your system, make sure you use it every time. It will save you from losing evidence or mismarking evidence.
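The numbering system and chain-of-custody fields described above, as an added example that is not part of the book or the NIST form: items receive sequential numbers per media prefix (CD-001, HD-001, and so on), every hand-over is logged with who released it, who received it, when and why, and a hash taken at seizure lets you authenticate the evidence later. Item descriptions, names and contents in the example are constructed.

```python
import hashlib
from datetime import datetime, timezone

# Prefixes from the numbering system above; a counter per prefix supplies the XXX part.
PREFIXES = {"cd": "CD", "hard_drive": "HD", "thumb_drive": "TD",
            "cell_phone": "CP", "mobile_device": "MD"}

def sha256_of(source):
    """Hash either raw bytes (constructed test data) or the file at the given path."""
    if isinstance(source, bytes):
        return hashlib.sha256(source).hexdigest()
    h = hashlib.sha256()
    with open(source, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class EvidenceLog:
    """One case's evidence items plus the ordered custody entries for each item."""
    def __init__(self, case_number):
        self.case_number = case_number
        self.counters = {p: 0 for p in PREFIXES}
        self.items = {}     # item number -> quantity, description, hash at seizure
        self.custody = []   # every change of hands, in order

    def add_item(self, media_type, description, data=None, collected_by="", quantity=1):
        self.counters[media_type] += 1
        item_no = f"{PREFIXES[media_type]}-{self.counters[media_type]:03d}"
        digest = sha256_of(data) if data is not None else None   # only for file/image evidence
        self.items[item_no] = {"quantity": quantity, "description": description, "sha256": digest}
        self.transfer(item_no, released_by="scene", received_by=collected_by, purpose="collection")
        return item_no

    def transfer(self, item_no, released_by, received_by, purpose):
        if item_no not in self.items:
            raise KeyError(f"unknown item {item_no}")
        self.custody.append({"item": item_no, "when_utc": datetime.now(timezone.utc).isoformat(),
                             "released_by": released_by, "received_by": received_by,
                             "purpose": purpose})

    def verify(self, item_no, data):
        """Re-hash the evidence now and compare with the hash recorded at seizure."""
        return sha256_of(data) == self.items[item_no]["sha256"]

    def history(self, item_no):
        """Every custody entry for one item, oldest first."""
        return [c for c in self.custody if c["item"] == item_no]
```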
When we are on the scene and seizing evidence and containers containing digital evidence, we want to make sure we do so in a forensically sound manner. Therefore, we do not analyze the original evidence; we create a copy to do the exam to ensure we do not make any changes to the original evidence.
We have three choices for making a working copy:
- A forensic copy: This is a straight bit-for-bit copy of the source to the destination. This is not common in today’s environment. Ensure that your destination device has no old data from previous investigations. You do not want to cause cross-contamination between the current digital forensic investigation and a past investigation. We will recover deleted files, file slack, and partition slack. We will discuss wiping hard drives later on in this book.
- A forensic image or forensic evidence file: We create a bit-for-bit copy of the source device, but we store that data in a forensic image format. This could be a DD image, an E01 image, or an AFF image. We take that source data and wrap it in a protective wrapper of the forensic image. We will recover deleted files, file slack, and partition slack.
- A logical forensic image: Sometimes, we are restricted to accessing only specific datasets and are not permitted to access the entire container. In that case, we cannot create a bit-for-bit forensic image/forensic evidence file or a forensic copy. This approach is used, for example, when we extract data from a server that cannot be shut down to create a forensic image from its source hard drives. Instead, we make logical copies of the files and folders pertinent to the investigation. We will not recover deleted files, file slack, or partition slack.
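The difference between a bit-for-bit image and a logical copy, shown on a constructed toy volume as an added example (not the book's code): the volume has two allocated files, a few bytes of file slack after one of them, and a deleted file's remnant in an unallocated cluster. The image carries all of it and gets a hash; the logical copy carries only the allocated files' contents.

```python
import hashlib

# Constructed toy volume: 64-byte clusters, a file table of (name, start_cluster, size),
# and raw bytes that still hold file slack and a deleted file's remnants.
CLUSTER = 64
RAW = bytearray(CLUSTER * 6)
FILE_TABLE = [("notes.txt", 0, 20), ("report.txt", 2, 70)]   # allocated files only

def put(offset, data):
    """Write bytes into the toy volume without resizing it."""
    RAW[offset:offset + len(data)] = data

put(0, b"meeting notes, 20 ch")
put(2 * CLUSTER, b"quarterly report body ".ljust(70, b"-"))
put(2 * CLUSTER + 70, b"[old slack remnant]")      # file slack after report.txt's last byte
put(5 * CLUSTER, b"DELETED: payroll export.csv")   # cluster no longer referenced by any file

def forensic_image(raw):
    """Bit-for-bit copy of the whole container, plus the hash you record for the image."""
    data = bytes(raw)
    return data, hashlib.sha256(data).hexdigest()

def logical_copy(raw, table):
    """Only the allocated files' contents, which is all a live export of a server gives you."""
    return {name: bytes(raw[s * CLUSTER:s * CLUSTER + size]) for name, s, size in table}

def found_in(needle, data):
    """Search an image (bytes) or a logical copy (dict of file contents) for a byte string."""
    haystack = data if isinstance(data, bytes) else b"".join(data.values())
    return needle in haystack

if __name__ == "__main__":
    image, digest = forensic_image(RAW)
    logical = logical_copy(RAW, FILE_TABLE)
    for needle in (b"quarterly report", b"slack remnant", b"DELETED: payroll"):
        print(f"{needle.decode():<18} image={found_in(needle, image)} "
              f"logical={found_in(needle, logical)}")
    print("image sha256:", digest)
```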
Later on in Chapter 3, Acquisition of Evidence, we will address creating a forensic image from the devices we have seized or the data seized at the scene.
Now that we have discussed what you need to consider when acquiring a dataset, we will discuss what you need to understand when analyzing data.