Computer forensics is the analysis of data processing equipment-- typically a home computer, laptop, server, or office workstation-- to determine if the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose.
Understand the suspects
It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that you appear to the equipment to be as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which provably prohibits the machine modifying the drives, or in exactly the same way they would.
If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action happens. It is straightforward to link this to the Microsoft Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either-- information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in RAM, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.
Secure the machine and the data
Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made.
To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:
Examine the machine's surroundings
XD Picture Card with a
pennyLook for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as keydrives, MP3 players or security tokens. In some cases, these can be worn as jewelry. See Category:Solid-state computer storage media
Record open applications
If the machine is still active, any intelligence which can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it will be lost. For most practical purposes, it is not possible to completely scan contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it) and removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.
Modern RAM cannot be analyzed for prior content after erasure and power loss with any real probability of success.
Power down carefully
The machine should be powered down exactly the same way the suspects power it down. This is critical if information is normally stored only in memory, is wiped from the drive after booting, and is only committed back to disk when the machine is powered off. Data may be encrypted during this process, but encrypted data is better than nothing.
Keep in mind that many modern machines (ATX motherboards in particular) aren't "off" when they've been powered down--after the machine has shut down, physically remove power from the supply and wait 30 seconds.
Inspect for traps
Inspect the chassis for traps, intrusion detection mechanisms, and self-destruct mechanisms. It takes a lot to destroy a hard drive to the point where no data at all can be recovered off of it-- but it doesn't take much to make recovery very, very difficult. Find a hole in the chassis you can use for inspection (cooling fans are a good bet), or pick a safe spot in the chassis to drill one, and use an illuminated fiberscope to inspect the inside of the machine. Look specifically for large capacitors or batteries, nonstandard wiring around drives, and possible incendiary or explosive devices. PC hardware is fairly standardized these days, and you should treat anything you don't recognize as cause for concern until proven otherwise. Look for wires attached to the chassis-- PCs aren't normally grounded this way, so those are cause for concern.
You should specifically look for a wire running from anything to the CMOS battery or "CMOS clear" jumper. CMOS memory can be used to store data on the motherboard itself, and if power is removed from it, the contents will be lost. You must avoid causing CMOS memory to lose power. Encryption keys, etc., may be stored here.
Once you have determined that the case is safe to open, proceed to remove the cover.
Fully document hardware configuration
Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.
Duplicate the hard drives
Using a standalone hard-drive duplicator or similar device, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the hard drive which can physically store data, rather than duplicating the filesystem. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.
Use some kind of hardware write protection to insure your Forensic PC cannot write to the original drive. Even if operating systems
like Linux can be configured to prevent this, a HW write blocker is the best practice. The process is often called Imaging.
You can image to a new HD, a tape or a file. Taped is the preferred format, since it is less vulnerable for damage and can be stored
for a longer time. The imaging process is verified by using a MD5 message digest algorithm or higher (SHA1, etc.). To make a forensic sound image, you need to make two reads that results in the same MD5. This can be accomplished by first imaging to one tape labelled as the Master and then make an image labelled Working. If onsite and time is critical, the second read can be made to Null. This method applies to
images made to HD's and files as well. The software used must support this and also how to manage bad blocks.
See also
External links
