Executive Summary
Computer forensics is a complex science that requires specialized skills and resources to perform
correctly. If sound procedures are not followed, wrong conclusions may be reached and the legal
process degraded.
A skilled forensic investigator will not only know how to perform the required technical steps but will
have a good understanding of the law and the legal procedures necessary to protect evidence during the
investigation. The investigator will also know how to interpret the evidence, reach a conclusion and
present the findings to a court of law.
Introduction
In October of 2004, a substitute teacher was accused of viewing pornography on a middle-school
computer. Having this material on a school computer was grounds for dismissal and possibly
prosecution. The case went to court and the defense argued that the pornography was not displayed by
the teacher’s actions but by spyware on the computer that automatically popped up the questionable
images. The jury did not accept that argument and the teacher was convicted on felony charges. However,
the case did not end there and the decision was overturned in November of 2008 – four years later.
Why all the confusion? The problem is that computer forensics is a relatively new science and is more
complex than most people realize. What are the proper procedures that should be followed when
performing computer investigations?
This report will provide an overview of computer forensics and outline basic steps for an investigator to
follow.
1.0 Forensic Concepts
1.1 Forensics Defined
According to US-CERT (the United States Computer Emergency Readiness Team, part of the Department of
Homeland Security), forensics is the process of using scientific knowledge for collecting, analyzing, and
presenting evidence to the courts (forensics 1).
1.2 The Importance of Proper Forensic Procedures
The first principle for computer investigators to follow is to observe the same guidelines used in
traditional forensics. Each case should be handled as if the evidence will need to be admissible in court.
Even if the case is not criminal, the accused person may file a lawsuit if incorrect procedures lead to
wrongful accusations. Many of the procedures around evidence preservation can be adapted from
traditional forensic techniques used by law-enforcement and private investigators.
According to a guide published by the U.S. Department of Justice’s National Institute of Justice, the
following procedural principles should be applied (Faulk et al. 12).
• Actions taken to secure and collect digital evidence should not affect the integrity of
that evidence.
• Persons conducting an examination of digital evidence should be trained for that
purpose.
• Activity relating to the seizure, examination, storage, or transfer of digital evidence should
be documented, preserved, and available for review.
1.3 Standards of Evidence
Before digging into the investigation, a few basic types of evidence used in this report need to be
defined. The first type of evidence is called real evidence. “Real evidence is anything that you can
bring into court. Real evidence can be touched, held, or otherwise observed directly.” (Solomon 53). An
example of real evidence from traditional forensics is a fingerprint from a crime scene.
Figure 1 – Fingerprint. A fingerprint is an example of real evidence.
A file on a computer disk is an example of real digital evidence. Once real evidence is accepted by a
court as valid, it is not something that is generally disputed. Using our example of the fingerprint, either
it came from the crime-scene or it did not. What is generally disputed is the conclusion about the
fingerprint (e.g. whose fingerprint is it and how did it get there?). Similarly, the conclusion about digital
evidence is the main point of contention during a computer investigation.
A conclusion about evidence is called expert testimony and the person making it is called an expert
witness. In the case of a fingerprint, an expert witness might be a forensic technician who would say that
a specific fingerprint matches the fingerprint of a specific person. In the examination of a computer file,
an expert witness might conclude that a specific user created the file at a specific time. For this
conclusion to be valid, another expert examining the same evidence should reach the same conclusion.
This process is called peer review.
A special type of evidence to be aware of during an investigation is exculpatory evidence. “Exculpatory
evidence is [any] evidence favorable to the defendant in a criminal trial, which clears or tends to clear
the defendant of guilt.” (Exculpatory evidence). An investigator has a moral obligation and a legal
responsibility to report exculpatory evidence. In the example given at the beginning of this report (the
substitute teacher), the exculpatory evidence might be the existence of spyware on the computer which
would support the teacher’s position. If the prosecuting investigator had found this, they would have
been legally obligated to inform the defense.
1.4 Chain of Custody
A chain of custody is simply a detailed record of the history of the evidence from the time it came into
an investigator’s possession to its release to another party (e.g. a court or the original owner). The
record should include the date and time of each transfer, a description of the evidence (make, model and
serial number where available), and the names of everyone who handled it, transported it or had access
to it (Solomon 60). An unbroken chain of custody lets the investigator show that the evidence could not
have been tampered with undetected, which is what makes it admissible in court. Attach a chain of
custody form to each item of evidence and keep it with the item for the entire course of the
investigation; once an image has been made and hashed (section 2.4), record the hash on the same form.
Table 1 is an example of a basic chain of custody form.
Table 1: Chain of Custody (basic information to record when transferring evidence)

Item | Description | Serial Number | Date and Time | Released By | Received By
1.5 Taking Notes
Possibly the most important evidence from any investigation is the written notes of the investigator.
This is called documentary evidence (Solomon 55). Police officers always carry a notepad and write down
every detail when conducting an investigation. However, technical investigators often consider note
taking tedious and do not realize the importance of this step. Everything done during the investigation
must be documented so that details can be accurately recalled and the peer review process can be
completed. Some consider hand-written notes better than typed because they are harder to tamper
with. In addition, a notebook with page numbers helps detect tampering.
2.0 Instructions on Processing the Evidence
2.1 Collecting Live Evidence
Two developments in computer forensics are driving the need to collect live evidence. Live evidence is
evidence collected from a machine that is still powered on from the suspect’s use. The first
development is the prevalence of spyware and viruses and the impact they can have on a case (the list of
running processes shows whether such software was active). The second is that if the system is using
encryption, the files may not be accessible once the system is restarted. There are also other pieces of
evidence held only in memory that are lost as soon as the system is turned off.
Some of the most important things to capture on a live system are (Carvey 10-11):
• System time (correctly set?)
• Logged-on user(s)
• Open files
• Network connections
• Running processes
• Contents of the clipboard
Begin your documentation with a chain of custody form, case details, and these items if they are
available. Copy relevant data files from the suspect system to an external disk before shutting the
system off, since encryption may prevent retrieval of this data once the system is powered off.
Unfortunately, anything done on a live system changes it (every command run alters memory and may
update timestamps and logs), which goes against the concept of protecting original evidence (see section
2.2). Limit the impact by using known-good tools from your own read-only media, collecting the most
volatile items first, and noting every command run and the exact time it was run. Consider the overall
situation and goal of the investigation and determine how best to proceed.
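The following Python script is an added example for this report (it is not code from Carvey or from ProDiscover). It collects the live items listed above and records, for each one, exactly which command was run, the examiner’s own clock reading at the time, and a hash of the output, so the notes and the chain of custody can show precisely what was done to the live machine. The command lists are assumptions for illustration: the Windows set corresponds to the items listed above and the POSIX set to their nearest equivalents; substitute the known-good tools carried on your own response media.

```python
"""Collect volatile data from a live system and record exactly what was run.

Added example for this report (not ProDiscover or Carvey code). The command
lists are assumptions for illustration; use known-good tools from your own media.
"""
import datetime
import hashlib
import json
import platform
import subprocess

# Windows commands mirror the items listed above; the POSIX set is a rough equivalent.
WINDOWS_COMMANDS = {
    "system_time": ["cmd", "/c", "date", "/t", "&", "time", "/t"],
    "logged_on_users": ["query", "user"],
    "network_connections": ["netstat", "-ano"],
    "running_processes": ["tasklist", "/v"],
}
POSIX_COMMANDS = {
    "system_time": ["date"],
    "logged_on_users": ["who"],
    "network_connections": ["ss", "-tunap"],
    "running_processes": ["ps", "aux"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_and_record(item: str, argv: list) -> dict:
    """Run one command and return a record for the investigator's notes.

    The record carries the examiner's own clock reading (UTC) so the system
    time reported by the suspect machine can later be compared against it.
    """
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        output = proc.stdout + proc.stderr
        error = None if proc.returncode == 0 else f"exit status {proc.returncode}"
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is itself worth noting: record it, do not skip it silently.
        output, error = b"", repr(exc)
    return {
        "item": item,
        "command": " ".join(argv),
        "examiner_clock_utc": started,
        "output": output.decode("utf-8", errors="replace"),
        "output_sha256": sha256_hex(output),  # lets a peer check the record was not altered later
        "error": error,
    }


def collect_volatile(commands: dict = None) -> list:
    """Run each collection command in the order given (most volatile items first)."""
    if commands is None:
        commands = WINDOWS_COMMANDS if platform.system() == "Windows" else POSIX_COMMANDS
    return [run_and_record(item, argv) for item, argv in commands.items()]


def save_records(records: list, path: str) -> str:
    """Write the records as JSON (to your own removable media) and return the file hash for the custody form."""
    data = json.dumps(records, indent=2).encode("utf-8")
    with open(path, "wb") as fh:
        fh.write(data)
    return sha256_hex(data)


if __name__ == "__main__":
    for rec in collect_volatile():
        print(f"{rec['item']:20} {rec['command']:32} {rec['error'] or 'ok'}")
```

The script deliberately records failures (a tool that is absent or hangs) as entries rather than dropping them, because the notes must account for every action attempted on the live machine, not only the ones that succeeded.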
2.2 Protecting the Original Evidence
Before taking any action on computer evidence (other than collecting live evidence if necessary), take
precautions to prevent changes to the original evidence. Use a write-block device (a hardware
write-blocker placed between the suspect disk and the examination machine) at all times when accessing
the original evidence. This ensures that the evidence is not unintentionally modified by the examiner or
by the operating system, which will otherwise update timestamps and may write to a disk simply by
mounting it. Even powering a computer off or on changes data on the disk (log entries, temporary files,
swap space). Document any inadvertent changes made to the system during the investigation and be ready
to explain the impact they had on the overall case.
2.3 Making a Copy of the Evidence
U.S. law (the Federal Rules of Evidence, Rules 1001 to 1003) specifies that in order for electronic
evidence to be admissible in court, it must be an original or an exact reproduction of the original. The
original, or the exact reproduction, is referred to as best evidence. Special forensic software is used to
make exact copies of a suspect computer, and a cryptographic hash of the data is used to prove that the
copy is identical (see section 2.4). A copy of evidence whose integrity cannot be proven forensically may
not be admissible in court.
Doing a complete copy of a suspect hard disk is called imaging. The resulting exact copy is referred to
as an image of the original. This image includes an exact copy of every bit of information on the
suspect hard disk, including active files, deleted files and even empty (unallocated) space, which can
contain hidden or previously deleted data. Image the whole physical disk rather than a single partition
so that nothing outside the visible volumes is missed. Recovering deleted data is possible because when
a file is “deleted”, the file system only marks its space as free; the data itself remains on the disk
until it is overwritten by new data. (Two caveats a practitioner should keep in mind: solid-state drives
that support TRIM may erase freed blocks on their own, and a disk protected by full-disk encryption
yields only ciphertext unless the key is recovered.)
A good forensic program that can be used for imaging (and later searching) the evidence is ProDiscover
Basic from Technology Pathways. The “Basic” version is available free but more involved investigations
may require a purchased version.
Imaging a suspect hard disk requires a large amount of storage space. A raw image is exactly as large as
the disk being imaged, so plan on storage equal to the total size of the suspect disk (twice that if you
follow the advice below to make two images); compressed evidence formats produced by some tools may use
less, but never count on it. This will likely require a high capacity external hard disk. It may also take
several hours to complete the process.
Figure 2 shows how to use ProDiscover to capture an image of a hard disk.
Figure 2 – ProDiscover Capture (www.ProDiscover.com). Capturing an image with ProDiscover.
Once you have the required storage space and are ready to begin, open ProDiscover (or the imaging
program of your choice) and create an image. Make two images of the original disk. Store one image in
its original condition and use the other image to extract the evidence. Verify each image against the
original (section 2.4) before the original is put away, and record in the chain of custody and in your
notes where the original and each image are stored.
2.4 Verifying the Image
To prove that the image is an exact copy of the original, you need to create a mathematical signature of
the evidence. This signature is called a hash: the output of a cryptographic hash function such as MD5,
SHA-1 or SHA-256, a short fixed-size value that changes completely if even one bit of the input changes.
To prove to the court that a copy of the evidence is an exact reproduction of the original, run a hashing
program on the original, and then on the copy. If the resulting signatures are the same, the evidence is
as good as the original. If the signatures do not match, the evidence may be inadmissible. Record both
values in your notes and on the chain of custody form, and re-hash the working copy at the end of the
examination to show it was not altered along the way. Forensic tools of this period commonly report MD5;
where the tool allows it, record a second, stronger hash (SHA-256) as well. In ProDiscover, this process
is referred to as an image checksum.
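As an added example for this section (it is not ProDiscover’s checksum code), the Python below hashes an original and an image in a single streaming pass with two algorithms, reports whether they agree, and demonstrates on a constructed sample “drive” that a single flipped bit in the copy is enough to break the match. The sample data and file names are constructed for illustration, not taken from a real evidence disk.

```python
"""Verify that a disk image is a bit-for-bit copy of the original by hashing both.

Added example for this report; it is not ProDiscover's checksum code. The
sample 'drive' below is constructed data, not a real evidence disk.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-hundred-gigabyte image never has to fit in memory


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Hash an in-memory buffer; handy for checking the tool against known test vectors."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: str, algorithms=("md5", "sha256")) -> dict:
    """Return {algorithm: hexdigest}, computing all algorithms in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original_path: str, image_path: str) -> dict:
    """Hash original and image and report whether every digest agrees.

    Two independent algorithms are recorded because tools of this era often
    reported MD5 alone; a second, stronger digest means a match cannot be
    explained away by a weakness in one function.
    """
    original = hash_file(original_path)
    image = hash_file(image_path)
    return {
        "original": original,
        "image": image,
        "sizes_equal": os.path.getsize(original_path) == os.path.getsize(image_path),
        "match": original == image,
    }


def demo() -> tuple:
    """Image a constructed 'drive' twice: one faithful copy and one with a single flipped bit."""
    drive = b"\x33\xc0" + b"\x00" * 508 + b"\x55\xaa"    # boot-sector-shaped header (constructed)
    drive += b"suspect document text\n" + b"\x00" * 4096  # one 'file' followed by empty space
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.dd")
        good = os.path.join(tmp, "image1.dd")
        bad = os.path.join(tmp, "image2.dd")
        with open(original, "wb") as fh:
            fh.write(drive)
        with open(good, "wb") as fh:
            fh.write(drive)
        with open(bad, "wb") as fh:  # flip one bit deep in the empty space
            fh.write(drive[:600] + bytes([drive[600] ^ 0x01]) + drive[601:])
        return verify_image(original, good)["match"], verify_image(original, bad)["match"]


if __name__ == "__main__":
    print("faithful copy matches: %s, altered copy matches: %s" % demo())
```

Note that the hashes of the original are computed through the write-blocker described in section 2.2; hashing the original without one would itself risk altering it.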
2.5 Checking for Malware
Computer viruses, spyware, trojans and adware are a class of programs that perform unwanted or
covert actions on a computer. These programs are collectively referred to as malware. Scan all files
using a good antivirus program before performing an in depth analysis of the evidence. Scanning does
not always ensure that a computer is completely free of malware, but provides reasonable assurance. If
malware is detected, you will need to conduct further analysis to determine its impact on the evidence.
3.0 Examining the Evidence
3.1 Where to Look for Evidence
Using the copies of the evidence created in section 2.3, it is now time to search for clues within the data.
Places to look for evidence on a typical computer are:
• Email
• Internet history
• Existing files (documents, graphic files, data files)
• Deleted files
First, do a cursory examination and identify what types of data are present. Next, identify some search
terms that are related to the investigation. Talk to the person(s) ordering the investigation and get some
idea of what you are looking for. For example, if the person is suspected of viewing pornography, use
terms like “sex”, “nude” or “xxx”. Develop a working list (in your notes) of the terms you intend to look
for.
Plug your list of words into ProDiscover and begin the search. Search the whole image, including
unallocated space, not just the files the operating system still lists, so that fragments of deleted files
are found too. Note each discovery in your notes. Remember to note the name of any suspect file along
with its path and the time and date stamps on the file. From one result, you may get new ideas for
additional searches to perform. Make sure to note the location (file path or byte offset) of the
discovery so that it can be quickly recalled later.
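The Python below is an added example for this section, not ProDiscover’s search engine. It runs a keyword list over raw image bytes rather than over individual files, so hits in unallocated space are found as well, and it searches each term both as plain 8-bit text and as UTF-16LE, the encoding Windows uses for file names, registry values and much of its internal text, which a plain ASCII search would miss. SAMPLE_IMAGE is constructed data standing in for a few sectors of an image.

```python
"""Keyword search across a whole disk image, not just its live files.

Added example for this report (not ProDiscover's search). SAMPLE_IMAGE is
constructed data standing in for a few sectors of an image.
"""
import re

# Constructed sample: an active document, a UTF-16LE string, a fragment of
# browser history sitting in otherwise empty space, and a UTF-16LE file name.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Meeting notes: budget review Tuesday\n"
    + b"\x00" * 64
    + "shopping list: milk, eggs".encode("utf-16-le")
    + b"\x00" * 16
    + b"http://example.test/xxx/gallery.html"
    + b"\x00" * 32
    + "Nude beach photos.jpg".encode("utf-16-le")
    + b"\x00" * 32
)


def build_patterns(terms):
    """Compile each term case-insensitively in both 8-bit and UTF-16LE form.

    A plain ASCII search misses any string Windows stored as UTF-16LE, because
    every character there is followed by a null byte.
    """
    patterns = []
    for term in terms:
        for encoding in ("utf-8", "utf-16-le"):
            regex = re.compile(re.escape(term.encode(encoding)), re.IGNORECASE)
            patterns.append((term, encoding, regex))
    return patterns


def search_image(image: bytes, terms, context: int = 16) -> list:
    """Return every hit with its byte offset and surrounding bytes, sorted by offset."""
    hits = []
    for term, encoding, regex in build_patterns(terms):
        for match in regex.finditer(image):
            start = max(0, match.start() - context)
            end = min(len(image), match.end() + context)
            hits.append({
                "term": term,
                "encoding": encoding,
                "offset": match.start(),  # record this in the notes so the hit can be located again
                "context": image[start:end],
            })
    return sorted(hits, key=lambda hit: hit["offset"])


def readable(raw: bytes) -> str:
    """Render context bytes for the notes: printable ASCII kept, everything else shown as a dot."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    for hit in search_image(SAMPLE_IMAGE, ["xxx", "nude", "budget"]):
        print(f"offset {hit['offset']:6d}  {hit['term']:8} ({hit['encoding']:9})  {readable(hit['context'])}")
```

Run against the sample, the search finds “xxx” only in the 8-bit history fragment and “nude” only in the UTF-16LE file name; a search that tried one encoding alone would report half the story.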
3.2 Creating a Timeline
Another technique that may provide a useful perspective on the evidence is the creation of a timeline. A
timeline is a list of the files sorted by time and date (instead of by name or content). This helps build a
complete picture of the actions taken by a suspect and match it to other events. You can produce a
timeline by creating a list of all files and then sorting them by time and date.
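The following Python is an added example for this section (not ProDiscover’s timeline feature). It expands each file’s created, modified and accessed timestamps into separate events, sorts them, and additionally flags files whose modification time predates their creation time, an ordering that on Windows usually means the file was copied onto this disk (a copy receives a new creation time but keeps the source’s modification time) or that its timestamps were altered. SAMPLE_RECORDS are constructed; the paths and times are illustrative only.

```python
"""Build a file-system timeline from file timestamps and flag odd orderings.

Added example for this report, not ProDiscover's timeline feature. SAMPLE_RECORDS
are constructed; paths and times are illustrative only.
"""
from datetime import datetime, timezone
import os

# Constructed metadata in the form an imaging tool might export it (ISO 8601, UTC).
SAMPLE_RECORDS = [
    {"path": r"C:\Documents and Settings\sub\My Documents\lesson_plan.doc",
     "created": "2004-10-18T08:02:00+00:00",
     "modified": "2004-10-18T08:40:00+00:00",
     "accessed": "2004-10-19T07:55:00+00:00"},
    {"path": r"C:\WINDOWS\Temp\installer.tmp",
     "created": "2004-10-19T09:31:00+00:00",   # created AFTER its last modification: copied in, or altered
     "modified": "2004-09-02T14:10:00+00:00",
     "accessed": "2004-10-19T09:31:00+00:00"},
    {"path": r"C:\Documents and Settings\sub\Local Settings\Temporary Internet Files\image01.jpg",
     "created": "2004-10-19T09:32:10+00:00",
     "modified": "2004-10-19T09:32:10+00:00",
     "accessed": "2004-10-19T09:32:10+00:00"},
]
TIMESTAMP_KINDS = ("created", "modified", "accessed")


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_timeline(records: list) -> list:
    """Expand each file into one event per timestamp and sort the events by time.

    Sorting by time rather than by name is what lets a sequence such as
    'installer lands, then images appear seconds later' stand out.
    """
    events = [(parse(rec[kind]), kind, rec["path"]) for rec in records for kind in TIMESTAMP_KINDS]
    return sorted(events)


def flag_suspicious(records: list) -> list:
    """Files whose modification time is earlier than their creation time.

    On Windows a copied file keeps its old modification time but gets a new
    creation time, so this ordering marks files that arrived from elsewhere
    (or whose timestamps were altered) rather than files authored on this disk.
    """
    return [rec["path"] for rec in records if parse(rec["modified"]) < parse(rec["created"])]


def records_from_directory(root: str) -> list:
    """Read timestamps from a mounted working copy of the image (never the original).

    Caveat: os.stat's st_ctime is the creation time on Windows but the
    metadata-change time on Unix, so only trust 'created' when run on Windows.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({
                "path": path,
                "created": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc).isoformat(),
                "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "accessed": datetime.fromtimestamp(st.st_atime, tz=timezone.utc).isoformat(),
            })
    return records


if __name__ == "__main__":
    for when, kind, path in build_timeline(SAMPLE_RECORDS):
        print(f"{when.isoformat()}  {kind:8}  {path}")
    print("suspicious:", flag_suspicious(SAMPLE_RECORDS))
```

On the sample data the sorted view puts the installer’s arrival immediately before the cached image, which is the kind of sequence the prose above describes; the flagged file is the one whose timestamps are internally inconsistent and therefore deserves a closer look before any conclusion is drawn from them.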
3.3 Running in a Virtual Environment
A new technique in computer forensics is the use of virtualization. Virtualization is the process of
starting up a duplicate of the suspect machine in a controlled environment so that you can see what the
suspect was seeing and observe the running system. This may allow you to capture some of the same
information that can be captured from a live system (see section 2.1). Boot only a copy of the working
image (booting writes to the disk, so that copy is no longer identical to the original), keep the virtual
machine disconnected from any network, and remember that what you observe is a fresh boot of the
system, not the state it was in when seized.
4.0 Making your Case
4.1 Recording your Findings
When wrapping up a case, consolidate all the evidence (notes, files, images, etc.) and store it in a safe
place. In some cases, you may need to produce a formal report. Have notes and other evidence
documented thoroughly so it can be quickly and accurately recalled. As in our case above, court actions
can last for years.
4.2 Testifying in Court
Most forensic professionals testify as expert witnesses. This means that the testimony you give should
be tied directly to the facts (and conclusions from the facts) without bias. You should not decide “guilt or
innocence” but simply state “this is the evidence, this is likely what it means, and here is why I think
that”. Again, remember that any conclusion you present should be the same conclusion a peer would
reach given the same evidence.
Conclusion
Computer forensics can be complex and time-consuming and can require resources some organizations may
not have. However, because of the potential ramifications, organizations should invest in and implement
a good computer forensic program. Organizations need to be prepared to hire a professional or train
internal staff on how to perform forensics correctly. SANS has a good training and certification program.
This report should only serve as an overview.
Good forensic techniques should be practiced and followed on every case, since it is difficult to tell
which cases will end up in court. Following these techniques ensures that evidence is admissible in court
proceedings and that the process is fair for all involved.
Works Cited
Carvey, Harlan. Windows Forensic Analysis. Syngress, 2007.
“Exculpatory evidence.” Wikipedia, via TheFreeDictionary.com. 2005. Accessed 28 Nov. 2008.
<http://encyclopedia.thefreedictionary.com/Exculpatory+evidence>
Faulk, Charles J., et al. Forensic Examination of Digital Evidence: A Guide for Law Enforcement. April
2004. National Institute of Justice. Accessed 17 Oct. 2008. <http://www.ncjrs.gov/pdffiles1/nij/199408.pdf>
“Forensics.” 2005. US-CERT. Accessed 17 Oct. 2008. <http://www.us-cert.gov/reading_room/forensics.pdf>
Solomon, Michael, Diane Barrett and Neil Broom. Computer Forensics Jumpstart. Sybex, 2005.
Works Consulted
Cloward, Tom. A Guide to Basic Computer Forensics. 2008. Microsoft Corp. (TechNet). Accessed 17 Oct. 2008.
<http://technet.microsoft.com/en-us/magazine/cc137738.aspx>
Krebs, Brian. Security Fix. 24 Nov. 2008. Washington Post. Accessed 28 Nov. 2008.
<http://voices.washingtonpost.com/securityfix/2008/11/ct_drops_felony_spywareporn_ch.html?nav=rss_blog>
Pscheidt, Edward. The Basics of Computer Forensics. July 2004. ExpertLaw Library. Accessed 17 Oct. 2008.
<http://www.expertlaw.com/library/forensic_evidence/basics_forensics.html>
Glossary
Best Evidence: Original evidence or a legal duplicate.
Chain of Custody: A record of the history of evidence.
Conclusion: A logical judgment reached after examination of evidence.
Documentary Evidence: Written evidence.
Exculpatory Evidence: Evidence favorable to the defendant in a criminal trial, which clears or tends to
clear the defendant of guilt.
Expert Testimony: A conclusion about evidence.
Expert Witness: A witness making a professional conclusion about evidence.
Forensics: The process of using scientific knowledge for collecting, analyzing, and presenting evidence
to the courts.
Hash: A mathematical signature used to prove the integrity of digital evidence.
Image: An exact duplicate of digital evidence.
Image Checksum: See hash.
Imaging: The process of creating an exact duplicate of digital evidence.
Live Evidence: Evidence collected from a system while it is still running.
Malware: A class of programs that perform unwanted or covert actions on a computer.
Peer Review: Another expert examining the same evidence to verify the conclusions of the first.
ProDiscover Basic: A free forensic program from Technology Pathways.
Real Evidence: Evidence that can be touched, held, or otherwise observed directly.
Spyware: A computer program that performs covert actions.
Timeline: A list of events sorted by date and time.
Virtualization: The process of starting up a duplicate of a suspect machine in a controlled environment.
Write-Block: Preventing a computer from writing to or making changes to evidence.