
Digital Crime Scene Investigative Process 1

Upload: jonah-perkins

Post on 29-Dec-2015


Page 1: Digital Crime Scene Investigative Process 1. Acknowledgments Dr. David Dampier and the Center for Computer Security Research (CCSR) 2

Digital Crime Scene Investigative Process



Acknowledgments

Dr. David Dampier and the Center for Computer Security Research (CCSR)


Digital Crime Scene Investigation Process

No one right way to do it!

[Figure: the three phases of the process, from Carrier, B., p. 5, Figure 1.1: System Preservation Phase, Evidence Searching Phase, Event Reconstruction Phase]


System Preservation Stage

Crime Scene Preservation
- Depending on the situation, this will vary.
- Take pictures of everything: room setup, connections, open windows on computers.
- Label all wires and connections.
- Bag and tag all evidence.


System Preservation (cont.)

Evidence Preservation
- Seize all hardware that is necessary to reconstruct evidence.
- Jam or disable all wireless connections if possible.
- Make 2 (3) copies of all media.
- Authenticate all copies of media with the MD5 and SHA-1 hash algorithms.


Evidence Preservation

The data has to be protected physically and logically. Physically, make sure that hard drives are stabilized during transport and are not damaged by excessive vibration. Another thing to look out for is static electricity.

Logically preserving evidence means that the information contained on the drive, down to the last bit, never changes during seizure, analysis and storage.


Evidence Preservation – Write Blockers

Write blockers are devices that allow acquisition of the information on a drive without the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass while blocking write commands. They come in the form of hardware or software blockers. It is very important that some type of write blocker is tested and used when working with data.


Evidence Preservation – Write Blockers (contd.)

On our systems, we use software write blockers to preserve the integrity of the data. We have included a tool that does this (disable_usb_write.reg). BEFORE attaching the USB drive, the write blocker needs to be invoked. The USB drive can then be attached, and this ensures that nothing is written to it.

In a real scenario, a hardware write blocker would provide much stronger protection.


Evidence Preservation – Making Copies

With the write blocker in place, you can now make several copies of the image. It is important that an image is made of the hard drive and not a copy or a backup. The reason for this is that an image will make sure to preserve important information such as slack space, time stamps, unallocated space and file system structures, which would not necessarily be there in a copy or a backup.



Evidence Preservation – Making Copies (contd.)

It is a good idea to make at least 2 working images: one to be kept as a backup and one to work on. In our tools folder, there is an Image command that uses the dd command to create an image of a hard drive.

Most texts also suggest making a third image for discovery.


Evidence Preservation – Authenticating and Hash Functions

It is now necessary to prove that all of these images are exactly the same, down to the very last bit!

A hash function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.



Evidence Preservation – Hashing (contd.)

In authentication, hashing is used to create a set of numbers that represent a drive or a set of files. This is similar to fingerprinting someone: with hashing, a fingerprint is created from the evidence. No details about the evidence can be determined from the hash value, but if the evidence is altered in any way, the hash value will also change.


Evidence Preservation – Hashing (contd.)

Two examples of hash functions are MD5 and SHA-1. MD5 was developed by Professor Ronald L. Rivest of MIT. The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint of the input.


Evidence Preservation – Hashing (contd.)

SHA stands for Secure Hash Algorithm. The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA). The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-1 produces a message digest that is 160 bits long; the number in each of the other four algorithms' names denotes the bit length of the digest it produces.

Page 15: Digital Crime Scene Investigative Process 1. Acknowledgments Dr. David Dampier and the Center for Computer Security Research (CCSR) 2

Evidence Preservation – Hashing (contd.)

Hashing tools can be found in the tools directory. The md5sum tool produces an md5 message digest (hash value). The hashcalc application can also create hash values using different hashing methods.

The hashing is done on the data itself, and not on the names of files. There are existing databases of hash values for images, that can be used to find child pornography.
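The imaging and authentication steps from the "Making Copies" and "Hashing" slides, as an added example that is not part of the slides or the course tools folder: dd produces a backup image and a working image of a piece of media, and both are authenticated against the original with MD5 and SHA-1. The media is a constructed file standing in for a device behind a write blocker; the function names are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the slides: image a piece of media with dd, keep
# one backup image and one working image, and authenticate both against the
# original with MD5 and SHA-1. The "media" is a constructed file, standing in
# for a device (e.g. /dev/sdX) that sits behind a write blocker.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUSPECT="$WORK/suspect_media.bin"

# Constructed sample media: 64 KiB of zeros with a marker string at offset 4096.
make_suspect_media() {
    dd if=/dev/zero of="$SUSPECT" bs=1024 count=64 2>/dev/null
    printf 'constructed evidence marker' |
        dd of="$SUSPECT" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Bit-for-bit image. conv=noerror,sync carries on past unreadable blocks and
# pads them, so offsets in the image still line up with the original media.
acquire_image() {   # $1 = source, $2 = output image
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

digest() {          # $1 = md5sum|sha1sum, $2 = file; prints the hex digest only
    "$1" < "$2" | cut -d' ' -f1
}

# Succeeds only if every image matches the original on both digests.
authenticate_images() {   # $1 = original, rest = images
    orig_md5=$(digest md5sum "$1")
    orig_sha1=$(digest sha1sum "$1")
    shift
    for img in "$@"; do
        [ "$(digest md5sum "$img")" = "$orig_md5" ] || return 1
        [ "$(digest sha1sum "$img")" = "$orig_sha1" ] || return 1
    done
}

run_acquisition() {
    make_suspect_media
    acquire_image "$SUSPECT" "$WORK/image_backup.dd"   # kept untouched
    acquire_image "$SUSPECT" "$WORK/image_work.dd"     # the one to analyse
    authenticate_images "$SUSPECT" "$WORK/image_backup.dd" "$WORK/image_work.dd"
}
```

Changing a single byte of the working image makes authenticate_images fail, which is exactly the check the slides ask for before analysis starts.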


Evidence Searching Stage

Once everything is preserved, analysis must begin.

Forensics is a science, so there should be a hypothesis from which to work.

Direct searching activities to support this hypothesis.


Evidence Searching (cont.)

- If you are looking for a specific file, e.g., child porn, compare hash values.
- If you are looking for keywords, most software gives you a search capability.
- Be specific about what you are looking for: if you are looking for web activity, look in web files (history, cache, cookies, etc.).
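The hash-comparison search described above, as an added example that is not part of the slides: every file under a working copy is hashed and its content hash is compared against a known-file hash set, so the match does not depend on the file name. The evidence tree, the hash set and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the slides: look for known files in a working copy
# by comparing content hashes against a hash set, so a renamed file is still
# found. The evidence tree and the hash set are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EVIDENCE="$WORK/evidence"      # stands in for the mounted working image
KNOWN="$WORK/known_hashes.txt" # lines of "<md5> <label>"

# Constructed evidence tree: the same content under two names, plus an
# unrelated file. The hash set is built from content, never from a name.
make_sample_evidence() {
    mkdir -p "$EVIDENCE/docs" "$EVIDENCE/tmp"
    printf 'known file content\n' > "$EVIDENCE/docs/report.txt"
    printf 'known file content\n' > "$EVIDENCE/tmp/holiday.jpg"
    printf 'unrelated content\n'  > "$EVIDENCE/docs/notes.txt"
    printf '%s known-sample\n' \
        "$(md5sum < "$EVIDENCE/docs/report.txt" | cut -d' ' -f1)" > "$KNOWN"
}

# Print "<md5>  <path>" for every regular file under $1.
hash_tree() {
    find "$1" -type f -exec md5sum {} +
}

# Print the path of every file under $1 whose content hash is in the set $2.
find_known_files() {
    hash_tree "$1" | while read -r h path; do
        if grep -q "^$h " "$2"; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of matching files, handy for a quick check.
count_known_files() {
    find_known_files "$1" "$2" | wc -l | tr -d ' '
}
```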


Event Reconstruction Stage

This is the last phase of the investigation. It tries to answer the question of what happened and how. Evidence discovered during the searching phase is reconciled with non-digital evidence to create a sequence of events that supports the hypothesis.


General Guidelines

- Use a write-blocking device to prevent accidentally writing to the suspect media.
- Always work from a copy, not from the original.
- Authenticate the copy so that you can prove that evidence discovered was on the original media.
- Minimize file creation on working media to prevent over-writing of free space.
- Be especially careful of opening files, especially without a write-blocker, because CMA times will change.