eDiscovery: Forensic Challenges. Introduction to Forensic Methodologies. Phil Senécal, Legal Counsel and Chief Technical Advisor, Consulting Inc.

Introduction To Forensic Methodologies

Jan 14, 2015

Philippe Senécal's presentation at the CCCA eRecords Academy.
Transcript
Page 1: Introduction To Forensic Methodologies

eDiscovery: Forensic Challenges

Introduction to Forensic Methodologies

Phil Senécal, Legal Counsel and Chief Technical Advisor

Consulting Inc.

Page 2: Introduction To Forensic Methodologies

Agenda: From Ink to Bits

Electronic documents vs. paper documents: tangibles and intangibles

Digital evidence: what to look for; handling the evidence

Chain of custody: definition; objectives

File system structure

Page 3: Introduction To Forensic Methodologies

Electronic Document: Criminal Code (R.S., 1985, c. C-46)

841 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, print-out or other output of the data and any document, record, order, exhibit, notice or form that contains the data.

Canada Evidence Act (R.S., 1985, c. C-5)

31.8 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.

Personal Information Protection and Electronic Documents Act (2000, c. 5)

31 “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.

Canada Business Corporations Act (R.S., 1985, c. C-44)

252.1 “electronic document” means, except in section 252.6, any form of representation of information or of concepts fixed in any medium in or by electronic, optical or other similar means and that can be read or perceived by a person or by any means.

Page 4: Introduction To Forensic Methodologies

Electronic Document vs. Paper

Virtual: intangible

Prolific: highly fertile

Omnipresent: dispersed

Enduring: perpetual

Metadata: information about the data

Vulnerable: easily alterable and vulnerable to deterioration

Page 6: Introduction To Forensic Methodologies

Media

Hard Drive (office, notebook, home, printer, etc.)

Cellular Telephones and Digital Personal Information Managers

Digital Cameras

MP3 Players

CDs and DVDs

USB Flash Drives

Voice Mail

Online / Web 2.0 (Blog, Wiki)

Backup Media (tapes, CDs)

Page 7: Introduction To Forensic Methodologies

Digital Evidence: Summary

Any data that can be stored and read by an electronic device. (bits)

On any type of media that can be accessed with an electronic device. (Hard drives, floppy disks, optical disks, USB flash drives, digital cameras, watches, PDAs, cellular phones, MP3 devices, etc.)

No fixed location. (Office or home PC, servers, on person, internet, etc.)

Page 8: Introduction To Forensic Methodologies

Preliminary Considerations: Storage of Data

Cameras, MP3 players, cell phones and PDAs do not necessarily show all of the data they store. (bits)

Computers (home or office): Who has access to the files? Who has access to the computers?

Type of digital evidence

Page 9: Introduction To Forensic Methodologies

Handling the Evidence: Precautions

Electrostatic Discharge (ESD): anti-static wrist strap and storage bags

Handling the hard drive (fragile mechanical components)

Internal and external hard drives

Circuit boards: risk of altering data on the storage device

Write blockers

Page 10: Introduction To Forensic Methodologies

Handling the Evidence: Procedure

Log out all computer media and machines seized and to be analyzed.

Perform a visual inspection/inventory of the physical makeup of the seized computer. It is most important to document the computer condition thoroughly. Photograph the system to document its condition.

Open/remove the CPU case. Examine its internal circuitry, make note of all media (hard drives, removable media drives, floppy drives, etc.). Where appropriate, make note of all internal expansion cards (e.g., where unusual cards are located, or where the internal devices could be pertinent to the investigation). Look for alternative storage devices such as flash memory, disconnected hard drives, etc. Verify that the system is configured to boot from floppy diskette, and record which floppy drive is the boot disk.

Determine if the CPU (case itself) contains potentially valuable information that would justify analysis. Verify that the CPU is functional, or at least contains some form of media.

Record the position of all internal devices, to include hard drives, floppy drives, expansion cards, etc.

Page 11: Introduction To Forensic Methodologies

Handling the Evidence: Procedure (continued)

Check the computer's CMOS settings to be sure the computer is configured to boot from floppy diskette and boot the machine from a boot disk.

Verify that the system clock reflects the actual date and time. Record in your analysis notes the correct date, time, and time zone, the date, time and time zone reported by the computer, and log the difference.

Identify all hard drives by make, model, capacity and condition. Record this information, as well as whether the device is internal or external. Where necessary, photograph individual hard disks to document damage or other unusual condition.

Power down the computer and identify the hard drive master/slave settings (if IDE). Record these settings, and change where necessary to mount into the government-owned forensic examination computer. Be sure to note any and all changes to evidentiary media.

Locate the parameters of the hard drive itself by going to the manufacturer's home page. Where necessary, manually modify the computer's CMOS settings to accurately reflect the correct settings for the particular drive being analyzed.

Page 12: Introduction To Forensic Methodologies

Handling the Evidence: Checklists

Page 13: Introduction To Forensic Methodologies

Handling the Evidence: Collecting the data

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands.*

* Source: http://www.forensicswiki.org
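As an added example (not code from the presentation or from any write-blocker product), the following Python model shows the read-pass/write-block behaviour described above and the integrity check that goes with it: the source is hashed before and after the copy and both digests are compared with the digest of the image. The evidence contents in demo() are constructed; the class and function names are this example's own.

```python
"""Software model of a write blocker and a verified acquisition.

Added example, not code from the presentation or any product: a read-only
proxy that passes read and seek requests through to the underlying evidence
device and refuses every write or truncate, mirroring what a hardware write
blocker does at the command level. acquire_image() hashes the source before
and after the copy and compares both digests with the digest of the image,
which is the check an examiner records in the chain of custody log.
The evidence contents used in demo() are constructed.
"""
import hashlib
import io


class WriteBlockedDevice:
    """Read-only proxy around a block device or image file object."""

    def __init__(self, raw):
        self._raw = raw
        self.refused_writes = 0  # count of blocked write attempts, for the notes

    # Read-side operations pass straight through to the device.
    def read(self, size=-1):
        return self._raw.read(size)

    def seek(self, offset, whence=io.SEEK_SET):
        return self._raw.seek(offset, whence)

    def tell(self):
        return self._raw.tell()

    # Write-side operations are refused before they reach the device.
    def write(self, data):
        self.refused_writes += 1
        raise PermissionError(f"write blocker: refused {len(data)}-byte write")

    def truncate(self, size=None):
        self.refused_writes += 1
        raise PermissionError("write blocker: refused truncate")


def sha256_of(device, chunk_size=4096):
    """SHA-256 of the whole device, read from offset 0 in fixed-size chunks."""
    device.seek(0)
    digest = hashlib.sha256()
    while True:
        chunk = device.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data):
    """Hash a byte string through the blocker (convenience for checks)."""
    return sha256_of(WriteBlockedDevice(io.BytesIO(data)))


def acquire_image(source, destination, chunk_size=4096):
    """Copy source to destination chunk by chunk and verify the result.

    Returns (pre_hash, post_hash, image_hash). A sound acquisition has all
    three equal: the source was not changed by the copy, and the image
    matches the source bit for bit.
    """
    pre_hash = sha256_of(source)
    source.seek(0)
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        destination.write(chunk)
    post_hash = sha256_of(source)
    image_hash = sha256_of(destination)
    return pre_hash, post_hash, image_hash


def demo():
    """Acquire a constructed 16-sector evidence drive and try to write to it."""
    raw_evidence = io.BytesIO(b"EVIDENCE".ljust(512, b"\x00") * 16)  # constructed
    blocked = WriteBlockedDevice(raw_evidence)
    image = io.BytesIO()

    pre, post, img = acquire_image(blocked, image)

    # A tool that tries to write through the blocker is refused, and the
    # evidence hash is unchanged afterwards.
    try:
        blocked.write(b"tamper")
    except PermissionError:
        pass
    after_attempt = sha256_of(blocked)

    return {
        "verified": pre == post == img == after_attempt,
        "write_refused": blocked.refused_writes == 1,
        "image_hash": img,
    }


if __name__ == "__main__":
    print(demo())
```

The three-way hash comparison is the point: a matching pre- and post-acquisition hash of the source proves the blocker did its job, and a matching image hash proves the copy is faithful. Those digests are what gets written into the custody log for the item.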

Page 14: Introduction To Forensic Methodologies

Document Preservation: Definition

Digital preservation is defined as: long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span the information is required for.

Long-term is defined as "long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long Term may extend indefinitely".

"Retrieval" means obtaining needed digital files from the long-term, error-free digital storage, without possibility of corrupting the continued error-free storage of the digital files.

"Interpretation" means that the retrieved digital files, files that, for example, are of texts, charts, images or sounds, are decoded and transformed into usable representations. This is often interpreted as "rendering", i.e. making it available for a human to access. However, in many cases it will mean able to be processed by computational means.

Source: http://en.wikipedia.org/wiki/Digital_preservation

Page 15: Introduction To Forensic Methodologies

Document Preservation: Objectives

Preservation: ensure that all of the bits composing an electronic document do not alter with the passage of time.

Access: continued, ongoing access to the content of a digital library (information resource) that still retains and protects all qualities of integrity, authenticity, accuracy and functionality found when the digital material was originally created and/or acquired.

Steps are required to attain these goals: supervision, control and maintenance (refreshing, media migration, and backups).

Page 16: Introduction To Forensic Methodologies

Chain of Custody: Definition

Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. *

* Source: http://en.wikipedia.org/wiki/Chain_of_custody

Page 17: Introduction To Forensic Methodologies

Chain of Evidence: Objectives

Because evidence can be used in court, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can seriously compromise the credibility of a witness and jeopardize the outcome of a case.

Since electronic data can be easily altered, it is important to prove that the integrity of the evidence has been maintained from seizure through production in court. Chain of custody logs should document how the data was gathered, analyzed, and preserved for production.

The chain of custody log must show the method used to ensure that the data was properly copied, transported and stored; that the information has not been altered in any way, and that all media has been secured throughout the process.

Page 18: Introduction To Forensic Methodologies

W5

Who has or has had the item

What item are we referring to

When did something happen to the item

Where did this transaction take place

Why did the transaction take place

Page 19: Introduction To Forensic Methodologies

Chain of Custody: Policy

There should be a person (chokepoint) that is in control of all data.

The more people you introduce into the mix, the easier it is to have a problem with chain of custody.

There should be a policy and procedure manual for dealing with evidentiary items.

There should be someone responsible for reviewing policies and procedures on evidence control.

Items being taken into possession should be documented at the earliest possible time.

Receipts should be left at the client location.

Client should sign a copy of receipt for items being taken.

Items should be tagged (labeled) to ensure proper processing.

Page 20: Introduction To Forensic Methodologies

Chain of Custody: Process

The following must be included in a chain of custody log:

A list of all media that was secured.

The precise information that has been copied, transferred, and collected.

Date and time stamp.

Who processed the item.

Who is the owner of the item; where it was taken from.

All electronic evidence collected must be properly documented each time the evidence is viewed.

Such documentation must be made available throughout the discovery process. (If the client in the middle of the case wants to see the log, it has to be made available.)

* Source: http://en.wikipedia.org/wiki/Chain_of_custody
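The W5 questions and the process list above describe what a custody log must capture; as an added example (not part of the presentation), here is a small Python log that records those fields per entry together with the evidence hash, and chains each entry's digest to the previous one so that any later edit or deletion is detectable by verify(). The examiner names, item identifier, timestamps and item hash are constructed placeholders.

```python
"""Tamper-evident chain of custody log keyed on the W5 questions.

Added example, not from the presentation. Every entry records who, what,
when, where and why, plus the SHA-256 of the evidence item at that step.
Each entry's digest covers the previous entry's digest, so editing or
removing any earlier entry changes every digest after it and verify()
reports the first entry that no longer matches. Item identifiers, names,
times and hashes below are constructed placeholders.
"""
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first entry


def entry_digest(previous_digest, entry):
    """SHA-256 over the previous digest and the canonical JSON of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_digest + canonical).encode("utf-8")).hexdigest()


class CustodyLog:
    def __init__(self):
        self.records = []  # each record: {"entry": {...}, "digest": "..."}

    def record(self, who, what, when, where, why, item_hash):
        """Append one W5 entry and return its digest."""
        entry = {"who": who, "what": what, "when": when, "where": where,
                 "why": why, "item_hash": item_hash}
        previous = self.records[-1]["digest"] if self.records else GENESIS
        digest = entry_digest(previous, entry)
        self.records.append({"entry": entry, "digest": digest})
        return digest

    def verify(self):
        """Recompute the chain; return (True, None) or (False, bad_index)."""
        previous = GENESIS
        for index, rec in enumerate(self.records):
            if entry_digest(previous, rec["entry"]) != rec["digest"]:
                return False, index
            previous = rec["digest"]
        return True, None

    def item_hash_consistent(self, what):
        """True if every entry for an item reports the same evidence hash,
        i.e. the item was not altered between steps."""
        hashes = {rec["entry"]["item_hash"] for rec in self.records
                  if rec["entry"]["what"] == what}
        return len(hashes) == 1

    def as_json(self):
        """Export for production to the client or the court."""
        return json.dumps(self.records, indent=2)


def build_demo_log():
    """Seizure, transfer and analysis of one constructed item."""
    item_hash = "sha256:PLACEHOLDER-DIGEST-OF-HDD-001"  # constructed placeholder
    log = CustodyLog()
    log.record("J. Examiner", "HDD-001", "2015-01-14T09:00:00-05:00",
               "client premises, office 12", "seizure under order", item_hash)
    log.record("J. Examiner", "HDD-001", "2015-01-14T11:30:00-05:00",
               "evidence locker A", "transfer to secure storage", item_hash)
    log.record("M. Analyst", "HDD-001", "2015-01-15T08:15:00-05:00",
               "forensic lab", "imaging through write blocker", item_hash)
    return log


def tamper_and_verify(log, index, field, value):
    """Alter one field of an existing entry and report what verify() says."""
    log.records[index]["entry"][field] = value
    return log.verify()


def demo():
    """Intact log verifies; an edited 'where' field is caught at its index."""
    log = build_demo_log()
    intact = log.verify()
    consistent = log.item_hash_consistent("HDD-001")
    after_tamper = tamper_and_verify(log, 1, "where", "unknown")
    return {"intact": intact, "consistent": consistent, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The chained digest only makes the log tamper-evident, not tamper-proof: the person holding the log (the chokepoint from the policy slide) can still recompute the chain, so the latest digest should be copied into a place that person does not control, such as the signed receipt left with the client.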

Page 21: Introduction To Forensic Methodologies

Risks and Consequences

Loss of data

Destruction/alteration (spoliation)

Prejudicial presumption

Uncorroborated testimony

Dismissal of action

Undermined credibility

Etc.

Page 22: Introduction To Forensic Methodologies

File System Structure: How is data written to a PC hard drive?

Hard drive format

Volume

Sectors (typically 512 bytes/sector)

Clusters/allocation units (for example 4096 bytes/cluster, i.e. 8 sectors)

Page 23: Introduction To Forensic Methodologies

File System Structure: How is data written to a PC hard drive?

File Allocation Table (FAT): tracks file names; tracks the location of the data on the hard drive

Directory Structure: Name, Cluster, Size, Accessed, Written, Created

Page 24: Introduction To Forensic Methodologies

File System Structure: How is data written to a PC hard drive?

Saving one (1) 760-byte file to the hard drive

Page 25: Introduction To Forensic Methodologies

File System Structure: How is data written to a PC hard drive?

Saving one (1) 10,240-byte file to the hard drive (3 clusters)

Page 26: Introduction To Forensic Methodologies

File System Structure: How is data written to a PC hard drive?

Saving three (3) more 1000-byte files to the hard drive (3 clusters)

Page 27: Introduction To Forensic Methodologies

File System Structure: How is data written to a PC hard drive?

Saving one (1) more 10,240-byte file to the hard drive (3 clusters)

Page 28: Introduction To Forensic Methodologies

File System Structure: Directory Structure

Directory Structure

Name         Cluster  Size   Accessed  Written   Created
File01.TXT   2        760    10/02/22  09/12/31  09/11/21
File02.JPG   3        10240  10/02/22  08/06/30  07/10/21
File03.DOC   7        1000   10/02/22  07/09/26  07/09/26
File04.DOC   8        1000   10/02/22  09/01/09  09/01/05
File05.WPD   10       1000   10/02/22  10/02/22  09/12/01
File06.JPG   6        10240  10/02/22  10/01/16  09/11/23

Page 29: Introduction To Forensic Methodologies

File System Structure: Deleting files

Directory Structure

Name         Cluster  Size   Accessed  Written   Created
E5ile01.TXT  2        760    10/02/22  09/12/31  09/11/21
File02.JPG   3        10240  10/02/22  08/06/30  07/10/21
File03.DOC   7        1000   10/02/22  07/09/26  07/09/26
File04.DOC   8        1000   10/02/22  09/01/09  09/01/05
File05.WPD   10       1000   10/02/22  10/02/22  09/12/01
E5ile06.JPG  6        10240  10/02/22  10/01/16  09/11/23
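The slides from "How is data written to a PC hard drive?" through "Deleting files" walk through cluster allocation and the E5 deletion marker. As an added example (not from the presentation), the Python model below uses the same geometry (512-byte sectors, 8 sectors per cluster, 4096 bytes per cluster) and the same sequence of saves, then deletes a file the way FAT does and shows why the data remains recoverable until its clusters are reused. The file names and contents are constructed; the class and function names are this example's own.

```python
"""Toy FAT-style volume: cluster allocation, fragmentation and deletion.

Added example, not from the presentation. It uses the slides' geometry
(512-byte sectors, 8 sectors per cluster, 4096 bytes per cluster) and the
same sequence of saves, and then deletes a file the way FAT does: the first
byte of the directory name becomes 0xE5 and the file's clusters are marked
free in the FAT, but the data in those clusters is left untouched until a
later file reuses them. carve_deleted() shows why such files are still
recoverable. File names and contents are constructed.
"""
import math

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER  # 4096 bytes
FREE, END_OF_CHAIN = 0, -1  # FAT cell values
DELETED_MARK = 0xE5         # first byte of a deleted directory entry


class ToyFat:
    def __init__(self, clusters=16, first_data_cluster=2):
        # Clusters 0 and 1 are reserved on real FAT volumes; data starts at 2.
        self.fat = ([END_OF_CHAIN] * first_data_cluster
                    + [FREE] * (clusters - first_data_cluster))
        self.data = [b""] * clusters
        self.directory = []  # {"name": bytes, "cluster": int, "size": int}

    @staticmethod
    def clusters_needed(size):
        return max(1, math.ceil(size / CLUSTER_SIZE))

    def _entry(self, name):
        wanted = name.encode("ascii")
        for entry in self.directory:
            if entry["name"] == wanted:
                return entry
        raise FileNotFoundError(name)

    def write_file(self, name, content):
        """Place content in the first free clusters and return its chain."""
        needed = self.clusters_needed(len(content))
        free = [c for c, v in enumerate(self.fat) if v == FREE]
        if len(free) < needed:
            raise OSError("disk full")
        chain = free[:needed]  # first-fit; may be non-contiguous (fragmented)
        for i, c in enumerate(chain):
            self.data[c] = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else END_OF_CHAIN
        self.directory.append({"name": name.encode("ascii"),
                               "cluster": chain[0], "size": len(content)})
        return chain

    def chain(self, first):
        """Follow the FAT from the first cluster to the end-of-chain marker."""
        out, c = [], first
        while c != END_OF_CHAIN:
            out.append(c)
            c = self.fat[c]
        return out

    def read_file(self, name):
        entry = self._entry(name)
        raw = b"".join(self.data[c] for c in self.chain(entry["cluster"]))
        return raw[:entry["size"]]

    def delete_file(self, name):
        """FAT-style delete: free the clusters, mark the name; keep the data."""
        entry = self._entry(name)
        for c in self.chain(entry["cluster"]):
            self.fat[c] = FREE
        entry["name"] = bytes([DELETED_MARK]) + entry["name"][1:]

    def carve_deleted(self):
        """Recover deleted entries whose first cluster has not been reused.

        The FAT chain is gone, so the clusters are assumed contiguous; the
        lost first character of the name is shown as '?'.
        """
        found = []
        for entry in self.directory:
            if entry["name"][0] != DELETED_MARK or self.fat[entry["cluster"]] != FREE:
                continue
            first, count = entry["cluster"], self.clusters_needed(entry["size"])
            last = min(first + count, len(self.data))
            raw = b"".join(self.data[c] for c in range(first, last))
            found.append(("?" + entry["name"][1:].decode("ascii"), raw[:entry["size"]]))
        return found


def demo():
    """Replay the slides' saves, delete File01, carve it, then overwrite it."""
    vol = ToyFat()
    chains = [vol.write_file("FILE01.TXT", b"a" * 760),     # 1 cluster
              vol.write_file("FILE02.JPG", b"b" * 10240),   # 3 clusters
              vol.write_file("FILE03.DOC", b"c" * 1000),
              vol.write_file("FILE04.DOC", b"d" * 1000),
              vol.write_file("FILE05.WPD", b"e" * 1000),
              vol.write_file("FILE06.JPG", b"f" * 10240)]
    vol.delete_file("FILE01.TXT")
    carved_before = vol.carve_deleted()              # still recoverable
    new_chain = vol.write_file("NEW.TXT", b"n" * 5000)  # reuses cluster 2
    return {"chains": chains, "marked_name": vol.directory[0]["name"],
            "carved_before": carved_before, "new_chain": new_chain,
            "carved_after": vol.carve_deleted(), "file02": vol.read_file("FILE02.JPG")}


if __name__ == "__main__":
    print(demo())
```

Two things this makes visible for an examiner: a deleted entry keeps its first cluster and size, so the data can be carved until something else lands there, and a new file that is larger than the freed hole is split across non-adjacent clusters (here 2 and 12), which is the fragmentation the directory slide hints at with File06.JPG sitting at cluster 6.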

Page 31: Introduction To Forensic Methodologies

Questions?

Phil Sené[email protected]