Chapter 5: Processing Crime and Incident Scenes
Guide to Computer Forensics and Investigations
Fourth Edition
Guide to Computer Forensics and Investigations 2
Objectives
• Explain guidelines for seizing digital evidence at the scene
• Describe how to secure a computer incident or crime scene
• Describe how to preserve the evidence and establish the chain of custody
• Enumerate some general guidelines for processing a crime or incident scene
Introduction
• A principle in criminal investigation called Locard’s Exchange Principle
  – Anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind
[Figure: Locard’s exchange triangle linking Victim, Crime Scene, Suspect and Evidence]
Source: http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/august-2011/digital-evidence
Introduction (Cont.)
• Don’t let amateurs collect digital evidence
• General Rule: Harm Nothing!
Introduction (Cont.)
• Digital Evidence
  – Digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)
  – Can be any information stored or transmitted in digital form
Introduction (Cont.)
• Digital Evidence (Cont.)
  – All investigations must follow the following rules of evidence:
    • Digital evidence integrity must be preserved to be admissible in court
      – If the evidence is contaminated it cannot be decontaminated
    • Digital evidence must be reliable: authentic, clear and easy to understand, and believable by a jury
    • Digital evidence must be complete: it includes exculpatory evidence that points to alternative suspects
Introduction (Cont.)
• Digital Crime Scene
  – The electronic environment where digital evidence can potentially exist (Rogers, 2005)
  – Collecting computers and processing a criminal or incident scene must be done systematically
• Computer Forensics Crime Scene Investigation Process
  – No one right way to do it!
Introduction (Cont.)
• Responding to a computer forensics incident or crime
  – Generally involves the following steps:
    1. Seizing digital evidence at the scene
    2. Securing a computer incident or crime scene
    3. Preserving the data
    4. Establishing the chain of custody
    5. Examining data for evidence
Seizing Digital Evidence at the Scene
• Preparing to Acquire Digital Evidence
  – The evidence you acquire at the scene depends on the nature of the case (crime or violation)
  – Ask your supervisor or senior forensics examiner in your organization the following questions:
    • Do you need to take the entire computer and all peripherals and media in the immediate area?
    • How are you going to protect the computer and media while transporting them to your lab?
    • Is the computer powered on when you arrive?
    • Is it possible the suspect damaged or destroyed the computer, peripherals, or media?
Seizing Digital Evidence at the Scene (Cont.)
• Using a Technical Advisor
  – Can help you list the tools you need to process the incident or crime scene and guide you about where to locate data (e.g., extracting log records or other evidence from large RAID servers)
  – Responsibilities
    • Know aspects of the seized system
    • Direct the investigator handling sensitive material
    • Help secure the scene
    • Document activities
Seizing Digital Evidence at the Scene (Cont.)
• Why secure a computer incident or crime scene?
  – Protecting the crime scene is crucial because if evidence is contaminated, it cannot be decontaminated
  – The main goals of securing the crime scene are the following:
    • Preserve the evidence (no damage during collection, transportation, or storage)
    • Keep information confidential
  – Depending on the situation, crime scene preservation will vary
  – Professional curiosity can destroy evidence
    • Involves police officers and other professionals who aren’t part of the crime scene processing team
Securing a Computer Incident or Crime Scene (Cont.)
• How to secure a computer incident or crime scene?
  – Define a secure perimeter
    • Use yellow barrier tape
Securing a Computer Incident or Crime Scene (Cont.)
• How to secure a computer incident or crime scene? (Cont.)
  – Physical surroundings of the computer should be photographed and clearly documented
    • Photographs should be taken before anything is touched
Securing a Computer Incident or Crime Scene (Cont.)
• How to secure a computer incident or crime scene? (Cont.)
  – Physical surroundings of the computer should be photographed and clearly documented
    • Photograph and label all equipment
    • Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected
Securing a Computer Incident or Crime Scene (Cont.)
• How to secure a computer incident or crime scene? (Cont.)
  – Take custody of the computer, peripherals, and media
  – Bag and tag all evidence
    • Assign one person to collect and log all evidence
    • Record the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
    • Maintain two separate logs of collected evidence
  – Use antistatic bags
Preserving the Data
• Capture volatile data
  – The computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves the data to a secure location
    • Contents of RAM
    • Current running processes
    • Current network connections (recent connections and open applications/sockets)
    • Logon sessions
    • Open files: file system time and date stamps
Preserving the Data (Cont.)
• Acquire image
  – A reboot will change the disk image. Do not reboot!
  – After retrieving volatile data, focus on the hard drive
  – Make a forensic backup = system image = bit-stream backup
    • Copy every bit of the file system, not just the disk files!
    • Its accuracy meets evidence standards
  – Example tools include:
    • ProDiscover
    • EnCase
    • FTK
  – The OS does not influence which tools to use for bit-image capture
Preserving the Data (Cont.)
• Acquire image (Cont.)
  – Copy all image files to a large drive
  – Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash
Establishing the Chain of Custody
• As soon as the team begins its work, it must start and maintain a strict chain of custody
• The chain of custody protects the integrity and reliability of the evidence
  – It documents that the evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt it
  – An effective process for documenting the complete journey of the evidence during the life of the case:
    • Who collected it?
    • How and where?
    • Who took possession of it?
    • How was it stored and protected in storage?
Establishing the Chain of Custody (Cont.)
• Create or use an evidence custody form
• An evidence custody form serves the following functions:
  – Identifies the evidence
  – Identifies who has handled the evidence
  – Lists dates and times the evidence was handled
General Guidelines
• Keep a journal to document your activities
• Record all active windows or shell sessions
• Make notes of everything you do when copying data from a live suspect computer
• Close applications and shut down the computer
General Guidelines (Cont.)
• Useful information to collect
  – Seize all hardware that is necessary to reconstruct evidence (hard disk drives, USB devices, CDs, DVDs, floppies, papers)
    • Better to collect too much than too little
  – IDS, firewall, and system logs
  – Suspect’s web pages, emails, and internet activities
  – Suspect’s access of files (created/modified/viewed)
  – Authenticate the copy so that you can prove that evidence discovered was on the original media
  – Always work from a copy, not from the original
General Guidelines (Cont.)
• Useful information to collect (Cont.)
  – Use a write-blocking device to prevent accidentally writing to the suspect media
  – Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands.
    • Can be hardware or software
  – With the write blocker in place, you can now make several copies of the image
  – It is a good idea to make at least 2 working images: one to be used as a backup and one to work on
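The image-hashing, copy-authentication and custody-form steps from the slides above (hash the acquired image, prove each working copy matches it, and record the result with who handled it and when), worked as an added Python example that is not part of the textbook or its slides. The image bytes, item id and handler name are constructed placeholders, and the deliberately altered working copy stands in for an accidental write made without a write blocker.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an acquired bit-stream image: 16 KiB of patterned bytes.
IMAGE_BYTES = bytes(range(256)) * 64

def hash_stream(fh, algorithms=("md5", "sha1")):
    """Hash a binary stream in 1 MiB chunks so a multi-GB image never sits in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)

def verify_copies(original_path, copy_paths):
    """Return the original's hashes and, per copy, whether MD5 and SHA-1 both match."""
    reference = hash_file(original_path)
    return reference, {p: hash_file(p) == reference for p in copy_paths}

def custody_entry(item_id, action, handler, hashes):
    """One evidence custody form record: which item, what was done, by whom, when, hashes."""
    return {"item": item_id, "action": action, "handler": handler,
            "when_utc": datetime.now(timezone.utc).isoformat(), "hashes": hashes}

def demo():
    """Image one drive, make a backup and a working copy, then catch the altered copy."""
    with tempfile.TemporaryDirectory() as scratch:
        original, backup, working = (os.path.join(scratch, n) for n in
                                     ("suspect.dd", "backup.dd", "working.dd"))
        for path in (original, backup, working):
            with open(path, "wb") as fh:
                fh.write(IMAGE_BYTES)
        with open(working, "r+b") as fh:  # simulate an accidental write (no write blocker)
            fh.seek(4096)
            fh.write(b"\xff")  # offset 4096 holds 0x00 in the constructed image
        reference, ok = verify_copies(original, [backup, working])
        log = [custody_entry("ITEM-001", "acquired", "examiner (placeholder)", reference)]
        return {"reference": reference, "backup_ok": ok[backup],
                "working_ok": ok[working], "custody_log": log}
```

The slides name MD5 or SHA-1; adding "sha256" to the algorithms tuple records a SHA-256 digest as well, which most current lab procedures expect.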