Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)



Companies are spending millions each year to ensure that their networks and data are properly protected against intrusion. Operating systems are hardened, firewalls are installed, intrusion detection systems are put in place, honeypots are implemented, security policies and procedures are established, security awareness programs are rolled out, and systems are monitored. This defense-in-depth approach is used because companies know that people will try to gain unauthorized access to their systems. When unauthorized access does occur, the last line of defense is legal action against the intruder. However, if evidence of an intrusion is not properly handled, it becomes inadmissible in a court of law. It is important to remember one of the basic rules of our legal system: If there is no evidence of a crime, there is no crime in the eyes of the law. Therefore, it is of paramount importance that utmost care is taken in the collection and seizure of data evidence.

Some of the most common reasons for improper evidence collection are poorly written policies, lack of an established incident response plan, lack of incident response training, and a broken chain of custody. For the purposes of this chapter, the reader should assume that policies have been clearly defined and reviewed by legal counsel, an incident response plan is in place, and necessary personnel have been properly trained.

Conclusions Drawn from Evidence Collection and Data Seizure

An Agenda for Action in Evidence Collection and Data Seizure

The following is a provisional list of actions for evidence collection and data seizure. The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these evidence collection and data seizure topics have been mentioned in passing already:

  1. Once you’ve created a master copy of the original data, don’t touch it or the original itself—always handle secondary copies.

  2. Sometimes evidence alteration is unavoidable. In these cases, it is absolutely essential that the nature, extent, and reasons for the changes be documented.

  3. If you don’t understand what you are doing, you can’t account for any changes you make and you can’t describe exactly what you did. If you ever find yourself out of your depth, either go and learn more before continuing (if time is available) or find someone who knows the territory.

  4. No one is going to believe you if they can’t replicate your actions and reach the same results. This also means that your plan of action shouldn’t be based on trial-and-error.

  5. The faster you work, the less likely the data is going to change.

  6. Some electronic evidence is more volatile than other evidence. Because of this, you should always try to collect the most volatile evidence first, and then proceed from volatile to persistent evidence.

  7. You should never, ever shut down a system before you collect the evidence.

  8. Rebooting is even worse than shutting a system down and should be avoided at all costs. As a general rule, until the compromised disk is finished with and restored, it should never be used as a boot disk.

  9. Because the attacker may have left trojaned (trojan horse) programs and libraries on the system, you may inadvertently trigger something that could change or destroy the evidence you’re looking for. Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk), and should be statically linked.

  10. A planning stage must take place prior to any investigator arriving at the computer crime scene, including two ways to structure a team of investigators.

  11. Good case management software can go a long way in easing the burden of carrying out a search and seizure.
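Points 1, 2 and 4 of the list above (work only on a secondary copy, document every alteration, make your actions reproducible) can be turned into a small, repeatable routine. The following is an added example written for this chapter, not code from the book: it hashes a master image, produces a working copy, verifies the copy byte-for-byte by hash, writes each step to an append-only custody log, and re-verifies later so that any alteration is recorded as an event rather than silently lost. The file names, the JSON-lines log format and the "examiner-placeholder" identifier are this example's own assumptions, and the image content is constructed sample data.

```python
"""Added example: acquire-and-verify workflow for a disk image (constructed sample data).

Demonstrates: never work on the master copy, record every action and its
hashes, and make the procedure reproducible. Standard library only.
File names, log format and examiner id are assumptions of this example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def log_custody(log_path, action, **details):
    """Append one JSON-lines record: who did what, when, and to which hashes."""
    record = {"timestamp": datetime.now(timezone.utc).isoformat(),
              "action": action, **details}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def make_working_copy(original, working, log_path, examiner="examiner-placeholder"):
    """Copy the master image, prove the copy matches by hash, and log the step.

    The master is only ever opened for reading; all later analysis happens
    on `working`. Returns the SHA-256 that both files share.
    """
    original_hash = sha256_file(original)
    shutil.copyfile(original, working)
    os.chmod(working, 0o444)  # guard the copy against accidental writes
    copy_hash = sha256_file(working)
    if copy_hash != original_hash:
        log_custody(log_path, "copy_failed", examiner=examiner, original=original,
                    original_sha256=original_hash, copy_sha256=copy_hash)
        raise RuntimeError("working copy does not match master image")
    log_custody(log_path, "working_copy_created", examiner=examiner,
                original=original, copy=working, sha256=original_hash)
    return original_hash


def verify_unchanged(path, expected_hash, log_path, examiner="examiner-placeholder"):
    """Re-hash an item and log whether it still matches its recorded hash.

    A mismatch is logged as an alteration event (point 2 above): the change is
    documented with both hashes instead of being quietly overwritten.
    """
    current = sha256_file(path)
    ok = current == expected_hash
    log_custody(log_path, "verified" if ok else "ALTERATION_DETECTED",
                examiner=examiner, path=path,
                expected_sha256=expected_hash, current_sha256=current)
    return ok


def demo():
    """Run the workflow on a constructed 'image' in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="forensics-demo-")
    original = os.path.join(workdir, "master.img")
    working = os.path.join(workdir, "working.img")
    log_path = os.path.join(workdir, "custody.jsonl")
    with open(original, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE\x00" * 4096)  # constructed, not a real image
    image_hash = make_working_copy(original, working, log_path)
    first_check = verify_unchanged(working, image_hash, log_path)
    # Simulate an accidental one-byte write to the working copy and show it is caught.
    os.chmod(working, 0o644)
    with open(working, "r+b") as f:
        f.write(b"X")
    second_check = verify_unchanged(working, image_hash, log_path)
    with open(log_path, encoding="utf-8") as f:
        actions = [json.loads(line)["action"] for line in f]
    return image_hash, first_check, second_check, actions


if __name__ == "__main__":
    print(demo())
```

The custody log is append-only and every record carries the hash it was checked against, so a second examiner can repeat each step and reach the same hashes, which is what makes the work defensible when it is later challenged.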

