Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)



The latter part of the 20th century was marked by the electronic transistor and the machines and ideas made possible by it. As a result, the world changed from analog to digital. Although the computer reigns supreme in the digital domain, it is not the only digital device. An entire constellation of audio, video, communications, and photographic devices is becoming so closely associated with the computer as to have converged with it.

From a law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in digital form. The connectivity resulting from a single world economy, in which the companies providing goods and services are truly international, has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case may reside only in other jurisdictions.

This situation requires that all nations have the ability to collect and preserve digital evidence for their own needs as well as for the potential needs of other sovereigns. Each jurisdiction has its own system of government and administration of justice, but in order for one country to protect itself and its citizens, it must be able to make use of evidence collected by other nations.

Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of evidence must be found. This chapter was a first attempt to define the technical aspects of these exchanges.

Conclusions Drawn from Duplication and Preservation of Digital Evidence

An Agenda for Action in Duplication and Preservation of Digital Evidence

The following is a provisional list of actions for duplication and preservation of digital evidence. The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these duplication and preservation of digital evidence topics have been mentioned in passing already:

  1. Shut down the computer.

  2. Document the hardware configuration of the system.

  3. Transport the computer system to a secure location.

  4. Make bit stream back-ups of hard disks and floppy disks.

  5. Mathematically authenticate data on all storage devices.

  6. Document the system date and time.

  7. Make a list of key search words.

  8. Evaluate the Windows swap file.

  9. Evaluate file slack.

  10. Evaluate unallocated space (erased files).

  11. Search files, file slack, and unallocated space for key words.

  12. Document file names, dates, and times.

  13. Identify file, program, and storage anomalies.

  14. Evaluate program functionality.

  15. Document your findings.

  16. Retain copies of software used.

  17. Establish a solid relationship with local law enforcement; they will be a valuable resource in the evidence collection process.
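Steps 4, 5, and 11 of the agenda can be illustrated together in code. The following is an added example, not code from the book: it makes a bit-stream copy of a constructed sample "disk", authenticates the copy by hashing source and image independently (SHA-256 is assumed here; the book does not name an algorithm), produces a record for the case notes, and then searches the raw image so that slack and unallocated space are covered, not only the files a file system still lists.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # read size; real imagers use sector-aligned blocks
# Constructed sample "disk": one live file, then unallocated space holding a deleted-file remnant.
SAMPLE_DISK = (b"LIVE FILE: invoice for ACME\x00" + b"\x00" * 100
               + b"deleted memo mentions ACME and payroll" + b"\x00" * 50)

def bit_stream_copy(source, dest, chunk=CHUNK):
    """Steps 4 and 5: copy every byte, hashing source and image independently."""
    h_src, count = hashlib.sha256(), 0
    for block in iter(lambda: source.read(chunk), b""):
        h_src.update(block)
        dest.write(block)
        count += len(block)
    dest.seek(0)  # re-read the written image rather than trusting the write path
    h_img = hashlib.sha256()
    for block in iter(lambda: dest.read(chunk), b""):
        h_img.update(block)
    return h_src.hexdigest(), h_img.hexdigest(), count

def authenticate_image(source_bytes, label, now=None):
    """Image source_bytes; return (case-note record, image bytes). A mismatch is recorded, not hidden."""
    src, dst = io.BytesIO(source_bytes), io.BytesIO()
    src_hash, img_hash, n = bit_stream_copy(src, dst)
    record = {
        "device": label,
        "acquired_utc": (now or datetime.now(timezone.utc)).isoformat(),
        "bytes": n,
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
    }
    return record, dst.getvalue()

def keyword_hits(image, keywords):
    """Step 11: search the raw image so slack and unallocated space are covered too."""
    hits = {}
    for word in keywords:
        needle = word.encode()
        offsets, pos = [], image.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(needle, pos + 1)
        hits[word] = offsets
    return hits
```

Calling `authenticate_image(SAMPLE_DISK, "constructed-disk-0")` and then `keyword_hits` on the returned image finds "ACME" both in the live file and in the deleted remnant that a file listing alone would miss.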

