Uploaded by Kayathri K

The document outlines the procedures for duplicating and preserving digital evidence in computer forensics, emphasizing the importance of creating bit stream backups and maintaining a chain of custody. It details the steps for processing computer evidence, including shutting down the system, documenting hardware, and using specific software tools for data recovery. Legal requirements and the roles of incident coordinators and evidence notebooks are also discussed to ensure proper collection and analysis of digital evidence.

UNIT-3

DUPLICATION AND PRESERVATION OF DIGITAL EVIDENCE


Preserving the Digital Crime Scene
 After securing the computer, we should make a complete bit stream backup of all computer
data before it is reviewed or processed.
 Bit stream backups are much more thorough than standard backups.
 They involve copying of every bit of data on a storage device, and it is recommended that two
such copies be made of the original when hard disk drives are involved.
 Any processing should be performed on one of the backup copies.
 IMDUMP was the first software for taking bit stream back-ups developed by Michael White.
SafeBack
 SafeBack has become a law enforcement standard and is used by numerous government
intelligence agencies, military agencies, and law enforcement agencies worldwide.
 The SafeBack program copies and preserves all data contained on the hard disk.
 It even goes so far as to circumvent attempts made to hide data in bad clusters and in sectors
with invalid CRCs.
SnapBack
 Another bit stream back-up program, called SnapBack, is also available and is used by some
law enforcement agencies, primarily because of its ease of use.
 Its price is several hundred dollars higher than SafeBack's.
 It has error-checking built into every phase of the evidence back-up and
restoration process.
 The hard disk drive should be imaged using specialized bit stream back-up software.
 Floppy diskettes can be imaged using the standard DOS DISKCOPY program.
 When DOS DISKCOPY is used, it is recommended that MS-DOS Version 6.22 be used and
that the /V (data verification) switch be invoked from the command line.
 Know and practice using all of your forensic software tools before you use them in
the processing of computer evidence.
 We may only get one chance to do it right.
Computer Evidence Processing Steps
There really are no strict rules that must be followed regarding the processing of computer
evidence.
The following are general computer evidence processing steps:
1. Shut down the computer.
 Depending on the computer operating system, this usually involves pulling the plug or shutting
down a networked computer using the commands required by the network involved.
 Generally, time is of the essence, and the computer system should be shut down as quickly as
possible.
 Pulling the plug discards volatile data (memory contents, running processes, open network
connections). Where the investigation may need that data, current practice captures it from the
live system first, documenting every command run to do so, and only then powers the system down.
2. Document the hardware configuration of the system.
 Before dismantling the computer, it is important that pictures are taken of the computer
from all angles to document the system hardware components and how they are connected.
 Labeling each wire is also important, so that it can easily be reconnected when the system
configuration is restored to its original condition at a secure location.
3. Transport the computer system to a secure location.
 A seized computer left unattended can easily be compromised. Don’t leave the computer
unattended unless it is locked up in a secure location.
4. Make bit stream backups of hard disks and floppy disks.
 All evidence processing should be done on a restored copy of the bit stream backup rather than
on the original computer.
 Bit stream backups are much like an insurance policy and are essential for any serious computer
evidence processing.
5. Mathematically authenticate data on all storage devices.
 You want to be able to prove that you did not alter any of the evidence after the computer came
into your possession.
 Since 1989, law enforcement and military agencies have used a 32-bit mathematical process
(a CRC-32 style checksum) to do the authentication. A 32-bit checksum is short enough that a
matching value can be constructed deliberately, so current practice records a cryptographic
hash such as SHA-256 (often with MD5 alongside it) of every original and every copy, and
re-checks it before and after each processing session.
6. Document the system date and time.
 If the system clock is one hour slow because of daylight-savings time, then file timestamps will
also reflect the wrong time.
 To adjust for these inaccuracies, documenting the system date and time settings at the time the
computer is taken into evidence is essential.
7. Make a list of key search words.
 It is all but impossible for a computer specialist to manually view and evaluate every file on a
computer hard disk drive.
 Gathering information from individuals familiar with the case to help compile a list of relevant
keywords is important.
 Such keywords can be used in the search of all computer hard disk drives and floppy diskettes
using automated software.
8. Evaluate the Windows swap file.
 The Windows swap file is a potentially valuable source of evidence and leads.
 Depending on the Windows version and configuration, the swap file may be deleted or reset
when the computer is shut down, but its contents usually remain on the disk and can be captured
and evaluated from the bit stream image.
9. Evaluate file slack.
 It is the space between the end of a file's data and the end of the last cluster allocated to
that file. On older systems that space was filled with raw memory contents as files were written
and closed, which makes it a source of significant security leakage.
 File slack should be evaluated for relevant keywords to supplement the keywords identified in
the previous steps.
 File slack is typically a good source of Internet leads.
 Tests suggest that file slack provides approximately 80 times more Internet leads than the
Windows swap file.
10. Evaluate unallocated space (erased files).
 Unallocated space should be evaluated for relevant keywords to supplement the keywords
identified in the previous steps.
11. Search files, file slack, and unallocated space for keywords.
 The list of relevant keywords identified in the previous steps should be used to search all
relevant computer hard disk drives and floppy diskettes.
 It is important to review the output of the text search utility and equally important to document
relevant findings.
12. Document file names, dates, and times.
 From an evidence standpoint, file names, creation dates, and last modified dates and times can
be relevant.
 The output should be in the form of a word-processing-compatible file that can be used to help
document computer evidence issues tied to specific files.
13. Identify file, program, and storage anomalies.
 Encrypted, compressed, and graphic files store data in binary format. As a result, text data
stored in these file formats cannot be identified by a text search program.
 Manual evaluation of these files is required. Depending on the type of file involved, the
contents should be viewed and evaluated for its potential as evidence.
14. Evaluate program functionality.
 Depending on the application software involved, running programs to learn their purpose may
be necessary.
 When destructive processes that are tied to relevant evidence are discovered, this can be used to
prove willfulness.
15. Document your findings.
 It is important to document your findings as issues are identified and as evidence is found.
Documenting all of the software used in your forensic evaluation of the evidence, including the
version numbers of the programs used, is also important.
 Be sure you are legally licensed to use the forensic software.
 Screen prints of the operating software also help document the version of the software and how
it was used to find or process the evidence.
16. Retain copies of software used.
 As part of your documentation process, it is recommended that a copy of the software used be
included with the output of the forensic tool involved.
 Duplication of results can be difficult or impossible to achieve if the software has been
upgraded and the original version used was not retained.
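As an added worked example, not code from these notes or from any of the tools they name, the following Go program carries out steps 4, 5 and 9 to 11 of the procedure above on a small disk image constructed in memory. The image geometry (512-byte sectors, two sectors per cluster), the fileEntry directory layout, the file names, the text placed in the live files, in the slack of the first file and in an unallocated cluster are all constructed for the demonstration. SHA-256 is the authentication hash; a CRC-32 is computed alongside it only to show the kind of 32-bit check the notes mention.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Geometry of the hypothetical image: 512-byte sectors, two sectors per cluster.
const (
	sectorSize  = 512
	clusterSize = 2 * sectorSize
)

// fileEntry is a hypothetical, minimal directory entry: start cluster and live byte count.
type fileEntry struct {
	name         string
	startCluster int
	size         int
}

// Digests are the fingerprints recorded when the image is taken (CRC-32 is the 32-bit style check).
type Digests struct {
	CRC32, MD5, SHA256 string
}

// Authenticate fingerprints a whole image (step 5 of the procedure).
func Authenticate(img []byte) Digests {
	md, sh := md5.Sum(img), sha256.Sum256(img)
	return Digests{
		CRC32:  fmt.Sprintf("%08x", crc32.ChecksumIEEE(img)),
		MD5:    hex.EncodeToString(md[:]),
		SHA256: hex.EncodeToString(sh[:]),
	}
}

// VerifyCopy checks that a working copy still matches the original; run it before
// and after every processing session on the copy.
func VerifyCopy(original, working []byte) bool {
	return Authenticate(original).SHA256 == Authenticate(working).SHA256
}

// Region classifies an offset as live file data, file slack (unused tail of the last cluster) or unallocated.
func Region(entries []fileEntry, off int) string {
	for _, e := range entries {
		start := e.startCluster * clusterSize
		reserved := (e.size + clusterSize - 1) / clusterSize * clusterSize
		switch {
		case off >= start && off < start+e.size:
			return "allocated:" + e.name
		case off >= start+e.size && off < start+reserved:
			return "slack:" + e.name
		}
	}
	return "unallocated"
}

type Hit struct {
	Keyword string
	Offset  int
	Region  string
}

// SearchKeywords scans the raw image, not just the live files, so matches in file
// slack and unallocated space (steps 9-11) are found as well.
func SearchKeywords(img []byte, entries []fileEntry, keywords []string) []Hit {
	var hits []Hit
	for _, kw := range keywords {
		for pos := 0; ; {
			i := bytes.Index(img[pos:], []byte(kw))
			if i < 0 {
				break
			}
			hits = append(hits, Hit{kw, pos + i, Region(entries, pos+i)})
			pos += i + 1
		}
	}
	return hits
}

// BuildSampleImage constructs test data (not real evidence): cluster 0 holds a
// 600-byte live file whose slack still carries residue from an earlier file,
// cluster 1 holds a full-cluster file, and cluster 3 holds a deleted file's text.
func BuildSampleImage() ([]byte, []fileEntry) {
	img := make([]byte, 4*clusterSize)
	copy(img[700:], "residue: http://evidence.invalid/payroll") // slack of notes.txt
	copy(img[0:], bytes.Repeat([]byte("meeting notes. "), 40))  // 600 live bytes
	copy(img[clusterSize:], bytes.Repeat([]byte("-"), clusterSize))
	copy(img[clusterSize:], "Q3 payroll ledger, approved") // live data in ledger.txt
	copy(img[3*clusterSize:], "deleted: wire transfer to payroll account 4471")
	return img, []fileEntry{{"notes.txt", 0, 600}, {"ledger.txt", 1, clusterSize}}
}
```

Running SearchKeywords over the sample image reports "payroll" once in the slack of notes.txt, once in the live data of ledger.txt and once in unallocated space, and "wire transfer" only in unallocated space; a text search restricted to live files would have missed two of those four hits. A real case would use a forensic suite that understands the actual file system, but the region classification and the hash-before-and-after discipline are the same.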
Legal Aspects of Collecting and Preserving Computer Forensic Evidence

Definition
 A chain of custody is a roadmap that shows how evidence was collected,
analyzed, and preserved in order to be presented as evidence in court.
 Preserving a chain of custody for electronic evidence requires proving that:
 No information has been added or changed.
 A complete copy was made.
 A reliable copying process was used.
 All media was secured.

Legal Requirements
 When evidence is collected, certain legal requirements must be met. These
legal requirements are vast, complex, and vary from country to country.
 CERT Advisory CA-1992-19 suggests the following text be tailored to a
corporation’s specific needs under the guidance of legal counsel:
 This system is for the use of authorized users only.
Individuals using this computer system without authority, or
in excess of their authority, are subject to having all of their
activities on this system monitored and recorded by system
personnel.
 In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities
of authorized users may also be monitored.
 Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals
possible evidence of criminal activity, system personnel may
provide the evidence of such monitoring to law enforcement
officials.
 The legality of workplace monitoring depends primarily on whether
employment policies exist that authorize monitoring and whether that
policy has been clearly communicated to employees.
 To prove that the policy has been communicated, employees should sign a
statement indicating that they have read, understood, and agreed to
comply with corporate policy and consent to system monitoring.
Evidence Collection Procedure
When the time arrives to begin collecting evidence, the first rule that must be followed is
Do not rush.
 The investigation team will need a copy of their incident-handling
procedure, an evidence collection notebook, and evidence identification
tags.
 They may also need to bring tools to produce reliable copies of electronic
evidence, including media to use in the copying process.
 In some cases, legal counsel will want photographs of the system prior to
search and seizure. If so, include a Polaroid camera in the list of tools.
The Incident Coordinator
Policy and procedure should indicate who is to act as incident coordinator.
The incident coordinator
 will contact the other members of the response team as outlined in
the Incident Response Policy, when an incident is reported.
 will be responsible for ensuring that every detail of the incident-handling
procedure is followed, upon arrival at the incident site.
 will assign team members the various tasks outlined in the incident-handling
procedure.
 will serve as the liaison to the legal team, law enforcement officials,
management, and public relations personnel.
Ultimate responsibility for ensuring that evidence is properly collected and
preserved, and that the chain of custody is properly maintained, belongs to the
incident coordinator.
The Evidence Notebook
 One team member will be assigned the task of maintaining the evidence notebook.
 This person will record the who, what, where, when, and how of the
investigation process. At a minimum, items to be recorded in the notebook
include the following:
a) Who initially reported the suspected incident, along with the time, date, and
circumstances surrounding the suspected incident.
b) Details of the initial assessment leading to the formal investigation.
c) Names of all persons conducting the investigation.
d) The case number of the incident.
e) Reasons for the investigation.
f) A list of all computer systems included in the investigation, along with
complete system specifications. Also include identification tag numbers
assigned to the systems or individual parts of the system.
g) Network diagrams.
h) Applications running on the computer systems previously listed.
i) A copy of the policy or policies that relate to accessing and using the systems
previously listed.
j) A list of administrators responsible for the routine maintenance of the system.
k) A detailed list of steps used in collecting and analyzing evidence.
Specifically, this list needs to identify the date and time each task was
performed, a description of the task, who performed the task, where the task
was performed, and the results of the analysis.
l) An access control list of who had access to the collected evidence, at what date and time.
 A separate notebook should be used for each investigation. It should be
bound in such a way that it is obvious if a page or pages have been removed.
 This notebook is a crucial element in maintaining chain of custody.
Therefore, it must be as detailed as possible to assist in maintaining this
chain.
Evidence Collection
 Another team member (or members) will be assigned the task of evidence collection.
 To avoid confusion, the number of people assigned this task should be kept to a minimum.
 This member (or members) should also be highly proficient with copying and analysis
tools.
 This person will tag all evidence and work with the person responsible for the
evidence notebook to ensure that this information is properly recorded.
 Next, the person will also be responsible for making a reliable copy of all
data to be used as evidence.
The data will include complete copies of drives on compromised or suspect
systems, as well as all relevant log files.
This can be done on-site, or the entire system can be moved to a forensics lab,
as needs dictate.
A binary copy of the data is the proper way to preserve evidence.
A reliable copy process has three critical characteristics:
 The process must meet industry standards for quality and reliability.
 The copies must be capable of independent verification.
 The copies must be tamperproof.
Once all evidence is collected and logged, it can be securely transported to the
forensics lab.
 A detailed description of how data was transported and who was
responsible for the transport, along with date, time, and route, should be
included in the log.
Storage and Analysis of Data
 The lab must provide some form of access control; a log should be kept
detailing entrance and exit times of all individuals.
 It is important that evidence never be left in an unsecured area.
 If a defense lawyer can show that unauthorized persons had access to the
evidence, it could easily be declared inadmissible.
 As analysis of evidence is performed, investigators must log the details of
their actions in the evidence notebook. The following should be included at
a minimum:
 The date and time of analysis
 Tools used in performing the analysis
 Detailed methodology of the analysis
 Results of the analysis.

 Finally, once all evidence has been analyzed and all results have been
recorded in the evidence notebook, a copy of the notebook should be made
and given to the legal team.
 If the legal team finds that sufficient evidence exists to take legal action, it
will be important to maintain the chain of custody until the evidence is
handed over to the proper legal authorities.
 Legal officials should provide a receipt detailing all of the items received for
entry into evidence.

COMPUTER IMAGE VERIFICATION AND AUTHENTICATION

2.2 Special Needs of Evidential Authentication

 During an investigation, it is decided that evidence may reside on a computer system.
 It may be possible to seize or impound the computer system, but this risks
violating the basic principle of innocent until proven guilty, by depriving an
innocent party of the use of his or her system.
 It should be perfectly possible to copy all the information from the computer
system in a manner that leaves the original system untouched and yet makes
all contents available for forensic analysis.
 The courts may rightly insist that the copied evidence is protected from either
accidental or deliberate modification and that the investigating authority
should prove that this has been done. Thus, it is not the content that
needs protection, but its integrity.
 This protection takes two forms:
 A secure method of determining that the data has not been altered
by even a single bit since the copy was taken.
 A secure method of determining that the copy is genuinely the one
taken at the time and on the computer in question.
 These elements are collectively referred to as the Digital Image
Verification and Authentication Protocol.
DIGITAL IDS AND AUTHENTICATION TECHNOLOGY
 Without an assurance of the software’s integrity, and without knowing who
published the software, it’s difficult for customers to know how much to
trust software.
 It’s difficult to make the choice of downloading the software from the Internet.
 For example, when using Microsoft Authenticode coupled with Digital IDs™ from
VeriSign®, software developers are able, through the use of digital signatures, to
include information about themselves and their code with their programs.
 When customers download software signed with Authenticode and verified
by VeriSign, they should be assured of content source, indicating that the
software really comes from the publisher who signed it, and content
integrity, indicating that the software has not been altered or corrupted since
it was signed.
Authenticode
 Microsoft Authenticode allows developers to include information about
themselves and their code with their programs through the use of digital
signatures.
 Through Authenticode, the user is informed:
1. Of the true identity of the publisher
2. Of a place to find out more about the control (the signed component being downloaded)
3. Of the authenticity of the preceding information
 Users can choose to trust all subsequent downloads of software from the
same publisher and all software published by commercial publishers that
has been verified by VeriSign.
Public Key Cryptography
 In public key cryptographic systems, every entity has two complementary
keys (a public key and private key) that function only when they are held
together.
 Public keys are widely distributed to users, whereas private keys are kept safe
and only used by their owner.
 Any code digitally signed with the publisher’s private key can only be
successfully verified using the complementary public key.
 Code that successfully verifies using the publisher’s public key could only
have been digitally signed using the publisher’s private key, and has not
been tampered with since it was signed.
Certificate Authorities
 Certification Authorities such as VeriSign are organizations that issue digital
certificates to applicants whose identity they are willing to vouch for. Each
certificate is linked to the certificate of the CA that signed it.
 VeriSign has the following responsibilities:
1. Publishing the criteria for granting, revoking, and managing certificates
2. Granting certificates to applicants who meet the published criteria
3. Managing certificates
4. Storing VeriSign’s root keys in an exceptionally secure manner
5. Verifying evidence submitted by applicants
6. Providing tools for enrollment
7. Accepting the liability associated with these responsibilities
8. Time-stamping digital signatures.

Digital ID
 A Digital ID/Certificate is a form of electronic credential for the Internet.
 A Digital ID is issued by a trusted third party to establish the identity of the ID holder.
 The third party who issues certificates is known as a Certificate Authority (CA).
 Digital ID technology is based on the theory of public key cryptography.
 The purpose of a Digital ID is to reliably link a public/private key pair with its owner.
 When a CA such as VeriSign issues a Digital ID, it verifies that the owner
is not claiming a false identity.
 When a CA issues you a digital certificate, it puts its name behind the
statement that you are the rightful owner of your public/private key pair.
How Authenticode works with VeriSign Digital IDs
Authenticode: VeriSign Digital ID process
1. Publisher obtains a Software Developer Digital ID from VeriSign
2. Publisher creates code
3. Using the SIGNCODE.EXE utility, the publisher
 Creates a hash of the code, using an algorithm such as MD5 or SHA (MD5 and SHA-1 are
no longer considered collision-resistant; current code signing uses SHA-256 or stronger)
 Signs the hash using his/her private key (the notes describe this as encrypting the hash)
 Creates a package containing the code, the signed hash, and the
publisher’s certificate
4. The end user encounters the package
5. The end user’s browser examines the publisher’s Digital ID. Using the
VeriSign root Public Key, which is already embedded in Authenticode
enabled applications, the end user’s browser verifies the authenticity of the
Software Developer Digital ID (which is itself signed by the VeriSign root
Private Key)
6. Using the publisher’s public key contained within the publisher’s Digital ID,
the end user’s browser recovers the hash from the signature (the notes describe
this as decrypting the signed hash).
7. The end user’s browser runs the code through the same hashing algorithm as the
publisher, creating a new hash.
8. The end user’s browser compares the two hashes. If they are identical, the
browser reports that the content has been verified by VeriSign, and the end
user has the confidence that the code was signed by the publisher identified in
the Digital ID, and the code hasn’t been altered since it was signed.
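The following Go program is an added example of the exchange just described and of the public key relationship explained earlier; it is not SIGNCODE.EXE, Authenticode or VeriSign code. The certification authority, the publisher and the end user's verifier are all played in one file using the standard library's crypto/x509 and crypto/rsa. Assumptions: a hypothetical SignedPackage layout in place of the PKCS#7 container real Authenticode uses, SHA-256 with RSA PKCS#1 v1.5 signatures, certificates valid for one day, and a root that signs the publisher's certificate directly with no intermediate CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SignedPackage is what the publisher ships: code, a signature over its hash, and the
// publisher's certificate. Hypothetical layout; real Authenticode uses a PKCS#7 container.
type SignedPackage struct {
	Code, Signature, CertDER []byte
}

// issue creates a certificate from tmpl signed by signer; parent nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA plays the certification authority: its root key signs publisher certificates.
func NewRootCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// IssuePublisherID is step 1, the CA vouching for a publisher it has identified: a
// certificate restricted to code signing, chained to the root.
func IssuePublisherID(root *x509.Certificate, rootKey *rsa.PrivateKey, publisher string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: publisher},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	cert, err := issue(tmpl, root, &key.PublicKey, rootKey)
	return cert, key, err
}

// SignCode is step 3: hash the code, sign the hash with the private key, package everything.
func SignCode(code []byte, cert *x509.Certificate, key *rsa.PrivateKey) (SignedPackage, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedPackage{Code: code, Signature: sig, CertDER: cert.Raw}, err
}

// VerifyPackage is steps 5-8: the publisher certificate must chain to a trusted root and be
// valid for code signing, then the signature is checked against a fresh hash of the code.
func VerifyPackage(pkg SignedPackage, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(pkg.CertDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("publisher key is not RSA")
	}
	digest := sha256.Sum256(pkg.Code)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], pkg.Signature); err != nil {
		return "", errors.New("code altered since signing, or signature not from this key")
	}
	return cert.Subject.CommonName, nil
}
```

VerifyPackage fails in two separate ways that are worth keeping apart when reading a browser's warning: a certificate that does not chain to an embedded root (or is not permitted to sign code) is rejected before the code is even hashed, while a chain that checks out but a hash that does not match means the code changed after signing. Real verifiers also consult revocation data and the time stamp discussed below.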
Time Stamping: Because key pairs are based on mathematical relationships that
can theoretically be "cracked" with a great deal of time and effort, it is a well-
established security principle that digital certificates should expire. A trusted
time stamp on the signature records that it was made while the certificate was still
valid, so signed code can still be verified after the publisher's certificate has expired.
2.3 Practical Consideration
 It is useful to present some fundamental requirements of a forensic data
collection system before considering how these can be securely protected.
 Other forensic experts may argue against some or all of them:
a. Forensic data collection should be complete and non-software-specific,
avoiding software traps and hidden partitioning.
b. In operation, it should be as quick and as simple as possible to avoid error or delay.
c. It should be possible for anyone to use a forensic data collection
system with the minimum amount of training.
d. Necessary costs and resources should be kept to a minimum.
 To meet the conditions specified in items b, c, and d, the digital integrity
verification and authentication protocol must be tailored to suit.
 Only investigators issued with a valid digital signature would be able to complete copies.
2.4 Practical Implementation
 A minimum amount of reliance is placed on the technical
ability of the operator/investigator.
 It must be understood that during the copying process, procedures are
implemented to trap and handle hardware errors, mapping exceptions where
necessary.
 It must also be understood that procedures are implemented to verify that
information is copied correctly.
 The verification information is stored on each cartridge within a copy series.
 Also stored on each cartridge is a reference area containing copy-specific
information such as CPU type and speed, hardware equipment indicators,
copying drive serial number, cartridge sequence number, exhibit details and
reference comments, operator name together with a unique password, and the
real date and time as entered by the operator.
 The cartridge is divided into blocks of an arbitrarily chosen size. Blocks may
contain reference, ROM, CMOS, or disk data depending on their location on
the cartridge. Each cartridge contains the information copied from the suspect
drive on a sector by sector basis.
Safe Boxes and the Vault
 As each block is copied and verified, a hash value is generated such that a
single bit change anywhere within the block would produce a different hash.
The result is stored in the relevant safe box and copying proceeds to the next block.
 Once all the blocks relevant to a particular cartridge have been copied and
treated in this way, the whole group of safe boxes, collectively referred to as
the vault, are treated as an individual block and a vault hash value is
generated and stored in the final safe box. The vault is then copied to another
area of the cartridge and this second copy is encrypted.
 The vault hash value for each cartridge is stored in a separate area in memory
and the operator is prompted to insert a new cartridge until the copy is
completed. The final cartridge will contain similar information to the others
in the series and in addition will have the accumulated vault hash values from
all other cartridges in the series.
 Once the final cartridge has been copied, the operator is prompted to insert a
preformatted floppy disk into the drive used to start the DIBS process. All of
the accumulated vault hash values are then written to a floppy disk together
with the reference details of the whole copy procedure. At least two identical
floppy disks are created in this manner.
 The floppy disks are then sealed in numbered, tamperproof bags and both
numbers are written on both envelopes. The computer owner is given his or
her chosen floppy and the other is placed in secure storage.
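As an added example that covers both the Practical Implementation and the Safe Boxes and the Vault passages above (it is not DIBS code or any vendor's), the following Go program splits a constructed byte string into blocks, fills one safe box per block, hashes the whole group of safe boxes into a vault hash, accumulates the vault hashes of a series of cartridges into the final record, and makes the encrypted second copy of the vault. Assumptions: SHA-256 as the block and vault hash, AES-256-GCM for the encrypted copy (the notes name no algorithms), and a Cartridge struct holding the blocks in memory in place of a physical cartridge with its reference area.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Cartridge is one unit of a copy series: raw blocks, one safe box (a SHA-256 hash) per block,
// and the vault hash computed over the whole group of safe boxes.
type Cartridge struct {
	Blocks    [][]byte
	SafeBoxes [][32]byte
	VaultHash [32]byte
}

// joinBoxes lays the safe boxes end to end so the vault can be treated as one block.
func joinBoxes(boxes [][32]byte) []byte {
	out := make([]byte, 0, 32*len(boxes))
	for _, b := range boxes {
		out = append(out, b[:]...)
	}
	return out
}

// FillCartridge copies data in blocks of an arbitrarily chosen size (the last may be short),
// hashes each block into its safe box as it goes, then hashes the vault.
func FillCartridge(data []byte, blockSize int) Cartridge {
	var c Cartridge
	for i := 0; i < len(data); i += blockSize {
		end := i + blockSize
		if end > len(data) {
			end = len(data)
		}
		c.Blocks = append(c.Blocks, data[i:end])
		c.SafeBoxes = append(c.SafeBoxes, sha256.Sum256(data[i:end]))
	}
	c.VaultHash = sha256.Sum256(joinBoxes(c.SafeBoxes))
	return c
}

// VerifyCartridge recomputes every safe box and returns the indices of blocks whose contents
// changed (one flipped bit is enough), plus whether the stored vault hash still matches.
func VerifyCartridge(c Cartridge) (bad []int, vaultOK bool) {
	for i, b := range c.Blocks {
		if sha256.Sum256(b) != c.SafeBoxes[i] {
			bad = append(bad, i)
		}
	}
	return bad, sha256.Sum256(joinBoxes(c.SafeBoxes)) == c.VaultHash
}

// SealSeries is the record written to the floppy when the copy completes: the accumulated
// vault hashes of every cartridge in the series, in order, hashed into one value.
func SealSeries(series []Cartridge) [32]byte {
	var all [][32]byte
	for _, c := range series {
		all = append(all, c.VaultHash)
	}
	return sha256.Sum256(joinBoxes(all))
}

// NewVaultCipher builds the AEAD for the encrypted vault copy (AES-256-GCM, 32-byte key; assumed).
func NewVaultCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVault writes the second, encrypted copy of the vault as nonce||ciphertext.
func EncryptVault(gcm cipher.AEAD, boxes [][32]byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, joinBoxes(boxes), nil), nil
}

// DecryptVault opens the encrypted copy; GCM rejects it if a single bit was changed.
func DecryptVault(gcm cipher.AEAD, sealed []byte) ([][32]byte, error) {
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed vault too short")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, err
	}
	boxes := make([][32]byte, len(plain)/32)
	for i := range boxes {
		copy(boxes[i][:], plain[i*32:])
	}
	return boxes, nil
}
```

The two layers are what make the scheme useful in court: a changed block is pinpointed by its own safe box, and a changed safe box is caught by the vault hash, so neither the data nor the record of the data can be altered quietly. The sealed floppy value from SealSeries ties every cartridge of the series together in order, which is why it is the one value handed to the computer owner and to secure storage.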
Security Considerations
 Computer forensics investigators are constantly discovering new vulnerabilities
in old image verification and authentication products.
 As a result, CIOs (Chief Information Officers) are devoting more money and
time to image verification and authentication security.
 Staff members are the ones who make sure viruses don’t come in and holes
aren’t created in the firewall.
 They have to understand that most business is built on trust, and their role in
maintaining trust is crucial.
 It’s difficult, perhaps impossible, to measure the return on investment in security.
 You have to protect your data. It only takes one time: one hacker getting
in and taking all your financial data.
 It would be irresponsible on a CIO’s part not to have the strongest image
verification and authentication security possible.
