Module 3 - Building-Environments-For-Digital-Forensics

This document discusses building environments for digital forensics. It covers topics such as forensic laboratories, policies and procedures, quality assurance, hardware and software, and accreditation versus certification. Forensic laboratories are typically run by law enforcement agencies and must follow strict policies for evidence handling, security, and documentation.

Uploaded by

dungnthe172688

3. Building environments for digital forensics

Topics

• Forensic Laboratories
• Policies and Procedures
• Quality Assurance
• Hardware and Software
• Accreditation v. Certification
Forensic Laboratories
Forensic Labs

• Most are run by law enforcement agencies
• FBI's crime lab in Quantico, VA is largest in the world
• Regional Computer Forensic Laboratory (RCFL)
– FBI Program
– 16 facilities throughout US
– They process smartphones, hard drives, GPS units, and flash drives
Virtual Labs

• Evidence repository separate from the examiner
• This is how the FBI does it
• Saves money, increases access to resources
• Role-based access
– Examiners and management get full access
– Investigators, prosecutors, and attorneys get restricted access
[Diagram: drive images on a server; the examiner connects remotely]
Concerns with Virtual Labs

• Security
– Must retain integrity or evidence will be inadmissible in court
• Performance
– High-speed connectivity required
• Cost
Lab Security

• Physical security
– Keep unauthorized people out of critical areas
• Examination stations
• Evidence storage
– Keys, swipe cards, access codes
– Digital access control is better than keys
• Keeps an audit trail to support chain of custody
– Protection from fire, flood, etc.
Chain of Custody

• Evidence must be signed in and out of storage
• Evidence log must be complete
Work in Isolation

• Forensic examination computer should not be connected to the Internet
• This avoids arguments over contamination by malware
• Evidence drives may contain malware
– Scan them with antivirus software
Evidence Storage

• Data safe
– Protects evidence from tampering
– Fireproof and waterproof
• Evidence log
– Must record who entered, when, and what they removed or returned
• Data storage lockers must be kept locked
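The sign-in/sign-out and evidence-log rules above, as an added Python illustration that is not part of the slides: every removal and return is recorded with who, when and which item, a second sign-out of an item already out is refused, and the records are SHA-256 chained so a later edit to any entry is detectable. Item and examiner identifiers are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EvidenceLog:
    """Append-only evidence sign-in/sign-out log.  Each record holds who, when,
    which item, and OUT (removed) or IN (returned).  Records are SHA-256
    chained, so editing or deleting any earlier record breaks verify().
    Illustrative only: a real lab keeps this on access-controlled storage."""

    def __init__(self):
        self.entries = []      # records, oldest first
        self.custodian = {}    # item id -> holder ("" means in storage)

    def _append(self, who, action, item, when):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "when": when, "who": who,
                "action": action, "item": item, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def sign_out(self, who, item, when=None):
        """Remove an item from storage; refuse if someone already holds it."""
        if self.custodian.get(item):
            raise ValueError(f"{item} already signed out to {self.custodian[item]}")
        self._append(who, "OUT", item, when)
        self.custodian[item] = who

    def sign_in(self, who, item, when=None):
        """Return an item; only the person who signed it out may sign it in."""
        if self.custodian.get(item) != who:
            raise ValueError(f"{item} is not signed out to {who}")
        self._append(who, "IN", item, when)
        self.custodian[item] = ""

    def outstanding(self):
        return {item: who for item, who in self.custodian.items() if who}

    def verify(self):
        """Recompute the chain; False if any record was altered or removed."""
        prev = "0" * 64
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != seq or body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```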
Policies and Procedures
Standard Operating Procedures (SOPs)

• Documents that detail evidence collection, examinations, etc.
• These ensure consistency and reliability
• Very important to handle questions in court
• Unusual situations will often require special handling
Best Practices for Evidence Collection

• For proper evidence preservation, follow these procedures in order (Do not use the computer or search for evidence)
1. Photograph the computer and scene
2. If the computer is off do not turn it on
3. If the computer is on photograph the screen
4. Collect live data - start with RAM image (Live Response locally or remotely via F-Response) and then collect other live data "as required" such as network connection state, logged on users, currently executing processes etc.
5. If hard disk encryption detected (using a tool like Zero-View) such as full disk encryption i.e. PGP Disk — collect "logical image" of hard disk using dd.exe, Helix - locally or remotely via F-Response
6. Unplug the power cord from the back of the tower - If the computer is a laptop and does not shut down when the cord is removed then remove the battery
Best Practices for Evidence Collection

7. Diagram and label all cords
8. Document all device model numbers and serial numbers
9. Disconnect all cords and devices
10. Check for HPA then image hard drives using a write blocker, Helix or a hardware imager
11. Package all components (using anti-static evidence bags)
12. Seize all additional storage media (create respective images and place original devices in anti-static evidence bags)
13. Keep all media away from magnets, radio transmitters and other potentially damaging elements
14. Collect instruction manuals, documentation and notes
15. Document all steps used in the seizure
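Steps 5 and 10 above produce a drive image, and the deck's later advice to verify findings with a second tool applies to that image. As an added example that is not from the slides or from dd, Helix or any other named tool, this Python code copies a device block by block in the manner of dd's conv=noerror,sync (an unreadable block is zero-filled and its offset recorded so later offsets stay aligned) and then re-hashes the stored image independently. FakeDevice is a constructed stand-in for a real block device.

```python
import hashlib
import io

BLOCK = 4096   # read granularity, the equivalent of dd's bs=

class FakeDevice:
    """Constructed stand-in for a block device (test data, not a real drive).
    read() raises OSError for any block in bad_blocks and moves past it."""

    def __init__(self, data, bad_blocks=()):
        self.data, self.bad, self.pos = data, set(bad_blocks), 0

    def read(self, n):
        if self.pos >= len(self.data):
            return b""
        start, self.pos = self.pos, self.pos + n
        if start // BLOCK in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[start:start + n]

def image_device(src, dst, block=BLOCK):
    """Block-wise copy in the spirit of `dd conv=noerror,sync`: a block that
    cannot be read is logged and written as zeros so every later offset in
    the image still matches the source.  Returns (sha256 hex of the image
    as written, list of zero-filled block offsets)."""
    digest, bad, offset = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(block)
        except OSError:
            chunk = b"\x00" * block      # keep offsets aligned
            bad.append(offset)           # goes in the examiner's notes
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return digest.hexdigest(), bad

def acquire_to_memory(src):
    """Run image_device into an in-memory buffer (fine for small test inputs)."""
    buf = io.BytesIO()
    digest, bad = image_device(src, buf)
    return buf.getvalue(), digest, bad

def verify_image(image_bytes, expected_sha256):
    """Independent re-hash of the stored image: the 'second tool' check.
    A mismatch, or a non-empty bad-block list, means the copy is not faithful."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256
```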
Quality Assurance
Quality Assurance

• A well-documented system of protocols used to assure accuracy and reliability
• Peer reviews of reports
• Evidence handling
• Case documentation
• Training of lab personnel
Reviews

• Technical review
– Focuses on results and conclusions
– Are the results reported supported by the evidence?
• Administrative review
– Ensures all paperwork is present and completed correctly
Proficiency Testing

• Examiner's competency must be confirmed and documented
• Open test
– Examiner is aware they are being tested
• Blind test
– Examiner is not aware they are being tested
• Internal test
– Conducted by agency itself
• External test
– Conducted by independent agency
• Results must be documented
Fred Zain

• West Virginia State Police forensics expert who testified in hundreds of criminal cases
• Very persuasive in court
• …became something of a forensics "star," sought after by prosecutors who wanted to win convictions in difficult cases
Lies

• Falsified his own credentials
• Fabricated and altered evidence
• Convicted an innocent man of sex crimes in 1997
– He was freed when DNA evidence proved he was innocent
– Sued State of West VA
– That exposed Fred Zain
• Real rapist was caught 24 years later
Tool Validation

• Each tool, software or hardware, must be tested before use on an actual case
• Paper records are necessary to prove this
Documentation

• Case File
– Case submission forms
– Requests for assistance
– Chain of custody reports
– Examiner's notes
– Crime scene reports
– Examiner's final reports
– Copy of search authorization
– All collected in a case file
• Preprinted forms help maintain uniformity
Examiner Notes

• Must be detailed enough to enable another examiner to duplicate the process
– Discussions with key players including prosecutors and investigators
– Irregularities found and actions taken
– OS versions & patches
– Passwords
– Changes made to the system by lab personnel and law enforcement
• It may be years before trial, and you will need to understand your notes
Examiner's Final Report

• Formal document delivered to prosecutors, investigators, opposing counsel, etc.
• Remember the audience is nontechnical
• Avoid jargon, acronyms, and unnecessary details
Examiner's Final Report Contents

• Identity of the reporting agency
• Case ID #
• Identity of the submitting person and case investigator
• Dates of receipt and report
• Detailed description of the evidence items submitted
– Serial numbers, makes, models, etc.
• Identity of the examiner
• Description of the steps taken during the examination process
• Results and conclusions
Examiner's Final Report Sections

• Summary
– Brief description of the results
• Detailed findings
– Files pertaining to the request
– Files that support the findings
– Email, Web cache, chat logs, etc.
– Keyword searches
– Evidence of ownership of the device
• Glossary
Digital Forensic Tools
Digital Forensic Tools

• NIST's Forensic Tool Testing Project
[Image: sample report]
Hardware Tools

• Cloning devices
• Cell phone acquisition devices
• Write blockers
• Portable storage devices
• Adapters
• Cables
• Much more
[Image: hardware tools, from textbook]
Computer Recommendations

• Multiple multicore processors
• As much RAM as possible
• Large, fast hard drives
• FTK 4 recommends:
– 64-bit processor, Quad core
– 8 GB RAM
– A dedicated 150 GB hard disk for the PostgreSQL database; SSD or RAID preferred
– 1 GB network
Non-PC Hardware

• Cellebrite's UFED
– Supports over 3,000 phones
Paraben

• Competes with Cellebrite
• Supports more than 4,000 phones, PDAs, and GPS units
Cloners and Kits

• Hardware Cloners
– Faster, can clone multiple drives at once
– Provide write protection, hash authentication, drive wiping, audit trail…
• Crime scene kits
– Preloaded with supplies to collect digital evidence
– Pens, digital camera, forensically clean storage media, evidence bags, evidence tape, report forms, markers…
Software: Open-Source

• SIFT: SANS Investigative Forensic Toolkit
• SIFT Workstation is free, based on Ubuntu
SIFT Capabilities

• File carving
• Analyzing file systems
– Windows (MSDOS FAT, VFAT, NTFS)
– Mac (HFS)
– Solaris (UFS)
– Linux (ext2/3/4)
• Web history
• Recycle bin
• Memory
• Timeline
SIFT Capabilities

• Evidence Image Support
– Expert Witness (E01)
– RAW (dd)
– Advanced Forensic Format (AFF)
SIFT Capabilities

• The Sleuth Kit (File system Analysis Tools)
• log2timeline (Timeline Generation Tool)
• ssdeep & md5deep (Hashing Tools)
• Foremost/Scalpel (File Carving)
• Wireshark (Network Forensics)
• Vinetto (thumbs.db examination)
• Pasco (IE Web History examination)
• Rifiuti (Recycle Bin examination)
• Volatility Framework (Memory Analysis)
• DFLabs PTK (GUI Front-End for Sleuthkit)
• Autopsy (GUI Front-End for Sleuthkit)
• PyFLAG (GUI Log/Disk Examination)
Commercial Tools

• EnCase & FTK have similar capabilities
– Searching
– E-mail analysis
– Sorting
– Reporting
– Password cracking
EnCase & FTK

• Search tools
– E-mail addresses
– Names
– Phone numbers
– Keywords
– Web addresses
– File types
– Date ranges
Don't Trust Tools

• Using a tool without understanding what it's doing is a trap
• Verify all findings with a second tool, like a simple hex editor
• You must figure out how the data got on the system and what it means
Other Multipurpose Tools

• Acquisition, verification, searching, reporting, wiping, etc.
– SMART
– ProDiscover
– X-Ways Forensics
– Helix (Linux-based)
– Raptor (Linux-based)
Other Tools

• Mac Tools
– SoftBlock
– MacQuisition
– BlackLight
– BlackBag
– Mac Marshal
Other Tools

• Dossier from LogiCube
– Hardware acquisition
• Tableau
– Write-blockers
• WiebeTech
– Write-blockers
Accreditation v. Certification
Accreditation

• Endorsement of a crime lab's policies and procedures
– ASCLD/LAB does this
• Very burdensome to achieve
• Not possible for every lab
– ASTM also accredits labs
Certification

• Applies to examiners, not the lab
– SWGDE Core Competencies for Forensic Practitioner Certification
• Pre-examination procedures and legal issues
• Media assessment and analysis
• Data recovery
• Specific analysis of recovered data
• Documentation and reporting
• Presentation of findings
Q&A

http://fpt.edu.vn 05/20/24 50
