In my first column on this subject, I introduced a set of seven guidelines for IT departments when considering the forensic investigation of a suspect computer system. In part two, I'll offer seven more best practices and recommended steps to be used in conducting the actual examination.
These columns started as a conversation with John Colbert, president and CEO of Guidance Software, a publisher of forensic software and a provider of professional investigative services. An ex-cop, Colbert ran the professional services business before recently becoming president of the company.
Following our conversation, John was kind enough to summarize the discussion into the bullet points presented here. My hope is that this information will keep well-meaning IT staff out of trouble and encourage proper investigative technique.
If an investigation is going to be conducted by an IT professional, the following seven steps should be considered:
Using Best Practices: Enter into the investigation with the understanding that the courts rely on best practices when ruling on the admissibility of evidence. Even though the initial thought is that a simple investigation is not going to court, an unexpected discovery (for example, evidence of a crime rather than a policy violation) can change the entire direction. That's why it is always important to follow best practices from the first step, not only once the matter turns serious.
Taking an introductory course in computer forensics would be extremely helpful for learning the basic best practices for data collection. NIST Special Publication 800-61, the "Computer Security Incident Handling Guide," provides a good overview of incident handling, including technical best practices.
How Much Data Should Be Collected?: It is important to decide whether the collection will include a few files or the entire hard drive. This decision should be based upon whether other data on the computer, which most likely will be destroyed or altered if not collected now, may be needed later in the investigation. If deleted files are to be recovered, it is essential to make a complete copy of the entire hard drive, because deleted content lives in unallocated space that a file-by-file copy never touches, unless enterprise remote-forensic software is used.
Don't forget that the files or data sought may be embedded in database records, compressed archives, encrypted files, e-mail stores, etc. It may not be simple to locate the files or data in question. Under these conditions, it may be wise to collect the entire drive, so a subsequent examination can take place offline without returning to the suspect machine.
Preserving Data
How Will the Data Be Preserved?: It is important to preserve the data in a manner that confirms it was not altered during or after collection. One method is to copy the data to a CD-ROM, though there is still an intermediary period, between reading the data and finishing the burn, during which it could have been altered; recording a hash of the data at the moment of collection and logging it closes that window. Another is to use commercially available computer forensic tools to collect the data. Best practices strongly favor this process.
The top-of-the-line forensic tools, such as Guidance Software's EnCase, automatically preserve data and authenticate that it has not changed during or since collection, while also tracking chain of custody.
Access to the Computer: Will the computer be accessed physically or through the network? If the computer is going to be accessed physically, the hard drive can be removed and copied. Most computer forensic investigators use forensic write-blocking devices when this process is chosen.
- Turn the computer off. (Computer forensic experts have significant training on when and how to power off computers depending on the operating system and the state of the machine.)
- Photograph the exterior and attached devices.
- Inspect and document the exterior.
- Inspect and document the interior.
- Document the details of the hard drive(s).
- Use a trusted computer and a freshly wiped and formatted hard drive for the collection.
- Connect the drive(s) to a write-blocking device, if available.
- Copy the data from the hard drive(s) to the newly formatted hard drive, or create an evidence file with the forensic software.
- After the copy is complete, verify the integrity of the copied data. This is done by hashing the source before imaging and the image afterward and comparing the values; the column's practice of the day was MD5, and because MD5 collisions are now practical, record a SHA-256 hash alongside it. Forensic software does this automatically.
- Replace the hard drive in the computer, and complete any documentation.
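The physical-collection steps above, carried out with standard tools, as an added example that is not from the column or from Guidance Software: the source is hashed before imaging, copied with dd sector by sector, and both the image and the source are re-hashed afterward, with every value written to an acquisition log. It assumes GNU coreutils (dd, md5sum, sha256sum) and a hardware write-blocker between the suspect drive and the collection workstation; the "drive" here is a constructed 1 MiB random file standing in for a device such as /dev/sdX so the script runs without privileges. The function names (hash_file, verify_image, image_and_verify, make_demo_source) are this example's own.

```shell
#!/bin/sh
# Added example: forensic-style imaging with before/after hashing and a log.
# Assumes GNU coreutils; the suspect drive sits behind a hardware write-blocker.
set -eu

# hash_file FILE -> prints "md5 sha256" on one line
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# verify_image IMAGE "md5 sha256" -> 0 if IMAGE still hashes to those values
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# image_and_verify SRC DST LOG -> 0 only if source, image and re-read source all match
image_and_verify() {
    src=$1; dst=$2; log=$3
    [ -e "$src" ] || { echo "source $src missing" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite existing image $dst" >&2; return 2; }

    before=$(hash_file "$src")
    {
        echo "acquisition start : $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source            : $src"
        echo "source md5/sha256 : $before"
    } >> "$log"

    # bs=512 matches the sector size; conv=noerror,sync keeps going past an
    # unreadable sector and pads it with zeros so later offsets stay aligned.
    # dd's record counts go to the log as part of the acquisition record.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>> "$log"

    after=$(hash_file "$dst")
    src_again=$(hash_file "$src")   # proves the source was not changed by the read
    {
        echo "image md5/sha256  : $after"
        echo "source re-hash    : $src_again"
        echo "acquisition end   : $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"

    if verify_image "$dst" "$before" && [ "$before" = "$src_again" ]; then
        echo "VERIFIED" >> "$log"
        return 0
    fi
    echo "HASH MISMATCH" >> "$log"
    return 1
}

# Constructed stand-in for a suspect drive: 1 MiB of random bytes (2048 sectors).
make_demo_source() {
    head -c 1048576 /dev/urandom > "$1"
}

# Demo run on the constructed source; point src at a real device behind a
# write-blocker (and dst at the freshly wiped collection drive) for real use.
demo_dir=$(mktemp -d)
make_demo_source "$demo_dir/suspect.raw"
image_and_verify "$demo_dir/suspect.raw" "$demo_dir/suspect.dd" "$demo_dir/acquisition.log"
cat "$demo_dir/acquisition.log"
```

The re-hash of the source after imaging is the cheap check that the write-blocker did its job; if it differs from the pre-image value, the acquisition is not defensible regardless of whether the image matches. The script refuses to overwrite an existing image so that a second run cannot silently replace evidence already logged.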
If the computer is going to be accessed remotely, through the network, there is a very good chance that the date and time stamps of the files will be altered in the process, because an ordinary network copy reads the files through the live operating system. According to Colbert, the only network-enabled computer forensic tool available that can collect the data in a forensic manner is Guidance Software's EnCase Enterprise Edition.
Examine the Data: After the data has been collected, it should be examined. If the examination takes place before collection, for instance by opening files on the suspect machine, file metadata such as access times is altered, and on a live system the original values are permanently destroyed.
Do not examine the original collected data if it is in raw format; opening files in it alters their metadata permanently. Work from a verified copy (or from the raw image mounted read-only), or use a forensic tool that packages the image in an evidence file that prevents any changes whatsoever. Best practices today strongly favor using a forensic tool.
Report or Present the Findings: Whether the information was found or not, a report should be prepared documenting the findings or lack thereof, unless otherwise directed by management or legal counsel. Some computer forensic tools have a reporting mechanism to aid in this step.
Archive the Data: Copy the data and any associated electronic findings to CD-ROM, DVD or digital tape. Label the storage media appropriately, including the hash values recorded at collection so the archive can be re-verified later. Store it in a safe, secure environment until authorized to destroy it.
There you have the 14 guidelines, best practices and steps an IT staff should follow in conducting an investigation. As I said, it's my hope this information will fall into the hands of everyone who might someday be asked to "look into" someone's computer and doesn't really understand what that process entails.