Digital Crime Scene Investigation Methodology
Last updated
There is no single way to conduct an investigation.
It does not matter which process is used, as long as we find the right person and do not break any laws in the process.
However, some processes are more efficient than others.
The four major phases are based on the physical crime scene investigation process:
Physically identify the origin of the digital evidence.
Choose the best approach to analyze it.
Seize the equipment.
Preserve the state of the digital crime scene.
Reduce the amount of evidence that may be lost.
Legal requirements may cause you to unplug the system and make a full copy of all data; or,
in a case involving a spyware infection or a honeypot, no preservation at all may be performed;
if the case is not going to court, techniques in between can be used.
Pull the plug to reduce the amount of evidence that is overwritten.
Make duplicate copies of all data.
Use write blockers to prevent evidence from being overwritten.
Kill or suspend suspect processes; unplug or limit the network connection.
Use an empty hub or switch to prevent log messages about a dead link.
Use network filters to prevent a remote connection from the perpetrator that could delete data.
Back up important data (logs, files, etc.).
When important data are saved during a post-mortem or live analysis, a cryptographic hash should be calculated to later show that the data have not changed.
This algorithm has been broken since 2004.
Use it only for backward-compatibility purposes.
It is possible to create collisions: different files with the same hash value (examples have been published).
Hash values by themselves are not enough.
given a message M, its hash value is H(M) = h.
Someone can change both M and h, because h does not depend on a secret.
Possible solution: digital signatures.
A signature depends on a private key.
Better if done with a secure device.
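As an added example, not part of the original notes, the following Go program shows the weakness described above and the fix: the preserved evidence is hashed with SHA-256, the hash is signed with Ed25519, and then both M and h are rewritten by someone without the private key. The hash-only check still passes, the signed check does not. The function names, the manifest layout and the sample evidence bytes are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Manifest: hex SHA-256 of the preserved evidence plus the examiner's Ed25519
// signature over that hash, so the hash can no longer be rewritten silently.
type Manifest struct {
	Hash string
	Sig  []byte
}

func hashEvidence(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func signManifest(data []byte, priv ed25519.PrivateKey) Manifest {
	h := hashEvidence(data)
	return Manifest{Hash: h, Sig: ed25519.Sign(priv, []byte(h))}
}

// verifyHashOnly is the weak check: whoever can edit both M and h passes it.
func verifyHashOnly(data []byte, m Manifest) bool {
	return hashEvidence(data) == m.Hash
}

// verifySigned also requires a valid signature from the examiner's key.
func verifySigned(data []byte, m Manifest, pub ed25519.PublicKey) bool {
	return verifyHashOnly(data, m) && ed25519.Verify(pub, []byte(m.Hash), m.Sig)
}

// checkEvidence signs a manifest for original, then runs both checks on later
// (the bytes presented at verification time) after rewriting the recorded hash
// to match later, which anyone holding the data but not the private key can do.
// The key is generated in memory here; in practice it belongs on a secure device.
func checkEvidence(original, later []byte) (hashOnlyPasses, signedPasses bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := signManifest(original, priv)
	m.Hash = hashEvidence(later) // rewrite h to fit the new M; Sig stays stale
	return verifyHashOnly(later, m), verifySigned(later, m, pub)
}
```

For untouched evidence both checks pass; for edited evidence with a rewritten hash only the hash-only check passes.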
Goal: find data that support or refute hypotheses about an incident.
Typically starts with a survey of common locations based on the type of incident:
Web-browsing habits: look at the Web browser cache, history file, and bookmarks.
Linux intrusion: look for signs of a rootkit or new user accounts.
It is also important to look for evidence that refutes your hypothesis, instead of only looking for evidence that supports it.
Define the general characteristics of the object for which we are searching.
Look for that object in a collection of data.
Two key steps:
Determining what we are looking for.
Determining where we expect to find it.
Most searching for evidence is done in a file system and inside files.
Search for files based on:
Their names, or patterns in their names.
A keyword in their content.
Temporal data, such as the last accessed or written time.
Hash values, compared against a database such as the National Software Reference Library (NSRL).
This allows finding all files of a given type even if someone has changed their names.
Analyzing network data based on:
Packet headers, such as IP addresses, port numbers, protocol, ...
Keywords inside packet contents.
Goal: try to answer questions about digital events in the system.
During the Evidence Searching Phase we might find several files that violate a law,
but that does not answer questions about events.
The file may have been the effect of an event, but which application downloaded it? A web browser? Malicious software? Several cases have used malware as a defense.
It may be possible to correlate the digital events with physical events.
Event reconstruction requires knowledge about the applications and the OS that are installed on the system so that you can create hypotheses based on their capabilities.