Notes - MCS
Computer Systems Forensic Analysis
Notes - MCS
Computer Systems Forensic Analysis
  • Computer Systems Forensic Analysis
  • Overview of Cybercrime
    • Cyberspace
    • Information Security Principles
    • Cybercrime vs. Computer Crime
    • Cybercrime slang
      • Images
    • Digital Evidence
  • Introduction to Digital Forensics
    • Concepts
    • Digital Forensic
    • Digital Investigation
    • Digital Crime Scene Investigation Methodology
    • Digital Evidence Handling
    • Ethical Code
  • Obtaining Evidences
    • Introduction
    • Boot Process
    • Secuere Boot Process
    • Windows Boot Process
    • Forensic Boot Tools
    • Bootable CD-ROMS - Linux Based
    • ADS
    • Forensic Sorting Tools
    • Forensic Acquisition
    • Dealing With Media Errors
    • Hidden Areas
    • Write Protection of Evidence Media
    • Storing Acquired Data
    • Image File Acquisition
    • Hash Values
  • Data Organization
    • Data Organization
    • File System
    • File Content
    • Endianness
    • Character Encoding
    • Data Structures
    • Date and Time
    • Encoding
  • Storage Devices
    • BIOS versus direct access
    • Hard Disk Geometry
    • Advanced Technology Attachment Interface
      • Device Configuration Overlay
    • Small Computer Systems Interface
    • NAND Flash memory
    • Level wearing
    • HDD vs SSD
    • Pen USB vs SSD Comparison
    • SSD Connectors, Interfaces, and Transfer Protocols
  • Volumes and Partitions
    • Concepts
    • Partition Tables
    • Sectors Addresses
    • Logical addresses
    • Volume Analysis
    • Types of Partition Tables
    • Common Partition Tables (MBR)
    • Boot Code
    • MBR examination
    • Removable Storage
    • Common Partition Tables (GPT)
    • Common Partition Tables (BSD)
    • Volumes’ Aggregation
  • RAM Analysis
    • RAM Analysis
    • General Computer Architecture
    • DMA – Direct Memory Access
    • Paging
    • Memory Acquisition
  • Mobile Forensics
    • Forensic value of phones
    • International Mobile Equipment Identifier
    • Potential Evidence
    • Forensics Dangers
    • Data Acquisition
    • Logical acquisition
    • Physical acquisition
    • Hashing
    • Software tools
  • Open Source INTelligence
    • Classical sources of information and intelligence
    • Evolution of OSINT - Open Sources Intelligence
    • Information sources
    • Closed source of information
    • Open sources
    • Information to Intelligence Cycle
    • Skills of the Analyst
    • Open Source Possibilities
    • Automated Processing
    • DarkNet
  • Documentation and Reporting
    • Introduction
    • Physical examination
    • Examining a computer
    • Media Examination
    • Examples of things to write in the report
    • Forensic Report
Powered by GitBook
On this page
  • Principles of Digital Evidence Handling.
  • Route of the Digital Evidence
  • Guidelines
  • Identification
  • Preservation
  • Isolate
  • Correlate
  • Log
  1. Introduction to Digital Forensics

Digital Evidence Handling

Last updated 1 year ago

Principles of Digital Evidence Handling.

Principles by EU-OLAF recommendation.

  1. The actions triggered by the first responders should not alter the data maintained on a computer or in a storage device that may be submitted to a court as evidence;

  2. In exceptional circumstances, if it is considered necessary to access the original data stored on a computer or in a storage device, those who do so must have skills to be able to provide evidence, explaining the relevance and implications of his actions;

  3. A chain of custody, or other record of all processes applied to digital evidence must be created and preserved. An independent third party should be able to examine these processes and obtain the same result;

  4. The person responsible for the investigation must assume overall responsibility for compliance with the law and the present principles.

Route of the Digital Evidence

Guidelines

Identification

Data states

  • stored – data permanently stored in a storage device, e. g. an hard drive;

  • in transit – data being sent through a local network, or Internet, to a reception device;

  • in reception – data being received in a device, but not yet available to the user;

  • in creation – data being locally produced and only partially available to the user;

Data sources

  • storage devices – hard drives, SSD, USB drive, tapes, ...

  • temporary location – RAM, page files, swap partitions, cache files, ...

  • peripheral devices – printers, plotters, memory card readers, ...

  • active network devices – switches, routers, modems, print servers, ...

Logical and physical location of the data

  • local or remote devices.

  • dedicated storage systems (usually on data centers).

  • computational systems (e. g. PC, laptop) has at least one storage device.

Main data types

  • simple and human readable, e. g. photos, text documents, spread sheets.

  • complex and/or structured data, e. g. data bases, file system.

  • raw data, streams of data.

Preservation

Do not modify any data that could have been evidence.

  • Copy important data, put the original in a safe place, and analyze the copy so that you can restore the original if the data is modified;

  • Calculate hash values of important data so that you can later prove that the data has not changed – better yet if you do a digital signature;

  • Use a write-blocking device during procedures that could write to the suspect data;

  • Minimize the number of files created during a live analysis because they could overwrite evidence in unallocated space;

  • Be careful when opening files on a live analysis because you could be modifying data, such as the last access time;

Prioritize the evidence to be collected.

Order of volatility:

  1. CPU, cache, and register content;

  2. routing table, ARP cache, process table, kernel statistics.

  3. RAM.

  4. temporary file system, swap space.

  5. data on local storage media.

  6. remotely logged data.

  7. data contained on archival media (backups).

Sorting

Some times it is not possible to bring all devices due to several constrains: legal, time, technically unfeasible, ...

In those situations a pre-analysis is required, but can only be performed if authorized accordingly to the country’s laws.

Isolate

Isolate yourself from the suspect data because you do not know what it might do.

  • an executable from the suspect system could delete all files on your computer, or it could communicate with a remote system;

  • opening an HTML file from the suspect system could cause your Web browser to execute scripts and download files from a remote server;

Create an isolated environment.

  • use virtual machines (VMware, VirtualBox, Xen, . . . ).

  • use an analysis network that is not connected to the outside world, or that is connected using a firewall that allows only limited connectivity.

  • isolation is very difficult, or impossible, with live analysis.

Correlate

Correlate data with other independent sources.

  • helps reduce the risk of forged data.

  • timestamps can be easily changed in most systems.

  • find log entries, network traffic, or other events that can confirm the file activity times.

This task is time consuming, specially if done without the help of software.

Log

Log and document all of your actions.

  • helps identify what you have already done and what your results.

  • helps identify what searches you have not done yet.

  • in a live analysis, or performing techniques that will modify data, it is important to document what you do so that you can later document what changes in the system were made because of your actions.

Identify devices:

  • Create tags to uniquely identify devices e. g. PC01, PC01.1, PC01.2, ...

  • Take photographs.

    • After placing tags.

    • Should be easy to read any relevant information, if needed take an overview photo and then a close up shot.

    • Computer brand, model, serial number, ...

    • Network cable connections, etc

Templates

Create templates with the required info to identify devices and services.

Reception and Tagging

Verify the list of devices delivered for analysis.

Tag the devices, taking into account that one process may have:

  • one suspect with several devices,

  • or several suspects and many devices.

  • There are processes with 30+ suspects and 200+ devices.

Tagging rules

Letters to identify the owners of the devices in a given process.

  • A, B, C, ...

Set of acronyms for each device type, followed by a 2 digits number.

  • FPHxx, SPHxx, SIMxx, MCxx, GPSxx, CAMxx, PCxx, LAPxx, HDDxx, SSDxx, PENxx, ...

A tag is composed by

  • ownerID.deviceID[.inside deviceID]

Example of a smartphone with 2 SIM cards and a memory card:

  • A.SPH01 - the handset from the owner A

  • A.SPH01.SIM01 - first SIM card.

  • A.SPH01.SIM02 - second SIM card.

  • A.SPH01.MC01 - memory card.

Photograph rules

Include the scale of a ruler in the photo.

  • photograph all the important views.

    • there are mandatory views by device type and some optional attention to details, like serial numbers, IMEI, etc.

  • Apply the view names accordingly to the 3D box.

    • The position of the device is important for some devices that might be ambiguous such is the front, e.g. SIM card.

  • Photos filenames: tagID-view name[-detail].jpg examples:

    • A.SPH01-front.jpg,

    • A.SPH01-back-serial.jpg,

    • A.SPH01.MC01-front.jpg,

Catalog the device to uniquely identify it

  • tag ID device type

  • brand and model number

  • serial number, IMEI, UICCID, ...

  • type of intervention (logical or physical acquisition)

  • device’s condition (working/ non-working)

  • contents, e. g. has SIM or memory card

  • worthy observations

  • etc