03 - Digital Devices and Processing Crime Scenes
Identify Digital Evidence
- Identify important information
- Document everything
- You have to journal always, and with something tangible that will serve as evidence in the courtroom
- A software package (a case-management tool) can keep this journal for you
Understanding Rules of Evidence
-
Repeatable processes and practices you must follow
-
Evidence submitted in a criminal case can also be submitted in a civil case
- Criminal case: someone broke the law, and the state prosecutes
- Civil case: a private dispute -> doesn't necessarily involve a crime
- Sometimes they both overlap!
- In the digital forensics world, this can be something like a hash
-
Digital evidence is different from physical evidence because it can be altered without visible trace and can be copied exactly
-
Hearsay = secondhand evidence; digital records are often hearsay unless an exception (e.g., business records) applies
- E-mail can be hearsay
- Does e-mail have any verification of who really sent it? (Without signing or authentication, the From: header is trivially forged)
-
Juries often don't understand these distinctions
Example:
- A professor leaves his laptop logged in while he goes to get a coffee, and an e-mail is sent from his account
- It is now his responsibility to prove that he didn't send that e-mail
- He has a digital receipt from Starbucks showing he was buying coffee at the time the e-mail was sent
Example:
-
Be careful of what we call metadata
-
Turn in some homework, then download it and look at the file properties: the author/owner field will carry a name
-
You might have a picture that carries a date (and often GPS coordinates) in its EXIF data
-
The process of establishing digital evidence's trustworthiness originated with written documents and the "best evidence rule"
-
Copies can be admitted in court, although they aren't considered best evidence
- In digital forensics, what gives a copy its trustworthiness is that it is a verified bit-for-bit image whose hash matches the original, and the tool that produced it documents that
Collecting Evidence in Private-Sector Incident Scenes
-
Small businesses can be 1-person, but normally ~15 employees
-
Non-government orgs have to comply with public state
-
ISPs can investigate computer abuse committed by their employees, but not by customers
-
Typically businesses have inventory databases of computer hardware and software
- What is Control 1 of CIS v8?
- 01 Inventory and Control of Enterprise Assets
-
Companies should display a warning banner and publish a policy
- Is a warning banner required by law?
- No, it is policy: as a student you sign the acceptable-use document, as an employee you do the same
- The reason for these to exist is for the jury:
- "I own them, I watch them, they are mine" (the banner establishes that users had no expectation of privacy on company systems)
-
Employers are usually interested
-
If you discover evidence of a crime during a company policy investigation
- You can call the FBI or another law enforcement authority to take over
...
Processing Law Enforcement Crime Scenes
- With probable cause, a police officer can obtain a search warrant from a judge
- That authorizes a search and seizure of specific evidence related to the criminal complaint
- The Fourth Amendment states that only warrants "particularly describing the place to be searched, and the persons or things to be seized" can be issued
Understanding Concepts and Terms Used in Warrants
-
Innocent information
- Unrelated information
- Often included with the evidence you're trying to recover
-
Judges often issue a limiting phrase to the warrant
- Allows the police to separate innocent information from evidence
-
Plain view doctrine
- Objects falling in plain view of an officer who has the right to be in position to have that view are subject to seizure without a warrant and may be introduced into evidence
- In digital forensics it is a little bit trickier.
- Three criteria must be met:
- Officer is where he or she has a legal right to be
- Ordinary senses must not be enhanced by advanced technology in any way
- They can't sit on top of a hill miles away watching you deal credit cards through a telescope; not without a warrant.
- Any discovery must be by chance
-
The plain view doctrine's applicability to digital forensics is increasingly being rejected by the courts
-
Example - In a case where police were searching a computer for evidence related to illegal drug trafficking:
- If an examiner opens an .avi file and finds child pornography, he must get an additional warrant or an expansion of the existing warrant before continuing to search for child pornography
Preparing for a Search
- Preparing for a computer search and seizure
- Probably the most important step in digital investigations
- To perform these tasks
- You might need to get answers from the victim and an informant
- Who could be a police detective assigned to the case, a law enforcement witness, or a manager or coworker of the person of interest to the investigation
Identifying the Nature of the Case
- First think about whether it's private or public
- When you're assigned a digital investigation case
- Start by identifying the nature of the case
- Including whether it involves the private or public sector
- The nature of the case dictates how you proceed
- And what types of assets or resources you need to use in the investigation
Identifying the Type of OS or Digital Device
- For law enforcement
- This step might be difficult because the crime scene isn’t controlled
- If you can identify the OS or device
- Estimate the size of the drive on the suspect's computer
- And how many devices to process at the scene
- Determine which OSs and hardware are involved
Notes:
- Protect evidence from other law enforcement people
- Need to figure out what you are dealing with
Determining Whether You Can Seize Computers and Digital Devices (1 of 2)
-
The type of case and location of the evidence
- Determine whether you can remove digital evidence
-
Law enforcement investigators need a warrant to remove computers from a crime scene
- And transport them to a lab
-
If removing the computers will irreparably harm a business
- The computers should not be taken offsite
-
Additional complications:
- Files stored offsite that are accessed remotely
- Availability of cloud storage, which may have no single physical location you can point to
- Stored on drives where data from many other subscribers might be stored
-
If you aren’t allowed to take the computers to your lab
- Determine the resources you need to acquire digital evidence and which tools can speed data acquisition
Getting a Detailed Description of the Location
- Get as much information as you can about the location of a digital crime
- Identify potential hazards
- Interact with your HAZMAT (hazardous materials) team
- HAZMAT guidelines
- Put the target drive in a special HAZMAT bag
- HAZMAT technician can decontaminate the bag
- Check for high temperatures
Notes:
- What if you get a bloody scene? You have to think about that (biohazard handling, not just the drive)
Determining Who Is in Charge
...
Using Additional Technical Expertise
- Determine whether you need specialized help to process the incident or crime scene
- You may need to look for specialists in:
- OSs
- RAID servers
- Databases
- Finding the right person can be a challenge
- Educate specialists in investigative techniques
- Prevent evidence damage
Notes:
- Do not touch anything
- Watch your teammates
- Be careful
Determining the Tools You Need
- Prepare tools using incident and crime scene information
- Create an initial-response field kit
- Should be lightweight and easy to transport
- Create an extensive-response field kit
- Includes all tools you can afford to take to the field
- When at the scene, extract only those items you need to acquire evidence
Notes:
- Be careful when taking pictures of evidence with phone cameras: computational photography (HDR, sharpening, AI enhancement) alters the captured image, which undermines it as a faithful record of the scene. Use a dedicated camera or disable such processing where you can.
Preparing the Investigation Team
- Before initiating the search:
- Review facts, plans, and objectives with the investigation team you have assembled
- Goal of scene processing
- To collect and secure digital evidence
- Digital evidence is volatile
- Develop skills to assess facts quickly
- Slow response can cause digital evidence to be lost
- Watch Mr. Robot
- "You need to have a program ready to nuke that drive"
Securing a Computer Incident or Crime Scene
-
Goals
- Preserve the evidence
- Keep information confidential
-
Define a secure perimeter
- Use yellow barrier tape
- Legal authority for a corporate incident includes trespassing violations
- For a crime scene, it includes obstructing justice or failing to comply with a police officer
-
Professional curiosity can destroy evidence
- Involves police officers and other professionals who aren't part of the crime scene processing team
-
Automated Fingerprint Identification System (AFIS)
- A computerized system for identifying fingerprints that's connected to a central database
- Used to identify criminal suspects and review thousands of fingerprint samples at high speed
-
Police can take elimination prints of everyone who had access to the crime scene
Notes:
- Make sure nobody gets around, protect the investigation
- Prevent contaminated evidence, if they touch evidence they will have a fingerprint
- You will be part of it if you do something stupid
Seizing Digital Evidence at the Scene
- Law enforcement can seize evidence
- With a proper warrant
- Corporate investigators might have the authority only to make an image of the suspect's drive
- When seizing digital evidence in criminal investigations
- Follow U.S. DOJ standards for seizing digital data
- Civil investigations follow same rules
- Consult with your attorney for extra guidelines
Notes:
- You are not going to be doing this alone, you need an expert with you
Preparing to Acquire Digital Evidence
...
Processing an Incident or Crime Scene
-
Guidelines
- Keep a journal to document your activities
- Secure the scene
- Be professional and courteous with onlookers
- Remove people who are not part of the investigation
- Take video and still recordings of the area around the computer
- Pay attention to details
- Sketch the incident or crime scene
- Check state of computers as soon as possible
-
Guidelines (cont'd)
- Save data from current applications as safely as possible
- Record all active windows or shell sessions
- Make notes of everything you do when copying data from a live suspect computer
- Close applications and shut down the computer
- Bag and tag the evidence, following these steps:
- Assign one person to collect and log all evidence
- Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
- Maintain two separate logs of collected evidence
- Maintain constant control of the collected evidence and the crime or incident scene
- Look for information related to the investigation
- Passwords, passphrases, PINs, bank accounts
- Collect as much personal information as possible about the suspect or victim
- Collect documentation and media related to the investigation
- Hardware, software, backup media, documentation, manuals
Notes:
- You need to document the scene (take pictures of connections and network configurations) because eventually you need to replicate the environment in a lab
- Traditionally only one person collects the evidence
- For consistency
- Sometimes we maintain 2 separate logs of collected evidence
- A notepad and the formal documentation, for example
- You need to note all kinds of things (environment and scene related) -> EVERYTHING is documented.
Processing Data Centers with RAID Systems
- Sparse acquisition
- Technique for extracting evidence from large systems
- Extracts only data related to evidence for your case from allocated files
- And minimizes how much data you need to analyze
- Drawback of this technique
- It doesn't recover data in free or slack space
Notes:
- File systems allocate space in fixed-size clusters (e.g., 4 KB). A file rarely fills its last cluster exactly; the leftover bytes between the end of the file and the end of that cluster are slack space. A logical copy of the file never includes them, but a bit-for-bit image does, and forensic tools can carve them. Free (unallocated) space is clusters no current file points to, including remnants of deleted files.
- Attackers could use those areas to store malicious stuff, which is exactly what sparse acquisition misses
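An added example, not part of the course notes: a toy volume image built in memory with an assumed 512-byte cluster size and an invented allocation table, showing what a logical copy of an allocated file returns versus what sits in that file's slack and in unallocated clusters. The file contents, the hidden string and the deleted-file remnant are all constructed.

```python
CLUSTER = 512        # assumed cluster size for this toy volume; NTFS/ext4 commonly use 4096
NUM_CLUSTERS = 4


def slack_size(file_size, cluster=CLUSTER):
    """Bytes between end-of-file and the end of the file's last cluster."""
    return 0 if file_size == 0 else (-file_size) % cluster


def clusters_needed(file_size, cluster=CLUSTER):
    return -(-file_size // cluster)   # ceiling division


def build_demo_volume(cluster=CLUSTER, num_clusters=NUM_CLUSTERS):
    """Constructed volume image plus a toy allocation table {name: (first_cluster, size)}.
    Not a real file system format; just enough to show where data hides."""
    image = bytearray(cluster * num_clusters)
    table = {}

    # One allocated 700-byte file starting at cluster 0 -> occupies clusters 0 and 1.
    report = (b"Quarterly report: revenue flat.\n" * 25)[:700]
    image[0:700] = report
    table["report.txt"] = (0, 700)

    # Something tucked into that file's slack (bytes 700..1023): invisible to a logical copy.
    hidden = b"hidden in slack: password=hunter2"
    image[700:700 + len(hidden)] = hidden

    # Cluster 2 is unallocated but still holds remnants of a deleted file.
    remnant = b"remnant of deleted note: meet at 9pm"
    image[2 * cluster:2 * cluster + len(remnant)] = remnant
    return image, table


def logical_copy(image, table, name, cluster=CLUSTER):
    """What a logical/sparse acquisition of an allocated file yields: exactly `size` bytes."""
    start, size = table[name]
    off = start * cluster
    return bytes(image[off:off + size])


def file_slack(image, table, name, cluster=CLUSTER):
    """The slack a physical (bit-for-bit) acquisition captures and a forensic tool can parse."""
    start, size = table[name]
    end = start * cluster + size
    return bytes(image[end:end + slack_size(size, cluster)])


def unallocated_space(image, table, cluster=CLUSTER):
    """Free space: every cluster that no allocated file points to."""
    used = set()
    for start, size in table.values():
        used.update(range(start, start + clusters_needed(size, cluster)))
    total = len(image) // cluster
    return b"".join(bytes(image[i * cluster:(i + 1) * cluster])
                    for i in range(total) if i not in used)


if __name__ == "__main__":
    image, table = build_demo_volume()
    copy = logical_copy(image, table, "report.txt")
    print("logical copy sees slack data:", b"hidden in slack" in copy)
    print("slack bytes:", file_slack(image, table, "report.txt").rstrip(b"\x00"))
    print("unallocated:", unallocated_space(image, table).rstrip(b"\x00"))
```

The logical copy is what a sparse acquisition hands you: 700 clean bytes and nothing else. Only the physical image, read cluster by cluster, exposes the 324 slack bytes and the two free clusters, which is the trade-off the slide above describes.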
Using a Technical Advisor
- A technical advisor can help:
- List the tools you need to process the incident or crime scene
- Guide you about where to locate data and helping you extract log records
- Or other evidence from large RAID servers
- Create the search warrant by itemizing what you need for the warrant
- Responsibilities
- Know all aspects of the seized system
- Direct investigator handling sensitive material
- Help secure the scene
- Help document the planning strategy
- Conduct ad hoc trainings
- Document activities
- Help conduct the search and seizure
Documenting Evidence in the Lab
- Record your activities and findings as you work
- Maintain a journal to record the steps you take as you process evidence
- Your goal is to be able to reproduce the same results
- When you or another investigator repeat the steps you took to collect evidence
- A journal serves as a reference that documents the methods you used to process digital evidence
Notes:
- Three things in digital forensics
- Puzzles, escape rooms, and journals
Processing and Handling Digital Evidence
- Maintain the integrity of digital evidence in the lab
- As you do when collecting it in the field
- Steps to create image files:
- Copy all image files to a large drive or a SAN
- Start your forensics tool to analyze the evidence
- Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash (current practice is to record SHA-256 as well, since MD5 and SHA-1 collisions are known)
- Secure the original media in an evidence locker
Notes:
- MD5 and SHA-1 have what we call collisions
- We have 2 different files; when we run the hashing function, the hash comes out the same: this is a collision! Practical collisions were demonstrated for MD5 in 2004 and for SHA-1 in 2017
Storing Digital Evidence
- The media you use to store digital evidence usually depends on how long you need to keep it
- CDs, DVDs
- Lifespan: 2 to 5 years
- Solid-state USB drives
- Optimum choice
- More durable
- Magnetic tapes - 4 -mm DAT
- Capacity: 40 to 72 GB
- Slow read and write speeds
- Lifespan: 30 years
Notes:
- What is a SCSI card?
- you needed an adapter for this, etc.
Evidence Retention and Media Storage Needs
- To help maintain the chain of custody for digital evidence
- Restrict access to lab and evidence storage area
- Lab should have a sign-in roster for all visitors
- Maintain logs for a period based on legal requirements
- You might need to retain evidence indefinitely
- Check with your local prosecuting attorney's office or state laws to make sure you're in compliance
Notes:
- Copies of your evidence must remain intact, these are serious things you have to think about
Documenting Evidence
...
Obtaining a Digital Hash
-
Cyclic Redundancy Check (CRC)
- Mathematical algorithm that detects whether a file's contents have changed accidentally
- Not considered a forensic hashing algorithm
- Typically only 32 bits (CRC-32), and it is linear, so matching values are easy to find or forge
- Used for catching transmission or storage errors, not deliberate tampering
-
Message Digest 5 (MD5)
- Mathematical formula that translates a file into a hexadecimal code value, or a hash value
- If a bit or byte in the file changes, it alters the hash value, which can be used to verify a file or drive has not been tampered with
-
Three rules for forensic hashes:
- You can't predict the hash value of a file or device
- Two different inputs should not produce the same hash value (finding such a collision must be computationally infeasible)
- If anything changes in the file or device, the hash value must change
-
Secure Hash Algorithm version 1 (SHA-1)
- Another hashing algorithm
- Published by the National Institute of Standards and Technology (NIST) as FIPS 180-1; designed by the NSA
-
In both MD5 and SHA-1, collisions have been demonstrated
-
Most digital forensics hashing needs can be satisfied with a nonkeyed hash set
- A hash value generated by a software tool, such as the Linux md5sum or sha256sum command; anyone can recompute and check it
-
Keyed hash set
- Created with a secret key (an HMAC), so only a holder of the key can produce a matching value
-
You can use the MD5 (or SHA-1) function in FTK Imager to obtain the digital signature of a file or an entire drive
Notes:
- A good hash cannot be reversed (preimage resistance): you can't recover the input from the hash value
Reviewing a Case
- General tasks you perform in any computer forensics case:
- Identify the case requirements
- Plan your investigation
- Conduct the investigation
- Complete the case report
- Critique the case
Notes:
- Think of project management stuff, what went well? what went wrong?
- Leadership 101
Sample Civil Investigation
- Most cases in the corporate environment are considered low-level investigations
- Or noncriminal cases
- Common activities and practices
- Recover specific evidence
- Suspect's Outlook e-mail folder (PST file)
- Covert surveillance
- Its use must be well defined in the company policy
- Risk of civil or criminal liability
- Sniffing tools for data transmissions
Notes:
- "A lot of justice is revenge"
Summary
-
Digital evidence is anything stored or transmitted on electronic or optical media
-
In the private sector, the incident scene is often in a contained and controlled area
-
Companies should publish a right-to-inspect-computer-assets policy
-
Private and public sectors follow same computing investigation rules
-
Criminal cases
- Require warrants
-
Protect your safety and health as well as the integrity of the evidence
-
Follow guidelines when processing an incident or crime scene
- Security perimeter
- Video recording
-
As you collect digital evidence, guard against physically destroying or contaminating it
-
Forensic hash values verify that data or storage media have not been altered
-
To analyze computer forensics data, learn to use more than one vendor tool
-
You must handle all evidence the same way every time you handle it
-
After you determine that an incident scene has digital evidence, identify the digital information or artifacts that can be used as evidence