Computer forensic examiners are responsible for technical acuity, knowledge of the law, and objectivity in the course of investigations. Success is principled upon verifiable and repeatable reported results that represent direct evidence of suspected wrong-doing or potential exoneration. This article establishes a series of best practices for the computer forensics practitioner, representing the best evidence for defensible solutions in the field. Best practices themselves are intended to capture those processes that have repeatedly shown to be successful in their use. This is not a cookbook. Best practices are meant to be reviewed and applied based on the specific needs of the organization, the case and the case
An examiner can only be so informed when they walk into a field setting. In many
cases, the client or the client’s representative will provide some information about
how many systems are in question, their specifications, and their current state.
And just as often, they are critically wrong. This is especially true when it comes to
hard drive sizes, cracking laptop computers, password hacking and device
interfaces. A seizure that brings the equipment back to the lab should always be
the first line of defense, providing maximum flexibility. If you must perform onsite,
create a comprehensive working list of information to be collected before you hit
the field. The list should be comprised of small steps with a checkbox for each
step. The examiner should be completely informed of their next step and not have
to “think on their feet.”
Overestimate effort by at least a factor of two the amount of time you will require to
complete the job. This includes accessing the device, initiating the forensic
acquisition with the proper write-blocking strategy, filling out the appropriate
paperwork and chain of custody documentation, copying the acquired files to
another device and restoring the hardware to its initial state. Keep in mind that you
may require shop manuals to direct you in taking apart small devices to access the
drive, creating more difficulty in accomplishing the acquisition and hardware
restoration. Live by Murphy’s Law. Something will always challenge you and take
more time than anticipated — even if you have done it many times.
Most examiners have enough of a variety of equipment that they can perform
forensically sound acquisitions in several ways. Decide ahead of time how you
would like to ideally carry out your site acquisition. All of us will see equipment go
bad or some other incompatibility become a show-stopper at the most critical time.
Consider carrying two write blockers and an extra mass storage drive, wiped and
ready. Between jobs, make sure to verify your equipment with a hashing exercise.
Double-Check and inventory all of your kit using a checklist before taking off.
Instead of trying to make “best guesses” about the exact size of the client hard
drive, use mass storage devices and if space is an issue, an acquisition format that
will compress your data. After collecting the data, copy the data to another
location. Many examiners limit themselves to traditional acquisitions where the
machine is cracked, the drive removed, placed behind a write-blocker and
acquired. There are also other methods for acquisition made available by the Linux
operating system. Linux, booted from a CD drive, allows the examiner to make a
raw copy without compromising the hard drive. Be familiar enough with the
process to understand how to collect hash values and other logs. Live Acquisition
is also discussed in this document. Leave the imaged drive with the attorney or the
client and take the copy back to your lab for analysis.
Pull the Plug
Heated discussion occurs about what one should do when they encounter a running
machine. Two clear choices exist; pulling the plug or performing a clean shutdown
(assuming you can log in). Most examiners pull the plug, and this is the best way to
avoid allowing any sort of malevolent process from running that may delete and
wipe data or some other similar pitfall. It also allows the examiner access to create
a snapshot of the swap files and other system information as it was last running. It
should be noted that pulling the plug can also damage some of the files running on
the system, making them unavailable to examination or user access. Businesses
sometimes prefer a clean shutdown and should be given the choice after being
explained the impact. It is critical to document how the machine was brought down
because it will be absolutely essential knowledge for analysis.
Another option is to perform a live acquisition. Some define “live” as a running
machine as it is found, or for this purpose, the machine itself will be running during
the acquisition through some means. One method is to boot into a customized
Linux environment that includes enough support to grab an image of the hard drive
(often among other forensic capabilities), but the kernel is modified to never touch
the host computer. Special versions also exist that allow the examiner to leverage
the Window’s autorun feature to perform Incident Response. These require an
advanced knowledge of both Linux and experience with computer forensics. This
kind of acquisition is ideal when for time or complexity reasons, disassembling the
machine is not a reasonable option.
An amazingly brazen oversight that examiner’s often make is neglecting to boot the
device once the hard disk is out of it. Checking the BIOS is absolutely critical to the
ability to perform a fully-validated analysis. The time and date reported in the BIOS
must be reported, especially when time zones are an issue. A rich variety of other
information is available depending on what manufacturer wrote the BIOS software.
Remember that drive manufacturers may also hide certain areas of the disk
(Hardware Protected Areas) and your acquisition tool must be able to make a full
bitstream copy that takes that into account. Another key for the examiner to
understand is how the hashing mechanism works: Some hash algorithms may be
preferable to others not necessarily for their technological soundness, but for how
they may be perceived in a courtroom situation.
Acquired images should be stored in a protected, non-static environment.
Examiners should have access to a locked safe in a locked office. Drives should be
stored in antistatic bags and protected by the use of non-static packing materials or
the original shipping material. Each drive should be tagged with the client name,
attorney’s office and evidence number. Some examiners copy drive labels on the
copy machine, if they have access to one during the acquisition and this should be
stored with the case paperwork. At the end of the day, each drive should link up
with a chain of custody document, a job, and an evidence number.
Establish a Policy
Many clients and attorneys will push for an immediate acquisition of the computer
and then sit on the evidence for months. Make clear with the attorney how long
you are willing to maintain the evidence at your lab and charge a storage fee for
critical or largescale jobs. You may be storing critical evidence to a crime or civil
action and while from a marketing perspective it may seem like a good idea to keep
a copy of the drive, it may be better from the perspective of the case to return all
copies to the attorney or client with the appropriate chain of custody
Computer examiners have many choices about how th
ey will carry out an onsite
acquisition. At the same time, the onsite acquisition is the most volatile
environment for the examiner. Tools may fail, time constraints can be severe,
observers may add pressure, and suspects may be present. Examiners need to take
seriously the maintenance of their tools and development of ongoing knowledge to
learn the best techniques for every situation. Utilizing the best practices herein,
the examiner should be prepared for almost any situation they may face and have
the ability to set reasonable goals and expectations for the effort in question.