You’ve watched the TV shows, but what really happens – or should happen – when a digital forensics professional arrives on a crime scene? Andrew Moore, Lecturer Practitioner at Anglia Ruskin University, explores the real facts.
Let's assume there's been a crime where a computer was the weapon, or at least the criminal's tool of choice. And let's also assume you've been called in by the police after they have arrested the criminal. To help gather evidence, you're the first person to enter the suspect's computer room. What do you do? What are your objectives, your tools and what are the rules?
Digital forensics or digital forensic science is a branch of forensic science. It encompasses the recovery, investigation, examination and analysis of data that’s been found on digital devices.
The specialism has its roots in the personal computing revolution of the late 1970s and early 1980s. It evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.
As you read on, Andrew Moore, Lecturer Practitioner, takes us on a tour of crime scene process, tools and best practice.
As a forensics expert – what's your goal or your primary objective?
The primary objective is to identify, scientifically secure and preserve potentially relevant digital devices. This could be anything from a PC that is turned off to a device commonly found turned on, such as a mobile phone, a smartwatch on a person's wrist, or an internet wi-fi router.
Once these devices have been identified and secured, it's a case of prioritising them one by one. For example, devices that are switched off and unplugged from the wall are not likely to have data that is currently being modified just by the gadget sitting there. This is in contrast to a mobile phone that will likely be connected to the internet, have a cell signal, and have a variety of apps running in the background.
All these apps can potentially change data constantly or could be wiped remotely. So the phone would be the priority and would need to be put into aeroplane mode so it loses all wireless connectivity to help prevent change. As the phone is still turned on, data locally on the phone will continue to change until it is powered off.
Talk to us about good practice in the seizure phase – how do you preserve evidence? Do you yank the network connection immediately?
From experience, you will be given a briefing by law enforcement on the nature of the case. Operationally, you’ll be given a list of instructions and the investigation stages the officer wants you to follow.
Before starting, it is good practice to have a clear plan of how you wish to process devices systematically with documentation to show what you did and when. Typically you progress room by room and mark devices or link them to a specific hotspot on the premises. These will all be things that police intelligence has deemed important.
You are looking for devices whose data is in danger of being modified, while leaving the other computers switched off. You can leave the other devices – these can wait for later extractions.
Extractions are done on-site if devices contain a small amount of data. If they are too large or the data is deemed illegal, they will be seized for later examination. Forensic scientists may wish to process a device before you can handle it. This depends on the device in question and the nature of the case. For example, if a device was covered in blood and appeared switched off, it is more critical that wet forensics handle it first.
Another example is a PC turned on and logged into a well known private forum or TOR chat room. Pulling the network connection could potentially lose vital evidence and a link to other suspects. This would require live forensics on the machine using triaging software to gather and record files such as browser artefacts and a RAM dump. You might also explore whether any remotely connected devices are present – hard drives hidden under floorboards are not unheard of!
Do you try and capture the most ephemeral data first and work towards the most solid? Is there a standard acquisition methodology?
Different forensic methodologies can vary depending on where you are in the world. For example, in the UK, there are five steps: identification, preservation, collection, analysis, and reporting. Along with these, it pays to have a solid working knowledge of the Association of Chief Police Officers (ACPO) good practice guidelines.
We want to identify the device and work out if it contains electronically stored information (ESI). Unfortunately, we cannot tell if a device holds potentially relevant evidence or not. So, we must err on the side of caution.
Once identified, we want to preserve this information and document and photograph the device. This is quite important as a device can be damaged on-site. These photographs will show that you didn't do it. Evidence preservation then can be done by removing the hard drive or memory card from a switched-off device and copying it using a forensic write blocker. This aligns with ACPO principle 1.
A write blocker is a device that stops our forensic machine from modifying the data. They allow you to read information on a drive without the risk of accidentally damaging or changing the drive’s contents. Live devices, those which are powered on, need to be handled differently. No one process fits all. A different process exists for phones compared to PCs – they are very different machines.
But, typically, the process involves copying artefacts – maybe a RAM dump – to an external device for later analysis. We then power down the device. However, this is not always necessary and can eat up a lot of on-site time.
Remember though – this process has changed the data on the device. You ran a program or plugged in the device. So, you must document this in detail as per ACPO guidelines (ACPO principles 2 and 3).
Back-up seems an important part of the acquisition phase. Talk to us about the level and type of backup you do and the tools you use.
Extractions from computer devices are a snapshot of time – the time when you had that device in your possession. Going back later due to data being missing or corrupted may not be an option. So, when you create a forensic image of a device, you must also make a scientific copy of that forensic image on another separate storage system. A matching pair, as such.
If one drive becomes contaminated or simply dies, you can go to your backup and create another copy right away, without requiring access to the original evidence. A backup can also be stored on a local server that contains a RAID array, likely RAID 6. RAID 6 is striping with double parity. This means that, effectively, up to two drives can die in that array and no data will be lost.
So, you've got your bit-level copy of a suspect's hard drive. What do you find are the best and most revealing troves to look at first? Do you look to reinstate deleted files? Is there a standard playbook?
Bit-level or bit-for-bit copies are not really correct. If you copy a hard drive, you can't guarantee all data has been reproduced as there may be unreadable sectors. In a report, we would state this as: “During data extraction, we copied all addressable data from the hard drive, followed by running a verification with MD5/SHA1 hashing to validate the data.”
As for forensic artefacts, it depends on what the suspect is believed to have done on the system (or if you’re asked to prove whether malware ‘did it’).
Shellbags are also useful. They are part of Windows and are intended to enhance a user’s experience by remembering their preferences when exploring folders. Effectively, Shellbags store user preferences for GUI folder display within Windows Explorer. They are stored in sets of registry keys.
By reading Shellbag data you can see if a person was using a device at a particular time and if they launched a specific program. Prefetch files are great for this. They allow an investigator to see how many times a program ran and from which location it ran. The SANS DFIR posters would be a fantastic resource for this information if you wanted to learn more.
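The acquisition-and-verification step described in the two answers above (the forensic image plus its backup "matching pair", and the report wording about copying all addressable data and verifying with MD5/SHA1) is illustrated by the following script. It is an added example, not the interviewee's or BCS's code; the "device" is a constructed in-memory stand-in for a drive behind a write blocker, with one sector deliberately made unreadable so the handling of that case is visible.

```python
# Added example: sector-by-sector acquisition with unreadable-sector handling,
# followed by MD5/SHA1 verification of the image and of its backup copy.
# The "device" is a constructed in-memory stand-in, not a real drive.
import hashlib

SECTOR_SIZE = 512


class UnreliableDevice:
    """Constructed stand-in for a block device read through a write blocker.

    Wraps a bytes buffer and raises OSError for a configured set of sector
    numbers, mimicking the unreadable sectors a real drive can present.
    """

    def __init__(self, data: bytes, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return (len(self._data) + SECTOR_SIZE - 1) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        chunk = self._data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        return chunk.ljust(SECTOR_SIZE, b"\x00")  # pad a short final sector


def acquire(device: UnreliableDevice):
    """Copy every addressable sector into an image.

    An unreadable sector is replaced with zeros so that every later offset in
    the image still lines up with the source, and its number is recorded so
    the report can state exactly what was not recovered.
    """
    image = bytearray()
    unreadable = []
    for n in range(device.sector_count):
        try:
            image += device.read_sector(n)
        except OSError:
            image += b"\x00" * SECTOR_SIZE
            unreadable.append(n)
    return bytes(image), unreadable


def digests(data: bytes) -> dict:
    """MD5 and SHA1 of the image, as recorded in the acquisition notes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_copy(image: bytes, backup: bytes) -> bool:
    """The backup copy is only usable as evidence if it hashes identically."""
    return digests(image) == digests(backup)


def acquisition_note(unreadable, image_digests) -> str:
    """Wording for the report: what was copied and how it was verified."""
    sectors = (
        "no unreadable sectors were encountered"
        if not unreadable
        else f"{len(unreadable)} unreadable sector(s) at {unreadable} were zero-filled"
    )
    return (
        "During data extraction, we copied all addressable data from the "
        f"drive; {sectors}. Verification: MD5 {image_digests['md5']}, "
        f"SHA1 {image_digests['sha1']}."
    )


def demo():
    # Constructed 8-sector drive with one unreadable sector (sector 3).
    source = bytes(range(256)) * 16          # 4096 bytes = 8 sectors
    device = UnreliableDevice(source, bad_sectors=[3])

    image, unreadable = acquire(device)
    image_digests = digests(image)

    backup = bytes(image)                    # the "matching pair" on separate storage
    tampered = bytearray(backup)
    tampered[100] ^= 0x01                    # a single flipped bit on a failing drive

    return {
        "image_len": len(image),
        "unreadable": unreadable,
        "backup_ok": verify_copy(image, backup),
        "tampered_ok": verify_copy(image, bytes(tampered)),
        "note": acquisition_note(unreadable, image_digests),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical points the example makes visible. First, when a source has unreadable sectors, a re-read of the original medium is not guaranteed to hash the same, so what goes in the notes is the hash of the image together with the list of sectors that were zero-filled, which is exactly the wording the answer above uses. Second, MD5 and SHA1 remain adequate for detecting accidental corruption of a copy (the tampered backup above fails verification on a single flipped bit), although many laboratories now record SHA-256 alongside them.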
What happens if the suspect hardens their device? Full hard-disk encryption? You can duplicate the suspect's hard disk, but can you actually read what's on it if the suspect uses something like AES-256?
Full disk encryption can be a nightmare as, due to the encryption strength of these algorithms, it's not really possible to get into them unless the suspect has written the password on a sticky note beside the device. Yes, you would be surprised at how often this happens!
However, if the user also uses a common password with slight changes, it could be possible to guess it.
BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. It creates a backup file that will give access to the device if you lose the password. So locating this can be an option.
But, what if we can prove a suspect owns a device but we can’t get into it? In that case, the police can use the Regulation of Investigatory Powers Act (RIPA) to request the password from the user. If they refuse, they face a potential prison sentence.
Reporting. This seems like the most unglamorous part of the work? But the most necessary?
The presentation of data for legal teams or a court can be pretty challenging. The wording must be consistently understandable to a technical layperson and use as few words as possible.
Most companies will use a specific template, so it's unlikely things will be missed when you fill it out correctly. Another person will always check each report for everything from spelling and grammar to factual accuracy. A process or rule of thumb is to follow ACPO principle 3 (above) and make sure all paperwork is signed and dated correctly.
We've focused here on just PC forensics. How realistic is this as a scenario? In reality are cases spread across SD cards, phones, satnavs, smart cars… fitness trackers? Does today's smart-world make a forensic professional’s life harder?
More people have phones than PCs, and you are more likely to see someone with one or more mobiles on them than with a laptop. With the seemingly weekly introduction of new smart devices, you will always encounter something you have never seen or heard of before.
Most of these will likely be connected via the wi-fi router in a home, so they need to be isolated and powered down to be copied. Some devices only have evidential value when powered on (as they have no onboard storage), or their data is stored in the cloud only. Research: ask colleagues and plan before acting, as once data is changed, it cannot be unchanged.
Finally, how can somebody interested in forensics, practice? Are there some good sandboxes?
There are loads of great resources, and I recommend checking out some BCS webinars that I ran on how to get into cyber forensics for the complete list. These can be found on the BCS website, where I go over soft and hard skills and software: sandboxes, imaging software, training materials and guides, all designed to help you gain a good understanding of digital forensics.