3 Methods to Preserve Digital Evidence for Computer Forensics

Critical Informatics Forensics - 3 Methods to Preserve Evidence

Picture a scene from an episode of CSI or one of its many spinoffs, except Critical Informatics Forensics is at the scene. Instead of dead things, dark lighting, and plain-clothed cops, you see a hard drive, a monitor, and a few other unidentifiable objects on a desk. It’s a rather innocent looking scene.

Yet, as our story unravels, investigators inevitably reveal evidence of a crime and submit it to authorities. They can do this when they and the victim avoid evidence destruction, correctly address data integrity, and assure legal defensibility through proper chain of custody documentation.

Criminal and HR investigations requiring computer forensics are more common than one would think. Cyber crimes and violations of Acceptable Use Policies can occur in the workplace, at home, or anywhere else for that matter. When a crime takes place, corporations, customers, or prosecutors may request a full investigation. Defendants or targets of investigation may even request access to computer forensic evidence as well, especially if it could exonerate them. Activities warranting investigation can range across the spectrum of criminal activity – from hacks, fraud, spoofed emails, and child pornography, to theft of personal data or destruction of intellectual property.

Some clients who hire us to conduct forensic investigations have had their critical systems compromised and need to recover deleted files, images, logs, and emails. Others need legally admissible evidence to submit to the courts. As a Computer Forensics Investigator at Critical Informatics, my job is to provide the most complete timeline of what happened when a cyber crime occurred by using all available information. A successful outcome rests partially on my shoulders but it also depends on what you do prior to my arrival.

Investigation Initiation

The hardware, software, and other tools needed to perform computer forensics are quite expensive. Companies must choose between building out their own forensics team and contracting out any forensics work. It is generally cheaper for medium and large organizations to field their own team, as they will likely run into problems that require forensics/IR frequently enough to make the investment pay off.

Smaller organizations are generally fine without a dedicated team, contracting out any critical forensics/IR work. For those small companies, outsourcing is often better than paying for the tools you need and reallocating already busy employees or paying someone new a full-time salary to do the job. For businesses of any size, it is important to secure the data for forensic analysis, and that’s where many run into trouble.

The most effective methods to ensure legal admissibility while preparing to engage a forensic analyst include the following:

  1. Drive Imaging
  2. Hash Values
  3. Chain of Custody

1. Drive Imaging

Before investigators can begin analyzing evidence from a source, they need to image it first. Imaging a drive is a forensic process in which an analyst creates a bit-for-bit duplicate of a drive. This forensic image of all digital media helps retain evidence for the investigation. When analyzing the image, investigators should keep in mind that even wiped drives can retain important recoverable data to identify and catalogue. In the best cases, they can recover all deleted files using forensic techniques.

As a rule, investigators should operate exclusively on the duplicate image and never perform forensic analysis on the original media. In fact, once a system has been compromised, it is important to do as little as possible – and ideally nothing – to the system itself other than isolating it to prevent connections into or out of the system and capturing the contents of live memory (RAM), if needed. Limiting actions on the original computer is important, especially if evidence needs to be taken to court, because forensic investigators must be able to demonstrate that they have not altered the evidence whatsoever by presenting cryptographic hash values, digital time stamps, the legal procedures followed, etc. A piece of hardware that helps establish the legal defensibility of a forensic image is a “write blocker”, which investigators should use to create the image for analysis whenever one is available.

2. Hash Values

When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1). The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media.

Hash values are critical, especially when admitting evidence into court, because altering even the smallest bit of data will produce a completely different hash value. Creating a new file or editing an existing file on your computer changes the hash value of that file. This hash value and other file metadata are not visible in a normal file explorer window, but analysts can access them using special software. If the hash values do not match the expected values, it may raise concerns in court that the evidence has been tampered with.
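The imaging and hash-verification steps from sections 1 and 2, as an added example that is not part of the original article: a bit-for-bit copy of a source device is made while both the source and the written image are hashed, the image is later re-verified against the recorded hash, and a single flipped bit is shown to break the match. The "drive" is a constructed file, and the function names are my own.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash and copy in 1 MiB pieces so large images never sit in memory


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks; the algorithm name is any hashlib one (md5, sha1, sha256)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_hash(source_path, image_path, algorithm="sha256"):
    """Copy source_path to image_path byte for byte and return (source_hash, image_hash).

    The source is hashed while it is read; the image is then re-read from disk and
    hashed independently, so a write error would show up as a mismatch.
    """
    src_h = hashlib.new(algorithm)
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_h.update(chunk)
            img.write(chunk)
    return src_h.hexdigest(), hash_file(image_path, algorithm)


def verify_image(image_path, expected_hash, algorithm="sha256"):
    """Re-hash an image (before analysis or at a custody handoff) against the acquisition hash."""
    return hash_file(image_path, algorithm) == expected_hash


def demo():
    """Constructed scenario: image a fake drive, verify it, then flip one bit and verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "drive.bin")
    image = os.path.join(workdir, "drive.dd")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed evidence block" + bytes(range(256)) * 16)
    src_hash, img_hash = image_and_hash(source, image)
    intact = src_hash == img_hash and verify_image(image, src_hash)
    with open(image, "r+b") as f:  # simulate tampering or corruption: one bit changed
        f.seek(4100)
        original = f.read(1)[0]
        f.seek(4100)
        f.write(bytes([original ^ 0x01]))
    return intact, verify_image(image, src_hash)  # expected (True, False)
```

Record the acquisition hash on the chain of custody form along with the algorithm used, so every later verification compares against the same value.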

I will address how metadata is used in analysis in a later article.

3. Chain of Custody

As investigators collect media from their client and transfer it when needed, they should document all transfers of media and evidence on Chain of Custody (CoC) forms and capture signatures and dates upon media handoff.

It is essential to remember chain-of-custody paperwork. This artifact demonstrates that the image has been under known possession since the time the image was created. Any lapse in chain of custody nullifies the legal value of the image, and thus the analysis.

Any gaps in the possession record, including any time the evidence may have been in an unsecured location, are problematic. Investigators may still analyze the information, but the results are not likely to hold up in court against a reasonably tech-savvy attorney. Forms that investigators use to clearly and easily document all records of change of possession are easy to find on the Internet; we use the NIST Sample CoC to maintain the chain of custody audit trail.

A Team Effort

What happens if an organization is not cognizant of the legal requirements of computer forensics?

The highest risk is legal inadmissibility when litigation is involved. If evidence of a crime is suspected on a piece of digital media, the media should be immediately quarantined and put under chain of custody – an investigator can create an image later. Evidence destruction is also a common problem. If threat actors installed applications on a server, future forensic analysis will rely on the application being available and not deleted from the system. Additionally, if the media remains in service, the risk of vital evidence destruction grows with the amount of time that has elapsed since the incident took place.

Computer forensics is an important mechanism that can ultimately lead to finding out the truth, but only with partnership between investigators and clients. Preserve data, collect forensically-sound digital copies of media, create hash values, and manage chain of custody paperwork to keep your investigation on the right path.

Ramel Prasad
Ramel Prasad is a Security Analyst/Lead Forensics Consultant at Critical Informatics. His focus is primarily on digital forensics alongside data analysis, information security, incident response, penetration testing, etc. He helps find out the truth of what really happened. LinkedIn: https://www.linkedin.com/in/ramel-prasad/