Computer Forensics: Seizing a Computer
by Priscilla Oppenheimer
The purpose of this white paper is to teach you how to seize a computer from a crime scene. The techniques that you learn can also be used in non-criminal cases. For example, perhaps your job is to seize a computer from an employee who engaged in activities that go against the policies of your company. In either situation, it is imperative that you proceed with care to avoid tainting any evidence residing on the computer.
You have probably watched crime scene investigation programs on TV and know about the risk of tainting evidence. When detectives enter a crime scene, they don't touch anything unless they are wearing gloves. With computers, things get a bit trickier. You need to protect the data on the computer, not just the physical hardware.
Data on computers is volatile. It changes easily. Simply clicking the mouse in the wrong place could close a window, erasing evidence of what the user was doing. Shutting down a system could activate a script written by the suspect that deletes all the suspect's incriminating files. This white paper will teach you the proper procedures to follow to avoid any problems.
Data on computers is also latent. It's not obvious or visible. In fact, sometimes computer users think they have deleted the data and that it's gone from the computer's hard drive. It may not be gone. Even deleted files can often be recovered.
You may know about latent evidence from all those TV crime dramas. Blood, for example, can often be latent. Fluorescence spectroscopy can be used to make the blood visible. Computer forensics is just as amazing. It can reveal seemingly invisible data. However, for this to be possible, the investigator who seizes the computer from a crime scene must be very careful not to destroy data.
Chain of Custody
As is the case with all evidence, it's important to maintain a chain of custody for computer evidence. The term "chain of custody" refers to documentation that identifies all changes in the control, handling, possession, ownership, or custody of a piece of evidence. You need to be able to trace the route that evidence takes from the moment you collect it until the time it is presented in court or at a corporate briefing. Don't stop for a cold beer on the way home from the crime scene while the computers are in the trunk of your car!
When seizing hardware, you will tag it with an evidence tag that documents the date and time, your name, the case number, where you found the item, other facts relevant to the case, and other information depending on the policies and procedures of your investigation team. After you tag the evidence, you will then bag the evidence and give it to an evidence custodian. Some experts call this process "bagging and tagging."
NOTE: An evidence custodian is an individual who is in charge of documenting, transporting, and storing all evidence. The evidence custodian ensures that evidence is safely transported to an evidence locker, a locked repository for items related to pending cases. Most police departments have employees who are designated as evidence custodians. If this is a civil case, you should still appoint one person to be the evidence custodian.
Legally Seizing Computer Evidence
Computer evidence is like any other evidence in many ways. It's no different from a car that gets impounded in a drunk-driving case or a frying pan that gets seized in a domestic dispute case. For evidence to be admissible in a court of law it must be legally obtained. In the U.S., don't seize computer evidence unless you have a search warrant.
In civil cases, the organization's policies and procedures must be carefully followed. Corporations often have incident response plans that you should follow. Even with civil cases, keep in mind that federal and state laws related to search and seizure may come into play. The case may become a legal matter, especially if it's related to fraud, security breaches, or privacy infringements. In both criminal and civil cases, evidence must be:
Legally obtained. Adhere to the instructions in the search warrant or incident response plan.
Complete. Don't leave behind computer evidence just because you think it might exonerate the suspect, even if you think the suspect is an awful person.
Reliable. The evidence must be untainted. It should remain unchanged from its original. Following careful procedures will help you ensure that fragile computer evidence doesn't get altered, deleted, enlarged, or changed in any way. Maintaining the chain of custody will also ensure that evidence remains reliable.
Authentic. It has to be the real thing, not a fake.
Believable. A jury and a judge (or corporate managers and auditors) need to understand and accept the evidence. Sometimes, this is challenging with highly technical, computer evidence.
Evaluating, Securing, and Documenting the Crime Scene
First things first: make sure that you are safe. Although the image we often have of computer crime scenes is of harmless nerds hunched over their laptops, don't assume that's the case. Computers become part of a crime scene for many reasons. Computer technology is so pervasive that conventional criminals, as well as terrorists, use computers to plan their crimes. These criminals may be at the scene and they may be armed.
Evaluate the scene for any danger to yourself and co-workers. If necessary, be sure to get medical treatment for any injured people. You may also be working with police investigators who will arrest suspects and escort them off the premises. Once these important necessities are dealt with, clear the scene of superfluous people and then walk around the crime scene to get an idea of its scope. Mark the perimeter of the scene with crime-scene tape and post a guard if that is appropriate.
Your next step should be to recognize computer evidence. Computer technology shows up in all sorts of places these days. Evaluate the scene for possible places that digital evidence can reside, including:
Computers
External hard drives
CDs and DVDs
Thumb drives
Floppy disks
Cell phones
Voice over IP phones
Answering machines
iPods
Electronic game devices
Digital video recorders (Tivos)
Digital cameras
PDAs
GPSs
Routers
Switches
Wireless access points
Servers
Fax machines
Printers that buffer files
Photo-copiers that buffer files
Scanners that buffer files
The search warrant (or corporate equivalent) states which devices you should seize. This white paper focuses on seizing computers, but regardless of what you will be seizing, before you do anything else, document what you see. In a journal or activity log, jot down what you see and what you plan to take. Some investigators "jot down notes" digitally, by recording themselves talking in to a digital voice recorder.
Next, using a digital camera, document the scene by taking photos of:
The overall scene, 360-degree coverage if possible
The condition and location of each computer system
The front, sides, and back of each computer, including cables
Monitors (active screens may require video taping)
The position of all computer components, mice, cables, and so on
The state of on/off switches and any LEDs or other status indicators
To Pull the Plug or Not
The computer forensics field is going through a transformation. In the past, most computer forensics experts recommended pulling the power cable on a computer right away, even if the computer is running. Most experts agreed that you should not go to any extraordinary efforts to gather volatile data stored in Random Access Memory (RAM). Data stored in RAM disappears when the computer loses power, but nonetheless, most experts until recently recommended pulling the power cable from the computer as one of the first steps. The advantages of pulling the power cable include:
Any script the suspect has written that should execute upon shut-down doesn't get a chance to run. (Suspects sometimes write scripts that tell the computer to delete incriminating files when a user selects Shut Down from the Start menu.)
Temporary word-processing and other interim files remain on the hard drive, whereas they might get deleted if the software applications shut down more gracefully. (Microsoft Office and other software applications write temporary files to the hard drive as the user works on documents. The files get deleted when the application is shut down in the normal way.)
Modern forensics classes teach both classic forensics, which says to pull the power cable from the computer very soon after you discover the computer, and state-of-the-art forensics, which teaches techniques for gathering volatile, live evidence. This white paper focuses on classic forensics. Perhaps future papers will focus on gathering live data.
NOTE: If you're dealing with servers or other high-end computers that are necessary for a business to keep running, you might not be allowed to pull the power cable, but for the purpose of this discussion, assume you're working with lower-end equipment and that you have the legal justification and paperwork (search warrant) to disable and seize the computer.
Seizing a Computer
Once you have secured and documented a crime scene, you are ready to seize the computer hardware. The first step is to put on your gloves so that you don't add your fingerprints to the physical evidence.
If a computer is turned off, leave it off. Never boot (or reboot) a computer that you are seizing. If the computer is on, depending on the facts of the case, you may want to carefully gather some volatile evidence in RAM, but as soon as possible, pull the power cable. Be sure to jot down in your journal (or digital voice recorder) whether the computer was on.
Don't use the computer. Stories abound of computer evidence being thrown out in court because the investigators at the crime scene got bored and played games on the computers. Save your games till later when you're home on your own computer!
Pull the power cable from the computer and then pull the cable from the wall socket. Adhere a sticky, colored label to the end of the cable. Use the same color for a label that you attach to the interface from which you pulled the cable. This color-coding will make reassembly back at your forensics lab easier. Sure, figuring out the right place to insert the power cable might sound easy, but you will follow this same process for networking and phone cables, which aren't so obvious. (If you're color blind, consider writing matching numbers on the labels.)
Next, using masking tape, tape over the power receptacle on the back of the computer. The idea here is to make it harder for someone to put the cable back and restart the computer and possibly taint the evidence. The other goal is to cover yourself. As a computer forensics investigator, you should do whatever it takes to avoid a computer being tampered with. Should any questions come up, you want to be able to state unequivocally that you followed standard operating procedures and the rules regarding chain of custody.
Bag the power cable in an evidence bag along with an evidence tag. The evidence tag should document the date and time, the case number, your name, the location where the cable was found, and other information depending on the policies and procedures of your investigation team.
If the computer is a laptop and it remains on after you pull the power cable, then it has a working battery. Find the power button and turn off the power. Then open the computer and remove the battery. Bag the laptop battery with an evidence tag. The computer should no longer be on after you do this, which is a good thing. Laptop computers can often communicate wirelessly. The computer might have been engaged in hacking into other computers, or the suspect might have still been communicating with the laptop, perhaps deleting incriminating files.
Seizing a Computer's Peripherals
After pulling the power cable from the computer, you next set your sights on all peripherals and extraneous equipment. You will bag and tag mice and keyboards, and depending on what the search warrant says, you may collect floppy disks, DVDs, networking equipment, and so on.
Remove any floppy disks, tapes, CDs, or DVDs that are still in the computer. Set the floppy disks to read-only. This avoids any perception that data was changed. To set a floppy disk to read-only, find the notch at the top-right corner and make sure that it is open. A mnemonic for remembering that open means read-only is that both "open" and "only" start with the letter O. Tag the floppy disk with an evidence tag and put it in an evidence bag.
Insert a dummy, plastic floppy disk in the computer's floppy-disk slot to protect the slot and make it hard for someone to use. A dummy, plastic floppy disk can't store data; it's literally just plastic. But it comes in handy for maintaining that all-important chain of custody and proving that data wasn't copied onto the hard drive from the floppy drive after the computer was seized. The dummy disk also protects the floppy disk drive while the computer is being transported to the evidence locker back at headquarters.
NOTE: Issues related to floppy disks are becoming somewhat irrelevant, as so many computers don't ship with a floppy disk drive anymore. But don't assume that you won't need to know about floppy drives during your computer forensics career. All sorts of old equipment shows up at crime scenes.
Disconnect any monitors (computer screens). Generally, tower (desktop) computers include at least one monitor that is connected to the back of the computer via a video cable and a power cable. The monitor gets power from the computer. Disconnect, label, and bag and tag the cables (unless they are permanently attached to the monitor, which is often the case). Label the interface on the computer where you disconnected the cable with a label of a matching color. Tag the monitor and set it aside. It will probably be too big to bag. Be sure to disconnect and tag all monitors. It's becoming common for people to use multiple monitors with their computers, so be sure to check for more than one monitor.
Next remove any phone or networking cables. Label, tie, and bag each cable. Include an evidence tag with the cable in its bag. On the computer, label the interface from which the cable was removed with a label of the same color that you used on the cable. This color-coding will ensure correct reassembly later. When analyzing the evidence, you may want to put the computer and its peripherals back exactly the way you found them. Color-coding your labels will help with this.
If the networking cables lead to networking equipment that's within the perimeter of the crime scene, check your search warrant or corporate policies regarding seizing this equipment. Generally, it would be permissible to seize a local hub, switch, or low-end home router. Don't seize a high-end router that runs the entire company, however, unless you know what you're doing and your search warrant allows this.
If your search warrant allows this, then also collect, bag, and tag extra devices that are near the computer, including cell phones, PDAs, answering machines, digital cameras, GPS units, etc. Place wireless devices in Faraday bags. A Faraday bag disables wireless communications. You want to make sure that the suspect doesn't call his or her phone and wipe it out, or worse yet, use the phone to set off a bomb. (Bomb-sniffing dogs have hopefully checked the scene, but just in case, don't let suspects communicate with their wireless phones, laptops, or PDAs.)
NOTE: A Faraday bag is a container made of woven copper, nickel, and silver that keeps a phone or other wireless device from sending or receiving data. The bag is named after Michael Faraday, (1791-1867), an English physicist who was an expert on electromagnetism.
Collect and bag and tag any printouts and computer documentation, if the search warrant or incident response plan permits this. Printouts are often a treasure trove of information about what a suspect was up to.
Printouts and documentation also sometimes include a suspect's password. You probably know people who write their passwords down on papers near their computers. Criminals often do this too. Knowing the password may come in handy when accessing the suspect's files during your analysis of the computer evidence, especially if the files are encrypted and you need the suspect's password to decrypt them.
Be sure the search warrant covers collecting paperwork. The last thing you want is for your analysis of a suspect's files to be thrown out in court because you illegally seized the paperwork that documented the password.
Transporting Evidence
To prepare a computer for transport, place tape over all the drive slots and other openings. On the evidence tag for the computer, record the manufacturer, make, model, and serial number of the computer. Bag the computer (if you have a bag that is big enough). Finally, ask the evidence custodian to log each piece of evidence in an evidence log.
Pack up all the computer evidence that you have gathered, being careful with sticky labels and smaller bags that are easy to drop. When transporting the evidence back to the evidence locker at your headquarters, be sure to keep it away from any magnetic sources such as radio transmitters in police cars.
Always maintain a chain of custody. Keep the computer evidence in your possession at all times. Don't stop at the local arcade on the way back to headquarters from the crime scene, and don't use the computers or cell phones that you seized. Save your game playing for later on your own home computer.
Summary
In this white paper you learned how to seize a computer from a crime scene or corporation. In criminal cases, a search warrant dictates what you can seize. In corporate cases, an incident response plan will help you know what procedures to follow. In either case, the computer and peripherals must be carefully seized as they may become evidence. Evidence must be complete, reliable, authentic, and believable, so care must be taken to seize a computer so that the data isn't lost, damaged, or changed.
This white paper introduced legal concepts such as "chain of custody" and then provided advice on evaluating, securing, and documenting a crime scene. The paper then focused on the details of pulling the power plug and other cables from a computer, labeling the cables, and packing the evidence with bags and tags.
As computers become even more important in everyone's work, including criminals' work, information technology and law enforcement representatives will often find the need to respond to a situation where computers must be seized. Learning how to properly seize a computer is a good first step in preparing yourself for the new world where computers and crime are intrinsically linked.
Quiz
1. Why do computer forensics investigators label cables with a color-coded label?
A. To ensure correct reassembly of computer components back at headquarters
B. To maintain a chain of custody
C. To block wireless communications to the computer
D. To document the manufacturer, make, and model of the cable
Check your answer here!
2. Why is maintaining a chain of custody so important?
A. Evidence must be relevant.
B. Evidence must be material.
C. Evidence must be reliable.
D. Evidence must be legally obtained.
Check your answer here!
For More Information
Computer Technology Investigators Northwest
CyberCrime.gov
Internet Crime Complaint Center
SecurityFocus
The PC Guide
Computer Forensics Jeopardy
Copyright © Priscilla Oppenheimer.
Hosted by Open Door Networks.
X
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment