Slashdot Mirror


Guidelines For Data Gathering And Forensics?

lyapunov asks: "I recently attended the Rocky Mountain SANS conference and one of the topics that was brought up was data forensics. The part that I was most interested in was how does one go about gathering data and analyzing it to best facilitate law enforcement agencies and ensure that it will withstand the scrutiny of the courtroom. I have poked around the NSA and FBI websites and have not been able to find anything. I would like to hear stories from the Slashdot community of what does and doesn't work, what to be cautious of, and if there are any resources that deal with this subject." I've always wondered how data from a computer is allowed into the courtroom. Considering that such things as a text file are highly volatile, even printouts of said data are suspect: how do you know that text file wasn't edited by a disgruntled law-enforcement officer to get the conviction he needs? What ways do courts use to ensure the validity and integrity of such data?

13 of 64 comments

  1. More guidelines by datajack · · Score: 5
    Firstly, IA(definitely)NAL, but I have had some data forensics training (to the standards required by UK courts, apparently), but I personally haven't been involved in any real data-recovery, I needed the full training in case I get involved further down the line (analysis of file-systems, data structures etc.).
    As you pointed out, the key to the whole business is to try and prove that the data has not been tampered with in any way. Here's (roughly) our procedure for dealing with the data recovery task.
    1. Take a camera and photograph everything before you start.
    2. Have a good notepad for a journal and write down everything that you do and why and sign each page.
    3. If the machines are running and the data is believed to exist on the HDD, not in RAM, (if the data is in RAM, then you have a problem) then power the machines down, do not shut them down cleanly, just hit the button - this is to prove that the shutdown procedure did not change anything on disk.
    4. Next, take a byte-for-byte image of the HDD(s). We do this onto an MO disk hanging off the parallel port, using software from a bootable DOS floppy. Also, use fresh disks - do not break the cellophane seal until you are about to insert them into the drive. OK, MO is expensive but it's not gonna get accidentally corrupted and cannot be modified/wiped without using a proper drive. I suppose now that DVD-RW is coming down in price, it might be more convenient to use that. Make sure that the system does not boot off the HDD (for the same reason you don't shut the machine down cleanly).
    5. The software we use generates a set of floppy disks containing digital signatures of the content of the MO disks. Two copies of these floppies are generated and placed in tamper evident bags. One copy stays with the owner of the data, one copy goes with us. The bags are signed by both parties to prove acceptance that the image was generated fairly.
    6. The MO disks are properly labelled and treated as evidence (with all the signing in & signing out stuff).
    7. When we come to analyse the data, the MO disks are restored onto a blank HDD in a machine in a specially secured room on our site. All work is done on the copy on the HDD (which can be re-restored at any time). The signed diskettes can be used as proof that the copy of the data on the MO disks hasn't changed since the image was taken.
    I think that's about it. The key technological bits are the digital signatures, the use of media that can't be externally modified and the use of an imaging system that is guaranteed to not modify the host drive. The other thing needed to make the evidence stand up is the journal - this is vital.
  2. Computer Forensics at UCF by tadprime · · Score: 3
    I am currently taking the first class of the graduate certificate in Computer Forensics at UCF. We don't have a book yet (hasn't been printed), and right now the class is pretty free-form. This is in association with the National Center for Forensic Science. Right now, we are doing all of our work with diskettes, but when the new building is built there will be a lab that has the facilities to work with hard drives.

    Basically, in order for anything to be admitted in court you have to have a clear chain of posession and be very sure of your methods. You do all of your work on disk images or clones whenever possible, using MD5 and SHA1 and other ways of proving the clone is identical before proceeding (more confirmation the better).
    But, one interesting thing is that people seem to be a bit afraid of digital evidence. Most of the criminal cases apparently result in confessions if you find good enough evidence...
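    The verification step that comments 1 and 2 both describe (hash the byte-for-byte image, keep the digests on sealed media, re-hash the working copy before analysis) as an added example that is not part of any post above. It uses MD5 and SHA1 as the posts name them and adds SHA-256; the 4 KiB "image" is constructed, not a real acquisition.

```python
import hashlib
import io

# Digests recorded for an acquired image. MD5 and SHA1 are the ones the posts
# above name; SHA-256 is added here so the manifest does not rest on those two
# alone. The size field explains a truncated copy that hashing alone only flags.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM

# Constructed stand-in for a byte-for-byte disk image (4 KiB of patterned data).
SAMPLE_IMAGE = bytes(range(256)) * 16


def hash_image(stream) -> dict:
    """One pass over a file-like object: {algorithm: hexdigest, "size": bytes}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        total += len(block)
        for h in hashers.values():
            h.update(block)
    manifest = {name: h.hexdigest() for name, h in hashers.items()}
    manifest["size"] = total
    return manifest


def verify_image(stream, manifest: dict) -> dict:
    """Re-hash a working copy and list every recorded field that differs,
    so the journal can record exactly what failed rather than a bare no."""
    current = hash_image(stream)
    mismatch = [k for k in sorted(manifest) if current.get(k) != manifest[k]]
    return {"ok": not mismatch, "mismatch": mismatch}


def hash_bytes(data: bytes) -> dict:
    return hash_image(io.BytesIO(data))


def verify_bytes(data: bytes, manifest: dict) -> dict:
    return verify_image(io.BytesIO(data), manifest)


def tampered_copy(data: bytes, offset: int = 1000) -> bytes:
    """Same length as the original with one byte flipped, to show detection."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]
```

    The manifest itself still needs the out-of-band protection the posts describe (sealed, counter-signed media); a digest stored next to the image proves nothing if both can be rewritten together.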

  3. Re:There's a reason by anticypher · · Score: 4

    it doesn't take a brain surgeon to forge dot matrix printer logs

    You've never seen log paper. No, not the kind with a logarithmic scale, but serial numbered pages. You can get it from speciality catalogs, or have a print shop make some for you. Basically a box of tractor paper where it was once run through a printer and every page has a sequential number printed on it. Missing pages are easy to spot, and it's difficult to insert falsified pages.

    It is used where collecting hard copy evidence is necessary, such as during legal battles where the court requires both sides to document the reliability or malfunctioning of a system, or on classified security audit systems. The first few pages are where the lawyers sign off on the box, then the printer cabinet is locked with a couple of padlocks, one for each legal team. Then the system runs for a while, and the printer hopefully has logged the problems. The court keeps the original as forensic evidence, and both sides get copies.

    Log paper must be pretty rare now, but IBM, Digital, Wang, and Burroughs used to have them as stock items.

    the AC

    --
    Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  4. Re:Depends who you trust... by agentZ · · Score: 3

    Has nothing really to do with whom the court trusts, but rather the defense attorney. If they are willing to stipulate that the evidence is admissible, then it gets in. (Or leads to an out of court settlement, which is what happens with most computer crime cases.) Defense attorneys are not computer experts, nor are juries. What they look for are mistakes; deviations from established procedures. A word to the wise: Develop a policy for what to do in the event of an intrusion. Then stick to it.

  5. Re:That's not too hard... by agentZ · · Score: 4

    Of course, you're going to have to show that the PGP key is authentic somehow... How does the court know you didn't alter the evidence and the key and then re-sign them? (Serious question... I'm trying to be argumentative because that's exactly what a defense attorney is going to do... )

  6. Printouts, etc. by No+Such+Agency · · Score: 3
    I would say printouts of a file should be worthless (except, like everything else, to a stupid or gullible judge) as evidence in and of themselves. Of course, once the contents of the file have been confirmed by other methods, notarized text copies could be used for the convenience of courtroom/legal research use during the case. Notaries are not 100% untouchable of course, but they do have powerful disincentives to not bear false witness.

    We've seen a thousand examples that show that judges nearly always trust the police and their "experts" when it comes to computer crime. If they say they have enough probable cause to arrest teenagers from their bedrooms, raid gaming publishers, seize computers/phones/Gameboys etc. as evidence or as "proceeds of crime" then who is some judge (who spends too much time keeping up with the law to become a computer expert) to say otherwise? As we've seen, this opens the system up to myriad abuses, but I'm not sure what is the greater danger: police misconduct/corruption or the possibility that if swift action to obtain electronic evidence is NOT taken, that criminals (yes, there are BAD hackers/crackers out there) will have the opportunity to get to the records first and make them disappear. I'm NOT saying that police should have carte blanche to go digging in people's systems for evidence, but I do think that the ability to obtain accurate and trusted electronic records ultimately works to the advantage of the innocent accused.

    I'm not sure if I have a coherent point here, I just thought I'd raise some points before the usual Slashdot flood of "police are evil and ignorant, they want to take my boxen" hits this story.

    --
    Freedom: "I won't!"
  7. Fabricating evidence by XNormal · · Score: 3
    how do you know that text file wasn't edited by a disgruntled law-enforcement officer to get the conviction he needs?

    You don't. But then how do you know that in cases not involving computers?

    I know that quite a lot of readers on this site are very mistrustful of law enforcement officials but don't think about accusing them of anything like this. They don't do that and if they catch any one of their colleagues doing it they will deal with him unmercifully.

    Their world view may be very different from yours and you may not agree on a lot of things when it comes to computers and freedom but don't even think about this.

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  8. Re:Evidence by No+Such+Agency · · Score: 3

    There is in law enforcement a concept called "chain of evidence", which is why on TV cop shows they always have to sign items out of the evidence locker to examine them. This helps to reduce or prevent abuses by law enforcement personnel (there are hefty penalties for tampering). As for "planted" or evidence altered by others, there are pretty sophisticated physical forensics methods to detect tampering/discrepancies. The question here is: when electronic records (which can in theory be altered undetectably) become vital evidence, how do we obtain the same degree of protection?

    --
    Freedom: "I won't!"
  9. That's not too hard... by Anomolous+Cow+Herd · · Score: 3
    Just make sure that, if you are in the crime-committing business, you cryptographically sign all of your documents, using something like PGP.

    That way, if someone modifies the document between the time that it is seized and the time that it appears in court, it would at least be inadmissible.

    Of course, you can count on law enforcement to conveniently modify all of the documents that would have shown the defendant in a good light...

    --

    "I don't know that atheists should be considered citizens, nor should they be considered patriots." - George Bush
  10. Standards for forensic evidence by dazed-n-confused · · Score: 5

    Advertised on the UK site of Deloitte & Touche Forensic Services: "Evidential data recovery - we are able to recover data according to the standards demanded by the police, the Serious Fraud Office, the FBI, the US authorities and the US courts from a wide variety of IT equipment."

    I know from working with these guys that this is a real Black Art. Don't think about doing it yourself -- even if you can get it right, the other side's lawyers will crucify you. Get a forensic specialist involved ASAP.

  11. "Maintaining the Forensic Viability of Logfiles" by artch · · Score: 3

    See the excellent paper by Tom Ceresini at http://www.sans.org/infosecFAQ/incident/viability.htm. The paper is valuable not only for its content and discussion, but also for the links it provides. While the paper focuses on "logfiles", its suggestions apply to any copies (e.g., disk image) that may be created as part of the data collection process.

  12. Important things to remember by agentZ · · Score: 3
    Some guidelines:

    • It's a crime scene - If you came into the server room and found a dead body, chances are you wouldn't touch it; you'd call the police without disturbing anything. But when somebody hacks your box, it's tempting to look around and see what's been done. This is a Bad Thing(tm). You can hide the attacker's footprints. As soon as you know there's been an intrusion, start gathering evidence. Only type the minimum number of commands on the victim system and keep a record of everything you do. Avoid writing to the victim system as much as possible. You may overwrite recently deleted (and thus not really gone) files.

    • Evidence to gather includes (but is not limited to), what programs are running, where those files are on the disk (which may be only in /proc if the attacker has run a program and then erased the executable), who is logged on, and anything else that will disappear when the system is turned off.

    • If possible, do a full backup of the system (dump to tape, another computer's drive, etc.) without powering down.

    • Maintain a chain of custody for this backup(s) and any other records you take. It is important for court purposes to be able to show who had access to what evidence (to show that it hasn't been tampered with). If you have a personal safe, great. But put it somewhere where the least number of people have access to it. Keep a record of who touched the evidence at what times and what they did with it.

    • You don't have to call law enforcement right away. There are many things you can do that law enforcement cannot. As a system administrator you can do anything (monitor all traffic, read files) in order to maintain the integrity of the system. Law enforcement often requires court authorization to do those and it's a lengthy process. But be aware in everything that you do that you might tip off the attacker that you're on to her. It's a risk you have to consider before doing anything.

    This list is by no means complete, but it's a good start for right now.
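    The "keep a record of who touched the evidence at what times" step above, as an added example that is not part of the post: a custody journal in which each entry commits to the digest of the one before it, so an edited or removed record is detectable. Names, timestamps, the tape label and the item hash are constructed for the example.

```python
import hashlib
import json

# A custody journal where each entry commits to the digest of the entry before
# it. Editing or dropping a record breaks every digest after it, so the log can
# only be altered by rewriting it end to end. All values below are constructed.
GENESIS = "0" * 64


def _digest(entry: dict) -> str:
    """Canonical JSON (sorted keys) so identical entries hash identically."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, when: str, actor: str, action: str,
                 item: str, item_hash: str) -> dict:
    """Record who did what to which item; item_hash ties the entry to the
    digest of the backup or image being handled."""
    entry = {"seq": len(log), "time": when, "actor": actor, "action": action,
             "item": item, "item_hash": item_hash,
             "prev": log[-1]["digest"] if log else GENESIS}
    entry["digest"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["digest"] != _digest(entry)):
            return False, i
        prev = entry["digest"]
    return True, -1


def sample_log() -> list:
    """Constructed journal for a backup taken during an intrusion response."""
    h = "c0ffee" * 10 + "c0ff"  # stand-in for the backup's SHA-256 (64 hex chars)
    log = []
    append_entry(log, "2001-05-01T09:12Z", "sysadmin A", "full backup to tape", "tape-001", h)
    append_entry(log, "2001-05-01T09:40Z", "sysadmin A", "sealed and placed in safe", "tape-001", h)
    append_entry(log, "2001-05-03T14:05Z", "analyst B", "signed out for analysis", "tape-001", h)
    return log
```

    A hash chain does not detect entries silently dropped from the end, so the latest digest must also be recorded somewhere the journal's keeper cannot rewrite, which is the role the counter-signed sealed media in comment 1 play.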

  13. Notarized? by mindstrm · · Score: 3

    When it comes to evidence, you cannot expect each piece to be validated 100%.

    Who says the drugs the cop *supposedly* found in my car when he pulled me over weren't planted?
    Who says I was speeding? Some cop? What if he LIED?

    How is digital evidence any different?