"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896

Forensics: An Overview

Computer forensics involves the complex task of accurately investigating events or activities on computer systems without adversely affecting the integrity of the data contained on those systems. This is a difficult task to perform properly, requiring expert handling and care. A forensics investigator is asked to answer fundamental questions surrounding an event: who did what, when did they do it, and how was it accomplished?

At the same time, they are expected to take precautions that ensure the integrity of the original data is maintained. To that end, investigators follow precise procedures to safeguard the data while allowing the investigation to proceed. These procedures include maintaining a chain of custody for all evidence material, maintaining the integrity of the data source media, and creating accurate mirror images of data sources. Only after these important steps are taken can an investigator begin the forensics analysis of mirrored data.

Chain of Custody and Data Integrity

The phrase “chain of custody” refers to the accurate auditing and control of original evidence material that could potentially be used for legal purposes. Knowing the current location of evidence is not enough. There should be accurate logs tracking the movement and possession of evidence material at all times. For investigators performing forensics analysis, it is essential to track the location of original data material from the moment it enters into the investigator’s possession until it is released into the custody of another person or organization. In addition, investigators must control and audit physical access to the original data while it is in their possession.

For instance, if data is stored in a safe, anyone with access to that safe must be accounted for and noted. Any logs created and kept by the forensics investigators could potentially be used for legal purposes. Consequently, maintaining a proper chain of custody is important to both the owner of the data as well as authorities who may want to pursue legal action.

While evidence data is in the possession of the investigator, they must ensure that the original state and condition of the data is maintained. Preserving the integrity of the original data source is the most important aspect of performing forensics analysis. Not only does preserving data integrity maintain a credible data source from a legal perspective, it also allows subsequent investigations to utilize the same base starting point for performing replication of the analysis. Performing analysis on the original data source can cause irreparable loss of forensics information. There are techniques investigators employ that inherently cause minor changes and modification to various aspects of the data. For example, turning on and booting a computer system from an evidence disk can make timestamp changes to files and modify audit logs on the data disk drive. Even the simple act of displaying the contents of a file can make changes to a file’s attributes. Unless an original, un-altered, clean copy of the evidence data is maintained, those modifications can permanently destroy valuable information. Moreover, this information may be needed for subsequent forensic testing and analysis.

Data Mirroring: An Essential Step

The single best action an investigator can take to preserve the integrity of data is to create accurate mirror copies of all original data. Consequently, one of the goals of an investigator is to handle the original data as little as possible. To that end, the first copy made is referred to as the “master copy”, and is not used for performing analysis, but rather for creating additional mirror copies on which analysis will be performed. In this manner, the original data only needs to be handled once to make the “master copy”, after which it the originals are returned to safe storage or released from custody.

While safeguarding the original data source is critical, it isn’t the only data needing protection. Maintaining strict control of the additional mirrored data is also important, as the data contained within the copies may be sensitive and/or confidential. While a strict chain of custody does not need to be maintained for data copies, they should be strictly controlled and protected in a separate physical location from the original data, such as in a second safe or locked cabinet, with access to the copies restricted and audited. Authorized investigators and personnel should be given access to the data on a need-to-know basis only.

Handling Online Systems

A majority of forensics efforts will involve the examination of offline data physically provided to the investigators, but in some cases a live online system will be the target of analysis. The procedures for handling such cases will vary depending upon the requirements of the system owners, but as with offline systems, data integrity is important. There are important issues to consider with performing forensics analysis on an online system. An online system may hold important data in memory that will be lost when the power is removed. In addition, the normal shutdown procedures for most operating systems will modify file system properties or file contents that may be forensically important, so clean shutdowns should be avoided. Lastly, in rare circumstances, an investigator may be reviewing a system that is still being accessed by the unauthorized individuals who are the cause of the investigation.

To safely retrieve data from an online system, a knowledgeable investigator must gain access to the operating system and gather data from system memory while limiting access to the system’s hard drives or drawing attention to the investigator’s presence. It is essential that the investigator know what commands can be executed safely and what commands should be avoided. Attempts to gain access to data in memory should not come at the expense of corrupting additional data on the drives. In addition, unauthorized users still on the system might detect the presence of an investigator and perform desperate acts to protect their identity, such as erasing all data on a hard drive or deleting sensitive files containing forensically valuable data.

When examining online systems, no new console or remote logons should be made, as this will often overwrite files or timestamps essential to the forensics analysis process. Access to an already logged on account should be used to gather the minimal amount of information needed that could not otherwise be obtainable from the hard drive during offline analysis. Once the memory data is obtained, the power should be removed from the system without going through the operating system’s standard shutdown process but cutting the power to the computer. Once in an offline state, the system’s data drives can be mirrored safely without affecting integrity of the data contained within the drives.

Mirroring Data Safely and Effectively

Once in the offline state, a state where a system is completely powered down, a system’s data drives should be mirrored and the originals stored in a protected manner. There are many different physical forms the original data may arrive in, and an investigator must be prepared to handle all of them. In general, most data will arrive as hard disk drives, but data can also come in the form of removable media such as CD disks, DVD disks, floppy disks, and magnetic backup tapes. The primary source of data, however, will be hard drives, which usually are one of two types: SCSI or IDE. The process of imaging hard drives is much more complex than that of removable media, generally because of the much larger amounts of data involved.

Hard drive imaging must be carefully and cautiously conducted to ensure no accidental overwrite of data occurs and that the hard drives themselves are physically unharmed. Hard drives do not normally have any sort of write-protect switch to prevent accidental overwriting of data, so special care must be taken. During the forensics process there are a few different techniques for imaging hard drives. The main methods are dedicated forensics system imaging, original system imaging, and system-to-system imaging:

Dedicated Forensics System

The Dedicated Forensics System is a platform special built and designed to be able to accommodate numerous types of hard drive connections. An investigator connects the original data hard drive and a blank hard drive to the forensics system, and then uses specialized imaging software to transfer bit-level information from the original drive to the blank drive. The blank drive can either be the exact dimensions as the original drive or larger. If larger, smaller disk partitions are usually created to contain the copied data.

Once the first master copy is made, the original disk is removed from the system and securely stored, and the master copy is used to image additional drives. This method is preferred over the others for its speed, adaptability, and ease of control.

Original System Imaging

Original System Imaging uses the original computing platform to perform the imaging. A new blank drive is added to the system, and a special boot disk is used to run the imaging software and create the image. This method may be necessary if it is not possible to remove the original drives from the system. However, it requires that the system have room to add the additional blank drive, and that the system be able to boot from the investigator’s forensics media disk that holds the imaging software. This method is most often used when the investigator has to travel to where the original system is located, instead of being able to take receipt of the original drives for imaging.

System-to-System Imaging

The System-to-System Imaging method uses two different computer systems, typically the original system and a forensics imaging system. Both are booted from a special CD or floppy disks that load imaging software for transferring data between the computers using parallel, serial, Ethernet, or USB connection ports. This method is slower than the others, but may be necessary when trying to create an image from two incompatible hard drive formats, such as SCSI and IDE.

Removable media will normally be imaged using a dedicated forensics system. The images are stored on a local hard drive and duplicate copies of disks or tapes are burned/recorded from these images. From the standpoint of data integrity and protection, CD and DVD disks are easiest and safest to handle, as they typically exist in a read-only mode that provide inherent protection against accidental overwrites. Investigators can create an image file for an entire CD/DVD disk and subsequently burn that image file onto new digital media to create additional copies. Floppy disks are also easily duplicated in the same manner, but additional care must be taken to ensure the floppy disk is not written to. Floppy disks have a write-protect tab that can either be set to allow or disallow writing. When imaging floppy disks, the tab should be set in the write-protected (open) position. Backup tapes are similar to floppy disks in that they are magnetic media that typically have a write-protect tab for preventing accidental overwriting of data. Again, the tab must always be set in the write-protected position before performing any imaging.

Summary

Forensics analysis is not just about searching for or discovering information about a particular incident, it is about the responsible handling of sensitive, irreplaceable data. While many techniques exist to create exact disk images for forensics investigations, there are numerous precautions that need to be taken to prevent data corruption during the process. It takes trained, qualified forensics experts to know the right steps to follow, and which commands to execute or not execute. Many system administrators make the mistake of rushing to take investigation matters into their own hands, only to find that they inadvertently overwrite the small, important bits of information a forensics investigator may need. Mistakes made during a forensics investigation can result in an irreversible disaster if the necessary precautions have not been made. Likewise, a break in the chain of custody of evidence can create an insurmountable obstacle for legal authorities to contend with. It is essential that the forensics investigator pay the utmost attention to detail throughout all steps of the analysis process.

Visit the Authors Web Site