Performing Forensic Duplication: When a Clone Really Is a Clone

In any critical incident response, the preferred methodology is to prepare for trial whether there is going to be one or not. Following the most stringent procedures will allow investigators to introduce their evidence regardless of future legal circumstances. Consequently, investigators should always follow the rules of evidence in performing their investigation.

Here are some areas that will likely trigger future legal action:

• Is the incident considered high-profile receiving significant internal and external attention?

• Does the incident involve unequal treatment?

• Does the incident involve criminal allegations?

• Does the incident involve individual privacy?

• Has there been a significant financial or business loss attributed to the incident?

• Is there a need to forensically examine slack space and unallocated free space in the examination to collect evidence in proving the case?

Here are some rules that have been formulated to make it difficult to limit successful legal challenges that the evidence has been altered in any fashion thereby reducing its value.

• The examination of evidence is performed on forensically sterile media. This means that it has been forensically proven that the media on which the original was copied was devoid of any electronic characters. Examining the media with a disk editor or creating a hash of it will generally suffice proving it to be sterile. An exact bit-by-bit copy is made of the original to the sterile media. Examinations and analyses are performed on copies, never on the originals.

• The target system and related data must be protected during the collection ensuring that the data is not altered in any fashion. This includes measures that preclude the target machine's operating system from accessing the media containing the evidence at any point.

• Examinations of media must be made in such a fashion, as the file attributes are not changed from the original. When this is not possible, examiners will perform analyses giving priority to examining the media rather than preserving attributes.

• All examinations are accompanied by an investigator's activity log. In this document, all examination/investigative activities are logged including but not limited to the following:

  • Time/date/place media was acquired for examination

  • Name and title of examiner

  • Hardware and software configuration of machine on which the examination took place

  • Software tools and their versions

  • Commands used in examination

  • Tools and respective commands used in examination

  • Logging should reflect case-relevant discoveries

  • Serial numbers, identification numbers, and other relevant identification of original and examined media

  • Screen prints of examined evidence should be made according to a formal procedure rather than on a random basis

Steps to Follow when Collecting Evidence

Collecting digital evidence consists of securing the target system, conducting an examination of the system and its surrounding environment, forensically duplicating the target media, and preserving the forensic copies. The following are suggested steps provided to assist investigators in collecting evidence:

• Secure the crime scene. Physically control people and possible evidence-items from entering and leaving the target area. In other words, when responders are notified about a possible critical incident, the physical and logical areas should be immediately secured so the critical incident cannot spread. Once this is performed, all persons not directly connected with the investigation should be asked leave the area. Of course, all employees should drop what they are doing and leave the area immediately. At no time is any employee allowed to remove anything from the area or access any device remotely. Designated first-response employees should immediately contain the spread of any damage. In these cases, first-responders are chosen to use finely tuned people-skills when securing an area in advance of the responders.

  Investigators must do their jobs while controlling the comings and goings of people and potential evidence inside the target-area. Regardless of who wants to enter the area, and position in the organization, unless that person is part of the investigation, he should be courteously asked to wait until evidence collection is completed.

• Shut down the victim-machine. Do not touch the keyboard; just unplug the machine from the power supply. There is a significant degree of discussion about this topic involving interacting with the system while an attack is live or concern about lost data when the power is extinguished on the target machines. This is an area where responders must use their experience and training.

• • Depending on the machine and its software, going through a normal shutdown may trigger logic bombs or other data-destroying software. It is also possible that going through the normal shut down routine could change file attributes. This is one of these judgment areas where it is possible that evidence may be lost versus the spread of any damage. Preference in this case must go to the prevention of more damage.

  • Physically secure the system. If the machine is going to be seized and transported, it must be sealed before it is transported. Take photographs of the cabling and label all cables before disconnecting. Cables may be left attached to the machine for future reference and examination depending on circumstances. Machines and cables should be wrapped in electrostatically neutral plastic wrap and sealed before being entered as evidence. Wrapping the machine precludes contaminates from entering the machine during transportation and initial storage. The first person who removes the wrapping should be the examiner. It is recommended that a virgin blank floppy disk should be inserted into the corresponding drive to act as spacer.

  • If the examination is going to take place on the target machine or if the target machine is going to be used to make forensic duplicates of the hard drive, then changing the boot sequence is going to be required. Investigators must determine the operating platform of the target machine before they begin their task. They should know how to change the boot settings before starting the machine. Change the boot sequence so that it recognizes the floppy drive first, then the CD drive, then hard drive. This process will allow investigators to use bootable floppy disks or bootable CDs to take control of the subject-machine away from its native operating system. Bootable floppy disks or bootable CDs have utilities that block writing to the original hard drives or other media as well as other utilities that allow a forensically viable copy to be made of the target media.

  Different Approaches to Media Duplication

  If there is going to be an examination that will possibly lead to legal action, there needs to be a defined procedure for creating a forensically sound duplicate. Forensically sound media duplicates must be bit-by-bit duplicates of the entire target media. In making forensic duplications there are essentially three approaches:

  1. Image the storage medium by removing it from the target machine and connecting it to the forensic computer for duplication. The forensic computer will have software already installed:

     • Allowing an exact duplicate to be made

     • Block any writing to the target medium

     • Survive a critical third-party expert analysis as part of its use as a duplication tool

       This method removes the target media from the BIOS or any other hardware configuration of the original machine. In most cases, this is the preferred duplication procedure.

  2. Image the storage media by attaching virgin-storage media to the target machine. This method usually involves using utilities that prevent writing to the target medium and delivers forensically sound duplicates of the target.

  3. Image the storage medium by sending the disk image over a closed network to the forensics workstation remotely as it is forensically duplicated. For many, this is the preferred method. If this method is used, it must be thoroughly qualified so juries and judges will understand the process. It must also be shown that through the connected systems, none of the digital information was changed or missing.

  Removing the Target Hard Drive

  Trained and experienced forensic investigators have the ability to remove the target media, duplicate it on their specially prepared forensic machine and return it to the target. Many private and law enforcement investigators have already invested in purchasing or building forensic computers with the software required to complete a forensically sound duplicate, software that will not allow the target medium to be changed in any fashion, removable drive bays, and connections to complete most tasks. Carefully investigators document all physical details, cable attachments, model names, serial numbers, appropriate jumper settings, peripheral equipment, and cable connections.

  Investigators must be trained to use specialized software proven to deliver forensically sound duplications. Hard drives and other electronic media may be duplicated with such software as Safeback, EnCase, Ghost, or the UNIX dd command. These are applications that have been popular with investigators for many years and have successfully withstood legal challenges when used correctly.

  • Safeback is available from www.forensics-intl.com.

  • EnCase is available from www.guidancesoftware.com.

  • Ghost is available from www.symantec.com.

  Information about using the UNIX or Linux dd command is available in the "man dd," the systems manuals that are accessible from the command line interface.

There are several advantages to using the investigator's machine in the duplication method:

• The investigators are in control of the situation by not allowing the target machine's operating system to be launched during any duplication or examining operation.

• The investigators can testify about the level professional due diligence they exercised in using their own tested machine.

• There should not be any surprises like configurations that unless discovered will result in files being changed during the startup process.

• This duplication method has been introduced many times previously in judicial proceedings and is understandable by individuals who do not have a great deal of background in technology matters.

• Using the investigator's forensic machine, rather than the target machine for duplication, eliminates problems of compatibility.

Attaching a Hard Drive

There is another duplicating approach — attaching another hard drive or other storage device to the target machine.

The above two duplication methods are basically the same with the exception one is performed on the investigator's machine and the other is performed on the target machine. Attach a forensically cleansed hard drive to the target machine, while the power is off, then as the power comes on, enter the BIOS process and make certain it "sees" the new hard drive.

Safeback, Ghost, and EnCase duplication applications are sufficiently small — they can fit on a floppy disk or bootable CD, so the target machine boots to them and a forensically sound duplicate can be made. In this fashion, the target machine is not allowed to launch its own operating system thereby preserving file attributes.