Performing Forensic Duplication: When a Clone Really Is a Clone

In any critical incident response, the preferred methodology is to prepare for trial whether there is going to be one or not. Following the most stringent procedures will allow investigators to introduce their evidence regardless of future legal circumstances. Consequently, investigators should always follow the rules of evidence in performing their investigation.

Here are some areas that will likely trigger future legal action:

• Is the incident considered high-profile receiving significant internal and external attention?

• Does the incident involve unequal treatment?

• Does the incident involve criminal allegations?

• Does the incident involve individual privacy?

• Has there been a significant financial or business loss attributed to the incident?

• Is there a need to forensically examine slack space and unallocated free space in the examination to collect evidence in proving the case?

Here are some rules that have been formulated to make it difficult to limit successful legal challenges that the evidence has been altered in any fashion thereby reducing its value.

• The examination of evidence is performed on forensically sterile media. This means that it has been forensically proven that the media on which the original was copied was devoid of any electronic characters. Examining the media with a disk editor or creating a hash of it will generally suffice proving it to be sterile. An exact bit-by-bit copy is made of the original to the sterile media. Examinations and analyses are performed on copies, never on the originals.

• The target system and related data must be protected during the collection ensuring that the data is not altered in any fashion. This includes measures that preclude the target machine's operating system from accessing the media containing the evidence at any point.

• Examinations of media must be made in such a fashion, as the file attributes are not changed from the original. When this is not possible, examiners will perform analyses giving priority to examining the media rather than preserving attributes.

• All examinations are accompanied by an investigator's activity log. In this document, all examination/investigative activities are logged including but not limited to the following:

  • Time/date/place media was acquired for examination

  • Name and title of examiner

  • Hardware and software configuration of machine on which the examination took place

  • Software tools and their versions

  • Commands used in examination

  • Tools and respective commands used in examination

  • Logging should reflect case-relevant discoveries

  • Serial numbers, identification numbers, and other relevant identification of original and examined media

  • Screen prints of examined evidence should be made according to a formal procedure rather than on a random basis

Steps to Follow when Collecting Evidence

Collecting digital evidence consists of securing the target system, conducting an examination of the system and its surrounding environment, forensically duplicating the target media, and preserving the forensic copies. The following are suggested steps provided to assist investigators in collecting evidence:

• Secure the crime scene. Physically control people and possible evidence-items from entering and leaving the target area. In other words, when responders are notified about a possible critical incident, the physical and logical areas should be immediately secured so the critical incident cannot spread. Once this is performed, all persons not directly connected with the investigation should be asked leave the area. Of course, all employees should drop what they are doing and leave the area immediately. At no time is any employee allowed to remove anything from the area or access any device remotely. Designated first-response employees should immediately contain the spread of any damage. In these cases, first-responders are chosen to use finely tuned people-skills when securing an area in advance of the responders.

  Investigators must do their jobs while controlling the comings and goings of people and potential evidence inside the target-area. Regardless of who wants to enter the area, and position in the organization, unless that person is part of the investigation, he should be courteously asked to wait until evidence collection is completed.

• Shut down the victim-machine. Do not touch the keyboard; just unplug the machine from the power supply. There is a significant degree of discussion about this topic involving interacting with the system while an attack is live or concern about lost data when the power is extinguished on the target machines. This is an area where responders must use their experience and training.

• • Depending on the machine and its software, going through a normal shutdown may trigger logic bombs or other data-destroying software. It is also possible that going through the normal shut down routine could change file attributes. This is one of these judgment areas where it is possible that evidence may be lost versus the spread of any damage. Preference in this case must go to the prevention of more damage.

  • Physically secure the system. If the machine is going to be seized and transported, it must be sealed before it is transported. Take photographs of the cabling and label all cables before disconnecting. Cables may be left attached to the machine for future reference and examination depending on circumstances. Machines and cables should be wrapped in electrostatically neutral plastic wrap and sealed before being entered as evidence. Wrapping the machine precludes contaminates from entering the machine during transportation and initial storage. The first person who removes the wrapping should be the examiner. It is recommended that a virgin blank floppy disk should be inserted into the corresponding drive to act as spacer.

  • If the examination is going to take place on the target machine or if the target machine is going to be used to make forensic duplicates of the hard drive, then changing the boot sequence is going to be required. Investigators must determine the operating platform of the target machine before they begin their task. They should know how to change the boot settings before starting the machine. Change the boot sequence so that it recognizes the floppy drive first, then the CD drive, then hard drive. This process will allow investigators to use bootable floppy disks or bootable CDs to take control of the subject-machine away from its native operating system. Bootable floppy disks or bootable CDs have utilities that block writing to the original hard drives or other media as well as other utilities that allow a forensically viable copy to be made of the target media.

  Different Approaches to Media Duplication

  If there is going to be an examination that will possibly lead to legal action, there needs to be a defined procedure for creating a forensically sound duplicate. Forensically sound media duplicates must be bit-by-bit duplicates of the entire target media. In making forensic duplications there are essentially three approaches:

  1. Image the storage medium by removing it from the target machine and connecting it to the forensic computer for duplication. The forensic computer will have software already installed:

     • Allowing an exact duplicate to be made

     • Block any writing to the target medium

     • Survive a critical third-party expert analysis as part of its use as a duplication tool

       This method removes the target media from the BIOS or any other hardware configuration of the original machine. In most cases, this is the preferred duplication procedure.

  2. Image the storage media by attaching virgin-storage media to the target machine. This method usually involves using utilities that prevent writing to the target medium and delivers forensically sound duplicates of the target.

  3. Image the storage medium by sending the disk image over a closed network to the forensics workstation remotely as it is forensically duplicated. For many, this is the preferred method. If this method is used, it must be thoroughly qualified so juries and judges will understand the process. It must also be shown that through the connected systems, none of the digital information was changed or missing.

  Removing the Target Hard Drive

  Trained and experienced forensic investigators have the ability to remove the target media, duplicate it on their specially prepared forensic machine and return it to the target. Many private and law enforcement investigators have already invested in purchasing or building forensic computers with the software required to complete a forensically sound duplicate, software that will not allow the target medium to be changed in any fashion, removable drive bays, and connections to complete most tasks. Carefully investigators document all physical details, cable attachments, model names, serial numbers, appropriate jumper settings, peripheral equipment, and cable connections.

  Investigators must be trained to use specialized software proven to deliver forensically sound duplications. Hard drives and other electronic media may be duplicated with such software as Safeback, EnCase, Ghost, or the UNIX dd command. These are applications that have been popular with investigators for many years and have successfully withstood legal challenges when used correctly.

  • Safeback is available from www.forensics-intl.com.

  • EnCase is available from www.guidancesoftware.com.

  • Ghost is available from www.symantec.com.

  Information about using the UNIX or Linux dd command is available in the "man dd," the systems manuals that are accessible from the command line interface.

There are several advantages to using the investigator's machine in the duplication method:

• The investigators are in control of the situation by not allowing the target machine's operating system to be launched during any duplication or examining operation.

• The investigators can testify about the level professional due diligence they exercised in using their own tested machine.

• There should not be any surprises like configurations that unless discovered will result in files being changed during the startup process.

• This duplication method has been introduced many times previously in judicial proceedings and is understandable by individuals who do not have a great deal of background in technology matters.

• Using the investigator's forensic machine, rather than the target machine for duplication, eliminates problems of compatibility.

Attaching a Hard Drive

There is another duplicating approach — attaching another hard drive or other storage device to the target machine.

The above two duplication methods are basically the same with the exception one is performed on the investigator's machine and the other is performed on the target machine. Attach a forensically cleansed hard drive to the target machine, while the power is off, then as the power comes on, enter the BIOS process and make certain it "sees" the new hard drive.

Safeback, Ghost, and EnCase duplication applications are sufficiently small — they can fit on a floppy disk or bootable CD, so the target machine boots to them and a forensically sound duplicate can be made. In this fashion, the target machine is not allowed to launch its own operating system thereby preserving file attributes.

Evidence Tags

Investigators should prepare evidence tags for all collected items. All items are tagged whether retained or returned to the owner. These are generally small gummed or self-adhesive tags that can be secured to outside of the item. Evidence tags may be attached to heat-sealed, electostatically neutral plastic bags containing magnetic media or other types of digital evidence. Storing media in this fashion secures it from static electricity, the elements, and tampering. Sealing the bag with two witnesses present signing the chain of custody schedule avoids future legal arguments challenging changes and custody.

Evidence tags should have the case number, an item number, and date-time-place information as well as the name and initials of the collecting person. In some cases, investigators have a policy that two individuals must witness the collection of evidence. Many law enforcement officers use scribes or markers placing their initials, date, time, and place on the evidence, in addition to the evidence tag, so they can positively identify it in the future. Some investigators think evidence handling is a tedious process. It is. But conscientious attention to details, accompanied by intelligent redundancy, has successfully defused many legal challenges.

Activity Log

On receiving a critical incident notification, the person receiving the call should begin an activity log. It is a complete responder activity log and includes all activities such as:

• Initial notification (Who, What, When, Where, How, Why)

• Interviews

• Management contacts and interaction

• Law enforcement contacts

• Evidence searches, seizures, and inventory

• On-the-spot evidence analysis

• Tools and commands used by responders

• Any other relevant responder activities

This log is a flowing document kept by individuals and later compiled as a single document encompassing all activities by all relevant persons. Notes should be kept, as they will be necessary as part of future legal discovery processes.

Witness Reports

Everyone that is interviewed should have his or her comments noted by the investigator and documented in the form of a written report after the interview is completed. Notes should be made of every person who is interviewed whether they have anything of value or not. Interviewees should answer the questions: who, why, when, where, what, and how. Direct the interview addressing those facts that are known to the witness directly leaving conjecture, speculation, guessing, and "gut-feelings" to the end of the interview. Witness interview reports are not supposed to be verbatim transcripts of the interview, rather they are summaries of important details. Investigators should take careful notes, because from these notes the witness' statement will be formalized into a report. Witness interview reports should be reduced to a formal document reflecting the following information:

• Witness' full name

• Witness' address and identifying information such as the beginning date of employment, business unit, supervisor, duties, etc.

• Purpose of the interview should be briefly explained to the interviewee and documented in the interview

• Identity of the investigators

• Information provided by the witnesses

• Time-date-location of the interview (It is possible that the interview report should mention the specific location of the interview such as a conference room. Current court rulings have made interviews held in hostile locations excludable.)

• Case file number

• Any evidence or materials delivered to the investigators by the witness

If the interview is very important and it is possible the witnesses may later change or recant their statements, witnesses may be requested to reduce their statements to writing. This can be accomplished in several ways, but one of the most successful is to have the witnesses write their statements in their own words. It is a prudent step to have the witnesses review their statements, making any changes they wish as to reflect their recollection of pertinent events.

Signed witness statements should be signed by the interviewee, dated, noting the time and place, and witnessed by at least two other people that must have been present during the entire interview and written statement process.

Some interviews are noted in logs where details of the interview are documented:

• Time of first contact with interviewee

• Place of interview

• Identities of those present during the interview

• Times of any person leaving or entering the interview

• Any requests from the interviewee, for example, food, restroom, union representation, or attorney

Statements used in criminal court proceedings must pass the test of "voluntariness." For example, if an employee were threatened with dismissal if she did not describe how she stole proprietary information from the company and she made a statement admitting it. It is likely this statement will not be admissible in criminal proceedings due to the coercive circumstances under which the statement was obtained.

Recorded Statements

Other types of recordings may be acceptable to memorialize witness statements. Under some circumstances, audio and video recordings may be used documenting interviews. Record the entire interview from start to finish if investigators are going to use audio/video media. This step eliminates arguments that the witness was forced or intimidated while the recording device was not operating. The recording media of the witness' statement is evidentiary. It is handled exactly like all evidence. There should be a chain of custody, evidence identification tag, and storage. In some cases, there are laws regulating audio/video recordings; consult with legal counsel before proceeding.

Hostile Interview Environments

Environments can be considered hostile and intimidating to the witness:

• Was the interview site one where the witness was in a small room with two interviewers? Was the witness advised that they were free to leave the room/building?

• Was the witness under arrest?

• Was the witness threatened with dismissal if they did not cooperate?

• Were the interviewers acting as law enforcement agents?

• Was the witness physically searched before being interviewed?

• Was the interview tone conversational or was it an interrogation where the tone was accusatory?

• Was the witness physically touched in any way?

• Was the witness' liberty significantly impeded in any way?

• Was the room temperature comfortable?

• Were the room's furnishings or lighting unusual or intimidating?

Legal challenges have been successfully filed eliminating witness interviews as it was decided that the surroundings were inherently coercive and intimidating to the witness. For example, investigators should be mindful that unless a person is under arrest, the witness is free to depart the interview at any time. Failing to allow the witness to leave the interview or denying access to medications, food, or restrooms, will likely precipitate a lawsuit and possible criminal charges against the investigators and their employer.

Collecting Evidence

Collecting Evidence

Before the information age, when investigators wanted to collect documentary evidence, by consent, search warrant, or some other legal means, they searched a suspect's wallet, pocketbook, office file cabinet, or trash containers. In today's business environment, many of these areas are still valid places for evidence; however, they pale when compared to the amount of evidence that can be found in the workstation, PDA, laptop, or other mobile device.

What Is Evidence?

The simplest way to define evidence is information, of probative value, confirming or dispelling an assertion. In more common language, evidence either supports allegations or it does not. This is a good reference for electronic evidence, found at the U.S. Department of Justice Web site available at www.usdoj.gov/criminal/cyber-crime/s&smanual2002.htm.

At this point, it may be a good idea to examine the role of computers, networks, and systems and their role as evidence:

• Computers may be used as instruments to commit unlawful acts. For example, if a person launched a denial-of-service attack directed to your E-commerce Web site, the computer used to launch this attack would be considered an instrument of the unlawful act.

• Computers may be used to store evidence of an unlawful act. For example, if an employee downloads pornography on his office workstation, storing it on the hard drive as well as removable media, the workstation and related media have the same role as a file cabinet holding the evidence.

• Organizations and their related systems can be victims of unlawful acts. For example, if an attacker gained access to a server and modified sensitive data, in this instance the organization is a victim of the unlawful act.

• Computers may be physically stolen and thereafter are considered fruits of an unlawful act. For example, a truck loaded with PDAs is hijacked. The handheld computers would be considered fruits of the crime.

In seizing, examining, and analyzing information technology, there are many relevant legal decisions impacting investigative acts. If law enforcement agents want to seize computer systems that form part of a network, unless done correctly, the resulting damaged evidence presents prosecutors with substantial barriers. So formidable are these issues, the prosecutor might decide judges and juries cannot be convinced of the case's merits. Consequently, the prosecution declines to take legal action.

For more information regarding computers and electronic evidence search and seizure, there is substantial information available at www.usdoj.gov/criminal/cyber-crime/searching.html.

Examining the contents of target hard drives and other related media must be driven by the needs of the investigation. In short, this is another one of those "bang for the buck" priority matters. With the average workstation having more than 60 Gb of storage capacity, it is virtually impossible to completely examine every file and byte of stored or deleted information from a practical standpoint.

Data stored centrally on a network server may contain incriminating e-mail, but it also stores irrelevant e-mail of innocent third parties that have a reasonable expectation of privacy. Investigators sifting through messages considered private or privileged might find themselves the object of civil suits and depending on the circumstances criminally prosecuted. Seizing electronic evidence where communications are considered privileged, as e-mail exchanges between clergy and their parishioners, medical doctors and their patients, attorneys and their clients, and husbands and wives, can also result in the materials being excluded from legal actions. At times, determining if media contain privileged communications is an issue decided by the presiding judge; consequently, it is a matter for judicial hearings listening to arguments and evidence from opposing sides.

Evidence Prioritization

In relative terms, 24 Gb of printed data would amount to a stack of paper roughly 500 feet high. Obviously, it would require a large team of investigators to catalog and understand such a large amount of information. Computer forensic examiners must follow standards of evidence collection and analysis in the pursuit of their cases.

Despite the fact examiners may have a legal right to examine and search every file in the system, time constraints or legal limitations may not permit it. Therefore, the examination of files is practically limited to those identified as being case-relevant having evidentiary value. However, there is a voice in opposition to merely looking at the case-relevant files ignoring other evidence in the examination process. For example, an investigator viewing files containing stolen intellectual property should not ignore the files where the subject stored financial information about laundering the financial proceeds of that stolen property. Investigators must prioritize their efforts looking for relevant case-related information and perform sufficient examinations so they are convinced that all files do not contain anything of further evidentiary value.

Examining Computer Evidence

In physical terms, computer evidence generally consists of central processing units, storage media, monitors, printers, routers, firewalls, switches, logs, and software. Evidence stored on physical items is considered latent and needs to be essentially "lifted" to another medium for collection, examination, and preservation. Collection, examination, and analysis are performed on this recovered media and must remain unchanged if going to be considered of evidentiary value.

Often senior managers ask why copied media must remain unaltered if it is going to be used in legal proceedings. The answer is not simple. In the most basic terms, opposing legal sides routinely challenge the media's authenticity and if it is discovered the content has been changed, it feeds arguments that the evidence was intentionally or accidentally altered rendering it useless. Judges and juries have been convinced that although the content was slightly altered by the collection or examination process, the argument was sufficiently enlarged by opposing lawyers that they chose to exclude the digital evidence from their deliberations. Consequently, if digital evidence is to have full evidentiary impact, it must remain unaltered.

To further support this concept, review the following quote from the Federal Rules of Evidence for year 2002:

• Rule 1001. Definitions

  • The following definitions are applicable:

    1. Writings and recordings. — ''Writings'' and ''recordings'' consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photocopying, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation.

    2. Photographs. — ''Photographs'' include still photographs, x-ray films, video tapes, and motion pictures.

    3. Original. — An ''original'' of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. An ''original'' of a photograph includes the negative or any print therefrom.

       If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original''.

    4. Duplicate. — A "duplicate'' is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduces the original.

• Rule 1002. Requirement of Original

  • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.

• Rule 1003. Admissibility of Duplicates

  • A duplicate is admissible to the same extent as an original unless

    1. A genuine question is raised as to the authenticity of the original or

    2. In the circumstances it would be unfair to admit the duplicate in lieu of the original.

These rules permit investigators to use forensic software and other tools to reconstruct an accurate representation of the original data stored on the system. This means the data copied from the target computer may be introduced if it can be proven that this data is a fair and accurate representation of the original.

Of course, opposing sides are going to attack the integrity of the collected evidence; for this reason, it is imperative that when collecting evidence, no one exceeds her expertise, as it could render evidence useless.

Policies and Procedures

Policies and procedures provide instructions and structures and apply to the examination of computers and related media. Their adherence ensures quality and good practices by investigators making sure their efforts are planned, performed, monitored, and recorded. Formalized procedures ensure the integrity and quality of the work performed. Policies should require electronic examinations to be performed on forensically sound copies of the original evidence. This principle is based on the fact that bit-by-bit copies can be made of original digital evidence resulting in exact and true copies of the original.

Policies and procedures must dictate that investigative methods used recovering digital information from computers are valid and reliable. These methods must be technologically and legally acceptable ensuring all relevant information is recovered and preserved. Duplication methods must be legally defensible so nothing in the original was altered when it was forensically copied and that forensic copy is an exact duplicate of the original down to the last bit.

Common Mistakes when Handling Evidence

These are some common mistakes when collecting and preserving evidence:

• Altering the MAC (modify, access, and create) times

• Updating or patching affected systems before responders arrive at the scene

• Using tools that alter the content of the original media

• Writing over evidence by installing software on the target media

• Performing collection and analysis exceeding training and expertise

• Failing to initiate and maintain accurate documentation including chain of custody schedules, commands on the target system, tools to recover digital evidence, and history of actions taken by the responders