Evidence, Its Collection, Preservation, Analysis, and Introduction at Trial

For the record, what is evidence, anyway? All types of legal matters are pursued based on the amount of available evidence. Evidence is defined as something physical and testimonial, material to an act. In order to pursue any legal action, administrative, civil or criminal, there needs to be a sufficiency of evidence supporting an allegation or complaint.

Evidence is something that must be collected in order to prove an event actually happened. The process by which evidence is collected usually follows one or more of these methods:

• Obtained by means of witness examination or deposition

• Obtained by means of interview or interrogation

• Obtained by means of conducting an inspection

• Obtained by means of legal discovery

• Surrendered to an investigator

• Through a search where authorized consent was obtained

• Obtained through the execution of search warrants

• Obtained by means of legal search without a search warrant

• Through court order or summons

• Obtained through a grand jury subpoena

• Obtained by means of a judicial subpoena

Evidence collection is a science governed by laws and regulations and refined by the courts. Unlike some movies and television shows, investigators, law enforcement authorities, and private investigators cannot legally enter into a room or an office uninvited, without a search warrant, and begin rifling through desks and cabinets, and downloading computers. Acts such as these hold our attention, but have dire consequences for the investigators and their evidence. The reason is simple. The evidence that is seen, seized, or derived from an unlawful search and seizure is considered "fruits of a poisonous tree" and will be excluded from any legal proceedings. In addition to having the evidence excluded from the case, investigators and possibly their managers or departments will be fired and sued into oblivion.

As a matter of course, investigators and attorneys have to answer this question with electronic evidence collection: Do the investigators have the right and authority to search and seize the computer, its contents and media, and search the surrounding area? An organization's policies and procedures likely grant this right. If employees understand and acknowledge that they do not have a reasonable expectation of privacy in the workplace, then the investigator's job is relatively simple. However, even with regard to employees that have waived their reasonable expectation of privacy, it is possible that they might have reserved their right to privacy by exchanging private e-mail, using instant messaging, or installing personal software. If their employer failed to take sufficient steps to discover and preclude these prohibited practices, it may be possible that a reasonable expectation of privacy exists. In such cases, investigators might find they cannot routinely search an employee's workstation, office, or e-mail stored on the company's servers. Regardless, investigators still must be very careful and consult with legal counsel before entering an office or equipment room and begin to search or seize evidence.

UNIX-Based Investigations

UNIX File System Analysis

Briefly reviewing the UNIX file system, each disk drive is divided into one or more disk partitions with each containing a single file system. Within each file system is a list of inodes and a set of data blocks. Each inode holds almost all of the information that describes an individual file, including the size of the file, the location of disk blocks, etc. Inode numbers and their corresponding file names are stored in directory entries.

Data blocks are blocks of regularly sized data. The UNIX file system divides any data request to or from a file into logical blocks of data that correspond to the physical blocks on the disk. The downside of this methodology is that the data blocks are not necessarily contiguous to one another. Typically, the UNIX file system uses 8 KB as the size of its logical data blocks.

In UNIX when a file is deleted, the name remains in the directory, but the inode number, the name to which the name points, is removed. The inode itself is changed; consequently, the ctime is updated and the data block location is erased. As a file is deleted, UNIX decrements the inode's internal link to zero.

Removing all directory entry file name inode pairs performs this erase action. When the inode is deleted, the kernel marks its resources as available. The inode still contains all the data about the file and remains until it has been reallocated and overwritten. Having inodes containing some data but having a link count of zero reveals deleted inodes. Without having the file's content available, investigators can learn much about the file with only the metadata remaining in the directory entries and inodes.

To mount a file system, the UNIX kernel needs the sizes and locations of the file system metadata. The first piece of metadata is the super-block and it is stored at a known drive location. The super-block contains information such as the number of inodes and data blocks, size of a data block, etc. Predicated on the information contained in the super-block, the kernel is able to calculate the locations and sizes of the inode table and data portion of the disk. Inodes and data blocks are clustered together in groups scattered across the hard drive media. Usually UNIX maintains more than one super-block, one inode table, and one block array in the event of a disastrous data loss.

Undeleting UNIX

Undeleting UNIX files is different than handling Windows restoration issues. UNIX can be configured to make frequent backups, and it is not unusual for backups to be made hourly. Hopefully, there will be an easily accessed backup and it may be stored in /class/.snapshot. Examining this file will reveal that it is a backup of the home directory from several points in the past. It is possible to copy from this directory the items lost or corrupted in the regular home directory.

There is a UNIX command that should find which directory the home account is stored in: find/class/.snapshot/hourly.0 -name $USER -prune 2>/dev/null

Backups may be in the following path examples:

• /class/.snapshot/hourly.0/01

• /class/.snapshot/hourly.1/01

• /class/.snapshot/weekly.0/01

• /class/.snapshot/weekly.1/01

Retrieving lost e-mail is a very similar process. UNIX makes copies of e-mail in a similar manner as it makes a copy of the home directory. Access to copies of e-mail can be accomplished through /var/mail/.snapshot. By reviewing this directory, backups of deleted e-mail may be seen and captured. Be mindful that viewing e-mail contained in this folder will require it to be loaded into an e-mail client.

Data Hiding Techniques

Data "deleted" from UNIX files can be located by investigators with hex editors searching for specific files and file extensions. However, there is a technique where malicious individuals may attempt to "hide" data from forensic investigations. For the most part, it is effective in systems not using the Berkley Fast File System or FFS.

Experience Note

FFS deprecated the bad data blocks inode, preventing individuals from hiding data in there.

By way of explanation, the bad blocks inode has been used to reference data blocks occupying bad sectors on the target disk thereby preventing these data blocks from being rewritten by live files. If investigators run the file system checker utility, fsck, it is possible that the file system can been seen as having been radically altered.

The first inode that is capable of allocating block resources on an ext2 file system is the bad blocks inode (inode 1) and not the root inode (inode 2). Because of this positioning, it is possible to store data on the blocks allocated to the bad blocks inode and have it hidden from many forensic tools. Malicious individuals have tools that will allow them to exploit flaws in the UNIX file system and store data outside the view of forensic tools. It is for this reason that investigators should look at the physical level of UNIX bad inode blocks before moving on to other areas.

Coroner's Toolkit

Responding to reports of critical incidents happening on UNIX-based systems, investigators establish a timeline of events beginning from the last time the system was stable and uncorrupted through the actual event and until it was discovered and brought to a halt. The Coroner's Toolkit is a collection of utilities that attempt to gather and analyze data in the target UNIX-based system where investigators can accomplish their goals.

The Coroner's Toolkit contains the following data-gathering tools:

• grave-robber, the main data-gathering program

• file, Ian Darwin's file command

• icat, copies a file by inode number

• ils, list file system inode information

• lastcomm, a portable lastcomm command

• mactime, the MAC time file system reporter

• md5, the RSA-based MD5 digital signature tool

• pcat, copies the address space of a running process

• unrm, uncovers unallocated blocks from a raw UNIX file system

• Lazarus, attempts to resurrect deleted files or data from raw data

Within the Coroner's Toolkit, available at www.porcupine.org/forensics/, there is a tool called unrm that can emit all the unallocated data blocks on a UNIX file system. It functions by reading the list of free data blocks, locating each logical block, and looking to see if they contain any blocks of unallocated data. The unrm should be used if investigators are looking for a specific file known to be deleted.

Another effective data recovery tool is Lazarus. Lazarus attempts to give unstructured data some structure that can be viewed and manipulated. Lazarus depends on UNIX never writing file data except in well-defined boundaries. UNIX generally writes files in contiguous data blocks, when possible, attempting to boost performance. For this reason, UNIX should never need a defragmenting utility, unlike some other popular operating systems. Lazarus maps the disk that is created and provides visibility into the disk seeing the data by content type. Lazarus is a very comprehensive program in that it takes a very broad view of deleted files.

Using unrm and Lazarus will fill significant amounts of disk space on the forensic machine. Because Lazarus takes a large view of its work, it does not run in just a few minutes, so investigators are advised to let it run for several hours, if not days, before being able to see the results.

Using unrm and Lazarus is not as easy as using a Windows file recovery tool, using them is a time consuming and laborious process. It would best be described as a "hit and miss" process.

Experience Note

There is an interesting series of short articles about UNIX/Linux file system recoveries located at recover.sourceforge.net/linux.

Success rates restoring deleted UNIX files are spotty at best. The easiest way to restore deleted files from a UNIX system is to access an uncorrupted backup copy. UNIX administrators should back up all critical files on a regular basis observing the risk manager's axiom… the more important a file is, the more often it should be backed up.

Hiding Files

Users will go to many extremes to cover their tracks. Regrettably, employees and attackers employ a variety of ways to hide their nefarious acts by concealing files, including:

• Placing them in storage facilities located outside the workplace

• Secreting data in hidden hard disk partitions hoping no one will think to look there

• Encrypting data partitions of their hard drives with complex algorithms

• Encrypting data through the use of steganography

Web sites provide storage for users and may be accessed from any system with Internet access. For a small fee, files may be securely and privately stored on remote sites ready for access at some future date. In order for investigators to locate such services on target machines, it is recommended that a thorough review is made of pertinent files resident on subject's computer. Look for URLs in the history, temporary, and bookmark files indicating that files may have been stored there. If you have a very sophisticated user who could conceal his activities, check the user logs where access is made from the inside to the outside network for online storage sites.

In the case of having files, storage media, and hard drives encrypted by a password, investigators may try to obtain access by running a password cracking application. It is important to identify the application such as Word, Excel, or WordPerfect, as many cracking applications are specific to individual programs. With password protected files, it may be possible to run a tool like John the Ripper and brute force the password.

With encrypted hard drives, if investigators can identify the protection application, there are some manufacturers that provide a universal password that permits access in the event the hard drive owner forgot her password. By way of application, the encryption key is based on the password. If the drive's content is completely encrypted, consequently, working at a physical level is not going to provide any insight. Having the password is the only way to access an encrypted drive.

Steganography

Steganography is a concealment application where information is hidden in plain sight. By secreting data in an otherwise innocuous multimedia object (usually image or sound files) called carriers, steganography can hide information remaining essentially impervious to detection. Steganographic applications accomplish their task by first hiding the data's existence in the carrier and then encrypting it. Detecting these data-carrier files is a two-prong problem; first the multimedia file containing the data must be identified and then the data must be deciphered. With a workstation containing possibly hundreds or even thousands of such files, the task is formidable indeed.

Investigators can possibly determine if they have a steganography user by locating the program on the workstation's target hard drive or locating it at another location. Finding such an application might indicate the user has encrypted files with hidden data in them. Placing image or sound files in a steganographic application will result in a password prompt. This prompt does not necessarily mean the target file contains hidden data, so these tools cannot be used to screen potential files for hidden data. Most steganographic applications will prompt for passwords whether the file has data concealed in it or not.

There is one tool that claims to be able to detect steganographically hidden .jpg files and is available at www.outguess.org/download.php.

A wide variety of steganography tools are available at members.tripod.com/steganography/stego/software.html.

Creative investigators may well be served to obtain the passwords from the owner before attempting to brute force passwords in an effort to decipher encrypted files and drives. Failing this effort, using a technique such as the installation of a keyboard monitor to capture all the user's keystrokes may prove to be the answer. Outside of law enforcement, employers may implement keystroke monitors where employees do not have any reasonable expectation of privacy in their workstation or systems use.

Experience Note

Within the statutory constraints applicable to law enforcement agencies, search warrants and court ordered wiretaps govern the use of keyboard monitors.

Software keyboard monitors and similar tools made by Spector Soft are available at www.spector.com.

Hardware keyboard monitors are available at www.keykatcher.com/index.htm.

Locating hardware keyboard monitors is a matter of tracing desktop cabling. These are small cylindrical or box-shaped devices that are placed in-series with cables connecting keyboards to desktop towers or between the desktop and the network. Investigators should be aware that keykatcher makes a keyboard that acts as a keyboard monitor eliminating the inline device.

Finding hardware keyboard monitor information is available at www.spy-cop.com/keyloggerremoval.htm.

Finding software keyboard monitor software information is available at www.spy-cop.com/spycop-free-product.htm.

Before using such a technique, it would be prudent to consult with prosecutors or corporate legal counsel. Also, consult with your legal counsel before attempting to provide the results of a keyboard monitor to law officers.

Strong Encrypted Protections

There seems to be a growing use of encryption with very strong protection features. While there are many talented investigators and analysts in the world today, the conversion of encrypted data to plain text data in most cases is virtually impossible. Unless data may be captured from the target keyboard through legal means, investigators have to accept the idea there will be information that cannot be accessed within the limits of current technology and resources.

File Recovery Alternatives for UNIX/Linux

There is an alternative file recovery utility for Ext2 files systems used in Linux and some flavors of UNIX. It uses proprietary technology and flexible settings providing control over the data recovery process. It is called R-Linux and is available at www.rtt.com/RLinux.shtml. It is interesting to note that R-Linux is a Windows-based utility used to recover Linux data.

Evidence Collection: Interviewing for Evidence of Controls

Interviewing for Evidence of Controls
Interviews can be very useful in obtaining evidence of the existence of controls and the procedures. By way of widely accepted measures, there are already formulated audit programs to address internal controls and their implementation. Examples of these programs are ISO 17799, available at www.iso.ch and COBIT™ (Control Objectives for Information and related Technology) and ISACA, available at www.isaca.org. These programs attempt to provide generally accepted internal control guidance for auditors and are worth reviewing before beginning an IT audit engagement.

The object of the auditor's employee interview is to determine the present condition of the system and compare this condition with the audit program criteria. In the pursuit of interviews, the auditor should ask employees for evidence of the controls in the form of questions:

May I see it?

Please show me how you _______.

May I observe you working?

How do you perform the process of _______?

Is it possible for you to delete transaction logs?

Please show me if you can do this _______ operation.

An experienced auditor will interview several employees having similar jobs in order to compare results and decide whether policies and procedures are being practiced or not.

Interview Analysis
As soon as possible after the interview, the auditor should prepare a written report of the interview from the notes taken. Be certain to separate fact from inference and speculation.

Facts are those things that the interviewee has heard, seen, or in which she has materially participated. They know the facts because they were there. Inference is a logical extension of the interviewee's mind — for example, if a cat and a mouse were placed in a box and the top closed and placed where it is under constant observation. A few minutes later the box is opened; the mouse is discovered to be gone. It is inferred that the cat ate the mouse even though no one actually observed it. Speculation is merely that the interviewee is guessing about something. For example, if there is a sudden increase in system processing time and the interviewee indicates the reason is attributable to increased input error rates, but cannot offer any observation or other substantive proof, then the response is speculative.

Do not discount the value of speculation. Wise auditors give speculation due consideration depending on the credibility, experience, and training of the interviewee. Many experienced auditors include speculation at the end of their interview report accompanied by proper qualifications.

Interview notes and written reports should be retained as permanent parts of the auditors' work papers. Senior managers should not be surprised when knowledgeable attorneys or investigators request audit interview notes and reports as legal processes. They are looking for evidence that the audit work papers can reconstruct audit events.

Questionnaires
Auditors may use written questionnaires as effective means to collect evidence. Responses obtained to questions asked on questionnaires indicate the presence or absence of controls or the incorrect application of controls. They can elicit users' comments about the effectiveness and efficiency of a system or subsystems. There are basically three major aspects of their design:

1. Design of questions

2. Design of responses

3. Design of layout and structure

The primary focus on questionnaire design is the crafting of questions to ensure the respondents understand the facts required. It is not unreasonable that some questions are redundant ensuring the respondents understand which facts are being requested. Questions need to be self-explanatory. If the question asks about input field limits, then it is expected the anticipated respondent already knows what input field limits are and when they apply. Here are a few questionnaire best practices:

Make certain the questions are specific. Rather than ask if input fields are controlled, ask which applications examine input field correctness.

Use simple, plain language.

Avoid technical jargon.

Avoid abbreviations; use specific language instead.

Avoid ambiguous language.

Avoid leading questions. Leading questions suggest answers that respondents should reply. For example, "Do employees use the human resources system interface?" A much better question is phrased as, "How is human resources information obtained online, and by whom?"

Avoid hypothetical questions. Stick to the facts. Do not ask questions based on assumptions. For example, "How often would you use the human resources system in a month's time?" This presupposes that the respondent knows about the human resources system and uses it monthly.

Avoid questions that require extensive and accurate recall. "How many times did you use the human resources system during the past two months?" This is a question that cannot be easily answered. Instead, ask the respondent if he/she keeps a record of their use of a particular system.

If the questionnaire has a scale of responses, make certain they are applicable to the topic. If the questionnaire asks the location of fire extinguishers in the warehouse, then ask if fire extinguishers are present, how many are present, and their locations. Make certain the questionnaire is directed to the right employees. Asking the finance unit questions about the location of fire extinguishers in the warehouse is not going to produce relevant answers.

The layout and structure of a questionnaire affect its accuracy. If the questionnaire is mailed, its layout and structure will likely affect the response rate. Its objective is to be well-received with clear, simple, logical, and appealing construction. The length of a questionnaire also affects the success of completion. If questions and questionnaires are too long, respondents lose interest and provide answers that may not accurately reflect their observations. Care must be taken to craft the flow of questions through the questionnaire. At the beginning, general questions should be asked placing little stress on the respondent with more difficult questions placed toward the middle or end of the topic areas.