Computer Evidence Processing Steps
NTI conducts hands-on computer forensics training courses which expose computer professionals to the many hazzards and risks associated with computer evidence processing and computer security. NTI's computer forensics training courses designed to drive home several important points, i.e., computer evidence is fragile by its very nature and the problem is compounded by the potential for destructive programs and hidden data.
Even the normal operation of the computer can destroy computer evidence that might be lurking in temporary operating system files, temporary application working files and ambient data storage areas. NTI provides its training clients with a solid foundation built upon technical knowledge so that they will understand the technical issues concerning the creation, modification and storage of computer data. Without this knowledge they will be unable to testify about their computer forensic findings. NTI also wants its clients to have a complete understanding of the technical issues so that they can make the right decisions about computer security risk management and computer evidence processing issues. It is not enough to run a computer forensics program and get results. Good decisions are made by knowledgable individuals who understand the underlying technical issues tied to the potential security risks and evidence processing issues tied to personal computers.
There are no strict rules that must be followed concerning the processing of computer evidence. Every case is different and flexibility and good technical knowledge make the difference between success and failure. However, many times decisions need to be made without full the knowledge of the issues involved. For that reason NTI has provided the following guidelines which are intended to assist its clients. Please remember that these guidelines do not represent 'the only true way'. They are intended to be general guidelines which are provided as food for thought. If you have an emergency and you are not yet formally trained, click here for emergency guidelines.
General evidence processing guidelines follow:
Shut Down the Computer
Depending upon the computer operating system involved, this usually involves pulling the plug or shutting down a net work computer using relevant operating system commands. At the option of the computer specialists, pictures of the screen image can be taken using a camera. However, consideration should be given to possible destructive processes that may be operating in the background. These can be resident in memory or available through a modem or network connection. Depending upon the operating system involved, a time delayed password protected screen saver may potentially kick in at any moment. This can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down or powered down as quickly as possible.
Document the Hardware Configuration of The System
It is assumed that the computer system will be moved to a secure location where a proper chain of custody can be maintained and the processing of evidence can begin. Before dismantling the computer, it is important that pictures are taken of the computer from all angles to document the system hardware components and how they are connected. Labeling each wire is also important so that the original computer configuration can be restored. Computer evidence should ideally be processed in a computer hardware environment that is identical to the original hardware configuration.
Transport the Computer System to A Secure Location
This may seem basic but all too often seized evidence computers are stored in less than secure locations. It is imperative that the subject computer is treated as evidence and it should be stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential computer evidence and the chain of custody. Furthermore, a seized computer left unintended can easily be compromised. Evidence can be planted on it and crucial evidence can be intentionally destroyed. A lack of a proper chain of custody can 'make the day' for a savvy defense attorney. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Do not leave the computer unattended unless it is locked in a secure location!
NTI provides a program named Seized to law enforcement computer specialists free of charge. It is also made available to NTI's business and government in various suites of software that are available for purchase. The program is simple but very effective in locking the seized computer and warning the computer operator that the computer contains evidence and should not be operated. Click here for information about NTI's software suites or click here for the law enforcement order form.
Make Bit Stream Backups of Hard Disks and Floppy Disks
The computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks. All evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy and they are essential for any serious computer evidence processing. More information about bit stream backups has been provided on this site. Click here for the article about making bit stream backups. In March 2000, NTI purchased SafeBack software from Sydex, Inc. This is a very popular bit stream backup tool that has become an international standard since 1991. NTI covers the use of this software in its computer forensics training courses.
Mathematically Authenticate Data on All Storage Devices
You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law enforcement and military agencies have used a 32 bit mathematical process to do the authentication process. Mathematically, a 32 bit data validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer accurate enough. A 32 bit CRC can easily be compromised. Therefore, NTI includes two programs in its forensic suites of tools that mathematically authenticate data with a high level of accuracy. Large hashing number, provides a mathematical level of accuracy that is beyond question. These programs are used to authenticate data at both a physical level and a logical level. The programs are called CrcMD5 and DiskSig Pro. The latter program was specifically designed to validate a restored bit stream backup and it is made available free of charge to law enforcement computer specialists as part of NTI's Free Law Enforcement Suite. The programs are also included in our various suites of forensic software which are sold NTI's clients.
Document the System Date and Time
The dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight-saving time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential. NTI has created a program called GetTime which is used for this purpose. It is included in the NTI various suite of tools.
Make a List of Key Search Words
Because modern hard disk drives are so voluminous, it is all but impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. One such tool is NTI's TextSearch NT which is certified for use by the U. S. Department of Defense. Usually, some information is known about the allegations in the case, the computer user and the alleged associates that may be involved. Gathering information from individuals familiar with the case to help compile a list of relevant key words is important. Such key words can be used in the search all computer hard disk drives and floppy diskettes using automated software. Keeping the list as short as possible is important and you should avoid using common words or words that make up part of other words. In such cases, the words should be surrounded with spaces. Intelligent filtering tools can also be helpful in crafting lists of key words for use in computer evidence processing, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML.
Evaluate the Windows Swap File
The Windows swap file is potentially a valuable source of evidence and leads. The evaluation of the swap file can be automated with several of NTI's forensic tools, e.g., NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. These intelligent filters automatically identifies patterns of English language text, phone numbers, social security numbers, credit card numbers, Internet E-Mail addresses, Internet web addresses and names of people.
In the past this tedious task of analyzing Windows swap files was done with hex editors and the process took days to evaluate just one Windows swap file. By using automated tools, that process now takes just a few minutes. When Windows 95/98 is involved, the swap file may be set to be dynamically created as the computer is operated. This is the default setting and when the computer is turned off, the swap file is erased. However, not all is lost because the content of the swap file can easily be captured and evaluated by NTI's GetFree program. This program automatically captures erased file space and creates a file that can be evaluated by NTI's various intelligent filter programs mentioned above.
The NTA Stealth program relies upon artificial intelligence fuzzy logic to identify patterns of text associated with past Internet activities. This program is used by probation and parole officers to montior the computer and Internet activity of convicted sex offenders. It is also used in corporations to identify inappropriate uses of computers in the workplace and it is used in law enforcement and military agencies.
The output from NTA Stealth, Filter_N, FNames, Filter_G, GExtract and GetHTML. can be successfully used to identify 'unknown key words' that can supplement the key word list created in the step above. The automated review of the Windows swap file takes just a few minutes with these automated tools. A manual review of the Windows swap file can take days or even weeks if the process is done manually using programs like the Norton utilities.
Evaluate File Slack
File slack is a data storage area of which most computer users are unaware. It is a source of significant 'security leakage' and consists of raw memory dumps that occur during the work session as files are closed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or the view of the computer user. Specialized forensic tools are required to view and evaluate file slack and it can prove to provide a wealth of information and investigative leads. Like the Windows swap file, this source of ambient data can help provide relevant key words and leads that may have previously been unknown.
On a well used hard disk drive, as much as 900 million bytes of storage space may be occupied by file slack. File slack should be evaluated for relevant key words to supplement the keywords identified in the steps above. Such keywords should be added to the computer investigator's list of key words for use later. Because of the nature of file slack, specialized and automated forensic tools are required for evaluation. NTI has created a forensic utility called GetSlack that captures file slack from hard disk drives and floppy disks. The output from the GetSlack program can be evaluated in the same fashion as a Windows swap file using the intelligent filter programs listed above. File slack is typically a good source of Internet leads.
Evaluate Unallocated Space (Erased Files)
The DOS and Windows 'delete' function does not completely erase file names or file content. Many computer users are unaware the storage space associated with such files merely becomes unallocated and available to be overwritten with new files. Unallocated space is a source of significant 'security leakage' and it potentially contains erased files and file slack associated with the erased files. Often the DOS Undelete program can be used to restore the previously erased files. Like the Windows swap file and file slack, this source of ambient data can help provide relevant key words and leads that may have previously been unknown to the computer investigator.>
On a well used hard disk drive, millions of bytes of storage space may contain data associated with previously erased files. Unallocated space should be evaluated for relevant key words to supplement the keywords identified in the steps above. Such keywords should be added to the computer investigator's list of key words for use in the next processing step. Because of the nature of data contained in unallocated space and its volume, specialized and automated forensic tools are required for evaluation. NTI has created a forensic utility called GetFree that quickly captures all unallocated space from hard disk drives and floppy disks. The output from the GetFree program can be evaluated in the same fashion as the other types of ambient data mentioned previously using intelligent filter programs. Unallocated space is typically a good source of data that was previously associated with word processing temporary files and other temporary files created by various computer applications. It is also a good source of leads concerning graphics files that have been viewed over the Internet and NTI's GExtract software can be used very effectively to identify these graphic file remnants left behind in unallocated storage space.
Search Files, File Slack and Unallocated Space for Key Words
The list of relevant key words identified in the previous steps should be used to search all relevant computer hard disk drives and floppy diskettes. There are several forensic text search utilities available in the marketplace. NTI's forensic search TextSearch NT can be used for that purpose and it has been tested and certified for accuracy by the U. S. Department of Defense. This powerful search tool is also included as part of NTI's suites of software tools. It was designed to be a state-of-the-art search tool for use as a security review tool by U. S. government intelligence agencies. This program and other NTI forensic tools also provide significant benefits in cases involving computer related evidence. For this reason and to help stretch limited law enforcement budgets, NTI makes all of its forensic software tools and training available to law enforcement computer crime specialists for discounted prices.
It is important to review the output of a forensic text search utility. When relevant evidence or leads are identified, the fact should be noted and the identified data should be documented. When new key words are identified in the searching process, then they should be added to the list and a new search should be conducted using the text search utility again with the updated search list. Text search utilities are also used, on a regular basis, in classified government agencies for security reviews. When evidence or unexpected findings are uncovered in government security reviews, they should also be documented and archived as potential evidence. NTI's TextSearch NT is certified by the U. S. Department of Defense and its little brother, TextSearch Plus has been used for years in classified U. S. government agencies to process evidence and to conduct computer security reviews.
Document File Names, Dates and Times
From an evidence standpoint, file names, creation dates, last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and 'erased' files. NTI includes a program called FileList Pro in its various suites of forensic tools. The FileList Pro program generates its output in the form of a database file. The file can be sorted based on the file name, file size, file content, creation date, last modified date and time. Such sorted information can provide a timeline of computer usage. When FileList Pro created databases can be combined from several computers in the same case and the sorted output can provide conspiratorial leads for further investigation. This powerful inventory tool is used to evaluate all Microsoft-based computer systems in computer related investigations.
NTI also created another forensic documentation tool called NTIDOC. This program is used to take electronic snapshots of relevant computer files. The program automatically records the file name, time and date along with relevant file attributes. The output is in the form of a word processing compatible file that can be used to help document computer evidence issues tied to specific files.
Identify File, Program and Storage Anomalies
Encrypted, compressed and graphic files store data in binary format. As a result, text data stored in these file formats cannot be identified by a text search program. Manual evaluation of these files is required and in the case of encrypted files, much work may be involved. NTI's TextSearch Plus program has built in features that automatically identify the most common compressed and graphic file formats. The use of this feature will help identify files that require detailed manual evaluation. Depending on the type of file involved, the contents should be viewed and evaluated for its potential as evidence.
Reviewing the partitioning on seized hard disk drives is also important. The potential exists for hidden partitions and/or partitions formatted with other than a DOS compatible operating system. When this situation exists it is comparable to finding a hidden hard disk drive and volumes of data and potential evidence can be involved. The partitioning can be checked with any number of utilities including the DOS FDISK program or Partition Magic. When hidden partitions are found, they should be evaluated for evidence and their existence should be documented.
If Windows is involved, it makes sense to evaluate the files contained in the Recycle Bin. The Recycle Bin is the repository of files selected for deletion by the computer user. The fact that they have been selected for deletion may have some relevance from an evidentiary standpoint. If relevant files are found, the issues involved should be documented throughly.
Evaluate Program Functionality
Depending on the application software involved, running programs to learn their purpose may be necessary. NTI's training courses make this point by exposing the students to computer applications that do more than the anticipated task. When destructive processes are discovered that are tied to relevant evidence, this can be used to prove willfulness. Such destructive processes can be tied to 'hot keys' or the execution of common operating commands tied to the operating system or applications. Before and after comparisons can be made using the FileList Pro program and/or mathematical authentication programs. All these tools are included in most of NTI's suites of forensic tools
Document Your Findings
As indicated in the preceding steps, it is important to document your findings as issues are identified and as evidence is found. Documenting all of the software used in your forensic evaluation of the evidence including the version numbers of the programs used is also important. Be sure that you are legally licensed to use the forensic software. Software pirates do not stand up well under the riggers of a trial. Smart defense lawyers will usually question software licensing and you don't want to testify that you used unlicensed software in the processing of computer evidence. Technically, software piracy is a criminal violation of federal copyright laws.
When appropriate, mention in your documentation that you are licensed to use the forensic software involved. With NTI's software, a trail of documentation is automatically created for the computer investigator and the name of the licensed user is listed in most output files. This feature aids in establishing who did the processing and the exact time and date when the processing was done. Screen prints of the operating software also help document the version of the software and how it was used to find and/or process the evidence.
Retain Copies of Software Used
As part of your documentation process, we recommend that a copy of the software used be included with the output of the forensic tool involved. Normally this is done on an archive Zip disk, Jazz disk or other external storage device, e.g. external hard disk drive. When this documentation methodology is followed, it eliminates confusion at trial time about which version of the software was used to create the output. Often it is necessary to duplicate forensic processing results during or before trial. Duplication of results can be difficult or impossible to achieve, if the software has been upgraded and the original version used was not retained. Please note that there is a high probability that you will encounter this problem because most commercial software is upgraded routinely but it may take years for a case to go to trial.