TRANSCRIPT
Module V - First Responder Procedures
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scenario
Sam, a system administrator, was surprised to see critical files missing from his office server. He suspected that the server was compromised. He did not want to take a chance by investigating the system himself.
Sam reported the incident to Bob, an Information Security Officer employed with the same firm. Bob took note of the request from Sam. Being a CHFI, seizing Sam’s system and following the basic procedures in investigating the case was easy for Bob.
He investigated an image of the server's hard disk. His investigation revealed the presence of a rootkit in one of the directories of the server.
During the investigation process, Sam recalled downloading a patch management tool from the Internet from a third-party source. He realized that the rootkit could have been bundled with the patch management tool.
News: Mobile Handsets Becoming A 'Smoking Gun'
Source: http://www.darkreading.com/
Rise in mobile devices in the enterprise adds new challenges to incident response
Dec 01, 2008 | 02:42 PM, by Kelly Jackson Higgins, DarkReading
You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or still-live signal could wipe out or taint the evidence stored on it. As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices and freezing the evidence on them isn't so easy.
"The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine for the finder."
But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she said during a presentation at the recent CSI 2008 conference.
The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile" devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance, Schroader said. "Every three days a new digital device goes into the consumer market," she said, and there aren't enough forensic examiners to keep up with them.
Module Objective
This module will familiarize you with:
• Electronic Evidence
• First Responder
• Role of the First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes
Module Flow
• Electronic Evidence
• First Responder
• Role of First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes
Electronic Evidence
“Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device”
Properties of electronic evidence:
• It is latent, like fingerprint or DNA evidence: it cannot be seen without the right tools
• It can be altered, damaged, or destroyed by improper handling
• It can be time-sensitive: volatile data is lost when power is removed, and logs are overwritten as time passes
First Responder
The first responder is the person who arrives first at the crime scene and accesses the victim’s computer system after the incident
He may be a network administrator, a law enforcement officer, or an investigating officer
He is responsible for identifying, protecting, and preserving the evidence obtained from the crime scene
Roles of First Responder
Identifying the crime scene
Protecting the crime scene
Preserving temporary and fragile evidence
Collecting the complete information about the incident
Documenting all the findings
Packaging and transporting the electronic evidence
Electronic Devices: Types and Collecting Potential Evidence
Computer systems:
• Evidence is found in files stored on servers, memory cards, hard drives, removable storage devices, and media such as floppy disks, CDs, DVDs, cartridges, and tape
Hard drive:
• To collect the evidence, check text, picture, video, multimedia, database, and computer program files
Thumb drive:
• To collect the evidence, check text, graphics, image, and picture files
Memory card:
• To collect the evidence, check event logs, chat logs, text files, image and picture files, and Internet browsing history
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Smart card, dongle, and biometric scanner:
• Evidence is found by recognizing or verifying the information on the card against the user, the level of access, configurations, and permissions, and in the device itself
Answering machine:
• Evidence is found in voice recordings such as deleted messages, the last number called, memos, phone numbers, and tapes
Digital camera:
• Evidence is found in images, removable cartridges, video, sound, and time and date stamps
Pager:
• To collect the evidence, check address information, text messages, e-mail, voice messages, and phone numbers
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Personal digital assistants:
• Evidence is found in the address book, appointment calendars or information, documents, and e-mail
Printer:
• Evidence is found through usage logs, time and date information, and network identity information
Removable storage devices (tape, CD, DVD, floppy):
• Evidence is found in the devices themselves
Telephones:
• Evidence is found through names, phone numbers, caller identification information, and appointment information
Modem:
• Evidence is found on the device itself
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Scanner:
• Evidence is found in the device itself and in the documents that have been scanned
Copiers:
• Evidence is found in documents, user usage logs, and time and date stamps
Credit card skimmers:
• Evidence is found through the card’s expiration date, the user’s address, credit card numbers, and the user’s name
Digital watches:
• Evidence is found through the address book, notes, appointment calendars, phone numbers, and e-mails
Facsimile (fax) machines:
• Evidence is found through documents, phone numbers, the film cartridge, and send or receive logs
First Responder Toolkit
First Responder Toolkit
The first responder toolkit is a set of tested tools which helps the first responder collect genuine and presentable evidence
It helps the first responder understand the limitations and capabilities of electronic evidence at the time of collection
Creating a First Responder Toolkit
Create a trusted forensic computer or testbed by:
• Choose the related operating system
• Completely sanitize the forensic computer
• Install the operating system and required software
• Update and patch the forensic computer
• Install a file integrity monitor to test the integrity of the file system
Document the details of the forensic computer with:
• Version, name, and type of the operating system
• Names and types of the installed software
• Names and types of the installed hardware
Creating a First Responder Toolkit (cont’d)
Document a summary of the collected tools:
• It helps the first responder understand how a tool works
• The summary comprises:
  • Acquisition of the tool
  • Detailed description of the tool
  • Working of the tool
  • Tool dependencies and the effects on the system
Test the tools:
• Test the collected tools on the forensic computer and examine the performance and output
• Examine the effects of the tool on the forensic computer
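Automating the file-integrity check and the tool inventory that the two slides above call for, the following is an added example written for this module, not EC-Council's or any vendor's code. It baselines a toolkit directory with SHA-256 hashes plus a record of the workstation the baseline was taken on, and later verifies the tree, reporting modified, added, and missing files. The toolkit layout, file names, and the tampering in demo() are constructed for the demonstration; the manifest is assumed to be stored off the tree being checked (here a sibling path), or it would report itself as an added file.

```python
"""Baseline and verify a first-responder toolkit directory.

Added example for this module, not EC-Council's or a vendor's code. It assumes
the toolkit is a single directory tree and that the manifest is stored away
from that tree (otherwise the manifest would report itself as an added file).
"""
import hashlib
import json
import platform
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large tool images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every regular file under root (relative path, size, SHA-256)
    together with the workstation the baseline was taken on, since the module
    asks for the forensic computer itself to be documented."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return {
        "workstation": {"platform": platform.platform(),
                        "python": platform.python_version()},
        "files": files,
    }


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline and report differences."""
    current = build_manifest(root)["files"]
    known = baseline["files"]
    modified = sorted(k for k in known if k in current
                      and current[k]["sha256"] != known[k]["sha256"])
    missing = sorted(k for k in known if k not in current)
    added = sorted(k for k in current if k not in known)
    return {"modified": modified, "missing": missing, "added": added,
            "clean": not (modified or missing or added)}


def demo() -> dict:
    """Constructed toolkit: baseline it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "toolkit"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "imager.sh").write_text('#!/bin/sh\ndd if="$1" of="$2" bs=4M\n')
        (root / "bin" / "hasher.sh").write_text('#!/bin/sh\nsha256sum "$@"\n')
        (root / "TOOLS.txt").write_text("imager.sh: acquisition\nhasher.sh: integrity\n")

        # The baseline goes to a sibling path, i.e. off the tree being checked.
        manifest_path = Path(tmp) / "toolkit-manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root), indent=2))
        baseline = json.loads(manifest_path.read_text())
        before = verify_manifest(root, baseline)

        # Simulated tampering between two deployments: a tool is altered,
        # a stray binary appears, and the tool documentation is lost.
        with (root / "bin" / "imager.sh").open("a") as fh:
            fh.write("echo tampered\n")
        (root / "bin" / "dropped.exe").write_bytes(b"MZ\x90\x00")
        (root / "TOOLS.txt").unlink()
        after = verify_manifest(root, baseline)

    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from write-protected toolkit media before every deployment and keep the manifest with the case notes; a non-empty modified or added list means the toolkit is no longer the tested set the module describes and should not be used on a scene until it has been rebuilt and re-baselined.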
Evidence Collecting Tools and Equipment
Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, and markers)
Documentation Tools:
• Cable tags
• Indelible felt tip markers
• Stick-on labels
Disassembly and Removal Tools:
• Flat-blade and Phillips-type screwdrivers
• Hex-nut drivers
• Needle-nose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Star-type nut drivers
• Wire cutters
Evidence Collecting Tools and Equipment (cont’d)
Package and Transport Supplies:
• Antistatic bags
• Antistatic bubble wrap
• Cable ties
• Evidence bags
• Evidence tape
• Label tags
• Tape
• Packing materials
• Sturdy boxes of various sizes
Other Tools:
• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Unused floppy diskettes
Evidence Collecting Tools and Equipment (cont’d)
Notebook Computers:
• Licensed software
• Bootable CD
• External hard drives
• Network cables
Software Tools:
• DIBS® Mobile Forensic Workstation
• AccessData's Ultimate Toolkit
• TEEL Technologies SIM tools
Hardware Tools:
• Paraben Forensics Hardware
• Digital Intelligence Forensic Hardware
• Tableau Hardware Accelerator
• Wiebetech forensics hardware tools
• Logicube forensics hardware tools
First Response Basics
First Response Rule
Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information
Any attempts to retrieve data by unqualified individuals should be avoided as these attempts could either compromise the integrity of the files or result in files being inadmissible in legal or administrative proceedings
Incident Response: Different Situations
First response to an incident may involve three different groups of people, and each will have differing skills and need to carry out differing tasks based on the incident
The three groups are:
• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff
First Response for System Administrators
The actions taken by the system administrator after discovery of a potential computer violation will play a vital role in the investigation
Once an incident has been discovered by a system administrator, they must report it according to the current organisational incident reporting procedures
The system administrator should then not touch the system unless directed to by either the incident or duty manager or one of the forensic analysts assigned to the case
First Response by Non-Laboratory Staff
Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises otherwise
Make notes about the scene that will eventually be handed over to the Forensic Team
The whole area surrounding a suspect computer, and not just the computer itself, is the incident scene
First Response by Laboratory Forensic Staff
First response by laboratory forensic staff involves six stages:
1: Securing and evaluating the electronic crime scene
• Search warrant for search and seizure
• Plan for search and seizure
• Conduct the initial search of the scene
• Health and safety issues
2: Conducting preliminary interviews
• Ask questions
• Check the consent issues
• Witness signatures
• Initial interviews
First Response by Laboratory Forensic Staff (cont’d)
3: Documenting the electronic crime scene
• Photographing the scene
• Sketching the scene
4: Collecting and preserving electronic evidence
• Evidence collection
• Exhibit numbering
• Dealing with powered OFF/ON computers at seizure time
• Seizing portable computers
5: Packaging electronic evidence
6: Transporting electronic evidence
• Handling and transportation to the Forensic Laboratory
• Ensure the ‘chain of custody’ is strictly followed
Securing and Evaluating Electronic Crime Scene
Securing and Evaluating Electronic Crime Scene: A Check-list
Follow the policies of the legal authority for securing the crime scene
Verify the type of incident
Make sure that the scene is safe for you and for other responders
Isolate other persons who are present at the scene
Locate and help the victim
Verify the information available about the offenders
Transmit additional flash messages to other responding units
Request additional help at the scene if needed
Establish a security perimeter and determine whether the offenders are still present in the crime scene area
Securing and Evaluating Electronic Crime Scene: A Check-list (cont’d)
Protect the evidence that is at risk of being lost or altered
Protect perishable data (e.g., in pagers and Caller ID boxes) physically and electronically
Make sure that the devices that contain perishable data are secured, documented, and/or photographed
Identify the telephone lines that are connected to devices such as modems and Caller ID boxes
Document, disconnect, and label telephone lines and network cables
Observe the situation at the scene and record those observations
Protect physical evidence or latent fingerprints that may be found on keyboards, mice, diskettes, and CDs
Securing the Crime Scene
Warrant for Search and Seizure
A search warrant allows the first responder to perform the search and seizure of the electronic evidence specified in the warrant
Search warrants for electronic devices basically focus on the following:
Electronic storage device search warrant
• Allows the first responder to search and seize the victim’s computer components (hardware, software, storage devices, and documentation)
Service provider search warrant
• Allows the first responder to obtain the victim’s computer information (service records, billing records, subscriber information) from the service provider
Planning the Search and Seizure
A search and seizure plan contains the following details:
• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• Applicable jurisdiction and relevant legislation
• Location of the equipment to be seized:
  • Structure’s type and size
  • Where the computer(s) are located (all in one place, or spread across the building or floors)
  • Who will be present at the incident?
  • Is there a friendly atmosphere at the location?
Planning the Search and Seizure (cont’d)
Details of what is to be seized (make, model, location, ID, etc.):
• Type of device and number to be seized
• Will the computers be running at seizure, or will they be shut down?
• Are they networked?
  • If so, what type of network, where is data stored on the network, where are the backups held, is the system administrator a ‘friendly’ person, will it be necessary to take the server down, and what is the business impact of this action?
Search and seizure type (overt / covert)
Local management involvement
Initial Search of the Scene
Isolate the computer system (workstation, stand-alone, or network server) and other media devices that can contain digital evidence
Keep a search and seizure evidence log containing brief descriptions of all computers, devices, or media located during the search for evidence
Make a note of their locations on the crime scene sketch as well
Photograph and sketch the crime scene, along with a detailed accounting of all computer evidence
Health and Safety Issues
It is important to consider health and safety factors in the work carried out by the forensic analysts at all stages of the forensic process
All forensic teams should wear protective latex gloves for searching and seizing operations on site
This protects the staff and preserves any fingerprints that may need to be recovered at a later date
Conducting Preliminary Interviews
Questions to ask When Client Calls the Forensic Investigator
Description of the incident
Incident manager running the incident
Case name / title for the incident
Location of the incident
What jurisdiction the case and/or seizure is to be performed under
Details of what is to be seized (make, model, location, ID etc.)
Other work to be performed at the scene (e.g. full search, evidence required, etc.)
Whether the search and seizure is to be overt or covert and whether local management should know
Consent
There are times when the user is present, consent from the user of the hardware is required, and consent is given
In such cases, the appropriate forms for the jurisdiction should be used and carried in the grab bag
Sample of Consent Search Form
Witness Signatures
Depending on the legislation of the jurisdiction, a signature (or two) may or may not be required to certify the collection of evidence
Typically, where one signature is required, it is that of the Forensic Analyst or Law Enforcement Officer performing the seizure
Where two signatures are required, guidance should be sought to determine whose second signature should be obtained
Whoever signs as a witness needs a clear understanding of their role and may be required to provide a witness statement or attend court
Conducting Preliminary Interviews
Interview separately and identify all persons (witnesses and others) available at the scene, and record their location at the time of entry
Be consistent with departmental policies and applicable laws, and collect information from individuals such as:
• Owners and/or users of electronic devices found at the scene
• User names and Internet service provider
• Passwords required to access the system, software, or data
• Purpose of using the system
• Unique security schemes or destructive devices
• Any offsite data storage
• Documents explaining the hardware or software installed on the system
Conducting Initial Interviews
If the suspect is present at the time of search and seizure, the Incident Manager or the Laboratory Manager may consider asking the suspect some questions, but these must comply with the relevant Human Resources or legislative guidelines for the jurisdiction
At initial interviews, the suspect has often had little time to concoct alibis, and when asked questions they often answer truthfully, even to questions such as ‘what are the passwords for the account?’
Conducting Initial Interviews (cont’d)
An individual who has physical possession of a piece of evidence is responsible for its security
Evidence should be secured in such a manner that only the individual who has signed for it can gain access to it, though it is noted that this is not always possible
Typical questions could include:
• Are there any keys? Some computer cases have physical key locks
• What are the user IDs and passwords for the computer?
• What email addresses are used, and what are the user IDs and passwords for them?
Witness Statement Checklist
Documenting the Electronic Crime Scene
Documenting Electronic Crime Scene
Documentation of the scene creates an unchanging historical record of the scene
Document the physical scene, such as the position of the mouse and the location of components near the system
Document related electronic components that are difficult to find
Record the condition of the computer system, storage media, electronic devices and conventional evidence, including power status of the computer
Take a photograph of the computer’s screen and write notes on what you have seen on the screen
Photographing the Scene
Photographing a scene should be the first step taken by the Forensic Team on arrival
Photographing of the crime scene should be done in a manner not to alter or damage the scene
The ideal situation is to first take several photographs that will establish the location of the scene, followed by an entry photograph, followed by a series of ‘360 degree’ photographs
‘360 degree’ photographs are simply overlapping photographs depicting the entire crime scene
The key to remember in crime scene photography is to go from the overall scene down to the smallest piece of evidence
Photographing the Scene (cont’d)
Photographs should also be taken of the immediate work area, including computer disks, handwritten notes, and other computer equipment (printers and external drives)
Photographs should also be taken of the rear of the computer to accurately record how the leads are connected
If this cannot be done, then all cables must be labelled, and the PC must be photographed when it is reconnected at the Forensic Laboratory
Sketching the Scene
A crime scene sketch should be prepared which details the overall scene
This should include the locations of items within the office area
Again, the rule of thumb for crime scene sketching is to go from the overall scene to the smallest piece of evidence
This may require several sketches to accurately depict the scene
Video Shooting the Crime Scene
Collecting and Preserving Electronic Evidence
Collecting and Preserving Electronic Evidence
When an incident is reported where a computer is assumed to be part of the incident, it is often the case that the computer is the first and only item seized. This is wrong.
The scene should be searched in a circular motion, with the computer at the centre of the circle
Items of evidence, as located, should be photographed, identified within notes, and then collected
Evidence should be identified, recorded, seized, bagged, and tagged on site, with no attempt to determine its contents or status
Order of Volatility
When collecting evidence, the collection should proceed from the most volatile to the least volatile. The list below is the order of volatility for a typical system:
• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media
Dealing with Powered OFF Computers at Seizure Time
If equipment is switched OFF – leave it OFF
Dealing with Powered ON Computers
The first step to take when approaching an active, powered on, and running computer is:
• STOP and THINK
• The contents of RAM in an active computer system undoubtedly hold some information, and occasionally this can be important to a case
• For example, data which is likely to be found encrypted on a disk might be found in an unencrypted state in memory, or a running process might need to be identified and examined before power is removed
• Any such information in memory will be lost when the power supply to the device is removed
Dealing with Powered ON Computers (cont’d)
If a computer is switched on and the screen is viewable, then the following must be done:
• Record the programs running on screen
• Photograph the screen
Dealing with Networked Computer
Unplug the network cable from the router and modem
If computer is off, leave it off
If the computer is ON, photograph the screen
If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen
Label all the connected devices and cords for later identification
Unplug all the cords and devices connected to the computer
Dealing with Open Files and Startup Files
Malware that attacks a computer system often creates files in the startup folder so that the malware program runs at boot
Follow the listed procedures to find the evidence:
• Note down the date and time (modification, access, and creation) of the files before touching them, since opening a file changes its access time
• Examine recently created files in the Startup or System32 folder on Windows and the rc.local file on Linux
• Examine the open files for sensitive data such as passwords, images, etc.
• Search for unusual MAC times on vital folders and startup files
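The MAC-time check above can be done from stat() alone, which matters because opening a file to look at it updates its access time and destroys part of what you are trying to record. The following is an added example for this module, not EC-Council's or any vendor's code: it walks a set of startup locations (the STARTUP_LOCATIONS lists are assumptions, and the demo surveys a constructed temporary tree instead of them), records modification, access, and change times, and flags three patterns worth a second look: files modified within the last week, files whose modification time predates their inode change time (what a timestomping tool leaves behind, since on POSIX systems mtime can be set by the user but ctime cannot), and files dated in the future.

```python
"""Survey startup locations and flag unusual MAC times without altering them.

Added example for this module, not EC-Council's or a vendor's code. Only stat()
is used, so the survey does not update the files' access times the way opening
them would. The location lists are assumptions (common autostart paths on the
two platforms); the demo tree is constructed in a temporary directory. Time
semantics are POSIX: ctime is the inode change time, updated whenever content
or metadata changes, and it cannot be set through utime().
"""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400
# Assumed autostart locations to survey; extend for the build under examination.
STARTUP_LOCATIONS = {
    "windows": [
        r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
        r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
        r"%SystemRoot%\System32",
    ],
    "linux": ["/etc/rc.local", "/etc/init.d", "/etc/cron.d",
              "/etc/systemd/system"],
}


def mac_times(path):
    """Return modification, access and change times from stat() only."""
    st = os.stat(path, follow_symlinks=False)
    return {"path": str(path), "size": st.st_size,
            "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}


def classify(rec, now, recent_seconds, skew_seconds):
    """Flags a responder would want to review. None is proof on its own:
    package managers, for instance, also leave mtime earlier than ctime."""
    flags = []
    if now - rec["mtime"] <= recent_seconds:
        flags.append("recently_modified")
    if rec["ctime"] - rec["mtime"] > skew_seconds:
        # Content timestamp rolled back after the inode was last touched: the
        # pattern left by timestomping tools, which can set mtime but not ctime.
        flags.append("mtime_before_ctime")
    if rec["mtime"] > now + skew_seconds:
        flags.append("future_mtime")
    return flags


def survey(roots, now=None, recent_seconds=7 * DAY, skew_seconds=60):
    """Walk each root (a file such as rc.local, or a directory) and record findings."""
    now = time.time() if now is None else now
    findings = []
    for root in map(Path, roots):
        if not root.exists():
            continue  # absent on this build; not an error
        entries = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for p in entries:
            rec = mac_times(p)
            rec["flags"] = classify(rec, now, recent_seconds, skew_seconds)
            findings.append(rec)
    return findings


def demo():
    """Constructed tree: one backdated binary, one fresh script, one fresh rc.local."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        startup = base / "Startup"
        startup.mkdir()
        backdated = startup / "backdated.exe"
        backdated.write_bytes(b"MZ\x90\x00")
        old = time.time() - 90 * DAY
        os.utime(backdated, (old, old))  # what a timestomping tool does; ctime stays "now"
        (startup / "dropper.vbs").write_text("' constructed sample startup script\n")
        (base / "rc.local").write_text("#!/bin/sh\n/usr/local/bin/update-agent &\n")
        results = survey([startup, base / "rc.local", base / "missing-dir"])
        return {Path(r["path"]).relative_to(base).as_posix(): r["flags"] for r in results}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {', '.join(flags) or 'no flags'}")
```

Each flag is a review prompt, not a verdict: package installation also leaves mtime earlier than ctime, and a legitimate update is recently modified. Record the findings with the screen photographs and leave interpretation to the examiner working on the disk image.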
Operating System Shutdown Procedure
It is important to shut down the operating system in a proper manner so that the integrity of the files is not damaged
Different operating systems have different shutdown procedures
MS-DOS/Windows 3.x/NT 3.51/95/98/NT 4.0 operating systems:
• Take a photograph of the screen
• If any program is running, give a brief explanation
• Unplug the power cord from the wall socket
Operating System Shutdown Procedure (cont’d)
UNIX/Linux operating systems:
• Right-click the menu -> click Console
• If the root user’s prompt is set to # mode:
  • Enter the password if available and type sync;sync;halt to shut down the system
  • If the password is not available, unplug the power cord from the wall socket
• If it is set to console # mode:
  • Enter the user’s ID and press Enter
  • If the user’s ID is root, type sync;sync;halt to shut down the system
  • If the user’s ID is not root, unplug the power cord from the wall socket
MacOS operating system:
• Record the time from the menu bar
• Click Special -> Shutdown
• Unplug the power cord from the wall socket
Computers and Servers
Photograph the computer and ancillary (connected) equipment
Photograph the connectors behind the computer and individually label them
Record the cables and the respective ports to which they are connected
Seal the power socket with tape to prevent inadvertent use
Disconnect the monitor, keyboard, mouse, and CPU
Preserving Electronic Evidence
Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals
Take a photo of the monitor screen if the computer is in “on” state
Photograph the connections of the computer and the corresponding cables and label them individually
If any electronic devices such as PDA, cell phone are present, take a photograph, label the device and collect all the cables, and transport them along with the device
Seizing Portable Computers
Photograph the portable and ancillary (connected) equipment
Photograph the connectors in the back of the portable and individually label them
Record which cables are connected to what ports in the portable
Remove the battery
Switched ON Portables
Portables with their power on should be handled in the same way as a powered on PC
The date and time when the portable "wakes up" must be recorded
Prior to pulling the power on a portable, the battery must be removed
If it is not possible to remove the battery, pressing down on the power on/off switch for 30 seconds or so will force a hard power off
Collecting and Preserving Electronic Evidence
Packaging and Transporting Electronic Evidence
Evidence Bag Contents List
The panel on the front of evidence bags must be filled in with at least the following details:
Date and time of seizure
Seized by whom
Exhibit number
Seized from which place
Details of the contents of the evidence bag
Packaging Electronic Evidence
Make sure that the collected electronic evidence is properly documented, labeled, and listed before packaging
Focus on hidden or trace evidence and take the necessary actions to preserve it
Pack magnetic media in antistatic packaging
Avoid folding or scratching storage media such as diskettes, CD-ROMs, and tapes
Make sure that all the containers that hold the evidence are labeled appropriately
Exhibit Numbering
All evidence collected should be marked as exhibits using this format:
• aaa/ddmmyy/nnnn/zz
• Where,
• aaa are the initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment
• ddmmyy is the date of the seizure
• nnnn is the sequential number of the exhibits seized by aaa, starting with 0001 and going to nnnn
• zz is the sequence number for parts of the same exhibit (e.g. 'A' could be the CPU, 'B' the monitor, 'C' the keyboard, etc.)
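As an added example (not part of the EC-Council material), the Python below parses and validates exhibit numbers in this format, allocates the next per-analyst sequence number for a multi-part exhibit, and reports gaps in an evidence log, which is the check you want before the exhibits are presented. It assumes aaa is exactly three letters, nnnn is zero-padded to four digits and zz is one or two upper-case letters; the sample labels are constructed.

```python
"""Parse, validate and allocate exhibit numbers in the aaa/ddmmyy/nnnn/zz format."""
import re
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, Iterable, List, NamedTuple, Sequence

# Assumptions beyond the page: aaa is exactly three letters, nnnn is four
# digits zero-padded, zz is one or two upper-case letters.
EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z]{3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$")


class Exhibit(NamedTuple):
    initials: str   # aaa: seizing analyst or officer
    seized: date    # ddmmyy
    sequence: int   # nnnn: running number per seizing person, starting at 1
    part: str       # zz: part of the same exhibit (A = CPU, B = monitor, ...)

    def label(self) -> str:
        return f"{self.initials}/{self.seized:%d%m%y}/{self.sequence:04d}/{self.part}"


def parse_exhibit(label: str) -> Exhibit:
    """Reject anything that is not a well-formed, validly dated, non-zero exhibit number."""
    m = EXHIBIT_RE.match(label.strip().upper())
    if not m:
        raise ValueError(f"malformed exhibit number: {label!r}")
    try:
        seized = datetime.strptime(m["ddmmyy"], "%d%m%y").date()
    except ValueError as exc:
        raise ValueError(f"invalid seizure date in {label!r}") from exc
    sequence = int(m["nnnn"])
    if sequence == 0:
        raise ValueError(f"sequence numbers start at 0001: {label!r}")
    return Exhibit(m["aaa"], seized, sequence, m["zz"])


def next_sequence(initials: str, existing: Iterable[str]) -> int:
    """nnnn counts exhibits per seizing person, not per day, so every label of
    that person is scanned regardless of its date."""
    initials = initials.upper()
    used = [e.sequence for e in map(parse_exhibit, existing) if e.initials == initials]
    return max(used, default=0) + 1


def label_parts(initials: str, seized: date, existing: Iterable[str],
                parts: Sequence[str]) -> List[str]:
    """Label every part of one new exhibit (CPU, monitor, keyboard ...) under one nnnn."""
    seq = next_sequence(initials, existing)
    return [Exhibit(initials.upper(), seized, seq, p.upper()).label() for p in parts]


def find_gaps(labels: Iterable[str]) -> Dict[str, List[int]]:
    """Missing sequence numbers per analyst. A gap means an exhibit was mislabelled,
    never logged, or has gone missing, and has to be explained before court."""
    seen: Dict[str, set] = defaultdict(set)
    for e in map(parse_exhibit, labels):
        seen[e.initials].add(e.sequence)
    return {a: [n for n in range(1, max(s) + 1) if n not in s]
            for a, s in sorted(seen.items()) if len(s) != max(s)}


if __name__ == "__main__":
    # Constructed evidence log: two exhibits by JDS, one by ABC.
    log = ["JDS/011208/0001/A", "JDS/011208/0001/B", "JDS/011208/0002/A", "ABC/011208/0001/A"]
    print(label_parts("JDS", date(2008, 12, 1), log, ["A", "B", "C"]))
    print(find_gaps(log + ["JDS/021208/0005/A"]))
```

Labels are normalised to upper case on parsing, so a hand-written "jds/011208/0003/b" on a bag matches the typed log entry; the date check catches a transposed day and month before the number is written on the bag.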
Transporting Electronic Evidence
Keep electronic evidence away from magnetic sources while transporting
Store the evidence in a secure area that is away from high temperature and humidity
Avoid storing electronic evidence in vehicles for long periods
Make sure that computers and other electronic components that are not packed in containers are secured in the vehicle so they cannot shift or suffer shock in transit
Maintain the chain of custody on the evidence that is to be transported
Handling and Transportation to the Forensics Laboratory
Avoid turning the computer upside down or laying it on its side during transport
When transporting a computer or other computer devices, do not place them in a car trunk or any other area where dramatic changes in temperature and humidity are possible
In a vehicle, the ideal place for transport is the rear seat, positioned so that the computer will not fall if the brakes are applied suddenly or a quick maneuver is made
All evidence must be kept away from any sources of magnetism or similar sources of power that could affect the integrity of the electronic evidence
Storing Electronic Evidence
Ensure that the electronic evidence is listed in accordance with the departmental policies
Store the electronic evidence in a secure area and a climate-controlled environment
Protect the electronic evidence from magnetic fields, dust, vibration, and other factors that may damage its integrity
Chain of Custody
‘Chain of Custody’ refers to a written account of individuals who had the sole physical custody of a piece of evidence from the time it was seized until the end of the case
By becoming a 'link' in the 'Chain of Custody' and taking possession of a piece of evidence, an individual takes on the responsibility to secure it in a manner that can later stand legal scrutiny if there is a claim of evidence tampering
Chain of Custody (cont'd)
The chain of custody document contains the complete information about the obtained evidence
It contains the following information:
• Case number
• Name and title of the person from whom received
• Address and telephone number
• Location from where the evidence is obtained
• Date/time of evidence
• Item number/quantity/description of items
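The record described above is a paper form. As an added example, not EC-Council's form or software, the Python below keeps the same fields as a hash-chained log: every link commits to a SHA-256 digest of the evidence (for instance the disk image) and to the digest of the previous link, so an entry altered after the fact, a hand-over from someone who never held custody, or an image that no longer hashes the way it did at seizure is reported by verify(). The class and field names, the all-zero GENESIS value and the sample case are assumptions. One caveat: the chain proves tampering only if the digest of the last link is also recorded somewhere the custodians cannot quietly rewrite, such as on the evidence bag panel or in a signed printout; a digital signature per link would be the next step.

```python
"""Tamper-evident chain of custody: every link commits to the evidence digest
and to the previous link, so a later change to any entry is detectable."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    case_number: str
    item_number: str
    description: str
    received_from: str      # name and title of the person handing over
    received_by: str        # name and title of the new custodian
    location: str           # where the item was obtained or handed over
    timestamp: str          # ISO 8601 in UTC, entered by the custodian taking possession
    evidence_sha256: str    # digest of the item (e.g. the disk image) at hand-over
    prev_entry_sha256: str  # digest of the previous link; GENESIS (all zeros) at seizure
    entry_sha256: str = ""  # digest over all the fields above

    def digest(self) -> str:
        body = asdict(self)
        body.pop("entry_sha256")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))


class ChainOfCustody:
    GENESIS = "0" * 64  # assumed marker for "no previous link"

    def __init__(self, case_number: str, item_number: str, description: str,
                 seized_by: str, location: str, timestamp: str, evidence: bytes):
        self.entries: List[CustodyEntry] = []
        self._append(case_number, item_number, description, "scene (seizure)",
                     seized_by, location, timestamp, evidence)

    def _append(self, case_number, item_number, description, received_from,
                received_by, location, timestamp, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_sha256 if self.entries else self.GENESIS
        entry = CustodyEntry(case_number, item_number, description, received_from,
                             received_by, location, timestamp, sha256_hex(evidence), prev)
        entry.entry_sha256 = entry.digest()
        self.entries.append(entry)
        return entry

    def transfer(self, received_from: str, received_by: str, location: str,
                 timestamp: str, evidence: bytes) -> CustodyEntry:
        """Hand the item to a new custodian. Refuses if the item no longer hashes
        the way it did at seizure: that is a break in custody, not a transfer."""
        first = self.entries[0]
        if sha256_hex(evidence) != first.evidence_sha256:
            raise ValueError(f"evidence digest changed for item {first.item_number}")
        return self._append(first.case_number, first.item_number, first.description,
                            received_from, received_by, location, timestamp, evidence)

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means every link checks out."""
        problems: List[str] = []
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_sha256 != prev:
                problems.append(f"entry {i}: previous-link digest does not match")
            if e.entry_sha256 != e.digest():
                problems.append(f"entry {i}: entry altered after it was recorded")
            if e.evidence_sha256 != self.entries[0].evidence_sha256:
                problems.append(f"entry {i}: evidence digest differs from seizure")
            if i and e.received_from != self.entries[i - 1].received_by:
                problems.append(f"entry {i}: received from someone who did not hold custody")
            # ISO 8601 timestamps in one time zone compare correctly as strings.
            if i and e.timestamp < self.entries[i - 1].timestamp:
                problems.append(f"entry {i}: timestamp earlier than previous link")
            prev = e.entry_sha256
        return problems


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"  # sample evidence, not real data
    coc = ChainOfCustody("2008-1201", "JDS/011208/0001/A", "Server hard disk image",
                         "Bob, Information Security Officer", "Server room, 3rd floor",
                         "2008-12-01T14:05:00Z", image)
    coc.transfer("Bob, Information Security Officer", "Alice, Lab Technician",
                 "Forensics lab, evidence locker 4", "2008-12-01T16:30:00Z", image)
    print("intact:", coc.verify() == [])
    print("final link digest (write this on the bag):", coc.entries[-1].entry_sha256)
```

The log is append-only by construction, and the check on hand-over is deliberately strict: a custodian who cannot reproduce the seizure digest has to document what happened rather than sign the item on.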
Simple Format of the Chain of Custody Document
Chain of Custody Form
Chain of Custody Form (cont’d)
Form table with columns: Media Model, Serial No (ten rows)
Chain of Custody Form (cont’d)
Chain of Custody on Property Evidence Envelope or Bag
Chain of Custody Property Sign-out Sheet
Reporting the Crime Scene
The first responder creates a final report after completing the forensics process; it contains complete information about the forensics process
The report should include:
• Date and time of the crime
• Model, size, and partitions of the hard disk, to find hidden or missing data
• Name and version of the operating system running on the victim's computer
• Result of a disk-checking program such as DOS ScanDisk or ChkDsk, to verify the accuracy of any data found
• Result of the virus scanning process
• Software present on the victim's computer
• List of files stored on the victim's computer with creation and update times
• Name and version of the software used in the processing of computer evidence
• Name of the interviewed person and his views
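As an added example, not a tool from the page, the Python below produces the file listing the report calls for (each file with its size, creation and modification times, and a SHA-256 digest) and records the name and version of the software that produced it. TOOL_NAME, TOOL_VERSION, the column names and the sample tree that demo() builds are assumptions. Run it against a mounted copy or image of the media, never the live victim machine: walking the original updates access times and is exactly the kind of change the report is supposed to rule out.

```python
"""File inventory for the first responder's report: every file on the examined
media with size, creation/modification times and a SHA-256 digest, plus the
name and version of the tool that produced the listing."""
import csv
import hashlib
import io
import os
import platform
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

TOOL_NAME = "inventory.py"  # assumed name of this script, recorded in the report
TOOL_VERSION = "0.1"        # assumed version string, recorded in the report


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_utc(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat(timespec="seconds")


def inventory(root: str) -> List[Dict[str, object]]:
    """Walk a mounted image or copy of the media. Paths are relative and sorted so
    two runs over the same media give the same listing; symlinks are recorded but
    not followed, so nothing outside the media is hashed."""
    rows: List[Dict[str, object]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            row: Dict[str, object] = {
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                # Linux stat() carries no creation time; st_birthtime exists on
                # macOS/BSD. Report "" when absent rather than substituting ctime,
                # which is the last metadata change, not creation.
                "created": iso_utc(st.st_birthtime) if hasattr(st, "st_birthtime") else "",
                "modified": iso_utc(st.st_mtime),
                "metadata_changed": iso_utc(st.st_ctime),
                "sha256": "",
                "note": "",
            }
            if os.path.islink(full):
                row["note"] = "symlink -> " + os.readlink(full)
            else:
                row["sha256"] = sha256_of(full)
            rows.append(row)
    rows.sort(key=lambda r: str(r["path"]))
    return rows


def report_header(root: str, rows: List[Dict[str, object]]) -> Dict[str, object]:
    """The 'name and version of the software used' lines the report must carry."""
    return {"tool": TOOL_NAME, "tool_version": TOOL_VERSION,
            "python": platform.python_version(), "platform": platform.platform(),
            "root": root, "file_count": len(rows),
            "total_bytes": sum(int(r["size"]) for r in rows),
            "generated_utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}


def to_csv(rows: List[Dict[str, object]]) -> str:
    fields = ["path", "size", "created", "modified", "metadata_changed", "sha256", "note"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Run the inventory over a constructed sample tree (not real evidence)."""
    root = tempfile.mkdtemp(prefix="media_")
    try:
        os.makedirs(os.path.join(root, "docs"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "docs", "notes.txt"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as f:
            f.write(b"MZ" + bytes(62))
        open(os.path.join(root, "empty.bin"), "wb").close()
        rows = inventory(root)
        return {"header": report_header(root, rows), "rows": rows, "csv": to_csv(rows)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    out = demo()
    print(out["header"])
    print(out["csv"])
```

The digest column is what later ties the listing to the chain of custody: a file whose hash in the lab differs from the one in this listing has changed since the responder produced it, and the header says which tool and which Python produced the numbers.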
Note Taking Checklist
Crime Scene Checklist
Note Taking Checklist (cont’d)
Crime Scene Checklist
First Responder Common Mistakes
Most of the time, a system or network administrator acts as the first responder at the crime scene
They often cannot handle security incidents properly because they do not know the first responder procedures
Common mistakes committed by the first responder are as follows:
• Shutting down or rebooting the victim's computer
• Assuming that some components of the victim's computer may be reliable and usable
• Not having access to baseline documentation about the victim computer
• Not documenting the data collection process
Summary
Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device
There are times when the user is present; consent from the user of the hardware is then required, and it may be given
Documentation of the scene creates an unchanging historical record of the scene
The ‘Chain of Custody’ refers to a written account of individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case