Read an Excerpt

Handbook of Digital Forensics and Investigation

Academic Press

Chapter One

CONTENTS

Forensic Soundness 3

Forensic Analysis Fundamentals 5

Crime Reconstruction 13

Networks and the Internet 15

Conclusions 16

References 16

Computers and networks have become so ubiquitous in our society, such an integral part of our daily lives, that any investigation or legal dispute will likely involve some form of digital evidence. Crimes like child exploitation, fraud, drug trafficking, terrorism, and homicide usually involve computers to some degree (see Chapter 2, "Forensic Analysis"). Electronic discovery has become so common in civil disputes that countries are updating their legal guidelines to address digital evidence (see Chapter 3, "Electronic Discovery"). Investigations of intrusions into corporate and government IT systems rely heavily on digital evidence, and are becoming more challenging as offenders become more adept at covering their tracks (see Chapter 4, "Intrusion Investigation").

Media reports at the time of this writing clearly demonstrate the wide diversity of cases that involve digital evidence:

* The University of California at Berkeley notified students and alumni that an intruder had gained unauthorized access to a database containing medical records of over 160,000 individuals.

* Members of an international child exploitation enterprise were sentenced for participating in an illegal organization that utilized Internet newsgroups to traffic in illegal images and videos depicting prepubescent children, including toddlers, engaged in various sexual and sadistic acts.

* David Goldenberg, an executive of AMX Corp, pled guilty to gaining unauthorized access to and stealing sensitive business information from the e-mail systems of a marketing firm that was working for a competitor, Crestron Electronics.

* The FBI is investigating a security breach of Virginia Prescription Monitoring Program (VPMP) computer systems. The data thief placed a ransom message on the VPMP web site, demanding payment of $10 million for the return of 8 million patient records and 35.5 million prescriptions.

* Computers seized during military operations in Iraq contained details about enemy operations.

Criminals are becoming more aware of digital forensic and investigation capabilities, and are making more sophisticated use of computers and networks to commit their crimes. Some are even developing "anti-forensic" methods and tools specifically designed to conceal their activities and destroy digital evidence, and generally undermine digital investigators. The integration of strong encryption into operating systems is also creating challenges for forensic examiners, potentially preventing us from recovering any digital evidence from a computer (Casey & Stellatos, 2008).

Over the past few years, practitioners and researchers have made significant advances in digital forensics. Our understanding of technology has improved and we have gained the necessary experiences to further refine our practices. We have overcome major technical challenges, giving practitioners greater access to digital evidence. New forensic techniques and tools are being created to support forensic acquisition of volatile data, inspection of remote systems, and analysis of network traffic. Detailed technical coverage of forensic analysis of Windows, Unix, and Macintosh systems is provided in Chapters 5, 6, and 7, respectively.

These advances bring with them great promise, and place new demands on digital forensics and investigations, changing the terrain of the field and causing new practices to evolve, including forensic analysis of embedded systems (Chapter 8), enterprise networks (Chapter 9), and mobile telecommunications systems (Chapter 10). The recent advances and some of the current challenges were recognized in the 2009 National Academy of Sciences report:

Digital evidence has undergone a rapid maturation process. This discipline did not start in forensic laboratories. Instead, computers taken as evidence were studied by police officers and detectives who had some interest or expertise in computers. Over the past 10 years, this process has become more routine and subject to the rigors and expectations of other fields of forensic science. Three holdover challenges remain: (1) the digital evidence community does not have an agreed certification program or list of qualifications for digital forensic examiners; (2) some agencies still treat the examination of digital evidence as an investigative rather than a forensic activity; and (3) there is wide variability in and uncertainty about the education, experience, and training of those practicing this discipline. (National Academy of Sciences, 2009)

All of these advancements and challenges bring us to the underlying motivations of this work; to improve technical knowledge, standards of practice, and research in digital forensics and investigation. Furthermore, by presenting state-of-the-art practices and tools alongside the real-world challenges that practitioners are facing in the field and limitations of forensic tools, the Handbook hopes to inspire future research and development in areas of greatest need. As far and quickly as this discipline has progressed, we continue to face major challenges in the future.

FORENSIC SOUNDNESS

As the field of digital forensics evolved from primarily dealing with hard drives to include any and all types of computer systems, one of the most fundamental challenges has been updating the generally accepted practices. There is an ongoing effort to balance the need to extract the most useful digital evidence as efficiently as possible, and the desire to acquire a pristine copy of all available data without altering anything in the process. In many situations involving new technology, particularly when dealing with volatile data in computer memory, mobile devices, and other embedded systems it is not feasible to extract valuable evidence without altering the original in some manner. Similarly, when dealing with digital evidence distributed across many computer systems, it may not be feasible to preserve everything.

In modern digital investigations, practitioners must deal with growing numbers of computer systems in a single investigation, particularly in criminal investigations of organized groups, electronic discovery of major corporations, and intrusion investigations of international scope. In such large-scale digital investigations, it is necessary to examine hundreds or thousands of computers as well as network-level logs for related evidence, making it infeasible to create forensic duplicates of every system.

Existing best practice guidelines are becoming untenable even in law enforcement digital forensic laboratories where growing caseloads and limited resources are combining to create a crisis. To address this issue, the latest edition of The Good Practice Guide for Computer-Based Electronic Evidence from the UK's Association of Chief Police Officers has been updated to include preservation of data from live systems, as discussed in Chapter 3 (ACPO, 2008). As the quantity of digital evidence grows and case backlogs mount, we are moving away from the resource intensive approach of creating a forensic duplicate and conducting an in-depth forensic examination of every item. A tiered approach to digital forensic examinations is being used to promptly identify items of greatest evidentiary value and produce actionable results, reserving in-depth forensic analysis for particular situations (Casey, 2009).

At the same time, there have been developments in preserving and utilizing more volatile data that can be useful in a digital investigation. Memory in computer systems can include passwords, encrypted volumes that are locked when the computer is turned off, and running programs that a suspect or computer intruder is using. Developments in memory forensics, mobile device forensics, and network forensics enable practitioners to acquire a forensic duplicate of full memory contents and extract meaningful information. The DFRWS2005 Forensic Challenge (www.dfrws.org) sparked developments in analysis of physical memory on Microsoft Windows systems, leading to ongoing advances in tools for extracting useful information from Windows, Unix, and Macintosh operating systems. Techniques have even been developed to recover data from random access memory chips after a computer has been turned off (Halderman, 2008). Forensic acquisition and analysis of physical memory from mobile devices has gained more attention recently and is covered in Chapter 8, "Embedded Systems Analysis." As shown in Chapter 9, "Network Investigation," memory forensics has been extended to Cisco network devices.

We can expect continued advancement in both our ability to deal with large-scale digital investigations and to extract more information from individual systems. Whether we acquire a selection of logical files from a system or the full contents, we must keep in mind the overarching forensic principles. The purpose of a forensically sound authentication process is to support identification and authentication of evidence. In lay terms, this means that the evidence is what you claim and has not been altered or substituted since collection. Documentation is a crucial component of forensic soundness. Functionally, this process involves documenting unique characteristics of the evidence, like device IDs and MD5 hashes of acquired data, and showing continuous possession and control throughout its lifetime. Therefore, it is necessary not only to record details about the collection process, but also every time it is transported or transferred and who was responsible.

From a forensic standpoint, the acquisition process should change the original evidence as little as possible and any changes should be documented and assessed in the context of the final analytical results. Provided the acquisition process preserves a complete and accurate representation of the original data, and its authenticity and integrity can be validated, it is generally considered forensically sound. Imposing a paradigm of 'preserve everything but change nothing' is impractical and doing so can create undue doubt in the results of a digital evidence analysis, with questions that have no relation to the merits of the conclusions. (Casey, 2007)

Considerations of forensic soundness do not end with acquisition of data. When analyzing and producing findings from digital evidence, forensic practitioners need to follow a process that is reliable and repeatable. Again, documentation is a critical component, enabling others to evaluate findings.

To appreciate the importance of forensic soundness, it is instructive to consider concrete problems that can arise from improper processing of digital evidence, and that can undermine a case as well as the underlying credibility of the forensic practitioner. Some worst-case scenarios resulting from sufficiently large breaks in chain of custody include misidentification of evidence, contamination of evidence, and loss of evidence or pertinent elements (e.g., metadata). In one case, evidence was collected from several identical computer systems, but the collection process was not thoroughly documented, making it very difficult to determine which evidence came from which system.

(Continues...)

---

Excerpted from Handbook of Digital Forensics and Investigation Copyright © 2010 by Elsevier Inc.. Excerpted by permission of Academic Press. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---