GUCI_ESMIR
The storage and management of forensic evidence(1) is an important part of the criminal justice system. Before you enter a suspected bomb builder’s lair(2), you need to be wary of booby traps. The same holds true when you come across a computer that belongs to a suspected hacker, a pedophile suspected of storing or sharing child pornography or any other suspect.
Hackers are good at what they do because they know computers inside and out. A computer can be booby-trapped so that evidence of a crime is wiped as soon as a single key is pressed, so it is important to know what to do when you come across a computer that has been used in a crime. Time is critical. If a computer is powered down you lose everything that was held only in memory (running processes, open network connections and the keys of any mounted encrypted volumes), and if the disk is encrypted or the account is password-protected you may not be able to boot it again or log in.
One way to get at the evidence without touching the original machine is a Virtual Machine (VM). VM software “tricks” the Operating System (OS) and applications into thinking they are running directly on hardware when in reality they are running on a computer simulated in software.
Using a VM saves money by reducing the amount of hardware required – multiple VMs can share the same physical computer and access the same storage. This is how many modern corporate networks are configured: Your OS and your files are inside one VM which is running on the same big computer as dozens or hundreds of VMs from other users.
But before you can re-create a suspect’s machine in a VM, you need an image of it taken from the real computer. Various forensic tools are available to “image” a hard drive, each with its own merits; whichever you use, record a cryptographic hash (for example SHA-256) of the image at acquisition so that every later copy can be checked against it. You can build a VM from that image by hand, but this is a time-consuming process, riddled with driver errors and Blue Screens of Death (BSoD). Special software can take a forensic image (including the OS, applications and all user-generated files) and convert it into a working VM in seconds, giving you access to this valuable intelligence in a short period of time.
Standard forensic principles often deny an investigator the opportunity to turn a computer back on once it has been powered down. A VM lets the forensic examiner boot it as many times as they like and poke around without affecting the original evidence, provided the VM is built from a working copy of the image and the original image is re-hashed afterwards to confirm it is unchanged.
In the same way that a body from a physical crime scene can give a medical examiner clues as to who the perpetrator was and how the crime happened, a forensic VM built from a “dead box” hard drive (or an image of that drive) can offer the digital examiner clues and powerful evidence that standard forensic software does not expose. The VM enables a virtual autopsy of the suspect’s computer.
So if your suspect has been mixed up in a financial crime, you will have access to their accounting records; with a VM you can export them to Excel and copy them out of the virtual environment to your host system for further analysis, just as if you had been able to turn on their actual computer. If they have been downloading or sharing illegal content, you can take a screenshot showing how and where the files were stored, or show the sharing software actively attempting to send or receive material (on an isolated virtual network, so that nothing actually leaves the lab).
If the user was accessing files stored in proprietary databases, it is quite possible that the software to decrypt or interpret those databases resides on the suspect’s computer. Without access to the original computer, there is often no other way to access those files, so they become unusable – and they may contain the smoking gun evidence the examiner needs.
The forensic image captures the files but it also captures the original software that was used to access that information. By recreating the suspect’s machine as a VM, and performing a similar action on any other machine where proprietary databases are located, you can use the original software or even create a virtual network which links all of the VMs together, enabling you to access what otherwise might be inaccessible files.
Beyond any single case, challenges to data security have reached epidemic proportions(3), as evidenced by recent consumer and government breaches that have put hundreds of millions of Americans' credit and debit cards, email addresses and other personal information at risk. The number of people affected by cyberattacks has intensified the spotlight on how organizations, including government, respond to data breaches.
The field of computer forensics investigation is growing(4), especially as law enforcement and legal entities realize just how valuable information technology (IT) professionals are when it comes to investigative procedures. With the advent of cyber crime, tracking malicious online activity has become crucial for protecting private citizens, as well as preserving online operations in public safety, national security, government and law enforcement. Tracking digital activity allows investigators to connect cyber communications and digitally-stored information to physical evidence of criminal activity; computer forensics also allows investigators to uncover premeditated criminal intent and may aid in the prevention of future cyber crimes. For those working in the field, there are five critical steps in computer forensics, all of which contribute to a thorough and revealing investigation.
1. Policy and Procedure Development
Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity professionals understand the value of this information and respect the fact that it can be easily compromised if not properly handled and protected. For this reason, it is critical to establish and follow strict guidelines and procedures for activities related to computer forensic investigations. Such guidelines can cover the following issues to preserve digital evidence:
a. Document Device Condition
This is often overlooked during the identification phase. Make sure to take pictures of the device holding the digital media you will be collecting. Document its physical condition and where it was located.
b. Get Forensic Experts Involved
It is important to know when to stop handling evidence yourself and let the experts take over. Initial collection by first responders is sometimes unavoidable, but preserving and analyzing the data usually requires forensic expertise.
c. Have a Clear Chain of Custody
Document the transfer of media and digital evidence between every person and agency that comes in contact with it. Gaps in these records can prevent evidence from being admitted in court should legal action need to be taken. While a chain of custody can be recorded on paper, an authoritative digital record is often more reliable.
d. Don’t Change the Power Status
Leave the device in its current power state as long as possible during evidence identification and collection. If the device is on, leave it on. If it is off, leave it off.
Leave battery-powered devices in their current state as long as possible. Obviously, for wired devices such as desktop PCs, you will eventually need to turn them off for transport; if the machine is on and unlocked, a forensic expert may want to capture its volatile memory first, since that data is gone once the power is cut. For highly sensitive investigations, bring in forensic experts before you power anything down whenever possible.
e. Secure the Device
Ensure proper chain of custody for both hardware and data with strong physical security. Don’t store the device in an open access area. Try not to leave it unattended when it is being worked on. Poor chain of custody can reduce the value of evidence during proceedings.
f. Never Work on the Original Data
Sometimes data collection involves just copying readable files from storage media. But forensic experts can often collect other metadata from devices as well. Metadata is data about the condition of files on the device or about the device itself: useful metadata includes when and how files were accessed, whether a shutdown or delete command was issued, and whether the user tried to copy files to another device.
Working directly on the original media often alters valuable metadata; simply opening a file can update its last-accessed timestamp. Professional data retrieval and forensic services always perform their analysis and reporting on a verified forensic copy (image) of the media whenever possible, never on the original.
g. Keep the Device Digitally Isolated
Another way to preserve metadata is to keep the device isolated from other systems. Keep it off Wi-Fi and wired network connections; for phones and tablets that includes the cellular and Bluetooth radios, so that a remote wipe or an incoming sync cannot reach the device.
Sometimes well-intentioned staff can accidentally overwrite valuable metadata if they plug in a thumb drive attempting to copy files via conventional means for analysis. Leave the data copying to professional forensic experts.
h. Prepare for Long-Term Storage
Consider whether off-site storage is needed for long-term evidence management, or whether an on-site modular evidence management system can accommodate your needs. Modular systems will be able to scale if evidence retention needs or available space change.
i. Monitor Evidence Transactions
Staff will need to periodically sign out evidence for reporting or attorney consultations. Recording all of these transactions is essential for maintaining a proper chain of custody.
This can be difficult for most organizations that aren’t staffed with a full-time evidence manager. Even those law enforcement agencies that do have evidence managers can’t have them on duty around the clock. Consider whether automated evidence lockers can simplify transaction monitoring.
j. Periodically Audit Your Evidence Management Program
New electronic devices are constantly hitting the market. In particular, the advent of Internet of Things (IoT) technology means many more types of devices now hold data. You should regularly review your digital evidence management practices to ensure they accommodate all new types of devices and forms of digital storage that might come into your possession.
Law enforcement agencies are becoming increasingly reliant on designated IT departments, which are staffed by seasoned cybersecurity experts who determine proper investigative protocols and develop rigorous training programs to ensure best practices are followed in a responsible manner. In addition to establishing strict procedures for forensic processes, cybersecurity divisions must also set forth rules of governance for all other digital activity within an organization. This is essential to protecting the data infrastructure of law enforcement agencies as well as other organizations.
An integral part of the investigative policies and procedures for law enforcement organizations that utilize computer forensic departments is the codification of a set of explicitly-stated actions regarding what constitutes evidence, where to look for said evidence and how to handle it once it has been retrieved. Prior to any digital investigation, proper steps must be taken to determine the details of the case at hand, as well as to understand all permissible investigative actions in relation to the case; this involves reading case briefs, understanding warrants, and authorizations and obtaining any permissions needed prior to pursuing the case.
2. Evidence Assessment
A key component of the investigative process involves the assessment of potential evidence in a cyber crime. Central to the effective processing of evidence is a clear understanding of the details of the case at hand and thus, the classification of cyber crime in question. For instance, if an agency seeks to prove that an individual has committed crimes related to identity theft, computer forensics investigators use sophisticated methods to sift through hard drives, email accounts, social networking sites, and other digital archives to retrieve and assess any information that can serve as viable evidence of the crime. This is, of course, true for other crimes, such as engaging in online criminal behavior like posting fake products on eBay or Craigslist intended to lure victims into sharing credit card information. Prior to conducting an investigation, the investigator must define the types of evidence sought (including specific platforms and data formats) and have a clear understanding of how to preserve pertinent data. The investigator must then determine the source and integrity of such data before entering it into evidence.
3. Evidence Acquisition
Perhaps the most critical facet of a successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition process; detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated. This step is where policies related to preserving the integrity of potential evidence are most applicable. General guidelines for preserving evidence include physically removing storage devices and attaching them through a hardware write blocker, booting from controlled forensic boot media rather than the suspect’s own operating system when a drive cannot be removed, and copying the evidence to the investigator’s system as a bit-for-bit image whose hash is recorded at acquisition and verified afterwards.
Acquiring evidence must be accomplished in a manner both deliberate and legal. Being able to document and authenticate the chain of evidence is crucial when pursuing a court case, and this is especially true for computer forensics given the complexity of most cybersecurity cases.
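The acquisition step above, as an added example that is not code from any of the cited sources: a small imager that copies a source device or file block by block, hashes the bytes as they stream past, then re-reads the finished image and checks the two hashes agree, which is what dd-style imagers with built-in hashing do. The "disk" in demo() is a constructed temporary file, not real evidence; on a real drive a hardware write blocker is still what guarantees nothing is written back.

```python
"""Forensic acquisition with on-the-fly hashing and verification.

Added example (not code from the cited sources): copies a source device or
file to an image in fixed-size blocks, hashing the bytes as they are read,
then re-reads the written image and confirms both hashes agree, as dd-style
imagers with built-in hashing do. The "disk" in demo() is a constructed
temporary file, not real evidence.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

BLOCK_SIZE = 1024 * 1024  # 1 MiB reads; larger blocks are faster on real disks


@dataclass(frozen=True)
class AcquisitionRecord:
    source: str
    image: str
    size_bytes: int
    sha256_source: str  # hash of the bytes as they were read from the source
    sha256_image: str   # hash of the image file re-read from disk
    verified: bool      # True only when the two hashes match


def sha256_of_file(path: str) -> str:
    """Hash a file block by block so multi-GB images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str) -> AcquisitionRecord:
    """Copy `source` to `image` block by block, hashing the stream as it passes.

    The source is opened read-only, but on a real drive a hardware write
    blocker remains the control that guarantees nothing is written back.
    """
    stream = hashlib.sha256()
    size = 0
    with open(source, "rb", buffering=0) as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            stream.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # force the image to disk before re-reading it
    image_hash = sha256_of_file(image)
    return AcquisitionRecord(source, image, size, stream.hexdigest(),
                             image_hash, stream.hexdigest() == image_hash)


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash an image later (after transport, or after a VM session) and
    compare it with the hash recorded at acquisition."""
    return sha256_of_file(image) == expected_sha256


def demo() -> AcquisitionRecord:
    """Image a constructed 3 MiB + 512 byte 'disk' into a temp directory."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "suspect_disk.bin")
    image = os.path.join(tmp, "suspect_disk.dd")
    with open(source, "wb") as f:
        f.write(b"MBR\x00" * 128)              # 512-byte fake boot sector
        f.write(os.urandom(3 * 1024 * 1024))   # random "file system" contents
    return acquire(source, image)


if __name__ == "__main__":
    rec = demo()
    print(f"imaged {rec.size_bytes} bytes, sha256={rec.sha256_image}, verified={rec.verified}")
```

The record that acquire() returns is what goes into the acquisition notes; verify_image() is the check to rerun after transport and after every VM session, and any mismatch means the copy can no longer be tied to the original.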
4. Evidence Examination
In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information; these could include utilizing analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.
Analyzing file names is also useful, as it can help determine when and where specific data was created, downloaded, or uploaded and can help investigators connect files on storage devices to online data transfers (such as cloud-based storage, email, or other Internet communications). This also works in reverse, since a full path records the directory that housed the file. Files located online or on other systems often point to the specific server and computer from which they were uploaded, providing investigators with clues as to where that system is located; matching online filenames to a directory on a suspect’s hard drive is one way of verifying digital evidence. At this stage, computer forensic investigators work in close collaboration with criminal investigators, lawyers, and other qualified personnel to ensure a thorough understanding of the nuances of the case, permissible investigative actions, and what types of information can serve as evidence.
5. Documenting and Reporting
In addition to fully documenting information related to hardware and software specs, computer forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties. As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her process could compromise the validity of that evidence and ultimately, the case itself.
For computer forensic investigators, all actions related to a particular case should be accounted for in a digital format and saved in properly designated archives. This helps ensure the authenticity of any findings by allowing these cybersecurity experts to show exactly when, where, and how evidence was recovered. It also allows experts to confirm the validity of evidence by matching the investigator’s digitally recorded documentation to dates and times when this data was accessed by potential suspects via external sources.
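The chain-of-custody record called for in the guidelines above (c. Have a Clear Chain of Custody, i. Monitor Evidence Transactions) and the digitally recorded documentation described in this section, as an added example that is not code from any of the cited sources. Each custody event is appended as a JSON line carrying the SHA-256 of the previous entry, so an edited or deleted entry breaks every link after it, and the evidence hash recorded at acquisition is compared on every later event so an altered image is noticed at the next transaction. The evidence identifier, actor names and hashes are constructed sample data.

```python
"""Tamper-evident chain-of-custody log.

Added example, not code from the cited sources. Every custody event
(acquisition, check-out, check-in, transfer) is stored as a JSON line that
carries the SHA-256 of the previous entry, so editing or deleting an entry
breaks every link after it. The evidence hash recorded at acquisition is
compared on every later event, so an altered image is noticed at the next
transaction. Identifiers, names and hashes in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class CustodyEvent:
    seq: int
    timestamp: str
    evidence_id: str
    action: str           # acquired | check_out | check_in | transfer
    actor: str
    evidence_sha256: str  # hash of the image at the time of this event
    note: str
    prev_hash: str
    entry_hash: str = ""

    def canonical(self) -> bytes:
        """Deterministic serialisation of everything except entry_hash."""
        d = asdict(self)
        d.pop("entry_hash")
        return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: list[CustodyEvent] = []

    def append(self, evidence_id: str, action: str, actor: str,
               evidence_sha256: str, note: str = "",
               when: datetime | None = None) -> CustodyEvent:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        ev = CustodyEvent(len(self.entries), ts, evidence_id, action, actor,
                          evidence_sha256, note, prev)
        ev.entry_hash = hashlib.sha256(ev.canonical()).hexdigest()
        self.entries.append(ev)
        return ev

    def verify(self) -> tuple[bool, str]:
        """Recompute every link and check that no evidence hash ever changed."""
        prev = GENESIS
        baseline: dict[str, str] = {}
        for i, ev in enumerate(self.entries):
            if ev.seq != i or ev.prev_hash != prev:
                return False, f"chain broken at entry {i}"
            if hashlib.sha256(ev.canonical()).hexdigest() != ev.entry_hash:
                return False, f"entry {i} was modified"
            expected = baseline.setdefault(ev.evidence_id, ev.evidence_sha256)
            if ev.evidence_sha256 != expected:
                return False, f"evidence {ev.evidence_id} hash changed at entry {i}"
            prev = ev.entry_hash
        return True, "ok"

    def to_jsonl(self) -> str:
        """One JSON object per line, suitable for an append-only file."""
        return "".join(json.dumps(asdict(e), sort_keys=True) + "\n" for e in self.entries)

    @classmethod
    def from_jsonl(cls, text: str) -> CustodyLog:
        log = cls()
        log.entries = [CustodyEvent(**json.loads(line)) for line in text.splitlines() if line]
        return log


def demo() -> CustodyLog:
    """Constructed sample: one image acquired, checked out and checked back in."""
    img_hash = hashlib.sha256(b"constructed sample image").hexdigest()
    log = CustodyLog()
    log.append("E-2024-001", "acquired", "examiner A", img_hash, "imaged via write blocker")
    log.append("E-2024-001", "check_out", "examiner B", img_hash, "VM review")
    log.append("E-2024-001", "check_in", "examiner B", img_hash, "re-hashed after VM session")
    return log


if __name__ == "__main__":
    log = demo()
    print(log.to_jsonl())
    print(log.verify())
```

The hash chain only proves that the log has not been rewritten after the fact; who may append to it, and where the file lives, are the physical and access controls the guidelines above describe, and the two have to be used together.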
In short, being able to access an identical (but virtual) replica of the suspect’s machine means you can interact with the files and the software on their system without fear of making a mistake that could modify or destroy it. If you have an accident, you can just go back to a previous system state (called a snapshot). And because a VM is just a piece of software, it can be moved from place to place or sent to the Regional Computer Forensics Laboratory (RCFL) or a vendor specializing in forensic work.
All in all, a VM can give you access to otherwise elusive evidence and can help you present it in court in a non-technical manner.
Sources:
[1] Jay Palter (April 19, 2021). Preserving Digital Evidence the Right Way: Your 10-Step Guide. https://www.realtimenetworks.com/blog/preserving-digital-evidence-the-right-way-your-10-step-guide
[2] Ron LaPedis (January 2, 2019). Key steps to managing a cybercrime scene. https://www.police1.com/police-products/investigation/articles/key-steps-to-managing-a-cybercrime-scene-efXbxFKKY5gRCetb/
[3] Jayne Friedland Holland (December 18, 2014). Managing a cyber crime scene. https://fcw.com/security/2014/12/managing-a-cyber-crime-scene/254880/
[4] Norwich University Online (September 11, 2017). 5 Steps for Conducting Computer Forensics Investigations. https://online.norwich.edu/academic-programs/resources/5-steps-for-conducting-computer-forensics-investigations