Compiled by Don Penven 

Digital evidence is fragile; and it is easily altered, damaged or destroyed, say experts in digital
forensic examination techniques. And the cause of anyone of these problems is generally not the suspect—it is from improper handling or examination. Obviously then, very special precautions must be taken with the goal of preserving any potential evidence an electronic device my hold.

Thus…some special steps are needed to ensure that the evidence is both protected and preserved in such a manner that it remains intact even during transport or temporary storage.

Those investigators charged with locating evidence on these devices are skilled and well-trained

In recovery methods and are acutely aware of the necessity for extracting the secrets held in the device’s memory. But the all too often, the crime scene investigators have had little or no specific training in dealing with digital evidence.

The point is that collectors and examiners should be exposed to virtually similar training. For the collectors of the evidence, departmental guidelines should be followed—if such guidelines exist. If not, an excellent source of information for “First Responders” is supplied in the “Guide of First Responders,” published by the Dept. Of Justice:  http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm.

For the digital forensic examiner, the following points are basic to a successful outcome:

• Document all hardware and software configurations of the examiner's working tools.
• The examiner must verify operation of his/her computer system to include hardware and software.
• Disassemble and remove the case of the computer to be examined in order to permit direct physical access to the storage devices while taking care to ensure the equipment is protected from static electricity and stray magnetic fields.
• Identify all storage devices that need to be examined. This includes devices can be internal, external, or both.
• Document internal storage devices and hardware configuration. Pay particular attention to the component’s condition as well as listing make, model, size, jumper settings, location and drive interface. Internal components such as the sound and video card, access control address, and PCMCIA cards.
• Disconnect storage devices using the power connector or data cable from the back of the drive or from the motherboard to prevent the destruction, damage, or alteration of any data present.
• Retrieve configuration information from the suspect's system through controlled boots   to capture CMOS/BIOS information and test functionality.
• Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive).  Record time and date as well as any power-on passwords.
• Perform a second controlled boot to test the computer's functionality and the forensic boot disk.
• Ensure the power and data cables are properly connected to the floppy or CDROM drive, and ensure the power and data cables to the storage devices are still disconnected.
• Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk.
• Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS.

• Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices. Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.
• Power system down.

Whenever possible, remove the subject storage device and perform the acquisition using the examiner's system. When attaching the subject device to the examiner's system, configure the storage device so that it will be recognized.

Exceptional circumstances, including the following, may result in a decision not to remove the storage devices from the subject system:

• RAID (redundant array of inexpensive disks). Removing the disks and acquiring them individually may not yield usable results.
• Laptop systems. The system drive may be difficult to access or may be unusable when detached from the original system.
• Hardware dependency (legacy equipment). Older drives may not be readable in newer systems.
• Equipment availability. The examiner does not have access to necessary equipment.
• Network storage. It may be necessary to use the network equipment to acquire the   data.

When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the examiner's evidence storage device (e.g., hard drive, tape drive, CD-RW, MO).

Ensure that the examiner's storage device is forensically clean when acquiring the evidence. Write protection should be initiated, if available, to preserve and protect original evidence.

Note: The examiner should consider creating a known value for the subject evidence prior to acquiring the evidence (e.g., performing an independent cyclic redundancy check (CRC), hashing). Depending on the selected acquisition method, this process may already be completed.

If hardware write protection is used:

• Install a write protection device.
• Boot system with the examiner's controlled operating system.

If software with write protection is used:

• Boot system with the examiner-controlled operating system.
• Activate write protection.

Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g., non-host specific data such as the partition table matches the physical geometry of the drive).

Capture the electronic serial number of the drive and other user-accessible, host-specific data.

Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools, such as:

• Stand-alone duplication software.
• Forensic analysis software suite.
• Dedicated hardware devices.

Verify successful acquisition by comparing known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy.

Sources:

1. Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the NIJ

2. Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition by the National Institute of Justice

Cyber Crime is replacing drug trafficking.

By Don Penven

Recent government findings indicate that cybercrime has pushed aside the illicit drug trade as one of the top sources for hundreds of millions of dollars in ill-gotten gains the world over. In its infancy, the Internet seemed like something that could develop into a useable tool for scientific research. If we had only known back then what potential it held, perhaps more thought would have gone into its protection. 

Today the newswires are filled with reports of massive thefts of personal information as well as depleted bank accounts—all due to the criminal element that, for a small investment in a computer and an Internet connection, is changing the landscape of criminal investigation. One highly regarded research survey stated that 8.1 million Americans were victims of identity theft in 2010. Losses were in the hundreds of millions.

The Locard Exchange Principle (LEP)

Dr. Edmond Locard (1877–1966), known to many as the French “Sherlock Holmes,” was a pioneer in forensic evidence investigation. Locard formulated the basic principle of forensic science, “Every contact leaves a trace,” Of course Locard’s theory dealt with the physical contact made by the perpetrator to items in the crime scene. But today’s crime scene may not involve a physical structure—more than likely the crime scene is located out there in cyberspace.

So the question evolves, “Does Locard’s Exchange Principle apply to an electromagnet passing over a spinning disk?”  Some digital detectives believe that it does. For example, a hacker gains access to a computer system that may or may not be secure. Is any computer completely secure? Granted, security software is effective against many such invasions, but a secure system will only take the hacker a little longer to get into it. Now, the question is, does the exchange principle apply?

Cybercrimes leave no physical evidence

On the surface, the infiltrator would leave no physical trace of his having been there. But other electronic trace evidence may be present. If the computer’s file access logs were accessible, it’s possible that a record will be available showing that the file was, in fact, accessed, and even that a network transmission followed. Also a possibility is that a side-channel analysis of any activity on the hard drive will uncover network operations. As a last resort, the examiner may check the access logs of the Internet Service Provider (ISP) to uncover surreptitious entry. This step will not necessarily divulge what specific data was removed, but it will indicate that data was, in fact, lifted from the line. 

Industrial espionage is becoming commonplace

Personal information and cash are not the only targets of this spreading menace. Online industrial espionage is a growing threat to the U.S. economy as well as our national security. U.S. intelligence agencies recently warned elected officials that China and Russia are engaged in cyber-espionage. “Trade secrets developed over thousands of working hours by our brightest minds are stolen in a split second and transferred to our competitors,” said one counterintelligence executive. These foreign governments deny this claim.

The Cyber Exchange Principle

Perhaps when relating to cybercrime, the “Cyber Exchange Principle” applies. Forensic examination of a computer or server will uncover artifacts of invasion. The investigator is then, faced with a situation that the crime scene is not limited to a single computer and may involve another computer half the world away.

The hacker will not be leaving latent fingerprints, foot prints, or traces of physiological fluids in the wake of his intrusion. But electronic activity in this case can be far more valuable in the bits and bytes this activity leaves behind.  The principle that Locard espoused so long ago must be forefront in the minds of our digital detectives as they seek what clues an invaded computer holds as well as what traces are awaiting discovery out there in cyberspace. 

According to a leading manufacturer of cyber security software, the annual take by cyber criminals in 2011 was about $114 billion from 431 million adult victims globally. Learn more about cybercrime at Introduction to Cyber Crime

By Don Penven

Steganographic methods are numerous. We see examples in spy movies and novels like invisible ink, microdots and plain cyphers. It seems only natural then that this covert means of sending messages would migrate into the cyber world of computers.

Computer technology opened up a whole new avenue of hiding messages using the hidden code on a page.  In fact using the electronic means of communication as most of us do, messages can be hidden within Web pages, images and online video and audio.

The term Steganography comes to us from the Greek-steganos (covered or protected) and graphei (writing). Cryptography (hidden-writing) is a term we are much more familiar with. But the two terms mean pretty much the same thing…and the terrorist element has learned how to use it.

USA Today reported a while back that (the late) Osama bin Laden and others "are hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other websites, U.S. and foreign officials say."

This technique is a practice of embedding secret messages in other messages -- in a way that prevents an observer from learning that anything unusual is taking place. Encryption, on the other hand, relies on ciphers or codes to scramble a message in plain view.

Forensic cyber specialists cite the advantage for the “dark side” employing steganographic techniques. It should be noted that encrypted messages in plain sight—even if they are indecipherable—attract attention. Thus, steganography protects both the encrypted message but also the people sending and receiving them.

Steganography now includes the concealment of information inside of computer files, but In digital steganography, such communications may include coding inside of a carrier, like a Word  file, photographic file, and even software programs. Media files present the ideal platform for steganographic encoding mainly because of larger file sizes. As an example, a sender might start with an ordinary downloaded family photograph and manipulate the color of every so many pixels to correspond to a letter in the alphabet. This change is so subtle that someone not specifically trained to look for it is unlikely to see it.

I recently saw a stunning example of steganography that began with an image of a line of treetops, but hidden within this photo was a shot of cat curled up on a colorful blanket. We must never underestimate the abilities of those hell-bent on destroying us. Chances are that the very cryptographers plying this trade were educated right here in some of our finest U.S. universities.

Steganography is a really an interesting subject and it is outside of the common cryptography and system administration that most of us deal with day after day. But it is also quite real; this is not just something that's played with in the lab or some off-the-wall subject of study in academia. This threat may, in fact, be all too real — there have been unconfirmed reports that the terrorist’s behind the September 11 attacks used steganography as one of their means of communication.

It is very unlikely that the corner “Bookie” or embezzler will be using steganography any time soon. But look how the iPhone and iPad have revolutionized our daily lives in such a short time. A number of entrepreneurs have developed programs to seek out this form of encryption. Watch for updates on Digital Forensic News:  http://www.dfinews.com/  

Learn when new posts are made to this blog: Sign up For "Cyber" Alerts

By: Don Penven

Rarely does a day go by that we don’t come across the preface “Cyber.” We hear it in conversation, on TV and radio. We see it in print. Regardless of the source, we mostly tend to think of the term as having some relation to computers and the Internet.

Cyberspace is recognized in my Word spell-checker, but cyberstudy is not. And to further cloud the issue, cyber is often used as a single word, i.e. cyber crime, cyber intelligence. As time passes, what we once used as two words are now often merged into one. “Website” is now recognized as a single word in the Associated Press (AP) Style Manual (the guidebook for journalists).

After a lengthy search of more than a dozen websites for a definition of cyber and cyberspace, here’s what I found:

• Three different forums had subscribers say it stood for computer sex (we know where they are coming from).
• Webopedia: A metaphor for describing the non-physical terrain created by computer systems. Online systems, for example, create a cyberspace within which people can communicate…
• Wikipedia: Cyberspace is the electronic medium of computer networks, in which online communication takes place.
• And some believe the term cybernetics, and in particular “cyber” derives from the Greek for steersman, rudder, or pilot. Cybernetics is a term that referred to electronic communication and control science.
• The term cyberspace even appears on whitehouse.gov website.

Yes …I do have better things to do, but since I’ve been working on a series of articles about digital detectives, I wondered how a prosecution witness would define cyberspace or cybercrime if it was used during testimony.

In recent TV news broadcasts I heard representatives from the NSA, Homeland Security and the military express their beliefs that the greatest threat to the U.S. is not a terrorist attack. These officials believe that cyberspace will be the means whereby villains cross into our boundaries…through the Internet.

Statistics indicate that our federal government experienced over 41,000 cyberattacks in 2010 , and these are the ones they were able to detect. They spent close to $12 billion on Information Technology (IT) security that year—most of which covered employee salaries and benefits.

Identity theft is a growing problem. Chances are you have experienced it yourself or know someone who has. In my case I recovered a voicemail message from our home phone one Sunday afternoon. We were asked to call our bank’s credit card fraud unit. They verified that we used our credit card to pay for dinner on a Friday evening (in Raleigh, NC), and the next day our card made a number of purchases in Palm Beach, FL. The purchases continued through Sunday until the card was maxed out.

More recently, I received an Email from Facebook security (yes, they really have a security department). They asked if I had made posts on my page that morning. I had not. It seems that some chap in a Russian province (which I can’t pronounce, let alone spell) had been using my account.

Yes, law enforcement has made magnificent strides in the investigation of cybercrime. But will this prevent it? No it won’t. IT security experts tell us that over 800 million personal records have been stolen by hackers over the recent past. And despite the most complex, hi-tech security software available, some cybercreep will eventually hack into it.

Cyber forensics grew out of the screaming demand for greater law enforcement involvement in cybercrime. Today many agencies have created units that deal with this online mayhem, and many more are gearing up for it.  The trouble is that these computer specialists may never see the light at the end of tunnel called cyberspace.

We created a blog to provide online training in crime scene technology, and we will continue to post timely, easily understood posts covering criminalistics. But here of late we also see a pressing need for training in the dark world of cybercrime. Watch for more posts on this subject. 

To be alerted when new posts are made to this blog, Sign Up For <a href=http://www.sirchie.com/about/news.html>Email Alerting</a>