Digital evidence is fragile: it is easily altered, damaged or destroyed, say experts in digital forensic examination techniques. The cause of any one of these problems is generally not the suspect but improper handling or examination. Very special precautions must therefore be taken to preserve any potential evidence an electronic device may hold.
Some special steps are therefore needed to ensure that the evidence is protected and preserved in such a manner that it remains intact even during transport or temporary storage.
The investigators charged with locating evidence on these devices are skilled and well trained in recovery methods and are acutely aware of the need to extract the secrets held in the device's memory. But all too often, the crime scene investigators who collect the devices have had little or no specific training in dealing with digital evidence.
The point is that collectors and examiners should receive much the same training. Collectors of the evidence should follow departmental guidelines, if such guidelines exist. If not, an excellent source of information for "First Responders" is the "Guide for First Responders" published by the Dept. of Justice: http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm.
For the digital forensic examiner, the following points are basic to a successful outcome:
- Document all hardware and software configurations of the examiner's working tools.
- The examiner must verify operation of his/her computer system to include hardware and software.
- Disassemble and remove the case of the computer to be examined in order to permit direct physical access to the storage devices while taking care to ensure the equipment is protected from static electricity and stray magnetic fields.
- Identify all storage devices that need to be examined. These devices can be internal, external, or both.
- Document internal storage devices and hardware configuration. Pay particular attention to each component's condition, and list make, model, size, jumper settings, location and drive interface. Also document internal components such as the sound and video cards, the network card (including its media access control (MAC) address), and any PCMCIA cards.
- Disconnect storage devices using the power connector or data cable from the back of the drive or from the motherboard to prevent the destruction, damage, or alteration of any data present.
- Retrieve configuration information from the suspect's system through controlled boots to capture CMOS/BIOS information and test functionality.
  - Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive). Record time and date as well as any power-on passwords.
- Perform a second controlled boot to test the computer's functionality and the forensic boot disk.
  - Ensure the power and data cables are properly connected to the floppy or CD-ROM drive, and ensure the power and data cables to the storage devices are still disconnected.
  - Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk.
- Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS.
  - Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.
  - Drive configuration information includes logical block addressing (LBA); large disk; cylinders, heads, and sectors (CHS); or auto-detect.
- Power system down.
Whenever possible, remove the subject storage device and perform the acquisition using the examiner's system. When attaching the subject device to the examiner's system, configure the storage device so that it will be recognized.
Exceptional circumstances, including the following, may result in a decision not to remove the storage devices from the subject system:
- RAID (redundant array of inexpensive disks). Removing the disks and acquiring them individually may not yield usable results.
- Laptop systems. The system drive may be difficult to access or may be unusable when detached from the original system.
- Hardware dependency (legacy equipment). Older drives may not be readable in newer systems.
- Equipment availability. The examiner does not have access to necessary equipment.
- Network storage. It may be necessary to use the network equipment to acquire the data.
When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the examiner's evidence storage device (e.g., hard drive, tape drive, CD-RW, MO).
Ensure that the examiner's storage device is forensically clean when acquiring the evidence. Write protection should be initiated, if available, to preserve and protect original evidence.
Note: The examiner should consider creating a known value for the subject evidence prior to acquiring the evidence (e.g., performing an independent cyclic redundancy check (CRC), hashing). Depending on the selected acquisition method, this process may already be completed.
If hardware write protection is used:
- Install a write protection device.
- Boot system with the examiner's controlled operating system.
If software with write protection is used:
- Boot system with the examiner-controlled operating system.
- Activate write protection.
Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g., check that non-host-specific data such as the partition table matches the physical geometry of the drive).
Capture the electronic serial number of the drive and other user-accessible, host-specific data.
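As an added illustration of the geometry check (example code, not part of the article or the NIJ guide), the following Python parses the MBR partition table of an image and reports partitions that run past the sector count the drive reports, which can happen when a host-protected area hides sectors, as well as runs of sectors that no partition claims. The sample MBR is constructed, and the `total_sectors` argument stands in for whatever the drive reports.

```python
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return (lba_start, sector_count, type) for each used primary entry of an MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]   # four 16-byte entries start at offset 446
        ptype = entry[4]
        lba_start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((lba_start, count, ptype))
    return parts

def check_geometry(mbr, total_sectors):
    """Compare the partition table with the sector count the drive reports.
    Returns (beyond_end, gaps): partitions extending past the reported end, and
    (start, count) runs of sectors no partition claims. Both are space to account for."""
    parts = sorted(parse_mbr(mbr))
    beyond = [p for p in parts if p[0] + p[1] > total_sectors]
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for start, count, _ in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return beyond, gaps

def make_entry(lba_start, count, ptype=0x83):
    """Build one 16-byte MBR entry (CHS fields zeroed; only the LBA fields matter here)."""
    return bytes([0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, count)

# Constructed sample: two partitions with unallocated space before, between and after them
SAMPLE_MBR = (b"\x00" * 446 + make_entry(2048, 8192) + make_entry(12288, 6000)
              + b"\x00" * 32 + b"\x55\xAA")
```

On a real image, `parse_mbr` would be fed the first 512 bytes of the acquired copy and `total_sectors` the count obtained from the drive during the controlled boot.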
Acquire the subject evidence to the examiner's storage device using the appropriate software and hardware tools, such as:
- Stand-alone duplication software.
- Forensic analysis software suite.
- Dedicated hardware devices.
Verify successful acquisition by comparing known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy.
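The known-value step from the note above and the verification step here, as an added Python example that is not from the article or the NIJ guides: it hashes the subject device before acquisition, copies it sector by sector, re-hashes the original to show it was not altered, and then verifies the image both by hash and by sector-by-sector comparison. The device and image are in-memory byte buffers constructed for the example; the `/dev/sdX` path in the comment is a placeholder.

```python
import hashlib
import io

SECTOR = 512

def hash_stream(stream, algo="sha256"):
    """Hash a device or image in sector-sized chunks: the 'known value' for the evidence."""
    h = hashlib.new(algo)
    stream.seek(0)
    while chunk := stream.read(SECTOR * 64):
        h.update(chunk)
    return h.hexdigest()

def acquire(source, dest):
    """Sector-by-sector copy from the subject device to the examiner's image; returns sectors copied."""
    for s in (source, dest):
        s.seek(0)
    count = 0
    while sector := source.read(SECTOR):
        dest.write(sector)
        count += 1
    return count

def verify_by_sector(source, dest):
    """Return the sector numbers at which original and copy differ ([] means identical)."""
    for s in (source, dest):
        s.seek(0)
    diffs, n = [], 0
    while True:
        a, b = source.read(SECTOR), dest.read(SECTOR)
        if not a and not b:
            return diffs
        if a != b:            # also catches a truncated copy (one side runs out first)
            diffs.append(n)
        n += 1

def compare_images(original, image):
    """Sector comparison of two in-memory images (bytes), e.g. the original vs. a suspect copy."""
    return verify_by_sector(io.BytesIO(original), io.BytesIO(image))

def run_acquisition(subject_bytes):
    """Known value first, then copy, then verify; returns (hash_before, hash_after, image_hash, diffs)."""
    subject = io.BytesIO(subject_bytes)  # real case: open("/dev/sdX", "rb") behind a write blocker
    image = io.BytesIO()
    before = hash_stream(subject)        # known value of the original before acquisition
    acquire(subject, image)
    after = hash_stream(subject)         # re-hash: demonstrates the original was not altered
    return before, after, hash_stream(image), verify_by_sector(subject, image)

# Constructed sample evidence: 16 sectors, sector i filled with the byte value i
SAMPLE_DEVICE = b"".join(bytes([i]) * SECTOR for i in range(16))
```

A hash mismatch says only that the copy is bad; the sector comparison says where, which is what you want when deciding whether a single unreadable sector or a truncated image is the cause.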
Sources:
1. National Institute of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
2. National Institute of Justice, Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition.