The Rules for Computer Forensics
The recovery of evidence from electronic devices is fast becoming another component of many the IT Manager’s remit. Electronic evidence gathered is often valuable evidence and as such should be treated in the same manner as traditional forensic evidence – with respect and care.
Essentially, this area is known as computer forensics and can be described as the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. Subject matter can include:
- the secure collection of computer data
- the examination of suspect data to determine details such as origin and content
- the presentation of computer based information to courts of law (if necessary)
- the application of a country’s laws to computer practice.
In short, the objectives of a forensics analysis are to, determine what happened, the extent of the problem, determine who was responsible and present this information as evidence in court if required.
It is used by internal investigators of public and private organisations for a variety of reasons, in particular where a computer user is suspected of a breach of organisational policy. Indeed, in the past couple of years awareness amongst the legal community in Ireland of the need for professional computer forensic services and equipment has increased substantially.
The methods of recovering electronic evidence whilst maintaining evidential continuity and integrity may seem complex and costly, but experience has shown that, if dealt with correctly, it will produce evidence that is both compelling and cost effective.
When talking about computer forensics, it is easy to get caught up in the technical minutiae – the bits and the bytes, the ones and the zeros, slackspace and pagefiles. Given the language used by many forensic investigators it is little wonder that many people consider it to be a black art, forever damned to the world of the ponytails.
In reality however, digital forensics is concerned primarily with forensic procedures, rules of evidence and legal processes. The principal reason given that forensic evidence fails to deliver in a court is not the technical merit of the evidence itself, but rather issues relating to how it was gathered, who gathered it, what training and experience they have, chain of custody, proper documentation, and even, believe it or not, the storage facilities used. A certain case here in Ireland springs to mind, where the evidence storage facility was brought into question. Who had access to it? What security measures are in place to ensure only authorised personnel have access to the evidence? What chain of custody documentation is kept? These are ultimately the key questions and are among the crucial considerations for any IT team if they find themselves central to an internal investigation.
Although the document is not intended to be a definitive manual of every single operation that may take place during an investigation, it does provide some first-rate guidance and advice. Interestingly, the thrust of the guide is about forensic procedures, rules of evidence and legal process, and is a great resource for anyone tasked with drafting incident response policies and procedures.
From the outset, I would like readers to note that when tasked (usually by the HR department) with conducting an investigation relating to computer equipment there are some key “rules’ to be followed:
Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy. (Sometimes referred to as a bit-stream copy).
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified. (Use a write blocking device when possible)
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of the custody of all evidence must be clearly maintained to provide an audit log of whom might have accessed the evidence and at what time.
All of the does not come without difficulties. There is an enhanced awareness amongst offenders of the nature of electronic evidence and the use of techniques to hide evidence. The skillful user makes the examiner’s job difficult, if not impossible. There is an increasing use of tools to hinder forensics – secure deletion tools, encryption tools, automated “scrubbing” tools, digital compression, steganography, remote storage, and audit disabling. Add to this the difficulty in placing a specific person at a specific computer without additional evidence, be it CCTV or Access Control Systems. Computer forensics is useful, but not always a silver bullet.
Not all incidents require of justify the full rigor of a forensic analysis. There are a number of factors affecting the decision to proceed, for instance, the seniority of staff. It is generally accepted that senior staff are more likely to appeal disciplinary procedures or otherwise respond. The background of staff is another important consideration. Staff with a legal, HR or union background may have other motivations. Obviously, if an investigation involves staff with a financial motive to appeal a disciplinary action, a forensic analysis that uncovers some compelling evidence may offer the organization a strong negotiation tool.
Computer forensics is much much more than technical wizardry. It is about keeping a clear head, and being aware of what NOT to do, as much as what you should do. The IT department is becoming an obvious point of call for any organization seeking to analyse a computer or computers that could be central to an internal investigation. As a consequence, there is a growing need to find not only the technical skills, but also the softer “decision-making’ and “investigative’ expertise that will help resolve a wide range of issues quickly, and more importantly, discreetly.