1. Briefly explain the role of a first responder, SOCO (Scene of Crimes Officer) or Computer Forensics Investigator (CFI). [From this point forward the term first responder will be synonymous with SOCO or CFI.]

The role of the first responder is, as the name suggests, to be the first person to respond to an incident. It is therefore imperative that the first responder does only what they are legally permitted to do with respect to attending and gathering evidence from an incident scene.

2. What preparation would a first responder undertake before visiting the scene of a crime/incident?

Before attending the scene, the first responder will need to have some understanding of a number of issues. Some of the issues are technical, but some also concern necessity and proportionality and the right of a person to expect some basic privacy. The list below is not exhaustive, but shows some things that should be considered or asked prior to any activity.

1. What are they going to seize? For example, is it a laptop, desktop, PDA, data from a network, etc.?
2. Where is the system?
3. Has it been quarantined or is it still in use?
4. How many users can or do use this system?
5. Will the system be live or dead?
6. The type and capacity of any drives to be taken (or imaged).
7. The file system in use.
8. The operating system(s) in use.
9. Is any encryption or anti-forensics likely to be in use?
10. Has the manager or responsible person ensured that proper authority for the seizure/removal/forensic copy has been granted?
11. Is the activity necessary and proportional?
12. Have the rights of the person under suspicion been properly addressed?
13. Are there any possible contractual issues?

216SE First Responder Tutorial 1

BB ver 1.0

3. What tools, hardware and software might a first responder wish to take with them and why?

The role of the first responder is to respond to an incident; therefore it is not unusual for them to be sent to unfamiliar environments. It is important that when they arrive they can perform their duties and maintain the integrity of the evidence gathered. It is therefore prudent that they are prepared for many different eventualities, as diverse as failing hardware, non-cooperation from staff, obsolete equipment, lack of available power outlets, poor lighting, an awkward operating environment, etc. Given the list of unknowns at each new scene, the first responder should (at least) consider the following:

1. A proper notebook to make contemporaneous notes.
2. A digital camera to take pictures of items seized.
3. A forensic workstation.
4. A torch and spare batteries for the torch (and perhaps a spare torch or bulb).
5. A few standard light bulbs (a few spare bulbs can often be invaluable if the environment is dark or poorly lit).
6. An extensive toolkit including a full range of different types and sizes of screwdrivers, specialist Allen keys, Torx drivers, pliers, crimps and anti-static protection straps, mats, etc.
7. A range of power cables, network and USB attachments and an extension power socket with the capability to power both the suspect and forensic workstations (if required).
8. All removable media types, such as floppy, CD, DVD, USB media, smart media and, if older equipment is in use, even 5 inch disks.
9. Spare peripherals: a spare monitor may be useful, and a keyboard and mouse (with accompanying adaptors to ensure they can work as PS/2 or USB devices accordingly) would also be advisable. Someone may deliberately damage peripherals to obstruct your activities and you must consider this.
10. Appropriate forensic tools for the operating system(s) in use, on media appropriate for use with those systems.
11. Spare hard drives or USB hard drives, should it be necessary or appropriate to make forensic data copies on site.
12. Based on experience, the first responder will get a feel for what each different type of incident will require them to prepare. However, in order not to be caught out, they will often over-prepare.

4. Assume you are a first responder and arrive at an organisation to remove a desktop computer. What steps would you take to secure the evidence and how would you assess whether any 'live' forensics would take place?

In the first instance the computer should be treated like any other potential crime scene (with emphasis on potential, as the person may have done nothing wrong). It would be necessary to ensure that neither the area nor the device is contaminated, so the first step is likely to be the quarantining of the area around the suspect device (or devices). This is a little more complicated if a network of systems is suspected; however, the first responder is unlikely to attend such an incident on their own. The basic steps would be:

1. Move anyone else within a certain range away from the area.
2. Cordon it off to prevent physical contamination.
3. Identify and photograph the suspect device and make a note of any connections and their status (visible status, for example: the network card is connected via an RJ-45 cable and the network light appears to be indicating network traffic).
4. Identify the overall status of the device. Can the power be removed without causing mass disruption to the activities of the organisation?
5. Identify the nature of the suspected activities.
6. Once the device has been photographed and the nature of the device's role in the system and the nature of the suspected activity divulged, the first responder may need to make a choice of whether live or dead analysis is appropriate. In general, it is often deemed to be safer to pull the plug and perform a dead analysis. However, in practice the choice is often not so clear cut, and the first responder may need to make a difficult choice between losing potential evidence or carrying out live analysis with the risks associated with it.

5. Assume you are a first responder and arrive at an organisation to remove a laptop computer. What steps would you take to secure the evidence and how would you assess whether any 'live' forensics would take place?

Tackling the second part of the question first: the decision to carry out 'live' forensics is normally driven by what evidence would be lost, or what the implications would be, should the power be removed; this consideration should be paramount. If it were not believed that the system was mission critical, nor that the user is likely to be using encryption or anti-forensic software, the steps would be:

1. Photograph the laptop and its connections, remembering to label any if necessary.
2. Remove the battery.
3. Remove the power lead directly from the AC inlet on the laptop.

4. Proceed with the standard acquisition steps.

Should it be considered that the system is mission critical (rather unlikely with a laptop, but not impossible), or may have some encryption or other anti-forensic capabilities, the steps would be:

1. Photograph the laptop and its connections, remembering to label any if necessary.
2. Note any processes running.
3. Insert the live forensics media and progress to a live acquisition or analysis.
4. It is imperative that every action is documented, or that the entire process is video recorded.

6. During the evidence capture stage of a criminal investigation, it becomes apparent that a home computer system is comprised of several networked devices. What must you do to ensure that all of the network devices are located and seized?

It will be necessary to 'trace' each of the networked devices that are attached via the media in use. This may mean following cables to identify what is connected to them and, obviously, where they are located. Regardless of whether wired devices are connected or not, it may be advisable to do a quick 'wireless' sweep of the area, just in case a wireless device has also been in use.

7. Investigations need to be justified, appropriate and proportionate. Explain what this statement means.

This essentially means that there should be adequate 'grounds' for undertaking the investigation. For example, there must be at least some suspicion of wrongdoing, and the steps taken to investigate should be appropriate (the right thing to do) and proportional to the suspected wrongdoing. Let's assume that a computer user was suspected of violating the Acceptable Use Policy by, say, surfing for leisure purposes more than the policy allows. A justifiable and proportionate response would perhaps be to send an email to the individual indicating that they should reduce their non-work Internet activity to avoid any further action being taken against them. Mounting an extensive investigation involving the seizure of their desktop computer, acquisition of data from it and subsequent analysis would be unnecessary, disproportionate and unjustified. However, should the person be suspected of taking part in terrorist activities, a full investigation would be necessary, proportionate (as what stands to be gained is worth far more than what may be lost if the situation is not investigated) and therefore justifiable.

8. Explain the significance of taking photographs of how a computer system was set up at the time of seizure.

It may be necessary to 'recreate' the scene for a number of reasons. Labelling and photographing the computer setup can help to show which devices were or were not connected at the time of seizure, and may also play a role in supporting or discrediting any evidence given by the user(s) of the computer system.

9. In the UK there are some guidelines for handling and processing digital devices. What are these guidelines called?

The guidelines are called the ACPO (Association of Chief Police Officers) Good Practice Guide for Computer-Based Electronic Evidence.

10. Provide a brief description of the principles contained in the guidelines named in the previous question.

The four principles are:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

(ACPO 2007)

To summarise the above:

1. The evidence must maintain its 'integrity' to be used in court.
2. Only competent people should be working with the evidence.
3. Records of everything done must be kept and the process must be repeatable.
4. Someone must be responsible for making sure that principles 1-3 are maintained.

11. Explain the purpose of quarantining equipment prior to seizure.

Quarantining equipment is standard procedure, and is also necessary to maintain the first ACPO principle. When equipment is quarantined, it means that no-one is permitted physical or logical access to that equipment, thereby reducing the likelihood that it could be tampered with or accidentally modified.

12. Why must a first responder record the status of devices after quarantining them?

The status of the device is important as it will drive the next step that they will take. For example, if a desktop PC is being seized and it has already been powered down and the leads removed from any obvious power supply, this is a different situation from one where the desktop is still powered up and appears to be, say, accepting network traffic. The status is therefore important in identifying the first responder's next step (or steps).

13. Why is it important that the first responder correctly identifies and locates any connections to the suspect device or devices?

In the first instance, what may appear to be the simple seizure of an isolated computer may, after inspection of the connections, show that there are a number of computers or 'storage' devices that must also be seized. This is only possible if the first responder takes the time and effort to properly assess the scene.

14. Once a system has been identified for seizure, quarantined and the status of the device identified as being live, what should the first responder do next?

The first responder must make the decision whether to pull the plug (remove the power) or to proceed with a live acquisition.

15. On seizing a particular computer system, what else might the first responder wish to gather as evidence?

In some cases the first responder may decide that it is prudent and necessary to take any attached peripherals, even if they are just I/O devices such as a keyboard or mouse. They may be useful for more 'standard' forensics, or perhaps even to show that they had been modified (perhaps to become a key logger or similar) for some malicious purpose.

16. Describe some of the risks that a 'seized system' may come under during and after seizure.

Risks include loss, damage and modification. In general, the biggest risk is likely to be the data becoming contaminated or losing its integrity. This is why it is so important to make a forensic copy as soon as practicable after the seizure.

17. Explain why it is not always a simple task of going in to take away a standard PC.

If the information supplied before attending the scene is incomplete, wrong or misleading, the first responder could be faced with one of many different types of computer system. Increasingly, computers are being made to look less like computers, and often the only giveaway that a device is actually a computer is the presence of USB ports or some other I/O device.

18. There are a variety of storage devices that may contain data of interest to a computer forensic investigation. Describe some of these devices and the issues surrounding their identification and use.

The obvious storage device is the hard drive. Most machines, with the exception of some newer eeePC systems and PDAs, have some sort of long-term storage, which is normally a hard drive. (Please note this answer is not really taking into consideration iPods, phones, Blackberries, games consoles, etc., as they are deemed slightly more 'specialist'.) Therefore, the devices generally considered to be interesting include:

Hard drives

Hard drives come in a variety of types, ranging from 3.5 inch enclosures with anything from a few megabytes up to terabytes on high-end workstations or server systems, to 2.5 inch enclosures that are used in the majority of laptop and notebook computers (typical capacities of between 20 GB and 120 GB). The principles for using them are generally the same, as they are all electro-mechanical devices. Regardless of the type of drive, they normally have a power connector and a data 'ribbon'; the specific type of drive determines the cable types. Drive types vary from basic IDE, EIDE, PATA and SATA to SCSI. In order to acquire data from any type of drive it is 'normally' necessary that the drive is functional. However, if a drive is non-functional there are specialist labs that can 'recover' data from even deliberately damaged devices. Whilst 'acquiring' an image from a device, it is imperative that no data be changed on the 'original' device and that the copy is forensically sound. This is achieved through the use of a 'write-blocker'. Write-blockers can be hardware or software.

Removable media

All removable media, whether floppy, CD-ROM or DVD-ROM, can be considered 'interesting' for the purposes of digital forensics. Anything that stores data long-term can be considered a possible source of evidence for a computer forensics investigation. Other than the fact that it is removable, the media listed above can be treated as being similar to a hard drive. The techniques used to make a forensically sound copy are essentially the same: the removable media must be protected from change, and the final copy must have a 'checksum' generated which must be compared to a checksum generated from the original media. An additional issue is that floppy disks in particular can become non-functional simply due to poor handling, so care must be taken when working with removable media.
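The checksum comparison just described, as an added example that is not part of the original tutorial: it images a constructed sample 'device' file, hashes the original before and after the copy as well as the image itself, and appends a timestamped record of each step as the audit trail ACPO principle 3 asks for. The file names, the examiner id and the sample content are assumptions, and a write-blocker is still assumed to sit in front of the real media.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read and write in 1 MiB pieces so a large image never sits in memory


def sha256_of(path):
    """Checksum a file in chunks; this is the 'checksum' compared for original and copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def audit(log_path, examiner, action, **detail):
    """Append one timestamped JSON record per step: the audit trail ACPO principle 3 requires."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "action": action, **detail}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")


def acquire(source, image, log_path, examiner):
    """Image `source` into `image`, hashing the original both before and after the copy.
    `verified` is True only when the original is unchanged by the process (principle 1)
    AND the image hash matches it; this proves what the write-blocker should guarantee."""
    before = sha256_of(source)
    audit(log_path, examiner, "hash-original-before", sha256=before)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    audit(log_path, examiner, "copy", source=source, image=image)
    after, img = sha256_of(source), sha256_of(image)
    verified = before == after == img
    audit(log_path, examiner, "verify", original_after=after, image=img, verified=verified)
    return {"original_before": before, "original_after": after,
            "image": img, "verified": verified}


def demo(tamper=False):
    """Run the procedure on a constructed sample 'device' file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect_usb.bin")   # hypothetical seized media
        image = os.path.join(d, "suspect_usb.dd")     # forensic copy
        log_path = os.path.join(d, "audit.jsonl")
        with open(source, "wb") as f:                 # constructed content, about 1.2 MB
            f.write(b"FAT32 sample volume " * 60000)
        result = acquire(source, image, log_path, "examiner-01")
        if tamper:  # simulate a single corrupted byte in the copy, then re-check it
            with open(image, "r+b") as f:
                f.seek(1024)
                f.write(b"\x00")
            result["image"] = sha256_of(image)
            result["verified"] = result["original_after"] == result["image"]
        with open(log_path) as log:
            result["audit_entries"] = sum(1 for _ in log)
        return result
```

A copy whose checksum does not match the original is not forensically sound and must be re-acquired; the audit file records both the mismatch and who observed it.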

USB storage

There are a number of different types of USB storage. The most common types are small capacity (up to around 8 GB as of 2009) and are effectively small EEPROM devices, giving a re-writable device that also has random access. There are also USB hard drives, which essentially use the USB (or 1394 FireWire) interface to connect to what is essentially a standard hard drive (and are therefore treated as such). Other USB devices include the myriad of music-enabled USB devices that can also store data. Despite the differences between many of these types of USB device, one thing they all have in common is that in order to store anything on them they require a file system. Many USB devices simply use FAT-32 file systems, meaning that there are forensic tools available to analyse them. Regardless of the file system, there will be tools available to carry out acquisition and analysis.

19. Describe the general issues surrounding a large scale networked system and a computer forensics investigation.

Large scale networked environments bring with them a significant number of issues:

1. Large volumes of data stored across multiple systems.
2. RAID data storage.
3. Traffic still on the network.
4. Identifying what should be acquired.
5. Ensuring that acquisition does not affect the normal running of the organisation.

There are a number of excellent resources at http://www.e-evidence.info/thiefs_page.html; visit this site and download a selection that deal with large scale network forensics.

20. Contamination of evidence must be considered at all stages of an investigation. Explain the two distinct areas of contamination that a computer forensics investigation must consider and avoid.

The two distinct areas of contamination for computer forensics are physical and digital contamination.

Physical contamination

"Although it is still not common practice for digital devices to be examined for physical evidence such as fingerprints, fibres and DNA, some work in this area [26] has suggested that physical evidence may have a role to play in corroborating or disproving theories about the physical processes undergone by devices." (Marshall 2008)

This shows that whilst physical contamination was previously not considered as important, some research in the area has been instigated.

Digital contamination

Digital contamination is generally considered to be the most problematic. The first ACPO principle is to maintain the integrity of the evidence collected. Steps must be taken to ensure that any acquisition or analysis does not modify the original evidence (in this case digital evidence) in any way unless absolutely necessary. This type of contamination has become increasingly difficult to prevent, especially given the ubiquitous nature of wireless networks and associated devices. Should an investigator have a WLAN or Bluetooth device enabled, simply entering a certain space may contaminate evidence. An expert criminal may use this unknown device activity as an early warning system, and it may trigger software to destroy evidence on the machine or machines to be investigated.
