Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures, and flexibility is expected and encouraged when encountering the unusual.
It is unfortunate that computer forensics is sometimes misunderstood as being somehow different from other types of investigations. For instance, if you were investigating a murder that took place in Times Square, you would photograph the scene, look for evidence, and take samples of the crime scene, including control samples to compare to the evidence. The collection of evidence proceeds similarly in a computer investigation, but for some reason, some people want to recreate the entire system, be it a standalone PC, a server with a terabyte RAID system, or even an entire network. Nobody expects the prosecution to rebuild Times Square in the courtroom, but that is often the expectation in a computer crime case. Admittedly, digital data can be highly volatile. General unfamiliarity not only with computer forensics, but also with computers themselves, makes this field a highly challenging one, but this book can help you prepare for it.
This is a good place to remind ourselves that we have to treat every case as if it will end up in court. Take a minute to think of the consequences; don't start poking around a computer, decide that you have a problem, and then start handling it as evidence. It is easier to regard the computer as evidence from the start, easing up on the evidentiary process if you discover that a crime wasn't committed. The opposite approach is more difficult, if not impossible. However, if you reasonably ("reasonableness" is a key to most laws) believe when you start "looking around" on the computer that it doesn't warrant a forensic analysis and later discover an overtly illicit act was committed, make sure that you fully document what you did and why. Your evidence may still be defensible if you explain to a judge and jury that you initially had no reason to suspect that the computer was involved in a criminal act and subsequently discovered the crime while conducting routine troubleshooting, but only if you fully documented your activities. The key to any investigation, particularly a computer crime investigation, is documentation.
Computer forensics has a brief history. It has been only a few short years since the largest drives available were under 20MB and a zip drive, a DOS disk, and a hex editor were a sufficient forensic toolset. You would be hard-pressed today to find enough zip disks in a computer store to capture the hard drive image of a standard PC, but the highly conservative criminal justice world strongly encourages the continued use of the same techniques we used in the zip drive days. In this book, we share some new techniques appropriate for rapidly changing technology, but remember that basic forensic methodology remains consistent—it doesn't change just because drives get bigger and computers get smaller.
The basic methodology consists of what you can think of as the three As:
- Acquire the evidence without altering or damaging the original.
- Authenticate that your recovered evidence is the same as the originally seized data.
- Analyze the data without modifying it.
We expand on each of these three topics in the sections that follow; they are the framework of every forensic game plan. The details of your specific game plan will depend upon the circumstances and your goals, but the plan will always follow these same three steps.
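As an added illustration of the first two As and of the documentation this chapter insists on, the following Python example (not from the book, and not the authors' code) assumes cryptographic hashing with SHA-256 as the authentication check; it acquires a constructed stand-in for a seized image, hashes the original before and after acquisition, logs every step with a timestamp, and shows authentication failing when the working copy is altered. The analysis step is not shown.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive image (not real evidence).
SAMPLE_IMAGE = b"seized-drive-image-sample-bytes\n" * 64

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record(log, step, **fields):
    """Documentation: every step goes into the log with a UTC timestamp."""
    log.append(dict(step=step, time=datetime.now(timezone.utc).isoformat(), **fields))

def acquire(source, dest, log):
    """Acquire: copy byte-for-byte, hashing the original before and after
    to document that acquisition did not alter it. Returns the original's hash."""
    before = sha256_of(source)
    shutil.copyfile(source, dest)
    os.chmod(dest, 0o444)  # the working copy is read-only from here on
    record(log, "acquire", source=source, dest=dest, original_sha256=before,
           original_unchanged=(before == sha256_of(source)))
    return before

def authenticate(original_hash, dest, log):
    """Authenticate: the working copy must hash identically to the seized original."""
    actual = sha256_of(dest)
    record(log, "authenticate", expected=original_hash, actual=actual,
           match=(actual == original_hash))
    return actual == original_hash

def run_case(tamper=False):
    """Acquire and authenticate SAMPLE_IMAGE. With tamper=True the working copy is
    modified after acquisition, so authentication must fail. Returns (ok, log)."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "original.dd"), os.path.join(d, "working.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_IMAGE)
        original_hash = acquire(src, dst, log)
        if tamper:
            os.chmod(dst, 0o644)
            with open(dst, "r+b") as f:
                f.write(b"X")  # simulates an accidental write to the working copy
        return authenticate(original_hash, dst, log), log
```

The log list is the written record the chapter calls for: it shows that the original was unchanged by acquisition and whether the copy being analyzed is authentic.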
There are many possible goals other than successful criminal prosecution. Sometimes forensics is conducted to determine the root cause of an event to ensure that it will not happen again. This goal is important—you have to fully understand the extent of your problem before you can be reasonably sure that it will not be exploited again. You also have to fully understand a problem before you know how to respond to it. A friend recently confided a story about unexpectedly finding a high-port telnet daemon. After removing it, he thought that he had removed the intruder and "resecured" his system, but two weeks later, he found the same unauthorized process running. If you do not conduct a complete analysis and find the entire extent of the compromise, it is only a matter of time before you have a bigger problem. It's kind of like termites, but worse—termites don't deliberately retaliate!
In addition to helping us determine what happened, forensics can also address the question of who was responsible. Forensics are used in investigations internal to private organizations and, increasingly, by law enforcement during investigations of all sorts of illegal activity that isn't necessarily characterized as computer crime. Just a few short years ago, as members of an emergency response team, we assisted in a raid on a drug dealer's home. While the detectives were collecting anything that they thought had potential as evidence, we asked if they were going to seize the drug dealer's personal computer. The lead detective replied with certainty that they did not need it. Perhaps they didn't realize how rich a source of information a computer can be about its user's activities. This attitude is much less common today, although the need for law enforcement officers trained for digital investigations still far outweighs the supply.
Most computer crime cases are not prosecuted, but we should still consider acceptability in a court of law as our standard for investigative practice. We can debate whether or not to pull the plug, or if we should use DOS/Windows or Linux for our analysis, but those are minor details. Our ultimate goal is to conduct our investigation in a manner that will stand up to legal scrutiny. Treat every case like a court case, and you will develop good investigative habits.
If your company has been lucky enough to avoid the need for computer forensics (or so you think), congratulations; it will come soon enough. What do you do when you are asked to investigate an incident, but your management wants the server reloaded and backed up as soon as possible? Do you tell the boss that you need several hours, if not several days, to analyze the system? Instead, you end up performing a watered-down version of forensics, and your results reflect the effort. Even under less-than-ideal circumstances, whatever level of rigor you can apply to the investigation will bear some fruit, and maybe it will convince your boss to give you more leeway during future events.
About the Authors
Warren G. Kruse and Jay G. Heiser specialize in computer forensics, incident response, and cybercrime. They are frequent media commentators and lecturers on these topics. They are also the authors of Computer Forensics: Incident Response Essentials, published by Addison Wesley Publishing.