First Responders Course - Session 8 - Digital Evidence Collection [2004]

Date post: 18-Nov-2014
Upload: phil-huggins
Description:
The eighth session from a two-day course for potential first responders I ran for a large financial services client.
First Responder Course: 8 Digital Evidence Collection. Phil Huggins, February 2004
Transcript
Page 1: First Responders Course - Session 8 - Digital Evidence Collection [2004]

First Responder Course: 8 Digital Evidence Collection

Phil Huggins, February 2004

Page 2

Agenda

Description
Acquisition Guidelines
Data Handling

Page 3

Description

This phase collects data from a suspect system and saves it on a trusted server or disk

This data preserves the scene so that it can be introduced into court

A copy of this data can be used in the forensic lab

Different amounts of data are gathered depending on the scenario

Page 4

Acquisition Guidelines

Document the crime scene and all actions that you take. You may need to testify to exactly what you did, so record even the mistakes.

Record all serial and part numbers of hard drives, servers and other equipment. It helps to make labels for the hard drives with comments on them. Use a digital camera to record which cables are connected to what.

Minimize system activity.
Kill schedulers (cron, at and similar), so that scheduled jobs do not alter the system while you work.
Do NOT make a backup using normal backup software and hardware.
Do NOT reconfigure the system.
Do NOT install new software (run tools from a CD if necessary).

Acquire the data as soon as possible, otherwise it may change.

Page 5

Acquisition Guidelines

Maintain Chain of Custody (CoC) forms at all times

After the data is acquired, compute an MD5 checksum of it and record the value in a notebook. Verify the value periodically during the analysis. For static data, such as a hard disk, verify that the MD5 of the original and of the copy match immediately after acquisition. MD5 is no longer collision resistant, so record a SHA-256 of the same data alongside it; the two values together are what you later re-check.
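The acquire, hash, record and re-verify steps above, as an added example that is not part of the original slides. It images a source with dd, hashes the original and the copy with md5sum and sha256sum, writes both values with a timestamp to a notebook file, and shows the periodic re-check catching a changed image. The temporary directory, file names and the sample "disk" (64 KiB of random bytes) are constructed for the demo; on a case the source would be the block device behind a write blocker.

```shell
#!/bin/sh
# Added example, not from the course slides: raw image with dd, hash
# original and copy (MD5 as the slides ask, SHA-256 alongside it), record
# both in a notebook file, and re-verify later.
# WORK, NOTEBOOK and the sample source are assumptions for this demo.
set -u

WORK=$(mktemp -d)
NOTEBOOK="$WORK/notebook.txt"

# Constructed stand-in for the suspect disk: 64 KiB of random bytes. On a
# real case the source is the device behind a write blocker, e.g. /dev/sdb.
make_sample_source() {
    dd if=/dev/urandom of="$WORK/suspect.raw" bs=1024 count=64 2>/dev/null
    printf '%s\n' "$WORK/suspect.raw"
}

# Raw copy. conv=noerror,sync keeps reading past bad sectors and pads the
# failed block with zeros so later offsets stay aligned. dd's own record
# counts and any error text are appended to the notebook.
acquire() {  # acquire SOURCE IMAGE
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>>"$NOTEBOOK"
}

hash_file() {  # hash_file PATH -> "<md5> <sha256>"
    m=$(md5sum < "$1"); s=$(sha256sum < "$1")
    printf '%s %s\n' "${m%% *}" "${s%% *}"
}

# Append "<utc time> <label> <md5> <sha256> <path>" to the notebook and
# echo the hash pair so the caller can keep it for later verification.
record() {  # record LABEL PATH
    h=$(hash_file "$2")
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$h" "$2" >>"$NOTEBOOK"
    printf '%s\n' "$h"
}

# Returns 0 only if both hashes of PATH still equal the recorded pair.
verify() {  # verify PATH "<md5> <sha256>"
    [ "$(hash_file "$1")" = "$2" ]
}

# Demo run: acquire, record both sides, compare, then show that a single
# appended byte is caught by the periodic re-check.
demo() {
    src=$(make_sample_source)
    img="$WORK/suspect.dd"
    acquire "$src" "$img"
    orig=$(record original "$src")
    copy=$(record copy "$img")
    [ "$orig" = "$copy" ] && echo "copy matches original: $orig"
    printf 'x' >> "$img"
    verify "$img" "$orig" || echo "image changed since acquisition"
    cat "$NOTEBOOK"
}
demo
```

The verify function compares the whole pair, so a re-check fails if either hash differs; keeping the dd stderr in the same notebook means any read errors during acquisition are recorded next to the hashes they affected.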

Page 6

Data Handling: Chain of Custody

Any data that could be entered into court must have a Chain of Custody (CoC) form with it.

A CoC form identifies who was responsible for the data at a given time.

Ensure this is created and maintained throughout the acquisition and investigation.

Page 7

Data Handling: Chain of Custody (sample form shown as an image; no text in the transcript)

Page 8

Data Handling: Transportation

To keep the chain of custody, transport data with a trustworthy courier. Keep the shipping statement with the CoC form.

If flying, it is best to carry the drives instead of checking them in. As this is usually not possible with increased security checks and other luggage, such as a laptop, a courier may still be the best option.

The data should be stored in a secure place at all times. A dedicated forensics lab should contain a safe with security cameras.

Page 9

Data Handling: System Acquisition Form

For each system that you work on, fill out a System Description form.

This form could contain fields for:
Manufacturer, model number, serial number
Operating system type
Number of hard drives, with the model and serial number of each
MAC address of network card(s)
Physical security of the system
Owner's name
Time it was acquired from the owner and when it was given back

Page 10

Data Handling: System Acquisition Form (sample form shown as an image; no text in the transcript)

Page 11

Data Handling: Hard Drive Form

All hard drives look alike. The Hard Drive Form keeps track of which drive contains what data and where it has been installed.

These should be created for both evidence drives and suspect drives.

Labels and Post-It notes are also useful to mark the contents of drives (but they can fall off!)

Document when jumpers are moved and which systems the drive is installed in.

Page 12

Data Handling: Hard Drive Form (sample form shown as an image; no text in the transcript)

Page 13

Data Acquisition Checklist

1. Document the scene using a notebook and a System Acquisition Form. If possible, unplug the system from the network and plug it into an empty hub or switch (the link stays up, so nothing on the system sees a disconnect, but it can no longer reach or be reached by anything).

2. If the system has not been rebooted since the incident was detected, collect volatile data. This should be done with trusted binaries on a CD or floppy, never with the binaries found on the suspect system.

3. If the system can be turned off, then unplug it for static data acquisition. If it cannot be turned off, then perform static data acquisition over the network.

4. After the acquisition, create a Chain of Custody form and maintain control of the data at all times.
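One way to script checklist step 2, collecting volatile data with trusted binaries only, as an added example that is not from the course material. Every command is run from a toolkit directory (the CD or floppy in the checklist); a command whose binary is missing from the toolkit is recorded as MISSING rather than picked up from the suspect system's PATH, and each output file is hashed into a manifest so it can be tied to the Chain of Custody form later. The toolkit path, output path and command list are assumptions, and the demo toolkit is built by copying the host's own binaries, which only stands in for a known-good CD.

```shell
#!/bin/sh
# Added example, not from the course slides: volatile data collection using
# only binaries from a trusted toolkit directory, with a SHA-256 manifest.
# TOOLDIR, OUTDIR and VOLATILE_COMMANDS are assumptions for this demo.
set -u

# Commands to run, most volatile first, one "binary args" per line. This
# list is an assumption; adjust it per platform.
VOLATILE_COMMANDS='date -u
uptime
ps -ef
netstat -an
w'

# collect_volatile TOOLDIR OUTDIR -> prints the number of MISSING tools.
# Writes OUTDIR/<binary>.txt per command and OUTDIR/manifest.txt.
collect_volatile() {
    tooldir=$1 outdir=$2
    mkdir -p "$outdir"
    manifest="$outdir/manifest.txt"
    : > "$manifest"
    printf '%s\n' "$VOLATILE_COMMANDS" | while IFS= read -r line; do
        set -- $line            # split "binary args" into words
        bin=$1; shift
        out="$outdir/$bin.txt"
        # Never fall back to the suspect's PATH: absent from toolkit = skip.
        if [ ! -x "$tooldir/$bin" ]; then
            printf 'MISSING %s\n' "$bin" >> "$manifest"
            continue
        fi
        "$tooldir/$bin" "$@" > "$out" 2>&1
        status=$?
        # Hash with the toolkit's own sha256sum and log the exit status.
        sum=$("$tooldir/sha256sum" < "$out")
        printf 'OK %s exit=%s sha256=%s\n' "$bin" "$status" "${sum%% *}" >> "$manifest"
    done
    awk '/^MISSING/ { n++ } END { print n + 0 }' "$manifest"
}

# Demo toolkit: copies of the host's own binaries. On a real case the toolkit
# comes from a known-good CD; this copy only stands in for it here. "w" is
# deliberately left out to show the MISSING path.
build_demo_toolkit() {  # build_demo_toolkit TOOLDIR
    mkdir -p "$1"
    for bin in date uptime ps netstat sha256sum; do
        src=$(command -v "$bin" 2>/dev/null) && cp "$src" "$1/$bin"
    done
}

# Demo run against the host itself.
DEMO=$(mktemp -d)
build_demo_toolkit "$DEMO/tools"
printf 'missing tools: %s\n' "$(collect_volatile "$DEMO/tools" "$DEMO/out")"
cat "$DEMO/out/manifest.txt"
```

The manifest records both the exit status and the hash of every output, so a tool that ran but failed (for example a ps built for a different kernel) is visible rather than leaving a silently empty file. The shell interpreter and mkdir in this demo still come from the host; a real toolkit would also carry its own statically linked shell.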
