First Responder Course: 8 Digital Evidence Collection
Phil Huggins, February 2004
Agenda
Description
Acquisition Guidelines
Data Handling
Description
This phase collects data from a suspect system and saves it on a trusted server or disk
This data preserves the scene so that it can be introduced into court
A copy of this data can be used in the forensic lab
Different amounts of data are gathered depending on the scenario
Acquisition Guidelines
Document the crime scene and all actions that you take. You may need to testify exactly what you did, so even record the mistakes.
Record all serial and part numbers of hard drives, servers, and other equipment. It helps to make labels for the hard drives with comments on them. Use a digital camera to record what cables are connected to what.
Minimize system activity
Kill schedulers
Do NOT make a backup using normal backup software and hardware
Do NOT reconfigure the system
Do NOT install new software (use a CD if necessary)
Acquire the data as soon as possible, otherwise it may change
Acquisition Guidelines
Maintain Chain of Custody (CoC) forms at all times
After the data is acquired, make an MD5 checksum of it and record it in a notebook. This value should be verified periodically during the analysis. For static data, such as a hard disk, the MD5 of the original and the copy should be compared after acquisition.
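The checksum discipline above, as an added Python example that is not part of the original course material: it records the digest of an acquired image in a notebook file, re-verifies the image against that record later, and compares original against copy so that a single changed byte is caught. The file names, the tab-separated notebook layout and the sample image bytes are constructed for the demonstration; SHA-256 is computed alongside MD5 because MD5 alone is no longer considered collision-resistant.

```python
import datetime
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Digest a file in chunks; disk images rarely fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def record_acquisition(notebook, evidence, examiner):
    """Append timestamp, examiner, file name and digests to the notebook (TSV)."""
    digests = hash_file(evidence)
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    with open(notebook, "a") as nb:
        for algo, value in digests.items():
            nb.write(f"{stamp}\t{examiner}\t{Path(evidence).name}\t{algo}\t{value}\n")
    return digests

def verify(notebook, evidence):
    """Re-hash evidence against every recorded digest; returns (ok, mismatches)."""
    current, name, recorded, mismatches = hash_file(evidence), Path(evidence).name, 0, []
    for line in Path(notebook).read_text().splitlines():
        _stamp, _who, fname, algo, value = line.split("\t")
        if fname == name:
            recorded += 1
            if current[algo] != value:
                mismatches.append((algo, value, current[algo]))
    return recorded > 0 and not mismatches, mismatches

def demo():
    """Constructed walk-through: image a 'drive', copy it, verify the copy,
    then show that a single changed byte in the copy is caught."""
    work = Path(tempfile.mkdtemp())
    original, copy, notebook = work / "suspect.dd", work / "suspect-copy.dd", work / "notebook.tsv"
    original.write_bytes(b"MBR\x55\xaa" + bytes(range(256)) * 64)  # constructed sample image
    copy.write_bytes(original.read_bytes())
    record_acquisition(notebook, original, "examiner-1")
    copy_matched = hash_file(copy) == hash_file(original)
    with open(copy, "r+b") as f:  # simulate one corrupted byte on the working copy
        f.seek(10); f.write(b"\x00")
    return {"original_ok": verify(notebook, original)[0],
            "copy_matched": copy_matched,
            "copy_after_change": hash_file(copy) == hash_file(original)}
```

Running `demo()` reports the original still matching its notebook entry, the fresh copy matching the original, and the altered copy failing the comparison.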
Data Handling: Chain of Custody
Any data that could be entered into court must have a Chain of Custody (CoC) form with it.
A CoC form identifies who was responsible for the data at a given time.
Ensure this is created and maintained throughout the acquisition and investigation
Data Handling: Transportation
To keep the chain of custody, transport data with a trustworthy courier. Keep the shipping statement with the CoC form.
If flying, it is best to carry the drives instead of checking them in. As this is usually not possible with increased security checks and other luggage, such as a laptop, a courier may still be the best option.
The data should be stored in a secure place at all times. A dedicated forensics lab should contain a safe with security cameras.
Data Handling: System Acquisition Form
For each system that you work on, fill out a System Description form.
This form could contain fields for:
Manufacturer, Model number, Serial number
Operating System Type
Number of hard drives with model and serial number
MAC address of network card(s)
Physical security of system
Owner's name
Time it was acquired from owner and when it was given back
Data Handling: Hard Drive Form
All hard drives look alike
The Hard Drive Form keeps track of which drive contains what data and where it has been installed
These should be created for both evidence drives and suspect drives
Labels & Post-It notes are also useful to mark the contents of drives (but they can fall off!)
Document when jumpers are moved and which systems the drive is installed in
Data Acquisition Checklist
1. Document the scene using a notebook and a System Acquisition Form. If possible, unplug the system from the network and plug it into an empty hub or switch.
2. If the system has not been rebooted since the incident was detected, collect volatile data. This should be done with trusted binaries on a CD or floppy.
3. If the system can be turned off, then unplug it for static data acquisition. If it cannot be turned off, then perform static data acquisition over the network.
4. After the acquisition, create a Chain of Custody form and maintain control of data at all times.