June 19, 2009
Digital Evidence Collection
Today it’s not if your organization will have an electronic incident it’s when will that incident occur. Regardless of the type of incident there is a high likelihood your organization will need to collect digital evidence and build some form of a case file. However, it is often in the first moments after an incident is detected that crucial mistakes are made by the organization.
Most organizations are not able to justify having a fulltime forensic examiner on staff. The result of this is when incidents do occur the first responders often have not been properly trained on sound evidence collection procedures. This post is going to cover some of the basic steps and precautions that first responders should follow to ensure they aren’t permanently damaging, altering or destroying critical digital evidence.
More times than not the organization’s IT staff is called upon as the first responders.
While these individuals have a deep understanding of the internal technical details
of the organizations electronic systems they often do not realize the importance of
the physical world surrounding the systems. When first arriving at the scene care
should be taken by all to not alter the physical environment. Extensive photographs
of the cubical, room, etc should be taken to document the location of all items in
Once the collection of items begins, proper protection should be taken to preserve
physical evidence such as fingerprints on keyboards as well as protect the responders
from any harmful substances in the area. Additionally, proper storage containers used
to collect physical evidence ensuring there is no opportunity for contamination as
the evidence is transported.
Volatile storage evidence
The proliferation of Web 2.0 applications has greatly complicated the collection of
digital evidence as many times the information is either scattered in render scraps
across a massive hard drive or only stored in a systems volatile RAM while the application
is being accessed. Therefore, when the system is powered off the data is lost forever
unless it can be captured while the system is still live.
A number of forensic tool vendors have developed solutions to aid in the capture of
volatile information from systems. e-fense
Live Response USB key allows first responders to acquire a comprehensive copy
of all critical system settings and memory contents from a live system.Guidance
application has a privileged read-only process running on your organizations
systems that can be used to transfer volatile information from a system to a central
repository without alerting the user of the system or requiring physical access to
Critical business system
Finally I want to discuss how to handle a critical business system being involved
in an incident. Obviously these systems usually cannot be taken off-line and sent
to a forensics lab for processing. They tend to be multi-user systems with a high
volume of traffic and activity. This means that the system state is changing quickly
and potential evidence may be lost if not captured in a timely manner. The challenge
is how to make an image of the system while it’s still online and constantly changing.
Again, there are many vendors with different tools available that can do network-based
image transfers of live systems including Access
Software or even the open source dd utility piped over a netcat tunnel (for those
who aren’t looking to spend a lot of money). While this may not be as ideal as a standalone
drive imaging process given the restrictions of dealing with these critical systems
this is the best option available and any image (even a smeared one) is better than
In the end organizations should be prepared to handle incidents when they occur. By acquiring a few key tools, having documented and proper incident response procedures and providing those who will be initial responders with some basic training can be the difference in success or failure of building sound evidence backed cases.