This is the process of preserving the collected evidence while maintaining its integrity and ensuring the chain of custody is not broken. The evidence needs to be preserved on sustainable media using reproducible methodologies. Due care must be taken to document all steps taken to capture the data and any changes to the evidence must also be documented – including what the change was and the rationale behind it. You may need to prove the integrity of the evidence in a court of law so you should always remember that taking any shortcuts might eventually result in the loss of your case.
For the evidence to remain admissible in a court of law, the Preservation activity must follow a well-defined, structured approach governed by a set of best practices. The key areas for the Preservation phase are described below.
The following figure provides a high-level set of general actions that are always useful in performing a highly effective forensics activity:
Dos:
- Involve a forensic analyst
- Comply with local legal and regulatory requirements
- Make meticulous logs of all the activities (including photos)
- Minimize the interactions with the original evidence
- Unplug any network cable/Wi-Fi/Bluetooth connections
- Collect evidence in the order of volatility
- Use proven, appropriate and tested tools
- Take possession of all suspect devices
- Store evidence in a secured location, on-site and off-site
- Ensure that no unauthorized person has access to evidence
- Involve HCM/Legal department for their input
Do Not’s:
- Power on or off the device (leave it as it is)
- Remove the batteries to collect information
- Ask IT personnel to conduct a forensic investigation
- Use the suspect device – log in to or run programs
- Leave devices connected to network and/or the Internet
- Attempt to investigate on the device itself
- Delete or destroy any data on the evidence device
- Inform any unauthorized person about the investigation
- Investigate on the crime scene
- Exceed your knowledge
- Access evidence without prior formal approval
1.2. Evidence Acquisition
The preservation process starts with evidence collection which involves the search for, recognition of, collection of and documentation of computer-based electronic evidence. The collection phase can involve volatile real-time and stored information that may be lost unless precautions are taken at the scene. For a successful evidence collection a proper legal consultation is required due to the complexity of the subject.
Always make sure that you use appropriate tools for live capture keeping in mind the following Order of Volatility (OOV) within a computer and supporting storage media:
- CPU, memory cache, and the registers;
- Routing tables;
- ARP Cache;
- Process state and processes running;
- Kernel modules and statistics;
- Main memory (RAM);
- Temporary system files;
- Swap files;
- Network configuration and connections;
- System settings;
- Command history;
- Open files, clipboard data, logged on users;
- The file system.
The rest of this section briefly describes each of the focus areas that are required for this activity:
1.2.1. What Constitutes Valid Evidence?
For any evidence to stand in court it must adhere to the following guidelines – due care must therefore be taken during any evidence collection activity to ensure none of these factors are violated:
- Admissibility: This is the most basic rule – the evidence must be able to be used in court or elsewhere. This is so important that failure to comply with this rule is equivalent to not collecting the evidence in the first place.
- Authenticity: The evidence must be able to be related to the incident. If it does not, it does not stand in the court.
- Completeness: The evidence must cover all perspectives – not only those that prove its value, but also any elements that may diminish the acceptability of other evidence. This may also include evidence to prove why the subject(s) are the only party that could have orchestrated this activity and no one else.
- Reliability: The evidence’s authenticity and veracity must not be put into doubt due to your methods of collection.
- Believability: The evidence you present should be clear and easy to understand for it to be believable. This means it should be presented in the format and language comprehensible by the audience.
1.2.2. Sources of Digital Evidence
The following figure provides possible places that digital evidence can reside. Please note this is not an exhaustive list as digital evidence is any probative data stored or transmitted in digital form.
- Computers
- External hard drives
- CDs and DVDs
- Thumb drives
- Floppy disks
- Cell phones
- Voice over IP phones
- Answering machines
- iPods
- Electronic game devices
- Digital video recorders
- Digital cameras
- PDAs
- Routers
- Switches
- Wireless access points
- Servers
- Fax machines
- Printers that buffer files
- Photo-copiers that buffer files
- Scanners that buffer files
- Tablets
Figure 2: Sources of Digital Evidence
1.2.3. Evidence Collection Guidelines
Digital evidence is very fragile and can be easily altered, damaged, destroyed or simply lose its value if not handled properly. Failure to handle it properly may either render the evidence useless or in some cases lead to inaccurate conclusions. Therefore, due care must be taken to collect digital evidence in a manner that ensures its protection and preservation. The following areas should be kept in mind during the acquisition phase:
- Follow Established Policies and Guidelines: Secure evidence adhering to laid out policies in line with industry best practices. Engage the appropriate Incident Handling and Law Enforcement personnel as soon as possible.
- Document and Verify System, Software and Environment Configurations: Document examiner’s systems configurations and also the operations that are going to be taken. Document the state and configuration of the environment, network and each of the systems as they were found. Photograph computer front and back as well as cords and connected devices. Photograph surrounding area prior to moving any evidence. Document all steps involved in the seizure of a computer and components. Collect instruction manuals, documentation and notes.
- Take Notes as you go Along: Don’t wait till the last minute. Start taking notes as soon as you start the process. These notes should include dates and times. If possible, use an automated note taking tool that is suitable. Never take any notes on the evidence itself. Notes and print-outs should be signed and dated. If taking audio notes, always remember to record the date and time and your name and title and the capacity in which you are involved in the case.
- Note the time difference from UTC: Always remember to indicate whether UTC or local time is used for each timestamp provided.
- Collection first, Analysis later: If you ever have to choose between the Collection and Analysis of the evidence, always favor collection first and analysis later.
- Equipment Power Cycle Considerations: All care must be taken to avoid accidental restart of the system. If computer is “off”, do not turn “on”. Unplug the power cord from the system. If the laptop does not shutdown when the power cord is removed, locate and remove the battery pack. Once the battery is removed, do not return it to or store it in the laptop. If in a networked information system, also unplug power to router or modem.
- Photograph the scene: Capture as accurate a picture of the system as possible. If computer is “on” and something is displayed on the monitor, photograph the screen. If computer is “on” and the screen is blank, move mouse or press space bar (this will display the active image on the screen). After image appears, photograph the screen.
- Capture the overall scene, 360-degree coverage if possible
- The condition and location of each computer system
- The front, sides, and back of each computer, including cables
- Monitors (active screens may require video-taping)
- The position of all computer components, mice, cables, and so on
Figure 3: Capturing evidence through Camera
- Search Protocol: Search the scene for passwords, account numbers, or other pertinent information. Never use the equipment in question or attempt to search for evidence on the equipment.
- Record Live State: Document and preserve any open file(s) on the computer and capture live memory. Create a diagram and label cords to later identify connected devices. Once done, disconnect all cords and devices from the system.
- Document Operations and Logistics: Document the steps taken to disassemble the physical systems to gain access to parts such as storage wherever required. Package components adequately and transport or store them marked as FRAGILE.
- Storage: Keep all media, including CPU tower, away from magnets, radio transmitters and other potentially damaging elements.
- Write Protection: Write protection should be initiated to protect and preserve the original evidence wherever possible. If hardware write protection is used, install a write protection device and boot the system with examiner’s controlled operating system. If software write protection is used, boot system with the examiner-controlled operating system and activate write protection.
- Verification: Verify successful acquisition by comparing known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy.
- Maintain Records for the Testimony: Be prepared to testify, which may be years after the actual incident. You must keep all notes that outline your actions, including their chronology. This is where your notes will be vital to refresh your memory.
- Avoid making any changes: Ensure you take all necessary steps to minimize changes to the data as you are collecting it. This is not only for content changes and consideration should also be given to avoid updating directory and file access and modification times.
- Respect the Order of Volatility: Always work your way for evidence collection in the order of volatility. A non-exhaustive reference list is provided in the Evidence Acquisition section above to give you an idea of level of priority regarding each evidence media.
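The Verification step above (comparing known hash values of the original and the copy, and falling back to a sector-by-sector comparison) can be scripted. The following Python is an added example, not code from the original document: it hashes an original and its image and, on mismatch, reports exactly which sectors differ, which is what you would record on the Evidence Capture Form. The eight-sector sample device and the 512-byte sector size are constructed assumptions.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size; real media report 512 or 4096 bytes


def sha256_of(path):
    """Hash a file in 1 MiB chunks so a multi-GB image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_sectors(original, image, sector_size=SECTOR_SIZE):
    """Return the indices of sectors that differ between the two files.

    A sector present on only one side (size mismatch) also counts as a
    difference, so a truncated image is reported rather than silently accepted.
    """
    mismatches = []
    with open(original, "rb") as orig, open(image, "rb") as copy:
        index = 0
        while True:
            a = orig.read(sector_size)
            b = copy.read(sector_size)
            if not a and not b:
                break
            if a != b:
                mismatches.append(index)
            index += 1
    return mismatches


def verify_acquisition(original, image, sector_size=SECTOR_SIZE):
    """Compare known hash values first; on mismatch, localise the damage per sector.

    The returned dict holds the 'known values' of original and copy that belong
    on the Evidence Capture Form and in the chain-of-custody record.
    """
    original_hash = sha256_of(original)
    image_hash = sha256_of(image)
    matched = original_hash == image_hash
    return {
        "original_sha256": original_hash,
        "image_sha256": image_hash,
        "hashes_match": matched,
        "mismatched_sectors": [] if matched else compare_sectors(original, image, sector_size),
    }


def demo(corrupt_sector=None):
    """Constructed input: an eight-sector 'device' and an image taken from it.

    With corrupt_sector=None the image is a faithful copy; otherwise one byte of
    the named sector is flipped to simulate a bad read during imaging.
    """
    device = b"".join(bytes([i]) * SECTOR_SIZE for i in range(8))
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.dd")
        image = os.path.join(workdir, "image.dd")
        with open(original, "wb") as handle:
            handle.write(device)
        copy = bytearray(device)
        if corrupt_sector is not None:
            copy[corrupt_sector * SECTOR_SIZE] ^= 0xFF
        with open(image, "wb") as handle:
            handle.write(copy)
        return verify_acquisition(original, image)


if __name__ == "__main__":
    print(demo())
    print(demo(corrupt_sector=5))
```

Against real media, point `verify_acquisition` at the block device and the image file and pass the sector size the device reports.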
1.2.4. Maintain User Privacy
During the course of the evidence collection, care should be taken to protect the privacy of the end users whose systems are being investigated. The following serves as an example of sensitive personally identifiable information that should be handled with care:
- Personal email id
- Bank account numbers
- Credit / Debit card number
- Passport number
- Passwords
- Personal photographs
- Travel information
- Health records
- Personnel chat history
- Payment Card Details
Figure 4: Sensitive Personally Identifiable Information
Due care should be taken while considering any other sensitive information that could possibly be identified at a personal or private level. If there is a need to search for any such information, or to treat any of the above information as evidence, then it should be done in consultation with the legal experts and after taking due approvals from the relevant stakeholders and the legal team.
Please remember that not all Personally Identifiable Information is sensitive, and it is always a good idea to seek legal guidance as and when necessary, especially during the policy formation exercise.
1.2.5. Evidence Review
The evidence collected and documented should be reviewed by the following personnel to ensure that the right evidence is collected and meets the necessary legal requirements.
- Chief Information Security Officer (CISO)
- Head of Legal and Internal Audit
- Information Security Incident Response Team (ISIRT) Team
- Independent Forensic Expert from the Rapid Response Team
1.2.6. Sample Computer Evidence Capture Form
Each captured piece of evidence must be accompanied by a duly completed Evidence Capture Form. This includes a brief description of evidence collected, date and time of collection, collection method and storage description amongst other attributes. Please find a snapshot of the form below followed by the actual form.
1.1. Establish Chain of Custody
The Chain of Custody refers to a written account of individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case. Although not a specific step in its own right – this should always be an important underlying theme of any forensic investigation. Strict policies and procedures must exist to deal with the management of evidence. It is essential that any items of evidence can be traced from the crime scene to the courtroom, and everywhere in between. This is known as maintaining the ‘Chain of Custody’ or the ‘Continuity of Evidence’.
If the chain of custody is broken, the forensic investigation may be fatally compromised. Chain of Custody allows proof that a particular piece of evidence was at a particular place, at a particular time and in a particular condition. This applies to the physical hardware as well as the information being retrieved from that hardware. Maintaining Chain of Custody during the management of evidence allows:
- Being able to determine which evidence came from which piece of hardware
- Where that piece of hardware was retrieved from
- Documenting all persons handling the evidence
- Ensuring secure storage of the evidence with limited accessibility
- Documenting all processes used to extract the information
- Ensuring that those processes used are reproducible, and would produce the same result
1.1.1. Best Practices
- An Evidence Custodian must be appointed to safeguard seized evidence securely prior to transportation to the designated facility / forensic laboratory. This is helpful in circumstances where more than one device is seized.
- All exhibits must preferably be stored in the Property Store in the Forensic Laboratory, with access restricted to, and accountability resting with, a single Evidence Custodian.
- Ensure that every individual in the Chain of Custody that becomes the holder of the evidence at any time fully understands their responsibility to secure the evidence in a manner that its validity can stand in court.
- Evidence should be secured in a manner where access can be restricted only to authorized personnel.
- All individuals in the Chain of Custody should understand and appreciate the importance of the process. A great piece of evidence may be rendered worthless in court if found to have been tampered with or handled in an unauthorized manner.
- Every employee must ensure they can fulfil their duties to maintain Chain of Custody before assuming responsibility for the evidence.
1.1.2. Chain of Custody Form Description
To prove the Chain of Custody, it’s important to know all the details of how the evidence was handled at each stage. This is achieved through an age-old but still valuable formula used in investigations to evaluate the Who, What, When, Where, Why and How of each transfer of the evidence.
The record of Chain of Custody is to be managed through a Chain of Custody Form, which is maintained to record the people who are entrusted with the evidence. This includes personnel responsible for collecting the evidence, transferring the evidence and also those responsible for analysis of the evidence.
As electronic evidence is easy to tamper with and damage, it is challenging to prove the integrity of evidence if the Chain of Custody is not properly documented and updated at every stage of the investigation.
A Sample Chain of Custody form has been developed for Dolphin Energy for their use in Forensics activities. This form adheres to the following set of best practices to allow adherence to the industry standards:
- General Information: This section provides details on the initial handoff of the evidence and provides background to why the evidence is being transferred. Document clearly the following related to the evidence at each stage of the investigation:
- Who accessed the evidence
- When was the evidence accessed
- What type of the evidence was accessed
- Where was the evidence accessed
- Why was the evidence accessed
- For how long the evidence was accessed
- Whether the evidence was taken out of the physical premises where it was stored
- Media Description Information: This section goes over the details of the evidence being acquired. It is important to be as specific as possible here and provide make/model/SN# of all evidence. For example, if you receive a laptop, you should record the make/model/SN# for the laptop as well as the internal hard drive.
- Quality and Risk Management: This section provides the details of how the evidence was given to you and what tools/methods you used to ensure its integrity.
- Chain of Custody Log: This is where you keep track of change of possession of the evidence. This is the most important aspect of the chain of custody and all fields are required to be filled out.
- Notes/Comments: You can provide any notes/comments in this section that are either overflow from other sections or to note something that didn’t apply to any of the other sections.
Every time the evidence is accessed, the chain of custody must be updated as per the above details and it should be signed by the person taking the evidence and a senior authority who is in charge of the evidence.
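As an added illustration, not part of the original document or of the Dolphin Energy form, the following Python records the Who/What/When/Where/Why/How fields described above as a Chain of Custody Log in which each entry commits to the hash of the previous one, so that a later edit to any entry is detectable when the log is verified. Timestamps follow the earlier guidance of recording UTC together with the local offset. The hash chaining is an addition beyond what the form itself requires, and the case number, names, timestamps and exhibit details are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class CustodyEntry:
    """One hand-over: the Who/What/When/Where/Why/How fields of the form."""
    who: str                  # person taking the evidence
    what: str                 # exhibit description: make/model/SN# (placeholder below)
    when_utc: str             # ISO 8601 timestamp, always in UTC
    local_offset: str         # offset of local time from UTC, e.g. "+04:00"
    where: str
    why: str
    duration_minutes: int
    left_premises: bool       # was the evidence taken out of the storage premises
    evidence_sha256: str      # hash of the exhibit image at hand-over
    holder_signature: str
    authority_signature: str  # senior authority in charge of the evidence
    previous_entry_hash: str = ""
    entry_hash: str = ""


def utc_timestamp(moment: datetime, local_tz: timezone) -> Tuple[str, str]:
    """Return (UTC ISO timestamp, local offset as +HH:MM) for one moment."""
    utc = moment.astimezone(timezone.utc)
    raw = utc.astimezone(local_tz).strftime("%z")  # e.g. "+0400"
    return utc.isoformat(timespec="seconds"), raw[:3] + ":" + raw[3:]


def _digest(entry: dict) -> str:
    """Canonical SHA-256 over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Hash-chained Chain of Custody Log: each entry commits to the one before it."""

    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries: List[CustodyEntry] = []

    def record(self, entry: CustodyEntry) -> CustodyEntry:
        entry.previous_entry_hash = self.entries[-1].entry_hash if self.entries else "GENESIS"
        entry.entry_hash = _digest(asdict(entry))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if intact, else (False, index of the first bad entry)."""
        previous = "GENESIS"
        for index, entry in enumerate(self.entries):
            if entry.previous_entry_hash != previous or _digest(asdict(entry)) != entry.entry_hash:
                return False, index
            previous = entry.entry_hash
        return True, -1


def build_demo_log() -> CustodyLog:
    """Constructed sample: seizure at the scene, then hand-over to the laboratory."""
    local = timezone(timedelta(hours=4))      # assumed local zone (UTC+4)
    image_hash = hashlib.sha256(b"constructed image bytes").hexdigest()
    log = CustodyLog("Preservation-010625")   # constructed, in the "Process Name-DDMMYY" style
    exhibit = "Laptop MAKE/MODEL/SN-PLACEHOLDER + internal HDD MAKE/MODEL/SN-PLACEHOLDER"
    t0, off = utc_timestamp(datetime(2025, 6, 1, 9, 30, tzinfo=local), local)
    log.record(CustodyEntry("A. Analyst", exhibit, t0, off, "Office 3-12",
                            "Seizure during incident response", 45, True,
                            image_hash, "A. Analyst", "Evidence Custodian"))
    t1, off = utc_timestamp(datetime(2025, 6, 1, 14, 5, tzinfo=local), local)
    log.record(CustodyEntry("B. Examiner", exhibit, t1, off, "Forensic Laboratory Property Store",
                            "Imaging and analysis", 240, False,
                            image_hash, "B. Examiner", "Evidence Custodian"))
    return log
```

Re-running `verify()` at every hand-over, and storing the latest `entry_hash` with the signed paper form, ties the electronic log to the physical record.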
1.1. Evidence Storage
The preservation of digital evidence is a critical part in any forensic process to avoid compromise through:
- Inadvertent Spoliation: Referring to unintentional/improper handling of evidence that leads to compromise of the evidence.
- Software Spoliation: Referring to permanent deletion of a file from the system. Usually when a file is deleted from the system it still exists on the physical hard drive and can be easily recovered unless overwritten. It should be noted that computer files contain “signatures” which reflect the true type of files. Extraction and analytic techniques can be used to read these signatures and reveal actual information of file.
Based on a number of factors including but not limited to the environment, corporate policies, legal implications, logistical constraints, compliance requirements, etc., evidence may either be collected and stored on-site or transported to the Forensics Laboratory. Following is a brief account of consideration for the both scenarios:
- On-Site Secure Evidence Storage: If the digital evidence cannot be taken away from the premises, care should be taken to ensure it is maintained securely and without any threat of compromise. The first and foremost step is to establish and apply a physical security and access control protocol. Only authorized personnel should be able to access the premises and strict audit guidelines should be followed. The storage area should be maintained at normal room temperature without being subjected to any extremes of humidity. The area must be made free from magnetic influence such as radio receivers, speakers, etc. Where the equipment is reliant on an internal battery to maintain internal data, care should be taken to ensure the battery is tested once at the start of seizure and regularly afterwards. The environment should be made free from dust, smoke, sand, water and lubricants such as oil, WD-40, etc.
In certain circumstances the storage devices containing evidence may not be located on the premises where the search and seizure is conducted. Extra care should be given to maintain and secure the link to those devices in this case. Any devices or storage media that constitutes evidence should be catalogued and must be kept in secure storage when not being used and a system set in place for it to be signed in and out when it is removed from the storage facility.
Devices with radio transmitters, including mobile phones, should be kept in a shielded box. Please remember that once shielded, the mobile will increase its power to detect and catch a network signal, thus resulting in a quicker drain on the battery. In some cases the shield may be created through the use of tents; however, the cables going into the tent for electrical purposes may have a tendency to act as an antenna.
It is of value to make a clone of the digital data where possible and transport it away from the scene to off-site storage to ensure backups are available if the first-hand evidence is compromised.
- Off-site Secure Evidence Storage: If the resources and circumstances allow, ideally any captured digital evidence should be removed from the crime scene and stored securely in the dedicated off-site secure facility for analysis and conservation. It is easily understandable that a dedicated storage facility, if built and managed properly, has direct advantages over a temporary setup established on-site. It is purpose built and considers a number of factors that are essential for the successful storage of digital evidence in a threat free environment.
Logistics from the scene to the off-site secure storage are the key area which should be performed with utmost care to ensure evidence is not compromised. A few areas to consider are listed below:
- Main computer unit: Handle with care. Place upright to avoid serious physical shocks. Keep away from magnetic sources (loudspeakers, heated seats & windows and police radios).
- Monitors: These are best transported screen down on the back seat of a car and belted in.
- Hard disks: As for the main unit, protect from magnetic fields. Place in anti-static bags or in tough paper bags or wrap in paper and place in aerated plastic bags.
- Floppy Disks, Jaz & Zip cartridges, Memory Sticks and PCMCIA cards: As for the main unit, protect from magnetic fields. Do not fold or bend. Do not place labels directly onto floppy disks.
- Personal Digital Organizers, Electronic Organizers and Palmtop computers: Protect from magnetic fields as their largely flash based memory is likely to get compromised.
- Keyboards, leads, mouse and modems: Place in plastic bag. Do not place under heavy objects.
- Batteries: Most computers are capable of storing internal data, including CMOS (see Glossary) settings, by using batteries. Batteries must be checked at regular intervals to preserve the evidence, until all examinations are complete and the data secured.
- Other Considerations: Please store equipment in normal humidity and temperature. Do not store under conditions of excessive heat, cold, dampness or humidity. Using aluminum powder on electronic devices can be dangerous and result in the loss of evidence. Before any examination using this substance, consider all options carefully.
Off-site storage facilities offer, built in by default, all the considerations that have been discussed above for on-site storage, e.g. devices with radio transmitters have designated shielded areas with redundant power supplies and charging arrangements. They have customized arrangements and processes to manage and store a vast variety of digital evidence vectors.
Off-site facilities provide services aimed at providing an environment conducive for digital evidence storage. These environments are and must be regularly audited to ensure established guidelines are followed and also continuously improved to suit the evolving needs of cyber space.
The following considerations can help protect against common threats and pave way for developing an environment that is conducive to maintaining evidence integrity for as long as necessary.
1.1.1. Proper Evidence Labeling
Create an evidence tag for each piece of evidence gained during the security incident as a matter of best practice. This assists with efficient cataloguing, storage and retrieval of the evidence whenever required. Following figure provides a set of non-exhaustive guidelines related to information that should be captured on the label:
Information captured on the front side of the tag:
- The time and date of the action
- The number assigned to the case – the case number may follow the format “Process Name-DDMMYY”
- The number of the particular evidence tag
- Whether consent is required and the signature of the person who owns the information being seized
- Who the evidence belonged to before the seizure, or who provided the information
- A complete description of the evidence
Information captured on the back side of the tag:
- Who the evidence was received from
- The date of receipt
- The reason the evidence was given to another person
- Who received the evidence and where it was received and subsequently located
- The individuals occupying the office
- The names of employees that may have access to the office
- The location of the computer systems in the room
- The state of the system (whether it was powered on, and what is visible on the screen)
- Network connections or modem connections
- The people present at the time forensic duplication was performed
- The serial numbers, models and makes of the hard drives and the components of the system
- The peripherals attached to the system
Figure 5: Evidence Labelling Guidelines
The above figure provides a good checklist that can be useful for evidence labelling. As with all other best practices, this list should only form the basis for defining your own standard to provide maximum value in your environment.
1.1.2. Storage Considerations
While great focus and consideration is given to the acquisition process, it is equally important to maintain the integrity and validity of the gathered evidence. The following table lists a few of the considerations to help provide a structure to this exercise:
Preserving Evidence and Corresponding Media:
- Keep the seized digital media in an anti-static cover with all the details and tag/barcode.
- Keep a separate inventory list for all media seized with a unique case number.
- Always store media in a cool and dry place.
- Store in a good storage device which is fire proof and tamper proof.
- Copy the digital evidence to a backup medium, such as an external hard drive.
- In cases of evidence stored electronically on systems, restrict logical access.
- Document the access and modification dates on all the evidence files (electronic or physical).
- Restrict physical access to the backup medium and/or information systems used for storing evidence data.
- Keep updating the chain of custody if media is taken out for any reason.
Figure 6: Digital Evidence Storage Considerations