Digital Evidence Management
Written by Jason Sachowski   

This is a book excerpt from Implementing Digital Forensic Readiness: From Reactive to Proactive Process (2nd Ed.)

EVIDENCE IS A CRITICAL COMPONENT of every digital forensic investigation. Whether it is physical or digital, the methodologies and techniques used to gather, process, and handle evidence ultimately affect its meaningfulness, relevancy, and admissibility. Appropriate safeguards must exist throughout the investigative work to provide assurance that the lifecycle of evidence is forensically sound.

Following a High-Level Digital Forensic Process Model, each phase of the investigative workflow will be examined to determine and establish the requirements for managing evidence through its lifetime.

Just as the Confidentiality, Integrity, and Availability (CIA) Triad outlines the most critical components of an information security program, the Administrative, Physical, and Technical (APT) Triad describes the most critical categories of information security controls that support digital forensic investigations.

Types of Digital Evidence

Criteria for what type of data constitutes an admissible business record fall within the following categories:

• Technology-generated data, or background evidence, is any electronically stored information (ESI) that has been created and is maintained by programmatic processes or algorithms (e.g. log files). These records fall within a hearsay exception on the basis that the data is shown to be authentic because the programmatic processes or algorithms that produced it were functioning properly.

• Technology-stored data is any ESI that has been created and is maintained as the result of user input and interaction (e.g. a word-processing document). These records fall within a hearsay exception on the basis that the individual who created the data is reliable and trustworthy and has not altered the data in any way.

Building off these evidence categories, the following groupings can also be applied to provide another perspective on types of evidence:

• Background Evidence is any ESI that has been created as part of normal business operations and is used to establish facts and conclusions during an investigation. Examples of this type of evidence include, but are not limited to:

– network devices such as routers, switches, or firewalls;

– authentication records such as Directory Services or physical access systems;

– data management solutions such as backups, archives, or classification engines; or

– audit information such as system, application, or security logs.

• Foreground Evidence is any ESI that has been created as the result of an object’s—whether human, application, or system—interactions or activities that directly support an investigation or identify perpetrators. Examples of this type of evidence include, but are not limited to:

– real-time monitoring systems such as Intrusion Prevention Systems (IPS), packet sniffers, or anti-malware technologies;

– application software such as File Integrity Monitoring (FIM) or Data Loss Prevention (DLP);

– business process systems such as fraud monitoring;

– address books, calendar entries, to-do lists, memos; or

– electronic communication channels such as email, text, chat, instant messaging, or web browsing history.

With both technology-generated and technology-stored data, it is important to keep in mind that historically the legal system viewed digital artifacts as hearsay and would not admit them as evidence. As technology became pervasive, however, the courts came to admit digital evidence under exceptions that depend on the authenticity and trustworthiness of what is presented.

Common Sources of Digital Evidence

Traditionally, digital evidence was gathered primarily from computer systems such as desktops, laptops, and servers. Today, however, digital evidence exists as structured and unstructured ESI across many technologies in addition to traditional computer systems, including networks, removable devices (e.g. Universal Serial Bus (USB) storage), mobile devices, and cloud computing environments.

With the widespread use of technology in business operations, every organization will have ESI generated across various sources that is considered potential digital evidence. Because of this, careful consideration needs to be given when identifying data sources of potential digital evidence. While the examples below are by no means exhaustive or a complete representation of where digital evidence can be identified, the following data sources should be considered as sources of relevant and meaningful ESI to be used as digital evidence.

NOTE: While this book does cover the fundamental principles, methodologies, and techniques of digital forensics, it largely focuses on outlining how the people, process, and technology areas are used to defend the enterprise through integrating digital forensic capabilities with key business functions. This book is not designed to provide readers with technical knowledge about digital forensics, including the “hands-on” and “how to” aspects of the discipline—such as how to forensically acquire technology devices.

Log Files

As a form of background evidence, log files are generated by the operation of many different systems and applications. When used as evidence, these logs are a valuable source of information for correlating and reconstructing what events occurred, and in what order. Technology-generated logs that can exist within an enterprise environment include, but are not limited to:

• Access logs—Contain records of authentication, authorization, and admittance by systems and users into systems and information assets.

• Audit logs—Contain records of specific operations, procedures, or activities associated with interactions and communications between systems and users.

• Error logs—Contain records of faults, unexpected events, or abnormal behaviors that occur during normal system operations.

• External logs—Contain records of interactions and communications between the organization and external systems or users.

• Infrastructure logs—Contain records of specific operations, procedures, or activities associated with operational systems and services.

• Transactional logs—Contain records associated with the interaction with and transmission of information assets between systems and users.

• Security logs—Contain records of events associated with continuous security monitoring of systems and users.

Depending on the type of log file, there will be different data attributes available that can be logged as part of a single event record. However, across all log types there are common data attributes that should be recorded; including, but not limited to:

• Unique Identifier is a distinctive value representing a single event record (e.g. A1728C27F0).

• Log Timestamp is the full date and time of when the event was recorded in the log file—including relevant time-zone information if not in Coordinated Universal Time (UTC).

• Event Timestamp is the full date and time of when the event occurred, including relevant time-zone information if not in Coordinated Universal Time (UTC).

• Event Type classifies the event by the type of record entry created.

• Event Priority is the ranking of the event specific to its potential impact.

• Event Category classifies the event by the type of interaction or communication occurring between systems and users.

• Event Message is the additional detailed information about the event that is not contained within any other attribute field of the event record.

• Account Name is the full name of the account associated with the event.

• Source IP Address is the IP address from which the event originated.
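The attribute list above is only useful if records are actually checked against it before they are relied on. The following is an added example, not code from the book, that reads a handful of constructed log records (one JSON, two key=value), reports which of the attributes above are missing, rejects timestamps that carry no time-zone information, flags an event timestamp later than its log timestamp, and rewrites the surviving records with both timestamps in UTC so they can be ordered on one timeline. The attribute names (event_id, log_time, and so on) and the sample records are assumptions made for the example; map your own schema onto them.

```python
"""Check technology-generated log records for the attributes listed above
(unique identifier, log and event timestamps with time zone, type, priority,
category, message, account name, source IP) and normalise both timestamps to
UTC so records from different systems can be placed on one timeline.

Added example: the attribute names and the sample records are constructed for
illustration and are not taken from any particular product or log format."""
from __future__ import annotations

import json
import shlex
from datetime import datetime, timezone

# Attribute names are assumptions; map your own schema onto them.
REQUIRED_ATTRIBUTES = (
    "event_id", "log_time", "event_time", "event_type", "event_priority",
    "event_category", "event_message", "account_name", "source_ip",
)

# Constructed sample input: two well-formed records (one JSON, one key=value)
# and one record with naive timestamps and no account name.
SAMPLE_LINES = [
    '{"event_id": "A1728C27F0", "log_time": "2024-03-05T14:02:11-05:00", '
    '"event_time": "2024-03-05T14:02:09-05:00", "event_type": "logon", '
    '"event_priority": "low", "event_category": "authentication", '
    '"event_message": "interactive logon succeeded", '
    '"account_name": "jdoe", "source_ip": "10.20.30.40"}',
    'event_id=A1728C27F1 log_time=2024-03-05T19:01:50Z '
    'event_time=2024-03-05T19:01:50Z event_type=policy_change '
    'event_priority=high event_category=configuration '
    'event_message="audit policy modified" account_name=svc_backup '
    'source_ip=10.20.30.41',
    'event_id=A1728C27F2 log_time="2024-03-05 14:03:00" '
    'event_time="2024-03-05 14:02:58" event_type=file_read '
    'event_priority=low event_category=data_access '
    'event_message="read finance.xlsx" source_ip=10.20.30.42',
]


def parse_record(line: str) -> dict:
    """Accept a JSON object or a key=value line (values may be quoted)."""
    line = line.strip()
    if line.startswith("{"):
        return json.loads(line)
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and convert it to UTC. A value with no
    zone is rejected: without it the record cannot be ordered against others."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {stamp!r} carries no time-zone information")
    return parsed.astimezone(timezone.utc)


def check_record(record: dict) -> list[str]:
    """Return the findings for one record; an empty list means it is complete."""
    findings = [f"missing attribute: {name}"
                for name in REQUIRED_ATTRIBUTES if not record.get(name)]
    if record.get("log_time") and record.get("event_time"):
        try:
            if to_utc(record["event_time"]) > to_utc(record["log_time"]):
                findings.append("event_time is later than log_time (clock skew?)")
        except ValueError as exc:
            findings.append(f"timestamp problem: {exc}")
    return findings


def normalise(lines: list[str]) -> tuple[list[dict], dict[str, list[str]]]:
    """Parse every line; return the complete records with both timestamps
    rewritten in UTC and sorted by event time, plus the findings per record."""
    accepted, rejected = [], {}
    for line in lines:
        record = parse_record(line)
        findings = check_record(record)
        if findings:
            rejected[record.get("event_id", line[:40])] = findings
            continue
        record["log_time"] = to_utc(record["log_time"]).isoformat()
        record["event_time"] = to_utc(record["event_time"]).isoformat()
        accepted.append(record)
    accepted.sort(key=lambda r: r["event_time"])
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = normalise(SAMPLE_LINES)
    for r in ok:
        print(r["event_time"], r["event_id"], r["event_type"], r["account_name"])
    for event_id, findings in bad.items():
        print("REJECTED", event_id, "; ".join(findings))
```

Run as a script it prints the two complete records in UTC order (the key=value record at 19:01:50 precedes the JSON record, whose local 14:02:09 minus five hours is 19:02:09) and rejects the third record for the missing account name and for timestamps that cannot be placed in a zone. Rejected records are kept with their findings rather than discarded, because a source that cannot meet the attribute list is itself a finding for the readiness program.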

Computer Systems

Traditional computing systems such as servers, workstations, and laptops are perhaps the oldest technology in which digital evidence has existed. For decades these form factors were the predominant platform for both personal and business users, and many forms of digital evidence can exist on them in some variation, including both technology-generated (background) and technology-stored (foreground) ESI.

Within computer systems there are many different digital artifacts, some of which users are unaware of, that can be used as digital evidence. For example, the following digital artifacts can be gathered from computer systems as background evidence:

• Random Access Memory (RAM) containing information such as usernames and passwords, running processes, and network connections;

• Event Log files maintaining records of security, system, or access events;

• Temporary files such as caches (e.g. browsing history), dump files, or paging/swap files; and

• Registry hives and keys containing artifacts associated with applications and the host Operating System (OS).

In addition to the background evidence artifacts, computer systems have also incorporated and support a wide variety of third-party software applications that allow users to create, interact, and store many types of ESI. For example, the following are digital artifacts that can be gathered from computer systems as foreground evidence:

• Configuration and application-specific files (e.g. data outputs, runtime instructions)

• Malicious code or applications (e.g. rootkits, backdoors)

• Unstructured documents (e.g. word processing)

With all digital evidence on computer systems, it is important to consider the order of volatility (most volatile first: memory and network state before on-disk data) when deciding which digital evidence to gather and in what sequence. Because several different operating systems are used on traditional computer systems, the digital artifacts that exist are specific to each and may not be present in every instance.

Infrastructure Devices

From the point at which network communications were introduced, the potential sources of digital evidence expanded beyond stand-alone computer systems. In today’s technology world, most notably within enterprise environments, infrastructure devices (e.g. routers, firewalls, proxies) actively monitor and record the communications passing through them. The events captured by these technologies, as technology-generated data, are an excellent source of background evidence for correlating and corroborating the movement of an attack through the organization. Further discussion of network forensics can be found in the chapter titled “Forensic Readiness in Infrastructure”.

In line with the statements made in the previous section, it is important to remember that legal admissibility of technology-generated data requires that authenticity and trustworthiness of the digital evidence is demonstrable.

Virtual Systems

Virtualization has become an extremely attractive way to operate both computer systems and infrastructure devices because it is a cost-effective means of quickly provisioning technology resources. For the most part, systems hosted in virtual environments produce the same digital artifacts as traditional computer systems on physical hardware. However, within these rapidly elastic virtual environments there is also a virtual networking backplane over which guest systems communicate, and that traffic does not travel beyond the physical host on which virtualization is running.

Because of how this internal backplane operates, not all indicators that an attack is moving between virtualized systems will appear in the usual technology-generated log files: traffic between two guests on the same host never crosses a physical network segment where a sensor could record it. Where this type of internal communication exists, digital forensic practitioners need to remember that it can only be observed with network forensic tools and techniques applied on the physical host itself, at the hypervisor or virtual switch layer.

As illustrated in Figure 1 below, virtualized systems have an underlying host environment (hardware and software) where digital evidence can be generated and collected. When a virtual system is involved in an incident, or discovered during an investigation, it is important that all data objects associated with the virtual systems are gathered from both host and guest systems, such as:

• virtual machine images, files that contain a guest operating system, file system, and data objects;

• log files containing information such as virtual disk partitioning, virtual networking settings, or state configurations; or

• dump files from Random Access Memory (RAM) or paging files.


Figure 1—Virtualization Architecture

Cloud Computing

Through the combination of several major technology concepts, cloud computing has evolved over several decades into the next stage of computing models. As it continues to mature, providing organizations with an inexpensive means of deploying computing resources, it is driving a fundamental shift toward technology delivered as a common service layer within service-oriented architectures. Cloud computing presents a unique challenge because of the dynamic nature in which information exists and because organizations have less control over physical infrastructure assets. The inherent challenge is to maintain best practices for cloud computing while continuing to enable digital forensic capabilities.

Cloud computing has revolutionized the ways ESI is stored, processed, and transmitted, and the digital forensic community faces numerous challenges in gathering and processing digital evidence in cloud environments. These challenges, broadly categorized as technical, legal, or organizational, can impede or ultimately prevent the ability to conduct digital forensics, even though cloud computing shares many similarities with its predecessor technologies.

With cloud-based systems managed by Cloud Service Providers (CSP), organizations may not have direct access to the hardware to gather and process evidence following traditional methodologies and techniques. As a result, collection and preservation of cloud-based evidence relevant to a specific organization’s investigation can be challenging where factors such as multi-tenancy, distributed (cross-border) resourcing, or volatile data are present.

Mobile Devices

From significant technology advancements made over the last decade, business has evolved into a much more dynamic and mobile workforce. Since its inception, the world of mobile technologies has evolved quickly where new devices, operating systems, and threats are emerging every day. Mobile devices present a unique challenge because of how quickly these technologies are changing and the shifting of traditional concepts—such as establishing a perimeter around systems and data. This leads to the inherent challenge of maintaining best practices for mobile device usage while continuing to enable digital forensic capabilities.

In today’s world of technology, mobile devices (including smartphones and tablets) have allowed for business to transform into a much more mobile and dynamic workplace where employees can work anywhere at any time. However, with a mobile workforce it is quite common that mobile devices—both personally and corporate owned—have been used to access business information that may need to be gathered and processed during an investigation.

External Sources

Aside from cloud-computing environments, there will be cases where digital evidence exists beyond the boundaries of the organization’s control that is both relevant and meaningful to an investigation. Examples of where digital evidence can be found include but are not limited to: Collaboration and communication platforms, such as web-based email or social media platforms; or managed service providers (MSP), who provide defined sets of services to clients.

Within these external sources, as with other sources of evidence, much the same background and foreground digital evidence can exist, depending on what ESI the systems or applications within them create. Where digital evidence has been identified in an external source, as in a cloud environment, it is not as easily or readily available to the organization. In most cases it is necessary to involve law enforcement agencies to facilitate gathering digital evidence from external sources, which can prove a troublesome and challenging task. Alternatively, formal legal contracts can be drafted as a mechanism for guaranteeing that third parties will cooperate in gathering digital evidence when the organization requires it.

The above examples are by no means a definitive representation of every location where potential digital evidence can exist, because every organization is unique and will need to determine the relevance and usefulness of each data source as it is identified.

Federal Rules of Evidence

Laws of evidence govern the proof of facts, and the conclusions drawn from those facts, during legal proceedings. Until the 20th century, the evidence rules applied at trial were largely derived from case law (decisional law); during the 20th century, work began to arrange these common-law rules into formal codes of evidence. Enacted in 1975 and amended repeatedly since (most notably for ESI, the 2017 additions of Rules 902(13) and 902(14), which allow records generated by an electronic process and data copied from an electronic device or file to be authenticated by certification rather than live testimony), the United States Federal Rules of Evidence (FRE) regulate when, how, and for what purpose evidence may be placed before a trier of fact.

Relevance and authenticity are the questions most often raised when deciding whether evidence, even evidence produced by a technique validated under a general-acceptance test, may be put before a court. In this context relevance is not an inherent characteristic of a piece of evidence; it exists in its relationship with the other evidence that together demonstrates proof of a fact. FRE 401 states that evidence is relevant if it has “any tendency to make a fact more or less probable than it would be without the evidence” and “the fact is of consequence in determining the action”. FRE 901(a) adds that “to satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is”.

Traditionally, legal systems such as that of the United States viewed digital evidence (ESI) as hearsay, because no established technique demonstrated that the data was factual. Digital evidence presented before the courts was therefore commonly excluded when its authenticity could not be satisfactorily demonstrated. As digital evidence became more prevalent with the global adoption of technology and its use in criminal activity, routes to admissibility developed. Under FRE 803(6), an exception to the rule against hearsay allows a digital record to be admitted as a business record if it is a “record of a regularly conducted activity” documenting an act, event, condition, opinion, or diagnosis.

Qualifying a business record under this exception requires that the digital data be shown to be authentic, reliable, and trustworthy. As set out in FRE 803(6), a record qualifies when it is shown that:

1) the record was made at or near the time by—or information was transmitted by—someone with knowledge;

2) the record was kept in the course of a regularly conducted activity of a business, organization, occupation, or calling, whether or not for profit;

3) making the record was a regular practice of that activity;

4) all these conditions are shown by the testimony of the custodian or another qualified witness, or by a certification that complies with FRE 902(11) or (12) or with a statute permitting certification; and

5) the opponent does not show that the source of information or the method or circumstances of preparation indicate a lack of trustworthiness (since the 2014 amendment, the burden on this point rests with the party opposing the record).

Business records are commonly challenged on whether the data was altered or damaged after its creation (integrity) and on the validation or verification of the programmatic processes that produced it (authenticity). FRE 1002, the “best evidence” rule, requires the original of a writing or recording to prove its content; for ESI, FRE 1001(d) treats any printout or other output readable by sight as an original if it accurately reflects the information, and FRE 1003 admits a duplicate unless a genuine question is raised about the original’s authenticity. A forensic image or certified copy therefore satisfies the rule only while the organization can show that it matches the source. To meet this requirement, organizations must implement safeguards, precautions, and controls so that digital evidence admitted in court can be demonstrably shown to be authentic against its original source.
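The text above says a copy must be demonstrably authentic against its source but does not name a mechanism. The customary control is a cryptographic hash fixed at acquisition and recomputed at every hand-off, recorded in a chain-of-custody log. The following is an added example, not the book’s or any product’s code, showing that control end to end: the item is logged with its acquisition hash, an intact transfer verifies cleanly, and a working copy with one bit flipped is caught and the failed check is itself recorded. The item identifier, actor names and the sample “evidence” bytes are constructed for the example.

```python
"""Fix the integrity of an acquired evidence item at collection and re-verify
every working copy at each hand-off, so the copy presented later can be shown
to match what was originally collected.

Added example. The text above does not prescribe a mechanism; this shows the
customary one, a cryptographic hash recorded at acquisition and recomputed at
every custody event. Item identifiers, actor names and the sample content are
constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so the routine also suits large images


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the data, computed in chunks rather than in one call."""
    digest = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), CHUNK):
        digest.update(view[offset:offset + CHUNK])
    return digest.hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item. The acquisition hash
    is fixed when the item is first logged; every later entry records the hash
    observed at that hand-off and whether it matched."""

    def __init__(self, item_id: str, description: str,
                 original: bytes, collected_by: str):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_of(original)
        self.entries: list[dict] = []
        self._append("acquired", collected_by, self.acquisition_hash, "ok")

    def _append(self, action: str, actor: str, observed: str, result: str) -> None:
        self.entries.append({
            "item_id": self.item_id,
            "action": action,
            "actor": actor,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": observed,
            "result": result,
        })

    def verify(self, action: str, actor: str, copy: bytes) -> bool:
        """Re-hash a working copy at a hand-off and log the outcome either way;
        a mismatch is recorded, not silently dropped, because the failed check
        is itself part of the evidence history."""
        observed = sha256_of(copy)
        matched = hmac.compare_digest(observed, self.acquisition_hash)
        self._append(action, actor, observed, "ok" if matched else "MISMATCH")
        return matched

    def export(self) -> str:
        """Serialise the log for inclusion in the case file."""
        return json.dumps(self.entries, indent=2)


# Constructed sample "evidence": a one-line log extract standing in for an image.
ORIGINAL = b"2024-03-05T19:01:50Z fs01 svc_backup audit policy modified\n"


def demo() -> tuple[bool, bool, int]:
    """Acquire, verify an intact transfer, then detect a one-byte alteration."""
    log = CustodyLog("EV-0001", "syslog extract, host fs01", ORIGINAL, "analyst.a")
    intact = log.verify("transfer to lab", "analyst.b", ORIGINAL)
    tampered = bytearray(ORIGINAL)
    tampered[0] ^= 0x01  # flip one bit in a working copy
    altered = log.verify("review copy", "analyst.c", bytes(tampered))
    return intact, altered, len(log.entries)


if __name__ == "__main__":
    intact, altered, count = demo()
    print(f"transfer intact: {intact}, review copy intact: {altered}, entries: {count}")
```

The log is kept append-only and every verification, including the failed one, becomes an entry with its own timestamp and actor, which is what a custodian or qualified witness would later rely on when attesting that the copy in court is the item that was collected. The constant-time comparison is not strictly needed for a hex digest but costs nothing and is the habit to keep.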

Investigative Process Methodology

As discussed in the chapter titled “Investigative Process Methodology”, the High-Level Digital Forensic Process Model consists of the following phases:

• Preparation includes activities to ensure administrative, technical, and physical provisions are in place;

• Gathering involves following proven techniques to identify, collect, and preserve evidence;

• Processing reveals data and reduces volumes based on the contextual and content relevancy; and

• Presentation includes preparing the reporting documentation.

This process model supports the investigative workflow by establishing the sequence of and relationships between phases, so that activities and tasks that must be completed are not bypassed, reordered, or skipped. Failing to follow an investigative methodology consistently can have dire consequences for the authenticity, integrity, and legal admissibility of digital evidence. Throughout the sections that follow, each phase of the High-Level Digital Forensic Process Model is expanded to explore the requirements for digital evidence management.

Preparation

As the first phase of the investigative workflow, Preparation is essential for the activities and steps performed in all other phases of the workflow. Ultimately, if the preparation activities and steps are deficient in any way, whether they are not comprehensive enough or not reviewed regularly for accurateness, there is a greater risk that evidence may be interfered with, altered in some form, or even unavailable when needed.

Information Security Management

Information security management must be established so that the organization has defined its overall goals. Management, with involvement from key stakeholders such as legal, privacy, security, and human resources, defines a series of documents that describe exactly how the organization will achieve these goals. Figure 2 illustrates the hierarchy of the information security governance framework and the relationship between these documents in terms of which have direct influence and precedence over others.


Figure 2—Information Security Governance Framework

In the context of digital forensics, the implementation of these documents serves as the administrative groundwork for indirectly supporting the subsequent phases where digital evidence is involved. The sections to follow explore these documents individually and provide specifics on the types that contribute to digital forensic readiness.

Policies

At the highest level of documentation, policies are formalized blueprints that describe the organization’s goals affecting evidence. These documents address general terms and are not intended to contain the level of detail that is found in standards, guidelines, procedures, or processes. Before writing a policy, the first step is to define the scope and purpose of the document, what technical and physical evidence is included, and why it is included. This allows the organization to consider all possibilities and determine what types of policies must be written and how many are required.

A common mistake organizations face is writing a single policy document that encompasses a broad scope which is not easily understood and is difficult to distribute. Instead of having one large document to support all digital forensics requirements, multiple policies should be written to focus on specific evidence sources.

The policies to be written depend on the organization and its requirements for gathering and maintaining evidence. While a particular type of policy document may be absent from the table below, Figure 3 lists common policies an organization should have in place to support digital forensics.

Figure 3—Common Policies

Policy: Scope
Acceptable Use: Defines acceptable use of equipment and computing services, and the end-user controls appropriate to protect the organization’s resources and proprietary information.
Business Conduct: Defines the guidelines and expectations for individuals within the organization to demonstrate fair business practices and encourage a culture of openness and trust.
Information Security: Defines the organization’s commitment to managing information security risks effectively, efficiently, and in compliance with applicable regulations wherever it conducts business.
Internet and Email: Defines the requirements for proper use of the organization’s Internet and electronic mail systems so that users know what is considered acceptable and unacceptable use.

Guidelines

Once a policy is in place, guidelines provide recommendations for how its generalized blueprint can be put into practice. In some cases security cannot be specified through particular controls, minimum configuration requirements, or other fixed mechanisms; unlike standards, guidelines are not mandatory and give end-users a reference for following good security practice.

Consider a policy that requires a risk assessment to be completed routinely against a specific system. Rather than developing standards or procedures for this task, a guideline recommends the methodologies to be followed and allows the teams to fill in the details as needed.

The guidelines to be written depend on the organization and its requirements for gathering and maintaining evidence. While a particular type of guideline document may be absent from the table below, Figure 4 lists common guidelines an organization should have in place to support digital forensics.

Figure 4—Common Guidelines

Guideline: Scope
Data Loss Prevention: Awareness for end-users on how to safeguard organizational data from unintentional or accidental loss or theft.
Mobile/Portable Devices: Recommendations for end-users to protect the organization’s data stored on mobile and/or portable devices.
Passcode Selection: Considerations for end-users in selecting strong passcodes for access to organizational systems.
Risk Assessments: Direction for assessors to use documented methodologies and proven techniques when assessing organizational systems.

Standards

After policies are in place, or in response to a guideline, a series of standards can be developed to define the more specific rules that support the implemented policies. Standards translate policy into requirements: a policy that is difficult to implement, or that spans the entire organization, becomes consistently implementable when the standard fixes how it is met in each environment. For example, if the information security policy requires all users to be authenticated to the organization, the standard establishes which authentication solution is used and how.

Standards can be used to create a minimum level of security necessary to meet the predetermined policy requirements. Standard documents can contain configurations, architectures, or design specifications that are specific to the systems or solutions they directly represent, such as firewalls or logical access. While standards might or might not reflect existing business processes, they represent a minimum requirement that must be adaptable and change to meet evolving business requirements.

The standards to be written depend on the organization and its requirements for gathering and maintaining evidence. While a particular type of standard document may be absent from the table below, Figure 5 lists common standards an organization should have in place to support digital forensics.

Figure 5—Common Standards

Standard: Scope
Backup, Retention, and Recovery: Defines the means and materials required to recover, in a timely and reliable manner, from an undesirable event that causes systems and/or data to become unavailable.
Email Systems: Defines the configurations necessary to minimize business risk and maximize use of email content through the availability and continuity of the supporting infrastructure.
Firewall Management: Defines the configurations necessary to protect the integrity and confidentiality of the organization’s systems and/or data through the availability and continuity of the supporting infrastructure.
Logical Access: Defines the requirements for authenticating and authorizing user access to mitigate exposure of the organization’s systems and/or data.
Malware Detection: Defines the configurations necessary to reduce the attack surface of vulnerable systems against known malicious software.
Network Security: Defines the requirements for controlling external, remote, and/or internal access to the organization’s systems and/or data.
Platform Configurations: Defines the minimum security configurations necessary to ensure the organization’s systems mitigate unauthorized access or unintended exposure of data.
Physical Access: Defines the methods used to ensure adequate controls exist to mitigate unauthorized access to the organization’s premises.

Procedures

From the guidelines and standards that have been implemented, the last type of document to be created is the procedures used by administrators, operations personnel, analysts, etc. to follow as they perform their job functions.

Policies, standards, and guidelines relate to digital evidence indirectly: they do not involve direct interaction with the systems or data. Procedures, on the other hand, are the documents through which digital evidence is directly handled, via clearly defined activities and steps.

To better understand the different procedures involved with digital evidence management, each procedure will be explored throughout the remainder of this chapter as they apply to the different phases within the High-Level Digital Forensic process model.

Essentially, the culture and structure of each organization influences how these governance documents are created. Regardless of where (internationally) business is conducted or the size of the organization, there are five simple principles that should be followed as generic guidance for achieving a successful governance framework:

Keep It Simple: All documentation should be as clear and concise as possible. The information contained within each document should be stated as briefly as possible without omitting any critical pieces of information. Where documentation is drawn out and wordy, they are typically more difficult to understand, are less likely to be read, and harder to interpret and implement.

Keep It Understandable: Documentation should be developed in a language that is commonly known throughout the organization. Leveraging a taxonomy, as discussed in the addendum titled “Building a Taxonomy”, organizations can avoid the complication of using unrecognized terms and/or jargon.

Keep It Practicable: Regardless of how precise and clear the documentation might be, if it cannot be practiced then it is useless. An example of an unrealistic documentation would be a statement indicating that incident response personnel are to be available 24 hours a day, even though there is no adequate means to contact them when they are not in the office. For this reason, documentation that is not practicable is not effective and will be quickly ignored.

Keep It Cooperative: Good governance documentation is developed through the collaborative effort of all relevant stakeholders—such as legal, privacy, security, and human resources. If a key stakeholder has not been involved in the development of these documents, it is more likely that problems will arise during its implementation.

Keep It Dynamic: Useful governance documents should be, by design, flexible enough to adapt with organizational changes and growth. It would be impractical to develop documentation that is focused on serving the current needs and desires of the organization without considering what could come.

Lab Environment

Generally, a forensic lab environment is a secured facility used to process and, depending on the organization, store evidence gathered from a crime scene, security event, or incident. Foundationally, these facilities are built following a similar methodology applied when building a data center where strict security measures are implemented to guarantee contents are protected from unauthorized access and external contamination.

Planning

Foremost, as with any new project, proper planning of the lab environment needs to be done so that, as the project progresses, issues arising later can be reduced and the project will result in a successful completion. This means taking necessary actions to carefully and deliberately set out the scope, schedule, and cost for the forensic lab environment before any work begins on construction.

Within the planning activities, it is important to follow a systematic approach when performing the following sequence of activities:

Identify and analyze the organization’s needs for building a forensic lab environment. Because the business risk scenarios for having digital forensic capabilities have already been understood and a governance framework established, the work done in this stage should not need to be exhaustive.

Assemble a team of individuals who will provide knowledge and support (e.g. management funding approval) in the subsequent activities and tasks. Because key stakeholders have already been identified, identifying the project team should not need to be exhaustive either.

Define the strategy, structure, and schedule by which the remaining activities and tasks will follow. For example, a register of all activities should be developed to include a complete list of tasks that need to be completed—accompanied by the individual (or team) who is responsible for completing the task, the allotted timeline for completing the task, and any dependencies that exist between individual tasks so that critical paths to success can be identified.

Design

Next comes the task of designing the structure and layout of the forensic lab environment. Unfortunately, there is no “cookie cutter” approach that can be universally applied when designing a forensic lab, because each environment depends on the types of evidence, the governance framework, and the needs of the organization. Considering the functional requirements of the forensic lab, such as equipment and workspace, organizations should design their lab environment to be flexible enough to support evolving business needs and continued growth in digital forensic capabilities.

As a foundational principle, the forensic lab environment must be both physically and logically separated from the organization’s general network and office space so that work being done with digital evidence does not result in contamination, loss, or unauthorized disclosure. Working from the principles and concepts of data center design, the following physical design elements must be incorporated to protect the integrity, authenticity, and admissibility of evidence:

• Construction in a fully enclosed room located in the interior of a building with true floor to ceiling walls and no windows

• Access doors having internally facing hinges with fire safety windows reinforced with wire mesh material

• Walls constructed with permanent materials (e.g. concrete)

• Raised flooring with fire-suppression system

Building off the above physical design considerations, the following are logical design elements that need to be factored when designing a lab environment:

• The principle of least privilege is applied so that only authorized individuals are permitted unescorted access

• Unescorted physical access is granted using multi-factor authentication, combining something you know (e.g. a passcode), something you have (e.g. a smartcard), and something you are (e.g. a fingerprint or other biometric)

• Visitor access must be logged, and visitors escorted, at all times

• Evidence lockers and safes must remain locked at all times

• Chain of custody logs tracking evidence ownership must be maintained at all times

• Inventory control mechanisms must be implemented to track and maintain complete, accurate, and up-to-date records of all lab equipment (e.g. software, forensic workstations, servers)

• Governance documents, such as standard operating procedures (SOP) and runbooks (e.g. software currency, evidence management), must be readily available to lab personnel

• A lab manager must be assigned who is responsible for the ongoing maintenance and safeguarding of the lab and its contents (i.e. the digital evidence)

In addition to the physical and logical design elements required to secure the lab environment, this is where the identification and placement of hardware and software comes into play. When determining what equipment is needed as part of the forensic toolkit, it is important to refer to the work completed when documenting the business risk scenarios as the basis for acquiring forensic equipment. Also, it is important to keep in mind that each investigation is unique and, as noted previously, might require specific activities to be conducted either in the field or within the lab environment. Therefore, a variety of different tools and equipment may be required to fulfill a broad scope of potential investigative circumstances.

Selecting the right tools and equipment to properly support digital forensic capabilities requires having a good understanding of the organization’s business-risk scenarios and the technologies used to support their respective business functions. As part of the selection process, it is important that tools and equipment are not blindly purchased without first validating and verifying that it provides the functionality required to gather or process evidence existing throughout the organization.

Digital forensic practitioners must properly evaluate and assess tools and equipment before purchasing, to demonstrate that these technologies generate repeatable and reproducible results when used according to the governance documentation to gather or process the relevant digital evidence. By completing a proof-of-concept (POC), the organization gains assurance that the tools and equipment supporting its digital forensic capabilities are forensically sound and will not introduce doubt about the evidence’s integrity.

Whether selecting open-source or commercial-off-the-shelf (COTS) technologies for the forensic toolkit, there are many different solutions that can fit within the requirements of the organization’s needs. As outlined in the introduction of this book, the focus of topics discussed throughout is not to get into the detailed technical execution discussion about how to perform digital forensics. In keeping with this scope, references have been made available in the “Resources” chapter at the end of this book where lists of forensic tools and equipment can be found. It is important to note that, given how technology is a constantly evolving and changing landscape, the inclusion of a forensic tool or equipment over another does not suggest that these are better or recommended over others that were not included.

Piecing all physical and logical components together, the team must thoroughly document their design plan so that they have a complete view of the final lab environment design. With this plan in place, the team should now review what has been identified for inclusion in the lab facility to ensure that what has been included meets the original requirements defined by the organization. If there are missing components identified, it is important that the team take time to sort out the design before proceeding to the next step so that issues arising during the construction work will be reduced and the project will result in a successful completion.

Construction

Transforming the plan and design into a physical lab environment is where organizations will invest most of their resources (i.e. time, effort, and cost). However, before any construction work can begin, the team needs to secure management approval and the funding necessary to build the facility. This is done by preparing a business case that illustrates the cost-benefit, so that stakeholders have enough detail to decide whether the organization should proceed with the final recommendation. A business case template has been provided in the “Templates” section of this book.

With the business case approved and funding available, construction of the lab environment can begin. It is important that the construction work stays within the expected scope, schedule, and cost as outlined in the business case, because any additional funding needed due to delays or issues will require the team to go back to management for approval and explain the unaccounted overages. Keeping to the expected scope, schedule, and cost requires having a dedicated individual, such as a project control officer (PCO), to oversee all work being done on the lab. Ultimately, the PCO will be responsible for managing all project resources (i.e. people, funding) to ensure that agreed-upon deliverables meet the requirements within defined timelines and budget. As a strategy, keeping to the project plan might require that multiple streams of work are done in parallel by different members of the project team to procure and build:

• the physical lab environment, such as walls, floors, and access points (doors)

• internal workspace equipment, such as desks, evidence lockers, and server racks

• forensic hardware and software, such as workstations, write-blockers, and storage units

As work is being completed and project milestones are met, it is important to remember that there can be dependencies between the streams of work before they come together into a final deliverable. For example, the physical lab environment must be finished before any equipment or tools can be set up in the facility’s workspace; and in some cases, workspace equipment needs to be in place before the forensic hardware and software can be set up. Where configuration and setup activities are required before hardware and software can be installed, a staging area allows this work to proceed while the facility is being finalized.

Throughout the construction work, communication is essential to achieving a successful project completion. It is important that the PCO track and maintain an up-to-date record of the work being done and completed by scheduling periodic spot-checks at critical milestones during the construction.

Hardware and Software

With the digital forensic lab built, the team should begin to acquire a series of hardware equipment and software tools that will be needed to conduct investigations in a forensically sound manner. It is important that the digital forensic team keep in mind that each investigation is unique and may require a variety of different tools and equipment to maintain evidence integrity.

To identify and select the proper tools and equipment to perform their investigative activities and steps, the digital forensic team must have a good understanding of how different business environments function respective to the hardware and operating systems they use. This assessment will determine what tools and equipment are required to gather and process evidence from the organization’s data sources.

All digital forensic tools and equipment work differently, and may behave differently, when used on different evidence sources. Before using any tools or equipment to gather or process evidence, investigators must be familiar with how to operate these technologies by practicing on a variety of evidence sources. This testing must demonstrate that the tools and equipment used generate repeatable and reproducible results. This process of testing introduces a level of assurance that the tools and equipment being used by investigators are forensically sound and will not introduce doubt into the evidence’s integrity.

Forensic Workstations

Forensic workstations are a combination of specialized hardware and software technologies that, together, allow for digital evidence to be gathered and processed in a forensically sound manner. In the marketplace, there are several COTS manufacturers of forensic workstations that come pre-built with the hardware and software required to gather and process digital evidence.

If a decision is made to build a custom forensic workstation internally, it is important to note that this has some obvious advantages—and disadvantages—when compared to the COTS hardware. On one hand, when building a forensic workstation, the forensic team can ensure that they have all the right hardware and software needed to support their needs. However, pre-built systems come with a level of assurance that all components have been configured and integrated correctly to ensure that the integrity, authenticity, and legal admissibility of digital evidence is maintained when being used. Whether a COTS system or custom built, a forensic workstation should include the following components to provide the required digital forensic capabilities:

• Standard operating hardware such as a Central Processing Unit (CPU), Random Access Memory (RAM), and primary hard drive. The performance and capacity required of these components is dependent on the forensic team’s requirements to support the needs of their organization.

• Add-on hardware components, which are optional and depend on the forensic team’s needs, such as:

– Optical disc drives able to read a variety of disc formats (e.g. Compact Disc (CD), Digital Versatile Disc (DVD), Blu-ray).

– Network adapters to interface with evidence storage networks. Refer to the section below in this chapter for a discussion of evidence storage networks.

– Ports to connect a variety of removable devices (e.g. Universal Serial Bus (USB) drives, FireWire (IEEE 1394) devices).

– Additional internal or external drive bays, verified as write-block enabled, to access a variety of drive interfaces and media (e.g. Integrated Drive Electronics (IDE), Serial Advanced Technology Attachment (SATA), Small Computer System Interface (SCSI), Solid State Drives (SSD))

• A primary Operating System (OS) that supports the execution of required forensic software. Where needed, additional OS versions can be run using Virtual Machine (VM) or emulation software application from the primary OS.

Before putting the forensic workstation into use, the forensic team must complete thorough testing to verify and validate that the hardware and software components work as expected and that they do not alter digital evidence or otherwise compromise its forensic viability.

Gathering

As the second phase of the investigative workflow, gathering is made up of the activities and steps performed to identify, collect, and preserve evidence. These activities and steps are critical in maintaining the meaningfulness, relevancy, and admissibility of evidence for the remainder of its lifecycle.

Operating Procedures

Prior to gathering evidence, there must be a series of written and approved operating procedures to assist the forensic team when performing evidence gathering activities and steps. The combination of governance that was developed through the Information Security Management program, along with the validation and verification results from tool and equipment testing, are the backbone for investigators to follow as they work through the investigation.

Identification

Identification of evidence involves a series of activities and steps that must be performed in sequence. It is important to know what data sources, such as systems, peripherals, removable media, etc. are associated or have an impacting role to the investigation.

When a data source has been identified, proper evidence handling must be followed at all times. If the evidence is handled incorrectly, there is a high probability that it will no longer be meaningful, relevant, or admissible.

Operating procedures are required to support the investigative workflow and provide investigators with direction on how to execute their tasks in a repeatable and reproducible way.

Securing the Scene

Although the main focus of digital forensics is digital evidence, it is critical that practitioners consider both electronic and physical evidence within the scope of every investigation they conduct. Just as the first step law enforcement takes is to establish a perimeter around a crime scene to secure evidence, the same first step must be taken during a digital forensic investigation. Whoever is responsible for securing the scene must be trained and knowledgeable in the accepted activities, steps, and procedures to be followed.

Once the physical environment is secured, the current state of evidence can be documented and a level of assurance is established that the evidence will be protected against tampering or corruption. While the activities, steps, and procedures used will vary depending on the environment, it is critical that they are followed to minimize the potential for errors, oversights, or injuries.

An important rule to remember at every crime scene, known as Locard’s exchange principle, is that everyone who enters or leaves the scene will either deposit something or take something with them. It is crucial that no unauthorized individuals are within a reasonable distance of the secured environment, as these persons can interfere with evidence and potentially disrupt the investigation.

At this phase, the information and details collected about the state of the scene is done at the highest level. Proper planning must take place to develop and implement operating procedures that address the different scenarios for how to physically and logically secure crime scenes.

Documenting the Scene

Having secured the physical environment, the next step is to document the scene and answer questions around what is present, where it is located, and how it is connected.

The most effective way to answer these questions is by video recording, photographing, or sketching the secured environment before any evidence is handled. When capturing images of the physical environment, the following aspects of the scene must be documented:

• A complete view of the physical environment (ex. floor location, department, workspace)

• Individual views of specific work areas as needed (ex. book shelves, systems, open cabinets, garbage cans)

• Wired connections to systems and where they lead (ex. USB drives, printers, cameras)

• Empty slots or connectors not in use on the system, as evidence that no connection existed

• What is visible on the monitor, captured without pressing any mouse or keyboard buttons (ex. running processes, open files, wallpaper)

Just as police officers record events in their notebooks, forensic investigators must maintain documentation of every interaction on the presumption that the investigation could end up in a court of law. The investigator’s notes must include (at a minimum) the date, time, the investigator’s full name, and all interactions. The notes should also carry a page or sequence number and leave no blank space on the page: any unused space is struck through with a solid line so that supplementary comments cannot be inserted later.

Search and Seizure

Once the scene is secured and thoroughly documented, investigators work on seizing evidence. But the goal of seizing evidence is not to seize everything at the scene. Through the knowledge and experience of trained investigators, educated decisions can be made about what forms of evidence need to be seized and then they can document the justifications for doing so.

Digital evidence comes in many forms: application logs, network device configurations, badge reader logs, or audit trails. Given that these are only examples and depending on the scope of the investigation, there are potentially significantly more relevant evidence forms. Identifying and seizing all evidence can prove to be a challenging task to which technical operating procedures will provide guidance and support. However, from time to time investigators might encounter situations where these technical operating procedures do not address collecting a specific evidence source. In these situations, having a trained digital forensic professional is essential in providing the knowledge and skills necessary to apply the fundamental principles, methodologies, and techniques of forensic science in seizing the evidence.

Documentation is at the center of the investigative workflow and is equally important when it comes to seizing evidence. When a physical (e.g. a computer) or logical (e.g. a text file) artifact has been identified as relevant to an investigation, the act of seizing it as evidence initiates the chain of custody, which establishes authenticity by tracking where the evidence came from, where it went after it was seized, and who handled it and for what purpose. Custody tracking must accompany the evidence and be maintained throughout its lifetime.

All digital evidence is subject to the same rules and laws that apply to physical evidence: the party presenting it must be able to demonstrate that the evidence is in the exact, unchanged state it was in when the investigator seized it. The Good Practice Guide for Computer-Based Electronic Evidence was developed by the Association of Chief Police Officers (ACPO) in the United Kingdom to address evidence handling for the types of technologies commonly seized during an investigation. Within this document, there are four overarching principles that investigators must follow when handling evidence to maintain its authenticity:

Principle #1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle #2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle #3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle #4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Collection and Preservation

The transition between a physical investigation into digital forensic activities starts with the collection of digital evidence. Digital evidence is volatile by nature and investigators are responsible for ensuring that the original state of seized evidence is preserved. Working in a controlled lab environment, investigators must create an exact, bit-level duplicate of original evidence using digital forensic tools and equipment that have been subject to validation and verification testing programs.

The U.S. Federal Rules of Evidence (FRE 1001, which defines a duplicate, and FRE 1003, which makes a duplicate admissible to the same extent as the original) allow duplicates of digital evidence to be used in court in place of the original when the copy is “the product of a method which insures accuracy and genuineness”. To demonstrate that the bit-level copy is an accurate and genuine duplicate of the original evidence source, one-way cryptographic hash algorithms such as the Message Digest family (e.g. MD5) or the Secure Hash Algorithm family (e.g. SHA-1, SHA-2, SHA-3) are used to generate hash values of both the original and the duplicate. Not only do matching hash values give investigators assurance that the bit-level copy is an exact duplicate of the original, they also give investigators a means of verifying the integrity of the duplicate throughout the subsequent activities and tasks of the investigative workflow.

Having generated an exact bit-level duplicate to use during the processing phase, the original evidence must be placed back into secure lockup with an update to the chain of custody reflecting the investigator’s interactions with the original evidence sources. In addition, a new chain of custody for the bit-level duplicate must be created and maintained throughout the remainder of the evidence’s lifetime.

In 2004 and 2005, researchers showed that both the MD5 and SHA-1 algorithms contain flaws whereby two different data files or data sets can be constructed to have identical hash values even though the data themselves have distinctly different properties and characteristics. (A practical SHA-1 collision was first published in 2017.)

Otherwise known as “hash collisions”, these flaws raised concern in the forensic community about the potential impact on the admissibility of digital evidence in a court of law. From a digital forensic perspective, it meant that a hash collision could be engineered so that separate pieces of digital evidence return the same hash value.

However, during a forensic investigation MD5 and SHA-1 are used to demonstrate to the courts that the digital evidence being presented is in the same state as when it was obtained and has not been altered in any way, that is, to demonstrate authenticity and integrity. Verifying evidence against a hash recorded at acquisition is a different problem from engineering a collision: an adversary who wanted to substitute altered evidence would need to produce a second input matching a hash value that already exists (a second-preimage attack), which remains infeasible for both algorithms, whereas a collision attack requires control over both inputs before the first hash is ever taken.

In the 2009 trial of United States v. Joseph Schmidt III, the findings of fact and conclusions of law determined that the SHA-1 digital fingerprint for a file produced a unique digital algorithm that specifically identified the file. Further, it was ruled that the chances of a hash collision are not mathematically significant and are not at issue.

Legally, this means that if digital evidence was cryptographically hashed using either MD5 or SHA-1 when it was obtained, and then validated later using the same algorithm, the authenticity and integrity of the digital evidence can be relied upon in a court of law. As a precaution against future challenges, current practice is to record a SHA-2 digest (e.g. SHA-256) alongside any MD5 or SHA-1 value at the time of acquisition, so that the record does not depend on a collision-prone algorithm alone.
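The following is an added example, not code from the book, showing the hashing and custody-tracking steps described above for a bit-level duplicate (and the re-verification of that duplicate that the processing phase relies on). It uses Python’s standard hashlib to compute MD5, SHA-1 and SHA-256 over a stream in chunks, compares a duplicate against the digests recorded at acquisition, and keeps a chain of custody log in which each entry commits to the previous one so a later edit is detectable. The exhibit identifiers, custodian name, timestamps and the 1 MiB “drive” contents are all constructed for the demonstration.

```python
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone
from typing import BinaryIO, Dict, Iterable, List

# Algorithms recorded per exhibit. MD5 and SHA-1 are kept because existing
# tools, reports and court records still use them; SHA-256 is recorded as
# well so the record does not rest on a collision-prone algorithm alone.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 64 * 1024  # read in 64 KiB chunks so multi-gigabyte images fit in memory


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = HASH_ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hex digest} for the whole stream, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (tests and small artifacts)."""
    return hash_stream(io.BytesIO(data))


def verify_bytes(expected: Dict[str, str], data: bytes) -> Dict[str, bool]:
    """Re-hash a duplicate and compare every recorded digest with the original's.

    hmac.compare_digest keeps the comparison constant-time. A mismatch on any
    algorithm means the duplicate must not be used for examination.
    """
    actual = hash_stream(io.BytesIO(data), expected.keys())
    return {name: hmac.compare_digest(expected[name], actual[name]) for name in expected}


class CustodyLog:
    """Append-only chain of custody. Every entry stores the SHA-256 of the
    previous entry, so inserting, removing or editing an entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, exhibit_id: str, action: str, custodian: str,
               evidence_hashes: Dict[str, str], note: str = "",
               when: datetime = None) -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "exhibit_id": exhibit_id,
            "action": action,
            "custodian": custodian,
            "evidence_hashes": dict(evidence_hashes),
            "note": note,
            "previous_entry_hash": self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if sequence numbers and back-links are intact end to end."""
        previous = self.GENESIS
        for i, entry in enumerate(self.entries, start=1):
            if entry["seq"] != i or entry["previous_entry_hash"] != previous:
                return False
            previous = self._entry_hash(entry)
        return True


def demo() -> dict:
    """Walk one constructed exhibit through seizure, imaging, verification and logging."""
    original = bytes(range(256)) * 4096           # constructed 1 MiB stand-in for a seized drive
    duplicate = bytes(original)                   # a correct bit-level copy
    tampered = bytearray(original)
    tampered[700_000] ^= 0x01                     # a single flipped bit deep in the image

    acquired = hash_bytes(original)               # digests recorded at acquisition
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)   # fixed times keep the demo reproducible
    log = CustodyLog()
    log.record("EX-001", "seized", "J. Investigator", acquired, "Removed from workstation 4F-12", t0)
    log.record("EX-001", "imaged", "J. Investigator", acquired, "Bit-level image via write-blocker", t0.replace(hour=10))
    log.record("EX-001-IMG", "verified", "J. Investigator", hash_bytes(duplicate), "Duplicate hashes match original", t0.replace(hour=11))
    valid_before = log.verify()

    log.entries[0]["custodian"] = "Someone Else"   # simulate an after-the-fact edit to an earlier entry
    return {
        "duplicate_ok": all(verify_bytes(acquired, duplicate).values()),
        "tampered_ok": all(verify_bytes(acquired, tampered).values()),
        "custody_log_valid": valid_before,
        "custody_log_valid_after_edit": log.verify(),
    }
```

In practice the stream passed to hash_stream would be the raw device behind a write-blocker or the image file produced by the imaging tool, and the same verify step is re-run whenever the duplicate is checked out for examination. The hash-chained log is a tamper-evident record, not a signature: it detects edits to the log, but does not by itself prove who made an entry, which is why each entry still names a custodian and the original form is kept under lock.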

Processing

As the third phase of the investigative workflow, processing involves the activities and steps performed by the investigator to examine and analyze digital evidence. These activities and steps are used by investigators to examine duplicated evidence in a forensically sound manner to identify meaningful data and subsequently reduce volumes based on the contextual and content relevance.

All activities and steps performed during the processing phase should occur inside a secure lab environment where digital evidence can be properly controlled and is not susceptible to access by unauthorized personnel or exposure to contamination. Before performing any examination or analysis of digital evidence, investigators must complete due diligence by proving the integrity of the forensic workstations that will be used, including inspecting for malicious software, verifying wiped media, and certifying the host operating system (ex. time synchronization, secure boot).

Maintaining the integrity of digital evidence during examination and analysis is essential for investigators. By using the one-way cryptographic hash algorithm calculated during the gathering phase, investigators can prove that their interactions do not impact the integrity and authenticity of the evidence. Digital forensic tools and equipment provide investigators with automated capabilities, based on previous professional knowledge and criteria, which can be used to verify and validate the state of evidence.

On occasion, the programmatic processes or algorithms provided through tools and equipment require extended and potentially unattended use of digital evidence. During this time, the investigator remains the active custodian of all digital evidence in use and is responsible for maintaining its authenticity, reliability, and trustworthiness while unattended. Within the controlled lab environment, access to evidence can be restricted from unauthorized access using physical controls, such as individual work areas under lock/key entry, or logical controls, such as the use of individual credentials for accessing tools and equipment.

Presentation

As the fourth and last phase of the investigative workflow, presentation involves the activities and steps performed to produce evidence-based reports of the investigation. These activities and steps provide investigators with a channel of demonstrating that processes, techniques, tools, equipment, and interactions maintained the authenticity, reliability, and trustworthiness of the digital evidence throughout the investigative workflow.

Having completed the examination and analysis, all generated case files and evidence must be checked in to secure lockers and the chain of custody updated. Unless otherwise instructed by legal authorities, retention of digital evidence must comply with, and not exceed, the timelines established through policies, standards, and procedures. Proper disposal of digital evidence must be recorded on the existing chain of custody form.

Documentation is a critical element of an investigation. In alignment with established operating procedures, each phase of the investigative workflow requires several types of documentation to be maintained that is as complete, accurate, and comprehensive as possible. From the details captured in these documents, investigators can demonstrate for all digital evidence the continuity in custody and interactions with authorized personnel.

Layout and illustration of the final report must clearly articulate to the audience a chronology of events specific to evidence interactions. This chronology should be structured in sequence to the phases of the investigative workflow and accurately communicate through defined section headings the activities and steps performed.

Evidence Storage Networks

With technology being so pervasive across both our personal and business lives, and the rate at which ESI proliferates across different technologies, it is reasonably safe to say that gone are the days when the scope of a digital forensic investigation was limited to a single computer system. The reality is that managing complex investigations where digital evidence is extracted from multiple sources, such as traditional computer systems, networks, mobile devices, and cloud computing environments, has become a major challenge. In some cases, evidence only needs to be held for the duration of the investigation (or trial). In other cases, evidence needs to be held beyond that, and the result is that organizations need to preserve and store massive amounts of digital evidence for extended periods.

Traditionally, organizations have leveraged digital backup solutions, such as tapes or external hard drives, to preserve digital evidence long-term. However, digital media technology is constantly changing and what is available now may not be accessible years from now. Also, digital media degrades over time and few, if any, can guarantee the integrity of the evidence stored on them beyond a given period. Furthermore, in multi-national enterprise environments, where digital forensic practitioners are in different geographies, digital evidence needs to be accessible to all those involved in the investigation to allow for collaboration. Continued storage of digital evidence in isolated or offline environments is introducing challenges given the massive amounts of evidence being gathered today. Ideally, what is needed is an efficient way for storing, preserving, and accessing the growing volumes of digital evidence from any location throughout the enterprise.

An Evidence Storage Network is a centralized repository in which digital evidence can be stored, preserved, and accessed over extended periods. It is designed to provide secure, access-controlled retrieval of digital evidence from anywhere in the enterprise, so that long-term preservation no longer depends on isolated backup media (the repository itself must still be backed up, and every access to it logged). Generally, the primary technologies available today to implement network-based storage solutions include:

Network Attached Storage (NAS), a scalable file-level storage technology that is attached to the network and accessed through standard file-sharing protocols (e.g. NFS or SMB/CIFS) running over Transmission Control Protocol/Internet Protocol (TCP/IP). A NAS device comes with an embedded operating system and, in many cases, is sold as a pre-built appliance for ease of deployment.

Storage Area Networks (SAN), a dedicated network (typically Fibre Channel or iSCSI) that connects servers to shared, block-level storage arrays used to hold ESI. A SAN does not remove the need for storage devices; rather, it consolidates them so that capacity can be pooled and managed centrally, and it keeps storage-heavy traffic separate from the general enterprise network. It is dedicated solely to storage traffic.

Any combination of NAS and SAN can be used to achieve an Evidence Storage Network for long-term storage of digital evidence. The decision to use any of these technologies for extended preservation of digital evidence goes back to the business need for implementing it as well as the cost-benefit of selecting one over the other.

A common solution for supporting an Evidence Storage Network is to build an Enterprise Data Warehouse (EDW) designed specifically for maintaining the authenticity and integrity of digital evidence, with recorded hash values and audit logging for every access, so that at no time is there a risk of spoliation that would render the evidence legally inadmissible.
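The following is an added example, not code from the book or its author, of the integrity control such a repository relies on: at acquisition every evidence file is hashed with an algorithm from the Secure Hashing Algorithm family and the digest is recorded alongside a chain-of-custody entry; later, a fixity check re-hashes the stored files and flags anything that has changed or gone missing, which is how silent media degradation or tampering during long-term storage is detected. The file names, case identifiers, function names and the sample evidence files are all constructed for illustration; MD5 and SHA-1 are refused as the sole fixity algorithm because both have practical collision attacks.

```python
"""Hash-based fixity manifest with a chain-of-custody log (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images are never fully loaded

# MD5 and SHA-1 have practical collision attacks, so they are refused as the
# sole fixity record; SHA-256 (or stronger) is the default.
WEAK_ALGORITHMS = {"md5", "sha1"}


def digest_file(path, algorithm="sha256"):
    """Return the hex digest of the file at path using a hashlib algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_custody(manifest, custodian, action, note=""):
    """Append a chain-of-custody event (who, what, when, why) to the manifest."""
    manifest["custody"].append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "action": action,
        "note": note,
    })


def build_manifest(evidence_dir, case_id, custodian, algorithm="sha256"):
    """Hash every file under evidence_dir at acquisition time and return the manifest."""
    if algorithm in WEAK_ALGORITHMS:
        raise ValueError(f"{algorithm} is not collision resistant; use sha256 or stronger")
    files = {}
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            files[rel] = {
                "algorithm": algorithm,
                "digest": digest_file(path, algorithm),
                "size": os.path.getsize(path),
            }
    manifest = {"case_id": case_id, "files": files, "custody": []}
    log_custody(manifest, custodian, "acquired", "digests recorded at acquisition")
    return manifest


def verify_manifest(manifest, evidence_dir, custodian):
    """Re-hash every listed file; return {relpath: "ok" | "mismatch" | "missing"}."""
    results = {}
    for rel, expected in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        actual = digest_file(path, expected["algorithm"])
        results[rel] = "ok" if actual == expected["digest"] else "mismatch"
    failures = sorted(r for r, s in results.items() if s != "ok")
    log_custody(manifest, custodian, "verified",
                "all files intact" if not failures else "failed: " + ", ".join(failures))
    return results


def weak_algorithm_rejected():
    """True if build_manifest refuses to record MD5 as the sole fixity algorithm."""
    try:
        build_manifest(os.curdir, "CASE-0000", "examiner", algorithm="md5")
    except ValueError:
        return True
    return False


def demo():
    """Constructed sample: two evidence files, one silently altered after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "disk.dd"), "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image")
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Jan  1 00:00:01 host sshd[101]: Accepted password for root\n")
        manifest = build_manifest(d, "CASE-0001", "examiner-a")
        # Simulate degradation or tampering of one item while in storage.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("Jan  1 00:00:02 host sshd[101]: session opened\n")
        results = verify_manifest(manifest, d, "examiner-b")
        return results, manifest


if __name__ == "__main__":
    res, man = demo()
    for rel, status in res.items():
        print(f"{status:9} {rel}")
    for event in man["custody"]:
        print(event["timestamp"], event["custodian"], event["action"], event["note"])
```

In practice the manifest would be written out (for example as JSON) to a location the examiners cannot modify, and the verification run on a schedule so that a mismatch is caught and recorded in the custody log long before the evidence is needed at trial.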

Summary

Evidence is the cornerstone on which fact-based conclusions are established. Guaranteeing that evidence remains legally admissible and forensically viable requires following consistent and repeatable methodologies and techniques throughout the entire lifecycle of evidence. Organizations must employ a complementary series of administrative, physical, and technical controls to effectively maintain the authenticity and integrity of business records that could be used as potential digital evidence.


Glossary

Forensically Sound qualifies and, in some cases, justifies the use of a specific technology or methodology in preserving the authenticity and integrity of electronically stored information.

Hearsay Evidence is secondhand or indirect evidence that is offered by a witness of which they do not have direct knowledge but, rather, their testimony is based on what others have said to them.

Electronically Stored Information (ESI) is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.

Structured data is information that resides in a fixed field within a record or file (i.e. databases, spreadsheets).

Unstructured data is information that does not reside in a traditional row-column arrangement (i.e. email, productivity documents).

Form Factor is commonly used in describing the specifications of a computing device, a computer case or chassis, or one of its internal components such as a motherboard.

Backplane is a group of electrical connectors in parallel with each other, so that each pin of each connector is linked to the same relative pin of all the other connectors, forming a computer bus.

Someone with knowledge describes any person who has awareness or familiarity gained through experience or learning.

Runbooks, both electronic and physical, are a compilation of routine procedures and operations used as a reference.

Repeatable refers to obtaining the same results when using the same method on identical test items in the same laboratory by the same operator using the same equipment within short intervals of time.

Reproducible refers to obtaining the same results being obtained when using the same method on identical test items in different laboratories with different operators utilizing different equipment.

Proof-of-Concept (POC) is the realization of a certain concept, theory, method, or idea in order to demonstrate its feasibility or prove a principle.

Commercial-off-the-shelf (COTS) describes items that are available for purchase through the commercial marketplace; including, but not limited to, software or hardware products, installation services, training services.

Message Digest Algorithm family is a suite of one-way cryptographic hashing algorithms (MD2, MD4, MD5) that are commonly used to verify data integrity by producing a 128-bit digital fingerprint of the input. MD5, the most widely used member, is no longer collision resistant and should not be relied on as the sole integrity check for evidence, although it is still encountered when matching against legacy hash sets.

Secure Hashing Algorithm family is a suite of one-way cryptographic hashing algorithms that are commonly used to verify data integrity by producing a digital fingerprint whose length depends on the version used (160 bits for SHA-1; 224 to 512 bits for the SHA-2 and SHA-3 families). Practical collision attacks against SHA-1 have been demonstrated, so SHA-256 or stronger should be used for new evidence records.

Secure Boot is a security standard, implemented in UEFI firmware, that ensures a system loads and uses only known-good, trusted software whose digital signatures chain back to a key the platform trusts.


About the Author

Jason Sachowski is a seasoned professional in the fields of Information Security and Digital Forensics. He has an extensive history of working in a fast-paced corporate environment where he has led digital forensic investigations, directed incident response activities, developed and maintained processes and procedures, managed large information security budgets, and governed the negotiation of third-party contracts.

Note: The forthcoming second edition of Implementing Digital Forensic Readiness: From Reactive to Proactive Process is due to be released in May 2019 from CRC Press.



This article appeared in the Spring 2019 issue of Evidence Technology Magazine.
