Best Practices: Collecting Computer Forensic Evidence

Gathering information in a legal, court-friendly way is vital if computer forensic evidence is to hold up in court.

“Will it hold up in court?”

While little computer forensic evidence gathering ultimately ends up in court—HR might handle the matter, or suspect activity on a user’s computer might have been caused by Trojan software and an outside hacker never tracked down—investigators must ensure that evidence-gathering techniques will hold up in court.

So says Christopher L. T. Brown, the chief technology officer of Technology Pathways. The company's ProDiscover Investigator software helps security investigators examine local or remote disks, using everything from keyword searches to restoring deleted files, without altering data or metadata—crucial if companies ever want to use evidence in court.

To discuss Technology Pathways’ software tool and forensic best practices, Security Strategies spoke with Brown, who also holds CISSP security certification and is a computer forensic instructor.

You teach a course on forensics?

Yes, it's a semester-long extension course in computer forensics at the University of California at San Diego. However, we get current UCSD students coming to our course as well, as well as a lot of industry professionals [and] law enforcement. Then we have a variety of different courses—everything from one- to five-day courses. For example, at the annual High-Tech Criminal Investigation Association conference in Lake Tahoe, we taught the course there every day.

What do people need to perform a forensic investigation?

Tools. Your toolbox is one of the most important things. Also a mindset, and for IT folks, a mindset of preservation of evidence—over restoration of services—is generally a conflicting thought. The restoration of services generally destroys the evidence.

What skills does a good forensic investigator need?

From an investigative standpoint, one of the most important issues is to take an impartial look at the data and be careful not to draw early conclusions. It can be a tedious process, and that's where your tools come into play.

Historically people have used a real grab bag of tools, and you're still going to need to use multiple tools. However, the ability to use a tool like [ProDiscover Investigator] to do a remote [analysis] can save you a tremendous amount of time. Also, one thing to stress: in the past, people might have used tools to establish if they should do something, and [that tool itself] might trample on the evidence. When you use a tool such as ours that manages the whole case process from beginning to end, [that doesn’t happen]. Should it turn out that there's been no misuse, you're good to go, we've helped establish that. But should it turn out [something was amiss], you can use the same tool to manage the whole process.

Any tips to share with forensic investigators?

It’s a pretty wide, encompassing field. There are subtle issues, such as in legal notification, signed consent forms, the 4th Amendment to the U.S. Constitution, all sorts of subtle issues there.

For the criminal side, one thing I always try to let my students know is, if you'll focus on what you're doing and ask, "How is what I'm doing going to be challenged in court?", then you'll probably abate any successful challenges. Ask, “Am I doing anything that will compromise the integrity of what I'm doing?”

Are evidence-gathering mishaps too common?

That was actually one of the things that led to the founding of this company and our software. Over the ’90s, as … a security consultancy, too often we saw things be mishandled.

What’s happening today with forensics?

Within the computer security world, there's an increasing amount of training for security forensics. It's the same in the audit community. You're seeing much more attention being given to forensic auditing tools.

So how does ProDiscover Investigator work?

It's a full client/server application, and through the use of a remote agent launched on the suspect machine, the investigator can then, over any TCP/IP network, LAN, or WAN, connect to the remote machine from … [a] forensics console, so to speak, and work with that remote disk as though it was a local disk.

How do you install the remote agent?

You don't have to install it [per se]; there are a variety of ways. The simplest is to take a trusted binary CD of the agent and put it in the cradle of the target machine, and it will automatically load into memory without writing to disk. However, from the [software] console, we provide scripts that will push that agent out and let it run undetected, using a password-encrypted back channel. What we call the least intrusive method, installing in a stealth mode, can be automated through scripting, but you would need admin rights.

Which operating systems can the software investigate?

From an analysis and collection standpoint, our [ProDiscover] console collects all of the Microsoft file systems, up to the current version of NTFS. Our console is always intended to be a Windows-type GUI (graphical user interface). However, … we're in the process of rolling [analysis and collection capability out for] Solaris, Linux, and Macintosh, throughout 2004. And … as we roll out the file system, we'll roll out a remote agent.

Is any additional training needed to use this product?

As far as the users, our goal is to design an intuitive question with online help that helps educate the person in the proper methodologies to take. In fact, in our online help, we actually include a book on the basic principles of computer forensics, including … physical chain of custody. Having said that, we also recommend the person stay informed and continue to educate themselves.

Does the software freeze the remote computer?

It's actually a live view of the file system, so while it's up and running, the investigator can be analyzing, … looking at the file system, recovering deleted files, … even bringing those files over to the investigator's machine. If the investigator decides they want to draw the entire computer hard disk over to the forensic workstation, then at any time they can image that disk. Now, that image is not an image frozen in time, since the system is live. We normally refer to this type of image as a “smear.”

Just grabbing files is understandable, since there’s so much data on computers today. But is a smear acceptable in court?

You have to be able to explain it in court, of course, but if an image is changing in time, you'll be able [to].

Do you have to drag a hard drive into court as well?

Attacks in court around evidence generally surround authenticity, and certainly it would be a perfect world if you had the original evidence disk and you had the original disk that you'd worked on. However as long as you can account for the integrity of the process you utilized to gather any information you gathered, then that evidence will go through the normal rules of evidence and either be suspected or rejected.

Smears have been used in court, and the process of collecting a smear has been done before, in intrusion detection, using a grab bag of tools to collect evidence over time. For example, in the Unix world, people have been piecing together a number of utilities—such as encryption [and] MD5 checksums—to do the same thing.

Will companies have to defend the software they’ve used in court?

Not generally. In court and evidence, there's what's commonly referred to as the Daubert and Frye principles, and those were two cases that outline the standards scientific [evidence gathering] tools should meet. One of the criteria for that is that you've had independent peer review. And we've had that: there's been independent, peer investigation that our images are correct, and that they're generally accepted among peers. That's a true statement now.

So companies can use this as an evidence gathering tool?

Generally, once you meet those criteria, your evidence can be accepted in court, and of course that it has been accepted in the past helps. Defense usually goes for the path of least resistance, and generally it's easier and less expensive therefore to attack the methodologies that the person used, or the integrity or the training of the person who performed the action. We certainly stand behind our product if that ever becomes necessary.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.