Forensic PC anti-co...
 
Notifications
Clear all

Forensic PC anti-contamination procedures

30 Posts
12 Users
0 Likes
1,108 Views
Fab4
 Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

Hello all. We are a growing lab and are making some changes to our set-up which is provoking much debate within the team.

We have a server with 8 hot-swappable bays. The working copy of an image being actively analysed is maintained on the server, where one drive = one case - clearly stored securely when analysis not occuring.

The server shares the image to one or more of several forensic client PCs during analysis, with the analyst maintaining a virtual case file on that PC, backed up elsewhere at the end of each day.

Our debate revolves around how anti-contamination procedures on the forensic clients can be undertaken both appropriately (to avoid challenges relating to tainted evidence) and efficiently.

Suggestions range from;
DoD wiping the client, re-installing OS and all apps prior to next case.
to
Each case has its own partition on the client HDD, which is DoD wiped prior to a new case being allocated to it.
through to
There's no need to wipe anything - rely on AV procedures, an image is a logical file in itself.

Persusive arguments are being made for each option!

It would be great to hear what others (would) do. Many thanks.

 
Posted : 21/08/2009 5:24 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Our debate revolves around how anti-contamination procedures on the forensic clients can be undertaken both appropriately (to avoid challenges relating to tainted evidence) and efficiently.

I'm not sure I follow the argument….if the original evidence is maintained separately and can be verified, how would it be tainted by a client PC?

I have no idea where your facility is or what it is you do, but let's say, for example, that in analyzing an image, one of the examiners finds CP. Is this discussion around evidence being tainted if a client PC becomes infected with a Trojan or virus of some kind? I don't see how this would be an issue, b/c you can deal with the infected PC and still have your original evidence, untainted.

Maybe a way to address your concern is through virtualization…have everyone use VMs.

 
Posted : 21/08/2009 6:00 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

For one client, we use virtual machines for each case. The EnCase images, installers for tools, and the EnCase file hierarchy live on the host's disk for performance reasons.

As Harlan notes, as long as the original evidence is in a locked evidence container, it cannot be contaminated. The work product could be contaminated by a virus/accident on the host or on the VM but we could go back to the original evidence with a fresh VM and start over again.

In your situation, I know many examiners would wipe the client, reinstall from a base Ghost image, and update everything, which is essentially what we do with VMs.

In discussions about best practices, it is often suggested that you wipe any disk or partition prior to storing evidence or work product on it to avoid the possibility of contamination.

-David

 
Posted : 21/08/2009 8:12 pm
Fab4
 Fab4
(@fab4)
Posts: 173
Estimable Member
Topic starter
 

you can deal with the infected PC and still have your original evidence, untainted.

That seems supportive of the third option in my post.

To clarify, the question is;

do you work on several images/cases at a time, using the same forensic PC

and/or

do you undertake any 'cleaning' of your forensic PC between working on one image and working on the next image?

Or do you do something entirely different?

Hope that helps.

 
Posted : 21/08/2009 8:34 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

I think using the VMs is an excellent idea.

It not only isolates the VM from the host, but also provides a fast way to create a dedicated VM for each case, if need be; and allows sanitizing (or cleaning) of the VM instance.

What is the downside using such VM setup?

I am going to have to rethink how my lab will look.

 
Posted : 21/08/2009 9:11 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

We can also archive the entire analysis environment, including a running operating system, the installed tools, patches, etc. If someone wants us to look at a five year old case, we can use the exact environment we used 5 years ago.

There is a performance hit, though I've not measured it. Keeping everything but the OS files on the host file system via shared folders works much better than using the virtual system's filesystem.

We're running the VMs on a 14GB Mac Pro with 1.7TB of RAID in an effort to provide as many resources as possible. For off the shelf, non-server hardware, this is about the best you can do, I think.

VMware only passes USB through to the client. Firewire and eSATA do not pass through, making VMs less than ideal for imaging.

You need to be a bit careful with you configuration and active focus when plugging USB devices and dongles in to ensure they show up in the right place.

This arrangement allowed us to run FTK 2.x with a standalone Oracle server and multiple clients, which was helpful for testing it out.

You can isolate the VM from the network, or connect the VM via an isolated virtual network to a sniffer.

We've built out server base images - Windows 2003 Server, XP, and 32 and 64 bit versions of each. Currently, EnCase isn't installed in the image as it is quick to install, but I may install it in one image so I can also pre-install the NIST database, our standard EnScripts, etc.

-David

 
Posted : 21/08/2009 9:20 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

Suggestions range from;
DoD wiping the client, re-installing OS and all apps prior to next case.

You don't DoD wipe in Forensics. The proper method of forensic sterilisation of media is to completely overwrite the drive with a single known character, generally 0x00. The reason for using 0x00, is that you can then read the drive using a CRC32 or CRC64, and if the resultant hash is all zeros, your drive is sterile.

Wipe, verify zero, and you are set.

As a general principle, forensic sterilisation is only required for restore drives, forensic copy (as opposed to imaging), and for target drives that you are taking into the field. Restore and forensic copy drives are sterilised so that no data from another job exists after the end of your restore or copy, and field acquisition drives are wiped so that sensitive data is not taken out into the field unnecessarily, and so there is no argument that you are contaminating their computer, or your image on site.

I have never had the practice of wiping my systems completely after each job. I have a backup of my standard build, and a forensic image of each forensic workstation that I can restore if an error is located. In almost 400 forensic computer examinations, the only time I've ever had to restore my master was from the failure of a 60GB IBM Deathstar that was my system drive.

As other posters have said, so long as you maintain chain of custody, and get your master image into an evidence locker as soon as possible, any arguments of contamination can be defended against.

 
Posted : 22/08/2009 8:57 am
(@dficsi)
Posts: 283
Reputable Member
 

Is wiping really necessary?
We've also had this discussion in our office over the last couple of days. One of the things that we have discussed is that when using EnCase the evidence files are self contained with hash values that match the original media.
If the hash value remains the same in the EnCase environment could you rule out the possibility of cross contamination?
We often work on several cases at the same time so wiping becomes somewhat burdensome. I know of several companies that do not wipe their storage drives before starting a new case and say that the practice of wiping drives between cases is unnecessary.
Thoughts anyone?

 
Posted : 22/08/2009 10:43 am
(@jonathan)
Posts: 878
Prominent Member
 

Is wiping really necessary?
We've also had this discussion in our office over the last couple of days. One of the things that we have discussed is that when using EnCase the evidence files are self contained with hash values that match the original media.
If the hash value remains the same in the EnCase environment could you rule out the possibility of cross contamination?
We often work on several cases at the same time so wiping becomes somewhat burdensome. I know of several companies that do not wipe their storage drives before starting a new case and say that the practice of wiping drives between cases is unnecessary.
Thoughts anyone?

Agreed. Wiping drives everytime be it single or multiple passes is unnecessary (for the reasons you give), ties up resources and potentially causes avoidable wear to the drive itself.

 
Posted : 22/08/2009 11:42 am
(@patrick4n6)
Posts: 650
Honorable Member
 

Is wiping really necessary?

For the circumstances that I elaborated in my previous post, yes wiping is necessary. For the drives that you keep in your lab, that have your working systems, and that store your working jobs, it's really not because there are mechanisms to detect contamination such as hashes on evidence files.

I know that we had this discussion at my old agency when AD announced that FTK2 would store your jobs in an Oracle DB. Did this mean that we had to redo the DB for each job to prevent cross-contamination? The final conclusion was that we did not. After all, Oracle is a database, and really NTFS is a database at the most basic level, so if we trust NTFS, we trust Oracle.

In relation to Jonathan's comment, I don't think that a single pass of writes could be considered unreasonable wear. Modern drives are designed to handle hundreds of thousands of reads and writes before failure. In fact, because of the verification pass, a zero and read could be considered a good thing in that it could help discover errors on your drive (and in fact has helped discover failing/faulty drives for me).

The larger reason against doing a drive wipe in all circumstances is the time. Of course, if you have a spare machine that you use to wipe drives unattended, that time cost is rather small.

 
Posted : 22/08/2009 8:28 pm
Page 1 / 3
Share: