What is "forensically sound"?  

keydet89
(@keydet89)
Community Legend

What constitutes a "forensically sound" process?

Let's begin from a common starting point…a live Windows system that cannot be taken down. Generally speaking, what constitutes a "forensically sound" process for collecting data from that system?

Then, how would you go about doing so?

As responses begin to come in, I'll present my views, so that others can critique/discuss them.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 18/10/2005 12:30 am
nbeattie
(@nbeattie)
Junior Member

Are we talking about collecting evidence that is admissible in a court of law?

Also, what do you mean by a live system - do you mean one that is connected to a network with people accessing it ?

Surely the process would depend on what you are trying to prove.

If it is the existence of a file on a server, then this would be no problem on a live system.

Posted : 18/10/2005 1:50 am
keydet89
(@keydet89)
Community Legend

Excellent questions!

Are we talking about collecting evidence that is admissible in a court of law?

Let's say that you're investigating a system that may be subject to further investigation by LEOs, and may end up going to court. However, at this time, that doesn't appear to be the case.

There's a reason I'm bringing up this specific type of incident…it's what many professional incident responders are being called to respond to. I've been confirming this with several folks who do this sort of thing, exclusively, for a living.

What's happening is that laws such as SB-1386 require reporting of security incidents (in the case of SB-1386, for incidents involving the exposure of personal data of CA residents), and corporations do not want to report an incident (a) when there isn't one, and (b) until they fully understand the nature of the incident. Why call law enforcement if you don't know the extent of the incident? Law enforcement involvement leading to public disclosure is one of the biggest reasons companies are reporting in surveys for NOT calling law enforcement.

Continuing…for the purposes of this example, let's say that it's a user or employee's workstation, and doesn't offer up any services (i.e., it's not a public web server). The concern in this case is that the employee has stolen data, and may have installed a Trojan or backdoor.

So…what's a "forensically sound" process for removing and analyzing volatile data?

Now, let's say you have an e-commerce server (web server, with the database backend located on another system)…what do you do to determine whether the system has been compromised and/or malware installed, knowing that you can't take the system down? How do you collect and analyze data in a "forensically sound" manner?


Posted : 18/10/2005 3:05 am
Juniper
(@juniper)
Junior Member

I am in no way an expert at this, however, here are my opinions

A forensically sound process in the example case would be to gather evidence without disturbing the "live system", i.e., you do not make any changes to the system while you conduct the investigation. There are many methods available to do this.

This is the least one can expect should the case end up in court.

More importantly, all the actions you take once the case is presented to you should be viewed as something that should withstand the scrutiny of other experts in the field as well as some clever lawyers.

- Making an initial assessment
- Creating a detailed & proven methodology of how you are going to approach the case
- Recognising what tools you will need to conduct the investigation
- Recognising the risks involved
- Analyse and/or recover the evidence
- Investigate/scrutinise your findings
- Complete the case

In my opinion each of the above is as important as the other. Professionalism is paramount.

The words "proven methodology" are key. I do not think this is any different than using the words "forensically sound". I think the whole process - from start to finish - should be conducted according to standard procedure, and herein lies the problem. The processes involved would, I suspect, be different from country to country and even state to state (America).

Juniper

Posted : 18/10/2005 1:35 pm
keydet89
(@keydet89)
Community Legend

Juniper,

Excellent comments!

More importantly, all the actions you take once the case is presented to you should be viewed as something that should withstand the scrutiny of other experts in the field as well as some clever lawyers.

and

The words "proven methodology" are key.

Agreed.

Now…what, in your mind, would that methodology consist of? What information would you collect, and how would you recommend collecting it (i.e., which tools)? How would you implement that process/methodology, given the example cases?

This is what I'm trying to get at. I have my own opinion as to how to implement the process/methodology, but as you said, it has to stand up to scrutiny by other professionals in the field. So how do we go about setting up such a process/methodology?

The processes involved would, I suspect, be different from country to country and even state to state (America).

Can you elaborate on why that would be the case?

Thanks!


Posted : 18/10/2005 5:21 pm
armresl
(@armresl)
Community Legend

"Let's say that you're investigating a system that may be subject to further investigation by LEOs, and may end up going to court. However, at this time, that doesn't appear to be the case."

Every case should be handled like it will be going to court and that there will be an expert on the other side who rivals or surpasses your intelligence on the subject matter.

Posted : 20/10/2005 12:41 am
arashiryu
(@arashiryu)
Active Member

http://www.techpathways.com/prodiscoverir.htm

Posted : 20/10/2005 1:48 am
T_Oliver
(@t_oliver)
New Member

My comments relate to the UK and in particular the ACPO guidelines.

My personal view is that many people get far too hung up about what is and is not a forensically sound process.

The ultimate aim of the process is to recover evidence from any computer and demonstrate to a court that the evidence is both accurate and reliable.

Under normal circumstances with static computer data, this will mean that the process of imaging the computer is documented, and should someone else do exactly the same at a later time, the result will be exactly the same.

However, should some situation occur in which the result is not the same, document the reasons for this, and explain what the effect is on the reliability of the evidence.

A good example, is a laptop I dealt with. There was no way to remove the battery without lifting the screen and removing the keyboard, at which point the hard drive booted up. The result being a few files were accessed before I could shut the machine down and remove the battery.

So what is the effect of this? I have documented that it happened, and importantly why it happened. Other than smashing open the bottom of the laptop, there was no other way to get into it (except I couldn't boot from CD or floppy etc.).

Next issue is: what is the effect? I can explain and show exactly what happened and why and what the result was (which files had MAC times changed etc.). Also I explain what the result of these changes was on the 200 pictures relevant to the case.

The reality is that I dealt with the laptop in a manner that I considered best. If someone wished to challenge that, then they could explain to a court how they would have done it better and, most importantly, what effect the 'better way' would have had on the evidence. In my 4 1/2 years of computer forensic experience (17 years as a Police Officer in total), the courts would be very unlikely to make my evidence inadmissible.

So to briefly equate this to a live server situation, we recover the evidence in a way that is most accurate and reliable based upon the capabilities of the industry at this time (best tools and techniques available), but if that means some evidence is potentially lost or altered in some small way, document and explain why, and the consequences.

'Forensically sound' to me is creating the most accurate and reliable copy and analysis of computer data based upon the individual circumstances of the case. This will differ greatly between an unpowered stand-alone computer and a running server in a corporate environment.

Posted : 22/10/2005 2:21 am
Kamal_dave_advocate
(@kamal_dave_advocate)
New Member

Dear All,

To introduce myself to you, I am from India and an advocate by profession and member of Supreme Court of India Bar Association.

The discussions here are very interesting and with good technical support. I appreciate the forum members & the administrator.

I feel that forensic science is applicable irrespective of nationality; however, the interpretation may need a different approach.

As far as computer forensics is concerned, as per Indian law, foreign judgements and law can be considered as a basis for interpreting the case.

Thanks & Regards

Kamal Dave
Advocate & Legal Advisor
[email protected]

Posted : 02/12/2005 7:52 pm
mark777
(@mark777)
Active Member

With the default encryption and security methods proposed for the Microsoft Longhorn system that will no doubt be with us shortly, it is a good question to put, as it would appear that if, like now, we "pull the plug" on a running system, the data it contains will most likely be unretrievable. It would seem likely that these will have to be examined in a running state.

Personally, "forensically sound" to me is an assessment of the situation, the reaching of reasonable and justifiable conclusions in respect of that situation, and the carrying out of whatever processes are necessary to retrieve the data in the best possible way.

All of the above must be fully recorded with the reasoning behind them and hopefully at the end of the day you do what you think is best for all the right reasons and the courts and other side agree with you.

Posted : 02/12/2005 11:19 pm
yey365
(@yey365)
New Member

Hi guys.

Here goes with my two-pence-worth

I would utilise my current toolkit to conduct a live collect on the network against the MAC or IP address of the target system in order to ascertain whether the "stolen" data is traversing the network, either originating from or going to the suspect system. The collect will also identify whether the web server has been compromised, as malware will be identified during this process. If the collect generates sufficient reasonable grounds to suspect the individual(s) using the suspect system are committing a breach of security, then it would mandate a system-level interrogation that I would employ either EE against or, preferably, I would use something like Helix to access the system that cannot be taken down and Netcat off the image to a remote storage device for later examination.

This whole process relates to having a forensic toolkit rather than reliance on one piece of software and is fundamentally underpinned by the ACPO Guidelines, against which all work is undertaken.

As for what tool to use to do the initial network collect - I use an award winning network forensics tool from an A List company though it is not EE.

Hope this goes some way to explaining an approach,

Jim

Posted : 03/12/2005 6:08 pm
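The thread converges on one practical definition: run a fixed, documented set of tools in order of volatility, get the output off the box (e.g. via Netcat to the responder's storage, as the post above describes), hash what you received, and record every deviation so its effect can be explained later. The block below is an added example of the collection-side bookkeeping, not code from the thread or from any poster or tool mentioned in it. The tool list, host name, examiner name and captured outputs are constructed assumptions; in practice the outputs would be the files written by the listening Netcat on the responder's machine.

```python
"""Added example: build and verify a tamper-evident manifest for volatile
data collected from a live Windows host. Not from the forum thread."""
import hashlib
import json
from datetime import datetime, timezone

# Order of volatility, most volatile first (as in RFC 3227). The tools and
# arguments are assumed examples of what a trusted, statically built
# responder toolkit might carry; they are not taken from the thread.
COLLECTION_ORDER = [
    ("netstat", ["-ano"]),     # connections and owning PIDs
    ("tasklist", ["/v"]),      # running processes
    ("psloggedon", []),        # logged-on users
    ("ipconfig", ["/all"]),    # interface configuration
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(outputs, host, examiner, clock=None, deviations=None):
    """Record what was run, in what order, when, and the hash of what came back.

    outputs    : dict tool -> raw bytes received on the collection host
    clock      : callable returning an aware datetime (injectable for tests)
    deviations : notes on anything that did not go to plan, so the effect on
                 the evidence can be explained rather than hidden
    """
    now = clock or (lambda: datetime.now(timezone.utc))
    entries = []
    for tool, args in COLLECTION_ORDER:
        if tool not in outputs:
            raise ValueError(f"no captured output for {tool}")
        started = now().isoformat()
        data = outputs[tool]
        entries.append({
            "seq": len(entries) + 1,
            "tool": tool,
            "args": args,
            "started_utc": started,
            "finished_utc": now().isoformat(),
            "bytes": len(data),
            "sha256": sha256_hex(data),
        })
    body = {
        "host": host,
        "examiner": examiner,
        "entries": entries,
        "deviations": list(deviations or []),
    }
    # Hash the canonical serialisation so edits to the manifest itself show up.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["manifest_sha256"] = sha256_hex(canonical)
    return body


def verify_manifest(manifest, outputs):
    """Return the names of tools whose stored hash or size no longer matches
    the output data, plus 'manifest' if the manifest body itself was altered."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    bad = []
    if sha256_hex(canonical) != manifest["manifest_sha256"]:
        bad.append("manifest")
    for e in manifest["entries"]:
        data = outputs.get(e["tool"], b"")
        if len(data) != e["bytes"] or sha256_hex(data) != e["sha256"]:
            bad.append(e["tool"])
    return bad


# Constructed sample captures; not real output from any system.
SAMPLE_OUTPUTS = {
    "netstat": b"  TCP    10.0.0.5:445    10.0.0.9:49152   ESTABLISHED   4\r\n",
    "tasklist": b"svchost.exe   912 Services   0   5,120 K\r\n",
    "psloggedon": b"Users logged on locally:\r\n  CORP\\jsmith\r\n",
    "ipconfig": b"   IPv4 Address. . . . : 10.0.0.5\r\n",
}

if __name__ == "__main__":
    m = build_manifest(SAMPLE_OUTPUTS, host="WS-0417", examiner="responder",
                       deviations=["tasklist took 40 s; host under load"])
    print(json.dumps(m, indent=1))
    print("mismatches:", verify_manifest(m, SAMPLE_OUTPUTS))
```

The manifest deliberately records the tool arguments and timestamps, because running anything on a live host changes it (a new process, prefetch entries, memory paged out); what makes the collection defensible is not the absence of change but the ability to state exactly what was run and when, and to show that the copy examined later is the copy that was received.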