DERS Forensic Mission
The mission of the Digital Evidence Recovery Specialists (DERS) with regard to computer forensics is to provide forensically sound services in the areas of evidence acquisition, storage and analysis to DERS clients.
Operational Authority
The operational authority under which DERS provides computer forensics services is defined in each client's Statement of Work or Business Partner Agreement. Each Statement of Work provides explicit guidelines by which DERS performs forensic services, including the points at which management escalation and law enforcement engagement may occur.
Any decision to engage local, state or federal law enforcement organizations remains at all times within the purview of the client.
Data Retention
Civil litigation can take years to complete, so the retention period for evidence is tied to the ultimate resolution of the incident. Litigation and criminal prosecution may be subject to appeal, extending the time for which evidence must be preserved. Evidence must therefore be retained indefinitely unless the client or client legal counsel directs otherwise.
Hardware
DERS forensic analysts are each equipped with a standard set of tools available for use during both acquisition and analysis. Each analyst deployed to a site or local situation carries a forensic fly away kit, which may consist of the following equipment:
- Portable computer / laptop
- IEEE 1394 FireWire 160GB external drive
- Firefly write-blocking device
- Portable acquisition device
In addition to the hardware that comprises the kit, cables and converters are housed within each Pelican case to accommodate the many device types encountered during acquisition. Each fly away kit may also be equipped with the following:
- 5’ CAT 5 networking cable
- 5’ CAT 5 crossover cable
- 5’ modem cable
- 2.5” HDD IDE to standard laptop converter (Quantity 2)
- IDE to FireWire bridge board, case mount
- PCI Dual IDE Bridge Card
Each situation is unique. Additional equipment and adapters may be utilized as required to complete the task.
Software
In addition to the base operating system, security updates and the utilities needed to drive the supplemental hardware, each kit is equipped with forensic software for the acquisition and analysis of suspect media. Forensic software packages currently authorized for inclusion in the fly away kit are:
- Guidance Software EnCase
- AccessData Forensic Toolkit (FTK)
- SMART (ASR Data)
- Maresware
- Helix Forensic and Incident Response Environment Bootable Linux CD
- @Stake Pocket Security Toolkit Bootable Linux CD
Although any of the authorized packages can be used for preview and acquisition, Guidance Software's EnCase and AccessData's FTK are the preferred packages for analysis of evidence acquired as part of an incident or investigation.
Miscellaneous
To ensure that each seizure is conducted in a standard manner, each DERS forensic analyst shall carry, at a minimum, the following:
- Static free bags (Quantity 15)
- Ties (Quantity 20)
- Labels (Quantity 20)
- Screwdriver tool kit (Quantity 1)
- Mini MAG-Lite (2 spare AAA batteries, 1 Spare Bulb)
- Evidence Form (Quantity 20)
- DERS Forensic Acquisition Forms (Quantity 20)
- Forensic Inventory Assessment Form (Quantity 20)
- HDD Packaging Materials
- Power Strip
- Legal Pad
- Disposable Camera with flash (Quantity 2) or digital camera
- Static discharge precautionary devices
Intelligence Gathering
To ensure the fullest possible understanding of the impending acquisition/seizure, DERS forensic analysts will obtain a situational background before arriving at any local or remote environment to acquire or seize evidence. Information for the situational background should be collected from multiple trusted sources, which should include a variety of the following client personnel: local physical security manager, local information security manager, the employee's direct supervisor, systems administrator, security administrator, and peers (with manager approval). At a minimum the situational background should cover the following areas:
- Type and Number of Systems (including operating system types, serial numbers, etc.)
- Site Information – This helps the forensic analyst understand the location of the system(s) in question. The facility layout should be well understood so as to avoid any confusion upon entry and exit. An escort may be required to locate devices. The condition of the facility should also be taken into account, since a facility that is dangerous, in disrepair, or otherwise hostile may damage the forensic equipment.
- Personnel Information – The forensic analyst should gain insight into the nature of the employee's activities prior to the need for investigation arising. Additionally, the analyst should gather as much information as possible about local contacts who can assist in obtaining access to facilities and equipment.
- Physical Access Considerations – The forensic analyst must understand the best time for acquisition/seizure and any need for a physical security presence.
After this information has been gathered to compose the situational background, the forensic analyst must take the time to discuss the options of equipment seizure vs. data acquisition with the requesting party (legal department, operational and functional management organizations, etc.) for any systems that may be affected. The forensic analyst must be prepared to provide them with a brief written overview of how operations may be affected. The overview must also advise them of the available options, noting the benefits, drawbacks and challenges that each presents for acquisition, business continuity and security of the data in question.
Equipment Seizure
Physical evidence must be collected and preserved using an appropriate chain of custody. A lockable room, storage locker or evidence room will be provided for securing evidence. Only two people, the custodian of the evidence and the forensic analyst, should have access to the room, cabinet or locker. All transfers of evidence must be thoroughly documented and signed for. At no time should the custodian of the evidence be unaware of its location or physical security.
Evidence must be protected and preserved once it has been seized. Improper handling, labeling, and storage could destroy valuable evidence or render it inadmissible. All persons involved in the chain of custody must follow these guidelines to protect and preserve evidence.
Any equipment that cannot be seized must have its bit stream image completed before the forensic analyst and witness leave the site. The bit stream imaging procedure followed by the forensic analyst during an on-site acquisition will be consistent with the methods used for acquisition within the DERS forensic lab.
Secure and Document Scene
Forensic activities can take two general forms: low profile and standard profile.
A low profile mission involves conducting forensic tasks in an environment in which affected parties may not be aware of the activities taking place. The forensic analyst must act in a manner that does not draw attention to the work being performed. Due to the nature of this mission, the analyst will not disclose the true nature of the work to anyone who is not authorized by the initiating party. The analyst will conduct the mission in the most appropriate manner for the situation at hand and may be required to modify standard procedures to accomplish the mission while still ensuring an acceptable work product.
A standard profile mission is one in which the analyst's mere presence is not sensitive. The first step taken by a forensic analyst arriving on site is to ensure that physical access to the system(s) in question is restricted where possible. The restriction of physical access can be performed in conjunction with local physical security representatives, the operational manager, the functional manager, or a designated party. Some cases (human resource issues, legal inquiries, etc.) may require a low profile presence; these activities should be conducted in the fashion requested by the initiating party. For intrusion cases, the forensic analyst should take due care to arrive on scene with a credible witness who has the authority to help secure the area. Once the security of the immediate area has been established, the forensic analyst should use the resources provided within the fly away kit to document the environment in detail.
Equipment Seizure
There are several options for seizing equipment: the entire system method, the drive method, and the drive replacement method.
Entire System Method
When securing computers on scene as evidence, the following steps must be followed to ensure that nothing is done that might limit the admissibility of later forensic findings. The guidelines are as follows but may be modified as the situation requires:
If the computer is "ON" and is of the Windows 9x/ME family or is a stand-alone Windows NT/2000/XP system (i.e. not acting as a server), the following steps should be taken:
Photograph the screen [if permissible at location]. (If the display is off but plugged in, it may be powered on to check for current activity.) Then:
Disconnect the power source from the CPU by unplugging it at the back of the computer (and also remove battery packs from laptops).
Follow the process for an "OFF" computer.
If the computer is "OFF", do not turn it "ON". The analyst should check not only for an indication of power but also for running fans or dormant status lights.
Disconnect power sources from peripherals.
Photograph/diagram and label back of computer components with existing connections.
Label all connectors/cable ends to allow reassembly as needed. (See labeling subsection)
If transport is required, package the components and transport/store them as fragile cargo.
Keep away from magnets, radio transmitters and otherwise hostile environments.
If the computer is "ON" and is a networked or business computer of the Windows NT/2000/XP, UNIX or Linux variety, the following steps must be taken. Failure to follow these steps could severely damage the system, disrupt legitimate business or create unnecessary liability for DERS.
Photograph the screen.
Have a computer specialist perform a normal shutdown, as disconnecting the power at the back of the computer may have damaging effects on the file system. If no specialist is available, consult with the initiating party and determine the course of action to be taken. Proceed only when prepared.
Disconnect all power sources; unplug from the back of the computer
Place evidence tape over each drive slot.
Photograph/diagram and label back of computer components with existing connections.
Label all connectors/cable ends to allow reassembly as needed. (See labeling subsection)
If transport is required, package the components and transport/store them as fragile cargo.
Keep away from magnets, radio transmitters and otherwise hostile environments.
Drive and Drive Replacement Method
If the computer is "ON" and is of the Windows 9x/ME family or is a stand-alone Windows NT/2000/XP system (i.e. not acting as a server), the following steps should be taken:
Photograph the screen [if permissible at location]. (If the display is off but plugged in, it may be powered on to check for current activity.) Then:
Disconnect the power source from the CPU by unplugging it at the back of the computer (and also remove battery packs from laptops).
Follow the process for an "OFF" computer.
If the computer is "OFF", do not turn it "ON". The analyst should check not only for an indication of power but also for running fans or dormant status lights.
Disconnect power sources from any peripherals.
Photograph/diagram and label back of computer components with existing connections (if possible).
Remove the hard drive(s), inventory them, and place them in a static bag once cooled.
For the drive replacement method, copy the hard drive to a new hard drive and place the new drive back into the system. The original drive is retained.
If transport is required, package the components and transport/store them as fragile cargo.
Keep away from magnets, radio transmitters and otherwise hostile environments.
If the computer is "ON" and is a networked or business computer of the Windows NT/2000/XP, UNIX or Linux variety, the following steps must be taken. Failure to follow these steps could severely damage the system, disrupt legitimate business or create unnecessary liability for DERS.
Photograph the screen.
Have a computer specialist perform a normal shutdown, as disconnecting the power at the back of the computer may have damaging effects on the file system. If no specialist is available, consult with the initiating party and determine the course of action to be taken. Proceed only when prepared.
Disconnect all power sources; unplug from the back of the computer
Photograph/diagram and label back of computer components with existing connections.
Label all connectors/cable ends to allow reassembly as needed. (See labeling subsection)
Remove the hard drive(s), inventory them, and place them in a static bag once cooled.
For the drive replacement method, copy the hard drive to a new hard drive and place the new drive back into the system. The original drive(s) are retained.
If transport is required, package the components and transport/store them as fragile cargo.
Keep away from magnets, radio transmitters and otherwise hostile environments.
Network/Enterprise Acquisitions
Additional techniques may be utilized depending upon the nature of the case and the technology available.
Technology is available to allow drive acquisition to be conducted via an enterprise solution. This methodology uses a commercial software agent that allows an investigator to remotely image one or more systems. The method does not require any downtime on the device in question and typically does not require any travel on the part of the analyst.
Labeling
The requirements for labeling collected evidence are:
- Each hard drive should be placed in a static-free envelope or evidence bag and then sealed. Caution should be exercised when sealing the bag so as not to make it airtight.
- All other evidence seized shall be placed in a labeled storage container based on evidence type and the location where the evidence was found.
- A label containing your signature, the date, a complete description of the contents and an identification number should be placed over the envelope seal so that any tampering with the contents is evident.
- Anyone who takes possession of the evidence must sign and date the Chain of Custody Documentation.
- Envelopes should be placed into the secure evidence safe or filing cabinet.
- Label all equipment and cables with tags. Make sure that all cables and connections are labeled so that they can be reconnected in the proper order.
- A forensic inventory assessment must be completed for all evidence seized.
Evidence Transport
Evidence being transported must continue to conform to chain of custody requirements. At no time should evidence be out of the direct control of the custodian. When evidence, such as computers or hard drives, must be transported in a manner that places it outside the custodian's direct control, it must be sealed in packaging that will reveal any attempt at tampering and transported by an agency that can attest to its specific location and handling. Examples would be UPS, Federal Express or airline counter-to-counter service. Signed acceptance (i.e., via a signed air bill) must be obtained by the custodian, and the receiver (when delivered by the shipper) must take immediate, personal custody and obtain a delivery signature from the delivery agent. U.S. mail is not an acceptable method of transport in most cases. The packaging must provide proper protection against damage while en route; this includes, but is not limited to, foam packaging, static bags, and sturdy boxes.
Evidence Logging
In order to ensure that the chain of custody is maintained from seizure or acquisition until the investigation has concluded and the evidence returned to the rightful owner, all movements must be tracked. The evidence tracking is accomplished through the use of the DERS Evidence Form (Evidence Submission Form). This form will be maintained in hard and soft copy format at all times to allow the tracking of each piece of evidence during the course of an investigation.
Storage
The DERS office provides a storage facility for computer evidence within a secured area that also is physically located within the forensic lab. Locking filing cabinets are available to secure data and a safe is available for more sensitive data. The safe combination is only available to senior analysts and is changed should one of those members separate from the group. All case information is labeled with fictitious names that do not reflect any client information or association.
Any DERS facility utilized to store forensic evidence must meet the following conditions:
- Locked at all times.
- All visitors must be escorted at all times.
- Document all evidence entered into or checked out of the storage facility (Evidence Submission Form).
- Meet all temperature, light, and humidity requirements of all electronic media.
- Must utilize equipment that can provide an audit trail of access to the storage facility.
Evidence Media Acquisition
All evidence that is to be acquired for forensic analysis should be obtained via a method that is consistent with bit stream acquisition. At this time the two methods for acquiring raw data are EnCase and dd. Such data can be loaded onto an appropriate forensic workstation and analyzed using EnCase forensic software. The copy may then be analyzed off-line for evidence. Copies of the EnCase evidence files are then burned onto non-changeable media (CD-ROM, DVD, etc.), with the originals secured in the CIRT evidence safe. A working copy is placed on a hard drive (internal or external) and accessed by the forensic workstation for additional analysis. Starting with acquisition, all forensic analysis activities on evidence must be recorded using the DERS Forensic Notes log.
Depending on the amount of time that has elapsed since the incident occurred, circumstances may dictate that only an alternative image is available. In that case, images from the following applications may need to be used:
- Norton Ghost – using the appropriate flags
- Exchange mail archive or an alternative mail archive
- CA backup software, etc.
Bit Stream Acquisition
The following work instructions outline the procedure normally used for bit stream acquisition(s).
- Transport the logged suspect computer/hard drive into the lab and make the appropriate entries on the Evidence Submission Form and chain of custody documentation.
- Dismantle the system and extract the hard drive.
- Enter the hard drive information on the Evidence Submission Form and include it in the case report.
- Photograph the hard drive on all sides where any writing occurs.
- Put the hard drive information and photos into the lab case evidence envelope.
- Attach the suspect hard drive to a forensic workstation, through the write-blocking device, to acquire an image of the drive.
- Start the forensic workstation with the forensic software and record all information related to the suspect's hard drive and case.
- Create the initial image of the suspect drive.
- Once the initial image is complete, turn off the forensic workstation and disconnect the suspect hard drive.
- Reboot the forensic workstation and, once Windows is running, open the forensic program.
- Start a new case and import the suspect image.
- After the suspect image has been successfully imported into EnCase, transport the suspect's computer/hard drive to evidence storage and make the appropriate entries on the Evidence Submission Form.
- Start examination of suspect drive.
- Once examination is complete, burn the evidence files to non-changeable media for storage and possible future examination.
- Print the final report twice: one working copy and one to be put into the lab case folder along with the non-changeable backups for future viewing and, if needed, case preparation for litigation.
- If the suspect hard drive is being kept, store it in a static-free bag and put it into the lab case folder. If not, return it to its original computer and ship it back to the manager of the individual being investigated. (If during the course of the investigation the hard drive has been found to contain contraband, you must perform a DoD wipe of the suspect's hard drive before shipping it back.) If shipped back, make the appropriate entries on the Evidence Submission Form.
- Put a copy of the shipping label into the lab case folder for future reference if necessary.
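The dd-based acquisition named above, together with the hash verification that makes the image defensible, as an added example written for this page rather than code from the DERS procedure. The function names (acquire_image, verify_image, sha256_of, demo_acquisition) and the log format are assumptions; it assumes the source is attached behind the kit's write-blocker and that sha256sum or shasum is present on the forensic workstation. The stand-alone demo runs against a constructed 64 KiB file standing in for a drive, not real evidence.

```shell
#!/bin/sh
# Added example (not part of the DERS procedure): bit stream acquisition of a
# source device with dd, followed by hash verification of source and image.
# Assumptions: the source is attached behind a hardware write-blocker, and
# sha256sum (or shasum) is available on the forensic workstation.

# Portable SHA-256 of a file: prints only the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
#   Images SOURCE to IMAGE sector by sector, hashes both, and appends the
#   result to LOG (the analyst's acquisition record). Returns 0 when the
#   image hash matches the source hash, 1 otherwise.
acquire_image() {
    src=$1; img=$2; log=$3

    # bs=512 matches the sector size of IDE/ATA drives; noerror continues
    # past unreadable sectors and sync pads them with zeros so the image
    # stays sector-aligned with the source. Read errors still appear on
    # stderr (kept in $img.dd.err) and must be noted in the case log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.err" || return 1

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")

    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src sha256=$src_hash"
        echo "image=$img sha256=$img_hash"
        echo "dd_stderr=$(tr '\n' ' ' <"$img.dd.err")"
    } >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
#   Re-hashes a stored image and checks it against the hash recorded in LOG;
#   run this on the working copy before each examination session.
verify_image() {
    img=$1; log=$2
    recorded=$(grep -F -- "image=$img sha256=" "$log" | tail -n1 | sed 's/.*sha256=//')
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Stand-alone demonstration on a constructed "device" (a 64 KiB file, a
# whole number of 512-byte sectors) rather than a real drive.
demo_acquisition() {
    work=$(mktemp -d)
    yes "constructed sample sector data" | head -c 65536 >"$work/suspect.dev"
    acquire_image "$work/suspect.dev" "$work/suspect.dd" "$work/acq.log" \
        && verify_image "$work/suspect.dd" "$work/acq.log"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

The source hash is computed after imaging, so a source that changed under the analyst (no write-blocker, a live system) shows up as a mismatch rather than being silently carried into the case. Because conv=sync pads short reads to the block size, the image of a drive with bad sectors will not hash equal to the source; the dd stderr captured in the log is the record of why.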
Wiping Media
Hard drives used for investigative purposes should be properly prepared before use. The media should be wiped using a DoD-approved wiping utility such as Declassify by Maresware. The drive shall be wiped with a minimum of three passes to ensure that all data has been overwritten. EnCase drive wiping may be used for cleansing lab drives. Media should be wiped before being used to hold data, and after use if the data contains contraband items.
Other circumstances may also require that media be wiped. Media that is to be returned to its original owner must be wiped before return if it contains any type of contraband.
To wipe media with Declassify:
- Connect the drive to a forensic workstation or place Bootable CD in subject machine.
- Boot to a DOS bootable disk containing the wipe utility.
- Enter the proper command to perform the DoD wipe.
- Once the utility has finished, power the system down.
- Disconnect the drive.
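The three-pass overwrite and the verification that the wiped lab drive really is clean before it is reused, as an added example written for this page; it is not Declassify, EnCase, or any DERS tool. The function names (overwrite_pass, wipe_media, verify_wiped, demo_wipe) and the pass order are assumptions, as is the caller knowing the target's size in bytes. Overwriting is only meaningful for magnetic media; flash and SSD storage remap sectors and need the device's own secure-erase command instead.

```shell
#!/bin/sh
# Added example (not part of the DERS procedure): a three-pass overwrite of
# a lab drive followed by a verification pass, in the spirit of the DoD wipe
# above. Assumptions: TARGET is a block device (or, for testing, a regular
# file) the workstation may write to, and BYTES is its size. Magnetic media
# only; flash/SSD storage must use the device's secure-erase command.

# pattern_stream BYTES PATTERN
#   Emits BYTES bytes of the named pattern: zero (0x00), ones (0xFF) or random.
pattern_stream() {
    case $2 in
        zero)   head -c "$1" /dev/zero ;;
        ones)   head -c "$1" /dev/zero | tr '\000' '\377' ;;
        random) head -c "$1" /dev/urandom ;;
    esac
}

# overwrite_pass TARGET BYTES PATTERN
#   One full pass over the target. conv=notrunc keeps a regular-file target
#   at its original size; on a block device it has no effect.
overwrite_pass() {
    case $3 in
        zero|ones|random) ;;
        *) echo "unknown pattern: $3" >&2; return 2 ;;
    esac
    pattern_stream "$2" "$3" | dd of="$1" bs=512 conv=notrunc 2>/dev/null
}

# verify_wiped TARGET BYTES
#   Reads the target back and succeeds only if every byte is 0x00, which is
#   what the final pass leaves behind.
verify_wiped() {
    [ "$(head -c "$2" "$1" | tr -d '\000' | wc -c | tr -d ' ')" = 0 ]
}

# wipe_media TARGET BYTES
#   Three passes (ones, random, zeros) then verification. Returns non-zero
#   if any pass fails or the read-back is not all zeros; a drive that fails
#   here must not be used to hold evidence.
wipe_media() {
    for p in ones random zero; do
        overwrite_pass "$1" "$2" "$p" || return 1
    done
    verify_wiped "$1" "$2"
}

# Stand-alone demonstration on a constructed 8 KiB file carrying a marker
# string, standing in for a lab drive that once held contraband.
demo_wipe() {
    work=$(mktemp -d)
    yes "CONTRABAND marker text" | head -c 8192 >"$work/lab.dev"
    wipe_media "$work/lab.dev" 8192 && ! grep -q CONTRABAND "$work/lab.dev"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

The verification pass is the part that satisfies the "verified before use" requirement in the Analysis section: a pass that ran but did not reach the end of the device (a read-only mount, a smaller-than-expected target) is caught when non-zero bytes come back.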
Analysis
All items that are to undergo forensic analysis by DERS must be isolated and brought into the forensics lab. Currently the lab consists of a segregated private 10/100 Mb/s network located in a secure area, with a variety of platforms available for forensic analysis. The equipment can be used to examine scenarios and to load evidence data for further analysis. At present, access to the area is limited to approved DERS forensic analysts from that geographic area.
Evidence shall be stored in the locked evidence room when not signed out to an analyst. In general, the best evidence image should only be accessed so that an investigative copy can be made.
All system information collected should be reviewed systematically. A copy of each evidence file will be made and used as a working copy. At no time should the original file be used. All findings should be noted within the case notes for the case.
It is acknowledged that almost all forensic examinations of computer media differ and cannot be conducted in exactly the same manner, for numerous reasons; however, there are four essential requirements of a forensic examination.
These are:
- Forensically sterile conditions must be established. All media utilized during the examination process is freshly prepared, completely wiped of all data, scanned for viruses and verified before use.
- The examination must maintain the integrity of the original media.
- All forensic analysis activities of evidence must be recorded (DERS Process Sheet and DERS Notes log to maintain permanent records of investigation activities)
- Printouts, copies of data and exhibits resulting from the examination must be properly marked, controlled, and transmitted.