What is "forensically sound"?

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

What constitutes a "forensically sound" process?

Let's begin from a common starting point…a live Windows system that cannot be taken down. Generally speaking, what constitutes a "forensically sound" process for collecting data from that system?

Then, how would you go about doing so?

As responses begin to come in, I'll present my views, so that others can critique/discuss them.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 17/10/2005 11:30 pm
(@nbeattie)
Posts: 26
Eminent Member
 

Are we talking about collecting evidence that is admissible in a court of law?

Also, what do you mean by a live system - do you mean one that is connected to a network with people accessing it?

Surely the process would depend on what you are trying to prove.

If it is the existence of a file on a server, then this would be no problem on a live system.

 
Posted : 18/10/2005 12:50 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Excellent questions!

Are we talking about collecting evidence that is admissible in a court of law?

Let's say that you're investigating a system that may be subject to further investigation by LEOs, and may end up going to court. However, at this time, that doesn't appear to be the case.

There's a reason I'm bringing up this specific type of incident…it's what many professional incident responders are being called to respond to. I've been confirming this with several folks who do this sort of thing, exclusively, for a living.

What's happening is that laws such as SB-1386 require reporting of security incidents (in the case of SB-1386, for incidents involving the exposure of personal data of CA residents), and corporations do not want to report an incident (a) when there isn't one, and (b) until they fully understand the nature of the incident. Why call law enforcement if you don't know the extent of the incident? Law enforcement involvement leading to public disclosure is one of the biggest reasons companies are reporting in surveys for NOT calling law enforcement.

Continuing…for the purposes of this example, let's say that it's a user or employee's workstation, and doesn't offer up any services (i.e., it's not a public web server). The concern in this case is that the employee has stolen data, and may have installed a Trojan or backdoor.

So…what's a "forensically sound" process for removing and analyzing volatile data?

Now, let's say you have an e-commerce server (web server, with the database backend located on another system)…what do you do to determine whether the system has been compromised and/or malware installed, knowing that you can't take the system down? How do you collect and analyze data in a "forensically sound" manner?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 18/10/2005 2:05 am
(@juniper)
Posts: 37
Eminent Member
 

I am in no way an expert at this, however, here are my opinions.

A forensically sound process in the example case would be to gather evidence without disturbing the "live system", i.e. you do not make any changes to the system while you conduct the investigation. There are many methods available to do this.

This is the least one can expect should the case end up in court.

More importantly, all the actions you take once the case is presented to you should be viewed as something that should withstand the scrutiny of other experts in the field as well as some clever lawyers.

Making an initial assessment.
Creating a detailed & proven methodology of how you are going to approach the case.
Recognising what tools you will need to conduct the investigation.
Recognising the risks involved.
Analyze and/or recover the evidence.
Investigate/scrutinize your findings.
Complete the case.

In my opinion each of the above is as important as the other. Professionalism is paramount.

The words "proven methodology" are key. I do not think this is any different than using the words "forensically sound". I think the whole process - from start to finish - should be conducted according to standard procedure and herein lies the problem. The processes involved would, I suspect, be different from country to country and even state to state (America).

Juniper

 
Posted : 18/10/2005 12:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Juniper,

Excellent comments!

More importantly, all the actions you take once the case is presented to you should be viewed as something that should withstand the scrutiny of other experts in the field as well as some clever lawyers.

and

The words "proven methodology" are key.

Agreed.

Now…what, in your mind, would that methodology consist of? What information would you collect, and how would you recommend collecting it (i.e., which tools)? How would you implement that process/methodology, given the example cases?

This is what I'm trying to get at. I have my own opinion as to how to implement the process/methodology, but as you said, it has to stand up to scrutiny by other professionals in the field. So how do we go about setting up such a process/methodology?

The processes involved would, I suspect, be different from country to country and even state to state (America).

Can you elaborate on why that would be the case?

Thanks!

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 18/10/2005 4:21 pm
(@juniper)
Posts: 37
Eminent Member
 

OK - In terms of "First Responders"

I think the ACPO guideline as outlined here would be a good start

In terms of collecting the physical evidence, I'm afraid I do not have the necessary skills or experience to comment.

In terms of differences of laws and methodology from country to country - it is too wide an issue to discuss, however, each forensic analyst should be aware of the laws where he/she operates. Also, importantly, they should be aware of policies and procedures pertaining to the individual businesses and companies they are operating in.

 
Posted : 19/10/2005 6:18 pm
(@armresl)
Posts: 1011
Noble Member
 

"Let's say that you're investigating a system that may be subject to further investigation by LEOs, and may end up going to court. However, at this time, that doesn't appear to be the case."

Every case should be handled like it will be going to court and that there will be an expert on the other side who rivals or surpasses your intelligence on the subject matter.

 
Posted : 19/10/2005 11:41 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

http://www.techpathways.com/prodiscoverir.htm

 
Posted : 20/10/2005 12:48 am
(@t_oliver)
Posts: 17
Active Member
 

My comments relate to the UK and in particular the ACPO guidelines.

My personal view is that many people get far too hung up about what is and is not a forensically sound process.

The ultimate aim of the process is to recover evidence from any computer and demonstrate to a court that the evidence is both accurate and reliable.

Under normal circumstances with static computer data, this will mean that the process of imaging the computer is documented, and should someone else do exactly the same at a later time, the result will be exactly the same.

However, should some situation occur in which the result is not the same, document the reasons for this, and explain what the effect is on the reliability of the evidence.

A good example is a laptop I dealt with. There was no way to remove the battery without lifting the screen and removing the keyboard, at which point the hard drive booted up. The result being a few files were accessed before I could shut the machine down and remove the battery.

So what is the effect of this? I have documented that it happened, and importantly why it happened. Other than smashing open the bottom of the laptop, there was no other way to get into it (except I couldn't boot from CD or floppy etc).

Next issue is, what is the effect? I can explain and show exactly what happened and why and what the result was (which files had MAC times changed etc.). Also I explain what the result of these changes were on the 200 pictures relevant to the case.

The reality is that I dealt with the laptop in a manner that I considered best. If someone wished to challenge that, then they could explain to a court how they would have done it better and most importantly what effect the 'better way' would have had on the evidence. In my 4 1/2 years of computer forensic experience (17 years as a Police Officer in total), the courts would be very unlikely to make my evidence inadmissible.

So to briefly equate this to a live server situation, we recover the evidence in a way that is most accurate and reliable based upon the capabilities of the industry at this time(best tools and techniques available), but if that means some evidence is potentially lost or altered in some small way, document and explain why, and the consequences.

'Forensically sound' to me, is creating the most accurate and reliable copy and analysis of computer data based upon the individual circumstances of the case. This will differ greatly between an unpowered stand-alone computer and a running server in a corporate environment.

 
Posted : 22/10/2005 1:21 am
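An added example (not code from any poster in this thread) of turning t_oliver's "document it, and show whether a second run gives the same result" into a by-product of collecting volatile data, which is also the kind of methodology keydet89 asked for. The commands are constructed stand-ins that run anywhere; in a real live response each would be your own collection tool.

```python
"""Collection manifest for live-response commands: records exactly what ran,
when, the hash of the tool binary, and the hash of what it produced, so the
documentation exists before anyone asks for it and a re-run can be compared
against it. Tool paths and commands below are assumptions, not thread content."""
import hashlib
import json
import os
import shutil
import subprocess
import sys
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return sha256_bytes(fh.read())


def run_and_record(argv: list) -> dict:
    """Run one collection command; return a manifest entry for it."""
    tool = shutil.which(argv[0]) or argv[0]      # resolve to the binary actually used
    started = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run(argv, capture_output=True, check=False)
    finished = datetime.now(timezone.utc).isoformat()
    return {
        "argv": argv,
        "tool_sha256": sha256_file(tool),         # proves which tool version ran
        "started_utc": started,
        "finished_utc": finished,
        "exit_code": proc.returncode,
        "stdout_sha256": sha256_bytes(proc.stdout),
        "stdout_bytes": len(proc.stdout),
    }


def same_result(entry: dict) -> bool:
    """Re-run a recorded command and report whether tool and output hashes match.
    True is what static data should give; False on a live system is expected for
    volatile data, and the two manifest entries document exactly what differed."""
    rerun = run_and_record(entry["argv"])
    return (rerun["tool_sha256"] == entry["tool_sha256"]
            and rerun["stdout_sha256"] == entry["stdout_sha256"])


def demo_manifest() -> list:
    """Constructed commands: one with fixed output (static) and one whose output
    changes every run (volatile), standing in for real collection tools."""
    py = sys.executable
    return [run_and_record([py, "-c", "import sys; sys.stdout.write('static')"]),
            run_and_record([py, "-c", "import os, sys; sys.stdout.write(str(os.getpid()))"])]


if __name__ == "__main__":
    print(json.dumps(demo_manifest(), indent=2))
```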
(@kamal_dave_advocate)
Posts: 4
New Member
 

Dear All,

To introduce myself to you, I am from India and an advocate by profession and member of Supreme Court of India Bar Association.

The discussions here are very interesting and with good technical support. I appreciate the forum members & the administrator.

I feel that forensic science is applicable irrespective of nationality, however, the interpretation may need a different approach.

As far as computer forensics is concerned, as per Indian law, foreign judgements and law can be considered as a basis for interpreting the case.

Thanks & Regards

Kamal Dave
Advocate & Legal Advisor
kamal_dave_advocate@yahoo.com

 
Posted : 02/12/2005 7:52 pm