The Best Practice for Evidence Collection and Forensic Analysis

Certification: Cisco CCIE Routing and Switching - Cisco Certified Internetwork Expert Routing and Switching


By Sherry G. Holland

Types of Evidence

Information or objects that might be entered to court for juries and judges to consider when hearing a case is called evidence. Evidence is in different sources, including genetic material or dental history or fingerprints or trace chemicals, and the list can go on and on. Evidence serves many roles in the investigation, such as reconstructing a crime, identity remains and an illicit substance.

Forensic science is the application of science and technologies to investigate after an incident establishing what has happened based on the evidence that is collected. The evidence is the information that is collected that will help to form a conclusion or judgment on an incident. Evidence can also be considered everything that you say and do because it is backing up and supporting what you say and do. People also consider numbers and quotes from famous people to be evidence. These are valid kinds of evidence, but there is more to it than just that. Evidence is considered to be the following types:

  • Statistical evidence is the type of data that people tend to look for when they are trying to prove their point. It is prevalent in our society as we see it today so this should not surprise anyone. Whenever numbers are used to support the main point, you will be relying on statistical evidence to support your statement. For example when McDonald’s said they served over 1 billion.
  • Testimonial evidence is a type of evidence that some turn to by those trying to prove their point. For example, when a lawyer relies on a witness so he will win a case.
  • Anecdotal evidence is a type of evidence that is underutilized because it is often dismissed as meaningless or untrustworthy. Normally this evidence is based on an observation but can be very useful when disproving a generalization because it only takes one claim to contradict the claim. When using this type of evidence one needs to be careful. The anecdote can disprove a claim if one is not careful. Evidence like that can be used to support claims especially in conjunction with other types. Wonderful examples like personal observations can introduce a topic and build upon that topic with statistical evidence so your information does not question the example.
  • Analogical evidence is also underutilize and is mainly used with an under-researched topic. For example is you don’t have statistics to use on a research topic that you are working on then analogical evidence is used.

General Principles During Evidence Collection

Some general principles that should help guide during an evidence collection situation is to:

  • Adhere to the appropriate Incident Handling and Law Enforcement personnel and the Security Policy of the site.
  • When gathering the evidence, capture the most accurate picture of the system as possible.
  • Ensure detailed notes are kept including dates and times and sign and date any print outs collected.
  • Denote whether UTC or local time is used.
  • Ensure notes are detailed in case you are called to testify years later.
  • As you are collecting the data minimize any changes and avoid updating directory or file access times.
  • Remove any external avenues for change.
  • If you are confronted with a choice to analyze or collect, the collection should be done first and analyze later.
  • Procedures should be implementable and procedures should be tested and verifiable.
  • A methodical approach for each device should be adopted so the guidelines can be spelled out in the collection procedures.
  • In the collection process, proceed from the volatile to the less volatile.
  • Respect any and all privacy rules and guidelines as well as any legal jurisdictions.
  • Do not intrude on the privacy without a strong justification.

Legal Considerations

When collecting computer evidence, it needs to be:

  • Admissible – by conforming to legal rules before it goes to court.
  • Authentic –be possible to positively tie the evidentiary material to the said incident.
  • Complete – to tell the entire story and not just a particular perspective.
  • Reliable – so nothing about how evidence was collected or subsequently handled that could potential case a doubt on its authenticity and veracity.
  • Believable – it must be understandable and believable by the court.

Chain Of Custody

The process of the chain of custody should be fully described when discussing how the evidence was found, handled and anything else that happens. Therefore, the following should be documented:

  • The when, where and by whom the evidence was discovered and collected by.
  • The when, where and by who handled or examined the evidence.
  • During what period who had custody of the evidence and how was it stored.
  • When the evidence changed custody, when and how did it transfer custody.
  • Where and how to archive the media.
  • Any tools used.

Evidence Collection

One of the most important components within the growing computer forensics field is that of evidence handling. Best practices and the constant growing of innovation in technology are causing a flux in effort to meet the needs of the industry. Shifting away from the pull and plug concept is the most recent shift in evidence handling as a first step in the collection process. Now the first step is the adoption to acquire evidence from the live computer that is suspect.

Changes are needed in the collection of digital evidence because it is being driven by an ever-increasing change to the computing environment”

  • Removable media has applications installed using the USB stick and then being virtualized in the RAM with no trace evident on the hard disk.
  • Hidden within the process and being undetected by underlying operating system are root kits and when using local tools the memory must be analyzed with trusted binaries.
  • There is no trace of existence on the hard disk of Malware because it is fully RAM resident.
  • Areas of the hard drive that will hide evidence is the covert / hidden encrypted files or partitions that the users will use on a regular basis.
  • Web browsers that are popular off the ability to cover the tracks of the users – the log files of the user are created but when the browser is closed they are deleted.
  • Due to the changes in the landscape of web based email, wiki’s, twitter extending storage of user communications / actions, and blogs are beyond the traditional hard disk found on users machines thanks to the changing environment of Web 2.0.

Digital Evidence Collection

Live forensics provides for collection of digital evidence in the order of collection based on life expectancy of the evidence that is in question. The most important evidence that is gathered in digital evidence collection now and in the future is most likely in the form of volatile data that is contained within the RAM on the computer. The order of volatility digital evidence is:

  • CPU, register and cache content
  • ARP cache, kernel statistics, process and routing table
  • Memory
  • Swap space / Temporary file system
  • Data on hard disk
  • Remotely logged data
  • Data contained on archival media

Digital Evidence Collection for Live Volatile Data Collection

When collecting live volatile data, proper evidence preservation is a must, therefore, follow the below procedures in order and it is imperative that you do not use the computer or search for evidence.

  1. Photograph the scene including the computer
  2. Do not turn the computer on if it is in the off position
  3. If the computer is on, take a photograph of the screen
  4. Starting with the RAM image, collect the live data (Live Response or via F-Response) and then collect the other required data such as logged on users, the network connection state, the current executing processes, etc.
  5. If the hard disk encryption detected such as full disk encryption, collect the local image of the hard disk by using dd.exe, Helix – remotely by F-Response or locally.
  6. From the back of the tower, while using a desktop, unplug the power cord. If using a laptop and it does not shut-down by un-plugging the power cord then remove the battery.
  7. Label and diagram all cords
  8. All device model and serial numbers are documented
  9. All cords and devices are disconnected
  10. After checking for HPA, image hard drives using a write blocker, a hardware imager or Helix
  11. Using anti-static evidence bags, package all components
  12. All other storage media is seized and create the respective images and place the original device in anti-static evidence bags
  13. Refrain from media coming in contact with magnets, radio transmission or other damaging elements. Collect the instruction manuals, notes and documentation
  14. All steps used in the seizure process should be documented

Live Forensics of Volatile Computer Evidence

Using the Windows Forensic Toolkit (WFT), they automated the collection from the PC subject to a forensically sound manner:

  • Utilizes only trusted and known binaries
  • The impact on the subject computer is minimized and if there is any impact it should be documented
  • Extensive logging
  • All tools utilized and collected creates hashes

Related IT Guides

  1. 12 secret tips to do well in CCIE Routing and Switching
  2. Becoming a Cisco certified internetworking expert with CCIE Routing & Switching certification
  3. Benefits of being a CCIE Routing & Switching certified
  4. Best study guides for CCIE routing and switching
  5. Candidates that is most suitable for CCIE Routing & Switching lab exam
  6. CCIE Routing & Switching 4 weeks study plan
  7. CCIE Routing & Switching jobs and career
  8. Risk Analysis Mitigation
  9. What is are most important topics for CCIE Routing & Switching lab exam?