Forensics: Under investigation

Feature by Derek Parkinson

Whether you've been hacked or suspect an employee of wrongdoing, knowing how to preserve evidence is crucial

The closest thing the world of computer forensics has to the Ten Commandments is the guidance set down in the Association of Chief Police Officers' Good Practice Guide for Computer-Based Electronic Evidence. These guidelines, built around four main principles, are used as the basis for all criminal computer investigations. They are quite broad in scope, making recommendations regarding the correct handling of forensic data.

First, no action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Second, in circumstances where a person finds it necessary to access original data held on a computer or storage media, that individual must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Third, an audit trail or other record of all processes applied to computer-based electronic evidence is essential. An independent third party should be able to examine those processes and achieve the same result.

Finally, there should be someone in charge of the investigation with overall responsibility for ensuring that the law and these principles are adhered to.

"Principle one is solved by using software tools to make forensic image copies of the hard disk and other digital evidence," says Dr Sam Type, co-founder of computer forensics company Geek Ltd. "There are products designed for the purpose, such as FTK Imager, Encase and Helix utilities. Other system utilities, such as Linux DD will perform the same task," she explains. "It is important to capture the digital signature of the copied data so that it can be checked over time, and after processing, to confirm that you're still working on an exact copy of the original. MD5 hash-sums are commonly used."
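The imaging-and-hashing workflow Type describes, as an added example (it is not the article's code and not taken from any of the products named): the source is opened read-only and copied in blocks, both source and image are hashed, the hashes go into a sidecar record so an independent party can repeat the check (principle three), and the working copy can be re-verified after processing. The "device" is a constructed temporary file standing in for a disk; the file names, the `demo()` routine and the `.json` sidecar are assumptions.

```python
"""Forensic imaging with before-and-after hash verification (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB blocks, as with `dd bs=1M`


def hash_file(path: str) -> dict:
    """Stream the file once, computing MD5 (as the article mentions) and
    SHA-256 (because MD5 collisions are cheap today). Returns both plus size."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}


def image_device(source: str, image_path: str) -> dict:
    """Copy `source` to `image_path` byte for byte. The source is opened
    read-only, the image is synced to disk, and both are hashed afterwards.
    The returned record is the audit trail a third party needs to repeat
    the check (ACPO principles one and three)."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "source_hash": hash_file(source),
        "image_hash": hash_file(image_path),
    }
    record["verified"] = record["source_hash"] == record["image_hash"]
    with open(image_path + ".json", "w") as fh:  # sidecar acquisition record (assumed name)
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path: str, record: dict) -> bool:
    """Re-hash the working copy (e.g. after analysis) against the acquisition
    record. False means you are no longer working on an exact copy."""
    return hash_file(image_path) == record["image_hash"]


def demo() -> dict:
    """Run the workflow on a constructed sample 'disk', then flip one byte in
    the working copy to show the re-check catching it."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "suspect_disk.raw")
        image = os.path.join(workdir, "suspect_disk.dd")
        with open(source, "wb") as fh:
            # constructed sample content: 32 bytes x 50000 = 1,600,000 bytes
            fh.write(b"CONSTRUCTED SAMPLE DISK CONTENT\n" * 50000)
        record = image_device(source, image)
        before = verify_image(image, record)
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")  # simulated accidental write to the working copy
        after = verify_image(image, record)
        return {"record": record, "verified_before_tamper": before,
                "verified_after_tamper": after}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points a practitioner should keep in mind: opening the source read-only in software does not stop the operating system itself (auto-mounting, journal replay) from writing to the original, which is why hardware write blockers are the usual control; and because MD5 collisions are practical, record a second hash such as SHA-256 alongside it rather than relying on MD5 alone.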

In practice, well-thought-out procedures for handling forensic data are every bit as important as the tools needed to copy and analyse it, suggests Andy Harbison, a senior manager in Deloitte's IT forensics and litigation support team. "In my experience, a lot of people obsess about the technology, but mess up on the procedure," he says. "In a court case, there are generally two ways a barrister can go in questioning an expert witness on computer forensics: their expertise and the integrity of the procedure. The evidence can be destroyed before a case even gets to court," he adds.

Another compelling reason for having procedures in place is the need to avoid acting hastily when an incident occurs. "Taking an image of a disk is something IT staff can do on their own. But I've heard horror stories of people copying the wrong way round, and wiping out all the data," says Harbison.

Organisations need to be prepared for an incident where forensic analysis of computer data is necessary, warns Geoff Donson, group security manager at TelecityGroup. Donson draws on more than 27 years of experience in the police, including the Serious Organised Crime Agency, the National Hi-Tech Crime Unit and the Metropolitan Police Computer Crime Unit. "You should have appropriately trained people because you have to be ready in advance. They need a basic awareness of computer forensics and what it can achieve," he says.

The enemy within
It is important for employers to recognise that forensic data may be needed as part of an investigation into the activities of people inside an organisation, as well as outside. "Hacking is just one of the threats a company's computer system may be exposed to," says Type. "Most large corporations will have systems administration staff tasked with ensuring it doesn't occur, but the majority of companies are more at risk from employee behaviour," she suggests.

"As best practice, a corporate should generate a set of computer response procedures and documents outlining the threats they might be vulnerable to and the actions they would take in each situation, similar to a risk assessment. This will help ensure that the best possible evidence is collected, that the evidence will be admissible should the situation require legal action, and that the company will be protected from any loss of revenue that may result from evidence not being produced," Type adds.

As well as helping internal staff to protect forensically valuable data from contamination, such a policy will set down guidance on when to bring in external professionals. "The documents can form part of a crisis-response strategy," Type continues. "They must consider the need to gather data from all computerised equipment within the organisation, from servers to PDAs.

"Companies often aren't aware that their policies are failing to protect them from the biggest threat - their employees. Businesses may disable DVD or CD writers in staff PCs, but then allow employees to plug in their iPods - which are basically portable hard-drives."

As both the amount of data we store and the ways we store it continue to grow, so do the means to find and analyse information. Recent advances in computer forensics are driven by the need to extract information from data sources more effectively, and to keep pace with innovations in technology.

Tools for collecting network data are a good example. The network administration products found in most organisations produce data from all TCP/IP layers. Firewalls, intrusion detection systems, routers, packet sniffers and protocol analysers can all be of value to a forensic investigation, but this is usually not their primary purpose, so each is likely to provide only a partial view of what investigators need.

Purpose-built network forensic products combine the functions of IT security management systems with those of specific tools such as packet sniffers and protocol analysers. While they may be useful for capturing data, they are best used by experienced forensic experts who know how to analyse the results.

The massive increase in the availability of devices that can store, process and transmit data - such as mobile phones, PDAs, MP3 players and USB devices - delivers opportunities and challenges for digital forensics. A wireless-enabled device may store location data, and so provide powerful evidence of the whereabouts of a person at a particular time. Mobile phones and PDAs have forensic value precisely because they are personal communication devices and therefore may contain revealing information.

From a technical point of view, these devices are forensically important because they typically store personal data as flash-EEPROM (electrically erasable programmable read-only memory), which is relatively stable. Unless the user is an expert, they are unlikely to be aware of how much data is actually stored in this form, and will almost certainly not have direct access to all of it. However, there are difficulties in accessing such data without contaminating it, primarily because a phone will begin searching for, and exchanging, data with any nearby masts, transmitters or satellites as soon as it is switched on.

The first commercially available forensic tool for mobile phones and PDAs was released in 2004. The .XRY product from iCardForensics provided access to names and numbers in address books; SMS messages sent, received and archived; pictures; calendar information; sound files; call logs; and multimedia messages.

In 2006, Forensic Telecommunication Services launched FTS Hex services, which are used primarily by police forces. The company claims to be able to extract similar information from phones even if the handset has been damaged by fire or water or the SIM card is missing, damaged or locked. In 2007, Guidance Software unveiled Neutrino, a suite of mobile phone tools that integrate with its Encase products. Other developers are expected to follow, bringing mobile phone analysis into the forensic mainstream.

Flash memory devices such as USB sticks are a growing source of concern to IT security professionals. Their growing capacity allows sophisticated software to be stored on them, raising the possibility that applications could be run on a computer without having to be installed. Such developments also mean that conventional techniques for creating an image of the data held on passive memory devices may no longer be an option.

Leaving aside the various considerations about technology, there is also the problem of getting access to such devices in a way that is both unobtrusive and lawful. All these issues mean that portable and mobile devices will give headaches to IT security professionals for some time to come.

A volatile combination
Access to data held in volatile memory is another area of innovation worth watching. Where evidence on a PC is held in password-protected containers, has been transmitted across a network, or has been handled by encrypted applications, data in volatile memory could be crucial to the investigator, providing evidence that might otherwise be unavailable. Such data will be lost if the machine is shut down.

But in order to capture volatile data, the machine will have to be accessed, which risks violating principle one of ACPO's guidance. Specialist tools must be used, and it is essential that they are applied only by trained personnel, who should be able to explain and justify the processes they have used, thus complying with principle two. This is a new area for the forensics industry and only a limited set of tools is available (see the tools box below).

It seems technological advancement is both helping and hindering digital forensics, but one thing is for certain: with cyber crime and insider threats on the rise, more and more organisations will need to make use of it.


Encase - Complete forensic investigation tool.

FTK - Another complete forensic investigation tool.

Helix - In-the-field forensic investigation toolkit.

Sleuthkit - Free forensic tool that runs on Unix.

OnlineDFS - Volatile data-capture tool.

ProDiscover - Another volatile data-capture tool.

- Internet-history analysis tool.

iGrade - Indecent-images analysis tool.


Forensic evidence only becomes an issue for most of us when things have gone badly wrong in an organisation. A prompt, effective response is needed, but it's important not to panic.

"The first thing is to stop and think about what you are going to do. Don't just jump in with both feet," advises Chris Spencer, a consultant at forensic services provider Sapphire. This is particularly crucial when a member of staff is under suspicion. "Most organisations will need a high-level discussion, not just within the IT department. I would seriously think about bringing in human resources people at an early stage."

A well-thought-out response plan should outline this procedure and identify the person to act as officer in charge of the forensic data. "It could be one of your network administration staff or, in a small organisation, it could be the company accountant or even the managing director," suggests Spencer.

An early judgement has to be made about the nature and seriousness of the situation and how best to proceed. "You may have to decide whether the problem is best dealt with covertly, for example, and think about whether a suspect is likely to destroy evidence," says Spencer. The IT knowledge of those suspected of wrongdoing is also relevant, because it provides useful pointers to where and how effectively evidence may have been hidden.

Once a decision has been made to intervene, by seizing equipment, for example, you must keep records of any action taken. The officer in charge will need to draft, sign and date reports of events as they unfold, preferably in front of a trusted witness. These do not have to be restricted to written reports, says Andy Harbison, a senior manager in Deloitte's IT forensics and litigation support team. "You could consider taking photographs of a computer screen, for instance."

If a suspect's PC is seized by professional investigators, it will be placed in tamper-proof packaging and taken off site. If the company itself takes possession of the machine, it must be stored securely. "It's no good just putting it in your car boot," says Dave Horn, business development manager at Sapphire. "Then you stop off at a petrol station, leaving it unsecured - how can you be certain it hasn't been tampered with?"

If the machine has been left switched on, a tricky decision has to be made: whether to leave it on and begin a forensic examination immediately, or to switch it off, risking the loss of valuable data in the volatile memory.

If a machine must be switched off, this should be done by removing the power source as the normal shutdown procedure will write data to the disk, compromising the evidence. Turning a suspect's PC on using the normal startup procedure must be avoided for the same reason.

A typical mistake for inexperienced investigators is to try to extract data using the desktop software present on a suspect's PC, using an email client to copy messages, for example. Again, this is likely to compromise the data, rendering it worthless. Many amateur attempts also fail because they neglect to record the time stamps and user IDs that tie specific individuals, times and places to the incriminating data.
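The record-keeping the box calls for, who took which action on which item, when and in front of which witness, with the timestamps and user IDs that tie people to the data, as an added example that is not from the article: a chain-of-custody log in which every entry carries the hash of the entry before it, so a later edit or removal of an entry breaks the chain and is detected. The people, exhibit labels, hashes and timestamps in `demo()` are constructed sample values.

```python
"""Tamper-evident chain-of-custody log (added example, not the article's)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry of an empty log


def _digest(entry: dict) -> str:
    """Canonical JSON (sorted keys) so the same entry always hashes the same."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, item, item_hash=None, witness=None, timestamp=None):
        """Append one entry. `actor` is the user ID of the person acting,
        `item` the exhibit label, `item_hash` the item's hash at that moment
        (None before it has been imaged), `witness` the trusted observer."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "item": item,
            "item_hash": item_hash,
            "witness": witness,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self, entries=None):
        """Return (True, None) if the chain is intact, otherwise (False, seq)
        of the first entry whose content, sequence number or link is wrong."""
        entries = self.entries if entries is None else entries
        prev = GENESIS
        for position, entry in enumerate(entries, start=1):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry.get("seq") != position
                    or entry.get("prev_hash") != prev
                    or _digest(body) != entry.get("entry_hash")):
                return False, entry.get("seq")
            prev = entry["entry_hash"]
        return True, None


def demo() -> dict:
    """Build a constructed three-entry log, then show an edit and a deletion
    being caught. Fixed timestamps keep the run repeatable."""
    log = CustodyLog()
    log.record("j.smith", "seized", "EXHIBIT-001 (desktop PC)",
               witness="a.jones", timestamp="2008-05-01T09:15:00+00:00")
    log.record("j.smith", "imaged", "EXHIBIT-001", item_hash="sha256:" + "ab" * 32,
               witness="a.jones", timestamp="2008-05-01T11:40:00+00:00")
    log.record("j.smith", "transferred to evidence store", "EXHIBIT-001",
               item_hash="sha256:" + "ab" * 32, witness="k.brown",
               timestamp="2008-05-01T12:05:00+00:00")
    intact = log.verify()

    edited = copy.deepcopy(log.entries)
    edited[1]["actor"] = "someone.else"          # retroactive edit of entry 2
    removed = log.entries[:1] + log.entries[2:]  # entry 2 quietly deleted

    return {"intact": intact,
            "after_edit": log.verify(edited),
            "after_removal": log.verify(removed)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain cannot, on its own, detect removal of the final entry, so the latest `entry_hash` should be anchored outside the log, for instance written into the signed and dated paper report the officer in charge produces, or into the sidecar record of the disk image.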

Companies may decide to turn to professionals for help, which is likely to be costly. "You're entitled to know what you're getting. Ask about the formal training people have had, and their experience of cases that have gone to court," advises Geoff Donson, group security manager at TelecityGroup.


Tasked with handling the largest fraud cases in England, Wales and Northern Ireland, the Serious Fraud Office (SFO) has grown used to handling vast amounts of data, often in digital form. "The people we deal with are the richest, most powerful and greedy people in the world. They know the benefits of technology and, increasingly, they rely on it," says Keith Foggon, who heads the digital forensics unit.

At any one time, the SFO is dealing with 30 or 40 cases, and an individual case may take up to seven years to bring to a conclusion, according to Foggon. Unlike many police investigations, the SFO's work focuses less on analysing people's online behaviour and more on what information is stored on corporate intranets and personal devices.

The SFO prosecutes as well as investigates cases, and so has "end-to-end" responsibility for electronic evidence, from the point where a raid is carried out to presenting it in court. Its raids focus less on seizing physical items such as PCs or laptops and more on extracting the data.

"We do as much imaging as possible on site. It's quicker than seizing equipment. We have tools for doing this no one else has," says Foggon. In some cases, items such as backup tapes have to be seized and examined off site, which can be a challenge because there may be thousands of tapes containing data going back years.

The need to store and process large quantities of data means the SFO has increased its storage capacity for forensic data alone to 170 terabytes. As well as the sheer quantity of data, the SFO forensic team has to consider the ever-expanding range of devices data must be extracted from.

"As well as mobile phones, we have to think about dictation machines and PDAs," he says. The data held on entertainment products such as gaming machines, iPods, and TV set-top boxes may be relevant to an investigation, Foggon adds. "Even data in the 'Sat Nav' system of a car may be useful, because it can keep a record of where you've been. We haven't imaged a whole car yet, but it's only a matter of time."

