Hardware You Will Need
Before we begin you will need to acquire a hardware level write-blocker. Or, utilize a free operating system such as one of the few that are one the listing herein: Linux Forensic Distributions. You may also utilize BackTrack Linux as a method to provide some forensic needs, as well as FTK (Forensic Toolkit). And, you may utilize tools such as the Bulk_Extractor Tool.
Considering it was mentioned that you would need access to a hard disk write-blocker we need to stress the fact that when purchasing a hardware level write-blocker you should also purchase a hard disk that has the capacity to handle very large disks. In the realm of forensics disk imaging a suspect drive (which I will discuss later) that is 250GB in size, and you only have a 120GB hard drive will not suffice -- no matter how you twist and turn. Ideally you'd want the largest hard drive (and quite a few, too!) that you can image drives as small as 4GB all the way up to 3TB. This will lessen the odds of you needing to run out and purchase hardware when and if the time comes. You can check for hardware write-blockers at any of these sites: Digital Intelligence Tools, Forensic PC Write Blockers, or The Nerds Write Blocker. Considering these are only suggestions -- if you can find a cheaper one elsewhere by all means go for the gusto.
On the other topic of hard disks you can find one of those from any major retailer. One of the tools you may want to pick up is a multi-connector SATA, IDE, etc. hard disk interfacing utility or tool. This will help you when you encounter newer, or legacy devices which need to have forensics performed. They normally range anywhere from 19.99 to about 60.00 USD. Again, the cheapest approach would be to mount a filesystem in Linux as read-only and when doing so, be sure that any auto-mounting options for hard disks are disabled within your system. Ubuntu and other operating systems (which you can convert into a forensic distribution) have options nestled within them which enable you to do so. I will cover more of this later on in this introduction to forensics as this document progresses.
More Software
Although I've lightly discussed the software that you would need (and this was from the form of Linux operating systems) You will also need to make a live disk (please don't confuse this with a live operating system disk such as a bootable Linux.) When you are examining a case there may come a time in which you would need to touch some of the details of the operating system. Due to the more advanced attacks that are happening with DLL injections, you want to obtain a copy of the software that is running in RAM. This can be from applications, and other processes to get a feel for what may be installed and configured on the box, or malware that is communicating. A good listing of information would be not only the running processes but the ports that are open. In many cases touching the disk, or the keyboard / mouse of a computer is prohibited as you want to preserve access to the machine and have valid forensics details to work from. Many times simply pulling the plug on the device and recording the time is well worth it. And, there are draw backs of such an activity.
For starters the best way to create a live disk is to install your operating system of choice and then load the files within the system32 directory into the CDROM, then copy your files from the disk that you will be using (recoding information and date and times should also become a common practice when you install or create a disk as such.) You may also want to rename common utilities as to now have them executed on the box that you will be performing your forensics against. With this in mind, anything you execute should be executed from the CD not from the hard disk as this can seriously hamper the reporting process and trample on computer forensic collection.
Unplug Method
The unplug method was implemented so that when you are going to provide a forensics nothing from that point on within the suspect computer is changed. From the time you unplugged the power cable, you have a nice clean log of time assuring that nothing from that moment onward has or will be changed. However, there are limitations to this as there are with all forms of investigative approaches. The one thing you need to know is if there is valuable forensic evidence running within the RAM you just lost that information. However this does not come with a trade-off. For instance, if you are investigating a crime which had taken place with a computer system and the files are stored on the hard disk -- you shouldn't need to worry about what is running in RAM. E.g. Recently (20th March 2014) there have been a lot of web-cam attacks involving individuals obtaining photos from computers and holding those photos at ransom, whereby "you pay x and I delete the photos, you don't pay by x we post the photos." Investigating a crime as such does not necessarily require you to be concerned with the evidence within the RAM. It's more of discovering evidence that is on the hard drive of a computer. If you can find out if the attacker has those photos that were sent, or conversations on the computer you are investigating are present showing that they were talking to the intended target attempting to extort the victim for financial gain -- your smoking gun, and its ammunition is already present. This would be one approach you could utilize to determine how you would continue with the investigation.
In all essence it becomes deterministic based on the grounds of what type of computer usage, event or crime you are investigating. You will need to think this through well before you take action on the suspect system you are investigating. Omitting something where you should have done something else can and may throw a case in a court of competent jurisdiction. Think more than once and think about the intended outcome of your action. Failure to do so can have consequences far more reaching than losing a case. You may become frequent at the unemployment line.
Laws
Before getting into this, each law (and as pertinent to the 18 U.S. Code § 2510 / 18 U.S.C. §§ 2510–2522 "Wiretap Act" and the state you are in will govern the procedures for data procurement and what you are allowed to collect. Failure to abide by the state code for digital evidence collection may void any case you are working on, or involved in whereby letting a criminal go based on the grounds of trampling on evidence which has been collected in 1) An illegal manor, or 2) in an insufficient manor where the data or forensic information has become tainted. As per the current writing of this documentation forensic investigators do not have jurisdictions and may work within any location so long as local, and federal laws are observed whilst collecting evidence.
Considering the grounds of obtaining "jurisdiction" in order to perform a forensics, the following map should be of usage to most of you reading the documentation. http://www.investigation.com/surveymap/surveymap.asp it does list which states require being licensed as a PI (private investigator) before launching such an investigation. However, some states do observe these requests, and others do not.
When discussing wiretap act, we need to understand how this document has been formulated and what it means to digital forensics, the prosecution end as well as the defense parties involved. Wiretap includes the capture of signals, data, images and other forms of communication that may be transmitted via radio, or wire. And, when we say radio and wire we do mean this in the widest umbrella that you can think of (RJ11, RJ45, 802.11, 802.3, ham radio, you name it. If you can spy on it, your bound to a law governing it's communications capture.) Now, when we deal with organizations that own the rights to an autonomous network, we normally see within documentation stating the collection of information (and of course the right of privacy to the individual at the terminals, or working within an organization). So, for this we then must observe 18 U.S.C. § 2511(1).
Although this may be a bit confusing (and I must admit I am no attorney) we have the following statements within the wiretap act revolving around the grounds of 18 U.S.C. § 2511(1)
What this roughly translates is the following. If any party engaging within communications provides consent to record, retain, intercept or otherwise collect information being transmitted it is legal to do so. Furthermore, for a service provider, providing access to electronic communications it is legal to perform the following (H)(II)
(i) to use a pen register or a trap and trace device (as those terms are defined for the purposes of chapter 206 (relating to pen registers and trap and trace devices) of this title); or
(ii) for a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service.
(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from the protected computer, if—
(I) the owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer;
(II) the person acting under color of law is lawfully engaged in an investigation;
(III) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation; and
(IV) such interception does not acquire communications other than those transmitted to or from the computer trespasser.
Within the stance above, if you own the network you reserve the right to record information, and or evidence so long as you are not using it against an individual, or utilizing it for illegal purposes. Also it shall be pointed out that wiretap act also extends to oral communications as well.
Laws and Logs
When you are attempting to perform a forensic there are a few key elements you need to understand. 1) Where the logs are kept, 2) What logs you will require, 3) if these logs are part of a tape rotation which must be pulled from a potential destruction. You will also want to inquire about the ISP logs as all this information is admissible within the court system to provide evidence against an attacker. Within certain instances you may discover that an organization you are investigating does not keep backups, or worries too much about the backup of logs. In such a case most of your questions will then move from asking about logs to asking questions about the backup of the target system, or the systems affected during this process. In most cases you will find that if the systems are backed up, the affected systems backups will contain valuable information within the logs backed up. So, hope is not lost completely! According to 18 U.S. Code § 2703
(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.
(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.
Under the above "preservation request" this will bid you time to obtain the evidence or information you need regarding the attack, or alleged system breach. From this point you can also obtain the process required under the Electronic Communications Privacy Act. Next we will analyze the information regarding the types of data you will be collecting your evidence from, as well as software you may utilize (law enforcement types of software.)
How Evidence Should be Collected
Although this may seem as a repeat, anything running on the desktop should be photographed, and or recorded. E.g: Audio, Video, or Photographs. An accurate time log of every event that is happening is a must! Failure to provide what you were doing, and recording it with the time can leave a case with more holes than anything else. Falling back on recorded evidence is always a good prospective to take during your trials, and or investigative processes.
So for the record -- anything you do you record. Keeping a log, or a digital account for what is happening is essential.
Chain of Custody
The main purpose of the chain of custody is to determine who had accessed to the device, any changes, and or any other actions they have performed while holding a said piece of equipment. This also details to whom the equipment, or device was released to. The chain of custody may also track route and where evidence was found. If this is done outside of a Law Enforcement Agency, you should appoint an "evidence custodian" who will be responsible for the reliable transport and seizure of forensic information. These individuals will obtain the information that will be analyzed and transport the materials to a secure location where it is held. This process is also known as the "bagging and tagging" process whereby when evidence is collected it is labeled, bagged and tagged. Normally the bag and tag technique involves the following key pieces of information: Date and Time, Your Name, Evidence, where you found the evidence, and any other information which may play a vital role in your investigation.
When collecting evidence you must also note that any information (especially in a civil cases) any and all information MUST BE processed legally. Either by warrant, observing local and federal laws, and also in accordance to policies enacted or in place at the organization if this is an investigation that is not yet being run by LEO there is no need to worry regarding warrants, especially if this is within a company and you are following procedures in place by a governing body regarding evidence collection and IR team information.
