Evidence Seizure Methodology for Computer Forensics
by Thomas Rude, CISSP
September 2000

The Science of Computer Forensics is fast becoming a very necessary skillset for law enforcement departments, government entities, and corporations worldwide. As society becomes more digitized, the need for skilled personnel in this arena becomes more and more pressing. And as this shortage of skilled technicians becomes apparent, we will find more and more companies rushing in to fill the gap. We will see 'experts' arise from all corners of the world. More on this later.

As it stands today, there is no ONE methodology for performing a forensic investigation and analysis. There are too many variables for there to be just one way. Some of the 'typical' variables which first come to mind include; operating systems, software applications, cryptographic algorithms and applications, and hardware platforms. But moving beyond these obvious variables spring other equally challenging variables; law, international boundaries, publicity, and methodology.

My intent with this paper is merely to put some ideas out there - to generate some interest and, more importantly, stimulate thinking. I do not work from inside the box. My line of thinking is outside the box. Give me something and I will not just test it to see if it works. Most likely, if it is a commercial product of course it works. However, I will test it in ways to break it. Test it in ways to see how it can be manipulated if it can. I feel this is very important. Only by breaking something do you learn the weaknesses. We know the strengths. The marketing brochures have told us those. We need to know what the weaknesses are in case we have to defend our work in a court of law. We need to be able to explain and support our methodology, our tool selection, our work.

As for the evidence seizure, some of these ideas already exist, some may be just my own. However, the Science of Forensics is an exact science. It is tedious and meticulous. Dare I say there is no room for error? However, does that not contradict what we, as humans, are? We error. We are not perfect. To sum up my intent, I hope that you simply become more aware of the variables which are a part of forensics, and see that you must develop a methodology from which to work from. I also feel that it is very important for us to recognize that if we cannot be perfect and error free, then we must be exact in our methodology and make sure that we perform our investigations in check and to the standards we have developed.

Concrete and Accepted Ideas

There are a few widely accepted guidelines for forensic analysis:
1) A forensic examiner is impartial. Our job is to analyze the media and report our findings with no presumption of guilt or innocence.
2) The media used in forensic examinations must be sterilized before each use.
3) A true image (bit stream) of the original media must be made and used for the analysis.
4) The integrity of the original media must be maintained throughout the entire investigation.

Before the Investigation

Long before the investigation begins, certain things need to be known. First, for sake of argument, let us say that we have the skilled technicians in-house. They have acquired and analyzed a plethora of evidence during their tenure. Excellent. We are confident in their ability. Further, we have a top notch lab - the right equipment, the right forensic analysis tools, etc. We are set, right? Well, maybe.

All the equipment and talent will not help us if we are not in synchronization with our local District Attorney. 'Ah, we're sorry Lt. Skywalker, but this is not enough evidence for me to move this case forward and prosecute.' Huh? Well, perhaps your local DA requires such and such, and you only have such. Or, maybe the DA requires more documentation on the chain of evidence handling. You cannot go backwards and recreate the trail after you have already blazed it!

This may seem like a no-brainer. Maybe. But, I have asked around, and to my surprise, I have gotten this response more than a few times: 'oh yeah, that is a good idea.' So, work with not just your local DA, but your state DA as well. Network when you are not pushing a case to them. Learn what it is they require as a minimum, and tweak your methodology to meet this and go beyond. This way, when you have a case arise, you know what is required and can work the case from the inception in support of these requirements.

Methodology Development

Since there are so many variables in a forensics case, can anyone really develop THE methodology from which to work from? I do not think so. However, I firmly believe in two things which will lead to a solid analysis and case building: 1) define your methodology and 2) work according to this methodology. By definition, methodology implies a method, a set of rules, guidelines which are employed by a discipline.

The idea here is if you cannot defend how you work nor why you work this way, the defending legal representation can drill you over and over again. Remember, the majority of jurors are not technical gurus. To sit there and explain to them that you have no defined methodology your department uses is equivalent to admitting that you handle each case differently. Huh? Why not the same? Why is each case handled differently?

By defining your methodology, you are working from a guideline - a set of rules. This is what we do, this is how we do it, and here are the steps. It becomes a discipline. Our department has these guidelines and we follow them for each and every case. No, they are not exact. We use them as a point of reference and a focal starting point for each phase of every investigation. They cannot be exact because no two case are identical. This car here is a Ferrari, while that car there is a Yugo. You drive them differently because you have to. However, they are still both cars and so the basic mechanics are the same and we follow them. This is our methodology. We follow it. We open the door, we sit down, we start the engine, etc. But, come time to drive, we drive differently! We have to because variables dictate this.

Document Everything

So important in forensic investigations is the chain of evidence. Who had custody at every step along the way? If resources allow, have two forensics personnel assigned to each case every step of the way. Specifically, having one person document what the other is doing and how they are doing it provides for a very detailed and accurate record of the handling of the evidence. Important in the documentation are the times and dates steps were taken, the names of those involved, and under whose authority were the steps taken?

If nothing else, by having this complete documentation you should be able to refute any claims of mishandling - especially if you have followed the steps defined within your methodology! Also, the documentation can provide a good point of reference for jogging the memories of the forensic examiners when case duration is lengthy and/or caseload is high.

Evidence Seizure

Again, remembering that your specific needs will vary at some point in time, the steps listed below are not meant to be taken in a literal sense. They are not concrete, they may not be perfect for every case you work. However, from working with Forensic Examiners and listening to what the community has been saying, these steps are a sort of 'Best of Breed' approach. I have tried to include steps for varying case examples.

There is one assumption I will make. And that is that prior to seizure, you already have the proper documents filled out and paperwork filed as well as permission from the proper authority to seize the suspect's machine (PC, Server, Tapes, etc.). My background is not in law, but I am aware of the forms required for seizure of electronic evidence and the processes within our legal system. I leave this discussion to the appropriate experts!

Step 1: Preparation
Before the investigation, make sure you are prepared! Some guidelines:
A) Sterilize all media which is to be used in the examination process. If you cannot afford new media for each case then you must make sure that the reusable media is free of viruses and all data has been wiped from the media. Document the wiping and scanning process.
B) Check to make sure that all forensic tools (software) are licensed for use.
C) Check to make sure that all lab equipment is in working order.
D) Time to make sure you have a good choice for your forensic examiner! Is the forensic examiner able to testify in court if necessary? Is the examiner able to explain the methodology used in real-world, simple to understand, terminology? Or will the jurors be wondering what bytes, bits, slack space, and hidden files are? What is reasonable doubt in relation to something completely foreign? Better yet, reasonable doubt when used in high technology. 'It is reasonable to acquit because I do not understand if a file is hidden how someone else could find it!'
Which leads me to a great analogy someone once told me. When posed with the question of how to explain something so technical to a very non-technical jury, this individual told me the following: Give the analogy of comparing the computer to a library. We all know what a library is. Ask them if they would use the card catalog to look up a book in the library to find what shelf the book is located on. So we use the the directory structure to find files on a piece of evidence. Furthermore, if you went through the library, would you not find books on the shelves which were not in the card catalog? The same on the computer. If we do a physical search, we will find data which is not cataloged.
Okay, so I may not have gotten it word for word, but you understand the idea. Thank you, Andrew Rosen. Much obliged.

Step 2: Snapshot
Your team needs to take a snapshot of the actual evidence scene. Some guidelines:
A) Photograph the scene, whether it be a room in a home or in a business. Digital cameras seem to be the emerging standard here.
B) Note the scene. Take advantage of your investigative skills here. Note pictures, personal items, etc. Later on in the examination these items may prove useful (for example, password cracking).
C) Photograph the actual evidence. For simplicity, let us assume for our example that the evidence is a PC in a home office. Take a photograph of the monitor. What is on the screen? Take a photograph of the PC. Remove the case cover carefully and photograph the internals.
D) Document in your journal the PC - the hardware, the internal drives, peripheral components, SERIAL NUMBERS, etc. Make sure you document the configuration of the cables and connections as well (IDE, SCSI, etc.).
E) Label the evidence according to your methodology.
F) Photograph the evidence again after the labels have been applied.
G) Remember to document everything that goes on! Who did what, how, why, and at what time. Also, make sure that you have your designated custodian for the chain of custody initial each item after double-checking the list you have created AT THE SCENE. So, you have noted the configuration, the components, etc., and then the custodian of the evidence double checks your list and puts his/her initials next to yours while at the scene. It is imperative to do this checking at the scene so as to dispell the possibility of evidence tainting at a later date.
H) Videotape the entry of all personnel. This may not always be possible, and in some cases or departments may be cost prohibitive. However, what we are doing here is taping the actual entrance of our team into the suspect's scene. By capturing our entrance and what we possess on tape we are setting the stage for refuting any claims that evidence was planted at the scene, etc.
However, where could the defense then point suspicion? The transport of the evidence? Right. So, by taping the entrance AND the transport to the lab, we have a verifiable trail of what we did, when we did it, and how we did it. Is this overkill? Is this possible for every case we work? Personally, I do not know. But, I do believe that the taping process is a very solid means of supporting our work and may one day be required in our methodology.

Step 3: Transport
Assuming you have the legal authority to transport the evidence to your lab:
A) Pack the evidence securely. Be careful to guard against electrostatic discharge.
B) Photograph/videotape and document the handling of evidence leaving the scene to the transport vehicle.
C) Photograph/videotape and document the handling of evidence from transport vehicle to lab examination facility.

Step 4: Preparation
Now we prepare the acquired evidence for examination in our lab:
A) Unpack the evidence, documenting according to your methodology (date, time, examiners, etc.).
B) Visually examine the evidence, noting and documenting any unusual configurations (PC), marks, etc.
Assumption: We will assume that we have seized a PC from a home office. This PC has 1 hard drive of size 8GB.
C) Now it is time to make an exact image of the hard drive. There are many options here on what tool to use to image the drive. You could use EnCase. You could use the Unix command DD. You could use Byte Back. You could use Safeback. I am sure the list could go on and on. It is wise to have a variety of tools in your lab. Each of these tools have their respective strengths. My recommendation is to work with as many of them as you can. Become so familiar with them that you know their strengths and weaknesses and how to apply each of them.
Important notes to remember include:
1) Turn off virus scanning software.
2) Record the time and date of the CMOS (Complementary Metal Oxide Semiconductor). This is very important, especially when time zones come into play. For example, the evidence was seized in California (PDT) and analyzed in Georgia (EDT). Please note that it is crucial to remove the storage media (hard drives, etc.) prior to powering on the PC to check the CMOS!
3) Do not boot the suspect machine! You can make the image in a number of ways. The key is you want to do it from a controlled machine. A machine that you know works in a non-destructive/corrupt manner.
4) When making the bit stream image, note and document how the image was created. The date, time, and the examiner. Note the tool used. Again, we are working from our methodology.
5) Lastly, when making the image, make sure that the tool you use does not access the file system of the target evidence media. You do not want to make any writes, you do not want to mount the file system, nor do you want to do anything which will change the file access time for any file on that target evidence media.
D) After making the image, seal the original evidence media in a electrostatic-safe container, catalog it, and initial the container. Make sure that anyone who comes in contact with this container also inscribes their initials on the container as well. The container should be locked in a safe room upon completion of the imaging.
It may be a wise choice to then make a second bit stream image of your first image. You may need to send this to the suspect's residence or place of work - especially if the seized machine was used in the workplace.

Step 5: Examination
The examination of the acquired image now begins.
It is here where I will make a break. One of my next goals is to write a few examples of analyzing evidence. I would like to give examples of various media (hard drives, tapes, etc.) as well as operating systems (Linux, Windows, Mac, etc.). If anyone has anything they would like to see or ideas they would like to contribute, please do so! And, as always, if you have any questions, concerns, or comments, please contact me. I welcome contribution and feedback!