Seizing Digital Evidence at the Scene
• Law enforcement can seize evidence
• With a proper warrant
• When seizing computer evidence in criminal
investigations
• Follow U.S. DoJ standards for seizing digital data
• Civil investigations follow same rules
• Require less documentation though
• Consult with your attorney for extra guidelines
Preparing to Acquire Digital Evidence
• The evidence you acquire at the scene depends on the nature of the
case
• And the alleged crime or violation
• Ask your supervisor or senior forensics examiner in your organization
the following questions:
• Do you need to take the entire computer and all peripherals and media in the
immediate area?
• How are you going to protect the computer and media while transporting
them to your lab?
• Is the computer powered on when you arrive?
Preparing to Acquire Digital Evidence (continued)
• Ask your supervisor or senior forensics examiner in your organization
the following questions (continued):
• Is the suspect you’re investigating in the immediate area of the computer?
• Is it possible the suspect damaged or destroyed the computer, peripherals, or
media?
• Will you have to separate the suspect from the computer?
Processing an Incident or Crime Scene
• Guidelines
• Keep a journal to document your activities
• Secure the scene
• Be professional and courteous with onlookers
• Remove people who are not part of the investigation
• Take video and still recordings of the area around the
computer
• Pay attention to details
• Sketch the incident or crime scene
• Check computers as soon as possible
Handling a Running Computer
• Old rule: pull the plug
• Don’t cut electrical power to a running system unless it’s an older Windows 9x
or MS-DOS system
• Pulling the plug discards everything held only in RAM (running processes, open
network connections, the keys of any mounted encrypted volume) and can leave a
modern journaling file system inconsistent
• Perform a live acquisition if possible
• Capture the most volatile data first (memory, processes, network connections,
logged-on users) before doing anything that writes to the disk
• When shutting down Win XP or later, or Linux/Unix, perform a normal
shutdown, to preserve log files
• A normal shutdown itself writes to the disk, so do it only after the live
acquisition is complete and the screen has been recorded
• Save data from current applications as safely as possible
• Record all active windows or shell sessions
• Photograph the screen
Handling a Running Computer (continued)
• Make notes of everything you do when copying data from a live suspect
computer
• Save open files to an external hard drive or a network share
• If that is not possible, save them with new names
• Close applications and shut down the computer
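As an added example, not code from the original text, the following Python script collects volatile data from a live Linux host in a fixed order and journals every action, which is what the slides above require of the examiner. The command list, the case directory layout, and the examiner name are assumptions; a tool that is missing on the suspect machine, or that hangs, is recorded in the journal rather than aborting the collection, because on a live system you keep going and note what did not work.

```python
"""Volatile-data collection with a running journal (added example).

Assumed layout: each command's output is written to its own file inside a
case directory, and every action is appended to journal.log as one JSON
line carrying a UTC timestamp, the examiner's name, the command run, and
the SHA-256 of whatever output was captured.
"""
import datetime
import hashlib
import json
import subprocess
from pathlib import Path

# Most volatile first. This list is an assumption for a Linux host; adjust it
# for the platform you are standing in front of.
DEFAULT_COMMANDS = [
    ["date", "-u"],
    ["uname", "-a"],
    ["id"],
    ["ps", "aux"],
    ["ss", "-tanp"],    # may be absent on the suspect machine; logged, not fatal
    ["df", "-h"],
]


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def run_and_journal(commands, case_dir, examiner, timeout=60):
    """Run each command, store its output, and append one journal entry per action.

    Returns the list of journal entries (dicts) so callers can inspect them.
    Missing tools, timeouts and non-zero exits are recorded in the entry's
    'status' field instead of raising.
    """
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    journal_path = case_dir / "journal.log"
    entries = []
    for index, cmd in enumerate(commands, start=1):
        entry = {"seq": index, "time": utc_now(), "examiner": examiner,
                 "command": " ".join(cmd)}
        out_file = case_dir / f"{index:02d}_{Path(cmd[0]).name}.txt"
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
            data = proc.stdout + proc.stderr
            out_file.write_bytes(data)
            entry.update(
                status="ok" if proc.returncode == 0 else f"exit {proc.returncode}",
                output_file=out_file.name,
                sha256=hashlib.sha256(data).hexdigest(),
            )
        except FileNotFoundError:
            entry.update(status="tool not found")
        except subprocess.TimeoutExpired:
            entry.update(status="timeout")
        entries.append(entry)
        # Append immediately so the journal survives even if the next step fails.
        with journal_path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
    return entries


if __name__ == "__main__":
    for e in run_and_journal(DEFAULT_COMMANDS, "case-001/volatile", "J. Examiner"):
        print(e["seq"], e["command"], e["status"])
```

Hashing each captured output at the moment it is written lets you show later that the file you analyse in the lab is the one you collected at the scene.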
Processing an Incident or Crime Scene (continued)
• Guidelines (continued)
• Bag and tag the evidence, following these steps:
• Assign one person to collect and log all evidence
• Tag all evidence you collect with the current date and time, serial numbers or unique
features, make and model, and the name of the person who collected it
• Maintain two separate logs of collected evidence
• Maintain constant control of the collected evidence and the crime or incident scene
Processing an Incident or Crime Scene (continued)
• Guidelines (continued)
• Look for information related to the investigation
• Passwords, passphrases, PINs, bank accounts
• Look at papers, in drawers, in trash cans
• Collect documentation and media related to the investigation
• Hardware, software, backup media, documentation, manuals
Processing Data Centers with RAID Systems
• Sparse acquisition
• Technique for extracting evidence from large systems
• Extracts only data related to evidence for your case from allocated files
• And minimizes how much data you need to analyze
• Drawback of this technique
• It doesn’t recover data in free or slack space
Unallocated space is the part of a drive not currently assigned to any file. It
is a whole number of clusters, and until the file system reuses them they still
hold the contents of deleted files. Slack space is the unused space between the
end of the actual file and the end of its last cluster; it can likewise contain
remnants of whatever previously occupied that cluster.
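To make the drawback concrete, here is an added example (not from the original text) that simulates a small cluster-addressed volume in Python. A file is written, "deleted" by the suspect, and its first cluster is then partly reused by a new file. A logical (sparse) copy of allocated files never sees the old content, while the slack of the new file and the unallocated cluster still carry it. The volume, cluster size and file contents are all constructed for the demonstration.

```python
"""Why a logical (sparse) copy misses slack and unallocated space (added example).

A toy volume is a bytearray split into fixed-size clusters with a first-fit
allocator. Writing only overwrites the bytes a file actually contains, so the
tail of its last cluster (the slack) and any released cluster keep whatever
was there before, exactly as on a real drive.
"""
CLUSTER = 512


class ToyVolume:
    def __init__(self, clusters):
        self.disk = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))   # clusters available for allocation
        self.files = {}                     # name -> (size, [cluster ids])

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER)   # ceiling division
        ids = [self.free.pop(0) for _ in range(needed)]
        for n, cid in enumerate(ids):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            start = cid * CLUSTER
            self.disk[start:start + len(chunk)] = chunk   # rest of cluster untouched
        self.files[name] = (len(data), ids)

    def delete(self, name):
        _, ids = self.files.pop(name)
        self.free = ids + self.free         # clusters released, content not wiped

    def read(self, name):
        size, ids = self.files[name]
        raw = b"".join(self.disk[c * CLUSTER:(c + 1) * CLUSTER] for c in ids)
        return raw[:size]

    def logical_copy(self):
        """Sparse/logical acquisition: contents of allocated files only."""
        return {name: self.read(name) for name in self.files}

    def physical_image(self):
        """Bit-stream image: every cluster, allocated or not, slack included."""
        return bytes(self.disk)


def where_found(volume, marker):
    """Report which region(s) of the volume contain `marker`."""
    found = set()
    if any(marker in content for content in volume.logical_copy().values()):
        found.add("allocated")
    for _, (size, ids) in volume.files.items():
        last = ids[-1]
        eof = last * CLUSTER + (size - (len(ids) - 1) * CLUSTER)
        if marker in volume.disk[eof:(last + 1) * CLUSTER]:
            found.add("slack")              # after EOF inside the last cluster
    for cid in volume.free:
        if marker in volume.disk[cid * CLUSTER:(cid + 1) * CLUSTER]:
            found.add("unallocated")        # released cluster, never overwritten
    return found


def build_scenario():
    """Constructed case: a deleted ledger partly overwritten by a harmless note."""
    vol = ToyVolume(clusters=8)
    vol.write("ledger.txt", b"ACCT-SECRET-4711 " * 60)   # 1020 bytes -> 2 clusters
    vol.delete("ledger.txt")                             # suspect 'deletes' it
    vol.write("notes.txt", b"nothing to see here\n")     # reuses the first cluster
    return vol


if __name__ == "__main__":
    vol = build_scenario()
    print("ledger marker found in:", sorted(where_found(vol, b"ACCT-SECRET-4711")))
    print("logical copy sees:", vol.logical_copy())
```

A sparse acquisition of this volume returns only `notes.txt`; the account marker survives in the slack of that file and in the unallocated second cluster, and only a physical image captures both.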
Using a Technical Advisor
• Technical advisor
• Can help you list the tools you need to process the incident or crime scene
• Person guiding you about where to locate data and helping you extract log
records
• Or other evidence from large RAID servers
• Can help create the search warrant by itemizing what you need for the
warrant
Technical Advisor Responsibilities
• Know aspects of the seized system
• Direct investigator handling sensitive material
• Help secure the scene
• Help document the planning strategy for search and seizure
• Conduct ad hoc trainings
• Document activities
• Help conduct the search and seizure
Documenting Evidence in the Lab
• Record your activities and findings as you work
• Maintain a journal to record the steps you take as you
process evidence
• Goal is to be able to reproduce the same results
• When you or another investigator repeat the steps you
took to collect evidence
• A journal serves as a reference that documents the
methods you used to process digital evidence
Processing and Handling Digital Evidence
• Maintain the integrity of digital evidence in the lab
• As you do when collecting it in the field
• Steps to create image files:
• Copy all image files to a large drive
• Start your forensics tool to analyze the evidence
• Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital
hash
• Compare it with the hash recorded at acquisition; a mismatch means the copy is
not the evidence you acquired and must not be analyzed
• Secure the original media in an evidence locker
Storing Digital Evidence
• The media you use to store digital evidence usually
depends on how long you need to keep it
• Capacity, lifespan, and cost figures below are as given in the original text
and are dated; check current vendor specifications
• CD-Rs or DVDs
• The ideal media
• Capacity: up to 17 GB
• Lifespan: 2 to 5 years
• Magnetic tapes
• Capacity: 40 to 72 GB
• Lifespan: 30 years
• Costs: drive: $400 to $800; tape: $40
Evidence Retention and Media Storage Needs
• To help maintain the chain of custody for digital
evidence
• Restrict access to lab and evidence storage area
• Lab should have a sign-in roster for all visitors
• Maintain logs for a period based on legal requirements
• You might need to retain evidence indefinitely
• Check with your local prosecuting attorney’s office or
state laws to make sure you’re in compliance
• You cannot retain child pornography evidence, however
Documenting Evidence
• Create or use an evidence custody form
• An evidence custody form serves the following functions:
• Identifies the evidence
• Identifies who has handled the evidence
• Lists dates and times the evidence was handled
• You can add more information to your form
• Such as a section listing MD5 and SHA-1 hash values
Documenting Evidence (continued)
• Include any detailed information you might need to reference
• Evidence bags also include labels or evidence forms you can use to
document your evidence
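The bag-and-tag steps and the custody form fields above are easy to keep in a structured log. The following Python example is added here and is not from the original text. Each entry carries the fields the slides list (item tag, date and time, action, handler) plus any details such as serial number, make and model, or image hash values. As an added design choice that the text does not prescribe, each entry also records the SHA-256 of the previous entry; when the two separately maintained logs are compared, an edited or removed line then shows up as a broken chain. All names, tags and times are constructed.

```python
"""Tamper-evident evidence custody log kept in two copies (added example)."""
import copy
import datetime
import hashlib
import json

GENESIS = "0" * 64   # 'previous digest' of the first entry


def entry_digest(entry):
    """SHA-256 over the entry's fields (excluding its own digest), canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_entry(prev, item_tag, action, handler, when=None, **details):
    entry = {
        "item_tag": item_tag,                       # tag on the evidence bag
        "time": when or datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "action": action,                           # collected / checked in / imaged ...
        "handler": handler,                         # person who handled the item
        "details": details,                         # serial, make/model, MD5, SHA-1 ...
        "prev": prev,                               # digest of the preceding entry
    }
    entry["digest"] = entry_digest(entry)
    return entry


class CustodyLog:
    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def append(self, entry):
        # Refuse an entry that does not continue this log's chain.
        if entry["prev"] != self.head():
            raise ValueError("entry does not chain onto this log")
        self.entries.append(copy.deepcopy(entry))

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_digest(e) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, None


def record(logs, item_tag, action, handler, when=None, **details):
    """Write one custody event to every log; the first log defines the chain head."""
    entry = make_entry(logs[0].head(), item_tag, action, handler, when, **details)
    for log in logs:
        log.append(entry)
    return entry["digest"]


def logs_agree(primary, secondary):
    """Both logs intact and ending on the same chain head."""
    return (primary.verify()[0] and secondary.verify()[0]
            and primary.head() == secondary.head())


if __name__ == "__main__":
    primary, backup = CustodyLog(), CustodyLog()
    record([primary, backup], "SB-001", "collected", "A. Collector",
           serial="WX31A", make_model="WD 1TB SATA")
    record([primary, backup], "SB-001", "checked in", "Lab Custodian")
    print("logs agree:", logs_agree(primary, backup))
```

If one log is damaged, `verify()` names the first entry that no longer chains, which is where the reconciliation with the other copy starts.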
Obtaining a Digital Hash
• Cyclic Redundancy Check (CRC)
• Error-detecting checksum that shows whether a file’s contents have changed in
transit or storage
• CRC-32 is the variant in common use
• Not a cryptographic hash: a 32-bit check value is easy to forge, so it is not
suitable for proving the integrity of evidence
• Message Digest 5 (MD5)
• Cryptographic hash function that reduces a file of any size to a fixed 128-bit
value, written as 32 hexadecimal digits (the hash value)
• If a single bit in the file changes, the hash value changes
Obtaining a Digital Hash (continued)
• Three rules for forensic hashes:
• You can’t predict the hash value of a file or device
• No two different files or devices should produce the same hash value
• Strictly impossible, since there are more possible inputs than hash values;
the practical requirement is that nobody can find two inputs that collide
• If anything changes in the file or device, the hash value must change
Obtaining a Digital Hash (continued)
• In both MD5 and SHA-1, collisions have occurred
• Record a SHA-256 value alongside MD5 or SHA-1, and state on the custody form
which algorithm produced each value
• Most computer forensics hashing needs can be
satisfied with a nonkeyed hash
• A value anyone can recompute from the data alone, with a tool such as the
Linux md5sum or sha256sum command
• Keyed hash
• A value (an HMAC) computed from the data and a secret key, so only a holder of
the key can recompute or verify it
• You can use the MD5 function in FTK Imager to
obtain the hash value of a file
• Or an entire drive
• This is a hash value, not a digital signature; a signature additionally
requires a private key
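The following Python example is added here and is not from the original text or from any vendor tool. It serves both the "Processing and Handling Digital Evidence" steps (hash the image, compare with the value recorded at acquisition) and this section: it hashes a file in chunks, as an image larger than RAM requires, computing MD5 and SHA-1 as the slides describe plus SHA-256 in a single pass; verifies a later copy against the recorded values; shows that flipping one bit changes every digest; and contrasts a nonkeyed hash (what md5sum produces) with a keyed hash (HMAC). The image file, the bit offset and the key are constructed for the demonstration, not taken from any real acquisition.

```python
"""Hashing an evidence image and verifying it later (added example)."""
import hashlib
import hmac
import os

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20   # 1 MiB reads: images are far larger than memory


def hash_file(path, algorithms=ALGORITHMS):
    """One pass over the file, all digests computed together."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Compare a working copy with the digests recorded at acquisition.

    Returns the algorithms whose digest did NOT match (empty list = intact).
    """
    current = hash_file(path, recorded.keys())
    return [name for name in recorded
            if not hmac.compare_digest(current[name], recorded[name])]


def keyed_hash_file(path, key, algorithm="sha256"):
    """Keyed hash (HMAC): only a holder of `key` can recompute or check it."""
    mac = hmac.new(key, digestmod=algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def flip_one_bit(src, dst, offset):
    """Write a copy of src to dst with a single bit at byte `offset` inverted."""
    with open(src, "rb") as fh:
        data = bytearray(fh.read())
    data[offset] ^= 0x01
    with open(dst, "wb") as fh:
        fh.write(data)


def demo(workdir="."):
    """Constructed 'image' of about 3 MiB; every value below derives from it."""
    image = os.path.join(workdir, "evidence_constructed.dd")
    altered = os.path.join(workdir, "evidence_altered.dd")
    with open(image, "wb") as fh:
        fh.write(b"SUSPECT-DRIVE-SECTOR\n" * 150_000)
    recorded = hash_file(image)                 # what goes on the custody form
    flip_one_bit(image, altered, offset=1234)   # one bit, deep inside the file
    return {
        "recorded": recorded,
        "copy_intact": verify_image(image, recorded) == [],
        "altered_mismatches": verify_image(altered, recorded),
        "keyed": keyed_hash_file(image, b"lab-secret-key-constructed"),
    }


if __name__ == "__main__":
    result = demo()
    for name, value in result["recorded"].items():
        print(f"{name:7} {value}")
    print("copy intact:", result["copy_intact"])
    print("after one flipped bit, mismatching:", result["altered_mismatches"])
    print("keyed (HMAC-SHA256):", result["keyed"])
```

Computing all digests in one pass matters on a multi-terabyte image: reading it once for MD5 and again for SHA-256 doubles the time the original media spends spinning in the lab.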
Reviewing a Case
• General tasks you perform in any computer forensics case:
• Identify the case requirements
• Plan your investigation
• Conduct the investigation
• Complete the case report
• Critique the case
Sample Civil Investigation
• Most cases in the corporate environment are
considered low-level investigations
• Or noncriminal cases
• Common activities and practices
• Recover specific evidence
• Suspect’s Outlook e-mail folder (PST file)
• Covert surveillance
• Its use must be well defined in the company policy
• Risk of civil or criminal liability
• Sniffing tools for data transmissions
Covert Surveillance Tools
• Spector
• WinWhatWhere
• EnCase Enterprise Edition
Sample Criminal Investigation
• Computer crimes examples
• Fraud
• Check fraud
• Homicides
• Need a warrant to start seizing evidence
• Limit searching area
Reviewing Background Information for a Case
• Company called Superior Bicycles
• Specializes in creating new and inventive modes of human-driven
transportation
• Two employees, Chris Murphy and Nau Tjeriko, have been missing for
several days
• A USB thumb drive has been recovered from Chris’s office with
evidence that he had been conducting a side business using company
computers
Identifying the Case Requirements
• Identify requirements such as:
• Nature of the case
• Suspect’s name
• Suspect’s activity
• Suspect’s hardware and software specifications