Damon Hacker, Vestige President, is presenting to the SAME Mt. Tacoma Post & engineering students at the University of Washington-Tacoma on April 9.

Preservation of Relevant Data

Articles

Preservation of Relevant Data

Author photo
Vestige Digital Investigations, CTO and Founder
BS, EnCE, DFCP

“You’re doing what with my computer?”

Last week we discussed the first stage in computer forensics, identification of potential sources of relevant data.  This week we will discuss the next stage, digital data preservation.

The ESI expert shows up at your door.  A forensic image of your computer is what they want.  Immediately thoughts of your data strewn about the internet come to mind.  It really isn’t that bad…read on to find out the ins-and-outs of forensic imaging.

The Forensic Image

In a scientific sense, a forensic image is a byte for byte identical copy of all content that exists on your hard drive whether that content is active or deleted, generated by you or by the computer.  In lay person’s terms, all emails and documents are being copied along with information as to how your computer is configured, websites you have visited, devices connected to your machine, etc.  If you are familiar with a Ghost image, this process is more thorough and provides for assuring that the process is accurate and complete (more on that later).

One important item to keep in mind is that digital evidence preservation does not include analysis or reading of the data. Therefore, preservation can be accomplished prior to setting up protocols for searching and analysis in such a way as to protect the owner’s data.  In fact, Vestige often recommends to its clients to preserve the data quickly and up front prior to anything occurring which may delete important data.

Another important item is that preservation usually involves “write blocking” of the original evidence.  Write blocking involves the use of hardware or software to prevent information from being written to the evidence.  This step is important to prevent altering of evidence or overwriting of important evidence, such as file dates.

Preservation is not just relegated to hard drives.  Preservation can mean many other things.  It might be creating a forensic image of a computer.  It might mean selective preservation of folders on a server.  Maybe you are capturing mailboxes or a cell phone.  Regardless of what is being preserved, the method should be defensible and along the lines of industry standards.

Authenticity & Admissibility

I briefly mentioned that a forensic image provides assurances that the process is accurate and complete.  During the imaging process, the software or hardware used will calculate a hash, commonly an MD5 hash.  An MD5 hash is a 32 hexadecimal (0-9, A-F) character string that uniquely identifies the content on the hard drive.  An MD5 hash is related to the content of a hard drive in the same way that a fingerprint or DNA profile is related to a human being.  The difference is that an MD5 is much more precise than a fingerprint or DNA match.

Effort & Convenience

So the first question we are often asked at Vestige is “how long will this take”.  I always want to answer with “how big is a box”.  Well, it depends.  It depends on how big your hard drive is, how large your mailbox is or how much data is on that network share.  For a laptop or desktop, the time is a function of the size of the hard drive.  By size, I’m not talking about how much data is in use or not, or how “full” your hard drive might be.  I’m talking about the full size of the hard drive.  Data can typically be preserved at a speed of 4-5 GB a minute.  So if you have a 500 GB hard drive, it can take an hour and a half to two hours, just to copy the data.  Add another half hour for documentation, removal of the hard drive and putting it back and there you have it.  In some circumstances, however, a forensic expert may have to preserve the hard drive by sending the image to a portable USB drive connected to the computer.  In situations such as that, the speed will drop to 1.5 GB a minute to maybe 3 GB a minute.  Now you are talking about hours to preserve a 500 GB drive.  Remember when we talked about creating that MD5 hash?  Sometimes the examiner may decide to verify the image right there.  So now you have to re-read that 500 GB image, typically at a rate of 4-5 GB a minute again.  The benefit of verifying the image right then is that the examiner doesn’t have to come back.  The downside is that it takes a little longer.

In Vestige’s experience, cell phones can take 1-5 hours.  The timing is based on the type of image being made, logical or physical and the type of phone.  If one is making a logical image, the time is directly related to how much data is on the phone.

So how does one make this process a little easier?  Quite often Vestige’s clients bring their devices into our lab at the end of the day.  We set it up to image overnight and have it ready first thing in the morning.  Vestige’s analysts have also come on site to start imaging the end of day.  Quite often Vestige will queue up half dozen or more computers to image simultaneously.  In one matter, Vestige preserved over 100 computers in a 36 hour period.

Digital data preservation can be done remotely as well.  Vestige has imaged computers all over the country.  A portable USB drive is sent on site.  The user will connect the USB drive to the computer and then a forensic analyst will direct the person either over the phone or via remote control over the internet through a couple of simple steps to start the process.  Afterwards, the drive is disconnected and shipped back to Vestige’s lab.  The best part is that the data is encrypted on the hard drive protecting it during transit.

Clone vs Image

I sometimes hear people talking about “cloning” a machine and often use it interchangeably with imaging.  Those terms, however, mean different things.  We’ve talked about a forensic image in this article.  The result of a forensic image is one or more computer files that need to be opened with a special program in order to see the content.  I can’t just provide an average person a forensic image and have them open it up in Windows.  A clone, on the other hand, is an exact byte for byte copy of a hard drive, just like a forensic image.  However, the result is that the hard drive is in essence rebuilt on another hard drive.  So one could take that clone, attach it to a computer and open up the various files.  That said, there is no protection for a clone to prevent it from being altered without doing something else.  If you think that you can hire an expert to make a clone and then just start poking around and find “evidence” I would venture to say that you may do more damage to the evidence than good.

Next week we will discuss the analysis phase.  What goes on behind those closed doors of the forensic lab? Read about some of our computer forensic cases to discover how we have applied our techniques.

Greg Kelley - Vestige CTO lft smallby Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations