
Documenting Computer Forensic Procedures

By John J. Barbara

There are examiners working today in some agencies who do not have documented technical standard operating procedures (SOPs) for the analysis of digital media. Most likely, this is because no Quality Assurance Practices (QAP) are being followed and no Quality Assurance System (QAS) exists in those agencies to provide oversight. One requirement of a QAS is the development of a comprehensive Quality Assurance Manual (QAM). The QAM would include the assertion that SOPs must be documented and available for examiners' use. SOPs could be incorporated into the QAM itself or documented in a stand-alone manual. It is unacceptable for any agency to be analyzing digital media without having a QAS, a QAM, and documented SOPs. Without these three critical components, there are no assurances to demonstrate that QAPs are in place and being used to provide results that are accurate, repeatable, and reliable.

When an examiner is made aware that documented SOPs are needed, he or she generally asks two questions: What type of outline or format do I use? and How much detail should I put into my technical SOPs? In a previous Digital Insider column, an outline was discussed concerning the style or format for writing policy statements. It can also serve as a template for documenting technical SOPs. Using that outline, a policy and procedure for the analysis of removable hard drives is shown below. It is not intended to be all-inclusive and should be viewed as a guide to writing technical SOPs.

COMPUTER FORENSICS OPERATIONAL MANUAL

1. Policy Name: Imaging Removable Hard Drives
2. Policy Number/Version: 1.0
3. Subject: Imaging and analysis of removable evidence hard drives.
4. Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers.
5. Document Control: Approved By/Date: ___ Revised Date/Revision Number: ___
6. Responsible Authority: The Quality Manager (or designee).
7. Related Standards/Statutes/References:
   A) ASCLD/LAB Legacy standards 1.4.2.5, 1.4.2.6, 1.4.2.7, 1.4.2.8, 1.4.2.11, and 1.4.2.12.
   B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 4.13.2.4, 5.4.1.1, 5.4.1.2, 5.4.2.1.
   C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 5.4.5.2, 5.4.7.2 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a).
8. Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops.
9. Policy Statement:
   A) No analysis will be performed without legal authority (search warrant or consent form). If none is submitted, the examiner must contact the investigator to obtain the necessary legal authority.
   B) Forensic computers are not connected to the Internet.
   C) All forensic archives created and data recovered during examinations are considered evidence.
   D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes and ensure the revised procedure is validated, if necessary, prior to its use in casework.
10. Procedure:
   A) Responsibilities
      1. Section Supervisor
         a) Only trained examiners are assigned to work cases.
         b) Performs administrative and technical case file review.
      2. Examiners
         a) Report directly to the section supervisor.
         b) Must be familiar with all types of hard drives that may be encountered as evidence.
         c) Responsible for the chain of custody record, evidence handling, evidence marking and security, and analysis of evidence.
         d) Generate reports and testify in court.
   B) Examination Preparation
      1. Legal Authority: Examiners are to review the search warrant or consent form to determine the scope of the examination. Contact the investigator to obtain a list of keywords if none is provided.
      2. Chain of Custody: All evidence transfers are documented in the evidence tracking system.
      3. Safety: All applicable parts of the agency Safety Manual and the unit's Handling Digital Media policy and procedure will be followed as appropriate.
      4. Equipment and Materials:
         a) Marking pens, evidence tape, anti-static packaging material, worksheets, etc.
         b) Forensic computers
         c) Approved forensic software
         d) New/sterilized digital media (CDs, DVDs, hard drives, etc.)
         e) Verified/validated hardware write blockers and interfaces
         f) Crossover cables
         g) Assembly/disassembly toolkits
         h) Digital camera
         i) Appropriate hard drive standards and controls
      5. Special Allowances:
         a) If hard drives are not removed or a RAID configuration exists, refer to the Cable Imaging, RAID Imaging, and/or DOI Imaging procedure(s).
         b) Hard drives may be password protected. Refer to the Breaking Passwords procedure.
      6. Evidence Documentation, Handling, and Inventory:
         a) Photograph and print pictures of evidence for the case file.
         b) Inventory/describe evidence. Record serial numbers in the case file.
         c) Mark evidence according to the Handling Digital Evidence procedure.
   C) Hard Drive Analysis:
      1. Select the appropriate hard drive standard and control and interface/write blocker.
      2. Record the forensic computer's POST in the instrument logbook.
      3. Image the hard drive standard and control. Record the hash value in both the instrument logbook and the case file.
      4. Complete the Hardware Documentation Worksheet.
      5. Remove evidence hard drive(s).
      6. Obtain BIOS information from the evidence computer.
      7. Attach evidence hard drive(s) to the appropriate interfaces and/or write blockers and image onto wiped hard drive(s).
      8. Verify hash values and create forensic archive(s) on non-alterable digital media whenever possible.
      9. Examine the image using in-house verified/validated approved software tool(s).
      10. Complete the Analysis Worksheet.
      11. Export probative data onto digital media (CDs/DVDs, hard drives, etc.).
      12. Prepare the report and submit the case file for review; repackage the evidence and return it to the property room.

The policy and procedure example is written in an outline format and references worksheets and other procedures where more detailed information can be obtained. Agencies or units may decide to use a narrative style and incorporate the referenced procedures into one detailed procedure. That would be their choice. Regardless of the amount of detail included, the most important consideration is that all technical standard operating procedures must be documented.

John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the Handbook of Digital & Multimedia Evidence published by Humana Press.

Computer Forensic Standard Operating Procedures


Charles Pearson has written as a freelancer since 2009. He has a B.S. in literature from Purdue University Calumet and is currently working on his M.A. He has written the ebooks "Karate You Can Teach Your Kids," "Macadamia Growing Handout" and "The Raw Food Diet." By Charles Pearson, eHow Contributor


Information that seems lost on a computer can sometimes still be there.

Computer forensics is the act of using computer knowledge and skills in order to find evidence for crimes. In many cases, computer forensics investigators must find evidence that a computer user has attempted to hide by deleting the evidence or using specialized programs to hide evidence. Since computer users can sometimes attempt to frame other computer users for crimes, the forensics specialist must follow standard operating procedures.

Overwrite
The sooner the computer evidence is collected by computer forensics specialists, the better, according to the University of Mississippi. Data that has been deleted on a computer can still remain on the computer in full or be partially there until the computer overwrites the data. Even partial data can be useful in a prosecution.

Hard Drive Duplication
An entire duplicate of the computer's hard drive is made, since computer forensics specialists do not always know which evidence might be valuable in the trial, according to the University of Mississippi.

Data Preservation
Evidence collected through computer forensics procedures must not be tampered with, since data that has been tampered with might not be usable in court and might also implicate innocent individuals, according to the University of Central Florida. All relevant data must be preserved in case the evidence is needed in the future. According to the University of Mississippi, one of the benefits of digital evidence is that it can be duplicated exactly. However, the duplicate must be verified as exact, for example by matching cryptographic hashes of the original and the copy, so that it can stand in for the original.

Computer Damage
The computer in which the evidence in question is located must be carefully supervised, since damage to the computer can lead to a loss of evidence. Computers can be vulnerable to electrical shocks, vibrations and improper shutdowns, according to the University of Mississippi.

Identifiers

Evidence must be identified by computer forensics specialists using descriptors of what each piece of evidence implies so that those with less technical sophistication can understand the evidence, according to the University of Central Florida. All computer evidence must be available for anyone to review, according to the University of Mississippi.

Timeline
In order for prosecutors and the jury to fully understand what occurred with the computer systems, computer forensics specialists must create a time line of actions that occurred and must thoroughly explain what these actions mean, according to the University of Central Florida.
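One way to build such a timeline, added here as an example and not code from the eHow article: it takes per-file timestamps as a forensic tool would export them and produces the time-ordered, collapsed timeline that The Sleuth Kit's mactime produces, with a MACB column showing which of a file's timestamps (Modified, Accessed, metadata Changed, Born) fell at each instant. The file records are constructed for illustration, not taken from a real case.

```python
"""MACB timeline builder, added here as an example; it is not code from the
eHow article. The sample records below are constructed, not from a real
case. Output follows the convention of The Sleuth Kit's mactime: one line
per (instant, file), with a four-letter MACB column.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Column convention: M = content modified, A = last accessed,
# C = metadata (inode/MFT record) changed, B = born/created.
FLAGS = ("M", "A", "C", "B")


def build_timeline(records):
    """records: iterable of dicts with a 'path' and ISO-8601 strings (with
    UTC offset) under 'm', 'a', 'c', 'b'; any timestamp may be None.
    Returns [(datetime_utc, macb, path)] sorted by time, then path."""
    buckets = defaultdict(set)
    for rec in records:
        for flag in FLAGS:
            stamp = rec.get(flag.lower())
            if stamp is None:
                continue
            # Normalise to UTC so files from differently configured
            # machines sort correctly against each other.
            when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
            buckets[(when, rec["path"])].add(flag)
    timeline = []
    for (when, path), flags in sorted(buckets.items()):
        # Collapse several timestamps at the same instant into one row,
        # e.g. a freshly created file shows "M.CB" rather than three rows.
        macb = "".join(f if f in flags else "." for f in FLAGS)
        timeline.append((when, macb, path))
    return timeline


def render(timeline):
    """Format one timeline entry per line, mactime style."""
    return [f"{when:%Y-%m-%d %H:%M:%S}Z  {macb}  {path}"
            for when, macb, path in timeline]


def timeline_summary(records):
    """(macb, file name) pairs in timeline order; handy for a quick read."""
    return [(macb, path.rsplit("/", 1)[-1])
            for _, macb, path in build_timeline(records)]


# Constructed scenario: a document is created, a wiping tool is downloaded
# and run, and the document lands in the Recycle Bin two minutes later.
SAMPLE_RECORDS = [
    {"path": "C:/Users/jdoe/Documents/plan.docx",
     "b": "2024-03-05T09:15:00+00:00", "m": "2024-03-05T09:15:00+00:00",
     "a": "2024-03-05T10:02:00+00:00", "c": "2024-03-05T10:02:00+00:00"},
    {"path": "C:/Users/jdoe/Downloads/eraser.exe",
     "b": "2024-03-05T10:00:10+00:00", "m": "2024-03-05T10:00:10+00:00",
     "a": "2024-03-05T10:01:30+00:00", "c": "2024-03-05T10:00:10+00:00"},
    {"path": "C:/$Recycle.Bin/S-1-5-21-1000/$R3K1F9.docx",
     "b": "2024-03-05T10:02:00+00:00", "m": "2024-03-05T10:02:00+00:00",
     "a": None, "c": "2024-03-05T10:02:00+00:00"},
]

if __name__ == "__main__":
    for line in render(build_timeline(SAMPLE_RECORDS)):
        print(line)
```

The value of the collapsed view is that the story reads off the MACB column: the executable's ".A.." row at 10:01:30 is the only access of the tool, and thirty seconds later the document's ".AC." row coincides with the "M.CB" birth of a Recycle Bin entry. Timestamps alone do not prove who sat at the keyboard; the timeline is what the examiner explains, as the paragraph above says.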

Current Technology
Computer forensics specialists must keep up-to-date with the latest computer information, such as with the latest computer hacking and cracking techniques and the latest advancements in legal software, according to the University of Central Florida. They must also keep up-to-date with technology available for solving computer crimes.

Laws
New laws are passed on an ongoing basis regarding computers and the law. Computer forensics specialists must keep up-to-date with what is legal and what is illegal regarding computers, according to the University of Central Florida.


Source: Computer Forensic Standard Operating Procedures, eHow.com, http://www.ehow.com/list_6809822_computer-forensic-standard-operatingprocedures.html#ixzz1XSM9Gopi

Computer Forensics Procedures & Methods


Renee O'Farrell is a freelance writer providing valuable tips and advice for people looking for ways to save money, as well as information on how to create, re-purpose and reinvent everyday items. Her articles offer money-saving tips and valuable insight on typically confusing topics. O'Farrell is a member of the National Press Club and holds advanced degrees in business, financial management, psychology and sociology. By Renee O'Farrell, eHow Contributor



Computer forensics involves extracting and analyzing digital data. The evidence collected is frequently used in court cases, both criminal and domestic, as well as within the operations of a company to ensure that resources are being used in acceptable ways. In spite of the fact that computer forensics has so many varied uses, the procedures and methods used are largely similar, if not identical.

Gathering Data
In computer forensics, the analyst almost always gathers data by making a digital image of the target hard disk. This allows the information to be examined without risking the integrity of the data itself. This is important because if data is accessed incorrectly, it may become inadmissible. A common error made by inexperienced computer forensic analysts is accessing the data directly on the original drive; doing so updates the file system's last-accessed timestamps and can change other metadata, destroying the very evidence of who touched what and when. Some of the tools used already exist on the computer: many systems run backup or file-versioning features by default, and just as these make it possible to retrieve a file that was erased by accident, they can also recover files that were erased on purpose. Other resources are available online, such as Whois, a service that identifies the organization to which a given IP address block is registered. An IP address is akin to the computer's telephone number. Although most IP addresses are dynamic, meaning that they change, they can still be used to obtain certain types of information, such as the company or provider the address range is registered to.

Types of Evidence
There are two types of evidence looked for in computer forensics: persistent (non-volatile) data, which remains intact when the computer is turned off, and volatile data, which is lost when the computer loses power. Most data will be persistent in nature; sources include hard drives, optical discs and removable storage devices such as USB flash drives, and within those, deleted files, the Windows registry, temporary files and web browsing history. Volatile data lives in memory and must be captured from the running system before it is shut down: running processes, open network connections, logged-in users and the contents of RAM, which may include passwords and encryption keys.

Considerations
An important consideration in computer forensics is attribution. For example, how can it be proven that the owner of the computer sent a certain email and not another person? Even in work environments with private offices, it is entirely possible that someone obtained another person's password and/or used that person's computer to do something he should not have. Also, security monitoring has many legal implications. Most governments have laws protecting privacy and limiting the types of information that can be monitored; United States examples include the Wiretap Act (18 U.S.C. §§ 2510-2522), the Pen Registers and Trap and Trace Devices Statute (18 U.S.C. §§ 3121-3127) and the Stored Wire and Electronic Communications Act (18 U.S.C. §§ 2701-2712).

What Is Computer Forensic Data?


Mercedes T. Green's primary interests are information, investigation and technology. She began her writing career creating technical documentation. Green has written for various websites and is certified in computer forensics and network administration. She has a bachelor's degree in business and a master's degree in information technology. By Mercedes T. Green, eHow Contributor

Computer Media
Computer forensic data is any digital information retrieved from a computer or computer media which is acquired, authenticated, validated, analyzed and stored using sound forensic procedure. Computer forensic data is used to support criminal, civil and employee termination cases.

Volatile Data
Volatile data is lost when the system is powered down. Information in RAM (running processes, open network connections, cached passwords and encryption keys) is volatile data.

Nonvolatile Data
Nonvolatile data survives a power-down and can still be retrieved if the system is switched off before the investigation. Hard drives, CD-ROMs and USB thumb drives contain nonvolatile data.

Encrypted Data
Encrypting data transforms it into ciphertext by applying a mathematical algorithm under a key. Without that key, encrypted data retrieved from a powered-down drive cannot be read, which is one reason keys and passphrases are sought in RAM during live acquisition.

Live Acquisition
Live acquisition is the examination of a system while it is running. Volatile computer forensic data is collected from RAM during the live acquisition phase of the investigation, before the system is powered down.

Static Acquisition
Static acquisition is the method used to retrieve nonvolatile data from a system that is powered off, normally by imaging the media through a write blocker. This type of acquisition is used to recover forensic data from hard drives, USB thumb drives, diskettes and discs.

Computer Forensic Collection Steps & Procedures


Rob Callahan lives in Minneapolis, where he edits several regional magazines published by Tiger Oak Publications. His print and broadcast work has earned awards in the fields of journalism, social media and the arts. Callahan graduated from Saint Cloud State University in 2001 with a bachelor's degree in philosophy. By Rob Callahan, eHow Contributor

Computer forensics can often recover data from badly damaged computers and drives.

Computer forensics is a process used to gain information from digital devices such as computers and related devices (such as USB drives, digital cameras and cell phones) as well as black boxes, RFID tags and web pages. This is typically done to obtain evidence for legal proceedings, but can also be used to recover lost data, analyze security faults in compromised computers, reverse-engineer hardware and software and optimize a computer's performance. There are five basic steps in computer forensic collection.

Preparation
Computer forensic investigators are properly trained, with specific training pertaining to the kind of investigation they are conducting. In addition to education and training, the investigator will be aware of all the tools that will be needed, and have them on hand for the investigation.

Collection
During the process of collecting digital evidence, the investigator will ensure that the data remains intact and unaltered. For later proof that the evidence has not been tampered with, he will calculate and record a cryptographic hash of the original media and of each evidence file or image; a hash recomputed at any later time must match the recorded value, proving that the evidence has not been modified. He will further ensure the integrity of digital evidence by imaging computer media through a write-blocking tool, establishing a chain of custody and documenting everything done to the evidence. He will examine and capture a computer's RAM for evidence prior to powering it down, as some digital evidence may exist only in RAM and will be lost after the computer is turned off.
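The hash verification this step describes, and step C.8 ("Verify hash values") of the Barbara procedure earlier on the page, as an added example that is not code from either article. It assumes the image has already been acquired through a hardware write blocker; the "drive" and its images here are ordinary files constructed in a temporary directory so that it runs offline. Both MD5 and SHA-256 are recorded because older case files and many tools still report MD5, and a verification passes only if every recorded algorithm agrees.

```python
"""Image hash verification, added here as an example; it is not code from
either article. The examiner is assumed to have already acquired the
image through a hardware write blocker; the 'drive' and the images in
demo() are files constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Algorithms most tools record: MD5 to match hashes in older case files,
# SHA-256 as the current standard. Both must agree for a verification.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images fit in memory


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest}, streaming the file in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hashes_match(source_hashes, image_hashes):
    """True only if every recorded algorithm agrees; one mismatch means the
    image is not a bit-for-bit copy and must not be used for analysis."""
    return all(source_hashes[name] == image_hashes.get(name)
               for name in source_hashes)


def verify_image(source_path, image_path):
    """Hash source and image, compare, and return (matched, record) where
    record is what goes into the instrument logbook and the case file."""
    source = hash_file(source_path)
    image = hash_file(image_path)
    matched = hashes_match(source, image)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "source_hashes": source,
        "image_hashes": image,
        "verified": matched,
    }
    return matched, record


def demo():
    """Constructed data: a 3 MiB pseudo-drive, a faithful image, and an
    image with a single flipped bit past the first chunk boundary.
    Returns (faithful_image_verified, corrupt_image_verified)."""
    payload = bytes(range(256)) * (3 * 4096)  # 3 MiB, deterministic
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence_hdd.raw")
        good = os.path.join(tmp, "evidence_hdd.dd")
        bad = os.path.join(tmp, "evidence_hdd_corrupt.dd")
        with open(src, "wb") as f:
            f.write(payload)
        with open(good, "wb") as f:
            f.write(payload)
        corrupt = bytearray(payload)
        corrupt[CHUNK + 17] ^= 0x01  # one bit, deep in the second chunk
        with open(bad, "wb") as f:
            f.write(corrupt)
        good_ok, _ = verify_image(src, good)
        bad_ok, _ = verify_image(src, bad)
    return good_ok, bad_ok


if __name__ == "__main__":
    ok, ko = demo()
    print("faithful image verified:", ok)
    print("corrupt image verified:", ko)
```

The record dictionary is the part worth keeping: the procedure above requires the hash in both the instrument logbook and the case file, and a verification without the recorded size, time and both digests cannot be repeated by a reviewer. On a real drive the source path would be the write-blocked device node and the hash of the source is taken once at acquisition, since every later comparison is against that recorded value.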

Examination
During the examination step, the investigator will verify and catalog the presence and integrity of the original evidence and any copies.

Analysis
The investigator uses specialized software to determine the type of information stored on digital evidence, and conducts a thorough analysis of the media. This includes a manual review of all materials found on the media, a review of the Windows registry, techniques to crack passwords and retrieve protected data, keyword searches and extraction of email and pictures for further review.
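Keyword search and picture extraction as this paragraph describes, and the recovery of deleted-but-not-overwritten data the Overwrite section earlier on the page mentions, as an added example that is not the article's code: it works on the raw image bytes rather than the mounted file system, so hits in unallocated space surface just as hits in live files do. The search is run in both ASCII and UTF-16LE because much of what Windows writes is UTF-16LE, and pictures are recovered by header/footer carving of JPEG markers. The 64 KiB "drive image" is constructed inside the block.

```python
"""Keyword search and JPEG carving over raw image bytes, added here as an
example; it is not code from the eHow article. The 64 KiB 'drive image'
is constructed in build_sample_image(), not taken from a real case.
"""
import re

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
MAX_JPEG = 50 * 1024 * 1024  # give up on an SOI if no EOI within this span


def keyword_hits(image, keywords):
    """Return sorted [(offset, keyword, encoding)] for case-insensitive
    matches encoded as ASCII and as UTF-16LE. Much of what Windows writes
    (MFT names, registry values, LNK targets) is UTF-16LE, so an
    ASCII-only search misses those artefacts."""
    hits = []
    for kw in keywords:
        for enc, pat in (("ascii", re.escape(kw.encode("ascii"))),
                         ("utf-16le", re.escape(kw.encode("utf-16-le")))):
            for m in re.finditer(pat, image, re.IGNORECASE):
                hits.append((m.start(), kw, enc))
    return sorted(hits)


def carve_jpegs(image):
    """Return [(start, end, data)] for every SOI..EOI span found by
    header/footer carving. Offsets are into the raw image, which is
    what the report must cite since deleted data has no file name."""
    carved = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > MAX_JPEG:
            pos = start + 1       # orphan header: skip it, keep scanning
            continue
        end += len(JPEG_EOI)
        carved.append((start, end, image[start:end]))
        pos = end
    return carved


def build_sample_image():
    """Constructed 64 KiB image: a live text file, a UTF-16LE fragment of a
    deleted document in unallocated space, and a minimal JPEG-shaped blob."""
    img = bytearray(64 * 1024)
    live = b"meeting notes: transfer the funds to the offshore account\n"
    img[4096:4096 + len(live)] = live
    deleted = "Offshore Account wire instructions".encode("utf-16-le")
    img[20480:20480 + len(deleted)] = deleted
    blob = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + JPEG_EOI
    img[40960:40960 + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, kw, enc in keyword_hits(image, ["offshore account"]):
        print(f"hit at 0x{offset:08x} ({enc}): {kw}")
    for start, end, data in carve_jpegs(image):
        print(f"jpeg carved 0x{start:08x}-0x{end:08x} ({len(data)} bytes)")
```

Two caveats a practitioner would raise: header/footer carving stops at the first end-of-image marker, so a photo with an embedded EXIF thumbnail (which carries its own markers) is truncated at the thumbnail, and a keyword hit at a raw offset is only a lead until the examiner maps it back to a file, slack or unallocated cluster. Both are reasons the paragraph above calls for a manual review of what the tools find.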

Reporting
After analysis, the computer forensic investigator prepares and delivers a report. This may be a written report or an oral testimony. In some cases, she may prepare both a written report and a supplemental oral report.

What Is the Difference Between Computer Forensics & Digital Forensics?


Carol Wiley started writing as a technical writer/editor in 1990, was a licensed massage therapist for almost 12 years and has been writing Web content since 2003. She has a Bachelor of Science in aerospace engineering, a Master of Business Administration, a Certificate in Technical Writing and Editing and a Certificate in Massage Therapy. By Carol Wiley, eHow Contributor

Computer and digital forensics examines computers and other digital devices.
The terms computer forensics and digital forensics are often used interchangeably to refer to the investigation of any computer, computer-related device or digital device for legal purposes.

Definitions
Technically, the term computer forensics refers to the investigation of computers. Digital forensics includes not only computers but also any digital device, such as digital networks, cell phones, flash drives and digital cameras.

Purpose
The purpose of computer and digital forensics is to determine if a device was used for illegal purposes, ranging from computer hacking to storing illegal pornography or records of other illegal activity.

Different Methods
According to the authors of the paper "Computer Forensics In Forensis," different users apply computer forensic systems, models and terminology in different ways. Different users may make incompatible assumptions and arrive at different conclusions regarding forensic data.

Considerations
The paper "Computer Forensics In Forensis" also states that computer scientists working with law enforcement officials need not themselves be motivated by legal goals, but they do need to understand those goals. For example, to computer scientists, computer audit trails have uses other than as computer forensic data, including performance verification and accounting; accounting and debugging needs are different from forensic needs.

Expert Insight
"Computer Forensics In Forensis" goes on to state that the accuracy of computer forensic methods and the extent to which forensic data should be admissible in court is not yet well understood.
