IT Governance, Risk, and Compliance » Data Acquisition

Preserving Electronically Encoded Evidence – Part IV

Robert Davis — Mon, 17 Aug 2009 20:26:36 +0000

Whether target data is in transit or at rest, it is critical that measures are in place to prevent the sought information from being destroyed, corrupted or becoming unavailable for forensic investigation. When evidence is at rest, adequate procedures should be followed to ensure evidential non-repudiation. Volatile data capture assists investigators in determining the system state during the incident or event. Consequently, the utilization of functionally sound imaging software and practices are essential to maintaining evidential continuity.

“View Part I of the Preserving Electronically Encoded Evidence series here“

Post Note: An expanded version of this blog entry is available through the ISACA Journal.

Preserving Electronically Encoded Evidence – Part III

Robert Davis — Thu, 13 Aug 2009 21:04:19 +0000

Creating evidential copies through routine backup procedures will only permit replicating specific files while none of the files with delete indicators are recovered, nor the designated ‘free space’ between files. To remediate this limitation, a ‘forensic image’ should be obtained utilizing task-oriented software. Appropriate forensic image software reproduces an exact working copy of the original media’s content. Technologically, media content imaging can be carried out without launching the computers operating system, thereby avoiding tampering allegations. Functionally, the applied imaging software should be capable of making an exact replication of every encoded bit contained on the target media.

Residual data includes deleted files, fragments of deleted files and other data that are still existent on the disk surface. Forensic imaging software can capture residual data on targeted drives. Effective imaging replicates the disk surface sector-by-sector as opposed to reproduction file-by-file. With appropriate tools, even data commonly considered destroyed can be recovered from a disk’s surface. Furthermore, imaging software can also generate a log file recording of IT parameters such as disk configuration, interface status, and data checksums that are critical for supportable conclusions regarding an incident or event.

After creating at least two media images, one replication can be inserted as a target system substitute for the original while the second replication can be utilized for forensic analysis. Lastly, once facsimiled, the original media should be sealed in a sterilized container, labeled and stored as evidence.

“View Part I of the Preserving Electronically Encoded Evidence series here“

Post Note: An expanded version of this blog entry is available through the ISACA Journal.

Preserving Electronically Encoded Evidence – Part II

Robert Davis — Mon, 10 Aug 2009 19:59:15 +0000

Conditionally, if the target system is turned off, simply turning the technology on and permitting a ‘boot’ can introduce content changes to files directly or indirectly connected through operating system procedures. Some files interacting with the IT boot process may not be of interest to an investigation. Nevertheless, IT boot configuration modifications can cause previously deleted files — containing pertinent information — to become irretrievable.

When circumstances will not permit the embryonic operational state and site being maintained until law enforcement authorities arrive or when management accepts lawful extraction risks, data acquisition procedures may be invoked for evidence preservation. Data acquisition procedures involve the process of transferring encoded content into a controlled location; including electronic media types associated with an incident or event. Upon commitment to this course of action, all earmarked hardware media should be protected, as well as the target content, during transference to another medium through an approved methodology. However, capturing volatile data (such as open ports, open files, active processes, user logons and other random access memory information) is also critical in most situations where evidence integrity can become an issue. By definition, volatile data is transient electronic bits. Therefore, without adequate precautions, volatile data ceases to exist when an information technology is shut down.

“View Part I of the Preserving Electronically Encoded Evidence series here“

Post Note: An expanded version of this blog entry is available through the ISACA Journal.