This document discusses best practices for collecting, preserving, and analyzing digital evidence. It covers topics such as data recovery, backup solutions, hidden data recovery techniques, evidence collection methods, and standards for ensuring digital evidence is authenticated and verified. The goal is to extract useful information from seized devices and recovered data in a way that can be used in a court of law to identify attackers and reconstruct security incidents.
2. Data Recovery
• What is Data Recovery?
• Role of Backup in Data Recovery
• Data Recovery Solution
• Hiding and Recovering Hidden Data
3. What is Data Recovery
• Usually data recovery means that data that is lost is
recovered – e.g., when a system crashes some data
may be lost; with appropriate recovery procedures
the data is recovered
• In digital forensics, data recovery is about extracting
the data from seized computers (hard drives, disks
etc.) for analysis
4. Role of Backup in Data Recovery
• Databases/files are backed up periodically (daily, weekly,
hourly etc.) so that if system crashes the databases/files can
be recovered to the previous consistent state
• Challenge: backing up petabyte-sized databases/files
• Obstacles for backing up
– Backup window, network bandwidth, system throughput
• Current trends
– Storage cost decreasing, systems have to be online 24x7
• Next generation solutions
– Multiple backup servers, optimizing storage space
5. Data Recovery/Backup Solution
• Develop a plan/policy for backup and recovery
• Develop/Hire/Outsource the appropriate expertise
• Develop a system design for backup/recovery
– Three tier architectures, caches, backup servers
• Examine state of the art backup/recovery products
and tools
• Implement the backup plan according to the policy
and design
6. Recover Hidden Data
• Hidden data
– Files may be deleted, but until they are overwritten, the
data may remain
– Data stored in diskettes and stored inside another disk
• Need to get all the pieces and complete the puzzle
• Analysis techniques (including statistical reasoning)
are being used to recover hidden data
and complete the puzzle
7. Evidence Collection and Data Seizure
• What is Evidence Collection
• Types of Evidence
• Rules of Evidence
• Volatile Evidence
• Methods of Collection
• Steps to Collection
• Controlling Contamination
8. What is Evidence Collection
• Collecting information from the data recovered for further
analysis
• Need to collect evidence so that the attacker can be found
and future attacks can be prevented and/or limited
• Collect evidence for analysis or monitor the intruder
• Obstacles
– Difficult to extract patterns or useful information from the recovered
data
– Difficult to tie the extracted information to a person
9. Types of Evidence
• Testimonial Evidence
– Evidence supplied by a witness; subject to the perceived
reliability of the witness
– Word processor documents written by a witness as long as
the author states that he wrote it
• Hearsay
– Evidence presented by a person who is not a direct
witness
– Word processor documents written by someone without
direct knowledge of the incident
10. Rules of Evidence
• Admissible
– Evidence must be able to be used in court
• Authentic
– Tie the evidence positively to an incident
• Complete
– Evidence that can cover all perspectives
• Reliable
– There should be no doubt that proper procedures were used
• Believable
– Understandable and believable to a jury
11. Additional considerations
• Minimize handling and corruption of original data
• Account for any changes and keep detailed logs
• Comply with the 5 basic rules
• Do not exceed your knowledge – need to understand what
you are doing
• Follow the security policy established
• Work fast, but be accurate
• Proceed from volatile to persistent evidence
• Do not shut down the machine before collecting evidence
• Do not run programs on the affected machine
12. Volatile Evidence
• Types
– Cached data
– Routing tables
– Process table
– Kernel statistics
– Main memory
• What to do next
– Collect the volatile data and store in a permanent storage
device
13. Methods of Collection
• Freezing the scene
– Taking a snapshot of the system and its
compromised state
– Recover data, extract information, analyze
• Honeypotting
– Create a replica system and attract the attacker
for further monitoring
14. Steps to Collection
• Find the evidence; where is it stored
• Find relevant data - recovery
• Create order of volatility
• Remove external avenues of change; no
tampering
• Collect evidence – use tools
• Good documentation of all the actions
15. Controlling Contamination
• Once the data is collected it must not be contaminated; it
must be stored in a secure place, using encryption techniques
• Maintain a chain of custody: who owns the data, data
provenance techniques
• Analyze the evidence
– Use analysis tools to determine what happened
• Analyze the log files and determine the timeline
• Analyze backups using a dedicated host
• Reconstruct the attack from all the information collected
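The timeline step above depends on putting every log on one clock before ordering events. The following is an added example, not part of the original slides; the log formats, hosts and values are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines from three sources; all values are invented.
WEB_LOG = [  # Apache-style timestamp with explicit offset
    '203.0.113.7 - - [12/Mar/2024:14:02:11 +0000] "POST /login HTTP/1.1" 200',
    '203.0.113.7 - - [12/Mar/2024:14:05:40 +0000] "GET /admin/export HTTP/1.1" 200',
]
AUTH_LOG = [  # ISO 8601, host clock runs at UTC-5
    "2024-03-12T09:03:30-05:00 sshd: Accepted password for backup from 203.0.113.7",
]
FW_LOG = [  # epoch seconds, always UTC
    "1710252425 ALLOW out tcp 10.0.0.5 -> 203.0.113.7:443 bytes=48211003",
]

def parse_web(line):
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def parse_auth(line):
    return datetime.fromisoformat(line.split(" ", 1)[0])

def parse_fw(line):
    return datetime.fromtimestamp(int(line.split(" ", 1)[0]), tz=timezone.utc)

SOURCES = [("web", parse_web, WEB_LOG), ("auth", parse_auth, AUTH_LOG),
           ("fw", parse_fw, FW_LOG)]

def build_timeline(sources):
    """Return (events, rejected). Events are (utc_time, source, line) sorted
    by time; lines with no parsable timestamp are kept in rejected so that
    nothing disappears from the record without being accounted for."""
    events, rejected = [], []
    for name, parser, lines in sources:
        for line in lines:
            try:
                when = parser(line).astimezone(timezone.utc)
            except (ValueError, AttributeError):
                rejected.append((name, line))
                continue
            events.append((when, name, line))
    events.sort(key=lambda event: event[0])
    return events, rejected

if __name__ == "__main__":
    for when, name, line in build_timeline(SOURCES)[0]:
        print(when.isoformat(), name, line)
```

Sorted by the raw timestamp text, the 09:03 auth entry would appear first; normalized to UTC it falls between the two web requests.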
16. Duplication and Preservation of Evidence
• Preserving the Digital Crime Scene
– First task is to make a complete bit stream backup of all computer data
before review or processing
– Bit stream backups (also referred to as mirror image backups) involve
the backup of all areas of a computer hard disk drive or another type
of storage media, e.g., Zip disks, floppy disks, Jaz disks, etc. Such
backups exactly replicate all sectors on a given storage device. Thus,
all files and ambient data storage areas are copied. Bit stream backups
are sometimes also referred to as 'evidence grade' backups and they
differ substantially from traditional computer file backups and
network server backups.
– http://www.forensics-intl.com/def2.html
• Make sure that the legal requirements are met and proper procedures are
followed
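A bit stream copy can be checked against the bytes that were read at acquisition time. The following is an added example, not part of the original slides; the slides do not name a verification method, so the use of SHA-256, the 512-byte sector size and the in-memory "disk" are assumptions of this sketch.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector, assumed for this example

def acquire_image(source, image, sectors_per_read=64):
    """Copy every sector of source into image. Returns (sha256_hex, bytes)
    computed over the bytes actually read, allocated or not."""
    digest, total = hashlib.sha256(), 0
    while True:
        block = source.read(SECTOR * sectors_per_read)
        if not block:
            break
        digest.update(block)
        image.write(block)
        total += len(block)
    return digest.hexdigest(), total

def hash_stream(stream, chunk=SECTOR * 64):
    """Re-read a stream from its first byte and return its SHA-256."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def verify_image(acquired_hash, image):
    """True only while the stored image still matches the acquisition hash."""
    return hash_stream(image) == acquired_hash

def build_demo_disk():
    """Constructed 8-sector 'disk': one live file sector, one sector with
    the remains of a deleted file, six unused sectors. A file-level backup
    would copy only the first; a bit stream copy keeps all eight."""
    live = b"report.txt: quarterly numbers".ljust(SECTOR, b"\x00")
    deleted = b"DELETED: transfer log 2021".ljust(SECTOR, b"\x00")
    return io.BytesIO(live + deleted + b"\x00" * SECTOR * 6)

if __name__ == "__main__":
    disk, image = build_demo_disk(), io.BytesIO()
    acquired, size = acquire_image(disk, image)
    print(size, acquired, verify_image(acquired, image))
    image.seek(SECTOR)
    image.write(b"X")  # a single byte altered after acquisition
    print(verify_image(acquired, image))
```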
17. Digital Evidence Process Model
• The U.S. Department of Justice published a process model in the
Electronic Crime Scene Investigation: A guide to first responders that
consists of four phases:
• 1. Collection; which involves the evidence search, evidence recognition,
evidence collection and documentation.
• 2. Examination; this is designed to facilitate the visibility of evidence,
while explaining its origin and significance. It involves revealing hidden
and obscured information and the relevant documentation.
• 3. Analysis; this looks at the product of the examination for its significance
and probative value to the case.
• 4. Reporting; this entails writing a report outlining the examination
process and pertinent data recovered from the overall investigation.
18. Standards for Digital Evidence
• The Scientific Working Group on Digital Evidence (SWGDE) was established in
February 1998 through a collaborative effort of the Federal Crime Laboratory
Directors. SWGDE, as the U.S.-based component of standardization efforts
conducted by the International Organization on Computer Evidence (IOCE), was
charged with the development of cross-disciplinary guidelines and standards for
the recovery, preservation, and examination of digital evidence, including audio,
imaging, and electronic devices.
• The following document was drafted by SWGDE and presented at the
International Hi-Tech Crime and Forensics Conference (IHCFC) held in London,
United Kingdom, October 4-7, 1999. It proposes the establishment of standards
for the exchange of digital evidence between sovereign nations and is intended to
elicit constructive discussion regarding digital evidence. This document has been
adopted as the draft standard for U.S. law enforcement agencies.
• http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
19. Verifying Digital Evidence
• Encryption techniques
– Public/Private key encryption
– Certification Authorities
– Digital ID/Credentials
• Owner signs document with his private key, the Receiver
decrypts the document with the owner’s public key
• Owner signs document with the receiver’s public key,
Receiver decrypts the document with his private key
• Standards for Encryption
– Export/Import laws
20. Conclusion
• Data must be backed up using appropriate policies,
procedures and technologies
• Once a crime has occurred data has to be recovered from the
various disks and computers
• Data that is recovered has to be analyzed to extract evidence
• Evidence has to be analyzed to determine what happened
• Use log files and documentation to establish the timeline
• Reconstruct the attack
21. Conclusion
• Standards and processes have to be set in place for
representing, preserving, duplicating, verifying,
validating, certifying and accrediting digital evidence
• Numerous techniques are out there; need to
determine which ones are useful for the particular
evidence at hand
• Need to make it a scientific discipline