the crime is left intact so as not to preclude any future investigative or analytical measures. The "digital crime scene" is usually duplicated, i.e., an image disk is created, so that detailed analyses may be performed in a properly equipped laboratory.
Survey. This is the first evidence collection step. The objective here is to examine the scene of the crime for any obvious digital evidence and to develop hypotheses that will orient the further investigation.
Search. The hypotheses developed in the Survey stage are investigated with the help of analysis tools as needed. In this more detailed evidence collection phase, the "cold" trails are abandoned and the "hot" ones followed.
Reconstruction. This phase comprises detailed testing to connect the pieces of evidence and reconstruct the event. In many cases this activity reveals further evidence, or shows that more must be collected.
Presentation. The final act in the process is to collect all the findings and present them to those who requested the investigation.
A forensic analysis is indicated in two fundamental cases: (1) reconstruction of
an attack (Post Mortem Analysis); (2) examination of a computer that may have
been used to carry out some sort of criminal violation. In the first case, the examined
computer is the target of a violation, in the second it is a tool used to commit a crime.
The job of the Forensic Examiner is to carry out the investigative process.
2. Tools and Techniques for Forensic Investigations
This section addresses investigation methodologies as they apply to the various
investigation phases described above. The objective here is to provide the reader
with the initial guidelines needed to approach the problem.
2.1 The Preservation Phase: Imaging Disks
For the purpose of this chapter, we will talk about UNIX. The generation of an image disk under UNIX is an essential part of the Preservation phase. We have chosen to work with UNIX because, as we will see later, it is one of the few platforms that allow user interaction with hidden areas of the disk, especially on latest-generation disks. One of the most common errors is making a "non-forensically reliable" copy of the disks. This would still be the lesser of two evils, considering that there are still quite a few operators who work (and often even write) on the original disks. While it may be admissible to work directly on non-rewritable CD-ROMs, the same certainly cannot be said for hard drives. For this reason, the first necessary step is to make a copy, or "image disk," of the original disk, which thereafter is referred
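The acquisition step this section describes, as an added example that is not part of the chapter: a dd-based imaging script for a UNIX shell that copies the source bit for bit and then hashes both source and image so the copy can be shown to be identical. So that it runs offline, the "disk" is a constructed 1 MiB file rather than a real device; the paths, the BS variable and the function names (make_source, hash_of, acquire, verify) are this example's own.

```sh
#!/bin/sh
# Added example, not the chapter's own code: a minimal forensically sound
# acquisition with dd, hashing source and image so the copy can be shown to
# be bit-for-bit identical. To run offline, the "disk" is a constructed file
# ($SRC); on a real case point SRC at the block device node (e.g. /dev/sdb,
# attached behind a write blocker) and never at a mounted filesystem.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.dev"      # stand-in for the original disk (constructed)
IMG="$WORK/evidence.dd"       # the image that will be analysed in the lab
BS=512                        # copy/pad granularity: one sector

# Construct a 1 MiB fake disk of 32-byte "sector" lines (32768 x 32 bytes),
# so its size is a whole number of 512-byte sectors like a real device.
make_source() {
    awk 'BEGIN { for (i = 0; i < 32768; i++) printf "sector %08d, no bad blocks.\n", i }' > "$1"
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# acquire SRC IMG: raw copy with the classic forensic dd flags.
#   conv=noerror  keep reading after an unreadable sector instead of aborting
#   conv=sync     pad that sector with zeros so every later byte keeps its
#                 original offset in the image
# The padding granularity is bs, which is why BS is one sector and not a
# large value that would be faster but would zero 4 KiB or more per bad read.
acquire() {
    dd if="$1" of="$2" bs="$BS" conv=noerror,sync 2>/dev/null
}

# verify SRC IMG: hash both, record both hashes next to the image for the
# chain-of-custody log, and return 0 only if they match.
verify() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf 'source  %s\nimage   %s\n' "$src_hash" "$img_hash" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

make_source "$SRC"
acquire "$SRC" "$IMG"
if verify "$SRC" "$IMG"; then
    echo "image verified: $(head -n 1 "$IMG.sha256")"
else
    echo "HASH MISMATCH: image is not a faithful copy" >&2
fi
```

Two caveats a practitioner should keep in mind. First, dd copies only the sectors the kernel exposes through the device node; the hidden areas the text alludes to are a separate matter, taken up later in the chapter. Second, on a disk with genuinely unreadable sectors the source cannot be re-read identically, so the hashes will not match; in that case the image's own hash is what gets recorded, together with dd's report of the read errors, and the image is thereafter treated as the reference object.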