methodology for evidence gathering.
Impartiality of an investigation is becoming a new standard in digital forensics, one that service providers are well-suited to deliver. Outsourcing almost guarantees that any investigation is impartial. It also saves organizations money since they don't have to keep a digital forensic investigator on the payroll. Service providers who offer digital forensic services can ease customer's minds by remaining impartial and taking the necessary steps to ensure that collected evidence is not tampered with and can be relied upon when called upon.
One element often overlooked in the rush to obtain evidence during a forensic investigation is control. To prove impartiality you must be able to answer the five W's and H questions: who, what, why, when, where and how. Who controlled the evidence? What was used to collect it? Why was it done in that manner? When was each piece of evidence found? Where was the evidence found? How was it documented? Ultimately, if the chain of custody (also referred to as the chain of evidence) is not maintained, all evidence can be challenged and thrown out of court. This can be particularly devastating when valuable time and resources have been used to collect the evidence in the first place, not to mention the fact that a failed investigation erodes customer confidence. How then should you ensure that forensic evidence is properly controlled to maintain the chain of custody? There are forms and software programs to assist in documenting the chain of custody, but here are my top tips that you won't find in reference guides.
Cables, plugs, peripherals, computers, monitors, disks, wireless access points -- anything and everything that is found at the site should be labeled. It's easy to forget what goes where when you get into a tangle of cables and equipment, especially in a server room. If you have to tear down the site and reassemble it in a lab, the labels make sure you get everything right.
I've found it invaluable, particularly when an examination is facing tough scrutiny, to have a witness for everything. If your labels, printed photos and recovered data are all physically signed by another person (another professional examiner preferred but not critical), it gives an additional level of credibility to the examination. And, heaven forbid, if you are incapacitated and not able to provide testimony when needed, the witness may be used to back up your investigation.
A unique ID for everything
Last but not least in the investigation is controlling the evidence by maintaining an indisputable chain of custody. The best method is to give everything a unique ID (bar codes work well) with accurate and complete descriptions. Include in your descriptions any unremoveable marks on equipment such as deep scratches and dents. Address the five W's and an H for all evidence, seal it with tamper-proof seals, sign and witness the seals. Then, lock it up in an indisputably secure location and log every time the evidence is accessed. If you have to turn evidence over to legal authorities, they are not above these rules, so have them sign for everything they take.
Digital forensics is an exciting new industry that is bound to see new methods and challenges as techniques and technology continue to change. To maintain a solid reputation in the field, build solid skills with existing software tools and ensure your methodology is beyond reproach.
About the author
Chey Cobb has 20 years of experience in the security industry and is the former senior technical security advisor for one of the top intelligence agencies in the country. Cobb was also in charge of security for the largest computing facility in the Southern Hemisphere. Additionally, she is a professor in the master of science program in information assurance at Norwich University.
This was first published in December 2007