The first course of action is making a forensic image of the evidence involved in the case. This image is a perfect bit-for-bit copy of the source. The process is also referred to as bit stream imaging or just hard drive imaging. It differs from a traditional backup or copy of a drive in that it contains everything on the drive: not just the active files but all areas of the drive, including unallocated space and deleted files. For further clarification, when an information technology professional (shortened to I.T.) makes a copy of a computer, it’s typically just the active files on the computer. Active files can include operating system files and data files (Word, Excel, PDF, pictures and email), NOT files that have been deleted or operating system files that are not essential but may still yield valuable data in the course of working an investigation. Another point of distinction when creating a forensic image is the use of a write block device. Such a device is connected to the source media or drive and prevents any data from being written to the original evidence, which would obviously change a number of data points that are critical in an investigation.
Having said that, and keeping in mind that a backup is NOT a proper forensic image (for another reason I’ll go into in a second), there are occasions when we start a case out with a backup. Wait, what? Why, you might be wondering? Sometimes it’s readily available, as in there’s a nightly backup that takes place, so the client can easily provide a copy. Or maybe a copy was made during some recent computer work. Getting started with what’s available allows us to get a peek at what may be on the computer without having to pull a “black bag” job and image the machine after hours, take the machine out of service (thus alerting the employee that something is amiss) or, in some cases, make excuses as to why the employee needs to visit the home office for an “upgrade”. It’s a low-key way to see if there might be smoke before the fire, without alerting the subject of the investigation. If the cursory analysis of the backup turns up indications of wrongdoing, then there may be reason to go ahead with a proper forensic image to work up the case and move forward with the matter.
Now, back to the other reason a backup is not a proper image to take to court. One of the important parts of making a forensic image is the creation of a fingerprint that identifies the evidence. This fingerprint takes the form of a hash value. A hash value is an alphanumeric value that is arrived at by running an algorithm (such as MD5 or SHA1) over the completed image. Or, put another way (as previously mentioned), a fingerprint. This fingerprint allows us to verify that the image we created, and are working from, is indeed an identical copy of the original evidence. It provides a means of authentication and of verifying data integrity. There are times when there is a legitimate hash mismatch between the evidence drive and the forensic image, but we’ll go into those in another post at another time. The creation of such a hash value (which should now accompany the forensic image) also allows digital forensic experts to agree that they are all working on identical evidence. Oftentimes in litigation the images created are transferred to an opposing expert to refute, or verify, the findings, which hopefully leads to a quicker conclusion and agreement by the attorneys involved. We’ve discussed the creation of a hash value in the context of an entire evidence drive, but a hash value can be generated for a specific file as well. Again, the purpose here is to verify and authenticate that the file is identical to the original at the time the forensic image of the computer was made. And I’d point out that what’s been outlined here deals with a specific computer (like a standard desktop or laptop), because when imaging some other type of device or data (a server, smartphone, tablet or cloud storage, for instance), the process will be slightly different depending on some variables, but more on that later.
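As an added example (not code from the original post), here is a small Python sketch of the hash workflow just described: the image is hashed with MD5 and SHA1 at acquisition, a single extracted file can be hashed the same way, and re-hashing later shows whether the copy still matches what was recorded. The file names and the contents of the fake image are constructed for the demonstration only.

```python
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1")   # the two algorithms named in the post
CHUNK = 1024 * 1024            # read a megabyte at a time; a large image never sits in memory

def hash_stream(fh, algorithms=ALGORITHMS):
    """Feed one pass over a file object through every algorithm; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path, algorithms=ALGORITHMS):
    """Hash a whole image file, or a single file extracted from it, on disk."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)

def hash_bytes(data, algorithms=ALGORITHMS):
    """The same computation over an in-memory byte string (used for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)

def verify_image(image_path, recorded):
    """Re-hash the image and compare with the acquisition hashes; returns (ok, mismatching algorithms)."""
    current = hash_file(image_path, tuple(recorded))
    mismatches = sorted(n for n in recorded if recorded[n] != current[n])
    return (not mismatches, mismatches)

def demo():
    """Constructed scenario: hash a small fake image, flip one byte, then verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")          # constructed file name
        with open(image, "wb") as fh:                     # constructed, not a real image
            fh.write(b"\x00" * 4096 + b"NTFS    " + b"\xff" * 4096)
        acquired = hash_file(image)        # the values that would accompany the image
        before = verify_image(image, acquired)
        with open(image, "r+b") as fh:     # an unprotected write, as can happen without a write blocker
            fh.seek(10)
            fh.write(b"\x01")
        after = verify_image(image, acquired)
        return before, after
```

A single changed byte is enough to change every recorded digest, which is exactly why the hash record lets two experts confirm they hold identical evidence.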
The next post will continue with the process of handling digital evidence in a computer forensic investigation. #ComputerInvestigation