Security+ TechNotes - Forensics



Computers and networks have become popular targets for both old-fashioned and modern criminals. Although it may be too late to stop a criminal from stealing or damaging information systems or other assets, an attacker usually leaves traces. A trained computer forensics professional may be able to use these traces to identify the attacker and to collect them as evidence that can be submitted in a court of law. Organizations need to be prepared to collect and preserve evidence carefully before an incident actually occurs: that means setting up a proper incident response policy and following legal procedures for handling evidence. The main concern throughout is to maintain the integrity of the evidence during the entire process, so that it remains admissible in a court of law.

Computer forensics is still a relatively new and evolving area of security. As attacks become more complex, so do the methods, procedures, and technologies developed to aid computer crime investigators. In general, evidence goes through the following lifecycle.

After an incident has occurred, the incident response team arrives at the scene, identifies the evidence and collects it. The gathered evidence is then preserved and stored until it is ready to be analyzed by specialists. After analysis, the evidence is stored again to await presentation in a court of law. The final phase of the evidence lifecycle is returning the evidence to its owner. For the Security+ exam, the first two phases are the most important. An additional, recurring process in this lifecycle, depicted by the black arrows in the image above, is transportation: evidence changes hands every time it moves between phases, and each hand-over must be recorded.

Collection of evidence

How exactly an organization wants to respond to an incident should be detailed in an incident response policy, but at some point, if the organization suspects a crime, evidence will need to be identified and collected. An organization naturally wants its systems up and running again as soon as possible after an intruder has damaged them. However, restoring a system without thoroughly investigating the incident destroys the evidence on it and makes it difficult to prevent the incident from recurring. Identification and collection of evidence includes the following tasks:

  • Photograph and/or document screen output – If any activity of an attacker is shown on a monitor, the screen output should be photographed or documented before anything else is touched.
  • Collect audit and monitoring logs – Collect audit trails and monitoring logs from the compromised system, other systems that may have been involved in the incident, and central
  • Create a memory dump – Even if audit logs show little, the memory of a running system can contain traces of recent activity (running processes, open network connections, data that is only decrypted in memory). This volatile information is lost as soon as the system loses power, so it should be dumped to an external storage device before the system is turned off or its disks are imaged.
  • Create a duplicate of the storage devices – Analysis is performed on a bit-for-bit copy of the original disk, never on the original itself. To ensure the integrity of the copied data, and to prove the data has not changed during the forensic investigation, a cryptographic hash (digest) of the original is computed before imaging and compared with the digest of the copy afterwards; the same digest is recomputed whenever the evidence changes hands. The copy should be written to read-only media such as CD-ROM or otherwise write-protected, and the original should be connected through a write blocker so the imaging process itself cannot alter it.
  • Seal and label evidence containers – Anything that is collected should be bagged, sealed, and labeled with what it is, where and when it was collected, and by whom.

It is important to realize that the first two tasks in the list above are usually the only ones you, as an IT professional, should do yourself. Additionally, you could unplug the system from the network to stop an attack in progress, but you should not turn it off unless it is to be analyzed offsite. If you do turn it off, do so by pulling the power cable rather than shutting down the operating system: an orderly shutdown changes data on the disk (it flushes caches, writes log entries and removes temporary files) and so alters the evidence. Be aware that either way of removing power discards everything in memory, which is why the memory dump, if one is to be taken, must come first. The remaining tasks of collecting evidence should be left to a trained and skilled computer forensics specialist. Who that is should be determined and documented in an incident response plan before an incident occurs. Depending on the severity of the incident or crime, it is usually a third party specialized in computer forensics or law enforcement. The latter is typically not a company's first choice because it may lead to negative publicity in the media. Larger companies may have trained and skilled professionals in-house.

Preservation of evidence

The collected evidence usually needs to be preserved and stored before it is analyzed. Evidence should be stored securely; access to it should require authentication and must be logged. In addition to having the proper policies and procedures in place, logging everything that happens to the evidence is essential to ensure it will be admissible in a court of law. This is known as maintaining a chain of custody. Successfully maintaining a chain of custody means you record the following information:

- Who collected and secured the evidence
- When the evidence was collected
- Where the evidence was collected, stored, and transported to
- Who accessed the evidence, when, and for what purpose

This information is usually logged and recorded on the evidence bag/container. It is generally hard to build a legal case on digital evidence, so it is important to make sure all related policies and procedures are in place before a crime is committed. A chain of custody should be maintained during the entire lifecycle of the evidence. If it breaks, that is, if there is any period for which it cannot be shown who held the evidence and that it was not altered, the evidence is likely to be deemed inadmissible by the judge.
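The two mechanical parts of the procedure described above, proving that a duplicate of a storage device is identical to the original (the hash digest from the collection step) and recording every hand-over so that later tampering with the record is detectable (the chain of custody), can be scripted. The following Python script is an added example and not code from the original TechNotes: the "device" it images is a small constructed sample file, a plain file copy stands in for an imaging tool such as dd, and the evidence identifier, analyst names and locations in the custody entries are made up.

```python
# Added example (not from the original TechNotes): hash-verified imaging plus a tamper-evident chain-of-custody log.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source_path, image_path):
    """Copy the 'device' (a file standing in for a block device), hash source and
    copy, and return (source_hash, image_hash, match) to prove the copy is identical."""
    source_hash = sha256_file(source_path)
    shutil.copyfile(source_path, image_path)   # stand-in for dd or an imaging tool
    image_hash = sha256_file(image_path)
    os.chmod(image_path, 0o444)                # analogue of writing to read-only media
    return source_hash, image_hash, source_hash == image_hash

def _entry_hash(entry):
    """Hash every field of a custody entry except its own hash, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Who, when, where, why, plus the evidence digest. Every entry carries the hash
    of the previous one, so editing, removing or reordering an earlier entry breaks
    the chain and is reported by verify()."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action, who, where, purpose, evidence_path, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,   # collected / stored / transported / accessed / returned
            "who": who,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "where": where,
            "purpose": purpose,
            "evidence_hash": sha256_file(evidence_path),  # re-hashed at every hand-over
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence_path):
        """(ok, reason); ok is False if the log or the evidence has been tampered with."""
        if not self.entries:
            return False, "no custody record"
        first_hash, prev = self.entries[0]["evidence_hash"], "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev_entry_hash"] != prev:
                return False, f"chain broken at entry {i}"
            if e["entry_hash"] != _entry_hash(e):
                return False, f"entry {i} was modified after it was written"
            if e["evidence_hash"] != first_hash:
                return False, f"evidence digest changed before entry {i}"
            prev = e["entry_hash"]
        if sha256_file(evidence_path) != first_hash:
            return False, "evidence no longer matches the digest taken at collection"
        return True, "chain of custody intact"

def run_demo(workdir=None):
    """Constructed walk-through: a small sample file plays the seized disk."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensics-")
    device = os.path.join(workdir, "suspect-disk.bin")
    image = os.path.join(workdir, "suspect-disk.dd")
    with open(device, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 16 + b"EOF")   # constructed sample data
    _, _, match = acquire_image(device, image)
    log = CustodyLog("CASE-0001/HDD-1")                    # hypothetical identifier
    log.record("collected", "Analyst A", "server room", "acquisition", image)
    log.record("stored", "Analyst A", "evidence safe", "awaiting analysis", image)
    log.record("accessed", "Analyst B", "forensics lab", "malware analysis", image)
    results = {"image_matches_source": match, "intact": log.verify(image)[0]}
    # Tampering attempt 1: a custody entry is edited after the fact, then restored.
    original, log.entries[1]["who"] = log.entries[1]["who"], "unknown"
    results["edited_entry_detected"] = not log.verify(image)[0]
    log.entries[1]["who"] = original
    results["restored"] = log.verify(image)[0]
    # Tampering attempt 2: the image itself is altered (write protection removed).
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:
        f.write(b"XXX")
    results["altered_image_detected"] = not log.verify(image)[0]
    return results

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints a result dictionary in which every value is true: the duplicate matches the original, the untouched log verifies, and both tampering attempts are caught. Two limits the code makes visible are worth keeping in mind. Chaining entry hashes does not protect the most recent entry (whoever controls the log file can simply drop it), which is why the latest digest, or the whole record, is also written on the sealed evidence container and countersigned at each hand-over, as the text above describes. And a file copy is only a stand-in for acquisition: a real duplicate is taken through a write blocker with an imaging tool that copies every sector, including unallocated space, before any digest is compared.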


Current related exam topics for the Security+ exam:

DOMAIN 5.0: Operational / Organizational Security

5.6 Understand the concepts of the following topics of forensics

- Chain of Custody
- Preservation of Evidence
- Collection of Evidence

Date: Wednesday, November 30, 2005
Author: Johan Hiemstra
MCSA 2000/2003 Security+ CWNA