/ FEATURE
• Start recording the chain of custody for each and every item of evidence.
• It is vital that everyone who handles or examines the evidence from this point forward is noted on the relevant chain of custody form, so that the chain remains unbroken, and it is also vital that everyone understands their personal obligations to handle, examine and protect the evidence properly.
• Complete all applicable fields on the forms, carefully and legibly.
• Keep the forms themselves as safe and secure as the evidence. The chain-of-custody forms may travel with the associated items of evidence, but the evidence record forms will normally be kept locked in the safe.

“Record relevant details about the system and its data storage devices on evidence record forms, one sheet per evidence item.”

/ Try to obtain passwords, encryption keys etc.
• User passwords, encryption keys, and devices such as smart cards or tokens may be necessary to investigate a system. Ideally ask the users and system administrators to write down any passwords or keys (perhaps retrieved from key escrow) and to sign the piece of paper, noting the date and time. Secure this piece of paper as evidence in an evidence bag or sealed envelope, ideally sealed with tamper-evident evidence tape to indicate that it has not been examined by anyone not listed on the chain-of-custody form (this is the same basic process that will be followed for all other items of evidence). [Note: advise the user to change their passwords on any other systems where the same password was used, since it has now been disclosed.]
• Be aware that programs such as TrueCrypt allow the user to configure a ‘duress password’, which gives access to benign data, while the primary data remain securely stored and, being strongly encrypted, simply appear to be random bytes on the disk.
• Seize smart cards, tokens, SIM cards etc. as part of the evidence.
• If the user refuses to cooperate or cannot remember passwords, this may make it difficult or impossible to access and examine strongly-encrypted data, although lower grade encryption may be broken by cryptanalysis or brute force forensic tools if the analysts have the requisite skills, tools, and time.

/ Remove the hard drives and any other non-volatile storage media from the machine
• Catalogue storage media on the evidence record forms (one per drive, CD, USB memory stick or whatever), recording identifying details such as model and serial number in each case.
• Keep the media safe. Ideally they should be locked in a suitably certified fireproof safe with dual access controls, except when they are copied for analysis or taken to court. The original evidence is the most valuable evidence (“best evidence”), so look after it especially well. It is vital to ensure that there is absolutely no question of the evidence having been tampered with or compromised, hence the need to maintain the chain-of-evidence records meticulously.

/ Check the system’s real-time clock
• Power-up the machine without any hard drives installed, checking the BIOS real-time clock and recording the current date and time, along with the true clock time at that same moment (ideally down to the nearest second). Then power off the
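The record-keeping steps above (one evidence record per item, an unbroken chain of custody, verified copies of the original, and a recorded clock offset) are usually backed by a small script as well as the paper forms. The following Python is an added example, not code from the article or from Digital Forensics magazine: it builds an evidence record with a SHA-256 of the original image, verifies that an evidential or working copy hashes identically, keeps a custody log in which every entry is linked to the previous one by hash so that any later alteration is detectable, and converts a timestamp read from the seized machine to true time using the BIOS-versus-true-clock offset recorded at seizure. All item identifiers, names, times and the byte string standing in for a disk image are constructed for the example.

```python
"""Evidence record, copy verification, hash-chained custody log and clock offset.

Added example; not the article's own tooling. Every value below is constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a drive image; a real image would be hashed from disk in chunks.
ORIGINAL_IMAGE = b"constructed sample disk image - not real evidence " * 64
EVIDENTIAL_COPY = bytes(ORIGINAL_IMAGE)            # bit-for-bit copy
TAMPERED_COPY = ORIGINAL_IMAGE[:-1] + b"!"        # one byte changed

# Constructed clock check: BIOS reading taken at the same moment as a trusted clock.
BIOS_READING = datetime(2009, 10, 30, 16, 26, 12, tzinfo=timezone.utc)
TRUE_TIME_AT_READING = datetime(2009, 10, 30, 16, 21, 0, tzinfo=timezone.utc)
SEIZURE_TIME = datetime(2009, 10, 30, 15, 0, 0, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image held in memory."""
    return hashlib.sha256(data).hexdigest()


def make_evidence_record(item_id, description, model, serial, image):
    """One evidence record sheet per item: identifying details plus the original's hash."""
    return {"item_id": item_id, "description": description, "model": model,
            "serial": serial, "sha256": sha256_hex(image)}


def verify_copy(record, copy_image):
    """A copy may only stand in for the original if it hashes identically."""
    return sha256_hex(copy_image) == record["sha256"]


def _entry_digest(fields):
    """Digest of an entry's fields in canonical JSON form (keys sorted, no whitespace)."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_custody_entry(log, item_id, handler, action, when):
    """Append a handler/action entry whose hash covers the previous entry's hash."""
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    fields = {"seq": len(log) + 1, "item_id": item_id, "handler": handler,
              "action": action, "timestamp": when.isoformat(), "prev_hash": prev_hash}
    entry = dict(fields, entry_hash=_entry_digest(fields))
    log.append(entry)
    return entry


def verify_custody_log(log):
    """Recompute every link; False if any entry was altered, removed or reordered."""
    expected_prev = "0" * 64
    for i, entry in enumerate(log, start=1):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False
        if _entry_digest(fields) != entry["entry_hash"]:
            return False
        expected_prev = entry["entry_hash"]
    return True


def build_demo_log():
    """Two constructed custody entries for evidence item E001."""
    log = []
    append_custody_entry(log, "E001", "Investigator A (constructed)", "seized", SEIZURE_TIME)
    append_custody_entry(log, "E001", "Analyst B (constructed)", "imaged",
                         SEIZURE_TIME + timedelta(hours=1))
    return log


def clock_offset_seconds(bios_time, true_time):
    """Positive result means the machine's clock ran ahead of true time."""
    return (bios_time - true_time).total_seconds()


def to_true_time(machine_timestamp, offset_seconds):
    """Convert a timestamp read from the seized system to true time."""
    return machine_timestamp - timedelta(seconds=offset_seconds)


if __name__ == "__main__":
    record = make_evidence_record("E001", "2.5in HDD", "Model-X (constructed)",
                                  "SN-0001 (constructed)", ORIGINAL_IMAGE)
    print("evidential copy matches:", verify_copy(record, EVIDENTIAL_COPY))
    print("tampered copy matches:", verify_copy(record, TAMPERED_COPY))
    log = build_demo_log()
    print("custody log intact:", verify_custody_log(log))
    log[0]["action"] = "returned"                     # simulate a later alteration
    print("custody log intact after edit:", verify_custody_log(log))
    offset = clock_offset_seconds(BIOS_READING, TRUE_TIME_AT_READING)
    print("clock offset (s):", offset, "->", to_true_time(BIOS_READING, offset))
```

The hash chain does not replace the signed paper form; it gives the analyst a quick check that the electronic log has not been edited since it was last verified, and the recorded offset lets every file timestamp recovered from the machine be restated in true time with the same correction.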
Figure 2: Be prepared to create multiple copies of the original evidence. [Figure: original evidence, evidential copies, working copies.]
Digital Forensics magazine, page 24 (DF1_21-26_3rd Feature.indd, 30/10/09 4:26:12 pm)