
Electronic Crime Scene Investigations; Evidence Collection. II/II

In Part I of our two-part Electronic Crime Scene Investigations series, we covered recognizing and securing an electronic crime scene.  In this post, we delve into the actual investigation itself.

First and foremost, now that you have isolated all persons with access from the crime scene, please ensure that they provide your investigator (whether it is an inside manager or a hired professional detective), with a release similar to the below.  (Please check with your local law enforcement on particular jurisdictional guidelines.)

CONSENT TO SEARCH ELECTRONIC MEDIA
I, __________________, hereby authorize __________________, who has identified himself / herself as a law enforcement officer, and any other person(s), including but not limited to a computer forensic examiner, he / she may designate to assist him / her, to remove, take possession of and / or conduct a complete search of the following: computer systems, electronic data storage devices, computer data storage diskettes, DVDs, or any other electronic equipment capable of storing, retrieving, processing and / or accessing data.
The aforementioned equipment will be subject to data duplication / imaging and a forensic analysis for any data pertinent to the incident / criminal investigation.
I give this consent to search freely and voluntarily without fear, threat, coercion or promises of any kind and with full knowledge of my constitutional right to refuse to give my consent for the removal and / or search of the aforementioned equipment /data, which I hereby waive. I am also aware that if I wish to exercise this right of refusal at any time during the seizure and or search of the equipment / data, it will be respected.

This consent to search is given by me this ________ day of, __________________
20__________, at ____________ am / pm.

Location items taken from: ____________________________________________
Consenter Signature: ________________________________________________
Witness Signature: _________________________________________________
Witness Signature: _________________________________________________

Evidence Collection
Handling digital evidence correctly is essential to preserving the integrity of the physical device as well as the information or data it contains. Turning off the power to a computer or other electronic device may cause the information or data stored on it to be damaged or lost.
If you are not trained in handling digital evidence —
• Do not attempt to explore the contents of a computer or other electronic device or to recover information from it.
• Do not alter the state of a computer or other electronic device.
• Do not press any keys or click the mouse.
• If the computer or device is off, leave it off.
• Do not move a computer or other electronic device that is powered on.
• Do not accept offers of help or technical assistance from unauthorized persons.
• DO request technical assistance from personnel with advanced equipment and training in digital evidence collection.  See http://www.ecpi-us.org/Technicalresources.html for a list of available resources.

Assess the Situation

Before seizing digital evidence, make sure you have the legal authority to do so. Improper access to information or data stored on electronic devices may violate provisions of federal laws.

After securing the scene and identifying the computer’s power status, follow the steps listed below for the situation most like your own. (Each situation ends with “Proceed to If the Computer Is ON” or “Proceed to If the Computer Is OFF”; those two sections appear at the bottom of this article.)

Situation 1: Monitor is on. Program, application, work product, picture, e-mail or Internet site is displayed.

1. Photograph screen and record information displayed.
2. Proceed to “If the Computer Is ON”

Situation 2: Monitor is on. Screen saver or picture is visible.
1. Move mouse slightly without depressing buttons or rotating wheel if present.
2. Note any onscreen activity that causes a change in the display.
3. Photograph screen and record information displayed.
4. Proceed to “If the Computer Is ON”

Situation 3: Monitor is on. Display is blank.
1. Move mouse slightly without depressing buttons or rotating wheel if present.
2. Display changes to login screen, work product, or other visible display.
3. Note change in display.
4. Photograph screen and record information displayed.
5. Proceed to “If the Computer Is ON”

Situation 4a: Monitor is off. Display is blank.
1. If monitor’s power switch is in off position, turn monitor on.
2. Display changes to a login screen, work product or other visible display.
3. Note change in the display.
4. Photograph screen and record information displayed.
5. Proceed to “If the Computer Is ON”

Situation 4b: Monitor is off. Display is blank.
1. If monitor’s power switch is in off position, turn monitor on.
2. Display does not change. Screen remains blank.
3. Note that the display does not change.
4. Photograph blank screen.
5. Proceed to “If the Computer Is OFF”.

Situation 5: Monitor is on. Display is blank.
1. Move mouse slightly without depressing any buttons or rotating the wheel if present.
2. If display does not change, confirm that power is supplied to the monitor.
3. If display remains blank, check computer case for active lights and listen for fans spinning or other indications computer is on.
4. If computer case gives no indication that it is powered on, proceed to “If the Computer Is OFF”.

================================

If the Computer Is OFF
For desktop, tower and minicomputers follow these steps:
1. Document, photograph, and sketch all wires, cables, and devices connected to the computer.
2. Uniquely label and photograph the power supply cord and all cables, wires or USB drives attached to the computer and the connection each of these occupies on the computer.
3. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip or battery backup device.
4. Disconnect and secure all cables, wires and USB drives from the computer and document the device or equipment connected at the opposite end.
5. Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
6. Place tape over the power switch.
7. Record the make, model, serial numbers and any user-applied markings or identifiers.
8. Record or log computer and all cords, cables, wires, devices and components according to agency procedures.
9. Carefully package all evidence collected to prevent damage or alteration during transportation and storage.

For laptop computers follow these steps:
1. Document, photograph and sketch all wires, cables and devices connected to the laptop.
2. Uniquely label and photograph all wires, cables and devices connected to the laptop and the connection each occupies.
3. Remove and secure the power supply and all batteries from the laptop computer.
4. Disconnect and secure all cables, wires, and USB drives from the laptop and document the equipment or device connected at the opposite end.
5. Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
6. Place tape over the power switch.
7. Record the make, model, serial numbers and any user-applied markings or identifiers.
8. Record or log the laptop computer and all cords, cables, wires, devices and components according to agency procedures.
9. Carefully package all evidence collected to prevent damage or alteration during transportation and storage.

If the Computer Is ON
Removing the power supply is generally the safest option. If evidence of a crime is visible on the computer display, however, request assistance from personnel with experience in volatile data capture and preservation (see http://www.ecpi-us.org/Technicalresources.html).

Immediate disconnection of power is recommended when —
• Information or activity on screen indicates that information or data is being deleted or overwritten.
• A destructive process appears to be in progress on the computer’s data storage device(s).
• The system is powered on in a typical Microsoft Windows® environment. Pulling the power supply cord from the back of the computer will preserve information about the last user account logged in, login time, most recently used documents, most recently used commands, and other valuable information.

Immediate disconnection of power is NOT recommended when —
• Information or data of apparent evidentiary value is in plain view onscreen. Seek assistance from personnel with advanced training in digital evidence collection.
• Indications exist that any of the following are active or in use: Chat room(s), text documents, remote data storage, Instant Messaging (IM), child pornography, contraband, financial documents, data encryption and obvious illegal activities.
• The device is a mobile or smart phone. Leave mobile and smart phones in the power state in which they were found.

Improper shutdown of mainframe computers, servers or a group of networked computers may result in the loss of data, loss of evidence and potential civil liability. Secure the scene and request assistance from personnel with advanced training in digital evidence collection of large or complex computer systems (see http://www.ecpi-us.org/Technicalresources.html).
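The decision table above (Situations 1 through 5, followed by the “immediate disconnection is / is NOT recommended” lists) can be turned into a checklist tool so that a first responder records what was observed and gets back the numbered steps and the branch to follow. The code below is an added example written for this post, not tooling from the original article or from any agency; the field names (monitor_switched_on, display, display_changes, case_indicates_power, and so on) are this example’s own assumptions. It also covers one case the table leaves open, a powered case with a display that stays blank, by falling back on the article’s general advice to request trained assistance.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SceneObservation:
    """What a first responder can record without touching the keyboard.
    Field names are this example's own, not terms from the article."""
    monitor_switched_on: bool                 # monitor power switch was already on when found
    display: str                              # "content", "login", "screensaver" or "blank"
    display_changes: Optional[bool] = None    # after the mouse wiggle, or after switching the monitor on
    case_indicates_power: bool = False        # lights on, fans or drives audible
    destructive_activity: bool = False        # delete/format/wipe activity visible on screen
    evidence_in_plain_view: bool = False      # apparent evidentiary data displayed
    sensitive_activity: bool = False          # chat/IM, remote storage, encryption, etc. active
    is_mobile_phone: bool = False


PHOTO = "Photograph screen and record information displayed."
WIGGLE = "Move mouse slightly without pressing buttons or rotating the wheel."


def assess_situation(obs: SceneObservation) -> Dict[str, object]:
    """Map the observation onto Situations 1-5; return the steps to take and
    the branch to proceed to: "ON", "OFF" or "ASSIST"."""
    if not obs.monitor_switched_on:                      # Situations 4a / 4b
        steps = ["Turn the monitor on (power switch was in the off position)."]
        if obs.display_changes:
            return {"situation": "4a", "branch": "ON",
                    "steps": steps + ["Note the change in display.", PHOTO]}
        return {"situation": "4b", "branch": "OFF",
                "steps": steps + ["Note that the display does not change.",
                                  "Photograph blank screen."]}
    if obs.display in ("content", "login"):              # Situation 1
        return {"situation": "1", "branch": "ON", "steps": [PHOTO]}
    if obs.display == "screensaver":                     # Situation 2
        return {"situation": "2", "branch": "ON",
                "steps": [WIGGLE, "Note any onscreen activity that changes the display.", PHOTO]}
    if obs.display_changes:                              # Situation 3: blank, wakes on wiggle
        return {"situation": "3", "branch": "ON",
                "steps": [WIGGLE, "Note change in display.", PHOTO]}
    steps = [WIGGLE, "Confirm power is supplied to the monitor.",   # Situation 5
             "Check case for active lights and listen for fans."]
    if obs.case_indicates_power:
        # The article's table stops at "no indication of power -> OFF". A powered
        # case with a dead display is outside it, so fall back on the article's
        # general rule: request help from trained personnel.
        return {"situation": "5", "branch": "ASSIST",
                "steps": steps + ["Request assistance from trained personnel."]}
    return {"situation": "5", "branch": "OFF", "steps": steps}


def power_decision(obs: SceneObservation) -> str:
    """Apply the 'immediate disconnection is / is NOT recommended' lists for a
    computer found ON. The ordering is this example's choice: a phone is left
    as found, active destruction is treated as most urgent, then any
    NOT-recommended condition wins, and pulling the plug is the default."""
    if obs.is_mobile_phone:
        return "LEAVE_IN_POWER_STATE_FOUND"
    if obs.destructive_activity:
        return "DISCONNECT_POWER_NOW"
    if obs.evidence_in_plain_view or obs.sensitive_activity:
        return "DO_NOT_DISCONNECT_REQUEST_ASSISTANCE"
    return "DISCONNECT_POWER"


def triage(obs: SceneObservation) -> Dict[str, object]:
    """Full triage: situation steps, branch, and (only when ON) the power decision."""
    result = assess_situation(obs)
    if result["branch"] == "ON":
        result["power"] = power_decision(obs)
    return result


if __name__ == "__main__":
    # Constructed scene: monitor on, a document visible, and "format" activity on screen.
    scene = SceneObservation(monitor_switched_on=True, display="content",
                             destructive_activity=True)
    for key, value in triage(scene).items():
        print(f"{key}: {value}")
```

The result dictionary is meant to be written straight into the scene notes alongside the photographs, so the reasoning behind “pulled the plug” or “called for assistance” is recorded at the time it was made rather than reconstructed later.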

(We suggest you print Parts I and II of this series into a manual format.)

Our Operatives: A step ahead.

As always, stay safe.

Electronic Crime Scene Investigations; Assessing & Documenting the Situation. I/II

When a computer crime is suspected in the workplace, action must be taken immediately. We’ll take you through a step-by-step computer crime scene investigation, the same protocol that we security and information specialists follow.

When securing and evaluating the scene:
• Do not alter the state of an electronic device. If a computer or an electronic device is off, leave it off.
• Remove all unauthorized persons from the area where evidence is to be collected.
• Identify, seize and secure all electronic devices, including personal (have the employee sign a release or note the type of device, if s/he refuses) or portable devices.
• Recognize potential digital evidence in telephones, digital video recorders, other office appliances and motor vehicles.

If the computer is on or the power state cannot be determined:
• Look and listen for indications that the computer is on — e.g., fans running, drives spinning and lit light-emitting diodes (LEDs).
• If you cannot determine the power state of the computer, observe the monitor to determine if it is on, off or in sleep mode.
• Check display screen for signs of data destruction.  Look out for words such as “delete,” “format,” “remove,” “copy,” “move,” “cut” or “wipe.”
• Look for indications that the computer is being accessed remotely and/or signs of ongoing communications with other computers or users — e.g., Instant Messaging (IM) windows or chat rooms.
• Take note of all cameras and determine whether they are active.

Preliminary Interviews
• Separate and identify all adults of interest and record the location they occupied when you entered the scene. Obtain the following information from interviewee(s):
• Purpose of computers and devices.
• All users of the computers and devices.
• Type of Internet access and Internet service provider.
• Computer and Internet user information — e.g., login names, user account names and passwords, and Instant Message screen names.
• E-mail and Web mail (Web-based e-mail) accounts and Web pages.
• Account information for online social networking Web sites — e.g., Facebook, LinkedIn.
• All security provisions, data access restrictions, destructive devices or software in use.
• Any automated applications in use.
• Any other relevant information.

Documenting the Scene
Your documentation should include:
• The type, location, position, condition and power status of the device.
• A record of all activity and processes visible on the display screen(s).
• A record of all physical connections to and from the computers and other devices.
• A record of any network and wireless components capable of linking devices to each other and the Internet.
• The type, condition and power status of the device’s Internet and network access.
• Video, photos, notes and sketches to assist in recreating/conveying the details of the scene.
(Some computer systems and electronic devices — and the information they contain — may be protected under applicable laws, agency policies or other factors that prohibit collection of these devices or components. That’s when you call in a pro. However, do include the location, condition and power state of these devices in your documentation.)

Movement of a running computer or electronic device may cause changes or damage to the computer or device or the digital evidence it contains. Computers and electronic devices should not be moved until it is determined that they are powered off.

In Part II/II we will get into the meat of Evidence Collection.  The instructions we will impart will not be generalizations but rather, actual, working directions.

Our Operatives: A step ahead.

As always, stay safe.

Top Ten Security/Investigation Predictions for 2012. Part I of II.

Hoping to give our readers an edge on awareness and combating security and investigation concerns in 2012, below are our top five predictions in the area of information and data security management. (Next week, in II of this two-part series, we will cover the remaining five predictions, focused on evolving investigation concepts.)

1. Social networking redefining “privacy”.

Confidential user information is ending up online, in large part by the users themselves.  We’ve grown into a society that maintains a different attitude toward protecting and sharing information. We are now more likely to reveal personal data and unlikely to take steps to keep information restricted.  Within several years, privacy-conscious individuals will be in the minority.

2. Hackers will attack nontraditional targets.

To date, hackers’ goals have been mainly to steal money, obtain valuable data for resale, disrupt services and intimidate targets ranging from individuals to large corporations and governmental agencies. Newer attacks will increasingly concentrate on network-connected systems such as medical equipment, with unauthorized users actively controlling devices from external locations. (This may explain the decision not to enable online election voting: within a networked system there is a 100% probability of vulnerability to outside hacking attacks, which may include data interruption or manipulation.)

3. Smartphone and tablet platforms, especially Android, will suffer greater cybercriminal attacks.

As smartphone usage continues to grow worldwide, so will attacks on mobile platforms. The Android platform in particular, due to its open app distribution model, is and will continue to be a favored target of cybercriminals.

4. Virtual and cloud-based computing systems will encounter the same cybercriminal vulnerabilities as do physical systems.

Inevitably, using and interacting with virtual and cloud-based computing systems leaves them just as vulnerable to the conventional attack methods that hackers have used in the past. Attackers see no need to change their criminal methodology, as virtual and cloud platforms are just as easy to attack as physical systems but more difficult to protect. The burden will thus fall on IT admins to secure their company’s critical data as they adopt these technologies.

5. Bring-Your-Own-Device (BYOD) data breaches will dramatically increase.

The BYOD era is here and, if anything, mobile device usage will only increase. As more and more corporate data is stored on or accessed from mobile devices that are not fully controlled by IT administrators, the likelihood of data loss incidents will rise. The massive uptick expected in this area is directly attributable to improperly secured personal devices.

Just my thoughts: In the past decade+, I’ve noticed the wide range of expertise among IT administrators. Operating an entity’s internal information engine is one thing; securing it is an entirely different matter. Given the cost that security breaches can cause and have caused, perhaps it is time to upgrade the post-certification requirements for IT admins. Continuing education classes and annual re-certification may be viable solutions to the rapidly rising level of cybercriminality.

Our Operatives: Street smart; Tech savvy.

As always, stay safe.

Top 10 Digital Security Threats for 2011

Top 10 Security Threats for 2011

1. Malware creation: In 2010, our industry witnessed significant growth in the amount of malware and discovered at least 20 million new strains, more than in 2009. At present, the IC3 database stores a total of more than 60 million classified threats. The actual rate of growth year-on-year, however, appears to have peaked. Several years ago it was over 100 percent and in 2010 it was 50 percent, so 2011 looks to be busy but not as busy as it could be if the older trend still held sway.

2. Cyber war: Stuxnet and the WikiLeaks cables suggesting the involvement of the Chinese government in the cyber-attacks on Google and other targets have marked a turning point in the history of these conflicts. Stuxnet was an attempt to interfere with processes in nuclear plants, specifically with uranium centrifuges. Attacks such as these, more or less sophisticated, are still ongoing and will undoubtedly increase in 2011, even though many of them will go unnoticed by the general public.

3. Hacktivism: Cyber-protests, or hacktivism, are all the rage and will continue to grow in frequency. This new movement was initiated by the Anonymous group and Operation Payback, targeting organizations trying to close the net on Internet piracy, and later in support of Julian Assange, editor-in-chief of WikiLeaks. Even users with limited technical know-how can join in the distributed denial of service attacks (DDoS) or spam campaigns.

Despite hasty attempts in many countries to pass legislation to counter this type of activity effectively by criminalizing it, we believe that in 2011 there will be more cyber-protests, organized by this group or others that will begin to emerge.

4. Social engineering: Cyber-criminals have found social media sites to be their perfect working environment, as users are even more trusting with these than with other types of tools, such as email. Throughout 2010, various attacks used the two most popular social networks — Facebook and Twitter — as launching pads. In 2011, not only will hackers continue to use these networks, but it is predicted that they will also be used more for distributed attacks.

5. Windows 7: It will take at least two years before there is a proliferation of threats designed specifically for Windows 7. In 2010, we began seeing a shift in this direction, and predict that in 2011, new cases of malware targeting users of this new operating system will continue to emerge.

6. Smartphones: In 2011 there will be new attacks on mobile phones, but it will not be on a massive scale. Most of the existing threats target devices with Symbian, an operating system which is now on the wane. Of the emerging systems, we predict that the threats for Android will increase considerably throughout the year, becoming the number one mobile target for cyber-crooks.

7. Tablets: The dominance of the iPad will only start to be challenged by new competitors entering the market. Therefore, we do not believe that tablet PCs will become a major consideration for the cyber-criminals in 2011.

8. Mac: Malware for Mac exists, and will continue to exist. As the market share of Mac users continues to grow, the number of threats will grow. The greatest concern is the number of security holes in the Apple operating system. Developers will need to patch these holes as soon as possible, as hackers are well aware of the possibilities that these vulnerabilities offer for propagating malware.

9. HTML5: HTML5 is the perfect target for many types of criminals and could eventually replace Flash. It can be run by browsers without any plug-ins, making it even more attractive to find a security hole that can be exploited to attack users regardless of which browser they use.

10. Highly dynamic and encrypted threats: Dynamic and encrypted threats are expected to increase in 2011. Monitoring services are receiving more and more encrypted, stealthy threats designed to connect to a server and update themselves before security companies can detect them.

There are also more threats that target specific users, particularly companies, as information stolen from businesses will fetch a higher price on the black market.

Pass this on to your IT people and perhaps we can begin to line up the sandbags to an effective level.

As always, be safe.

To all of our wonderful readers, we’d like to thank you for your loyalty, feedback and support, which makes us even more excited about the upgrades we have in store for you in 2011.

A happy, healthy and prosperous New Year to you and yours.
