Cyber Forensics: Pre-Investigation

Collin Charyszyn
9 min read · Feb 21, 2021

This blog is part of an ongoing piece to learn about and explain the cyber forensics process. This “series” is geared towards beginners who have an interest in cyber forensics and want to learn about the process. This is meant to start with the basics and get more in-depth with each post. Step 1 is pre-investigation…

There are a number of key elements to a successful forensic investigation. First and foremost is preparation: you and your team need to be ready when you are called to a crime scene or asked to do any sort of forensic investigation. There are multiple pieces of equipment that forensic teams need, but first your team should establish a budget. Keep in mind that some budget items will be a one-time cost, such as your forensic workstation, while other items will be a continuous cost, such as training. Next, you should prepare a “go-bag” that contains all the equipment you may need if the team has to go on-site. Additionally, you need to choose the forensic software that will be used to analyze the data. Lastly, team members should train with the tools and software beforehand. It is essential that investigators know how to process and analyze the data in the most effective and efficient way. In some investigations every second counts, so proper training with the software and tools is crucial.

Certifications

When it comes to establishing a budget, you need to realize that some items are a one-time upfront cost and others are continuous. For example, forensic analysts should obtain the necessary certifications. Certifications help to establish credibility and can be useful if a case needs to go to court. There are a number of certifications related to Digital Forensics and Incident Response (DFIR) that are recommended by DFIR field experts. One such certification is the SANS GIAC Forensic Examiner Certification (GCFE). The exam details are listed below; additional information can be found at https://digital-forensics.sans.org/certification/gcfe

  • 115 Questions
  • 3-hour time limit
  • Minimum passing score of 71%

There are also tool-based certifications such as the EnCase Certified Examiner (EnCE); however, these are geared towards a specific product, in this case the EnCase forensic software. If your team uses this software on a regular basis, this certification may be beneficial. To repeat, there are a number of DFIR certifications, so each analyst should try to find one that matches their needs and experience level.

Certifications need to be maintained through continuing education units (CEUs). Each certification has guidelines for renewal that the analyst must be aware of and be prepared to pay for. Additionally, in a field like Information Technology (IT), the technology changes so rapidly that a certification earned today may become outdated within a few years. Staying current with CEUs will help keep you up to date in your field, making you an asset for your employer.

Forensic Software

An additional continuous cost will be the forensic software fee, since most licenses need to be renewed annually. Your team should only use fully licensed software, since nothing will jeopardize your team’s reputation and integrity more than using pirated software. With that being said, there is also open source forensic software that you can utilize. A couple of examples of open source tools are Autopsy, SIFT, and CAINE. You can choose to use open source software; however, commercial tools typically have greater support and more capabilities than open source tools. Because there are many different types of forensic software, the open source/free versions are useful as a starting point: the investigative team can explore them to understand what capabilities it needs before purchasing a license. Your team should research the forensic software that fits your company’s needs to ensure its capabilities correlate with its intended use.

Forensic Workstation

Some items are a one-time cost, such as a forensic workstation. Forensic workstations can be quite expensive and should be considered when establishing a budget. The price can range from $5,000 to over $16,000. Depending on your company’s needs, you may want to customize your forensic workstation’s RAM, SSD drives, processors, etc. More RAM and a quicker CPU will maximize productivity when conducting forensic investigations. There is no right answer when it comes to how much RAM and how many SSD drives will be needed; it will depend on the budget and on the amount and types of cases being investigated. Investigators can achieve the same results without high-end equipment; it may just take a little longer.

FRED Forensic Workstation with 2 RAIDs, www.digitalintelligence.com/store/products/fred-forensic-workstation-with-2-raids.

“Go-Bag”

WiebeTech Forensic Field Kit K, www.insectraforensics.com/WiebeTech-Forensic-Field-Kit-K/en.

Sometimes investigators will need to go to a location to acquire evidence; this may be a crime scene or a different third-party location. Investigators need to be prepared with any tools they may need in order to collect digital evidence. Paperwork, including a chain-of-custody form and pens, is essential in a go-bag. Chain-of-custody forms are crucial because they document who has possession of the evidence, starting from the initial acquisition all the way to the courtroom, should a trial be necessary. Chain-of-custody documents are also crucial because any inconsistencies can cause the case to be thrown out in court. Therefore, it is imperative to maintain an accurate chain-of-custody document throughout the entire investigation. Additional tools that should be included in a go-bag are:

  • Latex Gloves: Gloves are used to preserve evidence such as fingerprints, but also to protect the investigator from any hazards that may be present on the evidence or at the scene.
  • Digital Camera: It is important to document everything at the scene the way that it was found and digital cameras help achieve this goal. Cameras can show the state in which the machine was found, for example, whether it was on or off. Additionally, if the machine needs to be taken apart a camera can help put the machine back together exactly how it was found.
  • Label Maker: Similar to the above point, if the machine needs to be taken apart a label maker can help label cords with their respective ports and ensure that the machine can be reassembled.
  • Faraday Bags: Investigators want to leave devices in the state that they find them, meaning that if they are on they should leave them on. However, step one should be to cut off connection to the device by putting it in airplane mode, if applicable. There have been instances where a law enforcement agency has retrieved a device from a scene and the suspect remotely sends a command to the device wiping it clean of all the data. Faraday bags are made of a material that ensures that a device cannot send or receive a connection. In the above example, the device would not be able to receive the command sent by the suspect, thus preserving the evidence.
Disklabs Faraday Bags, www.teeltech.com/mobile-device-forensics-equipment/disklabs-faraday-bags/.
  • Antistatic Bags: Evidence is extremely fragile and static electricity has the ability to wipe drives clean of any evidence. Antistatic bags protect evidence media from the risk of being damaged.
Supershield Antistatic Shielding ESD Bag, https://www.amazon.com/Supershield-IC3700-628-ZB-3X3IN-Thickness-Surface-Resistance/Dp/B013G49XSG.
  • Notepads: There is always the possibility of needing to take notes or write reminders related to the case so it is better to have a notepad to be able to collect your thoughts and ensure you do not forget important action items.
  • Write Blockers: One of the most important pieces of equipment is a write blocker. Write blockers sit between the investigator’s machine and the hard drive and allow investigators to access the contents of the drive without running the risk of accidentally writing to the drive and altering its contents. As with the chain-of-custody forms, altering the contents of the drive can have severe consequences, especially if the case ever makes it to a courtroom. The best way to prove that the contents of the drive were not altered is to hash the drive when investigators first take possession of it and then rehash the drive at various points in the investigation process to prove that the data still maintains its integrity.
  • Hand Tools: When investigators are on scene there is a high chance that they may need to take apart a machine in order to get to the hard drive or other points-of-interest. It is necessary to have hand tools such as screwdrivers, SIM card ejection tools (in case the team needs to acquire mobile media), pliers, extra screws, etc. These are all tools that could come in handy during an investigation.
  • Cables: When going to a scene you never know what kind of devices you will come in contact with so it is best to have a wide range of cables so that you will be prepared no matter what device you come across. Suppliers do sell kits that contain popular cables such as SATA, RJ45, different USB cables, etc. These kits ensure that your team will have access to the appropriate cables to be able to acquire the evidence.
MOBILedit Connection Kit, https://www.mobiledit.com/Connection-Kit.
  • Forensic laptop: The team should have a forensic laptop with their forensic software installed and up to date so that investigators can begin data acquisition ASAP. Additionally, there may be some cases where the team cannot physically take the machine or hard drive in question so they will need to conduct an onsite data acquisition.
  • Bootable Forensic Software: As a backup, the team should have a bootable version of their forensic software on a USB drive or another form of external media. The reason for this is to account for errors: if the team gets on-site and its software is not responding correctly, or other errors occur, the team can still access the forensic software and continue with the investigation with as little disruption as possible.
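The write-blocker bullet above describes hashing the drive at first possession and rehashing it later to prove integrity. The following is an added example (not from the original post) of how that hash-and-rehash record could be kept alongside the chain-of-custody form; the image file, the stage names and the examiner names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so a multi-GB image never sits in RAM

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_hash(log, image_path, stage, examiner):
    """Append a dated hash entry for this stage (e.g. 'acquisition') to the log."""
    entry = {"stage": stage, "examiner": examiner,
             "utc": datetime.now(timezone.utc).isoformat(),
             "sha256": sha256_file(image_path)}
    log.append(entry)
    return entry["sha256"]

def verify_log(log):
    """True only if every later rehash matches the acquisition hash (log[0])."""
    baseline = log[0]["sha256"]
    return all(e["sha256"] == baseline for e in log[1:])

def run_demo():
    """Constructed sample: hash an image, rehash while intact, then after a change."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence001.dd")  # constructed sample image, not real evidence
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 4096)
        log = []
        record_hash(log, img, "acquisition", "Examiner A")   # first possession
        record_hash(log, img, "pre-analysis", "Examiner B")  # rehash before analysis
        intact = verify_log(log)                              # True: hashes agree
        with open(img, "r+b") as f:                           # simulate one altered byte
            f.seek(4100)
            f.write(b"X")
        record_hash(log, img, "post-analysis", "Examiner B")
        tampered = verify_log(log)                            # False: integrity lost
    return intact, tampered, log

if __name__ == "__main__":
    ok, bad, entries = run_demo()
    for e in entries:
        print(e["stage"], e["sha256"][:16])
    print(ok, bad)  # True False
```

In practice the same hash would also be written on the chain-of-custody form, so the log and the paperwork can be compared in court.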

Obviously, this is not an exhaustive list of everything that is required for the pre-investigation phase of a forensic investigation; however, it goes into enough depth to get a team on its way and prepared for its first forensic investigation. To summarize, preparation is key when it comes to forensic investigations. Your team should establish a budget, keeping in mind that some budget items will be a one-time cost while others will be a continuous cost. Next, you need to choose the forensic software that will be used to analyze the data. Team members should train with the tools and software beforehand so that during an investigation the analysts know how to process and analyze the data. Lastly, you should prepare a “go-bag” that contains the essential equipment you may need if the team is required to go on-site. This will allow your team to be prepared for anything it may come across at the scene. The team should always be ready to get up, grab all the equipment and go on-site in as little time as possible. Depending on the type of incident, a couple of minutes is all it takes for an attacker to gain access to a system or to files on a system, so it is necessary to be ready to move as effectively and as efficiently as possible.

Sources:

Digital Intelligence, digitalintelligence.com/store/.

Disklabs Faraday Bags, www.teeltech.com/mobile-device-forensics-equipment/disklabs-faraday-bags/.

“EnCase Certified Examiner (EnCE) Certification Program.” OpenText, www.opentext.com/products-and-solutions/services/training-and-learning-services/encase-training/examiner-certification.

FRED Forensic Workstation with 2 RAIDs, www.digitalintelligence.com/store/products/fred-forensic-workstation-with-2-raids.

“GIAC Forensic Examiner Certification: GCFE.” GCFE: GIAC Forensic Examiner Certification, digital-forensics.sans.org/certification/gcfe.

MOBILedit Connection Kit, https://www.mobiledit.com/Connection-Kit.

Oettinger, William. Learn Computer Forensics: a Beginner’s Guide to Searching, Analyzing, and Securing Digital Evidence. Packt Publishing, Limited, 2020.

Supershield Antistatic Shielding ESD Bag, https://www.amazon.com/Supershield-IC3700-628-ZB-3X3IN-Thickness-Surface-Resistance/Dp/B013G49XSG.

WiebeTech Forensic Field Kit K, www.insectraforensics.com/WiebeTech-Forensic-Field-Kit-K/en.