Key Steps to Managing a Cybercrime Scene
When handling a cybercrime scene, it is important not to be sourcing, evaluating, and learning to use memory capture tools on the spot.
Just like a sniper hones their skills through practice, a cyber investigator must have experience with different configurations to effectively extract evidence.
The absolute first step is to photograph anything and everything around the suspect computer.
That includes the screen, keyboard, case, cables, peripherals, and power connections.
This is done in case there is a time-triggered software booby trap, or in case the next steps trigger one.
Ensure that every photo is well lit without shadows so that it is obvious where everything is connected – or not connected (figure 1).
Before touching the keyboard, you may want to dust it for fingerprints.
Be very careful of putting downward pressure on the keyboard keys lest you trigger a booby trap.
The raw memory capture data should be preserved and used as input for various tools that can scan for evidence encoded as memory artifacts.
It is crucial to have storage options that prevent writes to the storage media, thereby preserving the contents.
Before moving on to storage, it is recommended to label both sides of every cable and take photographs to reconstruct the environment if needed.
Each cable should be labeled with a simple numbering and lettering system (e.g., 1A, 1B, 2A, 2B) to indicate its connection points.
To capture storage, there are two main methods: live imaging on the suspect computer or disconnecting the drive cable (preferably while the machine is running) and using a hardware duplicator to create forensic images of the drives.
The two popular formats for creating forensic images are E01 (Encase Image File Format) and DD (Data Dump).
Both formats preserve the files and status of the machine at a specific time.
E01 images also include a hash or checksum for retrospective evidence integrity verification.
It is crucial to create multiple copies of the forensic images, with one copy designated as the master.
If a booby trap is triggered during analysis, the master copy can be used to create another copy and continue the investigation.
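The imaging, hashing and master-copy discipline described above, as an added example that is not part of the original article: the script below stands in for a hardware duplicator or dd run, hashing a source block for block while writing a raw master image, recording that acquisition hash, and then cutting verified working copies from the master. A raw DD image carries no embedded checksum (unlike E01), so the hash has to be recorded separately at acquisition time, which is what this does. Assumptions: a constructed file plays the role of the suspect drive, SHA-256 is the chosen digest, and a hardware write blocker, not the read-only open here, is what protects real media from writes.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read/write in 1 MiB blocks, as with dd bs=1M


def sha256_of_file(path):
    """Hash a file in fixed-size chunks so images larger than RAM are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_raw_image(source, master_image):
    """Copy `source` (a block device or, here, a file standing in for one)
    into a raw master image, hashing the bytes as they are read.
    Returns the SHA-256 of the data read so it can be recorded at
    acquisition time, before any analysis tool touches the image."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(master_image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            digest.update(block)
            dst.write(block)
    # The master is never written to again: drop the write bits.
    os.chmod(master_image, 0o444)
    return digest.hexdigest()


def verify_image(path, expected_sha256):
    """Re-hash an image and compare with the digest recorded at acquisition."""
    return sha256_of_file(path) == expected_sha256


def make_working_copy(master_image, expected_sha256, working_image):
    """Derive a working copy from the master, verifying that the master is
    still pristine before copying and that the copy is byte-identical after."""
    if not verify_image(master_image, expected_sha256):
        raise RuntimeError("master image no longer matches acquisition hash")
    shutil.copyfile(master_image, working_image)
    if not verify_image(working_image, expected_sha256):
        raise RuntimeError("working copy does not match master")
    return working_image


def demo():
    """Constructed scenario: a small pseudo-device, one master, two copies.
    Returns (copy verifies, copy verifies after corruption, fresh copy verifies)."""
    workdir = Path(tempfile.mkdtemp(prefix="forensic-demo-"))
    try:
        device = workdir / "suspect_disk.bin"
        device.write_bytes(os.urandom(3 * CHUNK_SIZE + 123))  # constructed data
        master = workdir / "suspect_disk.master.dd"
        acquired = acquire_raw_image(device, master)

        copy = make_working_copy(master, acquired, workdir / "suspect_disk.work1.dd")
        ok_before = verify_image(copy, acquired)

        # Simulate a booby trap or a careless tool corrupting the working copy:
        # flip one byte so the content is guaranteed to differ.
        with open(copy, "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(copy, acquired)

        # The master is untouched, so a fresh copy can be cut and verified
        # and the investigation continues from it.
        copy2 = make_working_copy(master, acquired, workdir / "suspect_disk.work2.dd")
        ok_fresh = verify_image(copy2, acquired)
        return ok_before, ok_after, ok_fresh
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The point of verifying the master before every copy is that a hash mismatch on the master means the evidence chain is already broken, whereas a mismatch on a working copy only means that copy is discarded and a new one cut.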
The process of creating and using a forensic hard drive image should be performed by a trained professional to ensure the admissibility of evidence.
Digital forensic analysis protocols can be found in guidelines provided by institutions and organizations like the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST).
If a potential suspect computer is powered down, it is recommended to label cables, take photos, and bring all the pieces to a professional cyber forensic lab for investigation.
In the case of storage volumes and RAID, the data can be split across multiple physical devices, making it more challenging to recover and analyze.
Each RAID volume has its own characteristics and requires the original software and volume map to decode the data distribution.
RAID volume recovery should only be performed on copies of the data and not the forensic masters.
Virtual machines (VMs) can be used for forensic analysis to recreate the suspect’s computer system in a virtual environment.
VMs allow investigators to interact with files and software without modifying the original evidence.
They are portable and can be moved between computers or accessed remotely.
Building and using forensic VMs can be learned through available documentation.
In summary, investigating cybercrime scenes presents unique challenges, requiring technical expertise and the use of specialized tools.
Preserving and analyzing memory capture data, creating forensic images of storage, and using virtual machines can help extract evidence and present it in court effectively.
Collaboration with professional forensic practitioners and adherence to established guidelines is essential for successful cyber investigations.
Link: https://policeandsecuritynews.com/2023/10/04/key-steps-to-managing-a-cybercrime-scene/