Tuesday, February 20, 2007

Digital crime scene walkthrough

I was recently fishing through myriad sites related to criminology and crime scene processing for criminalistics folks and decided to take a peek at the technical working group for crime scene investigation documents. I came across Crime Scene Investigation: A Guide for Law Enforcement on the FBI's site and decided to read a bit of it. Note that this is different from what the DOJ put out for electronic crime scene investigation. One of the more interesting sections of the CSI document is that CSIs are not only directed to conduct a "walk through", they are encouraged to do so. The principle listed in section 2 on page 20 states "the scene walk through provides an overview of the entire scene, identifies any threats to scene integrity and ensures protection of physical evidence". Compare that to traditional digital crime scene teachings that say "if it's off, leave it off. Don't do anything to modify the scene. If it's on, then pull the plug and wait for the expert to arrive".

Locard teaches us that transference is a natural by-product of interacting with crime scenes and evidence. "Real world" CSIs therefore modify the crime scene as they walk through it and process the scene and the evidence. The key to investigating a crime scene is to avoid or minimize the impact that an investigator has on the scene and its evidence.
The CSI doc states that an investigator should "Avoid contaminating the scene by using the established path of entry" ... "Identify and protect fragile and/or perishable evidence. Ensure that all evidence that may be compromised is immediately documented, photographed, and collected".

What can we take away from this when it comes to computer related incidents? I take away that we need to make live investigations not only a bonus feature of incident response and forensics, but a mandatory function of any investigation. The fact is, there is a lot of fragile and perishable evidence that can be compromised if we don't collect it while the system is live. By "following an established path of entry" I think we need to use a standard methodology of live investigation that minimizes the impact to a system or network. Is it OK to stick your USB key into a system to collect live evidence? This and other similar issues have been debated time and time again. In my personal opinion, the answer is yes, most definitely yes. Plug in a USB key if and only if:

It has been sanitized.
Your procedure is defensible.
You have documented the state of the system/network before you plug it in.
The evidence to be collected outweighs the changes you may make to the system.
It is your last or best option.

The industry has identified an order of volatility for electronic evidence (RFC 3227 lays one out, from registers and cache down through network and process state, memory, temporary file systems, disk and finally archival media), but this type of "live" evidence is not often collected and is rarely used to maximum effect.

Instead of pulling the plug, why not get every last drop of evidence from the victim system before you destroy it? By immediately pulling the plug, investigators are compromising the very evidence that may solve the case. Harlan Carvey's analogy rings very true here: the chief surgeon arrives on the scene and promptly kills the victim in order to assess the nature of the evidence.

At the very least we need to preview the system in question and conduct a digital walkthrough of the scene before we collect evidence from the primary source.

And now for a concept...
Digital walk through: the digital walk through provides an examiner with the opportunity to assess the victim system for relevant potential sources of digital evidence, to get an overview of the entire system, to identify any threats to data integrity, and to ensure the protection and collection of volatile digital evidence that would otherwise be lost.
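What a documented, minimal-footprint walk through of this kind can look like in practice, as an added example that is not code from the original post. It runs a fixed list of read-only collection commands from most to least volatile (the RFC 3227 ordering mentioned above), and for every step it records the exact command, start and finish time, exit status and a SHA-256 of the captured output in a manifest, along with a hash of the collector itself, so the examiner can later show exactly what was done to the scene and when. Output is written only to a directory the examiner supplies (the sanitized USB key), never to the victim's disk, and a tool that is missing or fails on the victim is recorded rather than aborting the pass. The command lines in DEFAULT_STEPS, the dry-run step and all helper names are assumptions for a Linux host, not anything the post prescribes.

```python
"""Documented live-collection pass ("digital walk through") in order of volatility.

Added example, not code from the original post. Each step is run from most
to least volatile, its output is captured and hashed, and the run is recorded
in a manifest. Nothing is written to the victim's disk: output goes to the
examiner's own media via dest_dir, or stays in memory when dest_dir is None.
"""
import hashlib
import json
import os
import subprocess
import sys
import time
from dataclasses import dataclass, asdict
from typing import List, Optional, Sequence, Tuple

# Steps ordered most-volatile-first, following RFC 3227 section 2.1 (network
# and process state, kernel state, memory, temp file systems, disk, ...).
# These commands are assumptions for a Linux host; on a real scene, run
# known-good binaries carried on your own media rather than the victim's.
DEFAULT_STEPS: List[Tuple[str, List[str]]] = [
    ("clock",     ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("routes",    ["ip", "route", "show"]),
    ("sockets",   ["ss", "-tunap"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("sessions",  ["who", "-a"]),
    ("mounts",    ["cat", "/proc/mounts"]),
]

# Off-scene dry run: exercises the collector and manifest on the examiner's
# own workstation (a defensible procedure is one you have tested beforehand).
DRY_RUN_STEPS: List[Tuple[str, List[str]]] = [
    ("hello", [sys.executable, "-c", "print('hello')"]),
]


@dataclass
class StepRecord:
    order: int
    name: str
    argv: List[str]
    started_utc: str
    finished_utc: str
    returncode: Optional[int]   # None when the tool could not be run at all
    output_bytes: int
    output_sha256: str
    error: str = ""


def _utc_now() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def run_step(order: int, name: str, argv: Sequence[str], timeout: int = 60) -> Tuple[StepRecord, bytes]:
    """Run one read-only collection command and return (record, raw output).

    A missing, failing or hanging tool is recorded, not fatal: the walk through
    keeps going down the volatility list instead of aborting mid-scene.
    """
    started = _utc_now()
    out, rc, err = b"", None, ""
    try:
        proc = subprocess.run(list(argv), stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=timeout)
        out, rc = proc.stdout, proc.returncode
        if rc != 0:
            err = proc.stderr.decode(errors="replace").strip()
    except FileNotFoundError:
        err = f"tool not found: {argv[0]}"
    except subprocess.TimeoutExpired:
        err = f"timed out after {timeout}s"
    digest = hashlib.sha256(out).hexdigest()   # hash taken before anything is written
    return StepRecord(order, name, list(argv), started, _utc_now(), rc, len(out), digest, err), out


def walk_through(steps=DEFAULT_STEPS, dest_dir: Optional[str] = None, timeout: int = 60) -> List[StepRecord]:
    """Run every step in the given (volatility) order; optionally persist outputs.

    With dest_dir set (e.g. the mount point of the examiner's sanitized USB key),
    each step's raw output and a JSON manifest are written there.
    """
    records = []
    for order, (name, argv) in enumerate(steps, start=1):
        rec, out = run_step(order, name, argv, timeout)
        records.append(rec)
        if dest_dir:
            with open(os.path.join(dest_dir, f"{order:02d}_{name}.out"), "wb") as f:
                f.write(out)
    if dest_dir:
        with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
            f.write(manifest_json(records))
    return records


def tool_sha256() -> str:
    """Hash of this script, so the exact tool used on the scene is identifiable later."""
    try:
        with open(__file__, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except (NameError, OSError):
        return "unavailable"


def manifest_json(records: List[StepRecord]) -> str:
    """Serialize the run (collector hash, interpreter, every step) for the case file."""
    body = {"collector_sha256": tool_sha256(),
            "python": sys.version.split()[0],
            "steps": [asdict(r) for r in records]}
    return json.dumps(body, indent=2, sort_keys=True)


if __name__ == "__main__":
    dest = sys.argv[1] if len(sys.argv) > 1 else None
    for r in walk_through(dest_dir=dest):
        status = r.error or f"{r.output_bytes} bytes, sha256 {r.output_sha256[:16]}..."
        print(f"{r.order:02d} {r.name:<10} {status}")
```

Run it from your own media with the USB mount point as the argument, after you have written down the pre-plug-in state of the system and network as the list above requires; the manifest's collector hash and per-step hashes are what you attach to that note. The dry-run step list is for checking the collector off-scene, and the order of DEFAULT_STEPS is the point: anything that changes between one step and the next is exactly the evidence that pulling the plug would have discarded.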