Collecting Evidence From A Running Computer
CollectingEvidencefrom aRunningComputer:A Technical and LegalPrimer for the JusticeCommunityBy Todd G. Shipley, CFE, CFCEandHenry R. Reeve, Esq.SEARCHThe National Consortium for JusticeInformation and Statistics
This report was prepared by SEARCH, The National Consortium for Justice Informationand Statistics, Francis X. Aumand III, Chairman, and Ronald P. Hawley, Executive Director.This report was produced as a product of a project funded by the Office of Juvenile Justiceand Delinquency Prevention (OJJDP), Office of Justice Programs, U.S. Department ofJustice, under Cooperative Agreement No. 2005-MC-CX-K021, awarded to SEARCH Group,Incorporated, 7311 Greenhaven Drive, Suite 145, Sacramento, California 95831. Contentsof this document do not necessarily reflect the views or policies of the OJJDP or the U.S.Department of Justice. Copyright SEARCH Group, Incorporated, dba SEARCH, TheNational Consortium for Justice Information and Statistics, 2006.AcknowledgmentsThis primer was prepared by Todd G. Shipley, CFE, CFCE, Director of Systems Security andHigh Tech Crime Training for SEARCH, The National Consortium for Justice Informationand Statistics, and Henry R. “Dick” Reeve, General Counsel and Deputy District Attorney,Denver, Colorado.This paper was written under the direction of the Legal Committee of the Working Group ofthe Internet Crimes Against Children Task Forces.7311 Greenhaven Drive, Suite 145Sacramento, California 95831SEARCHThe National Consortium for JusticeInformation and Statistics Phone: (916) 392-2550Fax: (916) 392-8440www.search.org
Traditional ComputerSearch and SeizureMethodologyThe traditional method for law enforcementwhen dealing with the search and seizure ofcomputers at a crime scene is to simply unplugthe computer and book it into the evidencefacility. From there, the investigator requeststhat the computer be examined by a traineddigital evidence examiner. The examiner thenmakes a “forensically sound” copy of thecomputer’s hard drive(s)1 and reviews the copyfor evidence or contraband. Upon completion,the examiner reports the findings back to theinvestigator.Traditionally, computer forensics has focused on researching, developing, and implementing proper techniques, tools, and methodologiesto collect, store, and preserve sensitive data that is left on a system’shard drive(s).—First Responders Guide to Computer Forensics(CERT Training and Education Handbook)This methodology was developed in theearly days of computer forensics to ensurethat the data was not changed in any way.It was developed in light of a number ofconsiderations, including defending againstlater challenges in court that the investigatoror examiner altered or created evidencefound on the device. Since the early 1990s,1 A forensically sound copy of a computer hard drive isone that is a bit-for-bit copy.this methodology has been central to lawenforcement’s response in handling computersfound at a crime scene. As stated in a 2001National Institute of Justice (NIJ) publicationtitled Electronic Crime Scene Investigation: AGuide for First Responders:“Each responder must understand thefragile nature of electronic evidenceand the principles and proceduresassociated with its collection andpreservation. Actions that have the
potential to alter, damage, or destroyoriginal evidence may be closelyscrutinized by the courts.”2A more recent NIJ document, ForensicExamination of Digital Evidence: A Guide forLaw Enforcement, further states:“When dealing with digital evidence,the following general forensic andprocedural principles apply: Actions taken to secure andcollect digital evidence shouldnot affect the integrity of thatevidence. Persons conducting anexamination of digital evidenceshould be trained for thatpurpose. Activity relating to the seizure,examination, storage, or transferof digital evidence should bedocumented, preserved, andavailable for review.Through all of this, the examinershould be cognizant of the need toconduct an accurate and impartialexamination of the digital evidence.”3What this means simply is that lawenforcement officers generally should not doanything that changes electronic evidenceunless the circumstances of a particularsituation justify something different.Inadvertent or accidental changing of evidence2 U.S. Department of Justice, Office of Justice Programs,National Institute of Justice (Washington, DC: July 2001)at page 1. The guide was written and approved by theTechnical Working Group for Electronic Crime SceneInvestigation.3 U.S. Department of Justice, Office of Justice Programs,National Institute of Justice (Washington, DC: April 2004)at page 1. could be caused by simply looking throughfiles on a running computer or by bootingup the computer to “look around” or playgames on it. This strict methodology hashistorically provided for original evidence that,if relevant, is difficult for defense counsel tosuccessfully challenge when it is introducedin court. However, we must remember thatevery crime scene is changed by the action oflaw enforcement being there. In fact, the NIJresearch report Crime Scene Investigation: AGuide for Law Enforcement acknowledges thatcontamination occurs, and describes methodsto limit that contamination.4It is important to note that potentialevidence may be lost or destroyed if arunning computer is encountered bylaw enforcement and seized as part ofan investigation using the historicalmethodology described above. (A “runningcomputer” is defined as a computer that isalready “powered on” when encountered at acrime scene.)4 U.S. Department of Justice, Office of Justice Programs,National Institute of Justice (Washington, DC: January2000). This report was written and approved by the Technical Working Group on Crime Scene Investigation.
Volatile Data on RunningComputers can ProvideCrucial EvidenceComputers require that a certain amount ofcomputer memory called “random accessmemory” (RAM)5 be used by the operatingsystem and its applications when the computeris in operation. The computer utilizes thisRAM to write the current processes it isusing as a form of a virtual clipboard. Theinformation is there for immediate referenceand use by the process. This type of data iscalled “volatile data” because it simply goesaway and is irretrievable when the computeris off.6 Volatile data stored in the RAMcan contain information of interest to theinvestigator. This information could include,for example:1. Running processes.2. Executed console commands.3. Passwords in clear text.4. Unencrypted data.5. Instant messages (IMs).6. Internet Protocol (IP) addresses.7. Trojan Horse(s).There are other types of volatile data thatcould be considered evidence of interest toan investigation. This potentially exculpatoryinformation may also simply “go away” whenthe system is turned off or loses power. Thistype of volatile data as potential evidence canalso be collected from a running MicrosoftWindows computer. Some of the additionaldata that can be collected may include:1. Who is logged into the system.2. Open ports and listening applications.3. Lists of currently running processes.4. Registry information.5. System information.6. Attached devices (this can be importantif you have a wireless-attached devicenot obvious at the crime scene).5 RAM is the most common type of memory found incomputers. It is a type of memory that can be accessedrandomly. RAM is synonymous with the term “mainmemory,” which is memory available for applications touse.6 The United States Computer Emergency ReadinessTeam (US-CERT) defines “volatile data” as “. any data thatis stored in memory, or exists in transit, that will be lostwhen the computer loses power or is turned off.”
Analyzing a RunningComputer: A DifferentApproach to EvidenceCollectionThe traditional digital evidence collectionmethodology described earlier still holdstrue for many law enforcement applications.Ensuring the integrity of evidence isparamount to any investigation conductedby a law enforcement agency. Preservingdigital evidence by collecting a system andconducting a forensic examination later will bethe standard for many years to come. However,there are also exceptions to the rule.There can be circumstances during aninvestigation involving a computer that canrequire the examination of a running system.Circumstances when this technique is ofpotential use are becoming more frequent.The single greatest factor pushing lawenforcement into this direction is theadvancement of home networkingtechnology. The ability of the home andsmall office user to set up small wired orwireless networks has been simplified to the“plug-and-play” standard. Now it is more likelythat in any investigative situation involving acomputer, the investigator may find a smallnetwork.Network crime scenes traditionally havebeen treated by investigators as a big STOPsign that says “call for help.” However, thecurrent ranks of trained computer forensicspersonnel are inadequate to support the ever-growing amount of digital evidence thatshould be collected at crime scenes. It is fairlycommon for investigators to wait months fortheir reports due to the resulting backlog. Inmany jurisdictions, such backlogs limit thesupport that forensics examiners can provideto field operations. Therefore, the ability ofinvestigators to collect potential evidencefrom running computers at the crime scenehas never been more critical. Providinginvestigators with new crime scene collectionskills will be paramount in dealing with theworkload and challenges presented by smallnetworks.
Let’s look at a scenario where evidence, if collected on-scene, can be critical to solving that crime:ScenarioInvestigators respond to ahomicide on a street corner. Thevictim was shot once in the chest,and there are no witnesses. Thevictim is identified and a searchis conducted of his residence in an attempt to determine a suspect or motive.A computer is found at his residence. The computer is already turned on and isrunning Windows XP. The investigators follow the traditional method of computerevidence collection by shutting down the system and collecting the computer. Thecomputer is booked into evidence for review by a computer forensics examiner.Had the investigators been trained in thecollection of volatile evidence, they could havecollected the RAM from the running system.Had they collected this evidence, they mighthave found instant message traffic between thevictim and another individual detailing a drugdeal. The IM traffic would have quickly ledthem to the suspect.This scenario is based on a real case in whichinvestigators did, in fact, collect the volatileevidence and identify a suspect through theIMs, thereby leading to his arrest. Had theinvestigators not recovered the IM traffic,they would have had little evidence to tie thesuspect to the crime.This type of scenario is becoming morecommon. Live system information can, insome cases, mean the difference betweensolving a crime and not. It can be thedifference between proving someone’s guiltor their innocence. The shift here is not alarge technological leap; it is more one ofphilosophy and training. The traditionalmethod of “Do Not Touch” the runningmachine leads to the potential of losingthis kind of evidence. These methods havebeen commonly used in the investigationof intrusion attempts on larger networksfor years. In chapter 9 of the book IncidentResponse: Investigating Computer Crime, theauthors describe their view of the best processfor collecting volatile data as evidence.7 Mostof the more current incident response textsoffer a similar method for collecting RAM andvolatile evidence.Learning how to properly collect volatileevidence requires investigators to takeadditional training to supplement thebasic computer seizure courses conductednationally. However, with additional trainingin volatile evidence collection methods, aninvestigator can develop the skills necessaryto collect evidence that traditionally may havebeen overlooked or lost. Again, it is importantto understand that volatile data will be lostforever if not collected while the computer isrunning.7 Kevin Mandia and Chris Prosise (Berkeley, CA: Osborne/McGraw-Hill, 2001).
A Methodology forthe Law EnforcementCollection ofDigital Evidence from aRunning ComputerPresently, there are a number of differenttools in use to collect volatile data.8 Givenhow rapidly technology changes, any tools ormethodologies described here today could beobsolete by tomorrow. What is offered hereis a suggested practice for investigators tofollow at the crime scene that allows volatileevidence to be collected in a manner consistentwith principles of evidence preservation andcollection and the law.Some guidance on a possible methodology isprovided in a CERT Training and Educationhandbook, First Responders Guide toComputer Forensics. It describes this six-stepmethodology for volatile data collection:9Step 1: Incident Response Preparation.Step 2: Incident Documentation.Step 3: Policy Verification.Step 4: Volatile Data Collection Strategy.Step 5: Volatile Data Collection Setup.Step 6: Volatile Data Collection Process.These steps are designed to be used by aninvestigator to investigate intrusion casescommon to larger networks. For purposes ofthis document, our focus is on Step 6.Steps in the Volatile Data CollectionProcessStep 6, Volatile Data Collection Process,involves the following five steps:1. Collect uptime, date, time, andcommand history for the securityincident.2. As you execute each forensic tool orcommand, generate the date and time toestablish an audit trail.8 Some of the currently used tools include Helix, abootable CD that is a collection of incident responsetools, and “dd,” a tool written by George Garner tocapture RAM.3. Begin a command history that willdocument all forensic collectionactivities.9 Richard Nolan, Colin O’Sullivan, Jake Branson, and CalWaits, CMU/SEI-2005-HB-001 (Pittsburgh, PA: CarnegieMellon Software Engineering Institute, March 2005) atpp. 94–102.4. Collect all types of volatile system andnetwork information.
5. End the forensic collection with date,time, and command history.These basic steps provide general guidanceregarding what to collect. Of importance tothis discussion is the need to document theactions of the investigator. CERT suggeststhe use of audit trails as documentation. TheCERT method also describes in general termsthe types of volatile evidence to collect.With the understanding that computersystems contain potential evidence that couldbe destroyed if traditional computer evidencecollection methods are employed, investigatorscan use the following basic steps whencollecting volatile evidence:1. Maintain a log of all actions conductedon a running machine.2. Photograph the screen of the runningsystem to document its state.3. Identify the operating system running onthe suspect machine.4. Note date and time, if shown on screen,and record with the current actual time.5. Dump the RAM from the system to aremovable storage device.6. Check the system for the use of wholedisk or file encryption.7.Collect other volatile operating systemdata and save to a removable storagedevice.8. Determine evidence seizure method (ofhardware and any additional artifacts onthe hard drive that may be determinedto be of evidentiary value).9. Complete a full report documenting allsteps and actions taken.These basic steps allow the on-sceneinvestigator to collect data that was previouslyoverlooked as unnecessary or simply lost outof ignorance. Open source and commercialtools are currently available that easily allowfor this methodology to be followed on arunning system. The RAM is dumped firstto capture the greatest amount of evidenceavailable. It must be noted that insertingany device into the running system (flashdrive, removable drive, or CD) will makeminor changes to the system, albeit verysmall changes. The proper use of these toolsdoes not add evidence or contraband to thesystem. Running a program to dump the RAMrequires that a very small amount of RAMbe occupied by the tool to conduct the RAMdump. Inserting a removable drive into a USBport adds an entry to the Microsoft Registry.All of these changes have no effect on theoverall state of the evidence and can be furtherdocumented at a later time by a traditionalforensic examination. Some small changes aremade during the process of using some of theavailable tools that require interaction withthe Windows operating system. These changeshowever, occur to the operating system filesonly and do not fundamentally change thecontent of the data saved on the system.
Legal Considerationsof Live Analysis andCollecting Evidence froma Running Computer:An OverviewCurrent practice in many jurisdictions utilizeeither— one search warrant that authorizes boththe initial seizure of a computer and thesubsequent forensic examination, or two search warrants in which the firstwarrant authorizes the initial seizureand the second (usually obtained ata later time) authorizes the forensicexamination.The on-scene live analysis described in thisprimer is of a limited nature and scope andshould not require specific authorization in awarrant unless the additional time requiredfor execution materially lengthens or broadensthe execution of the warrant. The boundariesfor this determination will be establishedby reference to local case law. To date, thereis no reported appellate decision on thisquestion; however, the authors submit that liveanalysis, when performed by properly trainedpersonnel, usually does not add significanttime to the warrant execution process and alsoshould not broaden the scope of the search.Rather, the collection and preservation ofvolatile data should be viewed simply as aregular, integral component of the proper10seizure of many computer systems. Theconstitutional need to be more particularin such circumstances seems a dubiousargument.If properly drafted, a search warrant shouldhave at least the implied authority to conducta live analysis, when circumstances merit. It issuggested that the warrant or its attachmentscontain the following language:1. Electronically document and preservethe state of the computer network andelectronic storage media, and2. Conduct preview screening of thecomputer data storage media forcontraband utilizing data recoverysoftware.The steps for live analysis, as described earlier,are merely designed to capture, preserve, andrecord evidence that may already be presentat an electronic crime scene and whichmay be lost if not properly collected. A liveanalysis should be structured to be a directedeffort, conducted in an efficient manner, bytrained personnel. If conducted otherwise,the likelihood of other legal challenges beingraised seems substantial.
A live analysis should be structured to be a directed effort, conductedin an efficient manner, by trained personnel. If conducted otherwise,the likelihood of other legal challenges being raised seemssubstantial.In cases where no search warrant was neededor used (for example, where consent or exigentcircumstances were present), the above legalconsiderations may not prove of relevance.In light of a recent decision in Georgia v.Randolph10 by the United States SupremeCourt on the question of consent, however,the ability to quickly and effectively conducta live analysis may contribute to establishingprobable cause prior to the time consent isrevoked when the authority to conduct a fullforensic examination might otherwise be lost.The accuracy and reliability of any evidencecollection process, as well as the varioustools or utilities used in the collection, maybe challenged by a criminal defendant. Inorder to best assure admissibility in court,law enforcement officers and prosecutors whouse live system analysis in a case need to beIn order to best assureadmissibility in court,law enforcement officersand prosecutors who uselive system analysis in acase need to be preparedto establish the skill
evidence collection by shutting down the system and collecting the computer. The computer is booked into evidence for review by a computer forensics examiner. this kind of evidence. These methods have been commonly used in the investigation of intrusion attempts on larger networks for years. In chapter 9 of the book Incident
Types of Evidence 3 Classification of Evidence *Evidence is something that tends to establish or disprove a fact* Two types: Testimonial evidence is a statement made under oath; also known as direct evidence or prima facie evidence. Physical evidence is any object or material that is relevant in a crime; also known as indirect evidence.
about evidence-based practice [2] Doing evidence-based practice means doing what the research evidence tells you works. No. Research evidence is just one of four sources of evidence. Evidence-based practice is about practice not research. Evidence doesn't speak for itself or do anything. New exciting single 'breakthrough' studies
2-6 Product Catalogue 2016 1.1.2016 Tanks and Transfer Pumps 2 Red PE Stackable Collecting Pans Natural PE Collecting Pan Black PE Collecting Pan Usable capacity D2 D1 H Weight Order no. l mm mm mm kg 35 565 507 220 3.0 1010903 60 680 607 270 4.3 1010904 100 802 727 320 6.5 1010905
akuntansi musyarakah (sak no 106) Ayat tentang Musyarakah (Q.S. 39; 29) لًََّز ãَ åِاَ óِ îَخظَْ ó Þَْ ë Þٍجُزَِ ß ا äًَّ àَط لًَّجُرَ íَ åَ îظُِ Ûاَش
Collectively make tawbah to Allāh S so that you may acquire falāḥ [of this world and the Hereafter]. (24:31) The one who repents also becomes the beloved of Allāh S, Âَْ Èِﺑاﻮَّﺘﻟاَّﺐُّ ßُِ çﻪَّٰﻠﻟانَّاِ Verily, Allāh S loves those who are most repenting. (2:22
o All years/2015 Date/Survey Reference Number/Property Address/UPRN in ascending/descending order Download Evidence report Delete Evidence folder . IM56_ Evidence_User_Manual_v5_August_2016 Page 6 of 13 Uploading Your Files New evidence can be uploaded by clicking the New Evidence Folder _ tab, which is located in the top left corner of the overview screen. After licking New Evidence Folder a .
Evidence-Based ” Journal series : All available online through AtlanticHealth. Evidence-Based Medicine, Evidence-Based Mental Health, Evidence-Based Nursing Unflitered Sources: Each one of these unfiltered sources has the ability to limit a search to relevant evidence as those listed in the pyramid.
In general, user-mode hooking is intended for API monitoring, like Mark Russinovich’s ProcessMonitor (alias FileMon/RegMon), resource leak detection, various malware which doesn’t need to care about security issues, extending applications and libraries you don’t have the source code for (also cracks may fall in this category), adding a compatibility layer for existing applications to run .
