Preserving Digital Evidence to Bring Hackers and Attackers to Justice
Legislators have done their part by strengthening computer crime laws, but it is still harder to track down and prosecute those who intrude into our networks and steal our data than to catch and punish those who break into our homes or offices. One reason is the nature of digital evidence. To obtain a criminal conviction you must present evidence in court, and for that evidence to be admissible it must have been preserved and handled in a way that shows it has not been changed. Unfortunately, the IT or security personnel who are first responders to a hacking incident often inadvertently destroy the evidence -- and with it any chance of bringing the hacker to justice.
The Rules of Evidence
A criminal trial is an adversarial proceeding in which both the prosecution and the defense attempt to prove their cases by presenting evidence. Evidence can be testimony from a person who has personal knowledge of facts pertaining to the crime, or it can be physical evidence, which is a tangible item such as a murder weapon, a firewall log or a hard disk containing data.
Digital data is less tangible than most physical evidence. It belongs in the category of fragile evidence, along with such things as footprints in the snow, because it is so easily destroyed or changed; in fact, the very act of collecting or examining it can change it. That matters because, for evidence to be admissible, the party introducing it must prove that it has not been tampered with or modified since it was collected at the crime scene.
Even the concept of the crime scene can be complicated in computer crimes cases, since a computer criminal need not be present to commit the crime. In fact, most hacks and attacks are perpetrated remotely, often from locations outside the state or country where the damage occurs, thus bringing up questions regarding which criminal court has jurisdiction.
Evidence is subject to strict rules regarding its admissibility. In order for the court to allow it to be presented, recorded in the court record and considered in the verdict, evidence must be:
- Relevant: it must pertain to the actual case. For example, evidence showing that a person hacked into a different computer system ten years ago generally would not be admissible in a trial to determine his guilt or innocence in an attack that occurred ten months ago (however, the past criminal history might be admissible in the sentencing phase of the trial, after guilt or innocence has already been decided).
- Material: the evidence must prove or disprove facts that impact the question before the court (which is usually: "did the defendant commit the crime with which he's charged").
- Competent: the evidence must be proven to actually be what it purports to be. Proving its competence is called authentication of the evidence.
How Evidence is Authenticated
Physical evidence is usually authenticated by the sworn testimony of one or more persons who can verify that it is what it purports to be. For example, the network administrator who checked the firewall logs immediately following an attack can testify that the log data presented in court matches the data he saw in the logs at that date and time. The police officer who arrived on the scene can testify that he packaged up the computer containing the log files and delivered it to the evidence lab. The computer forensics technician who took possession of the computer can testify that he received it from that officer and that he used standard forensic methods to make a bit-level copy of the disk containing the logs.
This process of authenticating the evidence each time it changes hands is called preservation of the chain of custody. If the evidence is unaccounted for at any time during the process, its authenticity can become tainted because there is a chance that someone could have made changes to it.
For this reason, it's important that everyone who handles the evidence keep written records of when they turned it over to someone else, to whom they turned it over, and why. These records make up the evidence log. Evidence should be locked up in a secure evidence room or locker when it must be left alone.
Incident Response Guidelines
When it comes to digital evidence, think of the oath that physicians take: "First, do no harm." Your first tendency upon discovering that the network has been breached may be to open the log files, shut down the system, etc. However, if there is a chance that the case will be prosecuted criminally, you should do as little as possible beyond disconnecting the system from the network and protecting the scene (ensuring that nobody else changes anything) until law enforcement personnel arrive.
- Don't turn off the system. Data that's in volatile memory (RAM) will be lost.
- Do disconnect the system from the network. If it stays connected, a hacker could cover his tracks by deleting log files and other evidentiary data.
- Don't use the system to do anything. Don't run any programs. You could inadvertently overwrite evidentiary data. In some cases, the hacker might have planted a program that will erase data when triggered by some event (such as opening or closing a program).
- Don't open files to examine them. Even opening a file read-only updates its last-access timestamp, and some applications rewrite a file's metadata or contents when they open it, so the original timestamps needed to reconstruct the timeline of the attack are lost.
The best way to preserve digital evidence in its original state is to connect the computer to another computer onto which the digital information can be copied. This can be done through a private network connection between the two computers. Data can be transferred over an Ethernet connection between the two computers (by connecting them both to a private hub that is not connected to any other network) or through a serial or USB connection.
Acquire the source computer's memory first, because it is lost the moment the machine is powered down, and use an acquisition tool with the smallest possible footprint: whatever you run on the source machine occupies memory that may itself hold evidence. Then copy the source computer's hard disk to the target computer as a bit-level image. That means the image is an exact sector-by-sector copy of everything on the source disk, including unallocated space and file slack, not just the files the file system lists. Compute a cryptographic hash of the source disk and of the image and record it in the evidence log; the two values matching is how you show the copy is exact, and re-hashing the image at any later point shows it has not been altered since. It's best to use software designed specifically for forensic purposes. Programs used by law enforcement forensics experts include EnCase, made by Guidance Software (which offers a graphical interface), and the command line tools made by New Technologies, Inc. (NTI). Some investigators also use programs such as Symantec's Ghost, which can make raw sector-by-sector images using its -ir ("image raw") switch.
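The imaging and verification steps described above, as an added example that is not part of the original article or of any of the tools it names. It uses dd and sha256sum from a POSIX shell; the seized disk is a constructed file, and /dev/sdb, the hub address 192.168.0.2 and the handler names are illustrative. It hashes both the source and the image, records the hash with each hand-over in a plain-text evidence log, and re-checks it later so that an image modified after acquisition is caught.

```shell
#!/bin/sh
# Added example (not from the article): bit-level acquisition of a disk into an
# image file, with hashes proving the image matches the source and a
# chain-of-custody record for the evidence log. The sample "disk" is a file
# constructed below; /dev/sdb, 192.168.0.2 and the handler names are made up.
set -eu

EVIDENCE_LOG="${EVIDENCE_LOG:-./evidence.log}"

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_sample_disk FILE
# Constructed stand-in for the seized disk: 1 MiB of zeros with a fragment
# written at an offset no file system entry points to, the way deleted data
# survives in unallocated or slack space. Real disks are sector multiples too.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'attacker.log (deleted, still on disk)' |
        dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# acquire_image SOURCE IMAGE
# Copies every sector of SOURCE into IMAGE (a bit-level, not file-level, copy),
# then hashes both sides. Prints the hash on success, fails on a mismatch.
acquire_image() {
    src="$1"; img="$2"
    # noerror: do not stop at an unreadable sector; sync: pad that sector with
    # zeros so every later offset in the image still lines up with the source.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image does not match source: $src_hash != $img_hash" >&2
        return 1
    fi
    echo "$img_hash"
}

# log_custody ITEM HASH FROM TO REASON
# One evidence-log record per hand-over: when, what, its hash, who released it,
# who received it, and why.
log_custody() {
    printf '%s|%s|%s|%s|%s|%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5" >> "$EVIDENCE_LOG"
}

# verify_image IMAGE
# Re-hashes IMAGE and compares it with the hash recorded at acquisition; any
# later change, deliberate or accidental, shows up as a mismatch.
verify_image() {
    if [ ! -f "$EVIDENCE_LOG" ]; then
        echo "no evidence log at $EVIDENCE_LOG" >&2
        return 1
    fi
    recorded=$(awk -F'|' -v item="$1" '$2 == item { print $3; exit }' "$EVIDENCE_LOG")
    if [ -z "$recorded" ]; then
        echo "no custody record for $1" >&2
        return 1
    fi
    [ "$recorded" = "$(sha256_of "$1")" ]
}

# Walk-through on the constructed disk (run as: sh acquire.sh demo).
demo() {
    work=$(mktemp -d)
    EVIDENCE_LOG="$work/evidence.log"
    make_sample_disk "$work/sdb.raw"
    hash=$(acquire_image "$work/sdb.raw" "$work/sdb.img")
    log_custody "$work/sdb.img" "$hash" "network admin (first responder)" \
        "forensics examiner" "acquired bit-level image at scene"
    verify_image "$work/sdb.img" && echo "image verified: $hash"
    # Touching a single byte, as opening a file for editing might, breaks the chain.
    printf 'x' | dd of="$work/sdb.img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    verify_image "$work/sdb.img" || echo "image altered after acquisition: inadmissible"
    cat "$EVIDENCE_LOG"
}

# Over the private hub described in the text, the same copy is split across the
# two machines (not run here; listen flags differ between nc variants):
#   target (192.168.0.2):  nc -l -p 9999 > sdb.img
#   source:                dd if=/dev/sdb bs=512 conv=noerror,sync | nc 192.168.0.2 9999
# Then hash /dev/sdb on the source and sdb.img on the target exactly as above.

if [ "${1:-}" = demo ]; then demo; fi
```

The log deliberately holds the hash next to the hand-over record, so the examiner who later testifies can re-run verify_image in front of the court rather than rely on memory; a missing record is treated as a failure, not as "nothing to check".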
Digital evidence is fragile and can be easily destroyed or rendered inadmissible in court due to modification after it is collected. IT incident response teams need to recognize that, if an intrusion or attack has a chance of ending up in criminal prosecution, evidence handling is crucial to winning the case and bringing the criminal to justice.
The first priority of IT personnel is usually twofold: to protect the system and network from further harm and to return them to full functionality as quickly as possible. Actions taken to further these goals may directly conflict with best practices for preserving evidence. If a crime has occurred, the best action is often to do nothing beyond disconnecting the system from the network so the hacker can't erase the evidence. Unless you have training in computer forensics and evidence collection, leave it to professionals in that area to make copies of evidentiary data in memory and on the hard disk. They have specialized equipment that makes the job easier, and documented procedures that make it easier to prove in court that the evidence was not tampered with.