Digital Forensic Process—Preservation / Collection

By John Ahearne, Forensic Analyst

This article is part of a series that delves into each step of the digital forensic process.

Handling Digital Evidence

Handling of evidence is the most important aspect in digital forensics. It is imperative that nothing be done that may alter digital evidence. This is known as preservation: the isolation and protection of digital evidence exactly as found without alteration so that it can later be analyzed.

Collection is the gathering of devices and duplication of electronically stored information (ESI) for the purpose of preserving digital evidence (exact copy of the original) that remains untouched while digital forensics is performed. Here at DriveSavers, we never work on the original copy. Historically, the collection of data for forensics literally involved pulling the plug from a computer and sending it to a forensic team. Depending on the situation, however, this is no longer always acceptable. In fact, in certain cases this is a sure way to lose valuable evidence. On the other hand, you may have to turn off the device or isolate ESI in a way that will not alter evidence, such as with some smartphones. For example, a wipe command can be sent remotely, erasing everything. Careful consideration of the situation is necessary.

Dead box forensic collection (imaging a device after it is powered off in order to collect digital evidence) remains an essential part of the digital forensic process. With today’s technology, however, it is growing more and more important to conduct a live box forensic collection, or simply a live collection (the collection of data from an active device prior to shutting it down). For example, if the device is encrypted and you do not have the passcode or encryption key, you may never have another chance to acquire valuable evidence once that device powers off or locks due to inactivity.

Relevant data will be permanently lost due to continued use of the device, such as when an employee leaves a company and their computer remains in use. When a summons arrives six months later, it might be too late to realize that you should have preserved their old computer. Preserving a former employee’s electronic devices, especially at the C-level, may not be a forensic best practice, but it can surely be considered a business best practice. I know it is tempting to log onto a former employee’s device and see what they did, but stop! The data must be preserved for collection if it is to be considered for litigation. Time and date stamps will change, system log files will rotate and valuable information can be lost.

A copy of digital evidence must be properly preserved and collected in accordance with forensic best practices. Otherwise, the digital evidence may be inadmissible in court or spoliation sanctions may be imposed. This might be a good time to go back and review the Identification process.

A proper forensic image (sector copy) contains the operating system (OS) and deleted data, in addition to user-generated data. There will be times when it is not possible to collect the OS or deleted data due to time constraints, business operations or court order restrictions. In those cases, a focused and/or targeted approach to collection of ESI will be required. If deleted data is suspected, then a sector-by-sector copy of the entire computer will be necessary and could be time consuming. If you have minutes, not hours, 90% of relevant evidence can be acquired by collecting user-generated data only; don’t forget the recycle bin.
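A targeted collection of user-generated data, as described above, written as an added example (not DriveSavers' tooling and not code from this article): it records each file's size, modification time and SHA-256 before copying, then confirms that the copy matches. The hashing step, the function names and the sample files are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect(source_root, dest_root):
    """Copy regular files under source_root into dest_root; return a manifest."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    manifest = []
    for src in sorted(source_root.rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue
        st = src.stat()  # capture size and timestamp before opening the file
        rel = src.relative_to(source_root)
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 also carries the modification time over
        manifest.append({
            "path": rel.as_posix(),
            "size": st.st_size,
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": src_hash,
            "copy_verified": sha256_file(dst) == src_hash,
            "mtime_preserved": int(dst.stat().st_mtime) == int(st.st_mtime),
        })
    return manifest

def demo():
    """Run collect() on a constructed sample tree (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "collected")
        for name, data in [("Documents/report.txt", b"Q3 figures"),
                           ("$Recycle.Bin/old_contract.txt", b"draft v1")]:
            f = src / name
            f.parent.mkdir(parents=True)
            f.write_bytes(data)
            os.utime(f, (1700000000, 1700000000))  # constructed timestamp
        return collect(src, dst)
```

Calling `demo()` returns one manifest row per sample file. Reading a file can update its last-access time on some systems, so the source should be mounted read-only when a collection like this is run against real evidence.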

Critical Business Operations

Business servers used in a production environment provide critical employee functions or a service to the company’s customers. Unplugging one of these could cost a corporation millions in lost revenue and productivity. In this situation, the device cannot be powered down, and collection of relevant data must occur while the system is active. After-hours, weekends or scheduled down times are options for collection of a business server. It is important to consult with experts such as DriveSavers that will work with the company’s IT department to ensure that business operations are not adversely affected by the collection of server drives or data.

More and more companies are moving critical functions to the cloud or to a hybrid, a combination of both (servers and the cloud). DriveSavers can control collection costs by acquiring evidence remotely and securely from our protected environment.

A court order may direct its defendants/plaintiffs to provide data from a particular employee or employees and no others, not to mention privileged communication or personal information that will have to be redacted. Again, it is important to consult with an expert such as DriveSavers that can act as a neutral third party and understands the importance of relevant, privileged and regulated data. Please stay tuned for future articles in Analysis and Presentation for more information.

Encrypted Data

Data at rest will not be accessible on an encrypted device or inside encrypted partitions after it powers off or locks if the following is unknown:

  • User names
  • Passwords and passcodes
  • Encryption keys

This becomes an issue both for personal devices like laptops and smartphones and for small companies without a dedicated IT team that manages a master encryption key for company-owned devices. It is important to note that most smartphones and laptops are encrypted. Nearly all smartphones have a privacy lock, and increasingly complex passcodes and encryption schemes make it very difficult to bypass such schemes.

If the device is unlocked and you are unsure of the passcode, and you have the authority to do so, please disable the passcode or change/simplify it to something that can be remembered. If you have a company device, please check with your IT department for admin accounts and/or master keys. It is a good idea to place a device in airplane mode and/or remove the SIM card, if it is to be considered for collection. Please document every step taken to secure a device for collection: the time, date, location and changes that were made.

If the device is NOT encrypted, computer user passwords are not required.

Inaccessible Devices

If a device is locked or physically damaged to the point that it is not possible to access the ESI, give DriveSavers a call. DriveSavers engineers in our Certified ISO Class 5 Cleanroom have had tremendous success in recovering wet/corroded, fire damaged, physically damaged (crushed, cracked screen, etc.), mechanically and electronically failed devices. Please have the passcodes/passwords readily available because sometimes the window of opportunity to access a severely damaged device is a short one-time opportunity.

If a device is locked and its passcode is unknown, please give DriveSavers a call. We may be able to help.

Locations of Electronic Evidence

Examples of devices that may need to be collected for digital evidence:

  • Smartphones
  • Tablets
  • Laptops
  • Desktops
  • External hard drives
  • Flash/Thumb drives
  • Camera cards
  • Backup Tapes
  • Servers & RAIDs
  • DVRs & Surveillance systems
  • MP3 players
  • GPS devices
  • Game stations (Xbox, PlayStation, etc.)

Never underestimate the importance of an electronic device. We have even analyzed voice recorders and automatic electronic defibrillators (AED)! Internet of things (IoT) and automobiles are also a source of ESI (how many times has your smartphone synced with your car?).

Preparing Devices for Data Collection

There are many different scenarios. Every possible situation has to be thought out carefully. DriveSavers specialists are available by phone 24/7 by calling 800.440.1904.

If the device is already powered down, do not turn it on. Follow these steps for forensically sound data collection:

  1. Determine if the device is on or off:
    • Look for lights
    • Listen for sounds
    • Feel for vibrations, haptic feedback and heat
    • A smartphone, tablet or laptop may be in sleep mode and appear to be off
    • If the device is a laptop or desktop, wiggle the mouse, but do not click any buttons
    • Is the smartphone or tablet’s screen greasy or dirty? Look for swipe patterns
    • Press the Home button or swipe the screen
  2. If the device is on, ask these questions and document the answers:
    • Is the device locked?
    • Is the user interface accessible?
    • Is the device encrypted? Do you know the passcode?
    • Is the battery charged?
  3. If a smartphone, tablet or laptop is on, activate airplane mode
  4. Record device model numbers, serial numbers and passcodes
  5. Take pictures
  6. Start a chain of custody document; DriveSavers will send you one
  7. If a device must be shut down in order to preserve ESI (such as a computer), shut the device down properly using the “shut down” command
  8. If you suspect destructive software (formatting, deleting, removing or altering data) is running, turn off the device immediately; pull the plug!
  9. Check for any removable media
    • CD/DVD trays
    • SD card slots
    • Flash drives
    • Sticky notes

Once a device is turned off, it can be delivered to a lab like DriveSavers for acquisition and/or analysis. Package all components, clearly labeling all devices, preferably in anti-static bags:

  1. Label the bags or boxes containing devices
  2. Package the device (anti-static bag whenever possible) tightly and securely in a box or evidence bag with at least two inches of bubble wrap
    • A local FedEx office can help you package the device
    • DriveSavers has several drop off locations in major cities; assistance with packaging is available here
  3. Keep all media away from magnets, moisture, extreme temperature and other potentially damaging elements
  4. Do not place evidence in the trunk of a vehicle, especially overnight

Sometimes due to business requirements, company policy or geographic location, it may not be feasible to send devices to a forensic lab or it may be financially prohibitive to shut down a corporate system. In the case of malware or network intrusions, valuable information may be lost if an electronic device is shut down. In this situation, an Incident Response Team must be onsite in a timely manner.

In any situation, DriveSavers can work with company IT staff, legal departments and opposing parties to preserve data for collection in a manner that is both defensible and repeatable according to forensics best practices.

Stay tuned for your lesson in analysis!