bill’s blog

Just another WordPress weblog

Browsing Posts published in January, 2010

As system administrators do we really have to worry about collecting evidence? Maybe not… BUT what if you’re asked by your company’s general counsel (an authorized requester) to collect all non-business data (emails and files) from an employee’s laptop? AND what if you come across some adult porn? You start copying the images onto a USB thumb drive… You then find a folder on their desktop with a bunch of saved emails titled “I missed you last night”… Well, those seem like personal emails… Let me copy that over… You dig around a bit more and come across a folder labeled “Desktop Images” containing a bunch of JPEGs. You double-click the first image and it’s a picture of a clearly under-aged minor having sex with the employee. Now what do you do? Call the attorney IMMEDIATELY! This laptop is now evidence in a criminal matter. Possible charges could include possessing child pornography and sex with a minor, for starters.

Anyone who has ever watched a police show knows… “Don’t touch anything… you’ll leave fingerprints behind!” Pretty basic stuff. Most of us know about bloodstains and DNA evidence. Thank you OJ! We know about carpet fibers and lost articles of clothing. We know about tire tracks. The list goes on and on, but do we really know how to secure digital evidence? Well, luckily for us the National Institute of Justice (part of the U.S. Department of Justice) publishes many helpful documents that can help us better understand the dos and don’ts of collecting digital evidence.

NOTE: the National Institute of Justice is the research and development arm of the DOJ.

Browsing through some of the NIJ’s white papers, I came across a document that all system administrators should read… Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. It can be found at: www.ncjrs.gov/pdffiles1/nij/219941.pdf

The guide is pretty straightforward. It offers up some fairly common-sense checklists combined with a lot of “Oh yeah, I probably would have forgotten that” reminders.

So what did I learn from reading the guide?

Always have a digital camera with you… Sure, many cell phones have cameras built in, but you’ll need something with a bit more resolution. Take pictures of everything… Why not? It doesn’t cost you anything!

Look around for cell phones and MP3 players… They can contain data beyond their intended purposes. Be careful though! You want to make sure that you don’t overstep the authority provided by your authorization. Even if it’s not a criminal investigation… you could violate a person’s right to privacy (their Fourth Amendment rights) even if there’s no expectation of privacy!

There are some that say turn everything off… power down the computer. You may need to do that if files are being deleted. BUT powering down the computer may not always be the best thing to do. Check and see what’s on the screen first. What you’re looking for may be right in front of your nose.

Chapter 7 of the guide details for you the types of evidence you may need (both physical and digital) for various types of crimes! I think the real learning from going over the lists is opening your mind (Why would medical records be next to the computer?)… using your common sense (Well, there’s a box of 100 SIM cards and a box of cell phones next to the computer)… keeping your eyes open (Let me grab that USB thumb drive too).

The First Responders guide is a great place to start… The NIJ has plenty of other white papers if you find this one interesting. They can be found at: http://www.ojp.usdoj.gov/nij/

BTW, getting back to the opening paragraph… Always image the drive first! Always work from a copy! You’ll change the time stamps on the originals if you don’t ;-)

What is it they say? The right tool for the job! Indeed!

When I got my first car, it was a mess. It always needed work… in fact the Scarsdale police department knew my mom’s phone number by heart. “Mrs. Heese your kid is stuck again up by the Exxon station… Do you want us to send the tow truck?” I learned all about combustion engines that summer and I learned that there are particular tools that are designed to make some jobs easier AND having those tools could mean the difference between working on the car all weekend and driving it up and down Central Avenue! It’s no different today.

Nice story… But where are we going with this? Well… now instead of using socket wrenches and screwdrivers, it’s all about software packages and hardware! But that’s only half the story; there’s still the human element. How do we interact with the tools we use? The ISO (International Organization for Standardization) has put together a number of standards for how humans interact with computers. One in particular, ISO 9241 (Ergonomics of Human System Interaction), details various best practices, from how workstations should be laid out, to postural requirements, to keyboard layouts, and even to how menu dialogue boxes should be laid out!

NOTE: A great list of other usability standards can be found at http://www.userfocus.co.uk/resources/iso9241/intro.html

I find that if my desk is cleared of all distractions I can work efficiently and effectively. But that’s only part of the equation… your workspace must be organized as well! Any effort put into organizational planning is well worth the time. A big part of this is knowing how you work. What things are required? Do you need to have a radio on or… is silence best? Best practices are everywhere these days… And for good reason! We as people know there’s no point reinventing the wheel. It functions and serves its purpose well. Sure, we can always improve upon an idea… but why spend the effort trying to do the same thing people have done over and over again?

WOW… Where to start… Hard drives are the garbage dump of a computer… Sure, we strive to keep our data organized, but in actuality… we have zero control as to where the computer places our data on disk. Files are written to the first available sectors on disk. These sectors are reserved and freed based on which files are in “use” and which have been “deleted”! In actuality, no file is truly deleted until its sectors are overwritten. Point of fact… the pointer to the file on disk (the directory entry) is the only thing that is deleted when we empty the Trash/Recycle Bin; the data itself stays put.

A bit-stream copy of a hard disk is an exact duplicate of the ones and zeros on the disk. One needs to have a drive of equal or larger size than the one being copied… Some may call this a disadvantage, BUT the fact of the matter is that disk is cheap. Disk sizes keep growing while the cost remains fairly constant. No real disadvantage there.

It takes a disk of equal size because the copy includes the file/disk slack. Why is this important? Because disk storage is broken up into blocks. The block size is fixed by the file system that is operating upon the disk. If the block size is 8KB and your actual file/data size is only 4KB… that leaves 4KB of unused space at the end of the block. There are tools that can write data into that slack space. Tricky… tricky they are. You want to be able to capture everything that is on disk… no matter what.

Because a bit-stream copy captures every byte of data on disk, it takes longer to copy. Standard backups/mirror images copy only the actual file data and then fit it into the block allocation on the destination disk. One would miss the slack space… AND the “deleted” files! Bad idea.
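To make the last few paragraphs concrete (deleted files that are only un-pointed-to, data tucked into file slack, and the rule from the earlier post to image first and work from the copy), here is a small Python model of a disk. It is an added example, not code from the original post: the 8-byte blocks, the 64-byte “disk”, the file names and the bytes written into slack are all constructed toy values, and the logical-copy and bit-stream functions are simplified stand-ins for a file backup and a dd-style image respectively.

```python
"""Toy disk model: why a bit-stream image captures what a file copy misses.

Added example, not from the original post. Block and disk sizes are constructed
toy values; real file systems use 4 KB or larger blocks.
"""
import hashlib

BLOCK_SIZE = 8   # constructed: 8-byte blocks so the layout fits on one screen
NUM_BLOCKS = 8   # constructed: a 64-byte "disk"


class ToyDisk:
    """Raw bytes plus a minimal directory (name -> (first block, length))."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.table = {}
        self.next_free = 0

    def write_file(self, name, data):
        # Allocate whole blocks from the first free block onward. Bytes past the
        # end of the data in the last block are left as they were: the file slack.
        nblocks = -(-len(data) // BLOCK_SIZE)
        if self.next_free + nblocks > NUM_BLOCKS:
            raise OSError("disk full")
        off = self.next_free * BLOCK_SIZE
        self.raw[off:off + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += nblocks

    def delete_file(self, name):
        # Emptying the Trash/Recycle Bin removes only the directory entry.
        # The data blocks keep their contents until something overwrites them.
        del self.table[name]

    def read_file(self, name):
        start, length = self.table[name]
        off = start * BLOCK_SIZE
        return bytes(self.raw[off:off + length])


def logical_copy(disk):
    """What a standard backup does: copy the files the directory still lists."""
    return {name: disk.read_file(name) for name in disk.table}


def bitstream_image(disk):
    """What dd-style imaging does: every byte, allocated or not, slack included."""
    return bytes(disk.raw)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def unallocated_bytes(image, table):
    """Pull bytes from blocks no directory entry points at (where deleted files live).

    Works on the image and a copy of the directory, never on the original disk."""
    used = set()
    for start, length in table.values():
        used.update(range(start, start + -(-length // BLOCK_SIZE)))
    chunks = [image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
              for b in range(NUM_BLOCKS) if b not in used]
    return b"".join(chunks)


def demo():
    disk = ToyDisk()
    disk.write_file("report.txt", b"QUARTERLY")  # 9 bytes -> 2 blocks, 7 bytes of slack
    disk.write_file("secret.txt", b"PASSW0RD")   # 8 bytes -> exactly 1 block, no slack
    disk.raw[9:14] = b"HIDE!"                     # constructed: bytes written into report.txt's slack
    disk.delete_file("secret.txt")                # "deleted", but block 2 still holds the bytes

    original_hash = sha256(disk.raw)              # hash the original before any analysis
    image = bitstream_image(disk)                 # image first...
    backup = logical_copy(disk)
    backup_bytes = b"".join(backup.values())
    carved = unallocated_bytes(image, dict(disk.table))  # ...then work from the copy

    return {
        "backup_files": sorted(backup),
        "backup_has_deleted_file": b"PASSW0RD" in backup_bytes,
        "backup_has_slack_data": b"HIDE!" in backup_bytes,
        "image_has_deleted_file": b"PASSW0RD" in image,
        "image_has_slack_data": b"HIDE!" in image,
        "carved_from_unallocated": carved[:8],
        "image_size": len(image),
        "image_hash": sha256(image),
        "original_untouched": sha256(disk.raw) == original_hash,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the logical backup holding only report.txt, while the 64-byte image still contains both the “deleted” PASSW0RD block and the HIDE! bytes sitting in the slack; the two hashes taken of the original before and after the analysis match, which is the property you need to be able to show if the copy is ever questioned.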

When working in IT one needs to have a game plan… a road map, so to speak, with regard to fixing problems. One needs to understand what is happening and look at the problem from a number of different perspectives (Our servers’ hard drives are filling at random intervals… it’s got to be a server problem). One needs to understand what is causing the problem… more often than not… What’s changed in the environment? (Well, we installed the new version of Firefox onto everyone’s machine yesterday!) Then how to go about fixing the problem? Remove Firefox from everyone’s machine? But wait… problems within IT often aren’t that straightforward… oftentimes one cannot address the problem directly… “We need to use Firefox because our WebApp requires it” BUT wait… it’s this feature that is causing the problem! “If we turn off that particular feature it will allow most of us to use Firefox, although some users could still have other problems.” We’ve provided a fix for the greater good… but is it really a fix? It depends!

Having a game plan as to how you are going to attack the problem, and sticking with the game plan, can make the difference in finding a workable solution! Understanding what you are looking for (and that can include data that you don’t know is there) and why can only help to keep you focused. The game plan isn’t always the same… certainly the rules are different if you’re working in a corporate environment versus a government organization. They can be different depending on whether it’s a criminal matter. You as the technical expert need to understand that the suspect has rights that cannot be infringed upon, or you may find that all your hard work is inadmissible in court. Make sure you have the company’s permission, in writing, before you start poking around on other employees’ computers. Know who is authorized to give the OK to begin your work. Don’t start the work until you have everything in place.

Be Professional! Stick to what you were hired to do! It doesn’t matter whether you’re a salaried employee or a consultant! Be objective! Don’t form opinions until you’ve done your homework. Forming opinions prior to starting your work could lead you down the wrong path and waste valuable time. Keep your mouth shut… you never know what you’re going to find… Confidentiality is often equated with trust. In IT we often have more access to information than our bosses! Don’t sneak a peek at their salary information. You may not like what you find! If people can’t trust you, you’ll find yourself unemployed.