A cybercrime scene is as challenging to manage as a physical crime scene for investigators
By Ron LaPedis
Before you enter a suspected bomb builder's lair you need to be wary of booby traps. The same holds true when you come across a computer that belongs to a suspected hacker, a pedophile suspected of storing or sharing child pornography or any other suspect.
Hackers are good at what they do because they know computers inside and out. It is possible to booby trap a computer system so that any evidence of a crime is destroyed as soon as a single key is pressed. This means that it is important for you to know what to do when you need to access a computer which has been used in a crime.
The FBI has over a dozen Regional Computer Forensics Laboratories (RCFL) across the United States, chartered to cultivate working relationships between law enforcement, the private sector, academia and other government agencies by serving as a national clearinghouse for the exchange and dissemination of information.
Time is critical when investigating a crime and you might not have the luxury of waiting for someone from the RCFL to show up on site to help. And if a computer is powered down you might lose essential information, and you may not be able to power it up again or log in.
Save time in a bottle
Before making a move, you need to take a snapshot of a suspect's computer to freeze it in time. The snapshot becomes your baseline and if a booby trap is triggered you can go back to the image and try again.
Tools that come on a flash drive can be used to capture the computer's live memory, which may include unencrypted passwords and other information that can be used for additional forensic work. You may also see evidence of connections to dark-web servers or the Tor network, both of which are popular for criminal use.
Once you have done a memory capture, the next step is to attempt to capture an image of the operating system and images of the disk drives while they are unencrypted. This may or may not be possible depending on whether or not there is a booby trap set. It may be better to shut down the machine and use a hardware duplicator to take forensic images of the drives, which will preserve the files and status of the machine as a snapshot in time. In either case, the creation of a true forensic hard drive image is a highly detailed process. If you do not have it performed by a trained professional, you may severely compromise your chances of obtaining admissible evidence as a result of your discovery efforts.
Suggested protocols for digital forensic analysis can be found within guidelines standardized by institutions and organizations like the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST).
The final step before powering down the computer is to lock the drives so that the data on them cannot be overwritten either accidentally or by a booby trap when they are powered on again. There are tools available to perform all of these actions.
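The steps above all serve one goal: the image you take becomes the baseline, and nothing (accident or booby trap) may change it afterwards without you noticing. The following script is an added example, not code from the article, showing the usual way that guarantee is enforced in software: hash the image at acquisition, write the hash, size, examiner and timestamp into a record, drop the write bits on the file, and re-verify against the record before and after every examination session. The sample image is constructed in a temporary directory; the file names, the examiner id and the record layout are assumptions for illustration.

```python
"""Integrity baseline for a forensic image: hash at acquisition, re-verify later."""
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so multi-GB images never load into RAM


def hash_stream(fileobj):
    """Return (sha256_hex, byte_count) for any binary file-like object."""
    digest = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        digest.update(chunk)
        size += len(chunk)
    return digest.hexdigest(), size


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return hash_stream(io.BytesIO(data))[0]


def hash_image(path):
    """Hash an image file on disk without modifying it (opened read-only)."""
    with open(path, "rb") as f:
        return hash_stream(f)


def record_baseline(image_path, record_path, examiner):
    """Write the acquisition record and clear the write bits on the image.

    The chmod is a software belt-and-braces measure on top of a hardware
    write blocker; it stops casual overwrites, not a determined process.
    """
    digest, size = hash_image(image_path)
    record = {
        "image": os.path.basename(image_path),
        "sha256": digest,
        "size": size,
        "acquired_by": examiner,                      # assumed examiner id
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    os.chmod(image_path, 0o444)
    return record


def verify_baseline(image_path, record_path):
    """Re-hash the image and compare with the record; returns (ok, reason)."""
    with open(record_path) as f:
        record = json.load(f)
    digest, size = hash_image(image_path)
    if size != record["size"]:
        return False, f"size changed: {record['size']} -> {size}"
    if digest != record["sha256"]:
        return False, "sha256 mismatch: image altered since acquisition"
    return True, "image matches acquisition record"


def demo():
    """Constructed sample image: verify, tamper with one byte, verify again."""
    workdir = tempfile.mkdtemp()
    try:
        image = os.path.join(workdir, "suspect_disk.raw")
        record = os.path.join(workdir, "suspect_disk.json")
        with open(image, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"\x00" * 4096 + b"FAKE BOOT SECTOR AND FS DATA" + b"\xff" * 4096)
        record_baseline(image, record, "examiner-01")
        ok_before, _ = verify_baseline(image, record)
        # Simulate an accidental or malicious write to the evidence file.
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        ok_after, reason = verify_baseline(image, record)
        return ok_before, ok_after, reason
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Keep the JSON record with the chain-of-custody paperwork rather than next to the image: a record that travels with the evidence can be edited by whoever edits the evidence. Note that the size check fires first, so a truncated image is reported as such rather than as a generic hash mismatch.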
If you come across potential computer exhibits that are already powered down, these need to be seized as evidence and then investigated by qualified, professional forensic practitioners. There are products in the market which allow you to boot up these exhibits in a forensically sound manner, using the original hardware, enabling you to gain actionable intelligence at the point of discovery.
What if you don't have room on your desk for the huge tower computer you've just seized from the suspect's address? What if you eat your lunch at your desk and the suspect's laptop is splattered with biological matter or full of accumulated dust from years of being hidden under a bed/desk?
To address these issues, along with preserving the chain of custody, you need to re-create the computer in a clean, sterile, forensic environment, letting you access the evidence it may contain while protecting the source from modification or deletion. To do this, you need to create a virtual replica of the suspect's computer.
Think about a firearms simulator for a moment. There are virtual targets on the screen and you are holding a firearm that communicates with the simulator. If you are on target and pull the trigger, a hole shows up in the target – just as surely as a piece of lead going downrange would make a hole in a paper target. You are convinced that you made that hole.
In a similar manner, a Virtual Machine (VM) is a piece of software that simulates a computer, letting the Operating System (OS) and any apps installed on that OS think that they are running on a real computer. If the OS or an app installed on it can perform an action on a real computer, it can perform the same action on a VM. With a little finesse, you can recreate the suspect's entire computer as a VM, which in turn will allow you to re-create the entire digital crime scene in an accessible, virtual environment.
What is a Virtual Machine?
A VM is an app which runs on a computer, and pretends to be a computer (fig 1). The VM software tricks the OS and apps into thinking that they are running directly on a computer when in reality, they are running on a simulated computer.
Using a virtual machine saves money by reducing the amount of hardware required – multiple VMs can share the same physical computer and access the same storage, putting processing power to use that otherwise might be idle while waiting for a human to respond.
Since a VM is divorced from the hardware, it is portable: it can be moved from one real computer to another, or accessed from almost anywhere, even over the internet.
This is how many modern corporate networks are configured: your OS and your files are inside one VM which is running on the same big computer as dozens or hundreds of VMs from other users. The cloud works in a similar manner: your OS, apps and files are slotted into a secure location, usually on a virtual server specific to your business, accessible only with your own security credentials.
Forensic Virtual Machines
Before you can re-create a suspect's machine in a VM, you need to create an image of it from the real computer on which it is running. Various forensic tools are available to image a hard drive, each having its own merits, and while you can build a VM yourself, this can be a time-consuming process, riddled with driver errors and Blue Screen of Death (BSoD) errors. Special software is available that can take a forensic image (including the OS, apps and all user-generated files) of a computer and convert it to a working VM, literally in seconds, giving you access to this valuable intelligence in a short period of time.
Standard forensic principles often deny an investigator the opportunity to turn a computer back on once it has been powered down. The use of a VM lets the forensic examiner fire it back up and poke around it without affecting the original, unchanged evidence.
In the same way that a dead body from a physical crime scene can give up clues and evidence to a medical examiner (ME) as to who the perpetrator was and how the crime happened, use of a forensic VM from a dead-box hard drive (or an image of that hard drive) can offer up clues and powerful evidence to the digital examiner that are not available via standard forensic software. The VM enables a virtual autopsy of the suspect's computer.
If your suspect has been mixed up in a financial crime, you'll have access to their accounting records and will be able to export them to Excel and then extract them from the VM to perform further analysis on – just like if you'd been able to turn their own computer on. If they have been downloading or sharing illegal content, you will be able to take a screenshot of how and where the files were stored or show the sharing software actively attempting to send or receive material.
A picture speaks a thousand words, and showing a judge or a jury a screenshot of a suspect's computer can save literally hours of technical explanation which can often fall on deaf ears.
If the user was accessing files stored in proprietary databases, it is quite possible that the software to decrypt or interpret those databases resides on the suspect's computer. With no other way to access those files, they become unusable – and they may contain the smoking gun evidence the examiner needs.
The VM image captures the original software that the suspect used to access that information. By recreating the suspect's machine as a VM, and performing a similar action on any other machine where proprietary databases are located, you can create a virtual network which links all of the VMs together, enabling you to access what otherwise might be inaccessible files.
Summary
Being able to access an identical but virtual replica of the suspect's machine means that you can interact with the files and the software on their system without fear of making a mistake which will modify or destroy it. If you have an accident, you can just go back to the previous image (called a snapshot). And because the VM is just a piece of software, it can be moved from place to place or can be sent to the RCFL or a vendor specializing in forensic work.
Creating a VM from a computer allows you to lock all of the original hardware and software to the time when you first came upon it. It will let you search for evidence without altering evidence, and will let you go back to that time if required. If you need additional expertise, you can send the VM to the person who has that knowledge.
All in all, a VM can help you find elusive evidence and present it in court in a non-technical manner. VM for the win.
Source: Key steps to managing a cybercrime scene. (2019, Nov 07). Retrieved November 21, 2024, from https://studydriver.com/key-steps-to-managing-a-cybercrime-scene/