Acquisition

In the USA there is a jury and the judge is the gatekeeper of what is presented to the jury, so there is a focus on the admissibility of evidence (if it's not admissible it will not be presented to a jury). Also in the USA, to strengthen evidence, there is the concept of chain of custody: evidence is tracked in a way that avoids gaps.

In Italy, instead, criminal action is mandatory. A judge will always evaluate the case (and the admissibility of evidence) and there is no jury. So you just present evidence to the judge, who decides whether it is valid or not: there is no admissibility concept like in the USA. In Italy the only limit on admissibility is evidence acquired in violation of the law (illegally gathered evidence is not admissible). Consideration: in Italy the admissibility standard is much lower than in the USA.

Budapest Convention on Cybercrime: sets standards for how digital evidence should be collected. If it is not applied, the evidence is collected in violation of the law. Problem: in Italy there are no penalties associated with this law, which means it has weaker effects than it should (in theory it can simply be ignored). In practice, evidence is rarely deemed invalid for those reasons.

Brittleness of digital evidence

Digital evidence is brittle (fragile). This means that if it gets tampered with, the previous state cannot be recovered (by default), and the fact that it has been modified cannot be determined either. What we can do is show that digital evidence has not been modified (ensure that it is the same as before). Some technique is needed to ensure:

  • Legal compliance

  • Ethical behaviour from all parties

  • Detection of errors in good faith (e.g. Garlasco thesis alibi)

  • Detection of natural decay

Solution: hashing

To ensure the integrity of some evidence we use hashing. In order to seal digital evidence, hashes (and digital signatures) are routinely used. If the hash of a digital object is recorded at a given step of acquisition (what happened before that step is not covered), and then constantly checked in further steps, it ensures the identity, authenticity and non-tampered state of the evidence from that step on. This means that taking the hash needs to be done as close as possible to the original acquisition of the evidence.

Some notes:

  • Hashes don't tell you what has been modified when they differ.

  • To be useful, hashes must be stored somewhere other than where the evidence is stored: either sealed in writing (e.g. on a signed report, or more generally on another medium), or signed (the hash is encrypted with the signer's private key) to form a digital signature.

  • The lack of hashes does not invalidate anything automatically, and conversely their presence does not magically make evidence admissible.

HW/SW for acquisition

HW:

  • Removable HDD enclosures

  • Write blockers

  • External disks

  • USB, firewire, SATA, and e-SATA controllers, if possible

SW: Linux. It has extensive native file system support, plus ease of accessing drives and partitions without "touching" (mounting) them. It can be used to acquire the bitstream of a hard drive, which is a bit-by-bit clone of the original evidence media. A bit-by-bit copy is needed because if we only copy the allocated content we (potentially) lose information. This may be different in special cases (e.g. RAID drives, encrypted or virtual drives…).

Note:

  • The bitstream copy can also be called "forensic clone", "clone copy" or "image".

  • Acquisition is also called "freezing" sometimes.

Basic procedure for acquisition

Basic acquisition of a powered-down system

  1. Disconnect the media from the original system (if possible, if not possible see ahead for usage of forensic distributions).

  2. Connect the source media to the analysis station, if possible through a write blocker.

  3. Compute the hash of the source, e.g. dd if=/dev/sda conv=noerror,sync | sha256sum

  4. Copy the source, e.g. dd if=/dev/sda of=/tmp/acquisition.img conv=noerror,sync

  5. Compute the hashes of the source and of the clone, e.g. dd if=/dev/sda conv=noerror,sync | sha256sum for the source and sha256sum /tmp/acquisition.img for the clone.

  6. Compare the three hashes.

Notes:

  • It could be good to also compute MD5 (even if broken) and SHA-1 hashes, at least of the image, for redundancy and to be sure it can be compared. This is useful because we may have to compare our result with someone else's who used MD5 (maybe because their acquisition was done 5 years before).

  • We may get different hashes before and after the extraction despite the measures taken to prevent modification. It means that we have modified the source in some way (or the transmission was corrupted); we can only take note of that and repeat the procedure. In Italy this will not change much, provided the acquisition was performed as a non-repeatable analysis. In the USA this would be a problem.

  • There are no techniques to prevent this process from working, but there are "anti-forensics" techniques that make it useless. For example, destroying the information inside the device by overwriting the data (overwriting with zeros), or "degaussing" the disks with strong magnets (not effective on modern disks).
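The basic procedure above (hash the source, clone it, hash the image and the source again, compare the three) as an added example script, not part of the original notes. It reads the source once for both the clone and the "before" hash, the same idea as the hash-while-copying of dcfldd mentioned later, records MD5 and SHA-1 of the image for comparison with older reports, and writes the hashes to a separate file to be sealed in the report; the device path, file names and the sample "drive" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: the basic acquisition procedure
# as a script. One read of the source yields both the clone and the "before"
# hash (tee feeds sha256sum in parallel, the idea behind dcfldd's hash-while-
# copy); then the image and the source are hashed again and the three values
# compared. Hashes go to a separate file to be sealed in the signed report.
# Needs coreutils (dd, tee, sha256sum, md5sum, sha1sum) and awk.
set -eu

# acquire SRC IMG HASHFILE -> status 0 only if the source-before, image and
# source-after SHA-256 agree. SRC is normally /dev/sdX behind a write blocker.
acquire() {
    src=$1; img=$2; out=$3
    # Pass 1: clone while hashing the stream. dd's own report (blocks copied,
    # read errors tolerated by noerror) is kept in a log next to the image.
    before=$(dd if="$src" conv=noerror,sync 2>"$img.ddlog" | tee "$img" | sha256sum | cut -d' ' -f1)
    # Pass 2: hash the clone as written to disk.
    image=$(sha256sum "$img" | cut -d' ' -f1)
    # Pass 3: re-read the source. A mismatch with $before means the source
    # changed during acquisition or the transfer was corrupted: note it and repeat.
    after=$(dd if="$src" conv=noerror,sync 2>>"$img.ddlog" | sha256sum | cut -d' ' -f1)
    # MD5 and SHA-1 of the image are recorded only for comparison with older reports.
    {
        echo "source_before sha256 $before"
        echo "image         sha256 $image"
        echo "source_after  sha256 $after"
        echo "image         md5    $(md5sum "$img" | cut -d' ' -f1)"
        echo "image         sha1   $(sha1sum "$img" | cut -d' ' -f1)"
    } >"$out"
    [ "$before" = "$image" ] && [ "$image" = "$after" ]
}
# verify IMG HASHFILE -> 0 if the image still matches the sealed SHA-256;
# this is the check repeated at every later step of the analysis.
verify() {
    img=$1; out=$2
    sealed=$(awk '$1 == "image" && $2 == "sha256" { print $3 }' "$out")
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$sealed" ]
}
# Demo on a constructed sample: a small file stands in for the evidence drive.
# conv=sync pads the last partial block with zeros, so the clone is 512 bytes
# and a plain sha256sum of the source file would not match: hash the dd stream.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed evidence bytes\n' >"$tmp/source.bin"
    acquire "$tmp/source.bin" "$tmp/acquisition.img" "$tmp/hashes.txt"
    verify "$tmp/acquisition.img" "$tmp/hashes.txt"
    cat "$tmp/hashes.txt"
}
demo
```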

Write blocker

A piece of hardware that acts as an interface to the HDD and blocks write commands. It is an additional measure to prevent accidental evidence tampering: not mandatory, but useful. In the case of SSDs, this may not be enough to prevent modification.

Problems with acquisition

  1. Time: because of HW limitations, dumping drive data may be slow and take several hours. Some software (e.g. dcfldd) may automate part of the procedure (e.g. computing the source hash while copying, in parallel).

  2. Size: dealing with today's storage capacity is complex, in particular for large-scale investigations. Using external media (e.g. USB drives) slows down operations. NAS or SAN systems are common in forensic shops and may help mitigate this problem.

  3. Encryption: this is a problematic topic. Even when provided with the key, performing the acquisition in a repeatable way is challenging.

You can also use embedded devices that perform all the steps presented above by themselves in a reliable way.

Alternative operating procedures

  1. Booting from live distribution

    Sometimes we need to work directly on the machine, for example when dealing with systems with unusual HW and controllers or physical cases, RAID devices, or specific investigation constraints. In this case we can live-boot the system under assessment using a Linux distribution targeted at forensic analysis. General-purpose Linux distros, for example, may use the swap partition on the HDD, thereby corrupting evidence.

  2. Acquisition of a target machine powered on

    We are in uncharted territory, which means there are no standards and no single appropriate way to do it.

    If a machine is turned on and needs to remain turned on (e.g. a server in a server room), we need to keep in mind to modify the evidence as little as possible.

  3. Live network analysis

    Generally speaking this is rare, because we do not want the attacker to notice that we are watching them, which may lead them to delete proof of what they are doing. Also, if the machine we are looking at has been compromised, what we see may itself have been modified by a malicious user.
