To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:
Examine the machine's surroundings
A USB key drive
XD Picture Card
Secure Digital card The collection phase starts off with the computer forensic team analyzing its surroundings. Similar to police investigating a crime in any other case, all printouts, disks, notes, and other physical evidence must be collected to take back to the laboratory for analysis. Furthermore, an investigating team must take digital photographs of the surrounding environment before any of the hardware is dealt with. This initial collection phase sets the tone for the rest of the investigation and therefore the evidence must be locked away securely, with limited access granted to authorized team members only.
Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as
key drives, MP3 players or security tokens. See Category: Solid-state computer storage media.
Examine the Live System and record open applications
If the machine is still active, any intelligence which can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down it may be lost, so acquiring the data while the RAM is still powered is a priority. For most practical purposes, it is not possible to completely scan contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it) and removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.
Several Open Source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and of significant importance, open or mounted encrypted files (containers) on the live computer system. Additionally, through Microsoft's implementation of the Encrypted File System (EFS), once a system is powered down, the difficulty to examine previously mounted EFS files and directory structures is substantially increased. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. For Windows based systems, these Open Source tools include Knoppix and Helix. Commercial imaging tools include Access Data's Forensic Tool Kit and Guidance Software's Encase application. Both companies make available their imaging tools for free; however, in order to analyze the data imaged using these tools you will need to purchase a full licensed version of the application.
The aforementioned Open Source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently access local email applications including MS Outlook.
With MS most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), the importance of developing procedures for examining and imaging live (mounted unencrypted) systems is anticipated to significantly increase.
It is possible that in utilizing tools to analyze and document a live computer system that changes can be made to the content of the hard drive. During each phase of system analysis, the forensic examiner must document what they did and why they did it. Specifically, the examiner should detail the potentially perishable information that can/will be lost during a system power down process. The examiner must balance the need to potentially change data on the hard drive versus the evidentiary value of such perishable data.
RAM can be analyzed for prior content after power loss. Although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. Data held statically in an area of RAM for long periods of time are more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increases. Holding unpowered RAM below - 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, the practicality of utilizing such a method in a field examination environment severely limits this approach.
As expeditious destruction of chronic residual stress within the module can really only be achieved by impractical exposure to high energies, applications written with data security in mind will periodically bit-flip critical data, such as encryption keys, to eliminate 'imprinting' of this data on the RAM, thus preventing the need to actively destroy it in the first place.
It is important to note that that when preforming a live analysis that the order of volatility be followed. The data that is most likely to be modified or damaged first should be captured first. The order of volatility is.
1. Network connections
Network connections can close quickly and often leave no evidence of where they were connected to or the data being transfered.
2. Running Processes
It is important to note which programs are running on a computer before further analysis is conducted.
The systems Random Accessing Memory contains information on all running programs as well as recently run programs. The information that can be gained from the system ram includes Passwords, encryption keys, personal information and system and program settings.
4. System settings
The Operating system settings can now be extracted. this includes User lists, currently logged in users, system date and time, currently accessed files and current security policies.
5. Hard Disk
The hard disk can then be imaged. It is important to note that it is not forensically sound to image a hard drive while it is running live unless there are extenuating circumstances.
Power down carefully
If the computer is running when seized, it should be powered down in a way that is least damaging to data currently in memory and that which is on the hard disk. The method that should be used is dependent on many differing values, such as the operating system in use, and the role of the computer to be seized. Performing a proper shut down may cause malicious scripts to be run, or volatile data to be lost. On the other hand, removing the power plug may cause corruption of the filesystem or loss of crucial data.
Be aware of the fact that computers may feature an internal uninterruptible power supply (UPS). With such devices the computer may stay running long after the power cable has been removed.
Inspect for traps
See also: commons:Category:Computer hardware
Fully document hardware configuration
Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.
Duplicate the electronic media (evidence)
The process of creating an exact duplicate of the original evidenciary media is often called Imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd or IXimager, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.
Usually some kind of hardware write protection to ensure no writes will be made to the original drive is used. Even if operating systems like Linux can be configured to prevent this, a hardware write blocker is usually the best practice. The Defense Cyber Crime Institute warns that if a hardware write-block is used the examiner should take into consideration the fact that write-blocks can introduce extra benign data when being used to image damaged media (bad sectors). Special consideration is also given to hard drives with Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs). These small areas of a hard drive, normally reserved for hard drive device and diagnostic utilities and hidden from the operating system, can be altered up to the entire capacity of the hard drive and used to store information (potential evidence) that many imaging applications and devices fail to image. You can image to another hard disk drive, a tape, or other media. Tape is a preferred format for archive images, since it is less vulnerable for damage and can be stored for a longer time.