
COMPUTER FORENSIC ANALYSIS — COMPUTER CRIMES AT THE COMPUTER

COLLECTION TECHNIQUES

Now that we have our tools, let’s move on to using them. We discussed collecting evidence earlier, but now is a good time to review some important points. First, treat all evidence as if it will be used in criminal litigation. Second, never work directly on the evidence itself. Collect it and work on a copy. We have a couple of ways to do that, as you will see.

Third, once you have collected your evidence and made a copy, store the original safely and maintain a chain of custody. Finally, label everything, catalog carefully, document your findings, and use a technique that lets you establish when the evidence was collected, by whom, and that it hasn’t been altered since its collection. Now, on to specific techniques.

Let’s assume you have just arrived on the crime scene. You see a computer that may have been used to attack your payroll system. The computer is still turned on. What do you do? The first thing you will want to do is nothing. Clear everyone from around the computer, examine it for such things as network or modem connections, check any other connections to it, and carefully observe the screen display. If there is a modem or network connection, unplug it from the computer. Do not turn the computer off. Do not turn the modem off. You should disconnect the modem from the telephone line, but do not use the telephone to make a call. The modem and the telephone may contain the last number dialed, a list of commonly called numbers, or other information that you can use to establish whether the computer was used to attack your system. Disconnecting the devices from the computer, however, ensures that the owner of the PC cannot dial in or come in through the network and destroy evidence.

If your observation of the screen display indicates that there is a currently running remote session, it is even more important that you cut the connection at once. If the computer is a file server, you may want to get someone who knows the operating system to issue the command that lists currently connected users. Remember, however, that in doing this you run the risk of altering data in the hidden areas of the hard drive.

If you can do so, it is a good idea to redirect such listings to a floppy disk rather than displaying them. By not displaying the output, you avoid writing to the suspect hard drive when the DIR command completes. Instead, by redirecting to the floppy, you capture the listing on safe media and, when the command closes, any residue is written to the slack space on the floppy rather than on the hard drive. Label the floppy and write-protect it.

Next, document the connections to the PC. If you encounter a Unix computer instead of a PC, the process is the same, for the moment anyway. You can document by sketching or by taking a Polaroid snapshot. Then label all connections so you can reassemble the system exactly as you found it. Now we’re ready for the most controversial step: turning off the computer.

Some computers suffer painfully if you simply pull the plug. Unfortunately, doing an orderly shutdown exposes you to several potentially catastrophic possibilities. The worst, of course, is the possibility of booby traps. Hackers often rig their computers to destroy evidence or even the computers themselves (by formatting the drive) if a secret sequence is not used to shut them down. On DOS computers, this sequence can even be embedded in the command interpreter. In Unix, there are several files involved in the shutdown process that are easily altered.

Just because you’re investigating the victim computer, don’t assume that it hasn’t been booby trapped. Hackers often need to leave evidence of their efforts on the machine if they intend to come back. If necessary, they may rig the computer to destroy that evidence. The other part of this argument is that some systems, such as Windows, alter files as part of the shutdown process. The files they alter, sadly, are among the most valuable to our investigation.

In general, my decision, based upon a great deal of experimentation, is that PCs, regardless of whether they are running DOS, Windows, or NT, can be shut down ungracefully without much permanent damage. Most important, when we go to start them up again, as we will discuss next, we can be fairly certain that their data is waiting for us intact. When the investigation is over, if we need to rebuild the computer, we’ll have a physical mirror that we can use to put it back to its original (or nearly original) condition. In every case I’ve observed, the system could rebuild during initial bootup after we finished with it.

The possible exception is older versions of Novell NetWare servers. These will probably require some effort to reconstruct, but they, too, can be brought back to life. The important point is that pulling the plug on PCs is no disaster. Pulling it on a Unix machine may be. Let’s stick with PCs for the moment.

Once you have determined that it’s time to get “into” the PC, simply pull the plug. Don’t turn it off — some systems have a graceful shutdown built into the power-off circuits. I have a Unix machine configured for use as an Internet gateway for our network that has a built-in battery power supply. When you turn it off, it automatically goes into its graceful power-down cycle. If you pull the plug, the battery takes over until the shutdown process cycles correctly and the power-down is complete. There isn’t much you can do about this type of system. One possibility is a reboot with an alternative boot device, such as a CD-ROM or emergency floppy.

Now you need some of the tools we discussed above. Before you can use the tools, however, a little preparation is in order. I have a full set of prepared forensic tools, on disks of various sizes, ready for use. Let’s begin by listing the steps we’ll need to take in general terms. That will help us understand what our tool kit should look like, all prepared for the field.

• Shut down the computer.

• Reboot to DOS (NEVER Windows) from a floppy.

• Make two physical backups of the hard drive.

• Use one physical backup to create a mirror of the machine under test; save the other for evidence.

• Analyze the mirror machine.

To make your physical image you will need an external drive, such as an Iomega Jaz, Zip, or other large-capacity drive. I use the Jaz drive, but a word of warning: they are tricky to set up. The Jaz drive wants to connect to a SCSI port, but it will use the parallel port if necessary. To use the parallel port, you will need the Traveler option. Jaz Traveler is a pair of special adapters that let the drive’s SCSI interface connect to the parallel port of the source PC. You will also need a full set of Jaz drivers, including the GUEST driver, on your boot disk.

I have prepared a disk that boots DOS 6.22, loads the Jaz drivers, and sets me up with the Jaz drive on the target PC, all ready to back up with SafeBack. SafeBack is also on the disk. I selected DOS 6.22 because it is fairly stable and pretty plain vanilla. If you want the most stable, unadorned DOS, however, use DOS 3.X. I have boot disks for 3.X, 4.X, and 6.X. Do not use Windows 95 for booting. Never boot from the computer’s operating system.

By using the GUEST driver for the Jaz drive, I never need to write anything to the target computer. DOS 6.22 is comfortable with the Jaz drive, so it just takes a few minutes to get set up. It will take much longer for the backup, especially if you use the parallel port. If the computer has a SCSI port, use it. SCSI is much faster than parallel and the GUEST driver will happily discover the SCSI port and your Jaz drive. One final word about the Jaz drive: There have been reports that it is occasionally unreliable. I have not personally observed that, but a word to the wise, etc.

The next step is to use SafeBack to create the physical backup. A physical backup copies everything on the disk — even empty sectors. When you restore to the test machine, you will have an exact physical mirror of the original disk. The mirror will be correct sector by sector. All hidden, unallocated, slack, cache, temporary, and swap areas will be located on the mirror exactly as they are on the original. Analysis of the mirror is identical to analysis of the original. The results will be precisely the same.

Once we have a physical backup on our Jaz (or other) media, we can restore to the test machine. SafeBack is very simple to use. It is a DOS character-based program. Never try to use forensic tools from inside Windows. The changes Windows will make to the swap file will damage any evidence that may have been there. Also, Windows creates and deletes files. There is no way to predict the effect that will have on evidence in other hidden areas. In short, working from within Windows will make all of your forensic efforts worthless.
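The following POSIX shell script is an added example, not from the book, that carries the steps above through on a constructed 64 KiB image, using dd and sha256sum in place of SafeBack and the Jaz drive. It makes a sector-by-sector copy that includes the empty sectors, compares hashes to show the copy matches the original, and writes a custody record that establishes when the image was taken, by whom, and that it has not been altered since, which is the requirement stated under the collection principles earlier. The file names and the operator name "examiner" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original text. dd, sha256sum and a plain
# text log stand in for SafeBack and the Jaz drive; the file names and the
# operator name "examiner" are assumptions made for this example.
set -e

# hash_file FILE : print the SHA-256 of FILE (sha256sum on Linux,
# shasum on systems that lack it)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_evidence DIR : build a constructed 64 KiB "suspect drive" image,
# mostly zeroed sectors with a line of text at sector 40, so the whole
# procedure runs offline. Prints the path of the constructed image.
make_evidence() {
    dev="$1/suspect.img"
    dd if=/dev/zero of="$dev" bs=512 count=128 2>/dev/null
    printf 'attack notes: payroll host 10.0.0.5\n' |
        dd of="$dev" bs=512 seek=40 conv=notrunc 2>/dev/null
    echo "$dev"
}

# image_disk SRC DST : physical, sector-by-sector copy of SRC (empty sectors
# included; conv=noerror,sync keeps going past unreadable sectors and pads
# them with zeros so later sectors stay at their true offsets), then verify
# that the copy hashes identically to the source. Returns 0 on a verified match.
image_disk() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    [ "$(hash_file "$src")" = "$(hash_file "$dst")" ]
}

# record_custody IMAGE LOG OPERATOR : append a tab-separated custody entry
# (UTC time, operator, image path, SHA-256) so anyone can later establish
# when the image was taken, by whom, and that it has not changed since.
record_custody() {
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$1" "$(hash_file "$1")" >> "$2"
}

# verify_custody IMAGE LOG : recompute the image hash and compare it with the
# most recent custody entry for that image. Returns 0 only if it still matches.
verify_custody() {
    tab=$(printf '\t')
    recorded=$(awk -F"$tab" -v f="$1" '$3 == f { h = $4 } END { print h }' "$2")
    [ -n "$recorded" ] && [ "$recorded" = "$(hash_file "$1")" ]
}

# demo : run the collection sequence on the constructed drive: two physical
# copies, a custody record for each, then show that an altered copy no
# longer verifies while the sealed evidence copy still does. Under set -e a
# copy whose hash does not match the source aborts the run immediately.
demo() {
    work=$(mktemp -d)
    dev=$(make_evidence "$work")
    image_disk "$dev" "$work/evidence.img"   # copy 1: sealed, kept with the original
    image_disk "$dev" "$work/working.img"    # copy 2: restored to the test machine
    record_custody "$work/evidence.img" "$work/custody.log" "examiner"
    record_custody "$work/working.img"  "$work/custody.log" "examiner"
    # simulate analysis (or a booby trap) altering one byte of the working copy
    printf 'X' | dd of="$work/working.img" bs=1 conv=notrunc 2>/dev/null
    verify_custody "$work/evidence.img" "$work/custody.log" && echo "evidence copy unchanged"
    if verify_custody "$work/working.img" "$work/custody.log"; then
        echo "unexpected: working copy still verifies"
    else
        echo "working copy was altered since collection"
    fi
    rm -rf "$work"
}

demo
```

On a real system the source is a block device rather than a file, and it should be reached through a hardware write blocker so the copy cannot write back to the original; hash the device itself as well as the image, and store the custody log on media separate from the working copy.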

You now have the original machine, a physical copy of the drive, and a restored test machine. It’s time to start analyzing.