Eu recebi um email com algumas dicas de como apresentar e analisar uma evidência digital diante de uma corte jurídica e de um processo legal.
Imaginem que estamos analisando uma evidência digital (e.g. uma imagem forense de um HD) e que o caso será apresentado para um juizado qualquer. A outra parte (consultoria jurídica da outra parte) pode duvidar do seu processo de aquisição da imagem forense.
Então essas dicas a seguir serve para mostrar como fazer a aquisição de uma imagem forense, minimizando os riscos de questionamento da outra parte.
Essas dicas são do Nick Klein:
Some tips from my experience:
- I’m not aware of any cases of a court mandating a forensic tool (interested to hear if anyone can quote a case). In fact, I’ve worked on cases where ‘experts’ have misinterpreted evidence they acquired using “court validated” forensic tools. As the old saying goes - just because you’re holding a scalpel, doesn’t make you a surgeon. Don’t be fooled by people who tell you evidence is by default inadmissible if you don’t use a particular tool or process.
- However you DO want your evidence to be strong in terms of integrity and authenticity. Document every step you take while acquiring. Take photographs. Use well established industry processes.
- Some excellent (free) tools include:
-- Linux boot distros like Paladin / DEFT which don’t mount internal drives by default (therefore no changes to them) and have easy to use imaging tools.
-- You could also make Windows read-only for USB devices by making a Registry change, then use a tool like FTK Imager. Note these only stop writes through the Windows API, but that should be sufficient unless you have programs that access the device raw.
- To ensure you have the most amount of data for analysis, use a tool and process that captures the entire data area of the drive, not just live files. Tools like Ghost refer to “images” but they’re NOT the same as a full forensic image that include every sector of the original physical medium (which I assume you want).
- In my experience (in Australia) if the court accepts your evidence is what you represent (because you’ve followed these steps) the onus of proof falls to the other side to disprove its authenticity. I’ve never had a case where the other side has successfully won such an argument.
- If the other side are attacking your credibility or your process, then your evidence is probably strong.
Essas outras dicas são de uma pessoa chamada VSuen:
- Are there free or open source tools that you can use in place of a hardware write blocker that is admissible in court?
- Yes. But your reference to the term "admissible in court" is a bit vague. See Nick's comment.
- Don't let EnCase tell you they are the only court-verified tool. That's marketing FUD.
- I like and use their product, but I don't like sales people that much. They make a good product, but there are a lot of good products out there.
- You should be more concerned about your processes, documentation, and validation activities than the specific court-approved tool since there is no such thing.
- Consider the possibility that what you write can be discoverable.
For the following examples, I encourage you to test the process out with some other media BEFORE you attach your real evidence. Practice makes perfect-ish.
- MS Windows:
- There is a simple registry tweak that you can make to prevent writing to USB devices. Search for "Software USB Write Block" and you should have at least two results. One is Irongeek's Thumbscrew and another is DSI's USB Write Blocker
- Both software and manual registry change work the same way. It changes one registry value. I believe this functional from Windows XP and up. You will want to double check that.
- Manual Registry Change: http://www.ghacks.net/
2011/03/18/how-to-enable- write-protection-of-usb- devices-under-windows/
- I don't recommend this method for those new to forensics. It is very easy to forget what write/read state you're in. If you go the software route, I encourage you to use an application that reflects the write state you are in.
- I have used an IDE/SATA to USB adapter that you can purchase from Amazon for about $25
- Once you have this properly working, you can use FTK Imager or EnCase Imager (or any imager) to create a forensic image.
- I personally prefer a commonly used forensic file format like EWF, RAW, or AD1 over disk duplication because the impact of "accidentally" plugging in the drive to a read/write situation is significantly lower. A disk duplication scenario can result in you "altering" files.
- If you already have EnCase Forensic Edition, I believe they have a Softblock feature that allows you to prevent writes to devices AFTER the feature has been enabled. It has been a while since I've used it. Consult with Guidance Software for confirmation.
- Linux - Forensic Distributions Only:
- You want to ask: Is the distribution specifically built for forensics or information security?
- Some consumer distributions of Linux (such as consumer Ubuntu) will automatically mount file systems read/write (r/w) to be consumer friendly. You don't want that because there is a chance that something will write to the drive.
- Forensics-oriented distributions such as CAINE, Kali, Paladin, SANS SIFT, etc. will recognize your drive is attached but typically will not automatically mount the device or its file systems. This is good.
- Distrowatch is a good place to start if you want to go this route. The link I embed drops you straight to the search feature with the "Forensics" category highlighted.
- This method, effectively, is your "free open source write blocker"
- Here are some commands to get comfortable with:
- man [command] - manual for the binary you are executing
- sudo - run the next command with elevated credentials (admin-level)
- fdisk - this will show you what devices the OS has detected as attached to your computer
- mount - this is the command you will run to mount the drive
- Warning. This is the one you really want to be careful with.
- Consider looking at these options via the man page:
- -o ro (or -r): mount device as read only
- umount - unmount device
- without knowing what you are doing, you'll probably run these commands in this order:
- sudo fdisk -l
- Show me all the devices I've attached
- This will give you the "/dev/sda#" I mention below.
- Don't see anything? You probably didn't "sudo"
- sudo mount -l
- Show me what devices are mounted, if they are ro/rw, where are they mounted, etc.
- sudo mount -o rw /dev/sda1 /media/sda1
- Human: Mount in read only mode partition 1 on device "sda" to logical location/mount point /media/sda1
- Complaints: You might get some errors regarding file system type. You will have to research that.
- sudo mount -l
- Show me the devices again AND confirm that the device you mounted is "ro"
- "Easy" way?
- Mount your target media as rw via command line or similar
- Use Guymager, AIR, or whatever the forensic acquisition tool of choice is
- Attach your original evidence; do not mount
- Point Guymager (or similar) to the row that reflects that new device, right click, acquire to target media
- Add notes appropriate for the image file format you use
- I like evidence ID, custodian name, source metadata like make|model|SN, date of acquisition, forensics collection person responsible for the image, etc.
- Mac OS X:
- I don't really play in this area. Someone else might have a better suggestion. I won't validate these suggestions. I won't testify to the effectiveness either.
- Not free, but have you looked at BlackBag Technologies' Softblock?
- Command line use of diskutil?
- Do not do this one:
- One method you will see if Google for it is the use of diskutil to identify your UUID then alter your fstab file to always force the device to "rw". However, that's ridiculous because you will have already attached your device at that point and OS X would have had already attempted to mount the partition. At that point you have already placed your evidence at risk.
- This *might* work:
- To prevent OS X from automounting while you are logged in, you might want to disable the OS X disk arbitration daemon.
- Probably the better solution if you know what you are doing:
- Disk Arbitrator:
Basic Logic of Software-based Write Blockers:
- Write blocking is only enabled for all devices attached _AFTER_ you have enabled the write blocking feature.
- This suggests that all devices attached _BEFORE_ you enabled the write blocking feature will continue to be writable.
- In theory, this also suggests that all devices attached _AFTER_ write blocking is disabled, all devices attached BUT NOT REMOVED prior to disabling software write blocking will continue to be not writable.
- I wouldn't trust it. Just play it safe and attach all your "write to" media _BEFORE_ you perform a software write block and attach your "original evidence" media.
Somethings you might want to do right away:
- Evidence Control:
- Did you create a chain of custody document and associate it with this piece of physical evidence?
- If not, I highly suggest you properly document the life cycle of the media you received from the time you received it. You can easily search on the SANS reading room for a simple Chain of Custody form. Not having basic evidence history makes it challenging to defend that you have had positive control over the media at all times.
- Where do you store this evidence when you are not using it?
- Ideally you have a secure storage location that only you have access to. A locked desk drawer is a starting point, but we can venture into multiple layers of significantly better storage controls. Start with what you can afford because it sounds like you are running on a budget. There's no shame in that. Ideally, like any evidence management solution, you should clearly label the device and associate it with your evidence. You don't want to accidentally misplace it in your secure storage location and accidentally associate it with another case.
- When you use the Evidence (for imaging or for investigation), what is your procedure?
- Ideally you are checking out the evidence from your really great Evidence Management System. If you are not so blessed, consider using the Chain of Custody form to indicate when you have moved it from storage to your work space for doing a task. It can be overkill, but you want to do this right. I've seen people do this on Excel too.
- When you are manipulating the evidence, do you do this from a clean workstation and in a secure area that only you have access to?
- Opposing counsel's view can include: "How do I know you this evidence wasn't tampered with if you aren't the only one who has physical access to this media?"
- Forensic Preservation Procedures:
- Do you have at least a Primary and Secondary Forensic copy of the evidence?
- I'm jumping the gun on your question here obviously. However, if you decide to duplicate the media, I encourage you to make at least two copies. One you keep as your "working" copy and another as your "backup" copy in the event something frustratingly happens to the working copy. It happens all the time. Trust me. You want at least two copies.
- If you are creating a copy for opposing counsel, make a copy but don't give away your two copies. Asking opposing counsel for a copy _after_ you damaged your only copy looks bad and can impact the timeliness of your response to discovery.
- When you create your forensic copies, did you document other appropriate metadata?
- You can probably google for a basic Computer Evidence Acquisition form. You want to capture several things that you probably don't need immediately but can assist with the individual who will be performing your forensic investigation. This isn't exhaustive, but I want to give you ideas of what would help:
- Original Asset Information:
- State of Asset
- On, Logged in, Logged in & locked, Off, Other (BSOD, Frozen, etc.)
- Make, model, and serial number of original asset; Make, model, serial number, and sectors of media.
- Where did this hard drive come from? How do we know you didn't just grab the hard drive out of someone else's computer?
- It helps to have a digital photo with a date/time stamp too. I typically do this with the evidence ID I assign it written on a post-it note along with the primary custodian name. This way if I'm hitting multiple computers with multiple people I can easily flip through pictures to find relevant items.
- Who is/was the custodian associated with the original asset?
- Location of the asset, the username(s), the given name of the user(s), etc.
- BIOS/EFI Date/Time vs. Real Date/Time
- If you're not working in the same time zone as you collected the evidence then this will really mess with your timelining process.
- What else does your form not include but should be documented?
- Items that I commonly see: Company Asset Tag #, asset damage information, location of asset at time of preservation, symptoms reflecting physical media failure.
- Did you mess up? Maybe you did. Don't freak out.
- This is where your meticulous documentation skills kick into high gear. What did you do? What was the expected result? What actually happened? What time did this occur? What files were potentially altered?
- Know when you are in over your head. If this is important, hire someone who knows a little bit more than you and won't put your case in jeopardy.
- SUPER IMPORTANT: Do you know what you are doing? Can you explain why you chose to do X instead of Y to a jury?
- Can you testify to the actions that you performed were best practice and did not impact the evidence?
- If so, great.
- If not, consider getting a professional forensics expert or have a forensics firm on retainer or MSA.
- For forensic imaging services, you can typically see:
- Billing method 1: time and materials
- Billing method 2: fixed fee
- Billing method 3: fixed fee and materials.
- Rates and quality of work product vary by region. I'm sure those on this list can give you recommendations.
- Forensic Analysis:
- If you don't know what you are seeing, consider the possibility that you might be over your head in this phase. Highly consider the need to employ a professional that can and has testified in court for digital forensics. Ideally, someone who has testified in a case similar to yours.
- Consider the possibility that what you are seeing can be interpreted in more than one way.
- Remove unfounded opinion from any statements you choose to document.
- State only the facts that you can observe.
- Note: Forensic Expert bill rates can be different from a Forensic Preservation bill rate.
There's a lot more. I see that Nick has responded too. He knows his stuff.
Good luck and thanks for letting me stand on this soapbox.
Eu recebi todas essas informações por email e resolvi colocá-las aqui.
São dicas muito boas.
Bom, é isso, galera