Field Guide Part Five 

Nov 10, 2000 02:00 AM

by Timothy Wright

Last time...

In our last article, Search and Seizure Planning, we examined the process of readying for a search and seizure. In particular, we looked at the importance of being prepared to document and handle evidence found at a computer crime scene, and at the necessity of organizing investigators into a team with distinct roles and functions. With planning out of the way, it's time to take some action!

Finding the Evidence

Although no two computer crime cases will necessarily be identical, all computer crime search and seizures should begin the same way:

  1. After the initial planning, the crime scene is approached and secured
  2. The crime scene layout is documented with photographs, sketches and notes
  3. Finally, a search is undertaken for computer evidence

We begin with a very brief discussion of approaching, securing, and documenting the computer crime scene (stages B and C of the search and seizure process). This is followed by a lengthier consideration of searching for computer evidence, and then a short digression on containing the threat that viruses pose to evidence.

Approaching, Securing and Documenting a Crime Scene

 

Figure 1 (stage diagram): (A) Formulate plan -> (B) Approach and Secure Crime Scene -> (C) Document Crime Scene Layout -> (D) Search for Evidence -> (E) Retrieve Evidence -> (F) Process Evidence. Stages B and C are the subject of this section.

Figure 1: Approaching, Securing, and Documenting the Crime Scene - Stages B and C of a Search and Seizure

Approaching and securing the crime scene consists of investigators arriving at the scene and protecting it from unauthorized (and potentially contaminating) access by others. For corporate investigators, this can be accomplished by simply locking doors and/or posting security guards at entrances; law enforcers, on the other hand, may take more elaborate steps (e.g., arresting unauthorized individuals).

Documenting the crime scene should begin immediately after security is established. Photography (from a normal, eye-level perspective), rough sketches and notes should be used to accurately map the scene layout and the location of all evidence. While 35-mm cameras are well suited to the job of crime scene photography, video and instant-development cameras offer convenience and ease of use.

The documentation process actually continues during the remaining stages of search and seizure. In Stage D, the search for evidence, each new piece of evidence located is carefully noted on a rough crime scene sketch, and additional photography may be used if desired. During Stage E, evidence retrieval, pieces of evidence are tagged and their states are logged. Stage F, where we process evidence back at an evidence preservation lab, is really all about documentation! At that point, computer crime evidence is backed up, cataloged, and analyzed, and detailed notes are taken throughout. While investigators are at a crime scene, however, nothing elaborate is required for documentation - just enough to accurately depict the crime scene layout, where the evidence is located, and in what state the evidence was found. We'll see later on, in Stages E and F, how the log files mentioned in our previous article (the search and seizure evidence log, shipping manifest, and the lab evidence log) will be used to guide documentation efforts.

Searching for Computer Crime Scene Evidence

 

Figure 2 (stage diagram): (A) Formulate plan -> (B) Approach and Secure Crime Scene -> (C) Document Crime Scene Layout -> (D) Search for Evidence -> (E) Retrieve Evidence -> (F) Process Evidence. Stage D is the subject of this section.

Figure 2: Searching for Evidence - Stage D of a Search and Seizure

It is vital to the forensics process that an efficient and detailed search of the computer crime scene be made. Even in cases that appear to require very little effort to locate computer evidence, it is still incumbent on the investigator to follow through with a correct and thorough search. Failing to do so "can lead to accusations of negligence or charges that the investigative agency knowingly 'covered up' evidence that would be detrimental to its case" [1, pg. 42].

Once the computer search team has arrived at the computer crime scene, the team leader should delegate responsibilities for carrying out the search. Naturally, it is important that those looking for evidence have an understanding of what they might find and how it should be handled. In addition, it is a good idea to keep in mind where such evidence might be found. Clark and Diliberto offer the following locations as examples of where to search for computer crime evidence [2, pgs. 19 - 25] (this is by no means an exhaustive list):

  • Desktops - may contain important notes, computer media, manuals, computer equipment, and cables
  • Monitors - may have post-it notes with passwords and other important information
  • Next to telephones - may include notes with important phone numbers (e.g., dial up numbers), passwords, and user names
  • In wallets or purses - may contain ID cards, notes, and important numbers and passwords (see discussion below about a suspect's protection against unreasonable search and seizure)
  • Electronic pocket organizers - may contain important user names, passwords, electronic notes and documents (see discussion below about a suspect's protection against unreasonable search and seizure)
  • In a suspect's pocket - may contain diskettes, tapes, CDs, important notes (see discussion below about a suspect's protection against unreasonable search and seizure)
  • Trash can - may contain important hard copy and computer media evidence, as well as notes and documents with other evidentiary value
  • Inside of books and manuals - important notes, documents, diskettes, CDs and other media
  • Taped underneath keyboards - important notes, documents, diskettes, CDs and other media

Specialized search patterns can often cut down on redundancy and confusion during the process of locating evidence. Typical patterns include the spiral, strip, grid and quadrant (where the patterns should be evident from their names).

During the search for evidence, investigators must keep in mind that they may or may not have the right to look in certain places and seize certain items. For law enforcement officials (here in the U.S.), the Fourth Amendment tells us that,

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Except for a handful of particular circumstances, law enforcement officials must have a court approved search warrant to look for evidence. If a need arises to search for an item or items not listed on the warrant, an amendment to the warrant must be written, or a new search warrant must be obtained for the additional items.

Within a corporation things are a little different, in that the corporation will most likely own the evidence being sought by the investigators. For example, all of the computer hardware, software and media that a suspect might have access to at his job, is probably owned by his employer (not to mention the office facilities where the suspect works). Unfortunately, this is not always the case: an employee may purchase his own electronic organizer for use at work, or may bring in his own notebook - worse yet, the employee may be working out of his home! Situations like these can prove disastrous to the retrieval of evidence. As pointed out in our previous article, during the planning stage of the search and seizure process, corporate investigators must confer with their legal department about what they legally can and cannot do.

The Virus Protocol

In our next article, we'll discuss the details of retrieving computers, computer components, and media from a crime scene. In preparation for this, a protocol should be outlined for managing the threat computer viruses pose to an investigation. The less an investigator interacts with electronic evidence in the field, the better; the controlled, secure environment of the evidence preservation lab is the best place to perform such activities. Whether in the field or at the lab, however, if an investigator uses contaminated media (note 1) to perform tasks on a crime scene computer, he puts all electronic evidence at risk and may damage the chain of custody (e.g., unexplainable changes to the evidence may take place as a result of virus contamination). Similarly, evidence already contaminated by a virus can be highly volatile. Hence, the following protocol for dealing with viruses should be adhered to rigorously:

  1. Always use clean (i.e., virus free) media when interacting with a crime scene computer
  2. After interactions with a crime scene computer, always clean all media utilized (with the exception of backups)
  3. Never attempt to clean a crime scene computer - doing so could destroy important evidence
  4. After restoring a bit stream backup to an evidence preservation lab computer (if such a restoration is even necessary):
    1. Identify any viruses on the lab computer
    2. If needed, clean the lab computer prior to additional forensic activities (remember, cleaning a computer could destroy valuable evidence)

It is a requirement that all media used to interact with a crime scene computer be clean. Furthermore, after such interactions all media should be cleaned, with the exception of that which is used to store bit stream backups. It is undesirable to clean backup media after its use, because any viruses stored there may themselves be relevant forensic evidence. Also, such a cleaning could inadvertently destroy other evidence; this is why a crime scene computer should never be cleaned. If it is necessary to restore a bit stream backup to an evidence preservation lab computer (e.g., the investigator may need to interact with a working copy of the crime scene computer), any viruses present in the backup should be carefully documented. Only if they pose a threat to other evidence should they be cleaned, and then only on the lab copy. Recording a cryptographic hash of the backup when it is made, and again before and after any lab activity, gives the investigator a simple way to show that the copy itself has not been altered.
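The following Python script is an added example and is not code from the Field Guide or from any tool the article names. It shows steps 1 and 4 of the virus protocol on a working copy: a read-only signature scan of a bit-stream image (or of the tool media to be used at a scene), with a hash recorded before and after the scan to prove the image was not altered, and every hit documented by offset rather than removed. The "disk image" is a constructed sample built in memory, and the only signature is the EICAR anti-virus test string, a harmless industry test pattern; a real lab would load vendor signatures in place of the one-entry table (an assumption of this example).

```python
"""Read-only virus identification on a bit-stream image, with integrity check.

Added example, not part of the original article. Assumes the bit-stream
backup has already been copied to a file or buffer; nothing here writes
to the evidence. The signature table is a stand-in for a real scanner.
"""
import hashlib
from typing import Dict, List, Tuple

# EICAR standard anti-virus test string (real, harmless test pattern).
# Assembled from two halves so the contiguous pattern does not appear in
# this source file and trip a desktop scanner when the script is saved.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)"
         b"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Signature table: name -> byte pattern (one-entry stand-in, an assumption).
SIGNATURES: Dict[str, bytes] = {"EICAR-Test-File": EICAR}


def sha256_hex(data: bytes) -> str:
    """Hash to record in the lab evidence log before and after any activity."""
    return hashlib.sha256(data).hexdigest()


def scan_image(image: bytes,
               signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, byte offset) for every match, reading only."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = image.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1          # keep going: a pattern may occur more than once
    return sorted(hits, key=lambda h: h[1])


def media_is_clean(media: bytes) -> bool:
    """Step 1 of the protocol: tool media must scan clean before it touches evidence."""
    return not scan_image(media)


def document_scan(image: bytes) -> Dict[str, object]:
    """Step 4 of the protocol: identify viruses, document them, prove the copy is unchanged.

    The image is never modified; cleaning (if ever needed) is a separate,
    logged decision taken on the lab copy only.
    """
    before = sha256_hex(image)
    findings = scan_image(image)
    after = sha256_hex(image)
    return {
        "sha256_before": before,
        "sha256_after": after,
        "unchanged": before == after,
        "findings": findings,        # list of (name, offset) for the evidence log
    }


def build_constructed_image() -> bytes:
    """Constructed sample: three 512-byte sectors, the last holding an 'infected' file."""
    sector = 512
    boot = b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * (sector - 11 - 2) + b"\x55\xAA"
    memo = b"meeting notes: dial-up 555-0100, user=jdoe\n".ljust(sector, b"\x00")
    infected = (b"REM harmless test file\r\n" + EICAR + b"\r\n").ljust(sector, b"\x00")
    return boot + memo + infected


if __name__ == "__main__":
    img = build_constructed_image()
    report = document_scan(img)
    print("tool media clean:", media_is_clean(b"\x00" * 1440 * 1024))
    for name, offset in report["findings"]:
        print(f"{name} at offset {offset} (sector {offset // 512})")
    print("image unchanged by scan:", report["unchanged"])
```

Run it as a script to see the report; in practice the offsets and both hashes go straight into the lab evidence log, and the decision to clean the lab copy (never the original) is recorded against that entry.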

Next Time...

In this installment of The Field Guide for Investigating Computer Crime, we've gotten down to brass tacks. We left the planning stage, and moved into the next three stages of the search and seizure process: approach and secure the crime scene, document the crime scene, and search for evidence. We found that crime scene security may range from locking doors to (for law enforcers) arresting trespassers. We saw that documentation can be rough, but must be adequate in its depiction of the crime scene layout, and the location of evidence. Also, we noted that the search for evidence can involve looking in a variety of places, but that the legalities of searching must always be considered. Finally, we reviewed the virus protocol: a means of preventing and containing the threat to electronic evidence by computer viruses.

In our next article, we will wrap up search and seizure with a discussion of the last two stages: retrieving and processing evidence. Here, the importance of having access to a good case management system will become apparent, as we'll rely heavily on the use of log files to keep track of an investigation's data.




References

(1) Saferstein, Richard. "Criminalistics: An Introduction to Forensic Science, Sixth Edition," Prentice Hall, Upper Saddle River, New Jersey, 1998.

(2) Clark, Franklin and Diliberto, Ken. "Investigating Computer Crime," CRC Press, New York, 1996.

Note 1: Computer diskettes, CDs, cartridges (e.g., tape, Zip, Jaz, etc.)

For the past several years, Timothy Wright has been investigating computer fraud and abuse as a Senior Technology Investigator at one of the country's largest financial corporations. Before then, he worked as a lead developer within the financial industry, designing and building web-based home banking software. He holds an M.S. in Computer Science, and a B.A. in Philosophy.


This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
