Evidence Acquisition

D Musundire, Mr (@taona2)

Computer Science Department


National University of Science and Technology
Bulawayo, ZW

2019


DM @taona2 Evidence Acquisition


USB device

Discuss when it can be important to detect whether a certain USB device has been connected to a computer. How can this be done?
Why would you want to capture memory during a live investigation? How do you prepare for such an exercise?
List any 15 pieces of evidence which can be found in the Windows Registry.


Evidence Definition

"The available body of facts or information indicating whether a belief or proposition is true or false" (Oxford Dictionaries 2017)
Digital evidence may mean "data collected from any type of digital storage that is subject to a computer forensic examination."
The forensic examiner is either handed the devices subject to examination or is asked to take part in the actual collection.
Important question: is the device on or off?


Types of Evidence

Testimonial Evidence: evidence supplied by a witness. Its weight depends on the perceived reliability of the witness; if the witness is considered reliable, it can be treated as real evidence, e.g. word processor documents.
Hearsay: any evidence presented by a person who was not a direct witness. This should be avoided and is generally inadmissible.


The Rules of Evidence

1 Admissible
2 Authentic: if you can't tie the evidence positively to the incident, you can't use it to prove anything. Relevance matters!
3 Complete: also known as exculpatory evidence
4 Reliable: collection and analysis procedures must not cast doubt on the evidence's authenticity and veracity
5 Believable: clearly understandable and believable to a jury


Other do's and don'ts

Minimize handling and corruption of original data
Account for any changes and keep detailed logs of your actions
Comply with the five rules of evidence
Do not exceed your knowledge
Follow your local security policy

Other do's and don'ts (cont.)

Capture as accurate an image of the system as possible
Be prepared to testify
Work fast
Proceed from volatile to persistent evidence
Don't shut down before collecting evidence
Don't run any programs on the affected system

When the system is on?

When examining a computer or device that is turned on (a live examination), the examiner gets the opportunity to collect volatile data, including information on what the device is currently doing.
It also gives the examiner the opportunity to check whether any of the active hard drives are encrypted and to collect unencrypted data from them.
Before turning off a computer subject to examination, the examiner must make a thorough search for encryption tools. If any sign of encryption is present, the examiner should create a logical image of the hard drives to ensure that the data is preserved and available for later analysis.
Dead man's switch: destroys any evidence once the system detects that it is offline.

Live acquisition

Preserve as much volatile data as possible, and ensure that data resting on hard drives is available for later analysis.
Ensure that you capture an overview of how the computer was set up, where it was located and what peripheral devices were connected to it.
Look for any other devices that may be of interest to the investigation.


When the system is off?

You can examine only data stored on static memory, such as a hard drive.
Actions must be taken to eliminate any chance of modifying the actual evidence.
No Ctrl-C, Ctrl-V (ordinary file copying).
Make a bit-by-bit copy, using disk imaging software.
Write blockers are used when connecting a piece of digital evidence to a computer.
Lastly, ensure the copy is identical to the original (hashing).
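The bit-by-bit copy and hash verification described above, as an added example that is not part of the lecture deck: the source is streamed once into an image file while being hashed, the image is re-read from disk and hashed independently, and both digests go into a custody log. It assumes a POSIX host; the source would normally be a block device behind a hardware write blocker, and the self-test stands in a constructed file for it.

```python
# Added example (not from the lecture deck): bit-for-bit copy of a source
# device or file into an image file, with SHA-256 verification of the copy and
# a chain-of-custody log line. Assumes a POSIX host; the source would normally
# be a block device behind a hardware write blocker (a plain file in the test).
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-TB sources


def image_device(src_path: str, dst_path: str, log_path: str) -> dict:
    """Copy src_path to dst_path byte for byte and verify the image by hash.
    The source is read once and hashed as it streams out; the image is then
    re-read from disk and hashed on its own, so only a match proves identity.
    """
    src_sha, copied = hashlib.sha256(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            src_sha.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # flush OS buffers so the re-read hashes disk contents
    img_sha = hashlib.sha256()
    with open(dst_path, "rb") as img:
        while chunk := img.read(CHUNK):
            img_sha.update(chunk)
    result = {"bytes": copied, "source_sha256": src_sha.hexdigest(),
              "image_sha256": img_sha.hexdigest()}
    result["verified"] = result["source_sha256"] == result["image_sha256"]
    # Every acquisition step is logged with a UTC timestamp and both digests.
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"{datetime.now(timezone.utc).isoformat()} {src_path} -> {dst_path} "
                  f"{copied} bytes src={result['source_sha256']} "
                  f"img={result['image_sha256']} verified={result['verified']}\n")
    return result


def self_test() -> dict:
    """Image a constructed 3 MiB + 123 byte file (odd size exercises the last partial chunk)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst, log = (os.path.join(d, n) for n in ("source.bin", "image.dd", "custody.log"))
        data = os.urandom(3 * CHUNK + 123)  # constructed sample, not a real device
        with open(src, "wb") as f:
            f.write(data)
        r = image_device(src, dst, log)
        r["expected_sha256"] = hashlib.sha256(data).hexdigest()  # independent reference digest
        return r
```

Against a real device the examiner records the source digest taken through the write blocker and the image digest separately; a mismatch means the image cannot be relied on.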


Order of Volatility

One of the many procedures that a computer forensics examiner must follow during evidence collection is the order of volatility.
During the process of collecting digital evidence, an examiner first captures the data that is most likely to disappear first, also known as the most volatile data.
After that, the examiner continues to collect the next most volatile piece of digital evidence until there is no more evidence to collect. In a nutshell, that is the order of volatility.


The IETF and the Order of Volatility

1 Registers, Cache
2 Routing Table, ARP Cache, Process Table, Kernel
Statistics, Memory
3 Temporary File Systems
4 Disk
5 Remote Logging and Monitoring Data that is Relevant to
the System in Question
6 Physical Configuration, Network Topology
7 Archival Media


Registers, Cache

The contents of CPU cache and registers are extremely volatile, since they are changing all of the time.
Literally, nanoseconds make the difference here. An examiner needs to get to the cache and registers immediately and extract that evidence before it is lost.


Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory

Some of these items, like the routing table and the process table, have data located on network devices.
In other words, that data can change quickly while the system is in operation, so evidence must be gathered quickly.
Also, kernel statistics are moving back and forth between cache and main memory, which makes them highly volatile.
Finally, the information located in random access memory (RAM) can be lost if there is a power spike or if power goes out. Clearly, that information must be obtained quickly.

Temporary File Systems

Even though the contents of temporary file systems have the potential to become an important part of future legal proceedings, the volatility concern is not as high here.
Temporary file systems usually stick around for a while.


Disk

Does data stay forever? SSD?
The likelihood that data on a disk cannot be extracted is very low.


Remote Logging and Monitoring Data that is Relevant to the System in Question

The potential for remote logging and monitoring data to change is much higher than data on a hard drive, but the information is not as vital.
So, even though the volatility of the data is higher here, we still want that hard drive data first.


Physical Configuration, Network Topology, and Archival Media

Here we have items that are either not that vital in terms of the data or are not at all volatile.
The physical configuration and network topology are information that could help an investigation, but are not likely to have a tremendous impact.
Finally, archived data is usually going to be located on a DVD or tape, so it isn't going anywhere anytime soon.
It is great digital evidence to gather, but it is not volatile.
