
Forensic Cop Journal

http://forensiccop.blogspot.com

Volume 3(2), Jan 2010

Standard Operating Procedure of Seizure on Computer-based Electronic Evidence


by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Police Commissioner, Coordinator of the Digital Forensic Analyst Team (DFAT), Forensic Lab Centre, Indonesian National Police HQ

Introduction

Handling the evidence found in a case of computer crime or computer-related crime differs from handling other evidence such as blood, tool marks, trace material and fibres. The evidence found at such crimes is grouped as computer-based electronic evidence. Because this evidence is volatile and easily altered, the digital forensic analyst must understand how to handle it properly. With proper handling the analyst can reveal the contents of the evidence and carry them into the further investigation; the findings are then reliable and can be accepted by the court, whereas improperly handled evidence will be doubted and may be rejected by the court. Since handling such evidence is so essential, the analyst must take particular care from the moment it is found at the crime scene. Handling begins with seizure, so the seizure technique plays a key role in handling the evidence properly.

The chain of custody of the evidence also begins with the seizure at the crime scene. The chain of custody is a comprehensive record of the travel of the evidence from the crime scene to the court: who first found it at the scene, who handled it in each subsequent investigative action, who submitted it to the court, and who did what to the evidence along the way. This article does not discuss the chain of custody further; it explains how to perform a proper seizure of computer-based electronic evidence.

Computer-based Electronic Evidence

Evidence found in a case of computer crime or computer-related crime that requires digital forensic analysis is grouped as computer-based electronic evidence. It is physical evidence, in that it can be seen. The digital forensic analyst and the criminal investigators should look for evidence of this type at the crime scene and, having found it, seize it properly.

The data or information stored in that physical evidence is called digital evidence. The digital evidence must then be located and analysed by the digital forensic analyst, because it can prove the relationship between the case and the perpetrators.


Below is the physical evidence that might be found at a crime scene and need to be seized.

1. Personal Computers
2. Notebooks / Netbooks / Laptops
3. Mobile Phones / PDAs
4. Printers
5. Optical Media: CDs / DVDs
6. Zip Drives / Backup Tapes
7. Flash Disks, Hard Disks, Floppy Disks
8. Modems / Switches / Hubs / Routers
9. Digital Cameras
10. Memory Cards
11. Dongles
12. Wireless Network Cards

The following digital evidence might be found in the contents of the physical evidence above.

1. Digital Images
2. Videos
3. Voice Recordings
4. Plain Texts
5. Ciphered Texts / Encrypted Files
6. Emails
7. Instant Messages
8. Network Logs
9. Application Logs
10. Call Logs
11. Short Messages (SMS)


Condition 1: The electronic evidence appears to be switched off

According to ACPO, the following are the proper actions for handling electronic evidence that appears to be switched off (ACPO, 2008, p. 11).

1. Secure and take control of the area containing the equipment. If necessary, secure the scene with police line as a perimeter, to protect it from contamination.
2. Move people away from any computers and power supplies. Warn and order everyone not to enter the scene unless they are involved in the investigation under the analyst in charge. Nobody is allowed near the evidence except for the purposes of the examination. This avoids accidental or deliberate actions that could harm the evidence, in particular by changing it.
3. Photograph or video the scene and all the components, including the leads in situ. If no camera is available, draw a sketch plan of the system and label the ports and cables so that the system(s) can be reconstructed at a later date.
4. Allow any printers to finish printing.
5. Do not, under any circumstances, switch the computer on. Switching it on is prohibited because it definitely changes the contents of the evidence.
6. Make sure that the computer really is switched off. Some screen savers give the appearance that the computer is off, but the hard drive and monitor activity lights may show that it is running. A brief movement of the mouse will usually wake a sleeping computer; if it wakes, the machine is switched on and the steps for Condition 2 below apply. Never forget to check the hard drive and monitor activity lights.
7. Be aware that some laptop computers may power on when the lid is opened.
8. Remove the main power source battery from laptop computers. Before doing so, consider whether the machine is in standby mode; in that case removing the battery could cause avoidable data loss.
9. Unplug the power and other devices from the sockets on the computer itself (not from the wall socket). A computer that is apparently switched off may be in sleep mode and may be accessible remotely, allowing files to be altered or deleted.
10. Label the ports and cables so that the computer can be reconstructed at a later date. Do this carefully to avoid mistakes during reconstruction.
11. Ensure that all items have signed and completed exhibit labels attached to them. Failure to do so may create difficulties with continuity and cause the equipment to be rejected by the forensic examiners.


12. Search the area for diaries, notebooks or pieces of paper with passwords on them; these are often attached to or kept close to the computer. Consider asking the user about the setup of the system, including any passwords, if circumstances dictate. If these are given, record them accurately.
13. Make detailed notes of all actions taken in relation to the computer equipment.

Condition 2: The electronic evidence appears to be switched on

The following are the actions recommended by ACPO for handling the evidence properly when it appears to be switched on (ACPO, 2008, p. 12).

1. Secure the area containing the equipment. As before, build a perimeter with police line so that people can see the border of the scene.
2. Move people away from the computer and power supply. Bystanders can contaminate the electronic evidence and may even change its contents if they do something wrong.
3. Photograph or video the scene and all the components, including the leads in situ. If no camera is available, draw a sketch plan of the system and label the ports and cables so that the system(s) can be reconstructed at a later date.
4. Consider asking the user about the setup of the system, including any passwords, if circumstances dictate. If these are given, record them accurately.
5. Record what is on the screen by photographing it and by making a written note of its content.
6. Do not touch the keyboard or click the mouse. If the screen is blank or a screen saver is present, ask the case officer to decide whether they wish to restore the screen. If so, a short movement of the mouse should restore the screen or reveal that the screen saver is password protected. If the screen restores, photograph or video it and note its content. If password protection is shown, continue as below without touching the mouse again. Record the time and the nature of the mouse movement in these circumstances.
7. Where possible, collect data that would otherwise be lost by removing the power supply, e.g. the running processes and the state of the network ports at that time. Ensure that for every action performed the changes made to the system are understood and recorded (see the section on network forensics and volatile data in the ACPO guide).
8. Consider advice from the owner/user of the computer, but treat this information with caution.
9. Allow any printers to finish printing.


10. If no specialist advice is available, remove the power supply from the back of the computer without closing down any programs. When removing the power cable, always remove the end attached to the computer, not the end at the socket. This avoids data being written to the hard drive if an uninterruptible power supply is fitted.
11. Remove all other connection cables leading from the computer to wall or floor sockets or to other devices.
12. Ensure that all items have signed exhibit labels attached to them. Failure to do so may create difficulties with continuity and cause the equipment to be rejected by the forensic examiners.
13. Allow the equipment to cool down before removal.
14. Search the area for diaries, notebooks or pieces of paper with passwords on them; these are often attached to or kept close to the computer.
15. Ensure that detailed notes are taken of all actions in relation to the computer equipment.

Bibliography

ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf. Last accessed 30 September 2009.
Al-Azhar, M.N. (2009). Digital Forensic: State of the Art. Forensic Cop. Available: http://forensiccop.blogspot.com. Last accessed 1 January 2010.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 2nd edition. London: Elsevier Academic Press.
Carrier, B. (2005). File System Forensic Analysis. London: Addison-Wesley.
Department of Justice, US. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed 30 September 2009.
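Step 7 of Condition 2 asks the responder to capture what would be lost by pulling the power (the running processes and the state of the network ports) and step 13 asks for detailed notes of every action taken. The following POSIX shell script is an added example, not part of the ACPO guide or of this article, showing one way to do both at once on a running Unix-like host: each capture command is run in turn, its output is written to the examiner's own removable media, and a one-line record (UTC start time, step name, exact command line, exit status, SHA-256 of the output file) is appended to an action log that can be transcribed into the contemporaneous notes. The mount point /media/evidence and the variable EVIDENCE_ROOT are assumptions for the example; the tool names (ps, ss, netstat, who, uptime) are the usual Linux/BSD ones, and a tool that is absent on the host is recorded as such rather than stopping the capture. The steps are ordered most volatile first, which follows common volatile-data practice rather than anything stated in the article. Windows hosts need the equivalent built-in commands, which this script does not cover.

```shell
#!/bin/sh
# Added example (not from the ACPO guide or the article): capture volatile data
# on a running Unix-like host and keep an action log, as Condition 2 steps 7
# and 13 require. EVIDENCE_ROOT is an assumed mount point for the examiner's
# own removable media; nothing is written to the suspect's disk.

EVIDENCE_ROOT="${EVIDENCE_ROOT:-/media/evidence}"

# hash_file FILE: print the SHA-256 of FILE with whichever tool exists here,
# so each captured file can later be verified against the exhibit record.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool-on-host"
    fi
}

# run_step OUTDIR NAME COMMAND [ARGS...]: run COMMAND, save its output to
# OUTDIR/NAME.txt and append one tab-separated record to OUTDIR/actions.log:
# UTC start time, step name, exact command line, exit status, output hash.
# A missing tool is recorded (exit 127) instead of aborting the capture.
run_step() {
    outdir="$1"; name="$2"; shift 2
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" > "$outdir/$name.txt" 2>&1; then status=0; else status=$?; fi
    else
        echo "tool not present on this host: $1" > "$outdir/$name.txt"
        status=127
    fi
    printf '%s\t%s\t%s\texit=%s\tsha256=%s\n' \
        "$start" "$name" "$*" "$status" "$(hash_file "$outdir/$name.txt")" \
        >> "$outdir/actions.log"
}

# collect_volatile OUTDIR: run the captures, most volatile first (clock and
# processes, then network state, then logged-on users and host identity), and
# print the number of action-log records written.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir"
    : > "$outdir/actions.log"
    run_step "$outdir" 01_clock     date -u
    run_step "$outdir" 02_uptime    uptime
    run_step "$outdir" 03_processes ps -ef
    run_step "$outdir" 04_sockets   ss -tulpan      # Linux only; recorded as absent elsewhere
    run_step "$outdir" 05_netstat   netstat -an
    run_step "$outdir" 06_users     who
    run_step "$outdir" 07_hostname  uname -n
    run_step "$outdir" 08_kernel    uname -a
    wc -l < "$outdir/actions.log" | tr -d ' '
}

# Stand-alone use: capture into a per-host directory on the examiner's media.
if [ -d "$EVIDENCE_ROOT" ] && [ -w "$EVIDENCE_ROOT" ]; then
    collect_volatile "$EVIDENCE_ROOT/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
else
    echo "examiner media not mounted at $EVIDENCE_ROOT; nothing captured" >&2
fi
```

Run it as root from the examiner's own media, never from the suspect's disk, and note the time it was started in the written record; the actions.log then lists exactly which commands touched the system, in what order, and the hashes let the examiner verify each captured file against the exhibit label later.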
