We've been talking of Computer Forensics in our articles for quite a few
years now. We were the first magazine in the country to take you through a
hands-on guide on running different forensics tools. We have discussed the
best practices to follow after a machine is compromised and before an
investigator comes. This time we take you through the complete process of
investigation from the eyes of an investigator in a photo feature. So, we shall
not talk of any fancy tools, rather we will see what a Computer Forensic
Investigator does when he reaches a crime scene and how he responds to it. To
get inputs, we contacted a private computer forensics lab in Delhi/NCR named
Orkash and did a mock drill. Here's what happened.
The first step in forensics investigation is to identify and record the
condition of the compromised machine. This means one has to check if the machine
is Off, On, connected to the network, physically damaged or not, etc.
Once the victim machine is identified, one has to very carefully turn the
monitor to see what is going on on the screen. This is the first level of
observation, and while touching the physical components, the investigator has
to make sure he neither changes the crime scene nor leaves any other mark such
as fingerprints, etc. So the use of surgical gloves is a must.
The next step is to identify the OS and other applications running on the
system. If the system is based on Windows, the best approach is to take out the
power cable directly so that all page files are intact and no disk cache data is
lost.
After taking out the power cable, the investigator should take out all the
other cables from the ports and seal all the ports including the power socket
using labels (with time and case name) and tapes. This makes sure that after
investigation, nobody uses the machine in any form.
Now this is the time to take out the machine very carefully and tag it with
the case and victim name. This name will identify the machine throughout the
investigation. So, for instance, the case name here is 'Demo-PCQ' and the
machine name is 'Demo-PCQ-0001'.
The next step is to carefully open the cabinet of the machine. The only issue
to be careful about is to avoid fingerprints or other marks of the investigator.
Once the machine is open, the investigator has to very carefully take out the
hard drive(s). Once a disk has been taken out, the investigator needs to pack it
in an anti-static bag and label it with the case and component names.
Now this is the time to take note of everything at the scene: what was
running on the screen, the state of the computer (clean or dusty), the make and
model of the computer and peripherals, etc.
Once the notes have been taken, this is the time to close the cabinet and
seal it with tapes and labels. This is to make sure nobody tampers with the
machine after the investigator has left.
The hard disk has to be taken to the forensics lab for image creation and
data analysis. In image creation, a bit-by-bit copy of the disk is made, and its
integrity values are recorded so that any tampering can be detected.
This requires that nothing is written to the disk while the image is being
created. A FastBloc is a write-blocking device that stops any write from reaching
the disk, so no one can write anything to the hard drive. It comes with many
adapters, which let it connect not just to a hard disk but also to other
storage devices such as USB drives, memory cards, phones, MP3 players, etc.
This is how a connection with FastBloc is made. Once connected, the image of
the disk can be created and an analysis started.
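The imaging step described above, as an added worked example that is not part of the original feature or of any Orkash or FastBloc tooling: the script reads the evidence source strictly read-only, copies it bit-for-bit in chunks, records the SHA-256 of the data as it streamed off the source (the acquisition hash) and of the finished image file (the verification hash), and shows that re-hashing the image later catches a single flipped byte. The hardware write blocker is what actually guarantees that nothing is written to the evidence disk; the script only refrains from doing so. The 'disk' here is a constructed temporary file, the label Demo-PCQ-0001 is taken from the article, and the function names are this example's own.

```python
"""Bit-for-bit acquisition with hash verification (added example, not the article's own code)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write granularity


def hash_file(path: str, chunk: int = CHUNK) -> str:
    """SHA-256 of a whole file, read in chunks so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str, label: str, chunk: int = CHUNK) -> dict:
    """Copy every byte of the source to the image file and hash both sides.

    The source is opened read-only. A hardware write blocker (FastBloc in the
    article) is what physically prevents writes to the evidence; this code
    simply never opens the source for writing.
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            src_hash.update(block)  # hash of the data exactly as it left the source
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really is on disk before re-reading it
    verification = hash_file(image_path, chunk)  # hash of what was actually written
    return {
        "label": label,
        "bytes": total,
        "acquisition_sha256": src_hash.hexdigest(),
        "verification_sha256": verification,
        "verified": src_hash.hexdigest() == verification,
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash an image (for example, before each analysis session) and compare with the recorded value."""
    return hash_file(image_path) == expected_sha256


def acquire_from_bytes(data: bytes, label: str = "Demo-PCQ-0001") -> dict:
    """Helper for tests: treat a constructed byte string as the evidence disk."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, label + "-hdd.bin")
        image = os.path.join(tmp, label + "-hdd.dd")
        with open(evidence, "wb") as f:
            f.write(data)
        return acquire_image(evidence, image, label)


def demo() -> dict:
    """Whole flow on a constructed multi-megabyte 'disk', including a tamper check on the image."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "Demo-PCQ-0001-hdd.bin")
        image = os.path.join(tmp, "Demo-PCQ-0001-hdd.dd")
        with open(evidence, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # constructed sample disk, not real evidence
        record = acquire_image(evidence, image, "Demo-PCQ-0001")
        intact = verify_image(image, record["acquisition_sha256"])
        # Simulate tampering with the stored image: flip one byte, then re-verify.
        with open(image, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        after_tamper = verify_image(image, record["acquisition_sha256"])
        return {"record": record, "intact": intact, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The two hashes are recorded at acquisition time precisely so that the verification hash can be recomputed by anyone who later handles the image; a mismatch means the image, not the original disk, has changed since it was made.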