Documenting Computer Forensic Procedures

Mon, 10/01/2007 - 4:00am
John J. Barbara

There are examiners working today in some agencies that do not have documented technical standard operating procedures (SOPs) for the analysis of digital media. Most likely, this is because there are no Quality Assurance Practices (QAP) being followed and no Quality Assurance Systems (QAS) in those agencies to provide oversight. One requirement of a QAS is the development of a comprehensive Quality Assurance Manual (QAM). The QAM would include the assertion that SOPs must be documented and available for examiners' use. SOPs could be incorporated into the QAM itself or documented in a stand-alone manual. It is unacceptable for any agency to be analyzing digital media without having a QAS, a QAM, and documented SOPs. Without these three critical components, there are no assurances to demonstrate that QAPs are in place and being utilized to provide results that are accurate, repeatable, and reliable.

When an examiner is made aware that documented SOPs are needed, he or she generally asks two questions: “What type of outline or format do I use?” and “How much detail should I put into my technical SOPs?” In a previous Digital Insider column, an outline was discussed concerning the style or format for writing policy statements. It can also serve as a template for documenting technical SOPs. Using that outline, a policy and procedure for the analysis of removable hard drives is shown below. It is not intended to be all-inclusive and should be viewed as a guide to writing technical SOPs.

COMPUTER FORENSICS OPERATIONAL MANUAL

  1. Policy Name: Imaging Removable Hard Drives
  2. Policy Number/Version: 1.0
  3. Subject: Imaging and analysis of removable evidence hard drives.
  4. Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers.
  5. Document Control: Approved By/Date:
     Revised Date/Revision Number:
  6. Responsible Authority: The Quality Manager (or designee).
  7. Related Standards/Statutes/References:
     A) ASCLD/LAB Legacy standards 1.4.2.5, 1.4.2.6, 1.4.2.7, 1.4.2.8, 1.4.2.11, and 1.4.2.12.
     B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 4.13.2.4, 5.4.1.1, 5.4.1.2, 5.4.2.1.
     C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 5.4.5.2, 5.4.7.2 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a).
  8. Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops.
  9. Policy Statement:
     A) No analysis will be performed without legal authority (search warrant or consent form). If not submitted, the examiner must contact the investigator to obtain the necessary legal authority.
     B) Forensic computers are not connected to the Internet.
     C) All forensic archives created and data recovered during examinations are considered evidence.
     D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes and ensure the revised procedure is validated, if necessary, prior to its use in casework.
  10. Procedure:
     A) Responsibilities
        1. Section Supervisor
           a) Only trained examiners are assigned to work cases.
           b) Performs administrative and technical case file review.
        2. Examiners
           a) Report directly to the section supervisor.
           b) Must be familiar with all types of hard drives that may be encountered as evidence.
           c) Responsible for the chain of custody record, evidence handling, evidence marking and security, and analysis of evidence.
           d) Generate reports and testify in court.
     B) Examination Preparation
        1. Legal Authority: Examiners are to review the search warrant or consent form to determine the scope of the examination. Contact the investigator to obtain a list of keywords if none is provided.
        2. Chain of Custody: All evidence transfers are documented in the evidence tracking system.
        3. Safety: All applicable parts of the agency Safety Manual and the unit’s “Handling Digital Media” policy and procedure will be followed as appropriate.
        4. Equipment and Materials:
           a) Marking pens, evidence tape, anti-static packaging material, worksheets, etc.
           b) Forensic computers
           c) Approved forensic software
           d) New/sterilized digital media (CDs, DVDs, hard drives, etc.)
           e) Verified/validated hardware write blockers and interfaces
           f) Crossover cables
           g) Assembly/disassembly toolkits
           h) Digital camera
           i) Appropriate hard drive standards and controls
        5. Special Allowances:
           a) If hard drives are not removed or a RAID configuration exists, refer to the “Cable Imaging,” “RAID Imaging,” and/or “DOI Imaging” procedure(s).
           b) Hard drives may be password protected. Refer to the “Breaking Passwords” procedure.
        6. Evidence Documentation, Handling, and Inventory:
           a) Photograph and print pictures of evidence for the case file.
           b) Inventory/describe evidence. Record serial numbers in case file.
           c) Mark evidence according to the “Handling Digital Evidence” procedure.
     C) Hard Drive Analysis:
        1. Select appropriate hard drive standard and control and interface/write blocker.
        2. Record the forensic computer’s POST in the instrument logbook.
        3. Image the hard drive standard and control. Record the hash value in both the instrument logbook and case file.
        4. Complete the “Hardware Documentation Worksheet.”
        5. Remove evidence hard drive(s).
        6. Obtain BIOS information from evidence computer.
        7. Attach evidence hard drive(s) to appropriate interfaces and/or write blockers and image onto wiped hard drive(s).
        8. Verify hash values and create forensic archive(s) on non-alterable digital media whenever possible.
        9. Examine the image using in-house verified/validated approved software tool(s).
        10. Complete the “Analysis Worksheet.”
        11. Export probative data onto digital media (CD/DVDs, hard drives, etc.).
        12. Prepare report and submit case file for review, repackage evidence and return to property room.
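The hash checks behind steps 3 and 8 of the Hard Drive Analysis section (imaging the standard/control and comparing it with the digest on record, then verifying that an evidence image matches its source), as an added example that is not part of the column or of any agency's procedure. The column names no hash algorithm, so MD5 plus SHA-1 is an assumption, as are the function names, the case number and the sample bytes that stand in for a drive.

```python
# Added example (not from the column): the hash checks behind steps 3 and 8
# of "Hard Drive Analysis". Algorithms (MD5 + SHA-1), function names and the
# sample bytes below are assumptions; a real run reads the device/image files.
import hashlib

CHUNK = 1 << 20  # read drives and images in 1 MiB pieces, never whole


def read_chunks(path):
    """Yield a file's contents in CHUNK-sized pieces (for real devices/images)."""
    with open(path, "rb") as fobj:
        yield from iter(lambda: fobj.read(CHUNK), b"")


def hash_chunks(chunks, algorithms=("md5", "sha1")):
    """Single pass over the data, every requested digest updated together."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_control(chunks, expected):
    """Step 3: the standard/control is imaged through the chosen write blocker
    and compared with the digests recorded when the control was established.
    Any False means the imaging chain altered data; casework waits."""
    observed = hash_chunks(chunks, tuple(expected))
    return {name: observed[name] == digest for name, digest in expected.items()}


def verify_image(source_chunks, image_chunks):
    """Step 8: digests of the evidence drive and of its image must agree
    before the image is archived; both sets go into the case file."""
    source, image = hash_chunks(source_chunks), hash_chunks(image_chunks)
    return {"source": source, "image": image, "match": source == image}


def logbook_entry(case_number, examiner, result):
    """Flat record for the instrument logbook / case file worksheet."""
    entry = {"case_number": case_number, "examiner": examiner}
    entry.update(result)
    return entry


if __name__ == "__main__":
    control = [b"control drive sample"]       # constructed stand-in for a drive
    known = hash_chunks(control)              # digests the logbook would hold
    print(check_control(control, known))      # all True on a healthy chain
    print(logbook_entry("2007-CF-0001", "J. Doe",   # constructed case/examiner
                        verify_image([b"evidence"], [b"evid", b"ence"])))
```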

The policy and procedure example is written in an outline format and references worksheets and other procedures where more detailed information can be obtained. Agencies or units may decide to use a narrative style and incorporate the referenced procedures into one detailed procedure. That would be their choice. Regardless of the amount of detail included, the most important consideration is that all technical standard operating procedures must be documented.

John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press.
