Forensic Chain of Custody

A Forensic Chain of Custody is Everything you take, date and time, condition, who or where you got it from, whether it was packaged or not.

In rare cases where a crime is actually going down (actual DDoS or a real time malcious attack), chain of custody is second to preventing a crime from occuring, and depending on your legal standing (warrant, court orders, etc), you may even legally be able to actively fight the attacks.

That's pretty much the only legal way you're going to be able to compromise a remote system, if it is being used as an attack machine, if it is a victim machine and you have a court order to do so.

Acquisition

Many times you'll receive a computer from an end user, other times you'll be receiving a package. Usually packages arrive via a courier service, in fact, federal mail is not used and should not be used because it can damage the disks. Packages that arrive via couriers are usually sealed in some special fashion, depending on the country you are in. Typically it is a tamper evident seal of some sort. You'll also want a receipt from the courier service to ensure your itemid/shipmentid matches the outbound one (to ensure packages arent switched mid transit).

The sender will have taken pictures of the sealed evidence to preserve chain of custody, you'll want to take pictures of it from every angle before opening it as well as after opening it.

When you receive a machine, you'll want to document how long it has been since the machine has been shut down. If that information is unknown, simply putting unknown is acceptable.

Witnesses and Documentation

There should be a security camera in place everywhere that the evidence goes once it has entered your custody until it leaves your custody. Witnesses are very important, and cameras can be a huge help with that. At any rate, you'll want to document each changing of hands with the evidence.

Any time you are not examining or acquiring evidence, the evidence should be locked in an evidence room. Requirements for the room are obviously a lock, security cameras, and a sign in/sign out form.

Any time you hand evidence to another examiner, even in your own facility, you will want to fill out an evidence custodial transfer form of some type. Additionally, the evidence room or box that the evidence is kept in inside of the room will need to be fireproof.

Different countries and states have different standards for fireproofing, typically evidence rooms are locked and usually have biometrics on some form or fashion, security cameras, and then on top of that the evidence will go in a lock box. The lock box will need to be both fireproof and waterproof, so in the case of a fire ,if a sprinkler or gas flame retardant system is activated.

With forensic evidence, backups of the hdd's will be also stored in off-site datacentres due to the volatile nature of computers.

Once evidence has been acquired or imaged, it should never be touched again. Reason for not touching evidence once its been acquired or imaged, is because you can ensure that you can re-image it later that way. Additionally, because you'll probably wind up giving an expert witness testimony at some point, you'll need it for when you show a chain of the evidence examination (checksums etc).

In the united states, they recently passed some precedents that require multiple forms of hashing/digest algorithms for checksums. The reasoning for this is because you can cause a hash collision with only one algorithm, but then it will change the other algorithms hash. You can't defeat both algorithm's simultaneously (essentially, checksumming a checksum).

Any examination, imaging or acquisition needs to have a log. Even if all you're doing is a dd image, you need to include the start and stop time, exact commands used, and even write the checksums down. All of this wlil be considered as part of your expert witness testimony. If you break any of this stuff at all, an offender/attacker can easily slip through the cracks.

If you receive frozen ram, you'll want to document how long its been on ice, how long it was between it being shutdown and going on ice, etc.

Active Memory Snapshots

There is a question of admissibility in court for active volatile forensics. e.g.: I walk up to your machine while its turned on and ramdump it. Admissability in court is completely questionable, because there's no proof you didn't tamper with it. When imaging a hard drive, you use physical and hardware write blockers. But volatile ram memory, you could write to that all day, so, its admissability is questionable. However, anything from a ramdump that can be validated via hard drive evidence is fair game. e.g.

• Passwords in plaintext found from the keyboard buffer, encryption keys. If you can use the drive image to validate the volatile evidence, those parts of volatile evidence become admissible.
• 100gb of encrypted home drive on HDD, you get the key from the ram for encryption, its all admissible.
• If you get a password for say a windows account, you can pull that sam file later and show that it hashes out to the same NTLM hash

because its not the ram's admissability that holds up, its the data's on the harddrive.