Data Capture..key challenge in Cyber Evidence Management



In the previous article we discussed the requirements of the Indian Evidence Act for the admissibility of electronic evidence. In this article we discuss the hardware required for making copies of hard disks for further analysis.

In most cyber crime investigations by the Police, and in most cases of suspected fraud on a corporate network, it becomes necessary to seize the suspect computer or its hard disk for a detailed examination.

Sometimes, even in an "intelligence gathering mission", it may be necessary to subject a hard disk to a detailed examination.

The practical problem in most such cases is that if the computer is seized immediately, the operations of the enterprise may be seriously disrupted. If the Police make this a common practice, no company will be comfortable filing a complaint in a case of computer crime.

A similar problem arises for an auditor who suspects fraud from the contents of a hard disk but needs access to it for a prolonged period of further analysis.

It therefore becomes necessary for the investigator or the auditor to make a "copy" of the original "evidence" and carry on the investigation on the copy. The question then arises: if he stumbles upon some evidence during his examination and then comes back to seize the original hard disk, the original may no longer contain the evidence he unearthed during the investigation.

Even assuming that the original hard disk itself had been seized and the investigation has unearthed some evidence, the accused would charge that the evidence was in the custody of the Police/Auditor and could have been tampered with.

It is therefore essential for the investigator to preserve the original evidence and, at the same time, subject it to any analysis he may wish, without disrupting the regular user of the system and the hard disk.

A device for this purpose is one which makes a bit-for-bit image copy of the suspect hard disk and computes a "hash code" of the original as it is copied. The original can then be preserved and the clone subjected to analysis; at any later time the clone can be re-hashed and the value compared with the recorded hash of the original to prove that the data captured from the original has not been altered during analysis. The comparison is only meaningful against a hash taken at the moment of acquisition, while the original was still in the owner's presence; a hash computed later over the clone alone proves nothing about what the original contained.

The recommended device for the purpose is from a Company in USA called Intelligent Computer Solutions (ICS).

ICS has developed the hard drive duplication technology (patented under US patent no C,131,141) that has been in use by law enforcement agencies and commercial enterprises, including companies such as Intel, in several countries. For the first time the devices are now available in India.

The two key forensic products offered by ICS are the Image MASSter Solo 2 and the LinkMASSter.

Image MASSter Solo 2 Forensic unit

The Image MASSter Solo 2 is a handheld hard disk duplication device made for computer disk drive data seizure. Image capture can be performed from a suspect's drive to an evidence drive at duplication speeds in excess of 1.8 GB/min.

The Image MASSter Solo 2 Forensic unit is powered by the company's patented Image MASSter technology and provides MD5 and (in the latest version) SHA-1 hashing for data integrity checking. On copying the suspect disk to an evidence disk, a report can be generated carrying the hash codes, which can be jointly authenticated by the system owner and the investigator to avoid any later dispute on the integrity of the data transfer. Where the unit supports both algorithms, both values should be recorded in the report: MD5 on its own is no longer considered collision resistant.

Since the copying is a bit-for-bit image process, the evidence disk carries unallocated and slack space as well as the live files, and can be analysed with data recovery tools to recover deleted information. Multiple clones can be generated so that different investigators can work simultaneously on the copies, each of which hashes to the same value as the original and is therefore a legally acceptable clone.
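As an added illustration of the capture-and-verify procedure described above (this is example code written for this page, not ICS's software and not part of the original article; a real unit does the same work in hardware against a physical drive), the Python below images a constructed in-memory "suspect disk" byte for byte, hashes the original with MD5 and SHA-1 as it streams past, produces the joint acquisition report, and then re-hashes the clone to show that an intact clone verifies and a clone altered by a single bit does not. It also contrasts the bit image with a file-level ("logical") copy to show why deleted data survives only in the former. The disk contents, the offset of the "deleted" file and the function names are this example's own assumptions.

```python
"""Bit-for-bit acquisition with MD5/SHA-1 integrity checking.

Added example: a software model of what a hardware imager does. The
"disk" is a constructed in-memory byte buffer, not a real device, and
the function names are this example's own.
"""
import hashlib
import io

CHUNK_SIZE = 4096  # read size per pass; hardware units move far larger blocks


def make_sample_disk():
    """Build a constructed 64 KiB "suspect disk".

    Bytes 0..allocated_end hold a live file. A second file was written
    further along and then "deleted": the metadata pointing to it is
    gone, but its bytes remain on the platter in unallocated space.
    """
    disk = bytearray(64 * 1024)
    live = b"quarterly_report.txt: revenue figures as filed\n"
    disk[0:len(live)] = live
    deleted = b"transfer 4,500,000 INR to account ending 7731 -- DELETE THIS FILE\n"
    disk[40000:40000 + len(deleted)] = deleted
    return bytes(disk), len(live)


def bit_image(source, dest, chunk_size=CHUNK_SIZE):
    """Copy every byte from source to dest, hashing the bytes as they are read.

    Returns the acquisition record: byte count plus MD5 and SHA-1 of the
    ORIGINAL as it streamed past. These are the values the system owner
    and the investigator jointly sign at the time of capture.
    """
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    while True:
        block = source.read(chunk_size)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
        dest.write(block)
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_stream(stream, chunk_size=CHUNK_SIZE):
    """Return (md5, sha1) hex digests of everything readable from stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def verify_clone(record, clone):
    """Re-hash a clone (e.g. after analysis) and compare with the acquisition record."""
    md5, sha1 = hash_stream(clone)
    return md5 == record["md5"] and sha1 == record["sha1"]


def acquisition_report(record, source_label, evidence_label):
    """The report both parties authenticate; six lines, one per field."""
    return "\n".join([
        f"Source drive  : {source_label}",
        f"Evidence drive: {evidence_label}",
        f"Bytes copied  : {record['bytes']}",
        f"MD5           : {record['md5']}",
        f"SHA-1         : {record['sha1']}",
        "Signed: system owner ____________  investigator ____________",
    ])


def demo():
    disk, allocated_end = make_sample_disk()

    # Logical copy: only the bytes the file system says are in use.
    logical = disk[:allocated_end]

    # Bit image: every byte, including unallocated space.
    clone = io.BytesIO()
    record = bit_image(io.BytesIO(disk), clone)
    clone_bytes = clone.getvalue()

    deleted_found = {
        "logical_copy": b"DELETE THIS FILE" in logical,
        "bit_image": b"DELETE THIS FILE" in clone_bytes,
    }

    # An untouched clone verifies against the record; one altered bit does not.
    intact = verify_clone(record, io.BytesIO(clone_bytes))
    tampered = bytearray(clone_bytes)
    tampered[40010] ^= 0x01  # flip a single bit inside the deleted file
    tampered_ok = verify_clone(record, io.BytesIO(bytes(tampered)))
    return record, deleted_found, intact, tampered_ok


if __name__ == "__main__":
    rec, found, ok, bad_ok = demo()
    print(acquisition_report(rec, "suspect HDD (constructed)", "evidence HDD #1"))
    print("deleted text recoverable:", found)
    print("intact clone verifies:", ok, "| tampered clone verifies:", bad_ok)
```

The point of hashing the source stream rather than the finished image is that the record describes what the original held at the moment of seizure; any later discrepancy, whether on the evidence disk or on a further clone made from it, is then detectable by anyone holding the signed report.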

The Solo 2 is connected directly to the suspect drive. To prevent accidental writing to the suspect drive, an accessory called "Drive Lock" (a write blocker) is placed between the suspect disk and the Solo 2.

The LinkMASSter (offered as the Solo 2 Forensic option "USB/FireWire Connection", LinkMASSter Forensic) is a software acquisition device made for seizing data from computers that cannot be opened in the field. It is ideally suited to acquiring data from a laptop. It performs high-speed data transfer from the suspect's hard disk drive through the computer's USB 1.1/2.0 port, and supports MD5 and SHA-1 hashing during and after the acquisition. A bootable CD is supplied to boot the suspect's computer and run the LinkMASSter acquisition program, so that the suspect's own operating system is not started during the capture.

The transfer rate in the latest version, which will reach the market in mid-January, can reach up to 3 GB/min depending on the interface used and the performance of the suspect notebook/PC.

Both devices capture data from the suspect's hard drive in Single Capture mode and in Multi Capture mode, which can capture more than one source drive to a single evidence drive.

These devices are the primary hardware requirements for data capture and have been forensically tested and accepted in the industry as reliable for judicial evidence.

The cost is expected to be around US $1450 for the Solo 2 and US $600 for the LinkMASSter.

The analysis itself requires software such as EnCase from Guidance Software, or CAAT (computer-assisted audit) tools for IT audit from various vendors.

The availability of the ICS data capture products in India will now make their use a benchmark for cyber evidence collection. It is therefore necessary for law enforcement authorities and IT auditors to equip themselves with these devices, so that they shall not be held "negligent" by the Indian Courts during the process of evidence collection.

Naavi

January 6, 2003

(For more information on these products contact Naavi.)

Related Article:

Cyber Evidence Collection..a Major Challenge to Law Enforcement in India
