Computer Forensics: Disk Imaging Overview

IT professionals are inundated with information on how to prevent intrusions and attacks. But what do you do if the worst happens in spite of your security patches, firewalls, and other efforts?

Given the huge costs in downtime, lost productivity, and administrative workload that can result from an attack, we all applaud when hackers or virus writers are caught and prosecuted, but it doesn’t seem to happen very often. That’s because successful criminal prosecution (or a civil suit) requires hard, admissible evidence, which can be difficult to come by. Sadly, the evidence is often contaminated or destroyed in the process of responding to the attack (in the same way that the water used to put out a fire sometimes causes as much damage as the fire itself).

If there is any chance that a case might go to court, it is extremely important that digital evidence be handled properly by everyone who has access to it. The documented record of who held the evidence, when they received and released it, and what they did with it is known as the “chain of custody.” The concept is the same for digital data as for physical objects, but it is harder to apply: a disk can be copied, altered, or accessed remotely without anyone visibly taking possession of it.

The key point is that evidence can become inadmissible if anyone who handles it after an incident takes place does anything to change it. But simply opening a file on the original system changes it (for example, the file’s last-access timestamp is updated, and the operating system may write to logs, caches, and swap in the background), so how can digital evidence ever be preserved in an admissible state?

The answer is to conduct any examination of the evidence not on the original data, but on an exact copy of it made for that purpose. To meet the high standards of the court, this is not as simple as it sounds. The copy must be a bit-level image of the original disk: a sector-by-sector copy of all the binary data, including the slack space, unallocated (free) space, and other ambient data that a file-level copy would skip. This requires imaging software made for the purpose. Forensic imaging software should also verify that the copy is exactly like the original, normally by computing a cryptographic hash (MD5 and SHA-1 were the common choices when this was written; SHA-256 is the usual choice today) of the original and of the image and recording that the two values match, so that the same hash can be recomputed later to prove the image has not changed. For this reason, it is best not to use disk imaging software intended for other purposes (such as Norton Ghost, which was made for creating cloned images to install on multiple machines, and was not designed to preserve unallocated space or to prove the integrity of the copy).

Forensics-based imaging systems often use a separate computer that is attached to the target computer or its drive through a communications port, through which the complete copy of the disk is written to another disk, tape, or other electronic media. In other cases, the disk is removed from the target computer and connected to the examiner’s workstation. Either way, the imaging process must leave no traces (make no changes) on the original: in practice this means reading the drive through a hardware write blocker, or at minimum mounting it read-only, and never booting the target computer from its own disk to take the image.
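The two paragraphs above describe the procedure in words; the following script is an added example (not from the original column) that carries it out with `dd` and `sha256sum` on Linux. The “drive” is a constructed 1 MiB sample file so the script runs offline; in a real acquisition the source would be a block device such as /dev/sdb read through a hardware write blocker, and the log and .sha256 sidecar would go into the case file. Function and file names are the example’s own.

```shell
#!/bin/sh
# Added example: bit-level acquisition with dd, verified by hashing the
# source before and after the read and comparing both to the image hash.
set -eu

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Constructed stand-in for an evidence drive: 1 MiB of random bytes, sized
# as a whole number of 512-byte sectors so conv=sync adds no padding.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Recompute a file's hash and compare it with a recorded value.
# Returns 0 on match, 1 on mismatch; used whenever the image changes hands.
verify_image() {
    expected="$1"
    actual=$(sha256_of "$2")
    [ "$expected" = "$actual" ]
}

# Sector-by-sector copy of $1 into $2, with hashes and a timestamp written
# to the log $3. conv=noerror,sync keeps reading past unreadable sectors and
# zero-fills them, so a mismatch means either a read error or a source that
# changed under us (no write blocker, or a live system): investigate before
# relying on the copy. On a real drive, a software fallback for write
# protection is `blockdev --setro /dev/sdX` before this step.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    before=$(sha256_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    sync
    after=$(sha256_of "$src")   # must equal $before: the read changed nothing
    copy=$(sha256_of "$img")
    {
        echo "acquired=$stamp"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256_before=$before"
        echo "source_sha256_after=$after"
        echo "image_sha256=$copy"
    } >"$log"
    # Sidecar in sha256sum -c format, kept beside the image for later checks.
    echo "$copy  $(basename "$img")" >"$img.sha256"
    if [ "$before" = "$after" ] && [ "$before" = "$copy" ]; then
        echo "result=VERIFIED" >>"$log"
        return 0
    fi
    echo "result=MISMATCH" >>"$log"
    return 1
}

# Stand-alone demo on the constructed sample.
workdir=$(mktemp -d)
make_sample_disk "$workdir/evidence.raw"
acquire_image "$workdir/evidence.raw" "$workdir/evidence.dd" "$workdir/acquisition.log"
cat "$workdir/acquisition.log"
```

Hashing the source twice is deliberate: the second hash proves the acquisition itself did not alter the original, which is the question a defense attorney will ask. Anyone who later receives the image reruns `verify_image` (or `sha256sum -c` on the sidecar) and records the result, which is what turns a pile of files into a chain of custody.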

Once you have a forensically sound copy, the original disk is set aside and preserved in its current state (sealed, labeled, and logged), and all examination work is done on the copy. You also need to be able to testify that the computer was immediately isolated from the network and physically secured so that no one could make any changes to it between the discovery of the incident and the time the disk was imaged. Beyond that, you should do nothing: if the machine is running, leave it running; if it is off, leave it off; and do not examine logs or open files until the disk has been imaged. Powering a running system off discards whatever is in memory, so the decision about how to handle a live machine belongs to the investigator, not to the first responder. The disk imaging should be done by a qualified forensics investigator. This is not a reflection on your abilities as an IT professional or on your personal integrity; it is because a defense attorney in a court trial is likely to question the credentials of those who performed the imaging and/or examination, and more credibility will be given to the evidence if it was collected by someone who specializes in computer forensics.

DEB SHINDER is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. These include “Scene of the Cybercrime: Computer Forensics Handbook,” published by Syngress, and “Computer Networking Essentials,” published by Cisco Press. She is coauthor, with her husband, Dr. Thomas Shinder, of “Troubleshooting Windows 2000 TCP/IP,” the best-selling “Configuring ISA Server 2000,” “ISA Server and Beyond,” and “Configuring ISA Server 2004.” Deb currently specializes in security issues and Microsoft products; she has been awarded Microsoft’s Most Valuable Professional (MVP) status in Windows Server Security. A former police officer and police academy instructor, she lives and works in the Dallas-Fort Worth area and teaches computer networking and security and occasional criminal justice courses at Eastfield College in Mesquite, TX.

See other Security MVP Article of the Month columns.