Before you enter a suspected bomb builder’s lair you need to be wary of booby traps. The same holds true when you come across a computer that belongs to a suspected hacker, a pedophile suspected of storing or sharing child pornography or any other suspect.
Hackers are good at what they do because they know computers inside and out. It is possible to booby trap a computer system so that any evidence of a crime is destroyed as soon as a single key is pressed. This means that it is important for you to know what to do when you need to access a computer which has been used in a crime.
Time is critical when investigating a crime. If a computer is powered down you might lose essential information and also may not be able to power it up again or login.
Save time in a bottle
Before making a move, you need to take a snapshot of a suspect’s computer to freeze it in time. The snapshot becomes your baseline and if a booby trap is triggered you can go back to the image and try again.
Tools that come on a flash drive can be used to capture the computer’s live memory, which may include unencrypted passwords and other information that can be used for additional forensic work. You may also see proof of links to dark servers or TOR networks, both of which are popular for criminal use.
Once you have done a memory capture, the next step is to attempt to capture an image of the operating system and images of the disk drives while they are unencrypted. This may or may not be possible depending on whether or not there is a booby trap set. It may be better to shut down the machine and take forensic images of the drives which will preserve the files and status of the machine as a snapshot in time. In either case, the creation of a true, forensic hard drive, image is a highly detailed process. If it is not performed by a trained professional, you may severely compromise your chances of obtaining admissible evidence as a result of your discovery efforts.
Suggested protocols for digital forensic analysis can be found within guidelines from institutions and organizations like the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST).
The final step before powering down the computer is to lock the drives so that the data on them cannot be overwritten either accidentally or by a booby trap when they are powered on again. There are tools available to perform all of these actions.
If you come across potential computer exhibits that are already powered down, these need to be seized as evidence and then investigated by qualified, professional forensic practitioners. Products in the market allow you to boot up these exhibits in a forensically sound manner, using the original hardware, enabling you to gain actionable intelligence at the point of discovery.
What if you don’t have room on your desk for the huge tower computer you’ve just seized from the suspect’s address? What if you eat your lunch at your desk and the suspect’s laptop is splattered with biological matter or full of accumulated dust from years of being hidden under a bed/desk?
To address these issues, along with preserving the chain of custody, you need to re-create the computer in a clean, sterile, forensic environment letting you access the evidence it may contain while protecting the source from modification or deletion. To do this, you need to create a virtual replica of the suspect’s computer.
Think about a firearms simulator for a moment. There are virtual targets on the screen and you are holding a firearm that communicates with the simulator. If you are on target and pull the trigger, a “hole” shows up in the target – just as surely as a piece of lead going downrange would make a hole in a paper target. You are convinced that you made that hole.
In a similar manner, a Virtual Machine (VM) is a piece of software that simulates a computer, letting the Operating System (OS) and any apps installed on that OS “think” that they are running on a real computer. If the OS or an app installed on it can perform an action on a real computer, it can perform the same action on a VM. With a little finesse, you can recreate the suspect’s entire computer as a VM, which in turn will allow you to re-create the entire digital crime scene in an accessible, virtual environment.
What is a Virtual Machine?
A VM is an app that runs on a computer, and “pretends” to be a computer. The VM software “tricks” the OS and apps into thinking that they are running directly on a computer when in reality, they are running on a simulated computer.
Using a virtual machine saves money by reducing the amount of hardware required – multiple VMs can share the same physical computer and access the same storage, putting processing power to use that otherwise might be idle while waiting for a human to respond.
Since VMs are divorced from the hardware, they are portable, and can be moved from real computer to real computer or can be accessed from almost anywhere (even across continents, via the internet).
This is how many modern corporate networks are configured: Your OS and your files are inside one VM which is running on the same big computer as dozens or hundreds of VMs from other users. “The cloud” works in a similar manner: Your OS, apps and files are slotted into a secure location, usually on a virtual server, specific to your business, accessible only with your own security credentials.
Forensic Virtual Machines
Before you can re-create a suspect’s machine in a VM, you need to create an image of it from the real computer on which it is running. Various forensic tools are available to “image” a hard drive, each having their own merits, but while you can build a VM yourself, this can be a time-consuming process, riddled with driver errors and Blue Screens of Death (BSoD errors). Special software is available that can take a forensic image (including the OS, apps and all user generated files) of a computer and convert it to a working VM, literally in seconds, giving you access to this valuable intelligence in a short period of time.
Standard forensic principles often deny an investigator the opportunity to turn a computer back on once it has been powered down. The use of a VM lets the forensic examiner fire it back up as many times as they like – and poke around it without affecting the original evidence.
In the same way a dead body from physical crime scene can give up clues and evidence to an ME as to who the perpetrator was and how the crime happened, use of a forensic VM from a “dead box” hard-drive (or an image of that hard drive) can offer up clues and powerful evidence to the digital examiner that are not available via standard forensic software. The VM enables a virtual autopsy of the suspect’s computer.
What can you do with a VM?
A picture speaks a thousand words, and showing a judge or a jury a screenshot of a suspect’s computer can save hours of technical explanation that can often fall on deaf ears.
If your suspect has been mixed up in a financial crime, you’ll have access to their accounting records; with a VM, you can export them to Excel and then copy them to your host system (extracting them from the virtual environment) to perform further analysis on – just like if you’d been able to turn on their actual computer. If they have been downloading or sharing illegal content, you will be able to take a screenshot of how and where the files were stored or show the sharing software actively attempting to send or receive material.
If the user was accessing files stored in proprietary databases, it is quite possible that the software to decrypt or interpret those databases resides on the suspect’s computer. Without access to the original computer, there is often no other way to access those files, so they become unusable – and they may contain the smoking gun evidence the examiner needs.
The forensic image captures the files but it also captures the original software that was used to access that information. By recreating the suspect’s machine as a VM, and performing a similar action on any other machine where proprietary databases are located, you can use the original software or even create a virtual network which links all of the VMs together, enabling you to access what otherwise might be inaccessible files.
Summary
Being able to access an identical (but virtual) replica of the suspect’s machine means you can interact with the files and the software on their system without fear of making a mistake that could modify or destroy it. If you have an accident, you can just go back to the previous system state (called a snapshot). And because a VM is just a piece of software, it can be moved from place to place or can be sent to the RCFL or a vendor, specializing in forensic work.
Making a forensic image of a computer allows you to lock all of the original hardware and software to the time when you first came upon it. Creating a VM from that image will let you search for evidence without altering evidence, and will let you go back to a previous point in time, if required. If you need additional expertise, you can send the VM to the person who has that knowledge, or boot it up in front of them for maximum psychological impact.
All in all, a VM can give you access to otherwise elusive evidence – and can help you present it in court in a non-technical manner.