1 Ricoh Legal Live Data Acquisition: The New Default Standard for Capturing ESI? By David Greetham, National Director of Forensics, Legal Enterprise Solutions
2 Live computer forensic imaging, which is performed while a desktop or laptop workstation is on, offers some important advantages over the more traditional static imaging, which is performed after a workstation is shut down. Live acquisition of electronically stored information (ESI), allows for the collection of the contents of random access memory (RAM); generally defeats hardware and software encryption; eliminates the need to shut down workstations and take them offline; and supports time and cost savings for investigators as well as end clients. Despite these advantages, questions have persisted around the validity of ESI collected through live acquisition. In this article, Ricoh Legal explores the validity of these questions and discusses potential advantages of live acquisitions. Over the last quarter century, legal requirements have increased the prevalence of and reliance upon computer forensics. Meanwhile, use of information technology has intensified with data volumes growing exponentially. For many years, the computer forensics community has established and followed predefined collection standards. Today, forensic imaging remains the foundation for all computer forensics, and is critical when having data admitted as evidence in courts and tribunals worldwide. Consequently, it is more important than ever to identify and utilize the most effective and defensible imaging methods available, while remaining cognizant of any cost concerns that clients may have. Imaging Methods for Data Acquisition Recent amendments to the Federal Rules of Civil Procedure (FRCP) have changed the guidelines for discovery including ESI. These amendments can result in significant costs for parties in civil litigation. During discovery, ESI on desktop and laptop computers ( workstations ) is generally gathered in one of two ways: on-site imaging or remote live imaging. On-site imaging can be performed with the computer on or off but usually incurs hourly time and travel expenses for forensics technicians. By contrast, remote imaging is typically performed live with a workstation turned on and is typically charged at a flat rate per device. Workstations typically contain a wealth of ESI. While servers (combined with the efficiency of the RAID technology typically used) quickly overwrite old data, workstations can in theory retain records of every file ever created (assuming the data has not been overwritten with new data). In a modern Microsoft Windows system, a workstation s master file table (MFT) functions as its index to all of its files. When a user deletes a file, the MFT removes the pointer to that file, but until overwritten with new data, the source data is still present on the workstation. Through forensic imaging, all past and present files including those deleted by the user can be captured as long as the data has not been overwritten with new data. Forensic imaging also captures metadata ( data about the data ), which can be vitally important to an investigation. For workstations, on-site acquisition of ESI is a standard process. A chain of custody form is completed for the equipment being imaged. The data custodian or technician shuts down the workstation before the technician removes the hard drive, creates a forensic image, validates the process and then reinstalls the hard drive into the computer. Finally, the technician turns on the workstation to verify it is in working order prior to leaving. 2
3 With a remote imaging process (using Remlox, for example), computer users the data custodians can facilitate the creation of their own forensic images. A tamper-resistant package is sent to the custodian, who then attaches an encrypted hard drive to the computer. The remote live imaging tool runs, with no input required on the part of the custodian. The tool creates a full and complete forensic image of the hard drive while the system is on. It also performs an electronic audit of the computer system recording a range of information, such as the make, model and serial number of the system; the make, model and serial number of the hard drive; user details; domain details; number of drives connected and other pertinent information. After the custodian completes the provided chain-ofcustody paperwork, he or she uses a pre-addressed package to return the encrypted hard drive to the forensic lab. In this example, remote live imaging offers three important advantages compared to traditional on-site imaging: Captures ESI in an expeditious, convenient and costeffective manner Enables imaging of random access memory (RAM) Can defeat or bypass most encryption Speed, Convenience and Cost-Effectiveness Few would argue that a remote approach to live imaging is the clear winner when it comes to cost and time efficiency. Compared with deploying forensic experts to perform imaging on site, the remote process is fast, secure and convenient. Data custodians can facilitate the live imaging process at their convenience, such as after hours or while on the road. Further, when a forensic image needs to be created quickly, scheduling and deploying a technician simply may not be feasible at short notice. Since remote live imaging can be deployed and completed within 24 hours, it is the clear choice when time is of the essence. Random Access Memory By definition, the contents of RAM are dynamic and temporary. With live imaging, an image of RAM can be captured. With a static approach, this volatile data is lost when the system is shut down. Yet, the contents of RAM can be a rich source of potentially important ESI. Indeed, an article published by DFI News outlines nine of the most common artifacts that can be found in RAM: Past and current network connections including the remote IP address and port number used in network connections A list of processes that were running at the time of RAM capture information that can provide important insights about how the system was being used User names and passwords Loaded Dynamically Linked Libraries (DLL) Contents of an open window including any keystrokes into Webmail, an client, values into a form field and an IM chat client and chat sessions (including participants) Open registry keys for a process, which can be crucial to identifying registry keys associated with a malicious process Open files for a process Unpacked/decrypted versions of a program Evidence of memory-resident malware an increasingly prevalent type of malware that lives only in a system s memory Live imaging can seamlessly capture all of this ESI, providing a complete picture of how the system has been used. Static imaging could also capture the contents of RAM as long as it is feasible to use compressed air to cryogenically freeze RAM chips before shutting down the system, removing RAM chips and then placing them into a specialized reader. While such an approach is technically possible, it probably is not desirable from a time or resource standpoint. Thus, although not every case will require the contents of RAM to be imaged, live imaging is the clear choice for those that do, or for those where the full scope of requirements may not yet be known. 1 Source: 3
4 Defeating or Bypassing Hardware and Software Encryption By definition, live imaging generally defeats encryption an increasingly common practice due to security risks and regulatory requirements. Encrypted hard drives and encryption software are more affordable and more in demand than ever before. Organizations are using this technology to protect sensitive information, thereby addressing regulatory requirements and reducing the risk of costly and embarrassing security breaches. What would be the point in creating a static image of a fully encrypted hard drive? After all, the image collected will be inaccessible to the forensic examiner. The examiner could try to persuade IT administrators to share their decryption codes, but it is highly unlikely that these confidential decryption keys would be shared. By contrast, live forensic imaging generally bypasses encrypted hard drives and encryption software simply because the user has already logged on and begun to use the workstation with pre-authorized credentials placing the target ESI in an unencrypted state. As noted in The Impact of Full Disk Encryption on Digital Forensics, Encryption is one of the strongest protection measures against unauthorized access to data. The need for securing data on hard drives has led to an increase in the use of strong encryption. Until recently, forensic examiners could recover digital evidence from computers despite the use of encryption. However, the integration of encryption into operating systems, specifically full disk encryption (FDE), is making recovery of digital evidence more difficult. Today, a forensics examiner may encounter a full disk encryption interface prior to the machine booting, preventing access to any data unless the necessary credentials are supplied. If these credentials are not available, forensic examiners may have to acquire a forensic image of a live system while the contents are in an unencrypted state. 2 FOUR TESTS PERFORMED Vestige Ltd. chose two operating systems for the analysis: Microsoft Windows XP Service Pack 3 installed on a 40GB SATA drive hosted on a Sony Vaio PCV-RS72G desktop and Microsoft Windows 7 Ultimate installed on a 160GB SATA drive and also hosted on a Sony Vaio PCV-RS72G desktop. The lab conducted four tests: TEST 1. The Microsoft Windows XP system was shut down with the command shutdown s t 0. The -s option directed the computer to shut down and not restart. The -t 0 option directed the computer to shut down immediately. The command was executed on 9/1/2011 at 2:23:00 Eastern. Upon completion of the shutdown process, the hard drive was removed. The hard drive was then connected to a forensic analysis machine through a Tableau IDE/SATA bridge (model T35e) in order to write block the data. The hard drive was then analyzed using Encase v6.18 for evidence of changes to files or the Windows registry. TEST 2. The Microsoft Windows XP computer was left running. A USB hard drive containing Remlox v3.1 was attached to the computer s USB port. Process Monitor (Procmon) v2.96 was executed for the purpose of tracking actions performed by the computer. Procmon, a Microsoft application, is an advanced monitoring tool for Microsoft Windows that shows real-time file system, Registry and process/thread activity. The Remlox application was then executed. Remlox created a full and complete forensic image of the host hard drive at the physical level onto the connected USB drive. The Procmon logs were then analyzed for evidence of changes to files or the Windows registry. TEST 3. The Microsoft Windows 7 system was shut down with the command shutdown s t 0. Again, the -s option directed the computer to shut down and not restart and the -t 0 option directed the computer to shut down immediately. The command was executed on 9/2/2011 at 9:32:00 Eastern. Upon completion of the shutdown process, the hard drive was removed. The hard drive was connected to a forensic analysis machine through a Tableau IDE/SATA bridge (model T35e) in order to write block the data. The hard drive was then analyzed using Encase v6.18 for evidence of changes to files or the Windows registry. TEST 4. For the fourth test, The Microsoft Windows 7 system was left running. A USB hard drive containing Remlox v3.1 was attached to the computer s USB port. Procmon was again executed for the purpose of tracking actions performed by the computer. The Remlox application was then executed. Remlox created a forensic image onto the connected USB drive. The Procmon logs were then analyzed for evidence of change to files or the Windows registry. 2 Casey, Eoghan and Stellatos, Gerasimos J., The Impact of Full Disk Encryption on Digital Forensics, circa April
5 Concerns Surrounding Forensic Soundness Traditional static imaging has been through extensive verification processes and has met certification requirements. Consequently, it is universally and scientifically accepted as an accurate and effective method to forensically acquire ESI. By contrast, questions have persisted about the forensic soundness of live imaging: Purists argue that forensic acquisitions should not alter the original evidence source in any way. However, traditional forensic disciplines such as DNA analysis show that the measure of forensic soundness does not require the original to be left unaltered. When samples of biological material are collected, the process generally scrapes or smears the original evidence. Forensic analysis of the evidentiary sample alters the sample even more because DNA tests are destructive. Despite the changes that occur during preservation and processing, these methods are considered forensically sound and DNA evidence is regularly submitted as evidence. Ricoh Forensics commissioned a study by a third-party lab to compare changes made during the shutdown process to create a static acquisition and those made during a live acquisition. Specifically, the study was intended to identify and then compare changes made to files or the Microsoft Windows Registry between both a live acquisition and the more traditional method of static acquisition in which the computer must be shut down. Key Findings The third-party lab conducted a series of tests (see Four Tests Performed ), which produced the following results: Static Imaging (changes recorded during computer shut down process) Live Imaging Using Remlox v3.1 (changes recorded while computers were running)* Changes to files Changes to Microsoft Changes to files Changes to Microsoft on the hard drive Windows Registry on the hard drive Windows Registry Operating system: Microsoft Windows XP Service Pack 3 30 files created 23 registry 16 files created 1 registry key Hardware: 40GB or modified keys modified or modified modified SATA drive hosted on a Sony Vaio PCV- RS72G desktop Operating system: Microsoft Windows 7 Ultimate 91 files created 21 registry keys 46 files created No changes to Hardware: 160GB SATA or modified modified or modified registry keys drive hosted on a Sony Vaio PCV-RS72G desktop *Note: In both cases of live imaging, there may be an additional change to the computer from the insertion of the USB device on which the Remlox application resides. This change would depend on whether or not the computer being imaged had previously interfaced with that particular USB device. Any changes would be the typical changes made to the Microsoft Windows Registry for the insertion of a new USB device, as well as changes to the setupapi.log (or setupapi.dev.log) and any drivers that might need to be installed (rare in the case of USB devices). 3 Ibid. 5
6 Full details are available in Vestige Ltd s report, Live Forensic Imaging, Using Remlox. The study s conclusion underscores the forensic soundness of live imaging: The evidence clearly demonstrates that running Remlox (a live forensic imaging application) at the physical level has minimal effect on file changes. Comparing the change in the data on a hard drive from the Remlox operation versus the change in the data on a hard drive when issuing the shutdown command, the results demonstrated that the shutdown command on a Microsoft Windows XP system or Microsoft Windows 7 system results in more changes to files and the Registry than utilizing the Remlox imaging process (emphasis added). Summary Despite the beliefs and skepticism of the more traditional forensic examiners, the third-party lab tests deliver scientific proof that live imaging can be an effective way to gather ESI. In fact, these tests show that live imaging of workstations may be considered more forensically sound making fewer changes to workstations than when the workstations are shut down prior to creating a static image. When the forensic examiner is provided with a workstation that is already shut down and powered off, a static image would clearly remain the method of choice. However, in circumstances where a workstation is on and the user is logged on, a live image should be considered the most effective and least invasive method to be used. Further, it provides the RAM and encryption advantages described in this article. ABOUT THE AUTHOR David A. Greetham, CFE, is National Director of Forensics, Legal Enterprise Solutions for Ricoh Americas Corporation. He is retained by law firms and corporations as a consulting and testifying expert in the area of Computer Forensics. He has performed investigations and provided consulting services relative to electronic evidence in large scale litigations involving up to 12,000 custodians. He has overseen the litigation process through the entire data life span, from pre-litigation consulting, data collection, data culling, preparation of data for attorney review, to providing expert testimony. Additionally, David has been responsible for forensic examinations of computer systems and other electronic storage media involved in theft of trade secrets, Internet misuse, harassment, murder, kidnapping, fraud and alleged spoliation. David has testified as a forensic expert on many occasions both nationally and internationally. He is a frequent speaker for Bar Associations continuing legal education (CLE) events, and industry associations. A Licensed Private Investigator with the States of Texas and Florida, David is also a member of the High Technology Crime Network (HTCN) and the Association of Certified Fraud Examiners (ACFE). 2013, Ricoh Americas Corporation. All Rights Reserved. All referenced product names are the trademarks of their respective companies. The content of this document, and the appearance, features and specifications of Ricoh products and services are subject to change from time to time without notice. While care has been taken to ensure the accuracy of this information, Ricoh makes no representations or warranties about the accuracy, completeness or adequacy of the information contained herein, and shall not be liable for any errors or omissions in these materials. The only warranties for Ricoh products and services are as set forth in the express warranty statements accompanying them. Nothing herein shall be construed as constituting an additional warranty. Your actual results and other performance measures will vary depending upon your use of the products and services, and the conditions and factors affecting performance. THERE ARE NO GUARANTEES THAT YOU WILL ACHIEVE RESULTS SIMILAR TO OURS. Ricoh does not provide legal, tax, accounting or auditing advice, or represent or warrant that our products or services will GUARANTEE OR ENSURE COMPLIANCE WITH ANY LAW, REGULATION OR SIMILAR REQUIREMENT. Customer is responsible for making the final selection of products, solutions and technical architectures, and for ensuring its own compliance with applicable laws. 6 RICNP-0028
Computer Forensic Services and the CPA Practitioner 2010-2012 Forensic Technology Task Force 2010-2012 Forensic Technology Task Force Ron Box Margaret Daley Carl Hoecker Joel Lanz Charles Reid Donna Tamura
Issue 4 Handling Inactive Data Efficiently 1 Editor s Note 3 Does this mean long term backup? NOTE FROM THE EDITOR S DESK: 4 Key benefits of archiving the data? 5 Does archiving file servers help? 6 Managing
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Getting Physical with the Digital Investigation Process Brian Carrier Eugene H. Spafford Center for Education and Research in Information Assurance and Security CERIAS Purdue University Abstract In this
The Growing Importance of E-Discovery on Your Business! An Osterman Research White Paper Published June 2008 SPONSORED BY!! Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington 98010-1058 Phone:
May 2013 Page 1 This document answers frequently asked questions regarding the Emerson system Backup and Recovery application. www.deltav.com May 2013 Page 2 Table of Contents Introduction... 6 General
156 Chapter 7 Seizing Electronic Evidence from Cloud Computing Environments Josiah Dykstra University of Maryland, Baltimore County, USA ABSTRACT Despite a growing adoption of cloud computing, law enforcement
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
A Formtek Whitepaper Getting Both Best-Practice and Best-Value in a Records Management System 1855 Gateway Blvd. Suite 570 Concord, CA 94520-5715 Phone: 1.800.367.6835 www.formtek.com 2012 Formtek, Inc.
Special Publication 800-125 Guide to Security for Full Virtualization Technologies Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul Hoffman NIST
Ricoh Security Solutions Version 18 Comprehensive and reliable solutions to protect sensitive information Ricoh Security Solutions Don t underestimate the risks and costs of information theft Information
Software Usage Analysis Version 1.3 Implementation Guide Implementation Guide i Note: Before using this information and the product it supports, read the information in Notices. Copyright IBM Corporation
White Paper May 2006 Applying Electronic Records Management in the Document Management Environment: An Integrated Approach Written by: Bud Porter-Roth Porter-Roth Associates Table of Contents Introduction
EMC NetWorker Version 8.2 SP1 Server Disaster Recovery and Availability Best Practices Guide 302-001-572 REV 01 Copyright 1990-2015 EMC Corporation. All rights reserved. Published in USA. Published January,
Payment and Security Experts Implementing PCI A Guide for Network Security Engineers Updated For PCI Data Security Standard Version 1.2.1 Tom Arnold, CISSP, ISSMP, CFS, CPISM/A, PCI/QSA Partner, PSC Sponsored
Yosemite Server Backup User s Guide Part number: First edition: October 2010 Legal and notice information Copyright 2004, 2012 Barracuda Networks, Inc. Under copyright laws, the contents of this document
The Impact of Electronically Stored Information on Corporate Legal and Compliance Management White paper The impact of electronically stored information on corporate legal and compliance management: An
Best Practices for Cloud-Based Information Governance Autonomy White Paper Index Introduction 1 Evaluating Cloud Deployment 1 Public versus Private Clouds 2 Better Management of Resources 2 Overall Cloud
One Stop Data & Networking Solutions PREVENT DATA LOSS WITH REMOTE ONLINE BACKUP SERVICE Prevent Data Loss with Remote Online Backup Service The U.S. National Archives & Records Administration states that
Electronic Records Handbook Table of contents Key points to consider 3 Introduction 5 Selecting an appropriate system 7 Regulation of electronic records (erecords) 10 Patient consent and rights to access
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...
WHITE PAPER: EDISCOVERY AND LITIGATION READINESS Becoming Litigation Ready Through Proactive Information Governance OCTOBER 2008 Peter Pepiton II CA INFORMATION GOVERNANCE SOLUTIONS Table of Contents Executive
T h e Se d o n a Co n f e r e n c e Wo r k i n g Gr o u p Se r i e s Th e Se d o n a Co n f e r e n c e Co m m e n t a r y o n ESI Ev i d e n c e & Admissibility A Project of The Sedona Conference Working
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
REED COLLEGE ediscovery GUIDELINES FOR PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS TABLE OF CONTENTS A. INTRODUCTION... 1 B. THE LANDSCAPE OF ELECTRONIC RECORDS SYSTEMS... 1 1. Email Infrastructure...