Capturing Evidence Metadata

00:00

in this lesson, let's talk about evidence, examination forms and the minimum record keeping requirements related to completed forms for evidence.

00:08

Well, come on, what must be recorded, who should record the information

00:11

and what to do Once a security case has been finalized

00:15

When collecting evidence and creating forensic images for your security case, what information should be collected about the evidence itself?

00:25

There are a lot of things which analysts really should record, although what is required to be recorded will depend on organisational policy and regulatory requirements. So data, which must be recorded compulsorily, will change from jurisdiction to jurisdiction.

00:39

At a minimum, though, the information to record should include a project code, case name or case number

00:46

or any combination off those things.

00:49

Ah, the analyst's name, the evidence item, name or number, depending on which you choose to use

00:55

the serial number off the device if it has one.

00:57

The date and time of the examination

01:00

and also the type of evidence or data source, such as a disk image or memory image or USB drive mobile phone. Whatever the case may be,

01:10

depending on the type of evidence, it is also wise to record additional information, such as the hard drive number inside a device, the make model serial and capacity off that hard drive

01:22

mobile device make model serial capacity and likely I M E I or any other identification number.

01:30

The operating system version and build, such as Windows Server 2000 and 12 are, too.

01:34

The system date and time, just in case that is different from the actual date. And time should also record the actual date in time so as it tags if they exist. Ah, lot of organization to use our *** tags. A lot of organizations don't, so you may or may not be able to record this.

01:49

The location of the collection is very important,

01:52

and the user or owner off the device if known

01:56

what on three pieces of information, which must be recorded about an evidence item during as security case.

02:04

Three things you must record the project code, case, name or number so that you know which case this particular evidence item belongs to

02:12

the analyst name. So your name, if you are the person conducting the examination

02:16

and the evidence item, name or number.

02:20

If the device or data source is being forensically imaged and not just collected or received by the analyst. Further information to record should include things like the imaging software name, including the version number.

02:32

The right blocking method used if one was used, which it probably should be.

02:37

Thesis TEM state. Whether the device was turned on or off for

02:40

what kind of state you offer. Edit it in

02:43

any passwords that were required, such as passports for mobile phones or passwords, to log into a system. Encryption passwords if they exist. Decryption case. If you are able to get a hold of them,

02:53

ashes of completed image is absolutely crucial in a forensic investigation

02:58

and any further notes related to the evidence.

03:00

What potential additional information about an evidence source should be recorded

03:07

hashes of completed images. The system state, whether it's on, off, etcetera and any possible it's required to image the system should be recorded. Let's take a look at how to record all of this information in one place using an evidence examination form.

03:22

So what we have here is an example of a computer examination form. You can modify this however you like just so that it suits your team and the way that you guys work.

03:31

Your organization may have a policy about what needs to go into this document.

03:35

If not, maybe you should think about creating one.

03:39

So as we can see, we start with the case number and the case name

03:44

so that we know exactly which case this piece of evidence belongs to.

03:46

We then have the analyst name, which is a requirement. If you are the one filling out the computer examination form, put your name here. If someone else is filling it out, ensure that their name is there so that you can trace this back if necessary.

04:00

Forward by the evidence. Identify. This might be the evidence named Evans number. However, you're going to identify the evidence item.

04:08

Next, we have the physical attributes off the device. Now

04:11

there are a couple of options here. You can put a notes section in so that you can describe the device. Or you can put a further notes section at the end of the form so that you can know it down. Whatever you need to say that there's scratches on the device where there's nicks or cuts or whatever it might be, you might want to describe the color of the device, depending on how many you have.

04:30

This also allows you to identify the various hard drives that maybe inside the device,

04:34

including their model, the serial number and whatever the capacity might be said that it's two terabytes. For example,

04:41

Following this, we have system information,

04:43

so this will be information about the system or the device that you are capturing.

04:46

So we want the system dating time because this is not necessarily always going to be accurate, and we want the actual date in time so that we can compare the two and make sure that one or the other is correct.

04:56

We then have time checked against where you would specify what you used to check the actual date in time. Say, use your mobile phone or use your watch or whatever it is following that we have the serial number, which would probably be the serial number of the device itself, not the internal disks

05:13

guarded by the type of device, whether it's a laptop, a desktop, a Palm Pilot, all whatever it might be

05:18

and then at the bottom here of the system information we have the OS version and build say windows over 2012 are, too. And whatever the build number might be,

05:27

open the right hand side. We have the asset tag. This might just be not applicable. War and slash a or one of you want to put in there if an asset tag doesn't exist. If you're working at an organization where asset tags are used, then hopefully you'll be able to note this down in the examination form.

05:41

Following that, we have the location and depending on where the asset was collected or where you create creating the

05:46

forensic image, you might put in a lab before you might put in sight one. Or you might put in whatever the name of the site. Maybe

05:54

following that we have the make of the device so that it's like a Dell, her NHP or whatever it might be, and then the specific model. If you are able to glean that information, finally we have the user or the owner off the device,

06:05

then moving down the sheet we have imaging, which is specifically about the forensic image you're creating.

06:11

So first of all, we definitely want the software and version on. We definitely want the version because different versions of the same software may produce different results. Say new X Version 3 may produce different results than New X Version seven, for example. Following this, we have right walking

06:27

on. This is typically the hardware or software.

06:30

If you have another method of right walking, feel free to add it in here

06:33

when this is just a tick box. So you think the system state. In a lot of cases, we will be doing dead box forensics, which is where the system state has turned completely off.

06:43

Following that, we have terminal where you might have Ah, Lenox Terminal that you're operating from. And finally we have the gooey, which should be like a windows gooey.

06:50

And there's also a space enough in these two fields to write in something separate. If there's a

06:56

unknown case that comes up,

06:58

then we have passwords required. So if you had a pin code for a phone, for example, where if you have a password that you need to log into the machine or to decrypt the machine, this is where you would enter that information. Then we have the hash, which is an essential part of any forensic examination.

07:12

Then we want to know whether the hash was recorded to a file, yes or no, and whether the image or hash was verified yes or no. It would be ideal if we can say that the image hash was verified and it verified successfully.

07:26

As you can see, we have fields for each of the items.

07:29

The reason this works is that people tend to enjoy filling out boxes, and making it simple and straightforward tends to result in more information being recorded.

07:36

Forms such as this should be completed by the analyst performing the examination or collection off the evidence. Ideally, at the beginning of the collection,

07:46

what information should be recorded about the process for creating images of evidence?

07:53

You should record the imaging software and version used the right blocking method used, if any, and the image hash once it is completed and hopefully verified.

08:01

Once the form has been completed, we need to decide where to store all completed forms. This will obviously be an organizational decision, but it's recommended that both physical and digital, such as PDF copies are kept.

08:15

Copies should be kept in secure locations with the principle of least privileged determining those who have access.

08:22

So in this lesson we learned about evidence examination forms and the minimum record keeping requirements related to completed forms.

08:30

We also talked about what must be recorded, who should record the information