On Scene Tips: Securing Computers for Forensic Analysis
Choices you make in securing digital evidence on scene can make or break your department’s ability to recover evidence and make a case. In the past, we’ve covered common mistakes made on scene and offered advice for water emergencies. Today we share best practices for securing a computer, especially one that is powered ON and potentially encrypted.
In a previous post, we talked about ways to secure mobile devices and computers that are powered OFF. We encourage you to read that entire post, but if you seize a computer that is OFF, don’t turn it ON. Just bag it, tag it and send it to the digital crime lab for analysis.
If A Computer is ON and Accessible
If the computer is ON and accessible, the traditional way to secure the evidence is to unplug the device from its power source. This prevents any unexpected changes to data that may occur during a “normal shutdown”. However, the increasing use of data encryption is forcing first responders to change that protocol slightly. If the computer is ON and accessible, you’ll need to perform a few cursory checks for encryption before you do anything else.
If a hard drive is encrypted, the data on that drive is effectively inaccessible to a forensic examiner (or anyone) without the appropriate password. So if you come across a computer that is ON, accessible and encrypted, you have a unique opportunity to access the data on that drive that will be lost if you simply pull the plug and process it like other devices. If you believe that the device is encrypted, you should immediately seek the help of a trained forensic examiner, who may perform a field analysis of the device.
Determining If The Data Is Encrypted
To detect full disk encryption on a computer that is ON may be as easy as identifying the operating systems and version of those operating systems that support full disk or full volume encryption schemes like Windows BitLocker full volume encryption. This feature is available on most modern versions of Windows and is enabled by default on certain clean installs of Windows 8.1 Pro and higher.
To check for Windows BitLocker, you’ll need to view a list of the computer’s hard drives or volumes. From the START menu, click on COMPUTER or FILE EXPLORER. From there you should see a list of the storage media connected to the computer. A BitLocked drive will have a closed LOCK through the icon. (see the image below)
Close attention should also be given to the volume names at this point. The presence of a volume name that contains the word “CRYPT”, “VAULT”, “LOCKED” or similar phrase should serve as a clue that volume level encryption may be present.
If BitLocker can be ruled out, then a minimally intrusive look for other encryption tools should be undertaken.
STEP 1 - Check the Desktop: Perform a close visual inspection of all desktop icons. Note any programs with names like PGP, VeraCrypt, TrueCrypt, BestCrypt or FreeOTFE.
STEP 2 - Check the System Tray: Visually inspect the systray area (usually in the lower right of the screen) to check for icons associated with FreeOTFE.
STEP 3 - Check the Program List: Review the list of program files for applications capable of providing encryption. You can see this list from START > PROGRAMS (or All Programs) or in the PROGRAM FILES folder in FILE EXPLORER. Look for names including PGP, VeraCrypt, TrueCrypt, BestCrypt, Jettico, Kremlin, Protector, Shredder, and anything containing the word Encrypt or Crypt.
Any of these programs or icons indicates the presence of an encrypted drive or volume. Photograph these icons and immediately seek the assistance of a trained examiner.
If you complete this triage and do not detect any suspicious items, then disk encryption is likely not present, and you can proceed accordingly.
If you need help with a planned seizure or with forensic data analysis, Contact Flashback Data today. We work with law enforcement and DA’s around the country and provide faster turnaround than your local RCFL or state crime lab.