I present in this post the principles and correct steps for the acquisition of potential digital evidence online, from the Internet. Online acquisition of web pages and other content is a problematic part of digital forensics, especially given the need to preserve integrity and the volatility of online content. Physical access to the server or datacenter where evidence is stored is often problematic, if nothing else for geographic reasons.
- All activities should be videorecorded, in a single file without interruptions.
- All network traffic exchanged during acquisition operations should be recorded as well. Later on this, correlated with the video recording, will guarantee the integrity and veracity of what was done.
- Like in all digital forensics operations, the working environment and all the software tools used must be documented (type, version, etc).
- Of any result (video recording, network traffic, files downloaded if applicable) the analyst must generate its hash signature and document it. If possible, legal digital signatures and timestamps should also be applied to the files.
1 Start video recording
2 Environment validation
Firstly the analyst should verify that the working directory is empty, so to be sure files present at the end are actually downloaded during acquisition and not already present. The same goes for the files containing the video recording and network traffic.
Then, the integrity of the Domain Name System client should be verified, so to be sure remote servers visited are actually remote servers and the right ones. In other words, the correct functionality of the DNS resolver used during operations assures that the IP addresses visited are the actual ones, on the Net. To do so, the analyst visualizes the resolver configuration (the nameservers it uses, that shluld be well-known public servers).
nameserver 188.8.131.52 nameserver 184.108.40.206
Given the volatility of Internet content, date and time should be known, from an external source. A well-known ntp server could be employed for this purpose, first verifying the configuration (a MacBook in the example) and then synchronizing the ntp client with the remote server. The date and time are later visualized.
cat /etc/ntp.conf server time.euro.apple.com. ntpd -q date
3 Start traffic recording
At this time the analyst con proceed to browse the content he or she is interested in, browsing it normally on the web and if necessary downloading files in the working directory. If traffic is unencrypted it will be possible to extract files also from the traffic recorded (for instance, text, images and binaries).
When the content needed has been visited or downloaded traffic capture can be stopped. The presence of downloaded files and recorded traffic in the working directory is verified by a simple listing command via terminal, their hashes calculated. The video recording can now be stopped too.
Sctrictly speaking, analysis is a separate phase from acquisition in the digital forensics workflow. Detailed analysis activities and goals vary wildly according with cases and goals but we can at least sketch some of the basic activities. Among them are the extraction of content from the traffic file (.pcap format is a de facto standard), the reconstruction of interactions between client and server, the subsequent analysis of for instance malware present on the site or in binaries.