Scoping an Intrusion

Article Posted: April 20, 2011

When investigating a computer intrusion, it is important that all the necessary data in a case is collected on the first inspection. The objective of this article is to illustrate the different types of digital data that should be collected when searching a crime scene or the location of a computer intrusion. This document was written with the law enforcement community in mind, but it is equally applicable to anyone investigating a computer intrusion within a company. Each crime scene or intrusion is different and will pose different challenges.

It is essential in each case to ensure that all the necessary digital data is collected. When investigating a computer intrusion that affects a company or organization, the hard drives imaged or the computers targeted in the intrusion do not always tell the whole story. Extra data may need to be collected to fill in the missing pieces and to decrease the turnaround time of the analysis. It is easier to collect data while onsite than to return and collect it later. It should also be noted that by the time someone returns to collect additional data, the desired data could have been deleted or overwritten through normal operations (log rotation, DHCP lease expiry, and proxy cache churn are typical causes).

Scoping the Digital Crime Scene
When investigating a company that was the victim of a computer intrusion, it is necessary to understand the type of business and the services it provides and exposes. Understanding the type of business you are working with helps identify the motive. Understanding the services provided and available to the public helps identify the possible intrusion vector. Those on the scene will want a good understanding of how data or information flows in and out of the company's internal network. This will help identify which system(s) need to be imaged and analyzed first.

What Evidence Needs to Be Collected?
An intrusion is usually identified by an alert from a monitoring device, odd computer or network activity, or an obvious loss of company assets. These assets could be financial, intellectual property, or computer resources. After it has been suspected or determined that a breach has occurred, what information or data needs to be collected for analysis? Answering that depends on asking the right questions when interviewing the victim, and the complexity of the victim's infrastructure determines which questions to ask. For example, does the victim have a single business location or multiple locations with network connections between them? Are there business partners who connect to the network through VPN connections? Does the victim have a DMZ that houses Web, e-mail, or DNS servers? Does the Web server connect to a backend database that is behind a firewall? These are the types of questions that need to be asked when determining the intrusion vector.

The next set of questions focuses on determining which parts of the network infrastructure might have logged all or part of the intrusion activity. Below are key questions to ask when interviewing the victim:

• What networking devices are installed that have logging functionality?

o Firewalls
o Intrusion Detection Systems
o Routers
o Web Servers
o Proxy Servers
o SMTP Servers
o DHCP Servers
o DNS Servers

• What time zone are the logs in? If a company has multiple locations, ask whether the clocks are synchronized using NTP or are set to the local time of each location. Without this answer, events from different devices cannot be reliably ordered against each other.
• Have any changes recently occurred to the network, public facing systems, or applications?
• Are there any network maps? All the network maps need to be reviewed, even older copies.
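The answers to the logging-device and time-zone questions above feed directly into the first analysis task: building one timeline from logs that were written by different devices in different time zones and date formats. The following is an added example (not code from the original article) that normalizes constructed firewall, proxy and DHCP log lines to UTC, applying the per-device time zone and clock skew an investigator would have recorded during the interview. The device names, log formats, time zones and the 120-second firewall clock skew are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Clock settings for each log source, as they would be recorded during the
# victim interview. All values here are assumptions for the example:
#   tz     - time zone the device writes its timestamps in
#   fmt    - strptime format of the timestamp
#   tokens - number of leading whitespace-separated tokens that form the timestamp
#   year   - year to assume for year-less syslog stamps (None if the stamp has one)
#   skew   - seconds the device clock runs fast (positive) or slow (negative),
#            measured against a trusted reference when the logs were collected
SOURCES = {
    "fw1":   {"tz": timezone(timedelta(hours=-5)), "fmt": "%b %d %H:%M:%S",
              "tokens": 3, "year": 2011, "skew": 120},   # not NTP-synced, 2 min fast
    "proxy": {"tz": timezone.utc, "fmt": "%Y-%m-%dT%H:%M:%S",
              "tokens": 1, "year": None, "skew": 0},
    "dhcp":  {"tz": timezone(timedelta(hours=-8)), "fmt": "%m/%d/%y %H:%M:%S",
              "tokens": 2, "year": None, "skew": 0},
}

# Constructed sample log lines (not from any real device or incident).
LOGS = {
    "fw1": [
        "Apr 18 03:12:45 fw1 ALLOW TCP 192.0.2.25:51240 -> 203.0.113.45:443",
    ],
    "proxy": [
        "2011-04-18T08:10:07 proxy 192.0.2.25 GET http://203.0.113.45/update.exe",
    ],
    "dhcp": [
        "04/18/11 00:09:30 dhcp DHCPACK 192.0.2.25 00:11:22:33:44:55",
    ],
}


def parse_line(source, line):
    """Split one log line into (utc_time, local_naive_time, source, message)."""
    cfg = SOURCES[source]
    parts = line.split(" ", cfg["tokens"])
    stamp, message = " ".join(parts[:cfg["tokens"]]), parts[cfg["tokens"]]
    local = datetime.strptime(stamp, cfg["fmt"])
    if cfg["year"] is not None:
        # syslog-style stamps carry no year; strptime defaults it to 1900
        local = local.replace(year=cfg["year"])
    aware = local.replace(tzinfo=cfg["tz"])
    # Convert to UTC, then remove the measured clock skew of the device.
    utc = aware.astimezone(timezone.utc) - timedelta(seconds=cfg["skew"])
    return utc, local, source, message


def build_timeline(logs):
    """Return [(utc_time, source, message)] ordered by corrected UTC time."""
    events = [parse_line(src, line) for src, lines in logs.items() for line in lines]
    events.sort(key=lambda e: e[0])
    return [(utc, src, msg) for utc, _local, src, msg in events]


def naive_timeline(logs):
    """The wrong way: order by the raw local timestamps with no zone correction."""
    events = [parse_line(src, line) for src, lines in logs.items() for line in lines]
    events.sort(key=lambda e: e[1])
    return [(local, src, msg) for _utc, local, src, msg in events]


if __name__ == "__main__":
    print("Corrected (UTC) timeline:")
    for ts, src, msg in build_timeline(LOGS):
        print(f"  {ts.isoformat()}  {src:5}  {msg}")
    print("Uncorrected local-time ordering (misleading):")
    for ts, src, msg in naive_timeline(LOGS):
        print(f"  {ts.isoformat()}  {src:5}  {msg}")
```

In the corrected timeline the DHCP lease, the proxy request and the firewall permit for the same internal host line up in the order they actually happened (dhcp, proxy, fw1); sorting the raw local timestamps instead places the firewall event before the proxy request, which would send the analyst looking for the wrong cause. The skew value is the reason to ask about NTP: a device that is not synchronized needs its offset measured at collection time, because it cannot be recovered afterwards.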
