In criminal cases, it’s common for law enforcement to seize mobile devices and computers that might have electronically stored information that is relevant to the case at hand (with warrants, of course). In cases involving businesses, that information is often stored on a “server.” It’s far less common for law enforcement to seize a server, but why?
One reason is that the business is often either a victim or at least did not actively participate in the crime (e.g. an employee stored child pornography on a server at work and the employer found it and reported it). Taking the company’s server(s) would disrupt its business.
Another, very good, reason is that it’s not necessary. In cases such as hacking, it’s common for the business to hire a computer security firm that specializes in “incident response”. This specialty is related to digital forensics but focuses on hacking and security, including getting a business operational again after an incident. The incident response firm will collect information, including forensic images (bit-for-bit copies of the device storage or hard drive), and that information can be turned over to law enforcement for use in its criminal investigation.
The forensic images created by an incident response firm will be equivalent to those that law enforcement would create, provided the firm documents how the image was acquired and records a cryptographic hash of it so that the image can later be shown to be unaltered. With mobile phones and personal computers, law enforcement typically doesn’t examine the device itself. Instead, they make a forensic image of the data or, if a forensic image is not possible, fall back on a less preferable but acceptable method such as a backup. If law enforcement has seized the device, they will store it securely and not use it again unless there is an issue with the forensic image. In the end, whether law enforcement seizes the device or not, they perform their analysis on a forensic image.
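To make the imaging-and-verification step concrete, here is an added example (it is not from the original post and not any particular firm’s procedure) that acquires a bit-for-bit image with `dd` and checks it with SHA-256, the same check an examiner repeats before and after working on a copy. The “device” is a constructed 1 MiB file standing in for a disk such as /dev/sdb or a virtual disk file on a SAN; the log format and the `case42` paths in the usage line are this example’s own choices. A real acquisition would also go through a hardware write blocker and use a tool that records read errors and sector counts (dc3dd or ewfacquire, for instance), which plain `dd` does not do.

```shell
#!/bin/sh
# Added example, not from the original post: forensic imaging and hash
# verification using only dd and sha256sum. The source is a constructed
# regular file standing in for a physical disk or a VM's virtual disk file.
# Real acquisitions add a write blocker and error-aware tooling (dc3dd,
# ewfacquire); this script shows only the copy-and-verify core.
set -eu

# hash_file PATH: SHA-256 hex digest, using whichever tool the host has.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_sample_disk PATH: constructed 1 MiB "disk" (test data, not evidence)
# with a recognizable string at offset 4096 so there is something to image.
make_sample_disk() {
  dd if=/dev/zero of="$1" bs=4096 count=256 2>/dev/null
  printf 'EVIDENCE: sample filesystem bytes' \
    | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# acquire_image SRC DST [LOG]: bit-for-bit copy of SRC into DST, then hash
# both. Prints the SHA-256 of the image and appends an acquisition record
# to LOG (default: DST.log). Fails if the image does not hash identically
# to the source; that comparison is what lets the original be sealed away
# and all later work done on the copy.
acquire_image() {
  src=$1; dst=$2; log=${3:-"$2.log"}
  dd if="$src" of="$dst" bs=4096 2>/dev/null
  src_hash=$(hash_file "$src")
  dst_hash=$(hash_file "$dst")
  if [ "$src_hash" != "$dst_hash" ]; then
    echo "acquire_image: image hash $dst_hash != source hash $src_hash" >&2
    return 1
  fi
  # Minimal acquisition record: when, what, who, and the hash. The field
  # layout is this example's own, not a standard form.
  printf '%s source=%s image=%s sha256=%s operator=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$dst_hash" \
    "${USER:-unknown}" >>"$log"
  echo "$dst_hash"
}

# verify_image IMG EXPECTED_HASH: re-hash a working copy before analysis
# (or after it, to show the image was not altered). 0 on match, 1 otherwise.
verify_image() {
  actual=$(hash_file "$1")
  [ "$actual" = "$2" ]
}

# Usage: sh image.sh /dev/sdb /evidence/case42-sdb.raw
if [ "$#" -eq 2 ]; then
  acquire_image "$1" "$2"
fi
```

The same two functions apply unchanged whether the source is a physical drive or a virtual machine’s disk file copied off the SAN, which is why a business with a virtualized environment usually already has everything it needs to produce an image.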
Suppose, however, that we’d really prefer that law enforcement take the servers and create the images themselves. Can they do that? Probably not.
Note: the next few paragraphs get pretty geeky so if you get lost, it’s okay. Just plow ahead and I’ll give you the big picture view at the end.
We often refer to a server as if it is a standalone device. The reality is much more complex. In the past, each server was a self-contained unit with processors, memory, hard drives, etc. and each one had an operating system such as Windows or Linux. They were like souped-up desktop computers. Today, servers use technology called “virtualization” to run several systems within the same physical machine. This allows IT departments to use hardware more efficiently. So, one physical machine could run 10 copies of Windows and 10 copies of Linux side-by-side. These systems would not be aware of each other but would share physical resources. If one of these virtual systems crashes, the others are not affected (though if the physical machine itself fails, all of them go down with it, which is what clustering addresses).
For better efficiency, and for recovery in case of a hardware failure, physical servers can be clustered together. In a cluster, a virtual system (e.g. a Linux web server) can be moved between physical machines at the direction of a system administrator, or automatically.
And, whereas a personal computer typically has one or two hard drives (to store our files and the operating system), a server may need a massive amount of storage. It’s difficult to fit all of that into one physical unit so many organizations buy servers that have little or no storage in them. Instead, they put all of their hard drives into a shared storage unit called a SAN (storage area network). The SAN can manage hundreds of hard drives and provide storage to each server over the network. One major advantage of a SAN is that it frees the server from having to worry about the individual hard drives; the SAN can combine several drives into one big block of storage or split up a drive into several small ones. In order to communicate, most SANs require their own network switch. Most of us have a switch/router at home to connect to the Internet. The switch used with a SAN is similar but more powerful and tens of times more expensive.
If you got lost, here’s where I sum this up:
In the past, a server might have been one physical computer running one copy of Windows. Today, it might be a cluster of three physical machines running seventy copies of Windows and/or Linux that connects to a shared storage device (bucket of hard drives) via a dedicated network switch. That equipment will draw a tremendous amount of power and needs to be in a room with a dedicated air conditioner. It can also cost $100,000 or more and might be used to process all of a business’s important operations. It’s no wonder a business would be reluctant to hand it all over.
The best approach in most cases will be to either work with the business to get the relevant information off of the servers, or to let the business work with a security firm to provide that information. In most cases, the business will already have the tools necessary to produce images for any servers that are relevant to the case. The business, or the security consultants, may also be able to produce logs from other devices, such as a firewall, that might be of interest.
Disclaimer: This post focuses on the technical issues involved. It does not attempt to address any of the legal issues involved in what an organization might or might not be compelled to provide to assist an investigation.