1D - Understanding Digital Forensics Flashcards
What is digital forensics?
Used by police when investigating crimes to find digital evidence that can secure a conviction
What is the Forensic Process 19, proposed by NIST?
Four cyclical phases:
- Collection: data is examined, extracted and converted into a format suitable for forensic investigation
- Examination: carried out by a forensic tool
- Analysis: analyse the data and transform it into information that can be used as evidence
- Reporting
What are the principles in forensic investigation? Describe each
- Admissibility - evidence must be relevant to the disputed fact and must not violate any laws or legal statutes
- Order of volatility - secure the most perishable evidence first
What is the volatile evidence in a web-based attack?
Capturing the network traffic
What is order of volatility for a host based attack?
- CPU Cache - a fast block of volatile memory used by CPU
- Random Access Memory (RAM) - volatile memory used to run applications
- Swap / Page File / Virtual Memory - used for running applications when RAM is totally exhausted
- Hard Drive - Data at rest for storing
Command line tool that disappears upon reboot?
netstat
What is e-discovery?
Collection, review and interpretation of electronic documents on hard disks, USB drives and other forms of storage.
What is the chain of custody?
Lists the evidence and who has handled it along the way
What to do when evidence is collected?
Bag, tie and tag it to ensure no tampering, and record it in the evidence log
What is data provenance?
Proof that the chain of custody has been carried out properly and that the original, untampered data has been presented to the court
What is legal hold?
Process of protecting any documents that can be used in evidence from being altered or destroyed.
What can legal hold be known as?
Litigation hold
What is data acquisition?
Process of collecting all of the evidence from devices such as USB flash drives, cameras, computers and data in paper format (letters / bank statements etc).
What are artifacts?
Evidence that is invisible to the naked eye.
Examples of artifacts?
Log files, registry hives, DNA, fingerprints, fibres of clothing
What is the time offset?
The regional time
What is time normalisation?
Times from different time zones are corrected to a common time zone so that events can be put into a meaningful sequence
What 3 time stamps are given on files?
When they were
- created
- last modified
- last accessed
What are forensic copies?
When data is collected, a forensic copy is taken for analysis so that the original data remains unaltered
How do you ensure data integrity of forensic copies or other data?
Hash the data at the beginning and at the end, and ensure that the two hashes match
7 Types of evidence?
- Capturing system images
- Firmware - a coding expert must compare the source code from the developer against the current source code.
- Snapshots - VMs.
- Screenshots - of applications or viruses on desktops
- Network traffic and logs
- Videos (CCTV)
- Interviews (of witnesses)
Types of network traffic and logs to collect?
Firewall, NIPS and NIDS logs; a SIEM can collate the entries
What does SIEM stand for?
Security Information and Event Management (SIEM)
Describe measures for preservation of data?
- Taking copies to keep the original data untampered
- Taking and checking hashes
- Putting a copy of vital evidence on a WORM drive (data cannot be deleted)
- Write-protecting storage drives
Examples of recovery steps?
- Recovering from backup
- Hot sites / cold sites
- Purchasing additional hardware if the original is damaged
What is strategic intelligence / counterintelligence gathering?
Different governments exchange data about cyber criminals so that they can work together to reduce threats
What is active logging?
Active monitoring and logging of changes.
What does a SIEM do?
Real-time monitoring and collation of entries from log files.
What are the stages of the Cloud Forensic Process 26 (2012)?
Stage A - Verify the purpose of cloud forensics
Stage B - Verify the type of cloud service
Stage C - Verify the type of technology behind the cloud
Stage D - Verify the role of the user and negotiate with the CSP to collect all the evidence required
What is a CSP?
Cloud Service Provider
Why is the collection of forensic evidence more difficult in the cloud?
CSPs create and destroy virtual machines on a regular basis
What does the forensic team need to consider in discussions with a CSP?
- State the reasons for the collection of evidence
- Rely on the CSP to send them the correct evidence
What is a Right-to-Audit clause?
An auditor can visit the premises of a supply-chain contractor without notice and inspect the contractor’s books and records to ensure that the contractor is complying with its obligations under the contract.
What can a Right-to-Audit clause help identify? (7)
- Faulty or inferior quality of goods
- Short shipments
- Goods not delivered
- Kickbacks
- Gifts and gratuities to company employees
- Commissions to brokers and others
- Services allegedly performed that weren’t needed in the first place, such as equipment repairs
What was the CLOUD ACT 2018?
Introduced following the problems the FBI faced in forcing Microsoft to hand over data stored in Ireland.
Allows U.S. law enforcement, through a warrant, subpoena or court order, to access electronically stored communications data located outside the United States, provided that the information sought is relevant and material to an ongoing criminal investigation
What is COPOA?
Overseas Production Act.
Allows the UK to seek data stored overseas as part of a criminal investigation.
Data sharing agreements between countries?
US & UK (2019)
US & EU (2016)
Data breach notification / laws?
EU: GDPR - breaches must be reported within 72 hours.
Fines > £10M