4.5 Flashcards
Legal hold
Legal hold is the process of protecting any documents that can be used in evidence from being altered or destroyed. Sometimes, this is also known as litigation hold.
Video
Capturing video: CCTV can be a good source of evidence for helping to identify attackers and the time the attack was launched. This can be vital in apprehending suspects.
Admissibility
Evidence is deemed admissible only if it is relevant to the disputed facts of the case and does not violate any laws or legal statutes.
Chain of Custody
The chain of custody is one of the most crucial aspects of digital forensics, ensuring the evidence has been collected and there is not a break in the chain. It starts when the evidence has been collected, bagged, tied, and tagged, ensuring the evidence has not been tampered with. It lists the evidence and who has handled it along the way.
Time Stamps
Each file has timestamps showing when the file was created, last modified, and last accessed.
Time offset
When we collect evidence from computers, we should record the time offset. This is the regional (time zone) offset of each system, so that in a multinational investigation we can place events from different systems into a single time sequence; this is known as time normalization.
Tags
Physical serialized tags are attached to each item, and the tag number is used to identify a specific item. Frequently the items are then stored in anti-static bags to protect them from damage.
Reports
Reports are the official descriptions of the forensic data. Reports can have a variety of elements—from pure descriptive information, such as machine/device identifiers (make, model and serial number), to information on the data, including size and hash values. Reports can also have specific elements that are derived from this information, such as a timeline, an analysis of keywords, specific artifacts, and present or missing items. An expert can opine on what these elements mean or can mean with respect to the system.
Event logs
Event logs are text files that record events and the times at which they occurred; they can reveal trends and patterns over a period of time. For example, servers, desktops, and firewalls all have event logs that detail actions that happen. Once you know the time and date of an event, you can gather information from the various log files. These can be stored on Write-Once Read-Many (WORM) drives so that they can be read but not tampered with.
Interviews
The police may also take witness statements to try and get a picture of who was involved and maybe then use photo-fits so that they can be apprehended.
Acquisition
This is the process of collecting all of the evidence from devices, such as USB flash drives, cameras, and computers; as well as data in paper format, such as letters and bank statements. The first step in data acquisition is to collect the volatile evidence so that it is secured. The data must be bagged and tagged and included in the evidence log.
Order of Volatility
a. CPU Cache: Fast block of volatile memory used by the CPU
b. Random Access Memory (RAM): Volatile memory used to run applications
c. Swap/Page File/Virtual Memory: Used for running applications when RAM is exhausted.
d. Hard Drive: Data at rest for storing data
Order of volatility is collecting the most perishable evidence first. In a web-based attack, we should collect the network traffic with a packet sniffer.
Disk
A physical hard disk drive (HDD) will persist data longer than a solid-state drive (SSD), and newer file systems with journaling and shadow copies can retain information longer than older systems such as File Allocation Table-based (FAT-based) systems. Raw disk blocks can be recovered in some file systems long after data has been rewritten or erased, due to the way those file systems manage the data.
Random-access memory (RAM)
Random-access memory (RAM) is the working memory of the computer that holds the current data and programs being processed by the CPU. This memory, once limited to a single megabyte, now commonly consists of 4 GB or more. It holds the current state of the system as it is processing and is continuously changing. There are cases of malware that exist only in RAM, and without memory analysis and forensics you would never see them. This information is lost forever when the system is powered down.
Swap/pagefile
Used for running applications when RAM is exhausted.
The swap or pagefile is a structure on a system’s disk to provide temporary storage for memory needs that exceed a system’s RAM capacity. The operating system has provisions to manage the RAM and pagefile, keeping in RAM what is immediately needed and moving excess to the pagefile when RAM is full. This causes a performance hit, and with the reasonable cost of RAM, most systems avoid this by having sufficient RAM.