4.5 Digital Forensics Flashcards
Define legal hold
A legal notice requiring preservation of specific data until a specific date or until notified that it is no longer required
Admissibility of digital evidence
All digital evidence must be collected and secured against tampering per local laws to ensure it can be used in court proceedings
Chain of custody
Documentation of every access to the data and everything done with it after collection, to ensure that it has not been altered
For chain of custody, how can one ensure that the data has not been altered?
By using hashing
Time stamps
It is important to know which time zone the system used for file time stamps. For example, the FAT file system uses the local time zone set on the device, while NTFS uses GMT
Time offsets
The OS may have time offset settings configured for different components. These must be checked to know what the various time stamps really mean
How is order of volatility relevant to digital data collection for forensics?
Data may not be preserved for long, depending on the component that stores it, so data collection must start with the most volatile data
Order of Volatility (4)
- CPU - registers, cache
- Router tables, ARP cache, process tables, and anything stored in system memory
- Temporary files
- Hard drives, configuration data
How to preserve disk data?
Must make a bit-for-bit exact copy of the drive that is write-protected
How to preserve memory data?
Use a third-party tool that provides a memory dump to more permanent storage
How to preserve the swap/page file?
Swap/page files provide virtual memory that is actually stored on disk, so they must be included when doing the memory dump
OS information that must be preserved but will be lost when generating an image of the drive (4)
- Logged-in users
- Open ports
- Running processes
- Any attached devices
Preserving data from mobile devices
Can connect via USB to create an image of the device
Firmware data for forensics
Accessing the firmware of a device can reveal whether it was compromised and used to enable an attack
How is VM data preserved?
Snapshot
Define cache relative to forensics (3)
- Many applications & components store temporary data in a cache
- May be very volatile or not volatile
- Must be sure to preserve any cache information
Define network data gathering for forensics
Various network data can be gathered from devices, such as connections and packet captures, depending on the type of device
Define artifacts relative to forensics
Artifacts are bits and pieces of data in miscellaneous places
How does use of cloud-based services complicate gathering forensic data? (3)
- Don’t have physical access to or possession of the data
- Rules and regulations may be different from your local rules & regulations depending on where the data is actually stored
- Access to this might be denied if it is stored in a different country
Define right to audit clause and its importance
When initiating a relationship with a cloud service provider, the terms and conditions for access to audit the data should be defined before using the service
Define relevance of data breach notification laws
Depending on where data is stored, or the locale of the people who provided it, data breach notification laws/requirements may be very different
Define relevance of checksums in forensics
A way to verify data transmitted via network wasn’t altered during transmission. Not designed to replace hashing, but offers a simple integrity check
Define provenance
The original source of the data
Considerations for preservation of data (3)
- Must be an exact copy of the data
- Powering off a system could destroy some data
- If the drive is encrypted, it must be accessed from the live system and not removed
Define e-Discovery
Gathering (not analyzing or altering) information requested by authorities and providing it to them
Define data recovery
Recovering data that was deleted or from a physically damaged storage device
2 ways to provide non-repudiation relative to forensics
- MAC - message authentication code, computed with a secret known only to the communicating parties
- Digital signatures
Define strategic intelligence
Gathering information about a specific target with a specific goal in mind
Define strategic counter-intelligence
Gathering information about a source performing strategic intelligence on you