4.5 Digital Forensics Flashcards
Define legal hold
A legal notice requiring preservation of specific data until a specific date or until notified that it is no longer required
Admissibility of digital evidence
All digital evidence must be collected and secured against tampering per local laws to ensure it can be used in court proceedings
Chain of custody
Documentation of every access to the data and everything done with it after collection, to ensure that it has not been altered
For chain of custody, how can one ensure that the data has not been altered?
By using hashing
Time stamps
It is important to know which time zone the system used for file timestamps. For example, the FAT file system uses the local time zone set on the device, while NTFS uses GMT
Time offsets
The OS may have time offset settings configured for different components. These must be checked to know what the various time stamps actually mean
How is order of volatility relevant to digital data collection for forensics?
Data may not be preserved for long, depending on the component it is stored in, so data collection must start with the most volatile data.
Order of Volatility (4)
- CPU - registers, cache
- Router tables, ARP cache, process tables, and anything stored in system memory
- Temporary files
- Hard drives, configuration data
How to preserve disk data?
Make an exact, bit-for-bit copy of the write-protected drive
How to preserve memory data?
Use a third-party tool that provides a memory dump to more permanent storage
How to preserve swap/page files?
Swap/page files are created to provide virtual memory that is actually stored on disk; they must be included when doing the memory dump
OS information that must be preserved but will be lost when generating an image of the drive (4)
- Logged-in users
- Open ports
- Running processes
- Any attached devices
Preserving data from mobile devices
Can connect via USB to create an image of the device
Firmware data for forensics
Examining the firmware of a device can show whether it was compromised and used to enable an attack
How is VM data preserved?
Snapshot