4.5 Explain the Key Aspects of Digital Forensics Flashcards
Documentation and Evidence
When collecting documentation and evidence, it’s essential to follow specific procedures to ensure that the evidence is admissible in a court of law. If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.
Legal hold
A legal hold refers to a court order to maintain different types of data as evidence. As an example, imagine that ZiffCorp is being sued for fraud and the Securities and Exchange Commission is investigating ZiffCorp. A court orders them to maintain digital and paper documents for the past three years related to the case. ZiffCorp now needs to take steps to preserve the data.
Video
Video surveillance methods such as closed-circuit television (CCTV) systems are often used as a detective control during an investigation. If a person is recorded on video, the video provides reliable proof of the person’s location and activity. For example, if a person is stealing equipment or data, the video might provide evidence of the theft.
Admissibility
If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.
Chain of custody
A chain of custody is a process that provides assurances that evidence has been controlled and appropriately handled after collection. Forensic experts establish a chain of custody when they first collect evidence.
Timeline of sequence of events
Digital forensic analysis typically tries to determine the timeline of an event. If the incident results in a data breach or ransomware spread throughout a network, the analysts try to determine how the attacker got in. Today, the first failure is often a user responding inappropriately to a phishing email. By identifying the first failure in the incident, it becomes easier to make recommendations to prevent such a failure in the future.
Time stamps
Log entries include timestamps, so anyone reading the logs can determine when the event occurred.
Time offsets
It’s essential to consider time offsets based on how the timestamps are recorded.
Imagine you live in Virginia Beach and you see a server log entry of 12:01. You might assume that this indicates 12:01 Eastern Standard Time (EST), but if it’s in the summer months, it may be Eastern Daylight Time (EDT). However, the server may be in the cloud and physically located in Las Vegas, which follows Pacific Standard Time (PST) and Pacific Daylight Time (PDT) in the summer months. If you compare this log entry with a log entry on a server located in Pensacola, you need to consider Central Standard Time (CST) and Central Daylight Time (CDT). To simplify this, many servers use Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC). Neither GMT nor UTC observes daylight saving time, and both are based on the time at the Royal Observatory in Greenwich, London.
Tags
After an item is identified as possible evidence, it needs to be tagged. This can be a formal document, but it’s more common to be something simple, such as a sticker. The tag is placed on the item with the date, time, and name of the person placing the tag. It’s also common to include a control number that can be included in a chain of custody.
Reports
After analyzing all the relevant evidence, digital forensic experts create a report documenting their findings. These reports often document the tactics, techniques, and procedures (TTPs) used in an attack.
Event Logs
A forensic investigation often includes an analysis of available logs. This information helps the investigators re-create events leading up to and during an incident. This can be as simple as looking at event logs on computers, or device logs on routers and firewalls.
Interviews
Another element of an investigation is interviewing witnesses. Witnesses provide firsthand reports of what happened and when it happened. However, witnesses won’t necessarily come forward with relevant information unless someone asks them. Often witnesses don’t recognize what information is valuable.
Acquisition
When performing data acquisition for digital forensics, it’s important to follow specific procedures to ensure that the data is not modified. In many cases, this ensures that the evidence is preserved in case it is needed in a legal proceeding.
Order of Volatility
Order of volatility refers to the order in which you should collect evidence. Volatile doesn’t mean it’s explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.
Disk
Data files are stored on local disk drives, and they remain there even after rebooting a system.
RAM
Data in RAM is used by the operating system (OS) and applications.
Swap or pagefile
A swap file (sometimes called a pagefile) is stored on the system disk drive and acts as an extension of RAM. However, the pagefile isn’t a typical file, and the system rebuilds the pagefile when rebooting. This makes the pagefile more volatile than other files stored on hard drives.
OS
OS forensics refers to the process of collecting data from the OS. This includes things like the cache, RAM, swap file, and artifacts. It can also include much more depending on the operating system. As an example, the Windows Registry includes a wealth of information on installed applications and holds user data to enhance the user experience.
Device
Mobile device metadata is often a treasure trove of evidence for investigators. It includes users’ location (tracked through apps), who they called and who called them, who they messaged and who messaged them, website history, and more.
Firmware
Firmware forensic methods are useful when a forensic specialist suspects malware has infected firmware. It starts by extracting the firmware code. It then attempts to reverse engineer the code to discover what it is doing. In some cases, the firmware has a backdoor embedded in it that attackers can exploit. In other cases, the firmware has malicious code embedded within it.
Snapshots
Security experts sometimes use snapshots to capture data for forensic analysis. Various tools are available to capture snapshots of memory (including cache memory), disk contents, cloud-based storage, and more.
Cache
This is data in the cache memory, including the processor cache and hard drive cache. Data in the cache is removed as new data is used.
Network
Networks typically have servers and shared folders accessible by users and used to store log files. These remote systems often have more robust backup policies in place, making them the least volatile.
Artifacts
Forensic artifacts are pieces of data on a device that regular users are unaware of, but digital forensic experts can identify and extract. In general, logs and data files show direct content, but the artifacts are not so easy to see.