4.5 Explain the Key Aspects of Digital Forensics Flashcards
Documentation and Evidence
When collecting documentation and evidence, it’s essential to follow specific procedures to ensure that the evidence is admissible in a court of law. If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.
Legal hold
A legal hold refers to a court order to maintain different types of data as evidence. As an example, imagine that ZiffCorp is being sued for fraud and the Securities and Exchange Commission is investigating ZiffCorp. A court orders them to maintain digital and paper documents for the past three years related to the case. ZiffCorp now needs to take steps to preserve the data.
Video
Video surveillance methods such as closed-circuit television (CCTV) systems are often used as a detective control during an investigation. If a person is recorded on video, the video provides reliable proof of the person’s location and activity. For example, if a person is stealing equipment or data, the video might provide evidence of the theft.
Admissibility
If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.
Chain of custody
A chain of custody is a process that provides assurances that evidence has been controlled and appropriately handled after collection. Forensic experts establish a chain of custody when they first collect evidence.
Timeline of sequence of events
Digital forensic analysis typically tries to determine the timeline of an event. If the incident results in a data breach or ransomware spreading throughout a network, investigators try to determine how the attacker got in. Today, the first failure is often a user responding inappropriately to a phishing email. By identifying the first failure in the incident, it becomes easier to make recommendations to prevent such a failure in the future.
Time stamps
Log entries include timestamps, so anyone reading the logs can determine when the event occurred.
Time offsets
However, it’s essential to consider time offsets based on how the timestamps are recorded.
Imagine you live in Virginia Beach and you see a server log entry of 12:01. You might assume that this indicates 12:01 Eastern Standard Time (EST), but depending on the time of year, it may be Eastern Daylight Time (EDT). However, the server may be in the cloud and physically located in Las Vegas, which follows Pacific Standard Time (PST) or Pacific Daylight Time (PDT) depending on the time of year. If you compare this log entry with a log entry on a server located in Pensacola, you need to consider Central Standard Time (CST) and Central Daylight Time (CDT). To simplify this, many servers use Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC). Neither GMT nor UTC observes daylight saving time, and both are based on the time at the Royal Observatory in Greenwich, London.
Tags
After an item is identified as possible evidence, it needs to be tagged. This can be a formal document, but it’s more common to use something simple, such as a sticker. The tag is placed on the item with the date, time, and name of the person placing the tag. It’s also common to include a control number that can be referenced in the chain of custody.
Reports
After analyzing all the relevant evidence, digital forensic experts create a report documenting their findings. These reports often document the tactics, techniques, and procedures (TTPs) used in an attack.
Event Logs
A forensic investigation often includes an analysis of available logs. This information helps the investigators re-create events leading up to and during an incident. This can be as simple as looking at event logs on computers, or device logs on routers and firewalls.
Interviews
Another element of an investigation is interviewing witnesses. Witnesses provide firsthand reports of what happened and when it happened. However, witnesses won’t necessarily come forward with relevant information unless someone asks them. Often witnesses don’t recognize what information is valuable.
Acquisition
When performing data acquisition for digital forensics, it’s important to follow specific procedures to ensure that the data is not modified. In many cases, this ensures that the evidence is preserved in case it is needed in a legal proceeding.
Order of Volatility
Order of volatility refers to the order in which you should collect evidence. Volatile doesn’t mean it’s explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.
Disk
Data files are stored on local disk drives, and they remain there even after rebooting a system.