4.5: Explain the key aspects of digital forensics. Flashcards
Documentation/Evidence
- Direct evidence Oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.
- Real evidence Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.
- Documentary evidence Evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.
- Demonstrative evidence Used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Legal Hold
In the U.S. legal system, legal precedent requires that potentially relevant information be preserved at the instant a party “reasonably anticipates” litigation or another type of formal dispute. Although this sounds technical, it is fairly easy to grasp: once an organization is aware that it needs to preserve evidence for a court case, it must do so.
Admissibility
- Sufficient evidence The evidence must be convincing or measure up without question.
- Competent evidence The evidence must be legally qualified and reliable.
- Relevant evidence The evidence must be material to the case or have a bearing on the matter at hand.
Chain of Custody
After evidence is collected, it must be properly controlled to prevent tampering. The chain of custody accounts for all persons who handled or had access to the evidence. More specifically, the chain of custody shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained. Any and all access to the evidence is recorded.
The following are the critical steps in a chain of custody:
- Record each item collected as evidence.
- Record who collected the evidence along with the date and time it was collected or recorded.
- Write a description of the evidence in the documentation.
- Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
- Record all message digest (hash) values in the documentation.
- Securely transport the evidence to a protected storage facility.
- Obtain a signature from the person who accepts the evidence at this storage facility.
- Provide controls to prevent access to and compromise of the evidence while it is being stored.
- Securely transport the evidence to court for proceedings.
EXAM TIP
Never analyze the seized evidence directly. The original evidence must be secured and protected with a chain of custody. It should never be subjected to a forensic examination because of the fragile nature of digital evidence. A forensic copy, however, can be examined and, if something goes wrong, discarded, and the copy process can be repeated. A good forensics process will prove that the forensic copy is identical to the original at the start and at the end of the examination. From a practical standpoint, investigators usually make multiple forensic copies and perform their analysis in parallel on the multiple copies.
Acquisition
Acquisition refers to the collection of information that may be evidence in an investigation. Evidence consists of the documents, verbal statements, and material objects admissible in a court of law. Evidence is critical to convincing management, juries, judges, or other authorities that a particular event has occurred.
Order of Volatility
Items such as the state of the CPU and its registers, RAM, and even storage are always changing, which can make the collection of electronic data a difficult and delicate task. These elements tend to change at different rates, and you should pay attention to the order of volatility, or lifetime of the data, so that you can prioritize your collection efforts after a security incident to ensure you don’t lose valuable forensic evidence.
Following is the order of volatility of digital information in a system:
- CPU, cache, and register contents (collect first)
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections and data flows
- Memory (RAM)
- Temporary file system/swap space
- Data on hard disk
- Remotely logged data
- Data stored on archival media/backups (collect last)
Right to Audit Clauses
The only rights the customer has are detailed in the service level agreements/contracts with the cloud provider. This makes the Right to Audit clause a critical requirement of any service level agreement, and its specificity needs to match the operational and regulatory scope of the cloud engagement.
E-Discovery
Electronic discovery, or e-discovery, is the term used for the document and data production requirements as part of legal discovery in civil litigation. When a civil lawsuit is filed, under court approval, a firm can be compelled to turn over specific data from systems pursuant to the legal issue at hand.
Nonrepudiation
Nonrepudiation is a characteristic that refers to the inability to deny an action has taken place. This can be a very important issue in transactions via computers that involve money or things of value. Did the transaction occur and did the parties involved actually do it?