4.5 Forensic Data Acquisition Flashcards
State the order of volatility
- CPU registers, CPU cache
- Router table, ARP cache, process table, kernel stats, memory
- Temporary file systems
- Disk
- Remote logging and monitoring
- Physical configuration, network topology
- Archival media
What is the best way to gather storage data?
Prepare the drive to be imaged by powering down the system to prevent changes.
Remove the storage drive and then connect it to an imaging device.
Make a forensic clone (bit-for-bit copy).
Preserve all data, even "deleted" data.
What is the challenge of capturing RAM data and how do you do it?
RAM data changes constantly; even trying to capture it can change it.
Third-party tools (memory dump utilities) can grab everything and copy it to a separate system or device.
What data is never written to a storage drive from RAM?
Browsing history, clipboard information, encryption keys, command history
What is the swap/pagefile?
It's a temporary storage area on disk used to swap data in and out of RAM when RAM is full. We want to gather this data as well.
Each OS uses this area slightly differently.
What type of information from the OS may be modified during a compromise?
The core operating system files: executable files and libraries. We can compare these files to known-good baselines.
Other important areas of note:
- Logged-in users
- Open ports
- Running processes
- Attached device list
How do you capture data from mobile devices and tablets?
Use an existing backup file, or transfer an image of the device via USB.
Areas of note:
- Phone calls
- Contact information
- Text messages
- Emails
- Images and movies
- More
When firmware is compromised, how should we investigate?
It depends on the product/model. Often the firmware has been reprogrammed or hacked by the attacker. If we look at how the device functions, we may be able to determine how it was hacked, what functionality the attacker had on the device, and possibly where data is going to/from the device.
How do we handle VM compromises?
We need to investigate snapshots of the VM. Snapshots are basically images of the VM: the first is a full image of the original VM, and each subsequent snapshot is an incremental backup of the changes since the previous one. Restoring requires all incremental snapshots.
What is a cache?
A temporary data storage area for later use. Designed to increase speed.
CPU cache, disk cache, internet cache, etc.
Cached data is replaced after a specific time or when the cache is full. Browser caches are long-lived (days or weeks).
What are artifacts?
Digital items left behind (perhaps evidence). You might find them in:
- Logs
- Flash memory
- Prefetch cache files
- Recycle bin
- Browser bookmarks and logins
What are some challenges to cloud forensics?
- Devices are not totally in your control
- Potentially limited access
- It may be difficult to associate cloud data with a specific user, because there may be many users active at the same time
- Potential legal issues depending on the location of the data and where you are
What is a right-to-audit clause?
A legal agreement giving you the option to perform a security audit at any time. Everyone agrees to the terms and conditions up front. It allows you to verify the provider's security.
What are the most important ideas to understand about data breaches?
If consumer data is breached, the consumer must be informed.
The legalities of this vary across countries and localities. If you are in the cloud, consider yourself a global entity.
Notification requirements also vary from location to location, such as what data requires notification, who to notify, and how quickly.