5.5 Summarize basic concepts of forensics Flashcards
Order of Volatility
You should collect data first from the volatile areas and then move to the nonvolatile areas. This ordering is known as the order of volatility, and data should be collected in that order.
The order of volatility is memory (RAM), swap file, hard disk, and then finally CD/DVD-ROM.
Chain of Custody
The chain of custody is a document that records where the evidence is at all times. It is imperative that you have a chain of custody in place so that you can account for the whereabouts of the evidence throughout the investigation.
Legal Hold
Legal hold is the term for putting data in a special hold so that users cannot delete that data during an investigation. For example, Microsoft Exchange Server allows an administrator to put a mailbox in legal hold so that the user cannot delete mail while the mailbox is being searched for evidence.
Data Acquisition
Once the evidence has been seized, you can acquire it. Acquiring the evidence involves taking an image of it so that you perform your investigation on a copy and not on the original evidence. It is critical that you acquire a bit-level copy (a raw sector-by-sector copy) of any drives on the suspect’s system by using forensically sound imaging software. Forensically sound imaging software is software that is designed for computer forensics and does not make any modifications to the source drive.
Data Acquisition - Capture System Image
Creating an image of a drive captures the entire drive (because it copies each sector), including deleted files and hidden information on disk.
Always remember to create multiple images of the drive and to use different imaging tools in case one of the images becomes corrupted. After creating the image, you will perform your investigation on the image and not on the original drive.
Static Images
When acquiring the image, you typically will take the drive out of the suspect’s system and then connect the drive to your forensics workstation. The forensics workstation is a system you set up with your forensics software and with no connection to the network or Internet.
Live Images
Although most of the time you will be dealing with static images, you may sometimes need to do a live acquisition. With static images, you are unable to capture the contents of memory because the power was removed from the system when it was seized. Before seizing the evidence, plan whether you need to do a live acquisition or a static acquisition.
The benefit of the live acquisition is that you can obtain the contents of memory by placing a forensics CD into the system, running your imaging software, and dumping the contents of memory to disk or across the network.
The drawback of the live acquisition is that you are modifying the system when you run your software; you must verify ahead of time with the lead investigator that this is acceptable.
Capture the contents of an encrypted drive
These days, full drive encryption is becoming more common, so that when the system is powered off, the drive is automatically encrypted. When the system boots up, if the correct key is supplied, the drive is decrypted and access to the files is granted. From a forensics point of view, drive encryption poses a problem, so if you suspect that the drive is encrypted, you should do a live acquisition before pulling the power.
Data Acquisition - Network Traffic and Logs
Depending on the type of incident you are investigating, it may be necessary to look at the network traffic and log files of networking devices and software. For example, if you are investigating a security incident that involves someone hacking into a system from across the Internet, you will need to look at the server logs of the system compromised and also the router and firewall logs.
Data Acquisition - Capture Video
Documenting Your Steps
It is critical that you document all of your steps after arriving at the scene. Be sure to take pictures of the area where the evidence is. For example, if you’re responsible for seizing a computer from a suspected criminal’s home, be sure to take photos of the area where the computer is before you touch anything.
You may also capture video of your investigation steps with a video camera or screen-capturing software. If you do not have software to capture videos of your steps, be sure to take screenshots of critical screens.
Data Acquisition - Record Time Offset
When performing your investigation, it is critical to record all your activities and the time of each activity. Recording the time you start each action and how long it took is critical to the success of the investigation. Record time offset is an important setting for the investigator to configure when performing an investigation. Configuring the record time offset means setting the time zone in the forensics software to match the time zone of the suspect’s system so that all time stamp information in the evidence is accurate.
Data Acquisition - Take Hashes
A big part of the forensics process is to validate the contents of the forensic image by running a hashing algorithm on the data to generate a hash value. The concept here is that the hash value generated will be unique to the data in the evidence.
If you ever need to prove that the copy of the drive you are working with is the same data as the original, you can compare the hash values.
Most forensics tools generate a hash value when the bitstream image is created, but you can also use other tools such as md5sum to calculate the hash value of the data.
Data Acquisition - Screenshots
If you do not have software to capture videos of your steps, be sure to take screenshots of critical screens.
Data Acquisition - Witness Interviews
When performing the investigation, be sure to talk to any witnesses who could have some insight into what has happened. In the corporate world, this means talking to the users of the system and learning what is normal activity versus abnormal activity with the systems.
Preservation
When collecting the evidence, not only must you document each piece of evidence and create a chain of custody, but you must also ensure that you take steps to preserve, or protect, the evidence.
The evidence should be placed in secure containers and then transported immediately to a secure storage location.
With digital evidence, you will need to ensure that the evidence is protected from damage from magnetic fields and also protected against electrostatic discharge (ESD). ESD is a common way that computer chips are destroyed, so be sure to protect computer components.
Ensure that the evidence is stored in a secure cabinet and that the secure cabinet is located in a secure area with limited personnel access. You will need to prove that only authorized individuals had access to the evidence.
Recovery
A system involved in a security incident is considered a compromised system, and in many cases recovery involves wiping the hard drives, reinstalling or reimaging the operating system, and restoring data from the last good backup.
Strategic Intelligence/Counterintelligence Gathering
An important task of the security team is to continuously monitor and log activity on systems and the network so that the security team becomes aware of security events as they are occurring. Continuous monitoring is a never-ending process of monitoring access to resources, network traffic, and security logs for events.