CH31 Incident Response and Forensics Flashcards
During which incident response phase is the preservation of evidence performed?
a. Preparation
b. Detection and analysis
c. Containment, eradication, and recovery
d. Post-incident activity
c. Containment, eradication, and recovery
A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring criminal charges against an attacker. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking the time to create a forensic image is crucial to preserve the evidence for further analysis and investigation.
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?
a. Image of the server’s SSD
b. L3 cache
c. Backup tapes
d. ARP cache
b. L3 cache
When collecting evidence, you should always follow the order of volatility. This allows you to collect the most volatile evidence (the data most likely to change) first and the least volatile (least likely to change) last.
You should always begin the collection with the CPU registers and cache memory (L1/L2/L3/GPU).
Next, capture the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory.
Then move on to the collection of data storage devices such as hard drives, SSDs, and flash memory devices.
Which of the following is required for evidence to be admissible in a court of law?
a. Order of volatility
b. Legal hold
c. Chain of custody
d. Right to audit
c. Chain of custody
The chain of custody is used to document the collection and preservation of evidence from its initial acquisition, throughout the handling leading up to a trial, and during its preservation in case of an appeal or retrial.
What information should be recorded on a chain of custody form during a forensic investigation?
a. Any individual who worked with evidence during the investigation
b. The list of former owners/operators of the workstation involved in the investigation
c. The list of individuals who made contact with files leading to the investigation
d. The law enforcement agent who was first on the scene
a. Any individual who worked with evidence during the investigation
OBJ-4.5: Chain of custody forms list every person who has worked with or who has touched the evidence that is part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented in the question are all good pieces of information to record in your notes, but they are not required to be on the chain of custody form.
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?
a. Memdump
b. Autopsy
c. FTK Imager
d. dd
c. FTK Imager
OBJ-4.1: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including copying the slack, unallocated, and free space on a given drive. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.
(Sample Simulation – On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.)
Order of Evidence Collection (drag each item into slots 1 through 4): Swapping File, Processor Cache, Hard Drive or USB Drive, Random Access Memory
You are working as part of a cyber incident response team. An ongoing attack has been identified on your web server. Your company wants to take legal action against the criminals who have hacked your server, so they have brought in a forensic analyst from the FBI to collect the evidence from the server. In what order should the digital evidence be collected based on the order of volatility?
a. Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache
b. Processor Cache, Swap Files, Random Access Memory, Hard Drive or USB Drive
c. Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive
d. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive
d. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive
OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?
a. Personally identifiable information
b. Credit card information
c. Trade secret information
d. Protected health information
d. Protected health information
OBJ-4.5: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?
a. Encrypt the source drive to ensure an attacker cannot modify its contents
b. Digitally sign the image file to provide non-repudiation of the collection
c. Create a hash digest of the source drive and the image file to ensure they match
d. Encrypt the image file to ensure it maintains data integrity
c. Create a hash digest of the source drive and the image file to ensure they match
OBJ-4.5: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data’s confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.