Chapter 5 Flashcards
Sanitization Methods
Clear: overwrite storage space on the media with non-sensitive data
Destroy: Disintegrate, pulverize, melt, shred, shoot
Aftermath of an Incident
Identify shortcomings in risk assessment, policy, or implementation. Repair the problems caused by the incident. Hold the person accountable if it was caused by a malicious act; collect evidence to clearly tie them to the event.
Digital Forensics
What data should we collect before an incident occurs? What data are we allowed to collect from an individual's personal computer? What data can we retrieve from persistent storage like USB drives and hard drives?
Fault and due diligence
In the US, parties involved in an incident may be blamed for what they do or don't do, e.g. if a party should have prevented the incident but failed to do so. There are customary acts to take for safety and security; parties are less at fault if they show due diligence.
Types of legal disputes
Private action: one party acts against another based on a shared relationship.
Mediation: Two parties rely on a third party to negotiate a settlement.
Civil complaint: A party files a lawsuit against another. Settled in court unless settled informally ahead of time.
Criminal complaint: A person is charged with breaking specific laws.
Admissible evidence
In private actions and mediation we can use informal evidence, but mediators might demand admissible evidence. In civil and criminal cases we can only use admissible evidence.
Collecting digital evidence
Must yield admissible evidence. There must be no modifications since collection.
Process of collecting digital evidence
1) Securing the scene
2) Documenting the scene
3) Collecting the evidence
Digital evidence procedures
Take pictures of powered-on devices. For most devices, simply remove the power source; if we reboot the OS we may modify or destroy evidence. Using the chain of custody (CoC) form, document all serial numbers, cords, and connections before removal, then seal each item in an evidence bag.
Forensic Hard Drive Analysis
Do not use the native OS to analyze the contents.
1) Do an integrity check (MD5, SHA) on the original.
2) Copy the hard drive and do the integrity check again on the copy.
3) Analyze the copy, not the original. After you collect the evidence, recalculate the integrity check to confirm nothing has changed.
Sectors and Clusters
Sectors are independent data blocks on the hard drive; each can be read or written individually. Clusters are a series of sectors treated as a single block by the file system.
Partitions
Breaking up the overall drive into smaller, individual logical drives.
FAT File System
Introduced in MS-DOS and widely used; found in cameras, flash drives, and many other digital devices. Supports modern features like long, mixed-case filenames, hierarchical directories, and individual file sizes up to 4 GB.
FAT Volume Layout
Boot blocks, file allocation table (FAT), root directory, clusters
Boot Blocks
Contain the bootstrap program on a bootable drive, plus details on the volume format such as the cluster size and the locations of the FAT and the root directory.