Domain 7: Security Operations - Continuity of the Enterprise Flashcards
Computer Forensics
Discipline of using proven methods for the collection, preservation, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence
Who can collect evidence
those who are trained
7 Steps for Forensic Investigation
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision
Identification Step
Locard's Exchange Principle: when a crime is committed, the attacker leaves something behind and takes something away.
Preservation Step
Chain of custody must be well documented
Verify integrity of all evidence
Collection Step
Minimize handling/corruption of evidence
Keep detailed logs
Ensure actions are repeatable
Follow security policy
Work fast
Start with the most volatile evidence and proceed to the most persistent
Examination Step
Generates Data
Look for signatures of known attacks
Review audit logs
Hidden data recovery
Analysis Step
Reviews Data
What is the root cause?
What files were altered/installed?
What communication channels were open?
Presentation and Decision
Present the information in a forensically sound manner, and maintain chain of custody.
A court of law makes the decision.
Order of Volatility
CPU Registers
Cache
RAM
Virtual Memory
Hard Drive
Paper Records