Explain the key aspects of digital forensics Flashcards

1
Q

Documentation/evidence

A
Legal hold
Video
Admissibility
Chain of custody
Timelines of sequence of events
Tags
Reports
Event logs
Interviews
2
Q

Legal hold

A

Legal hold refers to the fact that information that may be relevant to a court case must be preserved. Information subject to legal hold might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or lawyers pursuing a civil action. This means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails.

3
Q

Video

A

Making an audio or video recording of witness statements produces a more reliable record but may make witnesses less willing to make a statement. If a witness needs to be compelled to make a statement, there will be legal issues around employment contracts (if the witness is an employee) and right to legal representation.

4
Q

Admissibility

A
5
Q

Chain of custody

A

The record of evidence history from collection, to presentation in court, to disposal.

6
Q

Timelines of sequence of events

A

Time stamps

Time offset

7
Q

Time stamps

A

NTFS uses UTC “internally”, but many operating systems and file systems record time stamps as the local system time. When collecting evidence, it is vital to establish how a timestamp is calculated and to note the offset between the local system time and UTC.

8
Q

Time offset

A

In forensics, identifying whether a time zone offset has been applied to a file’s time stamp.

9
Q

Tags

A

Tags—apply standardized keywords or labels to files and metadata to help organize the evidence. Tags might be used to indicate relevancy to the case or part of the case or to show confidentiality, for instance.

10
Q

Reports

A

A digital forensics report summarizes the significant contents of the digital data and the conclusions from the investigator’s analysis. It is important to note that strong ethical principles must guide forensics analysis.

Analysis must be performed without bias. Conclusions and opinions should be formed only from the direct evidence under analysis.
Analysis methods must be repeatable by third parties with access to the same evidence.
Ideally, the evidence must not be changed or manipulated. If a device used as evidence must be manipulated to facilitate analysis (disabling the lock feature of a mobile phone or preventing a remote wipe for example), the reasons for doing so must be sound and the process of doing so must be recorded.
Defense counsel may try to use any deviation of good ethical and professional behavior to have the forensics investigator’s findings dismissed.

11
Q

Event logs

A

Digital evidence is not just drawn from analysis of host system memory and data drives. An investigation may also obtain the event logs for one or more network appliances and/or server hosts. Similarly, network packet captures and traces/flows might provide valuable evidence. On a typical network, sensor and logging systems are not configured to record all network traffic, as this would generate a very considerable amount of data. On the other hand, an organization with sufficient IT resources could choose to preserve a huge amount of data. A Retrospective Network Analysis (RNA) solution provides the means to record network events at either a packet header or payload level.

12
Q

Interviews

A

As well as digital evidence, an investigator should interview witnesses to establish what they were doing at the scene, whether they observed any suspicious behavior or activity, and also to gather information about the computer system. An investigator might ask questions informally and record the answers as notes to gain an initial understanding of the circumstances surrounding an incident.

13
Q

Acquisition

A
Order of volatility
Disk
Random-access memory (RAM)
Swap/pagefile
OS
Device
Firmware
Snapshot
Cache
Network
Artifacts
14
Q

Order of volatility

A

The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.

15
Q

Disk

A

Disk image acquisition refers to acquiring data from non-volatile storage. Non-volatile storage includes hard disk drives (HDDs), solid state drives (SSDs), firmware, other types of flash memory (USB thumb drives and memory cards), and optical media (CD, DVD, and Blu-Ray). This can also be referred to as device acquisition, meaning the SSD storage in a smartphone or media player. Disk acquisition will also capture the OS installation, if the boot volume is included.

16
Q

Random-access memory (RAM)

A

System memory is volatile data held in Random Access Memory (RAM) modules. Volatile means that the data is lost when power is removed. A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device. There are various methods of collecting the contents of system memory.

17
Q

Swap/pagefile

A

The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host’s RAM modules. The pagefile is not structured in a way that analysis tools can interpret, but it is possible to search for strings.

18
Q

OS

A
19
Q

Device

A
20
Q

Firmware

A

Firmware is usually implemented as flash memory. Some types, such as the PC firmware, can potentially be extracted from the device or from system memory using an imaging utility. It likely will be necessary to use specialist hardware to attach the device to a forensic workstation, however.

21
Q

Snapshot

A

A snapshot is a live acquisition image of a persistent disk. While this may have less validity than an image taken from a device using a write blocker, it may be the only means of acquiring data from a virtual machine or cloud process.

22
Q

Cache

A

Cache can refer either to hardware components or to software. Software-based cache is stored in the file system and can be acquired as part of a disk image. For example, each browser has a cache of temporary files, and each user profile has a cache of temp files. Some cache artifacts generated by the OS and applications are held in memory only, such as portions of the registry, cryptographic keys, password hashes, some types of cookies, and so on. The contents of hardware cache (CPU registers and disk controller read/write cache, for instance) are not generally recoverable.

23
Q

Network

A

Packet captures and traffic flows can contain very valuable evidence, if the capture was running at the right time and in the right place to record the incident. As with memory forensics, the issue for forensics lies in establishing the integrity of the data. Most network data will come from a SIEM.

24
Q

Artifacts

A

Artifacts refer to any type of data that is not part of the mainstream data structures of an operating system. For example, the Windows Alternate Data Streams (ADS) feature is often used to conceal file data, and various caches, such as prefetch and Amcache, can be used to find indicators of suspicious process behavior.

Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space. These fragments might represent deleted or overwritten files. The process of recovering them is referred to as carving.

25
Q

On-premises vs. cloud

A

Right-to-audit clauses
Regulatory/jurisdiction
Data breach notification laws

26
Q

Right-to-audit clauses

A

While companies can operate private clouds, forensics in a public cloud is complicated by the right to audit permitted to you by your service level agreement (SLA) with the cloud provider.

27
Q

Regulatory/jurisdiction

A

Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to release to you.

28
Q

Data breach notification laws

A
29
Q

Integrity

A

Hashing
Checksums
Provenance

30
Q

Hashing

A

Hashing is the process of transforming any given key or a string of characters into another value. This is usually represented by a shorter, fixed-length value or key that represents and makes it easier to find or employ the original string. The most popular use for hashing is the implementation of hash tables.

31
Q

Checksums

A

A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity.

32
Q

Provenance

A

The records describing the possession of, and changes to, components, component processes, information, systems, organizations, and organizational processes. Provenance enables changes to the baselines of components, component processes, information, systems, organizations, and organizational processes to be reported to appropriate actors, functions, locales, or activities.

33
Q

Preservation

A

The host devices and media taken from the crime scene should be labeled, bagged, and sealed, using tamper-evident bags. It is also appropriate to ensure that the bags have anti-static shielding to reduce the possibility that data will be damaged or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of evidence should be documented by a chain of custody form which records where, when, and who collected the evidence, who subsequently handled it, and where it was stored.

The evidence should be stored in a secure facility; this not only means access control, but also environmental control, so that the electronic systems are not damaged by condensation, ESD, fire, and other hazards. Similarly, if the evidence is transported, the transport must also be secure.

34
Q

E-discovery

A

E-discovery is a form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings. The traditional discovery process is standard during litigation, but e-discovery is specific to digital evidence.

35
Q

Data recovery

A
36
Q

Non-repudiation

A

Once the target disk has been safely attached to the forensics workstation, data acquisition proceeds as follows:

A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function. The output of the function can be described as a checksum.
A bit-by-bit copy of the media is made using the imaging utility.
A second hash is then made of the image, which should match the original hash of the media.
A copy is made of the reference image, validated again by the checksum. Analysis is performed on the copy.
This proof of integrity ensures non-repudiation. If the provenance of the evidence is certain, the threat actor identified by analysis of the evidence cannot deny their actions. The checksums prove that no modification has been made to the image.

37
Q

Strategic intelligence/counterintelligence

A

In some cases, an organization may conduct a forensics investigation without the expectation of legal action. As well as being used in a legal process, forensics has a role to play in cybersecurity. It enables the detection of past intrusions or ongoing but unknown intrusions by close examination of available digital evidence. A famous quote attributed to former Cisco CEO John Chambers illustrates the point: “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”

Digital forensics can be used for information gathering to protect against espionage and hacking. This intelligence is deployed in two different ways:

Counterintelligence—identification and analysis of specific adversary tactics, techniques, and procedures (TTP) provides information about how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions.
Strategic intelligence—data and research that has been analyzed to produce actionable insights. These insights are used to inform risk management and security control provisioning to build mature cybersecurity capabilities.