Gathering Forensic Data 5.5 Flashcards
Forensic Procedures
Collect and protect info relating to an intrusion.
RFC 3227 - Guidelines for Evidence Collection and Archiving. A good set of best practices.
Take extensive, detail-oriented notes.
Order of Volatility
Most to Least
CPU, CPU cache, CPU registers
Router table, ARP cache, process table, kernel stats
Live network connections, data flows
Temporary file systems
Data on disk
Remotely logged data
Data stored on archival media/backups
Chain of Custody
Control the evidence and maintain its integrity. Everyone who comes in contact with the evidence must be documented. Label and catalog everything, then seal it. This prevents anyone from tampering with the evidence.
Legal Hold
A legal technique to preserve relevant information in preparation for impending litigation, initiated by legal counsel. It is provided as a hold notification, which tells you what kind of data and how much of it must be preserved. If this is Electronically Stored Information (ESI), a separate repository is created just for this data. There will be many kinds of data: documents, emails, personal files, and others. You must preserve both existing data and newly created data.
Capture System Image
Copy the contents of a disk, bit-for-bit and byte-for-byte. There are specialized software imaging tools for this. You may also boot from a separate drive to copy the affected drive without touching anything on it. It is common to remove the physical drive and attach it to a hardware write-blocker so that nothing can be overwritten. Even if everything on the drive gets deleted, backups of the data may already exist.
Network Traffic and Logs
Many attacks occur across the network, so capture as much log information as possible from switches, firewalls, routers, and anything else on the network. Log the usual traffic patterns on the IDS/IPS. Some orgs can store ALL of their raw network data, which makes it possible to rebuild images, emails, browser sessions, file transfers, etc.
Capture Video
If a security event happens outside of a computer, video footage could come in handy. You can also take video of a compromised computer while you are working on it. The video content must also be archived; it could contain some of the most important records of the event.
Recording Time Offsets
Time zone determines how the time is displayed. Document the local device settings. Different file systems store timestamps differently.
FAT: Time is stored in local time.
NTFS: Time is stored in GMT.
Record the time offset from the OS. Windows keeps it in the Windows Registry. Make sure to keep track of daylight saving time.
Take Hashes
You can ensure that there has been no tampering if you use a digital hash. A Message Digest 5 (MD5) hash is 128 bits. If someone tries to modify the data without changing its hash, they have a one in 230 billion, billion, billion, billion chance of doing it. A CRC hash is 32 bits and has a one in over 4 billion chance of a duplicate.
Screenshots
Screenshots are difficult to reproduce, even with a disk image. You can also take shots with a digital camera or your phone. Use Print Screen or a third-party app.
Witnesses
You need to interview witnesses and document their statements as soon as possible. In the future, some of those witnesses may not be around. Not all witness statements are 100% accurate; humans are fallible.