Lesson 18 Flashcards

1
Q

Key Aspects of Digital Forensics

A

DEFINITION: Collecting evidence from computer systems to a standard that will be accepted in a court of law

Evidence, documentation, and admissibility
•Latent evidence
•Collection must be documented
•Due process

Legal hold

Chain of custody
•Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation

2
Q

Digital Forensics

A

DEFINITION: Collecting evidence from computer systems to a standard that will be accepted in a court of law

3
Q

Evidence, documentation, and admissibility
•Latent evidence
•Collection must be documented
•Due process

A

Evidence, documentation, and admissibility
•Latent evidence - Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. This means that great care must be taken to ensure the admissibility of digital evidence.

•Collection must be documented - requires documentation showing how the evidence was collected and analyzed without tampering or bias.

•Due process - people can only be convicted of crimes following the fair application of the laws of the land. More generally, due process can be understood to mean having a set of procedural safeguards to ensure fairness.

4
Q

Legal hold

A

Legal hold refers to the fact that information that may be relevant to a court case
must be preserved. Information subject to legal hold might be defined by regulators
or industry best practice, or there may be a litigation notice from law enforcement or
lawyers pursuing a civil action. This means that computer systems may be taken as
evidence, with all the obvious disruption to a network that entails.

5
Q

Chain of Custody

A

Chain of custody

•Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation

6
Q

Digital Forensics Reports

A
  • Summarizes contents of the digital data
  • Conclusions from the investigator’s analysis
  • Professional ethics
    • Analysis must be performed without bias
    • Analysis methods must be repeatable
    • Evidence must not be changed or manipulated
7
Q

E-discovery

A

•Electronically Stored Information (ESI)
E-discovery software typically does the following:
•Identify and de-duplicate files and metadata
•Search
•Tags
•Security
•Disclosure

E-discovery is a means of filtering the relevant evidence (from ESI) produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

8
Q

Video and Witness Interviews

A

Video
•Record all actions
•Log/video steps taken

Witness interviews
•Informal statements
•Avoid leading questions
•Formal questioning

9
Q

Timelines

A

A significant part of a forensic investigation will involve tying events to specific times
to establish a consistent and verifiable narrative. The visual representation of events
happening in chronological order is called a timeline.

  • Sequence of events
  • Time stamps
    • OS/file system methods for recording time
    • Correct synchronization of local time source
  • Time offset
    • Coordinated Universal Time (UTC)
    • Local time
  • Date/time settings tampering
10
Q

Event Logs and Network Traffic

A

•Collect data from network logging servers
•Packet captures
•Retrospective Network Analysis (RNA) - a solution that provides the means to record network events at either a packet header or payload level.
•Record collection methods to establish provenance

11
Q

Strategic Intelligence and Counterintelligence

A

In some cases, an organization may conduct a forensics investigation without the
expectation of legal action. As well as being used in a legal process, forensics has a
role to play in cybersecurity. It enables the detection of past intrusions or ongoing but
unknown intrusions by close examination of available digital evidence.

  • Re-examine logs for signs of intrusion
  • Counterintelligence
    • Analyze adversary tactics, techniques, and procedures (TTP)
    • Develop better control configurations
  • Strategic intelligence
    • Inform risk management and security control provisioning to build mature cybersecurity capabilities
12
Q

Data Acquisition

A

The process of obtaining a forensically clean copy of data from a device held as evidence. If the computer system or device is not owned by the organization, there is the question of whether search or seizure is legally valid. This impacts bring-your-own-device (BYOD) policies.

13
Q

Computer on/off state

A

Data acquisition is also complicated by the fact that it is more difficult to capture
evidence from a digital crime scene than it is from a physical one. Some evidence will
be lost if the computer system is powered off; on the other hand, some evidence may
be unobtainable until the system is powered off. Additionally, evidence may be lost
depending on whether the system is shut down or “frozen” by suddenly disconnecting
the power.

14
Q

Order of volatility (CRSH)

A
CRSH:
•CPU registers and cache memory
•RAM (memory)
•Swap file
•Hard drive

Data acquisition usually proceeds by using a tool to make an image from the data
held on the target device. An image can be acquired from either volatile or nonvolatile
storage. The general principle is to capture evidence in the order of volatility, from
more volatile to less volatile.

1. CPU registers and cache memory
2. Non-persistent system memory (RAM)
3. Data on persistent storage
•Partition data and file system artefacts
•Cached system memory data (pagefiles and hibernation files)
•Temporary file caches
•User, application, and OS files and directories
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media

15
Q

Digital Forensics Software

A
  • EnCase Forensic and The Forensic Toolkit (FTK)
    • Commercial case management and evidence acquisition and analysis
  • The Sleuth Kit/Autopsy
    • Open-source case management and evidence acquisition and analysis
  • WinHex
    • Forensic recovery and analysis of binary data
  • The Volatility Framework
    • System memory analysis
16
Q

System Memory acquisition

A

System memory is volatile data held in Random Access Memory (RAM) modules.
Volatile means that the data is lost when power is removed. A system memory
dump creates an image file that can be analyzed to identify the processes that are
running, the contents of temporary file systems, registry data, network connections,
cryptographic keys, and more. It can also be a means of accessing data that is
encrypted when stored on a mass storage device.

17
Q

Methods of collecting the contents of system memory

A
  • Live acquisition
    • Pre-install kernel driver
  • Crash dump
    • Recover from fixed disk
  • Hibernation and page file
    • Recover from fixed disk
18
Q

Live acquisition

A
  • Live acquisition
    • Pre-install kernel driver

A specialist hardware or software tool can capture the contents of memory while the
host is running. Unfortunately, this type of tool needs to be preinstalled as it requires a
kernel mode driver to dump any data of interest.

19
Q

Crash dump

A
  • Crash dump
    • Recover from fixed disk

When Windows encounters an unrecoverable kernel error, it can write contents of
memory to a dump file at C:\Windows\MEMORY.DMP. On modern systems, there is
unlikely to be a complete dump of all the contents of memory, as these could take up
a lot of disk space. However, even mini dump files, stored in C:\Windows\Minidumps,
may be a valuable source of information.

20
Q

Hibernation File and Pagefile

A
  • Hibernation and page file
    • Recover from fixed disk

A hibernation file is created on disk in the root folder of the boot volume when
a Windows host is put into a sleep state. If it can be recovered, the data can be
decompressed and loaded into a software tool for analysis. The drawback is that
network connections will have been closed, and malware may have detected the use of
a sleep state and performed anti-forensics.

21
Q

Disk Image Acquisition

A
  • Non-volatile storage media and devices
  • Acquisition types
    • Live acquisition
    • Static acquisition by shutting down the host
    • Static acquisition by pulling the plug
  • Imaging utilities
    • Forensic software suites and file formats
    • dd
22
Q

Disk Image Acquisition types

A
  • Acquisition types
    • Live acquisition
    • Static acquisition by shutting down the host
    • Static acquisition by pulling the plug

• Live acquisition—this means copying the data while the host is still running. This
may capture more evidence or more data for analysis and reduce the impact on
overall services, but the data on the actual disks will have changed, so this method
may not produce legally acceptable evidence. It may also alert the adversary and
allow time for them to perform anti-forensics.

• Static acquisition by shutting down the host—this runs the risk that the malware will
detect the shutdown process and perform anti-forensics to try to remove traces of
itself.

• Static acquisition by pulling the plug—this means disconnecting the power at the
wall socket (not the hardware power-off button). This is most likely to preserve the
storage devices in a forensically clean state, but there is the risk of corrupting data.

23
Q

Imaging utilities

A
  • Forensic software suites and file formats
  • dd

There are many GUI imaging utilities, including those packaged with suites such as the
Forensic Toolkit and its FTK Imager. You should note that the EnCase forensics suite
uses a vendor file format (.e01) compared to the raw file format used by Linux tools
like dd. The file format is important when it comes to selecting a tool for analyzing the
image. The .e01 format allows image metadata (such as the checksum, drive geometry,
and acquisition time) to be stored within the same file. The open-source Advanced
Forensic Format (AFF) provides similar features.

24
Q

dd

A

If no specialist tool is available, on a Linux host you can use the dd command to make
a copy of an input file (if=) to an output file (of=) and apply optional conversions to
the file data. In the following sda is the fixed drive:

dd if=/dev/sda of=/mnt/usbstick/backup.img

25
Q

Provenance (Preservation and integrity of evidence)

A
  • Provenance
    • Record process of evidence acquisition
    • Use a write blocker

It is vital that the evidence collected at the crime scene conform to a valid timeline.
Digital information is susceptible to tampering, so access to the evidence must be
tightly controlled. Recording the whole process establishes the provenance of the
evidence as deriving directly from the crime scene.
To obtain a forensically sound image from nonvolatile storage, you need to ensure that
nothing you do alters data or metadata (properties) on the source disk or file system. A
write blocker assures this process by preventing any data on the disk or volume from
being changed by filtering write commands at the driver and OS level. Data acquisition
would normally proceed by attaching the target device to a forensics workstation or
field capture device equipped with a write blocker.

26
Q

Data acquisition with integrity and non-repudiation

A

Data acquisition with integrity and non-repudiation
•Cryptographic hashing and checksums
•Take hashes of source device, reference image, and copy of image for analysis

Once the target disk has been safely attached to the forensics workstation, data
acquisition proceeds as follows:
1. A cryptographic hash of the disk media is made, using either the MD5 or SHA
hashing function. The output of the function can be described as a checksum.
2. A bit-by-bit copy of the media is made using the imaging utility.
3. A second hash is then made of the image, which should match the original hash
of the media.
4. A copy is made of the reference image, validated again by the checksum. Analysis
is performed on the copy.
This proof of integrity ensures non-repudiation. If the provenance of the evidence
is certain, the threat actor identified by analysis of the evidence cannot deny their
actions. The checksums prove that no modification has been made to the image.

27
Q

Preservation of evidence

A
Preservation of evidence
•Secure tamper-evident bagging
•Protection against electrostatic discharge (ESD)
•Chain of custody
•Secure storage facility

The host devices and media taken from the crime scene should be labeled, bagged,
and sealed, using tamper-evident bags. It is also appropriate to ensure that the
bags have antistatic shielding to reduce the possibility that data will be damaged
or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of
evidence should be documented by a chain of custody form which records where,
when, and who collected the evidence, who subsequently handled it, and where it
was stored.

The evidence should be stored in a secure facility; this not only means access control,
but also environmental control, so that the electronic systems are not damaged by
condensation, ESD, fire, and other hazards. Similarly, if the evidence is transported, the
transport must also be secure.

28
Q

Acquisition of Other Data

A
  • Network
  • Cache
    • File system cache (temporary files)
    • Hardware cache
  • Artifacts and data recovery
    • Windows Alternate Data Streams (ADS)
    • File caches (prefetch and Amcache)
    • Slack space and file carving
  • Snapshot
    • Acquisition of VM disk images
  • Firmware
29
Q

Acquisition of Network data

A

Network
Packet captures and traffic flows can contain very valuable evidence, if the capture was
running at the right time and in the right place to record the incident. As with memory
forensics, the issue for forensics lies in establishing the integrity of the data. Most
network data will come from a SIEM.

30
Q

Acquisition of Cache Data

A
  • Cache
    • File system cache (temporary files)
    • Hardware cache

Cache can refer either to hardware components or software. Software-based cache is
stored in the file system and can be acquired as part of a disk image. For example, each
browser has a cache of temporary files, and each user profile has a cache of temp files.
Some cache artifacts generated by the OS and applications are held in memory only,
such as portions of the registry, cryptographic keys, password hashes, some types of
cookies, and so on. The contents of hardware cache (CPU registers and disk controller
read/write cache, for instance) are not generally recoverable.

31
Q

Artifacts and data recovery

A
  • Artifacts and data recovery
    • Windows Alternate Data Streams (ADS)
    • File caches (prefetch and Amcache)
    • Slack space and file carving

An artifact is any type of data that is not part of the mainstream data structures
of an operating system. For example, the Windows Alternate Data Streams (ADS)
feature is often used to conceal file data, and various caches, such as prefetch and
Amcache, can be used to find indicators of suspicious process behavior.
Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in
slack space. These fragments might represent deleted or overwritten files. The process
of recovering them is referred to as carving.

32
Q

Slack space and file carving

A

Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in
slack space. These fragments might represent deleted or overwritten files. The process
of recovering them is referred to as carving.

33
Q

Snapshot

A
  • Snapshot
    • Acquisition of VM disk images

A snapshot is a live acquisition image of a persistent disk. While this may have less
validity than an image taken from a device using a write blocker, it may be the only
means of acquiring data from a virtual machine or cloud process.

34
Q

Firmware

A

Firmware is usually implemented as flash memory. Some types, such as the PC
firmware, can potentially be extracted from the device or from system memory using
an imaging utility. It likely will be necessary to use specialist hardware to attach the
device to a forensic workstation, however.

35
Q

Digital Forensics for Cloud

A

With an on-premises investigation, the right to seize and analyze devices is usually
fairly unproblematic. There may be availability issues with taking a system out of
service, and bring-your-own-device policies can be more complex, but essentially as all
the equipment is the company’s property, there are no third-party obstacles.
While companies can operate private clouds, forensics in a public cloud are
complicated by the right to audit permitted to you by your service level agreement
(SLA) with the cloud provider. Two more issues with forensics investigations of cloud-hosted
processing and data services are as follows:

  • Right to audit clauses
  • Limited opportunities for recovery of ephemeral images
    • Ability to snapshot instances
    • Recover log and monitoring data
  • Complex chain of custody issues
  • Complex regulatory/jurisdiction issues
  • Data breach notification laws
36
Q

Right to Audit Clauses (Cloud)

A

While companies can operate private clouds, forensics in a public cloud are
complicated by the right to audit permitted to you by your service level agreement
(SLA) with the cloud provider.

37
Q

Limited opportunities for recovery of ephemeral images

A
  • Limited opportunities for recovery of ephemeral images
    • Ability to snapshot instances
    • Recover log and monitoring data

The on-demand nature of cloud services means that instances are often created
and destroyed again, with no real opportunity for forensic recovery of any data.
Cloud providers can mitigate this to some extent with extensive logging and
monitoring options. A CSP might also provide an option to generate file system
and memory snapshots from containers and VMs in response to an alert condition
generated by a SIEM.

38
Q

Complex chain of custody issues (cloud)

A

Chain of custody issues are complex and might have to rely on the CSP to select and
package data for you. The process should be documented and recorded as closely
as is possible.

39
Q

Complex regulatory/jurisdiction issues (cloud)

A

Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to
release to you.

40
Q

Data breach notification laws (cloud)

A

• If the CSP is a data processor, it will be bound by data breach notification laws and
regulations. Coordinating the timing of notification and contact with the regulator
between your organization and the CSP can be extremely complex, especially if
there is an ongoing incident requiring confidentiality.