Lesson 18 Digital Forensics Flashcards

1
Q

dd

A

Linux command to make an exact copy of a disk

use with if= to identify the input file
use with of= to identify the output file/img

example: dd if=/dev/sda of=/mnt/usbstick/backup.img

2
Q

OoV

A

Order of Volatility - from more volatile to less volatile
The order in which to capture information from an incident of compromise or attack.
Order is:
1. CPU registers and cache memory, including cache on disk controllers, GPUs, etc.
2. Non-persistent system memory: RAM, routing table, ARP cache, process table, kernel statistics, etc.
3. Data on persistent mass storage devices: HDDs, SSDs, flash memory devices, etc.
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media and print documents
3
Q

pagefile

A

pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host’s RAM modules

Analysis tools can't interpret it, but it is possible to search it for strings

4
Q

NetFlow or IPFIX

A

NetFlow
A Cisco-developed means of reporting network flow information to a structured database

A variety of monitoring tools use it to capture data for point-in-time analysis and to diagnose security and operational issues on the network

IPFIX - IP Flow Information Export
A standard derived from a redevelopment of NetFlow

5
Q

admissibility of data forensics

A

Capture of latent evidence (cannot be seen with the naked eye) requires physical evidence as well as documentation.

Documentation must prove that the evidence was collected without tampering or bias, and must describe the procedure used to collect the data

admissibility requires both

6
Q

Due process

A

to have a set of safeguards to ensure fairness

a central principle to digital forensics investigation

technicians and managers must be aware of the processes used in an investigation so as not to compromise the investigation

7
Q

Legal hold

A

Information which may be relevant to a court case must be preserved

can mean computer systems are taken by law enforcement and lawyers, which can be disruptive to a network

8
Q

Chain of Custody

A

Chain of custody documentation reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation.
When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected.
Every person in the chain who handles evidence must log the methods and tools they used.

9
Q

RAM Dump

A

A system memory dump creates an image file which can be analyzed to identify the running processes, contents of temporary file systems, registry data, network connections, cryptographic keys, and more

10
Q

write blocker

A

a device attached to a system to make an image of it while preventing any writes to the system being copied/imaged

used in digital forensics to follow the chain of custody

11
Q

FTK

A

Forensic Toolkit

toolkit for Windows for digital forensic investigation

12
Q

The Sleuth Kit

A

an open-source collection of command-line tools and programming libraries for disk imaging and file analysis

Autopsy is a graphical front-end for these tools acting as a case management/workflow tool

available for Windows and Linux

13
Q

eDiscovery

A

A means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database such that it can be used at trial

Software has been developed to assist in this process:

  • Identify and de-duplicate files and metadata to reduce the volume of data
  • Search on keywords and semantic context
  • Tags to help organize the data by adding keywords or labels to files and metadata
  • Security to prevent tampering
  • Disclosure of the same evidence to both parties
14
Q

timelines

A

need to tie events to specific times to establish a consistent and verifiable narrative

Note the local time offset, due to daylight saving time or the use of UTC vs local time

NTFS uses UTC while FAT uses local time

15
Q

RNA

A

Retrospective Network Analysis (RNA): a solution which provides the means to record network events at either the packet header or the payload level

16
Q

Counterintelligence and Strategic intelligence

A

Counterintelligence provides information about how to configure the system to help capture evidence of attempted and successful intrusions

Strategic intelligence uses data and research analysis to produce actionable insights which are used to build mature cybersecurity capabilities

17
Q

Acquisition

A

the process of obtaining a forensically clean copy of data from a device held as evidence

Can be complicated by items like BYOD: since the equipment is owned by the employee, there may be legal issues in obtaining the data

18
Q

Data Acquisition

A

can be complicated as data can be lost depending on the type of data and state of the system

Must follow the Order of Volatility (OOV)

19
Q

Live System Memory Acquisition

A

Requires a specialist hardware or software tool to be preinstalled, along with a kernel driver, to capture the contents of memory while the host is running

20
Q

Hibernation file

A

a file created on the disk in the root folder of the boot volume when a Windows host is put into sleep mode

If it can be recovered, it can be decompressed and loaded into a software tool for analysis

malware can detect sleep mode and perform anti-forensics

21
Q

Risks of Live Disk image Acquisition

A

this is a means of copying data while the host is running

Since the data on the disk can change, it may not produce legally acceptable evidence
It can also alert the attacker and allow them to perform anti-forensics

22
Q

Risks of Static Acquisition by shutting down the host

A

malware can detect the shutdown and perform anti-forensics by removing traces of itself

23
Q

Risks of Static Acquisition by pulling the plug

A

this can preserve the storage devices forensically but does run the risk of corrupting the data

24
Q

Provenance of the Evidence

A

As with chain of custody, the whole process must be recorded to show that the evidence derived directly from the crime scene

25
Q

Disk Data Acquisition with Integrity and Non-Repudiation

A

Steps for preserving a target disk
1. Attach a forensics workstation equipped with a write blocker
2. Hash the target disk drive
3. Create a bit-for-bit copy or copies, for use in production (if safe), for the forensics team, and for an off-site third party
4. Hash the copied disk drives and make sure they match the original hash
5. Maintain the chain of custody by sealing up the target drive
6. Record the time offset

26
Q

Disk Carving

A

Data recovery method performed by analyzing a disk or image of a disk for file fragments stored in slack space, like deleted or overwritten files.

Autopsy can perform this type of action

27
Q

Snapshot for Live Acquisition

A

A snapshot is a live acquisition image of a persistent disk

Not as valid as an image from a write blocker, but may be the only means available

Usually used for a virtual machine or a cloud process

28
Q

Issues with Digital Forensics in the Cloud

A

Limited by the Service Level Agreement (SLA) as to the right to audit that is permitted

On-demand nature of the cloud

The CSP has to maintain the chain of custody, which can be complex

Jurisdiction and data sovereignty may restrict the evidence the CSP can release to you

The CSP is bound by data breach and notification laws and regulations, which can be complex