Lesson 18 Digital Forensics Flashcards
dd
Linux command to make an exact copy of a disk
use with if= to identify the input file
use with of= to identify the output file/img
example: dd if=/dev/sda of=/mnt/usbstick/backup.img
OoV
Order of Volatility - more volatile to less volatile
How to capture information from an incident of compromise or attack
Order is:
1. CPU registers and cache memory, including cache on disk controllers, GPUs, etc.
2. Non-persistent system memory - RAM, routing table, ARP cache, process table, kernel statistics, etc.
3. Data on persistent mass storage devices - HDDs, SSDs, flash memory devices, etc.
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media and print documents
pagefile
pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host’s RAM modules
Analysis tools can't interpret its contents directly, but it is possible to search it for strings
NetFlow or IPFIX
NetFlow
A Cisco-developed means of reporting network flow to a structured database
has a variety of monitoring tools to capture data for point-in-time analysis and to diagnose security and operational issues on the network
IPFIX - IP Flow Information Export
a standard based on a redevelopment of NetFlow
admissibility of data forensics
Capture of latent evidence (cannot be seen with the naked eye) requires physical evidence as well as documentation.
Documentation must prove that the evidence was collected without tampering or bias and what procedure was used to collect the data
admissibility requires both
Due process
to have a set of safeguards to ensure fairness
a central principle to digital forensics investigation
technicians and managers must be aware of the processes used in the investigation so as not to compromise it
Legal hold
Information which may be relevant to a court case must be preserved
can mean computer systems are taken by law enforcement and lawyers, which can be disruptive to a network
Chain of Custody
Chain of custody documentation reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation.
When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected.
Every person in the chain who handles evidence must log the methods and tools they used.
RAM Dump
A system memory dump creates an image file which can be analyzed to identify the running processes, contents of temporary file systems, registry data, network connections, cryptographic keys, and more
write blocker
a device attached to a system to make an image of the system while preventing any writes from happening on the system being copied/imaged
used in digital forensics to follow the chain of custody
FTK
Forensic Toolkit
toolkit for Windows for digital forensic investigation
The Sleuth Kit
an open-source collection of command-line tools and programming libraries for disk imaging and file analysis
Autopsy is a graphical front-end for these tools acting as a case management/workflow tool
available for Windows and Linux
eDiscovery
A means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database such that it can be used at trial
Software has been developed to assist in this process:
- Identify and de-duplicate files and metadata to reduce the volume of data
- Search on keywords and semantic context
- Tags to help organize the data by adding keywords or labels to files and metadata
- Security to prevent tampering
- Disclosure of the same evidence to both parties
timelines
need to tie events to specific times to establish a consistent and verifiable narrative
Note the local time offset due to daylight saving time, and whether UTC or local time is used
NTFS uses UTC while FAT uses local time
RNA
Retrospective Network Analysis (RNA) is a solution that provides the means to record network events at either the packet header or payload level
Counterintelligence and Strategic intelligence
Counterintelligence provides information about how to configure the system to help capture evidence of attempted and successful intrusions
Strategic intelligence uses data and research analysis to produce actionable insights which are used to build mature cybersecurity capabilities
Acquisition
the process of obtaining a forensically clean copy of data from a device held as evidence
Can be complicated by issues like BYOD: because the equipment is owned by the employee, there may be legal issues in getting the data
Data Acquisition
can be complicated as data can be lost depending on the type of data and state of the system
Must follow the Order of Volatility (OOV)
Live System Memory Acquisition
Requires a specialist hardware or software tool to be preinstalled, along with a kernel driver, to capture the contents of memory while the host is running
Hibernation file
a file created on the disk in the root folder of the boot volume when a Windows host is put into sleep mode
If it can be recovered, it can be decompressed and loaded into a software tool for analysis
malware can detect sleep mode and perform anti-forensics
Risks of Live Disk image Acquisition
this is a means of copying data while the host is running
Since the data on the disk can change, it may not produce legally acceptable evidence
It can also alert the attacker and allow them to perform anti-forensics
Risks of Static Acquisition by shutting down the host
malware can detect the shutdown and perform anti-forensics by removing traces of itself
Risks of Static Acquisition by pulling the plug
this can preserve the storage devices forensically but does run the risk of corrupting the data
Provenance of the Evidence
Same as chain of custody, must record the whole process to show the evidence derived directly from the crime scene
Disk Data Acquisition with Integrity and Non-Repudiation
Steps for preserving a target disk
1. Attach a forensics workstation equipped with a write blocker
2. Hash the target disk drive
3. Create a bit-for-bit copy or copies, for use in production (if safe), for the forensics team, and for an off-site third party
4. Hash the copied disk drives and make sure they match the original hash
5. Maintain the chain of custody by sealing up the target drive
6. Record the time offset
Disk Carving
Data recovery method performed by analyzing a disk or image of a disk for file fragments stored in slack space, like deleted or overwritten files.
Autopsy can perform this type of action
Snapshot for Live Acquisition
A snapshot is a live acquisition image of a persistent disk
Not as valid as an image taken with a write blocker, but may be the only means available
Usually used for a virtual machine or a cloud process
Issues with Digital Forensics in the Cloud
Limited by your Service Level Agreement (SLA) as to the right to audit that is permitted
On-demand nature of the cloud
The CSP has to maintain the chain of custody, which can be complex
Jurisdiction and data sovereignty may restrict the evidence the CSP can release to you
The CSP is bound by data breach and notification laws and regulations, which can be complex