Sec+ Chapter 15: Digital Forensics Flashcards

1
Q

Legal hold

A

A notice that informs orgs that they must preserve data and records that might be otherwise destroyed or modified according to normal operating procedure

2
Q

EDRM

A

Electronic discovery reference model

A nine stage model that describes a legal e-discovery process

3
Q

Order of volatility

A

A process that documents what data is most likely to be lost due to system operations or normal processes

4
Q

7 Steps in Order of volatility

A

1) CPU cache and registers

2) Routing table, ARP cache, process table, kernel stats

3) System memory and RAM

4) Temporary files and swap space

5) Data on the hard disk

6) Remote logs

7) Backups

5
Q

CPU cache and registers

A

Rarely captured as part of normal forensic effort

These are constantly changing as processing occurs, making them highly volatile

6
Q

Process table, kernel stats, ARP cache

A

Ephemeral data

Can be captured through a combination of memory and disk acquisition

Capture can only be of the moment in time when acquisition is done

7
Q

RAM

A

Difficult to gather information because it changes constantly, and the process of capturing information can alter it

Some of this information is never written to a drive like browsing history, clipboard info, encryption keys, ephemeral app data, and command history

8
Q

Swap and pagefile info

A

An area of your storage device that is used to swap information out of RAM to free up memory for other apps to execute

Data is stored temporarily on the drive, execution happens in RAM, and the data is transferred back from the swap file to RAM when it is needed again

9
Q

Files and data on disk

A

Primary focus of many investigations

Create a bit-by-bit forensic clone of everything contained on that storage device

Need to capture the entire disk instead of a copy of the files in order to see deleted files and other remaining artifacts

10
Q

Operating system

A

The OS itself can contain useful info for an investigation

You can compare the OS and libraries to what a known good OS and libraries look like for reference

Also capture other info like:

1) Number of logged in users and who they are

2) Open ports

3) Running processes

4) Attached device list

11
Q

Firmware

A

Not a common artifact for forensics, but can be important if firmware was modified as part of an incident

Can help you understand how a device was exploited, and what functionality the attacker had once the modified firmware was installed

12
Q

Snapshots

A

A way to image a VM where the original snapshot is considered the full backup

Subsequent snapshots are incremental updates from the last snapshot

To recreate the VM you need the original snapshot and all incremental snapshots taken since the original

Can see all the information for the VM like OS, apps, user data, etc

13
Q

Network traffic and logs

A

Detailed info or clues about what was sent or received, when, and over what port and protocol

14
Q

Chain of custody

A

Documentation that details each time an artifact is accessed, transferred, or handled

15
Q

Right to audit clause (cloud)

A

Provides either a direct ability to audit the cloud provider or an agreement to use a third party audit agency

Specifies how you can perform security audits of the data held in the cloud and make sure it’s safe before a breach

16
Q

Regulatory and jurisdiction concerns (cloud)

A

The laws that cover your data, infrastructure, or services might not be the laws of your region

17
Q

Data breach notification laws (cloud)

A

Contracts cover how long after a breach customers must be legally notified

Regulation changes from state to state and country to country

18
Q

dd

A

Linux command that creates a bit-by-bit copy of all the information on a drive or in a directory

Useful if you need to capture the information to perform analysis later

19
Q

FTK Imager

A

Imaging tool that can mount drives, image drives, or perform file utilities in a Windows executable

Capture images from other drives and store them in a format that can be read by other third party utilities

Widely supported by other forensics tools: capture information in FTK Imager, then use the image files in other utilities on other OSes

It can even read encrypted drives, and can read and write images in dd, Ghost, or Expert Witness formats

20
Q

WinHex

A

Windows utility that allows you to view information in hexadecimal mode, so you can pull out info from files, memory, or disks and view or edit it

There are also disk cloning capabilities, secure wipes, and many other forensics tools built in

21
Q

Provenance

A

The original source of the data and the chain of custody for how it’s been handled

22
Q

Slack space

A

Open space on an HD

EX: If a 100 MB file is deleted and overwritten with a 25 MB file (75 MB of slack space remains, so partial recovery is possible)

23
Q

Autopsy

A

Tool that provides digital forensics of information stored on a storage device or image file

Allows us to view and recover data, like downloaded files, browser history and cache, email messages, databases, etc

24
Q

memdump

A

Use this utility to capture all the information in system memory and send it to a particular location on your system

Third-party forensic tools can read this file and identify or locate information that’s stored in that memory file

You commonly store the memdump outside the system; to do this, you use it in conjunction with netcat, stunnel, openssl, etc.

25
Q

Admissibility

A

Not all data can be used in a court of law because there are different rules in different jurisdictions

The key part is that you collect the data with a set of standards that could allow it to be used if necessary:

1) Have legal authorization to collect

2) Use the right procedures and tools

3) Use proper scientific principles during analysis

4) Have the right professional qualifications

26
Q

Time offsets

A

Time zone information associated with the device you’re analyzing

It can be different based on OS, file system in place, or where the device is located

EX: FAT timestamps are stored in local time, but NTFS timestamps are stored in GMT

27
Q

Event logs

A

Documents important OS or app events

Export and store for future use

Linux: /var/log
Windows: Event Viewer

28
Q

Artifacts

A

Digital items left behind; can be stored in logs, flash memory, or the prefetch cache file