Sec+ Chapter 15: Digital Forensics Flashcards
Legal hold
A notice that informs organizations that they must preserve data and records that would otherwise be destroyed or modified under normal operating procedure
EDRM
Electronic discovery reference model
A nine-stage model that describes a legal e-discovery process
Order of volatility
A process that documents what data is most likely to be lost due to system operations or normal processes
7 Steps in Order of volatility
1) CPU cache and registers
2) Routing table, ARP cache, process table, kernel stats
3) System memory and RAM
4) Temporary files and swap space
5) Data on the hard disk
6) Remote logs
7) Backups
CPU cache and registers
Rarely captured as part of normal forensic effort
These are constantly changing as processing occurs, making them highly volatile
Process table, kernel stats, ARP cache
Ephemeral data
Can be captured through a combination of memory and disk acquisition
Capture can only be of the moment in time when acquisition is done
RAM
Difficult to gather information because it changes constantly, and the process of capturing information can alter it
Some of this information is never written to a drive like browsing history, clipboard info, encryption keys, ephemeral app data, and command history
Swap and pagefile info
An area of your storage device that you can use to swap info out of your RAM to free up memory for other apps to execute
Data is stored temporarily on the drive, transferred back from the swap file into RAM when it needs to execute, and swapped out again afterwards
Files and data on disk
Primary focus of many investigations
Create a bit-by-bit forensic clone of everything contained on that storage device
Need to capture the entire disk instead of a copy of files in order to see deleted files and other remaining artifacts
Operating system
The OS itself can contain useful info for an investigation
You can compare the OS and libraries against a known-good reference of what the OS and libraries should look like
Also capture other info like:
1) Number of logged in users and who they are
2) Open ports
3) Running processes
4) Attached device list
Firmware
Not a common artifact for forensics, but can be important if firmware was modified as part of an incident
Can help understand how a device was exploited, and once the firmware was installed what functionality the attacker had
Snapshots
A way to image a VM where the original snapshot is considered the full backup
Subsequent snapshots are incremental updates from the last snapshot
To recreate the VM you need the original snapshot and all incremental snaps taken from original
Can see all the information for the VM like OS, apps, user data, etc
Network traffic and logs
Detailed info or clues about what was sent or received, when, and over what port and protocol
Chain of custody
Documentation that details each time an artifact is accessed, transferred, or handled
Right to audit clause (cloud)
Provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency
Specifies how you can perform security audits of the data held in the cloud and make sure it's safe before a breach
Regulatory and jurisdiction concerns (cloud)
The law that covers your data, infrastructure, or services might not be the laws in your region
Data breach notification laws (cloud)
Contracts cover how long after a breach customers must be legally notified
Regulation changes from state to state and country to country
dd
Linux command that creates a bit-by-bit copy of all the information on a drive or in a directory
Useful if you need to capture the information to perform analysis later
FTK Imager
Imaging tool that can mount drives, image drives, or perform file utilities in a Windows executable
Capture images from other drives and store them in a format that can be read by other third party utilities
Its image formats are widely supported by other forensics tools, so you can capture information with FTK Imager and then use the image files in other utilities on other operating systems
It can even read encrypted drives, and it can read from and write to the dd, Ghost, or Expert Witness formats
WinHex
Windows utility that allows you to view information in hexadecimal mode, so you can pull out info from files, memory, or disks and view or edit it
There’s also disk cloning capabilities, secure wipes, and many other forensics tools built in
Provenance
The original source of the data and the chain of custody for how it’s been handled
Slack space
Open space on a HD
EX: If a 100 MB file is deleted and overwritten with a 25 MB file, 75 MB of slack space remains and partial recovery may be possible
Autopsy
Tool that provides digital forensics of information stored on a storage device or image file
Allows us to view and recover data, like downloaded files, browser history and cache, email messages, databases, etc
memdump
Use this utility to capture all the information in system memory and send it to a particular location on your system
Third party forensic tools can read this file and identify or locate information that’s stored in that memory file
You commonly store the memdump outside the system, using it in conjunction with netcat, stunnel, openssl, etc.
Admissibility
Not all data can be used in a court of law because there are different rules in different jurisdictions
The key part is that you collect the data with a set of standards that could allow it to be used if necessary:
1) Have legal authorization to collect
2) Use the right procedures and tools
3) Apply proper scientific principles during analysis
4) Have the right professional qualifications
Time offsets
Time zone information associated with the device you’re analyzing
It can be different based on OS, file system in place, or where the device is located
EX: FAT is stored in local time, but NTFS is stored in GMT
Event logs
Documents important OS or app events
Export and store for future use
Linux: /var/log
Windows: Event Viewer
Artifacts
Digital items left behind; can be stored in logs, flash memory, or the prefetch cache file