Security Plus - Chapter 15 Flashcards
Digital Forensics
The acquisition and analysis of drives, files, copies of live memory, and any other digital artifacts that are created in the normal process of using computers and networks. These techniques are used for tasks ranging from responding to legal cases to conducting internal investigations and supporting incident response processes. Planning for the gathering of digital forensics data is essential for incident response, internal investigations, and responding to legal cases.
Legal Holds
A notice that informs an organization that it must preserve data and records that might be destroyed or modified in the course of its normal operations. This includes backups, paper documents, and electronic files.
Spoliation of Evidence
Intentionally, recklessly, or negligently altering, destroying, fabricating, hiding, or withholding evidence relevant to legal matters.
eDiscovery
The electronic discovery of evidence required from parties involved in a legal case. Legal holds are the first part of the eDiscovery process.
Electronic Discovery Reference Model (EDRM) - A framework for the eDiscovery process. Nine stages of the EDRM framework:
- Information governance before the fact to assess what data exists and to allow scoping and control of what data needs to be provided.
- Identification of electronically stored information so that you know what you have and where it is.
- Preservation of the information to ensure that it isn’t changed or destroyed.
- Collection of the information so that it can be processed and managed as part of the collection process.
- Processing of the data to remove unneeded or irrelevant information, as well as preparing it for review and analysis by formatting or collating it.
- Review of the data to ensure that it only contains what it is supposed to, and that information that should not be shared is not included.
- Analysis of the information to identify key elements like topics, terms, and individuals or organizations.
- Production of the data to provide the information to third parties or those involved in legal proceedings.
- Presentation of the data, both for testimony in court and for further analysis with experts or involved parties.
Conducting Digital Forensics
Forensic data is acquired using forensics tools like disk and memory imagers, image analysis and timelining tools, and low-level editors that can display detailed information about the contents and structure of data on the disks.
Acquiring Forensic Data
The process of retrieving Electronically Stored Information (ESI) from suspected digital assets.
Order of Volatility
Documents what data is most likely to be lost due to system operations or normal processes.
Most volatile to least:
- CPU cache and registers
- Routing table, ARP cache, process table, kernel statistics
- System memory
- Temporary files and swap space
- Data on the hard drives
- Remote logs
- Backups
Common Forensic Data Locations
CPU cache - Rarely directly captured in a normal forensic effort. It is possible to capture some of this information using specialized hardware or software.
Ephemeral data - The process table, kernel statistics, the system’s ARP cache, and similar information can be captured through a combination of memory and disk acquisition. This is a moment-in-time data capture.
Random Access Memory (RAM) - Memory can contain encryption keys, ephemeral data from applications, and information that may not be written to the disk.
Swap and pagefile information - Disk space used to supplement physical memory.
Files and data on disk - This data changes more slowly but is the primary focus of many investigations. Capture the entire disk in forensics so deleted files and other artifacts can be discovered.
The operating system - The Windows registry is a common target for analysis since many activities in Windows modify or update the registry.
Devices - Smartphones, tablets, IoT devices, and embedded or specialized systems may contain data to assist.
Firmware - Less frequently targeted, but knowing how to copy the firmware from a device can be necessary if the firmware was modified as part of an incident.
Snapshots - VMs are a common artifact, so their snapshots are becoming a target of investigations.
Network traffic and logs - Can provide detailed information about what was sent or received, when, via what port and protocol, as well as other details.
Artifacts like devices, printouts, media, and other items related to investigations can provide useful data.
Chain-of-custody is essential when handling any of the data being collected for a forensic investigation. It is required for the evidence to be admissible in legal matters. Admissibility also requires the data to be intact and unaltered, and to have provably remained unaltered before, during, and after the forensic process.
Cloud Forensics
Cloud environments have provided new challenges for organizations moving parts of their systems to a cloud-hosted environment.
Organizations need to consider:
- Right-to-audit clause - Provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency.
- Regulatory requirements - May vary depending on where the cloud provider operates or where it is headquartered. The laws that govern the organization's data, services, or infrastructure may not be the same as those that govern the cloud service provider.
- Jurisdiction concerns - Local jurisdictions may have rights to access the data with a search warrant or other legal instrument. Where data may be hosted can be controlled with a contract clause between the organization and the cloud service provider.
- Breach notification clause - Data breach notification laws vary from country to country and even state to state.
Acquisition Tools
dd - Linux-based command line utility that allows you to create images for forensic or other purposes. Takes arguments such as the input location, the output location, and flags describing what action will be taken. When creating a forensic image, record the MD5sum hash of the image. This is used to validate that no changes occurred from the original image.
FTK Imager - Supports raw (dd), SMART, E01, and AFF file formats for creating forensic images. Can image physical and logical drives, image files, folders, and CD/DVD volumes. Can also capture live memory from a system. Can use MD5 and SHA1 hashes.
WinHex - A disk editing tool that can also acquire disk images in raw format or WinHex format. Useful for directly reading and modifying data from a drive, memory, RAID arrays, and other filesystems.
Network Forensic Data
Forensic data collected from wired, wireless, and cellular networks. Because network traffic is ephemeral, capturing traffic for a forensic investigation often requires a direct effort to capture and log the data in advance. It can be used in conjunction with firewall, IDS/IPS, email server, and authentication logs to collect forensic artifacts.
Frequently use a packet analyzer like Wireshark to review captured network traffic.
Acquiring Data from Virtual Machines
VMs are often running in a shared environment where removal of a system could cause a disruption to other systems. Imaging the entire host would provide too much data for the investigation. Snapshots are used to isolate the information that would need to be collected for a specific system on a host and not affect the other systems being hosted.
Acquiring Data from Containers
Because containers are designed to be ephemeral and their resources are often shared, they create fewer forensic artifacts. Containers can be paused, but capturing them and returning them to a sound state can be a challenge.
Validating Forensic Data
The most common way to validate that a forensic copy matches the original copy is to create a hash of the copy as well as a hash of the original drive, then compare them. MD5 and SHA1 are useful for quickly hashing forensic images. They can be stored as part of the chain-of-custody and forensic documentation for a case.
Copying a file or folder is called a logical copy. The data will be preserved, but it will not exactly match the state of the original drive or device. It is essential in forensic analysis to preserve the full content at a bit-by-bit level. These forensic copies preserve the exact structure of the drive with deleted file remnants, metadata, and time stamps.
The hash value of the drive is used as a checksum to ensure the drive has not been modified since the image was created.
Documenting the provenance (where the image or drive came from and what happened with it) is critical to the presentation of a forensic analysis.
Data Recovery
Recovery of systems for a forensic investigation is a common practice. A recovery tool or a manual process can be performed to return the deleted file to its last known state. This requires reviewing the drive, finding the files based on headers or metadata, then recovering the files and file fragments.