Topic 12B Flashcards
Due process
used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
Ensures fairness through procedural safeguards.
Legal hold
refers to the fact that information that may be relevant to a court case must be preserved.
Information subject to legal hold might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or lawyers pursuing a civil action.
This means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails.
Data acquisition
is also complicated by the fact that it is more difficult to capture evidence from a digital crime scene than it is from a physical one.
Some evidence will be lost if the computer system is powered off; on the other hand, some evidence may be unobtainable until the system is powered off.
order of volatility
The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.
The ISOC best practice guide to evidence collection and archiving (RFC 3227) sets out the general order as follows:
1. CPU registers and cache memory.
2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.
3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
   - Partition and file system blocks, slack space, and free space.
   - System memory caches, such as swap space/virtual memory and hibernation files.
   - Temporary file caches, such as the browser cache.
   - User, application, and OS files and directories.
4. Remote logging and monitoring data.
5. Physical configuration and network topology.
6. Archival media and printed documents.
Volatile
the data is lost when power is removed
A system memory dump
creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more.
It can also be a means of accessing data that is encrypted when stored on a mass storage device.
Nonvolatile storage includes
disk drives (HDDs), solid state drives (SSDs), firmware, other types of flash memory (USB thumb drives and memory cards), and optical media (CD, DVD, and Blu-ray).
Acquiring the flash storage built into a smartphone or media player is also referred to as device acquisition.
Live acquisition
this means copying the data while the host is still running.
This may capture more evidence or more data for analysis and reduce the impact on overall services, but the data on the actual disks will have changed during the copy, because the running system keeps writing to them.
Static acquisition by shutting down the host
this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
Static acquisition by pulling the plug
this means disconnecting the power at the wall socket (not the hardware power-off button).
This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.
on a Linux host, the dd command
makes a copy of an input file (if=) to an output file (of=). In the following, sda is the fixed drive being imaged, and the image is written to a separate USB drive, never back to the evidence disk. The evidence disk should be attached through a write blocker so that nothing, the OS included, can write to it while it is being read:
dd if=/dev/sda of=/mnt/usbstick/backup.img
provenance
In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
valid timeline
In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.
Once the target disk has been safely attached to the forensics workstation, data acquisition proceeds as follows:
A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function (SHA-256 is preferred today, since MD5 is no longer collision resistant; many labs record both).
A bit-by-bit copy of the media is made using an imaging utility.
A second hash is then made of the image, which should match the original hash of the media.
A copy is made of the reference image, validated again by the checksum.
Analysis is performed on the copy.
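The five acquisition steps above as one runnable procedure, added here as an example rather than taken from the original flashcards. The block-wise copy does what `dd if=... of=... bs=...` does, and hashlib stands in for md5sum/sha256sum; the "disk" is a constructed file so that it runs without a real device (on a workstation the same functions take a device node such as /dev/sdb as the media path). Function names and the record layout are the example's own.

```python
"""Verified disk-image acquisition: hash media, image it, hash the image,
make a working copy, verify again, analyse only the copy.

Added example (not from the original flashcards). Names are the example's own.
"""
import hashlib
import os
import random
import shutil
import tempfile

BLOCK_SIZE = 1 << 20  # like dd's bs=; 1 MiB reads are sensible for real media


def hash_file(path, algo="sha256", block_size=BLOCK_SIZE):
    """Stream a file (or device node) through a hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_media(source, image, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of source to image, block by block; returns bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def acquire(media, evidence_dir, algo="sha256"):
    """Run the acquisition steps and return the record that goes in the case notes.

    media: evidence device node (e.g. /dev/sdb, behind a write blocker) or a file.
    evidence_dir: directory on the forensic workstation's own storage.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    reference = os.path.join(evidence_dir, "reference.img")
    working = os.path.join(evidence_dir, "working.img")

    media_hash = hash_file(media, algo)            # step 1: hash the media
    size = image_media(media, reference)           # step 2: bit-by-bit image
    reference_hash = hash_file(reference, algo)    # step 3: hash the image
    if reference_hash != media_hash:
        raise RuntimeError("reference image does not match media hash; re-acquire")
    shutil.copyfile(reference, working)            # step 4: copy of the reference image
    if hash_file(working, algo) != media_hash:     # ...validated again
        raise RuntimeError("working copy does not match media hash")
    return {"algo": algo, "media_hash": media_hash, "bytes": size,
            "reference": reference, "working_copy": working, "verified": True}


def verify_image(path, expected_hash, algo="sha256"):
    """Re-check an image against the recorded hash before each analysis session."""
    return hash_file(path, algo) == expected_hash


def make_sample_media(path, size=256 * 1024, seed=3):
    """Constructed stand-in for a disk: pseudo-random bytes in a regular file."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(size)))
    return path


def new_case_dir():
    """Fresh temporary directory standing in for the workstation's evidence store."""
    return tempfile.mkdtemp(prefix="case-")


def flip_byte(path, offset):
    """Corrupt one byte in place (simulates a tampered or damaged image)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([b ^ 0xFF]))


if __name__ == "__main__":
    case = new_case_dir()
    media = make_sample_media(os.path.join(case, "evidence.raw"))
    record = acquire(media, os.path.join(case, "images"))
    print(record)
    flip_byte(record["working_copy"], 100)  # step 5 analysis happens on this copy
    print("working copy still verifies:",
          verify_image(record["working_copy"], record["media_hash"]))
    print("reference image still verifies:",
          verify_image(record["reference"], record["media_hash"]))
```

Imaging tools built for this job (dc3dd, ewfacquire, FTK Imager) hash while they copy, so the media is read once rather than twice as here, and they log read errors per block; the verification logic is the same. A failed re-check of the working copy, as simulated above, is why analysis is never done on the reference image: the reference stays pristine and the working copy is simply re-created from it.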
Tamper-evidence bags should have antistatic shielding to reduce the possibility of what?
data will be damaged or corrupted on the electronic media by electrostatic discharge (ESD).
Chain of custody
documentation records where, when, and who collected the evidence, who subsequently handled it, and where it was stored. This establishes the integrity and proper handling of evidence.
Protects organizations from legal accusations involving tampering.
Digital forensics reporting
summarizes the significant contents of the digital data and the conclusions from the investigator's analysis.
strong ethical principles must guide forensics analysis:
Analysis must be performed without bias.
Analysis methods must be repeatable by third parties with access to the same evidence.
If a device used as evidence must be manipulated to facilitate analysis (disabling the lock feature of a mobile phone or preventing a remote wipe, for example), the reasons for doing so must be sound and the process of doing so must be recorded.
E-discovery
is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.
Some of the functions of e-discovery suites are as follows:
Identify and de-duplicate files and metadata—many files on a computer system are "standard" installed files or copies of the same file. Removing them reduces the volume of data to review.
Search—allow investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Semantic search matches keywords if they correspond to a particular context.
Tags—apply standardized keywords or labels to files and metadata to help organize the evidence.
Security
Disclosure—an important part of trial procedure is that the same evidence be made available to both plaintiff and defendant.
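The de-duplication, known-file filtering, keyword search and tagging functions above as a small triage pipeline over a set of collected files. This is an added example, not part of the original flashcards and not the code of any e-discovery product: real suites parse document formats and add semantic search, while this one works on plain-text files with exact keyword matching. The sample files, the known-file hash set and the keyword list are constructed, and the function names are the example's own.

```python
"""E-discovery triage: de-duplicate collected files by hash, drop known standard
files, keyword-search what is left and tag the hits.

Added example (not from the original flashcards). Names are the example's own.
"""
import hashlib
import os
import re
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root):
    """Walk root and return {sha256: [paths]}: identical files collapse onto one hash."""
    by_hash = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            by_hash.setdefault(sha256_of(p), []).append(p)
    return by_hash


def filter_known(by_hash, known_hashes):
    """Drop files whose hash is in the known-file set (standard OS/application files)."""
    return {h: paths for h, paths in by_hash.items() if h not in known_hashes}


def search_and_tag(by_hash, keywords):
    """Search each unique file once; a keyword that matches becomes a tag on the hit."""
    hits = []
    for h, paths in by_hash.items():
        with open(paths[0], "r", encoding="utf-8", errors="replace") as f:
            text = f.read().lower()
        tags = sorted(kw for kw in keywords
                      if re.search(r"\b" + re.escape(kw.lower()) + r"\b", text))
        if tags:  # duplicates are reported with the hit, not searched again
            hits.append({"sha256": h, "paths": sorted(paths), "tags": tags})
    return hits


def triage(root, known_hashes, keywords):
    """Full pipeline: collect -> de-duplicate -> drop known files -> search/tag."""
    return search_and_tag(filter_known(collect(root), known_hashes), keywords)


def build_sample_collection():
    """Constructed evidence set: a memo, a duplicate of it, notes, a standard file, noise."""
    root = tempfile.mkdtemp(prefix="ediscovery-")
    memo = "Board memo: the Q3 forecast was revised after the merger talks."
    files = {
        "docs/q3-forecast.txt": memo,
        "docs/q3-forecast_copy.txt": memo,  # byte-identical duplicate
        "home/notes.txt": "Lunch with legal about the merger and the forecast numbers.",
        "sys/readme.txt": "Standard installed file; see the board of contributors.",
        "home/todo.txt": "Renew parking permit.",
    }
    for rel, body in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as f:
            f.write(body)
    # Known-file set (think NSRL): the vendor readme is "standard" and not evidence,
    # even though it happens to contain the keyword "board".
    known = {hashlib.sha256(files["sys/readme.txt"].encode()).hexdigest()}
    return root, known


if __name__ == "__main__":
    root, known = build_sample_collection()
    for hit in triage(root, known, ["merger", "forecast", "board"]):
        print(hit["tags"], [os.path.relpath(p, root) for p in hit["paths"]])
```

Hashing before searching is what makes the volume reduction safe: the memo and its copy are searched once and produced once, with the duplicate path kept on the record so that disclosure can still show where every copy was found.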