Topic 12B Flashcards
Due process
used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
Ensures fairness through procedural safeguards.
Legal hold
refers to the fact that information that may be relevant to a court case must be preserved.
Information subject to legal hold might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or lawyers pursuing a civil action.
This means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails.
Data acquisition
is also complicated by the fact that it is more difficult to capture evidence from a digital crime scene than it is from a physical one.
Some evidence will be lost if the computer system is powered off; on the other hand, some evidence may be unobtainable until the system is powered off.
order of volatility
The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.
SOC best practice guide to evidence collection and archiving
2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.
3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
   - Partition and file system blocks, slack space, and free space.
   - System memory caches, such as swap space/virtual memory and hibernation files.
   - Temporary file caches, such as the browser cache.
   - User, application, and OS files and directories.
4. Remote logging and monitoring data.
5. Physical configuration and network topology.
6. Archival media and printed documents.
Volatile
the data is lost when power is removed
A system memory dump
creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more.
It can also be a means of accessing data that is encrypted when stored on a mass storage device.
Nonvolatile storage includes
disk drives (HDDs), solid state drives (SSDs), firmware, other types of flash memory (USB thumb drives and memory cards), and optical media (CD, DVD, and Blu-ray).
This can also be referred to as device acquisition, meaning the SSD storage in a smartphone or media player.
Live acquisition
this means copying the data while the host is still running.
This may capture more evidence or more data for analysis and reduce the impact on overall services, but the data on the actual disks will have changed,
Static acquisition by shutting down the host
this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
Static acquisition by pulling the plug
this means disconnecting the power at the wall socket (not the hardware power-off button).
This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.
on a Linux host, the dd command
makes a copy of an input file (if=) to an output file (of=). In the following, sda is the fixed drive:
dd if=/dev/sda of=/mnt/usbstick/backup.img
provenance
In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
valid timeline
In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.
Once the target disk has been safely attached to the forensics workstation, data acquisition proceeds as follows:
A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function.
A bit-by-bit copy of the media is made using an imaging utility.
A second hash is then made of the image, which should match the original hash of the media.
A copy is made of the reference image, validated again by the checksum.
Analysis is performed on the copy.