Week 1 - Introduction to LDF Flashcards
Define Digital Forensics
Forensics = the application of scientific methods & techniques to criminal investigations USED IN A COURT OF LAW.
Digital Forensics encompasses the recovery & investigation of material found in digital devices.
Define LDF
The forensic acquisition and / or analysis of data from a running (live) digital system for use in a court of law.
The difficulty is doing this while maintaining the integrity of the evidence; the aim is to minimise the damage that the suspect can do to the evidence.
What About the ACPO Principles For Digital Evidence?
ACPO Principle 1. No actions taken by LE or their agents should change data held on computer or storage media which may subsequently be relied upon in court.
Not always compatible with LDF acquisition.
LDF may be necessary and therefore go against this principle.
When to Conduct LDF
- When switching off the device is likely to make evidence inaccessible, e.g.
  - Where disk encryption is in use and no encryption key is available
  - Where online storage is used and access will be lost once the device is switched off
- Where switching off the device is impractical, e.g.
  - Production servers in very large organisations (Amazon, eBay etc., where very large monetary loss will occur and LE may be liable)
  - Servers where human life may be at risk if shut down
- When crucial data is likely to reside only in RAM (volatile), e.g.
  - Instant messenger conversations
  - Traces of intrusions / malware
  - Passwords typed by the user
  - Encrypted files or text
  - Clipboard contents (copied passwords or texts)
  RAM can contain crucial data because suspects have no control over what is stored there.
- When post mortem techniques are not viable due to lack of equipment or resources, e.g. when evidence is contained on rare or custom made storage, or when there is a need to ID a small no. of relevant systems among a large no. of potentials with limited time / resources (e.g. a uni with 2,000 computers and the evidence is only on one; triage by LDF)
- Where intelligence information is needed quickly, e.g. life at risk, a kidnapping, or the location for a bomb threat. Here life takes priority over evidential gathering.
The final decision on whether to conduct LDF depends on the situation & a number of factors incl. time, type of investigation, type of suspect, environment and local laws.
When NOT to conduct LDF
- When the critical data can be obtained in another way
- Once the required data or info has been obtained
- Need to justify the decision to do LDF continuously with every new action. Stop LDF when the necessity no longer exists.
Differences between offline digital forensics (PM forensics) and LDF.
In LDF the investigator is interacting with a suspect’s untrusted environment. This means the investigator is changing the suspect’s environment, & data is always changing even when nothing is done (e.g. updates or screensavers changing).
- Can we trust the results?
- Can we prove that evidence has not been modified?
- Verification is difficult or impossible (cannot use hashing methods to verify).
- The investigator won’t know exactly what systems / software they will be using, so must have a plan beforehand to make educated choices.
LDF Considerations
- What impact will the investigators actions have on the system?
- Will the action impact the investigator’s ability to capture other volatile data?
- What tools & processes will the investigator use to view / capture / analyse and what are the pros / cons of each and are they validated / tested?
KNOW YOUR TOOL. KNOW THE FOOTPRINT OF YOUR TOOL (Footprint = the amount of data that is changed on the suspect’s device just by running the tool)
What is the order of volatility and why is it relevant?
Volatile data is data that has the ability to change & is often lost on powering down the device. Can also be described as temporary & changeable.
PRIMARY storage is MEMORY. Volatile, non-persistent. Lost when powering down the computer.
SECONDARY storage is the MASS STORAGE DEVICE: data degrades slowly; a persistent storage medium. Examples are HDD and SSD.
The order of volatility orders types of data by how persistent they are, starting with the most volatile (least persistent and most quickly changing). For example (not an exhaustive list):
1. Memory, registers and caches
2. Page file / swap space
3. File metadata on the hard disk
4. File content on hard disk
5. Removable media
6. Backup media
Understanding this helps us prioritise.
List some forms of information on a device that is volatile
- Operating system info: includes lists of running processes, open files, network info, and the volatile parts of the Windows registry.
- Application information: includes passwords (clear text), decrypted data, instant messenger sessions, file content data, email fragments.
- Malware (may only reside in the memory of the device).
How can we be compatible with ACPO principles with LDF?
ACPO Principle 2. Basically means ‘know what you are doing’
In EXCEPTIONAL circumstances where a person finds it NECESSARY to access original data held on a device or storage media, that person must be COMPETENT to do so and be able to give evidence explaining the relevance and implications of their actions.
i.e. you must be able to answer questions about what you did, why, what data was changed, and what implications this may have.
ACPO principle 3. Basically means ‘document everything’.
An audit trail or other record of all processes applied to computer based electronic evidence should be created & preserved. An independent third party should be able to examine those processes and achieve the same results.
This is difficult in LDF because of the changing nature of the system: the same results may not be achieved twice. However, with good record keeping it is possible to demonstrate to a competent person what was done, why, and how in theory it could be replicated.
EVEN actions that do not result in evidence or intelligence MUST BE DOCUMENTED.
What are some basic examples of LDF actions that modify the system’s state?
- Connecting an external USB (creates USB related registry keys, adds an entry in mounted devices)
- Starting a program (may add / update a file in the prefetch folder, may add / update UserAssist data value, changes memory while loading and executing program)
- Opening & closing a folder (updates ShellBag registry keys). So you must document what folders you open and what time.
The changes that occur depend on system configuration, such as firewall configuration (may create new rules for any program running & prevent them running), antivirus software (may automatically scan any USB connected disk, may scan all files on the system and change time stamps), and indexing software (may start automatically indexing any inserted disk and update its database on the evidential disk; always use a completely clean disk).
Files on anything you insert must be read only.
DEFINITIONS:
**A registry key in Microsoft Windows operating systems refers to a specific location within the Windows Registry, which is a hierarchical database that stores low-level settings and configurations for the operating system and installed applications. Used for organisation and configuration.**
Key Concepts of the Registry:
- Registry Hive: The top-level folders, such as HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc., which contain various registry keys.
- Registry Key: A folder-like structure within a hive that can contain subkeys (like subfolders) and values. Each key is a path in the registry where settings are stored. Keys help organise settings for the OS and applications.
- Registry Value: The actual data associated with a key, which can be in various formats such as string, binary, or DWORD (32-bit number). These values define the behaviour or configuration of a specific setting.
**The Prefetch folder in Windows is part of a system optimisation feature known as Prefetching. It is used by the operating system to improve the speed and efficiency of loading applications.**
**UserAssist data refers to information stored by Windows in the Registry that tracks the usage of applications and programs by a user. This data is collected by the UserAssist feature of Windows Explorer and is primarily used to enhance the user experience by providing quicker access to recently or frequently used applications, often reflected in the Start Menu or Taskbar.**
**ShellBag registry keys in Windows are a set of registry entries that store information about a user’s preferences for the layout and settings of folders in Windows Explorer. These keys help the system remember how a user customises folder views, such as icon size, window position, sorting order, and view mode (details, tiles, icons, etc.).**
Remember we don’t know in advance everything that will change as a result of our actions - so summarise what we must do when conducting LDF
- Respect the order of volatility: e.g. data from RAM, then metadata from disk, then user data from disk, then backup data storage.
- Perform the least invasive actions first: photograph the scene and screen before conducting LDF. If we know a certain tool is going to modify the registry, then collect a copy of the registry first before running the tool.
- Collect the most valuable evidence first, so you have the least contamination in that evidence. This might be a balancing act with the risks weighed up.
- Document everything: keep very detailed notes of everything the investigator is doing with the system. EVERYTHING.
Create a strategy in advance by creating flow charts (test in advance) for investigation of various types of cases. At each step ask questions:
- what is the most important piece of info needed?
- based on that answer what do I do?
- am I justified in continuing?
The result will be a series of IF-THEN statements.