Week 2 - RFC 3227 - Guidelines for Digital Evidence Collection & Storage Flashcards
What does RFC 3227 Cover?
Guidelines for Evidence Collection & Archiving. It covers:
- The purpose of it
- Core principles of evidence collection
- Understanding the order of volatility
- Things to avoid
- Archiving procedure, chain of custody, the archive & tools
What is the purpose of RFC 3227?
- To standardise procedures
- To preserve the integrity of evidence
- To ensure legal admissibility
Essentially it provides a framework to ensure digital evidence remains relaible & admissible as legal evidence
What are the core principles of evidence collection?
INTEGRITY of evidence. Must be maintained from moment it is collect through the legal process. Ensuring what you collect today is exactly what is presented in court
AUTHENTICITY of evidence. Must be able to prove what you present as evidence is exactly what it claims to be - originating from the source you identified.
CHAIN OF CUSTODY maintained. A thprough record of exactly every person who has handled the evidence and what actions taken on it.
COMPLETENESS. You must gather all available relevant information & evidence
Adhering to these principles ensures evidence you gather is technically sound AND legally robust.
It ensures that evidence is collected, preserved & presented to the highest of standards.
List the order of volatility from high to low
- CPU registers & cache (difficult to capture directly - often requires virtualised environments like hyper V or VM ware)
- Active memory & network configuration. Includes routing table, ARP cache, process table, kernel statistics & RAM. Need tools like FTK Imager to capture full memory ‘dumps’. Can be analysed with tools like Volatility.
- Temporary file systems. Includes short term data like sessions files and unsaved documents. Tools like FTK imager can capture then analysed using EnCase.
- Disk storage. Persistant data like system logs and user files. Can use tools like dd or FTK Imager to create a full image of these for full forensic analysis.
- Remote logging & monitoring data. Crucial for tracking network activity. Tools like sys log and event management platforms such as splunk helpto collect / analyse these logs.
- Physical Configuration & network topology using tools like nmap & diagrams ensuring all aspects of the set up are recorded accurately
- Archival media. Includes backups on offline devices. To ensure prevervation of historical data that may be crucial to the investigation.
Things to avoid when digital evidence gathering
- Avoid altering the state of evidence
- Avoid inproper shut-down procedures - remember to stick to the order of volatility - shutting down a device too quickly will cause volatile data to be lost.
- Avoid failing to document every action. Incomplete documentation leads to inadmissability challenges.
- Avoid useing unverified tools. User validated forensic tools.
The Archiving Procedure
In digital forensics this procedure ensures that the evidence is preserved in it’s original state.
- Create an exact forensic image (using a verified tool).
- Store correctly on a write protected machine or server.
- Maintain chain of custody. Who has done what & when.
- The archive is the secure storage location where the evidence is preserved. Must be a controlled environment - Where data remains intact & prevents unauthorised access. Ensures evidence is RELIABLE and can be obtained long after it was gathered.
- Digital evidence collection & archiving equires the correct tools.
- Remember collecting the evidence is only the first step. Appropriate archiving (storage) is also required.
