4.5 Explain the Key aspect Of Digital Forensics

Question 1

Documentation and Evidence

Answer 1

When collecting documentation and evidence, it’s essential to follow specific procedures to ensure that the evidence is admissible in a court of law. If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.

Question 2

Legal hold

Answer 2

A legal hold refers to a court order to maintain different types of data as evidence. As an example, imagine that ZiffCorp is being sued for fraud and the Securities and Exchange Commission is investigating ZiffCorp. A court orders them to maintain digital and paper documents for the past three years related to the case. ZiffCorp now needs to take steps to preserve the data.

Question 3

Video

Answer 3

Video surveillance methods such as closed-circuit television (CCTV) systems are often used as a detective control during an investigation. If a person is recorded on video, the video provides reliable proof of the person’s location and activity. For example, if a person is stealing equipment or data, the video might provide evidence of the theft.

Question 4

Admissibility

Answer 4

If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.

Question 5

Chain of study

Answer 5

A chain of custody is a process that provides assurances that evidence has been controlled and appropriately handled after collection. Forensic experts establish a chain of custody when they first collect evidence.

Question 6

timeline of sequence of events

Answer 6

Digital forensic analysis typically tries to determine the timeline of an event. If the incident results in a data breach or ransomware spread throughout a network, they try to determine how the attacker got in. Today, the first failure is often a user responding inappropriately to a phishing email. By identifying the first failure in the incident, it becomes easier to make recommendations to prevent such a failure in the future.

Question 7

Time stamps

Answer 7

Log entries include timestamps, so anyone reading the logs can determine when the event occurred.

Question 8

Time offsets

Answer 8

However, it’s essential to consider time offsets based on how the timestamps are recorded.

Imagine you live in Virginia Beach and you see a server log entry of 12:01. You might assume that this indicates 12:01 Eastern Standard Time (EST), but if it’s in the winter months, it may be Eastern Daylight Time (EDT). However, the server may be in the cloud and physically located in Las Vegas, which follows Pacific Standard Time (PST) and Pacific Daylight Time (PDT) in the winter months. If you compare this log entry with a log entry on a server located in Pensacola, you need to consider Central Standard Time (CST) and Central Daylight Time (CDT). To simplify this, many servers use Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC). Neither GMT or UTC observe daylight savings time, and they are both based on the time at the Royal Observatory in Greenwich, London.

Question 9

Tags

Answer 9

After an item is identified as possible evidence, it needs to be tagged. This can be a formal document, but it’s more common to be something simple, such as a sticker. The tag is placed on the item with the date, time, and name of the person placing the tag. It’s also common to include a control number that can be included in a chain of custody.

Question 10

Reports

Answer 10

After analyzing all the relevant evidence, digital forensic experts create a report documenting their findings. These often document the tactics, techniques, and procedures (TTP) used in an attack.

Question 11

Event Logs

Answer 11

A forensic investigation often includes an analysis of available logs. This information helps the investigators re-create events leading up to and during an incident. This can be as simple as looking at Event logs on computers, or Device Logs on routers and firewalls.

Question 12

Interviews

Answer 12

Another element of an investigation is interviewing witnesses. Witnesses provide firsthand reports of what happened and when it happened. However, witnesses won’t necessarily come forward with relevant information unless someone asks them. Often witnesses don’t recognize what information is valuable.

Question 13

Acquisition

Answer 13

When performing data acquisition for digital forensics, it’s important to follow specific procedures to ensure that the data is not modified. In many cases, this ensures that the evidence is preserved in case it is needed in a legal proceeding.

Question 14

Order of Volatility

Answer 14

Order of volatility refers to the order in which you should collect evidence. Volatile doesn’t mean it’s explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.

Question 15

Disk

Answer 15

Data files are stored on local disk drives, and they remain there even after rebooting a system.

Question 16

RAM.

Answer 16

Data in RAM is used by the operating system (OS) and applications.

Question 17

Swap or pagefile.

Answer 17

A swap file (sometimes called a pagefile) is on the system disk drive. It is an extension of RAM and is stored on the hard drive. However, the pagefile isn’t a typical file, and the system rebuilds the pagefile when rebooting. This makes the pagefile more volatile than other files stored on hard drives.

Question 18

OS

Answer 18

OS forensics refers to the process of collecting data from the OS. This includes things like the cache, RAM, swap file, and artifacts. It can also include much more depending on the operating system. As an example, the Windows Registry includes a wealth of information on installed applications and holds user data to enhance the user experience.

Question 19

Device

Answer 19

Mobile device metadata is often a treasure trove of evidence for investigators. It includes users’ location (tracked through apps), who they called, who called them, who they messaged, and who messaged them, website history, and more.

Question 20

Firmware

Answer 20

Firmware forensic methods are useful when a forensic specialist suspects malware has infected firmware. It starts by extracting the firmware code. It then attempts to reverse engineer the code to discover what it is doing. In some cases, the firmware has a backdoor embedded in it that attackers can exploit. In other cases, the firmware has malicious code embedded within it.

Question 21

snapshots

Answer 21

Security experts sometimes use snapshots to capture data for forensic analysis. Various tools are available to capture snapshots of memory (including cache memory), disk contents, cloud-based storage, and more.

Question 22

Cache.

Answer 22

This is data in the cache memory, including the processor cache and hard drive cache. Data in the cache is removed as new data is used.

Question 23

Network

Answer 23

Networks typically have servers and shared folders accessible by users and used to store log files. These remote systems often have more robust backup policies in place, making them the least volatile.

Question 24

Artefacts

Answer 24

Forensic artifacts are pieces of data on a device that regular users are unaware of, but digital forensic experts can identify and extract. In general, logs and data files show direct content, but the artifacts are not so easy to see.

Question 25

On premises vs cloud

Answer 25

Digital forensics can be challenging enough when all the evidence is on-premises. When an organization uses cloud resources, it can add additional risks. Anytime an organization contracts with a cloud provider, the cloud provider becomes a third-party source providing the service. This includes when the cloud provider holds data or provides any type of service.

Question 26

Right to Audit Clauses

Answer 26

Cloud providers are expected to take precautions to protect any data they maintain in the cloud and ensure all the services they provide are secure. This isn’t always apparent, so more and more customers are demanding a right to audit clause be included in a contract. This allows a customer to hire an auditor and review the cloud provider’s records.

Question 27

Regulatory Jurisdiction

Answer 27

If all data and resources for ZiffCorp are contained and processed within a single building in Virginia Beach, Virginia, the regulatory jurisdiction is clear. The company must comply with relevant U.S. laws, Virginia laws, and Virginia Beach laws. However, if ZiffCorp contracts with a cloud provider to store data, things change. Imagine that the cloud provider’s headquarters are in San Jose, California, but it runs data centers across the United States and in Canada to hold the data. At this point, ZiffCorp is now responsible for complying with the laws in any location used by the cloud provider.

Question 28

Data Breach Notification Laws

Answer 28

Data breach notification laws require organizations to notify customers about a data breach and take steps to mitigate the loss. When the data is stored in the cloud, this could require notification based on several different laws.

Question 29

Integrity

Answer 29

Hashes and checksums are important elements of forensic analysis to provide proof that collected data has retained integrity.

Question 30

Hashing/checksum

Answer 30

hashing and checksums allow you to prove the analyzed copy of data is the same as the original data. This is required if the evidence needs to be admissible in a court of law.

Question 31

Provenance

Answer 31

Provenance refers to tracing something back to its origin. In the context of digital forensics

Question 32

Preservation

Answer 32

this ensures that the evidence is preserved in case it is needed in a legal proceeding.

Question 33

E-discovery

Answer 33

Electronic discovery, or eDiscovery, is the identification and collection of electronically stored information. This includes files of any kind, voice mail, social media entries, and website data.

Question 34

Data recovery

Answer 34

Generically, data recovery refers to restoring lost data, such as restoring a corrupt file from a backup. In the context of forensics, data recovery goes further. Even without backups, it’s often possible to recover data that a user has intentionally or accidentally deleted.

Question 35

Non-repudiation

Answer 35

Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action, such as creating information, sending a message, approving information, or receiving a message.

Question 36

Strategic Intelligence and Counterintelligence

Answer 36

Intelligence is the ability to learn by acquiring new knowledge and skills. Digital forensic intelligence refers to knowledge and information which has value to investigative personnel and has been gathered using digital forensic methods and techniques.

Generically, strategic intelligence refers to collecting, processing, and analyzing information to create long-term plans and goals. Digital forensics strategic intelligence is collecting, processing, and analyzing digital forensic data to create long-term cybersecurity goals.

Counterintelligence activities assume that attackers are also using strategic intelligence methods. It refers to any activities designed to prevent or thwart spying, intelligence gathering, or attacks.