4.5 Flashcards
(33 cards)
Legal hold
Legal hold is the process of protecting any documents that can be used in evidence from being altered or destroyed. Sometimes, this is also known as litigation hold.
Video
Capturing video: CCTV footage can be a good source of evidence for identifying attackers and establishing when an attack was launched. This can be vital in apprehending suspects.
Admissibility
Evidence is deemed admissible only if it is relevant to the disputed facts of the case and was obtained and handled without violating any laws or legal statutes.
Chain of Custody
The chain of custody is one of the most crucial aspects of digital forensics: it documents every person who has collected, handled, transferred, or stored an item of evidence, so that there is no unexplained gap between collection and presentation in court. It starts when the evidence is collected, bagged, sealed, and tagged, and each subsequent handover is recorded with the date, time, and handler, so that it can be shown the evidence has not been tampered with.
Time Stamps
Each file carries timestamps showing when it was created, last modified, and last accessed (the MAC times). They are only as trustworthy as the clock and file system that wrote them, which is why the time offset is recorded alongside them.
Time offset
When we collect evidence from computers, we should record the time offset: the time zone (offset from UTC) the system was configured with, and any difference between its clock and a trusted time source. In a multinational investigation this lets us convert every timestamp to a common reference such as UTC and place events from different systems into a single time sequence. This is known as time normalization.
Tags
Physical serialized tags are attached to each item, and the tag number is used to identify a specific item. Frequently the items are then stored in anti-static bags to protect them from damage.
Reports
Reports are the official descriptions of the forensic data. Reports can have a variety of elements—from pure descriptive information, such as machine/device identifiers (make, model and serial number), to information on the data, including size and hash values. Reports can also have specific elements that are derived from this information, such as a timeline, an analysis of keywords, specific artifacts, and present or missing items. An expert can opine on what these elements mean or can mean with respect to the system.
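The chain of custody and report cards above both rely on one mechanism: hash the acquired item at collection, record that digest with every handover, and re-hash before analysis to prove nothing changed. The following is an added example of that check, not code from the flashcards or any named tool; the evidence tag "EV-0042", the handler names, and the sample disk image are constructed for illustration.

```python
"""Evidence integrity and chain-of-custody record (added example, not from the flashcards)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash disk images in chunks so they never have to fit in memory


def sha256_file(path: str) -> str:
    """Digest of an acquired image; the same value goes into the report and the custody log."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def sha256_bytes(data: bytes) -> str:
    """Same digest for evidence already in memory (for example a captured RAM dump buffer)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled one tagged item, and the hash it had at each step."""

    def __init__(self, tag: str, description: str):
        self.tag = tag                  # serialised physical tag number (hypothetical format)
        self.description = description
        self.events = []

    def record(self, action: str, handler: str, digest: str, note: str = "") -> dict:
        """Log a handover or action with a UTC timestamp; handler is whoever now holds the item."""
        event = {
            "tag": self.tag,
            "action": action,           # acquired / transferred / analysed / stored
            "handler": handler,
            "sha256": digest,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "note": note,
        }
        self.events.append(event)
        return event

    def verify(self, path: str) -> bool:
        """Re-hash the item and compare with the digest recorded when it was acquired."""
        if not self.events:
            return False
        return sha256_file(path) == self.events[0]["sha256"]

    def to_json(self) -> str:
        return json.dumps({"tag": self.tag, "description": self.description,
                           "events": self.events}, indent=2)


def demo() -> dict:
    """Acquire a constructed image, log two custody steps, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop01.dd")          # constructed sample image
        with open(image, "wb") as fh:
            fh.write(b"constructed sample disk image contents\n" * 1000)

        log = CustodyLog("EV-0042", "laptop01 internal disk, dd image")   # hypothetical tag
        acquisition_hash = sha256_file(image)
        log.record("acquired", "analyst A", acquisition_hash, "imaged through a write blocker")
        log.record("transferred", "evidence custodian", sha256_file(image), "sealed, locker 3")
        intact_before = log.verify(image)

        # Simulate tampering: overwrite one byte of the image and re-verify.
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        intact_after = log.verify(image)

        return {
            "acquisition_sha256": acquisition_hash,
            "intact_before_tampering": intact_before,
            "intact_after_tampering": intact_after,
            "events_recorded": len(log.events),
            "log_json": log.to_json(),
        }


if __name__ == "__main__":
    result = demo()
    print(result["log_json"])
    print("intact before:", result["intact_before_tampering"],
          "after:", result["intact_after_tampering"])
```

The digest recorded at the "acquired" step is the reference value; every later entry repeats the hash so a break in the chain shows up as a mismatch, not just a missing signature. In practice the log would be written to WORM media or a signed ticketing system rather than kept in memory.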
Event logs
Event logs are text files that record events and the times at which they occurred, so trends and patterns over a period of time can be seen. Servers, desktops, and firewalls all keep event logs detailing the actions that happen on them. Once you know the time and date of an event, you can gather information from the various log files. Logs can be stored on Write-Once Read-Many (WORM) media so that they can be read but not altered.
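The time offset and event log cards describe the same procedure: record each host's configured UTC offset and clock skew at acquisition, convert every log timestamp to UTC, and sort, which is also what a SIEM does before it correlates entries from a firewall, a server, and a workstation. The following is an added example of that time normalization, not code from the flashcards or any SIEM product. The host names, the offset and skew table, and the four log lines are constructed; the year passed in for syslog lines (which carry none) is an assumed acquisition record.

```python
"""Time normalisation: merge logs from hosts in different time zones into one UTC timeline
(added example, not from the flashcards)."""
import re
from datetime import datetime, timedelta, timezone

# Recorded at acquisition for each host (constructed values): the UTC offset in hours that the
# host was configured with, and how many seconds its clock ran ahead of a trusted time source.
HOST_UTC_OFFSET_HOURS = {"fw01": 2, "web01": 0, "server01": -5}
HOST_CLOCK_AHEAD_SECONDS = {"fw01": 0, "web01": 0, "server01": 90}

# Three common shapes of log line: ISO 8601 with an explicit offset, a Windows-style local
# timestamp with no offset, and classic syslog with neither a year nor an offset.
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\s+(\S+)\s+(.*)$")
WIN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")

# Constructed sample lines, deliberately out of order, as they might be pasted from four sources.
SAMPLE_LINES = [
    "2024-03-05 02:16:40 server01 4624 Logon type 3 for svc_backup from 192.0.2.10",
    "2024-03-05T09:14:03+02:00 fw01 ALLOW tcp 203.0.113.7:51514 -> 192.0.2.10:22",
    "Mar  5 07:14:05 web01 sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51514 ssh2",
    "2024-03-05T09:13:50+02:00 fw01 DENY tcp 203.0.113.7:51500 -> 192.0.2.10:23",
]


def _host_tz(host: str) -> timezone:
    """Time zone a host's local timestamps were written in, from the acquisition record."""
    return timezone(timedelta(hours=HOST_UTC_OFFSET_HOURS[host]))


def parse_line(line: str, year: int) -> dict:
    """Return the event with its timestamp converted to UTC and corrected for clock skew."""
    m = ISO_RE.match(line)
    if m:
        stamp, host, message = m.groups()
        local = datetime.fromisoformat(stamp.replace("Z", "+00:00"))  # offset is in the line
    else:
        m = WIN_RE.match(line)
        if m:
            stamp, host, message = m.groups()
            local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=_host_tz(host))
        else:
            m = SYSLOG_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised log line: {line!r}")
            mon, day, clock, host, message = m.groups()
            # syslog omits the year; it comes from the acquisition record
            local = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            local = local.replace(tzinfo=_host_tz(host))
    # Normalise to UTC, then subtract the measured skew so a fast clock does not shift the event late.
    utc = local.astimezone(timezone.utc) - timedelta(seconds=HOST_CLOCK_AHEAD_SECONDS.get(host, 0))
    return {"utc": utc, "host": host, "message": message, "raw": line}


def build_timeline(lines, year: int) -> list:
    """Normalise every line to UTC and sort: the step a SIEM performs before correlating sources."""
    return sorted((parse_line(line, year) for line in lines), key=lambda e: e["utc"])


def format_timeline(events) -> list:
    return [f"{e['utc'].isoformat()} {e['host']:<9} {e['message']}" for e in events]


if __name__ == "__main__":
    for row in format_timeline(build_timeline(SAMPLE_LINES, 2024)):
        print(row)
```

Read in their raw form the four lines suggest the server logon happened hours before the firewall saw anything; once each stamp is placed in UTC and server01's 90-second-fast clock is corrected, the sequence becomes firewall deny, firewall allow, SSH login on web01, then the logon on server01 about a minute later, which is the order an analyst actually needs.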
Interviews
The police may also take witness statements to build a picture of who was involved, and may then use photofit composite images so that suspects can be apprehended.
Acquisition
This is the process of collecting all of the evidence from devices such as USB flash drives, cameras, and computers, as well as data in paper format such as letters and bank statements. The first step in data acquisition is to collect the volatile evidence, because it is lost when the system is powered off. Everything collected must be bagged and tagged and entered in the evidence log.
Order of Volatility
a. CPU registers and cache: fast blocks of volatile memory used by the CPU
b. Random Access Memory (RAM): volatile memory used to run applications
c. Swap/page file/virtual memory: used for running applications when RAM is exhausted
d. Hard drive: data at rest for storing data
Order of volatility means collecting the most perishable evidence first. The fuller order given in RFC 3227 is registers and cache, then RAM, routing tables, ARP cache, process lists and other kernel state, then temporary files and swap, then disk, then remote logs and monitoring data, and finally archival media. In a web-based attack, we should capture the live network traffic with a packet sniffer before stopping the attack, because it is gone the moment the connection ends.
Disk
A physical hard disk drive (HDD) will generally retain deleted data longer than a solid-state drive (SSD), because SSD firmware (TRIM and garbage collection) may erase unallocated blocks on its own. Newer file systems with journaling and shadow copies can retain information longer than older systems such as File Allocation Table (FAT) file systems. Raw disk blocks can be recovered in some file systems long after data has been rewritten or erased, because of how those file systems manage the data.
Random-access memory(RAM)
Random-access memory (RAM) is the working memory of the computer that holds the data and programs currently being processed by the CPU. Once limited to a single megabyte, it now commonly consists of 4 GB or more. It holds the current state of the system as it is processing and is continuously changing. There are cases of malware that exist only in RAM, and without memory analysis and forensics you would never see them. This information is lost forever when the system is powered down.
Swap/pagefile
The swap or pagefile is a structure on a system's disk that provides temporary storage for memory needs exceeding the system's RAM capacity, so applications can keep running when RAM is exhausted. The operating system manages RAM and the pagefile, keeping in RAM what is immediately needed and moving the excess to the pagefile when RAM is full. This costs performance, and with the reasonable cost of RAM most systems avoid it by having sufficient memory. Forensically, the pagefile matters because fragments of process memory written to it can survive a reboot, unlike RAM itself.
OS
The OS is the source of many forensic artifacts, most of which are created to enhance system responsiveness to user requests. The two major OSs, Microsoft Windows and Linux, perform basically the same tasks: they enable applications to perform on a system. How they function, what artifacts are generated, all the technical details relevant to a forensics investigation, are different and thus require separate and specialized treatment with respect to the OS.
Device
One of the most common device acquisitions is of USB storage devices. These are used to transport files between machines and feature in any case where the removal of information is suspected. A number of artifacts on the host can be tied to USB device usage, including when the device was connected (on Windows, registry keys such as USBSTOR and the setupapi device log), link (LNK) files and prefetch entries that reference files opened from the drive, and who was logged in to the machine at the time of use.
Firmware
Firmware can be of interest in a forensics investigation when a device is malfunctioning or when malware is suspected of having targeted the firmware itself. Because firmware is not readily accessible to ordinary users, analyzing it takes a very specialized set of tools and equipment.
Snapshot
Snapshots are common in virtual machines, providing a point in time to which the machine can be recovered. Operating systems also have adopted this technology for some of their information, using point-in-time recovery to assist in fixing problems from updates or changes to the system. This capturing of points in time can be useful to a forensic investigator because it allows a means of looking at specific content at an earlier point in time.
Cache
Caches are temporary storage locations for commonly used items and are designed to speed up processing. Caches exist all over computer systems as performance-enhancing items: for files, for memory, for artifacts; they exist for fast retrieval of items that the OS expects to need again. As such, they are inherently tied to a specific activity that has been done and is likely to be done again, and can serve as evidence of specific activities.
Network
When investigating a web-based or remote attack, we should first capture the volatile network traffic before stopping the attack. This will help us identify the source of the attack. In addition to this, we should look at the log files from the firewall, NIPS, NIDS, and any server involved. If we use a Security Information and Event Management (SIEM) system, it can collate these entries into one time-ordered view and give a good picture of the attack.
Artifacts
Artifacts are the traces left behind by an activity. Digital artifacts include log files, registry hives, and cached data; physical artifacts include DNA, fingerprints, or fibers of clothing that are normally invisible to the naked eye.
On-premises vs. cloud
Right-to-audit clauses
By inserting right-to-audit clauses into supply chain contracts, an auditor can visit the contractor's premises without notice and inspect its books and records to ensure that the contractor is complying with its obligations under the contract. This would help identify the following:
Faulty or inferior quality of goods
Short shipments
Goods not delivered
Kickbacks
Gifts and gratuities to company employees
Commissions to brokers and others
Services allegedly performed that weren’t needed in the first place, such as equipment repairs
Regulatory/Jurisdiction
Whether on premises or in the cloud, there will be cases where regulatory or law enforcement actions raise jurisdictional issues. If you have your software development data in the cloud, and the servers/storage elements are in a foreign country, whose laws will apply? It is important to consult with the company’s legal counsel to understand the ramifications of data location with respect to forensics and subsequent data use.