4.5 Forensic Data Acquisition

Question 1

State the order of volatility

Answer 1

CPU registers, CPU cache
Router table, ARP cache, process table, kernel stats, memory
Temporary file systems
Disk
Remote logging and monitoring
Physical configuration, network topology
Archival media

Question 2

What is the best way to gather storage data?

Answer 2

Prepare the drive to be imaged by powering down the system to prevent changes.
Remove the storage drive and then connect it to an imaging device.
Make a forensic clone (bit-for-bit copy)
Preserve all data, even “deleted” data.

Question 3

What is the challenge of capturing RAM data and how do you do it?

Answer 3

RAM data changes constantly, even trying to capture it can change it.
Third party tools (mem dump) can grab everything and copy it to a seperate system or device.

Question 4

What data is never written to a storage drive from RAM?

Answer 4

Browsing history, clipboard information, encryption keys, command history

Question 5

What is the swap/pagefile?

Answer 5

It’s a temporary storage area to swap in/out RAM when your RAM is full. We want to gather this data as well.
Each OS uses this area slightly differently.

Question 6

What type of information from the OS may be modified during a compromise?

Answer 6

The core operating system files. Executable files and libraries. We can compare these files to known good baselines.

Other important areas of note:

• Logged in user
• Open ports
• Running processes
• Attached device list

Question 7

How do you capture data from a mobile device and tablets?

Answer 7

Use an existing backup file or transfer an image of it via USB.

Areas of note:

• Phone calls
• Contact information
• Text messages
• Emails
• Images and movies
• More

Question 8

When Firmware is compromised, how should we investigate?

Answer 8

It depends on the product/model. Often the firmware has been reprogrammed or hacked by the attacker. If we look at how the device functions, we may be able to determine how it was hacked, what functionality the attacker had with the device, and possibly where the data is going to/from the device.

Question 9

How do we handle VM compromises?

Answer 9

We need to investigate snapshots of the VM. Snapshots are basically images of the VM. Snapshots are essentially incremental backups of the original VM and each subsequent snapshot. Restoring requires all incremental snapshots.

Question 10

What is a cache?

Answer 10

A temporary data storage area for later use. Designed to increase speed.

CPU cache, disk cache, internet cache, etc.

Cache is replace after a specific time or when the cache is full. Browser caches are long lived (days or weeks).

Question 11

What are artifacts?

Answer 11

Digital items left behind. (perhaps evidence) You might find them in:

Logs
Flash memory
Prefetch cache files
Recycle bin
Browser bookmarks and logins

Question 12

What are some challenges to cloud forensics?

Answer 12

Devices are not totally in your control
Potentially limited access
May be difficult to associate cloud data to a specific user because there may be many users at the same time.
Legal issues potentially depending on location of data and where you are

Question 13

What is a right-to-audit clause?

Answer 13

Legal agreement to have the option to perform a security audit at any time. Everyone agrees to terms and conditions. Allows you to verify security.

Question 14

What are the most important ideas to understand about data breaches?

Answer 14

If consumer data is breached, the consumer must be informed.

The legalities of this vary across countries and localities. If you are in the cloud, consider yourself a global entity.

Notification requirements also vary from location to location such as what data requires notification, who to notify, and how quickly.