Chapter 5.5 Flashcards
order of volatility
The order of volatility serves as a guideline for ranking types of storage by how volatile each is relative to the others. Volatile storage (for example, system or cache RAM) is storage that is usually temporary and is easily erased or lost. Powering down a system will remove any potential evidence that is contained in volatile storage.
rank of volatility
- CPU registers, CPU cache
- Routing table, ARP cache, process table, kernel stats, memory
- temporary file systems
- Disk
- Remote logging & monitoring data
- Physical configurations, network topology
- Archival media
chain of custody
Chain of custody is a record of where, when, and by whom evidence was collected, who subsequently handled it, and where it was stored. The chain of custody is established before imaging begins.
timeline
Preservation of evidence is focused on ensuring evidence remains credible. Keeping a valid timeline of events (such as a chain of custody) is a preservation of evidence practice.
cryptographic hash
A cryptographic hash is a method used to verify that an image of a system is valid. Hashes created on both the source and the destination are compared; identical hashes mean the data is identical.
eDiscovery
eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.
Snapshots
Snapshots are a means of getting around the problem of open files encountered during a backup by using a point-in-time approach. Volume Shadow Copy Service (VSS) is an example of snapshot technology.
continuous monitoring
Continuous monitoring is a method of checking a system's health. This type of monitoring is usually performed using an agent on the system, with details reported to a central system. It may be used as a form of control, but it is not obtrusive to system usability.
image acquisition
System images are copies of entire computer systems or data. Such images are helpful during investigations as a backup copy. Image acquisition is a data backup/cloning technique and is used in forensics.
network logs
Network logs may be used as a security control to record traffic and other statistics and data. Logging can overwhelm a system if too much activity is being logged; this is true for both performance and disk use.
timestamps
Different file systems use different methods to identify the time when something occurred. NTFS uses UTC “internally,” but many file systems record timestamps as the local system time. In forensics, it is vital to note the offset between the local system time and UTC.