Ch-15 Flashcards

(6 cards)

1
Q

Electronic Discovery Reference Model (EDRM)

A
  1. Information governance before the fact to assess what data exists and to allow scoping and control of what data needs to be provided
  2. Identification of electronically stored information so that you know what you have and where it is
  3. Preservation of the information to ensure that it isn’t changed or destroyed
  4. Collection of the information so that it can be processed and managed as part of the collection process
  5. Processing of the data to remove unneeded or irrelevant information, as well as preparing it for review and analysis by formatting or collating it
  6. Review of the data to ensure that it only contains what it is supposed to, and that information that should not be shared is not included
  7. Analysis of the information to identify key elements like topics, terms, and individuals or organizations
  8. Production of the data to provide the information to third parties or those involved in legal proceedings
  9. Presentation of the data, both for testimony in court and for further analysis with experts or involved parties
2
Q

order of volatility

A
Most
1. CPU cache and registers
2. Routing table, ARP cache, process table, kernel stats
3. System memory (RAM)
4. Temp files and swap space
5. Data on hard disk
6. Remote logs
7. Backups
Least

Recovering intact temporary files and data from swap space will depend on how the system was shut down and if it was rebooted successfully afterward.

3
Q

Cloud Forensics

A

Right-to-audit clauses - which are part of the contract between the cloud service and an organization. A right-to-audit clause provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency.

Regulatory and jurisdiction - Regulatory requirements may vary depending on where the cloud service provider operates and where it is headquartered.

Data breach notification laws - like other regulatory elements, also vary from country to country, and in the United States notably from state to state. Contracts often cover the maximum time that can elapse before customers are notified.

4
Q

Acquisition Tools

A

dd (linux) - is a command-line utility that allows you to create images for forensic or other purposes.
$ dd if=/dev/sda bs=4k conv=noerror,sync | tee example.img | md5sum > example.md5

FTK Imager - is a free tool for creating forensic images. It supports raw (dd)-style format as well as SMART, E01, and AFF.

Memdump - is a command-line tool that can capture Linux memory using a simple command based on the process ID.

WinHex - a disk editing tool that can also acquire disk images in raw format, as well as its own dedicated WinHex format. WinHex is useful for directly reading and modifying data from a drive, memory, RAID arrays, and other filesystems.

Autopsy - is an open source forensic suite with broad capabilities. Forensic activities with a tool like Autopsy will typically start by creating a new case with information about the investigators, the case, and other details that are important to tracking investigations, and then importing files into the case.

Other Suites - FTK, the Forensic Toolkit from AccessData, and EnCase from Guidance Software

5
Q

Create Hash

A

md5sum /dev/sdb > drive1.hash
or
md5sum image_file.img > drive1.hash

6
Q

Typical Forensics Report

A
  1. A summary of the forensic investigation and findings.
  2. An outline of the forensic process, including tools used and any assumptions that were made about the tools or process.
  3. A series of sections detailing the findings for each device or drive. Accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail.
  4. Recommendations or conclusions in more detail than the summary included.

Forensic practitioners may also provide a report with full detail of the analysis as part of their documentation package.
