GCGA Ch. 11 Understanding Digital Forensics (ST) Flashcards
(12 cards)
Chain of custody
When collecting documentation and evidence, it’s important to follow specific procedures to ensure that the evidence is admissible in a court of law. A chain of custody provides assurances that personnel controlled and handled evidence properly after collecting it. It may start with a tag attached to the physical item, followed by a chain of custody form that documents everyone who handled it and when they handled it.
Legal hold
A legal hold refers to a legal obligation to maintain different types of data as evidence. Electronic discovery, or eDiscovery, is the identification and collection of electronically stored information. A legal hold requires an organization to protect existing data as evidence.
Event logs
Event logs often help investigators reconstruct the timeline of an event by looking at the timestamps of entries. However, investigators need to consider any time offsets based on the time zone used by the logs.
TTP
Investigators provide a report on their findings. They typically include tactics, techniques, and procedures (TTPs) used by attackers and recommendations based on the results.
Order of volatility
The order of volatility for data on a system, from most volatile to least volatile, is cache memory, regular RAM, a swap or paging file, and hard drive data.
Snapshots
Snapshots can capture data from almost any location, and the snapshot can be used for forensic analysis.
Forensic artifacts
Forensic artifacts are pieces of data that most users are unaware of, but digital forensic experts can extract and analyze them.
Hard drive imaging
Hard drive imaging creates a forensic copy and prevents the forensic capture and analysis from modifying the original evidence. A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture.
Usage of hashes/checksums
Hashes or checksums are used to verify the integrity of captured data. They provide proof the capturing process did not modify data.
SOAR platforms
Security Orchestration, Automation, and Response (SOAR) platforms use internal tools to respond to low-level security events automatically, reducing administrator workload.
SOAR playbook
A SOAR playbook provides a checklist of things to check for suspected incidents.
SOAR runbook
A SOAR runbook implements the playbook checklist using available tools within the organization.