Lesson 18 Flashcards
Key Aspects of Digital Forensics
DEFINITION: Collecting evidence from computer systems to a standard that will be accepted in a court of law
Evidence, documentation, and admissibility
•Latent evidence
•Collection must be documented
•Due process
Legal hold
Chain of custody
•Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation
Evidence, documentation, and admissibility
•Latent evidence - Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. This means that great care must be taken to ensure the admissibility of digital evidence.
•Collection must be documented - admissibility requires documentation showing how the evidence was collected and analyzed without tampering or bias.
•Due process - people can only be convicted of crimes following the fair application of the laws of the land. More generally, due process can be understood to mean having a set of procedural safeguards to ensure fairness.
Legal hold
Legal hold refers to the fact that information that may be relevant to a court case
must be preserved. Information subject to legal hold might be defined by regulators
or industry best practice, or there may be a litigation notice from law enforcement or
lawyers pursuing a civil action. This means that computer systems may be taken as
evidence, with all the obvious disruption to a network that entails.
Chain of Custody
•Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation
•Every handover is recorded: who took possession, when, where the evidence was stored, and what was done to it, so that the court can be shown it was not tampered with. Taking a cryptographic hash at acquisition and re-checking it at each later stage is the usual way to demonstrate integrity.
Digital Forensics Reports
- Summarizes contents of the digital data
- Conclusions from the investigator’s analysis
- Professional ethics
- Analysis must be performed without bias
- Analysis methods must be repeatable
- Evidence must not be changed or manipulated
E-discovery
•Electronically Stored Information (ESI)
Some software does the following for e-discovery
•Identify and de-duplicate files and metadata
•Search
•Tags
•Security
•Disclosure
E-discovery is a means of filtering the relevant evidence from the ESI produced by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.
Video and Witness Interviews
Video
•Record all actions
•Log/video steps taken
Witness interviews
•Informal statements
•Avoid leading questions
•Formal questioning
Timelines
A significant part of a forensic investigation will involve tying events to specific times
to establish a consistent and verifiable narrative. The visual representation of events
happening in chronological order is called a timeline.
- Sequence of events
- Time stamps
- OS/file system methods for recording time
- Correct synchronization of local time source
- Time offset
- Coordinated Universal Time (UTC)
- Local time
- Date/time settings tampering
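Timeline normalization as an added worked example (Python; this is not code from the lesson). It takes constructed log records from three sources, applies each source's recorded UTC offset and measured clock skew, sorts them into one UTC timeline, and flags a log whose timestamps run backwards, which is what a changed system clock (or an edited log) looks like. The sources, offsets, skews, and events are all assumed values for illustration.

```python
"""Normalizing timestamps from several sources into one UTC timeline.

Added example (not part of the lesson): the log records, the sources, their
UTC offsets and the measured clock skews are all constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Clock facts established for each source during collection (constructed):
#   fmt        - how the source writes its timestamps
#   utc_offset - the local zone the source logs in (ws01 is an assumed UTC-5 host)
#   skew       - measured offset of the source clock from a trusted reference;
#                positive means the source clock runs fast
SOURCES = {
    "fw":   {"fmt": "iso",               "utc_offset": timedelta(0),        "skew": timedelta(0)},
    "ws01": {"fmt": "%Y-%m-%d %H:%M:%S", "utc_offset": timedelta(hours=-5), "skew": timedelta(minutes=3)},
    "cam":  {"fmt": "epoch",             "utc_offset": timedelta(0),        "skew": timedelta(0)},
}

# Constructed records, in the order they appear in each source's log file.
RECORDS = [
    ("fw",   "2024-02-20T14:12:00+00:00", "allow tcp 10.0.0.5 -> 203.0.113.7:443"),
    ("ws01", "2024-02-20 09:15:02",       "4624 logon user=alice"),
    ("ws01", "2024-02-20 09:16:40",       "4688 process created powershell.exe"),
    ("ws01", "2024-02-20 08:00:00",       "4616 system time changed"),
    ("cam",  "1708437600",                "motion detected, lobby"),
]


def to_utc(source, raw):
    """Parse a raw timestamp, attach the source's zone, convert to UTC, remove skew."""
    cfg = SOURCES[source]
    if cfg["fmt"] == "iso":
        ts = datetime.fromisoformat(raw)
        if ts.tzinfo is None:                      # ISO without a zone: assume the source's zone
            ts = ts.replace(tzinfo=timezone(cfg["utc_offset"]))
    elif cfg["fmt"] == "epoch":
        ts = datetime.fromtimestamp(int(raw), tz=UTC)
    else:
        ts = datetime.strptime(raw, cfg["fmt"]).replace(tzinfo=timezone(cfg["utc_offset"]))
    return ts.astimezone(UTC) - cfg["skew"]


def build_timeline(records=RECORDS):
    """Return (utc_time, source, message) tuples in chronological order."""
    return sorted(((to_utc(src, raw), src, msg) for src, raw, msg in records), key=lambda e: e[0])


def clock_anomalies(records=RECORDS):
    """Flag a record that is earlier than the previous record from the same source
    in file order. A log that runs backwards means the clock was changed (or the
    log edited) and must be explained before the timeline can be trusted."""
    last, flagged = {}, []
    for src, raw, msg in records:
        ts = to_utc(src, raw)
        if src in last and ts < last[src]:
            flagged.append((src, msg))
        last[src] = ts
    return flagged


def format_timeline(events):
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {src:<5} {msg}" for ts, src, msg in events]


if __name__ == "__main__":
    for line in format_timeline(build_timeline()):
        print(line)
    print("clock anomalies:", clock_anomalies())
```

Skew is subtracted after conversion to UTC, so the same correction applies regardless of the zone a source logs in; the offsets and skews belong in the case notes alongside how they were measured.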
Event Logs and Network Traffic
•Collect data from network logging servers
•Packet captures
•Retrospective Network Analysis (RNA) - an RNA solution provides the means to record network events at either a packet header or payload level, so that traffic from before an incident was detected can be replayed and examined.
•Record collection methods to establish provenance
Strategic Intelligence and Counterintelligence
In some cases, an organization may conduct a forensics investigation without the
expectation of legal action. As well as being used in a legal process, forensics has a
role to play in cybersecurity. It enables the detection of past intrusions or ongoing but
unknown intrusions by close examination of available digital evidence.
- Re-examine logs for signs of intrusion
- Counterintelligence
- Analyze adversary tactics, techniques, and procedures (TTP)
- Develop better control configurations
- Strategic intelligence
- Inform risk management and security control provisioning to build mature cybersecurity capabilities
Data Acquisition
Data acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence. If the computer system or device is not owned by the organization, there is the question of whether search or seizure is legally valid. This impacts bring-your-own-device (BYOD) policies.
Computer on/off state
Data acquisition is also complicated by the fact that it is more difficult to capture
evidence from a digital crime scene than it is from a physical one. Some evidence will
be lost if the computer system is powered off; on the other hand, some evidence may
be unobtainable until the system is powered off. Additionally, evidence may be lost
depending on whether the system is shut down or “frozen” by suddenly disconnecting
the power.
Order of volatility (CRSH)
CRSH mnemonic: CPU registers and cache memory, RAM (memory), Swap file, Hard drive
Data acquisition usually proceeds by using a tool to make an image from the data
held on the target device. An image can be acquired from either volatile or nonvolatile
storage. The general principle is to capture evidence in the order of volatility, from
more volatile to less volatile.
1.CPU registers and cache memory
2.Non-persistent system memory (RAM)
3.Data on persistent storage
•Partition data and file system artefacts
•Cached system memory data (pagefiles and hibernation files)
•Temporary file caches
•User, application, and OS files and directories
4.Remote logging and monitoring data
5.Physical configuration and network topology
6.Archival media
Digital Forensics Software
- EnCase Forensic and The Forensic Toolkit (FTK)
- Commercial case management and evidence acquisition and analysis
- The Sleuth Kit/Autopsy
- Open-source case management and evidence acquisition and analysis
- WinHex
- Forensic recovery and analysis of binary data
- The Volatility Framework
- System memory analysis
System Memory acquisition
System memory is volatile data held in Random Access Memory (RAM) modules. Volatile means that the data is lost when power is removed. A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device, because the decryption key or the plaintext may be resident in memory while the system is running.
Methods of collecting the contents of system memory:
- Live acquisition
- Pre-install kernel driver
- Crash dump
- Recover from fixed disk
- Hibernation and page file
- Recover from fixed disk
Live acquisition
- Live acquisition
- Pre-install kernel driver
A specialist hardware or software tool can capture the contents of memory while the host is running. Unfortunately, this type of tool needs to be preinstalled as it requires a kernel mode driver to dump any data of interest. Running any tool on the live host also changes its state (the tool's own process and driver occupy memory), so record the tool, its version, and its hash in the case notes.
Crash dump
- Crash dump
- Recover from fixed disk
When Windows encounters an unrecoverable kernel error (a stop error, or blue screen), it can write the contents of memory to a dump file at C:\Windows\MEMORY.DMP. On modern systems, there is unlikely to be a complete dump of all the contents of memory, as these could take up a lot of disk space. However, even minidump files, stored in C:\Windows\Minidump, may be a valuable source of information.
Hibernation File and Pagefile
- Hibernation and page file
- Recover from fixed disk
A hibernation file (hiberfil.sys) is created in the root folder of the boot volume when a Windows host is put into hibernation (or hybrid sleep). If it can be recovered, the data can be decompressed and loaded into a software tool for analysis. The drawback is that network connections will have been closed, and malware may have detected the use of a sleep state and performed anti-forensics. The page file (pagefile.sys, in the same location) holds memory pages that were swapped out to disk and can likewise be recovered from a disk image; it contains fragments of process memory rather than a consistent snapshot.
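An added example (Python, not from the lesson) of the first thing done with a raw memory image, pagefile, or decompressed hibernation file: carving printable strings, including the UTF-16LE strings Windows uses, and pulling out indicators such as IP addresses and plaintext credentials. The memory image is constructed in build_sample_dump() with planted values; a tool such as the Volatility Framework recovers structured objects (processes, connections, keys), but string carving is what still works on fragments with no intact structures.

```python
"""Carving strings and indicators from a raw memory image.

Added example (not from the lesson): a minimal version of what `strings` and a
memory-analysis tool do first. The "memory image" is constructed in
build_sample_dump(); the URL, IP addresses and credential are planted values.
"""
import re

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows keeps many strings as UTF-16LE: each printable ASCII char is followed by 0x00,
# so a byte-wise ASCII search misses them unless the pattern allows for the NUL bytes.
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_strings(blob):
    """Return (offset, encoding, text) for every printable run of MIN_LEN+ characters."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in UTF16LE_RE.finditer(blob)]
    return sorted(found)


def find_indicators(strings):
    """Pull out IPv4 addresses and anything that looks like a plaintext credential."""
    ips, creds = set(), []
    for offset, _enc, text in strings:
        ips.update(IPV4_RE.findall(text))
        if "password=" in text.lower():
            creds.append((offset, text))
    return sorted(ips), creds


def build_sample_dump():
    """Constructed image: non-printable filler with a few planted artifacts."""
    filler = b"\x00\x01\x02\x03\x7f\x80\xff" * 20
    return (
        filler
        + b"https://203.0.113.7/c2/beacon"                       # ASCII, as found in a process heap
        + filler
        + "net use \\\\10.0.0.5\\c$ /user:alice Password=Winter2024!".encode("utf-16le")
        + filler
        + b"abcde"                                             # below MIN_LEN, ignored
        + filler
    )


if __name__ == "__main__":
    strings = carve_strings(build_sample_dump())
    for offset, enc, text in strings:
        print(f"0x{offset:08x} {enc:8} {text}")
    print(find_indicators(strings))
```

Offsets are kept with every hit so a finding can be cited back to a location in the image, which is what makes a carved string usable as evidence rather than just a lead.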
Disk Image Acquisition
- Non-volatile storage media and devices
- Acquisition types
- Live acquisition
- Static acquisition by shutting down the host
- Static acquisition by pulling the plug
- Imaging utilities
- Forensic software suites and file formats
- dd
Disk Image Acquisition types
- Acquisition types
- Live acquisition
- Static acquisition by shutting down the host
- Static acquisition by pulling the plug
• Live acquisition—this means copying the data while the host is still running. This
may capture more evidence or more data for analysis and reduce the impact on
overall services, but the data on the actual disks will have changed, so this method
may not produce legally acceptable evidence. It may also alert the adversary and
allow time for them to perform anti-forensics.
• Static acquisition by shutting down the host—this runs the risk that the malware will
detect the shutdown process and perform anti-forensics to try to remove traces of
itself.
• Static acquisition by pulling the plug—this means disconnecting the power at the
wall socket (not the hardware power-off button). This is most likely to preserve the
storage devices in a forensically clean state, but there is the risk of corrupting data.
Imaging utilities
- Forensic software suites and file formats
- dd
There are many GUI imaging utilities, including those packaged with suites such as the Forensic Toolkit and its FTK Imager. You should note that the EnCase forensics suite uses a vendor file format (.e01) compared to the raw file format used by Linux tools like dd. The file format is important when it comes to selecting a tool for analyzing the image. The .e01 format allows image metadata (such as the checksum, drive geometry, and acquisition time) to be stored within the same file. The open-source Advanced Forensic Format (AFF) provides similar features. A raw dd image carries no metadata, so the checksum and acquisition details must be recorded separately.
dd
If no specialist tool is available, on a Linux host you can use the dd command to make a copy of an input file (if=) to an output file (of=) and apply optional conversions to the file data. In the following sda is the fixed drive; bs= sets the block size, conv=noerror,sync tells dd to continue past a read error and pad the unreadable block with zeros so that offsets in the image stay aligned with the source, and status=progress reports progress:
dd if=/dev/sda of=/mnt/usbstick/backup.img bs=4M conv=noerror,sync status=progress
Attach the source drive through a write blocker where possible, and hash both the source device and the image (for example with sha256sum) so that the image can be shown to be a faithful copy.
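An added example (Python, not from the lesson) that does in code what dd with conv=noerror,sync does and adds the steps from the Chain of Custody card around it: pad an unreadable block with zeros so later blocks keep their offsets, hash the image, re-verify the hash, and write a custody record. The device is a constructed file, the block size is set to 512 for the example, and the examiner name is hypothetical.

```python
"""Block-wise evidence imaging with hash verification and a chain-of-custody record.

Added example (not from the lesson): a Python stand-in for `dd conv=noerror,sync`
that shows the two things a raw dd image does not do for you, hashing and
custody logging. The "device" is a constructed file; the examiner name and
block size are hypothetical.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # hypothetical sector size; real acquisitions use much larger blocks


class BadSectorSource:
    """Block reader over a file that raises OSError for listed blocks, to simulate
    unreadable sectors (constructed for the example)."""

    def __init__(self, fh, bad_blocks=()):
        self.fh, self.bad_blocks, self.index = fh, set(bad_blocks), 0

    def read_block(self):
        data = self.fh.read(BLOCK_SIZE)
        idx, self.index = self.index, self.index + 1
        if data and idx in self.bad_blocks:
            raise OSError(f"I/O error reading block {idx}")
        return data


def image_device(source, image_path):
    """Copy block by block. On a read error write a zero-filled block instead of
    aborting (dd's conv=noerror,sync), so later blocks keep their offsets.
    Returns (bytes_written, unreadable_block_indexes, sha256_of_image)."""
    digest, unreadable, written, idx = hashlib.sha256(), [], 0, 0
    with open(image_path, "wb") as out:
        while True:
            try:
                chunk = source.read_block()
            except OSError:
                unreadable.append(idx)
                chunk = b"\x00" * BLOCK_SIZE
            if not chunk:
                break
            chunk = chunk.ljust(BLOCK_SIZE, b"\x00")   # sync: pad a short final block
            out.write(chunk)
            digest.update(chunk)
            written += len(chunk)
            idx += 1
    return written, unreadable, digest.hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_entry(image_path, digest, unreadable, examiner, source_desc):
    """One chain-of-custody record: who acquired what, when (UTC), and the hash
    every later handler must re-verify before touching the image."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "examiner": examiner,
        "source": source_desc,
        "image": os.path.basename(image_path),
        "sha256": digest,
        "unreadable_blocks": unreadable,
    }


def verify_image(image_path, expected_sha256):
    """Re-hash the image and compare; run on every handover and before analysis."""
    return sha256_file(image_path) == expected_sha256


def demo(bad_blocks=(3,), workdir=None):
    """Image a constructed 8-block 'device' and return what the caller can check."""
    workdir = workdir or tempfile.mkdtemp()
    src_path = os.path.join(workdir, "evidence.bin")
    img_path = os.path.join(workdir, "evidence.img")
    with open(src_path, "wb") as fh:                  # constructed content: block i is all 'A'+i
        for i in range(8):
            fh.write(bytes([0x41 + i]) * BLOCK_SIZE)
    with open(src_path, "rb") as fh:
        written, unreadable, digest = image_device(BadSectorSource(fh, bad_blocks), img_path)
    entry = custody_entry(img_path, digest, unreadable, "examiner-01 (hypothetical)", "evidence.bin (constructed)")
    with open(img_path, "rb") as fh:
        block3 = fh.read()[3 * BLOCK_SIZE:4 * BLOCK_SIZE]
    return {
        "written": written,
        "unreadable": unreadable,
        "image_sha256": digest,
        "source_sha256": sha256_file(src_path),
        "verified": verify_image(img_path, digest),
        "block3_zeroed": block3 == b"\x00" * BLOCK_SIZE,
        "custody": json.dumps(entry),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When no block is unreadable the image hash equals the source hash, which is the check a court expects; when a block had to be zero-filled the hashes differ, and the custody record's list of unreadable blocks is what explains the difference.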