Module 6 - Digital Forensics Flashcards

1
Q

Digital Forensics

A

Digital forensics is the recovery and investigation of information found on digital devices as it relates to criminal activity. Indicators of compromise are the evidence that a cybersecurity incident has occurred. This information could be data on storage devices, data in volatile computer memory, or the traces of cybercrime that are preserved in network data, such as packet captures (pcaps) and logs. It is essential that all indicators of compromise be preserved for future analysis and attack attribution.

2
Q

Private Investigations

A

Cybercriminal activity can be broadly characterized as originating from inside or outside of the organization. Private investigations are concerned with individuals inside the organization. These individuals may simply be behaving in ways that violate user agreements or engaging in other non-criminal misconduct.

3
Q

Data breach involving Patient information

A

Under the US HIPAA Breach Notification Rule, if a data breach has occurred that involves protected health information, notification of the breach must be made to the affected individuals (and to the Secretary of Health and Human Services). If the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that area, as well as the affected individuals, must be notified. Digital forensic investigation is used to determine which individuals were affected and to certify the number of affected individuals so that appropriate notification can be made in compliance with HIPAA.

4
Q

NIST Special Publication 800-86 Guide to Integrating Forensic Techniques into Incident Response

A

NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, is a valuable resource for organizations that require guidance in developing digital forensics plans. For example, it recommends that forensics be performed using a four-phase process: collection, examination, analysis, and reporting.

5
Q

Digital Evidence Forensic Process

A
  • Collection
  • Examination
  • Analysis
  • Reporting
6
Q

Collection

A

This is the identification of potential sources of forensic data and acquisition, handling, and storage of that data. This stage is critical because special care must be taken not to damage, lose, or omit important data.

7
Q

Examination

A

This entails assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data. Information that is irrelevant to the investigation may need to be removed. Identifying actual evidence in large collections of data can be very difficult and time-consuming.

8
Q

Analysis

A

This entails drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented. This step may also involve the correlation of data from multiple sources.

9
Q

Reporting

A

This entails preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate. Limitations of the analysis and problems encountered should be included. Suggestions for further investigation and next steps should also be made.

10
Q

Types of Evidence

A
  • Best evidence
  • Corroborating evidence
  • Indirect evidence
11
Q

Best evidence

A

This is evidence that is in its original state. This evidence could be storage devices used by an accused, or archives of files that can be proven to be unaltered.

12
Q

Corroborating evidence

A

This is evidence that supports an assertion that is developed from best evidence.

13
Q

Indirect evidence

A

This is evidence that, in combination with other facts, establishes a hypothesis. This is also known as circumstantial evidence. For example, evidence that an individual has committed similar crimes can support the assertion that the person committed the crime of which they are accused.

14
Q

Direct Evidence

A

Direct evidence is evidence that was indisputably in the possession of the accused, or is eyewitness evidence from someone who directly observed criminal behavior.

15
Q

IETF RFC 3227

A

IETF RFC 3227, Guidelines for Evidence Collection and Archiving (BCP 55), provides guidelines for the collection of digital evidence. It describes an order for the collection of digital evidence based on the volatility of the data. Data stored in RAM is the most volatile, and it will be lost when the device is turned off. In addition, important data in volatile memory could be overwritten by routine machine processes. Therefore, the collection of digital evidence should begin with the most volatile evidence and proceed to the least volatile: CPU registers and cache first; then routing tables, ARP cache, process table, kernel statistics, and memory; then temporary file systems; then disk; then remote logging and monitoring data relevant to the system; then physical configuration and network topology; and archival media last.

16
Q

Chain of Custody

A

Chain of custody involves the collection, handling, and secure storage of evidence. Detailed records should be kept of the following:

  • Who discovered and collected the evidence?
  • All details about the handling of evidence including times, places, and personnel involved.
  • Who has primary responsibility for the evidence, when responsibility was assigned, and when custody changed?
  • Who has physical access to the evidence while it was stored? Access should be restricted to only the most essential personnel.
17
Q

Preservation of Original Data

A
  • When collecting data, it is crucial to maintain its original condition.
  • Timestamps of files must be preserved as they may be part of the evidence.
  • Analysis should only be conducted on copies of the original data to prevent accidental loss or alteration of evidence.
  • Avoid opening files directly from the original media.
18
Q

Recording the Copying Process

A
  • Document the process used to create copies of the evidence for the investigation.
  • Prefer direct bit-level copies of the original storage volumes when making copies.
  • Enable comparison between the archived disk image and the investigated disk image, for example by comparing their cryptographic hashes, to detect tampering.
  • Archive and protect the original disk to maintain its untampered condition.
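The three preceding cards (chain of custody, preservation of original data, recording the copying process) describe one workflow. The following Python is an added example that is not part of the course material: it records the original's timestamps, hashes the original, creates a working copy, proves the copy matches, keeps an append-only chain-of-custody log, and then shows an integrity check catching a modified working copy while the archived original still verifies. The function names (`acquire_working_copy`, `verify_integrity`, `CustodyLog`) are hypothetical, and a plain file copy of a constructed 16 KiB "image" stands in for a bit-level image made with a tool such as dd behind a write blocker.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images never have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_timestamps(path):
    """Capture the original's timestamps before anything else touches it; they may be evidence."""
    st = os.stat(path)
    return {"size": st.st_size, "atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


class CustodyLog:
    """Append-only chain-of-custody record: who did what to which item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def add(self, item, action, person, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "item": item,
                 "action": action, "person": person, **details}
        self.entries.append(entry)
        return entry

    def dump(self):
        return json.dumps(self.entries, indent=2)


def acquire_working_copy(original, working_dir, examiner, log):
    """Hash the original, make the working copy, and prove the two match before analysis starts.

    Hypothetical helper (not the course's code). In a real acquisition the original is read
    through a write blocker and imaged with a tool such as dd or dc3dd; here a plain file
    copy stands in for the bit-level image."""
    timestamps = record_timestamps(original)
    original_hash = sha256_file(original)
    log.add(original, "hashed original", examiner, sha256=original_hash, timestamps=timestamps)
    copy_path = os.path.join(working_dir, os.path.basename(original) + ".working")
    shutil.copy2(original, copy_path)  # copy2 also carries over the modification time
    copy_hash = sha256_file(copy_path)
    log.add(copy_path, "created working copy", examiner, sha256=copy_hash,
            matches_original=(copy_hash == original_hash))
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match the original; stop and re-image")
    return copy_path, original_hash


def verify_integrity(path, expected_hash, examiner, log):
    """Re-hash an item and log the outcome; False means it no longer matches the recorded hash."""
    ok = sha256_file(path) == expected_hash
    log.add(path, "integrity check", examiner, result="match" if ok else "MISMATCH")
    return ok


def run_demo(base_dir=None):
    """Constructed scenario: a small fake disk image stands in for an acquired volume."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="evidence-")
    original = os.path.join(base_dir, "suspect-laptop-sda.dd")
    with open(original, "wb") as fh:
        fh.write(bytes(range(256)) * 64)  # constructed, deterministic content (16 KiB)
    log = CustodyLog()
    copy_path, original_hash = acquire_working_copy(original, base_dir, "J. Examiner", log)
    copy_ok_before = verify_integrity(copy_path, original_hash, "J. Examiner", log)
    # Simulate an analysis tool (or a careless examiner) writing one byte into the working copy.
    with open(copy_path, "r+b") as fh:
        fh.seek(16)
        fh.write(b"\xff")  # offset 16 originally holds 0x10, so the content really changes
    copy_ok_after = verify_integrity(copy_path, original_hash, "J. Examiner", log)
    original_ok = verify_integrity(original, original_hash, "J. Examiner", log)
    return {"copy_ok_before": copy_ok_before, "copy_ok_after": copy_ok_after,
            "original_ok": original_ok, "log": log.entries}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps({k: v for k, v in result.items() if k != "log"}))
    print(json.dumps(result["log"], indent=2))
```

Two practical points the code makes explicit: the hash of the original is taken once and written into the custody log, so every later comparison is against a recorded value rather than against a file that could itself have changed; and only the working copy is ever opened for writing, which is why the mismatch is confined to it and the archived original still verifies.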
19
Q

Preservation of Volatile Memory

A

Volatile memory may contain forensic evidence. Use special tools to preserve this evidence before shutting down the device to prevent data loss. Do not disconnect, unplug, or turn off infected machines unless instructed to do so by security personnel.

20
Q

Ensure Evidence Preservation

A
  • Preservation of original data
  • Recording the copying process
  • Preservation of volatile memory
21
Q

Attack Attribution

A

The process of identifying the source of a cyberattack, which involves determining the responsible individual, organization, or nation.

22
Q

Principled Investigation

A

Identifying responsible threat actors should be based on a principled and systematic investigation of evidence, avoiding bias in attributing attacks.

23
Q

Correlating Tactics, Techniques, and Procedures (TTP)

A

Incident response teams correlate TTPs used in the attack with known exploits and utilize threat intelligence sources to map them to similar attacks.

24
Q

Attribution Factors

A

Key factors aiding attribution include the location of originating hosts or domains, characteristics of malware code, tools used, and techniques employed.

25
Q

Asset Management in Attribution

A

For internal threats, asset management, including IP addresses, MAC addresses, DHCP logs, and AAA logs, plays a crucial role in tracing the source of an attack.
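As an added example of the asset-management correlation described above (not code from the course), the Python below takes a suspect internal IP address and a time, looks up which MAC address held that IP in DHCP server logs at that moment, replays RADIUS accounting Start/Stop records to find who was logged in on that MAC, and finally maps the MAC to an asset inventory entry. The log lines, the inventory, the year (syslog timestamps carry none) and the helper names (`attribute`, `mac_for_ip`, `user_for_mac`) are all constructed or assumed. The sample deliberately has the same IP re-leased to a second device later in the day, and the two sources write MAC addresses in different formats, because both are where a naive lookup goes wrong.

```python
import re
from datetime import datetime

# Constructed sample logs (not real data) in ISC dhcpd and RADIUS-accounting style.
DHCP_LOG = """\
Mar 14 09:02:11 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 3c:52:82:aa:bb:01 (ws-finance-12) via eth0
Mar 14 09:05:40 dhcp1 dhcpd: DHCPACK on 10.20.5.80 to 3c:52:82:aa:bb:09 (ws-finance-19) via eth0
Mar 14 11:45:03 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 00:1b:63:cc:dd:02 (contractor-lt) via eth0
"""
AAA_LOG = """\
Mar 14 09:01:58 nac1 radius: Acct-Status-Type=Start User-Name=alice Calling-Station-Id=3C-52-82-AA-BB-01 NAS-Port-Id=Gi1/0/12
Mar 14 11:30:00 nac1 radius: Acct-Status-Type=Stop User-Name=alice Calling-Station-Id=3C-52-82-AA-BB-01 NAS-Port-Id=Gi1/0/12
Mar 14 11:44:50 nac1 radius: Acct-Status-Type=Start User-Name=bob.contractor Calling-Station-Id=00-1B-63-CC-DD-02 NAS-Port-Id=Gi1/0/12
"""
# Hypothetical asset inventory keyed by normalized MAC; the contractor laptop is deliberately absent.
INVENTORY = {"3c:52:82:aa:bb:01": "LT-0412 (Finance, assigned to Alice M.)",
             "3c:52:82:aa:bb:09": "LT-0419 (Finance)"}
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year

DHCP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
                     r"to (?P<mac>[0-9a-f:]{17})", re.I)
AAA_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ radius: Acct-Status-Type=(?P<kind>Start|Stop) "
                    r"User-Name=(?P<user>\S+) Calling-Station-Id=(?P<mac>[0-9a-f:-]{17})", re.I)


def parse_ts(text):
    """Turn a year-less syslog timestamp such as 'Mar 14 09:02:11' into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {text.replace('  ', ' ')}", "%Y %b %d %H:%M:%S")


def normalize_mac(mac):
    """Switches log 3C-52-82-AA-BB-01, the DHCP server 3c:52:82:aa:bb:01: compare one form only."""
    return mac.lower().replace("-", ":")


def parse_dhcp(log):
    leases = []
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((parse_ts(m["ts"]), m["ip"], normalize_mac(m["mac"])))
    return sorted(leases)


def parse_aaa(log):
    sessions = []
    for line in log.splitlines():
        m = AAA_RE.match(line)
        if m:
            sessions.append((parse_ts(m["ts"]), m["kind"], normalize_mac(m["mac"]), m["user"]))
    return sorted(sessions)


def mac_for_ip(leases, ip, at):
    """Most recent DHCPACK for this IP at or before `at`; later re-leases of the IP do not count."""
    mac = None
    for ts, lease_ip, lease_mac in leases:
        if ts > at:
            break
        if lease_ip == ip:
            mac = lease_mac
    return mac


def user_for_mac(sessions, mac, at):
    """Replay accounting Start/Stop records up to `at` and report who was logged in on that MAC."""
    active = {}
    for ts, kind, session_mac, user in sessions:
        if ts > at:
            break
        if kind.lower() == "start":
            active[session_mac] = user
        else:
            active.pop(session_mac, None)
    return active.get(mac)


def attribute(ip, at, dhcp_log=DHCP_LOG, aaa_log=AAA_LOG, inventory=INVENTORY):
    """IP at a given time -> MAC -> authenticated user -> inventory asset (None where unknown)."""
    mac = mac_for_ip(parse_dhcp(dhcp_log), ip, at)
    return {"ip": ip, "at": at.isoformat(), "mac": mac,
            "user": user_for_mac(parse_aaa(aaa_log), mac, at) if mac else None,
            "asset": inventory.get(mac) if mac else None}


if __name__ == "__main__":
    for when in ("Mar 14 10:30:00", "Mar 14 11:40:00", "Mar 14 12:00:00", "Mar 14 08:00:00"):
        print(attribute("10.20.5.77", parse_ts(when)))
```

Read the four lookups together: at 10:30 the IP resolves to Alice's inventoried laptop; at 11:40 the lease still points at her MAC but the accounting log shows she had already logged off, so the user field is empty; at 12:00 the same IP belongs to a different MAC with a different user and no inventory record (an unmanaged device, which is itself a finding); before the first lease there is nothing to attribute. An attribution that only used the latest DHCP entry would blame the contractor for the 10:30 activity.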

26
Q

The MITRE ATT&CK Framework

A

The MITRE ATT&CK Framework is a global knowledge base of threat actor behavior. It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.