Theme 2: Scenes and Acquisition Flashcards
(21 cards)
Preparation for Entering a Scene
- Understand Operational Constraints: Resources and intelligence
- Consider Legal, Ethical and Media Considerations: Warrants, consider other routes of investigation that you may interfere with e.g. fingerprinting
- Check Permissions: Check validity of warrants
- Wear Appropriate Outfits: Health and safety
- Prepare Equipment: Avoid contaminating equipment e.g. personal phones that can be detected by IoT or magnets. Bring storage. And ensure devices are functional and you are competent with them
Entering a Scene
- Decide on Entry Time: Enter when suspect is likely to be actively using a device to avoid anti forensics
- Arrival: Dress appropriately, check equipment, ensure documentation is on-hand to prove warrant
- Map the Scene: Take photographs, identify hazards, identify what data is volatile and understand what is important
- Communicate: Define roles and follow them to avoid repeating actions and contamination
- Fill in Documentation: Search log form
Searching a Scene
- se a Methodical Approach: Clockwise, top-to-bottom
- Search Suspects: Portable storage and smart wearables
- Cyber Dogs: Can locate hidden devices through chemicals used on electronics
- Understand Potential Devices: May not be the newest devices e.g. floppy disks
- Follow ACPO Guidelines
Anti-forensics
used by technically competent people to interfere with digital forensics including
- Complete destruction of data: Chemical or slow-wipe
- Harming investigations: Needles, sharp objects
What to Collect
Data collected must be proportional, relevant, and justified due to legal guidelines and resource limitations
How to Collect Devices
Signal Emitting Devices: Use a faraday bag or aeroplane mode.
Search for Anti-forensics: To avoid harm
Turned on Devices: Follow ACPO 2
Turned off Devices: Follow ACPO 1
How to Turn off Devices
To turn off a device, directly cut power to avoid software-based processes cleaning up volatile data
Transporting Evidence
Transport carefully to avoid damage and quickly to ensure the battery does not deplete and cause ACPO 2 to be violated
Evidence Bags
They must be labelled, sealed and stored securely. If opened, the old bag must be placed in a new evidence bag and labelled accordingly to preserve provenance
Storage Evidence
Store securely.
Should be stored in faraday cages if signal emitting
External Review
performed to understand device capabilities
- Type of Device
- Model Numbers
- Contextual Function: What the user used the device for
- Ports
- Customisations: Additions and labels
Internal Review
Furthers understanding of the device
- Identify Hazards
- Take Apart Devices
- Search for Hidden Objects
- Understand Cables
- Identify Storage Media by Following Cables
- Extract Storage: Not always possible due to encryption
Four Components of Mobile Devices
- Main Handset: Operating system
- Battery: Can hide small objects
- Sim Card: Can store data such as contacts and recent calls
- Expansion Card: Non-apple products, treat as secondary storage
Data Provided by Network Providers
- Registered Name and Address
- Associated Numbers
- Payment Details
-
Call Information
- Originating and Receiving Number
- Call Duration
Prerequisites to Performing Acquisition
Check Permissions: Device provenance and how it was obtained
Generalised Acquisition Framework
- Determine Investigation Parameters: Define the legal, ethical, organisational, and resource constraints that will guide the acquisition process.
- Identify Acquisition Target and Output Location: Specify the data to acquire, where it’s located, and where and how it will be securely stored.
- Identify Acquisition Approaches: Map all possible methods for accessing the data, prioritising those closest to the original source.
- Validate Acquisition Approaches: Test each method on a similar device to ensure it is reliable, legal, and does not compromise data integrity.
- Establish the Order of Modification: Rank validated methods based on their likelihood of modifying data and overall suitability.
- Attempt Data Acquisition: Use validated methods in order of least intrusiveness to acquire the data from the evidential device.
- Validate Data Acquisition: Confirm the acquired data is correct, intact, and usable; if not, retry using the next validated method.
Acquisition Approaches
- Write-blocker with Removed Storage Media: Physically remove the storage media and image with a write blocker to prevent alteration
- Wireless: Capture wirelessly transmitted data in real-time or from network logs
- JTAG: A hardware interface standard used to access and extract memory content at the hardware level
- Chip Off: De-solder memory chips and read directly. High risk of damage
- Man-in-the-Middle: Intercept in-transit data between two devices
- Tool Driven: Use commercial forensic tools to automate acquisition
- Industry Closed: Proprietary methods or tools used by specific vendors
Live Acquisition
The process of capturing volatile data, such as RAM, active processes, encryption keys, passwords etc from a system that is running
It is used when powering down the device risks losing volatile data
Follow ACPO principle 2
Disk Image Formats
-
EnCase
.E01: Proprietary, compressed and includes metadata -
Raw Binary
.DD: Bit-for-bit copy of storage device
Hashing
- Hashing confirms integrity but does not verify authenticity, context, or provenance.
- Proper documentation and secure handling helps ensure the validity of evidence
Why disable auto-mounting
Inhibit the risk of the data being modified
