EXPLAINING DIGITAL FORENSICS Module 18

Module 18 - resources.thepowerlms.com


Page 1: EXPLAINING DIGITAL FORENSICS

Module 18

Page 2: EXPLAIN KEY ASPECTS OF DIGITAL FORENSICS DOCUMENTATION

Topic 18A

Page 3: SYLLABUS OBJECTIVES COVERED

4.5 Explain the key aspects of digital forensics

Page 4: KEY ASPECTS OF DIGITAL FORENSICS

Collecting evidence from computer systems to a standard that will be accepted in a court of law

Evidence, documentation, and admissibility
  Latent evidence
  Collection must be documented

Due process

Legal hold – evidence in court must be preserved

Chain of custody
  Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation

Page 5: DIGITAL FORENSICS REPORTS

Summarizes contents of the digital data

Conclusions from the investigator's analysis

Professional ethics
  Analysis must be performed without bias
  Analysis methods must be repeatable
  Evidence must not be changed or manipulated

Page 6: E-DISCOVERY

Means of filtering and storing the Electronically Stored Information (ESI) found in forensics

Processes include
  Identify and de-duplicate files and metadata
  Search
  Tags
  Security
  Disclosure

Page 7: VIDEO AND WITNESS INTERVIEWS

Video
  Record all actions
  Log/video steps taken

Witness interviews
  Informal statements
  Avoid leading questions
  Formal questioning

Page 8: TIMELINES

Sequence of events

Time stamps
  OS/file system methods for recording time
  Correct synchronization of local time source

Time offset
  Coordinated Universal Time (UTC)
  Local time

Date/time settings tampering

Screenshot: Autopsy - the Sleuth Kit (sleuthkit.org/autopsy)
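The timeline slide above lists the two things an examiner has to reconcile before events from several hosts can be sequenced: the local time zone each log was written in, and the possibility that a host's clock was changed. The following Python is an added example, not part of the module or of any tool it names; the hosts, offsets and log lines are constructed, and the rule it uses (a host's own log should never run backwards in file order) is a simple heuristic, not a formal standard.

```python
"""Build a single UTC timeline from log entries recorded in different local time zones.

Added example, not from the module. The sample entries are constructed: three
hosts, each writing wall-clock local time with no zone information, so the
examiner supplies the UTC offset that was documented for each host at acquisition.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample. Each tuple is
# (host, local timestamp exactly as written in the log, UTC offset in hours, message).
SAMPLE_ENTRIES = [
    ("fileserver",  "2023-05-01 09:02:10", -4, "user alice logged on"),
    ("workstation", "2023-05-01 14:01:55", +1, "usb device connected"),
    ("web-proxy",   "2023-05-01 13:03:30",  0, "outbound upload 52 MB"),
    ("workstation", "2023-05-01 08:59:00", +1, "clock set back by user"),
]


def to_utc(local_ts: str, offset_hours: int) -> datetime:
    """Parse a naive local timestamp and convert it to UTC using the documented offset."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    local_zone = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=local_zone).astimezone(timezone.utc)


def build_timeline(entries):
    """Return entries ordered by UTC time as a list of (utc_datetime, host, message)."""
    timeline = [(to_utc(ts, off), host, msg) for host, ts, off, msg in entries]
    timeline.sort(key=lambda e: e[0])
    return timeline


def find_backward_steps(entries):
    """Flag log lines whose timestamp is earlier than the previous line from the same host.

    A host's log is appended in order, so a later line carrying an earlier time
    is a sign that the date/time settings were changed and need examining before
    that host's timestamps are trusted.
    """
    last_seen = {}
    flagged = []
    for host, ts, off, msg in entries:   # entries are in file (write) order
        utc = to_utc(ts, off)
        if host in last_seen and utc < last_seen[host]:
            flagged.append((host, msg))
        last_seen[host] = utc
    return flagged


if __name__ == "__main__":
    for utc, host, msg in build_timeline(SAMPLE_ENTRIES):
        print(utc.strftime("%Y-%m-%dT%H:%M:%SZ"), host, msg)
    for host, msg in find_backward_steps(SAMPLE_ENTRIES):
        print("clock went backwards on", host, "at entry:", msg)
```

In the constructed data the three activity lines land within about a minute of each other once normalised to UTC, which is invisible while each log is read in its own local time; the fourth line shows why the offset alone is not enough and the host's clock history must be checked too.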

Page 9: EVENT LOGS AND NETWORK TRAFFIC

Collect data from network logging servers

Packet captures
  Retrospective Network Analysis (RNA)

Record collection methods to establish provenance

Page 10: STRATEGIC INTELLIGENCE AND COUNTERINTELLIGENCE

Re-examine logs for signs of intrusion

Counterintelligence
  Analyze adversary tactics, techniques, and procedures (TTP)
  Develop better control configurations

Strategic intelligence
  Inform risk management and security control provisioning to build mature cybersecurity capabilities

Page 11: EXPLAIN KEY ASPECTS OF DIGITAL FORENSICS EVIDENCE ACQUISITION

Topic 18B

Page 12: SYLLABUS OBJECTIVES COVERED

4.1 Given a scenario, use the appropriate tool to assess organizational security

4.5 Explain the key aspects of digital forensics

Page 13: DATA ACQUISITION AND ORDER OF VOLATILITY

Legal seizure and search of devices

Computer on/off state – shutdown or powered off ("frozen")

Order of volatility
  1. CPU registers and cache memory
  2. Non-persistent system memory (RAM)
  3. Data on persistent storage
     Partition data and file system artefacts
     Cached system memory data (pagefiles and hibernation files)
     Temporary file caches
     User, application, and OS files and directories
  4. Remote logging and monitoring data
  5. Physical configuration and network topology
  6. Archival media

Page 14: DIGITAL FORENSICS SOFTWARE

EnCase Forensic and The Forensic Toolkit (FTK) – Commercial case management and evidence acquisition and analysis

The Sleuth Kit/Autopsy – Open-source case management and evidence acquisition and analysis

WinHex – Forensic recovery and analysis of binary data

The Volatility Framework – System memory analysis

Page 15: SYSTEM MEMORY ACQUISITION

Evidence recovery from non-persistent memory
  Contents of temporary file systems, registry data, network connections, cryptographic keys, …

Live acquisition – Pre-install kernel driver

Crash dump – Recover from fixed disk

Hibernation and page file – Recover from fixed disk

Screenshot: Volatility Framework (volatilityfoundation.org)

Page 16: DISK IMAGE ACQUISITION

Non-volatile storage media and devices

Acquisition types
  Live acquisition
  Static acquisition by shutting down the host
  Static acquisition by pulling the plug

Imaging utilities
  Forensic software suites and file formats
  dd

Page 17: PRESERVATION AND INTEGRITY OF EVIDENCE

Provenance
  Record process of evidence acquisition
  Use a write blocker

Data acquisition with integrity and non-repudiation
  Cryptographic hashing and checksums
  Take hashes of source device, reference image, and copy of image for analysis

Preservation of evidence
  Secure tamper-evident bagging
  Protection against electrostatic discharge (ESD)
  Chain of custody
  Secure storage facility
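The two slides above (disk image acquisition with dd, then hashing the source device, the reference image and the working copy) describe one workflow. The Python below is an added example, not from the module or from dd or any forensic suite; it reads the source in fixed-size blocks the way dd does, hashes the stream as it is written, and then independently hashes all three artefacts. The "device" is a constructed file so the code runs anywhere; in practice the source is a block device behind a write blocker, and the case identifier and examiner name are placeholders.

```python
"""Acquire a disk image block by block and verify source, image and working copy by SHA-256.

Added example, not from the module. The source "device" is a constructed file
standing in for a drive read through a write blocker; case id and examiner are
placeholders for the values a real custody record would carry.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # fixed-size reads, as dd does with bs=


def sha256_of(path: str) -> str:
    """Hash a file block by block so large images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> str:
    """Copy source to image, opening the source read-only and hashing the stream in the same pass.

    Returns the hash of the bytes actually read, the reference value every later copy must match.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_chain(source: str, image: str, working_copy: str) -> dict:
    """Hash the source device, the reference image and the analysis copy; all three must agree."""
    digests = {
        "source": sha256_of(source),
        "reference_image": sha256_of(image),
        "working_copy": sha256_of(working_copy),
    }
    return {"hashes": digests, "verified": len(set(digests.values())) == 1}


def custody_record(case_id: str, examiner: str, digests: dict) -> str:
    """One chain-of-custody log line: who hashed what, when (UTC), and the values obtained."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    values = " ".join(f"{name}={digest}" for name, digest in digests.items())
    return f"{stamp} case={case_id} examiner={examiner} {values}"


def run_demo() -> dict:
    """Acquire a constructed 'device', verify the chain, then show a modified working copy failing."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "sdb.raw")     # stands in for /dev/sdb behind a write blocker
        image = os.path.join(d, "sdb.dd")       # reference image, kept read-only after hashing
        copy = os.path.join(d, "sdb-work.dd")   # the copy the analyst actually works on
        with open(source, "wb") as f:
            f.write(b"NTFS    " + bytes(range(256)) * 40)   # constructed contents
        stream_hash = acquire_image(source, image)
        shutil.copyfile(image, copy)
        clean = verify_chain(source, image, copy)
        # An accidental write to the working copy: one byte changes, so its hash no longer matches.
        with open(copy, "r+b") as f:
            f.write(b"X")
        tampered = verify_chain(source, image, copy)
        return {"stream_hash": stream_hash, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = run_demo()
    print(custody_record("CASE-PLACEHOLDER", "examiner-placeholder", result["clean"]["hashes"]))
    print("clean copy verified:", result["clean"]["verified"])
    print("modified copy verified:", result["tampered"]["verified"])
```

Hashing while imaging gives the value recorded at acquisition; hashing the three files afterwards is the independent check, and because the source and reference image still agree when the working copy drifts, the record shows exactly which artefact changed.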

Page 18: ACQUISITION OF OTHER DATA

Network – SIEM

Cache
  File system cache (temporary files)
  Hardware cache

Artifacts and data recovery
  Windows Alternate Data Streams (ADS)
  File caches (prefetch and Amcache)
  Slack space and file carving

Snapshot
  Acquisition of VM disk images

Firmware
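"Slack space and file carving" on the slide above refers to recovering files whose file-system metadata is gone by scanning raw bytes for known header and footer signatures. The Python below is an added example, not the module's or any tool's code; the "disk image" is constructed in memory with a JPEG-like and a PNG-like object placed at non-sector-aligned offsets and one truncated header, so it shows the normal case and the edge case (header without footer) that carvers must skip. The signatures are the real JPEG and PNG ones, but the payloads are stand-ins, not valid pictures.

```python
"""Carve files out of unallocated or slack space by header/footer signature.

Added example, not from the module. The image is constructed: deterministic
filler that contains no 0xFF byte and no signature, with two objects and one
truncated header embedded at offsets no file system entry points to.
"""

# Header and footer signatures for two common image formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk name + its fixed CRC
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return [(offset, kind, data)] for every header whose footer appears within max_size bytes.

    Scans every byte offset rather than sector boundaries, so objects sitting in
    another file's slack space are found too. A header with no footer in range
    (a truncated or overwritten object) is skipped instead of producing junk.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(tail, start + len(head), start + max_size)
            if end != -1:
                end += len(tail)
                found.append((start, kind, image[start:end]))
                start = image.find(head, end)        # continue after the carved object
            else:
                start = image.find(head, start + 1)  # no footer: skip this header
    found.sort(key=lambda f: f[0])
    return found


def build_sample_image() -> bytes:
    """Construct a fake image: 1024 bytes of filler around objects at odd offsets."""
    filler = bytes((i * 37) % 251 for i in range(1024))   # never 0xFF, never a signature
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-STANDIN" * 3 + b"\xff\xd9"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"IHDR-STANDIN" * 2 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1TRUNCATED"            # header whose footer was overwritten
    return filler + b"slack" + fake_jpeg + filler + fake_png + filler + truncated


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"offset {offset}: {kind}, {len(data)} bytes")
```

Signature carving recovers the bytes, not the name, timestamps or ownership, which is why the slide lists it beside artefact sources such as prefetch and Amcache: those are what tie a carved object back to a user or a time.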

Page 19: DIGITAL FORENSICS FOR CLOUD

Right to audit clauses

Limited opportunities for recovery of ephemeral images
  Ability to snapshot instances
  Recover log and monitoring data

Complex chain of custody issues

Complex regulatory/jurisdiction issues

Data breach notification laws

Page 20: SUMMARY – Module 18

Follow these guidelines for supporting forensics investigations:

• Develop or adopt a consistent process for incident responders to handle and preserve forensic data:
  • Consider the order of volatility and potential loss of evidence if a host is shut down or powered off.
  • Record evidence collection using video and interview witnesses to gather statements.
  • Deploy tools, such as WinHex, Autopsy, or FTK Imager, that can capture and validate evidence from persistent and nonpersistent media.
  • Establish a method for recovering forensic data from a CSP.
  • Document evidence using a chain of custody.

• Be aware of the potential for forensic evidence as a source of strategic intelligence and counterintelligence.