CompTIA Security+ SYO 601 Chapter 15 Digital Forensics
Acquiring a forensic copy of a dire or device requires a tool that can create?
A complete copy of the device at a bit-for-bit level. The Security+ exam considers a number of tools that can acquire disk images, including dd, FTK imager, and WinHex.
Forensic suites provide features that make investigations easier and more complete by?
A forensic suite like Autopsy provides tools to mage and organize investigations ae well as a complete set of tools. Those tools typically include the ability to ingest, analyze, and automatically identify common forensic targets such as images, Office documents, text files, and similar artifacts. They also provide timelining capabilities, tools to assist with reporting and markup of the forensic data, and a wide range of other features useful for forensic examination. Although Autopsy is one example, commercial tools are broadly available with advanced features.
The most common way to validate that a forensic copy matches and original copy is to create a?
A hash of the copy and to create a hash of the original drive, and then compare them. If the hashes match, the forensic copy is identical to the original. Although MD5 and SHA1 are both largely outmoded for purposes where attackers might be involved, they remain useful for quickly hashing forensic images. Providing an MD5 and SHA1 hash of both drives, along with documentation of the process and procedures used, is a common part of building the provenance of the copy. The hashes and other related information will be stored as part of the chain-of-custody and forensic documentation for the case.
Although the analysis of digital artifacts and evidence is important to the forensic process, the report that is produced at the end is the key product. Reports need to be useful and contain the relevant information without delivering into every technical nuance and detail that the analyst may have found during the investigation. A typical forensic report will include the following which is?
A summary of the forensic investigation and findings. An outline of the forensic process, including tools used and any assumptions that were made about the tool or process. A series of sections detailing the findings for each device or drive. Accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail. Recommendations or conclusions in more detail than the summary included. Forensic practitioners may also provide a report with full detail of the analysis as part of their documentation package.
Once you've acquired your forensic data, you need to make sure that you have a complete?
Accurate copy before you begin forensic analysis. At the same time, documenting the provenance of the data and ensuring that the data and process cannot be reupdated (non-repudiation) are also important.
A key element of digital forensics is the?
Acquisition and analysis of digital forensic data. That data can be in the form of drives, files, copies of live memory, and any of the other multitude of digital artifacts that we can create in the normal process of using computers and networks.
Once modules have processed a file you can then use Autopsy to?
Analyze it. The modules can help with quick discovery or forensic artifacts. In fact, one of the rhinos associated with the hunt shows up immediately when the file discovery module is loaded, along with pictures or crocodiles inserted into the image as part of the exercise.
The Security+ exam considers a single forensic suite which is called?
Autopsy. Autopsy is an open-source forensic suite with broad capabilities. Forensic activities with a tool like Autopsy will typically start a new case with information about the investigation, the case, and other details that are important to tracking investigations, and then import files into the case. For this example, the NIST Computer Forensic Reference Data Sets (CFReDS) Rhino hunt disk competition image waws used. The Rhino hunt includes a small image file and three network traces that can be viewed in Wireshark. This example focuses on the disk image file. First as shown in an example you will select the type of file you are importing. Note that you can import a variety of data sources, including raw disks, images, and VMs. With an image imported, you can select the modules that will run against the file.
Files are stored in?
Blocks, with block sizes depending on the drive and the operating system. IF a file that is 100 megabytes long is deleted, then partially overwritten by a 25-megabyte file, 75 megabytes of the original file could potentially be recovered. Forensic analyst relies on this when files have been intentionally deleted to try to hide evidence and they refer to the open space on a drive as slack space.
The security+ exam expects you to be familiar with the basic concepts for acquisition of information for the following list of forensic targets which are?
CPU cache and registers are rarely directly captured as part of normal forensics effort. Although it is possible to capture some sort of this information using specialized hardware or software, most investigations do not need this level of detail. The CPU cache and registers are constantly changing as processing occurs making them very volatile. Ephemeral data such as the process table, kernel statistics, the system's ARP cache, and similar information can be captured through a combination of memory and disk acquisition, but it is important to remember that the capture will only be of the moment in time when the acquisition is done. If events occurred in the past, this data may not reflect the state that the system was in when the event occurred. The content of random-access memory (RAM) can be very helpful for both investigations and incident response. Memory can contain encryption keys, ethereal data from applications, and information that may not be written to the disk but that can be useful to an investigation. Swap and page file information is disk space used to supplement physical memory. Much like capturing information form RAM, capturing the swap and page file can provide insight into running processes. Since it is actively used by the system, particularly on machines with less memory, it also changes more quickly than many files on disk. Files and data on a disk change more slowly but are the primary focus of many investigations. It is important to capture the entire disk, rather than just copy files so that you can see deleted files and other artifacts that remain resident. The operating system itself can contain useful information. The Windows registry is a common target for analysis since many activities in Windows modify or update the registry. Devices such as smartphones or tablets may contain data that can also be forensic targets. Firmware is a less frequently targeted forensic artifact, but knowing how to copy the firmware form a device can be necessary if the firmware was modified as part of an incident or if the firmware may have forensically relevant data. Firmware is often accessible using a hardware interface like a serial cable or direct USB connection, or via memory forensic techniques. Snapshots from virtual machines are an increasingly common artifact that forensic practitioners must deal with. Network traffic and logs can provide detailed information or clues about what was sent or received, when, and via what port and protocol amongst other useful details. Artifacts like devices, printouts, media and other items related to investigations can all provide additional useful forensic data.
Regardless of the type of the type of forensic data that is obtained or handled, it is important to maintain?
Chain of custody documentation if the forensic case may result in a legal case. In fact, some organizations apply these rules regardless of the case to ensure that a case could be supported if it was necessary. Chain of custody forms are simple sign-off and documentation forms. Each time the drive, device, or artifact is accessed, transferred, or otherwise handled; it is documented as shown in a form.
The hash value of a drive or image can also be used as a?
Checksum to ensure that it has not changed. Simply re-hashing the drive or image and comparing the value produced will tell you if changes have occurred because the hash will be different. Careful documentation for cases is a critical part of the forensic process and example shows how tools like FTK Imager have built-in support for documentation. Associating images with case numbers and including details of which examiner created the file can help with forensic documentation.
The same taps, scan ports, and port mirrors used for network security devices can also be useful for network forensics, allowing copies of network traffic to be sent to?
Collection servers. Although this can be useful, it can also result in massive amount of data. Capturing all or selected network traffic is a process that most organizations reserve for specific purposes rather than a general practice. Instead, most organizations end up relying on logs, metadata, traffic flow information, and other commonly collected network information to support forensic activities.
In Linux, dd is a?
Command-line utility that allows you to create images for forensic or other purposes. The dd command line takes input such as an input location (if), an output location (of), and flags that describe what you want to do, such as create a complete copy despite errors.
Cloud operations have made e-discovery even more?
Complex. Cloud vendors provide services and will not permit you to place an intrusive legal hold and discovery agent in their cloud service. That means that as you adopt cloud services you must address how you would deal with legal holds for those services. Tools like Google's Vault provide both email archiving and discovery support, helping organizations to meet their discovery requirements.
Since forensic information can be found in many different places, planning forensic information gathering is?
Crucial to having a complete and intact picture of what occurred. Gathering that forensic data is just the start of a process that involves careful documentation and detailed analysis. Throughout the process, the creation of documentation—including what you have observed, what conclusions can be made form data, and what evidence exist to support those conclusions—is necessary in order to be successful. You will document timelines and sequences of events, looking for clues as to what occurred and why, and you will use timestamps, file metadata, event logs, and a multitude of clues to piece together a complete picture.
In addition to forensic analysis, forensic techniques may be used to recover?
Data from drives and devices. In fact, file recovery is a common need for organizations due to inadvertent deletions and system problems or errors.
Quick formatting a drive in Windows only deletes?
Deletes the file index instead of overwriting or wiping the drive, and other operating systems behave similarly. So, recovering files with a recovery tool or by manual means requires reviewing the drive, finding files based on headers or metadata, and then recovering those files and file fragments. In cases where a file has been partially overwritten, it can still be possible to recover file fragments of the files.
The order of volatility is used to determine what to acquire first by?
Different system components and resources are more likely to be changed or lost during the time a forensic acquisition takes. Thus, forensic partitioners refer to order of volatility to determine what is most volatile and what is least volatile. CPU cache and registers are typically the most volatile, followed by the process table, ARP cache, kernel statistics, and similar data. Next, system RAM; temporary files and swap space, with data on the hard disk; remote logs; and finally, backups are all less volatile. Your forensic acquisition process should take the order of volatility into account as well as the circumstances of your acquisition process to determine what to capture first.
Summary for chapter 15 review this.
Digital forensics plays a role in legal cases, criminal investigations, internal investigations, incident response, and intelligence activities. For most organizations, legal holds, e-discovery, internal investigations, and IR are the most common uses. Legal holds are a notice from opposing counsel to retain data that may be relevant to a current or pending case. Using a discovery model like the EDRM model can help ensure that your discovery and holds process is well planned and executed. Forensic data acquisition can be time sensitive, so analysts must understand the order of volatility for systems, which identifies the targets most likely to change or lose data if they are not preserved first. Throughout acquisition and the forensic lifecycle, maintaining a chain of custody helps ensure that evidence is admissible in court. Cloud services have included additional complexity to forensic efforts. In addition to technical concerns that can make it impossible to conduct direct forensic investigations, contractual and policy considerations need to be taken into account. Many organizations now evaluate right-to-audit clauses, regulatory and jurisdictional concerns, and data breach notification timeframes as part of their contracting process for new third-party and cloud services. Acquisition tools and forensic suites provide the ability to collect forensic images and data and to analyze them using powerful capabilities like automatic recognition of images and documents, as well as timelining and other features. Hashing and validating ensures that acquired images are intact, and matching the source data helps ensure that the forensic data will admissible in court. Reporting occurs and then end of a forensic analysis and need to be complete, with documented reasoning for each conclusion or statement made about the forensic evidence. A standard forensic reporting format helps ensure that readers know what to expect and that they can easily understand what is presented. Forensic techniques may be used for more than just investigations and incident response. They also have a role to play in both intelligence and counterintelligence activities. Intelligence organizations may acquire information using forensic techniques or work to combat other organizations activities by examining the tools and artifacts that they leave behind.
Forensic data is acquired using forensic tools like?
Disk and memory imagers, image analysis and timing tools, low-level editors that can display detailed information about the contents and structure of the data on a disk, and other specialized tools. The Security+ exam focuses on the key aspects of acquisition, including the order of volatility, and details of how and why data is acquired from common locations and devices.
The final tool that the exam outline lists is WinHex which is a?
Disk editing tool that can also acquire disk images in raw format, as well as its own dedicated WinHex format. WinHex is useful for directly reading and modifying data form a drive, memory, RAID, arrays, and other filesystems.
Additional setting are frequently useful to get better performance, such as setting the block size appropriate for the?
Drive. If you want to use dd for forensic purposes, it is worth investing additional time to learn how to adjust its performance using block size settings for the devices and interfaces that you use for your forensic workstation.
Legal holds are often one of the first parts of an?
Electronic discovery, or e-discovery, process. Discovery processes allow each side of a legal case to obtain evidence from each other and other parties involved in the case, and e-discovery is simple an electronic discovery process. In addition to legal cases, discovery processes are also often used from public records, Freedom of Information Act request and investigations. It helps to view electronic discovery using a framework, and the Electronic Discovery Reference Model (EDRM) is a useful model for this.
Physical drives, logical drives, image files, and folders, as well as multi-CD/DVD volumes are all supported by?
FTK imager. In most cases, forensic capture is likely to come from a physical or logical drive. An example, shows a completed image creation form a physical drive using FTK Imager. Note the matching and validated MD5 and SHA1 hashes as well as confirmation that there were no bad blocks which would indicate potential data loss or problems with the drive.
Although the Security+ exam only deals with one computer forensic suite, there are two major commercial forensic packages that security professionals need be aware of which are?
FTK, the Forensic Toolkit from Access Data, and EnCase form Guidance Software. Both are complete forensic tools, including acquisition, analysis, automation, and investigation tools, and reporting capabilities. Although some organizations use Autopsy, and open-source tools are heavily used by analyst who need forensic capabilities for incident response, these commercial packages see heavy use in police, legal, and similar investigations. If you're interested in forensics as a path forward in your security career, you should expect to become familiar with one or both tools.
Slack space analysis is critical to?
Forensic analysis because of the wealth of data about what has previously occurred on a drive that it can provide. Anti-forensic techniques and data security best practices are the same in this circumstance and suggest overwriting deleted data. Secure delete tools are built into may operating systems or are available as standalone tools. If a file has been deleted securely and thus overwritten, there is very little chance of recovery if the tool was successful.
Forensic reports must be well organized to the point by?
Forensic analysis doesn't end when the technical examination of devices and drives is over. Forensic reports summarize key findings, then explain the process, procedures and tools, as well as any limitations or assumptions that impact the investigation. Next, they detail the forensic findings with appropriate evidence and detail to explain how conclusions were reached. They conclude with recommendations or overall conclusions in more detail that the summary provided.
FTK Imager is a free tool for creating?
Forensic images. It supports raw (dd)-style format as well as SMART (ASR Data's format for their SMART forensic tool), E01 (EnCase), and AFF (Advanced Forensics Format) formats commonly used for forensic tools. Understanding what format you need to produce for your analysis tool and whether you want to have copies in more than one format is important when designing your forensic process.
Validating acquired data helps keep it admissible by?
Hashing drives and images ensures that the acquired data matches its source. Forensic practitioners continue to commonly use MD5 or SHA1 despite issues with both hashing methods because adversarial techniques are rarely in play in forensic examinations. Checksums can be used to ensure that data is not changed, but they do not create the unique fingerprints that hashes are also used to provide for forensic artifacts.
There are many options for acquisition tools and selecting the right tool combines technical needs and skillsets by?
Image acquisition tools provide the ability to copy disks and volumes using a bit-by-bit method that will capture the complete image, including unused, or slack space. Tools range in complexity form built-in Linux dd utility to free tools like FTK's Imager and can handle both drives and memory acquisition. Win Hex a commercial tool, provides additional drive analysis features as well as acquisition capabilities. When network data needs to be acquired. Wireshark and other network analyzers play a role to capture and analyze data. Finally, specialized tools and practices may be required to acquire virtual machines and containers, and those practices and procedures need to be identified and practiced before a forensic examination becomes necessary to ensure the tools and capabilities are in place.
The EDRM model uses nine stages to describe the discovery process which are?
Information governance before the fact to assess what data exist and to allow scoping and control of what data needs to be provided. Identification of electronically stored information so that you know what you have and where it is. Preservation of the information to ensure that it isn't changed or destroyed. o Collection of the information so that it can be processes and managed as part of the collection process. Processing of the data to remove unneeded or irrelevant information, as well as preparing it for review and analysis by formatting or collating it. Review the data to ensure that it is only contains what it is supposed to, and that information that should not be shard is not included. Analysis of the information to identify key elements like topics, terms, and individuals or organizations. Production of the data to provide the information to third parties or those involved in legal proceedings. Presentation of the data, both for testimony in court and for further analysis with experts or involved parties.
Organizations use digital forensics techniques for tasks ranging from responding to legal cases to conducting?
Internal investigations and supporting incident response processes.
The human side of digital forensics can also be important by?
Interviews with individuals involved in the activity can provide important clues. That means you can't merely be a technical forensics expert in some cases—instead, you have to leverage your knowledge of both technology and human behaviors to complete your forensic efforts.
Digital forensics provides organizations with the?
Investigation and analysis tools and techniques to determine what happened on a system or device. Digital forensics may be carried out to respond to legal holds and electronic delivery reequipments, in support of internal investigations, or as part of an incident response process. Digital forensics even has a role to play in intelligence and counterintelligence efforts.
Manually creating a hash of an image file or drive is as simple as pointing the hash tool to?
It. Here are example of a hash drive mounted as /dev/sbd on a Linux system and an image file in the current directory. The filename selected for output is drive1.hash, but it could be any filename that you choose which would look like? Md5sum /dev/sdb > drive1.hash Or Md5sum image_file.img > drive1.hash
In many cases, forensic starts when litigation is pending or is anticipated. Legal counsel can send a?
Legal hold or litigation hold, a notice that informs an organization that they must preserve data and records that might be destroyed or modified in the course of their normal operations. Backups, paper documents, and electronic files of all sorts must be preserved.
Evidence in court cases is typically?
Legally admissible if it is offered to prove the facts of the case and it does not violate the law. To determine if evidence is admissible, criteria such as the relevance and reliability of the evidence, whether the evidence was obtained legally, and whether the evidence is authentic, are all applied. Evidence must be the best evidence available, and the process and procedures should stand up to challenges in the court. In addition to these requirements, admissibility for digital forensics requires that the data be intact and unaltered and have provably remained unaltered before and during the forensic process. Forensic analysts must be able to demonstrate that they have appropriate skills, that they used appropriate tools and techniques and that they have documented their actions in a way that is reliable and testable via an auditable trail. Thus, their efforts and findings must be reparable by a third party if necessary.
The ability to obtain data from devices isn't restricted to?
Legitimate users. In fact, some organizations that face targeted attacks focus on access on their devices when those devices are plugged into untrusted or unknown USB chargers and cables. In those circumstances, USB data blockers that prevent USB data signals from being transferred while still allowing USB charging can be an effective solution.
In addition to drive imaging tools, forensic analysts are sometimes asked to capture?
Live memory on a system. Alon with drive images, FTK Imager can capture live memory from a system. In a example the simple GUI lets you select where the file will go, the filename, whether the system page file for virtual memory should be included, and whether to save it in the ADI native FTK file format.
Simply copying a file, folder, or drive will result in a?
Logical copy. The data will be preserved, but it will not exactly match the state of the drive or device it was copied from. When you conduct forensic analysis, it is important to preserve the full content of the drive at a bit-by-bit level, preserving the exact structure of the drive with deleted file remnants, metadata, and timestamps. Forensic copies are therefore done defiantly than logical copies. Hashing a file may match, but hashing a logical copy and a forensic copy will provide different values, thus making logical copies inadmissible in many situations where forensic analysis may involve legal action, or unusable when changes to the drive or metadata and deleted files are critical to the investigation.
In addition to FTK Imager, and similar forensic imaging tools, the Security+ exam includes?
Memdup, part of the Volatility framework for Linux memory forensics. Memory dump is a command-line tool that can capture Linux memory using a simple command based on the process ID.
If network traffic isn't actively being logged, forensic artifacts like firewall logs, IDS and IPS logs, email server logs, authentication logs, and other secondary sources may provide information about when a device was on a?
Network, what traffic is sent, and where it sent the traffic.
The ability to recover data in many cases relies on the fact that deleting a file from a drive or device is?
Nondestructive. In other words, when a file is deleted, the fastest way to make the space available is to simply delete the files information from the drive's file index and allow the space to be reused when it is needed.
When a forensic practitioner plans to acquire data, one of the first things that they will review is the?
Order of volatility. The order of volatility documents what data is most likely to be lost due to system operations or normal processes. An example, shows a typical order of volatility chart. Note that frequently changing information about routes, registers and cache is first and thus most volatile, and that information about routes, processes, and kernel statistics follows. As the list proceeds, each item is less likely to disappear quickly, with backups being the least likely to change. Following the order of volatility for acquisitions—unless there is a compelling and immediate reason to differ from the list—will provide a forensic analyst with the greatest likelihood of capturing data intact. It is important to remember which items will disappear when a system is powered down or rebooted. In general, that occurs at position 4 for temporary files and swap space on this list. Recovering intact temporary files and data from swap space will depend on how the system was shut down and if it was rebooted successfully afterward.
Legal holds and e-discovery drive some forensic activities by?
Organizations face legal cases and need to respond to legal holds, which require them to preserve and protect relevant information for the active pending case. E-discovery processes also require forensic and other data to be provided as part of the legal case. Organizations must build the capability and technology to respond to these requirements in an appropriate manner to avoid losing cases in court.
In addition to the forensic acquisition types that you have learned so far, two other specific types of acquisition are increasingly common. Acquisition from virtual machines requires additional?
Planning. Unlike a server, desktop, or laptop, a virtual machine is often running in a shared environment where removal of the system would cause disruption to multiple other servers and services. At the same time imaging, the entire underlying virtualization host would include more data and systems then may be needed or appropriate for the forensic investigation that is in progress. Fortunately, a virtual machine snapshot will provide the information that forensic analysts need and can be captured and then imported into forensic tools using available tools.
Documenting the provenance, or where the image or came from and what happened with it, is critical to the?
Presentation of a forensic analysis. Forensic suites have built-in documentation process to help with this, but manual processes that include pictures, written notes, and documentation about the chain of custody, processes, and steps made in the creation and analysis of forensic images can yield a strong set of documentation to provide appropriate provenance information. With documentation like this, you can help ensure that inappropriate handling or processes do not result in the repudiation of the images or process, resulting in the loss of a legal case or an inability to support criminal or civil charges.
One of the most important and simultaneously most challenging requirements in the EDRM model or process can be?
Preservation of electronic information, particularly when data is covered by a legal hold or dis very process is frequently used or modified by users in your organization. Electronic discovery and legal hold support tools exist that can help, with abilities to capture data for users or groups under legal hold. They often come with desktop, mobile device, and server agents that can gather data, track changes, and document appropriate handling of the data throughout the legal hold timeframe. In organizations that are frequently operating under legal holds, it is not uncommon for frequent litigation targets like CEOs, presidents, and others to be in a near constant state of legal hold and discovery.
Although on-site forensics have made up the bulk of trinational forensic work, the wide-spread move to cloud services has created new challenges for forensic analysts. Along with the need for tools and capabilities that support discovery needs, organizations are increasingly ensuring that they have worked with the cloud providers. In addition to having an understanding of the high-level concerns about the ability to preserve and produce data from cloud providers that organizations must consider, the Security+ exam specifically includes three concepts which are?
Right-to-audit clauses, which are part of the contract between the cloud service and an organization. A right-to-audit clause provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency. Many cloud providers use standard contracts and may not agree to right-to-audit clauses for smaller organizations. In those cases, they may instead provide access to regularly updated third-party audit statement, which may fit the needs of your organization. If you have specific audit requirements, you will need to address them in the contract if possible, and decide whether the ability to conduct the audit is a deciding factor in your organization's decision to adopt the cloud provider's services if not. Regulatory and jurisdiction concerns are also a significant element in the adoption of cloud services. Regulatory requirements may vary depending on where the cloud service provider operates and where it is headquartered. The law that covers your data, services, or infrastructure may not be the laws that you have in your own locality region, or country. In addition, jurisdiction concerns may extend beyond which law covers the overall organization. Cloud providers often have sites around the world, and data replication and other services elements mean that your data or services may be stored or used in a similarly broad set of locations. Local jurisdictions may claim rights to access that data with a search warrant or other legal instrument. Organizations that have significant concerns about this typically address it with contractual terms, through service choices that providers make available to only host data or systems in specific areas or countries, and by technical controls such as handling their own encryption keys to ensure that they know if the data is accessed. Data breach notification laws, like other regulatory elements, also vary from country to country, and in the United States notably from state to state. Contracts often cover the maximum time that can elapse before customers are notified, and ensuring that you have an appropriate breach notification clause in place that meets your needs can be important. Some vendors delay for days, weeks, or even months, potentially causing significant issues for customers who are unaware of the breach. These considerations mean that acquiring forensic data from a cloud provider is unlikely. Although you may be able to recover forensic data from logs or from systems and infrastructure as a service provider's environment, forensics data from the service itself is rarely handled over customers. Therefore, organizations that use cloud services must have a plan to handle potential incidents and investigations that doesn't rely on direct forensic techniques.
Modules provide additional analysis capabilities but they will take time to?
Run. Fortunately, the Rhino Hunt is a small image, but disabling unnecessary modules is a good practice for larger images.
Cloud concerns must be dealt with before forensic response is needed by?
Since cloud environments are typically hosted in third-party infrastructure, the ability to directly conduct forensics is frequently not available. Organizations may need to build in contractual capabilities, including right-to-audit clauses, regulatory and jurisdictional choices, and data breach notification requirements and timeframes.
Although digital forensics work in most organizations is primarily used for legal cases, internal investigations, and incident response, digital forensics also plays a role in both?
Strategic intelligence and counterintelligence efforts. The ability to analyze adversary actions and technology, including components and behaviors of advanced persistent threat tools and processes, has become a key tool in the arsenal for national defense and intelligence groups. At the same time, forensic capabilities can be used for intelligence operations when systems and devices are recovered or acquired, allowing forensic practitioners to recover data and provide it for analysis by intelligence organizations.
The Security+ outline doesn't require you to know about write blockers, but forensic practitioners who need to be able to create legally admissible forensic images and reports must ensure?
That their work doesn't alter the drives and images they work with. That's the role of a write blocker. Write blockers allow a drive or image to be read and accessed without allowing any writes to it. That way, not matter what you do, you cannot alter the contents of the drive in any way while conducting a forensic examination. If you show up in court and the opposing counsel asks you how you did your work and you don't mention a write blocker, your entire set of forensic findings could be at risk!
Many of the tools that are used by traditional forensic practitioners are also part of the?
Toolset used by intelligence and counterintelligence organizations in addition to those capabilities, they require advanced methods of breaking encryption, analyzing software and hardware, and recovering data from systems and devices that are designed to resist or entirely prevent tampering that would be part of a typical forensic process.
Completely removing data from devices like SSDs and flash media that have space they use for wear leveling can be far more difficulty than with?
Traditional magnetic media like hard drives. Since wear leveling will move data to less worn cells (blocks of reserved space) as needed, those cells that have bene marked as unusable due to wear leveling may still contain historic or current data on the drive. Large drives can contain a significant percentage of spare wear leveling capacity—up to double digit percentages—which means that attempts to securely delete information on an SSD may fail. Fortunately, techniques like using full-disk encryption can ensure that even if data remains it cannot be easily recovered
Although they aren't directly covered on the exam, regulatory and jurisdiction issues also come into play with?
Two other legal concepts. The first is venue, which is the location where a case is heard. Many contracts will specify venue for cases, typically in a way that is beneficial to the service provider. If you sign a contract and don't pay attention to venue, the legal cases might have to be handled far away in another state. At the same time, nexus is the concept of connection. A common example of nexus is found in the decision of whether a company has nexus in a state or locality and must charge tax there. For years, nexus was decided on whether the company had a physical location, disruption center, or otherwise did business physically in a state. Understanding how and why nexus may be decided can be important when you are considering laws and regulations that may impact your organization.
Containers have grown significantly in?
Use and new challenges for forensic examiners. Since containers are designed to be ephemeral, and their resources are often shared, they create fewer forensic artifacts than a virtual or physical machine. In fact, though containers can be paused, capturing them and returning them to a forensically sound state can be challenging. Container forensics require additional planning, and forensic and incident response tools are becoming available to support these needs.
As a security professional, you need to know the basic concepts behind digital forensics which are?
What digital forensics is capable of? What tools it uses. What processes, and procedures organizations put in place to build a digital forensics capability.
Although there are many features with tools like this, timelines are also important and Autopsy's timeline capability allows you to see the?
When filesystem changes and event occurred. This is particularly useful if you know when an incident happened or you need to find events as part of an investigation. Once you know when a person was active, or the event started, you can then review the timeline for changes that were made near that time. You can also use timelines to identify active times where other event were likely to be worth reviewing. An example shows some of what the Autopsy timeline can help discover, with two file changes in the timeframe shown. Further investigation of these times is likely to show activity related to the case. Forensic suites have many other useful features, from distributed cracking of encryption to hash cracking, steganographic encoding detection to find data hidden in images, and a host of other capabilities that are beyond the scope of the Security+ exam.
Not all forensic data can be found on disks or systems. Network forensics have an increasing large role to play which is?
Whether they are for traditional wired and wireless networks, cellular networks, or others. Since network traffic is ephemeral, capturing traffic for forensics investigation often requires a direct effort to capture and log the data in advance.
When forensic examiners do work with network traffic information, they will frequently use a packet analyzer like?
Wireshark to review captured network traffic. In depth-analysis of packets, traffic flows, and metadata can provide detailed information about network behaviors and content.
To copy a drive mounter as /dev/sda to a file called example.img you can execute a command like the following which is?
dd if=/dev/sda of=example.img conv=noerror ,sync