Digital Forensics


A documentation trail is beneficial but not required.

False

Digital evidence is not volatile.

False

Should you touch a drive that was attacked?

No, you don't want to make changes to the system while examining it.

FBI Forensic Guidelines

• Preserve the state of the computer
  - make a backup copy of the logs and files
  - if the incident is in progress, activate any auditing or recording software
  - collect all the data you can
• Document specific losses, including:
  - labor costs
  - costs of damaged equipment
  - value of data lost or stolen
  - lost revenue due to downtime

Which activity is not usually included in computer forensics?

The examination of physical systems

The Windows Registry contains a list of USB devices that have been connected to the machine.

True

Detection

• Determining if an incident or attempt has been made
• IDS
• Initial actions/reactions
• Determining the scope
• Reporting process

Physical vs Digital Crime Scenes

• Overlapping principles
• The basics of criminalistics are constant, physical and digital
• Locard's principle applies: "When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived"

Eradication/Repair, Recovery

• Recovering systems
• Getting rid of the causes of the incident, vulnerabilities or the residue (rootkits, trojan horses etc.)
• Hardening systems
• Dealing with patches

Follow up

• Review the incident and how it was handled
• Postmortem analysis
• Lessons learned
• Follow-up reporting

Collection: Imaging

• Rule of Thumb: make 2 copies and don't work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
  - Preserves the original evidence
  - Prevents inadvertent alteration of original evidence during examination
  - Allows recreation of the duplicate image if necessary

Affidavit and Search Warrant

• Sworn testimony that certain facts are in the possession of the investigating officer that they feel warrant the examination of specific items located at a specific place
• The facts, the items, and the place must be specified
• When an approving authority signs the affidavit, it becomes a search warrant, giving permission to:
  - Search the EM at the specified location
  - Seize items to return to the investigator for examination

The 3 A's

• Acquire the evidence without altering or damaging the original
• Authenticate the image
• Analyze the data without modifying it

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?

Chain of Custody

___________________ can include logs, portable storage, emails, tablets, and cell phones.

Computer Evidence

Basic Principles

• Digital/electronic evidence is extremely volatile
• Once evidence is contaminated it cannot be decontaminated
• Chain of custody is crucial
• Court acceptance is based on the best evidence rule: "best the nature of the case will allow"

Documentation

Document everything possible

Most Windows logs are turned on automatically.

False

With a computer, always work on the original since when a person commits a crime something is always left behind.

False

Why should you note all cable connections for a computer you want to seize as evidence?

In case other devices were connected

Components of PDCAERF

Preparation, Detection, Containment, Analysis, Eradication, Repair, Follow up

When an affidavit is signed, it becomes a search warrant

True

Evidentiary material

Any information that could potentially support an organization's legal or policy-based case against a suspect

When to take a computer offline

As soon as it was attacked; this will prevent further tampering.

Evidentiary Procedures

Having good procedures can minimize the chance of losing a legal battle.
• Who may conduct an investigation and who is authorized in an investigation
• What affidavit- and search warrant-related issues are required
• The methodology to be followed
• The final report format

Why do we study it?

The director of the FBI expects 50% of cases to involve forensic examination

Digital Forensics Defined

The preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence. Used to investigate what happened during an attack on assets and how the attack occurred.

Digital Forensics used for two key purposes

• To investigate allegations of digital malfeasance
• To perform root cause analysis

Forensically sound evidence

Used to characterize methods to securely copy data. One method to create forensically sound copies is to utilize disk imaging. This is the process of copying a hard drive to store a backup. In this process, all the drive's information will be copied, including boot records. Most digital forensics professionals state that the image must be a 'bit-for-bit' copy and you must verify the authenticity and reliability of the copy.

Preparation

• Being ready to respond
• Procedures & policies
• Resources & CSIRT creation
• Current vulnerabilities & counter-measures

Examples of digital evidence

• Browser - direct and circumstantial evidence
• Pornography - direct
• Cyber stalking - direct
• Creation of a virus - circumstantial
• History - information
• Windows Logs
  - Security log - successful and unsuccessful login events
  - Application log - events logged by applications and programs
  - System log - events logged by Windows system components
  - Forwarded Events log - events collected from remote computers
  - Applications and Services logs - store events from a single application or component
• Linux logs
• Deleted Files
• Mobile phones
• Logs
• Portable devices (USB drives, external drives)
• Emails
• Devices that store data - iPod, iPad, tablets
• Cell phones

Collection

• Care must be taken to minimize contamination
• Collect or seize the system, network trace
• Create forensic image
• Live or static?
• Do you own the system?
• What does your policy say?

Myths and misconceptions

• Cyber-criminals are computer experts with a high technical ability
• Cyber-criminals have higher than average IQs
• All cyber-criminals are introverts
• Cyber-criminals are never violent
• Cyber-criminals are not "real" criminals
• Cyber-criminals fit one "neat" profile

Secret Service Guidelines

• For First Responders:
  - Secure scene and make it safe
  - Secure computer
  - Determine if you have legal right to seize computer
  - Do not try to access files or turn computer on if off
  - Do not search computer if it is on
  - Shut down the computer if it appears to be deleting files
  - Take pictures of the computer screen

Analysis

• How the incident occurred
• More in-depth analysis of the event
• Tracing the incident back to its source

Methodology for Digital Forensics

• Identify relevant items of evidentiary value (EM)
• Acquire (seize) the evidence without alteration or damage
• Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
• Analyze the data without risking modification or unauthorized access
• Report the findings to the proper authority

Containment

• Limit the extent of an attack
• Mitigate the potential damage & loss
• Containment strategies

Identification

• More difficult than it sounds
• Small scale devices
• Non-traditional storage media
• Multiple possible crime scenes
• Do not operate in a vacuum
• Do not overlook non-electronic sources of evidence
  - Manuals, papers, printouts, etc.

Digital Forensics Team

• Most organizations
  - Cannot sustain a permanent digital forensics team
  - Collect data and outsource analysis
• Information security group personnel should be trained to understand and manage the forensics process to avoid contamination of potential EM
• Expertise can be obtained by training

Collection: Documentation

• Take detailed photos and notes of the computer / monitor
• If the computer is "on", take photos of what is displayed on the monitor. DO NOT ALTER THE SCENE
• Make sure to take photos and notes of all connections to the computer/other devices

Chain of Custody

• Detailed documentation showing the status of evidence at every point in time, from the moment of seizure to the moment the evidence is presented in court. The chronological documentation or paper trail that records the sequence of custody: any time that evidence is transferred, it has to be documented.
• Any break in that chain could render the evidence inadmissible at trial.

Basic Activities involved

• The secure collection of computer data
• The identification of suspect data
• The examination of suspect data to determine details such as origin and content
• The presentation of computer-based information to courts of law
• The application of a country's laws to computer practice
