Security+ Chapter 1 Vocabulary

Time Stamps

Each file has timestamps showing when files were created, last modified, and last accessed

Environmental Controls

HVAC and fire suppression systems are also security controls. In a data center or a server room, the temperature needs to be kept cool or the servers inside will overheat and fail. They use a technique called hot and cold aisles to regulate the temperature.

Forensics cycle

Here, the data is examined, then extracted from the media that it is on, and then converted into a format that can be examined by forensic tools.

Snapshots

If the evidence is from a virtual machine, a snapshot of the virtual machine can be exported for investigation.

Conduits

... or cable distribution have cables placed inside. This protects the cables from tampering or being chewed by rodents.

Biometric Locks

...unique to each person; examples would be using their fingerprint, retina, palm, voice, an iris scanner, or facial recognition.

Air Gap

A computer is taken off the network and has no cable or wireless connection to ensure that the data is not stolen. An example of this would be a computer in the research and development department, as we want to prevent access to it via a network cable. The only way to insert or remove data from an air-gapped machine is by using removable media such as a USB drive.

Security Information Event Management (SIEM)

A product that consolidates real-time monitoring and management of security information with analysis and reporting of security events.

Reporting

A report is compiled that can be used as evidence for a conviction.

Capturing Video

CCTV can be a good source of evidence for helping to identify attackers and the time the attack was launched. This can be vital in apprehending suspects.

Device Protection

Cable locks, Air Gap, laptop safe, USB Data Blocker, Vault, Faraday Cage.

Preservation

Data needs to be preserved in its original state so that it can be produced as evidence in court. This is why we take copies and analyze the copies so that the original data is not altered and is pristine. Putting a copy of the most vital evidence in a WORM drive will prevent any tampering with the evidence, as you cannot delete data from a WORM drive. You could also write-protect the storage drives.

E-Discovery

During e-discovery, Cloud Service Providers (CSP) may be subpoenaed so that we can collect, review, and interpret electronic documents located on hard disks, USB drives, and other forms of storage.

Forensic Copies

If we are going to analyze data stored on a removable device that we have acquired, we would first take a forensic copy and keep the original data intact. We would then use the copy to analyze the data so that we keep the original data unaltered, as it needs to be used in its original state and presented as evidence to the courts. It would be hashed at the beginning and the end to confirm that the evidence has not been tampered with.

Fire Alarms/Smoke Detectors

In a company building, there will be fire alarms or smoke detectors in every room so that when a fire breaks out and the alarms go off, the people inside the premises are allowed to escape.

Laptop Safe

Laptops and tablets are expensive, but the data they hold could be priceless, therefore there are safes for the storage of laptops and tablets.

Legal Hold

Legal hold is the process of protecting any documents that can be used in evidence from being altered or destroyed. Sometimes, this is also known as litigation hold.

Missing Entry on the Chain of Custody Document

On Monday, 15 laptops were collected by the system administrator. The next day, the system administrator passed them on to the IT manager. On Wednesday, the IT director presents the 15 laptops as evidence to the court. The judge looks at the chain of custody document and notices that there was no formal handover between the IT manager and the IT director. With the handover missing, the judge wants to investigate the chain of custody.

Examination

Prior to examination, the data will be hashed, and then an investigation will be carried out with the relevant forensic tool. When the examination has concluded, the data is once again hashed to ensure that the examiner or the tools have not tampered with it.

Tokens

Small physical devices where you touch the proximity card to enter a restricted area of a building. Some allow you to open and lock doors by pressing the middle of itself; others display a code for several seconds before it expires.

Firmware

Sometimes called embedded software could be reversed engineered by an attacker, therefore we must compare the source code that the developer wrote against the current source code in use. We would employ a coding expert to compare both lots of source code in a technique called regression testing. Types of attacks that affect embedded software could be rootkit and backdoor.

Evidence Leaves the Detective's Possession

The FBI arrests a known criminal and collects 43 hard drives that they bag and tag, before placing them in two bags. They arrest the criminal and take him from Arizona to New York by airplane. One detective is handcuffed to the criminal while the other carries the two bags. When they arrived at check-in, the airline clerk tells them that the carry-on bags are more than the 8 kg allowance, and therefore they are too heavy and need to go in the hold. The detective complies but locks the suitcases to prevent theft. Because the evidence is not physically in their possession at all times, the chain of custody is broken as there is a chance that someone working for the airline could tamper with the evidence. Therefore, they cannot prove to the court that the integrity of the evidence has been kept intact at all times.

Chain of Custody

The chain of custody is one of the most crucial aspects of digital forensics, ensuring the evidence has been collected and there is not a break in the chain. It starts when the evidence has been collected, bagged, tied, and tagged, ensuring the evidence has not been tampered with. It lists the evidence and who has handled it along the way. For example, Sergeant Smith handed 15 kg of illegal substance to Sergeant Jones following a drug raid. However, when it is handed into the property room, 1 kg is missing. In this event, we would need to investigate the chain of custody. In this scenario, Sergeant Jones would be liable for the loss. Chain of custody examples are as follows

Interviews

The police may also take witness statements to try and get a picture of who was involved and maybe then use photo-fits so that they can be apprehended.

Cable Locks

These are attached to laptops or tablets to secure them so that nobody can steal them.

Proximity Cards

These are contactless devices where a smart card is put near the proximity card device to gain access to a door or building.

Burglar Alarms

These are set when the premises are not occupied, so when someone tries to break into your premises, it will trigger the alarm and notify the monitoring company or local police.

Mantraps

These are turnstile devices that only allow one person in at a time. They maintain a safe and secure environment, mainly for a data center. A data center hosts many servers for different companies.

Security Guards

They work at the entrance reception desk to check the identity cards of people entering the building to stop unauthorized access. These guards should be armed and one of the guards should be a dog handler. An access control list is provided to them to ensure that unauthorized personnel is denied access.

Artifacts

This can be log files, registry hives, DNA, fingerprints, or fibers of clothing normally invisible to the naked eye.

USB Data Blocker

This device blocks the data pins on the USB device, which prevents a hacker from juice jacking, where data is stolen when you are charging your USB device in a public area.

Two-Person Integrity/Control

This increases the security level at the entrance to a building, ensuring that someone is available to deal with visitors even when the other person is on the phone. This would also reduce the risk of a malicious insider attack.

Faraday Cage

This is a metal structure, like a metal mesh used to house chickens. The cage prevents wireless or cellular phones from working inside the company.This could be built into the structure of a room used as a secure area. They would also prevent any kind of emissions from escaping from your company.

Data Acquisition

This is the process of collecting all of the evidence from devices, such as USB flash drives, cameras, and computers; as well as data in paper format, such as letters and bank statements. The first step in data acquisition is to collect the volatile evidence so that it is secured. The data must be bagged and tagged and included in the evidence log.

Vault

This is where data can be encrypted and stored in the cloud, giving you an extra-secure storage area. You could use a password vault on your computer to secure all of your passwords, but it is only as secure as the master password protecting it.

Key Management

This is where departmental keys are signed out and signed back in daily to prevent someone from taking the keys away and cutting copies of them.

Strategic Intelligence/Counterintelligence Gathering

This is where different governments exchange data about cyber criminals so that they can work together to reduce threats. It is also possible for companies who have suffered an attack to log as much information as they can and have a third party who specializes in incident response to help them find a way to prevent re-occurrence.

Time Normalization

This is where evidence is collected across multiple time zones, then a common time zone, such as GMT, is used so that it can be put into a meaningful sequence.

Active Logging

To track incidents, we need to be actively monitoring and actively logging changes to patterns in our log files or traffic patterns in our network. Installing a SIEM system that provides real-time monitoring can help collate all entries in the log files, ensuring that duplicate data is not used so that a true picture can be taken. Alerts based on certain triggers can be set up on our SIEM system so that we are notified as soon as the event happens.

Analysis

When all of the forensic data has been collected, it is analyzed and then transformed into information that can be used as evidence.

Taking Hashes

When either the forensic copy or the system image is being analyzed, the data and applications are hashed at the beginning of the investigation. It can be used as a checksum to ensure integrity. In the end, it is re-hashed and should match the original hash value to prove data integrity.

Network Traffic and Logs

When investigating a web-based or remote attack, we should first capture the volatile network traffic before stopping the attack. This will help us identify the source of the attack. In addition to this, we should look at different log files from the firewall, NIPS, NIDS, and any server involved.

Provenance

When the chain of custody has been carried out properly and the original data presented to the court has not been tampered with, it is known as data provenance.

Recovery

When the incident has been eradicated, we may have to recover the data from a backup; a faster method would be a hot site that is already up and running with data less than 1 hour old. We may also have to purchase additional hardware if the original hardware was damaged during the incident

Capturing System Images:

When the police are taking evidence from laptops and desktops, they take a complete system image. The original image is kept intact and the system image is analyzed to find evidence of any criminal activity. It would be installed on another computer and hashed at the beginning and the end to confirm that the evidence has not been tampered with.

Time Offset

When we collect evidence from computers, we should record the time offset. This is the regional time so that in a multinational investigation, we can put them into a time sequence—this is known as time normalization.

Electronic Locks

With..., you no longer need a key to access a building; you only need a PIN. They can be set to fail open, where the door open when a power cut is detected, or fail-safe, where the door remains locked.

Internal Protection

You could have safe areas and secure enclosures; the first example would be a toughened glass container or a sturdy mesh, both with locks to reduce access. You could also have protected distribution for cabling; this looks like metal poles that would have network cables inside. Screen filters used on a desktop could prevent someone from reading the screen.

Screenshots

You may also take screenshots of applications or viruses on the desktops and keep them as evidence. A better way of doing this would be to use a modern smartphone that would geotag the evidence.