
4.5 Explain the Key aspects of digital forensics

Last edited 892 days ago by Makiel [Muh-Keel].
Digital forensics provides organizations with the investigation and analysis tools and techniques to determine what happened on a system or device.
Digital forensics may be carried out to respond to legal holds and electronic discovery requirements, in support of internal investigations, or as part of an incident response process.
Digital forensics even has a role to play in intelligence and counterintelligence efforts.

📄Documentation & Evidence

In many cases, forensics starts when litigation is pending or is anticipated. Legal counsel can send a Legal Hold or Litigation Hold, a notice that informs an organization that they must preserve data and records that might be destroyed or modified in the course of their normal operations. Backups, paper documents, and electronic files of all sorts must be preserved.

⚖️Legal Hold

A Legal Hold, also known as a litigation hold, is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated.
The legal hold is a requirement established by the Federal Rules of Civil Procedure (FRCP) in the United States, and similar rules and laws in other jurisdictions, to prevent the destruction of potential evidence.
A key concept for legal holds and preservation is “spoliation of evidence,” which means intentionally, recklessly, or negligently altering, destroying, fabricating, hiding, or withholding evidence relevant to legal matters.
As a security professional, if you receive a legal hold, you have a responsibility to gather and maintain that data so that everything is preserved.

📹Capturing Video Evidence

Another good source of information is video. Video can capture important details that you could reference after the fact and that normally would not be available.
For example, you can record the screen contents and other details around the system that would not be captured through any other means.
Mobile Phone: If you’ve got a mobile phone, it’s very easy to grab video from wherever you might be.
CCTV Camera: You might also want to look around and see if there are any security cameras that may have stored video which could be included with this information gathering.
This video content needs to be archived so that you’re able to view it later in reference to this particular security incident.

🚢Admissibility

Admissibility is a crucial concept in digital forensics because it determines whether the evidence collected can be used in a court of law. For evidence to be admissible, it must be relevant, reliable, and obtained legally.
Here's why each of these factors is important:
Relevance: The evidence must be directly related to the case at hand. It must have the potential to prove or disprove a material fact in the case.
Reliability: The evidence must be trustworthy and reliable. This means it must be authentic (it is what it purports to be), complete, and unaltered. The integrity of digital evidence can be demonstrated through the use of checksums or hashes, which can show that the evidence has not been tampered with since it was collected.
Legally Obtained: The evidence must be collected in a manner that respects all relevant laws and regulations.
This includes laws related to privacy, search and seizure, and data protection. If evidence is obtained illegally, it may be ruled inadmissible, regardless of its relevance or reliability.

⛓️Chain of Custody

The Chain of Custody is a critical concept in digital forensics that refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It's crucial for maintaining the integrity of the evidence and ensuring its admissibility in court.
Here's why it's important:
Integrity of Evidence: The chain of custody helps to ensure and demonstrate that the evidence has not been tampered with or altered in any way.
It shows who has had access to the evidence, when they had access, and what they did with it.
This helps to maintain the integrity of the evidence from the time it was collected until it's presented in court.
Admissibility in Court: Courts require a properly documented chain of custody to consider the evidence as admissible.
If there's a break in the chain of custody, or if it's not clear who had access to the evidence at a given time, the evidence may be considered unreliable and may not be admitted in court.
Accountability: The chain of custody provides a record of who is responsible for the evidence at each stage of the process.
This accountability is important for maintaining the integrity of the investigation and the evidence.
Reproducibility: A well-documented chain of custody can provide enough information for another expert to reproduce the steps taken during the forensic analysis.
This reproducibility is a key aspect of the scientific method and is important for the credibility of the forensic analysis.
In a typical chain of custody process in digital forensics, the following steps would be documented:
Collection: Who collected the evidence, when, where, and how.
Transfer: When the evidence was transferred to another person or location, who was involved, and why the transfer was necessary.
Storage: Where and how the evidence is stored to ensure it's not tampered with.
Analysis: Who analyzed the evidence, what tools and methods they used, and what their findings were.
Presentation: How the evidence is presented in court, including any visualizations or summaries of the analysis.

⌚Timelines of sequence of events

In digital forensics, the "Timeline of Sequence of Events" refers to the chronological order in which events occurred on a system or network. This timeline can be crucial in understanding the nature of a security incident, identifying the actions of an attacker, or reconstructing the events leading up to a system failure.
Time stamps and time offsets play a critical role in creating this timeline. Here's why:
Time Stamps: Most digital activities leave time-stamped records. For example, files have time stamps indicating when they were created, modified, or accessed.
Log entries in operating systems, applications, or network devices also include time stamps.
These time stamps allow investigators to place events in chronological order and understand the sequence in which they occurred.
Time Offsets: Time offsets refer to the difference between the time recorded in a time stamp and a reference time (often Coordinated Universal Time, or UTC).
Time offsets can be important in digital forensics for a few reasons.
First, they can help investigators correlate events that are recorded in different time zones or on systems with incorrect or inconsistent clock settings.
Second, understanding time offsets can be crucial when dealing with daylight saving time changes, which can otherwise cause confusion or errors in the timeline.

🏷️Tags

In digital forensics, Tags are used as a way to categorize, organize, and highlight important pieces of evidence during an investigation. They are essentially labels that investigators can apply to digital artifacts to make them easier to find, analyze, and reference.
Here's how they are typically used:
Categorization: Tags can be used to categorize evidence based on its type, source, or other characteristics.
For example, an investigator might use tags to distinguish between emails, documents, images, or log files.
Prioritization: Tags can be used to highlight particularly important pieces of evidence.
For example, an investigator might tag any files that contain certain keywords or that were accessed at a particular time.
Correlation: Tags can be used to link related pieces of evidence.
For example, if an investigator finds multiple files that were all accessed by the same user, or at the same time, they might use a tag to indicate that these files are related.
Ease of Reference: Once evidence has been tagged, it becomes easier to find and reference.
This can be particularly useful in large investigations, where there may be thousands of pieces of digital evidence to sift through.
Reporting: Tags can also be useful when it comes to reporting the findings of an investigation.
They can help to organize the evidence in a way that makes it easier for others to understand.
In summary, tags are a simple but powerful tool in digital forensics. They help investigators to manage and make sense of the vast amounts of data that can be involved in a digital investigation.

📃Reports

Although the analysis of digital artifacts and evidence is important to the forensic process, the report that is produced at the end is the key product.
Reports need to be useful and contain the relevant information without delving into every technical nuance and detail that the analyst may have found during the investigation.
A typical forensic report will include:
A summary of the forensic investigation and findings.
An outline of the forensic process, including tools used and any assumptions that were made about the tools or process.
A series of sections detailing the findings for each device or drive. Accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail.
Recommendations or conclusions in more detail than the summary included.
Forensic practitioners may also provide a report with full detail of the analysis as part of their documentation package.

🔴Event Logs

Event Logs provide a wealth of information because they are storing details about the operating system, the security events, and the applications that are running in that operating system.
So if you’re collecting data from a device, you want to be sure to get the event logs.
They can offer valuable insights into the sequence of events leading up to a security incident, the actions of an attacker, or the cause of a system failure.
Here's why they are so important:
Detailed Record: Event logs provide a detailed record of what happened on a system.
They can show when a user logged in, what actions they performed, what changes were made to the system, when a system error occurred, and much more.
Timestamps: Each entry in an event log typically includes a timestamp, which can help investigators establish a timeline of events.
This can be crucial in understanding the sequence of events during an incident.
Source of Evidence: Event logs can provide evidence of malicious activity.
For example, they might show repeated failed login attempts, changes to system settings, or the execution of unusual processes—all of which could indicate a cyber attack.
Correlation of Events: By analyzing event logs from different sources (such as operating system logs, application logs, and network logs), investigators can correlate events and gain a more complete understanding of an incident.
Accountability: Event logs often record the user account associated with each event. This can help investigators identify who was responsible for a particular action.
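The following is an added example that is not part of these notes. It ties together the two points above about time stamps and time offsets and about correlating event logs from different sources: three constructed log snippets (a workstation security log stamped in local time, a Linux auth log stamped in UTC, and a firewall log from a site in another time zone) are normalized to UTC, placed on one timeline, and then correlated to count failed logons that precede a successful one. The line format, host and user names, and the per-source clock offsets are all assumptions of the example; the point it makes is that sorting on the raw strings puts the events in the wrong order.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample records from three sources, each stamping time in its own
# convention (the offsets are assumptions for this example):
#   win_security : local wall-clock time on a workstation set to UTC-05:00
#   linux_auth   : ISO 8601 with an explicit 'Z' suffix (already UTC)
#   fw           : local time at a site on UTC+01:00
RAW_LOGS: Dict[str, List[str]] = {
    "win_security": [
        "2024-01-15 09:02:11 host=ws01 eid=4625 user=jsmith outcome=failure",
        "2024-01-15 09:02:40 host=ws01 eid=4625 user=jsmith outcome=failure",
        "2024-01-15 09:03:05 host=ws01 eid=4624 user=jsmith outcome=success",
    ],
    "linux_auth": [
        "2024-01-15T14:01:30Z host=bastion eid=sshd user=jsmith outcome=failure",
    ],
    "fw": [
        "2024-01-15 15:03:10 host=fw1 eid=allow user=jsmith outcome=success",
    ],
}
SOURCE_OFFSETS = {
    "win_security": timedelta(hours=-5),
    "linux_auth": timedelta(0),
    "fw": timedelta(hours=1),
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}Z?) host=(?P<host>\S+) "
    r"eid=(?P<eid>\S+) user=(?P<user>\S+) outcome=(?P<outcome>\S+)$"
)


def to_utc(ts: str, source: str) -> datetime:
    """Attach the source's offset to a naive local time stamp and convert to UTC."""
    if ts.endswith("Z"):
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    naive = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(SOURCE_OFFSETS[source])).astimezone(timezone.utc)


def build_timeline(raw: Dict[str, List[str]] = RAW_LOGS) -> List[dict]:
    """Parse every line, normalize its time stamp to UTC and sort into one timeline."""
    events = []
    for source, lines in raw.items():
        for line in lines:
            m = LINE_RE.match(line)
            if not m:
                continue  # unparseable line: keep going, but a real tool should log it
            ev = m.groupdict()
            ev["source"] = source
            ev["raw_ts"] = ev.pop("ts")
            ev["utc"] = to_utc(ev["raw_ts"], source)
            events.append(ev)
    return sorted(events, key=lambda e: e["utc"])


def naive_order(raw: Dict[str, List[str]] = RAW_LOGS) -> List[str]:
    """Source order you get by sorting the raw strings without normalizing offsets."""
    pairs = [(line.split(" host=")[0], src) for src, lines in raw.items() for line in lines]
    return [src for _, src in sorted(pairs)]


def failures_before_success(timeline: List[dict], window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Per user: number of failed logons within `window` before that user's first success."""
    result: Dict[str, int] = {}
    for ev in timeline:
        user = ev["user"]
        if user in result or ev["outcome"] != "success":
            continue
        earlier = [
            e for e in timeline
            if e["user"] == user and e["outcome"] == "failure"
            and timedelta(0) <= ev["utc"] - e["utc"] <= window
        ]
        result[user] = len(earlier)
    return result
```

On the constructed data the UTC timeline starts with the Linux failure at 14:01:30Z and shows three failures for jsmith in the five minutes before the successful logon, whereas sorting the raw strings places the Linux record last. Fixed offsets are used here for clarity; for real sources the offset can change with daylight saving time, so the offset in effect on the date of each record is what has to be applied.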

🎙️Interviews

We’re often very focused on gathering information from a digital machine. But often you can gather important details from the users of those devices so you may want to perform interviews.
Interviews will allow you to ask questions and get information about what a person saw when a particular security event occurred.
You want to be sure to perform these interviews as quickly as possible after the event, especially since people may leave the organization or they may forget what happened during that particular time frame.
The challenge with witness statements is that they may not be 100% accurate: people may see or hear things during the event but not describe them accurately during an interview.

📝Acquiring Forensic Data

🌊Order of Volatility

The order of volatility is a concept in digital forensics and incident response that refers to the sequence in which data should be collected based on its volatility, or how long it lasts in a system before it changes or is lost.
The idea is to collect the most volatile data first, as it's at the greatest risk of being lost as time passes or if the system state changes.
CPU Cache and Registers: This includes processor cache, register content, and other related system state information. This data is highly transient and is lost as soon as the system is powered down or rebooted.
Routing Table, ARP Cache, Process Table, Kernel Statistics: This information is typically held in memory and is lost when the system is rebooted.
Main Memory (RAM): This includes all the information currently being processed in the system's memory, which can include valuable data like encryption keys, running processes, and network information.
Temporary File Systems: This includes data stored in temp files or swap space.
This data can change frequently and may be overwritten or deleted during normal system operation.
Disk: This includes data stored on the system's hard drive or other storage devices.
While this data is less volatile than the types listed above, it can still be changed or deleted during normal system operation or by an attacker trying to cover their tracks.
Remote Logging and Monitoring Data: This includes data sent to remote log servers or SIEM systems.
This data is typically preserved until it's rotated out by newer data, depending on the organization's log retention policy.
Physical Configuration, Network Topology: This includes data about the physical setup of the system and network, which typically changes infrequently.
Archival Media: This includes backups and archives, which are designed to be a long-term, unchanging storage of data.
By following the order of volatility, investigators can maximize their chances of preserving and collecting all relevant data during a digital forensic investigation or incident response.

The Security+ exam expects you to be familiar with the basic concepts for acquisition of information for the following list of forensic targets:

🎒Cache

CPU cache and registers are rarely directly captured as part of a normal forensic effort.
Although it is possible to capture some of this information using specialized hardware or software, most investigations do not need this level of detail.
The CPU cache and registers are constantly changing as processing occurs, making them very volatile.

💾Disk

Ephemeral data such as the process table, kernel statistics, the system's ARP cache, and similar information can be captured through a combination of memory and disk acquisition, but it is important to remember that the capture will only be of the moment in time when the acquisition is done.
If events occurred in the past, this data may not reflect the state that the system was in when the event occurred.

🐏RAM (Random Access Memory)

The content of random access memory (RAM) can be very helpful for both investigations and incident response.
Memory can contain encryption keys, ephemeral data from applications, and information that may not be written to the disk but that can be useful to an investigation.

🔁Swap/Pagefile

Swap and pagefile space is disk space used to supplement physical memory.
Much like capturing information from RAM, capturing the swap and pagefile can provide insight into running processes.
Since it is actively used by the system, particularly on machines with less memory, it also changes more quickly than many files on disk.

🗃️Files and Data

Files and data on a disk change more slowly but are the primary focus of many investigations.
It is important to capture the entire disk, rather than just copying files, so that you can see deleted files and other artifacts that remain resident.

👨🏾‍💻OS

The operating system itself can contain useful information.
The Windows registry is a common target for analysis since many activities in Windows modify or update the registry.

📱Device

Devices such as smartphones or tablets may contain data that can also be forensic targets.

💽Firmware

Firmware is a less frequently targeted forensic artifact, but knowing how to copy the firmware from a device can be necessary if the firmware was modified as part of an incident or if the firmware may have forensically relevant data.
Firmware is often accessible using a hardware interface like a serial cable or direct USB connection, or via memory forensic techniques.

📸Snapshots

Snapshots from virtual machines are an increasingly common artifact that forensic practitioners must deal with.

🚦Network Traffic

Network traffic and logs can provide detailed information or clues about what was sent or received, when, and via what port and protocol amongst other useful details.

⚱️Artifacts

Artifacts like devices, printouts, media, and other items related to investigations can all provide additional useful forensic data.

☁️On-Premises vs Cloud

Although on-site forensics have made up the bulk of traditional forensic work, the widespread move to cloud services has created new challenges for forensic analysts.
Along with the need for tools and capabilities that support discovery needs, organizations are increasingly ensuring that they have worked with their cloud providers.
In addition to having an understanding of the high-level concerns about the ability to preserve and produce data from cloud providers that organizations must consider, the Security+ exam specifically includes three concepts:

🔉Right-to-Audit Clauses

Right-to-audit clauses are part of the contract between the cloud service and an organization. A right-to-audit clause provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency.
Many cloud providers use standard contracts and may not agree to right-to-audit clauses for smaller organizations.
In those cases, they may instead provide access to regularly updated third-party audit statements, which may fit the needs of your organization.
If you have specific audit requirements, you will need to address them in the contract where possible; if that is not possible, decide whether the ability to conduct the audit is a deciding factor in your organization's decision to adopt the cloud provider's services.

⚖️Regulatory and Jurisdiction

Regulatory and Jurisdiction concerns are also a significant element in the adoption of cloud services. Regulatory requirements may vary depending on where the cloud service provider operates and where it is headquartered.
The law that covers your data, services, or infrastructure may not be the law of your own locality, region, or country.
In addition, jurisdictional concerns may extend beyond which law covers the overall organization.
Cloud providers often have sites around the world, and data replication and other service elements mean that your data or services may be stored or used in a similarly broad set of locations.
Local jurisdictions may claim rights to access that data with a search warrant or other legal instrument.
Organizations that have significant concerns about this typically address it with contractual terms, through service choices that providers make available to only host data or systems in specific areas or countries, and by technical controls such as handling their own encryption keys to ensure that they know if the data is accessed.

🚓Data Breach Notification Laws

Data breach notification laws, like other regulatory elements, also vary from country to country, and in the United States notably from state to state.
Contracts often cover the maximum time that can elapse before customers are notified, and ensuring that you have an appropriate breach notification clause in place that meets your needs can be important.
Some vendors delay for days, weeks, or even months, potentially causing significant issues for customers who are unaware of the breach.
These considerations mean that acquiring forensic data from a cloud provider is unlikely.
Although you may be able to recover forensic data from logs or from systems and infrastructure you maintain in an infrastructure as a service provider's environment, forensic data from the service itself is rarely handed over to customers.

🌉Validating Forensic Data Integrity

#️⃣Hash

The most common way to validate that a forensic copy matches an original copy is to create a Hash of the copy and to create a hash of the original drive, and then compare them. If the hashes match, the forensic copy is identical to the original.
Although MD5 and SHA1 are both largely outmoded for purposes where attackers might be involved, they remain useful for quickly hashing forensic images.
Providing an MD5 or SHA1 hash of both drives, along with documentation of the process and procedures used, is a common part of building the provenance of the copy.
The hashes and other related information will be stored as part of the chain-of-custody and forensic documentation for the case.

✅Checksums

Purpose: Similar to hashing, checksums are used to verify the integrity of data. However, checksums are generally simpler and faster but less secure than cryptographic hash functions.
How it works: A checksum is a value derived from the sum of all the bytes in a data set. It's often used in data transmission scenarios like downloading files from the internet.
Verification: If the received data's checksum matches the expected checksum, it's likely the data hasn't been tampered with during transmission.
However, checksums are more susceptible to collisions (different data producing the same checksum) than cryptographic hashes.
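The following added example (not part of these notes) covers both the Hash section and the Checksums section above. It hashes a constructed "original" image and its copy in chunks, so that a multi-gigabyte image never has to fit in memory, records the MD5, SHA-1 and SHA-256 digests of both for the case file, and then shows the weakness the notes describe: a simple sum-of-bytes checksum cannot tell an altered copy from the original when two bytes are swapped, while the cryptographic hashes can. File names and the image contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def additive_checksum(data: bytes) -> int:
    """Sum of all bytes modulo 2**16: the simple checksum the notes describe."""
    return sum(data) & 0xFFFF


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so a large disk image is never read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(original: str, copy: str,
                 algorithms=("md5", "sha1", "sha256")) -> Dict[str, Tuple[str, str, bool]]:
    """Hash both files with every algorithm; both digests are kept for the chain-of-custody record."""
    out = {}
    for alg in algorithms:
        a, b = hash_file(original, alg), hash_file(copy, alg)
        out[alg] = (a, b, a == b)
    return out


def demo() -> Dict[str, bool]:
    # Constructed "drive" contents; CASE-PLACEHOLDER stands in for a real case identifier.
    original = bytes(range(256)) * 64 + b"CASE-PLACEHOLDER evidence"
    swapped = bytearray(original)
    swapped[10], swapped[20] = swapped[20], swapped[10]  # same bytes, different order
    swapped = bytes(swapped)

    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("original.dd", original), ("copy.dd", original), ("altered.dd", swapped)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p
        good = verify_image(paths["original.dd"], paths["copy.dd"])
        bad = verify_image(paths["original.dd"], paths["altered.dd"])

    return {
        "exact_copy_verified": all(match for _, _, match in good.values()),
        "altered_copy_detected": not any(match for _, _, match in bad.values()),
        "checksum_collides": additive_checksum(original) == additive_checksum(swapped),
    }
```

In practice the source drive is hashed through a write blocker and the digests are written into the acquisition record alongside the tool and version used; computing SHA-256 next to MD5 or SHA-1 costs little and avoids relying on an algorithm with known collision attacks.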

📃Provenance

Purpose: Provenance refers to the detailed history of an item or set of data.
In digital forensics, it's crucial to track the origin, custody, handling, and storage of digital evidence.
How it works: Every time evidence is accessed, modified (in the case of copies, not the original), transferred, or otherwise handled, a record is made detailing who did it, when, why, and how.
This chain of custody ensures that the evidence has been handled appropriately and securely.
Verification: By maintaining a clear and unbroken chain of custody, forensic experts can demonstrate the integrity and authenticity of the digital evidence.
If there's any break in this chain, it could cast doubt on the integrity of the evidence.
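The following added example (not part of these notes) implements the record that the Chain of Custody section and the Provenance section above both describe: for a constructed evidence item it stores the hash taken at collection and one entry per handling event (who released it, who received it, when, and what was done), then checks that the content still matches the collection hash, that the entries are in chronological order, and that every hand-off was made by the custodian of record. Names, times and the image bytes are constructed; the serial number is a labelled placeholder.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class CustodyEntry:
    when: datetime              # UTC time of the handling event
    action: str                 # collection, transfer, storage, analysis or presentation
    released_by: Optional[str]  # custodian handing the item over (None for the initial collection)
    received_by: str            # custodian holding the item after this entry
    detail: str                 # where, how and why


@dataclass
class EvidenceItem:
    item_id: str
    sha256_at_collection: str
    entries: List[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(item_id: str, data: bytes, collector: str, when: datetime, detail: str) -> EvidenceItem:
    """Start the chain: hash the evidence at collection and record who collected it."""
    item = EvidenceItem(item_id, sha256_hex(data))
    item.entries.append(CustodyEntry(when, "collection", None, collector, detail))
    return item


def record(item: EvidenceItem, action: str, released_by: str, received_by: str,
           when: datetime, detail: str) -> None:
    item.entries.append(CustodyEntry(when, action, released_by, received_by, detail))


def verify_custody(item: EvidenceItem, current_data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    if sha256_hex(current_data) != item.sha256_at_collection:
        problems.append("content hash differs from the hash recorded at collection")
    if not item.entries or item.entries[0].action != "collection":
        problems.append("chain does not start with a collection entry")
        return problems
    holder, last_time = item.entries[0].received_by, item.entries[0].when
    for i, e in enumerate(item.entries[1:], start=1):
        if e.when < last_time:
            problems.append(f"entry {i}: timestamp precedes the previous entry")
        if e.released_by != holder:
            problems.append(f"entry {i}: released by {e.released_by!r} but custodian of record was {holder!r}")
        holder, last_time = e.received_by, e.when
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    t = lambda h, m: datetime(2024, 3, 4, h, m, tzinfo=timezone.utc)  # constructed times
    image = b"constructed disk image bytes " * 100
    item = collect("EVD-001", image, "A. Analyst", t(9, 0),
                   "Imaged laptop SN-PLACEHOLDER in office 12 through a write blocker")
    record(item, "transfer", "A. Analyst", "B. Custodian", t(10, 30), "Hand-carried to evidence room")
    record(item, "storage", "B. Custodian", "B. Custodian", t(10, 35), "Locker 4, sealed bag")
    record(item, "analysis", "B. Custodian", "C. Examiner", t(13, 0), "Checked out; analysis on a working copy")
    intact = verify_custody(item, image)

    # Same chain, but the content has changed since collection.
    tampered = verify_custody(item, image + b"\x00")

    # Chain with a gap: someone not on record hands it over, and out of time order.
    gapped = EvidenceItem(item.item_id, item.sha256_at_collection, list(item.entries))
    record(gapped, "presentation", "D. Unknown", "Court clerk", t(12, 0), "Produced at hearing")
    return intact, tampered, verify_custody(gapped, image)
```

A log like this is only as trustworthy as its own protection: in real use the entries are kept on an append-only or signed medium (or on paper with signatures) so that the record itself cannot be rewritten after the fact.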

🪴Preservation

Preservation is a fundamental aspect of the digital forensics process, and its importance cannot be overstated. The core goal of digital forensics is to identify, collect, preserve, analyze, and present digital evidence in a manner that is legally defensible.
Here's why preservation is so crucial:
Data Integrity: When digital evidence is collected, it's critical to ensure the original data remains unaltered during the process.
Any changes to the evidence, intentional or accidental, can compromise its integrity, making it unreliable or inadmissible in court.
Preservation techniques, like creating bitwise copies (also known as forensic images) of the data, allow investigators to work on an exact copy of the evidence, leaving the original data untouched.
Volatile Data: Some types of data are volatile, meaning they can easily be lost or altered, such as data in RAM (Random Access Memory).
If this information isn't preserved quickly and correctly at the time of the incident, it could be lost forever, and potentially crucial evidence could be missed.
Evidence Admissibility: In legal proceedings, for digital evidence to be admissible, it's necessary to show a clear and unbroken chain of custody and prove that the evidence hasn't been tampered with or altered since it was collected.
Proper preservation techniques are essential to this process.
Reproducibility: The preservation of digital evidence enables investigators and third parties to reproduce the findings.
This is crucial when it comes to peer-review of the forensic process, and for enabling defense experts to review the work done by the prosecution's experts (or vice versa).
Future Use: Preserved data can be used in the future as technology and techniques advance.
What might not be solvable today might become solvable tomorrow, and having preserved evidence could be vital in those situations.
In summary, preservation in digital forensics is of the utmost importance. It ensures data integrity, allows the collection of volatile data, secures the admissibility of the evidence in court, supports reproducibility of the forensic process, and ensures the future usability of the data.
Without proper preservation, the entire digital forensic process could be undermined.

💿E-Discovery

E-Discovery, short for Electronic Discovery, is the process by which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
It can be carried out offline on a particular computer or it can be done in a network. E-Discovery can also encompass raw data mining or processing, where data may be found forensically whether it is deleted, encrypted, or damaged.
The Electronic Discovery Reference Model (EDRM) is a framework that outlines the standards for the recovery and discovery of digital data.
E-Discovery is a multi-step process which typically involves the following phases:
Information Governance: This is the first stage of the EDRM and involves getting your electronic house in order to mitigate risk and expenses should e-discovery become an issue.
It involves organizing and managing data effectively and securely.
This can also involve creating data maps to understand where all types of data reside.
Identification: This is where potential data sources are identified and the scope of the electronic content to be managed is defined.
This process could include anything from identifying potential custodians of data to determining what data exists and where it's stored.
Preservation: This stage involves ensuring that electronically stored information (ESI) is protected against inappropriate alteration or destruction.
This can be achieved using a legal hold, where identified data is preserved in its original format.
Collection: Collection is the stage where data is gathered for further use in the e-discovery process.
It's vital to collect data in a way that preserves the integrity of the data, so that it can't be disputed at a later stage.
Processing: At this stage, the collected ESI is prepared for further review and analysis.
The data set is reduced by de-duplication and by removing irrelevant information.
This stage also involves converting data, if needed, into forms more suitable for review and analysis.
Review: This phase involves going through the processed ESI to identify what is relevant and what is not.
At this stage, data is often reviewed for privilege and confidentiality before being produced to the opposing party.
Analysis: This is where the reviewed data is further analyzed to find specific evidence relevant to the matter, understand the information, and learn the key patterns, trends, and facts within the dataset.
Production: The production stage is when the relevant, non-privileged ESI is delivered to the requesting party.
The data must be provided in a format that has been agreed upon by both parties or as mandated by the court.
Presentation: The final stage of the EDRM is presenting the ESI.
This involves displaying data before audiences (which can be during depositions, hearings, trials, etc.), to elicit further information, validate existing facts or positions, or persuade an audience.

⛑️Data Recovery

In addition to forensic analysis, forensic techniques may be used to recover data from drives and devices. In fact, file recovery is a common need for organizations due to inadvertent deletions and system problems or errors.
Data Recovery is a critical aspect of digital forensics, the science of uncovering and interpreting electronic data for use in a court of law. Here are some of the reasons why data recovery is so important:
Evidence Retrieval: In many digital forensic investigations, the most important task is to recover data that serves as evidence.
This could be deleted files, hidden files, or even data within corrupted files.
It could be crucial emails, transaction records, logs, images, or videos that can help investigators reconstruct events or prove the commission of a crime.
Recovering Deleted Files: When a file is deleted, it is not necessarily permanently removed from the system.
The space it occupied is typically marked as available for new data, but until that space is overwritten, the original file data can often be recovered.
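The following added example (not part of these notes) shows the recovery idea in the last point in working form: signature-based file carving. It scans a constructed block of "unallocated space" for the fixed PNG file signature, carves each hit up to its IEND end-of-file chunk, and flags a hit whose tail has already been overwritten, which is exactly the case where recovery stops being possible. The PNG header and IEND chunk bytes are the real constants from the format; the surrounding data and the helper names are constructed for the example.

```python
import hashlib
from typing import List, Tuple

PNG_HEADER = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature
PNG_IEND = b"IEND"                  # type of the final chunk; followed by its 4-byte CRC


def carve_png(raw: bytes) -> List[Tuple[int, bytes, bool]]:
    """Scan raw bytes (e.g. unallocated space) for PNG files.

    Returns (offset, carved_bytes, complete) per hit; complete is False when no
    end-of-file chunk follows the header, i.e. the file was partially overwritten.
    """
    hits = []
    pos = 0
    while True:
        start = raw.find(PNG_HEADER, pos)
        if start == -1:
            break
        end = raw.find(PNG_IEND, start + len(PNG_HEADER))
        if end == -1:
            hits.append((start, raw[start:], False))  # truncated: keep what survives
            break
        end += len(PNG_IEND) + 4  # include the CRC that closes the IEND chunk
        hits.append((start, raw[start:end], True))
        pos = end
    return hits


def build_sample_space() -> bytes:
    """Constructed unallocated space: one intact deleted PNG, one with its tail overwritten."""
    intact = (
        PNG_HEADER
        + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\xaa\xbb\xcc\xdd"  # IHDR chunk (content not needed here)
        + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"                      # empty IEND chunk with its CRC
    )
    filler = b"\x00" * 512
    truncated = PNG_HEADER + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 8  # rest overwritten by a newer file
    return filler + intact + filler + truncated + b"NEW FILE DATA"


def demo() -> List[Tuple[int, str, bool, int]]:
    """Offset, SHA-256 prefix, completeness and size for each carved file, as a report row."""
    return [
        (offset, hashlib.sha256(blob).hexdigest()[:12], complete, len(blob))
        for offset, blob, complete in carve_png(build_sample_space())
    ]
```

Carving works on the raw image, not through the file system, which is why the notes stress imaging the whole disk rather than copying files; every carved object should be hashed and logged as a derived artifact so the report can trace it back to the image.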