4.0 Operations and Incident Response

4.5 Explain the Key aspects of digital forensics

Last edited 737 days ago by Makiel [Muh-Keel].
Digital forensics provides organizations with the investigation and analysis tools and techniques to determine what happened on a system or device.
Digital forensics may be carried out to respond to legal holds and electronic discovery requirements, in support of internal investigations, or as part of an incident response process.
Digital forensics even has a role to play in intelligence and counterintelligence efforts.

📄Documentation & Evidence

In many cases, forensics starts when litigation is pending or is anticipated. Legal counsel can send a Legal Hold or Litigation Hold, a notice that informs an organization that they must preserve data and records that might be destroyed or modified in the course of their normal operations. Backups, paper documents, and electronic files of all sorts must be preserved.

⚖️Legal Hold

A Legal Hold, also known as a litigation hold, is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated.
The legal hold is a requirement established by the Federal Rules of Civil Procedure (FRCP) in the United States, and similar rules and laws in other jurisdictions, to prevent the destruction of potential evidence.
A key concept for legal holds and preservation is “spoliation of evidence,” which means intentionally, recklessly, or negligently altering, destroying, fabricating, hiding, or withholding evidence relevant to legal matters.
As a security professional, if you receive a legal hold, you have a responsibility to gather and maintain that data so that everything is preserved.

📹Capturing Video Evidence

Another good source of information to gather is video. Video can provide important details that you can reference after the fact and that normally would not be available through any other means.
For example, you can capture what was on the screen and other details around the system that would not otherwise be recorded.
Mobile Phone
If you have a mobile phone, it is very easy to grab video from wherever you might be.
CCTV Camera
You might also want to look around and see if there are any security cameras that may have stored video that could be included with this information gathering.
This video content needs to be archived so that you are able to view it later in reference to this particular security incident.

🚢Admissibility

Admissibility is a crucial concept in digital forensics because it determines whether the evidence collected can be used in a court of law. For evidence to be admissible, it must be relevant, reliable, and obtained legally.
Here's why each of these factors is important:
Relevance: The evidence must be directly related to the case at hand. It must have the potential to prove or disprove a material fact in the case.
Reliability: The evidence must be trustworthy and reliable. This means it must be authentic (it is what it purports to be), complete, and unaltered. The integrity of digital evidence can be demonstrated through the use of checksums or hashes, which can show that the evidence has not been tampered with since it was collected.
Legally Obtained: The evidence must be collected in a manner that respects all relevant laws and regulations.
This includes laws related to privacy, search and seizure, and data protection. If evidence is obtained illegally, it may be ruled inadmissible, regardless of its relevance or reliability.

⛓️Chain of Custody

The Chain of Custody is a critical concept in digital forensics that refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It's crucial for maintaining the integrity of the evidence and ensuring its admissibility in court.
Here's why it's important:
Integrity of Evidence: The chain of custody helps to ensure and demonstrate that the evidence has not been tampered with or altered in any way.
It shows who has had access to the evidence, when they had access, and what they did with it.
This helps to maintain the integrity of the evidence from the time it was collected until it's presented in court.
Admissibility in Court: Courts require a properly documented chain of custody to consider the evidence as admissible.
If there's a break in the chain of custody, or if it's not clear who had access to the evidence at a given time, the evidence may be considered unreliable and may not be admitted in court.
Accountability: The chain of custody provides a record of who is responsible for the evidence at each stage of the process.
This accountability is important for maintaining the integrity of the investigation and the evidence.
Reproducibility: A well-documented chain of custody can provide enough information for another expert to reproduce the steps taken during the forensic analysis.
This reproducibility is a key aspect of the scientific method and is important for the credibility of the forensic analysis.
In a typical chain of custody process in digital forensics, the following steps would be documented:
Collection: Who collected the evidence, when, where, and how.
Transfer: When the evidence was transferred to another person or location, who was involved, and why the transfer was necessary.
Storage: Where and how the evidence is stored to ensure it's not tampered with.
Analysis: Who analyzed the evidence, what tools and methods they used, and what their findings were.
Presentation: How the evidence is presented in court, including any visualizations or summaries of the analysis.
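The reliability point above (hashes showing the evidence has not been altered since collection) and the chain-of-custody steps are easiest to see together in code. The following is an added example written for these notes, not code from the source material: it hashes an evidence item, records each custody event (collection, transfer, storage, analysis, presentation) with the evidence hash at that moment, and links each entry to the previous one so that a later edit or deletion of a record is detectable. The evidence bytes, custodian names and notes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence". In a real case this would be an acquired disk or
# memory image; here it is an inline byte string so the example runs offline.
EVIDENCE = b"constructed sample disk image contents\n" * 64


def sha256_hex(data: bytes) -> str:
    """Hash an evidence item; this digest is what later verification compares against."""
    return hashlib.sha256(data).hexdigest()


def add_entry(chain: list, action: str, custodian: str, evidence: bytes, note: str = "") -> dict:
    """Append one chain-of-custody entry.

    Each entry records who, when (UTC), what was done, and the evidence hash at that
    moment. It also carries the hash of the previous entry, so removing or editing an
    earlier record later breaks the link and is detected by verify_chain().
    """
    prev_hash = chain[-1]["entry_hash"] if chain else "0" * 64
    entry = {
        "seq": len(chain) + 1,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,  # collection, transfer, storage, analysis, presentation
        "custodian": custodian,
        "evidence_sha256": sha256_hex(evidence),
        "note": note,
        "prev_entry_hash": prev_hash,
    }
    # The entry hash covers every field above, in a canonical JSON encoding.
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()
    ).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list, evidence: bytes) -> list:
    """Return a list of problems found; an empty list means the chain is intact.

    Checks each entry's own hash (record not modified), the link to the previous
    entry (no record removed or reordered), and that the evidence hash recorded at
    every step matches the item being presented now (evidence not altered).
    """
    problems = []
    prev_hash = "0" * 64
    current = sha256_hex(evidence)
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["entry_hash"] != expected:
            problems.append(f"entry {entry['seq']}: record modified")
        if entry["prev_entry_hash"] != prev_hash:
            problems.append(f"entry {entry['seq']}: link to previous entry broken")
        if entry["evidence_sha256"] != current:
            problems.append(f"entry {entry['seq']}: evidence hash does not match item")
        prev_hash = entry["entry_hash"]
    return problems


if __name__ == "__main__":
    chain = []
    add_entry(chain, "collection", "analyst A", EVIDENCE, "imaged laptop, write blocker used")
    add_entry(chain, "transfer", "analyst B", EVIDENCE, "handed to evidence locker")
    add_entry(chain, "analysis", "analyst C", EVIDENCE, "worked from a verified copy")
    print("intact:", verify_chain(chain, EVIDENCE) == [])
    print("tampered item:", verify_chain(chain, EVIDENCE + b"x"))
```

In practice the chain would be written to append-only storage and the analysis step would be performed on a verified working copy, with the original hash re-checked before the evidence is presented.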

⌚Timelines of sequence of events

In digital forensics, the "Timeline of Sequence of Events" refers to the chronological order in which events occurred on a system or network. This timeline can be crucial in understanding the nature of a security incident, identifying the actions of an attacker, or reconstructing the events leading up to a system failure.
Time stamps and time offsets play a critical role in creating this timeline. Here's why:
Time Stamps: Most digital activities leave time-stamped records. For example, files have time stamps indicating when they were created, modified, or accessed.
Log entries in operating systems, applications, or network devices also include time stamps.
These time stamps allow investigators to place events in chronological order and understand the sequence in which they occurred.
Time Offsets: Time offsets refer to the difference between the time recorded in a time stamp and a reference time (often Coordinated Universal Time, or UTC).
Time offsets can be important in digital forensics for a few reasons.
First, they can help investigators correlate events that are recorded in different time zones or on systems with incorrect or inconsistent clock settings.
Second, understanding time offsets can be crucial when dealing with daylight saving time changes, which can otherwise cause confusion or errors in the timeline.
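The two offset problems named above (different time zones and daylight saving changes, plus a host whose clock is simply wrong) are shown in the following added example, written for these notes and not taken from the source material. The three systems, their zones, the clock skew figure and the events are constructed; the zone names are real IANA identifiers. Ordering the records by their raw local timestamps puts them in the wrong sequence; normalizing each one to UTC with its zone's offset for that date and its measured skew reverses the order.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample records from three systems. Each stores the wall-clock time
# it recorded, the IANA zone that clock was set to, and a measured clock skew in
# seconds (positive = the host clock runs fast), as an investigator would note
# when seizing the system. The event text is invented for the example.
RECORDS = [
    {"source": "web-berlin", "local": "2023-03-26 03:30:00", "zone": "Europe/Berlin",
     "skew_s": 0, "event": "suspicious upload accepted"},
    {"source": "db-nyc", "local": "2023-03-25 21:31:00", "zone": "America/New_York",
     "skew_s": 0, "event": "new admin account created"},
    {"source": "jump-host", "local": "2023-03-26 01:34:00", "zone": "UTC",
     "skew_s": 300, "event": "ssh login"},  # this clock was found to be 5 minutes fast
]


def to_utc(local: str, zone: str, skew_s: int = 0):
    """Convert a recorded local time to a true UTC instant.

    Returns (utc_datetime, offset_string). The zone lookup accounts for daylight
    saving time on that date (Berlin is already on CEST, +02:00, on 2023-03-26,
    while it was +01:00 the day before), and the skew correction removes the host
    clock's measured error.
    """
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=ZoneInfo(zone))
    utc = aware.astimezone(timezone.utc) - timedelta(seconds=skew_s)
    return utc, aware.strftime("%z")


def build_timeline(records):
    """Normalize every record to UTC and order them; ties keep input order."""
    timeline = []
    for r in records:
        utc, offset = to_utc(r["local"], r["zone"], r["skew_s"])
        timeline.append({"utc": utc, "offset": offset, "source": r["source"],
                         "local": r["local"], "event": r["event"]})
    timeline.sort(key=lambda e: e["utc"])
    return timeline


def naive_order(records):
    """Ordering by the raw local strings, which is what you get without offset
    handling; included only to contrast with build_timeline()."""
    return [r["source"] for r in sorted(records, key=lambda r: r["local"])]


if __name__ == "__main__":
    print("naive order:     ", naive_order(RECORDS))
    print("normalized order:", [e["source"] for e in build_timeline(RECORDS)])
    for e in build_timeline(RECORDS):
        print(e["utc"].strftime("%Y-%m-%d %H:%M:%S UTC"),
              f"({e['local']} local, offset {e['offset']})", e["source"], e["event"])
```

Keeping the original local string and the applied offset next to each normalized entry, as the timeline dicts do, lets a reviewer check every conversion against the source record rather than trusting the tool.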

🏷️Tags

In digital forensics, Tags are used as a way to categorize, organize, and highlight important pieces of evidence during an investigation. They are essentially labels that investigators can apply to digital artifacts to make them easier to find, analyze, and reference.
Here's how they are typically used:
Categorization: Tags can be used to categorize evidence based on its type, source, or other characteristics.
For example, an investigator might use tags to distinguish between emails, documents, images, or log files.
Prioritization: Tags can be used to highlight particularly important pieces of evidence.
For example, an investigator might tag any files that contain certain keywords or that were accessed at a particular time.
Correlation: Tags can be used to link related pieces of evidence.
For example, if an investigator finds multiple files that were all accessed by the same user, or at the same time, they might use a tag to indicate that these files are related.
Ease of Reference: Once evidence has been tagged, it becomes easier to find and reference.
This can be particularly useful in large investigations, where there may be thousands of pieces of digital evidence to sift through.
Reporting: Tags can also be useful when it comes to reporting the findings of an investigation.
They can help to organize the evidence in a way that makes it easier for others to understand.
In summary, tags are a simple but powerful tool in digital forensics. They help investigators to manage and make sense of the vast amounts of data that can be involved in a digital investigation.

📃Reports

Although the analysis of digital artifacts and evidence is important to the forensic process, the report that is produced at the end is the key product.
Reports need to be useful and contain the relevant information without delving into every technical nuance and detail that the analyst may have found during the investigation.
A typical forensic report will include:
A summary of the forensic investigation and findings.
An outline of the forensic process, including tools used and any assumptions that were made about the tools or process.
A series of sections detailing the findings for each device or drive. Accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail.
Recommendations or conclusions, in more detail than the summary provides.
Forensic practitioners may also provide a report with full detail of the analysis as part of their documentation package.

🔴Event Logs

Event Logs provide a wealth of information because they are storing details about the operating system, the security events, and the applications that are running in that operating system.
So if you’re collecting data from a device, you want to be sure to get the event logs.
They can offer valuable insights into the sequence of events leading up to a security incident, the actions of an attacker, or the cause of a system failure.
Here's why they are so important:
Detailed Record: Event logs provide a detailed record of what happened on a system.
They can show when a user logged in, what actions they performed, what changes were made to the system, when a system error occurred, and much more.
Timestamps: Each entry in an event log typically includes a timestamp, which can help investigators establish a timeline of events.
This can be crucial in understanding the sequence of events during an incident.
Source of Evidence: Event logs can provide evidence of malicious activity.
For example, they might show repeated failed login attempts, changes to system settings, or the execution of unusual processes—all of which could indicate a cyber attack.
Correlation of Events: By analyzing event logs from different sources (such as operating system logs, application logs, and network logs), investigators can correlate events and gain a more complete understanding of an incident.
Accountability: Event logs often record the user account associated with each event. This can help investigators identify who was responsible for a particular action.
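The points above (repeated failed logins as evidence, timestamps for sequencing, correlation across sources, and the account recorded with each event) are put together in the following added example. It is written for these notes, not taken from the source material; the log lines are constructed and formatted after common sshd and application log styles, and the thresholds are assumptions. The detection groups authentication failures by account and source address, flags a burst of failures that is followed by a success, and then pulls in what the same account did in the application log shortly afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real logs). Timestamps are already in UTC; clocks
# that are not would first be normalized as in the timeline section.
AUTH_LOG = """\
2024-05-01T10:00:01Z host1 sshd[311]: Failed password for admin from 203.0.113.9 port 51022
2024-05-01T10:00:04Z host1 sshd[311]: Failed password for admin from 203.0.113.9 port 51023
2024-05-01T10:00:09Z host1 sshd[311]: Failed password for admin from 203.0.113.9 port 51024
2024-05-01T10:00:15Z host1 sshd[311]: Accepted password for admin from 203.0.113.9 port 51025
2024-05-01T10:30:00Z host1 sshd[402]: Failed password for bob from 198.51.100.7 port 40000
"""
APP_LOG = """\
2024-05-01T10:00:40Z host1 app[900]: user=admin action=config_change key=audit_logging value=off
2024-05-01T11:00:00Z host1 app[900]: user=alice action=login
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+) port \d+$")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) app\[\d+\]: user=(?P<user>\S+) "
                    r"action=(?P<action>\S+)\s*(?P<detail>.*)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str, pattern: re.Pattern) -> list:
    """Turn matching lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            events.append(d)
    return events


def find_suspicious_logins(auth_events, threshold=3, window=timedelta(seconds=60),
                           success_within=timedelta(minutes=10)):
    """Flag (user, source) pairs with >= threshold failures inside `window`, and note
    whether a successful login from the same pair followed within `success_within`."""
    by_key = defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)
    findings = []
    for (user, src), evs in by_key.items():
        failures = [e["ts"] for e in evs if e["outcome"] == "Failed"]
        successes = [e["ts"] for e in evs if e["outcome"] == "Accepted"]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                success_at = next((s for s in successes if end < s <= end + success_within), None)
                findings.append({"user": user, "src": src, "failures": len(burst),
                                 "first_failure": start, "success_at": success_at})
                break  # one finding per pair is enough for the report
    return findings


def correlate_with_app(findings, app_events, within=timedelta(minutes=10)):
    """Attach application actions performed by the same account shortly after the login."""
    for f in findings:
        f["followed_by"] = []
        if f["success_at"] is None:
            continue
        for e in app_events:
            if e["user"] == f["user"] and f["success_at"] <= e["ts"] <= f["success_at"] + within:
                f["followed_by"].append({"ts": e["ts"], "action": e["action"], "detail": e["detail"]})
    return findings


if __name__ == "__main__":
    findings = correlate_with_app(find_suspicious_logins(parse_log(AUTH_LOG, AUTH_RE)),
                                  parse_log(APP_LOG, APP_RE))
    for f in findings:
        print(f"{f['user']} from {f['src']}: {f['failures']} failures, success at {f['success_at']}")
        for a in f["followed_by"]:
            print("   then:", a["ts"], a["action"], a["detail"])
```

The single failure for `bob` never reaches the threshold and produces no finding, while the `admin` burst followed by a success and then a change that turns audit logging off is exactly the kind of sequence an investigator would want surfaced and tied to an account.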

🎙️Interviews

We’re often very focused on gathering information from a digital machine, but you can often gather important details from the users of those devices, so you may want to perform interviews.
Interviews allow you to ask questions and get information about what a person saw when a particular security event occurred.
You want to be sure to perform these interviews as quickly as possible after the event, especially since people may leave the organization or may forget what happened during that particular time frame.
The challenge with witness statements is that they may not be 100% accurate: people may see or hear things during the event but not describe them accurately during an interview.

📝Acquiring Forensic Data

🌊Order of Volatility

The order of volatility is a concept in digital forensics and incident response that refers to the sequence in which data should be collected based on its volatility, or how long it lasts in a system before it changes or is lost.
The idea is to collect the most volatile data first, as it's at the greatest risk of being lost as time passes or if the system state changes.
CPU Cache and Registers: This includes processor cache, register content, and other related system state information. This data is highly transient and is lost as soon as the system is powered down or rebooted.
Routing Table, ARP Cache, Process Table, Kernel Statistics: This information is typically held in memory and is lost when the system is rebooted.
Main Memory (RAM): This includes all the information currently being processed in the system's memory, which can include valuable data like encryption keys, running processes, and network information.
Temporary File Systems: This includes data stored in temp files or swap space.
This data can change frequently and may be overwritten or deleted during normal system operation.
Disk: This includes data stored on the system's hard drive or other storage devices.
While this data is less volatile than the types listed above, it can still be changed or deleted during normal system operation or by an attacker trying to cover their tracks.
Remote Logging and Monitoring Data: This includes data sent to remote log servers or SIEM systems.
This data is typically preserved until it's rotated out by newer data, depending on the organization's log retention policy.
Physical Configuration, Network Topology: This includes data about the physical setup of the system and network, which typically changes infrequently.
Archival Media: This includes backups and archives, which are designed to be a long-term, unchanging storage of data.
By following the order of volatility, investigators can maximize their chances of preserving and collecting all relevant data during a digital forensic investigation or incident response.

The Security+ exam expects you to be familiar with the basic concepts for acquisition of information for the following list of forensic targets:

🎒Cache

CPU cache and registers are rarely directly captured as part of a normal forensic effort.
Although it is possible to capture some of this information using specialized hardware or software, most investigations do not need this level of detail.
The CPU cache and registers are constantly changing as processing occurs, making them very volatile.

💾Disk

Ephemeral data such as the process table, kernel statistics, the system's ARP cache, and similar information can be captured through a combination of memory and disk acquisition, but it is important to remember that the capture will only be of the moment in time when the acquisition is done.
If events occurred in the past, this data may not reflect the state that the system was in when the event occurred.

🐏RAM (Random Access Memory)

The content of random access memory (RAM) can be very helpful for both investigations and incident response.
Memory can contain encryption keys, ephemeral data from applications, and information that may not be written to the disk but that can be useful to an investigation.

🔁Swap/Pagefile

Swap and pagefile information is disk space used to supplement physical memory.
Much like capturing information from RAM, capturing the swap and pagefile can provide insight into running processes.
Since it is actively used by the system, particularly on machines with less memory, it also changes more quickly than many files on disk.

🗃️Files and Data

Files and data on a disk change more slowly but are the primary focus of many investigations.
It is important to capture the entire disk rather than just copying files, so that you can see deleted files and other artifacts that remain resident.
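Why a full-disk capture shows more than a file copy can be demonstrated with a small simulation. The following is an added example written for these notes, not code from the source material. It builds a constructed, toy disk image (a directory region followed by a data region, with a made-up record header, not a real filesystem or file format) in which deleting a file only removes its directory entry, as most real filesystems do. A file-level copy returns only the files the directory still lists; a signature scan over the raw image bytes, the same idea as file carving on a real image, also recovers the deleted file's content.

```python
import struct

MAGIC = b"RECv1"   # constructed record signature; not a real file-format header
HEADER = len(MAGIC) + 4   # signature followed by a 4-byte big-endian content length
DIR_SIZE = 256     # the first 256 bytes hold the directory: "name:offset:length;..."
IMAGE_SIZE = 4096  # total size of the toy image


def new_image() -> bytearray:
    return bytearray(IMAGE_SIZE)


def _read_dir(img: bytearray) -> dict:
    raw = bytes(img[:DIR_SIZE]).rstrip(b"\0").decode()
    entries = {}
    for ent in filter(None, raw.split(";")):
        name, off, ln = ent.split(":")
        entries[name] = (int(off), int(ln))
    return entries


def _write_dir(img: bytearray, entries: dict) -> None:
    raw = ";".join(f"{n}:{o}:{l}" for n, (o, l) in entries.items()).encode()
    img[:DIR_SIZE] = raw.ljust(DIR_SIZE, b"\0")


def write_file(img: bytearray, name: str, content: bytes) -> None:
    """Append a record after the last used byte and list it in the directory."""
    entries = _read_dir(img)
    end = max([o + l for o, l in entries.values()] + [DIR_SIZE])
    record = MAGIC + struct.pack(">I", len(content)) + content
    img[end:end + len(record)] = record
    entries[name] = (end, len(record))
    _write_dir(img, entries)


def delete_file(img: bytearray, name: str) -> None:
    """Like many filesystems, "delete" only drops the directory entry; the bytes stay."""
    entries = _read_dir(img)
    del entries[name]
    _write_dir(img, entries)


def logical_copy(img: bytearray) -> dict:
    """What a file-level copy sees: only files still present in the directory."""
    return {n: bytes(img[o + HEADER:o + l]) for n, (o, l) in _read_dir(img).items()}


def carve(img: bytearray) -> list:
    """What a full-image acquisition allows: scan the raw bytes for record signatures,
    ignoring the directory entirely, so unlisted (deleted) records are found too."""
    found, pos = [], DIR_SIZE
    while True:
        pos = img.find(MAGIC, pos)
        if pos == -1:
            break
        (length,) = struct.unpack(">I", img[pos + len(MAGIC):pos + HEADER])
        found.append(bytes(img[pos + HEADER:pos + HEADER + length]))
        pos += HEADER + length
    return found


if __name__ == "__main__":
    img = new_image()
    write_file(img, "report.txt", b"quarterly numbers")
    write_file(img, "notes.txt", b"deleted draft note")
    delete_file(img, "notes.txt")
    print("file copy sees:", list(logical_copy(img)))
    print("image carve finds:", carve(img))
```

On a real image the carver would look for known headers (and footers or length fields) of the formats of interest, and the recovered content would be hashed and logged like any other item so it can be tied back to the image it came from.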

👨🏾‍💻OS

The operating system itself can contain useful information.
The Windows registry is a common target for analysis since many activities in Windows modify or update the registry.

📱Device

Devices such as smartphones or tablets may contain data that can also be forensic targets.

💽Firmware

Firmware is a less frequently targeted forensic artifact, but knowing how to copy the firmware from a device can be necessary if the firmware was modified as part of an incident or if the firmware may have forensically relevant data.
Firmware is often accessible using a hardware interface like a serial cable or direct USB connection, or via memory forensic techniques.

📸Snapshots

Snapshots from virtual machines are an increasingly common artifact that forensic practitioners must deal with.