Next up, we’re covering digital forensics. Again, don’t get your hopes up. This isn’t a very hands-on chapter. If you’re looking for a forensics certification, check out this page. Instead, it covers the legal side of things. Not super technical, but still interesting.
This is a continuation of my blog post series on the CompTIA Security+ exam.
The goal here is to preserve, identify, document and interpret computer data. This is the technical side of developing legal proof, possibly in relation to an incident response.
Order of Volatility
If you want to figure out what happened on a system, you need a copy of the data. What do you collect first? The digital information that is most volatile. This ensures that you don’t lose important information. In order of what to collect first:
- CPU, cache, and register contents
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections and data flows
- Memory (RAM)
- Temporary file system and swap space
- Data on hard disk
- Remotely logged data
- Data stored on archival media and backups
And yes, this will be on the test.
Chain of Custody
This shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control of the evidence during the process. This is a set of strict rules that help guarantee that your evidence will stand in court.
For each step along the way, you should record the who, what, when, where, and how of what happened.
This is a term that means once an organization is aware that it needs to preserve evidence for a court case, it must do so. After this point, any and all information must be preserved. Ordinary data retention isn’t sufficient here. Finding and managing all of the myriad information across multiple devices and locations is called e-discovery.
Evidence is a set of documents, verbal statements, and material objects that are considered admissible in a court of law. Make sure you document all of the steps taken when you collect evidence. This includes who collected it, how, and where. It also includes possession, protection and storage of evidence.
Standards of Evidence
Evidence must be three things:
- Sufficient, which is to say convincing without question.
- Competent, which means it is legally qualified.
- Relevant, which means it must matter to the case at hand.
Types of Evidence
Direct evidence is oral testimony that proves a specific fact. Real evidence is tangible objects that prove or disprove a fact, linking the suspect to the crime scene. Documentary evidence is business records, printouts, manuals, and so on. Most evidence for computer crimes is documentary evidence. Demonstrative evidence is an aid to the jury that can prove that an event occurred.
Three Rules for Evidence
A judge determines whether an item is admissible as evidence by following three rules:
- Best evidence means that courts prefer original evidence to copies to avoid alteration of evidence.
- The exclusionary rule means that data collected in violation of the Fourth Amendment (no unreasonable searches or seizures) is not admissible.
- Hearsay is second-hand evidence and is often not admissible (some exceptions apply). Computer-generated evidence is typically considered hearsay.
Capturing System Images
Imaging or dumping the physical memory of a computer can help identify evidence not available on the hard drive. This is especially useful for identifying rootkits. Dumping memory might not always be for court cases. This might be more appropriate for investigative work. If you think it will end up in court, be sure to consult the legal team first.
A forensic copy is a bit-by-bit copy that includes integrity checks in the form of hashes. Hashing algorithms and tools create message digests that prove that a copy is equivalent to the original and has not been altered.
Network Traffic and Logs
Network activity of a given device can be useful data, or evidence, too.
Screenshots, Photo and Video
Consider taking photos of a computer setup. This can demonstrate how things were laid out. You can also take photos of a screen to show what was visible at a given time. Don’t rely on internal screenshot tools in this case. Lastly, you can use video as evidence, but it also needs to be copied and preserved in the same careful manner as other data.
Make sure that you are aware of, and record any time offsets. The computers in question might not be synced up to “real” time, so calculating the offset is important to establish timelines. Do this before the system is powered down, because you might lose the offset data.
Know that the people involved in the preservation processes might have to testify. Their credibility will have an impact on how the evidence is received.
Evidence needs to be properly acquired, identified, protected from tampering, transported and stored. Digital evidence can be changed, and this happens without a record of the change. As such, you need to have safeguards against this tampering, whether it’s intentional or not. You need a strong chain of custody. You also collect hashes for each piece of data. Lastly, the analysis needs to happen on the forensic copies, not the original data. And you need to verify before and after testing that the copy under inspection matches the hash value.
In the realm of digital forensics, this is determining the relevant information and then recovering it. This isn’t as easy as it seems. How do you know what information in a 1TB system is relevant? You can narrow it down by establishing timelines, keywords, specific activities/acts, and so on.
Strategic Intelligence and Counterintelligence Gathering
One means of narrowing down the relevant information is by strategic information gathering, which is the use of all resources to make determinations. This limits the investigation to a manageable level.
Counterintelligence gathering is the gathering of information specifically targeting the strategic intelligence effort of another entity.
If you know what events to log for, you can minimize logging scope by setting up a system that actively logs relevant info when it happens. These logs should be stored somewhere that isn’t subject to tampering.
Lastly, you should keep records of forensics. This demonstrates who did what, when they did it, and how long it took.