Security Operations

Evidence Collection Priority

Most volatile to least volatile:

Memory registers, caches

Routing table, ARP cache, process table, kernel statistics, RAM

Temporary files systems

Non-volatile media, fixed and removable

Remote logging and monitoring data

Physical interconnections and topologies

Archival media, tape or other backups

RFC 3227

Examen: welke als eerste collecten

Data Integrity and Preservation

Digital evidence should be preserved in its original condition.

Original evidence should be copied, and analysis should only be conducted on copies.

Timestamps may be part of evidence so opening files from the original media should be avoided.

Process used to create copies of evidence should be recorded.

Special tools should be used to preserve forensic evidence before the device is shut down and evidence is lost.

Users should not disconnect, unplug, or turn off infected machine unless told to by security personnel.

NIST Guide to Integrating Forensic Techniques into Incident Response: page 28, 47

6

Chain of custody

The documentation of evidence collected about an incident that is used by authorities during an investigation.

Who, what, when, where, how?

The chain of custody requires that from the moment the evidence is collected, every transfer of evidence from person to person be documented and that it be provable that nobody else could have accessed that evidence. It is best to keep the number of transfers as low as possible (wikipedia).

Evidence must be relevant, reliable, properly identified, and properly preserved.

NIST Guide to Integrating Forensic Techniques into Incident Response: page 38

7

Building a Forensic Toolkit

Key Toolkit Components

A digital forensics workstation.

A forensic investigation suite or forensic software (e.g. FTK, EnCase)

FTK, EnCase; SIFT workstation, the Sleuth Kit (TSK)

Write blockers, which ensure that drives connected to a forensic system or device cannot be written to.

Forensic drive duplicators, which are designed to copy drives for forensic investigation.

Wiped drives and wiped removable media of sufficient capacity to handle any drive or system that you are likely to encounter.

Cables and drive adapters, camera, labeling and documentation tools, Notebooks and pre-prepared documentation forms and checklists

8

Forensic Software

Capabilities and Application

Imaging Media and Drives

Analysis Utilities

Timelines of system changes

Validation tools that check known-good versions of files against those found on a system

Filesystem analysis capabilities that can look at filesystem metadata (like the Windows Master File Table for NTFS) to identify file changes, access, and deletions

Windows Registry analysis

Log file parsing and review

Support for properly maintaining chain-of-custody documentation in an automated and logged manner

Verification of the forensic integrity of an image

Operating System, Process, and Memory Dump Analysis

Password Crackers and Password Recovery

9

Training and Certification

CCE, or Certified Computer Examiner

CFCE, Certified Forensic Computer Examiner

CHFI, Computer Hacking Forensic Investigator

GCFA, GIAC Certified Forensic Analyst

GCFE, GIAC Certified Forensic Examiner

CSFA, Cybersecurity Forensic Analyst

Vendor-specific certifications are also common, particularly the ACE, or AccessData Certified Examiner (for FTK and other AccessData products), and EnCE, or EnCase Certified Examiner.

10

Forensic investigation examples

https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html

https://www.wired.com/images_blogs/threatlevel/2012/03/celiginvestigation.pdf

11

Network data

12

Nbtstat is a utility that can provide protocol statistics and current connections using the NetBIOS over TCPIP protocol.

Netstat is a very powerful command line tool that can be used to view the network connection information on a machine

sysinternals-suite https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Pslist, psloggedon, psfile

Disk imaging

13

A bit-by-bit copy of a harddisk or USB drive, including the slack space and the unallocated space on the media Slack space: the leftover storage that exists on a computer’s hard disk drive when a computer file does not need all the space it has been allocated by the operating system.

Commercial tools:

FTK imager, Encase

Unix/linux

Dd, Dcfldd (http://dcfldd.sourceforge.net/)

NIST Guide to Integrating Forensic Techniques into Incident Response: page 51