Incident Response Plan

Digital Forensics Methodology

In digital forensics, all investigations follow the same basic methodology:

  1. Identify relevant items of evidentiary material (EM).

  2. Acquire (seize) the evidence without alteration or damage.

  3. Take steps to assure that the evidence is at every stage verifiably authentic and is unchanged from the time it was seized.

  4. Analyze the data without risking modification or unauthorized access.

  5. Report the findings to the proper authority.

This general process is illustrated in Figure 10-12.

Figure 10-12. Digital Forensics Process

To support the selection and implementation of a methodology, the organization may wish to seek legal advice or consult with local or state law enforcement. Other publications that should become part of the organization team’s library include:

For a list of these and other computer forensics responder guides, visit the CERT Web site at www.cert.org/incident-management/csirt-development/resources-collecting-evidence.cfm or the National Institute of Justice Web site at www.nij.gov.

Identify Relevant Items

A crucial aspect of any digital forensics investigation is identifying the potential EM and its probable location and then documenting that information in the search warrant or authorization document. Unless investigators have an idea of what to look for (such as evidence that the accused has been selling intellectual property related to future product offerings, or has been viewing objectionable or illegal content), they may never find it in the vast array of possible locations an individual user may have access to—such as flash drives, external storage drives, and Internet services.

Acquire the Evidence

The principal responsibility of the response team is to acquire the information without altering it. Computers modify data constantly: simply booting a system or opening a file updates timestamps and other metadata. Such normal system file changes may be difficult to explain to a layperson (e.g., a jury member with little or no technical knowledge). A routine system consequence of the search for EM could be portrayed by a defense attorney as affecting the authenticity or integrity of the EM, which could lead a jury to suspect that the EM was planted or is otherwise suspect. The biggest challenge is to show that the person under investigation is the one who stored, used, and maintained the EM, or who conducted the unauthorized activity.

Other Potential Evidence

Not all EM is on a suspect’s computer hard drive. A technically savvy attacker is more likely to store incriminating evidence on other digital media, such as removable drives, CDs, DVDs, flash drives, memory chips or sticks, or on other computers accessed across the organization’s networks or via the Internet. EM located outside the organization is particularly problematic, as the organization cannot legally search systems it does not own. However, the simple act of viewing EM on a system leaves clues about the location of the source material, and a skilled investigator can at least provide some assistance to law enforcement when conducting a preliminary investigation. Log files are another source of information about the access and location of EM, as well as about what happened when.

Some evidence isn’t electronic or digital in nature. Many suspects have been further incriminated when the passwords to their digital media were discovered in the margins of user manuals, in calendars and day planners, and even on notes attached to their systems.

EM Handling

Once the evidence is acquired, both the copy image and the original drive should be handled so as to avoid legal challenges based on authenticity and preservation of integrity. If the organization or law enforcement cannot demonstrate that no one had physical access to the evidence, they cannot provide strong assurances that it has not been altered. Once the evidence is in the possession of investigators, they must track its movement, storage, and access until the resolution of the event or case.

This is typically accomplished by means of chain of evidence (also known as chain of custody) procedures. Chain of evidence is defined as the detailed documentation of the collection, storage, transfer, and ownership of collected evidence from crime scene through its presentation in court. The evidence is then tracked wherever it is located. When the evidence changes hands or is stored, the documentation is updated.

Not all evidence-handling requirements are met through the chain of custody process. Digital media must be stored in an environment designed for that purpose, one that can be secured to prevent unauthorized access. Individual items should be stored in electrostatic discharge (ESD) protective containers or bags, marked as sensitive to ESD and magnetic fields, and so forth.

Authenticate the Recovered Evidence

A copy or image of the digital media containing the EM is typically transferred to the laboratory for the next stage of authentication. The team must be able to demonstrate that any analyzed copy or image is a true and accurate replica of the source EM. This is accomplished by the use of cryptographic hash tools. As you will learn in Chapter 12, a hash tool takes a file of any length and computes a single fixed-length numerical value, usually represented in hexadecimal notation, rather like a digital fingerprint. The hash is recorded when the image is acquired and recomputed before each analysis; if even one bit of the image has changed, the recomputed value will not match the recorded one.
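The following is an added example, not code from the textbook: it shows how a working copy of an image is authenticated against the digest recorded at acquisition, and that a single flipped bit is enough to break the match. The "image" is a constructed 3 MiB byte pattern written to a temporary file, not a real drive; file names and the `verify_image` helper are assumptions for illustration.

```python
"""Authenticate a forensic working copy against its acquisition hash.

Added example for this section, not the textbook's own code. A small
constructed byte pattern stands in for a real disk image.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so images larger than RAM still work


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, reading it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, expected_digest, algorithm="sha256"):
    """True only if the copy still hashes to the digest recorded at seizure."""
    return hash_file(image_path, algorithm) == expected_digest.lower()


def demo():
    """Return (clean_copy_verifies, tampered_copy_verifies)."""
    # Constructed sample image (3 MiB repeating pattern), not real evidence.
    original = bytes(range(256)) * (3 * 1024 * 1024 // 256)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.dd")        # assumed name: seized image
        copy = os.path.join(tmp, "working_copy.dd")   # assumed name: lab copy
        with open(src, "wb") as f:
            f.write(original)
        # Digest written on the acquisition form at the time of seizure.
        acquisition_hash = hash_file(src)

        with open(copy, "wb") as f:
            f.write(original)
        clean = verify_image(copy, acquisition_hash)

        # Flip one bit in the middle of the working copy and re-verify.
        pos = len(original) // 2
        with open(copy, "r+b") as f:
            f.seek(pos)
            b = f.read(1)[0]
            f.seek(pos)
            f.write(bytes([b ^ 0x01]))
        tampered = verify_image(copy, acquisition_hash)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched copy verifies:", clean)
    print("copy with one flipped bit verifies:", tampered)
```

In practice the acquisition hash is computed on the write-blocked original and entered on the chain-of-custody form; every later verification compares against that recorded value, never against a hash recomputed from the copy itself.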

Analyze the Data

The most complex part of an investigation is the analysis of the copy or image for potential EM. The first component of the analysis phase is indexing. During indexing, many investigatory tools build an index of all text found on the drive, including text in deleted files and unallocated space, allowing the investigator to quickly and easily search for specific words, names, or file types across the whole image.
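As an added example, not a tool from the textbook, the code below shows the core of what indexing does: it pulls printable ASCII and UTF-16LE strings out of a raw image together with their byte offsets, tokenizes them, and answers keyword searches. Commercial suites are far more file-type aware than this; the sample image, its planted e-mail header and filename, and the helper names are all constructed for illustration.

```python
"""Build a searchable index of printable text found in a raw image.

Added example, not the textbook's own tool. Extracts printable runs with
their byte offsets (the strings(1) heuristic) and indexes the tokens.
"""
import re
from collections import defaultdict

# Runs of at least 6 printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# UTF-16LE runs (how NTFS stores names): printable byte followed by NUL.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Search tokens: 3+ chars, letters/digits plus the punctuation seen in
# e-mail addresses and file names.
TOKEN = re.compile(r"[a-z0-9][a-z0-9._@-]{2,}")


def extract_strings(image):
    """Yield (byte_offset, text) for each printable run in the image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), m.group().decode("utf-16-le")


def build_index(image):
    """Map each lowercase token to the byte offsets of strings containing it."""
    index = defaultdict(set)
    for offset, text in extract_strings(image):
        for tok in TOKEN.findall(text.lower()):
            index[tok].add(offset)
    return index


def search(index, term):
    """Sorted byte offsets at which the (case-insensitive) term occurs."""
    return sorted(index.get(term.lower(), ()))


# Constructed sample image: filler bytes with a few planted artifacts.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"From: alice@example.com\r\nSubject: Q3 roadmap.pdf attached\r\n"
    + b"\xff" * 300
    + "roadmap.pdf".encode("utf-16-le")   # a UTF-16 file name, as NTFS stores it
    + b"\x00" * 200
    + b"DELETED: sent to competitor"     # text surviving in unallocated space
    + b"\x00" * 100
)


if __name__ == "__main__":
    idx = build_index(SAMPLE_IMAGE)
    for term in ("roadmap.pdf", "alice@example.com", "competitor"):
        print(f"{term!r} found at offsets {search(idx, term)}")
```

Reporting offsets rather than just hits matters: the investigator can go back to the exact location in the authenticated image, determine which file or unallocated region holds it, and cite that location in the report.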

Report the Findings

As investigators examine the analyzed copies or images and identify potential EM, they can tag it and add it to their case files. Once they have found a suitable amount of information, they can summarize their findings as well as their investigatory procedures in a report and submit it to the appropriate authority. This authority could be law enforcement or management. The suitable amount of EM is a flexible determination made by the investigator. In certain cases, such as child pornography, one file is sufficient to warrant turning the entire investigation over to law enforcement. On the other hand, a dismissal (termination of employment) on the grounds of the unauthorized sale of intellectual property may require a substantial amount of information to support the organization’s assertion. Reporting methods and formats vary from organization to organization and should be specified in the digital forensics policy. The general guideline for the report is that it should be sufficiently detailed to allow a similarly trained person to repeat the analysis and achieve similar results.