M-7 One Page
Computer Forensics
Chapter 23
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Objectives
Explore the basics of digital forensics.
Identify the rules and types of evidence.
Collect evidence and preserve evidence.
Maintain a viable chain of custody.
Investigate a computer crime or policy violation.
Examine system artifacts.
Develop forensic policies and procedures.
Examine the policies and procedures associated with e-discovery.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
2
Key Terms (1 of 2)
Active logging
Best evidence rule
Competent evidence
Demonstrative evidence
Device forensics
Direct evidence
Documentary evidence
E-discovery
Evidence
Exclusionary rule
Forensics
Free space
Hash
Hashing algorithm
Hearsay rule
Host forensics
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Active logging - A type of logging that is determined during the preparation phase, and when it comes time for recovery, the advance planning pays off in the production of evidence.
Best evidence rule – A legal principle that supports a true copy as equivalent to the original.
Competent evidence – Competent evidence is evidence that is legally qualified and reliable.
Demonstrative evidence – Demonstrative evidence is evidence that is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Device forensics – The application of digital forensic principles to devices—mobile phones, tablets, the endless list of devices that comprise the “Internet of Things,” and more.
Direct evidence – Direct evidence is the oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.
Documentary evidence – Documentary evidence is evidence in the form of business records, printouts, manuals, and other items.
E-discovery – A branch of digital forensics dealing with identifying, managing, and preserving digital information that is subject to legal hold.
Evidence – The documents, verbal statements, and material objects admissible in a court of law.
Exclusionary rule – The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related violations of the U.S. Code, it may not be admissible to a court.
Forensics – The preservation, identification, documentation, and interpretation of computer data for use in legal proceedings.
Free space – Sectors on a storage medium that are available for the operating system to use.
Hash – A number produced from a hashing algorithm that is unique based on the information contained in the data stream (or file). If a subsequent hash created on the same data stream results in a different hash value, it usually means that the data stream was changed.
Hashing algorithm – An algorithm that performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate some number, the hash, that is unique based on the information contained in the data stream (or file).
Hearsay rule – Hearsay is second-hand evidence; evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted? Typically, computer-generated evidence is considered hearsay evidence, as the maker of the evidence (the computer) cannot be interrogated. There are exceptions being made where items such as logs and headers (computer generated materials) are being accepted.
Host forensics – A term that refers to the analysis of a specific system. Host forensics includes a wide range of elements, including the analysis of file systems and artifacts of the operating system.
3
Key Terms (2 of 2)
Legal hold
Litigation hold
Magic number
Network forensics
Partition
Preservation
Real evidence
Record time offset
Relevant evidence
Slack space
Strategic intelligence
Stream
Sufficient evidence
Write blocker
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Legal hold – The process by which you properly preserve any and all digital evidence related to a potential case. Also known as litigation hold.
Litigation hold – The process by which you properly preserve any and all digital evidence related to a potential case. Also known as legal hold.
Magic number – A series of digits near the beginning of the file that provides information about the file format.
Network forensics – The application of digital forensics processes to network traffic.
Partition – A logical storage unit that is subsequently used by an operation system
Preservation – To isolate, secure, and preserve the state of physical and digital evidence. This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within a certain proximity. Proper preservation is essential to prevent alteration of the source.
Real evidence – Real evidence consists of tangible objects that prove or disprove a fact.
Record time offset – A data element calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server.
Record time offset – A data element calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server.
Relevant evidence – Relevant evidence is evidence which is material to the case or have a bearing on the matter at hand.
Slack space – Unused space on a disk drive created when a file is smaller than the allocated unit of storage (such as a sector).
Strategic intelligence – The use of all resources to make determinations.
Stream – A short name for Alternate Data Stream, a specific data structure associated with NTFS in Windows.
Sufficient evidence – Sufficient evidence is evidence that is convincing or measures up without question.
Write blocker – A specific interface for a storage media that does not permit writing to occur to the device. This allows copies to be made without altering the device.
4
Introduction (1 of 2)
The term forensics relates to the application of scientific knowledge to legal problems.
Computer forensics involves the preservation, identification, documentation, and interpretation of computer data.
Forensics is often associated with incident response.
Incident response is about corrective action—returning the system to a normal operational state.
Forensics is about figuring out what happened.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
In today’s practice, computer forensics can be performed for three purposes:
■ Investigating and analyzing computer systems as related to a violation of law
■ Investigating and analyzing computer systems for compliance with an organization’s policies
■ Responding to a request for digital evidence (e-discovery)
5
Introduction (2 of 2)
One can violate corporate policies while acting lawfully with respect to computer laws.
Exceeding one’s authorizations with respect to system access is a violation of the law.
Computer forensic actions may deal with legal violations.
Investigations could go to court proceedings.
As a potential first responder, you should always seek legal counsel.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
If an unauthorized person accesses a system, that person likely has violated the law. However, a company employee who performs similar acts(accessing data remotely) may or may not violate laws, the determination of which depends on many factors, including specific authorizations and job duties. One can violate corporate policies while acting lawfully with respect to computer laws. It is worth noting that knowingly exceeding one’s authorizations with respect to system access is a violation of the law.
Any of these situations could ultimately result in legal action and may require legal disclosure. Therefore, it is important to note that computer forensic actions may, at some point in time, deal with legal violations, and investigations could go to court proceedings. As a potential first responder, you should always seek legal counsel. Also seek legal counsel ahead of time as you develop and implement corporate policies and procedures. It is extremely important to understand that even minor procedural missteps can have significant legal consequences. The rule to follow is simple: always assume that the material will be used in a court of law and thus must be handled in a perfectly proper manner at all times. This further means that when dealing with forensics, you must ensure that all steps are performed by qualified forensic examiners.
6
Evidence
Evidence consists of the documents, verbal statements, and material objects that are admissible in a court of law.
The submission of evidence is challenging, but it is even more challenging when computers are used.
People involved may not be technically educated and thus may not fully understand what has happened.
Computer evidence presents more challenges.
Data cannot be experienced with the physical senses.
Bits of data are merely magnetic pulses on a storage device.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Evidence consists of the documents, verbal statements, and material objects that are admissible in a court of law. Evidence is critical to convincing management, juries, judges, or other authorities that some kind of violation has occurred. The submission of evidence is challenging, but it is even more challenging when computers are used because the people involved may not be technically educated and thus may not fully understand what’s happened.
Computer evidence presents yet more challenges because the data itself cannot be experienced with the physical senses—that is, you can see printed characters, but you can’t see the bits where that data is stored. Bits of data are merely magnetic pulses on a disk or some other storage technology. Therefore, data must always be evaluated through some kind of “filter” rather than sensed directly. This is often of concern to auditors, because good auditing techniques recommend accessing the original data or a version that is as close as possible to the original data.
7
Types of Evidence (1 of 2)
Direct evidence – Oral testimony that proves a specific fact (such as an eyewitness’s statement)
The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.
Real evidence – Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact
Physical evidence links the suspect to the scene of a crime.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
8
Types of Evidence (2 of 2)
Documentary evidence – evidence in the form of business records, printouts, manuals, and the like
Much of the evidence relating to computer crimes is documentary evidence.
Demonstrative evidence – used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
9
Standards for Evidence (1 of 4)
Evidence in U.S. federal court cases is governed by a series of legal precedents.
The most notable is the Daubert standard.
Three U.S. Supreme Court cases articulate the Daubert standard and shape how materials are entered into evidence.
Digital forensics must be interpreted by an expert and presented to the court.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
10
Standards for Evidence (2 of 4)
Four specific elements are associated with the admission of scientific expert testimony:
The Judge is the gatekeeper.
The trial judge determines that the expert’s testimony is relevant and that the expert’s methods are reliable.
Expert knowledge should be based on science.
Scientific methodology must be based on proven science, subjected to peer review, with a known error rate or potential error rate and consensus among the scientific community that the methodology is generally accepted.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
The first element is that the Judge is the gatekeeper. Materials are not considered evidence until declared so by the judge. This is to ensure that experts are determined to be experts before the court relies upon their judgment. A second element is reliability and relevance. The trial judge is to determine that the expert’s testimony is relevant to the proceedings at hand, and that the expert’s methods are reliable with respect to the material being attested to. The third element is that expert knowledge should be based on science, specifically science that is based on the scientific method with a replicable methodology. The final element relates to this scientific methodology, stating that it must be based on proven science, subjected to peer review, with a known error rate or potential error rate and consensus among the scientific community that the methodology is generally accepted. After these elements are satisfied, the judge can admit the expert’s testimony as evidence.
11
Standards for Evidence (3 of 4)
These factors all relate to a U.S. federal court decision and therefore are only binding in the U.S. federal judiciary.
The test is recognized and applied in similar form at many levels of jurisdiction.
The bottom line is simple:
The data cannot speak for itself, and experts who can interpret the data operate under strict guidelines with respect to conduct, qualifications, principles, and methods.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
12
Standards for Evidence (4 of 4)
Credible evidence must meet three standards:
Sufficient evidence – It must be convincing or measure up without question.
Competent evidence – It must be legally qualified and reliable.
Relevant evidence – It must be material to the case or have a bearing on the matter at hand.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
To be credible, especially if evidence will be used in court proceedings or in corporate disciplinary actions that could be challenged legally, evidence must meet three standards.
13
Three Rules Regarding Evidence (1 of 2)
Three rules guide the use of evidence with regard to court proceedings:
Best evidence rule – Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred.
Exclusionary rule – The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure.
Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
An item can become evidence when it is admitted by a judge in a case. Three rules guide the use of evidence with regard to its use in court proceedings:
Best evidence rule Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. In some instances, an evidence duplicate can be accepted, such as when the original is lost or destroyed by acts of God or in the normal course of business. A duplicate is also acceptable when a third party beyond the court’s subpoena power possesses the original.
Exclusionary rule The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related provisions of the U.S. Code, it may not be admissible to a court. For example, if no policy exists regarding the company’s intent to monitor network traffic or systems electronically, and the employee has not acknowledged this policy by signing an agreement, sniffing the employee’s network traffic could be a violation of the ECPA.
Hearsay rule Hearsay is secondhand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. Typically, computer-generated evidence is considered hearsay evidence, as the maker of the evidence (the computer) cannot be interrogated. There are exceptions being made where items such as logs and headers (computer-generated materials) are being accepted in court. There are exceptions, but they rarely apply to digital evidence.
14
Three Rules Regarding Evidence (2 of 2)
Hearsay rule – Hearsay is secondhand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
15
Forensic Process (1 of 4)
Steps in a digital forensic investigation include:
Identification – Recognize an incident from indicators and determine its type and scope.
Preparation – Prepare tools, techniques, and search warrants and monitor authorizations and management support.
Approach/strategy – Dynamically formulate an approach based on potential impact on bystanders and the specific technology in question.
Preservation – Isolate, secure, and preserve the state of physical and digital evidence.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Forensics is the use of scientific methods in the analysis of matters in connection with crime or other legal matters. Because of the connection to law, it is
an exacting process, with no room for error. In digital forensics, the issue of alteration becomes paramount, because changing 1’s to 0’s does not leave a trace in many situations. Because of the issue of contamination or spoliation of evidence, detailed processes are used in the processing of information.
From a high-level point of view, multiple steps are employed in a digital forensic investigation:
From a high-level point of view, multiple steps are employed in a digital forensic investigation:
1. Identification – Recognize an incident from indicators and determine its type and scope. This is not explicitly within the field of forensics but is significant because it impacts other steps. What tools were used? How many systems are involved? How much data is to be copied? These questions all have ramifications on the successful outcome of a forensic process.
2. Preparation – Prepare tools, techniques, and search warrants and monitor authorizations and management support.
3. Approach/strategy – Dynamically formulate an approach based on potential impact on bystanders and the specific technology in question. The goal of the strategy should be to maximize the collection of untainted evidence while minimizing impact to the victim or owner.
4. Preservation – Isolate, secure, and preserve the state of physical and digital evidence. This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within a certain proximity. Proper preservation is essential to prevent alteration of the source.
16
Forensic Process (2 of 4)
Steps in a digital forensic investigation include (continued):
Collection – Record the physical scene and duplicate digital evidence using standardized and accepted procedures.
Examination – In-depth, systematic search of evidence relating to the suspected crime.
Analysis – Determine significance, reconstruct fragments of data, and draw conclusions based on the elements of evidence found.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
From a high-level point of view, multiple steps are employed in a digital forensic investigation (continued):
5. Collection – Record the physical scene and duplicate digital evidence using standardized and accepted procedures. This is where a digital camera and microphone are vital tools for capturing details—serial numbers, layouts, and so forth—quickly and definitively.
6. Examination – In-depth, systematic search of evidence relating to the suspected crime. This step occurs later, in a lab, and focuses on identifying and locating potential specific evidence elements, possibly within unconventional locations. It is important to construct detailed documentation for analysis, documenting the metadata and data values that may be relevant to the issues at hand in the investigation.
7. Analysis – Determine significance, reconstruct fragments of data, and draw conclusions based on the elements of evidence found. The data itself cannot tell a story, and in this step the investigator weaves the elements into a picture, hopefully the only one that can be supported. Although the intuition is to prove guilt, the skilled and seasoned investigator focuses on painting the picture that the data describes, regardless of outcome, and making it comprehensive and complete so that it will stand up to challenge. Multiple people with different skill sets may be needed to complete the picture.
17
Forensic Process (3 of 4)
Steps in a digital forensic investigation include (continued):
Presentation – Summarize and provide an explanation of the conclusions: The results should be written in layperson’s terms using abstracted terminology.
Returning evidence – Ensure physical and digital property is returned to its proper owner and determine how and what criminal evidence must be removed.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
From a high-level point of view, multiple steps are employed in a digital forensic investigation (continued):
8. Presentation – Summarize and provide an explanation of the conclusions. The results should be written in layperson’s terms using abstracted terminology. If you cannot explain the information to a nontechnical layperson, then you do not understand it well enough to complete this aspect. All abstracted terminology should reference the specific details of the case.
9. Returning evidence – Ensure physical and digital property is returned to its proper owner and determine how and what criminal evidence must be removed. (For example, hardware may be returned, but images of child pornography would be removed.) This is not an explicit step of forensic investigation, and most models that address how to seize evidence rarely address this aspect. But at the end of the day, the job is not done until all aspects are finished, and this includes this level of clean-up activity.
18
Forensic Process (4 of 4)
In a court, credibility is critical.
Evidence must be properly acquired, identified, protected against tampering, transported, and stored.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
When information or objects are presented to management or admitted to court to support a claim, that information or those objects can be considered as evidence or documentation supporting your investigative efforts. Senior management will always ask a lot of questions—second- and third-order questions that you need to be able to answer quickly. Likewise, in a court, credibility is critical. Therefore, evidence must be properly acquired, identified, protected against tampering, transported, and stored.
19
Acquiring Evidence (1 of 11)
When an incident occurs, you will need to collect data and information to facilitate your investigation.
You should collect as much information as soon as you can.
Evidence can be found in many places.
Workstation or laptop computer
Company-owned file servers
Security appliances
Servers located with the Internet service provider (ISP)
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
When an incident occurs, you will need to collect data and information to facilitate your investigation. If someone is committing a crime or intentionally violating a company policy, she will likely try to hide her tracks. Therefore, you should collect as much information as soon as you can. In today’s highly networked world, evidence can be found not only on the workstation or laptop computer, but also on company-owned file servers, security appliances, and servers located with the Internet service provider (ISP).
20
Acquiring Evidence (2 of 11)
A first responder must do as much as possible to control damage or loss of evidence.
Look on the desk, on the Rolodex, under the keyboard, in desktop storage areas, and on cubicle bulletin boards for any information that might be relevant.
Secure floppy disks, optical discs, flash memory cards, USB drives, tapes, and other removable media.
Request copies of logs as soon as possible.
Take photos or video.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Take photos (some localities require use of Polaroid photos, as they are more difficult to modify without obvious tampering) or video. Include photos of operating computer screens and hardware components from multiple angles. Be sure to photograph internal components before removing them for analysis.
21
Acquiring Evidence (3 of 11)
These are two questions to consider when an incident occurs and the computer being used is going to be secured:
Should the computer be turned off?
Should the computer be disconnected from the network?
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
When an incident occurs and the computer being used is going to be secured, you must consider two questions: Should it be turned off, and should it be disconnected from the network? Forensic professionals debate the reasons for turning a computer on or turning it off. Some state that the plug should be pulled in order to freeze the current state of the computer. However, this results in the loss of any data associated with an attack in progress from the machine. Any data in RAM will also be lost. Further, it may corrupt the computer’s file system and could call into question the validity of your findings.
22
Acquiring Evidence (4 of 11)
Imaging or dumping the physical memory of a computer system can help identify evidence that is not available on a hard drive.
This is especially appropriate for rootkits.
Once the memory is imaged, you can use a hex editor to analyze the image offline on another system.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Imaging or dumping the physical memory of a computer system can help identify evidence that is not available on a hard drive. This is especially appropriate for rootkits, for which evidence on the hard drive is hard to find. Once the memory is imaged, you can use a hex editor to analyze the image offline on another system. (Memory-dumping tools and hex editors are available on the Internet.) Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If a case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memory is acceptable; otherwise, the defendant will easily be able to dispute the claim that evidence was not tampered with.
Exam Tip: File time stamps may be of use during the analysis phase. To correlate file time stamps to actual time, it is important to know the time offset between the system clock and real time. Recording the time offset while the system is live is critical if the system clock is different than actual time.
Exam Tip: For CompTIA Security+ testing purposes, remember this: the memory should be dumped, the system should be powered down cleanly, and an image should be made and used as you work.
23
Acquiring Evidence (5 of 11)
It is possible for the computer criminal to leave behind a software bomb.
Any commands you execute, including shutting down or restarting the system, could destroy or modify files, information, or evidence.
The criminal may have anticipated such an investigation and altered some of the system’s binary files.
If the computer being analyzed is a server, it is unlikely management will support taking it offline and shutting it down for investigation.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
While teaching at the University of Texas, Austin, Dr. Larry Leibrock led a research project to quantify how many files are changed when turning off and on a Windows workstation. The research documents that approximately 0.6 percent of the operating system files are changed each time a Windows XP system is shut down and restarted. An administrator looking at a machine at the behest of management can completely obfuscate any data that could be recovered, a process called spoliation. This cannot be undone and renders the data unusable in legal proceedings, whether court or human resources.
Further, if the computer being analyzed is a server, it is unlikely management will support taking it offline and shutting it down for investigation. So, from an investigative perspective, either course may be correct or incorrect, depending on the circumstances surrounding the incident. What is most important is that you are deliberate in your work, you document your actions, and you can explain why you took the actions you performed.
24
Acquiring Evidence (6 of 11)
Figure 23.1 Investigative method rigor
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Many investigative methods are used. Figure 23.1 shows the continuum of investigative methods from simple to more rigorous.
25
Acquiring Evidence (7 of 11)
Figure 23.2 Required rigor of the investigative method versus
both data reliability and the difficulty of investigation
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Figure 23.2 shows the relationship between the complexity of your investigation and both the reliability of your forensic data and the difficulty of investigation.
26
Acquiring Evidence (8 of 11)
Order of volatility
Things such as the state of the CPU and its registers are always changing, as are memory and even storage.
These elements tend to change at different rates, and you should pay attention to the order of volatility so that collection priority is devoted where it can matter.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
27
Acquiring Evidence (9 of 11)
The following is the order of volatility of digital information in a system:
CPU, cache, and register contents (collect first)
Routing tables, ARP cache, process tables, kernel statistics
Live network connections and data flows
Memory (RAM)
Temporary file system/swap space
Data on hard disk
Remotely logged data
Data stored on archival media/backups (collect last)
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
28
Acquiring Evidence (10 of 11)
Capture system image
Imaging or dumping the physical memory of a computer system can help identify evidence not available on a hard drive.
The other system image is the internal storage devices.
Network traffic and logs
Capture video
Record time offset
Take hashes
Hashing algorithm similar to cyclic redundancy check
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
29
Acquiring Evidence (11 of 11)
Screenshots
Particular attention should be paid to the state of what is on the screen at the time of evidence collection.
Witness interviews
Witness credibility is extremely important.
Witness preparation can be critical in a case, even for technical experts.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
30
Identifying Evidence
Evidence must be properly marked as it is collected so that it can be identified as a particular piece of evidence gathered at the scene.
Properly label and store evidence, and make sure the labels can’t be easily removed.
Keep an evidence control log book identifying each piece of evidence.
Log other identifying marks, such as device make, model, serial number, cable configuration or type, and so on.
Note any type of damage to the piece of evidence.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Keep an evidence control log book identifying each piece of evidence (in case the label is removed); the persons who discovered it; the case number; the date, time, and location of the discovery; and the reason for collection. Keep a log of all staff hours and expenses. This information should be specific enough for recollection later in court.
Being methodical is extremely important when identifying evidence. Do not collect evidence by yourself—have a second person who can serve as a witness to your actions. Keep logs of your actions during both seizure and during analysis and storage.
31
Protecting Evidence
Techniques to protect evidence (preservation of data)
Protect from electromagnetic or mechanical damage.
Ensure evidence is not tampered with, damaged, or compromised by the investigation.
Protect evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration.
Use static-free evidence-protection gloves as opposed to standard latex gloves.
Seal evidence in a proper container with evidence tape, and mark it with your initials, date, and case number.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
For example, if a mobile phone with advanced capabilities is seized, it should be properly secured in a hard container designed to prevent accidentally pressing the keys during transit and storage. If the phone is to remain turned on for analysis, radio frequency isolation bags that attenuate the device’s radio signal should be used. This will prevent remote wiping, locking, or disabling of the device.
32
Transporting Evidence
Properly log all evidence in and out of controlled storage.
Use proper packing techniques, such as placing components in static-free bags, using foam packing material, and using cardboard boxes.
Be especially cautious during transport of evidence to ensure custody of evidence is maintained and the evidence is not damaged or tampered with.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
33
Storing Evidence
Store evidence in an evidence room that has low traffic, restricted access, camera monitoring, and entry-logging capabilities.
Store components in static-free bags, foam packing material, and cardboard boxes, and inside metal tamper-resistant cabinets or safes whenever possible.
Storage areas should have environmental controls and environmental-monitoring devices.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Many of today’s electronics are sensitive to environmental factors. It is important for storage areas to have environmental controls to protect devices from temperature and humidity changes. It is also prudent to have environmental-monitoring devices to ensure that temperature and humidity remain within safe ranges for electronic devices.
34
Conducting the Investigation (1 of 4)
Use extreme caution when analyzing computer storage components.
A copy of the system should be analyzed—never the original system.
A forensic workstation can be used.
Contain hard drive bays, write blockers, analysis software, and other devices to safely image and protect computer forensic data
Analysis should be done in a controlled environment with physical security and controlled access.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
35
Conducting the Investigation (2 of 4)
Witness credibility is extremely important.
Digital forensic duplication of data is one of the key elements to preserving the chain of custody, protecting evidence, and having copies of data for analysis.
A digital forensic copy is a carefully controlled copy that has every bit the same as the original.
Includes files and all data structures associated with the device, including unused space, are copied in a digital forensic image copy, every bit, bit by bit
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked, “Did you lock the file system?” and can’t answer affirmatively. Or, when asked, “When you imaged this disk drive, did you use a new system?” the witness can’t answer that the destination disk was new or had been completely formatted using a low-level format before data was copied to it.
36
Conducting the Investigation (3 of 4)
It is also important not to interface with the digital media using the host system.
This type of alteration changes information, potentially damaging the trace evidence needed in the investigation.
For this reason, a write blocker is commonly used to connect the media to the investigator’s computer.
It is common for forensic duplicator devices to have additional features to assist an investigator.
Capturing the hash values for all items is an essential first step in handling any digital evidence.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
It is also important not to interface with the digital media using the host system, as all file systems both read and write to the storage media as part of their normal operation, altering the media. This type of alteration changes information, potentially damaging the trace evidence needed in the investigation. For this reason, a write blocker is commonly used to connect the media to the investigator’s computer.
It is common for forensic duplicator devices to have additional features to assist an investigator, such as making multiple copies at once and calculating hash values for the device and the duplicate. Capturing the hash values for all items is an essential first step in handling any digital evidence.
37
Conducting the Investigation (4 of 4)
Figure 23.3 (a) Write blocker devices and (b) forensic duplicator device
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Figure 23.3 shows a kit that contains both write blockers and a forensic duplicator.
38
Analysis
The following steps are involved in the analysis:
Check the Recycle Bin for deleted files.
Check the web browser history files and address bar histories.
Check the web browser cookie files. Different web browsers store cookies in different places.
Check the Temporary Internet Files folders.
Search files for suspect character strings.
Search the slack and free space for suspect character strings as described previously.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
After successfully imaging the drives to be analyzed and calculating and storing the message digests, the investigator can begin the analysis. The details of the investigation will depend on the particulars of the incident being investigated.
39
Recovery
In a digital forensic sense, recovery is associated with determining the relevant information for the issue at hand.
There are ways to trim the work.
When you can specify specific activities and those activities have logs associated with their occurrence, you can begin to build a solid data set.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
40
Strategic Intelligence/Counterintelligence Gathering
Strategic intelligence is the use of all resources to make determinations.
Strategic intelligence can provide information that limits the scope of an investigation to a manageable level.
Counterintelligence gathering is the act of gathering information specifically targeting the strategic intelligence effort of another entity.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
41
Active Logging
When you have an idea of what information you will want to examine, you can make an active logging plan that assures the information is logged when it occurs and, if at all possible, is logged in a location that prevents alteration.
Active logging is determined during the preparation phase, and when it comes time for recovery, the advance planning pays off in the production of evidence.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
42
Track Man-Hours
Demonstrating the efforts and tasks performed in the forensics process may become an issue in court and other proceedings.
Having the ability to demonstrate who did what, when they did it, and how long it took can establish that the steps were taken per the processes employed.
Having solid accounting data on man-hours and other expenses can provide corroborating evidence as to the actions performed.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
43
Chain of Custody (1 of 3)
Evidence, once collected, must be properly controlled to prevent tampering.
The chain of custody accounts for all persons who handled or had access to the evidence.
The chain of custody shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
44
Chain of Custody (2 of 3)
The following are steps in a chain of custody:
Record each item collected as evidence.
Record who collected the evidence, along with the date and time it was collected or recorded.
Write a description of the evidence in the documentation.
Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
Record all message digest (hash) values in the documentation.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
45
Chain of Custody (3 of 3)
The following are steps in a chain of custody (continued):
Securely transport the evidence to a protected storage facility.
Obtain a signature from the person who accepts the evidence at this storage facility.
Provide controls to prevent access to and compromise of the evidence while it is being stored.
Securely transport the evidence to court for proceedings.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
46
Message Digest and Hash (1 of 2)
You need to ensure that data is not modified.
A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclical redundancy check (CRC).
It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file).
If a subsequent hash created on the same data stream results in a different hash value, it usually means that the data stream was changed.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
47
Message Digest and Hash (2 of 2)
The hash tool is applied to each file or log, and the message digest value is noted in the investigation documentation.
It is a good practice to write the logs to a write-once media such as CD-ROM.
When the case actually goes to trial, the investigator may need to run the tool on the files or logs again to show that they have not been altered in any way since being obtained.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
48
Host Forensics
Host forensics refers to the analysis of a specific system.
Host forensics includes a wide range of elements, including the analysis of file systems and artifacts of the operating system.
These elements often are specific to individual systems and operating systems, such as Linux or Windows.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
49
File Systems (1 of 5)
When a user deletes a file, the file is not actually deleted.
Instead, a pointer in a file allocation table is deleted.
This pointer was used by the operating system to track down the file when it was referenced, and the act of “deleting” the file merely removes the pointer and marks the cluster(s) holding the file as available for the operating system to use.
The actual data originally stored on the disk remains on the disk (until that space is used again); it just is not recognized as a coherent file by the operating system.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
50
File Systems (2 of 5)
Physical memory storage devices can be divided into a series of containers called partitions.
A partition is a logical storage unit that is subsequently used by an operation system.
Systems can have multiple partitions for a wide variety of reasons, ranging from hosting multiple operating systems to performance-maximizing efforts to protection efforts.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
The broad issue of partition operation and management is outside the scope of this chapter, but this is a critical topic to understand and examine when looking at a system forensically.
51
File Systems (3 of 5)
The cluster that holds the fragment of the original file is referred to as free space because the operating system has marked it as usable when needed.
As soon as the operating system stores something else in this cluster, it is considered allocated.
The unallocated clusters still contain the original data until the operating system overwrites them.
Looking at the free space might reveal information left over from files the user thought were deleted from the drive.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Since a deleted file is not actually completely erased or overwritten, it sits on the hard disk until the operating system needs to use that space for another file or application. Sometimes the second file that is saved in the same area does not occupy as many clusters as the first file, so a fragment of the original file is left over.
52
File Systems (4 of 5)
Another place that should be reviewed is slack space, which is different from free space.
When a file is saved to a hard drive or other storage medium, the operating system allocates space in blocks of a predefined size, called clusters.
Even if your file contains only ten characters, the operating system will allocate a full cluster—with space left over in the cluster.
This is slack space.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space. You may also find information in slack space from files that previously occupied that same cluster. Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.
53
File Systems (5 of 5)
Files can be hidden by setting the hidden attribute, which limits the listing of them by standard file utilities.
Can hide files by changing a file extension, encryption, streams, and storage on other partitions.
Encrypted data, by its very nature, is hidden from view.
The magic number is a series of digits near the beginning of the file that provides information about the file format.
Most integrated forensic tool suites handle file identification via magic number.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
There are numerous ways to hide data on a system. One method is to hide files by setting the hidden attribute, which limits the listing of them by standard file utilities. Devised so that system files that should not be directly manipulated are hidden from easy view, this concept raises a broader question with respect to forensics. How can a user hide information from easy accessibility?
There is a wide range of methods of hiding files, and any attempt to list them would be long and subject to continual change. The major ones typically encountered include changing a file extension, encryption, streams, and storage on other partitions. We have already covered partitions—it is obvious that a forensic investigation should find, enumerate, and explore all partitions. Streams will be covered in the next section. Encrypted data, by its very nature, is hidden from view. Without the key, modern encryption methods resist any brute-force attempts to determine the contents. It is important to find encrypted data stores and document the locations for later use by legal counsel.
Changing a file’s extension does not actually alter the contents or usability of a file. It merely breaks the automated runtime association manager that determines what executable is associated with the file type to properly handle it. The challenge of how to handle file types goes back to the early days of computers, when the magic number method was created. The term magic number describes a series of digits near the beginning of the file that provides information about the file format. In some cases the magic number can be read by humans, as GIF87a or GIF89a indicates both Graphics Interchange Format and the specification. Other file types are less obvious, such as a TIFF file on an Intel platform, which is II followed by 42 as a two-byte integer (49 49 2A 00).
Most integrated forensic tool suites handle file identification via magic number and are thus able to find hidden videos, pictures, and other items. The other thing these tools can do is complete searches across the entire storage structure for strings, and this can find many “hidden” items.
54
Streams (1 of 2)
Streams is a short name for Alternate Data Streams, a specific data structure associated with NTFS in Windows.
The normal location for data in an NTFS-based system is in the data stream
A location identified by a record in the Master File Table (MFT) called $DATA:, which is technically an unnamed data stream.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Streams is a short name for Alternate Data Streams, a specific data structure associated with NTFS in Windows. The normal location for data in an NTFS-based system is in the data stream, a location identified by a record in the Master File Table (MFT) called $DATA:, which is technically an unnamed data stream. Alternate data streams have names and are identified by $DATA:StreamName, where StreamName is the name of the stream being used. Streams can be used to hide information; although the information is still present, most of the normal file utilities do not deal with streams, so it will not be seen. Forensic tool suites have tools that can search for, report on, and analyze stream data on Windows systems.
55
Streams (2 of 2)
Alternate data streams have names and are identified by $DATA:StreamName, where StreamName is the name of the stream being used.
Streams can be used to hide information; although the information is still present, most of the normal file utilities do not deal with streams, so it will not be seen.
Forensic tool suites have tools that can search for, report on, and analyze stream data on Windows systems.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
56
Windows Metadata (1 of 2)
Microsoft Windows–based systems have a wide range of artifacts with forensic value.
The vast majority of artifacts exist for the purpose of improving the user experience.
Tracking what users do and have done and making that information available to the operating system to improve future use is one of the primary reasons for the information; its forensic value is secondary.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
57
Windows Metadata (2 of 2)
The first and foremost Windows artifact is the system Registry.
The registry acts a database repository of a whole host of information and provides a one-stop shop for a wide range of Windows forensic artifacts
Artifacts include what applications have been installed, user activity, activity associated with external devices, and more.
There is also a wide range of file activity artifacts that can be analyzed.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Although the specific artifacts needed in an investigation differ based on the scope of the investigation, it is safe to assume that metadata recorded by the Windows operating system will serve a useful purpose in the investigation, especially since the Registry is stored by user and therefore the activity recorded in the Registry is attributable to a user.
The list of artifacts stored by the Registry is extremely long, but some of the major ones include event logs of a wide range of system and security information. There is also a wide range of file activity artifacts that can be analyzed, including analysis of shell-bags, which provides evidence of folder opening. LNK files and most recently used (MRU) elements can point to file system activity. A wide range of date/time stamps on files, even deleted files, can be present for examination. There are specific toolsets designed to forensically explore the Registry and retrieve the desired artifacts from this voluminous store.
As mentioned before and will be mentioned again, Windows forensic analysis is no different from any other forensic analysis with respect to forensic procedures. Skill and proficiency in forensic procedures is the most important issue when analyzing a system, because damage may make use of the information impossible.
58
Linux Metadata (1 of 3)
From a forensics perspective, Linux systems differ from Windows systems in three main ways:
No registry – Program data is stored in scattered locations.
Different file system – A multitude of different file systems are used, each with different attributes.
Plaintext abounds – Files and data tend to be in plaintext, which impacts searching.
The lack of a registry to hold system and program information does not mean that the information is not there; it just means that it is distributed.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
59
Linux Metadata (2 of 3)
Linux comes with a whole host of different forms of file systems.
Each of these has quirks, such as no file creation dates in many of them.
The zeroing of metadata when files are deleted results in forensic challenges.
When it comes to performing forensics on a Linux system, the value of a good sysadmin cannot be understated.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
60
Linux Metadata (3 of 3)
Many of the artifacts of activity on a Linux system are scattered to various local locations.
A good sysadmin can assist in locating and recovering the essential elements for analysis.
This is not a license for a sysadmin to begin performing forensic activities!
The same rules and procedural requirements listed earlier still apply, and in most cases this necessitates the use of forensically trained professionals.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
61
Device Forensics
Device forensics is the application of digital forensic principles to devices.
The fact that it is a device does not change the principles pertaining to the collection and handling of evidence.
All of the forensic principles still apply and are just as important.
What does change are the tools and processes employed to retrieve and analyze the data.
This is because the file systems, data structures, operating systems, and artifacts are different than those in the world of servers and PCs.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
62
Network Forensics
Network forensics is the capture, recording, and analysis of network events in order to discover the source of network problems or security incidents.
Examining networks in a forensic fashion introduces several challenges.
Scale – The scale of a network is related to the number of nodes and the speed of traffic.
Volume – Packet capture can necessitate large quantities of storage.
Network forensics becomes an issue of specificity.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Examining networks in a forensic fashion introduces several challenges. First is scale. The scale of a network is related to the number of nodes and the speed of traffic. Second is the issue of volume. Packet capture is not technically difficult, but it can necessitate large quantities of storage. And although storage is relatively cheap, large numbers of packets can be difficult to sort through and analyze.
Because of these issues,—network forensics becomes an issue of specificity; if you know what target and what protocols you are looking for, you can selectively capture and analyze the traffic for those segments and have data that is useful. But therein lies the other challenge. Network data is temporal. It exists while the packet is in transit and then it is gone, forever. Metadata such as NetFlow data can provide some information, but it does not contain any content of the data being transmitted.
As a general-purpose tool, network forensics is nearly impossible because of the scale issues. But in specific situations, such as in front of high-value targets that have limited data movement, it can prove to be valuable. It can also be valuable in troubleshooting ongoing incidents and problems in the network.
The same rules apply to network forensics as apply to all other forensic collection efforts. Preserving the integrity of the data is paramount, and maintaining control over the data is always a challenge. Forensic rules (admissibility, chain of custody, etc.) do not change because the source of data has changed.
63
Legal Hold
Once you realize you need to preserve evidence, you must use a legal hold, or litigation hold, process by which you properly preserve any and all digital evidence related to a potential case.
Ordinary data retention policies no longer are in effect.
Alterations to metadata can be considered to be a violation of the hold request.
Finding and managing all of this information falls under a topic called e-discovery.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
64
E-Discovery
Electronic discovery, or e-discovery, is the term used for the document and data production requirements as part of legal discovery in civil litigation.
Electronic information is considered to be the same as paper documents in some respects and completely different in others.
The evidentiary value can be identical.
The fragility can be substantial—electronic records can be changed without leaving a trace.
Electronic documents can also have metadata associated with the documents.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
One of the pressing challenges in today’s enterprise record store is the maintenance of the volumes of electronic information. Keeping track of the information stores based on a wide range of search terms is essential to comply with e-discovery requests. It is common for systems to use forensic processes and tools to perform e-discovery searches.
65
Reference Model (1 of 2)
EDRM, a coalition of consumers and providers focused on improving e-discovery and information governance, has created a reference model for e-discovery.
The Electronic Discovery Reference Model provides a framework for organizations to prepare for e-discovery.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
The major steps of the framework are thoroughly described on the EMDR web site (http://edrm.net). Additional resources available from EDRM include XML schemas, glossaries, metric, and more.
66
Reference Model (2 of 2)
Figure 23.4 Electronic Discovery Reference Model
(courtesy of EDRM, EDRM.net)
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
The Electronic Discovery Reference Model, shown in Figure 23.4, provides a framework for organizations to prepare for e-discovery.
67
Big Data
We have created large data stores in most enterprises, a byproduct of cheap storage and the ubiquity of the Internet.
Big data is an issue in e-discovery as well.
The cataloging, storage, and maintenance of corporate records often becomes a big data issue.
This facilitates the use of big data methods in many cases.
This is an area of rapid development, both for forensics and e-discovery, as data volumes continue to grow exponentially.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
It may seem that big data is all the rage in business today, but in reality it is simply a description of the times.
68
Cloud (1 of 2)
The cloud has become a resource for enterprise IT systems.
The cloud is intimately involved in both e-discovery and forensics.
Having data that may or may not be directly accessed by the tools of e-discovery and forensics can complicate the needed processes.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
69
Cloud (2 of 2)
An additional complication is the legal issues associated with the contracts between the organization and the cloud provider.
As both forensics and e-discovery are secondary processes from a business perspective, they may or may not be addressed in a standard cloud agreement.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Because these processes can become important—and if they do, it may be too late to contractually address them—it behooves an organization to prepare by addressing them in cloud agreements with third parties.
70
Chapter Summary
Explore the basics of digital forensics.
Identify the rules and types of evidence.
Collect and preserve evidence.
Maintain a viable chain of custody.
Investigate a computer crime or policy violation.
Examine system artifacts.
Develop forensic policies and procedures.
Examine the policies and procedures associated with e-discovery.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
71