sy0-601-18v1.0.pptx

Explaining Digital Forensics

Lesson 18


Explain Key Aspects of Digital Forensics Documentation

Topic 18A

CompTIA Security+ Lesson 18 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org


Syllabus Objectives Covered

4.5 Explain the key aspects of digital forensics


Key Aspects of Digital Forensics

Collecting evidence from computer systems to a standard that will be accepted in a court of law

Evidence, documentation, and admissibility

Latent evidence

Collection must be documented

Due process

Legal hold

Chain of custody

Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation


Digital Forensics Reports

Summarizes contents of the digital data

Conclusions from the investigator's analysis

Professional ethics

Analysis must be performed without bias

Analysis methods must be repeatable

Evidence must not be changed or manipulated


E-discovery

Electronically Stored Information (ESI)

Identify and de-duplicate files and metadata

Search

Tags

Security

Disclosure


Video and Witness Interviews

Video

Record all actions

Log/video steps taken

Witness interviews

Informal statements

Avoid leading questions

Formal questioning


Timelines

Sequence of events

Time stamps

OS/file system methods for recording time

Correct synchronization of local time source

Time offset

Coordinated Universal Time (UTC)

Local time

Date/time settings tampering
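The timeline points above (time stamps recorded differently by each OS, a time offset between local time and UTC, and the possibility of date/time tampering) are easiest to see in code. The following is an added example written for this page, not CompTIA's material or any tool from the lesson. The log records, the workstation's UTC-05:00 zone and its 90-second clock skew are all constructed assumptions; the point is that every source is normalised to UTC with a documented correction before events are sequenced, and that records dated after acquisition are flagged rather than silently dropped.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from the slides). Each source records time in a
# different way, which is exactly what the timeline step has to reconcile.
RAW_EVENTS = [
    {"source": "workstation", "stamp": "2020-03-10 09:02:15", "fmt": "local",
     "msg": "USB mass storage device attached"},
    {"source": "workstation", "stamp": "2020-03-10 09:03:40", "fmt": "local",
     "msg": "file copied to removable drive"},
    {"source": "workstation", "stamp": "2020-03-11 10:00:00", "fmt": "local",
     "msg": "scheduled task ran"},
    {"source": "firewall", "stamp": "2020-03-10T14:01:50+00:00", "fmt": "iso",
     "msg": "outbound connection allowed"},
    {"source": "fileserver", "stamp": "1583848900", "fmt": "epoch",
     "msg": "share accessed"},
]

# Clock facts established during acquisition (assumed for this example): the
# workstation's local zone was UTC-05:00 and its clock ran 90 s fast against a
# trusted NTP reference. Epoch and ISO-with-offset stamps need no zone assumption.
SOURCE_ZONES = {"workstation": timezone(timedelta(hours=-5))}
CLOCK_SKEW = {"workstation": timedelta(seconds=90)}


def to_utc(event):
    """Convert one record's stamp to an aware UTC datetime, applying zone and skew."""
    fmt, stamp, src = event["fmt"], event["stamp"], event["source"]
    if fmt == "epoch":
        t = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    elif fmt == "iso":
        t = datetime.fromisoformat(stamp)
        if t.tzinfo is None:
            raise ValueError("ISO stamp without offset; establish the zone first")
        t = t.astimezone(timezone.utc)
    elif fmt == "local":
        zone = SOURCE_ZONES[src]  # KeyError is deliberate: never guess a zone
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
        t = t.astimezone(timezone.utc)
    else:
        raise ValueError(f"unknown stamp format {fmt}")
    # A fast clock records times later than reality, so subtract the measured skew.
    return t - CLOCK_SKEW.get(src, timedelta(0))


def build_timeline(events):
    """Return events sorted by corrected UTC time, with the UTC string attached."""
    rows = []
    for e in events:
        t = to_utc(e)
        rows.append({"utc": t.isoformat(), "source": e["source"], "msg": e["msg"], "_t": t})
    rows.sort(key=lambda r: r["_t"])
    for r in rows:
        del r["_t"]
    return rows


def flag_future_stamps(timeline, acquired_at_utc):
    """Records dated after the evidence was acquired cannot be genuine: they point to a
    wrong clock or date/time tampering and must be documented, not silently dropped."""
    cutoff = datetime.fromisoformat(acquired_at_utc)
    return [r for r in timeline if datetime.fromisoformat(r["utc"]) > cutoff]


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for r in tl:
        print(r["utc"], r["source"], r["msg"])
    print("suspicious:", flag_future_stamps(tl, "2020-03-10T16:00:00+00:00"))
```

Once corrected, the workstation's "USB attached" record (09:02:15 local, 14:00:45 UTC after the skew is removed) sorts before the file server and firewall records rather than after them, which is the kind of ordering question a report has to answer precisely.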


Event Logs and Network Traffic

Collect data from network logging servers

Packet captures

Retrospective Network Analysis (RNA)

Record collection methods to establish provenance

Screenshot: Autopsy - The Sleuth Kit (sleuthkit.org/autopsy)


Strategic Intelligence and Counterintelligence

Counterintelligence

Re-examine logs for signs of intrusion

Analyze adversary tactics, techniques, and procedures (TTP)

Develop better control configurations

Strategic intelligence

Inform risk management and security control provisioning to build mature cybersecurity capabilities


Review Activity

Digital Forensics Documentation

Explain Key Aspects of Digital Forensics Evidence Acquisition

Topic 18B


Syllabus Objectives Covered

4.1 Given a scenario, use the appropriate tool to assess organizational security

4.5 Explain the key aspects of digital forensics


Data Acquisition and Order of Volatility

Legal seizure and search of devices

Computer on/off state

Order of volatility

CPU registers and cache memory

Non-persistent system memory (RAM)

Data on persistent storage

Partition data and file system artefacts

Cached system memory data (pagefiles and hibernation files)

Temporary file caches

User, application, and OS files and directories

Remote logging and monitoring data

Physical configuration and network topology

Archival media


Digital Forensics Software

EnCase Forensic and The Forensic Toolkit (FTK)

Commercial case management and evidence acquisition and analysis

The Sleuth Kit/Autopsy

Open-source case management and evidence acquisition and analysis

WinHex

Forensic recovery and analysis of binary data

The Volatility Framework

System memory analysis


System Memory Acquisition

Evidence recovery from non-persistent memory

Contents of temporary file systems, registry data, network connections, cryptographic keys, …

Live acquisition

Pre-install kernel driver

Crash dump

Recover from fixed disk

Hibernation and page file

Recover from fixed disk

Screenshot: Volatility Framework (volatilityfoundation.org)

Disk Image Acquisition

Non-volatile storage media and devices

Acquisition types

Live acquisition

Static acquisition by shutting down the host

Static acquisition by pulling the plug

Imaging utilities

Forensic software suites and file formats

dd


Preservation and Integrity of Evidence

Provenance

Record process of evidence acquisition

Use a write blocker

Data acquisition with integrity and non-repudiation

Cryptographic hashing and checksums

Take hashes of source device, reference image, and copy of image for analysis

Preservation of evidence

Secure tamper-evident bagging

Protection against electrostatic discharge (ESD)

Chain of custody

Secure storage facility
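The hashing step (source device, reference image, and the working copy used for analysis must all produce the same digest, and every digest is written into the acquisition record) is shown below as an added example for this page; it is not CompTIA's code and not an imaging tool from the lesson. The "device" is a constructed 3 MiB file in a temporary directory, and the byte-for-byte copy loop stands in for dd (assumption: the source is only ever opened read-only, which in a real acquisition a hardware write blocker enforces). Running it with tamper=True alters one byte of the working copy to show that the verification catches it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read evidence in 1 MiB chunks so large images never sit fully in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in one pass, feeding every chunk to each requested digest."""
    digests = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {a: d.hexdigest() for a, d in digests.items()}


def acquire_image(source_path, image_path):
    """Byte-for-byte copy standing in for an imaging utility such as dd.
    Assumption for this example: the source is opened read-only only."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)


def verify_acquisition(source_path, reference_path, working_path, log):
    """Hash source device, reference image and analysis copy; all three must agree.
    Every hash is appended to the provenance log with a UTC timestamp."""
    results = {}
    for label, path in (("source", source_path), ("reference", reference_path),
                        ("working", working_path)):
        h = hash_file(path)
        results[label] = h
        log.append({"when": datetime.now(timezone.utc).isoformat(), "item": label, **h})
    ok = results["source"] == results["reference"] == results["working"]
    log.append({"when": datetime.now(timezone.utc).isoformat(), "item": "verification",
                "result": "MATCH" if ok else "MISMATCH"})
    return ok, results


def demo(tamper=False):
    """Run the acquisition against a constructed 'device' and return (verified, log)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "device.bin")
        reference = os.path.join(d, "reference.dd")
        working = os.path.join(d, "working.dd")
        # Constructed evidence: 3 MiB of deterministic bytes standing in for a small drive.
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * 1024 * 4))
        acquire_image(source, reference)
        acquire_image(reference, working)
        if tamper:
            with open(working, "r+b") as fh:  # flip one byte of the analysis copy
                fh.seek(4096)
                fh.write(b"\xff")
        log = []
        ok, _ = verify_acquisition(source, reference, working, log)
        return ok, log


if __name__ == "__main__":
    for t in (False, True):
        ok, log = demo(tamper=t)
        print("tampered:", t, "verification:", log[-1]["result"])
        for entry in log[:-1]:
            print(" ", entry["item"], entry["sha256"])
```

Two digests are recorded because older case files and tool output often quote MD5; a second, stronger digest (SHA-256 here) is what the verification actually rests on. The log entries, with their timestamps, are the material that goes into the chain-of-custody record.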


Acquisition of Other Data

Network

Cache

File system cache (temporary files)

Hardware cache

Artifacts and data recovery

Windows Alternate Data Streams (ADS)

File caches (prefetch and Amcache)

Slack space and file carving

Snapshot

Acquisition of VM disk images

Firmware
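"Slack space and file carving" above refers to recovering files from space the file system no longer accounts for, by scanning raw bytes for known file signatures. The block below is an added example for this page, not code from the CompTIA lesson or from any of the tools it names: a minimal header/footer carver run over a constructed blob of "unallocated" bytes containing a small JPEG, a PNG, and a JPEG whose tail has been overwritten. The signature table and the sample payloads are the example's own assumptions; real carvers also validate internal structure, which this one does not.

```python
# Signature table (assumed for this example): type, header bytes, footer bytes,
# and the longest run that will be carved when no footer is found.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 1 << 20),
]


def carve(blob):
    """Return every signature hit as {type, offset, length, complete}, sorted by offset.
    A header with no footer inside max_len is still reported, marked incomplete, so the
    examiner can decide what to do with a partially overwritten file."""
    hits = []
    for ftype, header, footer, max_len in SIGNATURES:
        pos = blob.find(header)
        while pos != -1:
            end = blob.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                hits.append({"type": ftype, "offset": pos,
                             "length": min(max_len, len(blob) - pos), "complete": False})
                nxt = pos + len(header)
            else:
                hits.append({"type": ftype, "offset": pos,
                             "length": end + len(footer) - pos, "complete": True})
                nxt = end + len(footer)
            pos = blob.find(header, nxt)
    hits.sort(key=lambda h: h["offset"])
    return hits


def extract(blob, hit):
    """Return the carved bytes for one hit; the caller hashes and logs them as derived evidence."""
    return blob[hit["offset"]: hit["offset"] + hit["length"]]


def build_sample_unallocated():
    """Constructed sample, not a real disk: zero-filled slack with three embedded fragments."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"A" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 60 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"C" * 40  # header survives, rest overwritten
    filler = b"\x00" * 512
    return filler + jpeg + filler + png + filler + truncated + filler


if __name__ == "__main__":
    blob = build_sample_unallocated()
    for h in carve(blob):
        print(h["type"], "at", h["offset"], "len", h["length"],
              "complete" if h["complete"] else "INCOMPLETE")
```

In the sample the complete JPEG is found at offset 512 (112 bytes), the PNG at 1136 (84 bytes), and the overwritten JPEG at 1732 is reported as incomplete with its length capped at the end of the blob; each carved region would then be hashed and recorded like any other derived evidence.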


Digital Forensics for Cloud

Right to audit clauses

Limited opportunities for recovery of ephemeral images

Ability to snapshot instances

Recover log and monitoring data

Complex chain of custody issues

Complex regulatory/jurisdiction issues

Data breach notification laws


Review Activity

Digital Forensics Evidence Acquisition

Lab Activity

Assisted Lab

Acquiring Digital Forensics Evidence

Summary

Lesson 18
