Explaining Digital Forensics
Lesson 18
Explain Key Aspects of Digital Forensics Documentation
Topic 18A
CompTIA Security+ Lesson 18 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
  4.5 Explain the key aspects of digital forensics
Key Aspects of Digital Forensics
  Collecting evidence from computer systems to a standard that will be accepted in a court of law
  Evidence, documentation, and admissibility
    Latent evidence
    Collection must be documented
  Due process
  Legal hold
  Chain of custody
    Integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation
Digital Forensics Reports
  Summarizes contents of the digital data
  Conclusions from the investigator's analysis
  Professional ethics
    Analysis must be performed without bias
    Analysis methods must be repeatable
    Evidence must not be changed or manipulated
E-discovery
  Electronically Stored Information (ESI)
  Identify and de-duplicate files and metadata
  Search
  Tags
  Security
  Disclosure
Video and Witness Interviews
  Video
    Record all actions
    Log/video steps taken
  Witness interviews
    Informal statements
    Avoid leading questions
    Formal questioning
Timelines
  Sequence of events
  Time stamps
    OS/file system methods for recording time
    Correct synchronization of local time source
  Time offset
    Coordinated Universal Time (UTC)
    Local time
  Date/time settings tampering
Event Logs and Network Traffic
  Collect data from network logging servers
  Packet captures
  Retrospective Network Analysis (RNA)
  Record collection methods to establish provenance
Screenshot: Autopsy - The Sleuth Kit (sleuthkit.org/autopsy)
Strategic Intelligence and Counterintelligence
  Re-examine logs for signs of intrusion
  Counterintelligence
    Analyze adversary tactics, techniques, and procedures (TTP)
    Develop better control configurations
  Strategic intelligence
    Inform risk management and security control provisioning to build mature cybersecurity capabilities
Review Activity
  Digital Forensics Documentation
Explain Key Aspects of Digital Forensics Evidence Acquisition
Topic 18B
Syllabus Objectives Covered
  4.1 Given a scenario, use the appropriate tool to assess organizational security
  4.5 Explain the key aspects of digital forensics
Data Acquisition and Order of Volatility
  Legal seizure and search of devices
  Computer on/off state
  Order of volatility (most volatile first)
    CPU registers and cache memory
    Non-persistent system memory (RAM)
    Data on persistent storage
      Partition data and file system artefacts
      Cached system memory data (pagefiles and hibernation files)
      Temporary file caches
      User, application, and OS files and directories
    Remote logging and monitoring data
    Physical configuration and network topology
    Archival media
Digital Forensics Software
  EnCase Forensic and The Forensic Toolkit (FTK)
    Commercial case management and evidence acquisition and analysis
  The Sleuth Kit/Autopsy
    Open-source case management and evidence acquisition and analysis
  WinHex
    Forensic recovery and analysis of binary data
  The Volatility Framework
    System memory analysis
System Memory Acquisition
  Evidence recovery from non-persistent memory
    Contents of temporary file systems, registry data, network connections, cryptographic keys, …
  Live acquisition
    Pre-install kernel driver
  Crash dump
    Recover from fixed disk
  Hibernation and page file
    Recover from fixed disk
Screenshot: Volatility Framework (volatilityfoundation.org)
Disk Image Acquisition
  Non-volatile storage media and devices
  Acquisition types
    Live acquisition
    Static acquisition by shutting down the host
    Static acquisition by pulling the plug
  Imaging utilities
    Forensic software suites and file formats
    dd
Preservation and Integrity of Evidence
  Provenance
    Record process of evidence acquisition
    Use a write blocker
  Data acquisition with integrity and non-repudiation
    Cryptographic hashing and checksums
    Take hashes of source device, reference image, and copy of image for analysis
  Preservation of evidence
    Secure tamper-evident bagging
    Protection against electrostatic discharge (ESD)
    Chain of custody
    Secure storage facility
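A worked check for the hashing step on this slide, added here as an example and not part of CompTIA's material: it hashes a constructed "source device", its reference image, and a working copy, flags any copy whose digest differs, and records the result with a UTC timestamp as a provenance entry. The sample bytes and examiner name are placeholders; on a real case the same functions would be pointed at the write-blocked device and the image files.

```python
"""Added example (not CompTIA's code): verify that a forensic image and its
working copy match the source device by hash, and record the outcome as a
provenance entry with a UTC timestamp. The 'device' bytes are constructed
in memory so this runs offline."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16  # hash in 64 KiB chunks so large images need not fit in RAM


def hash_stream(stream, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for the whole stream, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (constructed samples, tests)."""
    return hash_stream(io.BytesIO(data))


def verify_acquisition(source, reference_image, working_copy, examiner):
    """Hash source, reference image and working copy; return a provenance
    record saying whether all three agree. Any mismatch means that copy must
    not be used for analysis until it has been re-acquired."""
    digests = {
        "source": hash_bytes(source),
        "reference_image": hash_bytes(reference_image),
        "working_copy": hash_bytes(working_copy),
    }
    mismatches = [name for name, d in digests.items() if d != digests["source"]]
    return {
        "recorded_utc": datetime.now(timezone.utc).isoformat(),  # UTC, not local time
        "examiner": examiner,  # placeholder identity in this example
        "hashes": digests,
        "verified": not mismatches,
        "mismatches": mismatches,
    }


# Constructed sample 'device' contents (placeholders, not real evidence).
SOURCE = b"\x00" * 512 + b"MBR-like header" + b"\xff" * 1024
GOOD_COPY = bytes(SOURCE)
TAMPERED_COPY = SOURCE[:600] + b"X" + SOURCE[601:]  # a single byte altered

if __name__ == "__main__":
    ok = verify_acquisition(SOURCE, GOOD_COPY, GOOD_COPY, "examiner-placeholder")
    bad = verify_acquisition(SOURCE, GOOD_COPY, TAMPERED_COPY, "examiner-placeholder")
    print("clean acquisition verified:", ok["verified"])
    print("tampered working copy detected:", bad["mismatches"])
```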
Acquisition of Other Data
  Network
  Cache
    File system cache (temporary files)
    Hardware cache
  Artifacts and data recovery
    Windows Alternate Data Streams (ADS)
    File caches (prefetch and Amcache)
    Slack space and file carving
  Snapshot
    Acquisition of VM disk images
  Firmware
Digital Forensics for Cloud
  Right to audit clauses
  Limited opportunities for recovery of ephemeral images
  Ability to snapshot instances
  Recover log and monitoring data
  Complex chain of custody issues
  Complex regulatory/jurisdiction issues
  Data breach notification laws
Review Activity
  Digital Forensics Evidence Acquisition
Lab Activity
  Assisted Lab: Acquiring Digital Forensics Evidence
Summary
Lesson 18