Digital Forensics

Cards (36)

  • Forensics
    The process of using science to collect, analyze, and describe evidence in a manner that is acceptable to a court of law
  • digital forensics
    computer forensics; process of using well-defined analytical and investigative techniques to guide the processes of collecting and examining evidence related to a computer security incident
  • real evidence
    any physical object that you can touch or otherwise directly observe. Examples of real evidence include a smartphone, a laptop, a hard drive, or a USB drive
  • documentary evidence
    Data expressed in written form, whether on paper or stored in digital files; email messages, databases, log and activity files, digital media, communication activity records, etc.
  • Testimonial evidence
    Information collected from individuals that supports and helps to interpret evidence; Statements of people who observed the physical presence of other people at a specific place and time to support evidence
  • Demonstrative evidence
    Any information that helps explain other evidence; Visual aids, expert witness interpretation, etc.
  • Admissibility
    the determination that evidence is either acceptable or unacceptable to a court of law
  • Acquisition
    The process of collecting evidence
  • legal hold
    a process that requires an organization to preserve and not alter evidence that may be used in court, and it can help ensure that normal data handling procedures do not contaminate or even delete data that may be needed for a case
  • chain of custody
    running documentation of what happened to evidence; important to establish that evidence was collected and handled using proper techniques and procedures that are required to satisfy evidence admissibility standards
  • provenance
    the point of origin of a piece of evidence
  • time stamps
    values recorded in computer log files that help establish a sequence of events; they should be accurate to at least the second, if not the millisecond
  • preservation
    assurance that evidence remains unchanged from its state when it was collected
  • hash function
    A mathematical function that takes arbitrary data as input and returns a fixed length output (number)
  • E-discovery
    an iterative process of examining storage media, searching for items of interest, identifying likely items that may have value as evidence, and then recovering those items
  • data recovery
    identifying and recovering data that is not easily accessible
  • Faraday bag
    a bag or enclosure that is shielded to stop any electromagnetic emanations; used to avoid any outside communication while searching a mobile device and seizing evidence
  • evidence
    trail of damage or artifacts of what happened after a successful attack
  • Forensics team should have in-depth knowledge of at least these areas:
    • hardware
    • computer memory
    • storage devices
    • operating systems
    • file systems
    • networks
    • software
  • Computing devices play at least one of three roles in crime:
    • target
    • instrument
    • repository
  • Target
    computing device(s) that the attacker aims to change, infect, or otherwise make unavailable
  • instrument
    a computing device that may be a party to an attack; attackers often use a compromised computer or device to launch attacks on third parties to hide the true origin of the attack
  • repository
    a computing device that stores information about an attack; can help keep track of an attacker's activities to carry out follow-on attacks and, in some cases, to complete attack activities
  • Types of computer crimes:
    • identity theft
    • exfiltrating data
    • cyberstalking/harassment
    • online fraud
    • nonaccess computer crimes
    • cyberterrorism
  • Exfiltrating data
    capturing identifying data; done by hacking into a computer that stores data and downloading (exfiltrating) the personal data. Once exfiltrated, the personal data can be leveraged or sold to other cybercriminals.
  • Nonaccess computer crimes
    crimes whose aim is crashing a target’s critical functionality or otherwise stopping normal business from occurring; they can successfully interrupt normal (revenue-creating) processes or create a disruptive break
  • Principles of effective digital forensic investigations:
    • minimize original data handling
    • enforce the rules of evidence
    • do not exceed your knowledge
    • develop an analysis plan first
    • consider data volatility
  • Digital forensic frameworks:
    • U.S. Department of Defense Forensic Standards
    • The Digital Forensic Research Workshop Framework
    • The Scientific Working Group on Digital Evidence Framework
    • An Event-Based Digital Forensic Investigation Framework
  • The Digital Forensic Research Workshop Framework
    goal is to enhance the sharing of knowledge and ideas about digital forensics research; a matrix with 6 classes: Identification, Preservation, Collection, Examination, Analysis, and Presentation
  • An Event-Based Digital Forensic Investigation Framework
    more intuitive and flexible than DFRWS; has five primary phases, each of which may contain additional subphases: the Readiness phase, the Deployment phase, the Physical Crime Scene Investigation phase, the Digital Crime Scene Investigation phase, and the Presentation phase
  • One important job of the OS is to support many more processes, which it does by allowing a process to execute for only a tiny amount of time and then giving the CPU to another process. It can do this by taking the instructions and memory of a running process and writing to a special file, called a pagefile, and then loading another process and running it.
  • And, in some cases, processes that are running need more memory than the computer can physically support. In those cases, some pages of memory are written to another file, called a swapfile, and then the page of memory can be used to store different data.
  • As a rule of thumb, paging (i.e., writing to and reading from the pagefile) is normal, while swapping (i.e., writing to and reading from the swapfile) is not. If you are swapping a lot, you probably need to add memory.
  • The core OS data and functions are often called the kernel.
  • Evidence of interest on mobile devices:
    • call history
    • email and text messages, including app-specific messages
    • pictures and videos (these can sometimes provide graphic evidence)
    • device information
    • GPS information and history
    • network connection information and history
  • Here is a list of troubleshooting steps when you encounter physical media damage:
    1. Remove the media and install it in a test system.
    2. Boot the test system and listen to the damaged media to see whether it makes any noise.
    3. If you hear normal sounds on boot, accessing the drive and its contents from the test system may be possible.
    4. If you hear no sounds or abnormal sounds on boot, limited repairs may be possible.
    5. If nothing else works, the best next step is to send the device to an organization that specializes in data recovery from damaged devices.