4.8 Digital Forensics Flashcards

(7 cards)

1
Q

Digital forensics

A
  • Collect and protect information relating to an intrusion
    – Many different data sources and protection mechanisms
  • RFC 3227 - Guidelines for Evidence Collection and Archiving
    – A good set of best practices
  • Standard digital forensic process
    – Acquisition, analysis, and reporting
  • Must be detail oriented
    – Take extensive notes
2
Q

Legal Hold

A
  • A legal technique to preserve relevant information
    – Prepare for impending litigation
    – Initiated by legal counsel
  • Hold notification
    – Custodians are instructed to preserve data
  • Separate repository for electronically stored information (ESI)
    – Many different data sources and types
    – Unique workflow and retention requirements
  • Ongoing preservation
    – Once notified, there’s an ongoing obligation to preserve data
3
Q

Chain of custody

A
  • Control evidence
    – Maintain integrity
  • Everyone who contacts the evidence
    – Use hashes and digital signatures
    – Avoid tampering
  • Label and catalog everything
    – Digitally tag all items for ongoing documentation
    – Seal and store
4
Q

Acquisition

A
  • Obtain the data
    – Disk, RAM, firmware, OS files, etc.
  • Some of the data may not be on a single system
    – Servers, network data, firewall logs
  • For virtual systems, get a snapshot
    – Contains all files and information about a VM
  • Look for any left-behind digital items
    – Artifacts
    – Log information, recycle bins, browser bookmarks, saved logins, etc.
5
Q

Reporting

A
  • Document the findings
    – For internal use, legal proceedings, etc.
  • Summary information
    – Overview of the security event
  • Detailed explanation of data acquisition
    – Step-by-step method of the process
  • The findings
    – An analysis of the data
  • Conclusion
    – Professional results, given the analysis
6
Q

Preservation

A
  • Handling evidence
    – Isolate and protect the data
    – Analyze the data later without any alterations
  • Manage the collection process
    – Work from copies
    – Manage the data collection from mobile devices
  • Live collection has become an important skill
    – Data may be encrypted or difficult to collect after powering down
  • Follow best practices to ensure admissibility of data in court
    – What happens now affects the future
7
Q

E-Discovery

A
  • Electronic discovery
    – Collect, prepare, review, interpret, and produce electronic documents
  • E-discovery gathers data required by the legal process
    – Does not generally involve analysis
    – There’s no consideration of intent
  • Works together with digital forensics
    – The e-discovery process obtains a storage drive
    – Data on the drive is smaller than expected
    – Forensics experts determine that data was deleted and attempt to recover the data