Explain the four general tasks that may place a role in recovering from a security incident.
- Identify shortcomings in risk assessment, policy, or implementation
- Repair problems caused by the incident
- If the incident is caused by an individual’s malicious act, and we can hold that person accountable, then we collect evidence to clearly tie the person to the incident
- If someone uses our computer to violate laws, then we need to preserve evidence so that a prosecutor may use it in a trial
A __________ has had defenses weakened and possibly no other damage
compromised system
Recovery from a compromise is ____________
remediation
Explain digital forensics:
The process of collecting and/or analyzing evidence from computers and other digital storage devices
Issues in evidence gathering:
- What data should we collect before an incident occurs
- What data are we allowed to collect from an individual’s personal computer
- What data can we retrieve from persistent memories like USBs and hard drives
List and explain the three general categories of legal systems used in the world. Give an example of each.
- Civil law - based on legislative enactments. Example: Roman and Napoleonic laws
- Common law - based on judicial decisions. Example: English common law and the US legal system
- Religious law - based on religious systems and/or documents.. Example: Jewish, Islamic, and Christian canon law systems
List and describe four ways of resolving a security incident that could arise to the level of a legal dispute
- Private action - One party acts agains another, based on a shared relationship
- Meditation - two Parties relies on a third party (mediator), to help negotiate a settlement
- Civil complaint - One party files a lawsuit against another. Settled in a court trial u n l e s s settled
informally ahead of time. - Criminal complaint - A person is charged with breaking specific laws.
When can we use informal evidence, and when must evidence be legally admissible?
Private actions and Mediation - Informal evidence might be considered when resolving the complaint or dispute. Mediators might demand admissible evidence
Civil and criminal complaints - Only admissible evidence may be used in court proceedings
Explain the concept of due diligence
The notion that there are customary acts that parties take for safety and security.
Parties are less at fault if they show due diligence in their actions.
Describe the basic requirements evidence must meet to be used in a legal proceeding.
Must yield admissible evidence
- Legal constraints: US 4th Amendment, expectations of privacy, private ownership, consent to search
- Records collected for routine business use
- No modifications since collection
Describe the three steps an investigator performs when collecting forensic evidence.
Securing the Scene – Securing the scene means restricting access by removing unauthorized individuals to preserve the integrity of the evidence.
Documenting the Scene – Documenting the scene involves recording detailed information, descriptions, and photographs of the location and evidence as they are found.
Collecting the Evidence – Collecting evidence is the careful process of gathering, preserving, and labeling items for further analysis and investigation.
Digital evidence procedures
- Photograph the screens of powered-on devices
- For most powered-on devices, simply remove the power source (cord and/or battery)
- Document all serial numbers, cords, and other connections before removal
- Seal each item in an evidence bag
Is it better to perform a clean “shutdown” or simply pull the plug when collecting a computer as evidence?
As noted, the best strategy in most cases is to simply unplug a running computer. The shutdown operation in many operating systems may wipe out evidence that a forensics investigation could otherwise recover. In particular, Microsoft Windows is likely to save more information if we simply “pull the plug” than if we perform a clean “shutdown.”
Forensic hard drive analysis
- We calculate an integrity check on the hard drive: a very large integer (48 digits or more)
- We copy the hard drive and recalculate the integrity check - it must match
- Then we analyze the copy, not the original. After collecting evidence, we recalculate the integrity check - must still match
Two elements of storing data on a hard drive
- a coil of wire
- magnetic surface
Two ways to handle magnetic data:
- Reading data: We generate a current if a coil of wire moves past a magnet
- Writing data: We magnetize a surface if it moves past a coil of wire containing a current
Basic components of a hard drive:
Arm
Disk head motor
Platter spindle (motor underneath)
Read/write head
Two platters
Drive size has followed __________
Moore’s Law
Explain the difference between “high-level” and “low-level” disk formatting. When we perform a “quick format,” what formatting do we perform?
High-level format: Provides the structure to store files, directories, folders, and free space.
Upon doing a “quick format” we perform high-level formatting.
Low-level format: Places the numbered sectors on the drive. Rewrites each one to ensure that all sectors can be read and written
Two error detection
Parity and Checksum
Modern error detection
- Cyclic Redundancy Checks (CRCs):
- Can detect a burts of errors. A series of all 0’s replacing the real data.
- More sensitive to a change of order. Simple checksum won’t detect swaps - Error Correcting Codes (ECC):
- Can detect larger-scale errors.
- Can correct smaller errors.
- Used on RAMs and DVDs
Difference of address variables and range of address
Address variable: tells where data resides. Typically a RAM address. Sometimes called a pointer variable. May also be an array index variable
Range of address: Indicates the size required for the address variable
What is the difference between 1 GB of storage and 1 GiB of storage? What is the difference between 1 KB of storage and 1 Kb of storage?
1 GB (gigabyte) = 1,000,000,000 bytes (10⁹) → decimal-based.
1 GiB (gibibyte) = 1,073,741,824 bytes (2³⁰) → the “i” in GiB means it uses binary (a large power of 2).
1 KB (kilobyte) = 1,024 bytes (binary) or 1,000 bytes (decimal).
1 Kb (kilobit) = 1,000 bits (decimal).
👉 B = Byte (8 bits), b = bit.
What is Moore’s law?
Predicted that computing power and efficiency will increase every 18 months
