# Explain Key Aspects of Digital Forensics Documentation
## Key Aspects of Digital Forensics
- Collecting evidence from computer systems to a standard that will be accepted in a court of law
- Evidence must be collected in a very specific way to be admissible
- Needs to have a chain of custody
    - Integrity and proper handling of evidence
- Legal hold -> holding the data until litigation is over
![[Pasted image 20230711102103.png]]
![[Pasted image 20230711102110.png]]
![[Pasted image 20230711102118.png]]
![[Pasted image 20230711102129.png]]
![[Pasted image 20230711102136.png]]
![[Pasted image 20230711102142.png]]
# Explain Key Aspects of Digital Forensics Evidence Acquisition
## Data Acquisition and Order of Volatility
- Legal seizure and search of devices
- Computer on/off state
- **Order of volatility**
    1. CPU registers and cache memory
    2. Non-persistent system memory (RAM)
    3. Data on persistent storage (hard drive)
        - Partition data and file system artefacts
        - Cached system memory data (pagefiles and hibernation files)
        - Temporary file caches
        - User, application, and OS files and directories
    4. Remote logging and monitoring data
    5. Physical configuration and network topology
    6. Archival media
## Digital Forensics Software
- **EnCase Forensic and The Forensic Toolkit (FTK)**
    - Commercial case management and evidence acquisition and analysis
- **The Sleuth Kit/Autopsy**
    - Open-source case management and evidence acquisition and analysis
- **WinHex**
    - Forensic recovery and analysis of binary data
- **The Volatility Framework**
    - System memory analysis
- **xxd**
    - Command-line hex dump utility
## System Memory Acquisition
- Evidence recovery from non-persistent memory
    - Contents of temporary file systems, registry data, network connections, cryptographic keys, …
- Live acquisition
    - Pre-installed kernel driver
- Crash dump
    - Recover from fixed disk
- Hibernation and page file
    - Recover from fixed disk
![[Pasted image 20230711102629.png]]
## Preservation and Integrity of Evidence
- Provenance / origination
    - Record the process of evidence acquisition
    - Use a write blocker
- Data acquisition with integrity and non-repudiation
    - Cryptographic hashing and checksums
    - Take hashes of source device, reference image, and copy of image for analysis
- Preservation of evidence
    - Secure tamper-evident bagging
    - Protection against electrostatic discharge (ESD)
- Chain of custody
    - Secure storage facility
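An added example (not part of these notes) of the hashing step: compute MD5 and SHA-256 of the source, the reference image and the working copy in a single pass each, and flag any copy whose digests disagree with the source. The file names and the sample image bytes are constructed for the demo.

```python
# Added example (not from the original notes): verify a forensic image and its
# working copy against the source hashes. Chunked hashing keeps memory bounded.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_images(source, reference_image, working_copy):
    """Hash the source, the reference image and the analysis copy.

    Returns (ok, record): ok is True only if every digest agrees with the
    source; record is a timestamped dict for the acquisition log.
    """
    digests = {name: hash_file(path) for name, path in
               (("source", source), ("reference", reference_image), ("copy", working_copy))}
    mismatches = [n for n in ("reference", "copy") if digests[n] != digests["source"]]
    record = {"verified_at": datetime.now(timezone.utc).isoformat(),
              "digests": digests, "mismatches": mismatches}
    return not mismatches, record

def demo():
    """Constructed sample: a tiny fake disk image and two copies, one altered."""
    data = b"\x00" * 4096 + b"NTFS    " + os.urandom(512)  # constructed bytes, not a real image
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("source.dd", "reference.dd", "copy.dd")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(data)
        ok_before, _ = verify_images(*paths)
        with open(paths[2], "r+b") as f:  # simulate a tampered analysis copy
            f.seek(4096)
            f.write(b"XXXX")
        ok_after, record = verify_images(*paths)
        return ok_before, ok_after, record["mismatches"]

if __name__ == "__main__":
    print(demo())
```

The returned record, once written to the acquisition log alongside the examiner's name and the write-blocker used, is the kind of entry that supports the chain of custody later in court.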
## Acquisition of Other Data
- Network
- Cache
    - File system cache (temporary files)
    - Hardware cache
- Artifacts and data recovery
    - Windows Alternate Data Streams (ADS)
    - File caches (Prefetch and Amcache)
    - Slack space and file carving
- Snapshot
    - Acquisition of VM disk images
- Firmware
## Digital Forensics for Cloud
- Right to audit clauses
- Limited opportunities for recovery of ephemeral images
- Ability to snapshot instances
- Recover log and monitoring data
- Complex chain of custody issues
- Complex regulatory/jurisdiction issues
- Data breach notification laws