Chapter 24: Digital Forensics
You have two major concerns:
- Capturing the right evidence before it disappears
- Keeping evidence valid and admissible
Order of Volatility
- CPU, cache and registers
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections, data flows
- Swap and page files, and /temp and /tmp folders
- Hard disk
- Remote logs
Critical but not on CompTIA’s list:
Create forensic copies of digital evidence, take hashes and digitally sign.
Not for the test, but for real life, you should know about the SIFT forensic Linux distribution from SANS:
The SANS DFIR channel on YouTube:
Here’s a simple, clear and soundless walkthrough of how DumpIt and Volatility work:
Here’s an example in greater detail, with a narrator, thanks:
And here’s a badass example of a forensics challenge:
Chain of Custody (is God)
Have a record-keeping system
- Log the item itself
- Log date, time and collector’s name
- Box and tag physical evidence
- Hashes of all digital evidence
- Secure transport to storage
- Signature of evidence storage officer
- Control for access and compromise while stored
- Secure transport to court
You can’t destroy evidence.
Data Acquisition: Admissible in Court
Log the crap out of evidence.
- Who collected it
- Who has had possession
- How was it protected and stored
- When was it removed from storage, by whom, and why
Capture System Images
This requires a write blocker (a hardware or software device that lets you read the source drive while physically preventing any writes to it), so the original is never altered by the imaging process.
Capture Network Traffic and Logs
Wireshark is the de facto and de jure standard for evidence.
Get firewall and IDS logs.
Record Time Offset
Record the offset between each system's clock and the NTP time server at collection time, so timestamps from different hosts can be corrected and correlated.
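As an added example (not from the course notes), the following Python puts the time-offset step to work: it records each host's measured clock offset against the NTP reference and uses it to place firewall and host log entries on one corrected timeline. The host names, offsets, IP addresses and log lines are all constructed for the example.

```python
"""Record a per-host clock offset and correlate logs on a common timeline.

Added example, not from the course notes. Hosts, offsets and log lines are
constructed; in practice the offset comes from comparing each system's clock
against the NTP time server when the evidence is collected.
"""
import re
from datetime import datetime, timedelta, timezone


def measure_offset(system_time_iso: str, reference_time_iso: str) -> timedelta:
    """offset = reference (NTP) time - system clock.

    A negative offset means the system clock runs fast; add the offset to any
    timestamp taken from that system to get the corrected time."""
    system_time = datetime.fromisoformat(system_time_iso)
    reference_time = datetime.fromisoformat(reference_time_iso)
    return reference_time - system_time


# Constructed offsets measured at collection: the web server clock was 95 s fast.
HOST_OFFSETS = {
    "webserver": timedelta(seconds=-95),
    "firewall": timedelta(seconds=0),
}

# Constructed log lines, each stamped with its own host's (uncorrected) clock.
EVENTS = [
    ("firewall", "2024-03-01 09:59:03 ALLOW tcp 203.0.113.5 -> 10.0.0.8:22"),
    ("firewall", "2024-03-01 09:59:30 DENY tcp 203.0.113.5 -> 10.0.0.8:3389"),
    ("webserver", "2024-03-01 10:00:40 sshd: accepted publickey for admin from 203.0.113.5"),
]

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line: str) -> tuple:
    """Split a log line into (timestamp as UTC-aware datetime, message)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m.group(2)


def correlate(events: list, offsets: dict) -> list:
    """Return (corrected_time, raw_time, host, message) sorted by corrected time.

    A host with no recorded offset cannot be placed on the timeline, so that is
    treated as an error rather than silently trusting its clock."""
    rows = []
    for host, line in events:
        if host not in offsets:
            raise KeyError(f"no recorded time offset for {host}")
        raw_ts, msg = parse_line(line)
        rows.append((raw_ts + offsets[host], raw_ts, host, msg))
    rows.sort(key=lambda r: r[0])
    return rows


def naive_order(events: list) -> list:
    """The ordering you get by trusting every host's own timestamps."""
    ordered = sorted(events, key=lambda e: parse_line(e[1])[0])
    return [host + ": " + parse_line(line)[1] for host, line in ordered]


if __name__ == "__main__":
    print("naive:", naive_order(EVENTS))
    for corrected, raw, host, msg in correlate(EVENTS, HOST_OFFSETS):
        print(f"{corrected:%H:%M:%S} (host clock {raw:%H:%M:%S}) {host:9s} {msg}")
```

With the uncorrected clocks the SSH login appears to happen after the firewall's later DENY; once the web server's 95-second offset is applied it lands two seconds after the matching ALLOW, which is the order the analyst actually needs.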
Take Hashes of Everything
Use SHA-2 (for example SHA-256) or stronger; record the hash at collection so the evidence can be shown to be unchanged later.
Both captured on the system and from a camera
Chain of Custody
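The following Python is an added example, not part of the course notes, that ties together the steps above: make a forensic copy of the evidence and confirm its hash matches the source, record SHA-256 hashes, and keep a chain-of-custody log in which every entry records who, what and when and also commits to the hash of the previous entry, so that a later edit or deletion of any record is detectable. The evidence image, handler names and times are constructed; a real image would come from a write-blocked drive.

```python
"""Forensic copy, SHA-256 hashing and a hash-chained chain-of-custody ledger.

Added example, not from the course notes. The evidence image is a constructed
byte string standing in for a disk or memory image taken through a write
blocker; the handler names and times are made up.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a raw image (in practice: the write-blocked source drive).
EVIDENCE_IMAGE = bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """SHA-256, a member of the SHA-2 family the notes recommend."""
    return hashlib.sha256(data).hexdigest()


def forensic_copy(original: bytes) -> tuple:
    """Byte-for-byte copy plus the hashes of source and copy.

    Analysis happens on the copy; the two hashes must match before it is used."""
    copy = bytes(original)
    return copy, sha256_hex(original), sha256_hex(copy)


def custody_entry(ledger: list, action: str, handler: str, evidence_hash: str,
                  when: datetime) -> dict:
    """Append one record: what happened, who did it, when, and the evidence hash.

    Each record also commits to the previous record's hash, so editing or
    deleting any earlier line breaks the chain."""
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    entry = {
        "seq": len(ledger),
        "time_utc": when.astimezone(timezone.utc).isoformat(),
        "action": action,
        "handler": handler,
        "evidence_sha256": evidence_hash,
        "prev_entry_hash": prev,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list) -> bool:
    """Recompute every record hash and check the chain is unbroken."""
    prev = "0" * 64
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_entry_hash") != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def verify_evidence(image: bytes, ledger: list) -> bool:
    """Does the evidence in hand still match the hash recorded at collection?"""
    return bool(ledger) and sha256_hex(image) == ledger[0]["evidence_sha256"]


def build_sample_ledger() -> list:
    """Walk the custody steps from the notes with constructed names and times."""
    t = datetime(2024, 3, 1, 9, 58, 0, tzinfo=timezone.utc)
    copy, h_src, h_copy = forensic_copy(EVIDENCE_IMAGE)
    assert h_src == h_copy, "copy does not match source; do not proceed"
    ledger = []
    custody_entry(ledger, "collected and imaged via write blocker", "J. Doe (collector)", h_src, t)
    custody_entry(ledger, "sealed, tagged, transported to storage", "J. Doe (collector)", h_src, t.replace(hour=11))
    custody_entry(ledger, "received into evidence storage", "A. Smith (storage officer)", h_src, t.replace(hour=11, minute=30))
    custody_entry(ledger, "working copy checked out for analysis", "R. Lee (examiner)", h_copy, t.replace(day=2))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(json.dumps(ledger, indent=2))
    print("ledger intact:", verify_ledger(ledger))
    print("evidence intact:", verify_evidence(EVIDENCE_IMAGE, ledger))
```

The hash chain makes the log tamper-evident, not tamper-proof: anyone holding the whole ledger could rewrite it from the altered record onward, which is why the notes also call for a storage officer's signature and controlled access to the stored evidence. Digitally signing each record (with a key the handler controls) is the step this example leaves out.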