Chapter 24: Digital Forensics
Capturing Evidence
You have two major concerns:
- Capturing the right evidence before it disappears
- Keeping evidence valid and admissible
Order of Volatility
Collect the most volatile evidence first; by the time you reach an item on this list, everything above it may already be gone. The list comes from RFC 3227.
- CPU, cache and registers
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections, data flows
- RAM
- Swap and page files, and temporary directories (%TEMP% on Windows, /tmp on Linux)
- Hard disk
- Remote logs
- Backups
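The list above is a procedure, and in practice it is a script you run on the live box before you pull the plug. Here is an added example of such a collector, not from the original notes: it walks the order top-down, records the host's clock offset against a trusted reference first (that is the "Record Time Offset" step), saves each artifact, and writes a manifest with a timestamp and SHA-256 per file so you can later prove nothing changed. It assumes a POSIX sh with sha256sum or shasum; the /proc paths are Linux assumptions with portable fallbacks, and the reference clock value in the usage is constructed. Anything the host cannot provide is logged as "unavailable" rather than silently skipped.

```shell
#!/bin/sh
# Added example (not from the original notes): live-response collector that
# follows the order of volatility and hashes everything it takes.
# Assumes POSIX sh and sha256sum or shasum; /proc paths are Linux assumptions.

# sha256_of <file> -> hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# collect_step <outdir> <label> <command>
# Run <command> via sh -c, save its output to <outdir>/<label>.txt and append
# "<utc time> <label> <collected|unavailable> <sha256> <file>" to the manifest.
collect_step() {
  outdir=$1; label=$2; cmd=$3
  out="$outdir/$label.txt"
  if sh -c "$cmd" >"$out" 2>/dev/null; then status=collected; else status=unavailable; fi
  printf '%s %s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$status" \
    "$(sha256_of "$out")" "$out" >>"$outdir/MANIFEST"
}

# live_collect <outdir> [reference_epoch]
# <reference_epoch> is the Unix time a trusted clock (your NTP server) showed
# when you started; it is recorded FIRST so every later timestamp from this
# host can be corrected by the offset. Prints the manifest path.
live_collect() {
  outdir=$1; ref=${2:-}
  mkdir -p "$outdir"
  : >"$outdir/MANIFEST"
  now=$(date +%s)
  if [ -n "$ref" ]; then
    collect_step "$outdir" 00_clock "echo local_epoch=$now reference_epoch=$ref offset_seconds=$((now - ref))"
  else
    collect_step "$outdir" 00_clock "echo local_epoch=$now reference_epoch=unknown"
  fi
  # 1. CPU cache and registers: not reachable from userland; a RAM image is the nearest substitute.
  # 2. Routing table, ARP cache, process table, kernel statistics.
  collect_step "$outdir" 10_routes  'cat /proc/net/route || netstat -rn'
  collect_step "$outdir" 11_arp     'cat /proc/net/arp || arp -an'
  collect_step "$outdir" 12_procs   'ps -ef'
  collect_step "$outdir" 13_kernel  'cat /proc/loadavg /proc/meminfo || uptime'
  # 3. Live network connections and flows.
  collect_step "$outdir" 20_netconn 'ss -tunap || netstat -an'
  # 4. RAM: hand off to a memory imager (LiME/avml on Linux, DumpIt on Windows) and hash the dump.
  # 5. Temporary file systems. The disk itself is imaged separately, through a write blocker.
  collect_step "$outdir" 30_tmp     'ls -la /tmp'
  echo "$outdir/MANIFEST"
}

# verify_manifest <manifest>
# Re-hash every file listed and compare; prints OK, or "FAIL <label>" for the first mismatch.
verify_manifest() {
  while read -r ts label status sum file; do
    [ "$(sha256_of "$file")" = "$sum" ] || { echo "FAIL $label"; return 1; }
  done <"$1"
  echo OK
}

# Usage (constructed reference clock value):
#   live_collect /mnt/usb/case-42/host-a 1700000000
#   verify_manifest /mnt/usb/case-42/host-a/MANIFEST
```

Run it from external media, never from the suspect disk, and hash the manifest itself once collection is finished; the manifest is only as good as your ability to prove it has not been edited.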
Critical but not on CompTIA's list:
Create forensic copies of digital evidence, hash both the original and the copy, digitally sign the hashes, and do all analysis on the copy, never on the original.
Not for the test, but for real life, you should know about the SIFT forensic Linux distribution from SANS:
https://digital-forensics.sans.org/community/downloads
The SANS DFIR channel on Youtube:
https://www.youtube.com/user/robtlee73
Here’s a simple, clear and soundless walkthrough of how DumpIt and Volatility work:
Here’s an example in greater detail, with a narrator, thanks:
And here’s a badass example of a forensics challenge:
Chain of Custody (is God)
Have a record-keeping system
- Log the item itself
- Log date, time and collector’s name
- Description
- Box and tag physical evidence
- Hashes of all digital evidence
- Secure transport to storage
- Signature of evidence storage officer
- Control for access and compromise while stored
- Secure transport to court
Legal Hold
A legal hold (litigation hold) is a notice to preserve everything relevant to actual or anticipated litigation. You can't destroy evidence, and you also can't let normal retention schedules or automated cleanup delete it: the hold suspends them until it is lifted.
Data Acquisition: Admissible in Court
Log the crap out of evidence.
- Who collected it
- How
- Where
- Who has had possession
- How was it protected and stored
- When was it removed from storage, by whom, and why
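The chain-of-custody checklist above and this acquisition log ask for the same record: who, what, when, how, and every hand-off. The weak point of a plain log is that it can be edited after the fact. Here is an added example, not from the original notes, of an append-only ledger in which each record carries a SHA-256 over the previous record's hash and its own fields, so changing, reordering or deleting any entry breaks verification from that point on. It assumes a POSIX sh with sha256sum or shasum, and that no field contains the "|" separator; the evidence IDs and names in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): hash-chained chain-of-custody
# ledger. Assumes POSIX sh, sha256sum or shasum, and '|'-free fields.
# Record layout: utc_time|item_id|action|actor|description|sha256

# sha256_stdin -> hex digest of stdin, using whichever tool the host has.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{print $1}'
  else
    shasum -a 256 | awk '{print $1}'
  fi
}

# coc_append <ledger> <item_id> <action> <actor> <description>
# The hash covers the previous record's hash (GENESIS for the first record)
# plus this record's fields, so the ledger is a chain, not a list.
coc_append() {
  ledger=$1; item=$2; action=$3; actor=$4; desc=$5
  prev=GENESIS
  if [ -s "$ledger" ]; then last=$(tail -n 1 "$ledger"); prev=${last##*|}; fi
  body=$(printf '%s|%s|%s|%s|%s' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$item" "$action" "$actor" "$desc")
  sum=$(printf '%s|%s' "$prev" "$body" | sha256_stdin)
  printf '%s|%s\n' "$body" "$sum" >>"$ledger"
}

# coc_verify <ledger>
# Recomputes every link; prints OK, or "BROKEN at record N" for the first bad one.
coc_verify() {
  prev=GENESIS; n=0
  while IFS= read -r line; do
    n=$((n + 1))
    body=${line%|*}; sum=${line##*|}
    if [ "$(printf '%s|%s' "$prev" "$body" | sha256_stdin)" != "$sum" ]; then
      echo "BROKEN at record $n"; return 1
    fi
    prev=$sum
  done <"$1"
  echo OK
}

# Usage (constructed case data):
#   coc_append custody.log EV-2024-001 collected   "J. Doe"           "laptop SSD, bagged, tag 0042"
#   coc_append custody.log EV-2024-001 transferred "J. Doe -> storage" "sealed bag, seal intact"
#   coc_append custody.log EV-2024-001 checked-out "R. Roe"           "imaging, lab 2"
#   coc_verify custody.log
```

Store the ledger somewhere the people who appear in it cannot write to, and have the storage officer sign the current tail hash at each hand-off; a chain only proves tampering after a given point if someone independent has recorded what that point looked like.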
Capture System Images
Image the original through a hardware write blocker so nothing on the evidence drive can change. Take a bit-for-bit image (not a file copy, so deleted files and slack space come along), hash the source and the image, and work only on the image.
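The "create forensic copies, hash, sign" advice earlier and the imaging step here come down to one procedure. Here is an added example of it, not from the original notes: dd makes the bit-for-bit image, the source is hashed before and after so you can show the acquisition did not alter it, the image hash is compared to both, and the manifest can be signed with gpg. It assumes a POSIX sh with dd and sha256sum or shasum, a source that sits behind a hardware write blocker (or a file, as in the usage, where the sample file is constructed), and an optional GPG key ID of your own. On SIFT, dc3dd or ewfacquire do the same with hashing built in.

```shell
#!/bin/sh
# Added example (not from the original notes): forensic imaging with dd,
# hashed before and after, manifest optionally signed with gpg.
# Assumes POSIX sh, dd, sha256sum or shasum; source is behind a write blocker.

# sha256_of <file> -> hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# image_device <source> <outdir> <collector> [gpg_key_id]
# Prints MATCH when source-before, image and source-after hashes all agree.
image_device() {
  src=$1; outdir=$2; who=$3; key=${4:-}
  mkdir -p "$outdir"
  img="$outdir/$(basename "$src").dd"
  before=$(sha256_of "$src")
  # bs=512 so the block size divides any sector-aligned device. conv=sync pads
  # a short final read to bs with zeros; with a big bs (4M) on a device whose
  # size is not a multiple of it, that padding makes the image hash differ
  # from the source. conv=noerror keeps reading past bad sectors instead of
  # aborting, and dd's own byte counts go to dd.log for the record.
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$outdir/dd.log"
  image=$(sha256_of "$img")
  after=$(sha256_of "$src")   # show the original was untouched by the acquisition
  {
    printf 'collector=%s\nacquired_utc=%s\nsource=%s\n' "$who" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src"
    printf 'source_sha256_before=%s\nsource_sha256_after=%s\n' "$before" "$after"
    printf 'image=%s\nimage_sha256=%s\n' "$img" "$image"
  } >"$outdir/MANIFEST"
  # Sign the manifest so the recorded hashes cannot be quietly replaced later.
  if [ -n "$key" ]; then
    gpg --batch --yes --local-user "$key" --armor --detach-sign "$outdir/MANIFEST"
  fi
  if [ "$before" = "$image" ] && [ "$image" = "$after" ]; then echo MATCH; else echo MISMATCH; fi
}

# verify_image <outdir>
# Re-hash the image named in the manifest; prints OK or FAIL.
verify_image() {
  m="$1/MANIFEST"
  img=$(sed -n 's/^image=//p' "$m")
  want=$(sed -n 's/^image_sha256=//p' "$m")
  if [ "$(sha256_of "$img")" = "$want" ]; then echo OK; else echo FAIL; fi
}

# Usage (device path and key ID are placeholders; in the lab, use a file):
#   image_device /dev/sdb /mnt/usb/case-42 "J. Doe" 0xDEADBEEF
#   verify_image /mnt/usb/case-42
```

A MISMATCH on a real drive usually means unreadable sectors (check dd.log) or a block size that does not divide the device size; either way, document it rather than re-running until it "works".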
Capture Network Traffic and Logs
Wireshark is the de facto (not de jure) standard for packet capture and analysis; tcpdump writes the same pcap format and is what you will usually run on a server. Capture to a file, then hash the pcap like any other evidence.
Get firewall and IDS logs.
Capture Video
CCTV
IP cameras
Walk-arounds
Record Time Offset
Record the difference between each evidence system's clock and a trusted reference (your NTP time server), plus its time zone, so timestamps from different hosts and logs can be lined up.
Take Hashes of Everything
SHA-2 (SHA-256) or better. MD5 and SHA-1 have practical collision attacks; if a tool only offers MD5, record a SHA-256 alongside it.
Screenshots
Both captured on the system and from a camera
Witness Interviews
Preserving Evidence
Chain of Custody
Hashes
Forensic copies