Security+ Domain 5.0: Risk Management: Chapter 24

Chapter 24: Digital Forensics

Capturing Evidence

You have two major concerns:

      1. Capturing the right evidence before it disappears
      2. Keeping evidence valid and admissible

Order of Volatility

      1. CPU, cache and registers
      2. Routing tables, ARP cache, process tables, kernel statistics
      3. Live network connections, data flows
      4. RAM
      5. Swap and page files, and /temp and /tmp folders
      6. Hard disk
      7. Remote logs
      8. Backups

Critical but not on CompTIA’s list:

Create forensic copies of digital evidence, take hashes and digitally sign.

Not for the test, but for real life, you should know about the SIFT forensic Linux distribution from SANS:
https://digital-forensics.sans.org/community/downloads

The SANS DFIR channel on Youtube:
https://www.youtube.com/user/robtlee73

Here’s a simple, clear and soundless walkthrough of how DumpIt and Volatility work:

Here’s an example in greater detail, with a narrator, thanks:

And here’s a badass example of a forensics challenge:

Chain of Custody (is God)

Have a record-keeping system

    1. Log the item itself
    2. Log date, time and collector’s name
    3. Description
    4. Box and tag physical evidence
    5. Hashes of all digital evidence
    6. Secure transport to storage
    7. Signature of evidence storage officer
    8. Control for access and compromise while stored
    9. Secure transport to court

Legal Hold

You can’t destroy evidence.

Data Acquisition: Admissible in Court

Log the crap out of evidence.

      • Who collected it
      • How
      • Where
      • Who has had possession
      • How was it protected and stored
      • When was it removed from storage, by whom, and why

Capture System Images

This requires a write blocker between the imaging workstation and the source media, so the acquisition cannot alter the original.

Capture Network Traffic and Logs

Wireshark is the de facto and de jure standard for evidence.

Get firewall and IDS logs.

Capture Video

CCTV

IP cameras

Walk-arounds

Record Time Offset

NTP and the timeserver

Take Hashes of Everything

SHA-2 or better

Screenshots

Both captured on the system and from a camera

Witness Interviews

Preserving Evidence

Chain of Custody

Hashes

Forensic copies
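As an added example (not part of these notes), the chain-of-custody list and the hashing rule above put together in Python: hash the forensic copy at collection, log every handoff, record the seized system's clock offset against the NTP reference, and re-hash later to detect any change. The file, people, times and locations in it are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone, timedelta
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so disk images larger than RAM can be fingerprinted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def clock_offset_seconds(system_clock, reference_clock):
    """Seconds the seized system's clock runs ahead (+) of or behind (-) the NTP reference."""
    return (system_clock - reference_clock).total_seconds()

def acquire(path, collector, where, how, system_clock, reference_clock):
    """Start a chain-of-custody record; the hash taken at collection is the baseline."""
    return {
        "item": str(path),
        "sha256": sha256_file(path),
        "clock_offset_seconds": clock_offset_seconds(system_clock, reference_clock),
        "custody": [{"action": "collected", "by": collector, "where": where,
                     "how": how, "at_utc": reference_clock.isoformat()}],
    }

def hand_over(record, from_person, to_person, when, reason):
    """Every change of possession is logged; the list is only ever appended to."""
    record["custody"].append({"action": "transferred", "from": from_person, "to": to_person,
                              "why": reason, "at_utc": when.isoformat()})

def verify(record):
    """Re-hash the item; any mismatch means the evidence changed after collection."""
    return sha256_file(record["item"]) == record["sha256"]

def demo():
    """Constructed walkthrough on a throwaway file standing in for a disk image."""
    tmp = Path(tempfile.mkdtemp())
    image = tmp / "laptop01.dd"
    image.write_bytes(b"constructed sample image bytes\x00" * 1024)
    ntp_now = datetime(2024, 3, 5, 14, 0, 0, tzinfo=timezone.utc)
    laptop_now = ntp_now + timedelta(seconds=93)   # constructed: seized machine runs 93 s fast
    rec = acquire(image, "A. Analyst", "Room 12, desk 3", "dd via hardware write blocker", laptop_now, ntp_now)
    hand_over(rec, "A. Analyst", "Evidence locker (B. Officer)", ntp_now + timedelta(hours=2), "storage")
    intact_before = verify(rec)
    image.write_bytes(b"tampered")                 # simulate an unlogged modification
    return rec, intact_before, verify(rec)
```

Calling demo() returns the custody record plus the verification result before and after the simulated modification, so the second check coming back False is the point.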

Recovery Procedures

Strategic Intelligence / Counterintelligence