System Forensics, Investigation, and Response Chapter 7
System Forensics, Investigation, and Response Chapter 7 Collecting, Seizing, and Protecting Evidence
Learning Objective and Key Concepts
Learning Objective
• Examine the evidence life cycle.
Key Concepts
• Differences between data and evidence
• Types of evidence
• Chain of custody requirements
• Collection, transportation, and storage of evidence

Evidence Collection
• Freeze the scene.
• Comply with the five rules of evidence.
• Minimize handling and corruption of original data.
• Proceed from volatile to persistent evidence.
• Don't run any programs on the affected system.
Evidence Collection (Continued)
• Account for any changes and keep detailed logs of actions.
• Do not exceed current knowledge.
• Follow local security policy.
• Be prepared to testify.
• Ensure that actions are repeatable.
Evidence Transport
• Shut down the computer.
• Document the hardware configuration.
• Document all evidence handling.
• Pack evidence securely.

Evidence Transport (Continued)
• Photograph or videotape the scene from the premises to the transport vehicle.
• Photograph or videotape the scene from the vehicle to the lab.
• Transport the computer to a secure location.
Evidence Protection and Storage
• Keep evidence in your possession or control at all times.
• Document every movement of evidence between investigators.
• Secure evidence appropriately so that it can't be tampered with or corrupted.
• Mathematically authenticate the data (e.g., with hash values).
Evidence Analysis
• Make a list of key search words.
• Work on image copies, never originals.
• Capture an image of the system that is as accurate as possible, such as a bit-stream backup.
• Evaluate the Windows swap file, file slack, and unallocated space.

Evidence Analysis (Continued)
• Identify file, program, and storage anomalies.
• Evaluate program functionality.
• Document findings.
• Create a case.
• Retain copies of the software used.
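The slides on protecting evidence (mathematically authenticate data with hash values, document every movement) and on analysis (work on image copies, never originals) come together in one routine. The following is an added example, not code from the course materials: it streams a bit-stream image through hashing, appends a chain-of-custody entry, and re-hashes a working copy so that a single changed byte is detected. File names, the JSON-lines log layout and the examiner name are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the file in chunks so a multi-GB image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def record_custody(log_path, image_path, action, handler, hashes):
    """Append one chain-of-custody entry (who, what, when, hashes) as a JSON line."""
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(),
             "image": str(image_path), "action": action,
             "handler": handler, "hashes": hashes}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_copy(acquisition_hashes, copy_path):
    """Re-hash a working copy; True per algorithm only if it matches the original."""
    copy_hashes = hash_file(copy_path, algorithms=tuple(acquisition_hashes))
    return {alg: copy_hashes[alg] == acquisition_hashes[alg] for alg in acquisition_hashes}

def demo(workdir=None):
    """Constructed scenario: hash an 'original', verify a copy, then detect a changed byte."""
    workdir = Path(workdir or tempfile.mkdtemp())
    original = workdir / "evidence.dd"        # stand-in for a bit-stream image (constructed)
    copy = workdir / "working_copy.dd"
    original.write_bytes(b"\x55\xAA" * 2048)
    copy.write_bytes(original.read_bytes())
    acq = hash_file(original)
    record_custody(workdir / "custody.jsonl", original, "acquired", "examiner A", acq)
    intact = verify_copy(acq, copy)           # all True: copy matches original
    with open(copy, "r+b") as f:              # simulate a single flipped byte in the copy
        f.seek(100)
        f.write(b"\x00")
    tampered = verify_copy(acq, copy)         # all False: hashes no longer match
    return acq, intact, tampered

if __name__ == "__main__":
    print(demo())
```

Recording more than one hash algorithm at acquisition means a later question about any single algorithm does not leave the evidence without a second, independent check.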
Locating Data in Access Logs
• Manually review logs, or
• Use a log analysis tool
Locating Data in Transmissions
• For backed-up data:
  • Mirror to removable media, with validation by the system administrator
• For live data:
  • Use a packet sniffer or packet capture tool

Locating Data on Hard Disks and Storage Devices
• Mirror to stable media
• Use recovery software
• Use data reconstruction software
Technical Issues
• Life span of data
• Collecting data quickly
• Collecting bit-level data
• Obscured data
• Anti-forensics

Types of Potential Evidence
• Logs
• Windows swap files and file slack
• Unallocated space and temporary files
• E-mails, word processing documents, and spreadsheets
• Network data packets

Summary
• Differences between data and evidence, and between valid and invalid data
• The rules of evidence
• Chain of custody requirements in evidence handling
• Methods for collection or seizure, transport, protection and storage, and analysis of evidence