Security+: Basic forensic procedures (SY0-401) [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Forensics is the acquisition, analysis, and protection of digital evidence from the scene of the crime to present the facts in the courtroom. To make the evidence admissible in court proceedings, the forensic specialist must verify that the “chain of custody” was not broken and that the evidence was gathered and preserved properly. Moreover, the evidence must be protected from corruption, damage, and alteration throughout its lifecycle. Transportation is another important factor for preserving evidence. The evidence should be collected in a transportable container and the container should be labeled and stored in a secure physical environment. Such an environment not only prevents theft and damage but also maintains the proper humidity and temperature while avoiding smoke, dust, debris, vibrations, and magnetic fields. There are various other basic forensic procedures that candidates must understand to pass the Security+ exam.
Order of volatility
The order of volatility is the sequence or order in which the digital evidence is collected. The order is maintained from highly volatile to less volatile data. Highly volatile data resides in the memory, cache, or CPU registers, and it will be lost as soon as the power to the computer is turned off. Less volatile data cannot be lost easily and is relatively permanent because it may be stored on disk drives or other permanent storage media, such as floppy discs and CD-ROM discs. The crime scene technicians should collect evidence beginning with the most volatile and then moving towards a least volatile. The following order of volatility is reliable because it was taken from the standard document RFC 3227—Guidelines for Evidence Collection and Archiving.
- Cache, registers
- ARP cache, routing table, memory, kernel statistics, process table
- Temporary files
- Monitoring data and remote logging pertaining to the computer in question
- Physical configurations, network topology
- Archival media
Capture system image
Because the computer is vulnerable to cyberattacks, cybercriminals can counterfeit and fabricate evidence stored on the computer in question. The forensic analysts must protect the evidence from loss. Before examining the computer for digital evidence, the entire drive of the computer should be imaged (copied) to preserve data and verify its integrity.
In various circumstances, the crime scene investigators create a bit-stream copy of a storage device with the help of a forensic imaging tool. Afterward, they store that original storage media on a forensically clean storage device.
The proper checks and balances are necessary for successful image duplication, requiring the image-makers to perform a hash calculation before and after the creation of a forensic image. A hash calculation verifies that the image wasn’t altered or damaged during an imaging process. If the duplication is successful, then the hash of both the original copy and imaged copy should be the same.
Network traffic and logs
Network traffic and logs can provide empirical evidence if the forensic analysts properly collect and preserve them. Various network devices and tools, including switches, routers, VPN appliances, proxies, and firewalls, can be configured to record logs of the activities and events that occur on them. These log files can provide evidence for court proceedings. The tools used to collect network traffic and logs include Network Monitor, Wireshark, and several others.
The advent of modern surveillance cameras paves the way for the law enforcement agents to collect and preserve digital video evidence for legal proceedings. However, capturing video involves several issues. For example, if a video of the crime scene was captured, its video image must be collected and then preserved in an environment (such as external media) that should be even better protected than the original source (camera) of the video. Doing so is necessary because it prevents the perpetrator to claim that the evidence has been tampered with.
If someone videotapes an incident for collecting evidence, his/her presence will be significant during the investigation process. The recorded observation can help in crime scene re-enactments, orientation, and elucidating evidence properly during its presentation in the courtroom.
Another important consideration with regard to video evidence is the record time offset of the video in question. Record time offset is the difference between a time stamp of the video and a real time. A time stamp of the video can be incorrect and, when this occurs, the investigators should establish what the real time is by using a legitimate time-server. After that, the time stamp of the video should be compared with the real time.
Record time offset
By all accounts, the server and workstation times often slightly differ (or out of sync to some degree) from actual time. Time consideration of the incidents is imperative in forensic investigations. Hence, the forensic investigators must record the events in the correct time sequence. Doing so requires the investigators to record the time offset on each infected machine.
Events are recorded in the log files of the infected machine. The recording process also encodes the time stamp into the log file. This time stamp is pulled from the clock on the infected machine. As mentioned above, the time stamp in the log file will probably differ from the actual time. To deal with this technical problem, the forensic analyst should establish a known time standard, such as Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC). Afterwards, whenever a log file is updated with a time stamp, the clock of the infected machine should be compared to the time standard, either GMT, UTC, or so on. The time offset will be the difference between the infected machine’s time stamp and the time standard.
As discussed in the previous section, a hash calculation is performed before and after the creation of a forensic image. It ensures that the image wasn’t altered during the duplication process. In addition to this, it is essential to verify periodically that a hash of the image copy being used for forensic examination has not changed or altered. Consequently, a hash calculation confirms that the results drew from the image copy would legally apply to the original source.
When conducting the forensic examination, you shouldn’t trust the software tools on the perpetrator’s machine. Therefore, it’s unwise to use native screen-capture tool for taking screenshots. The wise approach is to use a camera to capture all photographs for later analysis.
A witness is a person who sees an event when it takes place. It is imperative to call the witness to assist the investigation process. The witness can testify about how the event occurred, where and when it occurred, and other information related to the event in question. A witness can also be called into court to provide testimony. However, the testimony will be voluntary, not coerced.
Track man-hours and expenses
Since an investigation process is expensive, the total man-hours and expenses associated with that investigation must be tracked and reviewed. Later on, these man-hours can be used to determine whether the cost of the incident was justified. This information can also be useful to adjust budgets for subsequent events.
Chain of custody
The chain of custody is a document that contains every detail about evidence across its lifecycle, such as when and where the evidence was collected, who collected it, who preserved it, who transported it, and who examined it. Evidence preservation means that the evidence must be protected from change, damage, corruption, and alteration throughout its lifecycle. A chain of custody also includes all the executive authorities who are privy to information about the evidence. In addition, the chain of custody must be maintained throughout the evidence’s lifecycle because, if the chain is broken, the integrity of the evidence will certainly be compromised.
Big data analysis
When a very large amount of data is available, it’s is referred as “big data.” Performing traditional means of analysis on big data is inappropriate, ineffective, and inefficient. Thus, it requires high-performance analytics running on massively distributed or parallel processing systems.
InfoSec Security+ boot camp
If you're ready for online security plus training, the InfoSec Institute offers a Security+ Boot Camp that teaches you the information theory and reinforces theory with hands-on exercises that help you learn by doing.
Moreover, the InfoSec Institute has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.
InfoSec also offers thousands of articles on all manner of security topics.