By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 4.4 Given a scenario, utilize basic digital forensics techniques Forensics Considerations Forensics is an important part of an incident response. Using forensics, we attempt to discover what happened before, during, and after an incident; we are looking for the root causes of the incident. We are also trying to answer the questions who, what, where, when, and how. During this module, we’re going to look at various forensics considerations and issues, and we discuss the particulars of forensics as it relates to discovering the facts of an incident. Incident forensics can cover many different aspects, such as the network and hosts or other endpoints. Don’t forget that these endpoints aren’t always simply desktops or workstations. Mobile devices are also considered endpoints, and they present their unique challenges with information forensics. As a large majority of organizations are also using cloud-based services, cloud forensics has recently become an important part of incident response. And let’s not forget virtualization; many organizations use virtualized systems, including servers and end-user devices.
Information forensics involves the preservation, collection, security, analysis, and presentation of various types of electronic evidence. It requires skills that include advanced networking knowledge, in-depth knowledge and experience with operating systems and programming, and even knowledge of laws and regulations. For an incident response team, training on forensic skills is a must. Even if the team can quickly respond to, contain, and eradicate the cause of an incident, if they lack forensic experience and skills, they will not be able to effectively analyze the root causes of the incident and prevent a future one. Lack of forensic skills would also potentially enable a would-be attacker to go free from accountability or punishment. In this module, we’re going to discuss different aspects of forensics that you will need to know for the CySA+ exam. There’s no way we can make you an expert on incident forensics, but you will gain the knowledge required by the exam objectives and more. We discuss network forensics, host and endpoint forensics, and how to apply forensic skills to cloud-based services and virtualization. We also cover some basic forensic skills cybersecurity analysts should be aware of. Forensics Foundations You can conduct a very thorough, professional forensic examination on your organization’s information assets by being trained and experienced in basic forensic techniques. You will need those skills and knowledge to be a functional and valuable part of your organization’s incident response team. With that, you need to learn and understand several key foundations of knowledge, a few of which we discuss in the following sections. Evidence Preservation Evidence preservation is a key foundation you need to ingrain into your mind as a forensic investigator. This is probably the most critical part of an investigation. Even if you lack the skills to properly analyze evidence, you can save the investigation from failure by ensuring that the evidence is preserved and protected at all stages of the response and investigation. Evidence preservation involves aspects such as chain of custody, physical protection, and logical protection. Chain of custody is explained in the next section, and physical protection simply means that the evidence should be protected and preserved from the elements, such as weather, static electricity, accidental damage, fire, theft, and so on. Logical protection is a little bit more difficult; it involves taking some of the precautions that are outlined later on in the module, such as forensic duplication, hashing, and so on. All these steps are necessary to make sure that evidence is preserved and kept intact in its original form. Chain of Custody The concept of chain of custody is a critical part of preserving evidence. It essentially means that evidence is controlled, tracked, and documented from the moment it is seized or acquired, all through its lifecycle.
A typical evidentiary lifecycle is shown below. Note that securely storing and transferring evidence are part of each stage in the lifecycle and are prevalent throughout. FIGURE: The evidence lifecycle
The lifecycle for a piece of evidence may not end until after the investigation, response, or even court case is concluded, which could take days, months, or even years. During the lifecycle, evidence has to be protected from contamination. When evidence is initially acquired or seized, the investigator or responder creates a chain of custody form. They are usually the first person to sign this form as having acquired the evidence and accepted it into the chain. Any subsequent person or entity receiving the evidence or performing any type of action on the evidence should also sign the chain of custody form. The chain of custody follows the evidence wherever it goes, even if it is transferred to another entity for storage or analysis. During the actual disposition of the case, either through the courts or corporate investigation, the chain of custody will be used for verification that the evidence has not been tampered with. When the case for investigation has been concluded, the chain of custody is kept and filed in case it is needed in the future. Basic Forensic Procedures Some of the forensic procedures you may need to know for the actual investigation. Some of these seem like common sense, but unless you know them, you wouldn’t necessarily think to employ them without training and understanding why they must be carried out. What follows are a few of the more critical forensic procedures that could potentially make or break a case: - Secure the scene of the crime or incident. This could be an individual user’s cubicle, an office, or even a data center floor. During the initial stages of the investigation when you are collecting and seizing evidence, no unauthorized person should be in the area. This includes people who normally might work in this area. If the area is necessary for critical operations and requires personal in the area, make sure they are observed at all times and do not attempt to disturb any potential evidence. Know what they are doing at all times. - Photograph the scene of the crime or incident before anyone disturbs any of the equipment or evidence. This way, you can go back later and see how devices were set up and what items were around the equipment, and you can look for details you might have initially missed when you secured the crime scene and acquired the evidence. - Don’t arbitrarily power off a device unless you absolutely have to. Critical evidence could be lost from the contents of memory when you power down a device. Additionally, if an active attack is going on with the device, it may alert the attacker that they have been discovered, thus causing you to lose valuable evidence. You must weigh the value of keeping the device powered up to collect volatile evidence from it against the value of shutting it down and preventing an attacker from doing more damage to it. - Inventory every single item of evidence taken from the scene. This includes any device, such as the computer, monitor, keyboard, cables, phones, media, and so on. It also includes any written materials that you believe are evidence or that you will need to further analyze a device (an operating manual, for example). - Place all evidentiary items in a protected container. For electronic items that might be sensitive to static electricity, electrostatic bags are typically used. For items that may not be sensitive but should still be handled carefully, such as optical media, a strong storage container, properly labeled on the outside, should be used. - Maintain a strong chain of custody at all times. Ensure that anyone who removes evidence for the scene has signed for it, and that any actions taken with the evidence, such as storage, transfer, removal for analysis, and so on, are logged. - Get written permission from the original owner (assuming the owner is not the suspect, as would hopefully be the case in a corporate investigation) before removing any evidence. This can include the system owner, IT manager, or even the chief information security officer if necessary. It should be someone who has the authority to grant permission to remove an asset from its location and operations. - Have the proper tools at your disposal to perform an investigation. Most tools, both software and hardware, have to be approved by some professional or legal organization as being tested and sufficient for use in information forensics. Some common, ordinarily used utilities, such as file copy utilities, may inadvertently change evidence and are not suitable for forensic use. - Don’t perform any type of forensic action, such as analysis, if you do not have the proper training, knowledge, or skills. Although you may mean well, you could inadvertently destroy or damage evidence to the extent that it cannot be used in an investigation, thus setting back the response and preventing the guilty parties from being held accountable for their actions. - Never perform any analysis on the original evidence. Use forensically duplicated copies, as discussed later on in the module. Exam tip: You may not see questions on any of these procedures on the exam, but you should be expected to know them so you can answer more complex questions that may be part of the exam objectives. Network The network is the conduit for all information that travels throughout an organization. Because all data at some point touches the network in some fashion, that’s the first place we should look for evidence during an incident. Volumes can be written on network forensics, but we will cover some of the very basic things that you as a cybersecurity analyst should know. Two primary skills include capturing network traffic with various tools such as Wireshark and TCP dump, as well as things you should look for during traffic analysis. Wireshark Wireshark is the ubiquitous traffic capture and analysis tool used by cybersecurity analysts. Wireshark is the graphical version; the command-line version, which makes it easier to script, is called tshark. Wireshark is available for Windows, Linux, and macOS platforms. It is open source and free to use but does exist as a commercial version as well. Wireshark can be used on both wired and wireless networks. For wireless networks, however, it requires a network card that has been put into monitor or promiscuous mode so that it can capture all wireless traffic on a network. For wired traffic, the machine serving as the host running Wireshark must be able to capture all traffic on a segment, including the ability to span a switch for switched traffic. Wireshark uses a capture format called a PCAP (for packet capture) file. Note that this is a binary file and not a text-based (such as a CSV format) file. Wireshark can read files from other packet capture tools as well, such as tcpdump, discussed next. Note that packet captures contain huge volumes of data and can grow in size quickly, so organizations that perform a lot of packet captures must have a lot of space to store them. They can also be very unwieldy to analyze in large sizes. Because of the volume of traffic that can be captured even during a short capture session through Wireshark, it can be overwhelming to try to sort through all the different protocols and IP addresses that flow through a capture. Wireshark can provide display filters that an analyst can use to narrow down the types of traffic captured and analyzed. Filters can be used to narrow down traffic based on the source or destination IP address, port, protocol, or any one of dozens of other characteristics. Note: Wireshark, as well as other packet capture tools, can capture traffic that occurs at all levels of the TCP/IP and OSI models, regardless of the layer. Wireshark has a useful feature that allows you to look at TCP traffic, so you can follow its flow back and forth between devices. This feature is called TCP streams and can be very useful for both security and troubleshooting purposes. Using this feature, you can determine how traffic originated from a particular host and how it was received by the destination host, as well as the different traffic “conversations” both hosts engaged in during their communications session. Like most of other network security programs, Wireshark cannot read or decrypt any captured encrypted traffic without being able to break the encryption. If an organization has the right infrastructure set up, this may sometimes be achieved through Secure Sockets Layer (SSL) or Transport Layer Security (TLS) inspection, but typically before the traffic is flowed through Wireshark. Most other types of encrypted traffic can be captured and stored but not interpreted by Wireshark. The figure below shows an active capture from Wireshark. FIGURE: A Wireshark capture tcpdump tcpdump is a packet capture utility built into most Linux distributions and can also be found in some macOS and Windows ports. tcpdump essentially monitors all network traffic and sends it to a file or allows an operator to monitor it in real time on the screen. It is primarily used at the command line. Because it cannot display and filter as elegantly as Wireshark, it’s more useful as a capture tool rather than an analysis tool. Its output can be imported into a variety of packet analysis tools, including Wireshark. Because it is a command-line tool with a plethora of options, it’s very useful in scripts that require very specific capture filters.
The figure below gives an example of a TCP dump in progress. FIGURE: tcpdump in action Exam tip: You will not be required to know all the different options and switches for either Wireshark or tcpdump, but you should be able to understand when it might be appropriate to use either one and what the features are of both. Endpoint Forensics Considerations Endpoint or host forensics is a critical part of an incident investigation. Keep in mind that an incident doesn’t only mean that an external malicious attacker has attacked the network. It can also mean that a malicious or complacent insider has performed actions on the host to steal or destroy data, or even simply to violate a policy (surfing to forbidden websites, for example). In any case, there will be plenty of forensic artifacts on endpoints that you must make every effort to obtain. You’ll need specialized software and equipment in most cases, but you must also use good sound judgment and experience developed from your career as a cybersecurity analyst.
There are two key places you will obtain forensic evidence from:
First, any permanent storage media that has been attached to the computer, such as the hard disk, CD/DVD/Blu-ray discs, USB drive, external drives, SD cards, and so on. Remember that not only are you looking for ordinary files, but you’re also looking for file fragments from potentially deleted files, slack or free space on media, registry settings, running processes, and so on.
Second, the other key source is from the volatile memory on the device, typically RAM. You will need specialized acquisition software, and in some cases hardware, to acquire evidence artifacts from either of these two sources. Disk For this discussion, we’ll talk about hard disks in general, but understand that we also mean any type of permanent storage media, such as USB drives, SD cards, optical media, and so on. Most are fairly standard in how you would acquire forensic data from them. To acquire forensic evidence from a media, you should go into an investigation with an understanding of the different types of media you might encounter, even older types, such as ZIP disks or even floppies.
You also need to understand how file systems work, their characteristics, methods of indexing and accessing data, cluster and sector sizes, and so on. These will all vary based on the age and type of media. You need to know these things because they will help you use the right method to acquire the data and later analyze it.
You can use other software or hardware to acquire data from media. Software requires the use of a host with an operating system on it and is generally less efficient than hardware acquisition. However, software enables you to instantly preview potential forensic artifacts. Whether you use hardware or software, you must take special care not to contaminate the original media. By contamination, we mean to allow it to be written in any manner since this will disturb the integrity of the evidence (this topics is also discussed a little bit later in the module).
The goal is to make a forensically sound exact duplicate of the media, capturing the state of it upon seizure, so that it will not be changed in any manner. This is important because if the evidence has been changed, it may not hold up in a courtroom or investigation since the argument could be made that evidence was changed to slant the guilt or innocence determination of a suspect. Your analysis of the evidence should be made on a forensically sound copy, meaning that it is an exact duplicate, right down to deleted files, rather than just a basic copy of all intact files on the media. During the process of collecting evidence from media, you should take pictures of the media as well as record critical information about it, such as its type, manufacturer, make, model, serial number, capacity, and even information about the device from which it was seized.
Chain of custody is of critical importance during this part of the investigation. Media can be at risk of exposure to static electricity, thus inadvertently destroying the data on it and rendering it unusable for the investigation. That’s why you must take special precautions to protect sensitive media by using electrostatic bags, for example, and limiting the physical handling of the media. Memory Memory forensics is very similar to the actions performed on permanent storage media, with one powerful exception: memory, typically in the form of RAM, is volatile. In other words, power is required to maintain any data in memory. As soon as power is removed from the device, the contents of RAM are typically lost. There are, of course, exceptions to this, but for our discussion, you should assume that the contents of RAM could easily be lost if not acquired quickly and properly. Unlike static files that you might acquire from permit storage media, the contents of RAM are important because they contain ephemeral data elements that will be lost when power is removed from the device. These include current system state information like running processes and services, unencrypted passwords stored in RAM, network connections and their state, and decrypted file information. Many types of malware only run in active memory rather than as a file executed from a file system. Additionally, some indicators of compromise of an attack only reside in running memory. Normally, permanent storage media is acquired after power has been removed and it can be safely transported to a hardware or software device used to obtain the digital evidence. Because of the volatile nature of RAM, the contents of memory must be acquired using what is known as a “live” response. This means that the power for the host cannot be removed (shut down). The host is still online and processing during the memory acquisition process. There are risks involved with this because the contents of RAM are constantly changing, and even the acquisition process itself could change those contents. For the most part, this is an acceptable risk, as long as you document the process you used to acquire memory and record its state.
A cybersecurity analyst can use specialized utilities and hardware to obtain the contents of memory.
Some of them treat memory as if it is a form of media; that is, the utility may “view” RAM as a device drive letter. Remember to document any software or hardware you use to acquire memory contents, as well as the detailed process you used since you are likely to change some of those contents. You have to be able to show that any changes made were part of the acquisition process and did not substantially affect the integrity of those contents. Exam tip: Endpoint forensics involves collecting potential artifacts from two critical elements: permanent storage media, such as a hard disk, and volatile memory, such as RAM. Mobile Forensics Mobile devices are ubiquitous in today’s business world. Smartphones, tablets, laptops, cameras, and other types of devices have both permanent and volatile storage. Mobile devices provide a wealth of forensic information, including e-mail artifacts, web surfing history, social media access, location information, and so on. Each of these devices also has a unique operating systems as well as unique forensic requirements.
Here are some considerations for mobile device forensics: - Mobile devices require specialized software and tools to access the different manufacturers’ storage methods, memory, and operating systems. These are often device or manufacturer dependent, can be quite expensive, and require a deeper level of knowledge and experience to use. - Avoid turning off mobile devices for the same reason as other types of hosts: you may lose valuable volatile data from memory contents that cannot be recovered. - Mobile devices may still communicate with other hosts and networks through wireless or cellular means. Since you should not arbitrarily turn them off, you must shield them from communicating with the outside world via a special container known as a Faraday bag. Because this container can block RF radiation and communications to and from the device, it can prevent the device from communicating with a potential suspect who may send remote commands to the device to wipe it, destroying valuable evidence. - Mobile devices tend to have location data that should be preserved, in the form of GPS and other types of data. You should make an effort to preserve this data so the different locations where the device has been can be tracked. - Privacy should be considered in cases where you have seized a device that is owned by the suspect instead of the organization but may have data from both. You might not be authorized to forensically examine a personal device and should check with your legal department before attempting to do so. Exam tip: Two important considerations for mobile forensics are requirements for specialized software and hardware tools and the concern for privacy with personal mobile devices versus corporately owned mobile devices. Cloud Forensics Increasingly, organizations are moving resources to the “cloud.” Although there is a lot of marketing hype and mystique about cloud structures, remember that a cloud is nothing more than a hosted data center to which an organization can transfer some of its resources and infrastructure. Third parties, called cloud providers, maintain the infrastructure of the data center in the form of high-speed network connections, robust servers, and other high-performance hardware needed to service their customers. Operating systems and applications specifically designed for cloud implementations are also included in this infrastructure. The different resources and services an organization can move to the cloud include applications, platforms, infrastructure, and even security, each with different variations of implementation.
Since cloud services are essentially “shared” models, the organization may find it difficult to conduct a full incident response or forensic investigation in conjunction with the cloud provider. Remember that the cloud provider owns a good majority of the resources used in the infrastructure, including the physical and virtual servers and the network devices. An organization can perform incident response and forensics on its on-premises devices, but may not be able to gather the information it needs from a cloud provider to complete the investigation. That’s why contracts and agreements with providers are so critical.
Most of the larger cloud service providers, such as Amazon, Google, and Microsoft, have incident response teams and forensic technicians that can manage their part of an investigation. However, information sharing between those entities and the organization can be limited to only what the provider wants to share, since it may consider this information confidential or even proprietary. The service provider contract should be written in such a manner that enables information sharing, at minimum, or access to the cloud provider’s infrastructure, at best, to perform a full forensic investigation. With the larger providers, access to their infrastructure is going to be very rare.
With smaller providers, you may be able to work language into the contract that allows your organization’s personnel to have access to very specific parts of cloud provider infrastructure for very limited forensic data collection and response. It is more much likely that the cloud provider will gather the necessary forensic evidence it feels is appropriate and turn that over to your organization. Understand that this will all be at the provider’s discretion, however.
Keep in mind that if an attack has affected your cloud service provider, then the provider is naturally interested in keeping details of the attack closely held, such as any vulnerability information that may have caused the attack as well as any data loss resulting from it. The provider may not be able to conduct a forensic investigation until its incident response is complete and has restored any services that are down. Remember that you are likely not the provider’s only customer. However, incident response and forensics considerations must be spelled out in any contract with a cloud provider, regardless of the types of services provided. Exam tip: The key to cloud forensics is the agreement or contract between the organization and the cloud service provider. What the responsibilities and permitted actions are for both parties must be spelled out exactly. Virtualization Forensics In this modern era of technological wonders, hosts, servers, other unique devices, and even entire networks can be virtualized. Virtualization uses the resources of a host for a virtual machine, including virtualized operating systems and even virtualized applications. For the most part, virtualized devices and networks are stored as static files on a file system when they are not in use, but when they are active, they interact with their environment just as a physical system would. Because of this, they can be acquired and forensically analyzed just as any other physical host or device might.
Although there are various types of files that different virtualization vendors create as proprietary formats, examples of the files a virtual machine might use include the following: - VMX: Configuration file - VMDK: Stores the virtual hard drive for the machine - NVRAM: Nonvolatile RAM; stores static virtual machine BIOS information - VMEM: For storage of volatile memory contents
Again, these are just examples of files a virtual host might use. The actual files used depends on the different types of virtualization technologies and hypervisors (discussed shortly) the organization is using.
Virtualization in the infrastructure, if properly implemented, can be quite helpful to a cybersecurity analyst performing forensic analysis on virtualized devices. In addition to all the benefits that virtualization offers the organization and its infrastructure, it offers several useful features during a forensic analysis. For example, when a virtual device is shut down gracefully, it can store all the contents of its running memory as a preserved file on disk, so when it is powered back up, it still has the same volatile contents in memory.
A virtualized host can be transferred, through its files, to another media for analysis in a laboratory. It can also be easily forensically duplicated and powered back up for analysis, regardless of hardware needs. Finally, if damage is done to a virtual machine, it can be easily re-created from a backup. Virtualization requires the use of a hypervisor to manage the resources on the physical machine and their use by a virtual machine. Remember that a hypervisor comes in two flavors: Type I and Type II. A Type I hypervisor, also called a bare-metal hypervisor, is a minimal operating system installed on a resource-heavy machine (multiple CPUs, a great deal of RAM, massive hard disk space, and so on) that does nothing more than creating and managing virtual machines. A Type II hypervisor, on the other hand, is merely a software application that is used on a host with an existing operating system to manage resources and to interact with a guest operating system, the virtual machine itself.
Examples of popular Type I hypervisors include VMware’s ESX and Microsoft’s Hyper-V.
Well-known Type II hypervisors include VirtualBox from Oracle and VMware’s Workstation and Player products.
Most of the same forensic tools used for physical systems can be used with a virtual system. The same types of tools can be used to acquire disk images and memory contents as well as analyze them. There are some specialized tools, however, that are designed to work outside of the confines of the guest operating system. These are designed to locate artifacts that may be part of the hypervisor for the virtualized environment, as many specific attacks target the hypervisor itself in a virtualized infrastructure. Exam tip: Understand the differences between the types of hypervisors and how forensics may be performed on virtual machines, using primarily the same types of tools and techniques. Key Forensic Procedures As we discussed earlier, there is key foundational knowledge you should have as part of your incident response training. A basic understanding of evidentiary procedures and legal processes is necessary. The actual hands-on experience of acquiring data and analyzing it is also needed. You will get this training and knowledge from incident response training courses as well as experience during an exercise or actual event, but there are also other key pieces of knowledge you need to have that we will cover here as part of the exam objectives.
They include the concepts of a legal hold, evidence hashing, carving, and data acquisition.
Understand that by no means is this a complete list of the skills you’ll need for an actual incident response when it comes to forensic acquisition and analysis of evidence. If you’re going to be a part of an actual incident response team, you’ll have to move to the next level after the CySA+ exam to gain the necessary knowledge and skills to fully respond to an incident. Legal Hold Legal hold means that the organization must simply make every effort to preserve all sources of evidence for an incident, including any media on the host and the contents of RAM, log files from network security devices, and so on. This makes sense, but many organizations believe that after an incident, as part of their cleanup, they can simply reimage a drive or archive the logs. Additionally, during normal business operations, computers are retired, hard drives are destroyed, and the organization goes on with its daily business life. A legal hold is necessary to make sure that special efforts are made to preserve any evidence that may be relevant to the incident. As part of the legal hold process, all evidence obtained from a host, as well as the host itself, its media, and any network-related evidence (even sometimes the network devices themselves), must be kept secured in storage, and access to the same must be controlled. All evidence items must be inventoried, and all documentation regarding evidence, such as evidence inventory, chain of custody, and so on, must be turned over to the legal department. Normally it is a legal department that will direct you to place evidence items under legal hold in the first place, pending an investigation. Legal hold can sometimes have a serious impact on the organization, in that while evidence items, including devices, are on hold, they cannot be used as part of the infrastructure. For a single host, this isn’t necessarily a large impact; you can simply issue out another machine to a user. If it involves several hosts, that could impact the ability of the organization to provide computers for its users. If the device is a network device, which may have to be removed from the network and stored under a legal hold directive, that could have a serious impact on the organization that must replace that device or re-architect the network around it. Another issue with legal hold is that in the event of a law enforcement investigation and subsequent court case, the hold could last for weeks or months, effectively making it so that the organization has to maintain secure storage for that evidence for an indefinite period, and not have that asset as part of its usable inventory. Hashing Remember from your cryptography studies that one of the primary uses of hashing is to prove the integrity of a file. Hashes are essentially fingerprints of a file, not the entire file itself, that are derived by a mathematical algorithm. A hashing algorithm computes a hash from a file that should be the same every time that hash is computed. If it is different at any point, then it can be assumed that the file has lost its integrity because it has been modified in some manner. Popular hashing algorithms include MD5 and the SHA family of algorithms.
Hashing is also used to determine the integrity of evidence. Digital files acquired as part of the evidence collection process are hashed when they are collected, and those hashes are recorded. During the process of analyzing, storing, and transferring evidence, those hashes are regenerated frequently at different points of the investigation to ensure that the evidence’s integrity has been maintained and that those files have not been changed. You could hash a single file, a compressed set of files, an encrypted file, or even an entire disk image. Whatever hashes are generated with your hashing algorithm and utility must be the same every time that hash is generated, or it can be assumed that the evidence has been contaminated and is no longer useful for the investigation. Data Acquisition Data acquisition is a critical part of computer forensics. During this activity, digital evidence artifacts, such as files, are “acquired” for analysis. Assuming you have seized the physical evidence, such as a hard drive, the next step is to forensically duplicate the evidence. The reason for this is that you do not want to perform any analysis on the original evidence since you will likely change its integrity the second you plug the drive into a computer or access any of the files on the media.
Forensic duplication is called imaging, and you can image a hard drive or other media device through software or hardware. Software imaging requires a special program or utility that can take a bit-by-bit exact copy of the evidence item and forensically duplicate it in every way. This includes not only the obvious viewable files in the directories on the evidence item but also deleted files, file fragments, slack space (unused or unallocated space on the drive), directory structures, and file tables. Using software to image a drive requires that the imaging program reside on an operating system; unfortunately, during normal operations, data may be inadvertently written to the original media. That’s where a write blocker comes in. Write blockers are devices that sit between the original media and the connection to the host you are using to image the media. Write blockers should be attached to the original media through a cable to prevent data from being sent to the media. Any data sent to the media, even if it is only control data that an operating system sends during routine activities, could change the original media. Hardware imaging performs the same function but generally does not require software or a dedicated computer host. It performs its functions based on firmware embedded in the hardware imager, often offering a very limited user menu that performs specific functions. Hardware imaging is much faster and generally considered more efficient. It can also be safer in that most hardware imagers have built-in write blockers that can prevent any data from being written to the original media, ensuring that its integrity is not changed. When you’re imaging media, it’s a best practice to make two forensically exact copies. The first copy is used to create other copies. It is never analyzed, and neither is the original media. A secondary copy is used to perform the actual analysis. If, for some reason, the analysis disturbs the integrity of the evidence on the secondary copy, or mistakes are made during that analysis, you can always make a copy of the first copy without going back to the original evidence and risking the possibility of changing its integrity. Note: Data can be acquired not only from fixed media such as a hard disk or USB stick but also from the contents of RAM. For data acquisition, RAM can be treated just like fixed media, as long as its contents are forensically acquired and duplicated while there is active power to the host. This must occur during a live response before the host is powered down or removed from the crime scene. Data Carving Data carving is the science (and some would say, the art) of locating and pulling usable files or artifacts out of a large, otherwise unintelligible block of data. This would include deleted files, file remnants in slack space, and so on. Data carving is part of the forensic analysis process and is performed after an evidence item, such as a hard disk, is imaged. Remember that you do not want to perform any analysis on the evidence item itself; usually, this is done on a secondary copy. That way, if the evidence is disturbed in any way from its original integrity in a way that can’t be justified, you still have the original copy of the evidence item to duplicate and start over with again.
There many different file-carving utilities out there; some of them are standalone utilities and some are part of a larger forensic analysis suite, such as those that come with the popular commercial forensic application Forensic Toolkit (FTK) by Access Data, or Encase, another widely used commercial forensic suite.
You can also find native command-line tools in specific Linux distributions such as Kali. What all these have in common is that they allow you to locate characteristics of specific files, such as file headers and the logical beginning- and end-of-file segments.
For example, if a suspect has deleted a JPEG file, as long as that file has not been overwritten during the normal course of file operations on the hard drive, a forensic analyst might be able to find the file, or even a partial segment of the file, based on the characteristics of a standard JPEG file. Most of this data is viewed in a hexadecimal format and translated into something that the analyst can visually see and use. The data-carving part comes from knowing where a file begins and ends in the massive unorganized block of data that may be remaining in the file system.
Once an artifact has been located, it can usually be “carved out” with the carving utility and restored as a viable forensic artifact that can be used as evidence during an investigation. Exam tip: Understand the different key forensic procedures from the objectives that you must know for the exam. They include legal hold, hashing, data acquisition, and data carving. REVIEW Objective 4.4: Given a scenario, utilize basic digital forensics techniques In this module, we discussed a very important part of incidents response, which is forensic investigations and their processes and procedures. Although basic forensic knowledge and skills can be used to initially preserve and protect evidence, you must have more advanced knowledge and experience to become a full-fledged and qualified forensic investigator.
The foundational knowledge you should have includes an understanding of evidence preservation and how a chain of custody works, and you should be able to perform basic forensic procedures, such as securing the crime scene.
Network forensics is very important because almost all data travels over the network at some point. The key to network forensics is observing and collecting network traffic for further analysis. There are several utilities you can use for this, including Wireshark and tcpdump, which are both indispensable utilities in traffic capture and analysis. Endpoint or host device forensics is concerned with collecting forensic artifacts from either permanent storage or active memory. You must be careful not to disturb the integrity of either source of evidence. Memory must be acquired using live response techniques, typically with specialized hardware or software. We also took a look at mobile forensics, which involves acquiring and analyzing data from a wide variety of mobile devices, including smartphones, tablets, laptops, and cameras. The key to mobile device forensics is that you will typically use specialized hardware and software tools due to the wide variety of manufacturers, operating systems, file systems, and hardware. You should also be careful to consider privacy with personally owned devices. You learned about cloud forensics considerations, in that because the cloud is a shared infrastructure, you won’t always have the ability to perform a full incident response or forensic investigation. Cloud forensics relies heavily on how the cloud provider contract is written, which will delineate the different responsibilities and allowed actions of both the organization and the cloud service provider. Virtualization is a technology that requires special attention during incident response and forensics. Virtual machines run as guests on a host operating system, which can be a Type I or Type II hypervisor, depending on the scalability and hardware resources of the host server. For the most part, the same tools and techniques used to perform forensic analysis on physical networks and hosts are used with virtual devices, with the exception that some specialized tools might be needed to look at specifically designed hypervisor attacks. Virtual machines make forensic processes and procedures much easier, simply because virtual devices are typically stored as static files when not in use and can be quickly backed up, reconstituted, or forensically duplicated. Finally, we discussed some key forensic procedures you need to know for the exam. These are not all the forensic procedures you will need to know to conduct an actual forensic analysis on data recovered from incident response, but they will help you on the exam and in the field. You learned about the process of a legal hold, where an organization is directed by the legal department to securely store and preserve potential digital evidence during an investigation. We discussed the concept of hashing and how it relates to maintaining the integrity of forensic evidence by producing a digital fingerprint of both files and images that can tell you if the integrity of those artifacts has been violated or disturbed. Data acquisition is the process of gathering digital evidence by imaging media as well as analyzing it. Data carving is a process where a forensic analyst attempts to “carve out” digital artifacts from a mass of unorganized or unrecognizable data, sometimes from the media’s free or slack space.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.