Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Security SY0-601 Exam: The Basics of Digital Forensics
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-the-basics-of-digital-forensics

CompTIA Security SY0-601 Exam: The Basics of Digital Forensics

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~22 min read

Objective: Explain the key aspects of digital forensics.

Topics:
- legal hold
- chain of custody
- time offset
- order of volatility
- preservation
- e-discovery
- non-repudiation
- strategic intelligence/counterintelligence

Forensics is the process of preserving evidence and collecting data. During the process, the following actions should be performed:
- Document an investigation from initial notification through conclusion.
- Locate data and any devices of potential evidentiary value.
- Identify data of interest.
- Establish an order of volatility to identify the first level of data capture desired.
- Eliminate external mechanisms of modification.
- Collect all data of potential evidentiary value.
- Create forensic duplicates of data for review.
- Store original data and devices in a manner that preserves integrity.
- Perform forensic evaluation and document findings (or lack thereof).
- Report findings as appropriate.

With information systems, forensics relates to both e-discovery and data recovery. E-discovery concerns the discovery of electronically stored information. Data recovery involves retrieving lost or corrupted data from media when it is otherwise inaccessible by typical means. During the forensics process, many of the requirements and methods are related to e-discovery and data recovery. The former is particularly important because incidents are often a part of legal matters. Data recovery is commonly associated with common failures (such as hard drive crashes), and the forensics process also involves data recovery when data might have been deleted or encrypted.
From a forensics standpoint, preservation is a common theme, especially preservation of evidence for use in legal proceedings.

Data Breach Notifications
A data breach is often the reason for a forensic investigation. As a result, it’s important for an organization to understand regulatory laws. Furthermore, international regulations are increasingly important as a company does more business globally. Because outsourcing and the cloud are commonly used, companies of all sizes should be concerned about data breaches. Most violations are handled by management, the information technology team, and the human resources department. Civil and criminal violations aren’t only a corporate or organizational matter; they are also a governmental matter outside the organization. Likewise, data breaches may also need to be governed outside the organization. A policy statement should include the jurisdiction and data residency requirements for an organization. Organizations partnering with third parties, such as those offering cloud services, need to understand their right to audit the service provider and what happens following a data breach.
The first data breach notification law in the United States was California’s S.B. 1386, a bill that was enacted in August 2002 and put into effect in July 2003. Almost all U.S. states and territories now have enacted breach notification laws that require organizations to notify consumers whose personal information has been compromised. Beyond state and federal data breach notification, organizations formed in the United States are also bound by laws related to the protection and proper disclosure of data.

Organizations that operate on a multinational level generally must comply with both national and international regulations. For example, U.S. entities that have data transactions within the European Union (EU) need to meet General Data Protection Regulation (GDPR) requirements. Because some of the GDPR provisions are stricter than U.S. laws and regulations, initial organizational data protection standards might not be strong enough to comply with EU regulations.

For example, U.S. organizations must be aware of these international privacy laws, among others:
- Australia: Privacy Act and Privacy Amendment Act
- Canada: Personal Information Protection and Electronics Document Act
- United Kingdom: Data Protection Act
- EU: Privacy Directive
- Japan: Computer Processed Personal Data Protection Act
- Germany: Federal Protection Act

Different countries have different approaches to notifying customers. This is especially important in a global economy. Notification of affected customers should be addressed in an organization’s incident response plan. If an organization resides in an area that is not subject to a specific notification law, the organization should adhere to common law liability and treat each incident on a case-by-case basis. In addition, state and provincial laws might require compliance.
National laws and federal regulations supersede state and provincial laws.
Regulations can affect many aspects of security planning, investigations, and forensics. For example, changes to the Federal Rules of Civil Procedure (FRCP) made requests for electronic data a standard part of the discovery process in federal lawsuits. This means that an organization needs to have a record-retention policy.
It is imperative to know the legal ramifications of any incident that occurs. Be sure to check the state laws concerning privacy, liability, and spam. Consider an example of what can happen. Imagine that your state has a strict antispam law. The company email server was misconfigured and has an open relay that allows it to be used for spamming purposes. A spammer sends email on the price of gasoline in Europe to 500,000 people. This could prove fatal to the company. First, all email would cease. Your ISP would put the company’s IP address on the spammers’ list. The open relay would have to be fixed and validated before you could send any email. You would be reported for spamming and fined $10 per email. This could put your company out of business. The company likely would have insurance, but there’s a good chance the insurance company would not cover this type of incident.
Finally, compliance with laws and regulations comes into play during complex third-party relationships. As part of a comprehensive monitoring program, an organization should periodically conduct regular assessments of business relationships to verify that all third parties conform to laws, regulations, and established policies and procedures.

Strategic Intelligence/Counterintelligence Gathering
The forensics process places heavy emphasis on proper preservation and collection.
Incidents such as a breach might require further intelligence gathering and counterintelligence. Considering the complexity of computer systems, after a breach occurs, it is necessary to make sure that attackers do not still have footprints in the organization. For example, attackers could remain active within the environment or might have placed persistent threats for subsequent access. Active logging is a common intelligence gathering tool used during the forensics process. Active logging cannot tell you what happened in the past, however: It can only examine what has happened since it was put into operation.
Many organizations have strategic intelligence and counterintelligence capabilities in place already. Forensically, these capabilities are similar to those of a DVR system for video recording: Investigators can easily replay what happened across the computer networks. Considering counterintelligence is also important when using such tools. The forensics process might seek to keep adversaries from knowing they are being monitored.

Track Person-hours
The cost of a forensic investigation can run into thousands of dollars. As soon as the work proposal or court order is executed, person-hours tracking and administrative work begin. Costs are an important part of project planning. Calculating the number of person-hours and other related expenses provides a way to estimate that investigation costs are within the budgeted amount. The costs include the acquisition, investigation, and reporting of time and expenses. An organization needs to assess the costs of an investigation against the potential benefits to determine whether the investigation would be cost-effective and technically feasible.

Order of Volatility
When a potential security breach must be reviewed, the digital forensics process comes into play. Data of potential evidentiary value can be stored in many different forms in a subject system. Some storage locations preserve the data even when a system is powered off, whereas others hold data for only a brief interval before it is lost or overwritten. Even the process of evaluation can modify or overwrite these volatile storage areas. Shutting off a running system might completely wipe all data stored in active memory. In some cases, evidence that is relevant to a case might exist only temporarily.

Evidence collection should follow the order of volatility. Specifically, during the collection process, the forensics team should proceed from the most volatile evidence to the least volatile pieces. Evidence can be lost when a computer is powered down. If you can capture volatile data before you unplug the computer, you can get a snapshot of the system at the time you arrived on the scene. You should collect the following information:
- System date and time
- Current network connections
- Current open ports and applications listening on those ports
- Applications currently running

Data capture is highly dependent on the order of volatility, in which the capture and examination of more durable storage can eliminate data of potential evidentiary value at more volatile levels.

Consider the order of volatility for a typical system:
Registers and caches:
Data stored within the CPU’s registers and cache levels. This data might remain for only nanoseconds before it is overwritten by normal system operations.
Routing and process tables: Data stored within networking and other active devices. Ongoing operations can modify this data externally.
Kernel statistics: Data regarding current kernel operations. This data can be in constant transit between cache and main memory.
Main memory: Data stored within the system’s RAM storage.
Temporary file systems: Data stored within elements of system memory allocated as temporary file storage, such as a RAM disk, or within virtual system drives.
Secondary memory: Data stored in nonvolatile storage, such as a hard drive or other form of media that retains data values after a system shutdown.
Removable media: Nonvolatile removable media such as backup tape storage media.
Write-once storage: Nonvolatile media that is not subject to later overwriting or modification, such as CD-Rs, DVD-Rs, and printouts.
Order of volatility demands that evidence be collected first from the most volatile systems (such as registers and caches) and later from the least volatile systems (such as archival media). Be sure that if you are presented with a list like the preceding one, you are able to put them in the correct order of volatility.

Chain of Custody
The chain of custody provides a clear record of the path evidence takes from acquisition to disposal.
This concept establishes provenance and is critical to the integrity of the forensics process. Provenance marks an origin and records ownership even as possession changes. It provides for authenticity and non-repudiation by clearly establishing the origin and proof of custody.
Cloud environments present great challenges to determining provenance, particularly as the infrastructure hardware is in physical locations unknown by and not managed by the end consumer. As a result, the data available within the cloud environment and the provenance of the data are crucial. In particular, metadata about the data objects and user interactions may provide origin and other historical clues for forensic investigations.

Key to any form of forensic investigation is adherence to standards for the identification, collection, storage, and review of evidence. It is important to create a log of all actions taken, including any inferences and causative details used to identify data of potential evidentiary value. This log should support the chain of custody for any evidentiary data, as well as track person-hours, expense, details of identification, and contact data for any witnesses and statements provided during an investigation. For evidence to be useful, it must have five properties:
- Admissible: Evidence must be usable in court or within an organization’s practices. It must follow all appropriate legal requirements and guidelines for identification, acquisition, examination, and storage.
- Authentic: Evidence must be proven to relate to the incident, and any changes must be accounted for in evidence review logs.
- Complete: In addition to data of evidentiary value, evidentiary gathering must include both directly related data (for example, logging details of the suspect’s login) and indirectly related data (for example, a list of all accounts logged into a server when an attack occurred).
- Reliable: Evidentiary identification, acquisition, review, and storage practices must ensure that the data remains authentic and unmodified to the best extent possible, based on the data’s order of volatility.
- Believable: Evidence must be clear and easy to understand, and it also must be related to the original binary or encrypted data through a process that is clear, documented, and free of manipulation during transition. Raw hexadecimal data is difficult for juries to review, but a chart illustrating the same information must represent the evidentiary data in a manner that another forensic analyst can replicate with the same end result.
Forensics requires vast knowledge of computer hardware, software, and media to protect the chain of custody over the evidence, avoid accidental invalidation or destruction of evidence, and preserve the evidence for future analysis. Computer forensic review involves applying investigative and analytical techniques to acquire and protect potential legal evidence. Therefore, a professional in this field needs to have a detailed understanding of the local, regional, national, and international laws affecting the process of evidence collection and retention, especially in cases involving attacks waged from widely distributed systems located in separate regions.

The practice of forensic analysis is a detailed and exacting one; precise actions must be taken during an investigation. Investigative tasks must not be attempted without training in the hardware, software, network, and legal issues involved in forensic analysis.

Consider the major concepts behind computer forensics:
- Identify the evidence.
- Determine how to preserve the evidence.
- Extract, process, and interpret the evidence.
- Ensure that the evidence is acceptable in a court of law.

Each state has its own laws that govern how cases can be prosecuted. For cases to be prosecuted, evidence must be properly collected, processed, and preserved. Whereas the corporate world tends to focus on prevention and detection, law enforcement focuses on investigation and prosecution.
Forensic analysis involves establishing a clear chain of custody over the evidence. This relates to the documentation of all transfers of evidence from one person to another, including the date, time, and reason for the transfer and the signatures of both parties involved in the transfer. In other words, it tells how the evidence made it from the crime scene to the courtroom, including documentation on how the evidence was collected, preserved, and analyzed. Every time data of possible evidentiary value is moved, accessed, manipulated, or reviewed, the chain of custody must be maintained, and actions must be logged. Forensic analysis of information might require further law enforcement action, depending on findings and evidentiary data of interest.
As an organization places more data on infrastructures that the organization does not own, security and forensic processes and tools require revaluation to properly protect data and gather forensic evidence.
If you are asked to testify about data that has been recovered or preserved, it is critical that you, the investigating security administrator, be able to prove that no other individuals or agents could have tampered with or modified the evidence. This requires careful collection and preservation of all evidence, including the detailed logging of investigative access and the scope of the investigation. Defining the scope is crucial to ensure that accidental privacy violations and unrelated exposure do not contaminate the evidence trail. After data is collected, you must secure it in such a manner that you, the investigating official, can state with certainty that the evidence could not have been accessed or modified during your custodial term.
Proper chain of custody helps ensure that evidence is handled correctly and strictly secured. For evidence to be useful, it must be admissible, authentic, complete, reliable, and believable.

Data Acquisition
Prior to data acquisition, the legal hold process ensures that anything that might be relevant to a legal matter is not destroyed. An organization should have a legal hold process to perform e-discovery to preserve and gather such information. A legal hold is an important part of the forensics process during an information breach.

Data acquisition is an important concept that relates to the forensics process. Data acquisition involves gathering data or copying data to an image or other media. Special forensics systems can assist with the process and ensure that the original source media is not modified in any way. Proper data acquisition is vital to ensure completeness and accuracy. It also ensures that the process cannot be repudiated.

The data acquisition process includes gathering and capturing the following:
- System images
- Network traffic and logs
- Video
- Time offset
- Hashes
- Screenshots
- Witnesses

The following sections look at these aspects of data acquisition in more detail.

Capture System Images
The capture of a system image is essentially the creating of a duplicate copy of the media being captured. This often includes capturing individual components such as a memory card, device firmware, or an entire disk drive that contains an operating system (OS), files, and other digital artifacts. These artifacts include items that are not readily available and that may provide clues to previous actions, including items such as those stored in volatile memory, running processes, open network sockets, cached data, and deleted and hidden data.
Drive imaging can be performed in several ways: from the disk to the disk image, from the disk to an image file, and from an image file to a disk. A forensic image is a snapshot of a system that is meant to be analyzed and preserved. On the other hand, a duplicate copy, also known as a clone, is created when the system may be modified in the course of a working investigation.
Regardless of whether direct device-to-device copies of the media or forensic evidence copies are created for examination, the process should be forensically sound. Examination of the media should be conducted in a forensically sound environment—that is, an environment over which the examiner has complete control. You can use a full system image to further examine data in an operational state, although you must put protections in place to prevent external communication through wired and wireless connectivity; it is important to guard against external manipulation and also against the risk that a suspect will be alerted. When available, use a write-blocking device to access the suspect media to capture a system image. You can use software or hardware write blockers. A software write blocker stops any operating system write operations from modifying the media. A hardware write blocker is a physical device that sits between a drive and a controller card.
Data storage should be duplicated using verified forensic utilities. Then only the duplicate should be reviewed in subsequent investigations to protect the original from modification or corruption. Virtual machine (VM) images are acquired either by using tools specifically designed to capture a VM environment or by using built-in vendor tools. System images can usually be easily validated from a forensics standpoint. Other environments are more challenging (for example, big data environments that contain unstructured data spread across diverse environments).

Capture Network Traffic and Logs
Analysts can use data from network traffic to reconstruct and analyze network-based attacks. When deciding what evidence to capture, first identify potential sources where the breach might have occurred in the networking environment. These resources typically include network traffic and files. After identifying the resources, gather the log files that capture network traffic flows for management devices, servers, workstations, and wireless and mobile devices. Network traffic data is usually recorded to a log or stored in a packet capture file; an examiner can collect the logs along with the packet capture.
Remote access logging occurs on the remote access server or the application server, but in some cases, the client also logs information related to a connection. Each system has a unique method for tracking and logging access, so capturing all related log files is important. Keep in mind that collecting network traffic can pose legal issues, especially if you must capture information that involves privacy or security implications. If logs will be needed as court evidence, an organization might want to collect copies of the original log files, the centralized log files, and interpreted log data in case questions arise about the accuracy of the copying and interpretation processes.

Capture Video and Photographs
If at all possible, after an incident occurs, record video of the entry of all persons into the affected area. Recording the entrance of a forensics team into the area helps you refute claims that evidence was planted at the scene. You might also want to take photographs of the evidence and make notes at the scene. For example, in the event of an intrusion, you might want to take a photograph of a monitor. If the computer will be dissembled onsite for imaging, pictures of the computer should be taken from all angles to document the system hardware components and how they are connected. Carefully photograph the inside of the machine and note the serial number, internal drives, and peripheral components. Label the evidence and then photograph the evidence again after you attach the labels. It might be a good idea to use a 35 mm camera for your photographs. Digital images are easy to manipulate, and film negatives can validate the pictures if questions arise over whether the images were altered. Ideally, one person should handle the documentation while another person handles the evidence. You want to be able to prove that you did not alter any of the evidence.
You can find valuable evidence about physical access in recordings from closed-circuit television (CCTV) systems and other video systems. However, some organizations must deploy adequate signage to state whether camera systems are monitored or merely present for later prosecution of wrongdoing. For example, individuals expecting live monitoring of security cameras might signal to the cameras for assistance during an emergency; in the absence of proper signage, they might be able to later sue the organization. Some CCTV systems might employ non-visible-spectrum cameras, such as thermal imaging systems that can spot heat blooms and body heat sources even when those sources are otherwise concealed. CCTV systems should be configured to observe access paths and location areas without displaying data, password entry, and similar details.

Record Time Offset
Records should be kept on all data and devices collected, including details such as system time offset from a verified time standard (for example, using NTP), nonstandard hardware or equipment configurations, and video codecs available for video manipulation and running services (if the system is in operation). Recording the time offset is critical to an accurate examination when dates and times are at issue, and it should be done at the beginning of any examination.
Keep in mind that just because a computer was seized in a particular time zone does not mean that it is configured for that time zone. Computers can be moved from one zone to another, can be incorrectly configured, and can be deliberately altered, so the time and time zone offset might not be accurate. When computers are examined, their date and time settings should be recorded and compared with the current time to calculate the difference between the two. This difference can then be used as an offset and applied to all the time evidence on the computer. For example, when a computer that is imaged in Mountain Standard Time is analyzed with a tool that is in Eastern Standard Time, the time zone is adjusted to accurately reflect the time of the imaged drive. To resolve these issues, you need to know the machine’s BIOS time and the time zone offset for which it is configured so that you can apply the correct time zone offset to your case. The time zone offset in Windows operating systems is stored in the registry.
Time offset adjustments cannot reveal anything about the accuracy of the events on a computer. The time offset adjustment establishes only the accuracy of the date and time record of the device when it was acquired.

Take Hashes
You should generate checksums or hashes of all data and applications before and after any in-depth analysis is performed to validate that the forensic analysis has not produced unexpected modifications of evidentiary data. After a drive has been imaged, a hash value of the image should be taken and compared against the hash of the original drive. Matching hashes provide for non-repudiation and ensure that you did not change anything.
The most common method of taking a hash of a drive is to calculate a hash of the entire drive. Most forensic tool sets include a utility to calculate either a cyclic redundancy check (CRC) or a Message Digest 5 (MD5) hash value. Other valid methods are available to generate a single value for a file or collection of files, but the CRC and MD5 hash values are the most common. Each of these algorithms examines the input and generates a single value. Any changes to the input result in a different value.
After you have ensured the physical integrity of the media, you can mount the media and access it in read-only mode. It is important that you explicitly separate the suspect media from other media during any access to the data. The only safe way to ensure that nothing changes the data on the drive is to use trusted tools to access the media only once. The only reason to directly access suspect media is to copy it for analysis.

Capture Screenshots
You should capture screenshots during the investigation and include them in forensic documentation for later reporting or testimony of the process and resulting findings. These screenshots should supplement photographs of the scene prior to evidence gathering and video of the collection and analysis process. Whenever possible, you should capture and preserve network traffic and logs to aid in the identification of related processes, remote virtual storage systems, and distributed computing functions that might relate to the investigation.

Collect Witness Interviews
Witnesses are an important part of any crime investigation. An investigator who interviews anyone as part of the investigation should create a list of the persons interviewed, including their names, email addresses, and what they saw (when, where, and how). The interviewer should minimize physical distractions such as noise or the presence of other persons. Witnesses should be encouraged to volunteer information without prompting. In cases such as the release of malware, denial-of-service (DoS) attacks, or theft of information, it is sometimes possible to obtain more information than expected just by asking. An interviewer may even end up with a confession if the threat came from an insider.
Be certain you know what items need to be acquired during the forensics process: system images, network traffic and logs, videos, time offset, hashes, screenshots, and witness interviews.

Quiz questions:
1. Organize the following items from the most volatile to the least volatile: removable media, main memory, hard drive, and cache. A. Removable media, main memory, hard drive, cache B. Main memory, hard drive, main memory, cache C. Cache, main memory, hard drive, removable media D. Cache, hard drive, main memory, removable media
2. What are the five properties required for evidence to be useful? A. Objectionable, authentic, closed, mendacious, and genuine B. Didactic, authentic, complete, reliable, and believable C. Admissible, spurious, contrived, untried, and questionable D. Admissible, authentic, complete, reliable, and believable
3. Evidence from a recent breach consists of marked tags that indicate who was in possession of evidence on a given date and time. Which of the following does this represent? A. Chain of custody B. Time offset C. Data acquisition D. Order of volatility

Answer 1: C. The correct order, from most volatile to least volatile, is cache, main memory, hard drive, removable media. Keep in mind that a hard drive is considered secondary memory. Answers A, B, and D are incorrect.
Answer 2: D. For evidence to be useful, it must have five properties: admissible, authentic, complete, reliable, and believable. Answers A, B, and C list incorrect choices.
Answer 3: A. The chain of custody provides a clear record of the path evidence takes from acquisition to disposal. Answer B is incorrect because time offset is recorded against a verified time standard. Answer C is incorrect because data acquisition is specific to gathering data or copying data to an image or other media. Answer D is incorrect because the order of volatility has to do with first capturing the data that is most volatile.



ADVERTISEMENT