280 likes | 653 Views
System Forensics, Investigation, and Response Chapter 7 Collecting, Seizing, and Protecting Evidence. Learning Objective and Key Concepts. Learning Objective Examine the evidence life cycle. Key Concepts Differences between data and evidence Types of evidence
E N D
System Forensics, Investigation, and Response Chapter 7 Collecting, Seizing, and Protecting Evidence
Learning Objective and Key Concepts Learning Objective • Examine the evidence life cycle. Key Concepts • Differences between data and evidence • Types of evidence • Chain of custody requirements • Collection, transportation, and storage of evidence
Evidence Collection • Freeze the scene. • Comply with the five rules of evidence. • Minimize handling and corruption of original data. • Proceed from volatile to persistent evidence. • Don’t run any programs on the affected system.
Evidence Collection (Continued) • Account for any changes and keep detailed logs of actions. • Do not exceed current knowledge. • Follow local security policy. • Be prepared to testify. • Ensure that actions arerepeatable.
Evidence Transport • Shut down computer • Document hardware configuration • Document all evidence handling • Pack evidence securely
Evidence Transport (Continued) • Photograph or videotape the scene from premises to transport vehicle. • Photograph or videotape the scene from vehicle to lab. • Transport computer to a secure location.
Evidence Protection and Storage • Keep evidence in possession or control at all times. • Document movement of evidence between investigators. • Secure evidence appropriately so that it can’t be tampered with or corrupted. • Mathematically authenticate data. (i.e., hash values)
Evidence Analysis • Make a list of key search words. • Work on image copies, never originals. • Capture an image of the system that is as accurate as possible, such as bit-stream backup. • Evaluate Windows swap file, file slack, and unallocated space.
Evidence Analysis (Continued) • Identify file, program, storage anomalies • Evaluate program functionality • Document findings • Create a case • Retain copies of software used
Locating Data in Access Logs • Manually review logs, or • Use a log analysis tool
Locating Data in Transmissions • For backed up data: • Mirror to removable media with validation by system administrator • For live data: • Uses packet sniffer or packet capture tool
Locating Data on Hard Disks and Storage Devices • Mirror to stable media • Use recovery software • Use data reconstructionsoftware
Technical Issues • Life span of data • Collecting data quickly • Collecting bit-level data • Obscured data • Anti-forensics
Types of Potential Evidence • Logs • Windows swap files and file slack • Unallocated space and temporary files • E-mails, word processing documents, and spreadsheets • Network data packets
Summary • Differences between data and evidence, and valid and invalid data • The rules of evidence • Chain of custody requirements in evidence handling • Methods for collection or seizure, transport, protection and storage, and analysis of evidence