
System Forensics, Investigation, and Response Chapter 7

Presentation Transcript


  1. System Forensics, Investigation, and Response Chapter 7 Collecting, Seizing, and Protecting Evidence

  2. Learning Objective and Key Concepts
     Learning Objective
     • Examine the evidence life cycle.
     Key Concepts
     • Differences between data and evidence
     • Types of evidence
     • Chain of custody requirements
     • Collection, transportation, and storage of evidence

  3. DISCOVER: CONCEPTS

  4. 5 Rules of Evidence

  5. DISCOVER: PROCESS

  6. Evidence Life Cycle

  7. Evidence Collection
     • Freeze the scene.
     • Comply with the five rules of evidence.
     • Minimize handling and corruption of original data.
     • Proceed from volatile to persistent evidence.
     • Don’t run any programs on the affected system.

  8. Evidence Collection (Continued)
     • Account for any changes and keep detailed logs of actions.
     • Do not exceed your current knowledge.
     • Follow local security policy.
     • Be prepared to testify.
     • Ensure that actions are repeatable.

  9. Evidence Transport
     • Shut down the computer.
     • Document the hardware configuration.
     • Document all evidence handling.
     • Pack evidence securely.

  10. Evidence Transport (Continued)
     • Photograph or videotape the scene from premises to transport vehicle.
     • Photograph or videotape the scene from vehicle to lab.
     • Transport the computer to a secure location.

  11. Evidence Protection and Storage
     • Keep evidence in possession or control at all times.
     • Document movement of evidence between investigators.
     • Secure evidence appropriately so that it can’t be tampered with or corrupted.
     • Mathematically authenticate data (e.g., with hash values).

  12. Evidence Analysis
     • Make a list of key search words.
     • Work on image copies, never originals.
     • Capture an image of the system that is as accurate as possible, such as a bit-stream backup.
     • Evaluate the Windows swap file, file slack, and unallocated space.
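Slides 11 and 12 together describe the practice that makes "work on copies, never originals" defensible: hash the original, prove the working copy hashes identically, re-verify the copy every time it is picked up, and write each of those steps to a chain-of-custody record. The following is an added example (not part of the slide deck or its textbook) showing that workflow in Python on a constructed sample file in a temporary directory; the evidence id `E001`, the handler names and the JSON-lines log layout are assumptions for illustration.

```python
"""Evidence integrity and chain-of-custody record (added example, not from the slides)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # stream images 1 MiB at a time so a large image never has to fit in memory
ALGORITHMS = ("md5", "sha256")  # record two digests so the record is useful to tools that expect either


def _digest_chunks(chunks, algorithms=ALGORITHMS):
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory buffer (small artefacts, tests)."""
    return _digest_chunks([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Digest a file on disk without reading it all at once."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""), algorithms)


class CustodyLog:
    """Append-only JSON-lines log: who did what to which item, when, and what it hashed to."""

    def __init__(self, path):
        self.path = path

    def record(self, evidence_id, handler, action, digests):
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "evidence_id": evidence_id,
            "handler": handler,
            "action": action,
            "digests": digests,
        }
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def acquire_working_copy(original, working_copy, evidence_id, handler, log):
    """Hash the original, copy it, and refuse to proceed unless the copy hashes identically."""
    expected = hash_file(original)
    log.record(evidence_id, handler, "hashed original", expected)
    shutil.copyfile(original, working_copy)
    actual = hash_file(working_copy)
    if actual != expected:
        log.record(evidence_id, handler, "working copy verification FAILED", actual)
        raise ValueError("working copy does not match original")
    log.record(evidence_id, handler, "working copy verified", actual)
    return expected


def verify_before_analysis(path, expected, evidence_id, handler, log):
    """Re-hash a working copy each time it is picked up; any change means it is no longer trustworthy."""
    actual = hash_file(path)
    ok = actual == expected
    log.record(evidence_id, handler, "pre-analysis check " + ("passed" if ok else "FAILED"), actual)
    return ok


def demo():
    """Run the workflow on a constructed 'image' in a temp dir and report what happened."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    try:
        original = os.path.join(workdir, "E001.dd")
        copy = os.path.join(workdir, "E001-working.dd")
        with open(original, "wb") as fh:  # constructed sample bytes, not a real disk image
            fh.write(b"\x00" * 4096 + b"constructed sample evidence\n" + b"\xff" * 512)
        log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
        expected = acquire_working_copy(original, copy, "E001", "examiner-1", log)
        first = verify_before_analysis(copy, expected, "E001", "examiner-2", log)
        with open(copy, "ab") as fh:  # simulate an accidental write to the working copy
            fh.write(b"x")
        second = verify_before_analysis(copy, expected, "E001", "examiner-2", log)
        return {"first_check": first, "second_check": second, "entries": len(log.entries()),
                "original_intact": hash_file(original) == expected}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second pre-analysis check fails after the simulated write, and the failure itself is logged rather than silently handled: a custody record that only shows successes is of little use when the integrity of a copy is later questioned. The original is never opened for writing after acquisition, which is the point of slide 12's "never originals".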

  13. Evidence Analysis (Continued)
     • Identify file, program, and storage anomalies.
     • Evaluate program functionality.
     • Document findings.
     • Create a case.
     • Retain copies of software used.

  14. DISCOVER: CONTEXTS

  15. Sources for Data of Potential Evidentiary Value

  16. Locating Data in Access Logs
     • Review logs manually, or
     • Use a log analysis tool.
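Slide 16's "log analysis tool" and slide 12's "list of key search words" meet in the simplest useful tool: a parser that reads access-log lines, flags the ones matching the examiner's keywords, and keeps the line numbers so each hit can be cited in the report. The code below is an added example (not from the slides) in Python over a few constructed Common Log Format lines using RFC 5737 documentation addresses; the keywords and the garbage line are constructed too. Lines that do not parse are reported instead of dropped, because a line the tool cannot read is itself something the examiner must document.

```python
"""Keyword search over web server access logs (added example, not from the slides)."""
import re
from collections import Counter

# Common Log Format: client, identd, user, [timestamp], "request", status, size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines (RFC 5737 documentation addresses), not a real log
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/export.php?file=payroll.xlsx HTTP/1.1" 200 51200
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 128
this line is garbage and should be reported, not silently dropped
203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /admin/export.php?file=payroll.xlsx HTTP/1.1" 200 51200
"""


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if the line does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def search_log(text, keywords):
    """Return (hits, unparsed); each hit keeps its 1-based line number for the report."""
    wanted = [k.lower() for k in keywords]
    hits, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append((lineno, line))
            continue
        haystack = line.lower()
        matched = [k for k in wanted if k in haystack]
        if matched:
            hits.append({"line": lineno, "client": rec["client"], "path": rec["path"],
                         "status": rec["status"], "matched": matched})
    return hits, unparsed


def requests_per_client(text):
    """Count parsed requests per client address, a quick view of who touched the server."""
    return Counter(rec["client"] for rec in map(parse_line, text.splitlines()) if rec)


if __name__ == "__main__":
    found, bad = search_log(SAMPLE_LOG, ["payroll", "export.php"])
    for hit in found:
        print(f"line {hit['line']}: {hit['client']} {hit['path']} ({hit['status']}) matched {hit['matched']}")
    for lineno, raw in bad:
        print(f"line {lineno}: could not parse: {raw!r}")
    print(requests_per_client(SAMPLE_LOG))
```

Keyword matching runs over the whole raw line rather than one parsed field so that terms in query strings, user names and timestamps are all searchable; the parsed fields are attached to each hit only to make the report readable.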

  17. Locating Data in Transmissions
     • For backed-up data: mirror to removable media, with validation by the system administrator.
     • For live data: use a packet sniffer or packet capture tool.

  18. Locating Data on Hard Disks and Storage Devices
     • Mirror to stable media.
     • Use recovery software.
     • Use data reconstruction software.

  19. Technical Issues
     • Life span of data
     • Collecting data quickly
     • Collecting bit-level data
     • Obscured data
     • Anti-forensics

  20. Types of Potential Evidence
     • Logs
     • Windows swap files and file slack
     • Unallocated space and temporary files
     • E-mails, word processing documents, and spreadsheets
     • Network data packets

  21. Summary
     • Differences between data and evidence, and valid and invalid data
     • The rules of evidence
     • Chain of custody requirements in evidence handling
     • Methods for collection or seizure, transport, protection and storage, and analysis of evidence
