System Forensics, Investigation, and Response Chapter 6 Controlling a Forensic Investigation
Learning Objective • Procure evidence in physical and virtualized environments.
Key Concepts • Preserving the crime scene • Logical and physical media • Data capture from local media • Legal concerns specific to computer forensics
Considerations When Collecting Evidence • Never change the state of the data • Create an image (write-protect the original; treat the image as read-only) • Analyze the image, never the original (easiest data first) • Avoid losing volatile data, which disappears when power is removed, so capture it before shutting a system down • CPU/RAM • Running processes, network information, … • Maintain or capture the current state of each computer
Preserving the Crime Scene • Photograph the physical configuration • Tag and bag all physical components • Make sure media is write-protected • Transport and store in controlled environments • Keep an accurate chain of custody record • Document all access
Skills of a Forensic Specialist • Understands how hard disks and CDs are structured • Understands the basics of data encryption • Understands data compression • Understands techniques and automated tools used to capture and evaluate file slack • Can apply fuzzy logic tools to determine how a subject computer was used
Skills of a Forensic Specialist (Continued) • Understands how to examine the boot process and memory-resident programs • Knows how to make a backup image of data stored on flash memory media • Applies software tools and methods to identify and retrieve: • Passwords, logon information, e-mail messages, and accounting information • Employs forensic software tools
Capturing Data from Storage Media • Structure of disk • Slack space • Swap files • Unallocated disk space • Boot partition data and hidden vendor partitions • Deleted files and folders • Corrupted files and folders
Capturing Data from Storage Media (Continued) • Use proper tools • “Exact” (bit-for-bit) copies of original data, verified by hashing • Creation attributes (that is, how the data was created)
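The two artifacts on the previous slide that are easiest to overlook, file slack and deleted files sitting in unallocated space, as an added example that is not part of the textbook. The cluster size, the layout of the constructed raw image, and the JPEG/PNG signatures used for carving are assumptions chosen for the demonstration; a real examination would run this against a verified image, not the original medium.

```python
"""Added example (not from the chapter): recover file slack and carve a deleted
file out of unallocated space in a constructed raw disk image.

Assumptions (hypothetical, not from the text): 4096-byte clusters, a flat image
with no real file system, and header/footer carving by magic number only.
"""
import re

CLUSTER = 4096  # hypothetical allocation-unit size

# Well-known magic numbers used for header/footer carving
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Bytes between the logical end of a file and the end of its last cluster.
    That region keeps whatever the cluster held before, so it is collected,
    not discarded."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster


def read_slack(image: bytes, file_start: int, file_size: int,
               cluster: int = CLUSTER) -> bytes:
    """Return the slack area that follows a file whose data begins at file_start."""
    end = file_start + file_size
    return image[end:end + slack_bytes(file_size, cluster)]


def carve(data: bytes) -> list[dict]:
    """Header/footer carving: for each known header, take the nearest footer after
    it.  Directory entries may be gone once a file is deleted; the bytes usually
    are not.  A header with no footer (overwritten or truncated) is skipped here
    rather than guessed at."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), data):
            start = m.start()
            end = data.find(foot, start + len(head))
            if end == -1:
                continue
            end += len(foot)
            found.append({"type": kind, "offset": start,
                          "size": end - start, "data": data[start:end]})
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image() -> bytes:
    """Constructed sample image (not real evidence):
    cluster 0: a live 100-byte text file whose slack still holds a fragment of
               an older file that once occupied the cluster
    cluster 1: unallocated, zeroed
    cluster 2: a deleted JPEG whose directory entry is gone
    cluster 3: a PNG whose footer was overwritten (carving must not claim it)"""
    live = b"A" * 100
    old_fragment = b"OLD SECRET MEMO"
    cluster0 = (live + old_fragment).ljust(CLUSTER, b"\x00")
    cluster1 = b"\x00" * CLUSTER
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 50 + b"\xff\xd9"
    cluster2 = jpeg.ljust(CLUSTER, b"\x00")
    png_no_footer = SIGNATURES["png"][0] + b"P" * 40
    cluster3 = png_no_footer.ljust(CLUSTER, b"\x00")
    return cluster0 + cluster1 + cluster2 + cluster3


if __name__ == "__main__":
    img = build_sample_image()
    print("slack of 100-byte file:", slack_bytes(100), "bytes")
    print("slack contents start with:", read_slack(img, 0, 100)[:15])
    for rec in carve(img):
        print(f"carved {rec['type']} at offset {rec['offset']} ({rec['size']} bytes)")
```

The slack read shows why "exact" copies matter: a logical (file-by-file) copy would have taken the 100 live bytes and left the old memo behind, whereas a bit-for-bit image keeps it. The carver deliberately reports only the JPEG; the footerless PNG is noted as partial rather than presented as a recovered file, which is the honest result an examiner would have to defend later.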
Legal Aspects of Acquiring Evidence • The Fourth Amendment affects how specialists can acquire evidence • Preserving evidence • Establish authenticity • Follow a repeatable process
Acquisition under the Fourth Amendment • When does “seizure” occur? • Who owns the computer that contains the data? • Is an image “good enough” for a search? • Do attempts to delete data relate to privacy or to a cover-up? • Where does a search in a network end? • Where does one search end and another begin?
Processes to Log Evidence • Evidence is admitted under one of the following three criminal evidence rules: • Authentication – show that the evidence is a true copy of the original • Best Evidence Rule – work with the original • Exceptions to the Hearsay Rule – confessions or business records • Forensic examiners tend to rely on authentication
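Authentication, the rule forensic examiners rely on, comes down to proving that the image analyzed is a true copy of what was seized, and the "Considerations When Collecting Evidence" slide asks for a read-only image and a chain-of-custody record. The following is an added example, not code from the textbook, of the minimum an examiner does to support that claim: hash the data as it is acquired, re-hash the image before analysis, and append each step to a custody log. The file names, the examiner identity, the use of SHA-256 and the JSON-lines log format are assumptions; a real acquisition would also go through a hardware write blocker.

```python
"""Added example (not from the chapter): acquire a bit-for-bit image, prove it
is a true copy by hash, and keep an append-only chain-of-custody log.

Assumptions (hypothetical): the source medium and image are readable as files,
SHA-256 is the authentication hash, and the log is JSON lines.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large images do not fill RAM


def sha256_file(path: str) -> str:
    """Streaming hash of a file; this value is what gets testified to."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: str, image: str) -> str:
    """Bit-for-bit copy of source into image.  The hash is computed over the
    bytes as they are read, so the acquisition hash describes the source at
    the moment of imaging, independent of the file written afterwards."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # image is read-only from here on: analyze it, never edit it
    return h.hexdigest()


def verify_image(image: str, acquisition_hash: str) -> bool:
    """Re-hash the image and compare with the acquisition hash (done before
    every analysis session and after every transfer of custody)."""
    return sha256_file(image) == acquisition_hash


def log_custody(log_path: str, examiner: str, action: str, item: str, digest: str) -> dict:
    """Append one custody record: who, what, which item, when, and its hash.
    Append-only, so earlier records are never rewritten."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": item,
        "sha256": digest,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def run_demo() -> tuple[bool, bool, int]:
    """Constructed walk-through: image a fake device, verify the image, then
    flip one byte in it and show the verification fails.  Returns
    (verified_before_tampering, verified_after_tampering, custody_records)."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "evidence_device.bin")  # hypothetical source
        image = os.path.join(workdir, "evidence.dd")
        log = os.path.join(workdir, "custody.jsonl")
        with open(device, "wb") as f:  # constructed sample contents, not real data
            f.write(b"MBR\x00" * 1000 + b"deleted-file-remnant" + b"\x00" * 5000)

        digest = image_device(device, image)
        log_custody(log, "examiner-1", "acquired", image, digest)
        ok_before = verify_image(image, digest)
        log_custody(log, "examiner-1", "verified", image, sha256_file(image))

        os.chmod(image, 0o644)  # simulate someone altering the image
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        ok_after = verify_image(image, digest)
        log_custody(log, "examiner-2", "verify-failed", image, sha256_file(image))

        with open(log) as f:
            records = sum(1 for _ in f)
    return ok_before, ok_after, records


if __name__ == "__main__":
    print(run_demo())
```

Two habits in the example carry the legal weight: the hash is taken while reading the source, not afterwards from the image file, and the custody log records the hash at every hand-off so a later mismatch can be placed between two named people and times. A single flipped byte is enough to fail verification, which is the point; an image that cannot be shown to match its acquisition hash is not a "true copy" under the authentication rule.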
Authenticity Standards • Over the years, several evidence standards have been devised. • Relevancy test – Anything that is materially relevant to the case • Frye Standard – The technique must be sufficiently established (general acceptance test) • Coppolino Standard – Even if not generally accepted, the court can accept the evidence if a good foundation is laid • Marx Standard – No need to sacrifice common sense • Daubert Standard – Rigorous test with special discovery procedures