The basics of forensics are important topics for any technologist. In this video, you’ll learn about first responders, legal hold, eDiscovery, data collection, chain of custody, and much more.
In network security, there aren't many topics more complex than those dealing with forensics. Even if you're not the one performing these functions, you should certainly be aware of many of the tasks and procedures required in computer forensics.
If you’re the first responder on a scene, you have some very specific responsibilities assigned to you. These are generally documented in your incident response policy, but it basically means that your job is to control the damage. You also don’t want to disturb anything that may be in the immediate environment. This is where you need the right people in place to do the right type of analysis before anything is changed. You don’t want to be the one that’s damaging any evidence that’s found on this particular site.
Also, think about the escalation policy. There’s probably a certain number of people that need to be informed that an incident has occurred, and there’s usually a call sheet and an update process so that everybody knows what’s going on.
When working in security, you may be asked to perform a legal hold. This is a legal technique. It usually comes from legal counsel, and it requires you to preserve certain kinds of information for the legal process itself. You'll usually receive a hold notification, which tells you exactly what data needs to be stored. If this is electronic data, then you'll have a separate repository for what we call ESI– Electronically Stored Information. There are many different kinds of data coming from many different sources, and you will have some very specific requirements over what is stored and how it is stored.
Once the legal hold is in place, you are obligated to preserve every bit of data that you come across that's related to this hold. This is a very specific and very important part of the data forensics process, and it's one that you have to follow to the letter.
When you’re working with data associated with an incident, you need to make sure all of that data remains safe. So everything has to be secured. You want to prevent any changes to this information, and you want to prevent anything from damaging some important evidence that might be on these devices. Everything should be stored in a secure room. You want to lock down the area that might have these devices inside of it, so that you can tightly control who has access to this device. You don’t want to even change the power settings, if at all possible. If the device is turned on, you leave it on. If the device is turned off, you leave it off.
When you’re securing an area, you may need some additional assistance, so feel free to escalate and get the resources you need to keep all of this data safe.
It's very important to document as much as you can at the scene of an incident. There's information everywhere. You don't want to disturb or touch or type anything on a keyboard or a screen. You don't turn things on, you don't power things down. Take plenty of pictures, and make sure that you're documenting where things are, and what certain screens might look like.
You can also inventory everything, make sure you’ve documented what computers and devices are there. If there are external drives or flash memory cards, make sure you also include those in your inventory. And then document everything you can. The real analysis of the data is going to happen later. What you want to do now is document everything you can about what you see at the scene, and make sure that you have everything that may be considered evidence.
Working with electronic data is very different than working with something that’s physical. Very often, the data that’s stored on a drive may be hidden, or parts of information may be scattered in places that you really don’t see when you’re normally browsing through the files that are on its storage device. There’s going to be a lot of work on recovering data from these devices. There may be hidden data or information that’s been deleted that needs to be recovered. Or the files may be encrypted, and you need to work on decrypting the information.
A lot of the focus is going to be on recovering documents. These might be spreadsheets or word processing documents or password files or metadata, or anything else that might help you gather details about what was happening on that particular device. You'll probably work on discovering what has been changed on certain documents, look at email messages and text messages, and of course, sometimes people will try to fabricate evidence, and you want to be able to determine what evidence is real, and what evidence has been planted.
It can be difficult to collect evidence from these digital devices. They're constantly writing information to their storage devices, so the longer they stay on, the more data you're going to lose. The process of recovering this data can itself sometimes delete or damage the information.
So it's very common to bring in an expert who can look at the data, and make sure that everything is going to be preserved. We might also want to create images of the data. This is different than an image you might do as a backup; these are bit-level images that copy every 1 and every 0 that's on that particular storage device. Even if the files are deleted, or if there are temporary files– all of this is going to be collected and copied bit for bit to another storage device.
During the investigative process, it's common to have a chain of custody. You have a piece of evidence and you need to know where that evidence is at all times and who's in control of that evidence. There will then be documentation of every person who touched this evidence. And if it's digital information, we can even perform hashes of that data so that later on we can compare the hash to make sure that nothing was changed in that information.
Physical devices and storage devices can be labeled and they can be sealed, and that way you control access to all of those pieces of information.
One of the challenges we have with digital information is that it could be changed so easily. So whenever you’re dealing with data during an incident, you want to be sure to maintain the integrity of that data. You’ll be using hashing to make sure nothing changes– whether it’s an entire drive, or just a single file. You’ll be able, later on, to compare this hash, and make sure that it is exactly the same as the original.
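Here's what the imaging, hashing and chain-of-custody steps from the last few sections look like in practice. This is an added example, not code from the video: it copies a source bit for bit, hashes both source and image, records who handled the evidence, and later re-verifies the image so an untracked change shows up. The evidence id, handler names and the tiny "drive" file are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size keeps memory flat on multi-GB images

def image_and_hash(src_path, dst_path):
    """Copy src to dst byte for byte; return (src_sha256, dst_sha256).
    The copy is re-read and hashed independently so a faulty write is caught."""
    src_h, dst_h = hashlib.sha256(), hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_h.update(block)
            dst.write(block)
    with open(dst_path, "rb") as dst:
        for block in iter(lambda: dst.read(CHUNK), b""):
            dst_h.update(block)
    return src_h.hexdigest(), dst_h.hexdigest()

def custody_entry(evidence_id, handler, action, digest):
    """One chain-of-custody record: who, what, when, and the hash at that moment."""
    return {"evidence_id": evidence_id, "handler": handler, "action": action,
            "sha256": digest, "utc": datetime.now(timezone.utc).isoformat()}

def verify(path, expected_sha256):
    """Re-hash the image later and compare it with the recorded value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256

def demo():
    # Constructed sample: a small file standing in for a real block device
    tmp = tempfile.mkdtemp()
    src, img = os.path.join(tmp, "drive.bin"), os.path.join(tmp, "drive.img")
    with open(src, "wb") as f:
        f.write(b"live file\x00deleted-but-still-on-disk\x00" * 1000)
    src_hash, img_hash = image_and_hash(src, img)
    log = [custody_entry("EV-001", "first responder", "acquired", src_hash),
           custody_entry("EV-001", "examiner", "imaged", img_hash)]
    intact_before = verify(img, src_hash)
    with open(img, "r+b") as f:  # simulate a modification nobody logged
        f.seek(5)
        f.write(b"X")
    intact_after = verify(img, src_hash)
    return src_hash == img_hash, intact_before, intact_after, len(log)
```

Run `demo()` and the image matches its source right after acquisition, but the re-verification fails once a single byte is altered, which is exactly the check a later reviewer of the custody log would perform.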
You might also be encrypting this information– not only to protect it from others, but if you need to transport from place to place, you don’t have to worry about losing the data and having someone else see it.
The final forensics report is going to be something provided to the legal authorities, and it's going to have a lot of details inside of it. There will be the reporting organization, case numbers, investigator information, and the report's submitters. And it's going to contain information about the devices that were examined as part of this particular incident.
So you’ll have make, model, and serial number of all of the different devices and storage devices. This will be something with a lot of detail. There will be searches, there will be information about how the data was recovered, and what information was recovered. And ultimately, you’ll have some detailed conclusions about what was determined based on the examination of all of this data.