
27/1/2019 TestOut LabSim

2.6.2 Basic Forensic Procedures

Basic Forensic Procedure


In this lesson, we're going to review some basic computer forensics procedures. Forensics is the process of gathering scientific evidence for legal
purposes. Computer forensics involves obtaining legal evidence found in computers and on any type of storage media that holds digital
information, such as a hard disk drive or an external USB drive of some type.

The goal of computer forensics is to examine the media that stores digital information, in a sound manner, following forensic principles. The goal is
to identify, preserve, recover, analyze, and present facts about the information that's observed. Computer forensics is usually associated with the
investigation of some type of computer crime, and involves many of the techniques and processes that are used when doing data recovery after a
disaster.

Legal Standards
However, with computer forensics, we add additional guidelines and practices that are designed to create a legally defensible audit trail. We're
trying to recover data, but we're also trying to make sure that it's done in a legally defensible way so the results can't be challenged in a court of
law.

Computer forensics is part of the overall incident response and is centered on the concept of a digital artifact. We're looking for digital artifacts to
identify what happened with the computer system and who did it. In order for computer forensics evidence to be used in court, it has to meet the
usual requirements for any piece of evidence.

For example, the information must be authentic. We need to prove that the data that we gathered, and the conclusions that we drew, are directly
from the system itself. The information has to be authentic and can't have been tampered with at all.

In addition, the information must be reliably obtained. Because we're performing computer forensics, there's a degree of error involved. We need
to be able to prove that we followed established computer forensics procedures, thereby assuring that the information is authentic. If it is reliably
obtained using an accepted computer forensic procedure, then the information is admissible. There are two different ways that we can gain
forensic information. The first is to work on a live system and gather evidence from the compromised system while it's still running.

This is dangerous because the act of gathering the information could destroy it in the process. For example, if an exploit is still running
in memory and you run a different program to try to find that exploit, it's possible that you could overwrite the exploit, in which case
you have just lost your evidence. If you're looking for evidence on the hard drive, you run the chance of overwriting the blocks where that evidence
resides, again losing evidence.

The second approach is to conduct computer forensic procedures on a static image that's taken from the actual live system that was exploited.
That way, the computer forensic procedures don't affect the original system.

Gathering Forensic Information


Gathering computer forensic information follows a three step process:

1. Acquire the necessary evidence.

2. Analyze the information.

3. Create a report in order to relay the information that was gathered.

Step 1: Acquire the Necessary Evidence


Let's look at how we acquire evidence in the computer forensics process.

Anytime anyone in your organization suspects that data has been compromised in some way, or that some kind of attack is underway or has
already occurred, it's critical that you act fast to ensure that the digital evidence is preserved. If you work for a larger organization, there may be a
computer forensics response team in place whose job is to respond to these types of incidents. Smaller organizations probably won't have an in-
house computer forensics response team and you may have to contract with a company that provides this service. Time is critical. The sooner you
can get your computer forensics response team on site, the more likely you will be able to preserve evidence in digital form.

Once the computer forensics response team is on site, their first task is to secure the crime scene. First, they will take custody of the entire system,
including the monitor, the keyboard, the mouse, and any peripherals that are plugged into the system. Then they're going to document the state of
the system, including:

* Recording the system's serial number, make, and model.

* Logging what's plugged into that system at the time.

* Photographing the system from the front, sides, back, top, and bottom.

* Listing all the different devices that are connected into the system.

https://cdn.testout.com/client-v5-1-10-551/startlabsim.html 1/3
Many times you'll see that computer forensics response teams will use a film camera instead of a digital camera. If they take digital photos, an
attorney on the other side can try to claim that the digital files were tampered with.

Next, the computer forensics response team will interview all witnesses. They'll want to know what they were doing with the system when the
attack occurred and how they were impacted by the attack. The goal is to identify exactly what happened.

Then they're going to capture volatile data. The window of time to capture this data is very narrow. For example, if the attack is still in progress, the
computer forensics response team can capture the data in the CPU registers and cache. The same is true for the system RAM. If the attack is
ongoing, they can make a copy of the data that's in RAM. Likewise, they will check the data in any network connections. They will also gather
information from running processes.

The process of capturing volatile data follows the order of volatility. We need to preserve the most volatile data first and work our way down to
data that is more persistent. If an attack is underway, your computer forensics response team is probably going to try to capture volatile data first
before trying to gather data from the hard disk or before they turn the system off.

Once the computer forensics response team has gathered volatile data, they'll probably look at the less volatile devices in the system, such as the
hard disk drive and any attached peripheral storage devices. Only someone who's properly trained in computer forensics should try to gather
evidence from the hard disk drive. Don't do it yourself. If you do, and you do it incorrectly, or if you don't follow the established procedures, then
it's very likely that you have compromised the integrity of the evidence. As a result, it may not hold up in a court of law. Leave these tasks to the
experts.

The data on the hard disk drive in a computer forensics investigation is a key piece of evidence. A lot of the things that we do on a computer
system are saved in some way on the hard disk drive, including in virtual memory. A wealth of data is there. In addition, information attached to
deleted files may still be on the disk. Therefore, the hard drive itself is a goldmine of evidence for a prosecutor.

Getting that evidence off the disk is very sensitive. You have to do it in the right way in order to maintain the authenticity of the evidence. This is
done by following established computer forensics procedures. You need to make sure that the evidence that is gathered is admissible in court and
basically beyond reproach. When we gather evidence off of the hard disk drive, we want to create a mirrored copy. This is an evidence grade copy
of the hard disk. It's not just copying files off of the disk or backing up the files off the disk. Instead, we're going to create a sector for sector copy,
an image, of the hard disk drive. The image file is going to be an exact mirror of the hard disk drive. This includes data that still resides on the disk
that isn't linked to a file or directory name in the file allocation table, such as deleted files and folders. To ensure that we have a high degree of
authenticity, we're going to use hashing to verify that the data hasn't been changed in any way during the mirroring process. The hash will be
made first on the original source data, and then on the mirrored data. If the hashes match, we know that the data in the mirror is exactly the same
as the data on the source hard disk drive, ensuring authenticity. If there were one bit different, the hashes would be radically different. If they're
the same, we know that we have an authentic copy of the hard disk drive.
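
The mirroring and hashing sequence described above, as an added example that is not part of the TestOut lesson: the source is hashed first, copied sector for sector into an image file with no regard for the file system, and the image is hashed afterwards. The "disk" is a constructed 32 KiB file standing in for a block device, and it carries a marker string in an unreferenced sector to stand in for a deleted file whose content was never overwritten. The last step flips a single bit in the image to show that the digest no longer matches the source.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # conventional disk sector size


def hash_stream(path, algorithm="sha256", chunk_size=SECTOR_SIZE * 2048):
    """Hash a file or block device in fixed-size chunks so that a large
    image never has to be loaded into memory at once."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source, destination, sector_size=SECTOR_SIZE):
    """Sector-for-sector copy of `source` into the image file `destination`.

    The copy works on raw bytes with no knowledge of the file system, so
    unallocated sectors and remnants of deleted files are carried over.
    The source is hashed before the copy and the image afterwards; both
    digests are returned together with whether they match.
    """
    source_hash = hash_stream(source)
    with open(source, "rb") as src, open(destination, "wb") as dst:
        while True:
            sector = src.read(sector_size)
            if not sector:
                break
            dst.write(sector)
    image_hash = hash_stream(destination)
    return source_hash, image_hash, source_hash == image_hash


def build_constructed_device(path, sectors=64):
    """Write a constructed stand-in for a disk: a repeating byte pattern
    with a marker at sector 40 that represents the content of a file that
    was deleted but not yet overwritten (no directory entry points to it)."""
    data = bytearray((bytes(range(256)) * 2) * sectors)  # 512 bytes per sector
    remnant = b"DELETED-FILE-REMNANT"
    offset = 40 * SECTOR_SIZE
    data[offset:offset + len(remnant)] = remnant
    with open(path, "wb") as handle:
        handle.write(data)


def flip_one_bit(path, offset, bit):
    """Simulate the smallest possible alteration of the image."""
    with open(path, "r+b") as handle:
        handle.seek(offset)
        original = handle.read(1)[0]
        handle.seek(offset)
        handle.write(bytes([original ^ (1 << bit)]))


def demo():
    """Image the constructed device, verify it, then tamper with one bit."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "constructed_device.bin")
        image = os.path.join(tmp, "evidence.dd")
        build_constructed_device(device)
        source_hash, image_hash, verified = image_device(device, image)
        with open(image, "rb") as handle:
            remnant_present = b"DELETED-FILE-REMNANT" in handle.read()
        flip_one_bit(image, offset=1000, bit=3)
        tampered_hash = hash_stream(image)
        return {
            "source_hash": source_hash,
            "image_hash": image_hash,
            "verified": verified,
            "remnant_present": remnant_present,
            "tampered_matches_source": tampered_hash == source_hash,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both digests, and the algorithm used, belong in the chain-of-custody record alongside the time of the copy and the examiner's name, so that anyone who later receives the image can recompute the hash and confirm it is the same image that was taken from the source.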

During this process, the computer forensics response team must maintain the chain of custody. The chain of custody identifies and documents
where this evidence was at all times and who was responsible for it. It demonstrates that the evidence was monitored and under control at all
times. During the time that the evidence was being gathered, no unauthorized person had an opportunity to tamper with the evidence and corrupt
it. The chain of custody usually documents:

* The system itself, including the serial number, make, and model of the system.

* Everyone who interacted with the system in any way.

* Who had custody of that system during the time that the evidence was being gathered and for how long.

For example, if the system was transported for some reason, the chain of custody will document who had custody of the system during the transport, how it
was transported, and where it went during the transport process.

Step 2: Analyze the Evidence


The next step is to analyze the evidence. We need to find out what it contains. If the attack was still in progress and the computer forensics
response team was able to gather volatile data, it will be analyzed to see what it contains. If the attack was already over, then we're going to
probably focus on the disk image itself to see what it contains. We're going to look through all the documents in the disk image, including emails
and their attachments.

Another great place to search for evidence is in the web browser's cache and also in the browser cookies. Valuable information can also be found
in the system's virtual memory. On a Windows system, that's the page file. On a Linux system, it's the swap partition. The page file or swap
partition can contain a lot of key evidence about the attack. It can provide a historical record of what happened over the last few minutes on that
system.

The computer forensics team is probably going to look at the system's file and folder metadata, such as:

* The file or folder attributes

* The date it was created and modified

* The user that owns the file

* The privileges or permissions assigned to the file
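
Collecting the metadata listed above and placing the files on a timeline, as an added example that is not part of the TestOut lesson. The three sample files, their timestamps and their permissions are constructed in a temporary directory; in a real examination the same code would be run against a read-only mount of the disk image, never against the original system.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone


def to_utc(timestamp):
    """Render a POSIX timestamp as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def collect_metadata(path):
    """Return the metadata an examiner records for one file system entry.

    os.lstat does not follow symbolic links, so a link is described as a
    link rather than as its target. On Linux st_ctime is the time the inode
    was last changed (owner, permissions, link count), not the creation
    time; a true creation timestamp is only available where the platform
    and file system expose st_birthtime.
    """
    st = os.lstat(path)
    return {
        "path": path,
        "name": os.path.basename(path),
        "mode": stat.filemode(st.st_mode),  # attributes and permissions, e.g. "-rw-r-----"
        "uid": st.st_uid,                   # owning user
        "gid": st.st_gid,                   # owning group
        "size": st.st_size,
        "modified": to_utc(st.st_mtime),
        "accessed": to_utc(st.st_atime),
        "inode_changed": to_utc(st.st_ctime),
    }


def walk_metadata(root):
    """Collect metadata for every regular file below root."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            records.append(collect_metadata(os.path.join(dirpath, name)))
    return records


def timeline(records):
    """Order records by modification time, oldest first."""
    return sorted(records, key=lambda record: record["modified"])


def demo():
    """Constructed sample: three files with chosen timestamps and
    permissions, recorded and placed on a timeline."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [
            ("recent.doc", 1_700_000_000, 0o644),
            ("old.log", 1_500_000_000, 0o640),
            ("notes.txt", 1_600_000_000, 0o600),
        ]
        for name, epoch, mode in samples:
            path = os.path.join(tmp, name)
            with open(path, "w") as handle:
                handle.write(f"constructed content of {name}\n")
            os.chmod(path, mode)
            os.utime(path, (epoch, epoch))  # (access time, modification time)
        records = walk_metadata(tmp)
        ordered = timeline(records)
        return {
            "order": [record["name"] for record in ordered],
            "modes": {record["name"]: record["mode"] for record in records},
            "first_modified": ordered[0]["modified"].isoformat(),
        }


if __name__ == "__main__":
    for record in timeline(walk_metadata(".")):
        print(record["modified"].isoformat(), record["mode"],
              record["uid"], record["size"], record["path"])
```

Timestamps are reported in UTC so that records from systems in different time zones can be merged into one timeline without ambiguity.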

They're also going to look at all deleted files. To do this, they're going to go through the hard drive sector by sector to locate any data that could be
used. If possible, they're also going to review any available security video recordings to analyze the physical environment.

There are a variety of different software packages to analyze evidence, especially evidence coming from a disk image file:

* SANS Investigative Forensics Toolkit

* EnCase

* FTK

* The Coroner's Toolkit

* COFEE

Step 3: Create a Report


Once the analysis of the evidence is done, you need to write up the findings. This document needs to be a very well-written document. We need to
present the information in a legally appropriate and defensible document. Therefore, you should probably engage the services of a lawyer to write
this document to make sure it's done in the correct way. This document needs to be self-contained, meaning that all the information necessary is
in that document. It shouldn't contain references or links to other documents. Everything needed is in the document itself. It should describe the
incident. It should describe the computer forensics team's response, and it should report what happened during the acquisition of evidence, how
the evidence was analyzed, and it should also report what was found in the evidence.

You should also track the hours and expenses that were required by the computer forensics response team to respond to the incident. This helps
determine a damage amount that can be included in a case.

Summary
So, that's a basic overview of how computer forensics works. We haven't gone into any great depth or detail because you should not be conducting
a computer forensics investigation unless you are a trained expert. Our goal in this lesson was to provide you with an overview so that, if an
incident happens, you know how to respond.

TestOut Corporation All rights reserved.
