8
So far, the evidence that has been analyzed has focused on those elements that are obtained
from the network or the system's memory. Even though incident root cause may be ferreted
out from these evidence sources, it is also important to understand how to obtain
evidentiary material from a system's storage, whether that is removable storage such as
USB devices or the larger connected disk drives. In these containers is a good deal of data
that may be leveraged by incident response analysts in determining root cause. It should be
noted that this chapter will only be able to scratch the surface, as entire volumes have been
devoted to the depth of forensic evidence available. Rather, it is hoped that this chapter
provides some concrete areas of focus with the understanding that analysts will gain a
better sense of some of the tools that can be employed, as well as an understanding of some
of the critical data that can be leveraged.
Forensic platforms
Over the past 15 years, there has been an increase in the power of disk forensic platforms.
For the incident response analyst, there are options as to what type of platform can be
leveraged for conducting an examination of the disk drives. Often, the limiting factor in
utilizing these platforms is the cost of more robust systems, when a lower cost alternative
will be just as effective for an incident response team.
Analyzing System Storage
Web artifacts: With a great deal of data stored on the drive associated with web
searching, forensic platforms should have the ability to examine these pieces of
data. This is very handy when examining social engineering attacks where users
navigate to a malicious website.
Email carving: Incident responders may be called into cases where malicious
employees are involved in illegal activities or have committed policy violations.
Often, evidence of this type of conduct is contained within emails on the suspect
system. Having a platform that can pull this data out for immediate viewing helps
the analyst review communications between the suspect system and others.
Image viewer: Often it is necessary to view the images saved on systems. As was
stated previously, law enforcement utilizes this feature to determine if there is
evidence of child exploitation on a system. Incident response analysts can utilize
these features to determine if there has been a policy violation.
Metadata: Key pieces of data about files such as date and time created, file hashes
and location of a suspect file on the disk are useful when examining a system
associated with an incident. For example, the time an application was run, taken together
with a piece of malware found on the system, can be correlated with network activity,
allowing the analyst to determine which executable was actually run.
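The metadata point above (file location, hash and timestamps correlated against network activity) is the kind of check an analyst can script rather than do by eye. The following is an added example, not code from the book or from any forensic platform it names: it collects the listed metadata for a file and pairs recorded program executions with network events that follow them within a short window. The function names, the dictionary keys, the sample file and the execution and network records are all constructed for the illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def file_metadata(path, chunk_size=65536):
    """Return the metadata the chapter lists for a file: its location on disk,
    size, last-modified time (UTC) and a SHA-256 hash. The file is hashed in
    chunks so large images or executables need not fit in memory."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        "sha256": digest.hexdigest(),
    }


def correlate_executions(executions, net_events, window_seconds=60):
    """Pair each recorded program execution with the network events that
    follow it within `window_seconds`. Both inputs are lists of dicts carrying
    a timezone-aware `time`; executions carry `exe`, net events carry `dst`.
    Returns (exe, dst, seconds_after_run) tuples in input order."""
    window = timedelta(seconds=window_seconds)
    matches = []
    for run in executions:
        for event in net_events:
            delta = event["time"] - run["time"]
            if timedelta(0) <= delta <= window:
                matches.append((run["exe"], event["dst"], int(delta.total_seconds())))
    return matches


def demo():
    """Constructed walk-through: hash a temporary sample file, then correlate a
    constructed execution record with constructed network events (TEST-NET
    addresses, not real hosts)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "update.exe")  # constructed sample file
        with open(sample, "wb") as fh:
            fh.write(b"hello")
        meta = file_metadata(sample)

    t0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)  # constructed run time
    executions = [{"exe": "update.exe", "time": t0}]
    net_events = [
        {"time": t0 + timedelta(seconds=30), "dst": "198.51.100.7"},   # inside the window
        {"time": t0 + timedelta(seconds=600), "dst": "203.0.113.9"},  # outside the window
    ]
    return meta, correlate_executions(executions, net_events)


if __name__ == "__main__":
    meta, matches = demo()
    print(meta["sha256"], meta["size"], meta["modified"].isoformat())
    print(matches)
```

The window size is deliberately a parameter: on a real case the analyst picks it from the clock skew between the disk image and the network capture, and a hash from `file_metadata` is what gets compared against a known-good or known-bad list rather than the file name, which an attacker controls.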
In terms of commercial options, the following three platforms are generally accepted as
sound and are in use by commercial and government entities all over the world. Each of
them has the features described above, among other more specialized tools.