Thursday, 20 October 2022

Digital Forensics - An Introduction


Introduction

  • Forensics is the process of preserving evidence and collecting data.
  • Digital forensics is the collection and protection of information, usually during a security incident.
  • Digital forensics relates to both e-discovery and data recovery:
    • E-discovery concerns the discovery of electronically stored information.
    • Data recovery, on the other hand, involves retrieving lost or corrupted data from a storage device when it is otherwise inaccessible.
  • From a forensics standpoint preservation is the most important part, as the data may be used as evidence in legal proceedings.


Digital Forensics Phases

  • Digital forensics involves documenting the process from initial notification through to conclusion.
  • The digital forensics process comprises three standard phases:
    • Acquisition of data
      • Locate data and any devices of potential evidentiary value
      • Identify data of interest
    • Analysis of that data
      • Create forensic duplicates of the data to review
      • Store the original data and devices in a manner that preserves their integrity
      • Perform the forensic evaluation and document findings
    • Reporting of that data
      • Report findings
  • This is an ongoing process that assures the organization is complying with laws and regulations.
  • The forensics process relies heavily on the preservation and collection of data.


Data Breach

  • A data breach is an important reason for performing forensics.
  • Companies of all sizes are concerned about data breaches.
  • There are laws and regulations nationally and internationally, and every state and country follows its own standards; an organization operating globally needs to abide by all of them.


Strategic Counter Intelligence

  • Strategic counter intelligence is required after a data breach to make sure attackers do not retain a foothold in the organization.
  • Active logging and recording enable us to examine events from the time they were captured, and act as an intelligence tool.
  • Precautions and measures need to be taken to implement detective controls.


Track Person Hours

  • A forensic investigation can run into thousands of dollars; the cost includes person hours and related expenses across the acquisition, analysis and reporting phases.
  • An organization needs to assess the cost of an investigation against its potential benefits.


Data Hold

  • Whenever there is a potential security breach, digital forensics comes into play in looking for data.
  • Data could be stored in different systems and held for different time spans.
  • Each of these needs to be taken into consideration while scrutinising the breach.


Legal Hold

  • The legal hold process ensures that anything relevant to a legal proceeding is not destroyed for a defined period of time.
  • An organization should have a legal hold process to perform e-discovery, preserving and gathering information for later use.
  • A legal hold is an important part of the forensics process during an information breach.
  • Often the legal hold data is stored in a separate repository.


Chain of Custody

  • The chain of custody provides a clear record of the path evidence has taken from acquisition to disposal.
  • It provides authenticity and non-repudiation, establishing the origin of the data and proof of custody.
  • It is important to create a log of all actions taken.
  • For evidence to be useful it must have the following five properties:
    • Admissible
      • Must comply with legal regulations.
    • Authentic
      • Data must not be tampered with. Hashes and checksums are mechanisms for ensuring the data has not been changed.
    • Complete
      • All the information must be present.
    • Reliable
      • Data must be gathered following the order of volatility, avoiding destruction of the evidence.
      • Multiple copies can be taken; sensitive data also needs to be encrypted.
    • Believable
      • Must be clear and understandable.
  • Document every transfer of evidence and the reason for the transfer, with signatures from both parties.
  • A proper chain of custody helps ensure the evidence is handled correctly and kept strictly secure.
  • Blockchain technology could be used to track this detailed information.
  • Ideally, chain of custody means that from the time the data is gathered no change has been made to it, and that this is documented.


Order of Volatility

  • Each piece of evidence has a different life span, e.g. data present in RAM is available only until the system is powered off.
  • Evidence collection should follow the order of volatility, collecting the most volatile evidence first and the least volatile last.
  • A common evidence collection order is as follows:
    • Registers
    • Caches
    • Routing and process tables
    • System date and time
    • Current network connections
    • Current open ports and the applications listening on them
    • Applications currently running
    • Kernel statistics
    • Main memory: RAM data, swap
    • Temporary file systems, e.g. the tmp folder
    • Secondary memory
    • Removable media, disks
    • Operating system
    • Write-once storage
  • The order of volatility demands that evidence be collected first from the most volatile sources (such as registers and caches) and later from the least volatile ones (such as archival media).


Data Acquisition

  • Data acquisition is an important step in the forensics process; it involves gathering data or copying data to an image or other media.
  • Data acquisition is vital for completeness and accuracy.
  • Below are a few methods of gathering and capturing data:
    • Capture system images
      • Duplicate the entire system media, including volatile and non-volatile storage.
    • Capture screenshots
      • Capture screenshots during the investigation and include them in the forensic documentation.
    • Capture network traffic and logs
      • Network traffic can be used to reconstruct network-based attacks.
    • Capture event logs
      • Capture event logs, which are the detailed records of the operating system, security subsystem and applications.
    • Capture video and photographs
      • Recordings of crucial areas and entrances can help the forensics team confirm findings against the evidence gathered at the scene.
    • Record time offset
      • Recording the time offset is crucial; keep it for all data and devices collected, e.g. system time offset, NTP configuration, hardware configuration and so on.
    • Take hashes
      • Generate checksums or hashes of all data and applications before and after in-depth analysis is performed, to validate that nothing has changed.
    • Collect witness interviews
      • Witnesses are interviewed as part of the investigation.
      • Sometimes this can reveal an insider.
      • But we need to take all this information with a pinch of salt, as it may not be 100% accurate.
    • Collect additional information
      • Some of this data is not saved on the hard drive; examples include browsing history, clipboard contents, command history, encryption keys, library versions/checksums, the number of users logged in and so on.
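As an added example (not from the original post or the CompTIA materials), the following Python script ties together the "Authentic" property under Chain of Custody, the blockchain-style tracking mentioned there, and the "Take hashes" step above: it hashes an evidence image in chunks, records every custody action in a hash-chained, append-only log, and checks at verification time that the evidence hash never changed. The custodian names, file name and sample image are constructed for the demonstration.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path, chunk_size=1 << 20):
    # Hash in chunks so a multi-gigabyte image never has to fit in RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def _digest(body):
    # Sorted-key JSON gives a canonical encoding, so equal entries hash equal.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only custody log: each entry carries the evidence hash and the hash of
    the previous entry, so altering or dropping an entry breaks the chain verify() checks."""
    def __init__(self):
        self.entries = []
    def record(self, evidence_path, custodian, action, reason):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "custodian": custodian,
                 "evidence": Path(evidence_path).name, "action": action, "reason": reason,
                 "prev_entry_hash": prev, "sha256": hash_file(evidence_path)}
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)

    def verify(self):
        # True only if the chain is intact and the evidence hash never changed.
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_entry_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return len({e["sha256"] for e in self.entries}) <= 1

def demo(tamper=False):
    # Constructed scenario: acquire, hand over, analyse, return; tamper=True alters the image mid-custody.
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "evidence.img"
        img.write_bytes(b"\x00" * 4096 + b"constructed sample image")
        log = CustodyLog()
        log.record(img, "A. Examiner", "acquired", "imaged seized laptop")
        log.record(img, "B. Analyst", "received", "hand-over for analysis")
        if tamper:
            img.write_bytes(img.read_bytes() + b"!")
        log.record(img, "B. Analyst", "returned", "analysis complete")
        return log.verify()
```

In real use the log would be written to storage separate from the evidence and the before/after hashes quoted in the report.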


Forensics in the cloud

  • Digital forensics is not limited to on-premises systems but extends to the cloud, though there immediate possession of the evidence may not be possible, as we don't have physical control.
  • Hybrid and multi-cloud environments add more complexity to the forensics process.
  • Legally, there may also be controls on where in the world the data needs to be located.
  • The integrity of the data, and how it has been saved and shared over the network, could be audited.
  • In some scenarios customers have the right to know where their data resides, and any breach needs to be reported to them.


Reports

  • Finally, report the findings of the breach in a readable format, along with metrics and evidence.
  • Reports explain exactly what occurred during a security incident.
  • Usually a report holds an overall summary and detailed documentation of how the data was collected, processed and analysed.
  • Inferences and conclusions are drawn from the analysis.


Conclusion

  • The major concepts behind computer forensics:
    • Identify the evidence
    • Preserve the evidence
    • Process the evidence
    • Draw inferences from the evidence
    • Report the evidence


Credit & References

https://media.itpro.co.uk/image/upload/s--X-WVjvBW--/f_auto,t_content-image-full-desktop@1/v1613578972/Network_forensics_Shutterstock.jpg

Comptia Security Plus course materials
