E-Learning - University of Northern Colorado
System Forensics,
Investigation, and Response
Chapter 7
Collecting, Seizing, and Protecting
Evidence
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
Examine the evidence life cycle.
Key Concepts
Differences between data and evidence
Types of evidence
Chain of custody requirements
Collection, transportation, and storage of evidence
DISCOVER: CONCEPTS
5 Rules of Evidence
Admissibility: Evidence must be admissible in court, so it must be collected and handled in a way the court will accept.
Authenticity: Evidence must relate to the incident and be shown to be what it claims to be.
Completeness: Evidence must be comprehensive; it should tell the whole story, not only the part that supports one theory.
Reliability: Evidence collected must be uncontaminated and consistent; nothing about how it was gathered should cast doubt on it.
Believability: Evidence presented should be clearly understandable and believable by the jury.
DISCOVER: PROCESS
Evidence Life Cycle
Collect or seize evidence
Transport evidence
Protect or store evidence
Analyze evidence
Evidence Collection
Freeze the scene.
Comply with the five rules of evidence.
Minimize handling and corruption of original data.
Proceed from volatile to persistent evidence (registers and cache, memory, network state and running processes, then disk, removable media, and backups).
Don't run any programs on the affected system; its binaries may be compromised, so if live collection is unavoidable use trusted tools from read-only media.
Evidence Collection (Continued)
Account for any changes and keep detailed logs of actions.
Do not exceed current knowledge.
Follow local security policy.
Be prepared to testify.
Ensure that actions are repeatable.
Evidence Transport
Shut down the computer once volatile evidence has been captured
Document hardware configuration
Document all evidence handling
Pack evidence securely
Evidence Transport (Continued)
Photograph or videotape the scene from premises to transport vehicle.
Photograph or videotape the scene from vehicle to lab.
Transport the computer to a secure location.
Evidence Protection and Storage
Keep evidence in possession or control at all times.
Document movement of evidence between investigators.
Secure evidence appropriately so that it can't be tampered with or corrupted.
Mathematically authenticate data (e.g., cryptographic hash values such as SHA-256, recorded at acquisition and re-checked whenever the evidence changes hands).
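The last two points together, as an added example that is not code from the textbook: a Python script that images a constructed sample "drive" file, hashes the original and the image with SHA-256, re-hashes the original to show acquisition did not alter it, and appends every handling step to a chain-of-custody log. The case ID, file names and handler name are made up for the example, and a plain file copy stands in for the bit-stream copy a field tool would make.

```python
"""Hash-verify a forensic image and keep a chain-of-custody log.

Added example for this chapter, not code from the textbook. It writes a small
constructed sample file standing in for a seized drive, makes a bit-for-bit
copy, hashes original and copy with SHA-256, and appends every handling step
to a custody log. The case ID, file names and handler name are made up.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample content; a real acquisition would read the block device.
SAMPLE_EVIDENCE = b"constructed sample sector data standing in for a seized drive\n" * 1024


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never have to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def custody_entry(log: list, case_id: str, item: str, action: str,
                  handler: str, digest: str) -> None:
    """Append one chain-of-custody record: who did what to which item, when, and its hash."""
    log.append({
        "case": case_id,
        "item": item,
        "action": action,
        "handler": handler,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": digest,
    })


def acquire_and_verify(original: Path, image: Path, log: list,
                       case_id: str = "CASE-EXAMPLE-001",
                       handler: str = "examiner (hypothetical)") -> bool:
    """Copy `original` to `image`, hash before and after, log each step.

    Returns True only if the image matches the original AND the original is
    unchanged by the acquisition (the second check catches accidental writes).
    """
    before = sha256_file(original)
    custody_entry(log, case_id, original.name, "hashed original before imaging", handler, before)

    shutil.copyfile(original, image)  # stands in for a bit-stream copy (dd/dcfldd) in the field

    image_hash = sha256_file(image)
    custody_entry(log, case_id, image.name, "hashed image after acquisition", handler, image_hash)

    after = sha256_file(original)
    custody_entry(log, case_id, original.name, "re-hashed original after imaging", handler, after)

    return before == image_hash == after


def run_demo() -> dict:
    """Verify a clean image, then show that a single flipped bit is detected."""
    workdir = Path(tempfile.mkdtemp(prefix="custody-demo-"))
    try:
        original = workdir / "seized_drive.raw"
        original.write_bytes(SAMPLE_EVIDENCE)
        log: list = []
        verified = acquire_and_verify(original, workdir / "seized_drive.img", log)

        # A second copy with one bit flipped: the hash must no longer match.
        tampered = workdir / "seized_drive_tampered.img"
        data = bytearray(SAMPLE_EVIDENCE)
        data[100] ^= 0x01
        tampered.write_bytes(data)
        tamper_detected = sha256_file(tampered) != sha256_file(original)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

    return {"verified": verified, "tamper_detected": tamper_detected, "log": log}


if __name__ == "__main__":
    result = run_demo()
    for entry in result["log"]:
        print(entry["time_utc"], entry["handler"], entry["action"], entry["sha256"][:16])
    print("image verified:", result["verified"], "| tamper detected:", result["tamper_detected"])
```

Hashing the original a second time is the step most often skipped: it is what proves the acquisition itself (a missing write blocker, a mounted file system) did not change the evidence. In practice the custody log is written to append-only storage and the original goes back into the evidence locker immediately after this check.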
Evidence Analysis
Make a list of key search words.
Work on image copies, never originals.
Capture an image of the system that is as accurate as possible, such as a bit-stream (bit-for-bit) backup that includes slack and unallocated space rather than a file-level copy.
Evaluate the Windows swap file, file slack, and unallocated space.
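The keyword list and the slack/unallocated-space points combined, as an added example that is not code from the textbook: a Python keyword search run over a raw image rather than over files, so that residue in file slack and deleted documents in unallocated space are found too. The image is constructed in memory with a made-up cluster layout, file name and keywords; the layout table that labels each hit's region is also constructed, where a real case would derive it from the file system metadata.

```python
"""Keyword search across a raw disk image, covering file slack and unallocated space.

Added example for this chapter, not code from the textbook. The "image" is
constructed in memory: a 512-byte-sector, 2048-byte-cluster layout with one
live file, slack left behind by an earlier, longer file, and a deleted
UTF-16LE document in unallocated space. File names, layout and keywords are
all made up so the script runs offline.
"""
import re

SECTOR = 512
CLUSTER = 4 * SECTOR

KEYWORDS = ["invoice", "offshore", "wipe"]

# The live file's logical content; everything after it in its cluster is slack.
LIVE_FILE = b"Quarterly report: nothing of interest here.\n"


def build_sample_image() -> bytes:
    """Cluster 0: metadata. Cluster 1: live file + slack. Clusters 2-3: unallocated."""
    metadata = b"FAKEFS\x00".ljust(CLUSTER, b"\x00")
    # Residue of an older, larger file that once occupied this cluster.
    slack = b"...transfer to offshore account 4417 before month end..."
    cluster_1 = (LIVE_FILE + slack).ljust(CLUSTER, b"\x00")
    cluster_2 = b"\x00" * CLUSTER
    # Windows applications commonly store text as UTF-16LE; an ASCII-only
    # search would miss this deleted document entirely.
    deleted_doc = "Remember to wipe the laptop before the audit. Invoice attached.".encode("utf-16-le")
    cluster_3 = deleted_doc.ljust(CLUSTER, b"\x00")
    return metadata + cluster_1 + cluster_2 + cluster_3


# (start, end, label) byte ranges; in a real case these come from file system metadata.
LAYOUT = [
    (0, CLUSTER, "metadata"),
    (CLUSTER, CLUSTER + len(LIVE_FILE), "allocated: report.txt"),
    (CLUSTER + len(LIVE_FILE), 2 * CLUSTER, "slack: report.txt"),
    (2 * CLUSTER, 4 * CLUSTER, "unallocated"),
]


def region_for(offset: int, layout=LAYOUT) -> str:
    """Map a byte offset to the region of the image it falls in."""
    for start, end, label in layout:
        if start <= offset < end:
            return label
    return "outside layout"


def search_keywords(image: bytes, keywords, encodings=("ascii", "utf-16-le"), layout=LAYOUT) -> list:
    """Return every keyword hit with its encoding, offset, region and a little context.

    Case-insensitive byte matching works for UTF-16LE too, because each Latin
    letter is one byte followed by 0x00 and re.IGNORECASE folds the letter byte.
    """
    hits = []
    for keyword in keywords:
        for enc in encodings:
            needle = keyword.encode(enc)
            for match in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
                start = max(0, match.start() - 20)
                if enc.startswith("utf-16") and (match.start() - start) % 2:
                    start += 1  # keep the context slice aligned to 16-bit code units
                end = min(len(image), match.end() + 20)
                context = image[start:end].decode(enc, errors="replace").replace("\x00", "")
                hits.append({
                    "keyword": keyword,
                    "encoding": enc,
                    "offset": match.start(),
                    "sector": match.start() // SECTOR,
                    "region": region_for(match.start(), layout),
                    "context": context.strip(),
                })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in search_keywords(build_sample_image(), KEYWORDS):
        print(f"{hit['offset']:>6} sector {hit['sector']:>3} {hit['region']:<22} "
              f"{hit['encoding']:<9} {hit['keyword']:<9} ...{hit['context']}...")
```

Two things the example shows that a file-by-file search would not: the "offshore" hit lands in the slack of a perfectly innocent live file, and both hits from the deleted document appear only because the search also ran with a UTF-16LE encoding of each keyword. Record the sector of every hit; that is what lets another examiner reproduce the finding from the same image.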
Evidence Analysis (Continued)
Identify file, program, storage anomalies
Evaluate program functionality
Document findings
• Create a case
Retain copies of software used
DISCOVER: CONTEXTS
Sources for Data of Potential Evidentiary Value
Access logs
Data transmissions
Data on hard disks and storage devices
Data on mobile devices
Locating Data in Access Logs
Manually review logs, or
Use a log analysis tool
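What a small log analysis tool does for the examiner, as an added example that is not code from the textbook: a Python script that parses Apache "combined" format access log lines, narrows them to a time window and client, counts requests per address, and flags clients that were denied on a path and later allowed on the same path. The log lines are constructed for the example (documentation-range addresses, a made-up user name, and one deliberately corrupt line to show that unparseable records are kept rather than silently dropped). As on the storage slide, hash the log file before analysis and work on the copy.

```python
"""Locate events of interest in a web server access log.

Added example for this chapter, not code from the textbook. It parses Apache
"combined" format lines, filters them by time window and client address, and
flags clients that were denied on a path and later allowed on the same path.
The log lines below are constructed for the example; the addresses are from
documentation ranges and the user name is made up.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log (Apache combined format). Last line is deliberately corrupt.
LOG_LINES = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:56:01 -0700] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - jsmith [10/Oct/2013:13:56:10 -0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:14:02:44 -0700] "GET /admin/export?all=1 HTTP/1.1" 403 199 "-" "curl/7.29.0"
198.51.100.7 - - [10/Oct/2013:14:02:45 -0700] "GET /admin/export?all=1 HTTP/1.1" 403 199 "-" "curl/7.29.0"
198.51.100.7 - jsmith [10/Oct/2013:14:03:12 -0700] "GET /admin/export?all=1 HTTP/1.1" 200 884211 "-" "curl/7.29.0"
192.0.2.9 - - [10/Oct/2013:14:10:03 -0700] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is corrupt and must not crash the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_timestamp(ts: str) -> datetime:
    """Parse the bracketed Apache timestamp, keeping its UTC offset."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text: str) -> tuple:
    """Return (entries, unparsed_lines). Unparsed lines are kept, never silently dropped."""
    entries, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed.append((lineno, line))
            continue
        entries.append({
            "line": lineno,
            "ip": m["ip"],
            "user": None if m["user"] == "-" else m["user"],
            "time": parse_timestamp(m["ts"]),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
        })
    return entries, unparsed


def filter_entries(entries, start=None, end=None, ip=None, user=None) -> list:
    """Keep entries in [start, end) from a given client and/or authenticated user."""
    out = []
    for e in entries:
        if start and e["time"] < start:
            continue
        if end and e["time"] >= end:
            continue
        if ip and e["ip"] != ip:
            continue
        if user and e["user"] != user:
            continue
        out.append(e)
    return out


def requests_by_ip(entries) -> Counter:
    """Request volume per client address; outliers are a starting point for review."""
    return Counter(e["ip"] for e in entries)


def denied_then_allowed(entries) -> list:
    """(ip, path) pairs that got a 4xx on a path and later a 200 on the same path."""
    denied, flagged = set(), set()
    for e in sorted(entries, key=lambda x: x["time"]):
        key = (e["ip"], e["path"])
        if 400 <= e["status"] < 500:
            denied.add(key)
        elif e["status"] == 200 and key in denied:
            flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    entries, bad = parse_log(LOG_LINES)
    print(f"parsed {len(entries)} entries, {len(bad)} unparsed line(s)")
    print("requests per IP:", dict(requests_by_ip(entries)))
    print("denied then allowed:", denied_then_allowed(entries))
```

The timestamps keep their recorded UTC offset, so a window given in any zone compares correctly; mixing naive and aware datetimes is a common way to lose or double-count events at a boundary. The unparsed list matters forensically too: a line the parser rejects may be log tampering, and it has to be reported, not discarded.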
Locating Data in Transmissions
For backed up data:
• Mirror to removable media, with validation by the system administrator
For live data:
• Use a packet sniffer or packet capture tool
Locating Data on Hard Disks and Storage Devices
Mirror to stable media
Use recovery software
Use data reconstruction software
Technical Issues
Life span of data
Collecting data quickly
Collecting bit-level data
Obscured data
Anti-forensics
Types of Potential Evidence
Logs
Windows swap files and file slack
Unallocated space and temporary files
E-mails, word processing documents, and
spreadsheets
Network data packets
Summary
Differences between data and evidence, and valid and invalid data
The rules of evidence
Chain of custody requirements in evidence handling
Methods for collection or seizure, transport, protection and storage, and analysis of evidence