E-Learning - University of Northern Colorado


System Forensics, Investigation, and Response
Chapter 7: Collecting, Seizing, and Protecting Evidence
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
 Examine the evidence life cycle.
Key Concepts
 Differences between data and evidence
 Types of evidence
 Chain of custody requirements
 Collection, transportation, and storage of evidence
DISCOVER: CONCEPTS
5 Rules of Evidence
 Admissibility: Evidence must be admissible in court.
 Authenticity: Evidence must relate to the incident.
 Completeness: Evidence must be comprehensive.
 Reliability: Evidence collected must be uncontaminated and consistent.
 Believability: Evidence presented should be clearly understandable and believable by the jury.
DISCOVER: PROCESS
Evidence Life Cycle
 Collect or seize evidence
 Transport evidence
 Protect or store evidence
 Analyze evidence
Evidence Collection
 Freeze the scene.
 Comply with the five rules of evidence.
 Minimize handling and corruption of original data.
 Proceed from volatile to persistent evidence (memory, network state, and running processes before disk contents).
 Don't run programs from the affected system; if volatile data must be captured live, use known-good tools from your own media.
Evidence Collection (Continued)
 Account for any changes and keep detailed logs of actions.
 Do not exceed your current knowledge; escalate to a specialist rather than guess.
 Follow local security policy.
 Be prepared to testify.
 Ensure that actions are repeatable.
Evidence Transport
 Shut down the computer (after volatile evidence has been collected).
 Document the hardware configuration.
 Document all evidence handling.
 Pack evidence securely.
Evidence Transport (Continued)
 Photograph or videotape the scene from premises to transport vehicle.
 Photograph or videotape the scene from vehicle to lab.
 Transport the computer to a secure location.
Evidence Protection and Storage
 Keep evidence in your possession or control at all times.
 Document movement of evidence between investigators.
 Secure evidence appropriately so that it can't be tampered with or corrupted.
 Mathematically authenticate data (e.g., with cryptographic hash values computed at acquisition and re-checked at each hand-off).
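The hash check on the last bullet, worked through as an added example (this is not code from the textbook): an evidence item is hashed once at acquisition, every transfer recorded in the custody log re-hashes it, and a mismatch marks the item as no longer verified. The evidence ID, custodian names, file path, the constructed image contents and the record layout are all assumptions for illustration.

```python
"""Hash-authenticated chain-of-custody record for one evidence item.

Added example, not from the textbook. The evidence ID, custodian names,
file paths and record layout are assumptions for illustration.
"""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Digest a file in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyRecord:
    evidence_id: str
    description: str
    acquisition_hash: str          # hash taken when the item was first seized/imaged
    algorithm: str = "sha256"
    entries: list = field(default_factory=list)

    def log(self, action, custodian, path):
        """Record a hand-off and re-hash the item, so every transfer is also a verification.

        Returns True when the current hash still matches the acquisition hash.
        """
        current = hash_file(path, self.algorithm)
        verified = current == self.acquisition_hash
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "hash": current,
            "verified": verified,
        })
        return verified

    def to_json(self):
        """Serialize the record for the case file."""
        return json.dumps(asdict(self), indent=2)


def demo():
    """Constructed scenario: acquire, transfer to the lab, then detect a modification."""
    workdir = Path(tempfile.mkdtemp())
    image = workdir / "suspect-disk.dd"                      # hypothetical evidence item
    image.write_bytes(b"\x00" * 4096 + b"MBR placeholder" + b"\xff" * 4096)  # constructed content

    record = CustodyRecord(
        evidence_id="2013-0042-001",                         # assumed case numbering
        description="Bit-stream image of suspect workstation disk",
        acquisition_hash=hash_file(image),
    )
    ok_acquire = record.log("acquired at scene", "Investigator A", image)
    ok_transfer = record.log("received at lab", "Investigator B", image)

    # Simulate a single flipped byte while the item was outside anyone's control.
    data = bytearray(image.read_bytes())
    data[4100] ^= 0x01
    image.write_bytes(bytes(data))
    ok_locker = record.log("checked into evidence locker", "Custodian C", image)

    return ok_acquire, ok_transfer, ok_locker, record


if __name__ == "__main__":
    a, b, c, rec = demo()
    print(rec.to_json())
    print("integrity intact at every step:", a and b and c)
```

Because each log entry stores the hash observed at that hand-off, the record shows not only that the item changed but between which two custodians it changed, which is exactly the question a challenge to the chain of custody will raise.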
Evidence Analysis
 Make a list of key search words.
 Work on image copies, never originals.
 Capture an image of the system that is as accurate as possible, such as a bit-stream backup.
 Evaluate the Windows swap file, file slack, and unallocated space.
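Added example (not from the textbook) combining the keyword-list and the slack/unallocated-space points above: a keyword search run over a raw bit-stream image rather than through the file system, so hits in file slack and in unallocated sectors surface alongside live file content. The image, its layout, the 512-byte sector size and the keywords are constructed for illustration; the search covers UTF-16LE as well as ASCII because strings written by Windows applications frequently land on disk in that encoding.

```python
"""Keyword search over a raw bit-stream image.

Added example, not from the textbook. The image below is constructed in
memory to stand in for a dd/bit-stream copy; the layout, sector size and
keyword list are assumptions.
"""
import hashlib
import re

SECTOR = 512


def build_sample_image():
    """Constructed 32-sector image: an allocated file, residue in its slack,
    and a deleted file whose bytes survive in unallocated sectors."""
    img = bytearray(b"\x00" * (32 * SECTOR))
    live = b"Quarterly report: nothing unusual to report.\n"
    img[4 * SECTOR:4 * SECTOR + len(live)] = live
    # Residue left in the slack of the same cluster by an earlier, larger file.
    slack = "wire transfer confirmed".encode("utf-16-le")
    img[5 * SECTOR + 100:5 * SECTOR + 100 + len(slack)] = slack
    # A deleted file: directory entry gone, content still in unallocated space.
    deleted = b"Draft email to offshore account manager re: WIRE TRANSFER\n"
    img[20 * SECTOR + 17:20 * SECTOR + 17 + len(deleted)] = deleted
    return bytes(img)


def keyword_patterns(keywords):
    """Compile each keyword case-insensitively for ASCII and for UTF-16LE."""
    patterns = []
    for kw in keywords:
        ascii_re = re.compile(re.escape(kw.encode("ascii")), re.IGNORECASE)
        patterns.append((kw, "ascii", ascii_re))
        # UTF-16LE has no IGNORECASE shortcut: allow either case per character.
        parts = []
        for ch in kw:
            lo = re.escape(ch.lower().encode("utf-16-le"))
            up = re.escape(ch.upper().encode("utf-16-le"))
            if lo == up:
                parts.append(lo)
            else:
                parts.append(b"(?:" + lo + b"|" + up + b")")
        patterns.append((kw, "utf-16-le", re.compile(b"".join(parts))))
    return patterns


def search_image(data, keywords):
    """Scan the whole image, not the file system, so slack and unallocated space are included."""
    hits = []
    for kw, enc, pat in keyword_patterns(keywords):
        for m in pat.finditer(data):
            hits.append({
                "keyword": kw,
                "encoding": enc,
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "context": data[max(0, m.start() - 16):m.end() + 16],
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    image = build_sample_image()
    # Record the image hash before analysis so the copy worked on can be tied to the original.
    print("image sha256:", hashlib.sha256(image).hexdigest())
    for hit in search_image(image, ["wire transfer", "offshore"]):
        print(f"sector {hit['sector']:>3} offset {hit['offset']:#08x} "
              f"{hit['encoding']:<9} {hit['keyword']!r}")
```

The sector number of each hit is what you carry forward: mapping it back to the file system (allocated file, slack of which file, or unallocated) is the next step, and it is why a raw search finds the "deleted" draft that a file-by-file search would miss.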
Evidence Analysis (Continued)
 Identify file, program, and storage anomalies
 Evaluate program functionality
 Document findings
• Create a case
 Retain copies of software used
DISCOVER: CONTEXTS
Sources for Data of Potential Evidentiary Value
 Access logs
 Data transmissions
 Data on hard disks and storage devices
 Data on mobile devices
Locating Data in Access Logs
 Manually review logs, or
 Use a log analysis tool
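A small log analysis tool of the kind the second bullet refers to, as an added example that is not part of the original slides. It parses Apache combined-format access log lines, builds a per-host timeline, and flags two patterns an examiner looks for: repeated failed logins followed by a success, and activity outside working hours. The log lines, the /login path, the failure threshold and the business-hours window are constructed assumptions.

```python
"""Locating evidence in a web server access log.

Added example, not from the textbook. The log lines are constructed in
Apache combined format; the /login path, the failure threshold and the
business-hours window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a burst of failed logins from one host at 03:10, a
# success, then a sensitive download from the same host; plus normal daytime traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:03:10:01 -0600] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:03:10:03 -0600] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:03:10:05 -0600] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:03:10:09 -0600] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - jsmith [12/Mar/2013:03:12:40 -0600] "GET /reports/payroll.xlsx HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2013:09:15:22 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2013:09:15:23 -0600] "GET /login HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: host ident user [timestamp] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def timeline(entries, ip):
    """Everything one host did, in time order: the first view an examiner builds."""
    return sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["ts"])


def failed_then_success(entries, path="/login", threshold=3):
    """Hosts whose POSTs to `path` failed at least `threshold` times before a 200."""
    failures = defaultdict(int)
    flagged = {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["path"] != path or e["method"] != "POST":
            continue
        if e["status"] == 401:
            failures[e["ip"]] += 1
        elif e["status"] == 200 and failures[e["ip"]] >= threshold:
            flagged[e["ip"]] = {"failures": failures[e["ip"]], "success_at": e["ts"]}
            failures[e["ip"]] = 0
    return flagged


def off_hours(entries, start_hour=7, end_hour=19):
    """Requests outside the assumed business-hours window (hour as logged, local time)."""
    return [e for e in entries if not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, info in failed_then_success(entries).items():
        print(f"{ip}: {info['failures']} failed logins, then success at {info['success_at']}")
        for e in timeline(entries, ip):
            print(f"  {e['ts']:%Y-%m-%d %H:%M:%S} {e['method']:<4} {e['path']} {e['status']}")
    print("off-hours requests:", len(off_hours(entries)))
```

Run against a real log, the flagged host's timeline is what goes into the case notes; the raw log file itself, hashed at collection, stays untouched as the evidence the notes refer back to.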
Locating Data in Transmissions
 For backed-up data:
• Mirror to removable media, with validation by the system administrator
 For live data:
• Use a packet sniffer or packet capture tool
Locating Data on Hard Disks and Storage Devices
 Mirror to stable media
 Use recovery software
 Use data reconstruction software
Technical Issues
 Life span of data
 Collecting data quickly
 Collecting bit-level data
 Obscured data
 Anti-forensics
Types of Potential Evidence
 Logs
 Windows swap files and file slack
 Unallocated space and temporary files
 E-mails, word processing documents, and spreadsheets
 Network data packets
Summary
 Differences between data and evidence, and valid and invalid data
 The rules of evidence
 Chain of custody requirements in evidence handling
 Methods for collection or seizure, transport, protection and storage, and analysis of evidence