Data Collection Procedures
(OBJ 4.8)
Digital Forensic Collection Techniques
- Involve making forensic images of data for later analysis
- This approach allows incident response teams to resume operations quickly while maintaining evidence
- Evidence may be required for potential legal action and cooperation with law enforcement
Data collection involves the following
- Capturing and hashing system images
- Use FTK Imager to make an exact (bit-for-bit) copy of the server's hard drive, then hash both the original and the image; matching hashes prove the copy is faithful, and re-hashing later proves the image did not change while you were analyzing it
- Analyzing data with forensic tools
- FTK (Forensic Toolkit)
- EnCase
- Capturing machine screenshots
- Reviewing network logs
- Shows how the attacker moved through the network, so the attack can be traced back to its point of entry
- Collecting CCTV video
Order of Volatility
- Always follow the order of volatility when collecting evidence
- Guides the sequence of collecting data, from most volatile (CPU registers and cache) to least volatile (archival media)
- Licensing and documentation reviews ensure system configurations align with their design
Data Acquisition
- The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk
- First thing to ask:
- "Do I have the right to search or seize this thing legally?"
- Not all devices are owned by the company
- Policies for bringing one’s own device (BYOD) complicate data acquisition because it may not be legally possible to search or seize the devices
- Make sure you have permission to gather the needed evidence; otherwise anything found in the search could be ruled inadmissible
- Some data can only be collected once the system is shut down or the power is disconnected (for example, a dead-box image of the drive)
- Other evidence (RAM contents, running processes, network connections) is lost the moment the computer is turned off or shut down
- Understand the procedure you are going to follow before you touch the system, so you capture the volatile data first
- Order of Volatility
- CPU registers and cache memory
- System memory (RAM), routing tables, ARP caches, process table, temporary swap files
- Data on persistent mass storage (HDD/SSD/flash drive)
- Remote logging and monitoring data
- Physical configuration and network topology
- Archival data
- Backup tapes and offsite storage
- Write-once media such as CD-R or DVD-R, which are written once and then aren't touched again
- WARNING
- Some Windows registry keys, like HKLM\HARDWARE, are built at boot and exist only in memory, so they require a memory dump to analyze
- Image the hard drive afterward; the on-disk hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT) are far less volatile and will still be there
- Example:
- When you're dealing with the HKLM\HARDWARE hive, it's important to capture it from memory, because it describes the hardware the system has enumerated, including the disks currently attached to that computer, and it is gone once the machine is powered off
- If a thumb drive is plugged in when the memory image is taken, it shows up in that hive; the history of USB storage devices that survives a reboot is kept in the on-disk SYSTEM hive (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR), so check both
- Either way, that tells the analyst to start looking for that thumb drive or flash drive, because it may hold data that was written off of this computer
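Worked example: collecting in order of volatility
The procedure described above (volatile state first, the disk image last, and every artifact hashed as it is taken so it can later be shown unchanged), as an added example that is not part of the original notes and is not FTK Imager or EnCase code. It is a POSIX shell script that assumes a Linux host (the /proc views of routing table, ARP cache, TCP table and process list) and coreutils dd and sha256sum; on a system without /proc those artifacts are recorded as UNAVAILABLE. The evidence path /mnt/evidence/case42, the device /dev/sdb and the manifest layout are assumptions for illustration, and a full RAM capture is not attempted.

```shell
#!/bin/sh
# Added example, not from the original notes: a minimal order-of-volatility
# collector. Assumes Linux (/proc) and coreutils (dd, sha256sum); on other
# systems the /proc artifacts are logged as UNAVAILABLE. A real RAM capture
# (FTK Imager on Windows, for instance) is out of scope here.
set -u

# Print the SHA-256 of a file, falling back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Append one line to the manifest: volatility tier, artifact, hash, UTC time.
# Hashing at collection time is what later proves the copy was not altered.
log_artifact() {    # $1 = manifest path, $2 = tier, $3 = collected file
    printf '%s\t%s\t%s\t%s\n' "$2" "$(basename "$3")" "$(hash_file "$3")" "$(utc_now)" >> "$1"
}

# Snapshot one volatile kernel view (routing table, ARP cache, ...) if present.
grab_proc() {       # $1 = outdir, $2 = tier, $3 = /proc source, $4 = output name
    if [ -r "$3" ]; then
        cat "$3" > "$1/$4" 2>/dev/null || true
        log_artifact "$1/manifest.tsv" "$2" "$1/$4"
    else
        printf '%s\t%s\tUNAVAILABLE\t%s\n' "$2" "$4" "$(utc_now)" >> "$1/manifest.tsv"
    fi
}

# Image persistent storage last. Hash the source before and the image after;
# conv=noerror,sync keeps dd running past unreadable sectors and zero-fills
# them, so a damaged drive still yields a full-size image. Caveat: sync also
# pads a trailing partial block, so the two hashes only agree when the source
# length is a multiple of bs (always true for a real block device).
image_disk() {      # $1 = source device or file, $2 = image path; prints OK or MISMATCH
    src_hash=$(hash_file "$1")
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
    img_hash=$(hash_file "$2")
    printf '%s  %s\n' "$src_hash" "$(basename "$1")" > "$2.sha256"
    log_artifact "$(dirname "$2")/manifest.tsv" 3 "$2"
    if [ "$src_hash" = "$img_hash" ]; then echo OK; else echo MISMATCH; fi
}

# Collect most volatile first: memory-resident network state and the process
# table (tier 2 in the notes), then persistent storage (tier 3).
collect() {         # $1 = output dir, $2 = device or file to image; prints OK or MISMATCH
    mkdir -p "$1"
    : > "$1/manifest.tsv"
    grab_proc "$1" 2 /proc/meminfo meminfo.txt
    grab_proc "$1" 2 /proc/net/route route.txt
    grab_proc "$1" 2 /proc/net/arp arp.txt
    grab_proc "$1" 2 /proc/net/tcp tcp.txt
    for p in /proc/[0-9]*; do
        if [ -r "$p/comm" ]; then
            printf '%s %s\n' "${p#/proc/}" "$(cat "$p/comm" 2>/dev/null)"
        fi
    done > "$1/processes.txt"
    log_artifact "$1/manifest.tsv" 2 "$1/processes.txt"
    image_disk "$2" "$1/disk.img"
}

# Usage (assumed paths): sh collect.sh /mnt/evidence/case42 /dev/sdb
if [ $# -eq 2 ]; then collect "$1" "$2"; fi
```

The manifest is the piece a practitioner should not skip: each line ties a tier, an artifact, its hash and a UTC timestamp together, which is what a chain-of-custody record needs when the image is later handed to law enforcement. Running the script as root against a live system is itself an action on the evidence, so note the host, operator and command line in your case notes as well.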