The process of gathering forensics data requires planning and attention to detail. In this video, you’ll learn about the process of gathering and storing important information after a security incident.
<< Previous Video: Incident Response Process Next: Using Forensics Data >>
During and after a security incident there will always be a need to collect forensic information and this will come from many different data sources. You might want to refer to RFC 3227, this is the guidelines for evidence collection and archiving. It will give you a very good set of best practices for forensic data collection.
It’s common to have a standard digital forensic process so you know exactly how the data was gathered and how that information will be stored. This will detail the acquisition, the analysis, and the reporting of that data. All of this is extremely detail oriented, and it’s important that someone take extensive notes during the forensic process.
Not all data has the same volatility. Some data will stick around for longer time periods than others. This table shows the order of volatility where the most volatile data is the data that’s inside of CPU register or a CPU cache. As we get less volatile, you can find temporary file systems or even files that are stored on disk. And some of the least volatile data you’ll find is archival media, which is usually kept around for years.
Whenever evidence is gathered there needs to be some way to maintain the integrity, and control all of this evidence. One very common way to do this is with a chain of custody. This means that everyone who comes in contact with this evidence will be able to document that they touched this particular piece of information, and this will also help to avoid anyone else tampering with or modifying this evidence. With the chain of custody, every piece of evidence is cataloged and labeled, and everything is sealed so that you can store it and make sure that no one is able to tamper with any part of that evidence.
As an IT professional, you may be asked to store evidence through the use of a legal hold. This is a legal technique that ensures that any data that may be associated with a particular legal proceeding is held and kept so that nothing is lost. This is usually created to prepare for some impending litigation, and it’s usually a legal document provided to you this is usually provided as a hold notification, which tells you exactly what kind of data and how much should be preserved.
If this is electronically-stored information, or ESI, there will be a separate repository created just for this data, and you’re usually storing many different kinds of data. There might be personal files, there might be documents, or there might be email messages. And these legal holds may include ongoing preservation, so not only are you preserving the older data, you’re also preserving any new data that’s created.
The contents of a storage drive may contain very valuable forensics data, so it’s common to create a system image of that drive so that you’re able to look at and manipulate a copy of that data without affecting the original drive itself. Commonly, we would create a system image on a bit-for-bit or byte-for-byte basis so you have an exact duplicate of everything that was on that drive. There are software imaging tools that are specialized to create this, and you could even use a bootable device to be able to copy that drive without affecting any of the drive that currently exists.
It’s sometimes common to physically remove the drive to make sure that nothing overwrites data, and it’s common to add that drive to a hardware write-blocker that allows you to read the data from the drive, but the hardware itself prevents you from writing anything onto that important forensic data. And sometimes even if someone deletes an entire drive, all of that information may already be backed up. So don’t forget about getting the backup drives to make sure that you really do have all of the data you can use.
Many attacks occur across the network, so it’s important to capture as much log information as possible. These are coming from your switches, your routers, your firewalls, and almost anything else that’s connected to the network. Intrusion prevention systems can provide you with some unique log details since those devices are specialized at looking for attacks. And some organizations have the luxury of storing all of their raw network data. The stream-to-disk solution captures every packet going across the network and stores and archives that information to disk. From there, you can rebuild file transfers, email messages, and examine any specific data transfers that may have occurred across the network.
Sometimes a security event might happen outside the scope of a computer and a network. And in those cases, it’s important to store any video you may have of the incident. You can also take your own video of the incident. If you’re working on a system that has been compromised, it might be useful to gather video of any changes or messages that may be on the screen. Many organizations also have security cameras that are watching many different parts of the organization 24-hours a day and seven days a week, and these may be very valuable sources of forensics. All of this video information must be archived and saved so that you can go back and evaluate it during the investigation.
When you’re trying to correlate together log files, video evidence, and other types of evidence, you may be looking at timestamps to do that. But it’s also important to understand what the offsets might be for a time-stamp on a system. Usually this is determined by the time zone settings that may be on a local device, so it’s important to document exactly how a particular device is configured. For example, in the FAT file system, the time is stored in it’s local time. If you’re using NTFS, those files store information with a time-stamp that is marked with GMT. You can record this time offset directly from the operating system– Windows keeps it in the Windows registry– and you want to be sure that you not only document the time zone, but you document whether daylight saving time and any time changes are also configured for that system.
For physical evidence, we know that we can catalog and seal that evidence so there’s no tampering. With digital evidence, we can perform a similar function by using hashes. One type of hash we might use is the MD5 hash, or message digest 5. This is a 128-bit hash. This means that if anybody modifies that digital information, the chance of duplicating that hash is one in 2 to the 128th power, or 230 billion billion billion billion.
Another type of check that we often see with the network communication is the CRC, or the cyclical redundancy check. This is a 32-bit hash, and it means that the chance of duplication is 1 in 2 to the 32nd power, or 1 in just over 4 billion. It’s very common when capturing files, images, and other digital information to create an MD5 hash, and then it’s very easy to then reconfirm that that MD5 hash is valid by creating the hash later on and comparing those two values.
A lot of valuable forensic information goes by on the screen, so it’s useful to get screenshots to be able to capture what the state might be of a particular screen. We might use some type of external device like a phone or a digital camera to capture this information, or we can use built-in functions of the operating system, like the PrintScreen key or third-party screen capture utility.
And it may be useful to gather witness testimony, especially if there’s a physical component of this particular attack. You want to be sure to interview anyone who may have seen information and document anything that they may have seen, and you want to be sure to do it as quickly as possible. Some people may leave the organization or have a difficult time remembering what happened later on. Although witness statements are not 100% accurate, you may be able to build more evidence by interviewing more people and being able to correlate all of those different stories together.