Managing Evidence – SY0-601 CompTIA Security+ : 4.5

Once evidence has been collected, the data must be managed properly. In this video, you’ll learn about data integrity, preservation, e-discovery, data recovery, non-repudiation, and strategic intelligence.

When you’re collecting data for evidence, you want to be sure that nothing is going to change with the information that you’ve collected. One way to ensure this is to create a hash of that data. This is a way to cryptographically verify that what you have collected is going to be exactly the same as what you’re examining later.

You can think of this as a digital fingerprint. You would take that fingerprint or create that hash when you first collect the data. And then you would verify that hash whenever you perform the analysis to make sure that nothing has changed in the meantime.

A relatively simple integrity check can be done with a checksum. This is very commonly done with network communication to make sure that the information that we’ve sent from one side of the network to the other has shown up without any type of corruption. This isn’t designed to replace a hash, but it does provide a simple integrity check that might be useful in certain situations.

And we also have to think about the original source of this data. We refer to this as provenance. This provides us with documentation of where this data originated. It’s also useful to have a chain of custody so you know exactly where this data has been since the time it was taken. This might even be an opportunity to take advantage of newer blockchain technologies that can provide more detailed tracking of information.

It’s important when working with data as evidence that we are able to preserve this information and to verify that nothing has changed with this information while it’s been stored. We commonly will take the original source of data and create a copy of that data, often imaging storage drives or copying everything that might be on a mobile device. This becomes especially useful for these mobile smartphones, since it is possible to remotely erase these devices.

This is not always as simple as powering down the system, removing a drive, and then imaging the information that’s there, especially since many drives are configured with full disk encryption. And powering down the system could cause all of that data to be inaccessible. We often have to think about different techniques when we’re gathering this data, especially if encryption is in use.

We want to be sure that when we’re gathering this information that we’re using the best practices. This will be especially useful if this information is being used later on in a court of law because they will be examining the process you took to gather these details.

There’s a legal mechanism used to gather information called discovery. And when we apply this to digital technologies, it’s referred to as e-discovery. The process of e-discovery is about gathering the data.

We aren’t examining the information. We’re not analyzing the information that we’re gathering. We’re simply going through a list of information that’s been requested, and we’re gathering all of those details, and providing it to the legal authorities.

The process of e-discovery often works in conjunction with digital forensics. For example, with e-discovery, we may be requested to obtain a storage drive and provide that to the authorities. The authorities would then look at that drive and notice that the information on that drive is actually smaller than what they expected. At that point, they can bring in some digital forensics experts that can examine the drive and attempt to recover any data that may have been deleted.

Recovering missing data can be a complex process. There’s no single way to go about recovering data. So it takes extensive training and knowledge to know exactly the best way to do it.

The exact process someone might go through might vary based on whether the files were simply deleted on the drive. Were the files deleted and then the recycle bin was deleted? Or were the files simply hidden, but are still contained on the storage drive?

Was there corruption with the data associated with the operating system or the application? Or was the storage media damaged itself? All of these situations can have some type of data recovery associated with them if we use the correct techniques.

Another important part of this process is knowing exactly who sent the data originally. If we can ensure that the information that we’ve received is exactly what was sent and we can verify the person who sent it, then we have what’s called non-repudiation. With non-repudiation, we not only know who sent the data, but we have a high confidence of exactly who sent that information. This means that the only person who could have sent the data is that original sender.

There are commonly two ways to provide non-repudiation, one is with a message authentication code or a Mac. With message authentication codes, the two parties that are communicating back and forth are the two that can verify that non-repudiation. This is a little bit different than a digital signature where anyone who has access to the public key of the person who wrote the information can verify that they sent it. This is obviously a much broader non-repudiation since it would be verified by anyone and not just the two parties in the conversation.

Gathering evidence can also be done by using strategic intelligence. This is when we are focusing on a domain and gathering threat information about that domain. We might want to look at business information, geographic information, or details about a specific country.

We might get much of this information from threat reports that we create internally or information that we’re gathering from a third party. There might also be other data sources, especially with open source intelligence or OSIT that could even provide additional details. And if we’re looking at information over an extended period of time, we may be able to track certain trends that would give us more information about the threat.

If we’re the subject of someone’s strategic intelligence, we may want to prevent that intelligence from occurring. And instead, we would perform strategic counterintelligence or CI. With CI, we would identify someone trying to gather information on us. And we would attempt to disrupt that process. And then we would begin gathering our own threat intelligence on that foreign operation.