Class 1
Last updated
Digital forensics involves the preservation, acquisition, documentation, analysis and interpretation of evidence found on various types of storage media. It is a supporting function of the overall Incident Response (IR) process.
General digital forensic processes include:
Imaging
Hashing
File recovery
File system basics
Identifying mismatched file types
Reporting
DF requires following best practices and procedures so that the same results are produced time and time again, providing proof of evidence preservation and integrity that can be replicated if called upon to do so.
Linux distributions commonly used for forensics:
DEFT Linux
Computer Aided INvestigative Environment (CAINE)
CSI Linux
Kali Linux
There are many open-source tools; however, if the investigation is for legal purposes we can only use tools that are regulated, tested, and approved by your governing body.
Anti-forensics aims to conceal or manipulate digital evidence to avoid detection and prosecution >:)
These anti-forensics techniques include:
Data encryption
Data destruction
Steganography
File obfuscation and manipulation
Counter-forensic tools
DFIR professionals must stay up to date on all anti-forensics TTPs to effectively counter them. Proper documentation, secure evidence handling, and making sure best practices are followed are crucial for mitigating the impact of anti-forensics.
Before examining data, we must take a hash of the data source, image the data, and then hash the image to verify that it is exactly the same as the source.
Incident response (IR) is the effort to quickly identify an attack, minimize its effects, contain damage, and remediate the cause to reduce the risk of future incidents.
These are the steps used to prepare for, detect, contain, and recover from a data breach or cyber incident.
Every IR playbook is a set of instructions and actions to be performed at every step in the IR process. Playbooks are created to give companies a clear path through the process so everything is crazy dog water; however, they include a degree of flexibility in the event that the incident under investigation doesn't fit neatly into a cute box.
A playbook can be made for each kind of incident (e.g. ransomware, widespread malware, social engineering, etc.).
Data volatility, most volatile first:
Registers, peripheral memory, caches, etc.     nanoseconds
Main memory (RAM)                              nanoseconds
Network state (ARP cache, routing tables)      milliseconds
Running processes                              seconds
Disk images                                    minutes
External media (USBs)                          years
CD-ROMs, printouts, etc.                       tens of years
Chain of custody describes the documentation of a piece of evidence through its lifecycle.
The lifecycle begins when the first person takes custody of a piece of evidence and ends when the incident is finally disposed of, at which point the evidence can either be returned or destroyed.
Maintaining a proper chain of custody is critical for the validity of the evidence.
Used to view and manage disk partitions on a system
dc3dd is a forensic variant of the Data Dump (dd) tool, used for forensic acquisition and hashing in one pass.
This will overwrite the data with zeros.
Used for creating forensic disk images or performing data copying and manipulation tasks.
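The hash, image, hash-again sequence from the notes, done with plain dd and sha256sum rather than dc3dd, as an added example that is not part of the class notes. The source file, image path and log path are constructed in a temp directory; the `verify_image` helper is a hypothetical name for the re-check each handoff in the chain of custody should perform.

```shell
#!/bin/sh
# Added example: acquire a source, hash it before and after imaging,
# record both hashes, and fail loudly if they differ.

# Print the SHA-256 of a file (hash only, no filename).
hash_file() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# acquire_and_verify SRC IMG LOG
# Hash SRC, copy it to IMG with dd, hash IMG, append both hashes to LOG.
# Returns 0 when the hashes match, 1 on mismatch or copy failure.
acquire_and_verify() {
    src=$1; img=$2; log=$3
    pre=$(hash_file "$src") || return 1
    # Plain block copy. On failing media dd is often run with
    # conv=sync,noerror; note that sync pads short blocks with zeros, so
    # the image hash can then legitimately differ from the source hash.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
    post=$(hash_file "$img") || return 1
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$pre" "$post" >> "$log"
    [ "$pre" = "$post" ]
}

# verify_image IMG HASH (hypothetical helper)
# Re-check an image against a hash recorded earlier, which every later
# examiner should do before working on the copy. Returns 0 on match.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Constructed sample "evidence": a small file standing in for a block device.
WORK=$(mktemp -d)
printf 'sample evidence contents\n' > "$WORK/source.bin"
if acquire_and_verify "$WORK/source.bin" "$WORK/source.dd" "$WORK/acquisition.log"; then
    echo "image verified: hashes match (see $WORK/acquisition.log)"
else
    echo "VERIFY FAILED: image does not match source" >&2
fi
```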
This is a standalone acquisition tool that can be used to create forensic images and perform disk cloning. This has a GUI and is preferred by newbies :3
Autopsy offers a GUI front end to a variety of investigative command-line tools, including:
File analysis
Imaging and file hashing
Deleted file recovery
Case management