Digital Forensics - CompTIA Security+ SY0-701 - 4.8

00:01

As security professionals, we are often

00:04

responsible for collecting data when a security event occurs.

00:07

This process of digital forensics

00:09

is not only important to understand

00:11

what happened during the security event

00:14

but also to understand how we can protect ourselves

00:17

in the future and be able to use this information in any type

00:21

of legal proceeding.

00:22

The specifics on how to collect this data and store this

00:25

information is a bit outside the scope of the Security+ exam,

00:30

but there is an RFC, number 3227,

00:33

which is the guidelines for evidence collection

00:35

and archiving.

00:36

If you wanted to read through a set of best practices,

00:39

they're all documented in this RFC.

00:42

The IT security industry has created

00:44

a number of best practices for digital forensics,

00:47

so it's important to understand what those best practices might

00:50

be for the acquisition, analysis,

00:53

and reporting of this data.

00:55

Because of how this data may be used in the future,

00:58

it's incredibly important to follow

01:00

these sets of best practices when

01:02

we're collecting data today.

01:03

It's very possible that the data you're collecting today

01:06

will be used in legal proceedings that occur years

01:09

from now.

01:10

So it's important that you follow the best practices

01:12

for this data collection and be able to take extensive notes

01:16

and information on how this data was obtained.

01:19

One type of data acquisition request is called a legal hold.

01:23

This is a process usually initiated

01:25

by a lawyer or some other type of legal entity,

01:28

and they will inform you in a document of the type of data

01:32

that needs to be stored and how much of that

01:35

data needs to be available.

01:36

These requests are usually sent to the data custodian, who

01:39

obviously has access to all of the data associated

01:42

with this particular request.

01:44

The custodian will be responsible for evaluating

01:47

the legal hold and understanding where to start

01:50

with acquiring that data.

01:51

In most cases, an organization will have a separate area

01:55

where all of this ESI, or electronically stored

01:58

information, will be held.

01:59

All of the data that is described in the legal hold

02:02

is acquired and stored in this repository.

02:05

And this may be a bit more involved

02:07

than simply copying a file from one place to the other.

02:10

The information you need to acquire

02:11

may be part of a much larger database

02:14

or may be stored in a format that

02:16

needs to be modified before storing it

02:18

as part of the legal hold.

02:20

For example, an email client might store data

02:23

into a proprietary format, and you

02:25

may need to convert that back to the text format of email

02:28

to be able to store it in a form necessary for this legal hold.

02:32

It's also important that all of this information

02:35

be properly preserved.

02:36

This is data that is being requested by the courts,

02:39

and you are responsible for making sure that data is safe

02:43

and is able to be provided to the court when requested.

02:47

One of the most important concepts

02:49

in this type of data collection is that the information remains

02:53

in its pristine or unmodified form during the duration

02:57

of this analysis.

02:58

This means, when the data is first acquired,

03:00

there needs to be a process in place

03:02

to ensure the integrity of that data going forward.

03:06

And of course, there will most likely

03:08

be multiple individuals who need to gain access

03:10

to this information as this particular event proceeds.

03:14

To better understand exactly who accesses this data

03:17

and to confirm that the data has not

03:19

changed during this process, we need

03:21

to put in place a chain of custody.

03:23

In the physical world, we would take evidence and place it

03:26

into a bag that could be sealed.

03:28

If anyone then accesses that evidence inside of the bag,

03:31

they would need to document that on the bag itself.

03:34

In the digital world, we can use hashes and digital signatures

03:38

to maintain the integrity of the data

03:40

and understand exactly who accesses that data

03:43

at any particular time.

03:45

This allows us to understand exactly how this data has

03:48

been stored during a particular time frame.

03:51

We know who accessed the data.

03:53

And we can confirm the data that we're

03:54

looking at in the future is exactly the same data that we

03:58

originally collected.

03:59

There may be times with a legal hold

04:01

when you know exactly what type of data you

04:04

should be collecting and how that data should be stored.

04:07

But in the case of a broader security event,

04:09

you may need to collect a lot of different types of data

04:12

from different systems.

04:14

And in those particular cases, you

04:15

will need to have a chain of custody for every bit of data

04:18

that you've collected.

04:20

The acquisition of this data is commonly the first step,

04:24

and we may need to obtain this data from many different types

04:27

of sources.

04:28

For example, the data might be stored on disk or in memory

04:31

of a system, it might be part of the firmware,

04:33

or it might be files that are stored

04:35

as part of the file system.

04:37

We may also find that this is an attack that took place

04:40

over a number of different systems,

04:42

so we may need to collect data from multiple devices.

04:45

We may need to gather information from servers

04:48

that are on the network.

04:49

There might be data stored in network devices.

04:51

There might be logs on a firewall

04:53

that we will also need to acquire.

04:55

If this is a virtual system, we may

04:58

want to take a full copy of everything

05:00

associated with that VM.

05:02

For example, you could obtain a snapshot of that system,

05:05

and that contains all of the files

05:07

and all of the information about that virtual machine.

05:10

And some of the most interesting information you'll acquire

05:13

may not be in the most obvious places.

05:15

For example, there's data that's inside

05:18

of log files inside of a system.

05:20

There may be data that's stored in a recycle bin

05:22

or some temporary storage area.

05:24

There might be browser bookmarks or saved logins

05:27

and other temporary files that can gather more details

05:31

about this particular event.

05:34

When dealing with this type of data,

05:35

it's not only important to acquire the data,

05:38

but it's also important to document

05:40

how that data was acquired.

05:42

We often create detailed reports on the data acquisition

05:45

process, not only to use internally

05:47

for understanding how this data was acquired, but in the future

05:50

if this is used for any type of legal proceeding,

05:53

we'll need a lot more information

05:55

on how this particular data was acquired and how it's stored.

05:59

This reporting process is going to give us

06:01

the documentation that we need.

06:03

We often start with a summary or an overview

06:06

of the entire event and the process

06:08

that led us to begin acquiring this data.

06:11

There then needs to be detailed documentation that

06:14

describes all of the steps that it

06:16

took to get the data from its original source

06:19

to the data that was acquired.

06:21

This allows a third party to look over the process later

06:24

and understand all of the integrity checks

06:27

that were put in place so they can feel comfortable

06:29

that the data they're looking at now

06:31

is a proper representation of the original data.

06:35

You might also be required to create an analysis

06:37

of the data that was acquired.

06:39

This is usually a factual description

06:41

of the structure of the data and how this data can be used

06:44

or understood by a third party.

06:47

And if we're using this data to provide insight

06:49

into the security event, we may want to create a conclusion.

06:53

We may analyze the data, have an understanding

06:56

of how this data relates to the security event,

06:59

and then make conclusions as to what happened with this data

07:02

during this particular event.

07:05

Acquiring data is obviously an important step

07:08

in this forensics process, but we also

07:10

have to think about how we're going to store this data.

07:12

And the preservation of this data

07:14

becomes especially important, especially when

07:17

these types of events turn into legal proceedings that can

07:20

occur even years down the road.

07:22

Since we are referring to a digital representation

07:25

of this data, it's very easy to make copies

07:28

from the original media and then use the copies in our analysis.

07:32

This not only ensures that we have a backup of the data.

07:35

It also prevents us from making any changes

07:38

to the original data source.

07:40

This is especially important with mobile devices,

07:42

which can be easily erased from a remote location.

07:46

So you want to be sure to make copies of those mobile devices

07:49

and work from the copies of that data.

07:51

For both our mobile devices and our desktop operating systems,

07:56

being able to collect data in a live form is a very important.

07:59

Skill this can be especially important on systems that

08:02

have some type of encryption technologies

08:05

that automatically lock themselves down when you

08:08

power off the system.

08:09

So if you are in a situation where you are acquiring data,

08:13

you may want to find ways to do that while the system is still

08:16

running.

08:17

And as we've already mentioned, this information

08:19

might be used years down the road in legal proceedings.

08:23

So we want to be sure to follow the best

08:24

practices for acquisition and the best practices

08:27

for preserving this data during that time frame.

08:31

This forensics process might also involve e-discovery.

08:35

This is the process of collecting, preparing,

08:38

reviewing, interpreting, and producing electronic documents.

08:42

As a security professional, you may

08:43

find yourself being asked to gather large amounts of data

08:47

and provide that data in a form that

08:49

may be used by a third party.

08:51

This e-discovery process is all about acquiring data.

08:55

It doesn't have any requirement that you

08:57

provide analysis of the data.

09:00

It's simply listing out the type of data

09:02

that needs to be acquired and putting that into your hands

09:05

to properly acquire it.

09:06

This e-discovery process often works in conjunction

09:10

with a formal forensics process.

09:12

So you might be asked to collect an image of a particular drive

09:16

and provide that drive to a digital forensics professional.

09:19

Creating the image of that drive is the only thing required

09:23

by the e-discovery process.

09:25

Once that image is handed over to the forensics team,

09:28

they might look at the data on the drive

09:30

and make determinations of whether the data is still

09:33

on that drive or whether the data may have been deleted.

09:36

And at that point, they can go through the processes

09:39

and procedures for undeleting or recovering that data

09:42

if required.