CompTIA Security+ SYO-401

Certification Training

Implement basics of forensic procedure Tutorial

1 How to Implement Basics of Forensic Procedure

Documentation is important for every activity you perform, as it records the actions taken for future reference. Every action you perform on a system or device, and every incident that takes place, should be documented. Let’s begin this lesson with the objectives. After completing this lesson, you will be able to:

• Analyze the system volatility
• Perform the steps to collect forensic data
• Analyze the collected data

2 Analyze the System Volatility

In this topic, you will learn the steps to analyze system volatility. Before moving to the actual learning of basic forensic procedures, let’s consider a scenario. Suppose there has been a compromise of your organization’s network. One machine in particular is the suspected target or source of the compromise. The machine is immediately rebooted to get it back to a working state. Later, you determine that the reboot has resulted in the loss of sensitive data required for a correct forensic analysis. What went wrong, and how should this be handled so that attack evidence is correctly documented in future?

One way to avoid this kind of situation is to follow the order of volatility. This means documenting all the volatile information before any reboot or process that flushes the caches and registers. Since the reboot was performed before documentation, there was no way to regain the lost information.

Now let’s see the order of volatility. This is the initial technique for collecting forensic data. While responding to an incident, you should preserve the evidence, document it, and, most importantly, be aware of which data is changing and which data is constant. When there is a need to overwrite data or modify some details, you should review it first. Each piece of data has a place in this order that tells you when to document and review it.

The order of volatility is the order in which evidence needs to be collected. You start collecting data from the most volatile, that is, the data that is constantly changing, and proceed to the least volatile, which is the stable data. The least volatile data is never displayed on the computer and is not compromised, as it is already stored in a different location. This process needs to be followed when you start a forensic investigation. The correct and dependable order of volatility is as follows:

• Registers, cache
• Routing table, ARP cache, process table, kernel statistics, memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media

3 Collect Forensic Data

In this topic, you will learn the steps to collect forensic data. Since the data on computer storage devices can be hacked or forged at any point in time, it is important to protect the data and verify the integrity of the existing data. You can do this by taking images of storage devices that might have been compromised. These images are not captured with a built-in application; a third-party forensic imaging application should be used to capture a bit-by-bit image of the storage device. Such applications also image the free space, which is not completely empty. Now let’s see the process of capturing system images.

• A forensically clean storage device stores the image copy of the original media.
• A hash is calculated before and after the bit-by-bit image capturing process.
• If the two hash values match, we conclude that the original device remained intact even after the image duplication process.
• Hash the captured image copy.
• If the hash value of the captured image copy matches the original hash value, we can conclude that the imaging process was performed successfully.

We discussed the importance of documentation and of keeping a log of all actions performed on the system or device, and of incidents that take place. This practice is of utmost importance when verifying data while the network is under a malicious attack. Moreover, it helps you identify the origin of a compromise. Regularly verifying documents and logs helps foresee such incidents and interruptions. Documenting and storing network logs should be set as a priority, because there is limited space on the storage devices, and stored logs allow a quick review that identifies attacks. Additionally, many network devices, such as switches, firewalls, routers, proxies, smart patch panels, and VPN appliances, can be used to track and maintain activity logs of the data packets that pass through them.
These logs are used to analyze the incident and can be preserved for further investigation.

We will now move on to the minute detailing of incidents. This can be done by capturing video of the entire incident using security cameras. Such videos can be presented as concrete evidence in court, and used to track sensitive information, such as the entering of credit card numbers. Capturing video has another advantage: it can be used to create reenactments of the crime and its orientation. As the investigation begins, an ideal practice is to document its details. This serves as an additional form of evidence to prove whether data was tampered with or stolen. Additionally, during the investigation, you can take pictures from different angles by moving or dismantling objects present at the scene.

We have gone through important functions of forensic procedure that help you record the investigation of an event, a device, or a system. Now, let’s learn about another function that helps you record the exact time at which an incident happened on a device or system. No two devices have exactly the same time; there is always at least some difference in seconds or minutes. So, it is important to bridge the gap between the two devices, or to have a common standard time. Whenever a log file is drawn, the host device compares the event’s timestamp with the standard time. The process of identifying the time difference between the device clock and the standard time is termed Recording Time Offset. This difference is then used to adjust the time of log entries and to sync events and activities across multiple network devices. This gives the exact time of events, which is useful during the investigation.

Have you ever seen a police investigation? They investigate each and every suspect carefully. They also collect and consider every minute detail during the procedure as evidence.
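To show how a Recording Time Offset is applied in practice, here is an added Python example (not part of the course material) that computes each device's offset from a standard time and rebuilds a single timeline from constructed log lines of three network devices; the device names, clock readings, addresses and log lines are all assumed.

```python
from datetime import datetime, timezone

# Constructed sample: the standard time (e.g. from an NTP reference) and what each
# device's own clock read at that same instant when the logs were pulled.
STANDARD_TIME = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
DEVICE_CLOCKS = {
    "firewall": datetime(2024, 3, 1, 12, 0, 45, tzinfo=timezone.utc),  # 45 s fast
    "switch":   datetime(2024, 3, 1, 11, 58, 30, tzinfo=timezone.utc), # 90 s slow
    "proxy":    datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc),   # in sync
}

# Constructed log lines in the form "<device> <device-local timestamp> <event>"
LOG_LINES = [
    "switch 2024-03-01T11:57:00Z port 7 link up",
    "firewall 2024-03-01T12:00:15Z deny 10.0.0.5 -> 203.0.113.9:445",
    "proxy 2024-03-01T11:59:20Z GET http://203.0.113.9/update.exe",
    "firewall 2024-03-01T11:59:50Z allow 10.0.0.5 -> 203.0.113.9:80",
]

def record_time_offset(device_time, standard_time=STANDARD_TIME):
    """Recording Time Offset: device clock minus standard time.
    A positive offset means the device clock runs fast."""
    return device_time - standard_time

def normalize(line, offsets):
    """Parse one log line and correct its timestamp by that device's offset."""
    device, stamp, event = line.split(" ", 2)
    device_ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    true_ts = device_ts - offsets[device]   # undo the clock error
    return true_ts, device, event

def build_timeline(lines=LOG_LINES, clocks=DEVICE_CLOCKS):
    """Return (true_time, device, event) tuples sorted on the corrected time."""
    offsets = {name: record_time_offset(clock) for name, clock in clocks.items()}
    return sorted((normalize(line, offsets) for line in lines), key=lambda e: e[0])

if __name__ == "__main__":
    for ts, device, event in build_timeline():
        print(ts.isoformat(), device, event)
```

Note that in the raw logs the proxy download appears before the firewall allow rule fired; after applying the offsets, the allow precedes the download, which is the order an investigator needs.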
Collecting such detailed evidence ensures that no aspect is left out through which a criminal might find a way to escape punishment. Similarly, hashes help you ensure that the evidence you collect during an investigation is not tampered with or counterfeited. They let you cross-check the credibility of the evidence if it is presented at a later date than the time of investigation. Hashes may be termed a way of encryption. When you insert a file or multiple files into a hashing algorithm, a hash is produced. It is an eight-digit character, produced only when the exact same information is entered into the hashing algorithm. These hashes are documented. So, whenever there’s a need for any concrete information, check the hash value. It tells you if the data has been compromised.

We are used to taking screenshots with our cell phones and computers. Similarly, it is important to take screenshots of relevant information during a forensic investigation. But you should never rely on a third-party tool or application; use only native screen capture tools to take pictures of the computer screen. Moreover, use a camera to take photographs of entities that display certain information, for example, monitors, the LCD screens of printers or scanners, or any LEDs displaying the current status.
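As an added example (not part of the course material), the imaging steps listed in this section and the hash check described just above can be exercised in Python on a constructed in-memory "disk"; the two imaging functions are stand-ins for a forensic imager and an ordinary file copy, and the sample bytes and the "<free>" marker are made up.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Hash used to document the state of the media; any byte change alters it."""
    return hashlib.sha256(data).hexdigest()

def bit_by_bit_image(source: bytes) -> bytes:
    """Stand-in for a forensic imager: copies every byte, free space included."""
    return bytes(source)

def logical_copy(source: bytes) -> bytes:
    """Stand-in for an ordinary file copy: whatever sits in free space is lost."""
    return source.split(b"<free>")[0]

def verify_acquisition(source: bytes, imager=bit_by_bit_image) -> dict:
    """Run the documented hash-before / image / hash-after / hash-image sequence."""
    before = sha256_hex(source)       # 1. hash the original before imaging
    image = imager(source)            # 2. capture the image onto a clean device
    after = sha256_hex(source)        # 3. hash the original again afterwards
    image_hash = sha256_hex(image)    # 4. hash the captured copy
    return {
        "original_intact": before == after,      # imaging did not touch the original
        "image_matches": image_hash == before,   # the copy is an exact duplicate
        "before": before, "after": after, "image": image_hash,
    }

# Constructed sample media: an allocated file followed by free space that still
# holds the remains of a deleted file, which only a bit-by-bit image preserves.
SAMPLE_DISK = (b"FS\x00config.txt=admin:1\x00"
               + b"<free>" + b"\x00" * 12 + b"deleted: secret.key=XYZ" + b"\x00" * 8)

if __name__ == "__main__":
    for name, imager in (("bit-by-bit", bit_by_bit_image), ("file copy", logical_copy)):
        r = verify_acquisition(SAMPLE_DISK, imager)
        print(f"{name}: original intact={r['original_intact']}, image matches={r['image_matches']}")
```

The file-copy run shows the failure mode the text warns about: the original is still intact, but the copy's hash does not match, so it cannot be presented as a faithful image.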

4 Analyze the Collected Data

In this topic, you will learn the steps to analyze the collected data. Police interrogating witnesses is a common sight during an investigation. At such times, every question the police ask, and every response the witnesses give, should be documented. With respect to the system or the network, we need to record the statements of witnesses who were involved in, or in any way interacted with, the system or network that has been compromised. Recording witness statements helps you compare their current statement with the one they might give in court during the trial. It is also important that witnesses are questioned as soon as possible, because the longer it takes to question a witness, the higher the probability that the witness will forget. It’s said there is more than one way to skin a cat. Similarly, you can use witnesses not only to get the necessary information, but also to verify the information obtained through the investigation process, and to confirm or rule out unwanted aspects of the investigation.

All man-hours and expenses, including the amount paid to the Incident Response Team for their labor and investigation, and the costs of third-party investigation, should be documented. Any other part of the investigation that costs money, and any damage done to the systems, should also be thoroughly documented. When such incidents reach the court of law, a monetary value is decided for the damages. Moreover, we should count and document the man-hours involved in the investigation. All this information becomes part of the Track Man-Hours and Expense documentation, which helps you identify the expenses incurred for the incident, balance the budget, and modify response policies. Finally, once the case is dismissed or closed, all details should be given to the authorized parties, which are limited to senior management, the legal team, and some members of the security staff.
The chain of custody is the record that stores all investigation records, from the first evidence found, to who touched the evidence, to whom it was handed over, who investigated it, and what changes were made to the evidence as it moved through the proper channels. This ensures the data or documented evidence is never tampered with or counterfeited before the details are presented in court. Additionally, the chain of custody documentation should clearly state the authoritative controller. The information in this record includes who collected the data, who transferred it, who reviewed and sealed it, and where it was transferred. All this information should be tracked from the initial response through to the authorities to whom the evidence is finally handed over.

Currently, traditional methods of analyzing and processing increasingly complex data are proving inadequate. This is because big data continuously presents challenges such as storage, data mining, data transfer and distribution, and reporting. Furthermore, big data is unlikely to expose the problems and peculiarities that tedious sets of data fail to address. It needs high-end technologies on a large scale to process and distribute the information in big data. Considering the security aspect, organizations are demanding more detailed data on events and access. This is used to detect violations, assess compliance issues, and improve efficiency and productivity.
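An added Python example (not from the course) of a chain of custody record that captures who handled the evidence, when and where, and re-hashes the evidence at each step so that a later alteration is pinned to the entry where it first appears; the evidence bytes, names and timestamps are constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """Append-only record of every handling of one evidence item."""

    def __init__(self, item_id: str, evidence: bytes, collected_by: str, location: str, when: str):
        self.item_id = item_id
        self.reference_hash = sha256_hex(evidence)  # documented once, at collection
        self.entries = []
        self.record("collected", collected_by, None, location, evidence, when)

    def record(self, action, actor, recipient, location, evidence: bytes, when: str) -> bool:
        """Log one handling step and re-hash the evidence as presented at that step."""
        current = sha256_hex(evidence)
        entry = {"action": action, "by": actor, "to": recipient, "where": location,
                 "when": when, "hash": current, "intact": current == self.reference_hash}
        self.entries.append(entry)
        return entry["intact"]

    def first_break(self):
        """Index of the first entry whose hash stopped matching, or None if all intact."""
        for i, entry in enumerate(self.entries):
            if not entry["intact"]:
                return i
        return None

def demo_chain() -> ChainOfCustody:
    """Constructed sequence: collect, transfer, review, seal, then an altered copy shows up."""
    image = b"constructed disk image bytes \x00\x01\x02"
    coc = ChainOfCustody("HDD-01", image, "A. Responder", "server room", "2024-03-01T12:10Z")
    coc.record("transferred", "A. Responder", "B. Analyst", "evidence locker", image, "2024-03-01T13:00Z")
    coc.record("reviewed", "B. Analyst", None, "forensics lab", image, "2024-03-02T09:30Z")
    coc.record("sealed", "B. Analyst", None, "evidence locker", image, "2024-03-02T17:00Z")
    tampered = image + b"x"   # the copy was modified before being presented
    coc.record("presented", "C. Counsel", None, "court", tampered, "2024-04-15T10:00Z")
    return coc

if __name__ == "__main__":
    chain = demo_chain()
    for entry in chain.entries:
        print(entry["when"], entry["action"], entry["by"], entry["where"], "intact" if entry["intact"] else "MISMATCH")
    print("first break at entry:", chain.first_break())
```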

6 Summary

Let’s summarize the topics covered in this lesson.

• Forensics is the collection, protection, and analysis of evidence from a crime to present the facts of the incident in court.
• Order of Volatility is the initial technique of collecting forensic data.
• Documenting network traffic and logs helps you identify the origin of a compromise or incident.
• Videos can be presented as concrete evidence in court, and used to track sensitive information, such as the entering of credit card numbers during the violation.
• Recording Time Offset is the process of identifying the time difference between the device clock and the standard time.
• The Track Man-Hours and Expense documentation helps you identify the expenses incurred for the incident.

With this, we conclude the lesson, ‘How to Implement Basics of Forensic Procedure.’ The next lesson is, ‘Summarizing Common Incident Response Procedures.’
