PACE-IT, Security+ 2.4: Basic Forensic Procedures

Basic forensic procedures.

Transcript of PACE-IT, Security+ 2.4: Basic Forensic Procedures

Page 1: PACE-IT, Security+ 2.4: Basic Forensic Procedures

Basic forensic procedures.

Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Qualifications Summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Page 3

Basic forensic procedures.

– Recognize the need for forensic procedures.

– Basic forensic concepts and procedures.


Page 4

Recognize the need for forensic procedures.

Page 5

Recognize the need for forensic procedures.

The first step in basic forensics is the recognition that forensic measures need to take place (i.e., that a security incident has occurred).

Most technicians, hopefully, will not need to deal with a murder mystery in the workplace. However, it is almost a certainty that they will have to deal with some type of security or legal issue when supporting an organization’s network. This will often require using a first response that includes forensic procedures.

The response to security and legal issues needs to be done in a manner such that evidence is recorded and preserved. The first step is recognizing that something has occurred which needs to be documented and that evidence needs to be collected and preserved.


Page 6

Basic forensic concepts and procedures.

Page 7

Basic forensic concepts and procedures.

– First responder responsibilities.
  » Secure the area and limit who has access to the area as much as possible; do not power down computer systems at this time.
    • This is to protect possible evidence from being contaminated.
    • Document anyone who has accessed the area after it has been secured.
    • If necessary, to stop an ongoing computer attack, it is permissible to unplug the network cable.
  » Document the scene thoroughly, including what is on any computer monitors.
    • Video capture can be used to document the scene.
    • Polaroid type pictures, not digital pictures, work well as evidence.
    • It may also be necessary to diagram the area.
    • Interview any witnesses as soon as possible.
  » Start the electronic evidence collection process by order of volatility.


Page 8

Basic forensic concepts and procedures.

– Order of evidence volatility.
  » Electronic evidence is volatile and easily corruptible just because of what it is, so the order of collection is important.
    • Contents of memory – the most volatile of all types of data.
    • Swap files – not as volatile as RAM, but still very temporary.
    • Network processes – all network processes that are active on the affected system or systems.
    • System processes – all system processes that are active on the affected system or systems.
    • File system information – including the attributes of all files.
    • Raw disk blocks – all of the contents on all of the disk drives of all affected systems.
  » After isolating the affected system or systems from the network, create a bit level image of the system or systems.
    • To create proper time stamps, have the recording system match the time offset of the target system.
    • Create two copies of the bit level image and create a message digest (e.g., an MD5 or SHA hash) of the images to be able to later prove they have not been tampered with.
    • One image should be securely stored to be used as evidence.
    • The other image can be examined.

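The imaging step on this slide (two copies of the bit-level image, a message digest of each, and timestamps aligned to the target system's clock) is shown below as an added Python example; it is not code from the PACE-IT deck. The bit-level image itself would come from an imaging tool behind a write-blocker; the example only does the bookkeeping around it, using a constructed byte string as a stand-in image, constructed file names, a constructed two-minute clock offset, and SHA-256 as the digest (the slide allows MD5 or any SHA).

```python
"""Added example (not part of the PACE-IT deck): duplicate a disk image, record
message digests for both copies, and later prove a copy is unchanged.
The sample image bytes, file names and clock offset are all constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a bit-level image: a few "sectors" of recognisable bytes.
SAMPLE_IMAGE = (b"\x55\xaa" * 256) + b"EVIDENCE-SECTOR" * 64 + bytes(range(256))


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so an image larger than RAM can still be digested."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_timestamp(recorder_now, target_offset):
    """Express the recording system's clock in the target system's time.

    target_offset is (target clock - recording clock), measured when imaging
    starts, so the imaging record lines up with timestamps inside the evidence."""
    return (recorder_now + target_offset).isoformat()


def image_and_duplicate(source_path, dest_dir, target_offset=timedelta(0)):
    """Write two copies of the source: one sealed as evidence, one to examine.

    The source digest is computed first and every copy is checked against it,
    so a copy that does not match the original is rejected on the spot."""
    source_digest = sha256_file(source_path)
    copies = {}
    for role in ("evidence", "working"):
        dest = os.path.join(dest_dir, f"{role}_copy.img")  # constructed names
        with open(source_path, "rb") as src, open(dest, "wb") as dst:
            for chunk in iter(lambda: src.read(1 << 20), b""):
                dst.write(chunk)
        digest = sha256_file(dest)
        if digest != source_digest:
            raise RuntimeError(f"{role} copy does not match the source image")
        copies[role] = {"path": dest, "sha256": digest}
    return {
        "source_sha256": source_digest,
        "imaged_at_target_time": record_timestamp(datetime.now(timezone.utc), target_offset),
        "copies": copies,
    }


def verify_copy(path, expected_sha256):
    """Re-hash a copy and compare it with the digest recorded at imaging time."""
    return sha256_file(path) == expected_sha256


def demo():
    """Image a constructed sample, then show that altering the working copy is detected."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "target_disk.img")
        with open(source, "wb") as f:
            f.write(SAMPLE_IMAGE)
        # Constructed offset: the target's clock runs two minutes ahead of the recorder.
        record = image_and_duplicate(source, work, target_offset=timedelta(minutes=2))
        evidence_ok = verify_copy(record["copies"]["evidence"]["path"], record["source_sha256"])
        # Simulate an examiner accidentally writing to the working copy.
        with open(record["copies"]["working"]["path"], "r+b") as f:
            f.seek(0)
            f.write(b"\x00\x00")
        working_ok = verify_copy(record["copies"]["working"]["path"], record["source_sha256"])
        return evidence_ok, working_ok


if __name__ == "__main__":
    print(demo())  # (True, False): sealed copy intact, altered working copy detected
```

The returned record (source digest, both copy digests, and the imaging time expressed in the target's clock) is what gets written into the evidence documentation; re-running `verify_copy` against the sealed copy at any later date reproduces the digest and so supports the claim that it has not been touched.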

Page 9

Basic forensic concepts and procedures.

– Live system image.
  » Capturing the system image before the system is powered down.
    • Can be used to capture highly volatile evidence.
  » Warning: a live system image may change the target system’s data structure (a change in the evidence).
– Static system image.
  » Capturing a bit level system image after the system is powered down.
    • The hard drive(s) are removed from the system and connected to a forensic workstation, with a write-blocker placed between them.
    • The write-blocker prevents any changes from occurring on the target hard drive.


Page 10

Basic forensic concepts and procedures.

– Chain of custody.
  » A document that identifies who collected the evidence, when it was collected, and who has had access to it.
    • A proper chain of custody document can prove that evidence has been accurately preserved and can also be considered part of the evidence.
    • A chain of custody document will help to ensure that all evidence is admissible in court.
    • A broken chain of custody will negate the collected evidence.
– Creating a tracking log.
  » Document all steps taken from the beginning of the initial incident response.
    • Shows all of the steps taken during the forensic process.
  » Can be used to help track internal resources expended on the incident.
    • Both for man hours and other expenditures.
  » Can be used to justify expenses for management or clients.

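As an added example of the chain-of-custody document described on this slide (not code from the PACE-IT deck), the Python below keeps one entry per hand-off or examination, re-hashes the evidence at each entry, and reports where the chain can no longer be shown to be continuous: a handler change without a matching release/receive pair, a timestamp that runs backwards, or a digest that differs from the one taken at collection. Handler names, the "released"/"received" action vocabulary, the timestamps and the evidence bytes are all constructed for the example.

```python
"""Added example, not from the PACE-IT deck: a minimal chain-of-custody record
that hashes the evidence at every entry and reports where the chain breaks.
Handler names, actions, timestamps and the evidence bytes are constructed."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed action names for a hand-off: the holder releases, the next holder receives.
HANDOFF_OUT, HANDOFF_IN = "released", "received"


class ChainOfCustody:
    """Who collected the evidence, when, and everyone who has held it since."""

    def __init__(self, evidence_id, description):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def record(self, handler, action, evidence_bytes, at):
        """Append one entry; the digest is recomputed so later entries can be compared."""
        entry = {
            "seq": len(self.entries) + 1,
            "time": at,
            "handler": handler,
            "action": action,
            "sha256": hashlib.sha256(evidence_bytes).hexdigest(),
        }
        self.entries.append(entry)
        return entry

    def breaks(self):
        """Return (seq, reason) pairs; an empty list means custody is continuous."""
        problems = []
        if not self.entries:
            return [(0, "no entries")]
        if self.entries[0]["action"] != "collected":
            problems.append((1, "first entry is not the collection"))
        baseline = self.entries[0]["sha256"]
        prev = None
        for e in self.entries:
            if e["sha256"] != baseline:
                problems.append((e["seq"], "digest differs from the digest at collection"))
            if prev is not None:
                if e["time"] < prev["time"]:
                    problems.append((e["seq"], "timestamp earlier than previous entry"))
                handed_off = prev["action"] == HANDOFF_OUT and e["action"] == HANDOFF_IN
                if e["handler"] != prev["handler"] and not handed_off:
                    problems.append((e["seq"], f"handler changed without a {HANDOFF_OUT}/{HANDOFF_IN} pair"))
            prev = e
        return problems

    def render(self):
        """Plain-text form of the document, suitable for printing and signing."""
        lines = [f"Evidence {self.evidence_id}: {self.description}"]
        for e in self.entries:
            lines.append(f"{e['seq']:>3}  {e['time'].isoformat()}  {e['handler']:<12} "
                         f"{e['action']:<10} {e['sha256'][:16]}...")
        return "\n".join(lines)


def demo():
    """Build an intact chain and two broken ones; return their break lists."""
    image = b"\x55\xaa" * 512  # constructed stand-in for the sealed evidence image
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time
    step = timedelta(hours=1)

    intact = ChainOfCustody("HDD-001", "constructed sample image")
    intact.record("Examiner A", "collected", image, t0)
    intact.record("Examiner A", HANDOFF_OUT, image, t0 + step)
    intact.record("Examiner B", HANDOFF_IN, image, t0 + 2 * step)
    intact.record("Examiner B", "examined", image, t0 + 3 * step)

    skipped = ChainOfCustody("HDD-002", "constructed sample image")
    skipped.record("Examiner A", "collected", image, t0)
    skipped.record("Examiner B", "examined", image, t0 + step)  # no release/receive pair

    altered = ChainOfCustody("HDD-003", "constructed sample image")
    altered.record("Examiner A", "collected", image, t0)
    altered.record("Examiner A", "examined", b"\x00\x00" + image[2:], t0 + step)

    return intact.breaks(), skipped.breaks(), altered.breaks()


if __name__ == "__main__":
    for chain_breaks in demo():
        print(chain_breaks or "custody continuous")
```

The `breaks` check is what an opposing party would look for: any gap in who held the evidence, any time inconsistency, or any digest that no longer matches the one recorded at collection is exactly the "broken chain of custody" the slide says negates the evidence, so the record should be reviewed with it before the evidence is relied on.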

Page 11

Basic forensic concepts and procedures.

– Network traffic and log files.
  » Creates a history of events, which is a good source for determining what has occurred on a computer.
    • Network traffic logs and browser history files can show where the system went on the Internet and what actions were taken.
    • Log files (system, application, security, etc.) can help to determine what has occurred with a system.
– Big data analysis.
  » Recognize that, in some situations, big data analysis tools may be required.
    • Big data in this situation refers to any set of data that is too large to analyze with typical data management tools.
  » For example, analyzing data from a security incident at a financial institution can involve multiple exabytes of data.


Page 12

What was covered.

Topic: Recognize the need for forensic procedures.
Summary: The first step in basic forensic procedures is to recognize the need to employ the forensic process. The response to a security incident, in many cases, will involve using forensic procedures.

Topic: Basic forensic concepts and procedures.
Summary: First responder responsibilities include: securing the area and affected systems, documenting the scene, and starting the evidence collecting process. The order of electronic evidence volatility is: contents of memory, swap files, network and system processes, file system information, and raw disk blocks. A live system image will collect the most volatile of electronic evidence, but may lead to changes in the system. A static system image will not collect the volatile evidence, but will not affect the integrity of the evidence on the underlying system. A chain of custody document must be created for each piece of evidence. A broken chain of custody negates any evidence that has been collected. Tracking logs should be created to show the step-by-step processes that were used in the forensic process. Network traffic and log files can be used to show the history of the system under investigation. In some cases, big data analysis tools may be required in order to effectively analyze the data that has been collected.

Page 13

THANK YOU!

Page 14

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.