Certified Cybersecurity Technician Computer Forensics PDF
EC-Council

Summary
This document details procedures for collecting and preserving evidence in computer forensics. It covers various aspects including digital evidence sources, evidence collection, and handling different types of devices. The guide emphasizes the importance of proper authority, training, and experience to properly collect evidence.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Module Flow

- Understand the Fundamentals of Computer Forensics
- Understand Digital Evidence
- Identify the Roles and Responsibilities of a Forensic Investigator
- Understand the Forensic Investigation Process and its Importance
- Discuss Various Forensic Investigation Phases
- Digital Evidence Sources to Support Forensic Investigation
- Collecting the Evidence
- Securing the Evidence
- Overview of Data Acquisition
- Performing Evidence Analysis

Collecting the Evidence

Evidence is the crucial data that helps incident responders understand the nature of the attack and trace the attacker. Therefore, the forensic investigator should know where evidence can be found and how to gather it. This section discusses collecting and preserving evidence, collecting physical evidence, dealing with powered-on computers, dealing with powered-off computers, dealing with networked computers, dealing with open files and startup files, and the operating system shutdown procedure.

Module 20 Page 2245 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Collecting and Preserving Evidence

Any individual acting as a forensic investigator must secure and document the crime scene, and must have the proper authority, training, and experience to start collecting evidence.

Prior to initiating the collection of evidence, investigators should keep the following points in mind and gather the following details about the evidence:

- When an incident is reported and a computer is assumed to be part of the incident, it is often the case that this is the first and only item seized
- The crime scene should be investigated in a way that covers the entire area, keeping in mind the concept of the computer being at the middle of the circle
- Pieces of evidence found at the crime scene should first be photographed, identified within documents, and then properly gathered
- All collected evidence should be marked clearly so that it can be easily identified later
- Markings on the evidence should, at the very least, include the date and time of collection and the initials of the collecting person
- Evidence should be identified, recorded, seized, bagged, and tagged on-site, with no attempts to determine contents or status
- Applicable jurisdiction and relevant legislation
- Create a chain of custody document
- Details of the equipment containing evidence:
  - Structure type and size
  - Location (all in one place, or spread across the building or floors)
  - Type of device
  - Model
  - Powered status
  - Network status and type of network
  - Backups (if any), intervals of backup, last time and date, and the location
  - Whether it is necessary to take the server down, and the business impact
- Approval of authorities and local management

The points to remember while preserving the electronic evidence are:

- Document the actions and changes that you observe on the monitor, system, printer, or other electronic devices
- Verify whether the monitor is ON, OFF, or in sleep mode
- Remove the power cable, depending on the power state of the computer, that is, ON, OFF, or in sleep mode
- Do not turn ON the computer if it is in the OFF state
- Take a photo of the monitor screen if the computer is in the ON state
- Check the connections of the telephone modem, cable, ISDN, and DSL
- Remove the power plug from the router or modem
- Remove any portable disks that are available at the scene to safeguard potential evidence
- Keep tape on the drive slots and the power connector
- Photograph the connections between the computer system and the related cables, and label them individually
- Label every connector and cable connected to the peripheral devices
- For handheld devices such as cell phones, tablets, and digital cameras:
  - Do not turn the device ON if it is OFF
  - Photograph the screen display of the device
  - Label and collect all cables and transport them along with the device
  - Make sure that the device is charged
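As an added example (not part of EC-Council's material), the following Python keeps the chain of custody document described above as a hash-chained log: each entry records the tag markings the module requires (control number, date and time, handler's initials) and the equipment details gathered before collection, and stores the SHA-256 of the previous entry so that any later alteration of an earlier entry is detectable. The field names, the sample entries and the model value are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed seed: the "previous hash" of the first entry

def _digest(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so an entry always hashes
    # the same way, whatever order its fields were written in.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def add_custody_entry(log, control_number, timestamp, initials, action, details=None):
    """Append one custody event. The entry stores the SHA-256 of its predecessor,
    so editing any earlier entry afterwards breaks verification of the chain."""
    body = {
        "control_number": control_number,  # control number written on the evidence tag
        "timestamp": timestamp,            # date and time of the action
        "initials": initials,              # initials of the person handling the item
        "action": action,                  # seized, bagged_and_tagged, received_at_lab, ...
        "details": details or {},          # equipment details gathered before collection
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"body": body, "prev_hash": prev_hash, "hash": _digest(prev_hash, body)}
    log.append(entry)
    return entry

def verify_custody_log(log):
    """Return (True, None) if every entry chains to its predecessor, otherwise
    (False, index) naming the first entry whose link or hash no longer matches."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["body"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None

def example_log():
    """Constructed sample: a powered-on desktop seized on site, then handed to the lab."""
    log = []
    add_custody_entry(log, "CTRL-0001", "2024-03-02T09:14:00Z", "JD", "seized", {
        "device_type": "desktop", "model": "EXAMPLE-MODEL",  # placeholder model string
        "powered_status": "ON", "network": "wired LAN",
        "location": "server room, floor 2",
        "backups": "nightly; last backup 2024-03-01 23:00",
    })
    add_custody_entry(log, "CTRL-0001", "2024-03-02T09:30:00Z", "JD", "bagged_and_tagged")
    add_custody_entry(log, "CTRL-0001", "2024-03-02T13:05:00Z", "AB", "received_at_lab")
    return log
```

The hash chain only reveals that the log was altered after the fact; it does not replace each handler's signature on the paper record or the physical tag on the item.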
Collecting Physical Evidence

The victim computer and its elements are vital evidence sources in a computer forensic investigation. Collect all the electronic devices or any other media found at the crime scene. Seize storage devices such as hard drives, memory cards, and removable media, as they can contain stored information. Handheld devices such as smartphones, mobile phones, PDAs, digital multimedia devices, and GPS receivers can hold valuable evidence such as Internet browsing history, emails, chat logs and friend lists, pictures and image files, and financial records. The peripheral devices themselves are potential evidence. Information stored in a device, such as scanned or printed documents, incoming and outgoing phone and fax numbers, and information about device usage, can all contain valuable evidence. To preserve the integrity of the physical evidence, handle all the pieces of evidence collected carefully. Tag all the objects identified as evidence, and record all the required details on the tag, such as the date, time, incident responder's name, and control number.

The physical evidence should include:

- Removable media
- Cables
- Publications
- All computer equipment, including peripherals
- Items taken from the trash
- Miscellaneous items

Dealing with Powered On Computers

Electronic evidence is fragile by nature and easily damaged during collection, preservation, and analysis. Therefore, investigators must act with caution while dealing with powered-on computers to prevent any damage to the evidence residing on them. In a powered-on computer system, both portable and desktop, the RAM contains crucial information that is volatile in nature. Removing or shutting down the power supply will lead to the loss of this vital information.

Investigators must collect the volatile data from the powered-on device only if they have the skills, ability, and proper authorization; otherwise, they must wait for the arrival of the incident response team. Investigators must perform the following steps while collecting electronic evidence from powered-on computers:

- If a computer is switched ON and the screen is viewable, photograph the screen and document the running programs
- If a portable computer wakes up, record the time and date at which this occurs, photograph the screen, and document a brief explanation of all the running programs
- If a computer is ON and the monitor shows a screensaver, move the mouse slowly without pressing any mouse button and then photograph and document the programs
- After collecting all the volatile data, turn off the devices
- For portable computers, press down the power switch for 30 seconds to force the power off
- For portable computers, remove the battery and unplug the power cord from the wall socket
- If the computer is switched OFF, leave it in that state