Certified Cybersecurity Technician Computer Forensics Exam 212-82 PDF
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Certified Cybersecurity Technician Computer Forensics Exam 212-82 PDF
- Data Acquisition Methodology PDF
- Certified Cybersecurity Technician Exam 212-82 Data Sanitization PDF
- Chapter 20 - Data Acquisition PDF
- Certified Cybersecurity Technician Computer Forensics PDF Exam 212-82
- Guide to Computer Forensics and Investigations 6th Edition PDF
Summary
This document is an overview of data acquisition in computer forensics, discussing live and dead acquisition for analyzing digital evidence. The document explains the process and steps investigators need to follow while acquiring data of evidentiary value.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow ’...
Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow ’ ' Digital Evidence Sources Understand the Fundamentals to Support Forensic of Computer Forensics Investigation ——— ,.A-\ Understand Digital Evidence fl /_/_\\. 07 Collecting the Evidence Identify the Roles and /_\ /\. ‘ Responsibilities of a Forensic © O O Securing the Evidence Investigator N & Understand the Forensic / @9 @4> Investigation Process and @ \ / ‘ (A):ervll m:‘ ::"“I - ie‘\::,:fnata its Importance 2 O Discuss Various Forensic Performing Evidence Investigation Phases Analysis ¢L] Copyright ©© by Copyright EC-Councll. EC-Cou All Rights I. All Rights Reserved. Reproduction is Strictly Reproduction Prohibited. Strictly Prohibited. Overview of Data Acquisition To perform a forensic examination on a potential source of evidence, the first step is to create a replica of the data residing on the media found in the crime scene such as a hard disk or any other digital storage device. Forensic investigators can either perform the data acquisition process on-site, or first transport the device to a safe location. This section discusses fundamental concepts in data acquisition, elaborates on live and dead acquisition, explains the types of data acquisition, and elaborates on the various steps that investigators should follow while acquiring data of evidentiary value. Module 20 Page 2266 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Data Acquisition. - O QO Data acquisition is the use of established methods to extract Electronically Stored Information (ESI) from suspect computer or storage media to gain insight into a crime or an incident O Investigators must be able to verify the accuracy of acquired data, and the complete process should be auditable and acceptable in the court Live Acquisition @ Dead Acquisition (Static Acquisition) Data Acquisition Categories It involves collecting data from It involves collecting data from a system that a system that is powered ON is powered OFF Data Acquisition Forensic data acquisition is a process of imaging or collecting information using established methods from various media according to certain standards for their forensic value. It is the use of established methods to extract Electronically Stored Information (ESI) from suspect computer or storage media to gain insight into a crime or an incident. With the progress of technology, the process of data acquisition is becoming increasingly accurate, simple, and versatile. However, investigators need to ensure that the acquisition methodology used is forensically sound. Specifically, the acquisition methodology adopted must be verifiable and repeatable. This enhances the admissibility of the acquired data or evidence in the court of law. A fundamental factor to consider in the acquisition of forensic data is time. While data in some sources such hard drives remain unaltered and can be collected even after the system is shut down, data in some sources such as the RAM are highly volatile and dynamic and must therefore be collected in real-time. From this perspective, data acquisition can be either categorized as live data acquisition or dead data acquisition. In live data acquisition, data is acquired from a computer that is already powered on (either locked or in sleep mode). This enables the collection of volatile data that are fragile and lost when the system loses power or is switched off. Such data reside in registries, caches, and RAM. Further, volatile data such as that in RAM are dynamic and change rapidly, and therefore must be collected in real-time. In dead or static data acquisition, nonvolatile data that remains unaltered in the system even after shutdown is collected. Investigators can recover such data from hard drives as well as from slack space, swap files, and unallocated drive space. Other sources of non-volatile data include DVD-ROMs, USB thumb drives, smartphones, and PDAs. Module 20 Page 2267 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics We next delve into further details of these two categories of data acquisition along with the sources of data that they capture. Module 20 Page 2268 Certified Cybersecurity Technician Certified Cybersecurity Technician Copyright Copyright ©© by EG-Gouncil EG-Geunell All Rights Reserved. Reproduction isis Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Live Acquisition Live data acquisition involves collecting volatile data from a live system Volatile information assists in determining the of the security incident, and the possible users responsible Live acquisition can then be , where an investigator shuts down the suspect machine, removes the hard disk and then acquires its forensic image Types of data captured during live acquisition = Current configuration ®** Running processes * Routing tables ® Running state *= Logged on users ®== ARP cache = Date and time * DLLs or shared libraries = Network configuration = Current system uptime = Swap files and temp files =* Network connections Live Acquisition The live data acquisition process involves the collection of volatile data from devices when they are live or powered on. Volatile information, as present in the contents of RAM, cache, DLLs, etc. is dynamic, and is likely to be lost if the device to be investigated is turned off. It must therefore be acquired in real time. Examination of volatile information assists in determining the logical timeline of a security incident and the users that are likely to be responsible for it. Live acquisition can then be followed by static/dead acquisition, where the investigator shuts down the suspect machine, removes the hard disk, and then acquires its forensic image. Live data acquisition can help investigators obtain information even if the data of evidentiary value is stored on the cloud using a service such as Dropbox or Google Drive. Investigators can also acquire data from unencrypted containers or disks that are open on the system and are automatically encrypted when the system shuts down. If the suspect has attempted to overwrite data on the physical hard disk to avoid detection, there is a possibility that investigators can find traces of such overwritten data by examining the RAM content. Depending on the source from which they are obtained, volatile data are of two types: = System data System information is the information related to a system, which can serve as evidence in a security incident. This information includes the current configuration and running state of the suspect computer. Volatile system information includes system profile (details about configuration), login activity, current system date and time, command history, current system uptime, running processes, open files, startup files, clipboard Module 20 Page 2269 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics data, users logged in, DLLs, and shared libraries. The system information also includes critical data stored in the slack spaces of the hard disk drive. Network data Network information is the network-related information stored in the suspect system and connected network devices. Volatile network information includes open connections and ports, routing information and configuration, ARP cache, shared files, and services accessed. Apart from the above data, live acquisition can help investigators obtain the following. Data from unencrypted containers or disks that are open on the system, which are automatically encrypted when the system shuts down Private browsing history and data from remote storage services such as Dropbox (cloud service) by examining the random-access memory (RAM) Module 20 Page 2270 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.