Certified Cybersecurity Technician Computer Forensics Exam 212-82 PDF
Summary
This document is an overview of data acquisition concepts, including order of volatility and dead acquisition. Types of data acquisition (logical, sparse, and bit-stream) are also detailed. This information is related to computer forensics.
Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Order of Volatility

When collecting evidence, an investigator needs to evaluate the order of volatility of data depending on the suspect machine and the situation. According to RFC 3227, below is an example of the order of volatility for a typical system:

- Registers and cache
- Routing table, process table, kernel statistics, and memory
- Temporary system files
- Disk or other storage media
- Remote logging and monitoring data that is relevant to the system in question
- Physical configuration and network topology
- Archival media

https://tools.ietf.org

While performing live data acquisition, investigators need to collect data while considering their potential volatility and the impact of the collection on the suspect system. As not all data have the same level of volatility, investigators must collect the most volatile data first, and then proceed to the collection of the least volatile data. The order of volatility for a typical computing system as per the RFC 3227 Guidelines for Evidence Collection and Archiving is as follows:

1. Registers, processor cache: The information in the registers or the processor cache on the computer exists for nanoseconds. It is constantly changing and can be classified as the most volatile data.
2. Routing table, process table, kernel statistics, and memory: The routing table, ARP cache, and kernel statistics reside in the ordinary memory of the computer. These are slightly less volatile than the information in the registers, with a life span of about ten nanoseconds.
3. Temporary system files: Temporary system files tend to persist for a longer time on the computer compared to routing tables and ARP caches. These files are eventually overwritten or changed, sometimes seconds or minutes later.
4. Disk or other storage media: Anything stored on a disk stays for a while.
However, sometimes due to unforeseen events, these data can be erased or overwritten. Therefore, disk data may also be considered somewhat volatile, with a lifespan of some minutes.
5. Remote logging and monitoring data related to the target system: Data that pass through a firewall cause a router or switch to generate logs. The system might store these logs elsewhere. These logs may overwrite themselves within an hour, a day, or a week. However, these are generally less volatile data.
6. Physical configuration and network topology: Physical configuration and network topology are less volatile and have a longer life span than some other logs.
7. Archival media: A DVD-ROM or a tape contains the least volatile data because the digital information in such data sources does not change automatically unless damaged by physical force.

Module 20 Page 2271 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Dead Acquisition

- Dead acquisition is defined as the acquisition of data from a suspect machine that is powered off
- Dead acquisition usually involves acquiring data from storage devices such as hard drives, DVD-ROMs, USB drives, flash cards, and smart phones
- Examples of static data: emails, word documents, web activity, spreadsheets, slack space, unallocated drive space, and various deleted files

Static data refers to nonvolatile data, which does not change its state even after the system is shut down.
Dead acquisition refers to the process of extracting and gathering these data in an unaltered manner from storage media. Sources of nonvolatile data include hard drives, DVD-ROMs, USB drives, flash cards, smartphones, and external hard drives. This type of data exists in the form of emails, word processing documents, web activity, spreadsheets, slack space, swap files, unallocated drive space, and various deleted files. Investigators can repeat the dead acquisition process on well-preserved disk evidence. Static data recovered from a hard drive include the following:

- Temporary (temp) files
- System registries
- Event/system logs
- Boot sectors
- Web browser cache
- Cookies and hidden files

Types of Data Acquisition

Logical Acquisition
- Logical acquisition allows an investigator to capture only selected files or file types of interest to the case
- Examples of logical acquisition include:
  - Email investigation that requires collection of Outlook .pst or .ost files
  - Collecting specific records from a large RAID server

Sparse Acquisition
- Sparse acquisition is similar to logical acquisition, but in addition collects fragments of unallocated data, allowing investigators to acquire deleted files
- Use this method when inspection of the entire drive is not required
Types of Data Acquisition (Cont'd)

Bit-Stream Imaging: Bit-stream imaging creates a bit-by-bit copy of a suspect drive, which is a cloned copy of the entire drive including all its sectors and clusters, allowing forensic investigators to retrieve deleted files or folders.

Bit-stream disk-to-image file
- It is the most common method used by forensic investigators
- The created image file is a bit-by-bit replica of the suspect drive
- Tools used: R-Drive Image, ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc.

Bit-stream disk-to-disk
- Disk-to-image copying is not possible in situations where:
  - The suspect drive is very old and incompatible with the imaging software
  - The investigator needs to recover credentials used for websites and user accounts
- To overcome this situation, investigators can create a disk-to-disk bit-stream copy of the target media
- While creating a disk-to-disk copy, investigators can adjust the target disk's geometry (its head, cylinder, and track configuration) to align with the suspect drive. This results in a smooth data acquisition process.
- Tools used: EnCase, Tableau Forensic Imager, etc.

While acquiring a bit-by-bit copy of the evidence in a system might seem ideal, this may require a significant amount of time for large disks. In situations with time and resource constraints, two other primary types of data acquisition, namely logical acquisition and sparse acquisition, may be more suitable.

Logical Acquisition

In a situation with time constraints and where the investigator is aware of what files need to be acquired, logical acquisition may be considered ideal.
Logical acquisition gathers only the files required for the case investigation. For example:

- Collection of Outlook .pst or .ost files in email investigations
- Specific record collection from a large RAID server

Sparse Acquisition

Sparse acquisition is similar to logical acquisition. Through this method, investigators can collect fragments of unallocated (deleted) data. This method is useful when it is not necessary to inspect the entire drive.

Bit-Stream Imaging

A bit-stream image is a bit-by-bit copy of any storage media that contains a cloned copy of the entire media, including all its sectors and clusters. This cloned copy of the storage media contains all the latent data that enables investigators to retrieve deleted files and folders. Investigators often use bit-stream images of the suspect media to prevent contamination of the original media. Moreover, most computer forensic tools, such as FTK Imager and EnCase, can read bit-stream images, which further facilitates the investigation process. There are two kinds of bit-stream imaging procedures: bit-stream disk-to-image-file and bit-stream disk-to-disk.

- Bit-stream disk-to-image-file

Forensic investigators commonly use this data acquisition method. It is a flexible method that enables the creation of one or more copies of the suspect drive. Tools such as R-Drive Image, ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc., can be used to create image files.
Figure 20.10: Screenshot of R-Drive Image (Create an Image dialog: image file F:\D-image.rdr of source volume D: New Volume, NTFS, backing up actual data only, followed by a backup of the disk partition structure)

- Bit-stream disk-to-disk

Investigators cannot create a bit-stream disk-to-image file in the following situations:

- The suspect drive is very old and incompatible with the imaging software
- There is a need to recover credentials used for websites and user accounts

In such cases, a bit-stream disk-to-disk copy of the original disk or drive can be performed. While creating a disk-to-disk copy, the geometry of the target disk, including its head, cylinder, and track configuration, can be modified to align with the suspect drive. This results in a smooth data acquisition process. Tools like EnCase, SafeBack, and Tableau Forensic Imager can help create a disk-to-disk bit-stream copy of the suspect drive.
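As an added illustration of the bit-stream disk-to-image-file procedure described above (this is not code from the EC-Council material or from any of the named imaging tools), the Python below copies a constructed sample drive sector by sector, zero-fills a sector that cannot be read so every later sector keeps its original offset, and verifies the finished image by rehashing it. FlakyDrive, bitstream_image, verify_image and demo are hypothetical names chosen for this example.

```python
import hashlib
import io
import tempfile

SECTOR = 512  # sector-sized reads keep an unreadable sector's damage to one block

class FlakyDrive(io.BytesIO):
    """Constructed stand-in for a suspect drive: reads at bad_offsets raise OSError."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("I/O error: unreadable sector")
        return super().read(n)

def bitstream_image(src, dst, size, block=SECTOR):
    """Disk-to-image-file copy of every sector, allocated or not. An unreadable
    sector is written as zeros so later sectors keep their offsets (what dd's
    conv=noerror,sync does). Returns the image SHA-256 and zero-filled offsets."""
    digest, bad, offset = hashlib.sha256(), [], 0
    while offset < size:
        n = min(block, size - offset)
        src.seek(offset)
        try:
            chunk = src.read(n)
        except OSError:
            chunk = b"\x00" * n  # keep the geometry; record the gap instead of stopping
            bad.append(offset)
        dst.write(chunk)
        digest.update(chunk)
        offset += n
    return digest.hexdigest(), bad

def verify_image(path, expected_hash):
    """Rehash the finished image; the acquisition is sound only if it matches."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == expected_hash

def demo():
    data = bytes(range(256)) * 16  # constructed 8-sector (4096-byte) drive content
    drive = FlakyDrive(data, bad_offsets=[2 * SECTOR])  # sector 2 will not read
    with tempfile.NamedTemporaryFile(suffix=".dd", delete=False) as img:
        image_hash, bad = bitstream_image(drive, img, len(data))
    return {"path": img.name, "hash": image_hash, "bad_sectors": bad,
            "verified": verify_image(img.name, image_hash)}
```

The list of zero-filled offsets is what an investigator would record alongside the image hash in the acquisition notes, since those sectors are the one place the image knowingly differs from the suspect media.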