Chapter 15 - Digital Forensics.pdf

Full Transcript

Chapter 15
Digital Forensics

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS
CHAPTER INCLUDE:
Domain 4.0: Security Operations
4.8. Explain appropriate incident response activities.
Digital forensics (Legal hold, Chain of custody, Acquisition, Reporting,
Preservation, E-discovery)

Digital forensics provides organizations with the investigation and analysis tools and
techniques to determine what happened on a system or device. Digital forensics may be
carried out to respond to legal holds and electronic discovery requirements in support of
internal investigations or as part of an incident response process. Digital forensics even
has a role to play in intelligence and counterintelligence efforts.
In this chapter, you will start by learning about digital forensics, what you need to do to
provide quality forensic data, and some of the challenges that the cloud can create with
these processes. First, you will learn about legal holds, the notifications sent by opposing
counsel to preserve and retain data, and chain-of-custody practices and how they play
into the electronic discovery process. After reviewing those common reasons for needing
forensic capabilities, you will explore forensic data acquisition, including the order of
volatility, which identifies the forensic artifacts at greatest risk of being lost and thus the
elements that need to be captured first. Next, you will read about how to ensure that the
data you capture is admissible in court and useful as evidence, what is required as part
of digital forensic preservation efforts, and what tools and agreements you must have in
place to handle the need for forensic data from cloud providers.
The next section of the chapter focuses on examples of acquisition of forensic images
and the use of forensic tools, including acquisition tools like dd, FTK Imager, and
WinHex. You will explore basic commands and practices and learn why validation is
important as well as how to perform image validation manually. Finally, you will review
what a forensic report needs to include and details about the role that forensics plays in
intelligence and counterintelligence activities.

Digital Forensic Concepts
Organizations use digital forensics techniques for tasks ranging from responding to legal
cases to conducting internal investigations and supporting incident response processes.
As a security professional, you need to know the basic concepts behind digital forensics;
what digital forensics is capable of; and what tools, processes, and procedures
organizations put in place to build a digital forensics capability.
A key element of digital forensics is the acquisition and analysis of digital forensic data.
That data can be in the form of drives, files, copies of live memory, and any of the other
multitude of digital artifacts that we create in the normal process of using computers
and networks. Since forensic information can be found in many different places,
planning forensic information gathering is crucial to having a complete and intact
picture of what occurred. Gathering that forensic data is just the start of a process that
involves careful documentation and detailed analysis.
Throughout the process, the creation of documentation—including what you have
observed, what conclusions can be made from data, and what evidence exists to support
those conclusions—is necessary in order to be successful. You will document timelines
and sequences of events, looking for clues as to what occurred and why, and use time
stamps, file metadata, event logs, and a multitude of clues to piece together a complete
picture.
The human side of digital forensics can also be important; interviews with individuals
involved in the activity can provide important clues. That means you can't merely be a
technical forensics expert in some cases—instead, you have to leverage your knowledge
of both technology and human behaviors to complete your forensic efforts.

Legal Holds and e-Discovery
In many cases, forensics starts when litigation is pending or is anticipated. Legal counsel
can send a legal hold or litigation hold, a notice that informs an organization that they
must preserve data and records that might be destroyed or modified in the course of
their normal operations. Backups, paper documents, and electronic files of all sorts
must be preserved.

A key concept for legal holds and preservation is “spoliation of
evidence,” which means intentionally, recklessly, or negligently altering, destroying,
fabricating, hiding, or withholding evidence relevant to legal matters. A legal hold
gives an organization notice that they must preserve that data. Ignoring the notice
or mishandling data after the notice has been received can be a negative blow
against an organization in court. Thus, having a strong legal hold process is
important for organizations before a hold shows up.

Legal holds are often one of the first parts of an electronic discovery or e-discovery
process. Discovery processes allow each side of a legal case to obtain evidence from each
other and other parties involved in the case, and e-discovery is simply an electronic
discovery process. In addition to legal cases, discovery processes are also often used for
public records, Freedom of Information Act requests, and investigations. It helps to view
e-discovery using a framework, and the Electronic Discovery Reference Model (EDRM)
is a useful model for this. The EDRM model uses nine stages to describe the discovery
process:
1. Information governance before the fact to assess what data exists and to allow
scoping and control of what data needs to be provided
2. Identification of electronically stored information so that you know what you have
and where it is
3. Preservation of the information to ensure that it isn't changed or destroyed
4. Collection of the information so that it can be processed and managed as part of the
collection process
5. Processing of the data to remove unneeded or irrelevant information, as well as
preparing it for review and analysis by formatting or collating it
6. Review of the data to ensure that it only contains what it is supposed to, and that
information that should not be shared is not included
7. Analysis of the information to identify key elements like topics, terms, and
individuals or organizations
8. Production of the data to provide the information to third parties or those involved
in legal proceedings
9. Presentation of the data, both for testimony in court and for further analysis with
experts or involved parties

You can find a lot more information about the EDRM model,
including a poster with process flows, self-assessment tools to determine your e-
discovery maturity, and other useful information at http://edrm.net.

One of the most important and simultaneously most challenging requirements in this
process can be preservation of electronic information, particularly when data covered by
a legal hold or discovery process is frequently used or modified by users in your
organization. Electronic discovery and legal hold support tools exist that can help with
abilities to capture data for users or groups under litigation hold. They often come with
desktop, mobile device, and server agents that can gather data, track changes, and
document appropriate data handling throughout the legal hold time frame. In
organizations that are frequently operating under legal holds, it is not uncommon for
frequent litigation targets like CEOs, presidents, and others to be in a near-constant
state of legal hold and discovery.
Cloud operations have made e-discovery even more complex. Cloud vendors provide
services to many customers and will not permit you to place an intrusive legal hold and
discovery agent in their cloud service. That means that as you adopt cloud services, you
must address how you would deal with legal holds for those services. Tools like Google's
Vault provide both email archiving and discovery support, helping organizations meet
their discovery requirements.
 Exam Note

The Security+ exam outline focuses on legal holds, chain of custody, and e-
discovery-related activities in very broad terms. You should be prepared to explain
each of these as well as how they are related to incident response.

Conducting Digital Forensics
Forensic data is acquired using forensic tools like disk and memory imagers, image
analysis and timelining tools, low-level editors that can display detailed information
about the contents and structure of data on a disk, and other specialized tools. The
Security+ Exam Outline includes acquisition, preservation, and reporting as well as legal
holds and chain of custody and e-discovery-related activities.

Acquiring Forensic Data
When a forensic practitioner plans to acquire data, one of the first things they will
review is the order of volatility. The order of volatility documents what data is most
likely to be lost due to system operations or normal processes. Figure 15.1 shows a
typical order of volatility chart. Note that frequently changing information like the state
of the CPU's registers and cache is first and thus most volatile, and that information
about routes, processes, and kernel statistics follows. As the list proceeds, each item is
less likely to disappear quickly, with backups being the least likely to change. Following
the order of volatility for acquisitions—unless there is a compelling and immediate
reason to differ from the list—will provide a forensic analyst with the greatest likelihood
of capturing data intact. It is important to remember which items will disappear when a
system is powered down or rebooted. In general, that occurs at position 4 for temporary
files and swap space on this list. Recovering intact temporary files and data from swap
space will depend on how the system was shut down and if it was rebooted successfully
afterward.
 FIGURE 15.1 The order of volatility
When you're considering digital forensics and how to preserve live data, it helps to keep
the order of volatility in mind. If you ignore it, you can lose data due to your forensic
work that cannot be recovered or replaced. Common forensic locations include the
following:
CPU cache and registers are rarely directly captured as part of a normal forensic
effort. Although it is possible to capture some of this information using specialized
hardware or software, most investigations do not need this level of detail. The CPU
cache and registers are constantly changing as processing occurs, making them very
volatile.
Ephemeral data such as the process table, kernel statistics, the system's ARP cache,
and similar information can be captured through a combination of memory and disk
acquisition, but it is important to remember that the capture will only be of the
moment in time when the acquisition is done. If events occurred in the past, this
data may not reflect the state that the system was in when the event occurred.
The content of random access memory (RAM) can be very helpful for both
investigations and incident response. Memory can contain encryption keys,
ephemeral data from applications, and information that may not be written to the
disk but that can be useful to an investigation.
Swap and pagefile information is disk space used to supplement physical memory.
Much like capturing information from RAM, capturing the swap and pagefile can
provide insight into running processes. Since it is actively used by the system,
particularly on machines with less memory, it also changes more quickly than many
files on disk.
 Files and data on a disk change more slowly but are the primary focus of many
investigations. It is important to capture the entire disk rather than just copy files so
that you can see deleted files and other artifacts that remain resident.
The operating system itself can contain useful information. The Windows Registry is
a common target for analysis since many activities in Windows modify or update the
Registry.
Devices such as smartphones, tablets, IoT devices, and embedded or specialized
systems may contain data that can also be forensic targets.

Preventing Malicious USB Cloning and Data Acquisition

The ability to obtain data from devices isn't restricted to legitimate uses. In fact,
some organizations that face targeted attacks focus on access to their devices
when those devices are plugged into untrusted or unknown USB chargers and
cables. In those circumstances, USB data blockers that prevent USB data signals
from being transferred while still allowing USB charging can be an effective
solution.

Firmware is a less frequently targeted forensic artifact, but knowing how to copy the
firmware from a device can be necessary if the firmware was modified as part of an
incident or if the firmware may have forensically relevant data. Firmware is often
accessible using a hardware interface like a serial cable or direct USB connection or
via memory forensic techniques.
Snapshots from virtual machines (VMs) are an increasingly common artifact that
forensic practitioners must deal with.
Network traffic and logs can provide detailed information or clues about what was
sent or received, when, and via what port and protocol, among other useful details.
Artifacts like devices, printouts, media, and other items related to investigations can
all provide additional useful forensic data.

Regardless of the type of forensic data that is obtained or handled, it is important to
maintain chain-of-custody documentation if the forensic case may result in a legal case.
In fact, some organizations apply these rules regardless of the case to ensure that a case
can be supported if it becomes necessary. Chain-of-custody forms are simple sign-off
and documentation forms, as shown in Figure 15.2. Each time the drive, device, or
artifact is accessed, transferred, or otherwise handled, it is documented as shown on the
form.
 FIGURE 15.2 A sample chain-of-custody form
Evidence in court cases is typically legally admissible if it is offered to prove the facts of a
case, and it does not violate the law. To determine if evidence is admissible, criteria such
as the relevance and reliability of the evidence, whether the evidence was obtained
legally, and whether the evidence is authentic are applied. Evidence must be the best
evidence available, and the process and procedures should stand up to challenges in
court.
In addition to these requirements, admissibility for digital forensics requires that the
data be intact and unaltered and have provably remained unaltered before and during
the forensic process. Forensic analysts must be able to demonstrate that they have
appropriate skills, that they used appropriate tools and techniques, and that they have
documented their actions in a reliable and testable way via an auditable trail. Thus, their
efforts and findings must be repeatable by a third party if necessary.

Cloud Forensics
Although on-site forensics have made up the bulk of traditional forensic work, the
widespread move to cloud services has created new challenges for forensic analysts.
Along with the need for tools and capabilities that support discovery needs,
organizations are increasingly ensuring that they have worked with their cloud
providers. In cloud environments, you will often have to consider:
Right-to-audit clauses, which are part of the contract between the cloud service and
an organization. A right-to-audit clause provides either a direct ability to audit the
cloud provider or an agreement to use a third-party audit agency. Many cloud
providers use standard contracts and may not agree to right-to-audit clauses for
smaller organizations. In those cases, they may instead provide access to regularly
updated third-party audit statements, which may fit the needs of your organization.
If you have specific audit requirements, you will need to address them in the
contract if possible, and decide whether or not the ability to conduct the audit is a
factor in your organization's decision to adopt the cloud provider's services.
Regulatory and jurisdiction concerns are also a significant element in the adoption of
cloud services. Regulatory requirements may vary depending on where the cloud
service provider operates and where it is headquartered. The law that covers your
data, services, or infrastructure may not be the laws that you have in your locality,
region, or country. In addition, jurisdictional concerns may extend beyond which
laws cover the overall organization. Cloud providers often have sites around the
world, and data replication and other service elements mean that your data or
services may be stored or used in a similarly broad set of locations. Local
jurisdictions may claim rights to access that data with a search warrant or other legal
instrument. Organizations with significant concerns about this, typically address
them with contractual terms, through service choices that providers make available
to only host data or systems in specific areas or countries and by technical controls
such as handling their own encryption keys to ensure they know if the data is
accessed.
Data breach notification laws, like other regulatory elements, also vary from country
to country, and in the United States, notably from state to state. Contracts often
cover the maximum time that can elapse before customers are notified, and ensuring
that you have an appropriate breach notification clause in place that meets your
needs can be important. Some vendors delay for days, weeks, or even months,
potentially causing significant issues for customers who are unaware of the breach.

These considerations mean that acquiring forensic data from a cloud provider is
unlikely. Although you may be able to recover forensic data from logs or from systems
and infrastructure you maintain in an infrastructure as a service provider's
environment, forensic data from the service itself is rarely handed over to customers.
Therefore, organizations that use cloud services must have a plan to handle potential
incidents and investigations that doesn't rely on direct forensic techniques.

Regulation and Jurisdiction Issues: Venue and Nexus
 Although they aren't directly covered on the exam, regulatory and jurisdictional
issues also come into play with two other legal concepts. The first is venue, which is
the location where a case is heard. Many contracts will specify venue for cases,
typically in a way that is beneficial to the service provider. If you sign a contract and
don't pay attention to venue, legal cases might have to be handled far away in
another state. At the same time, nexus is the concept of connection. A common
example of nexus is found in the decision of whether a company has nexus in a state
or locality and must charge tax there. For years, nexus was decided on whether the
company had a physical location, distribution center, or otherwise did business
physically in a state. Understanding how and why nexus may be decided can be
important when you are considering laws and regulations that may impact your
organization.

Acquisition Tools
Acquiring a forensic copy of a drive or device requires a tool that can create a complete
copy of the device at a bit-for-bit level. Over the next few pages you'll review examples of
such tools, including dd, FTK Imager, and WinHex.
In Linux, dd is a command-line utility that allows you to create images for forensic or
other purposes. The dd command line takes input such as an input location (if), an
output location (of), and flags that describe what you want to do, such as create a
complete copy despite errors.
To copy a drive mounted as /dev/sda to a file called example.img, you can execute a
command like the following:
dd if=/dev/sda of=example.img conv=noerror,sync

Additional settings are frequently useful to get better performance, such as setting the
block size appropriate for the drive. If you want to use dd for forensic purposes, it is
worth investing additional time to learn how to adjust its performance using block size
settings for the devices and interfaces that you use for your forensic workstation.

If you are creating a forensic image, you will likely want to create an
MD5sum hash of the image as well. To do that, you can use pipes, the tee
command, and md5sum:
dd if=/dev/sda bs=4k conv=sync,noerror | tee example.img | md5sum>
example.md5

This command will image the device at /dev/sda using a 4k block size, and will then
run an MD5sum of the resulting image that will be saved as example.md5. Hashing the
original drive (/dev/sda) and comparing the hashes will let you know if you have a
valid forensic image.
FTK Imager is a free tool for creating forensic images. It supports raw (dd)-style format
as well as SMART (ASR Data's format for their SMART forensic tool), E01 (EnCase), and
AFF (Advanced Forensics Format) formats commonly used for forensic tools.
Understanding what format you need to produce for your analysis tool and whether you
may want to have copies in more than one format is important when designing your
forensic process.
Physical drives, logical drives, image files, and folders, as well as multi-CD/DVD
volumes are all supported by FTK Imager. In most cases, forensic capture is likely to
come from a physical or logical drive. Figure 15.3 shows a completed image creation
from a physical drive using FTK Imager. Note the matching and validated MD5 and
SHA1 hashes and confirmation that there were no bad blocks, which would indicate
potential data loss or problems with the drive.

FIGURE 15.3 Output from a completed FTK Imager image
In addition to drive imaging tools, forensic analysts are sometimes asked to capture live
memory on a system. Along with drive images, FTK Imager can capture live memory
from a system, as shown in Figure 15.4. Here, the simple GUI lets you select where the
file will go, the filename, whether the system pagefile for virtual memory should be
included, and whether to save it in the AD1 native FTK file format.
 FIGURE 15.4 FTK Imager's Memory Capture dialog box
Another useful forensic tool is WinHex, a disk editing tool that can also acquire disk
images in raw format, as well as its own dedicated WinHex format. WinHex is useful for
directly reading and modifying data from a drive, memory, RAID arrays, and other
filesystems.

If you have experience performing forensic analysis, you've likely
noted that this set of tools is lacking major common tools, like EnCase, FTK, and
the Volatility framework, as well as common open source forensic tools like the
SANS SIFT distribution. You'll also notice a lack of network forensic access toolkits
and information about containers and virtual machine capture in the exam outline.
The Security+ exam focuses on broad concepts more than on specific tools, so we've
focused on easily available tools for practitioners who want to gain some experience
without licensing expensive commercial software.

Acquiring Network Forensic Data
Not all forensic data can be found on disks or systems. Network forensics have an
increasingly large role to play, whether they are for traditional wired and wireless
networks, cellular networks, or others. Since network traffic is ephemeral, capturing
traffic for forensic investigation often requires a direct effort to capture and log the data
in advance. If network traffic isn't actively being logged, forensic artifacts like firewall
logs, IDS and IPS logs, email server logs, authentication logs, and other secondary
sources may provide information about when a device was on a network, what traffic it
sent, and where it sent the traffic.
When forensic examiners do work with network traffic information, they will frequently
use a packet analyzer like Wireshark to review captured network traffic. In-depth
analysis of packets, traffic flows, and metadata can provide detailed information about
network behaviors and content.
The same taps, span ports, and port mirrors used for network security devices can also
be useful for network forensics, allowing copies of network traffic to be sent to collection
servers. Although this can be useful, it can also result in massive amounts of data.
Capturing all or selected network traffic is a process that most organizations reserve for
specific purposes rather than a general practice. Instead, most organizations end up
relying on logs, metadata, traffic flow information, and other commonly collected
network information to support forensic activities.

Acquiring Forensic Information from Other Sources
In addition to the forensic acquisition types you have learned about so far, two other
specific types of acquisition are increasingly common. Acquisition from virtual machines
requires additional planning. Unlike a server, desktop, or laptop, a VM is often running
in a shared environment, where removal of the system would cause disruption to
multiple other servers and services. At the same time, imaging the entire underlying
virtualization host would include more data and systems than may be needed or
appropriate for the forensic investigation that is in progress. Fortunately, a virtual
machine snapshot will provide the information that forensic analysts need and can be
captured and then imported into forensic tools using available tools.
Containers have grown significantly in use and create new challenges for forensic
examiners. Since containers are designed to be ephemeral, and their resources are often
shared, they create fewer forensic artifacts than a virtual or physical machine. In fact,
though containers can be paused, capturing them and returning them to a forensically
sound state can be challenging. Container forensics require additional planning and
forensic and incident response tools are becoming available to support these needs.

If you'd like to learn more about forensics in a containerized
environment, you can find a great video about it at www.youtube.com/watch?
v=MyXROAqO7YI.
Validating Forensic Data Integrity
Once you've acquired your forensic data, you need to make sure that you have a
complete, accurate copy before you begin forensic analysis. At the same time,
documenting the provenance of the data and ensuring that the data and process cannot
be repudiated (nonrepudiation) are also important.
The most common way to validate that a forensic copy matches an original copy is to
create a hash of the copy as well as a hash of the original drive, and then compare them.
If the hashes match, the forensic copy is identical to the original. Although MD5 and
SHA1 are both largely outmoded for purposes where attackers might be involved, they
remain useful for quickly hashing forensic images. Providing an MD5 or SHA1 hash of
both drives, along with documentation of the process and procedures used, is a common
part of building the provenance of the copy. The hashes and other related information
will be stored as part of the chain-of-custody and forensic documentation for the case.
Manually creating a hash of an image file or drive is as simple as pointing the hashing
tool to it. Here are examples of a hash for a drive mounted as /dev/sdb on a Linux
system and an image file in the current directory. The filename selected for output is
drive1.hash, but it could be any filename you choose.

md5sum /dev/sdb > drive1.hash

or
md5sum image_file.img > drive1.hash

Forensic Copies vs. Logical Copies

Simply copying a file, folder, or drive will result in a logical copy. The data will be
preserved, but it will not exactly match the state of the drive or device it was copied
from. When you conduct forensic analysis, it is important to preserve the full
content of the drive at a bit-by-bit level, preserving the exact structure of the drive
with deleted file remnants, metadata, and time stamps. Forensic copies are
therefore done differently than logical copies. Hashing a file may match, but
hashing a logical copy and a forensic copy will provide different values, thus making
logical copies inadmissible in many situations where forensic analysis may involve
legal action or unusable when changes to the drive or metadata and deleted files are
critical to the investigation.

The hash value for a drive or image can also be used as a checksum to ensure that it has
not changed. Simply rehashing the drive or image and comparing the value produced
will tell you if changes have occurred because the hash will be different.
Careful documentation for cases is a critical part of the forensic process, and Figure 15.5
shows how tools like FTK Imager have built-in support for documentation. Associating
images with case numbers and including details of which examiner created the file can
help with forensic documentation.
Documenting the provenance or where an image or drive came from and what
happened with it, is critical to the presentation of a forensic analysis. Forensic suites
have built-in documentation processes to help with this, but manual processes that
include pictures, written notes, and documentation about the chain of custody,
processes, and steps made in the creation and analysis of forensic images can yield a
strong set of documentation to provide appropriate provenance information. With
documentation like this, you can help ensure that inappropriate handling or processes
do not result in the repudiation of the images or process, resulting in the loss of a legal
case or an inability to support criminal or civil charges.

FIGURE 15.5 FTK Imager's evidence item documentation

Making Sure the Data Doesn't Change

The Security+ exam outline doesn't require you to know about write blockers, but
forensic practitioners who need to be able to create legally admissible forensic
images and reports must ensure that their work doesn't alter the drives and images
they work with. That's the role of a hardware or software write blocker. Write
blockers allow a drive or image to be read and accessed without allowing any writes
to it. That way, no matter what you do, you cannot alter the contents of the drive in
any way while conducting a forensic examination. If you show up in court and the
 opposing counsel asks you how you did your work and you don't mention a write
blocker, your entire set of forensic findings could be at risk!

Data Recovery
In addition to forensic analysis, forensic techniques may be used to recover data from
drives and devices. In fact, file recovery is a common need for organizations due to
inadvertent deletions and system problems or errors.
The ability to recover data in many cases relies on the fact that deleting a file from a
drive or device is nondestructive. In other words, when a file is deleted, the fastest way
to make the space available is to simply delete the file's information from the drive's file
index and allow the space to be reused when it is needed. Quick formatting a drive in
Windows only deletes the file index instead of overwriting or wiping the drive, and other
operating systems behave similarly. So, recovering files with a recovery tool or by
manual means requires reviewing the drive, finding files based on headers or metadata,
and then recovering those files and file fragments.
In cases where a file has been partially overwritten, it is still possible to recover
fragments of the files. Files are stored in blocks, with block sizes depending on the drive
and operating system. If a file that is 100 megabytes long is deleted then partially
overwritten by a 25 megabyte file, 75 megabytes of the original file could potentially be
recovered.
Forensic analysts rely on this when files have been intentionally deleted to try to hide
evidence, and they refer to the open space on a drive as slack space. Slack space analysis
is critical to forensic analysis because of the wealth of data about what has previously
occurred on a drive that it can provide.
Antiforensic techniques and data security best practices are the same in this
circumstance and suggest overwriting deleted data. Secure delete tools are built into
many operating systems or are available as stand-alone tools. If a file has been deleted
securely and thus overwritten, there is very little chance of recovery if the tool was
successful.

Flash Media and SSDs: What About Wear Leveling?

Completely removing data from devices like SSDs and flash media that have space
they use for wear leveling can be far more difficult than with traditional magnetic
media like hard drives. Since wear leveling will move data to less worn cells (blocks
of reserved spare space) as needed, those cells that have been marked as unusable
due to wear may still contain historic or current data on the drive. Large drives can
contain a significant percentage of spare wear leveling capacity—up to double digit
percentages—which means that attempts to securely delete information on an SSD
may fail. Fortunately, techniques like using full-disk encryption can ensure that
even if data remains, it cannot be easily recovered.
Forensic Suites and a Forensic Case Example
Forensic suites are complete forensic solutions designed to support forensic data
acquisition, analysis, and reporting. FTK and EnCase are major commercial options,
and Autopsy is an open source forensic suite with broad capabilities. Forensic activities
with a tool like Autopsy will typically start creating a new case with information about
the investigators, the case, and other details that are important to tracking
investigations, and then import files into the case. For this example, the NIST Computer
Forensic Reference Data Sets (CFReDS) Rhino hunt disk competition image was used.
The Rhino hunt includes a small image file and three network traces that can be viewed
in Wireshark. This example focuses on the disk image file. First, as shown in Figure 15.6,
you will select the type of file you are importing. Note that you can import a variety of
data sources including raw disks, images, and VMs.

FIGURE 15.6 Selecting the type of image or data to import

If you want some forensic practice, the Computer Forensic Reference
Data Sets (CFReDS) can be found at www.cfreds.nist.gov. They include solutions so
that you can check your answers too.

With an image imported, you can select the modules that will be run against the file
(Figure 15.7). Modules provide additional analysis capabilities, but they also take time to
run. Fortunately, the Rhino Hunt is a small image, but disabling unnecessary modules is
a good practice for larger images.
Once the modules have processed the file, you can then use Autopsy to analyze it. The
modules can help with quick discovery of forensic artifacts. In fact, one of the rhinos
associated with the hunt shows up immediately when the file discovery module is
loaded, along with pictures of crocodiles inserted into the image as part of the exercise.
Figure 15.8 shows the images that the discovery tool found.

FIGURE 15.7 Ingestion modules in Autopsy
 FIGURE 15.8 Using the Autopsy file discovery tool to identify images in an
investigation
Although there are many features with tools like this, timelines are very important, and
Autopsy's timeline capability allows you to see when filesystem changes and events
occurred. This is particularly useful if you know when an incident happened or you need
to find events as part of an investigation. Once you know when a person was active or
the events started, you can then review the timeline for changes that were made near
that time. You can also use timelines to identify active times where other events were
likely to be worth reviewing. Figure 15.9 shows some of what the Autopsy timeline can
help discover, with two file changes in the time frame shown. Further investigation of
these times is likely to show activity related to the case.
 FIGURE 15.9 Timelining in Autopsy to identify events related to the
investigation

Timelining capabilities like these rely on accurate time data, and
inaccurate time settings can cause problems for forensic timelines. Incorrect time
settings, particularly in machines in the same environment, can cause one machine
to appear to have been impacted an hour earlier than others, leading practitioners
down an incorrect path. Always check to make sure that the time stamps for files
and time settings for machines are what you expect them to be before jumping to
conclusions about what happened at a specific time.
Forensic suites have many other useful features, from distributed cracking of encryption
to hash cracking, steganographic encoding detection to find data hidden in images, and
a host of other capabilities that are beyond the scope of the Security+ exam.

Reporting
Although the analysis of digital artifacts and evidence is important to the forensic
process, the report that is produced at the end is the key product. Reports need to be
useful and contain the relevant information without delving into every technical nuance
and detail that the analyst may have found during the investigation.
A typical forensic report will include:
A summary of the forensic investigation and findings.
An outline of the forensic process, including tools used and any assumptions that
were made about the tools or process.
A series of sections detailing the findings for each device or drive. Accuracy is critical
when findings are shared, and conclusions must be backed up with evidence and
appropriate detail.
Recommendations or conclusions in more detail than the summary included.

Forensic practitioners may also provide a report with full detail of the analysis as part of
their documentation package.

Exam Note

The Security+ exam outline includes acquisition, preservation, and reporting
aligned with incident response activities. As you review this section, focus on how
acquisition and preservation processes work, how they would be used in an incident
response scenario, what information would be needed, and how it would be used
when reporting is done.

Digital Forensics and Intelligence
Although digital forensics work in most organizations is primarily used for legal cases,
internal investigations, and incident response (IR), digital forensics also plays a role in
both strategic intelligence and counterintelligence efforts. The ability to analyze
adversary actions and technology, including components and behaviors of advanced
persistent threat tools and processes, has become a key tool in the arsenal for national
defense and intelligence groups. At the same time, forensic capabilities can be used for
intelligence operations when systems and devices are recovered or acquired, allowing
forensic practitioners to recover data and provide it for analysis by intelligence
organizations.
Many of the tools that are used by traditional forensic practitioners are also part of the
toolset used by intelligence and counterintelligence organizations. In addition to those
capabilities, they require advanced methods of breaking encryption, analyzing software
and hardware, and recovering data from systems and devices that are designed to resist
or entirely prevent tampering that would be part of a typical forensic process.

Exam Note

The Security+ exam won't quiz you on specific intelligence and counterintelligence
tools or techniques, but you should remember that forensic techniques play an
important role in both communities.

Summary
Digital forensics plays a role in legal cases, criminal investigations, internal
investigations, incident responses, and intelligence activities. For most organizations,
legal holds, e-discovery, internal investigations, and IR are the most common uses.
Legal holds are a notice from opposing counsel to retain data that may be relevant to a
current or pending case. Using a discovery model like the EDRM model can help ensure
that your discovery and holds process is well planned and executed.
Forensic data acquisition can be time sensitive, so analysts must understand the order of
volatility for systems, which identifies the targets most likely to change or lose data if
they are not preserved first. Throughout acquisition and the forensic life cycle,
maintaining a chain of custody helps ensure that evidence is admissible in court.
Cloud services have included additional complexity to forensic efforts. In addition to
technical concerns that can make it impossible to conduct direct forensic investigations,
contractual and policy considerations need to be taken into account. Many organizations
now evaluate right-to-audit clauses, regulatory and jurisdictional concerns, and data
breach notification time frames as part of their contracting process for new third-party
and cloud services.
Acquisition tools and forensic suites provide the ability to collect forensic images and
data and to analyze them using powerful capabilities like automatic recognition of
images and documents, as well as timelining and other features. Hashing and validating
ensures that acquired images are intact, and matching the source data helps ensure that
the forensic data will be admissible in court.
Reporting occurs at the end of a forensic analysis and needs to be complete, with
documented reasoning for each conclusion or statement made about the forensic
evidence. A standard forensic reporting format helps ensure that readers know what to
expect and that they can easily understand what is being presented.
Forensic techniques may be used for more than just investigations and incident
response. They also have a role to play in both intelligence and counterintelligence
activities. Intelligence organizations may acquire information using forensic techniques