Chapter 20 - 07 - Collecting the Evidence - 02_ocred_fax_ocred.pdf
Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Dealing with Powered Off Computers

At this point in the investigation, do not change the state of any electronic devices or equipment:
- If the device/equipment is switched OFF, leave it OFF.
- If a monitor is switched OFF and the display is blank:
  - Turn the monitor ON, move the mouse slightly, observe the changes from a blank screen to another screen, and note the changes.
  - Photograph the screen.
- If a monitor is switched ON and the display is blank:
  - Move the mouse slightly.
  - If the screen does not change after moving the mouse slightly, do not press any keys.
  - Photograph the screen.

Module 20 Page 2250 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Dealing with Networked Computers

If the victim computer has an Internet connection, the investigator must adhere to the following procedures to protect the evidence:
- Unplug the network cable from the router and modem, because the Internet connection can make the computer vulnerable to further attacks.
- Do not use the computer for evidence search, because doing so may alter the integrity of the existing evidence.
- Photograph all the devices connected to the victim's computer, especially the router and modem, and take photographs of the computer from several angles.
- If any devices, such as a printer or scanner, are present near the victim computer, take photographs of those devices as well.
- If the computer is turned OFF, leave it in that state; if it is ON, photograph the screen and follow the steps for powered on computers.
- Unplug all cords and devices connected to the computer and label them for identification.
- Unplug the main power cord from the wall socket.
- Pack the collected electronic evidence properly and place it in a static-free bag.
- Keep the collected evidence away from magnets, high temperature, radio transmitters, and other elements that may damage the integrity of the evidence.
- Document all the steps involved in searching and seizing the victim's computer for later investigation.

Dealing with Open Files and Startup Files

When a malware attack occurs, the malicious software infiltrates the computer and creates files. The malicious code is run by executing the malware-created files in the startup folders on Windows operating systems and in the rc.local file on Linux operating systems. Investigators can obtain vital information from these files.

Steps for dealing with open files and startup files:
- Open any recently created documents from the startup or system32 folder in Windows and the rc.local file in Linux.
- Document the date and time of the files.
- Examine the open files for sensitive data such as passwords or images.
- Search for unusual MAC (modified, accessed, or changed) times on vital folders and startup files.
- Use the dir command for Windows or the ls command for Linux to locate the actual access times on those files and folders.
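The steps above (record the date and time of startup files, look for unusual MAC times) can be carried out with a small read-only script rather than by eyeballing dir/ls output. The following is an added example written for this page, not EC-Council's code; the locations in STARTUP_PATHS are assumed typical Windows and Linux startup paths, and the cutoff passed to flag_unusual() is the examiner's suspected incident time.

```python
"""Added example (not EC-Council's code): record the MAC times of startup files.
STARTUP_PATHS are assumed typical locations; pass your own list when examining a host."""
import os
from datetime import datetime, timezone

# Assumed defaults: Windows Startup folder and System32, Linux rc.local.
STARTUP_PATHS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    r"C:\Windows\System32",
    "/etc/rc.local",
]


def mac_times(path):
    """Modified/accessed/changed times of one path as UTC datetimes.
    Note: st_ctime is inode change time on Linux but creation time on Windows."""
    st = os.lstat(path)  # lstat records a symlink itself rather than its target
    utc = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"path": path, "size": st.st_size, "modified": utc(st.st_mtime),
            "accessed": utc(st.st_atime), "changed": utc(st.st_ctime)}


def collect_mac_times(paths):
    """Read-only walk of each file or directory tree; missing paths are skipped."""
    records = []
    for root in paths:
        if os.path.isfile(root):
            records.append(mac_times(root))
        elif os.path.isdir(root):
            for dirpath, _, files in os.walk(root):
                for name in files:
                    try:
                        records.append(mac_times(os.path.join(dirpath, name)))
                    except OSError:
                        continue  # vanished or unreadable; note it in the log separately
    return records


def flag_unusual(records, since):
    """Records whose latest MAC timestamp falls at or after `since`, the suspected
    incident time: candidates for malware-created or modified startup files."""
    return [r for r in records
            if max(r["modified"], r["accessed"], r["changed"]) >= since]


def document_line(record):
    """One evidence-log line: ISO-8601 UTC timestamps, then size and path."""
    m, a, c = (record[k].strftime("%Y-%m-%dT%H:%M:%SZ")
               for k in ("modified", "accessed", "changed"))
    return f"M={m} A={a} C={c} size={record['size']} {record['path']}"
```

Write the output of document_line() for every record into the case notes before opening any of the files, since opening them updates the access time you are trying to preserve.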
Operating System Shutdown Procedure

Investigators have to make a crucial decision when shutting down the computer system, because it is important to shut down the operating system in a proper manner so that it will not damage the integrity of the files. In case the investigators need to shut the systems down, they must either collect or wait for the collection of the volatile data from the systems, as the systems delete this data after shutting down, making it impossible to retrieve. Different operating systems have different shutdown procedures. The investigators must follow the predefined shutdown procedure; otherwise, data may be lost as the hard drives may crash.

Windows operating system:
- Click on the Windows button at the bottom left of the screen.
- Click the Power option from the menu.
- Then, select the Shut down option.
- Wait until the system shuts down completely and unplug the power cord from the socket.

Mac OS X operating system:
- Click the Apple icon located on the top left-hand side of the Mac OS taskbar.
- Select Shut Down near the bottom.
- Unplug the power cord from the wall socket.

UNIX/Linux operating systems:
- Right click on the Desktop and select the Terminal option.
- If the root user's prompt is set to # sign mode:
  - Enter the password if available and type sync;sync;halt to shut down the system.
  - If the password is not available, unplug the power cord from the wall socket.
- If it is set to console # sign mode:
  - Enter the user's ID and press Enter.
  - If the user ID is root, type sync;sync;halt to shut down the system.
  - If the user's ID is not root, unplug the power cord from the wall socket.