Certified Cybersecurity Technician Exam 212-82 Data Sanitization PDF

Summary

This document outlines data sanitization procedures for investigators. It details various techniques and standards for destroying data on target media to prevent unauthorized access. Specific methods like overwriting and physical destruction are explained in the context of forensic data acquisition.

Full Transcript


Step 3: Sanitize the Target Media

Investigators must properly sanitize the target media in order to erase any prior data residing on it before it is used for collecting forensic data. Post investigation, they must dispose of this media by following the same standards, so as to mitigate the risk of unauthorized disclosure of information and ensure its confidentiality. The following are some standards for sanitizing media:

* Russian Standard, GOST P50739-95
* German: VSITR
* American: NAVSO P-5239-26 (MFM)
* American: DoD 5220.22-M
* American: NAVSO P-5239-26 (RLL)
* NIST SP 800-88

Before data acquisition and duplication, an appropriate data sanitization method must be used to permanently erase any previous information stored on the target media. Destruction of data using industry-standard data destruction methods is essential for sensitive data that one does not want falling into the wrong hands. Which standard applies depends on the level of sensitivity. Deletion and disposal of data on electronic devices is only virtual: physically, the data remains and poses a security threat. Methods like hard drive formatting or deleting partitions cannot delete the file data completely. It is therefore important to destroy the data and protect it from retrieval after the evidence has been collected from the computer, and the only way to erase the data completely and protect it from recovery is to overwrite it with a sequence of zeroes or ones. Further, once the target data is collected and analyzed, the media must be appropriately disposed of to prevent data retrieval and protect its confidentiality.
Investigators can follow the standards given below while sanitizing the target media:

* Russian Standard, GOST P50739-95 (6 passes): A wiping method that writes zeros in the first pass and then random bytes in the next pass
* (German) VSITR (7 passes): Overwrites in 6 passes with alternating sequences of 0x00 and 0xFF, and with 0xAA in the last (7th) pass
* (American) NAVSO P-5239-26 (MFM) (3 passes): A three-pass overwriting algorithm that verifies in the last pass
* (American) DoD 5220.22-M (7 passes): Destroys the data in the drive's required area by overwriting with 010101 in the first pass and 101010 in the second pass, repeating this process thrice; it then overwrites that area with random characters in the 7th pass
* (American) NAVSO P-5239-26 (RLL) (3 passes): A three-pass overwriting algorithm that verifies in the last pass
* NIST SP 800-88: The NIST SP 800-88 guidance explains three sanitization methods:
  - Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands
  - Purge: Physical or logical techniques that make recovery of the target data infeasible even using state-of-the-art laboratory techniques
  - Destroy: Makes recovery of the target data infeasible even using state-of-the-art laboratory techniques, and leaves the media unusable for data storage

Module 20 Page 2283 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The National Institute of Standards and Technology has also issued a set of guidelines to help organizations sanitize data and preserve the confidentiality of the information.
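The VSITR and DoD 5220.22-M pass schedules described above, carried out over an in-memory stand-in for the target media with a read-back check after the final pass. This is an added example written for this page, not EC-Council's material or a certified wiping tool; the schedule table, the constructed SAMPLE bytes and the helper names are assumptions.

```python
import io
import os
from typing import IO, Optional

# Pass schedules as this page describes them (constructed illustration, not a
# certified implementation of either standard). A fixed byte fills the whole
# pass; None means a pass of random bytes.
SCHEDULES = {
    "VSITR": [b"\x00", b"\xff"] * 3 + [b"\xaa"],       # 6 alternating passes, then 0xAA
    "DoD 5220.22-M": [b"\x55", b"\xaa"] * 3 + [None],  # 01010101/10101010 x3, then random
}
# Constructed stand-in for prior content on a target media (not real evidence).
SAMPLE = b"CASE-0001 constructed evidence residue " * 200

def overwrite_pass(media: IO[bytes], size: int, pattern: Optional[bytes], chunk: int = 4096) -> None:
    """Write one full pass over the first `size` bytes of `media`, chunk by chunk."""
    media.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        media.write(os.urandom(n) if pattern is None else pattern * n)
        remaining -= n
    media.flush()

def sanitize(media: IO[bytes], size: int, standard: str) -> int:
    """Run every pass of the named schedule in order; return the pass count."""
    schedule = SCHEDULES[standard]
    for pattern in schedule:
        overwrite_pass(media, size, pattern)
    return len(schedule)

def verify(media: IO[bytes], size: int, standard: str, original: bytes) -> bool:
    """Read back after the last pass. A fixed final pattern is checked byte for
    byte; a random final pass (DoD 5220.22-M as described here) has no pattern
    to check, so the test degrades to 'the original bytes are gone', which is
    one reason to prefer a schedule that verifies in its last pass (NAVSO)."""
    media.seek(0)
    data = media.read(size)
    last = SCHEDULES[standard][-1]
    if last is None:
        return len(data) == size and data != original
    return data == last * size

def demo(standard: str, original: bytes = SAMPLE) -> tuple:
    """Sanitize an in-memory copy of `original`; return (passes, verified, final bytes)."""
    media = io.BytesIO(original)
    passes = sanitize(media, len(original), standard)
    return passes, verify(media, len(original), standard, original), media.getvalue()
```

On a real device the same functions take the opened block device and its size in place of the BytesIO; flash media that remaps writes may not expose every cell to an overwrite pass, which is where the Purge and Destroy levels of NIST SP 800-88 apply.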
NIST guidelines for sanitizing data:

* The application of complex access controls and encryption can reduce the chances for an attacker to gain direct access to sensitive information
* An organization can dispose of media data that is no longer useful by internal or external transfer or by recycling, in order to fulfill data sanitization
* Effective sanitization techniques and tracking of storage media are crucial for organizations to protect sensitive data against attackers
* All organizations and intermediaries are responsible for effective information management and data sanitization
* Physical destruction of media involves techniques such as cross-cut shredding. Departments can destroy media on-site or through a third party that meets confidentiality standards.

Investigators must consider the type of target media they are using for copying or duplicating the data and select an appropriate sanitization method, to ensure that no part of the previous data remains on the target media that will store the evidence files. Data left over from previous use of the media may alter the properties of the evidence files or change the data and its structure.

Step 4: Acquire Volatile Data

Volatile data acquisition involves collecting data that is lost when the computer is shut down or restarted. This data usually corresponds to running processes, logged-on users, registries, DLLs, clipboard data, open files, etc.
Forensic tools such as Belkasoft Live RAM Capturer and PsTools can be used to extract the entire contents of the computer's volatile memory. Belkasoft Live RAM Capturer is a forensic tool that allows extracting the entire contents of a computer's volatile memory; it saves the image files in .mem format (https://belkasoft.com).

As the contents of RAM and other volatile data are dynamic, investigators need to be careful while acquiring such data. Working on a live system may alter the contents of the RAM or processes running on the system. Any involuntary action may change file access dates and times, use shared libraries or DLLs, trigger the execution of malware, or, in the worst case, force a reboot, thus making the system inaccessible. Therefore, the examination of a live system and volatile data acquisition must be conducted carefully. While most volatile data are recovered by examining the live system, approximately the same amount of data can be obtained by examining an image acquired from the memory of the system. The following sections describe how to acquire volatile data from Windows, Linux, and Mac systems.

Acquire Volatile Data from a Windows Machine

Forensic tools such as Belkasoft Live RAM Capturer and PsTools can be used to extract the volatile data from a system.
This tool saves the image files in .mem format.

Belkasoft Live RAM Capturer

Source: https://belkasoft.com

Belkasoft Live RAM Capturer is an open-source forensic tool that enables reliable extraction of the entire contents of the computer's volatile memory, even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available to minimize the tool's footprint. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis using the Belkasoft Evidence Center software. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows, including XP, Vista, Windows 7, 8, and 10, and 2003 and 2008 Server.

[Screenshot of the Belkasoft Live RAM Capturer window, output folder path and Capture/Cancel/Close buttons; tool output reads: "Loading device driver... Physical Memory Page Size = 4096 Total Physical Memory Size = 16894 MB Memory dump completed. Total memory dumped = 16894 MB Analyze memory dumps with Belkasoft Evidence Center. Download at www.belkasoft.com/ec"]
Figure 20.13: Capturing RAM of a machine

Note: While performing live acquisition, an investigator must be aware of the fact that working on a live system may alter the contents of RAM or processes running on the system. Any involuntary action performed on the system may potentially make the system inaccessible.
Step 5: Enable Write Protection on the Evidence Media

It is necessary to write protect the suspect drive using write blockers to preserve and protect the evidence contained in it. A write blocker is a hardware device or software application that allows data acquisition from the storage media without altering its contents. It blocks write commands, thus allowing read-only access to the storage media.

* If a hardware write blocker is used:
  » Install a write blocker device
  » Boot the system with the examiner-controlled operating system
  » Examples of hardware devices: CRU® WiebeTech® USB WriteBlocker, Tableau Forensic Bridges, etc.
* If a software write blocker is used:
  » Boot the system with the examiner-controlled operating system
  » Activate write protection
  » Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc.

Write protection refers to one or more measures that prevent a storage media from being written to or modified.
It may be implemented either by a hardware device or by a software program on the computer accessing the storage media. Enabling write protection allows data to be read but prohibits writing or modification. In the context of forensic data acquisition, the evidence media, meaning the storage in the original device from which data must be copied onto a separate storage device, must be write protected to safeguard it from modifications. Write protection is important because forensic investigators should be confident about the integrity of the evidence they obtain during acquisition, analysis, and management. The evidence should be legitimate in order for it to be accepted by the authorities of the court. Therefore, the investigator needs to implement a set of procedures to prevent the execution of any program that can alter the disk contents. The following are some measures that provide defense mechanisms against alterations:

* Set a hardware jumper to make the disk read-only
* Use an operating system and software that cannot write to the disk unless instructed
* Employ a hard disk write block tool to protect against disk writes

Hardware and software write blocker tools provide read-only access to hard disks and other storage devices without compromising their security. The main differences among these solutions arise during the installation and usage stages.
* If a hardware write blocker is used:
  o Install a write blocker device
  o Boot the system with the examiner-controlled operating system
  o Examples of hardware devices: CRU® WiebeTech® USB WriteBlocker™, Tableau Forensic USB Bridge, etc.
* If a software write blocker is used:
  o Boot the system with the examiner-controlled operating system
  o Activate write protection
  o Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc.
