Certified Cybersecurity Technician Exam 212-82 Data Sanitization PDF
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Data-Informed Community-Focused Policing in the Los Angeles Police Department PDF
- 2020-09 CIPP-US Data Privacy Textbook Outline PDF
- Introdução ao Controle de Poluição Ambiental PDF
- Practice Exercises on Surveillance PDF
- Cryptographic Erase Explained PDF
- NIST SP 800-88r1 Guidelines for Media Sanitization PDF
Summary
This document outlines data sanitization procedures for investigators. It details various techniques and standards for destroying data on target media to prevent unauthorized access. Specific methods like overwriting and physical destruction are explained in the context of forensic data acquisition.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics Step 3: Sanitize the Target Media Q Investigators must p...
Certified Cybersecurity Technician Exam 212-82 Computer Forensics Step 3: Sanitize the Target Media Q Investigators must properly sanitize the target media in order to any prior data residing on it, before it is used for collecting forensic data O QO Post investigation, they must dispose this media by following the same standards, so as to mitigate the risk of unauthorized disclosure of information, and ensure its confidentiality Q The following are some standards for sanitizing media: * Russian Standard, GOST P50739-95 *= German:VSITR * American: NAVSO P-5239-26 (MFM) = American: DoD 5220.22-M = American: NAVSO P-5239-26 (RLL) * NIST SP 800-88 bCil. All Rights Reserved. Reproduction is Strictly Prohibited Step 3: Sanitize the Target Media Before data acquisition and duplication, an appropriate data sanitization method must be used to permanently erase any previous information stored on the target media. Destruction of data using industry standard data destruction methods is essential for sensitive data that one does not want falling into the wrong hands. These standards depend on the levels of sensitivity. Data deletion and disposal on electronic devices is only virtual, but physically it remains, posing a security threat. Methods like hard drive formatting or deleting partitions cannot delete the file data completely. However, it is important to destroy the data and protect it from retrieval, after the collection of evidence from the computer. Therefore, the only way to erase the data completely and protect it from recovery is to overwrite the data by applying a code of sequential zeroes or ones. Further, once the target data is collected and analyzed, the media must be appropriately disposed to prevent data retrieval and protect its confidentiality. Investigators can follow different standards as given below while sanitizing the target media: * Russian Standard, GOST P50739-95 (6 passes): It is a wiping method that writes zeros in the first pass and then random bytes in the next pass * (German) VSITR (7 passes): This method overwrites in 6 passes with alternate sequences of 0x00 and OxFF, and with 00xAA in the last (7*") pass **= (American) NAVSO P-5239-26 (MFM) (3 passes): This is a three-pass overwriting algorithm that verifies in the last pass Module 20 Page 2283 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics (American) DoD 5220.22-M (7 passes): This standard destroys the data on the drive’s required area by overwriting with 010101 in the first pass, 101010 in the second pass and repeating this process thrice. This method then overwrites that area with random characters which is the 7" pass. (American) NAVSO P-5239-26 (RLL) (3 passes): This is a three-pass overwriting algorithm that verifies in the last pass NIST SP 800-88: The proposed NIST SP 800-88 guidance explains three sanitization methods- Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands Purge: Involves physical or logical techniques to make the target data recovery infeasible by using state-of-the-art laboratory techniques Destroy: Enables target data recovery to be infeasible with the use of state-of-the-art laboratory techniques, which result in an inability to use the media for data storage The National Institute of Standards and Technology has issued a set of guidelines as given below to help organizations sanitize data to preserve the confidentiality of the information. The application of complex access controls and encryption can reduce the chances for an attacker to gain direct access to sensitive information An organization can dispose of the not so useful media data by internal or external transfer or by recycling to fulfill data sanitization Effective sanitization techniques and tracking of storage media are crucial to ensure protection of sensitive data by organizations against attackers All organizations and intermediaries are responsible for effective information management and data sanitization Physical destruction of media involves techniques, such as cross-cut shredding. Departments can destroy media on-site or through a third party that meets confidentiality standards. Investigators must consider the type of target media they are using for copying or duplicating the data and select an appropriate sanitization method to ensure that no part of previous data remains on the target media that will store the evidence files. The previous media may alter the properties or changes the data and its structure. Module 20 Page 2284 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Step 4: Acquire Volatile Data O Volatile data acquisition involves collecting data thatis when the computeris shut down or restarted O Thisdatausually correspondsto running processes, logged on users, registries, DLLs, clipboard data, openfiles, etc. O Forensictools such as Belkasoft Live RAM Capturerand PsTools can be used to extract the entire contentsof the computer’s volatilememory “ Belkazoft Live RAM Capturer - X Q Belkasoft Live RAM Captureris a forensic tool that allows extractingthe entire contentsof a computer’s Select output folder path: p:\RamCapturer 64} volatile memory Q It saves the imagefiles in.mem format Loading device driver...Physical Memory Page Size = 4056Total Physical Memory Sze = 16894 MB Memory dump compieted. Total memory dumped = 16894 MBAnalyze memory dumps with Selkasoft Evidence Center, Download at www,belkasoft. comfec Note: While performing live acquisition, an investigator must be aware of the fact that working on a live system may alter the contents of RAM _ or processes running on the system, Any involuntary action performed on the system may potentially make the system inaccessible. https://belkasoft.com Copyright © by EC. L. All Rights Reserved. Reproduction Is Strictly Prohibited Step 4: Acquire Volatile Data As the contents of RAM and other volatile data are dynamic, investigators need to be careful while acquiring such data. Working on a live system may alter the contents of the RAM or processes running on the system. Any involuntary action may change file access dates and times, use shared libraries or DLLs, trigger the execution of malware, or —in the worst case — force a reboot, thus making the system inaccessible. Therefore, the examination of a live system and volatile data acquisition must be conducted carefully. While most volatile data are recovered by examining the live system, approximately the same amount of data can be obtained by examining the image acquired from the memory of the system. The following sections describe how to acquire volatile data from Windows, Linux, and Mac systems. Acquire Volatile Data from a Windows Machine Forensic tools such as Belkasoft Live RAM Capturer and PsTools can be used to extract the volatile data from a system. This tool saves the image files in.mem format. Belkasoft Live RAM Capturer Source: https://belkasoft.com Belkasoft Live RAM Capturer is an open-source forensic tool that enables reliable extraction of the entire contents of the computer’s volatile memory, even if protected by an active anti- debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available to minimize the tool’s footprint. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis using the Belkasoft Evidence Center software. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows including XP, Vista, Windows 7, 8, and 10, 2003, and 2008 Server. Module 20 Page 2285 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics “» Belkasoft Live RAM Capturer o- X Loading device driver...Physical Memory Page Size = 4096Total Physical Memory Memory Size = 16894MB Memory Memory dump completed. Total memory dumped = 16894 MBAnalyze memory memory dumps with Belkasoft Evidence Evidence Center. Download Download at www.belkasoft.com/fec www.belkasoft.com/ec ~ Capture! Cancel | Close Figure 20.13: Capturing RAM of a machine Note: While performing live acquisition, an investigator must be aware of the fact that working on a live system may alter the contents of RAM or processes running on the system. Any involuntary action performed on the system may potentially make the system inaccessible. Module 20 Page 2286 Certified Cybersecurity Technician Copyright © by EG-Gouncil EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Certified Cybersecurity Technician Technician Exam 212-82 Exam 212-82 Computer Forensics Computer Forensics Step 5:5: Enable Step Enable Write Write Protection Protection on on the Evidence the Evidence Media Media QOQ 1tis necessary Itis necessary toto write write protect protect the the suspect suspect drive drive using using write write blockers blockers toto preserve preserve and and protect protect the the evidence evidence contained contained inin itit OO AA write write blocker blocker isis aa hardware hardware device device oror software software application application that that allows allows data data acquisition acquisition from from the the storage storage media media without without altering altering its its contents contents OO 1tIt blocks blocks write write commands, commands, thus thus allowing allowing read-only read-only access access toto the the storage media storage media == |f|If hardware hardware write write blocker blocker isis used: used: »» Install aa write Install write blocker blocker device device »» Boot the Boot the system system with with the the examiner-controlled examiner-controlled operating operating system system »» Examples ofof hardware Examples hardware devices: devices: CRU® CRU® WiebeTech® WiebeTech® USB USB WriteBlocker WriteBlocker ,, Tableau Forensic Tableau Forensic Bridges, Bridges, etc. etc. =* |f software write write blocker blocker isis used: used: »» Boot the Boot the system system with with the the examiner-controlled examiner-controlled operating operating system system »» Activate write Activate write protection protection » software applications: Examples of software applications: SAFE SAFE Block, MacForensicsLab MacForensicsLab Write Write Controller, etc. Controller, etc. Step 5: Enable Write Protection on the Evidence Media Write refers to one or more measures that prevent a storage media from being protection refers Write protection written to or modified. It may either be implemented by a hardware device, or a software the allows the program on the computer accessing the storage media. Enabling write protection allows data to be read but prohibits writing or modification. InIn the the context context of forensic data acquisition, the evidence media — which refers to the storage in the original device from which data must be copied onto a separate storage device — must be write protected to safeguard it from modifications. Write protection is important because forensic investigators should be confident about the integrity integrity of the evidence they obtain during acquisition, analysis, and management. The The evidence should be legitimate in order for it to be accepted by the authorities of the court. Therefore, the investigator needs to implement a set of procedures to prevent the execution of any any program that can can alter the disk disk contents. contents. some measures are some The following are provide defense measures that provide mechanisms against defense mechanisms alterations: against alterations: = Set Setaa hardware jumper jumper toto make the the disk read-only read-only == Use Use operating operating system software that and software system and cannot write that cannot the disk write toto the instructed unless instructed disk unless == Employ Employ aa hard hard disk disk write write block block tool protect against tool toto protect writes disk writes against disk Hardware Hardware andand software software write write blocker blocker tools tools provide read-only access provide read-only hard disks access toto hard other and other disks and storage storage devices devices without compromising their without compromising their security. main differences The main security. The these among these differences among solutions solutions arise arise during during the the installation installation and and usage usage stages. stages. Module Module 2020 Page Page 2287 2287 Certified Certified Cybersecurity Cybersecurity Technician Technician Copyright EC-Council Copyright ©© byby EC-Council All Rights All Rights Reserved. Reserved. Reproduction Reproduction isis Strictly Strictly Prohibited. Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics = |f hardware write blocker is used: o Install a write blocker device o Boot the system with the examiner-controlled operating system o Examples of hardware devices: CRU® WiebeTech® USB WriteBlocker™, Tableau Forensic USB Bridge, etc. = |f software write blocker is used: o Boot the system with the examiner-controlled operating system o Activate write protection o Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc. Module 20 Page 2288 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.