Flashcards from Cyber Forensics and Incident Response Unit Review
Digital Forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation, use of validated tools, repeatability, reporting, and possible expert presentation.
Vulnerability/threat assessment and risk management
Tests and verifies the integrity of stand-alone workstations and network servers.
Network intrusion detection and incident response
Detects intruder attacks by using automated tools and monitoring network firewall logs.
Digital investigations
Manages investigations and conducts forensics analysis of systems suspected of containing evidence.
Forensic Readiness and Business Continuity
Helps maintain business continuity by making evidence easy to identify. Quickly identify incidents. Analyze the chain of evidence. Collect admissible and legally sourced evidence. Eliminate the threat of the incident recurring. Maintain efficient recovery plans. Collect information to legally prosecute perpetrators and claim damages.
Security Operations (SecOps)
An organizational approach that combines security teams and IT operations teams to safeguard against escalating and complex cyber threats. It aims to bridge the gap between security and IT operations so that both sets of objectives are met effectively, ensuring the safety of IT infrastructure, networks, and data.
Cyber Incident Response Process (CIRP)
To support a swift and effective response to cyber incidents aligned with the organisation’s security and business objectives, such as Cyber Forensics.
Digital Evidence
Must establish a credible link between attacker, victim, and crime scene: “anyone or anything that enters a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave.”
Residual Data
Left behind when a document is deleted. It can be retrieved until the space is reused.
Metadata
Records about a particular document or file. May include authorship information, modification timestamps, etc.
Data Acquisition Formats
Raw, Proprietary, AFF
Identifying Digital Evidence
Identify digital information or artifacts that can be used as evidence. Collect, preserve, and document evidence. Analyze, identify, and organize evidence. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably. Collecting digital devices and processing a criminal or incident scene must be done systematically.
Order of Volatility
Registers/Cache Memory > Temporary file system > Disk media > Remote logs or monitoring data > Physical config or topology > Archive media (Most to Least Volatile)
Requirements for Identification, Collection, Acquisition and Preservation of Digital Evidence
Auditable, Repeatable, Reproducible, Justifiable
Write-blocker
Prevents data writes to a hard disk.
File system
Gives the OS a road map to data on a disk. The type of file system an OS uses determines how data is stored on the disk.
Partition
A logical drive. Windows OSs can have three primary partitions followed by an extended partition that can contain one or more logical drives.
FAT (File Allocation Table)
File structure database that Microsoft originally designed for floppy disks.
The FAT database is typically written to a disk’s outermost track and contains:
Filenames, directory names, date and time stamps, the starting cluster number, and file attributes.
NT File System (NTFS)
Introduced with Windows NT. The primary file system for Windows.
Registry
A database that stores hardware and software configuration information, network connections, user preferences, and setup information.
Second Extended File System (Ext2)
The early Linux file system standard.
Third Extended File System (Ext3)
Replaced Ext2 in most Linux distributions.
Fourth Extended File System (Ext4)
Added support for partitions larger than 16 TB.
Hierarchical File System (HFS)
Files stored in nested directories (folders). Used before OS X.
Extended Format File System (HFS+)
Introduced with Mac OS 8.1. Supports smaller file sizes on larger volumes, resulting in more efficient disk use.
Apple File System (APFS)
Introduced in macOS High Sierra. When data is written to a device, metadata is also copied to help with crash protection.
Active acquisition
Network acquisition that changes the packets.
Passive acquisition
Network acquisition that should not change the packets.
Cloud Forensics
A subset of network forensics. Can have three dimensions: organizational, legal, and technical.
Cloud service agreements (CSAs)
A contract between a CSP and the customer that describes what services are being provided and at what level. Includes service level agreements (SLAs).
Abstract
Condenses the report to concentrate on the essential information.
The Body
Consists of the introduction and discussion sections.
The Conclusion
Starts by referring to the report’s purpose, states the main points, draws conclusions, and possibly renders an opinion.
Steganography
The practice of concealing a file, message, image, or video within another file, message, image, or video.
Lossless Compression
Reduces file size without removing data.
Lossy Compression
Permanently discards bits of information.
The 3G standard
Was developed by the International Telecommunications Union (ITU) under the United Nations. It is compatible with Code Division Multiple Access (CDMA), Global System for Mobile (GSM), and Time Division Multiple Access (TDMA).
4G networks
Can use the following technologies: Orthogonal Frequency Division Multiplexing (OFDM), Mobile WiMAX, Ultra Mobile Broadband (UMB), Multiple Input Multiple Output (MIMO), and Long Term Evolution (LTE).