4.8 Digital Forensics


7 Terms

1

Digital Forensics

Involves collecting and analyzing data after a security event to understand what happened, prevent future attacks, and support legal proceedings.

  • Following best practices during data acquisition, analysis, and reporting is crucial, since this evidence may be used years later in court.

  • RFC 3227 (Guidelines for Evidence Collection and Archiving) describes best practices for collecting and archiving evidence, including the order of volatility: capture the most short-lived data (registers, cache, memory, network state) before disks and backups.

2

Legal Hold

A formal request, often from a lawyer, to preserve specific data for legal reasons.

  • This request is sent to a data custodian, who must locate and secure the electronically stored information (ESI) involved.

  • The data is placed in a designated repository and must be preserved exactly as specified.

  • May require extracting information from complex systems, such as converting email archives from proprietary formats to readable text.

3

Chain of Custody

Ensures digital evidence remains unchanged and traceable from the moment it’s collected.

  • Like sealing physical evidence in a tamper-evident bag, digital evidence must be handled using secure processes—such as cryptographic hashes and digital signatures—to prove its integrity.

  • Every time someone accesses the data, that action must be recorded.

  • This documentation helps verify that the evidence viewed later is exactly what was originally collected.

4

Acquisition

The first step in digital forensics; it involves collecting data from a variety of sources.

  • Can include disk drives, system memory, firmware, virtual machines, or file systems.

  • Data might come from multiple endpoints like servers, firewalls, or network devices.

  • In virtual environments, a full VM snapshot (disk plus memory state) can capture all relevant data in one step.

  • Important evidence may also be hidden in less obvious places—like log files, the recycle bin, browser bookmarks, saved credentials, or temporary folders.
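The acquire, hash and log flow from the Acquisition and Chain of Custody cards above, as an added example that is not part of the original card set. It images a constructed stand-in for a block device (a byte string, not a real device), hashes what was read and what was written so the two can be compared, records every action in an append-only custody log, and re-verifies the image later; the evidence identifier and actor names are hypothetical.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 4096

# Constructed stand-in for a small block device. A real acquisition reads the
# device node opened read-only, ideally behind a hardware write blocker.
SAMPLE_DEVICE = b"FAKEDISK" + bytes(range(256)) * 40 + b"deleted.txt secret-notes\x00" * 100


def sha256_stream(fobj):
    """Hash a file-like object from its current position in fixed-size chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    """Convenience wrapper for in-memory data."""
    return sha256_stream(io.BytesIO(data))


def acquire_image(source, dest):
    """Bit-for-bit copy of source into dest, hashing what was read on the fly.

    Returns (source_hash, image_hash). They must match; a mismatch means the
    copy is not a faithful image and must not be treated as evidence.
    """
    read_digest = hashlib.sha256()
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        read_digest.update(chunk)
        dest.write(chunk)
    dest.flush()
    dest.seek(0)
    return read_digest.hexdigest(), sha256_stream(dest)


class CustodyLog:
    """Append-only record of every action taken on one evidence item."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, actor, action, sha256, note=""):
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "evidence_id": self.evidence_id,
            "actor": actor,
            "action": action,
            "sha256": sha256,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self):
        for entry in self.entries:
            if entry["action"] == "acquire":
                return entry["sha256"]
        raise ValueError("no acquisition entry in custody log")

    def verify(self, image, actor):
        """Re-hash the image and compare with the hash recorded at acquisition.
        The check is logged whether it passes or fails."""
        image.seek(0)
        current = sha256_stream(image)
        ok = current == self.acquisition_hash()
        self.record(actor, "verify", current, "MATCH" if ok else "MISMATCH")
        return ok


def run_demo():
    device = io.BytesIO(SAMPLE_DEVICE)
    image = io.BytesIO()
    source_hash, image_hash = acquire_image(device, image)

    log = CustodyLog("EV-0001")  # hypothetical evidence identifier
    log.record("A. Analyst", "acquire", image_hash,
               "image of SAMPLE_DEVICE; source hash " + source_hash)
    first_check = log.verify(image, "B. Examiner")

    # Simulate analysing the evidence copy directly instead of a working copy:
    # a single overwritten byte is enough to break the chain.
    image.seek(0)
    image.write(b"\xff")
    second_check = log.verify(image, "B. Examiner")

    return {
        "hashes_match": source_hash == image_hash,
        "first_check": first_check,
        "second_check": second_check,
        "entries": log.entries,
    }


if __name__ == "__main__":
    for entry in run_demo()["entries"]:
        print(entry["seq"], entry["time"], entry["actor"], entry["action"],
              entry["sha256"][:16], entry["note"])
```

The first verification matches the acquisition hash and is logged as MATCH; after the stray write the second verification is logged as MISMATCH with the new hash, which is exactly the record a third party would need to see that the image was altered after collection. In practice the log entries would also be signed so that the log itself cannot be quietly rewritten.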

5

Reporting

After acquiring data in a forensic investigation, it's crucial to thoroughly document how the data was collected and handled.

  • Reports typically begin with a summary of the incident and the reasons for initiating data acquisition.

  • This is followed by a detailed, step-by-step account of the acquisition process, including all integrity checks (such as hash values taken at acquisition and at each later verification) and the methods used to preserve the data's original state.

  • Clear documentation allows third parties to verify that the evidence remains unchanged.

  • In some cases, the report also includes a factual analysis of the data's structure and relevance.

  • Conclusions about how the data relates to the security incident give the IT and security teams findings they can act on directly.

6

Preservation

Once data is acquired, ensure it remains intact for potential legal proceedings, even years later.

  • Work on forensic copies rather than the original source, so analysis cannot modify the evidence. Copy promptly where the source could be lost, such as a mobile device that could be remotely wiped (isolate it from the network until it is imaged).

  • Some data can only be preserved while the system is live: memory contents disappear at power-off, and a full-disk-encrypted volume becomes unreadable once the system locks or shuts down.

  • Proper preservation keeps the data admissible in court; the actions taken now decide whether the evidence holds up later.

7

E-Discovery

In this context, focuses solely on data acquisition, not analysis.

  • Often supports legal or investigative efforts and works alongside broader forensic procedures.

  • You might be asked to create a forensic image of a hard drive and provide it, with its hash and custody record, to a forensics team.

  • Your role ends there; the team then examines the image for deleted files or other relevant information.