31 - Desktop Forensics / notes

Page 1: Starter Activity

  • Complete the crossword puzzle (5 minutes) to engage with key vocabulary related to desktop forensics.

Page 2: Desktop Forensics

  • Focus on forensic procedures specifically designed for examining desktop systems, ensuring a thorough understanding of the processes involved in data recovery and evidence collection.

Page 3: Advanced Organizer

Key Dates:

  • 13/01 – Review Disaster Recovery Policy implications for restoring operations after data loss.

  • 19/01 – Explore External Service Provider roles in supporting forensic investigations.

  • 26/01 – Discuss Network Forensics techniques and their relevance in tracking malicious activities across networks.

  • 27/01 – Delve into Forensic Analysis Requirements, emphasizing the standards that must be met during investigations.

  • Today – Conduct in-depth analysis of Desktop Forensics methodologies.

Page 4: Lesson Objectives

Ability to:

  • List detailed tasks involved in desktop forensics including acquisition, analysis, and reporting.

  • Analyze data effectively to identify trends and anomalies relevant to cybersecurity incidents.

  • Discuss challenges encountered in live forensics, such as addressing volatile data and ensuring evidence integrity.

Page 5: Recap: External Service Providers

  • Understand that these third parties perform specialized tasks for businesses under agreements called Service Level Agreements (SLAs).

  • Examples of services include:

    • Cloud Storage: Addressing data security and recovery processes in cloud environments.

    • Hardware Services: Evaluating hardware support for evidence preservation.

    • Software Services: Utilizing specialized forensic tools to assist in investigations.

Page 6: Digital Forensics

  • The investigation surrounding IT systems in relation to cybercrime.

  • Collects evidence for court presentations, ensuring adherence to legal standards.

  • Identifies the methodology behind incidents to inform prevention strategies for future attacks.

Page 7: Desktop Forensics

  • Also referred to as "computer forensics."

  • Involves a focused analysis of desktop computer systems to recover and scrutinize data.

Page 9: Confiscation of Devices

  • Acquire devices that were impacted during an attack, which also includes peripherals and external storage, as they provide critical evidence.

  • Importance of collecting peripherals: aids in gathering a comprehensive set of evidence vital for complete analysis.

Page 10: Legal Considerations

  • Stress that when devices belong to an external party, legal channels such as law enforcement must be involved, so that the evidence gathered keeps its integrity.

  • Evidence risks include deletion or contamination – emphasizing the necessity of proper handling and documentation.

Page 11: Taking an Image of the System

  • System image includes:

    • Operating System: The core software that manages hardware and software interactions.

    • Settings: Configuration files that may indicate user preferences and operational status.

    • Programs: Installed applications that could be relevant to the case.

    • Files: All user-generated and system files that may contain pertinent information.

Page 12: Image Acquisition

  • Emphasize never investigating directly on original devices to protect the evidence.

  • Reason: Avoid destruction or contamination of evidence that could compromise the integrity of the investigation.

Page 13: Purpose of System Images

  • Preserve evidence in its original state, ensuring it remains intact for analysis and court proceedings.

  • Allows for additional imaging if necessary, ensuring continued access to original data.
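The three pages above describe the acquisition step: copy the original device bit for bit, prove the copy matches, and then work only on the copy. The script below is an added example (not part of the lesson notes) that walks through that sequence on a constructed "suspect disk" file: it hashes the source, streams it into an image, hashes the image, records the result, and then shows how re-hashing detects a working copy that has been altered. The file names, the sample disk contents and the record format are all constructed here for illustration.

```python
"""Added example: bit-for-bit acquisition of a constructed evidence source with
hash verification. Not the lesson's own code; the paths and the sample source
contents are constructed here for illustration."""
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so a large image never has to fit in RAM


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy `source` byte for byte to `image`, hashing before and after.

    The source is opened read-only and never written to; every later step of
    the investigation runs against `image`, never against `source`.
    """
    before = hash_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    after = hash_file(image)
    return {
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(source),
        "sha256_source": before,
        "sha256_image": after,
        "verified": before == after,  # the image is only usable if this holds
    }


def verify_image(record: dict) -> bool:
    """Re-hash the working image and compare it with the acquisition record.

    False means the working copy no longer matches what was acquired, which
    is the cue to discard it and take a fresh copy from the preserved original.
    """
    return hash_file(record["image"]) == record["sha256_source"]


def demo() -> dict:
    """Run the whole scenario in a scratch directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_disk.raw")   # stands in for the seized device
        image = os.path.join(work, "suspect_disk.img")    # the investigator's working copy
        with open(source, "wb") as f:                     # constructed sample contents
            f.write(b"CONSTRUCTED-SAMPLE-DISK" + bytes(range(256)) * 64)

        record = acquire_image(source, image)
        intact = verify_image(record)

        # Simulate an analyst accidentally writing one byte into the working copy.
        with open(image, "r+b") as f:
            f.seek(8)
            f.write(b"X")
        after_tamper = verify_image(record)

        return {
            "record": record,
            "intact": intact,
            "after_tamper": after_tamper,
            # The original must still hash to the acquisition value.
            "source_untouched": hash_file(source) == record["sha256_source"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the acquisition record holds the hash of the original, a mismatch on the working copy never forces a return to the seized device for comparison; a second image can be taken from the preserved original and checked against the same value.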

Page 14: Activity Discussion

  • Discuss how contamination or tampering of physical evidence relates closely to issues encountered within digital evidence handling.

Page 15: Using Forensic Analysis Tools

  • Software designed for forensic examination makes the investigative process more efficient by simplifying complex tasks.

  • Tools can be general-purpose or highly specialized, depending on the specifics of the investigation.

Page 17: Reviewing Data

  • Tasks include:

    • Identifying modified or deleted files that may indicate suspicious activity.

    • Understanding the nature of attacks and the potential perpetrator’s methods.

Page 18: Reviewing System Logs

  • Logs contain crucial data regarding:

    • Installed services that may have contributed to a vulnerability.

    • Device power events indicating unusual behavior.

    • Unexpected shutdowns that could correlate with a breach.

    • Login details to track user access.

Page 19: Reviewing User Activity

  • Traces of user actions that can be examined include:

    • Logged-in users, identifying who had access to the system.

    • Websites visited, evidencing internet activity relevant to the investigation.

    • Applications and flash drives accessed, which may have been used to exfiltrate data.

    • Downloaded files that could contain malware or relate to unauthorized activities.

    • Networks connected to during critical periods.
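Pages 18 and 19 list what an investigator looks for in system logs (installed services, power events, unexpected shutdowns, login details) and in user-activity traces (who logged in, removable media). The script below is an added example, not part of the lesson notes, that pulls those event types out of syslog-style lines and flags two patterns: a successful login preceded by failed attempts from the same source, and a boot that was not preceded by a clean shutdown (a crash or hard power-off). The log lines, hostname, addresses and service name are all constructed for illustration.

```python
"""Added example (not the lesson's own code): extracting login, service, power
and removable-media events from syslog-style lines. Every line below is
constructed for illustration; the host and addresses are not real."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 26 07:58:40 ws-07 kernel: Linux version 5.15.0-generic (buildd@lcy02)
Jan 26 08:02:11 ws-07 sshd[2231]: Accepted password for alice from 10.0.5.20 port 51422 ssh2
Jan 26 08:30:45 ws-07 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jan 26 09:15:02 ws-07 sshd[2410]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 26 09:15:05 ws-07 sshd[2410]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 26 09:15:09 ws-07 sshd[2415]: Accepted password for root from 203.0.113.9 port 40130 ssh2
Jan 26 09:16:30 ws-07 systemd[1]: Started Remote Helper Service.
Jan 26 09:21:17 ws-07 kernel: Linux version 5.15.0-generic (buildd@lcy02)
Jan 26 17:05:00 ws-07 systemd[1]: Reached target Power-Off.
Jan 27 08:01:03 ws-07 kernel: Linux version 5.15.0-generic (buildd@lcy02)
"""

# timestamp, host, program (optional [pid]), message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")
SERVICE_RE = re.compile(r"^Started (?P<name>.+)\.$")


def parse_line(line: str):
    """Classify one log line; returns an event dict or None if not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, prog, msg = m["ts"], m["prog"], m["msg"]
    if prog == "sshd":
        lm = LOGIN_RE.match(msg)
        if lm:
            return {"ts": ts, "kind": "login", "result": lm["result"],
                    "user": lm["user"], "src": lm["src"]}
    if prog == "kernel" and msg.startswith("Linux version"):
        return {"ts": ts, "kind": "boot"}                 # system start
    if prog == "kernel" and "USB Mass Storage device detected" in msg:
        return {"ts": ts, "kind": "usb_storage"}          # flash drive attached
    if prog == "systemd":
        if msg.startswith(("Reached target Power-Off", "Reached target Reboot")):
            return {"ts": ts, "kind": "clean_shutdown"}
        sm = SERVICE_RE.match(msg)
        if sm:
            return {"ts": ts, "kind": "service_started", "name": sm["name"]}
    return None


def review(log_text: str) -> dict:
    """Build a timeline from the log and summarise the points worth a closer look."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    failed = Counter((e["user"], e["src"]) for e in events
                     if e["kind"] == "login" and e["result"] == "Failed")
    # A success from a source that had already failed against the same account.
    suspicious_logins = [e for e in events if e["kind"] == "login"
                         and e["result"] == "Accepted" and failed[(e["user"], e["src"])] > 0]

    # A boot with no clean shutdown before it means the machine crashed or was
    # powered off hard; the first boot in the log has no history and is skipped.
    unexpected_boots, seen_boot, last_clean = [], False, False
    for e in events:
        if e["kind"] == "boot":
            if seen_boot and not last_clean:
                unexpected_boots.append(e["ts"])
            seen_boot, last_clean = True, False
        elif e["kind"] == "clean_shutdown":
            last_clean = True

    return {
        "accepted_logins": [(e["user"], e["src"]) for e in events
                            if e["kind"] == "login" and e["result"] == "Accepted"],
        "failed_by_source": dict(failed),
        "suspicious_logins": suspicious_logins,
        "services_started": [e["name"] for e in events if e["kind"] == "service_started"],
        "usb_storage_events": [e["ts"] for e in events if e["kind"] == "usb_storage"],
        "unexpected_boots": unexpected_boots,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against an exported log copied from the image rather than the live system, and extend the regular expressions to the log formats actually present in the case; the value of this pass is the timeline it produces, which is what lets a service start, a removable drive and a login be placed next to each other in time.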

Page 20: Malware Analysis

  • Involves analyzing malicious software to support investigations by providing insights into its operations.

  • Identifies the extent of damage caused by malware and offers valuable evidence for court presentations.

Page 21: Malware Alerts

  • Utilize antivirus software to review flagged malware incidents and related information that could assist in understanding threat vectors.

Page 23: Challenges of Live Forensics

  • Conducting analysis on active systems introduces specific complications.

  • Volatile data, such as RAM contents, is critical to investigations but may be accidentally altered during the process.

Page 24: Live Forensics

  • Involves analyzing original systems in real-time, capturing valuable data that reflects the system's status at the point of investigation.

  • Emphasizes that volatile data is key for understanding active threats.

Page 25: Data Contamination Risks

  • Discuss the risk of changing data which poses a significant threat to evidence integrity during investigations.

  • Identify how active malware complicates investigations by altering or deleting critical data.

Page 26: Data Corruption Factors

  • Investigative actions may corrupt data, thus highlighting the need for specialized recovery methods to mitigate risks.

Page 28: Capturing Active Memory

  • Active memory can reveal:

    • Network connections that indicate current communications.

    • Running processes that could signify ongoing attacks or system integrity issues.

    • Open files that may contain sensitive information.

    • Malware details crucial for understanding threats.

Page 29: Losing Temporary Data

  • Temporary files can hold critical recovery information, especially if a program unexpectedly shuts down.

  • Emphasize the importance of keeping devices on during analysis to avoid losing this vital information.

Page 31: Summary

  • Post-cybercrime investigations focus on:

    • Identification of affected devices.

    • Data extracted from system images.

    • Specific malware involved in the attack, aiding in understanding and preventing similar incidents in the future.

Page 32: Lesson Objectives

  • Reiterate lesson objectives focusing on the practical application of desktop forensics and evaluation of live forensic analysis methods, ensuring comprehensive learning outcomes.