Data Forensics - Static Acquisitions

In the world of data forensics, the investigation of computer devices, there are two types of acquisition: static and live. Static acquisition is the preferred method of obtaining forensic evidence. It is performed on a forensically obtained copy of the hard drive and its data rather than on the original, with the computer powered off. Live acquisition is used when the device under investigation is still powered on. A live acquisition can capture running data by extracting RAM, as well as photographing the windows currently open on the device. The downside of a live acquisition is that it is vulnerable to remote-wiping methods by the device owner: for instance, the owner may have a kill switch that requires a PIN once every 48 hours and otherwise wipes the drive. Another example is a suspect who is part of a group of individuals; if one of the other members catches wind that the suspect has been apprehended, they may initiate a remote wipe. In general, it is preferred to do a static acquisition on copies of the device to secure the data and to establish clear non-repudiation of the data.



Tools include hashing software (X-Ways WinHex), decryption software (Elcomsoft Forensic Disk Decryptor), image copying software (FTK Imager Lite), remote investigation software (ProDiscover), recovery software and log analysis software (X-Ways Forensics). Additionally, having software to acquire data with a write-blocker, for the operating systems most likely to be encountered, is essential (such as Linux Live CD for Linux, Mini-WinFE for Windows). Together, these tools help acquire, analyze, and preserve evidence in a forensically sound way, to "minimize the risk of failure in your investigation" (Nelson, 2019).

A crime scene should be secured, preventing well-intentioned or curious individuals from contaminating the evidence. Photographs and video should be taken of the crime scene, and of the extraction of data. A journal should be kept of all activities within the crime scene, the data acquisition process, and the acquired data. Unless a live acquisition is necessary, usually determined by the Digital Evidence First Responder, a graceful shutdown of the evidence devices should be done. This helps protect valuable log data and prevent remote tampering or automated kill switches from the suspect.

Evidence should be stored in an anti-static bag when retrieving it from the crime scene. Once obtained, it should be kept in a secured facility with controlled access so as to maintain a chain of custody. Chain of custody helps ensure that the evidence and expert analysis are admissible in court, and reduces the chance that a court can find a reason to dismiss your evidence. Lastly, ensure that U.S. DOJ standards are followed and that ISO/IEC standard 27037 is consulted. All of these measures are important so as to reduce the likelihood of your evidence being corrupted, damaged, or rendered inadmissible in court.
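The hashing, imaging and journaling tools named above all rest on the same idea: read the evidence once, without writing to it, record digests of what was read, verify the copy against those digests, and log every step with a timestamp so the chain of custody can be shown later. The script below is an added example written for this page; it is not code from the page, from Nelson (2019) or from any of the named tools. It images a constructed sample file (standing in for a drive), hashes the source while copying, re-hashes the written image, and appends JSON-lines journal entries. The examiner name and file names are placeholders. Opening the source read-only in software is not a substitute for the hardware write-blocker the text calls for; the script only illustrates the verification and record-keeping side of a static acquisition.

```python
"""Image a (constructed) source, hash it while copying, verify the image,
and record each step in a chain-of-custody journal. Added example; not
code from the page or from any forensic tool it names."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                  # 1 MiB read size keeps memory flat on large drives
ALGORITHMS = ("md5", "sha256")   # two digests, as imaging tools commonly report


def hash_stream(stream, algorithms=ALGORITHMS, chunk=CHUNK):
    """Return {algorithm: hexdigest} over every byte readable from stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(chunk)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for hashing an in-memory byte string."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_path(path, algorithms=ALGORITHMS):
    """Hash a file opened read-only; evidence is never opened for writing."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def acquire_image(source, image, algorithms=ALGORITHMS, chunk=CHUNK):
    """Copy source to image byte-for-byte, hashing the source as it is read,
    then independently re-hash the written image and compare the digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())   # make sure the image really reached disk
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    image_hashes = hash_path(image, algorithms)
    return {"source": source, "image": image, "bytes": size,
            "source_hashes": source_hashes, "image_hashes": image_hashes,
            "verified": source_hashes == image_hashes}


def verify_image(image, expected_hashes):
    """Re-hash an image (after transport or storage) against the digests
    recorded at acquisition time. Any single changed byte fails the check."""
    return hash_path(image, tuple(expected_hashes)) == expected_hashes


def journal_entry(journal, examiner, action, details):
    """Append one timestamped JSON line to the acquisition journal."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, "details": details}
    with open(journal, "a") as j:
        j.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def demo():
    """Run the whole flow on a constructed 'device' in a temp directory.
    Returns (image verified, intact on later check, intact after tampering)."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "suspect_disk.raw")   # constructed stand-in
    image = os.path.join(workdir, "suspect_disk.dd")
    journal = os.path.join(workdir, "journal.jsonl")
    with open(device, "wb") as f:
        f.write(b"constructed sample disk contents\n" * 5000)   # not real data

    result = acquire_image(device, image)
    journal_entry(journal, "examiner-placeholder", "acquire", result)

    intact = verify_image(image, result["source_hashes"])   # custody check
    with open(image, "r+b") as f:                           # simulate damage in storage
        f.seek(10)
        f.write(b"X")
    after_change = verify_image(image, result["source_hashes"])
    journal_entry(journal, "examiner-placeholder", "verify",
                  {"intact_before": intact, "intact_after_change": after_change})
    return result["verified"], intact, after_change


if __name__ == "__main__":
    print(demo())   # expected: (True, True, False)
```

Each journal line records who did what and when, which is the written counterpart of the photographs, video and secured storage described above; a later custody check that fails (the third value in the demo) is exactly the situation chain-of-custody records exist to expose.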

As Sun Tzu states, you must determine the field of battle if you wish to succeed, or in this case prepare for the evidence search (Sun Tzu, 2009). Questions to answer include: Is it the private or public sector, and is it a criminal case or a policy violation? What operating systems are involved? Does the evidence reside in a cloud ecosystem? Are there concerns about biological, radiological, or chemical contaminants that require the use of HAZMAT equipment? What is the temperature and humidity range of the environment? You must also determine whether you can retrieve the evidence, and where you are authorized to store it for the entirety of the investigation.

Data classification helps characterize data with standardized labels to ensure the data is properly utilized and managed (Newhouse, 2023). With proper data classification, the optimal evidentiary protection methods can be applied and the evidence can maintain its admissibility in court. Additionally, it helps ensure that data is acquired within the scope of the investigation and that only legally authorized data is acquired and stored. For example, if child pornography is discovered, the data must be handed over to law enforcement and not accessed or stored on private or public storage. Lastly, proper classification helps streamline the analysis process by narrowing the scope of tools and techniques needed.



References

Nelson, B. P. (2019). Guide to computer forensics and investigations (6th ed.). Cengage Learning. https://uagc.instructure.com/courses/143518/modules/items/7319808

Newhouse, et al. (2023). Data classification concepts and considerations for improving data protection. National Institute of Standards and Technology. Retrieved from https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8496.ipd.pdf

Sun Tzu. (2009). The art of war (L. Giles, Trans.). Digireads.com Publishing. (Original work published 1910) http://www.gutenberg.org/ebooks/132
