4.5 Digital Forensics

Digital Forensics

Collecting and protecting information relating to an intrusion

RFC 3227 - Guidelines for Evidence Collection and Archiving

Legal hold - a legal instruction to preserve information relevant to litigation or an investigation; normal deletion and retention schedules are suspended for that data

Admissibility - the determination of whether evidence will be allowed at trial

Chain of custody - control of the evidence from seizure through trial: document everyone who handled it, when, and why, and maintain its integrity so it can be shown to be unaltered

Forensics Data Acquisition

Order of volatility - how long data persists before it is overwritten or lost. Collect the most volatile sources first (CPU registers and cache, RAM, which are gone at power-off) and the least volatile last (disk, archival media). RFC 3227 gives the order: registers and cache; routing table, ARP cache, process table, kernel statistics, memory; temporary file systems; disk; remote logging and monitoring data; physical configuration and network topology; archival media.

Typical acquisition sources, most to least volatile: cache, RAM, swap/pagefile, network state (connections, ARP, routing), on-disk artifacts (logs, registry, browser history)


Managing Evidence

Integrity - hash the evidence at acquisition (e.g. SHA-256) and again at every later check; a matching checksum shows the copy is unaltered, a mismatch means the copy can no longer be shown to be the original

Provenance = documentation of authenticity: where the data came from and its chain of custody through every handling step. An append-only, tamper-evident ledger (blockchain technology has been proposed for this) can provide detailed tracking.
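The hashing and chain-of-custody points above, as an added example that is not part of the original notes: a Go program that records the acquisition hash, rehashes the image at every hand-off, and logs who received it and what hash they observed. The type names, the item ID, the examiner names and the image bytes are constructed for the illustration; a real run would read the image file from disk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// CustodyEntry is one line of the chain-of-custody log: who handled the
// evidence, when, what they did with it, and the hash they observed.
type CustodyEntry struct {
	When    time.Time
	Handler string
	Action  string
	SHA256  string
}

// EvidenceItem carries the hash taken at acquisition and a log that grows
// every time the item changes hands. (Constructed type, not from the notes.)
type EvidenceItem struct {
	ID              string
	AcquisitionHash string
	Log             []CustodyEntry
}

// HashImage returns the hex SHA-256 of an acquired image. The same routine is
// used at acquisition and at every later check so the values are comparable.
func HashImage(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// Acquire hashes the image and opens the custody log with the acquisition entry.
func Acquire(id, examiner string, image []byte, at time.Time) *EvidenceItem {
	h := HashImage(image)
	return &EvidenceItem{
		ID:              id,
		AcquisitionHash: h,
		Log:             []CustodyEntry{{When: at, Handler: examiner, Action: "acquired", SHA256: h}},
	}
}

// Transfer records a hand-off. The receiving party rehashes the copy they were
// given; the entry is logged either way, and the return value tells whether the
// copy still matches the acquisition hash. A false here is itself evidence that
// integrity was lost somewhere between the two custodians.
func (e *EvidenceItem) Transfer(to string, image []byte, at time.Time) bool {
	h := HashImage(image)
	ok := h == e.AcquisitionHash
	action := "received (hash verified)"
	if !ok {
		action = "received (HASH MISMATCH)"
	}
	e.Log = append(e.Log, CustodyEntry{When: at, Handler: to, Action: action, SHA256: h})
	return ok
}

func main() {
	// Constructed stand-in for a disk image; a real run would read the image file.
	image := []byte("constructed disk image bytes for the example")
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)

	item := Acquire("EV-0001", "examiner A", image, t0)
	fmt.Println("clean hand-off verified:   ", item.Transfer("examiner B", image, t0.Add(time.Hour)))

	// Simulate a single flipped byte in the copy handed to the next custodian.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered hand-off verified:", item.Transfer("examiner C", tampered, t0.Add(2*time.Hour)))

	for _, entry := range item.Log {
		fmt.Printf("%s  %-11s %-25s %s...\n",
			entry.When.Format(time.RFC3339), entry.Handler, entry.Action, entry.SHA256[:16])
	}
}
```

The log keeps the mismatching entry rather than discarding it: the fact that a copy arrived altered, and in whose hands, is part of the custody record and is exactly what opposing counsel will ask about.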

E-discovery = collect, prepare, review, interpret, and produce electronic documents for legal proceedings

Data recovery = extract deleted or missing data without altering the original; work from a verified forensic copy, never the source media

Non-repudiation = proof of data integrity and of the origin of the data, such that the originator cannot later deny it. A MAC (message authentication code) gives integrity and origin authentication between the two parties who share the key, but not non-repudiation: either key holder could have produced the tag, so a third party cannot tell who did. A digital signature provides non-repudiation, because only the holder of the private key can create a signature that verifies under the public key.
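The MAC-versus-signature distinction, as an added example that is not part of the original notes: the receiver, who holds the shared HMAC key, fabricates a statement the sender never made and produces a tag for it that verifies like a genuine one; the same receiver, holding only the sender's Ed25519 public key, cannot produce a signature that verifies. Keys and messages are constructed, and only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// MACTag computes HMAC-SHA256 over msg with the key both parties share.
func MACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MACVerify is what the receiver runs. It needs the very same key the sender
// used, which is the root of the non-repudiation problem.
func MACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MACTag(key, msg), tag)
}

// ReceiverForgesMAC plays the receiver: it fabricates a statement the sender never
// made, tags it with the shared key, and checks the tag. It verifies, so a MAC
// cannot prove to a third party which of the two key holders produced a message.
func ReceiverForgesMAC(sharedKey []byte) bool {
	forged := []byte("constructed: statement the sender never made")
	tag := MACTag(sharedKey, forged)
	return MACVerify(sharedKey, forged, tag)
}

// SignStatement is the sender's side of a digital signature: only the holder of
// the private key can produce a signature that verifies under the matching public key.
func SignStatement(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// ReceiverForgesSignature plays the receiver again. It has the sender's public key
// only, so the best it can do is sign with a key of its own; verification under the
// sender's public key fails and the forgery is exposed.
func ReceiverForgesSignature(senderPub ed25519.PublicKey) bool {
	_, receiverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := []byte("constructed: statement the sender never made")
	sig := ed25519.Sign(receiverPriv, forged)
	return ed25519.Verify(senderPub, forged, sig)
}

func main() {
	sharedKey := []byte("constructed shared HMAC key")
	fmt.Println("receiver's forged MAC verifies:      ", ReceiverForgesMAC(sharedKey))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed: genuine statement from the sender")
	sig := SignStatement(priv, msg)
	fmt.Println("sender's genuine signature verifies: ", ed25519.Verify(pub, msg, sig))
	fmt.Println("receiver's forged signature verifies:", ReceiverForgesSignature(pub))
}
```

For evidence handling this is why examiner attestations and timestamped acquisition records are signed rather than MAC'd: a signature can be checked by the court, the opposing expert, or anyone else holding the public key, and the signer cannot claim the other party produced it.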

Strategic intelligence = focusing on key threat activities for a domain

Strategic counterintelligence (CI) = identify adversaries who are collecting intelligence on us, disrupt their operations, and then gather threat intelligence on them in turn
