After completing this video, the learner will understand the basic concepts of computer forensics, including order of volatility, video capture, recording time offset, using witnesses and tracking time and expenses.
- [Voiceover] Information security professionals often find themselves asked to participate in many different types of investigations. In some cases, these are purely technical investigations of security incidents or other unusual circumstances. In other cases, security professionals may be called upon to assist law enforcement or other authorities in criminal and civil court cases. When asked to participate in the evaluation of electronic evidence, security professionals engage in a field known as Digital Forensics.
The goal of digital forensics is to collect, preserve, analyze and interpret digital evidence in support of an investigation. This includes everything from pulling data from a smartphone or laptop to analyzing network traffic logs. Digital forensic investigators have a wide variety of tools and techniques at their disposal and must follow some basic principles when working with evidence. One of the most important guiding principles of any forensic science is that investigators must never take any action that alters the evidence itself or may lead to misinterpretation of that evidence.
This is easy to understand when applied to physical forensics: investigators should wear gloves at a crime scene and avoid contaminating samples with their own DNA. It's a little more difficult to understand how this applies to digital forensics, but it is equally important that investigators working with digital data also take steps to ensure that they don't contaminate the evidence. I'll talk about this more in the System and File Forensics video. Volatility is an important consideration when it comes to digital evidence.
Every form of digital evidence has a different degree of permanence that requires investigators to gather the evidence in a timely manner. For example, data written to a hard drive will last longer than information stored in RAM. Hard disks, therefore, are less volatile than memory. The order of volatility influences how investigators should gather evidence. Investigators should place more urgency on gathering more volatile evidence during an investigation because time is of the essence.
Generally speaking, you should collect digital evidence in this order: begin with network traffic, then memory contents, moving on to system configuration, process information, and files, being sure to collect temporary files such as system swap space first. Then you can move on to logs and archived records. Whenever you gather any digital evidence, time is often a critical factor. Many investigations want to determine the precise time that an event occurred, or at least the order of certain events.
When analyzing digital evidence, it's important to always remember the source of time stamps. Just because a system recorded a time stamp on a file or log entry doesn't mean that that time is accurate. After all, how many of us have devices in our homes that constantly display an incorrect time? When conducting any forensic data capture, investigators should take note of the current time from a reliable source and compare it to the time on the device. This process is known as recording the time offset and is very useful when conducting analysis later.
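As an added illustration (not part of the video), the following Python script shows why recording the time offset matters: two devices with constructed clock errors log events, and sorting by the timestamps the devices wrote gives a different sequence than sorting by corrected time. Device names, clock values and log lines are all constructed for the example; the script assumes device timestamps are written in UTC so that the recorded offset is the only correction needed.

```python
from datetime import datetime, timezone

# Constructed capture notes: the investigator read a reliable reference clock
# and each device's own clock at the same moment. Offset = device - reference.
REFERENCE_AT_CAPTURE = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
DEVICE_CLOCK_AT_CAPTURE = {
    "fileserver": datetime(2024, 3, 1, 12, 7, 30, tzinfo=timezone.utc),  # 7m30s fast
    "firewall": datetime(2024, 3, 1, 11, 58, 0, tzinfo=timezone.utc),    # 2m slow
}

# Constructed log lines in the form "<device> <device timestamp> <message>".
SAMPLE_LOGS = [
    "fileserver 2024-03-01T11:50:00 finance share opened by user j.doe",
    "firewall 2024-03-01T11:43:10 outbound connection 10.0.0.5 -> 203.0.113.9:443",
    "fileserver 2024-03-01T11:52:00 payroll.xlsx copied to removable media",
]


def record_offset(reference_time, device_time):
    """Time offset as the video describes it: device clock minus reliable clock."""
    return device_time - reference_time


# Offsets are recorded once at capture time and reused during later analysis.
OFFSETS = {dev: record_offset(REFERENCE_AT_CAPTURE, t)
           for dev, t in DEVICE_CLOCK_AT_CAPTURE.items()}


def normalize(line, offsets):
    """Parse one log line and return (true_utc_time, device, message)."""
    device, stamp, message = line.split(" ", 2)
    device_time = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
    true_time = device_time - offsets[device]  # undo the device's clock error
    return true_time, device, message


def timeline(lines, offsets):
    """Events ordered by corrected time, not by the timestamps the devices wrote."""
    return sorted((normalize(line, offsets) for line in lines), key=lambda e: e[0])


def naive_timeline(lines):
    """The misleading order you get by trusting each device's own clock."""
    return sorted((normalize(line, {d: OFFSETS[d] * 0 for d in OFFSETS})
                   for line in lines), key=lambda e: e[0])


if __name__ == "__main__":
    print("Corrected sequence:")
    for true_time, device, message in timeline(SAMPLE_LOGS, OFFSETS):
        print(f"  {true_time.isoformat()} {device}: {message}")
```

With the constructed values the device clocks suggest the outbound connection came first, while the corrected timeline places it after the file copy.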
Digital forensic investigators may also make use of data sources that might not be considered truly digital. For example, video recordings of a facility, whether stored in digital or analog form, may provide evidence useful to investigators. Similarly, witness statements are often critical to putting together the pieces of digital evidence. Forensic investigators working on multiple cases should take the time to track their use of time and any expenses associated with the case.
In some situations, this may be important for properly billing a client. In any situation, it provides management with an accurate picture of how resources are used on different cases.