Part 4 - Keys of Preservation


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson covers the keys to preservation. In order to keep evidence clean and accurate, it is important that investigators do not tamper with or alter any evidence. In addition, it is important to remember that evidence goes beyond computers and could also include devices such as IDS, routers, firewalls, sniffers or other devices. Finally, evidence must be collected in order of volatility, that is, prioritizing the evidence that will change or disappear once power is shut off. Volatile evidence provides the strongest information about an incident.

Video Transcription
00:03

Moving on from photography, we go to the keys of preservation. Preserving evidence should be your primary goal. The investigators should not attempt to alter the system, or should alter it as little as possible during the course of the investigation, by following sound incident responder principles. Some of the techniques that we're going to show you are going to be very minimal in changing the state of the system. However, some of the techniques that we're going to show you are going to change the state of the system slightly, and that's going to be really the only way that you can collect some evidence. That being said, you'd have to take certain considerations into mind as to why you're doing certain procedures and what evidence you may or may not be giving up if you do these procedures.

Keep in mind, though, as you're going about attempting to preserve evidence, that computers may not be your only piece of evidence. There could be other witness devices such as IDSs, routers, firewalls, sniffers or other devices along that path that could have captured traffic during the incident. So don't just think of the computer; think of the other devices as well.

Then as we're collecting and preserving evidence, we want to collect it and preserve it in the order of volatility. That essentially is going to prioritize your preservation and collection to evidence that can change once the power is shut off, the goal being to collect the information that has the greatest likelihood of being changed once power is lost. Then the volatile data which we've talked about, it's running on the route system. The amount of data essentially is going to provide insight into the activities that occurred on that system. That could be the most important piece of information together. Again, the caveat is that it is going to be time sensitive. Depending on how old the case might be, or when you were notified of the incident, if it's something that's been ongoing or the computers have been shut on and off, that may limit the need to collect that volatile data.

One of the other things that you have to be cognizant of when preserving evidence is destructive activity. In particular, if a malicious actor has had foreknowledge of the investigation, he or she may attempt to destroy that evidence to hide their activities. That destruction could come anywhere from physical destruction, where once you arrive on a scene you've got somebody standing there with a hammer and he's bashing in his computer system or hard drive, to them attempting to delete files, which is not necessarily the worst thing. Hopefully we can recover those. He may be attempting to format and/or wipe the system using CCleaner or some other type of program like BleachBit, so you want to be paying particular attention to destructive activity such as that.

That activity obviously has observable indicators for the investigator. If you get there and someone's holding a hammer and they're bashing on the computer, that's a pretty good indicator. If you get there and you see certain files or programs up on the computer system, such as CCleaner running and cleaning all of the data on the system, that should be an indicator. Other indicators are generally more subtle. It could be a flashing or solidly illuminated hard drive light, indicating hard drive activity. You could have a spinning hard drive, which resembles rattling or whirring. However, don't confuse that with cooling fans. Then you can also attempt to detect that through touch, that slight vibration.

Other destructive activities, though, could be routine, such as defragmentation. There are certain processes that are set up to run; you just happen to get there as it's defragmenting the disk. Obviously that will change the state of the system, so you would want to disable that from occurring. Again, we talked about automatic cleaners. Every time you log on to a system, maybe CCleaner is going to run, or after it gets to a certain point, CCleaner is going to run at 12 o'clock every day. Those are things to consider. Then even something such as downloading material over the Internet can also overwrite any type of data that is going to be in that volatile memory.

The big questions that you have to ask yourself are: what type of destruction is occurring? Then, will that destruction cause harm if it is allowed to continue? Is there encrypted data that needs to be captured? If you're going to shut off the system and there are certain files or folders that are unencrypted, and by shutting the system off it will re-encrypt that data and you'll lose it, is it important to maybe capture that data first? Then, is the computer connected to cloud storage devices that may be pertinent to your investigations? Again, by disconnecting that computer or turning it off, you might lose that connection to cloud storage, and that could be the key to unlocking your investigation.

Stopping the destructive activity: how do you do it? Stop the person from bashing in the computer with the hammer. Well, I'll leave that up to you how you go about doing that, but stopping a particular program or application could be just as simple as clicking the red X. You could also try a graceful shutdown of a system or a hard shutdown of the system. Lastly, pulling the power cord from the back of the system, including on your PC; obviously on a laptop, pulling the cord is not going to do a whole lot of good. However, pulling that power cord, there are going to be some caveats to that. That's going to be the universal power supply. If you have a UPS attached to your system, when you pull the power cord, nothing's going to happen. Your computer system will continue to run and it will not know that power has been lost, because the UPS has kicked on and continues to power the system. A UPS can either be internal or external to the system. An internal UPS can look like a power supply. It can look like a control panel at the front of the box, or a PCI card; or externally, it can look like a power supply as well. The safest option when dealing with some of these UPSs, if you don't know where they are or what they look like and pulling the power cord out of the wall is not working, is to open the case and handle the components while the power is still on, and then disconnect the input/output cables from the drive. I will remind you that it is important to use the proper grounding techniques or to discharge any static electricity before handling these hard drives, because you could essentially damage them with that static electricity and any evidence on them would then become useless.

We hinted at the order of volatility a little bit earlier in this discussion about capturing data that is going to be lost once power is shut off. Here we have the order of volatility. From most volatile to least volatile, we have registers and cache. Then we move on to the routing tables, ARP cache, process tables, kernel statistics, connections, and memory. Down from that we have temporary files. Then we have hard disk and/or other non-volatile storage media. Then we have remote logging and monitoring devices. Then we have network topology and physical configuration, and lastly we have archive media. Those are in order of how you would generally want to go about and collect data during your forensic investigation.
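As an added example (not part of the course or its transcript), the Python below turns the order of volatility listed at the end of the transcript into a collection plan and records a SHA-256 for each captured artifact, so that any later alteration of the capture is detectable. The /proc and /etc paths are assumed Linux sources for the live tiers; on a host without them each unreadable artifact is recorded as an error rather than silently skipped.

```python
import hashlib
import time
# Tiers as the lesson lists them, most volatile first (index = rank).
VOLATILITY_TIERS = (
    "registers and cache",
    "routing tables, ARP cache, process tables, kernel statistics, connections, memory",
    "temporary files",
    "hard disk and other non-volatile storage media",
    "remote logging and monitoring devices",
    "network topology and physical configuration",
    "archive media",
)
# Constructed mapping of live artifacts to Linux /proc and /etc sources (assumed
# paths). Registers and cache have no file source, so tier 0 does not appear.
LIVE_SOURCES = {
    "routing table": (1, "/proc/net/route"),
    "arp cache": (1, "/proc/net/arp"),
    "tcp connections": (1, "/proc/net/tcp"),
    "kernel statistics": (1, "/proc/stat"),
    "memory summary": (1, "/proc/meminfo"),
    "hostname (physical configuration)": (5, "/etc/hostname"),
}

def plan_collection(artifacts):
    """Artifact names sorted most-volatile-first; order is stable within a tier."""
    return [name for name, _ in sorted(artifacts.items(), key=lambda kv: kv[1][0])]

def preserve(name, data):
    """One manifest entry: what was captured, when, how big, and its SHA-256."""
    return {"artifact": name, "collected_at": time.time(),
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def verify(entry, data):
    """Re-hash captured data and compare it with the manifest entry."""
    return hashlib.sha256(data).hexdigest() == entry["sha256"]

def collect_live(artifacts=LIVE_SOURCES):
    """Read each source in volatility order; unreadable ones are recorded, not dropped."""
    manifest = []
    for name in plan_collection(artifacts):
        tier, path = artifacts[name]
        try:
            with open(path, "rb") as fh:
                entry = preserve(name, fh.read())
        except OSError as exc:  # non-Linux host or missing file
            entry = {"artifact": name, "error": str(exc)}
        entry["tier"] = VOLATILITY_TIERS[tier]
        manifest.append(entry)
    return manifest
```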