Time: 8 hours 6 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers the keys to preservation. To keep evidence clean and accurate, it is important that investigators do not tamper with or alter any evidence. In addition, it is important to remember that evidence goes beyond computers and could also include devices such as IDS, routers, firewalls, sniffers, or other devices. Finally, evidence must be collected in the order of volatility, which is the order in which evidence will change or be lost once power is shut off. Volatile evidence provides the strongest information about an incident.
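As an added example (not part of the lesson or its course material), the script below captures a subset of the order of volatility on a Linux host in the sequence the lesson gives, hashing each capture the moment it is taken so that any later change to the stored copy is detectable. The command choices and the manifest layout are assumptions of this example; registers and cache are omitted because capturing them needs a dedicated tool.

```python
"""Collect volatile evidence in order of volatility and record a hashed manifest."""
import hashlib
import json
import subprocess
import time

# Sequence taken from the lesson's order of volatility, most volatile first.
# Registers/cache are skipped (they need a dedicated tool); the commands are
# assumed read-only choices for a Linux host, not a prescribed toolset.
ORDER_OF_VOLATILITY = [
    ("routing_table", ["ip", "route", "show"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("kernel_statistics", ["cat", "/proc/stat"]),
    ("network_connections", ["ss", "-tunap"]),
    ("temporary_files", ["ls", "-la", "/tmp"]),
]


def run_command(argv):
    """Default runner: execute one read-only command and return raw stdout bytes."""
    return subprocess.run(argv, capture_output=True, check=False, timeout=30).stdout


def collect(order=ORDER_OF_VOLATILITY, runner=run_command):
    """Capture each item in the given sequence. The hash is computed at capture
    time so that any later alteration of the stored copy is detectable."""
    manifest, captured = [], {}
    for name, argv in order:
        data = runner(argv)
        captured[name] = data
        manifest.append({
            "item": name,
            "command": " ".join(argv),
            "captured_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return manifest, captured


def verify(manifest, captured):
    """Return the items whose stored data no longer match their manifest hash."""
    return [entry["item"] for entry in manifest
            if hashlib.sha256(captured[entry["item"]]).hexdigest() != entry["sha256"]]


if __name__ == "__main__":
    manifest, _ = collect()
    print(json.dumps(manifest, indent=2))
```

The `runner` parameter lets the same collection order be exercised against recorded output, which is how the manifest verification can be checked without touching a live host.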

Video Transcription

00:04
Moving on from photography, we go to the keys of preservation. So
00:09
preserving evidence should be your primary goal, and the investigators should not attempt to alter the system, or alter it as little as possible, during the course of the investigation by following sound incident responder principles.
00:25
So some of the techniques that we're going to show you are very, um,
00:30
they're going to be very minimal as far as changing the state of the system;
00:35
however, some of the techniques that we're going to show you are going to change the state of the system slightly, and that's going to be really the only way that you can collect some evidence. That being said, you have to take certain considerations in mind as to why you're doing
00:53
certain procedures and what evidence you may or may not be giving up
00:57
if you do these procedures.
00:59
Keep in mind, though, as you're going about attempting to preserve evidence, that computers may not be your only piece of evidence. There could be other witness devices such as IDSs, routers, firewalls, sniffers, or other devices along that path
01:17
that could have captured traffic
01:19
during the incident, so don't just think of the computer. Think of the other devices as well.
01:26
And then as we're collecting and preserving evidence, we want to collect it and preserve it in the order of volatility. And that, essentially, is going to prioritize your preservation and collection to evidence that can change once the power is shut off.
01:42
The goal being to collect the information that has the greatest likelihood of being changed once power is lost.
01:49
And then the volatile data, which we'll talk about, the running, on-the-ground system, the volatile data is simply going to provide insight into the activities that occurred on that system. And that could be the most important piece of information to gather,
02:05
again, with the caveat that it is going to be time sensitive.
02:08
So depending on how old the case might be, or when you were notified of the incident, whether it's been something that's been ongoing, or the computer's been shut on and off,
02:21
may, uh, limit the need to collect that volatile data.
02:25
One of the other things that you have to be cognizant of
02:30
when preserving evidence is destructive activity.
02:34
In particular, if the malicious actor has had foreknowledge of the investigation, he or she may attempt to destroy the evidence to hide their activities,
02:42
and that destruction could come anywhere from physical destruction, where once you arrive on the scene you've got somebody standing there with a hammer and he's bashing in his computer system or hard drive.
02:53
They could be attempting to delete files, which is not necessarily the worst thing. Hopefully, we can recover those,
03:00
um,
03:01
maybe attempting to format and/or wipe the system using CCleaner or some other type of program like a leech.
03:10
So you want to be paying particular attention to destructive activity such as that.
03:19
That activity obviously has observable indicators for the investigator. If you get there and someone's holding a hammer and they're bashing in the computer, that's a pretty good indicator.
03:29
If you get there and you see certain files or programs up on the computer system, such as CCleaner saying "I'm running and cleaning all of the data on the system," that should be an indicator.
03:42
Other indicators are generally subtle. It could be a flashing or solid illuminated hard drive,
03:47
uh,
03:49
to illuminate hard drive activity.
03:52
You could have a spinning hard drive, which resembles rattling or whirring. However, don't confuse that with cooling fans, and then you can also
04:00
attempt to detect that through touch, that slight vibration.
04:06
Uh,
04:09
Other destructive activities, though, could be routine, such as defragmentation of the disk. There are certain
04:15
processes that are set up to run
04:18
and you just happen to get there as it's defragmenting the disk. Obviously, that could change, will change, the state of the system. So you would want to disable that from occurring
04:30
again. We talked about automatic cleaners, so every time you log on a system, CCleaner's gonna run, or after it gets to a certain point, CCleaner is gonna run at 12 o'clock every day.
04:43
So those are things to consider,
04:46
and then even something like downloading material over the Internet can also overwrite any type of data that is going to be in that volatile memory.
04:56
So the big questions that you have to ask yourself are: what type of destruction is occurring,
05:02
and then will that destruction cause harm if it is allowed to continue?
05:06
Is there encrypted data that needs to be captured? So if you're going to shut off this system, and there are certain files or folders that are unencrypted, and by shutting the system off it will re-encrypt that data and you lose it,
05:24
is it important to maybe capture that data first?
05:28
And then, is the computer connected to cloud storage devices that may be important to your investigation? Again, disconnecting that computer, turning it off, you might lose that connection to cloud storage, and that could be the key to unlocking your investigation.
05:46
So
05:47
stopping the destructive activity, how you do it: stopping a person from bashing in the computer with the hammer,
05:55
I'll leave that up to you how you go about doing that. But
05:59
stopping a particular program or application,
06:02
uh, could be just as simple as clicking the red X. You could also try a graceful shutdown of the system or a hard shutdown of the system
06:13
and, lastly, pulling the power cord from the back of the system if you're dealing with a PC. Obviously, with a laptop, pulling the power cord is not going to do a lot of good. However, pulling that power cord, there's going to be some caveats to that,
06:28
and that's going to be the universal power supply.
06:31
So if you have a UPS attached to your system, when you pull the power cord, nothing is gonna happen. Your computer system will continue to run, and it will not know that power has been lost because the UPS has then kicked on and continues to power the system.
06:50
So, with that being in mind,
06:53
a UPS can either be internal or external to the system,
06:58
and an internal UPS can look like a power supply.
07:02
It could look like a control panel at the front of the box,
07:05
a PCI card, or externally it could look like the power supply as well.
07:12
The safest option when dealing with some of these
07:16
UPSs is, if you don't know where they are, what they look like, and pulling the power cord out of the wall is not working, the safest option then is to open the case and handle the components while the power is still on,
07:31
and then disconnect the input/output cables from the drive.
07:35
And I will remind you that it is important to use the proper grounding techniques, or to discharge any static electricity, before handling these hard drives,
07:47
because you could essentially damage them with that static electricity and any evidence on them would then become useless.
07:59
So we hinted at the order of volatility a little bit earlier in this discussion
08:05
about capturing data that is going to be lost once power is shut off. So here we have the order of volatility. So from most volatile to least volatile,
08:20
um, we have registers and cache.
08:22
Then we move on to the routing tables, ARP cache, process tables,
08:28
kernel statistics, connections, and memory.
08:33
Down from that, we have temporary files.
08:35
Then we have hard disk or other nonvolatile storage media.
08:39
Then we have remote logging and monitoring devices. Then we have network topology, physical configuration, and lastly, we have archive media. So
08:50
those are in order of how you would generally want to go about and collect data during your forensic investigation.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor