What Tools or Scientific Processes Will You Use to Analyze the Evidence Collected?

Accepted methods and procedures to properly seize, safeguard and analyze data and determine what happened. Actionable information to deal with computer forensic cases. Repeatable and effective steps. That is a good way to describe the SANS methodology for IT forensic investigations compiled by Rob Lee and many others. It is an 8-step methodology. It helps the investigator stay on track and ensures proper presentation of computer evidence for criminal or civil cases in court, legal proceedings and internal disciplinary actions, as well as the handling of malware incidents and unusual operational problems. Furthermore, it is a good starting point for gaining a reasonable knowledge of forensic principles, guidelines, procedures, tools and techniques.

The purpose of these eight steps is to respond systematically to forensic investigations and determine what happened. A similar process exists and was created by NIST in the Guide to Integrating Forensic Techniques into Incident Response (SP 800-86), published in 2006. This special publication is consistent with the SANS methodology and reflects the same basic principles, differing in the granularity of each phase or the terms used. Other similar methodologies are described in ISO/IEC 27041.

It is also important to consider that a computer forensic investigation goes hand in hand with computer incident handling and is normally a break-off point of the containment phase.

Below is a short, high-level introduction to the 8 Computer Forensic Investigation steps:

Verification: Normally the computer forensics investigation will be done as part of an incident response scenario, so the first step should be to verify that an incident has actually taken place. Determine the breadth and scope of the incident and assess the case: what is the situation, the nature of the case and its specifics. This preliminary step is important because it helps determine the characteristics of the incident and define the best approach to identify, preserve and collect evidence. It may also help justify to business owners taking a system offline.

System Description: Then follows the step where you start gathering data about the specific incident. Start by taking notes and describing the system you are going to analyze: where the system is being acquired, and what the system's role is in the organization and in the network. Outline the operating system and its general configuration, such as disk format, amount of RAM and the location of the evidence.

Evidence Acquisition: Identify possible sources of data, acquire volatile and non-volatile data, verify the integrity of the data and ensure chain of custody. When in doubt about what to collect, be on the safe side: it is better to collect too much than not enough. During this step it is also important that you prioritize your evidence collection and engage the business owners to determine the execution and business impact of the chosen strategies. Because volatile data changes over time, the order in which data is collected is important. One suggested order in which volatile data should be acquired is network connections, ARP cache, login sessions, running processes, open files, and the contents of RAM and other pertinent data. Please note that all this data should be collected using trusted binaries and not the ones from the impacted system, since a compromised host may carry trojaned tools that hide the attacker's activity. After collecting this volatile data you go into the next step of collecting non-volatile data such as the hard drive. To gather data from the hard drive, depending on the case, there are normally three strategies to produce a bit-stream image: using a hardware device like a write blocker when you can take the system offline and remove the hard drive; using an incident response and forensic toolkit such as Helix to boot the system; or using live system acquisition (locally or remotely), which may be used when dealing with encrypted systems or systems that cannot be taken offline or are only accessible remotely. After acquiring data, ensure and verify its integrity, typically by hashing both the source and the image and recording the matching digests. You should also be able to clearly describe how the evidence was found, how it was handled and everything that happened to it, i.e. chain of custody.
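The integrity and chain-of-custody part of the acquisition step, as an added example that is not code from the original post or from any of the tools it names. It mirrors what `dd` plus `sha256sum` do (copy block by block, hash the source stream, re-hash the image from disk, compare) and writes a custody record; the function names (`acquire_image`, `verify_image`), the examiner name and the 3 MiB sample "device" are constructed for the demo, not real evidence.

```python
"""Bit-stream acquisition with integrity verification and a custody record.
Added example: the 'device' is a constructed file, not a real disk."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read and hash in 1 MiB blocks


def hash_file(path, chunk=CHUNK):
    """SHA-256 of a file read back from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, note="", chunk=CHUNK):
    """Copy `source` to `image_path` block by block, hashing the bytes as they
    are read, then re-read the finished image and hash it again. Only a match
    between the two digests means the image is a faithful copy. Returns a
    custody record (dict) suitable for the case notes."""
    read_hash = hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            read_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure what we hash next is on disk
    image_hash = hash_file(image_path, chunk)
    return {
        "source": source,
        "image": image_path,
        "bytes": size,
        "sha256_source": read_hash.hexdigest(),
        "sha256_image": image_hash,
        "verified": read_hash.hexdigest() == image_hash,
        "acquired_by": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }


def verify_image(image_path, record):
    """Re-verification later in the custody chain: re-hash the image and
    compare with the digest recorded at acquisition time."""
    return hash_file(image_path) == record["sha256_image"]


def write_custody_log(record, log_path):
    """Append one JSON line per custody event; never rewrite earlier ones."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")


def demo():
    """Constructed sample: a 3 MiB 'device', imaged, logged, then tampered."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sda.raw")
    image = os.path.join(workdir, "sda.dd")
    with open(device, "wb") as f:
        f.write(b"MBR\x55\xaa" + os.urandom(3 * 1024 * 1024))
    rec = acquire_image(device, image, examiner="analyst01", note="lab demo")
    write_custody_log(rec, os.path.join(workdir, "custody.jsonl"))
    # flip a single byte in the image: re-verification must now fail
    with open(image, "r+b") as f:
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    return rec, verify_image(image, rec)


if __name__ == "__main__":
    rec, still_valid = demo()
    print(json.dumps(rec, indent=2))
    print("tampered image still verifies:", still_valid)
```

In a real acquisition the source is a block device behind a write blocker, and the source digest would additionally be computed by a second, independent read (or by the blocker/imager itself) so the recorded value does not depend on the copying process alone.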

Note that as part of your investigation and analysis the following steps work in a loop, where you can jump from one into another in order to find the footprints and tracks left by Evil. If you get stuck, don't give up!

Timeline Analysis: After the evidence acquisition you start your investigation and analysis in your forensics lab. Begin by doing a timeline analysis. This is a crucial and very useful step because it includes information such as when files were modified, accessed, changed and created, in a human readable format, known as MAC time evidence. The data is gathered using a variety of tools and is extracted from the metadata layer of the file system (inodes on Linux or MFT records on Windows NTFS), then parsed and sorted in order to be analyzed. Timelines of memory artifacts can also be very useful in reconstructing what happened. The end goal is to generate a snapshot of the activity on the system including its date, the artifact involved, the action and the source. Creating the timeline is an easy process but the interpretation is difficult. During the interpretation it helps to be meticulous and patient, and it helps if you have comprehensive file system and operating system artifact knowledge. To accomplish this step several commercial or open source tools exist, such as the SIFT Workstation, which is freely available and often updated.
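How MAC time entries are turned into a sorted timeline, as an added example that is not code from the original post or from the Sleuth Kit. It reads bodyfile records (the pipe-separated format that `fls -m` writes and `mactime` reads) and prints mactime-style rows with the M/A/C/B flags merged per timestamp; the four bodyfile lines are constructed for the demo and the function names are this example's own.

```python
"""Build a MAC(B) timeline from bodyfile records. Added example; the sample
lines are constructed, the bodyfile layout is the Sleuth Kit's."""
from collections import defaultdict
from datetime import datetime, timezone

# bodyfile v3: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
# Flag letters in the order mactime prints them:
# Modified, Accessed, Changed (metadata), Born (created)
MACB = [("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B")]

# Constructed sample: an attacker drops a binary, edits passwd, a user's
# shell history is written, and auth.log is truncated to zero bytes.
SAMPLE_BODYFILE = """\
0|/home/bob/.bash_history|131073|r/rrw-------|1000|1000|812|1407286800|1407286740|1407286740|1404000000
0|/tmp/.x/nc|262145|r/rrwxr-xr-x|1000|1000|35344|1407286500|1407286500|1407286500|1407286500
0|/etc/passwd|393217|r/rrw-r--r--|0|0|1923|1407286600|1407286560|1407286560|1400000000
0|/var/log/auth.log|524289|r/rrw-r-----|0|0|0|1407286900|1407286900|1407286900|1400000000
"""


def parse_bodyfile(text):
    """Yield one dict per bodyfile line; skip blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed bodyfile line: %r" % line)
        rec = dict(zip(FIELDS, parts))
        for k in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[k] = int(rec[k])
        yield rec


def build_timeline(records):
    """Explode each record into up to four events, then merge the events of
    one file that share a timestamp into a single row carrying the MACB
    flags (e.g. '.A..' or 'MACB'). Timestamps <= 0 mean unknown and are
    dropped. Rows come back sorted by time, then name."""
    flags = defaultdict(lambda: ["."] * 4)
    meta = {}
    for rec in records:
        for pos, (field, letter) in enumerate(MACB):
            ts = rec[field]
            if ts <= 0:
                continue
            key = (ts, rec["name"], rec["inode"])
            flags[key][pos] = letter
            meta[key] = rec
    timeline = []
    for key in sorted(flags):
        ts, name, inode = key
        rec = meta[key]
        timeline.append({
            "time": datetime.fromtimestamp(ts, timezone.utc),
            "macb": "".join(flags[key]),
            "mode": rec["mode"], "uid": rec["uid"], "gid": rec["gid"],
            "size": rec["size"], "inode": inode, "name": name,
        })
    return timeline


def render(timeline):
    """mactime-like text: date, size, MACB, mode, uid, gid, inode, name."""
    return "\n".join(
        "%s %8d %s %s %s %s %s %s" % (
            e["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), e["size"], e["macb"],
            e["mode"], e["uid"], e["gid"], e["inode"], e["name"])
        for e in timeline)


if __name__ == "__main__":
    print(render(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))))
```

Read bottom-up in the output: the zero-byte auth.log with fresh M/A/C times right after the /tmp/.x/nc drop and the /etc/passwd change is the kind of pattern the interpretation step is about; the timeline only makes it visible, it does not explain it.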

Media and Artifact Analysis: In this step you will be overwhelmed with the amount of data that you could be looking at. You should be able to answer questions such as what programs were executed, which files were downloaded, which files were clicked on, which directories were opened, which files were deleted, where the user browsed to, and many others. One technique used to reduce the data set is to identify files known to be good and the ones that are known to be bad. This is done using databases like the National Software Reference Library (NSRL) from NIST and hash comparisons using tools like hfind from the Sleuth Kit. In case you are analyzing a Windows system you can create a super timeline. The super timeline will combine multiple time sources into a single file. You must have knowledge of file systems, Windows artifacts and registry artifacts to take advantage of this technique, which reduces the number of separate sources you have to analyze. Other things that you will be looking for are evidence of account usage, browser usage, file downloads, file opening/creation, program execution and USB key usage. Memory analysis is another key analysis step in order to examine rogue processes, network connections, loaded DLLs, evidence of code injection, process paths, user handles, mutexes and many others. Beware of anti-forensic techniques such as steganography or data alteration and destruction, which will impact your investigation analysis and conclusions.
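The known-good/known-bad hash reduction described above, as an added example that is not code from the original post, from NIST or from the Sleuth Kit's hfind. It loads a reference set written in the column layout of an NSRL RDS file, looks evidence files up by SHA-1, and adds one check a practitioner usually wants on top: a file carrying a known-good name whose hash is not known (a possible masquerade). The reference set, the "known-bad" feed and the evidence files are all constructed in the script.

```python
"""Hash-based data reduction against a known-good (NSRL-style) and a
known-bad set. Added example; every hash set here is constructed."""
import csv
import hashlib
import io

NSRL_FIELDS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
               "ProductCode", "OpSystemCode", "SpecialCode"]


def digests(data):
    """(SHA-1, MD5) as upper-case hex, the way NSRL records them."""
    return (hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper())


def make_rds_csv(golden):
    """Write a constructed reference file in NSRL RDS layout for the golden
    copies given as {filename: bytes} (stands in for NSRLFile.txt)."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL)
    w.writerow(NSRL_FIELDS)
    for name, data in golden.items():
        sha1, md5 = digests(data)
        w.writerow([sha1, md5, "00000000", name, len(data), "1", "189", ""])
    return buf.getvalue()


def load_rds(text):
    """Return {sha1: filename} from RDS-formatted CSV text."""
    return {row["SHA-1"].upper(): row["FileName"]
            for row in csv.DictReader(io.StringIO(text))}


def triage(evidence, known_good, known_bad):
    """Classify {path: bytes} evidence by SHA-1:
    known_good  -> drop from the review set
    known_bad   -> flag; note when the file was renamed
    masquerade  -> known-good file name, unknown hash
    review      -> everything else"""
    good_names = {n.lower() for n in known_good.values()}
    buckets = {"known_good": [], "known_bad": [], "masquerade": [], "review": []}
    for path, data in evidence.items():
        sha1, _ = digests(data)
        base = path.rsplit("/", 1)[-1].lower()
        if sha1 in known_good:
            buckets["known_good"].append(path)
        elif sha1 in known_bad:
            tag = known_bad[sha1]
            note = "" if base == tag.lower() else " (renamed from %s)" % tag
            buckets["known_bad"].append(path + note)
        elif base in good_names:
            buckets["masquerade"].append(path)
        else:
            buckets["review"].append(path)
    return buckets


def demo():
    """Constructed golden files, a constructed bad-hash feed and five
    'evidence' files; returns the four buckets."""
    golden = {"notepad.exe": b"GOLD-notepad", "calc.exe": b"GOLD-calc",
              "svchost.exe": b"GOLD-svchost"}
    known_good = load_rds(make_rds_csv(golden))
    bad_sample = b"EVIL-dropper"            # hypothetical malware body
    known_bad = {digests(bad_sample)[0]: "dropper.exe"}
    evidence = {
        "C:/Windows/System32/notepad.exe": b"GOLD-notepad",
        "C:/Windows/System32/calc.exe": b"GOLD-calc",
        "C:/Windows/Temp/svchost.exe": b"NOT-the-real-svchost",
        "C:/Users/bob/AppData/Roaming/update.exe": bad_sample,
        "C:/Users/bob/Documents/report.docx": b"some document",
    }
    return triage(evidence, known_good, known_bad)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print("%-11s %s" % (bucket, paths))
```

Against the real NSRL the `known_good` dictionary would hold tens of millions of entries; that is why hfind builds an index over the RDS file instead of loading it, but the lookup logic is the same.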

String or Byte Search: This step consists of using tools that search the low-level raw images. If you know what you are looking for, you can use this method to find it. It is in this step that you use tools and techniques that look for the byte signatures of known file types, known as magic cookies (or magic numbers). It is also in this step that you do string searches using regular expressions. The strings or byte signatures that you will be looking for are the ones that are relevant to the case you are dealing with.

Data Recovery: This is the step where you look at recovering data from the file system. Some of the tools that help in this step are the ones available in the Sleuth Kit, which can be used to analyze the file system, data layer and metadata layer. Analyzing the slack space and unallocated space, together with in-depth file system analysis, is part of this step in order to find files of interest. Carving files from the raw images based on file headers (and footers) using tools like foremost is another technique to further gather evidence.
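The String or Byte Search step and the carving part of Data Recovery share one mechanism, scanning a raw image for byte signatures, so one added example covers both. It is not code from the original post or from foremost, scalpel or `strings`: it locates magic numbers, runs a regular expression over printable-string runs, and carves header-to-footer, reporting a header with no usable footer (the truncated JPEG below) instead of guessing. The raw image, including a small but valid PNG, is built in memory; the magic values are the real ones.

```python
"""Signature scan, strings/regex search and header/footer carving over a
raw image. Added example; the image is constructed in build_image()."""
import re
import struct
import zlib

# (name, header magic, footer magic or None, size cap in bytes)
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    ("pe", b"MZ", None, 0),  # no footer: offset is reported, not carved
]


def scan_signatures(image):
    """[(offset, name)] for every header magic in the image, by offset."""
    hits = []
    for name, header, _, _ in SIGNATURES:
        for m in re.finditer(re.escape(header), image):
            hits.append((m.start(), name))
    return sorted(hits)


def carve(image):
    """[(offset, name, bytes_or_None)]: the bytes from the header up to and
    including the nearest following footer. No footer, or a footer beyond
    the size cap, yields None so the analyst sees the hit but gets no
    half-guessed file."""
    out = []
    for off, name in scan_signatures(image):
        _, header, footer, cap = next(s for s in SIGNATURES if s[0] == name)
        if footer is None:
            out.append((off, name, None))
            continue
        end = image.find(footer, off + len(header))
        if end == -1 or end + len(footer) - off > cap:
            out.append((off, name, None))
            continue
        out.append((off, name, image[off:end + len(footer)]))
    return out


def grep_strings(image, pattern, min_len=4):
    """`strings | grep` in one pass: printable-ASCII runs of at least
    min_len bytes, returned as (offset, text) when the regex matches."""
    rx = re.compile(pattern)
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)
    return [(m.start(), m.group().decode()) for m in runs if rx.search(m.group())]


def tiny_png():
    """A valid 1x1 8-bit greyscale PNG built from scratch (constructed)."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte 0, one grey pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_image():
    """Constructed raw image: zero filler, a PE stub, the PNG, a string of
    interest, a minimal PDF and a truncated JPEG header with no footer."""
    png = tiny_png()
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    jpeg_truncated = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    z = b"\x00" * 512
    image = (z + b"MZ\x90\x00" + z + png + z
             + b"contact: attacker@evil-example.test ssh -R 4444" + z
             + pdf + z + jpeg_truncated + z)
    return image, png, pdf


if __name__ == "__main__":
    image, _, _ = build_image()
    for off, name in scan_signatures(image):
        print("header %-4s at offset %d" % (name, off))
    for off, name, data in carve(image):
        print("carve %-4s at %d: %s" % (name, off, "no footer" if data is None else "%d bytes" % len(data)))
    for off, text in grep_strings(image, rb"[\w.+-]+@[\w.-]+\.\w+"):
        print("string at %d: %s" % (off, text))
```

Two caveats this example makes visible: a two-byte magic such as `MZ` will match inside unrelated data, so header-only hits need validation before they count as files, and footer-based carving fails quietly on fragmented or truncated files, which is why the cut-off JPEG is reported rather than silently extended to the next footer.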

Reporting Results: The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools and other aspects of the forensic process. Reporting the results is a key part of any investigation. Consider writing in a style that reflects the use of scientific methods and facts that you can prove. Adapt the reporting style to the audience and be prepared for the report to be used as evidence for legal or administrative purposes.

References and further reading:

SANS 508 – Advanced Computer Forensics and Incident Response
Guide to Integrating Forensic Techniques into Incident Response (SP 800-86), 2006, US NIST
Computer Security Incident Handling Guide (SP 800-61), 2004, US NIST
The Complex World of Corporate CyberForensics Investigations by Gregory Leibolt


Source: https://countuponsecurity.com/2014/08/06/computer-forensics-and-investigation-methodology-8-steps/
