Preparation for Host-Based Evidence:
Optimizing Key Tools:
In order to gather evidence from a host-based system, analysts need to have the right tools to accomplish their task. For example, if the organization is using a Microsoft operating system, the analyst should have tools that can retrieve information from such a system. Tools such as FTK Imager are commonly used by analysts for this purpose.
Establishing Procedures:
Prior to collecting any evidence, analysts must establish proper procedures for the collection process. This includes setting up access to the system, determining the type of evidence to be collected, and establishing the proper chain of custody for the evidence. Analysts should also ensure that the system is not altered in any way during the collection process.
Securing the System:
After the proper procedures have been established, the system must be secured in order to prevent any further changes from occurring. This includes disabling any unnecessary services, disabling access to certain file systems, and setting up proper authentication measures. It is also important to ensure that any data that is collected is kept secure and not altered in any way.
Preserving the Evidence:
Finally, the collected evidence must be preserved in its original form in order to ensure that it is not tampered with. This includes making sure that the data is copied to a secure external location and that the original data is not modified or deleted. Additionally, the analyst should document any steps taken during the evidence collection process in order to ensure an accurate audit trail.
There are two types of host-based evidence: volatile and non-volatile data.
Volatile Data
Volatile data is data that is lost when a system is turned off. It exists in RAM, cache (such as ARP caches), and other areas of a system’s memory.
Non-Volatile Data
Non-volatile data is data that is stored on a hard drive or other persistent storage device. This includes Master File Table (MFT) entries, registry information, and other system data that is retained even when the system is powered off.
Types of Evidence Acquisition
There are several different types of evidence acquisition that can be used depending on the situation, constraints of time and geography, and the type of incident.
Local Evidence Acquisition
Local evidence acquisition occurs when the security analyst has direct physical access to the system. This can involve using specialized tools and hardware to collect data from the system.
Remote Evidence Acquisition
Remote evidence acquisition occurs when the security analyst is not physically present at the location where the system resides. This type of acquisition is done using tools and network connections to acquire data remotely.
Online Evidence Acquisition
Online evidence acquisition, also known as live acquisition, collects evidence from a running computer, including the contents of running memory (RAM). This type of evidence can be useful for analyzing activities that have recently occurred on the system.
Offline Evidence Acquisition
Offline evidence acquisition involves collecting data from the hard drive of a system. This requires powering off the system and using specialized tools to acquire data from the hard drive. The main drawbacks of this process are the loss of volatile memory and the long time it takes to mirror a hard drive.
Photographing the System
The first step in collecting evidence is to photograph the system. It is important to document the system in its current state; if the system is still powered on, leave it in that state. This is because evidence can be captured from the running memory if the system is on, and evidence can be retrieved from the hard drive if the system is off. Photograph the system's model and serial details, as well as anything else that will help with the chain of custody process.
Packaging the Hard Drive
The next step is to remove the hard drive from the system and package it into an anti-static bag. This is to ensure that the hard drive is not tampered with and the evidence remains intact. The package should be labeled with the chain of custody information and stored in a secure location.
Preserving Digital Evidence
It is important to preserve digital evidence in a way that prevents it from being altered or corrupted. This can be done by making a copy of the evidence and storing it in a secure location. Additionally, it is important to document the process of collection and preservation, including the date and time of collection, as well as any details about the system that may be important.
Securing the Evidence
The evidence should be stored in a secure location. This can include a locked filing cabinet, safe, or other secure storage device. The evidence should also be catalogued and documented with the chain of custody information, to ensure that it is not tampered with or lost. Additionally, it is important to keep a record of who accessed the evidence, when, and for what purpose.
Chain of Custody
The chain of custody is a process that ensures that evidence is not tampered with or destroyed. It involves documenting the evidence from the time it is collected until it is presented in court. This includes details about who collected the evidence, when it was collected, who had access to the evidence, and where it was stored. It is important to maintain an accurate and thorough chain of custody to ensure that the evidence remains admissible in court.
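The "Preserving Digital Evidence" and "Chain of Custody" steps above both come down to two mechanical controls: hash the evidence at collection time so any later copy can be proven identical, and record every person, time and action that touches it. The script below is an added example written for these notes (it is not part of the original material and does not come from FTK Imager or any other tool named here). It hashes a disk image in chunks, keeps the custody record as JSON, and verifies a working copy against the collection-time hash; `demo()` runs the whole workflow on a constructed 2 KiB stand-in for a disk image, including one deliberately altered copy, so the mismatch path is exercised. All file names, the evidence ID and the analyst names are constructed for the example.

```python
"""Evidence preservation helper: hash at collection, log custody events, verify copies.
Added example for these notes; file names, IDs and people below are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash a file in 1 MiB chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _event(action, person, note):
    """One custody entry: UTC timestamp, what was done, by whom, and a free-text note."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "person": person,
        "note": note,
    }


def new_custody_record(evidence_id, description, collected_by, original_path, algorithm="sha256"):
    """Start the chain of custody: who collected what, when, plus the hash of the original."""
    return {
        "evidence_id": evidence_id,
        "description": description,
        "hash_algorithm": algorithm,
        "original_hash": hash_file(original_path, algorithm),
        "events": [_event("collected", collected_by, f"acquired from {original_path}")],
    }


def log_event(record, action, person, note):
    """Append an access, copy, transfer or storage event; every hand-off is recorded."""
    record["events"].append(_event(action, person, note))
    return record


def verify_copy(record, copy_path):
    """Re-hash a copy and compare with the collection-time hash.
    A mismatch means the copy was altered or corrupted and must not be analysed as evidence."""
    return hash_file(copy_path, record["hash_algorithm"]) == record["original_hash"]


def save_record(record, path):
    """Write the custody record to disk so it can be stored alongside the sealed evidence."""
    Path(path).write_text(json.dumps(record, indent=2))
    return Path(path)


def demo():
    """Run the workflow on a constructed image in a temp directory.
    Returns (record, copy_ok, tampered_ok) so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample: 2 KiB of bytes standing in for a raw disk image.
        original = tmp / "evidence.dd"
        original.write_bytes(b"MBR\x00" * 512)
        record = new_custody_record(
            "CASE-0001-HDD1", "Workstation HDD, constructed test image", "A. Analyst", original
        )
        # A working copy is made for analysis; the original goes into sealed storage.
        working = tmp / "evidence_copy.dd"
        working.write_bytes(original.read_bytes())
        log_event(record, "copied", "A. Analyst", f"working copy created at {working}")
        log_event(record, "stored", "A. Analyst", "original sealed in anti-static bag, locker 3")
        copy_ok = verify_copy(record, working)
        # Simulate an altered copy: flip a single byte, which must fail verification.
        tampered = tmp / "evidence_tampered.dd"
        data = bytearray(original.read_bytes())
        data[100] ^= 0xFF
        tampered.write_bytes(data)
        tampered_ok = verify_copy(record, tampered)
        log_event(record, "verified", "B. Reviewer", f"copy ok={copy_ok}, tampered ok={tampered_ok}")
        save_record(record, tmp / "custody.json")
        return record, copy_ok, tampered_ok


if __name__ == "__main__":
    rec, ok, bad = demo()
    print(json.dumps(rec, indent=2))
    print("working copy verified:", ok, "| tampered copy verified:", bad)
```

In practice the hash is taken from the original drive (or its first forensic image) before any copy is made, the custody JSON is stored with the sealed original rather than next to the working copy, and the same `verify_copy` check is repeated whenever the evidence changes hands or is produced in court.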
# Memory Acquisition
Memory acquisition is the method used to collect digital evidence from a device for forensic analysis. It is a critical component of digital forensics and is used to uncover details related to a criminal investigation.
## Traditional Memory Acquisition
Traditional memory acquisition involves collecting data from a hard drive or other storage device. This is also known as dead box forensics and can help investigators uncover evidence related to financial fraud, child exploitation, and other criminal activities.
## Benefits of Memory Acquisition
Memory acquisition is an important component of digital forensics because it helps investigators to find evidence related to a crime that may be stored on a device. Memory acquisition can also help to reveal deleted files or other data that may have been hidden or otherwise inaccessible. Finally, memory acquisition can help to uncover malicious activities and provide evidence for legal proceedings.