
Version 4.1 - 7.10 Computer security forensics

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

If you do not work in computer forensics, do not try to D-I-Y this. You may destroy/contaminate evidence and may not be able to prosecute.

Two basic types of data are collected in computer forensics. Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off. Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential that an investigator knows reliable ways to capture it.

If you think about this, you should be able to answer any questions on this section. If you have a single device that is compromised, you should disconnect it from the network (unplug the cable). Do NOT reboot the machine - this could lose any volatile data. Know that this is not in your wheelhouse and is really one of those "a little bit of knowledge is a dangerous thing" situations. Part of your Business Continuity Process should include what to do if you detect/suspect a computer attack. You should have a plan on who to call and what would be the criteria that would initiate that call.

There are special devices and software (that is not available to the public) to make a forensic copy of the computer's hard drive. Normally, after the copy is made, the original is removed and secured as evidence. You should probably be familiar with chain-of-custody ideas and procedures. Forensic analysis is normally performed on the copy (or a copy of the copy) instead of the actual device itself.
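To make the "analyze the copy, not the original" and chain-of-custody ideas concrete, here is an added example (not from the original post and not any vendor's tool): a POSIX shell script that images a piece of evidence with dd, confirms the image hashes identically to the source, and appends a dated custody record that can be re-checked later. It assumes dd, awk and either sha256sum or shasum are present; the "evidence" it images is a constructed file standing in for a drive that, in real work, would sit behind a hardware write blocker.

```shell
#!/bin/sh
# Added example (not from the original post): image evidence with dd, verify the
# copy by SHA-256, and keep a chain-of-custody log whose entries can be re-verified.
# Assumptions: a POSIX shell with dd, awk, and sha256sum or shasum available.
set -eu

# Print the SHA-256 hex digest of the file named in $1.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Copy $1 to $2 block by block with dd. Returns 0 only when the copy hashes
# identically to the source, so a truncated or altered image is rejected.
# On a failing drive conv=noerror,sync is usually added to get past bad
# sectors; it pads short blocks, which is why the hash is always taken of the
# image as actually written rather than assumed from the source.
image_and_verify() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 2>/dev/null
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    [ "$src_hash" = "$dst_hash" ]
}

# Append one tab-separated chain-of-custody line: UTC time, operator, source,
# image path, image hash.  $1 log file, $2 operator, $3 source, $4 image.
record_custody() {
    log=$1; operator=$2; src=$3; img=$4
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$operator" "$src" "$img" \
        "$(hash_file "$img")" >>"$log"
}

# Return 0 when the current hash of image $2 still matches the last hash
# recorded for it in log $1, i.e. the evidence is unchanged since logging.
check_custody() {
    log=$1; img=$2
    recorded=$(awk -F'\t' -v f="$img" '$4 == f {h=$5} END {print h}' "$log")
    [ -n "$recorded" ] && [ "$recorded" = "$(hash_file "$img")" ]
}

# Constructed demo: a small fake "drive" stands in for the seized device.
demo_dir=$(mktemp -d)
printf 'constructed evidence: not a real disk image\n' >"$demo_dir/evidence.bin"
image_and_verify "$demo_dir/evidence.bin" "$demo_dir/evidence.img"
record_custody "$demo_dir/custody.log" "examiner-1" \
    "$demo_dir/evidence.bin" "$demo_dir/evidence.img"
check_custody "$demo_dir/custody.log" "$demo_dir/evidence.img" \
    && echo "image verified and logged in $demo_dir/custody.log"
```

Every later step of the analysis is done on evidence.img (or a copy of it), and check_custody is re-run before and after each session; a mismatch means the image, not the original, has been touched, which is exactly what working from the copy is meant to guarantee.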

There are also practical implications that may not be obvious. If you D-I-Y this, you may end up spreading the attack (or activating other related attacks). If you are capturing packets of the attack traffic - the malicious material is in the copies of the traffic. Any time you're doing a packet analysis of suspect traffic, you should do this on a machine that is not connected to the Internet or network. If you analyze malicious traffic, you may trigger the attack and an offline machine would contain it. A VM does not qualify as an offline machine.

If you have not read much on this topic, here is a site where you can find all the books on Digital Forensics that you could ever want. I recommend the "Incident Response & Computer Forensics" book. Know that any book you read on this may be out-of-date. Operating systems and attacks are constantly evolving. This is one of those subjects that is hard to keep up with when you have only a casual interest. [Which is another reason against trying to do this yourself.]
