Noel's Cyberkshetra Blogspace
Computer Forensics Acquisition

What is Computer Forensics Acquisition and the guidelines to be followed, while performing one


Last updated 3 years ago

Introduction

Crime and investigation scenes in the movies are overrated, period.

They have led many of us to fantasize about the prospect of hacking into systems with hoodies, secret codes, signals, flashing binary digits, the FBI, and whatnot.

Well, when it comes to working with computers in an investigation, where digital evidence needs to be extracted, there are a few best practices to follow to keep the work ethical and defensible. You can’t just go poking around everywhere for fun, without following some guidelines.

This activity, known as Computer Forensics, can be applied to cases dealing with child pornography, bank fraud, etc.

Steps of a Computer Forensics Investigation

Let’s discuss the steps involved in a Computer Forensics Investigation:-

Preparation

The golden tip, in any investigation, is to take a copy of the disk, so that the original is preserved for judicial and evidence submission purposes.

The investigative team must know their legal boundaries: what they are permitted to do and what they are not. Having a legal team on the side is an advantage.

Ensure that the devices to be investigated are properly secured under physical security mechanisms and are available for investigation at all times. This is why the Chain of Custody mechanism is important.

Targets on a device include log files, metadata, encryption keys, etc. Prioritize devices according to their importance to the case.

Triage

Triage is carried out to preview the data present on the device, to avoid inspecting files or data that may prove useless to the case.

A tool that can be used for device triage is Cyber Triage, developed by Basis Technology.

Once the relevant data is uncovered, it can be transferred to another storage device for hassle-free investigation. Documentation of this process matters: note the data that has been left out, as it may prove useful at a later stage.

Working with the evidence

The guiding principle for computer forensic acquisitions is to minimize, to the fullest extent possible, changes to the source data. This is usually accomplished by the use of a hardware device, software configuration, or application intended to allow reading data from a storage device without allowing changes (writes) to be made to it. This is done to prevent loss of the data’s integrity.

Encrypted data will require a key or passphrase to be decrypted.

The faster the key is obtained, the better for the investigation.

Keys may be obtained through technical means, i.e. keys stored on cloud platforms or in security vaults.

Non-technical means involve procuring it from the culprit, dumpster diving among papers, etc.

Log files: timestamps and date stamps are of vital importance and should not be discarded.

Every application will have a log file associated with it.

It has to be kept in mind that tools such as netcat and PsTools can be used to wipe records from logs.

Types of Evidence Acquisition

Physical Acquisition

It means copying data verbatim (ditto) from the storage media of the device. It is done without making modifications.

Here, we perform a data dump, followed by a decoding phase. Once we have the physically extracted copy, we can chase and find records of deleted media. This is demonstrated in the Autopsy software too.

Logical Acquisition

Anything ranging up to a full device backup, containing files and folders, can be considered a logical acquisition.

Targeted

In this method, we target specific files ranging from documents, images, log files, etc., that pique our interest. The right targets can go a long way in solving the case.

Forensics Cloning

Forensic cloning is the process of creating a bit-stream duplicate of data from one storage medium to another.

Documentation of Evidence

These may involve any of the following:-

  1. Electronic Tags

  2. Acquisition Record/Report for each device acquired

  3. Hash Values
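The cloning and documentation steps above, as an added example that is not part of the original article: a bit-stream copy of a device is hashed in transit, the clone is re-hashed independently, and the result goes into an acquisition record. SAMPLE_DEVICE, the evidence id, the examiner name and the record fields are constructed for this example; a real acquisition reads a block device behind a write blocker.

```python
# Added example (not the article's own code): bit-stream clone + hash-verified
# acquisition record. SAMPLE_DEVICE is a constructed stand-in for a device.
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 512  # sector-sized reads; constructed value for this example

# Constructed "device": a boot sector, an allocated file, and an unallocated
# region that still holds a deleted file's remnant (three 512-byte sectors).
SAMPLE_DEVICE = (b"\x33\xc0" + b"\x00" * 510
                 + b"report.docx contents" + b"\x00" * 492
                 + b"DELETED: old-invoice.pdf" + b"\x00" * 488)

def clone_stream(src, dst, chunk=CHUNK):
    """Copy src to dst verbatim, hashing every byte as it passes through.
    Returns (bytes_copied, sha256 of the source as it was read)."""
    h, total = hashlib.sha256(), 0
    for buf in iter(lambda: src.read(chunk), b""):
        dst.write(buf)
        h.update(buf)
        total += len(buf)
    return total, h.hexdigest()

def acquire(src, dst, evidence_id, examiner):
    """Clone src into dst, re-hash the clone independently, return the record."""
    size, src_hash = clone_stream(src, dst)
    dst.seek(0)
    clone_hash = hashlib.sha256(dst.read()).hexdigest()
    return {"evidence_id": evidence_id, "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "bytes": size, "sha256_source": src_hash,
            "sha256_clone": clone_hash, "verified": src_hash == clone_hash}

def verify_clone(record, clone_bytes):
    """Re-check a clone later (e.g. before analysis) against the recorded hash."""
    return hashlib.sha256(clone_bytes).hexdigest() == record["sha256_source"]

def demo():
    """Acquire SAMPLE_DEVICE; returns (acquisition record, clone bytes)."""
    src, dst = io.BytesIO(SAMPLE_DEVICE), io.BytesIO()
    record = acquire(src, dst, "EVD-0001", "examiner-placeholder")
    return record, dst.getvalue()

if __name__ == "__main__":
    record, clone = demo()
    print(json.dumps(record, indent=2))
    # A physical copy still carries the deleted remnant a logical copy would miss.
    print(b"DELETED:" in clone, verify_clone(record, clone))
```

Any single-byte change to the clone makes verify_clone() return False, which is exactly why the hash belongs in the acquisition record rather than only in the examiner's notes.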

Reflection

Upon the successful closure of the case, these are a few things that investigators can ponder on:-

  a. What evidence was overlooked?

  b. How did it change the overall view of the case?

  c. Did it prove important towards the end?

  d. What were the mistakes made during the investigation?

  e. What correction mechanisms can overcome them in the next investigation?

  f. Were all members of the investigation team involved?

  g. Were anyone’s suggestions overlooked?

Conclusion

This article gave a clear insight into what goes into a computer forensics investigation. Criminals are getting smarter by the day, and the security mechanisms released by the day are being used by them for their immoral deeds.

Bitlocker encryption, security vaults…Phew!!

It surely seems challenging and doesn’t appear to be what we see at the movies, but surely it is a cool thing to do besides putting those miscreants behind bars.
