Forensics is the work of investigating evidence and establishing the facts of interest that link to an incident. In this article we discuss digital forensics in particular. We try to give an introduction to digital forensics because we believe it is necessary to have a reaction plan for when one of our assets, such as a server or web application, is compromised. We also recommend researching other sources for more thorough training, as this topic extends well beyond the tools available in Kali Linux. Digital forensics is a fast-growing area of interest in cyber security, and very few people know it well.
Before stepping into the world of the digital James Bond, we need to remember some rules. There are not many: we believe these three rules must be followed by every digital forensics expert. If we fail to follow them, we may fail to solve the case.
1. Never touch the evidence
This is not about touching physical evidence. It means "never work on original data": always use a copy of the evidence for forensic testing. We also need to ensure that we did not modify the data while creating the copy. The moment we touch or modify the original data, our case becomes worthless. Tampered evidence can never be used in any legal proceeding, regardless of what is found. The reason is that once an original is modified, there is a possibility of introducing false evidence that misrepresents the real incident. An example is making a change that adjusts a timestamp in the system logs. There would be no way to distinguish this change from a novice analyst's mistake or from an attacker trying to cover his tracks.
Most digital forensic analysts use specialized devices to copy data bit for bit. There are also very reputable software tools that do the same thing. It is important that our process be very well documented. Most digital copies that have been thrown out of legal proceedings were rejected because the hash of the storage medium, such as a hard drive, did not match the copied data. The hash of a hard drive will not match a contaminated copy, even if only a single bit was modified. A hash match means it is extremely likely that the copy, including filesystem access logs, deleted data, disk information and metadata, is an exact duplicate of the original data source.
2. Look for everything
The second vital rule of digital forensics is that anything that can store data should be examined. In famous cases involving digital media, critical evidence has been found on cameras, DVR recorders, video game consoles, phones, iPods and other random digital devices. If a device has any capability of storing user data, then it is possible that the device could be used in a forensic investigation. Do not dismiss a device just because it seems unlikely. A car navigation system that stores maps and music on SD cards could be used by culprits to hide data, and it could also provide evidence of Internet usage based on the tags of downloaded music.
3. Thorough documentation
This is the last crucial rule of digital forensics. Most newcomers ignore it, but we MUST document our findings. All evidence and every step used to reach a conclusion must be easy to understand for the conclusion to be credible. More importantly, our findings must be re-creatable. Independent investigators must arrive at the same conclusion as we did, using our documentation and techniques. It is also important that our documentation establishes a timeline of events: when specific things occurred and how they occurred. All timeline conclusions must be documented.
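As an added example (not code from the original article) tying rule 1 and rule 3 together: a small Python verification step that hashes the original medium and the working copy, reports whether they match, and appends a timestamped record of the check to a log so that an independent investigator can repeat it. The file names, the examiner label and the sample image bytes are constructed for the demonstration; the acquisition itself would still be done with a write blocker or imaging tool, this only verifies and documents the result.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large image never sits in memory whole

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(original, copy, examiner, log_path):
    """Hash original and copy, append a timestamped JSON record, return True on match."""
    orig_hash = sha256_file(original)
    copy_hash = sha256_file(copy)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "original": str(original),
        "copy": str(copy),
        "sha256_original": orig_hash,
        "sha256_copy": copy_hash,
        "match": orig_hash == copy_hash,
    }
    with open(log_path, "a") as log:  # one line per check: the verification trail
        log.write(json.dumps(record) + "\n")
    return record["match"]

def demo(workdir=None):
    """Constructed sample: a small 'image', an exact copy, and a copy with one bit flipped."""
    workdir = Path(workdir or tempfile.mkdtemp())
    data = bytes(range(256)) * 64  # constructed stand-in for a disk image
    original = workdir / "evidence.img"
    original.write_bytes(data)
    good = workdir / "copy_good.img"
    good.write_bytes(data)
    bad = workdir / "copy_bad.img"
    bad.write_bytes(data[:100] + bytes([data[100] ^ 0x01]) + data[101:])  # single bit changed
    log = workdir / "verification.log"
    return (verify_copy(original, good, "examiner-1", log),
            verify_copy(original, bad, "examiner-1", log))
```

The exact copy verifies, the copy with one flipped bit does not, and both outcomes are written to verification.log with the examiner and UTC time.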
A forensic investigation is all about the perception of being a security expert validating evidence linked to an incident. It is easy to get caught up looking for bad guys and drawing conclusions on what may have happened based on opinion. This is one of the fastest ways to discredit our work.
As a forensics specialist, we must only state the facts. Did the person Tony steal Steve's files, or did the account logged on as the username Tony initiate a copy from the user account Steve's home directory to a USB drive with serial number XXX at the timestamp XXX on date XXX? See the difference? The real bad guy could have stolen Tony's login credentials (using methods covered in this book) and stolen Steve's data while posing as Tony. The moment you jump to a conclusion is the moment your case becomes inconclusive because of personal inference. Remember, as a forensics specialist, we could be asked under oath to give testimony on exactly what happened. When anything other than facts enters the record, our credibility will be questioned.
Extra Talks
These are the basic rules of digital forensics that we need to remember and follow at all times. Digital forensics is not easy, but it has great potential as a career option. At the most basic level, we need to collect the information carefully and analyze it painstakingly with a view to extracting evidence relating to the incident, which helps answer questions, as shown in the following diagram: