Term

Definition
- Capture system image
- Network traffic and logs
- Capture video
- Record time offset
- Take hashes
- Screenshots
- Witness interviews

Term

Definition
- Admissible
- Authentic
- Complete
- Reliable: nothing about how evidence was collected or handled casts doubt on its authenticity and veracity
- Believable

Term

Definition
- Disk duplicator
- Software image capture with boot media
- Add drive to hardware write blocker prior to accessing

Term

Definition
- Document time zone, including daylight saving
- NTFS systems use GMT or UTC
- Time offset is stored in registry, must be recorded
- FAT uses local time

Term

Definition
- Don't shut down until you've completed evidence collection. Much evidence may be lost, and the attacker may have altered the startup/shutdown scripts/services to destroy evidence.
- Don't trust the programs on the system. Run your evidence-gathering programs from appropriately protected media (see below).
- Don't run programs that modify the access time of all files on the system (e.g., 'tar' or 'xcopy').

Term

Definition
- ESI repository
- "Ongoing" includes old and new data
- Includes emails, personal files, documents

Term

Definition
- Event outside the scope of a computer and a network
- Security and surveillance recordings
- External capture
- Internal capture (screenshot)

Term

Definition
- Log hours spent gathering information
- May be used for restitution later
- Cost of incident, including labor hours and expenses, should be documented

Term

Definition
- Logging everything from anywhere
- May be able to replay attack from start to finish

Term

Definition
- Logs from switches, routers, firewalls
- Exact network stream recording
- NIDS/NIPS logs

Term

Definition
- Anyone who may have seen information
- Document anything that they may have seen
- Do it as quickly as possible
- Able to build more evidence by interviewing more people and correlating all of those different stories

Term

Definition
- Capture the state of a particular screen
- Valuable forensic information on screen

Term

Definition
- Catalog and seal that evidence so there's no tampering
- Take MD5 or CRC checksum value of digital evidence

Term

Definition
- Collect and process all of these details
- Important information may protect from future incidents
- Make policy changes
- Modifications to processes and procedures

Term
Strategic intelligence/counterintelligence gathering

Definition
- Details about the attacker
- May be able to learn more information about who they are
- Find different habits or different methods that are unique to this particular attacker
- Log as much information as possible
- May track exactly what an attacker does from the very beginning until the very end of their attack

Term
Avoid disconnecting from the network

Definition
- May trigger "dead man switches" that detect when they're off the net and wipe evidence.

Term

Definition
1. Registers, cache
2. Routing table, ARP cache, process table, kernel statistics, memory
3. Temporary file systems
4. Disk
5. Remote logging and monitoring data that is relevant to the system in question
6. Physical configuration, network topology
7. Archival media

Term

Definition
A legal technique to preserve relevant information
- Used to prepare for litigation
- Initiated by legal counsel

Term

Definition
Control evidence
- Maintain integrity: everyone who contacts the evidence must be documented
- Avoid tampering: label and catalog everything
- Seal and store

Term

Definition
1. CPU, cache, registers
2. Routing table, ARP cache, process table, kernel stats
3. Memory
4. Swap file, temp files
5. Data on hard disk
6. Remotely logged data
7. Archives

Term

Definition
1. Photograph computer and scene, take screenshots
2. If it is off, do not turn it on. If it is on, do not turn it off.
3. Separate people from devices
4. Collect live data: start with a RAM image, collect info on processes that are running or terminated
5. Collect a logical image of the hard disk using a forensic tool like dd, Helix3, EnCase, F-Response
6. Take hashes of the system image
7. Note time offsets
8. Unplug the power cord or remove the battery; do not use the power switch in case it is rigged
9. Diagram and label all cords, document device model numbers and serial numbers
10. Preserve evidence. Legal hold: data that has been identified as material to an investigation is copied or moved to an immutable location
11. Examine the image copy
