"Unless you know where you are going, you won't know how to get there!" | ||
--Neil Strauss, The Rules of the Game |
In this chapter, you will learn how to identify the different sources of evidence and get your hands on the evidence. You will learn how to acquire, manage, and handle the evidence to understand how a crime was committed.
The chapter will cover the following topics:
For any successful investigation, it is extremely important to successfully collect, collate, preserve, and analyze the evidence.
To begin with, we need to identify the sources of evidence for any investigation.
The sources of evidence can be easily divided into the following two categories:
This can include the following:
A log is a record of the activities performed on a device, whether by the device itself or by outside agents acting on it, together with their outcomes: connections accepted or dropped, logons, alerts raised, and so on. Each entry carries a timestamp and the identities involved, which is what makes logs a crucial part of the investigation ecosystem. Their value depends on the device clock having been correct and on the entries having been retained for the period under investigation, so both points should be checked when the logs are collected.
Devices such as firewalls, intrusion prevention and detection systems, anti-virus servers, and so on generate logs. Other logs include operating system event logs, application logs, and so on.
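Logs from different devices arrive in different formats and, frequently, in different time zones, so the collation step is where an investigator first sees whether the sources agree. The following Python script is an added example, not code from the book: it parses three constructed log lines (a Linux iptables/syslog firewall line, a Snort-style IDS fast alert, and a Windows failed-logon event exported as CSV), normalizes every timestamp to UTC and orders them into one timeline. The year assumed for the syslog and Snort timestamps, which carry none, and the assumption that the firewall and IDS clocks run in UTC are stated in the code; in a real case they come from the case notes, not from the log.

```python
"""Collate log lines from several devices into one UTC-ordered timeline.

Added example, not code from the book. Every log line below is constructed.
Assumptions that in a real case would come from the case notes, not the log:
  * LOG_YEAR: syslog and Snort fast-alert timestamps carry no year.
  * DEVICE_TZ: the firewall and IDS clocks are taken to be set to UTC.
  * The Windows export is taken to carry an ISO 8601 timestamp with offset.
"""
import re
from datetime import datetime, timezone

LOG_YEAR = 2024
DEVICE_TZ = timezone.utc

# Constructed sample evidence (not real logs).
FIREWALL_LOG = """\
Mar 14 09:12:03 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 14 09:12:07 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
"""
IDS_LOG = """\
03/14-09:12:05.441234  [**] [1:1000001:1] SSH scan (constructed rule) [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
"""
WINDOWS_LOG = """\
2024-03-14T04:12:09-05:00,Security,4625,An account failed to log on,Source Network Address: 203.0.113.7
"""

FW_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$")
IDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_firewall(text):
    """iptables/syslog lines -> (aware datetime, source, src_ip, dst_ip, detail)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # a real tool should count unparsed lines rather than drop them silently
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=DEVICE_TZ)
        kv = dict(field.split("=", 1) for field in m["body"].split() if "=" in field)
        events.append((ts, "firewall", kv.get("SRC"), kv.get("DST"),
                       f"{kv.get('PROTO')} to port {kv.get('DPT')}"))
    return events


def parse_ids(text):
    """Snort fast-alert lines -> same tuple shape as parse_firewall."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=DEVICE_TZ)
        events.append((ts, "ids", m["src"], m["dst"], m["msg"]))
    return events


def parse_windows(text):
    """CSV export with an ISO 8601 timestamp carrying its UTC offset."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 4)
        if len(parts) < 5:
            continue
        ts = datetime.fromisoformat(parts[0])      # keeps the -05:00 offset
        m = re.search(r"Source Network Address: ([\d.]+)", parts[4])
        events.append((ts, "windows", m.group(1) if m else None, None,
                       f"EventID {parts[2]}: {parts[3]}"))
    return events


def build_timeline(*sources):
    """Merge parsed events from any number of sources, sorted by true (UTC) time."""
    events = [event for source in sources for event in source]
    events.sort(key=lambda event: event[0])
    return [(event[0].astimezone(timezone.utc).isoformat(timespec="seconds"), *event[1:])
            for event in events]


if __name__ == "__main__":
    for row in build_timeline(parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG), parse_windows(WINDOWS_LOG)):
        print("  ".join(str(col) for col in row))
```

The Windows event, stamped 04:12 in a UTC-5 zone, lands after the 09:12 firewall entries once normalized; sorting on the raw strings would have put it first and broken the story the timeline tells.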
As discussed in the previous chapter, network traffic is transmitted in packets. Data is split into packets at the sender, so the packets need to be captured and then reassembled, first into the TCP streams and then into the application-level exchanges they carry, before the content can be analyzed. Packets that were never captured show up as gaps in the reconstruction and must be reported as such rather than papered over.
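Reassembly is what turns a capture back into the data the two parties actually exchanged. As an added example (not code from the book, and not a real capture), the Python below constructs a handful of Ethernet/IPv4/TCP frames with struct, including out-of-order delivery, a retransmitted segment and unrelated frames, then rebuilds one direction of the conversation by sequence number and reports any range of bytes that was never captured. Checksums are left at zero because this parser does not verify them; the addresses, ports and the HTTP request are all constructed.

```python
"""Rebuild one direction of a TCP conversation from raw captured frames.

Added example, not code from the book and not a real capture. The frames are
constructed with struct.pack (Ethernet II + IPv4 + TCP, no options). The
payload is a constructed HTTP request split over three segments that are
captured out of order, with one segment retransmitted. IP and TCP checksums
are left at zero because this parser does not verify them.
"""
import struct

CLIENT, SERVER = "203.0.113.7", "192.0.2.10"   # documentation-range addresses
CLIENT_PORT, SERVER_PORT = 51234, 80
FIRST_SEQ = 1000
REQUEST = b"GET /admin HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"   # constructed payload


def ip_to_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK by default, checksums zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src, dst, sport, dport, seq, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                       # IP protocol field: not TCP
        return None
    src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", frame[tcp_off:tcp_off + 14])
    data_off = (doff >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]   # ignores any Ethernet padding
    return src, dst, sport, dport, seq, flags, payload


def reassemble(frames, src, dst, sport, dport):
    """Order the payload of one flow by sequence number.

    Duplicate retransmissions are collapsed, overlapping bytes trimmed, and
    every range of bytes that was never captured is reported as a gap so the
    analyst knows the reconstruction is incomplete. Returns (data, gaps).
    """
    segments = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed[:4] != (src, dst, sport, dport) or not parsed[6]:
            continue                         # other flow, non-TCP, or no payload (pure ACK/SYN)
        seq, payload = parsed[4], parsed[6]
        if seq not in segments or len(payload) > len(segments[seq]):
            segments[seq] = payload          # keep the longest copy seen for this seq
    data = bytearray()
    gaps = []
    expected = None
    for seq in sorted(segments):
        payload = segments[seq]
        if expected is None:
            expected = seq
        if seq > expected:                   # bytes in [expected, seq) were never captured
            gaps.append((expected, seq))
        elif seq < expected:                 # overlap: drop bytes already reconstructed
            payload = payload[expected - seq:]
        data += payload
        expected = max(expected, seq + len(segments[seq]))
    return bytes(data), gaps


def make_capture(drop_second=False):
    """Constructed capture: three client segments out of order (the middle one
    late and then retransmitted), an ARP frame and the server's reply. With
    drop_second=True the middle segment is missing entirely."""
    parts = [REQUEST[:21], REQUEST[21:39], REQUEST[39:]]
    seqs = [FIRST_SEQ, FIRST_SEQ + 21, FIRST_SEQ + 39]
    seg = [build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, s, p) for s, p in zip(seqs, parts)]
    arp = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28
    reply = build_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, 5000, b"HTTP/1.1 401 Unauthorized\r\n\r\n")
    capture = [seg[0], arp, seg[2], seg[1], seg[1], reply]
    if drop_second:
        capture = [f for f in capture if f is not seg[1]]
    return capture


if __name__ == "__main__":
    for drop in (False, True):
        data, gaps = reassemble(make_capture(drop), CLIENT, SERVER, CLIENT_PORT, SERVER_PORT)
        print(f"gaps={gaps}\n{data!r}")
```

With the full capture the request comes back byte-for-byte; with the middle segment missing the reconstruction still runs but reports the gap (1021, 1039), which is the detail an investigator needs before relying on the reassembled content.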
Volatile memory can be a valuable source of evidence. A lot of malware may reside only in the memory of the computer under investigation and never touch the disk. Similarly, on a computer with whole disk encryption (WDE) the decryption key is held in RAM while the system is running; if the key material lives on a USB stick that the suspect controls, the investigator's best chance of recovering it is to grab it from volatile memory before the machine is powered down. Any kind of investigation that involves memory will therefore require us to acquire an image of the suspect system's memory while it is still running, since its contents are lost at power-off.
Substantial evidential data resides on the hard drives of compromised computers. Traces of Internet activity, webmail communications, efforts to cover tracks and obfuscate evidence, and so on will all be found on examination of hard drive contents. The registry of Windows computers is also a treasure trove of information. A bit-stream image (a sector-by-sector copy that includes unallocated space, not a file-level backup) has to be obtained for each drive under investigation, with a cryptographic hash recorded at acquisition time so that the copy can later be shown to match the original.
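The acquisition and the verification belong together: an image whose hash was not recorded when it was made cannot later be shown to be faithful. As an added example (not code from the book), the Python below does what `dd conv=noerror,sync` followed by `sha256sum` does: it copies a source block by block, substitutes a zero-filled block for any block that cannot be read so that every later byte keeps its original offset, logs the substituted block numbers, and hashes the image as written so it can be verified on re-read. The "device" is a file constructed in a temporary directory, and the `simulated_bad_blocks` parameter is an assumption used only to exercise the read-error path; a real acquisition reads a device node behind a write blocker.

```python
"""Bit-stream acquisition of a drive image with hash verification.

Added example, not code from the book. It mimics `dd conv=noerror,sync`
followed by `sha256sum`: copy the source block by block, replace any
unreadable block with zeros so every later byte keeps its original offset,
log the substituted blocks, and hash what was written so the image can be
verified later. The "device" is a constructed file in a temporary
directory; `simulated_bad_blocks` is an assumption used only to exercise
the read-error path.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512   # sector size assumed for the constructed device


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a whole file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(src_path, dst_path, block_size=BLOCK_SIZE, simulated_bad_blocks=frozenset()):
    """Copy src_path into dst_path one block at a time.

    Returns an acquisition record: bytes written, block count, the indices of
    blocks that could not be read and were zero-filled, and the SHA-256 of
    the image as written. In a real acquisition src_path would be a
    read-only device node behind a write blocker rather than a file.
    """
    size = os.path.getsize(src_path)
    n_blocks = (size + block_size - 1) // block_size
    image_hash = hashlib.sha256()
    bad_blocks = []
    written = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for index in range(n_blocks):
            offset = index * block_size
            want = min(block_size, size - offset)       # the last block may be short
            try:
                if index in simulated_bad_blocks:
                    raise OSError(5, "Input/output error")   # constructed failing sector
                src.seek(offset)
                block = src.read(want)
            except OSError:
                block = b"\x00" * want                   # conv=sync: keep offsets aligned
                bad_blocks.append(index)                 # conv=noerror: carry on, but log it
            dst.write(block)
            image_hash.update(block)
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return {"bytes": written, "blocks": n_blocks, "bad_blocks": bad_blocks,
            "image_sha256": image_hash.hexdigest()}


def verify_image(image_path, expected_sha256):
    """Re-read the image from disk and confirm it still matches the recorded hash."""
    return hash_file(image_path) == expected_sha256


def build_constructed_device(path, n_blocks=16, tail=100):
    """Deterministic stand-in for a drive: n_blocks full sectors plus a partial tail."""
    with open(path, "wb") as f:
        for i in range(n_blocks):
            f.write(bytes([i]) * BLOCK_SIZE)
        f.write(b"\xab" * tail)
    return path


def demo_acquisition(simulated_bad_blocks=frozenset()):
    """Image the constructed device and return (acquisition record, image bytes)."""
    with tempfile.TemporaryDirectory() as workdir:
        src = build_constructed_device(os.path.join(workdir, "sdb.bin"))
        dst = os.path.join(workdir, "sdb.dd")
        record = image_device(src, dst, simulated_bad_blocks=simulated_bad_blocks)
        record["source_sha256"] = hash_file(src)
        record["verified"] = verify_image(dst, record["image_sha256"])
        with open(dst, "rb") as f:
            image = f.read()
    return record, image


if __name__ == "__main__":
    for bad in (frozenset(), {3}):
        rec, _ = demo_acquisition(bad)
        print(f"bad blocks {rec['bad_blocks']}: image matches source: "
              f"{rec['image_sha256'] == rec['source_sha256']}, image verified: {rec['verified']}")
```

Two hashes matter: the hash of the image as written, which is what goes in the acquisition notes and what every later verification is checked against, and the hash of the source, which only equals it when every block was readable. When a block had to be zero-filled the two will differ by design, and the record of which blocks were substituted is what explains the difference.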
This can include the following:
These logs are a detailed record, kept by the ISP, of subscribers' access to Internet resources. They can include log on and log off times, user names, resources accessed, online content and activity, the IP addresses assigned to the subscriber, the date and time of usage, and the duration of each session. They are what ties an IP address seen in the victim's logs back to a subscriber account at a given time.
Logs from the domain name servers (DNS) may also include the date and time, the querying IP address, the domain name queried, the protocol used, and so on. This data is usually available only for a very short period of time because of the high volume of queries and the log rotation policies followed by the service provider, so a request for it has to be made quickly.
These are online resources that archive copies of websites and pages at particular points in time. They can help us determine the state of a website before a defacement attack, provided the site was crawled before the incident. The URL of the Wayback Machine is http://archive.org/web/.
These are the servers, usually at a hosting provider, on which a domain's website and services are hosted. Login attempts to the hosting account or to the server itself, including unauthorized ones, are logged there, so a record of a criminal's attempts to break in would be available from this machine, subject to the provider's logging and retention settings.
When hand-held devices such as phones or tablets are used to access network resources, evidence of that interaction is also created on the devices themselves. This too may be required from an investigation perspective.
A number of these sources of evidence may be protected by privacy laws and may not be easily available to company investigators without a formal request from law enforcement or a subpoena.
Further along in this chapter, we will discuss the tools and the methodology required to acquire the evidence from network packets and system memory in a step-by-step manner for further analysis.