Chapter 10. Forensics

In this chapter we're going CSI. Well, not the CSI you see on CSI: Cyber. This is the real deal. There may come a time in your sysadmin career when you have to deliver data that must maintain a Chain of Evidence. The Chain of Evidence is a documented and auditable record of how, why, and by whom evidence was handled, stored, and examined. Kali is your friend when it comes to this duty. You'll also find that some of the techniques we will use come in handy in day-to-day work: data retrieval, copying disk images, and scanning your own systems for data that should not be where it is, or maybe isn't where you expected it to be. Doing pen testing, we have seen a lot of companies fail their compliance assessments because credit card and personal data is found in the wrong place. It's amazing where employees will rat-hole files on the network. We will explore Guymager first, and then dive into Autopsy:

  • Getting into Digital Forensics
  • Exploring Guymager
  • Diving into Autopsy

Getting into Digital Forensics

Today, with computer systems used in everything, when legal battles or crimes happen, sometimes the bulk of the evidence involved will be digital. How the chain of evidence is handled can make or break a case. When performing third-party penetration testing for PCI or HIPAA, your collected data is your evidence and should be handled just as it would be handled in a legal case. A Chain of Evidence should be laid out and followed during testing and during the storage of your evidence after testing. You never know when what you think will be just a normal test may end up being a legal case. An example is when you're testing and find you are not the only one on the network: the network you are testing has already been breached. Now your test has turned into an Incident Response case where legal action may be taken, and your testing data is now legal evidence. Yes, this does happen in real life. Bo has, on several occasions, found he wasn't the only one in the network while doing a routine penetration test for a customer. You could be the one who discovers the clues to bring a criminal hacker to justice.

Forensics has a lot of different aspects to it. You have to look at the whole body of the incident being investigated. A forensic investigation, and the tools you choose for it, will vary depending on the type of investigation being done. An investigation of a network hack will be different from an investigation into suspected data theft by an employee. The tools we will cover each have their special use, so most of the time they will be used in conjunction with other tools to complete an investigation.

In legal cases, you will in most cases work not with the original system but with a clone of it. In the case of a machine being breached and replaced, you are just investigating the breach to see what happened. In this case, be sure to use a sandboxed network—either a virtual one with no access to anything but the virtual host, or a small switch with no uplink, to create a physically sequestered network with only the machines needed for the investigation on the switch.
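The two habits this section describes, working on a verified clone rather than the original and keeping an auditable record of who handled the evidence and when, can be shown in a few lines of code. The following is an added example, not code from the book or from Guymager or Autopsy: it copies an evidence file byte for byte, hashes both source and copy with SHA-256 so the clone can be proven identical, and appends one JSON line per action to a custody log. The examiner name, case ID, file names and the random sample "disk" are all constructed placeholders; a real acquisition would image a block device with a write blocker in place, which this example does not do.

```python
import datetime
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read evidence in 1 MiB pieces so large images do not fill RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _log(log_path, record):
    """Append one custody record as a single JSON line (never rewrite old lines)."""
    record["timestamp_utc"] = datetime.datetime.now(datetime.timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def acquire_image(source, image_path, examiner, case_id, log_path):
    """Clone the evidence, then prove the clone matches the source hash."""
    source_hash = sha256_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_file(image_path)
    return _log(log_path, {
        "action": "acquire",
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
    })


def verify_image(image_path, expected_hash, examiner, case_id, log_path):
    """Re-hash the working copy before examining it; log the outcome either way."""
    current = sha256_file(image_path)
    ok = current == expected_hash
    _log(log_path, {
        "action": "verify",
        "case_id": case_id,
        "examiner": examiner,
        "image": image_path,
        "sha256_expected": expected_hash,
        "sha256_actual": current,
        "verified": ok,
    })
    return ok


def demo():
    """Constructed end-to-end run in a temp dir: acquire, re-verify, detect a changed copy."""
    workdir = tempfile.mkdtemp(prefix="custody_demo_")
    evidence = os.path.join(workdir, "evidence.bin")   # constructed stand-in for a disk
    image = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "custody.jsonl")
    examiner, case_id = "examiner-placeholder", "CASE-0000"  # placeholders, not real values

    with open(evidence, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # random sample data, deliberately not block-aligned

    acq = acquire_image(evidence, image, examiner, case_id, log)
    untouched_ok = verify_image(image, acq["sha256_image"], examiner, case_id, log)

    # Simulate an accidental write to the working copy: flip the first byte.
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    tampered_ok = verify_image(image, acq["sha256_image"], examiner, case_id, log)

    with open(log, encoding="utf-8") as f:
        entries = sum(1 for _ in f)
    shutil.rmtree(workdir)
    return {
        "acquire_verified": acq["verified"],
        "reverify_ok": untouched_ok,
        "tampered_ok": tampered_ok,
        "log_entries": entries,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is append-only and every record carries the hash it checked against, so a reviewer can later reconstruct exactly when the copy was last known good and who touched it. Guymager performs the same acquire-and-verify step for whole devices; the point of the example is the record-keeping around it.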
