3.7 Summarize basic forensic concepts - Paiet/Tech-Journal-for-Everything GitHub Wiki

3.7 Summarize basic forensic concepts

  • First responder
    • The first person or team that should be called upon and arrive at the scene of an incident
      • These first responders will be your most experienced and qualified people
        • IT security team
        • Tier 3 techs
        • Chief Security Officer (CSO)
      • May include someone from HR
  • Secure the area
    • You don't want the crime scene contaminated in any way
      • Close (and lock) doors
      • Cordon off open areas using signs or tape
      • Send an email informing staff that the area will be inaccessible
    • Escalate when necessary
      • You may need to call in help from a manager to keep others from entering the scene
      • You may need to call in a third party company that specializes in computer forensics
    • If the incident is isolated to a single device you can take that device to a more secure location to avoid contamination/tampering
      • Photograph and note its state first (powered on or off, attached cables and media), and decide whether volatile memory needs capturing before powering it down
  • Document the scene
    • Start documenting as soon as you arrive
      • Be as detailed as possible
      • Don't mix your thoughts/opinions into the scene description
        • Add thoughts/opinions as side notes for yourself
    • Get photos/videos of the scene
  • eDiscovery
    • The process of requesting and producing electronic evidence, known as Electronically Stored Information (ESI), for litigation or an investigation
      • Email
      • Electronic files/documents
      • Audio/video/photos
      • Websites
      • System logs (e.g. syslog)
  • Evidence/data collection
    • Be sure to follow any legal restrictions/stipulations when gathering evidence
    • You may need to report to a manager before collecting any data or evidence
    • When dealing with damaged data devices you may need to employ a third party company that specializes in data retrieval
  • Chain of custody
    • Tracking the movement and handling of evidence for the purpose of maintaining integrity
    • Documents the attributes of the evidence and every person who has handled it, so any gap in possession can be spotted
      • When was it collected
      • What state was it in
      • Who collected it
      • Who has had possession, and when each handoff took place
      • Where was it collected
      • How was it handled
  • Data transport
    • Important to maintain data integrity during transport
    • Encryption protects the confidentiality of the data in transit; it does not by itself prove the data was not altered
    • To detect alteration, hash the evidence (e.g. SHA-256) when it is collected and re-hash it on arrival, comparing the two values
  • Forensics report
    • Summary report of the evidence
    • Gives a rundown of what evidence was gathered (or lack thereof), who was involved in gathering it and the steps they took to gather it
  • Legal hold
    • A stop to normal data processing when litigation or investigation is anticipated or in process
      • Backup tape recycling is halted to ensure that any necessary data is retrievable
      • Any data that might be deemed as evidence is set aside for legal investigation
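The chain of custody and data transport points above come together in a custody log that re-hashes the evidence at every handoff. The script below is an added example written for these notes, not code from the Tech-Journal wiki; the evidence ID, the people, the locations and the "image" bytes are all constructed stand-ins. It records who/when/where/how for each transfer and refuses the handoff, logging a discrepancy instead, when the hash no longer matches the one taken at acquisition.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a disk or memory image captured at the scene.
# Real images are gigabytes; the hashing below streams in chunks so it scales.
SAMPLE_IMAGE = b"constructed evidence image: not a real forensic artifact\n" * 64


def sha256_hex(data: bytes) -> str:
    """Hash the evidence. Integrity is proven by a hash, not by encryption."""
    h = hashlib.sha256()
    for i in range(0, len(data), 4096):  # chunked so it works for huge images
        h.update(data[i:i + 4096])
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for a single evidence item.

    Each entry records who, when, where and how. Every handoff re-hashes the
    item, so alteration in transit is detected by the receiving custodian.
    """

    def __init__(self, evidence_id: str, description: str, collected_by: str,
                 location: str, image: bytes) -> None:
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = sha256_hex(image)
        self.custodian = collected_by
        self.entries: list[dict] = []
        self._append("collected", collected_by, location,
                     f"sha256={self.acquisition_hash}")

    def _append(self, action: str, person: str, location: str, note: str) -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "person": person,
            "location": location,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> bool:
        """True if the item presented matches the hash taken at acquisition."""
        return sha256_hex(image) == self.acquisition_hash

    def transfer(self, to_person: str, location: str, image: bytes) -> bool:
        """Hand the item to a new custodian.

        Returns False, records a discrepancy and leaves the custodian unchanged
        if the hash no longer matches; the receiver must not accept the item.
        """
        if self.verify(image):
            self._append("transferred", f"{self.custodian} -> {to_person}",
                         location, "hash verified: matches acquisition hash")
            self.custodian = to_person
            return True
        self._append("discrepancy", self.custodian, location,
                     f"hash mismatch: got sha256={sha256_hex(image)}; "
                     f"item NOT accepted by {to_person}")
        return False

    def to_json(self) -> str:
        """Serialise the record for inclusion in the forensics report."""
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "acquisition_hash": self.acquisition_hash,
            "current_custodian": self.custodian,
            "entries": self.entries,
        }, indent=2)


if __name__ == "__main__":
    # Constructed walk-through: collect, one clean handoff, one tampered handoff.
    log = CustodyLog("EV-001", "Laptop disk image", "J. Analyst", "Room 4B", SAMPLE_IMAGE)
    log.transfer("Evidence locker", "Basement vault", SAMPLE_IMAGE)
    tampered = SAMPLE_IMAGE[:-1] + b"X"
    log.transfer("Outside lab", "Courier", tampered)
    print(log.to_json())
```

The hash is compared, not the bytes, so the receiving party only needs the acquisition hash (which travels in the log, ideally on a separate channel from the evidence) to verify what they were handed. Encrypting the image for transport is still worthwhile for confidentiality, but the integrity claim in the report rests on the matching hashes.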