Chapter 103 · Flashcards

Digital Forensics — Flashcards

Twelve cards covering RFC 3227, legal hold, chain of custody, cryptographic hashes, volatility order, acquisition types, write blockers, preservation from copies, live collection for encryption, e-discovery vs. forensics, forensic report structure, and mobile device preservation. Click any card to flip it.

What is RFC 3227, and what are its core evidence collection principles?

RFC 3227 (Guidelines for Evidence Collection and Archiving): the internationally recognized best-practice document for digital evidence handling. Core principles: (1) Collect in volatility order — most volatile evidence first (RAM before disk). (2) Avoid modifying evidence — use write blockers, work from copies. (3) Document everything — every action, every tool, every setting used. (4) Maintain chain of custody — documented, unbroken record of all evidence handling. Following RFC 3227 ensures evidence is admissible in legal proceedings and can be independently verified by another analyst.

What is a legal hold, who initiates it, and what does it require of custodians?

Legal hold (litigation hold / preservation order): an obligation to preserve potentially relevant ESI (Electronically Stored Information) when litigation is anticipated or ongoing. Who initiates: legal counsel — not IT, not security. Custodian obligations: (1) immediately stop any deletion or modification of relevant data; (2) preserve all relevant ESI in a separate repository or protected state; (3) maintain this obligation ongoing until legal formally lifts the hold. Scope: all relevant digital information: email, documents, IMs, logs, database records, metadata. A custodian who deletes data after receiving a legal hold notice may face sanctions or obstruction charges.

What is chain of custody, and what five documentation requirements does it impose?

Chain of custody: the documented, unbroken record of every person who handled evidence, every location it was stored, and every action taken on it from initial collection through legal proceedings. A broken chain renders evidence inadmissible. Five requirements: (1) Cryptographic hashes — compute SHA-256 before and after analysis to prove no modification. (2) Digital signatures — authenticate who created and transmitted evidence packages. (3) Labeling/cataloging — unique identifiers, case numbers, descriptions. (4) Physical sealing — tamper-evident packaging; broken seal indicates tampering. (5) Secure storage — locked location; all access logged.

What is the volatility order for evidence collection, and why must it be followed?

RFC 3227 requires collecting evidence from most volatile to least volatile to prevent loss of short-lived data. Order: (1) RAM — lost on power loss or reboot (running processes, encryption keys, network connections). (2) Network connections and routing tables — current state changes rapidly. (3) Running processes — disappear when system reboots. (4) Disk image — stable, persists without power. (5) Firmware — very stable. (6) Removable media and external storage. (7) Backups — least volatile. If disk is collected first and the system is rebooted, RAM evidence is permanently lost. Volatility order prevents irreversible evidence loss.

What six acquisition types are used in digital forensics, and what does each capture?

Disk image: bit-for-bit copy of storage including deleted files and unallocated space. RAM/memory image: running processes, injected code, encryption keys, credentials, network connections — most volatile. Firmware image: UEFI/BIOS level; can reveal rootkits persisting below the OS. OS files: registry hives, event logs, user account data, configuration. VM snapshots: complete VM state at a point in time including RAM and disk — less volatile once saved. Artifacts: browser history, bookmarks, saved logins, recycle bin, temp files, prefetch data, recently accessed files. Each type reveals different evidence; complex investigations require multiple acquisition types.

What is a write blocker, and why is it required for forensic disk imaging?

Write blocker: a hardware device placed between the evidence drive and the forensic workstation that allows data to be read from the drive but prevents any data from being written to it. Why required: connecting an evidence drive to a normal computer can trigger automatic writes (OS mount operations, drive indexing, swap file writes, thumbnail cache creation) that would modify the evidence. A modified drive has a different hash than the original, breaking chain of custody and potentially making the evidence inadmissible. Hardware write blockers operate at the physical/electrical level, making them more reliable than software-only write protection. Always use with original evidence — even when making the initial forensic copy.

What does "work from copies" mean in forensic preservation, and when is live collection required instead?

Work from copies: forensic analysis is always performed on a verified copy (forensic image), never on the original evidence. Reason: any tool malfunction, analysis error, or accidental write modifies a copy, not the original. The original remains untouched for verification and remains admissible. Live collection exceptions: (1) Full-disk encryption: if the system is running with an active decrypted session, powering it off produces an encrypted (unreadable) image — live RAM and disk collection must occur while the system is on. (2) Volatile data: RAM, network connections, and running processes only exist on a live system. Live collection for volatile evidence is not an exception to preservation — it IS preservation of the most important volatile evidence.

What special preservation steps are required for mobile devices?

Mobile devices have unique forensic risks: Remote wipe: an attacker, MDM policy, or device owner can send a remote wipe command that destroys all data. Mitigation: place the device in airplane mode or inside a Faraday bag (RF-shielded container) immediately upon seizure. This prevents cellular, WiFi, and Bluetooth signals from reaching the device, blocking remote wipe commands. Work from the preserved state, not the live device. Additional risks: automatic cloud sync may overwrite local data; screen lock activation may prevent access; biometric authentication may be unavailable after a timeout. Chain of custody for mobile devices must document network isolation method and time.

What are the four components of a complete forensic report?

(1) Summary: non-technical executive summary; describes what happened and the significance of findings for decision-makers. Written for audiences without technical backgrounds. (2) Detailed acquisition method: precise documentation of every tool, setting, evidence item collected, and hash value computed; enables independent verification by another analyst. (3) Findings and analysis: technical evidence — artifacts found, timeline of events, attacker tools and techniques, accounts used, data exfiltrated; each finding linked to specific evidence. (4) Conclusion: synthesizes findings into what the evidence indicates about the incident; must acknowledge uncertainty where evidence is incomplete. Conclusions must be supported by findings, not by assumptions.

What is e-discovery, and how does it differ from digital forensics?

E-discovery: the legal process of collecting, processing, reviewing, and producing electronically stored information in response to legal proceedings. Phases: Collection → Processing (filter/deduplicate) → Review (attorney review for relevance and privilege) → Production (deliver to opposing counsel). Key differences from digital forensics: E-discovery does NOT require forensic analysis — it collects documents, forensics reconstructs events. E-discovery is driven by legal counsel; forensics is driven by the security team. E-discovery output = document production; forensics output = technical report with findings. They can operate simultaneously on the same data but serve different purposes. A legal hold often precedes both.

What is the forensic process sequence, and what must each phase document?

Three-phase forensic process: (1) Acquisition: collection of evidence from digital sources following RFC 3227 volatility order; must document every tool used, hash values before and after, and chain of custody for each item collected. (2) Analysis: examination of acquired evidence (copies, not originals) to identify artifacts relevant to the investigation; must document methodology, tools, search criteria, and all artifacts found. (3) Reporting: documentation of findings in a form suitable for legal proceedings, management, or regulatory bodies; must include summary, acquisition method, findings, and conclusions. The entire process must be reproducible — another analyst following the same methodology must reach the same conclusions using the same evidence.

What forensic artifacts are found under the "artifacts" acquisition category, and why are they forensically valuable?

Artifacts are residual data created by normal user and system activity: Browser history: websites visited with timestamps; reveals attacker reconnaissance and communication. Browser bookmarks and saved logins: reveal accounts the attacker managed or targeted. Recycle bin contents: files "deleted" by the attacker but not yet overwritten; may contain malware samples or exfiltrated data staging. Temp files: partial downloads, extracted archives, decrypted files created during normal operation. Prefetch data: Windows records application execution with timestamps; proves a program was run even if the program itself was deleted. Recently accessed files: OS maintains MRU (most recently used) lists; reveals what was opened. Artifacts often survive after attackers delete their primary tools.