SANS FOR308 Course - Digital Forensics Essentials

More than half of the jobs in the modern world make use of computer systems. Today, the vast majority of people aged 16 to 30 are familiar with, and sometimes proficient in, digital topics. Yet what percentage of these people really understand what goes on under the hood? Do you know what your computer or smartphone can tell others about you? Do you know how easy it is for anyone to access and exploit that information? Are you tired of not understanding what technical people are talking about when they discuss computers, files, data and metadata? Do you know what really happens when a file is deleted? Do you want to learn more about digital forensics and incident response? If you answered "yes" to any of the above, this course is for you. SANS FOR308 is an introductory course aimed at people with a non-technical background, providing, in plain language, a sound understanding of how files are stored on a computer or smartphone. In fact, SANS FOR308 is designed to be a starting point in the SANS catalogue and to lay the groundwork that prepares the student for the more in-depth digital forensics courses.
Many digital forensics and incident response courses focus on the techniques and methods used in these fields and often do not address the core principles: what digital forensics and incident response are, and how digital investigations and digital evidence can be used lawfully. SANS FOR308, by contrast, helps educate the potential users of digital forensics and incident response teams so that they better understand what these teams do and how their services can be used more effectively.


SANS FOR308 Course Syllabus

As noted in the description above, SANS FOR308 is an introductory course in the field of digital forensics and incident response. The syllabus is designed and delivered so that the least possible technical knowledge is required to enter the course. In addition, since the goal of Lian Academy's courses is to prepare the student for the job market, the course syllabus may be changed at the discretion of the course instructor.


Overview

The volume of digital information in the world is growing at a scarily fast rate. In fact, 90 percent of the digital data that exists worldwide today was created within the last two years, and it is not slowing down, with 2.5 quintillion bytes of new data created each and every day.

If you are investigating any matter, whether it is a crime, an administrative or civil issue, or trying to figure out how your network was compromised, you need evidence. If you are gathering intelligence you need information. The simple reality is that these days the vast majority of potential evidence or information that we can use, whether it is for investigations, court, or intelligence purposes, is digital in nature. To effectively conduct digital investigations, one needs to understand exactly what digital evidence is, where to find it, the issues affecting digital evidence, and the unique challenges facing digital evidence. This will allow one to understand the crucial role that digital forensics plays with regards to digital evidence.

Topics

MODULE 1.1: Understanding Digital Investigation

  • Why we need to conduct investigations:
    • Incident response and Threat Hunting
    • Regulatory investigations
    • Media Exploitation
    • Military action
    • Administrative investigations (HR/internal investigations)
    • Auditing
    • Law Enforcement investigations
    • Civil and Criminal litigation

MODULE 1.2: Digital Forensics 101

  • The history and evolution of digital forensics
  • Defining digital forensics
  • The purpose of digital forensics
  • Asking the right questions
  • Knowledge, skills and attributes of digital forensics practitioners
    • First responders
    • Digital forensic investigators
    • Digital forensic analyst
  • Digital Forensics vs Incident Response vs Threat Hunting
  • Digital forensics tools
    • Hardware
    • Software

 

MODULE 1.3: Digital Evidence Overview

  • What is digital evidence?
  • The difference between data and metadata
    • File formats and extensions
    • File system metadata and file metadata
  • The nature of digital evidence
    • Binary and hexadecimal
    • Bits, nibbles, and bytes
    • Converting data between binary, hex and ASCII
  • Disk structures
  • Data structures
    • Filesystems
    • Slack space and keyword searching
    • Memory data structures
    • Network data structures
    • Volatile and non-volatile data structures
    • Allocated and unallocated data
    • File deletion and recovery
  • Data encoding
    • ASCII and Unicode
    • Base64
  • The fragility of digital evidence
    • Understanding how easy it is to alter or change digital evidence
    • The importance of minimizing changes to digital evidence
    • Understanding when it is unavoidable to change digital evidence and how to address it

 

MODULE 1.4: Sources and Digital Evidence

  • Computers and laptops
  • Servers
  • Virtual machines
  • Tablets and mobile devices
  • Removable storage media
  • RAM
  • Network devices and data
  • Embedded/IoT devices
  • Digital evidence in the Cloud
  • ICS/SCADA
  • Drones and vehicles

 

MODULE 1.5: Digital Evidence Challenges

  • Device volumes
    • Number of devices per person is increasing
  • Data volumes
    • The problem of increasing data volumes
    • Do you really need to collect everything?
  • Constantly updated operating systems/apps/services
  • Device support/locked down devices
    • Android and iOS uptake
  • Data corruption and recovery
  • IoT devices and acquisition

Overview

Digital forensics is the core set of principles and processes necessary to produce usable digital evidence and uncover critical intelligence.

CSI and similar television shows have popularized forensics in the public consciousness and increased awareness of forensics. Digital forensics is the forensic discipline that deals with the preservation, examination and analysis of digital evidence. However, television and movies have created misunderstandings about exactly what digital forensics is and does. As a result, many people interested in forensics have no real understanding of what it entails.

These misperceptions have also led lawyers who make use of digital evidence in court, investigators who need digital evidence to solve cases, information security practitioners responding to security incidents, and even people conducting digital forensics to make mistakes in relation to digital evidence, which can have negative consequences.

Digital forensics is crucial to ensure accurate and usable digital evidence, but it is important to understand exactly what it is, what it can do, and how it can be used. If you are a user of digital forensics and digital evidence, understanding exactly how digital forensics works will enable you to better make use of digital forensics and digital evidence. If you are a manager or supervisor of a digital forensic capacity, this will help you understand exactly how it should be functioning and how to build and maintain it. Finally, if you are a prospective digital forensics practitioner or an existing one, this will equip you with the fundamental knowledge and skills that form the core of the digital forensic profession.

Topics

MODULE 2.1: Digital Forensics Principles

  • ACPO guidelines
  • SWGDE guidelines
  • Locard's Exchange Principle
  • The Inman-Rudin Paradigm
    • Transfer
    • Divisibility
    • Identification
  • Digital evidence categorization model
  • Classification/individualization
  • Association
  • Reconstruction
    • Relational analysis
    • Functional analysis
    • Temporal analysis
  • The philosophy of science and the scientific method

 

MODULE 2.2: Documentation and Reporting

  • Understanding the need for documentation
  • Making contemporaneous notes
  • Supporting your documentation with evidence
  • Maintaining the integrity of your documentation
  • Types of documentation
  • Investigation authorization and mandates
  • Case notes
  • Quality assurance documentation
  • Tool validation documentation

 

MODULE 2.3: Quality Assurance in Digital Forensics

  • The digital forensics process
  • ISO 27043
  • The scientific method in digital forensics
  • Forensic process in practice
  • Validation processes
  • Quality assurance

 

MODULE 2.4: Digital Forensics Challenges

  • Rapidly changing technology
    • Moore's Law
    • Koomey's Law
    • Kryder's Law
  • Over-reliance on forensic tools
  • Commercial vs free and open source tools
  • Competency & motivation of practitioners
  • Mental health issues
  • Ongoing education
  • Anti-forensics

Overview

INCIDENT RESPONSE

Incident Response is the core set of principles and processes necessary to allow an organization to successfully respond, react and remediate against potential attack scenarios.

Digital forensics deals with the preservation, examination and analysis of digital evidence. However, Incident Response is often the preceding activity that leads to the requirement to conduct a forensic investigation. If not executed properly, the Incident Response processes and team have the ability to inadvertently disrupt or damage subsequent forensic activities. It is therefore a vitally important aspect of an investigation.

The Incident Response team must be adept at recognizing incidents and responding appropriately to collect and preserve evidence, whilst identifying and containing the incident. This same team is also usually involved in Forensic Readiness planning, which defines what evidence may be useful in a number of attack scenarios and ensures that systems are configured to collect and retain this evidence. Evidence that is collected in advance of an investigation can provide vital clues to a digital forensic investigator and, when used in addition to subsequently acquired data, can provide insights into what data may have changed during specified periods of time that may be pertinent to the case.

Digital Forensics and Incident Response therefore go hand-in-hand and are often referred to by the acronym DFIR. If you are a prospective or current digital forensics practitioner, understanding exactly how incident response works will enable you to better leverage these teams before, during and after investigations to obtain the best and most useful evidence and improve reporting. If you do not plan to build a career in digital forensics, understanding how Incident Response teams and processes work will show you when and how to engage if you suspect an incident may have occurred, and the types of actions on your part that may assist (or impair) any potential investigation, to provide you with the best possible outcome.

Topics

MODULE 3.1: Introduction to Incident Response

  • Defining incident response
  • Incident response processes and best practice
    • Order of volatility
    • Phases of incident response
  • Knowledge, skills and attributes of an incident response team
    • SOC analysts
    • First responders
    • Management
    • Relationships and use of specialists
  • Legal considerations
  • Incident Response tools
    • Hardware
    • Software
    • Grab-bags

MODULE 3.2: Incident Response Standards

  • ISO 27035 - Security Incident management
  • NIST Incident Handling Guide
  • Government guidelines
    • UK - NCSC / CREST
    • US-CERT
    • IT Governance EU
  • Templates for policies and plans

MODULE 3.3: Incident Response Challenges

  • Lack of suitable preparation
    • network diagrams, system details and access
    • out-of-date documentation
  • Over-reliance on tools
  • Malware, antivirus and anti-forensics
    • What is malware?
    • What is antivirus?
  • Sophisticated attacks

Overview

The acquisition of digital evidence is the most critical part of the digital forensics process and as such it must be done right.

Acquiring digital evidence is a crucial component in any investigation. Digital forensics is about finding answers, and if we cannot get to the evidence that we need, which is often stored on devices, in memory, on the wire or wirelessly, or in the Cloud, then we will never be able to get the answers we seek. Getting the digital evidence and selecting the appropriate method to obtain it can mean the difference between success and failure in an investigation.

The acquisition of digital evidence has evolved over the years, and the old way of doing it may not always be the best or most effective way of getting the evidence and may actually compromise an investigation. By understanding the various strategies and methods available to us to acquire digital evidence, informed decisions can be made as to the best method to use in a given situation or environment.

Topics

MODULE 4.1: Forensic Acquisition Principles and Standards

  • Preserving the integrity of digital data
  • Minimizing the alteration of digital data
  • Copying versus imaging
  • Forensic imaging methods
    • Live imaging versus "dead" imaging
    • Triage image, sparse image, full logical images and physical images
  • Write blocking
    • Software based write blocking
    • Hardware write blocking
  • Data verification and integrity preservation
    • Hashing
  • The forensic acquisition processes
  • ISO 27037 forensic acquisition processes
  • SWGDE forensic acquisition guidelines
  • ACPO guidelines

 

MODULE 4.2: Understanding Forensic Images

  • Physical and logical images
  • Forensic image formats
  • Raw image versus forensic image

 

MODULE 4.3: Forensics Acquisition Processes

  • General rules of acquisition
  • Handling and controlling physical evidence
  • Addressing encryption
  • Acquisition types
    • Live acquisitions
    • "Deadbox" acquisitions
    • Network acquisitions
    • Remote acquisitions
    • Cloud acquisitions
    • Mobile acquisition
    • Advanced Extraction Techniques
      • JTAG/ISP
      • Chip off acquisitions

 

MODULE 4.4: Acquisition Challenges

  • Available space vs. drive size
  • Speed of acquisition vs. available time
  • Operating System security
  • Encryption
    • Types of encryption
      • Full Disk Encryption
      • File Based Encryption
      • Single File Encryption
    • Encryption methods
    • Encryption tools
    • Decryption options
  • Acquiring data from the Cloud
  • Damaged devices
  • Unsupported devices
  • Legal authority
    • Obtaining evidence in other jurisdictions - mutual legal assistance treaty
    • Data sovereignty

Overview

The only way to get answers is to ask questions, and the only way to get the right answers is to ask the right questions.

The key purpose of digital forensics is to find answers, and it is through the analysis process that digital forensics transforms raw data into either evidence or intelligence that we can use to answer the questions that we need answered. The use of technology is so integral to our day-to-day activities that it allows us an unprecedented opportunity to reconstruct what has happened in the past, to learn what is happening in the present, and even to predict what may happen in the future, all based on the data available to us.

By understanding digital forensic analysis, we can see how we can ask the right questions in our investigations and intelligence efforts, how we can critically examine and analyze the data at hand in a manner that can withstand scrutiny and finally, understand the types of answers we can get.

 

Topics

MODULE 5.1: What Can Forensic Analysis Prove

  • What are the questions that forensic analysis can provide answers for
    • Who
      • User attribution
      • Assessing alibis and statements
    • What
    • When
      • Timelines
    • Where
      • Location information
    • Why
      • Determining intent
    • How

 

MODULE 5.2: Planning the Examination

  • Understanding what you are investigating
  • Identify what artefacts can answer your questions
    • Types and examples of artefacts and techniques
    • Kitchen sink vs targeted approach (include triage)
  • Documentation

MODULE 5.3: The Art and Science of Forensic Analysis

  • Understanding and applying critical thinking in an investigation
  • Applying the scientific method to forensic analysis
    • Gather information and make observations
    • Form a hypothesis to explain observations
    • Evaluate the hypothesis
    • Draw conclusions
  • Hypothesis formulation
  • Evaluating hypotheses

 

MODULE 5.4: Forensic Examination and Analysis Standards

  • SWGDE standards
  • ISO 27042 guidelines for the analysis and interpretation of digital evidence

 

MODULE 5.5: Forensic Examination and Analysis Challenges

  • Breadth and depth of required knowledge
  • Forensic artifact documentation challenges
  • Tool capability variation
  • Identifying data of interest
  • Stakeholder expectations
  • Analysis scoping and planning
  • Ongoing documentation and notetaking

 

SECTION 6

DOCUMENTING AND REPORTING IN DIGITAL FORENSICS

It doesn't matter how good your technical skills are: if you are not able to effectively document what you have done and report on your findings in a manner that non-technical people understand, your investigation is on shaky ground.

Digital forensics is at its core about getting answers to questions, whether as evidence or intelligence. So, it is important that we can get the answers that we find in our investigations to the right people so that they can make decisions and act on what is found in the digital forensics process.

It is crucial that we are able to effectively communicate these answers to those people who need them, in a manner that is useful to them, and to be able to effectively support our answers. Not only must we be able to communicate effectively, but it is important that the users of these answers understand what our various reports mean and how they can use them effectively. Without effective communication and understanding of what is communicated, all effort expended in the digital forensic process is lost.

Topics

MODULE 6.1: Presenting Your Findings

  • How to communicate technical concepts to non-technical audiences
  • Educating your audience
  • Telling the story
  • Supporting your narrative with evidence
  • Written reports
  • Verbal presentations

MODULE 6.2: Legal Evidence

  • What is evidence
  • The legal requirements for court directed evidence
  • Admissibility
  • Legality
    • Chain of custody
    • Legal processes to secure evidence
    • Consent
    • Organizational policy and contractual frameworks
  • Reliability of the evidence
    • Integrity
    • Relevance
      • Proving legal elements
      • Exculpatory evidence

MODULE 6.3: Testifying in Court

  • Understanding the court process
  • Technical versus expert witnesses
  • The responsibility of a witness
  • The testifying process
  • How to be an effective witness

Overview

Good management of a digital forensic or incident response team is key in allowing an organization to successfully respond to potential attack scenarios and investigate digital evidence.

Management of a DFIR team is crucial to the success or failure of investigations. This includes suitably preparing the team and environment, providing support throughout each case, escalating issues as required, as well as conducting reviews and providing regular feedback. If sufficient management support is not in place at any stage in the lifecycle of an investigation, it may not be possible to proceed, or insufficient analysis may be conducted. Understanding how to build, manage and prepare a DFIR capability is essential.

Digital Forensic Readiness is the key element in preparation to allow an organization to successfully respond to potential attack scenarios and investigate digital evidence. Digital forensic readiness acknowledges and defines the tools, processes and resources that must be in place to allow an organization to suitably deal with Digital Forensic investigations and Incident Response cases. If Readiness policies and processes are not defined properly, digital evidence may be unsuitable or may not be available when required, which can hinder or entirely prevent an investigation. It is therefore a vitally important aspect of pre-investigation planning.

 

MODULE 7.1: Introduction to Forensic Readiness

  • Defining forensic readiness
  • Differences between forensic readiness and incident response

 

MODULE 7.2: The need for Forensic Readiness

  • Use of digital evidence in organizations
  • Forensic readiness and ISO standards
  • Legislation and regulation
  • Benefits of forensic readiness

MODULE 7.3: Building and Managing a DFIR Capacity

  • Building a business case for digital forensics and incident response
  • DFIR service models
  • Building a DFIR capacity
  • Selecting team members
    • Roles
    • Skill sets
    • Complementary Skills
    • Specialist skills to be able to call upon when required
  • Managing a DFIR capacity

 

DIGITAL FORENSICS CHALLENGE

Consolidation of the skills and knowledge learned throughout the course with a hands-on challenge

The best consolidation of new skills and knowledge is through practice. On day 6, you will have the option to undertake an individual hands-on challenge that makes use of the SANS virtual cyber range. Your digital forensics skills are put to the test with a variety of scenarios involving mounting evidence, identifying data and metadata, decoding data and decrypting data. Knowledge of digital forensics and incident response processes and standards will also be tested when answering scoring server questions, to compete for the FOR308 Challenge Coin. These challenges strengthen the student's understanding of digital evidence, digital forensics, and incident response fundamentals, and provide a learning opportunity where more practice on specific skills may be useful.

Topics

  • Data and metadata
  • Converting data
  • Decoding data
  • Decrypting data
  • Identifying file types
  • Mounting evidence
  • Hashing data
  • Digital forensics and incident response processes
  • Digital forensics and incident response standards
  • Documentation and reporting

 

The students who score the highest on the digital forensics fundamentals challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!

According to the SANS Institute, this course has no prerequisites, but we recommend that before taking it you complete the comprehensive Cyber Security Fundamentals course (which covers Network+, Security+, Linux Essentials and Python). A basic understanding of common cyber attacks can also help in grasping the concepts.

  • You will understand what digital forensics is.
  • You will understand what digital evidence is and how it is collected.
  • You will understand how digital forensics can help your organization or your investigations.
  • You will understand the principles and processes of digital forensics.
  • You will become familiar with some of the key challenges in this field.
  • Executive managers of organizations
  • People working in digital forensics
  • People working in information security
  • Lawyers working in cyber security
  • Information security auditors