CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certifications
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governor’s University
B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manger
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required— with a focus on technology.
3. Page 3
– Collecting the evidence.
– After the evidence has been collected.
PACE-IT.
5. Page 5
The first step in basic forensics
is the recognition that forensic
measures need to take place
(i.e., that a security incident
has occurred).
Most of us, hopefully, will not need to deal with a murder mystery
in the workplace. With that said, it is almost a certainty that we
will have to deal with some type of security or legal issue when
supporting an organization’s network.
The response to security and legal issues needs to be done in a
manner such that evidence is recorded and preserved. The first
step is recognizing that something has occurred which needs to
be documented and that evidence needs to be collected and
preserved.
Basic forensic concepts.
6. Page 6
– First responder responsibilities.
» Secure the area and limit who has access to the area as much
as possible; do not power down computer systems.
• This is to protect possible evidence from being contaminated.
• Document anyone who has accessed the area after it has
been secured.
• If necessary, to stop an ongoing computer attack, it is
permissible to unplug the network cable.
» If necessary, escalate the response.
• Depending on the situation, you may need to bring in
specialists or even the police.
» Document the scene thoroughly, including what is on any
computer monitors.
• Polaroid type pictures, not digital pictures, work well as
evidence.
• It may also be necessary to diagram the area.
• Interview any witnesses as soon as possible.
» Start the electronic evidence collection process by order of
volatility.
Basic forensic concepts.
7. Page 7
– Evidence/data collection.
» Electronic evidence is volatile and easily corruptible just
because of what it is, so the order of collection is important.
• Contents of memory – the most volatile of all types of data.
• Swap files – not as volatile as RAM, but still very temporary.
• Network processes – all network processes that are active
on the affected system or systems.
• System processes – all system processes that are active on
the affected system or systems.
• File system information – including the attributes of all files.
• Raw disk blocks – all of the contents on all of the disk drives
of all affected systems.
» After isolating the affected system or systems from the network,
create a bit level image of the system or systems.
• Create two copies of the bit level image and create a
message digest (e.g., an MD5 or SHA hash) of the images to
be able to later prove they have not been tampered with.
• One image should be securely stored to be used as evidence.
• The other image can be examined.
Basic forensic concepts.
9. Page 9
– Chain of custody.
» A document that identifies who collected the evidence, when it
was collected, and who has had access to it.
• A proper chain of custody document can prove that evidence
has been accurately preserved and can also be considered
part of the evidence.
• A chain of custody document will help to ensure that all
evidence is admissible in court.
• A broken chain of custody will negate the collected evidence.
– eDiscovery (electronic discovery).
» In legal situations, the discovery process involves the exchange
of evidence between both sides of a litigation or prosecution
situation.
» eDiscovery refers to the discovery process as it pertains to
electronic data (e.g., email or chat records).
• Once identified in the eDiscovery process, a legal hold is
placed on data identified.
Basic forensic concepts.
10. Page 10
– Legal hold.
» If data is deemed to be possibly relevant in either a prosecution
or litigation situation, all normal processing of that data needs
to cease.
• Requires that backup tapes not be recycled and that the
normal archival process for that data be suspended until the
legal hold is removed.
– Data transport.
» If physical evidence is required to be transported, a chain of
custody document must be created for the transportation
process and it needs to include:
• A description of the evidence.
• The means of transport.
• Who received the evidence.
• Who has had access to the evidence.
» If electronic means of transport are used, a message digest
should also be included to prove that the exact evidence sent is
the evidence that is received.
Basic forensic concepts.
11. Page 11
Once the investigation has
been completed, a forensic
report needs to be created
based on the findings.
During the evidence collection and investigative process, the
characteristics of the evidence (e.g., time stamps and identifying
properties) should have been documented. All of this information
needs to be recorded and analyzed using scientific methods.
Once completed, the forensic report should be able to completely
reconstruct and document the incident.
A forensic report may be used in the litigation or prosecution
process. In addition, a good forensic report may help in the
creation of a better response plan for use in the future.
Basic forensic concepts.
12. Page 12
Basic forensic concepts.
The first step is recognizing that an incident requires the use of forensic
measures. First responder responsibilities: secure the scene, escalate if
necessary, document everything, collect evidence. Collect electronic
evidence in order of volatility: contents of memory, swap files, network
processes, system processes, file system information, and raw block data.
Create two bit images of the affected system, along with a message digest
of the images.
Topic
Collecting the evidence.
Summary
A chain of custody document must be created for the evidence and it is
considered part of the evidence as well. If eDiscovery occurs, the normal
processing of the identified data needs to cease as a legal hold will be
placed on that data. When transporting physical evidence, a chain of
custody document must be created for the transportation process. When
sending electronic data, a message digest needs to be included to prove
the validity of the data. A forensic report should be capable of completely
reconstructing the incident and can be used as evidence and in the creation
of future response plans.
After the evidence has been
collected.
14. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.