Forensic science can be defined as the application of scientific principles to legal matters. In an incident, CSIRT (short for computer security incident response team) members may be called upon to perform analysis on digital evidence acquired during the incident, utilizing digital forensics tools, techniques, and knowledge. To make certain that the evidence is processed correctly and can subsequently be admitted in a courtroom, digital forensics examiners need to understand the legal issues, along with the fine points, of the digital forensics process.
In this chapter, we will examine the legal statutes that impact the CSIRT and digital forensics examiners, as well as the rules that govern how evidence is admitted in court. To provide context to the kinds of actions taken, we will also explore the digital forensics process and, finally, address the infrastructure necessary to incorporate a digital forensics capability into a CSIRT.
We will be covering the following topics in this chapter:
In the last 20 years, we have seen an explosion in the interest in forensic science. Simply put, forensics is the application of science to legal matters. The actual practice of forensics is to take physical and digital evidence through a process of analysis and present scientific findings in a court of law. Despite its depiction within popular media, forensic science is a detailed and exacting process, which requires well-thought-out processes and procedures, technology, and experience.
Forensic science has become integral to a wide range of disciplines, even outside the purview of criminal justice. Air crash investigators use forensic techniques to investigate aircraft failures, for example. Accountants use very similar principles and techniques when conducting investigations into suspected fraud and money laundering schemes. Even the art world, known for historic fakes, employs forensic techniques to verify the authenticity of works of art.
The first high-profile case where forensics played a role was in the Jack the Ripper murders in the late 1800s. Investigators in the London Metropolitan Police were able to identify, collect, and later examine physical evidence left by the unknown perpetrator. Around that time, two other tried-and-true forensic practices, fingerprint comparison and crime scene photography, were added to the growing body of knowledge and practices.
These practices would continue to slowly build based on the available technology until after World War II. This seventy-five-year period would see the inclusion of DNA evidence as a powerful way to identify perpetrators. Technology was applied to tool marks and ballistics. It was also in the latter half of the twentieth century that digital forensics found its way into the various forensic science disciplines.
A key principle that guides forensics is Locard’s exchange principle. Dr. Edmond Locard was a pioneer in the fields of forensics and criminalistics. His contributions to these fields led to many deeming him the Sherlock Holmes of France. His principle, simply put, is that every moment of contact with the physical world leaves a trace. For example, a burglar breaks a window to enter a home. They then crawl through this window and begin to grab the items around them. According to Locard’s exchange principle, the burglar will leave traces of dirt from their shoes on the carpet. Skin and hairs may fall away from their body onto the various surfaces of the home. Without gloves, the burglar might also leave fingerprints on the door handles.
This exchange is a two-way street. As our burglar leaves traces of themself around the house, traces of the house are left on them. Carpet fibers attach to their shoes. Fragments of the broken windows may also embed themselves into the burglar’s footwear and clothing. These pieces of trace evidence can tie the burglar to the scene.
This principle has been in force since the first criminal activity took place. What has changed is the ability of forensic scientists and criminalistic practitioners to detect and analyze this trace evidence. For example, DNA evidence has been around since Cain slew Abel. It is only recently that it has become useful in an investigation because methods and technologies have developed to the point that forensic scientists can definitively prove that biological material can be tied to a specific individual to the exclusion of every other human being.
There are a few considerations to keep in mind about this principle. First, there is a good deal of variation in how long trace evidence can be found. For example, some trace evidence, such as tool marks that are left when a pry bar is used to force open a door, may persist for months or even years. On the other hand, fingerprints exposed to the elements are easily rendered unsuitable days or even hours after they were left. Second, certain processes that maintain the integrity of trace evidence need to be followed. If trace evidence is not collected properly, it can be altered or destroyed, making it completely unusable for investigative purposes. Third, there needs to be a corresponding technology that aids in the analysis of trace evidence. DNA has existed since the dawn of life on Earth. The ability to leverage this trace evidence for investigative purposes relies on the technology to properly compare and analyze DNA samples. Finally, the human element is also present. Trace evidence needs to be handled by trained and qualified analysts who can review the data and draw conclusions.
It may seem a bit odd to be discussing Locard’s exchange principle within the field of digital forensics. The reality is that the same principle that underpins forensics in the physical world has the same applicability in digital forensics. For example, a simple connection to a system via the Microsoft Windows Remote Desktop feature leaves traces. In this case, an external threat actor has obtained valid user credentials and is able to connect through an exposed system. The connection itself would create a log entry on the exposed system. The use of valid credentials to log into the system would create a second log entry. Contained within this log entry is the IP address of the threat actor’s system. This IP address may also be contained within firewall logs. The threat actor would also have log entries and potentially files from the compromised system on their own system.
What is important to understand about Locard’s exchange principle is the concept of trace evidence. Threat actors, like skilled criminals in the physical world, will go to great lengths to cover their tracks, but some trace always remains. The key is having the tools and ability to discover these traces and tie them back to a threat actor.
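The Remote Desktop scenario above, as an added example that is not part of the original chapter: it correlates the logon trace on the exposed host with the firewall's record of the same connection and counts the failed attempts that preceded the success. The event records and firewall lines are constructed, the field layouts (Windows Event ID 4624/4625 with LogonType 10, and a "src= dst= dpt=" syslog style) are assumptions, and so are the organisation's internal address ranges.

```python
"""Correlate the traces an RDP logon leaves on the target host with the
perimeter firewall's view of the same connection.

Added example for this chapter, not code from the original page. The
records below are constructed: the Windows events carry the fields of
Security Event ID 4624/4625 (LogonType 10 = RemoteInteractive) as an
EVTX parser might emit them, and the firewall lines use an assumed
"src= dst= dpt=" syslog layout."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Windows Security log events from the exposed host FS01.
WINDOWS_EVENTS = [
    {"time": "2023-03-04T02:14:07", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "203.0.113.45", "host": "FS01"},
    {"time": "2023-03-04T02:14:05", "event_id": 4625, "logon_type": 10,
     "user": "administrator", "src_ip": "203.0.113.45", "host": "FS01"},
    {"time": "2023-03-04T08:30:12", "event_id": 4624, "logon_type": 2,
     "user": "jdoe", "src_ip": "-", "host": "FS01"},
    {"time": "2023-03-04T09:01:44", "event_id": 4624, "logon_type": 10,
     "user": "helpdesk", "src_ip": "10.20.1.15", "host": "FS01"},
]

# Constructed firewall log; 192.0.2.10 is assumed to be FS01's address.
FIREWALL_LOG = """\
2023-03-04T02:14:03 fw01 ACCEPT src=203.0.113.45 spt=51822 dst=192.0.2.10 dpt=3389 proto=tcp
2023-03-04T02:13:59 fw01 DROP src=198.51.100.7 spt=44001 dst=192.0.2.10 dpt=445 proto=tcp
2023-03-04T09:01:40 fw01 ACCEPT src=10.20.1.15 spt=60010 dst=192.0.2.10 dpt=3389 proto=tcp
"""

FW_LINE = re.compile(
    r"^(?P<time>\S+)\s+\S+\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+"
    r"spt=\d+\s+dst=(?P<dst>\S+)\s+dpt=(?P<dpt>\d+)"
)

# The organisation's internal ranges (assumed); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_firewall_log(text):
    """Parse the assumed firewall format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        records.append({"time": datetime.fromisoformat(m["time"]), "action": m["action"],
                        "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])})
    return records


def is_external(ip):
    """True when the address lies outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" or another placeholder in the event
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def correlate_rdp_traces(events, fw_records, window=timedelta(seconds=60)):
    """One record per successful RDP logon (4624 with LogonType 10).

    For each logon, find the firewall ACCEPT to TCP/3389 from the same
    source address within `window` before the logon, and count failed
    logons (4625) from that address in the same window: a burst of
    failures followed by a success is the classic password-guessing trace."""
    traces = []
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        t_logon = datetime.fromisoformat(ev["time"])
        fw_hits = sorted(
            (r for r in fw_records
             if r["action"] == "ACCEPT" and r["dpt"] == 3389 and r["src"] == ev["src_ip"]
             and timedelta(0) <= t_logon - r["time"] <= window),
            key=lambda r: r["time"], reverse=True)
        failed_before = sum(
            1 for e in events
            if e["event_id"] == 4625 and e["src_ip"] == ev["src_ip"]
            and timedelta(0) <= t_logon - datetime.fromisoformat(e["time"]) <= window)
        traces.append({
            "host": ev["host"], "user": ev["user"], "src_ip": ev["src_ip"],
            "logon_time": ev["time"],
            "firewall_time": fw_hits[0]["time"].isoformat() if fw_hits else None,
            "external": is_external(ev["src_ip"]),
            "failed_before": failed_before,
        })
    return sorted(traces, key=lambda t: t["logon_time"])


if __name__ == "__main__":
    for trace in correlate_rdp_traces(WINDOWS_EVENTS, parse_firewall_log(FIREWALL_LOG)):
        print(trace)
```

The point of the correlation is the two-way exchange: the host's event log and the firewall's connection log each independently record the same source address, so one cannot be quietly edited without the other contradicting it. A logon with no matching firewall record, or a firewall record with no matching logon, is itself a finding worth chasing.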
As we saw in Chapter 1, a proper incident response involves key individuals from a variety of disciplines. This highlights one frequently held misconception: incident response is strictly a technological matter. One realm into which incident response falls heavily is the legal arena. There is a wide range of laws and regulations that directly impact an organization’s incident response capability, ranging from breach notification to privacy. These laws provide a framework for governments to prosecute offenders, as well as provide strict rules concerning topics such as how evidence is handled and presented in court.
In the mid-1980s, as computer crime started to become more prevalent, jurisdictions began crafting laws to address ever-increasing instances of cybercrime. In the United States, for example, federal criminal law has specific statutes that deal directly with criminal activity when utilizing a computer, as follows:
Being familiar with the Electronic Communications Privacy Act (ECPA) is critical for those organizations that have a presence in the United States. Provisions of the law make it a crime for an organization to conduct surveillance and capture traffic on networks, even those under their control, if the users have a reasonable expectation of privacy. This can lead to an organization being held liable for sniffing traffic on its own network if, in fact, its users have a reasonable expectation of privacy. For CSIRT members, this creates potential legal problems if they access network resources or other systems. This can be easily remedied by having all system users acknowledge that they understand their communications can be monitored by the organization and that they have no reasonable expectation of privacy in their communications when using computer and network resources provided by the organization.
Federal rules of evidence serve as the basis by which evidence can be admitted or excluded during a criminal or civil proceeding. Having knowledge of the following rules is important for CSIRT members so that any evidence collected is handled in a manner that prevents contamination and the possibility of the evidence being barred from being seen in court:
Next, we will have a look at the fundamental procedures of digital forensics as they apply to incident response.
As was stated in the previous chapter, digital forensics is an important component of incident response. It is often the application of digital forensics methods that allows incident responders to gain a clear understanding of the chain of events that led to a malicious action, such as a compromised server or other data breach. For other incidents, such as internal fraud or malicious insider activity, digital forensics may provide the proverbial smoking gun that points to the guilty party. Before a detailed examination of tools and techniques available to incident responders, it is critical to address the foundational elements of digital forensics. These elements not only provide context for specific actions but also a method to ensure that evidence made part of an incident investigation is usable.
Law enforcement first started to pay attention to the role that computers play in criminal activity in the mid-1980s. Prior to this, existing laws and law enforcement techniques were not adept at identifying and prosecuting computer criminals. As the use of computers by criminals began to gain more prominence, agencies such as the United States Federal Bureau of Investigation (FBI) decided to incorporate a dedicated digital and forensic investigation capability. This led to the creation of the FBI Computer Analysis and Response Team (CART). Other agencies, such as the Metropolitan Police Service, started to build a capability for investigating cybercrime.
FBI CART information
An excellent historical document that addresses the FBI’s CART is a short article in the United States Department of Justice Crime Laboratory Digest, dated January 1992: https://www.ncjrs.gov/pdffiles1/Digitization/137561NCJRS.pdf.
Two other seminal events brought the need for cyber investigations and forensics into the minds of many. The first was hacker Markus Hess breaking into the Lawrence Berkeley National Laboratory. This break-in might have gone undetected had it not been for the efforts of Clifford Stoll, who hatched a plan to trap the attacker long enough to trace the connection. These efforts paid off and Stoll, along with other authorities, was able to trace the hacker and eventually prosecute him for espionage. (The next chapter will go into Stoll’s efforts in depth, as they not only serve as a key event indicating the need for digital forensics but his investigative techniques also provide insight.)
The second high-profile event was the Morris worm, which was unleashed on the fledgling internet in 1988. The worm, created and released by Robert Tappan Morris, caused the denial of service on several thousand systems, subsequently causing damage worth more than $100,000. A post-incident investigation by several individuals, including Clifford Stoll, found that at least 6,000 systems were infected. The rapid spread of the worm and the damage associated with it led to the creation of the Carnegie Mellon CERT Coordination Center (CERT/CC).
Throughout the 1990s, as more law enforcement agencies began to incorporate digital forensics into their investigative capabilities, the need for the standardization of forensic processes became more apparent. In 1993, an international conference was held to specifically address the role of computer evidence. Shortly thereafter, in 1995, the International Organization on Computer Evidence (IOCE) was formed. This body was created to develop guidelines and standards around the various phases of the digital forensic examination process. In 1998, in conjunction with the IOCE, federal crime laboratory directors created the Scientific Working Group on Digital Evidence (SWGDE). This group represented the United States component of the IOCE’s attempt to standardize digital forensics practices.
As organizations continued to standardize practices, law enforcement agencies continued to incorporate digital forensics in their overall forensic capabilities. In 2000, the FBI established the first Regional Computer Forensic Laboratory (RCFL). These laboratories were established to serve law enforcement at various levels in a variety of cybercriminal investigations. The capability of the RCFL has grown over the last two decades, with 17 separate RCFLs spread across the United States. In addition, other federal, state, and local police agencies have formed task forces and standalone digital forensics capabilities. With ever-increasing instances of computer-related crime, these agencies will continue to perform their critical work.
Much like the incident response process, the digital forensics process defines the flow of digital evidence related to an incident from when it is first identified to when it is presented to either senior leadership or a trier of fact, such as a civil or criminal court. There are several schemas that define this process and they generally follow a similar path for the most part. Here, we will be utilizing the Digital Forensics Research Workshop (DFRWS) digital investigation framework. This framework is depicted in the following diagram:
Figure 3.1 – The digital forensics process
The framework contains six elements:
From an incident response standpoint, personnel will not normally seize network components or critical systems and take them offline unless there is a compelling reason to do so. This is one of the balancing acts inherent in digital forensics and incident response. A purely digital forensics approach will take all relevant evidence, secure it, and process it.
This process can take months, depending on the type of incident. This approach, while thorough and detailed, can leave an organization without critical components for some time. The CSIRT may be able to tell the leadership which chain of events led to a breach after a month-long analysis but this would be pointless if a month’s revenue had been lost.
The examiners assigned to a CSIRT must be ready to balance the need for thoroughness against the need to resume or continue normal operations.
Starting the digital forensic process begins with the identification of potential evidence. This is where the previously discussed Locard’s exchange principle comes into play. This principle can guide the identification of potential sources of evidence during an incident. For example, if a CSIRT is attempting to determine the root cause of a malware infection on a system, it will start by analyzing the infected system. As some malware requires access to a command and control (C2) server, analysts can search firewall connections or proxy logs for any outbound traffic from the infected system to external IP addresses. A review of those connection IP addresses may reveal the C2 server and, potentially, more details about the specific malware variant that has infected the system.
However, it should be noted that threat actors can very easily manipulate digital evidence, so reliance on a single piece of digital evidence without other corroborating evidence should always be treated with caution; it should be verified before it can be trusted.
Once evidence is identified, it is important to safeguard it from any type of modification or deletion. For evidence such as log files, it may become necessary to enable controls that protect log files from removal or modification. In terms of host systems such as desktops, it may become necessary to isolate the system from the rest of the network, through either physical or logical controls, network access controls, or perimeter controls. It is also critical that no users are allowed to access a suspect system. This ensures that users do not deliberately or inadvertently taint the evidence. Another facet of preservation measures has been increased reliance on virtual platforms. Preservation of these systems can be achieved through snapshotting systems and by saving virtual machines on non-volatile storage.
The collection element is where digital forensics examiners begin the process of acquiring digital evidence. When examining digital evidence, it is important to understand the volatile nature of some of the evidence that an examiner will want to look at. Volatile evidence is evidence that can be lost when a system is powered down. For network equipment, this could include active connections or log data stored on the device. For laptops and desktops, volatile data includes running memory or the Address Resolution Protocol (ARP) cache.
The Internet Engineering Task Force (IETF) has put together a document titled Guidelines for Evidence Collection and Archiving (RFC 3227), which addresses the order of volatility of digital evidence, as follows:
It is imperative that digital forensics examiners take this volatility into account when starting the process of evidence collection. Methods should be employed whereby volatile evidence is collected and moved to a non-volatile medium, such as an external hard drive.
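The collection practice described above, as an added example that is not part of the original chapter: a small collector that acquires sources most-volatile-first in the RFC 3227 order, hashes each item at the moment of acquisition, writes the results to a directory standing in for the external drive, and can later prove whether anything in that directory has changed. The acquisition callables return constructed data in place of real collection commands, and the tier names and numbering are ours.

```python
"""Acquire evidence in RFC 3227's order of volatility and record every
item in a manifest on non-volatile storage.

Added example for this chapter, not code from the original page. The
acquisition callables return constructed data standing in for the output
of real collection commands; the tier names paraphrase the RFC's list and
the numbering is ours. The destination directory stands in for the
external drive the text recommends."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# RFC 3227 section 2.1, most volatile first (tier numbers are our own).
VOLATILITY_TIER = {
    "registers_cache": 0,
    "routing_arp_process_table_memory": 1,
    "temporary_file_systems": 2,
    "disk": 3,
    "remote_logging_monitoring_data": 4,
    "physical_configuration_topology": 5,
    "archival_media": 6,
}

# Constructed sources, deliberately listed out of order to show the sort.
SAMPLE_SOURCES = [
    ("disk_image_sda", "disk", lambda: b"\x00" * 4096),
    ("tmp_listing", "temporary_file_systems", lambda: b"/tmp/.x/dropper.sh\n"),
    ("arp_cache", "routing_arp_process_table_memory",
     lambda: b"10.20.1.1 aa:bb:cc:dd:ee:01\n10.20.1.15 aa:bb:cc:dd:ee:0f\n"),
    ("process_table", "routing_arp_process_table_memory",
     lambda: b"PID 4012 /tmp/.x/dropper.sh\nPID 611 sshd\n"),
    ("syslog_server_extract", "remote_logging_monitoring_data",
     lambda: b"Mar  4 02:14:07 fs01 sshd[611]: Accepted password for root\n"),
]


def collect(sources, dest_dir, analyst="examiner"):
    """Acquire each source, most volatile first, hash it as it is acquired,
    and write manifest.json next to the files."""
    # sorted() is stable, so items within one tier keep their listed order
    ordered = sorted(sources, key=lambda s: VOLATILITY_TIER[s[1]])
    manifest = {"analyst": analyst, "items": []}
    for name, tier, acquire in ordered:
        data = acquire()
        file_name = name + ".bin"
        with open(os.path.join(dest_dir, file_name), "wb") as fh:
            fh.write(data)
        manifest["items"].append({
            "name": name, "tier": tier, "file": file_name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    with open(os.path.join(dest_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(dest_dir):
    """Re-hash every file the manifest lists; return the names that no longer match."""
    with open(os.path.join(dest_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    bad = []
    for item in manifest["items"]:
        try:
            with open(os.path.join(dest_dir, item["file"]), "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            digest = None
        if digest != item["sha256"]:
            bad.append(item["name"])
    return bad


def run_demo():
    """Collect into a fresh directory, verify, tamper with one file, verify again."""
    dest = tempfile.mkdtemp(prefix="evidence_")
    manifest = collect(SAMPLE_SOURCES, dest)
    order = [item["name"] for item in manifest["items"]]
    before = verify_manifest(dest)
    with open(os.path.join(dest, "arp_cache.bin"), "ab") as fh:
        fh.write(b"10.20.1.99 de:ad:be:ef:00:00\n")  # simulated tampering
    after = verify_manifest(dest)
    return order, before, after


if __name__ == "__main__":
    print(run_demo())
```

The hash is taken from the bytes in memory, before they touch the destination drive, so a later mismatch distinguishes a faulty copy or a tampered file from a faulty acquisition. Anything that is time-sensitive, such as the ARP cache, is acquired before the disk image, which on a real system can take hours.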
Proper handling and securing of evidence are critical. Mistakes in how evidence is acquired can lead to that evidence being tainted and, subsequently, not forensically sound. In addition, if an incident involves potential legal issues, critical evidence can be excluded from being admitted in a criminal or civil proceeding. There are several key tenets for evidence handling that need to be followed, as listed here:
Evidence handling guidance
There is a wide range of resources available from various law enforcement agencies on proper evidence handling in the field. You should become familiar with these procedures. The following guides are utilized by law enforcement agencies:
Chain of custody describes the documentation of a piece of evidence through its life cycle. This life cycle begins when an individual first takes custody of the piece of evidence and ends when the incident is finally disposed of and the evidence can either be returned or destroyed. Maintaining a proper chain of custody is critical. In the event that a piece of evidence has to be brought into a courtroom, any break in the chain of custody can lead to the piece of evidence being excluded from ever being admitted into the proceedings. It is therefore critical to ensure that the entire life cycle of the piece of evidence is recorded.
There are two primary ways that a CSIRT can record and maintain the chain of custody of a piece of evidence.
The first is electronically. There are manufacturers that provide organizations such as forensic laboratories or law enforcement agencies with hardware and software that automates the chain of custody process for evidence. These systems utilize unique barcoded stickers for each piece of evidence. A scanner then creates an electronic trail as it reads these barcodes.
The second method for creating and maintaining a chain of custody is the paper and pen method. This method makes use of paper forms that contain the necessary information to start and maintain a chain of custody. While the paper and pen method can be a bit cumbersome and requires more due diligence to ensure that the form is safeguarded from destruction or manipulation, it is a much more cost-effective solution for smaller CSIRTs that may not have the resources necessary to implement an automated solution.
In terms of what a proper chain of custody form contains, there are several sections, each with its own details that need to be provided. The following screenshot shows a template chain of custody form (an editable chain of custody form is available from NIST at https://www.nist.gov/document/sample-chain-custody-formdocx).
Figure 3.2 – The evidence chain of custody form
The first section that needs to be completed is the Incident Information section, as shown in Figure 3.3. The Intake ID field requires a unique identifier for the case or incident. This can be an incident number or a ticketing system number. The second field, Analyst, documents the analyst that is completing the first sections of the chain of custody form. Finally, each separate evidence item needs a Submission number. This ensures that each has its own separate chain of custody form.
Figure 3.3 – The Incident Information section on a chain of custody form
The second of these sections is a detailed description of the item. It may seem redundant to include several different elements but digital forensics is about details. Having the information recorded leaves no doubt as to its authenticity. This description should contain the following elements:
A completed first section for the chain of custody form will look like this.
Figure 3.4 – The Electronic Media Details section on a chain of custody form
An alternate section can be used in circumstances where the evidence may be a logical file, such as log files or images captured during the investigation. These include the following elements:
A completed Image or File Details section of the chain of custody form will look like this.
Figure 3.5 – The Image or File Details section on a chain of custody form
The next section details the specific steps that the piece of evidence went through in its life cycle. For each stage, the following details should be captured:
The following screenshot is a sample of the movement of the hard drive recorded in the previous screenshot. Each movement of each individual piece of evidence is recorded here. The first move is the actual seizure of the drive from the system. In this case, there is no individual custodian, as the drive has been taken from the data center. What is critical is that the author is the custodian of the drive until he can transfer it to Carol Davis of IRProactive for analysis. The details are as follows:
Figure 3.6 – Chain of custody details
The chain of custody is maintained throughout the life of the piece of evidence. Even when the evidence is destroyed or returned, an entry is made in the chain of custody form. These forms should be maintained with any other material generated by the incident and made part of any subsequent report that is created.
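The chain of custody form described above, as an added example that is not part of the original chapter or the NIST form: the same sections (incident information, item description, one entry per movement) kept as a hash-chained log, so that an edit to any earlier entry invalidates every entry after it. The transfers follow the movements described for the seized hard drive; all names, dates and serial numbers are constructed, and the item description fields are assumed.

```python
"""A chain-of-custody record kept as a hash-chained, append-only log.

Added example for this chapter, not code from the original page or the
NIST form. The sections mirror the form described in the text (incident
information, item description, one entry per custody transfer); linking
each entry to the hash of the previous one is our addition, so that a
later edit to any entry is detectable. Names, dates and serial numbers
are constructed."""
import hashlib
import json


def canonical_hash(obj):
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    def __init__(self, intake_id, analyst, submission_no, item):
        # Incident Information and item description sections of the form.
        self.header = {"intake_id": intake_id, "analyst": analyst,
                       "submission_no": submission_no, "item": item}
        self.entries = []

    def add_transfer(self, when, released_by, received_by, purpose, method):
        """Append one movement of the item; the entry commits to the previous hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else canonical_hash(self.header)
        entry = {"seq": len(self.entries) + 1, "when": when, "released_by": released_by,
                 "received_by": received_by, "purpose": purpose, "method": method,
                 "prev_hash": prev}
        entry["entry_hash"] = canonical_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of first bad entry)."""
        prev = canonical_hash(self.header)
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or canonical_hash(body) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None

    def to_json(self):
        return json.dumps({"header": self.header, "entries": self.entries}, indent=2)


def build_sample_record():
    """The movements of the seized hard drive, with constructed details."""
    item = {"description": "3.5in SATA hard drive removed from server FS01",
            "manufacturer": "Example Corp", "model": "EX-2000",
            "serial": "EX2K-00012345",
            "image_sha256": "0" * 64}  # placeholder; a real form records the image hash
    coc = ChainOfCustody("IR-2023-0042", "A. Examiner", 1, item)
    coc.add_transfer("2023-03-04T11:20:00Z", "none (data center, rack 4)", "A. Examiner",
                     "seizure", "hand carry")
    coc.add_transfer("2023-03-04T15:05:00Z", "A. Examiner", "Carol Davis, IRProactive",
                     "forensic imaging and analysis", "hand carry, sealed evidence bag")
    coc.add_transfer("2023-03-11T09:00:00Z", "Carol Davis, IRProactive", "A. Examiner",
                     "return to evidence locker", "courier, tamper-evident seal")
    return coc


if __name__ == "__main__":
    record = build_sample_record()
    print(record.to_json())
    print("chain intact:", record.verify())
```

The first entry has no releasing custodian, exactly as in the seizure from the data center described above; the field is filled with an explicit "none" rather than left blank so that a later reader cannot mistake it for an omission. The hash chain does not replace signatures or a locked cabinet, but it does turn "was this form altered?" into a question the form itself can answer.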
The examination phase details the specific tools and forensic techniques that are utilized to discover and extract data from the evidence that is seized as part of an incident. For example, in a case where malware is suspected to have infected a desktop system as part of a larger attack, the extraction of specific information from an acquired memory image would take part at this stage. In other cases, digital forensics examiners may need to extract Secure Shell (SSH) traffic from a network capture. The examination of digital evidence also continues the process of proper preservation, in that examiners maintain evidence with the utmost care during the examination. If the digital forensics examiner does not take care to preserve the evidence at this stage, there is the possibility of contamination, which would result in the evidence being unreliable or unusable.
Once the examination phase has extracted potentially relevant pieces of data, the digital forensics examiner then analyzes the data, considering any other relevant data obtained. For example, if the digital forensics analyst has discovered that a compromised host has an open connection to an external IP address, they would then correlate that information with an analysis of a packet capture taken from the network. Using the IP address as a starting point, the analyst would be able to isolate that traffic. From here, the analyst may be able to determine that the compromised host is sending out a beacon to a C2 server. From here, using additional sources, the analyst may be able to determine which attack vector is linked to that IP address.
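The beacon analysis above, and the identification step earlier in which outbound connections from an infected host are searched for C2 candidates, as one added example that is not part of the original chapter: it groups outbound connections per destination, discards internal destinations, and flags a destination as a beacon when the host contacts it repeatedly at near-constant intervals. The proxy log lines are constructed, the "src= dst= dport=" layout and the thresholds are assumptions, and the internal ranges are assumed to be the RFC 1918 networks.

```python
"""Find beaconing from a compromised host in proxy or firewall logs.

Added example for this chapter, not code from the original page. The log
lines are constructed; the "src= dst= dport=" layout, the internal ranges
(RFC 1918) and the thresholds (at least 5 connections, coefficient of
variation of the interval at most 0.15) are assumptions."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

PROXY_LOG = """\
2023-03-04T02:00:00 src=10.20.1.15 dst=198.51.100.23 dport=443 bytes=1402
2023-03-04T02:00:05 src=10.20.1.15 dst=10.20.1.1 dport=53 bytes=80
2023-03-04T02:00:30 src=10.20.1.15 dst=203.0.113.80 dport=443 bytes=58214
2023-03-04T02:00:41 src=10.20.1.15 dst=203.0.113.80 dport=443 bytes=1190
2023-03-04T02:01:01 src=10.20.1.15 dst=198.51.100.23 dport=443 bytes=1398
2023-03-04T02:01:05 src=10.20.1.15 dst=10.20.1.1 dport=53 bytes=80
2023-03-04T02:02:00 src=10.20.1.15 dst=198.51.100.23 dport=443 bytes=1402
2023-03-04T02:02:05 src=10.20.1.15 dst=10.20.1.1 dport=53 bytes=80
2023-03-04T02:02:30 src=10.20.1.16 dst=198.51.100.23 dport=443 bytes=1402
2023-03-04T02:03:02 src=10.20.1.15 dst=198.51.100.23 dport=443 bytes=1401
2023-03-04T02:03:05 src=10.20.1.15 dst=10.20.1.1 dport=53 bytes=80
2023-03-04T02:03:59 src=10.20.1.15 dst=198.51.100.23 dport=443 bytes=1402
2023-03-04T02:04:05 src=10.20.1.15 dst=10.20.1.1 dport=53 bytes=80
2023-03-04T02:05:00 src=10.20.1.15 dst=198.51.100.23 dport=443 bytes=1400
2023-03-04T02:07:10 src=10.20.1.15 dst=203.0.113.80 dport=443 bytes=7720
2023-03-04T02:08:00 src=10.20.1.15 dst=203.0.113.80 dport=443 bytes=3311
2023-03-04T02:45:00 src=10.20.1.15 dst=203.0.113.80 dport=443 bytes=15000
"""

LINE = re.compile(r"^(?P<time>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_proxy_log(text):
    """Parse the assumed log layout; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append({"time": datetime.fromisoformat(m["time"]), "src": m["src"],
                            "dst": m["dst"], "dport": int(m["dport"])})
    return records


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_beacons(records, src_host=None, min_connections=5, max_cv=0.15):
    """Return (src, dst, dport) groups whose connection intervals are regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between successive connections: a scheduled check-in scores
    near zero, ordinary browsing to the same site scores far higher."""
    groups = defaultdict(list)
    for r in records:
        if src_host and r["src"] != src_host:
            continue
        if is_internal(r["dst"]):  # identification step: only external destinations
            continue
        groups[(r["src"], r["dst"], r["dport"])].append(r["time"])

    candidates = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                               "mean_interval": mean, "cv": cv,
                               "first_seen": times[0].isoformat(),
                               "last_seen": times[-1].isoformat()})
    return sorted(candidates, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in find_beacons(parse_proxy_log(PROXY_LOG), src_host="10.20.1.15"):
        print(c)
```

In the constructed log, the regular contacts with 198.51.100.23 score a coefficient of variation near 0.03, the irregular traffic to 203.0.113.80 scores well above the threshold, and the equally regular but internal DNS queries are excluded at the identification step. Threat actors can add jitter to a beacon, which raises the coefficient of variation; the threshold is therefore a starting point for the analyst, not a verdict, and the candidate address still has to be checked against other sources before it is called C2.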
The reporting of facts related to digital forensics needs to be clear, concise, and unbiased. In nearly all instances, a forensic examiner will be required to prepare a detailed written report, which addresses every action and captures the critical data required. This report should be thorough, accurate, and without opinion or bias. This report will often be made part of a larger incident investigation and aids in determining the root cause of an incident.
Another aspect of presentation is the role that a forensic examiner might play in a criminal or civil proceeding. Testifying in court may be required if the incident under investigation has yielded a suspect or other responsible party. It is during this testimony that the forensic examiner will be required to present the facts of the forensic examination, in much the same dispassionate manner as the report. The examiner will be required to present facts and conclusions without bias and may be limited in the opinions they are allowed to offer. How an examiner will be allowed to testify is often dependent on their training and experience. Some may be limited to presenting the facts of the examination. Once an examiner has acquired sufficient skills and has been qualified by the court as an expert witness, they may be permitted to offer an opinion.
Digital forensics is an exacting process, which involves the use of proper tools, techniques, and knowledge in order to extract potential evidence from systems. It is imperative that forensic examiners have a location that is separate from normal business operations. The best approach to achieving this separation is to provide CSIRT members directly involved in the examination of digital evidence with a location that is completely separate from the rest of the organization. A digital forensics lab should have several key features to ensure that examiners have the necessary privacy, but also to ensure the integrity of the evidence while it is being examined.
Access to the forensic lab needs to be strictly controlled. In order to maintain a chain of custody, only those with a justifiable need should be allowed access to the lab. This limitation is necessary to remove any chance that the evidence can be tampered with or destroyed. The lab should therefore remain locked at all times. Ideally, access should be granted via access cards or fobs, with a central management system granting access. This allows for a complete reconstruction of all personnel who access the laboratory within a specific time period.
The laboratory should also contain evidence lockers so that evidence can be properly stored while not being examined. Lockers should be secured, either through an onboard lock or through the use of a combination lock. The keys to these lockers should be secured within the laboratory and access should only be given to examiners. If the organization has adequate resources, each specific incident should have its own locker, with all the evidence contained within a single locker. This reduces the chance of digital evidence becoming commingled.
The climate and humidity should be controlled in much the same way as in any data center and should be set to the appropriate levels.
Depending on the specific examinations to be performed, it may become necessary to remove screws or cut wires. Having a small set of hand tools will be convenient for examiners. The laboratory should also be stocked with boxes for securing evidence. If examiners may have to process smartphones or tablets, Faraday bags should be available. These bags allow examiners to isolate a smartphone or tablet from the cellular network while still maintaining a power source.
The laboratory should have sufficient computers and other hardware to perform a variety of necessary functions. Examiners will be tasked with imaging hard drives and processing gigabytes of data. As a result, a forensic computer with sufficient RAM is necessary. While there are personal preferences for the amount, a minimum of 32 GB of RAM is recommended. In addition to memory and processing power, examiners will often be looking at a large amount of data. Forensic workstations should have a primary OS drive that can contain forensic software and a secondary drive to hold evidence. The secondary drive should contain 2 TB of storage or more.
In addition to a forensic workstation, the examiner should also be provided with an internet-connected computer. The forensic workstation should have no internet connection to maintain security, but also to guard against the possible corruption of evidence during an examination. A secondary machine should be used to conduct research or write reports.
Another critical piece of equipment is a physical write blocker. This device sits between a hard drive seized as evidence and the forensic imaging machine. The critical difference between a physical write blocker and a plain USB or Thunderbolt adapter is that the blocker intercepts write commands in hardware, so the digital forensics examiner can be sure that no data is written to the evidence drive, not even the mount-time or journal updates an operating system makes on its own. Figure 3.7 shows the Tableau eSATA Forensic Bridge physical write blocker:
Figure 3.7 – A physical write blocker
For digital forensics laboratories that conduct a higher number of imaging tasks, there is the option of including a dedicated forensic imaging station. This allows for quicker imaging of evidence drives and does not tie up a forensic workstation. The drawback is its expense: if the CSIRT member does not see a performance drop without it, it may be hard to justify such an expense.
The CSIRT should also invest in an inventory of high-capacity external USB drives. These are much easier to work with and use in the imaging process than traditional SATA or IDE drives. These drives are utilized to store an evidence drive image for further analysis. The CSIRT member should have at least six of these high-capacity drives available. Drives that have 2 TB to 3 TB of storage space can possibly store several images at a time. Smaller USB drives are also useful to have on hand to capture log files and memory images for later processing. With any of these USB drives, choosing USB 3.0 or later allows for faster processing as well.
Finally, digital forensics examiners that support a CSIRT should have a durable case to transport all the necessary hardware, in the event they have to conduct an off-site examination. Many of these tools are fragile and would not stand the pounding enacted by baggage handlers at the local airport. The CSIRT should invest in at least two hard-sided cases, such as those used for electronic or photographic equipment. One case can transport hardware such as external hard drives and the second can transport a forensics laptop and minimize the potential damage caused by rough handling.
There are a number of software tools on the commercial and freeware market today. A digital forensics laboratory should have access to several tools to perform similar functions. At a minimum, the lab should have software that can perform imaging of evidence drives, examine images, analyze memory captures, and report findings.
There are several different types of forensic software that a digital forensics analyst can utilize. The first of these is forensic applications. These applications are purpose-designed to perform a variety of digital forensics tasks. They are often commercially available and are widely used in law enforcement and government communities, as well as in private industry. The following four forensic applications are the most common and widely deployed:
Use validated tools
There are several high-profile cases where digital forensics tools were called into question. In the United States, Casey Anthony was on trial for the murder of her daughter. During the trial, the prosecution submitted Anthony's internet browser history as evidence. The history was extracted with the tool CacheBack. A review of this software by the tool's author found that it had a bug that over-reported the number of times a page had been visited. There is little evidence that the tool had an impact on the jury deliberations, but it does serve as a lesson to ensure that the tools used in digital forensics, specifically in cases that may proceed into the legal arena, are validated: tested against evidence with a known answer before they are used on a case, with the validation documented and repeated for each new tool version, and with key results cross-verified using a second tool.
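The following is an added example of what tool validation looks like in practice; it is not code from the chapter, and the two "imagers" are hypothetical stand-ins rather than any real product. The reference evidence file is constructed test data whose hash is known before any tool runs. The harness then checks the tool's self-reported hash, an independently computed hash of the image it produced, and the sizes. The defective stand-in shows why the tool's own report is not enough: it hashes everything it reads but silently drops a trailing partial block, so its reported hash is correct while its image is not.

```python
"""Tool-validation harness: run an imaging tool against evidence you built
yourself, then check its result against an independent computation.
Added example for this chapter; the two 'imagers' are stand-ins, not any
real product, and the reference file is constructed test data."""
import hashlib
import os
import random
import tempfile

CHUNK = 4096  # read/write block size used by the stand-in imagers


def make_reference_evidence(path, size=10 * CHUNK + 123, seed=7):
    """Write a deterministic pseudo-random file and return its SHA-256.

    The size is deliberately not a multiple of CHUNK so that a tool which
    mishandles the final partial block is exposed. The expected hash is
    known before any tool runs, which is what makes this a validation."""
    data = bytes(random.Random(seed).getrandbits(8) for _ in range(size))
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Independent hash of a file, used to verify the produced image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def good_imager(src, dst):
    """Bit-for-bit copy; returns the hash the tool reports for the source."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
            h.update(block)
    return h.hexdigest()


def buggy_imager(src, dst):
    """Hypothetical defective tool: it hashes every block it reads but only
    writes full blocks, silently dropping a trailing partial one. Its
    self-reported hash is therefore correct while its image is not."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            if len(block) == CHUNK:
                fout.write(block)
    return h.hexdigest()


def validate(imager, label):
    """Return a validation record for one imaging tool.

    Three independent checks must all hold: the tool's reported hash
    matches the known source hash, the image on disk hashes to the same
    value, and the sizes match. Keep the returned record with the lab's
    tool-validation documentation and repeat it for each new tool version."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "reference.bin")
        img = os.path.join(workdir, "reference.dd")
        expected = make_reference_evidence(src)
        reported = imager(src, img)
        image_hash = sha256_file(img)
        size_match = os.path.getsize(src) == os.path.getsize(img)
    return {
        "tool": label,
        "expected": expected,
        "reported": reported,
        "image_hash": image_hash,
        "size_match": size_match,
        "passed": expected == reported == image_hash and size_match,
    }


if __name__ == "__main__":
    for fn, name in ((good_imager, "good_imager"), (buggy_imager, "buggy_imager")):
        rec = validate(fn, name)
        print(f"{rec['tool']:13s} passed={rec['passed']} size_match={rec['size_match']}")
        print(f"  reported   {rec['reported']}")
        print(f"  image hash {rec['image_hash']}")
```

The same pattern applies to a real imager: point it at a drive or file whose hash you computed beforehand, hash the output with a tool other than the imager, and keep the record. A tool that passes only on inputs that are a multiple of its block size would slip past a validation that used a conveniently sized test file, which is why the reference size here is chosen not to be.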
There is also a wide range of Linux distributions that have been created for digital forensics purposes. These distributions, often provided for free, offer tools that can aid a digital forensics investigator. They fall into two main types. The first is distributions intended to run from bootable CD/DVD or, more commonly these days, USB media. These are useful for conducting triage or obtaining access to files without having to image the drive. The examiner boots the system under investigation into the Linux distribution rather than into its installed operating system. Unlike a general-purpose live distribution, a forensic boot distribution is configured not to automatically mount, swap to, or otherwise write to the internal disks; the examiner should still confirm that the evidence volume is mounted read-only before accessing any files, since any write alters the evidence. There are a number of these distributions available.
The following are two that are popular with digital forensics examiners: DEFT (Figure 3.8) and CAINE (Figure 3.9).
Figure 3.8 – The DEFT digital forensics OS
Figure 3.9 – The CAINE digital forensics OS
Another category of Linux distributions is those designed as platforms for conducting examinations of evidence such as disk images, RAM captures, and network evidence. These are installed on the examiner's own workstation or virtual machine rather than booted on the system under investigation. Several are available: the SANS SIFT Workstation, CSI Linux, and REMnux, the last of which is focused on malware analysis. They are shown in the following figures:
Figure 3.10 – The SANS SIFT Workstation
Figure 3.11 – The CSI Linux digital forensics OS
Figure 3.12 – The REMNUX digital forensics OS
One facet of incident response that can present a challenge to CSIRT team members is the possibility that they may have to respond to incidents outside their own location. Off-site response is quite common in larger enterprises and is even the norm in CSIRTs that consult for other organizations. As a result, CSIRTs may often have to perform the entire response at another location, without the support of a digital forensics laboratory. With this challenge in mind, CSIRTs should prepare several jump kits. These kits are preconfigured and contain the hardware and software necessary to perform the tasks a CSIRT would be called upon to carry out during an incident. These kits should be able to sustain an incident investigation throughout the process, with the CSIRT identifying secure areas at the incident location in which to store and analyze evidence.
Jump kits should be portable, able to be configured to fit within a secure hard-sided case, and ready to be deployed at any time. CSIRTs should ensure that after each incident, the jump kit is restocked with any items that were utilized in the last incident, and that hardware and software are properly configured so that analysts can be confident in their availability during an incident. An example of a jump kit can be seen in the following photo.
Figure 3.13 – A digital forensics jump kit
At a minimum, a jump kit should contain the following:
Figure 3.14 – Contents of a jump kit
Congratulations on successfully completing this chapter!
Incident response spans a wide range of disciplines, from legal to scientific. CSIRT members responsible for conducting digital forensics examinations should be very familiar with both the legal and the technical aspects of digital forensics. In addition, they should be familiar with the wide variety of tools and equipment necessary to acquire, examine, and present data discovered during an examination. The proper application of forensic techniques is critical to providing insight into the chain of events that led to the deployment of the CSIRT to investigate an incident. In this chapter, we first delved into the various legal aspects of digital forensics, such as the rules of evidence and laws pertaining to cybercrime. Next, we discussed the science of digital forensics, providing an understanding of how techniques should be applied to investigations. To enhance this knowledge, we looked at how these techniques fit into a framework of digital investigations. We then conducted an overview of the various tools available to digital forensics examiners.
In the next chapter, we are going to tie digital forensics into an investigative methodology for incident response.