Digital Forensics Fundamentals

Digital forensics is a branch of forensic science that applies “scientific” tests or techniques to the detection of crime, the key word in that definition being “scientific”. The ultimate test of a scientific process is whether a third party can repeat it and arrive at the same conclusion.

An investigator or analyst must perform the necessary steps both before and after acquiring evidence during an incident. The investigator must ensure the integrity of the evidence (hashing) and document how the evidence is handled throughout the whole investigation (chain of custody), so that it remains valid when the investigator is asked to deliver the evidence to the court or to the executives.

Chain of custody is the most fundamental concept in any forensic investigation. It refers to the series of processes and documents that track how the evidence is handled throughout the investigation: from the moment the evidence is collected, through transfer and analysis, while maintaining its integrity, to its final delivery. The chain of custody must be documented well enough to demonstrate its accuracy throughout the whole investigation.

Why must this be done?

The chain of custody avoids a situation that could throw out an entire case, and that may blow back on the investigator, if the accused claims that the evidence was tampered with or spoiled. A responsible and well-documented chain of custody protects the investigator from this kind of situation. An investigator must have proof, such as photographs or logs, that the evidence is kept in a highly secured environment, and this proof is important to include in the documentation.

This portion of digital forensics helps the investigator avoid directly analyzing the original evidence itself. It ensures that the investigator has only READ-ONLY permission when analyzing the evidence, which ensures that there is no tampering with or manipulation of evidence that might be used to throw the whole case out.

Every single action an investigator takes during the course of an investigation must be documented. This is to ensure that the scientific integrity of the work remains intact. For your work to be considered admissible and valid, a totally different investigator should be able to work on the same evidence, run the same tests, and come to the same conclusion as you did. This includes keeping a copy of the digital fingerprints of all evidence gathered during acquisition, to ensure the evidence’s integrity throughout the investigation and to prove that the evidence has not been changed, tampered with, or spoiled.
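As an added example (not part of the original notes), the hashing and custody logging described above in a small Python script: the evidence is fingerprinted in a read-only pass at acquisition, every hand-over is logged, and the stored hashes are re-checked before analysis. The image file name, handler names and image bytes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images never load into RAM


def fingerprint(path):
    """Digital fingerprint of the evidence file: MD5 and SHA-256 from a read-only pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:  # "rb" opens read-only; the evidence is never written
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_custody(log, event, path, handler, hashes):
    """Append one chain-of-custody entry: who did what to which item, when, with what hashes."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event,  # "acquired", "transferred", "analysed", ...
        "item": os.path.basename(path),
        "handler": handler,
        **hashes,
    })
    return log


def verify_integrity(path, expected):
    """True only if every hash recorded at acquisition still matches the file."""
    return fingerprint(path) == expected


def demo():
    """Constructed walk-through: acquire, hand over, then catch a modified copy."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "host01-memory.raw")  # constructed, not a real dump
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed memory image bytes")
        log = []
        acquired = fingerprint(image)
        record_custody(log, "acquired", image, "analyst A", acquired)
        record_custody(log, "transferred", image, "analyst B", fingerprint(image))
        intact_before = verify_integrity(image, acquired)
        with open(image, "ab") as fh:  # simulate the write an analyst must never make
            fh.write(b"!")
        return intact_before, verify_integrity(image, acquired), len(log)
```

The second value returned by demo() is False because a single appended byte changes both hashes, which is exactly the discrepancy a second investigator would flag.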

2 Stages of Memory Forensics

Memory acquisition involves copying the contents of volatile memory to non-volatile storage. This is arguably one of the most important and precarious steps in the memory forensics process. Tools commonly used for this step include:

MagnetRAM
Belkasoft RAM
DumpIt RAM
FireEye Memoryze
OSForensics
Velociraptor

Memory analysis is the task the investigator performs right after acquiring the volatile memory (RAM) of the infected system. This stage requires an understanding of the operating system, since the analyst is tasked with extracting evidence and the specific information that supports the incident investigation. Commonly used Volatility plugins at this stage include:

pslist
handles
yarascan
mftparser
ldrmodules
netscan