Attacks/Breaches
1/11/2016 11:30 AM
Jason Sachowski
Commentary

7 Criteria For Enriching Digital Evidence

Context is the essential ingredient that is missing from many digital forensic investigations.

Digital forensic investigations are, for the most part, conducted in direct response to an incident. With such a reactive approach, investigators are under great pressure to gather and process digital evidence before it has been modified or is no longer available.

There are practical and realistic scenarios where a more proactive approach to gathering digital evidence can ease tension during forensic/incident response activities. (See How ‘Digital Forensic Readiness’ Reduces Business Risk.) But what is often overlooked in these situations is the need to supplement the data content with relevant context.

Here are seven examples of criteria that can be used to enhance the relevance of digital evidence during a forensic investigation.

Time Synchronization

When it comes to analyzing digital evidence collected from different systems and/or devices, time synchronization is a major factor in establishing a chronology. Using Network Time Protocol (NTP) set to Greenwich Mean Time (GMT), with the time zones of each system configured locally, is the best practice for establishing consistent and verifiable timestamps to ensure digital evidence can be correlated, corroborated, and chronologically ordered during a forensic investigation.
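The correlation step the paragraph describes, as an added example that is not part of the original article: logs from three hosts that write local time are normalized to one UTC reference, with a measured clock error removed for the one host that is out of sync. Hosts, zone offsets, clock errors and log lines are constructed; the zone offsets are the standard-time values for the January dates used (a real tool would use zoneinfo so daylight-saving changes are handled).

```python
# Added example (not from the article): build one UTC chronology from logs
# written in different local time zones. Hosts, zone offsets, clock errors
# and log lines are constructed; offsets are standard-time values for the
# January dates used (a real tool would use zoneinfo to handle DST).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Per-host: configured local UTC offset (hours) and the clock error in
# seconds measured against the NTP reference at collection time.
HOSTS = {
    "web01":  {"utc_offset_h": -5, "clock_error_s": 90},  # New York, runs 90 s fast
    "db01":   {"utc_offset_h": -8, "clock_error_s": 0},   # Los Angeles, in sync
    "mail01": {"utc_offset_h": 9,  "clock_error_s": 0},   # Tokyo, in sync
}

# Constructed log lines: "<host> <local date> <local time> <message>"
RAW_LOGS = [
    "web01 2016-01-11 10:31:40 POST /upload from 203.0.113.5",
    "db01 2016-01-11 07:30:25 SELECT * FROM customers by app_user",
    "mail01 2016-01-12 00:30:55 outbound message to external domain",
]

@dataclass(order=True)
class Event:
    utc: datetime
    host: str
    message: str

def normalize(line: str) -> Event:
    """Convert a line's local timestamp to UTC and remove the host's clock error."""
    host, date, clock, message = line.split(" ", 3)
    cfg = HOSTS[host]
    local_tz = timezone(timedelta(hours=cfg["utc_offset_h"]))
    local = datetime.fromisoformat(f"{date} {clock}").replace(tzinfo=local_tz)
    utc = local.astimezone(timezone.utc) - timedelta(seconds=cfg["clock_error_s"])
    return Event(utc, host, message)

def build_timeline(lines) -> list:
    """Events from all hosts ordered on the common UTC reference."""
    return sorted(normalize(line) for line in lines)

def naive_order(lines) -> list:
    """Hosts ordered by timestamps as written, ignoring zones and clock error."""
    return [line.split(" ", 1)[0] for line in sorted(lines, key=lambda l: l.split(" ", 3)[1:3])]

if __name__ == "__main__":
    print("naive:", naive_order(RAW_LOGS))  # db01 first: the query before the upload
    for ev in build_timeline(RAW_LOGS):
        print(ev.utc.strftime("%Y-%m-%dT%H:%M:%SZ"), ev.host, ev.message)
```

Sorting on the raw local timestamps places the database query before the upload that caused it, and even after zone conversion web01's 90-second clock error still inverts the two events; only the corrected UTC timeline shows upload, query, outbound mail in that order.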

Metadata

On its own, digital evidence content presents a number of challenges because it lacks situational awareness. However, when combined with a supplemental layer of information, or “data about data,” investigators can gain a better understanding of the digital evidence. Examples include structural metadata (used to describe the arrangement of information) and guide metadata (used to assist with locating information). Because that metadata is also electronically stored information (ESI), the same digital evidence management requirements must be applied to ensure its authenticity and integrity are maintained.
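One way to hold metadata to the same integrity requirement as the content it describes, as an added example that is not from the article: content and metadata are hashed separately and both hashes are authenticated together, so editing either one is detected. The custodian key, file, metadata fields and tampering scenarios are constructed, and the HMAC stands in for whatever signature the evidence management system uses.

```python
# Added example (not from the article): authenticate evidence metadata together
# with its content so that altering either one is detected. Key, file and
# metadata values are constructed; the HMAC stands in for a real signature.
import copy
import hashlib
import hmac
import json

KEY = b"constructed-custodian-key-not-for-real-use"  # real key: HSM/KMS, not code
def canonical(obj) -> bytes:
    """Deterministic JSON so equal metadata always hashes to equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _tag(entry: dict, key: bytes) -> str:
    # HMAC over the name and both hashes binds the content to its metadata.
    signed = {k: entry[k] for k in ("name", "content_sha256", "metadata_sha256")}
    return hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()

def make_entry(name: str, content: bytes, metadata: dict, key: bytes) -> dict:
    entry = {"name": name, "metadata": metadata,
             "content_sha256": hashlib.sha256(content).hexdigest(),
             "metadata_sha256": hashlib.sha256(canonical(metadata)).hexdigest()}
    entry["entry_hmac"] = _tag(entry, key)
    return entry

def verify_entry(entry: dict, content: bytes, key: bytes) -> list:
    """Return the names of the checks that fail; an empty list means intact."""
    failures = []
    if hashlib.sha256(content).hexdigest() != entry["content_sha256"]:
        failures.append("content")
    if hashlib.sha256(canonical(entry["metadata"])).hexdigest() != entry["metadata_sha256"]:
        failures.append("metadata")
    if not hmac.compare_digest(_tag(entry, key), entry["entry_hmac"]):
        failures.append("entry_hmac")
    return failures

# Constructed evidence item: an exported message file plus guide/structural metadata.
CONTENT = b"From: hr@example.test\nSubject: payroll export\n\n(body)\n"
METADATA = {"source_host": "mail01", "collected_utc": "2016-01-11T15:30:55Z",
            "acquired_by": "analyst-1", "original_path": "/var/mail/export.eml",
            "structural": {"format": "rfc822", "size": len(CONTENT)}}

def demo() -> list:
    """Scenarios: intact; metadata edited; metadata edited and rehashed without the key; content edited."""
    entry = make_entry("export.eml", CONTENT, METADATA, KEY)
    edited = copy.deepcopy(entry)
    edited["metadata"]["collected_utc"] = "2016-01-12T09:00:00Z"
    rehashed = copy.deepcopy(edited)
    rehashed["metadata_sha256"] = hashlib.sha256(canonical(rehashed["metadata"])).hexdigest()
    return [verify_entry(entry, CONTENT, KEY), verify_entry(edited, CONTENT, KEY),
            verify_entry(rehashed, CONTENT, KEY), verify_entry(entry, CONTENT + b"\n", KEY)]
```

The third scenario is the one a plain hash manifest misses: someone who rewrites a collection timestamp can also recompute its hash, but cannot produce a valid tag without the custodian key.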

Cause and Effect

A common challenge with any digital forensic investigation is to determine the cause of an event because the effect can vary depending on the context of the event. The "Pareto Principle," also referred to as the "80/20 Rule," states that approximately 80 percent of all effects come from roughly 20 percent of the causes. Instead of trying to understand every cause-and-effect combination, referring back to the six business risk scenarios can reduce the scope of which cause-and-effect combinations need to be considered. By narrowing the scope down to the applicable risk scenarios, supplementary information can be identified and considered for collection.

Correlation and Association

The scope of a digital forensic investigation can be made up of several interconnected and distributed technologies where an event on one system can have a relationship to an event on other systems. Creating a linkage amongst the various technologies is critical when it comes to establishing a complete trail of evidence, so a more comprehensive picture of the incident can be compiled. Achieving a holistic view requires thinking in terms of gathering digital evidence in support of the entire trail of evidence, instead of as individual data sources that may or may not be useful during the investigation.

Corroboration and Redundancy

Generally, the goal of every forensic investigation is to use digital evidence as a means of providing credible answers to substantiate an event and/or incident. However an investigation is initiated, establishing credible facts can be challenging, because individual pieces of evidence on their own may not provide the necessary context. By aggregating different data sources, the strength of digital evidence collected will improve because it can be vetted across multiple data sources. Over time, continuing to gather data from multiple sources will provide a sufficient amount of digital evidence that can minimize the need for forensic analysis of systems.

Storage Duration

Retention of ESI, regardless of whether it is preserved as digital evidence, has unique requirements for the length of time for which it has to be preserved, such as those defined by regulators or legal entities. Not only does preserving ESI support regulatory or legal requirements, but it also has evidentiary value and might need to be recalled to support one of the six business risk scenarios. Careful planning must be done to determine which type of electronic storage medium will be used, to ensure that the backup media chosen will not impact the authenticity and integrity of ESI.

Storage Infrastructure

Although advancements have been made in the processing and analysis of digital evidence, there remains an underlying issue of how to effectively manage the ever-increasing volumes of data that are gathered. Solutions such as an Enterprise Data Warehouse (EDW) can be easily adapted and scaled to support the growing volumes of ESI that need to be accessed in both real-time and near-real-time. When implementing any type of digital evidence storage solution, it is important that the solution adheres to the best practices for maintaining the integrity and authenticity of digital evidence, so as not to risk making the ESI inadmissible in a court of law.

Determining the meaningfulness, usefulness, and relevance of digital evidence requires additional layers of supplemental information to enhance its contextual awareness. By ensuring the factors discussed in this article are included when proactively gathering digital evidence, the significance of digital evidence can be better realized during a digital forensic investigation.

This article was sourced from the forthcoming book by Jason Sachowski, titled Implementing Digital Forensic Readiness: From Reactive To Proactive Process, available for pre-order at the Elsevier Store and other online retailers.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...
Comments
theb0x
User Rank: Ninja
1/15/2016 | 3:23:43 PM
Re: NTP Hacks Endangering Infrastructure
Both NTP and SNMP protocols have been and are still actively used in amplification attacks such as KoD packets. In NTPv4 and SNMPv4 there are no good technical means to counteract abuse of these protocols other than to disable them completely. 
jfrank16
User Rank: Apprentice
1/13/2016 | 9:00:26 AM
7 Criteria for Enriching Digital Evidence
I honestly find the article difficult to follow under the context of your theme. Criteria examples overlap content and lack depth to be useful. ESI is the major theme in your article but it represents 3 of your 7 criteria. Why not bundle it as one point. Don't get me wrong, there are good points regarding time sync, but you also forget the most important criteria is the forensic investigator her/himself.
cyberpink
User Rank: Strategist
1/12/2016 | 3:05:08 PM
NTP Hacks Endangering Infrastructure
Great article, but just a word of caution. I have recently been reading about the NTP hacks. A weakness in NTP, which is widely used to synchronize the clocks in servers across networks, can be exploited to take over the computer. CIO-Today has an article titled "Feds Warn of New NTP Hack Endangering Infrastructure".