1/11/2016
11:30 AM
Jason Sachowski
Commentary

7 Criteria For Enriching Digital Evidence

Context is the essential ingredient that is missing from many digital forensic investigations.

Digital forensic investigations are, for the most part, conducted in direct response to an incident. With a reactive approach like this, investigators are under great pressure to gather and process digital evidence before it has been modified or is no longer available.

There are practical and realistic scenarios where a more proactive approach to gathering digital evidence can ease tension during forensic/incident response activities. (See How ‘Digital Forensic Readiness’ Reduces Business Risk.) But what is often overlooked in these situations is the need to supplement the data content with relevant context.

Here are seven examples of criteria that can be used to enhance the relevance of digital evidence during a forensic investigation.

Time Synchronization

When it comes to analyzing digital evidence collected from different systems and/or devices, time synchronization is a major factor in establishing a chronology. Using Network Time Protocol (NTP) set to Greenwich Mean Time (GMT), with the time zones of each system configured locally, is the best practice for establishing consistent and verifiable timestamps to ensure digital evidence can be correlated, corroborated, and chronologically ordered during a forensic investigation.
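As an added illustration of the point above (this is example code, not from the article): each system keeps its clock in its own locally configured zone, and the analyst converts every record to UTC before ordering them. The source names, zone assignments and log records are constructed.

```python
# Added example, not from the article: build one UTC-ordered timeline from records
# that each system logged in its own locally configured time zone.
# Source names, zones and log records below are constructed for illustration.
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Each evidence source declares the zone its clock is configured for (assumption:
# this mapping is recorded at collection time, not guessed during analysis).
SOURCE_TZ = {
    "web01": "America/New_York",
    "db01": "Europe/London",
    "fw01": "UTC",
}

# Constructed records: (source, local timestamp exactly as logged, message).
RAW_EVENTS = [
    ("web01", "2016-01-11 06:30:05", "login admin from 203.0.113.5"),
    ("db01", "2016-01-11 11:30:20", "SELECT on customers by admin"),
    ("fw01", "2016-01-11 11:29:50", "ACCEPT 203.0.113.5 -> web01:443"),
    ("web01", "2016-01-11 06:31:40", "download export.csv by admin"),
]

def to_utc(source, local_ts, fmt="%Y-%m-%d %H:%M:%S"):
    """Attach the source's configured zone to a naive timestamp and convert to UTC.
    An unknown source raises KeyError instead of silently assuming a zone."""
    zone = ZoneInfo(SOURCE_TZ[source])
    naive = datetime.strptime(local_ts, fmt)
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)

def build_timeline(events):
    """Return (utc_datetime, source, message) tuples, oldest first."""
    timeline = [(to_utc(src, ts), src, msg) for src, ts, msg in events]
    timeline.sort(key=lambda e: e[0])
    return timeline

if __name__ == "__main__":
    for when, src, msg in build_timeline(RAW_EVENTS):
        print(when.isoformat(), src, msg)
```

Sorting the raw local strings would have placed the web01 records first; only after normalization does the firewall accept line correctly precede the login.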

Metadata

On its own, digital evidence content presents a number of challenges because it lacks situational awareness. However, when it is combined with a supplemental layer of information, or “data about data,” such as structural metadata (used to describe the arrangement of information) or guide metadata (used to assist with locating information), investigators can arrive at a better understanding of the digital evidence. Because that metadata is also electronically stored information (ESI), the same digital evidence management requirements apply to ensure that its authenticity and integrity are maintained.

Cause and Effect

A common challenge with any digital forensic investigation is to determine the cause of an event because the effect can vary depending on the context of the event. The "Pareto Principle," also referred to as the "80/20 Rule," states that approximately 80 percent of all effects come from roughly 20 percent of the causes. Instead of trying to understand every cause-and-effect combination, referring back to the six business risk scenarios can reduce the scope of which cause-and-effect combinations need to be considered. By narrowing the scope down to the applicable risk scenarios, supplementary information can be identified and considered for collection.

Correlation and Association

The scope of a digital forensic investigation can be made up of several interconnected and distributed technologies where an event on one system can have a relationship to an event on other systems. Creating a linkage amongst the various technologies is critical when it comes to establishing a complete trail of evidence, so a more comprehensive picture of the incident can be compiled. Achieving a holistic view requires thinking in terms of gathering digital evidence in support of the entire trail of evidence, instead of as individual data sources that may or may not be useful during the investigation.

Corroboration and Redundancy

Generally, the goal of every forensic investigation is to use digital evidence as a means of providing credible answers to substantiate an event and/or incident. However an investigation is initiated, establishing credible facts can be challenging, because individual pieces of evidence on their own may not provide the necessary context. By aggregating different data sources, the strength of digital evidence collected will improve because it can be vetted across multiple data sources. Over time, continuing to gather data from multiple sources will provide a sufficient amount of digital evidence that can minimize the need for forensic analysis of systems.
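The two sections above, linking events across systems and then checking how many independent sources back each link, as an added example that is not part of the article. The records, identifiers and the five-minute window are constructed assumptions.

```python
# Added example, not from the article: link UTC-normalized records from different
# systems that share an identifier, then count how many independent sources
# corroborate each linked trail. Records and identifiers are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed records: (utc time, source, {attribute: value}, message)
EVENTS = [
    (utc("2016-01-11T11:29:50"), "fw01", {"ip": "203.0.113.5"}, "ACCEPT -> web01:443"),
    (utc("2016-01-11T11:30:05"), "web01", {"ip": "203.0.113.5", "user": "admin"}, "login"),
    (utc("2016-01-11T11:30:20"), "db01", {"user": "admin"}, "SELECT on customers"),
    (utc("2016-01-11T11:31:40"), "web01", {"user": "admin"}, "download export.csv"),
    (utc("2016-01-11T15:00:00"), "fw01", {"ip": "203.0.113.5"}, "ACCEPT -> web01:443"),
]

def link_events(events, window=timedelta(minutes=5)):
    """Union-find over events: two records are linked when they share an attribute
    value and occur within `window` of each other. Links are transitive, so the
    firewall's IP record reaches the database's user record via the web login,
    which carries both attributes. Returns clusters ordered by first event."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(events)):
        for j in range(i + 1, len(events)):
            ti, _, attrs_i, _ = events[i]
            tj, _, attrs_j, _ = events[j]
            shared = any(attrs_i.get(k) == v for k, v in attrs_j.items())
            if shared and abs(ti - tj) <= window:
                parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    clusters = [sorted(g, key=lambda e: e[0]) for g in groups.values()]
    return sorted(clusters, key=lambda c: c[0][0])

def corroboration(cluster):
    """Number of independent sources contributing to one linked trail."""
    return len({src for _, src, _, _ in cluster})

if __name__ == "__main__":
    for trail in link_events(EVENTS):
        print(f"{corroboration(trail)} source(s):", [e[3] for e in trail])
```

The afternoon firewall record shares the IP but falls outside the window, so it forms a trail of its own with a single source, which is exactly the kind of isolated, uncorroborated item the text warns is hard to build facts on.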

Storage Duration

Retention of ESI, regardless of whether it is preserved as digital evidence, has unique requirements for the length of time for which it has to be preserved, such as those defined by regulators or legal entities. Not only does preserving ESI support regulatory or legal requirements, but it also has evidentiary value and might need to be recalled to support one of the six business risk scenarios. Careful planning must be done to determine which type of electronic storage medium will be used, to ensure that the backup media chosen will not impact the authenticity and integrity of ESI.

Storage Infrastructure

Although advancements have been made in the processing and analysis of digital evidence, there remains an underlying issue of how to effectively manage the ever-increasing volumes of data that are gathered. Solutions such as an Enterprise Data Warehouse (EDW) can be easily adapted and scaled to support the growing volumes of ESI that need to be accessed in both real time and near-real time. When implementing any type of digital evidence storage solution, it is important that the solution adheres to the best practices for maintaining the integrity and authenticity of digital evidence, so as not to risk making the ESI inadmissible in a court of law.
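One concrete way to honour the integrity requirement that the Metadata section and the two storage sections both raise, as an added example that is not the article's own: seal each stored item's content hash together with its metadata, so that altering either one is caught at verification time. The entry layout, metadata fields and sample log line are constructed assumptions.

```python
# Added example, not from the article: a manifest entry that seals both the
# evidence content and its descriptive metadata, so a change to either is
# detected on verification. Item bytes, metadata fields and names are constructed.
import hashlib
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(record: dict) -> bytes:
    """Stable serialization so identical metadata always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def make_entry(name, content, metadata):
    """Record the content hash alongside the metadata, then seal the whole entry."""
    entry = {"name": name, "content_sha256": sha256(content), "metadata": metadata}
    entry["entry_sha256"] = sha256(canonical(entry))
    return entry

def verify_entry(entry, content):
    """Return a list of problems; an empty list means content and metadata are intact."""
    problems = []
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    if sha256(canonical(body)) != entry["entry_sha256"]:
        problems.append("metadata or recorded hash altered")
    if sha256(content) != entry["content_sha256"]:
        problems.append("content altered")
    return problems

# Constructed evidence item: one collected log line plus its collection metadata.
LOG = b"2016-01-11T11:30:05Z web01 login admin from 203.0.113.5\n"
META = {
    "source": "web01",
    "source_tz": "America/New_York",
    "collected_utc": "2016-01-11T12:00:00Z",
    "collector": "jdoe",
}

if __name__ == "__main__":
    entry = make_entry("web01-auth.log", LOG, META)
    print(verify_entry(entry, LOG))
    altered = dict(entry, metadata=dict(META, collector="unknown"))
    print(verify_entry(altered, LOG))
```

The entry hash only proves anything if it is itself kept out of reach of whoever could modify the store (a signed manifest or write-once medium); otherwise an entry can simply be re-sealed after editing.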

Determining the meaningfulness, usefulness, and relevance of digital evidence requires additional layers of supplemental information to enhance its contextual awareness. By ensuring the factors discussed in this article are included when proactively gathering digital evidence, the significance of digital evidence can be better realized during a digital forensic investigation.

This article was sourced from the forthcoming book by Jason Sachowski, titled Implementing Digital Forensic Readiness: From Reactive To Proactive Process, available for pre-order at the Elsevier Store and other online retailers.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...
Comments
theb0x,
User Rank: Ninja
1/15/2016 | 3:23:43 PM
Re: NTP Hacks Endangering Infrastructure
Both NTP and SNMP protocols have been and are still actively used in amplification attacks such as KoD packets. In NTPv4 and SNMPv4 there are no good technical means to counteract abuse of these protocols other than to disable them completely. 
jfrank16,
User Rank: Apprentice
1/13/2016 | 9:00:26 AM
7 Criteria for Enriching Digital Evidence
I honestly find the article difficult to follow under the context of your theme. Criteria examples overlap content and lack depth to be useful. ESI is the major theme in your article but it represents 3 of your 7 criteria. Why not bundle it as one point? Don't get me wrong, there are good points regarding time sync, but you also forget the most important criterion is the forensic investigator her/himself.
cyberpink,
User Rank: Strategist
1/12/2016 | 3:05:08 PM
NTP Hacks Endangering Infrastructure
Great article, but just a word of caution. I have recently been reading about the NTP hacks. A weakness in NTP, which is widely used to synchronize the clocks in servers across networks, can be exploited to take over the computer. CIO-Today has an article titled "Feds Warn of New NTP Hack Endangering Infrastructure".