Document: Chapter 20 – Forensics (ppt)


Document information

Security+ All-In-One Edition, Chapter 20: Forensics. Brian E. Brzezicki

[...]

... Hackers can hide data in the slack space to avoid detection.

Chapter 20 Review Questions
Q: What is the concept of best evidence?
Q: When you want to do forensics on a computer, you should make a copy of the hard drive. What type of copy should you make?
Q: What is the MINIMUM number of copies you should make of the original hard drive?

Chapter 20 Review Questions
Q: Put these steps of analysis in the correct ...

... evidence should be maintained
• There should be a witness to verify evidence collection

Evidence Protection
• You must protect the evidence physically from damage and tampering: heat/cold, vibration, magnetic fields. If a device can receive electronic signals, shield the device.

Transporting evidence
• Log all times someone removes evidence
• Be careful when transporting

Storing Evidence ...

... Terms
When a user deletes a file, it's not actually removed (unless using a highly secure OS). Some important terms relating to this are:
• Free space: the space a file takes up that is still available after deletion (before something else uses it)
• Slack space: when file space is allocated, it is done in fixed-sized blocks. A file will not actually use all this space. The unused area of a file even when ...

... the tools on the computer in question, you should use a clean "forensics station" to analyze the hard drives (why?)
• You should always record the checksums of all the files on the computer before analysis (do example). See related next slide (Tripwire).

Tripwire screen shot

Evidence Collection
• Evidence should be marked when collected: investigator, case number, date, time, location, description ...

... Provide controls against tampering while in storage

Conducting the investigation
• Have a formal procedure beforehand!
• Have a professional do the analysis
• Take pictures beforehand
• Use a forensics station or a live CD for analysis (what is a live CD?)
• Image the hard drives multiple times with a bit-level method; work only on a copy
• Label the hard drive and store it in an anti-static bag
• Before doing ...
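The slide's advice to record the checksums of all files before analysis (the Tripwire idea) can be shown with a small added example. This is not the course's code and not Tripwire: it builds a SHA-256 baseline of a directory tree, takes a second pass later, and reports which files were modified, added or removed. The directory layout and file contents are constructed for the demo.

```python
"""Added example: a Tripwire-style file-integrity baseline.

Not the course's or Tripwire's code; the files hashed below are constructed
in a temporary directory purely for demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in fixed-size chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record file content, not symlink targets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baselines(before, after):
    """Report what changed between two baselines: modified, added and removed paths."""
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a small tree, change it, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("case 0001 evidence notes\n")

        before = build_baseline(root)  # the checksums recorded before analysis

        # Constructed changes after the baseline was taken: one file edited,
        # one removed, one new file created.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to read-only media and kept with the evidence log, so that a later comparison can show the examined copy is unchanged since collection.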

Posted: 17/02/2014, 08:20

Table of contents

  • Security+ All-In-One Edition Chapter 20 – Forensics
