So far, the evidence that has been analyzed has focused on those elements that are obtained from the network or the system's memory. Even though incident root cause may be ferreted out from these evidence sources, it is also important to understand how to obtain evidentiary material from a system's storage, whether that is removable storage such as USB devices or the larger connected disk drives. In these containers is a good deal of data that may be leveraged by incident response analysts in determining root cause. It should be noted that this chapter will only be able to scratch the surface, as entire volumes have been devoted to the depth of forensic evidence available. Rather, it is hoped that this chapter provides some concrete areas of focus with the understanding that analysts will gain a better sense of some of the tools that can be employed, as well as an understanding of some of the critical data that can be leveraged.
You're reading from Digital Forensics and Incident Response
Over the past 15 years, there has been an increase in the power of disk forensic platforms. For the incident response analyst, there are options as to what type of platform can be leveraged for conducting an examination of the disk drives. Often, the limiting factor in utilizing these platforms is the cost of more robust systems, when a lower cost alternative will be just as effective for an incident response team.
There are several factors that should be addressed when examining software for disk analysis. First, has the platform been tested? There are several organizations that test platforms for efficacy, such as the National Institute of Standards and Technology Computer Forensic Tools Testing Program (https://www.cftt.nist.gov/). Second is an examination of the tool's use in criminal and civil proceedings. There is no single court- accepted standard but tools should conform to the rules of evidence. The use of a platform that has not been tested or does not conform...
In many ways, this chapter just scratches the surface of what information can be found by leveraging disk forensic tools. Specific tools and techniques are largely dependent on the tool utilized. What is important to understand is that modern operating systems leave traces of their activity all over the disk, from file change evidence in the Master File Table to registry key settings when new user accounts are added.Incident response analysts should have expertise in understanding how modern operating systems store data and how to leverage commercial or freeware tools to find this data. Taken in concert with other pieces of evidence obtained from network sources and in memory, disk evidence may provide more clarity on an incident and aid in determining its root cause. One critical piece that is addressed in the next chapter is how analysts need to record and report their findings. The previous chapters have discussed a good deal of technical work that unless it is documented will...