Incident response and computer network forensics are both important areas for the cyber security professional to understand. USD CSOL590 covered both of these topics. We explored them holistically, ranging from the roles and responsibilities in incident response to conducting forensic analysis and meeting chain of custody requirements. A sample forensic report based on the fictitious M57.biz is included here.
Chain of custody was particularly interesting for me, as without it good forensic work can be wasted. Some of my key take-aways about chain of custody are as follows. Chain of custody in cyber forensics is, in essence, the process by which digital evidence is collected, tracked, and protected. Chain of custody is important to ensure that the integrity of the evidence is maintained. If there are questions or doubts about its authenticity, the evidence could be challenged and ruled inadmissible in a court of law (Infosec). When collecting digital evidence, there are some considerations that can help ensure the evidence is properly preserved. The Infosec Institute offers some good tips (Infosec):
- Examination of the evidence should not be performed on the original evidence. Investigators should work only with copies to ensure that the original is not tampered with.
- Use clean media for collecting evidence. The concern here is that media that has already been used for other purposes could be infected with malware, posing a threat to or damaging the collected evidence.
- Consider the collection environment carefully. There could be limited access to the collection site, so it is important to document as much as possible, including interviewing persons on site (e.g. sys admins), noting the number and types of machines present, identifying any connected or off-site storage, and documenting any proprietary software.
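The first tip (examine a copy, never the original) and the integrity requirement above come down to two verifiable steps: prove the working copy is bit-identical to the original, and keep a custody record that reveals any later alteration. The script below is an added example written for this post, not code from the course or from Infosec; the evidence file, handler names and log format are constructed for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks: a large image need not fit in memory
            h.update(chunk)
    return h.hexdigest()
def acquire_copy(original: Path, copy: Path) -> str:
    """Create the working copy and prove it is bit-identical before anyone examines it."""
    shutil.copyfile(original, copy)
    digest = sha256_of(original)
    if sha256_of(copy) != digest:
        raise ValueError("working copy does not match original; re-acquire")
    return digest
def entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
def log_custody(log: Path, item: str, action: str, handler: str, digest: str) -> dict:
    """Append an entry chained to the previous one, so a later edit to the record shows."""
    entries = json.loads(log.read_text()) if log.exists() else []
    entry = {"item": item, "action": action, "handler": handler, "sha256": digest,
             "timestamp": datetime.now(timezone.utc).isoformat(),
             "prev": entries[-1]["entry_hash"] if entries else "0" * 64}
    entry["entry_hash"] = entry_hash(entry)
    log.write_text(json.dumps(entries + [entry], indent=2))
    return entry
def verify_log(log: Path) -> bool:
    """Recompute every entry hash and check each link; False means the record was altered."""
    prev = "0" * 64
    for e in json.loads(log.read_text()):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body["prev"] != prev or entry_hash(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True
def demo(workdir: str = "") -> dict:
    """Acquire a constructed (not real) evidence file, log two handlers, then alter the log."""
    work = Path(workdir or tempfile.mkdtemp())
    original, copy, log = work / "evidence.img", work / "working.img", work / "custody.json"
    original.write_bytes(b"constructed sample image bytes\n" * 2000)  # constructed sample, not evidence
    digest = acquire_copy(original, copy)
    log_custody(log, "evidence.img", "acquired working copy", "analyst A", digest)  # hypothetical handlers
    log_custody(log, "working.img", "examined", "analyst B", sha256_of(copy))
    intact, entries = verify_log(log), json.loads(log.read_text())
    entries[0]["handler"] = "someone else"  # an after-the-fact edit to the record
    log.write_text(json.dumps(entries))
    return {"copy_matches": sha256_of(copy) == digest, "intact": intact, "edited_intact": verify_log(log)}
```

Running `demo()` shows the working copy matching the original and the log verifying until one field is changed, after which verification fails; in practice the hashes would be recorded on the physical evidence form as well.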
References:
Infosec (undated). Computer Forensics: Chain of Custody. https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/legal-and-ethical-principles/chain-of-custody-in-computer-forensics/#gref