Ryan_Gillard_ITDI_375_Unit2

School

American InterContinental University


Course

375

Subject

Information Systems

Date

Dec 6, 2023

Type

docx

Pages

3

Uploaded by ryangillard155

Title: Memorandum
To: Chief Technology Officer
Subject: Digital Forensics Investigation
Date: 06/29/21

1. Volatility of evidence describes how quickly data on a system changes or disappears: the most volatile evidence is the most temporary and the easiest to alter or lose, so it must be collected first. The most volatile data is not on the hard drive at all but in the CPU, the kernel, and RAM, which is why a powered-on system is handled differently from a powered-off one. There are seven categories of data that forensic examiners must collect, ordered from most volatile to least volatile: “registers/cache, routing table/ ARP cache/ process table/ kernel statistics/ memory, temporary file systems, disk, remote logging, and monitoring data that is relevant to the system in question, physical configuration/ network topology, and archival media” (Order of Volatility, 2016).

Registers and cache change with every instruction the CPU executes, so they must be captured first; any delay loses them. The routing table and ARP cache, whether read from the system itself or from the network devices around it, change as connections are made and aged out, so they are collected next and quickly. The process table and kernel statistics are maintained in kernel memory and are updated continuously, so they are collected at the same stage. Random access memory (RAM) belongs in this stage as well because its contents vanish on a loss of power or a power surge. Temporary file systems persist until the system is rebooted or cleaned up, so they are collected next with less urgency. Disk contents survive a reboot, and the chance of someone altering them unnoticed is lower than for the data above, but they still change while the system runs (logs rotate, deleted files are overwritten), so the disk is imaged before moving on to sources outside the system. Remote logging and monitoring data is held on other systems, so it survives whatever happens to the system under investigation and therefore ranks below disk; it is still subject to retention limits and log rotation, so it is requested promptly. Physical configuration, network topology, and archival media are the least volatile because they sit outside the system in question and do not change on their own; they are documented to give context to the other evidence rather than as the primary evidence in a case.

2. Steps to be taken to perform the collection: determine whether the device is on or off; record the model number, serial number, and passcodes; take pictures of the system and the surrounding area; start a chain of custody document; check for removable media; package the system and its components in anti-static bags; and deliver them to a forensic lab. Determining whether the device is on means looking for lights, sounds, vibrations, and heat, wiggling the mouse on laptops and desktops, and pressing the home button or swiping the screen on phones and tablets. If the device is off, it must not be powered on under any circumstances, because booting it alters data that could be used in the investigation. If the device is on, the examiner must establish whether it is locked, whether the user interface is accessible, whether the device is encrypted and the passcode is known, and whether the battery is charged. If a smartphone, laptop, or tablet is on, turn on airplane mode so that it is isolated from the network, and then record the serial number, the model number, and the passcodes (if applicable). Take pictures of the device and the surrounding area to provide a photographic record of the scene, and start the chain of custody document at this point. If the device must be shut down, do so properly once any volatile data that is needed has been captured; if destructive software is suspected, turn the device off immediately by pulling the plug. Check for any removable media that can be used in the investigation, such as CDs/DVDs, SD cards, and flash drives, and for items such as sticky notes that may hold passwords. Once the device is off, the device and all of its components must be placed in appropriately labelled anti-static bags or boxes and taken to the forensics lab for further analysis.

3. The procedure must follow the policy or guideline that the company or investigation team has adopted so that the investigation can “hold up in court” (Digital Forensics Guidelines, Policies, and Procedures, n.d.). The procedure or guideline must be written clearly and concisely and followed exactly; otherwise the evidence may not hold up in court. Tool access should not be the same at all levels: for example, help desk personnel should not have the same level of access to monitoring and forensic tools as network administrators and forensic experts. The forensic technician must make sure that the paperwork is accurate and detailed so that, if the evidence does go to court, it cannot be thrown out for improper documentation.
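Added example, not part of the memo or of either cited source: a small Python evidence manifest that enforces the order of volatility from point 1 at acquisition time, fingerprints each artifact with SHA-256 for the chain of custody document from point 2, and records every handover so that the paperwork demanded in point 3 is generated rather than transcribed by hand. The class and function names (Manifest, acquire, transfer, verify, demo) are hypothetical, and the sample artifacts in demo() are constructed byte strings, not real captures.

```python
# Added example: evidence manifest with order-of-volatility checks and a
# chain-of-custody log. Names are hypothetical; sample data is constructed.
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# RFC 3227 order of volatility, most volatile first; rank 0 is collected first.
VOLATILITY_ORDER = [
    "registers/cache",
    "routing table/ARP cache/process table/kernel statistics/memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data",
    "physical configuration/network topology",
    "archival media",
]


def volatility_rank(category):
    """Position of a category in the order of volatility (0 = most volatile)."""
    return VOLATILITY_ORDER.index(category)


def _utc_now():
    """Timestamp for the custody log; always UTC so entries from different sites compare."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceRecord:
    item_id: str
    category: str
    description: str
    sha256: str                      # fingerprint taken at acquisition
    size: int
    collected_at: str
    custody: list = field(default_factory=list)   # chronological handover log


class Manifest:
    """Evidence manifest for one case: enforces volatility order, hashes, logs custody."""

    def __init__(self, case_id, collector):
        self.case_id = case_id
        self.collector = collector
        self.records = {}            # item_id -> EvidenceRecord, in acquisition order

    def acquire(self, item_id, category, description, data):
        """Record one artifact (bytes). Refuse anything more volatile than something
        already collected: by now it may already have changed, and the order must show
        in the paperwork."""
        rank = volatility_rank(category)
        least_volatile_so_far = max(
            (volatility_rank(r.category) for r in self.records.values()), default=-1)
        if rank < least_volatile_so_far:
            raise ValueError(f"{category!r} must be collected before "
                             f"{VOLATILITY_ORDER[least_volatile_so_far]!r}")
        record = EvidenceRecord(
            item_id=item_id,
            category=category,
            description=description,
            sha256=hashlib.sha256(data).hexdigest(),
            size=len(data),
            collected_at=_utc_now(),
            custody=[{"holder": self.collector, "at": _utc_now(), "note": "acquired"}],
        )
        self.records[item_id] = record
        return record

    def transfer(self, item_id, to_holder, note):
        """Append a handover to the custody log; the previous holder is the last entry."""
        record = self.records[item_id]
        record.custody.append({"from": record.custody[-1]["holder"], "holder": to_holder,
                               "at": _utc_now(), "note": note})

    def verify(self, item_id, data):
        """True only if the bytes presented now match the fingerprint taken at acquisition."""
        return hashlib.sha256(data).hexdigest() == self.records[item_id].sha256

    def to_json(self):
        """The chain of custody document, ready to print and sign."""
        return json.dumps({"case_id": self.case_id,
                           "items": [asdict(r) for r in self.records.values()]}, indent=2)


def demo():
    """Walk a constructed collection in the correct order and return the manifest."""
    m = Manifest("CASE-0001", "on-site examiner")
    # Constructed samples, not real captures.
    m.acquire("E1", VOLATILITY_ORDER[1], "ARP cache dump",
              b"192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE\n")
    m.acquire("E2", "temporary file systems", "/tmp listing", b"/tmp/session.lock\n")
    m.acquire("E3", "disk", "disk image, first sector", b"\x00" * 512)
    m.transfer("E3", "forensic lab intake", "sealed in labelled anti-static bag")
    return m


if __name__ == "__main__":
    print(demo().to_json())
```

Running the script prints the manifest as JSON. The volatility check is deliberately strict: an examiner who has already imaged the disk and then asks to record a memory capture gets a ValueError, because the memory on a running system has changed since the disk image was taken and the manifest should not suggest otherwise. verify() is what the lab runs on intake, comparing the bytes it received against the hash recorded at the scene.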
References:
Digital Forensics Guidelines, Policies, and Procedures. USA Learning. (n.d.). https://fedvte.usalearning.gov/courses/CSI/course/videos/pdf/CSI_D01_S01_T04_STEP.pdf
Order of Volatility. Computer Forensics Recruiter. (2016, June 29). https://www.computer-forensics-recruiter.com/order-of-volatility/