登录查看更多内容

What are the most effective ways to collect digital evidence from a network?

由人工智能和领英社区提供技术支持

Digital evidence is any data that can be used to prove or disprove a fact in a legal or forensic investigation. It can include emails, chat logs, web browsing history, files, logs, network traffic, and more. Collecting digital evidence from a network requires careful planning, execution, and documentation to ensure its integrity, authenticity, and admissibility. Here are some of the most effective ways to collect digital evidence from a network.

本文章的要点总结

Define your investigation's boundaries:

Identifying the scope involves determining sources, types, and locations of evidence. This ensures legal and ethical compliance while minimizing network disruptions.### *Utilize passive data collection methods:Employing high-fidelity network taps or port mirroring helps capture network data without deploying agents. This method is especially useful in ICS/OT environments to collect telemetry passively.

本摘要由 AI 和以下专家提供支持

1 Identify the scope

Before you start collecting digital evidence from a network, you need to identify the scope of your investigation. This means defining the sources, types, and locations of the evidence you are looking for, as well as the legal and ethical boundaries you have to follow. You also need to consider the potential impact of your actions on the network performance, security, and privacy. You should consult with the network administrator, the legal team, and the stakeholders to establish the scope and the objectives of your evidence collection.

添加您的观点

A.F.M.Shakhawat Ullah

|Technology & IT Leadership |Cyber Security |Strategy & Transformation | Project Management | CISSP | CCSP | PMP |CSM | ACBA|
举报内容
Collecting digital evidence should be attempted only by professional forensic technicians. The IOCE outlines following principles to guide digital evidence technicians as they perform media analysis, network analysis, software analysis and hardware/embedded system analysis in the pursuit of forensically recovered evidence: - Only a trained person should access original digital evidence. -Upon seizing digital evidence, actions taken should not change that evidence. -All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. -An individual is responsible for all actions taken while the digital evidence is in their possession.

已翻译

赞
Giuseppe Antonio Triolo

CSA Certified SOC Analyst, Cisco ASA and Check Point firewalls knowledge especially in log analysis for SOC Analyst use cases.
举报内容
Absolutely define the scope is the first step to collect network evidence from a network, define how deep you want to go in your network analysis, choose the right tools to start packet inspection, install, configure and create custom rules in an IDS and finally search index of compromise or any other suspect behavior.

已翻译

赞

2 Prepare the tools

In order to collect digital evidence from a network, you need reliable, validated, and compatible tools. Having backup tools is also important in case of failure or incompatibility. Network forensic software such as Wireshark, tcpdump, FTK Imager, and EnCase can capture, analyze, and preserve network traffic and data. Write blockers are essential to prevent any changes to the data on a storage device and avoid contamination or tampering. You should also have storage media with enough capacity, speed, and security to handle the data. Examples of storage media are external hard drives, flash drives, and optical discs. Documentation tools like digital cameras, audio recorders, notebooks, and forms can help document every step of your evidence collection process.

添加您的观点

Mika D.

Advising Security at Scale with Google | Black Hat Review Board, US & Asia
举报内容
To zoom in on "network" data including L2-3 data; a high-fidelity network tap or port mirroring in environments where you cannot deploy agents or copy over serial/wired connection is a forensically sound way to duplicate network data. ICS/OT environments in particular require a passive way to collect network telemetry

已翻译

赞

3 Follow the best practices

When you collect digital evidence from a network, it's important to follow the best practices of digital forensics. This includes tracking and documenting who handled the evidence, when, where, how, and why in order to maintain the chain of custody and prove its authenticity. Additionally, you should use hashing to verify the integrity and consistency of the evidence and detect any changes or alterations. Live analysis is not recommended as it can alter or destroy the evidence or trigger malicious code. Therefore, it's preferable to make copies or images of the evidence and analyze them on a separate system to avoid affecting the original source.

添加您的观点

Adolfo Grego

CTO / CISO
举报内容
Best practices sure are important but keep in mind that every environment is different and presents multiple challenges. For example: How will you deal with encrypted traffic? Do you have keys to decrypt the traffic ? Are you in the correct segment where you expect the traffic to flow through? Make sure that the equipment that will be dumping the traffic is fast enough to avoid dropping packets!

已翻译

赞

4 Analyze the evidence

After you collect the evidence from the network, you need to analyze it to find the relevant information and answer the questions of your investigation. You should use the tools and techniques that are appropriate for the type and format of the evidence you have. For example, you can use network forensic software to filter, sort, and search the network traffic and data, or you can use file carving to recover deleted or hidden files. You should also document your analysis process and results and report any findings or anomalies.

添加您的观点

5 Report the findings

The final step of collecting digital evidence from a network is to report your findings to the relevant parties. You should prepare a clear, concise, and accurate report that summarizes your evidence collection and analysis process, methods, tools, and results. You should also include any recommendations, conclusions, or opinions based on your findings. You should present your report in a format and language that is suitable for your audience and follow any legal or professional standards or guidelines.

添加您的观点

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

N. Erim ?nceo?lu

General M. / Software D. Manager
举报内容
In order to collect all the facts of what is happening on a computer, including network traffic, you need to retrieve all HDD data, including the data in the temporary memory and the data in the cache memories, without ever turning off the computer. For this evidence collection process, without turning off the computer, all data on RAM, temporary memory, and cache memory must be saved as an image in another digital storage using a tool.

已翻译

赞

IT Services

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

What are the most effective ways to collect digital evidence from a network?

1

2

3

4

5

6

1 Identify the scope

2 Prepare the tools

3 Follow the best practices

4 Analyze the evidence

5 Report the findings

6 Here’s what else to consider

IT Services

给文章评分

感谢您的反馈

更多IT Services相关文章

更多相关阅读内容