If you’re planning to take the SY0-501 version or SY0-601 version of the Security+ exam, you should understand the basic concepts of digital forensics. This includes understanding the order of volatility in collecting information after an incident.
For example, can you answer this question?
Q. You are reviewing incident response procedures related to the order of volatility. Which of the following is the LEAST volatile?
A. Hard disk drive
B. Memory
C. RAID-10 cache
D. CPU cache
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Forensic Evaluation
A forensic evaluation helps the organization collect and analyze data as evidence it can use in the prosecution of a crime. In general, forensic evaluations proceed with the assumption that the data collected will be used as evidence in court. Because of this, forensic practices protect evidence to prevent modification and control evidence after collecting it.
Once the incident has been contained or isolated, the next step is a forensic evaluation. What do you think of when you hear forensics? Many people think about the TV program CSI (short for “crime scene investigation”) and all of its spin-offs. These shows demonstrate the phenomenal capabilities of science in crime investigations.
Computer forensics analyzes evidence from computers to determine details on computer incidents, similar to how CSI personnel analyze evidence from crime scenes. It uses a variety of different tools to gather and analyze computer evidence. Computer forensics is a growing field, and many educational institutions offer specialized degrees around the science. Although you might not be the computer forensics expert analyzing the evidence, you should know about some of the basic concepts related to gathering and preserving the evidence.
Forensic experts use a variety of forensic procedures to collect and protect data after an attack. A key part of this process is preserving the evidence during the data acquisition phase. In other words, they ensure that they don’t modify the data as they collect it, and they protect it after collection. A rookie cop wouldn’t walk through a pool of blood at a crime scene, at least not more than once. Similarly, employees shouldn’t access systems that have been attacked or power them down.
For example, files have properties that show when they were last accessed. However, in many situations, accessing the file modifies this property. If the file is evidence, then accessing it has modified the evidence. This can prevent an investigation from identifying when an attacker accessed the file. Additionally, data in a system’s memory includes valuable evidence, but turning a system off deletes this data. In general, an incident response team does not attempt to analyze evidence until they have taken the time to collect and protect it.
Forensic experts have specialized tools they can use to capture data. For example, many experts use EnCase Forensic by Guidance Software or Forensic Toolkit (FTK) by AccessData. These tools can capture data from memory or disks. This includes documents, images, email, webmail, Internet artifacts, web history, chat sessions, compressed files, backup files, and encrypted files. They can also capture data from smartphones and tablets.

Order of Volatility
Order of volatility refers to the order in which you should collect evidence. Volatile doesn’t mean it’s explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.
For example, random access memory (RAM) is lost after powering down a computer. Because of this, it is important to realize you shouldn’t power a computer down if you suspect it has been involved in a security incident and might hold valuable evidence.
A processor can only work on data in RAM, so all the data in RAM indicates what the system was doing. This includes data users have been working on, system processes, network processes, application remnants, and much more. All of this can be valuable evidence in an investigation, but if a rookie technician turns the computer off, the evidence is lost.
Many forensic tools include the ability to capture volatile data. For example, Kali Linux includes the application Volatility (available in Applications > Forensics > Volatility) that can capture the contents of RAM. Once it’s captured, experts can analyze it and gain insight into what the computer and user were doing.
In contrast, data on a disk drive remains on the drive even after powering a system down. This includes any files and even low-level data such as the Master Boot Record on a drive. However, it’s important to protect the data on the disk before analyzing it, and a common method is by capturing an image of the disk.
The order of volatility from most volatile to least volatile is:
• Data in cache memory, including the processor cache and hard drive cache
• Data in RAM, including system and network processes
• A paging file (sometimes called a swap file) on the system disk drive
• Data stored on local disk drives
• Logs stored on remote systems
• Archive media
In case you don’t remember from your CompTIA A+ days, the page file is an extension of RAM and it is stored on the hard drive. However, the page file isn’t a typical file and it’s rebuilt when the system is rebooted, making it more volatile than other files stored on hard drives.
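The two ideas above, collecting in order of volatility and protecting disk evidence by imaging it and verifying the copy, can be put into a small script. The following is an added example written for this post, not a tool from the study guide; the volatility ranks mirror the list above, and the "disk" it images is a constructed temporary file standing in for a real drive.

```python
"""Added example: plan acquisition most-volatile-first, then image a disk
and prove the copy matches the source by hash (constructed demo data)."""
import hashlib
import os
import tempfile

# Ranks follow the order of volatility in the post: lower rank = collect first.
# "disk cache" covers drive/RAID controller caches, which sit with the CPU cache.
VOLATILITY_RANK = {
    "cpu cache": 0, "disk cache": 0,
    "ram": 1,
    "page file": 2,
    "local disk": 3,
    "remote logs": 4,
    "archive media": 5,
}


def collection_order(sources):
    """Return sources sorted most-volatile-first; refuse unknown sources
    rather than silently guessing where they belong in the plan."""
    unknown = [s for s in sources if s not in VOLATILITY_RANK]
    if unknown:
        raise ValueError(f"no volatility rank for: {unknown}")
    return sorted(sources, key=lambda s: VOLATILITY_RANK[s])


def image_disk(source_path, image_path, chunk_size=1 << 16):
    """Copy the source to an image file in chunks, hashing the source as it is
    read and the image after it is written. Returns (source_hash, image_hash);
    a mismatch means the image cannot be trusted as evidence. In a real
    acquisition the source sits behind a write blocker or read-only mount."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(chunk_size):
            src_hash.update(chunk)
            dst.write(chunk)
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        while chunk := img.read(chunk_size):
            img_hash.update(chunk)
    return src_hash.hexdigest(), img_hash.hexdigest()


def acquire_demo():
    """Constructed demo: a 200 KiB random 'disk' is imaged and verified."""
    with tempfile.TemporaryDirectory() as tmp:
        disk, image = os.path.join(tmp, "disk.bin"), os.path.join(tmp, "disk.dd")
        with open(disk, "wb") as f:
            f.write(os.urandom(200 * 1024))
        src_hash, img_hash = image_disk(disk, image)
        return src_hash == img_hash
```

Record the verified hash alongside the image; re-hashing later shows whether the evidence was altered after collection.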
Q. You are reviewing incident response procedures related to the order of volatility. Which of the following is the LEAST volatile?
A. Hard disk drive
B. Memory
C. RAID-10 cache
D. CPU cache
Answer is A. Data on a hard disk drive is the least volatile of those listed.
All other sources are some type of memory, which will be lost if a system is turned off.
This includes data in normal memory, a redundant array of inexpensive disks 10 (RAID-10) cache, and the central processing unit’s (CPU’s) cache.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide and CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on implementing policies to mitigate risks.