After a computer is broken into, the security team needs to gather clues. What is the special rule that says how they must keep every clue safe and untouched so everyone trusts it, and what exact way do they copy a computer's memory or hard drive to get all its secrets without changing the original?
The special rule that ensures clues are kept safe and untouched so everyone trusts them is called the Chain of Custody. The Chain of Custody is a chronological record that documents the seizure, custody, control, transfer, analysis, and disposition of evidence. It proves that the evidence has been handled properly and has not been tampered with, making it admissible in legal proceedings. Each person who handles the evidence must sign and date an official log, noting when and why they had possession of it. This meticulous documentation prevents any doubt about the integrity of the evidence.
To copy a computer's memory or hard drive without changing the original, a process called forensic imaging is used. This creates an exact bit-for-bit copy, also known as a forensic duplicate or clone, of the storage media. The original media is then set aside and not used in any further analysis. The most common method for creating a forensic image is by using a hardware write-blocker. A hardware write-blocker is a device that physically connects between the original storage device (like a hard drive) and the forensic workstation. It allows data to be read from the original drive but prevents any data from being written to it, thus preserving the original data's integrity. The imaging process copies every sector of the original drive, including deleted files, unallocated space, and slack space, into a forensic image file. This image file is typically stored in a format like E01 (EnCase Evidence File) or AFF (Advanced Forensics Format). During the imaging process, a cryptographic hash value, such as MD5 or SHA-256, is calculated for both the original drive and the created image. A hash value is a unique digital fingerprint generated from the data. If the hash values of the original drive and the forensic image match, it proves that the image is an exact, unaltered copy. The analysis of the computer's secrets is then performed on this forensic image, leaving the original evidence untouched and preserved.
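As an added illustration that is not part of the original answer, the Python below walks through the verification step just described: a sector-by-sector copy of a constructed in-memory "drive", independent SHA-256 digests of the original and of the image, and a chain-of-custody log entry for each action. The handler name, evidence id and sample drive contents are hypothetical.

```python
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512  # copy every sector: live files, deleted data, unallocated and slack space alike

def sha256_of(stream, sector_size=SECTOR):
    """Hash a stream one sector at a time, so a multi-GB device never sits in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(sector_size), b""):
        h.update(chunk)
    return h.hexdigest()

def acquire(source, image, sector_size=SECTOR):
    """Bit-for-bit copy of source into image. The original is only ever read and is
    hashed during that read; the image is then re-read and hashed independently."""
    src_hash = hashlib.sha256()
    for chunk in iter(lambda: source.read(sector_size), b""):
        src_hash.update(chunk)
        image.write(chunk)
    image.seek(0)
    return src_hash.hexdigest(), sha256_of(image)

def custody_entry(handler, action, evidence_id, sha256):
    """One chain-of-custody record: who did what to which item, when, and the hash."""
    return {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
            "action": action, "evidence": evidence_id, "sha256": sha256}

def run_acquisition(drive_bytes, handler="examiner-1", evidence_id="HDD-001"):
    """Image an in-memory 'drive', verify it, and return image, both hashes and the log."""
    src, img = io.BytesIO(drive_bytes), io.BytesIO()
    src_hash, img_hash = acquire(src, img)
    log = [custody_entry(handler, "acquired image", evidence_id, src_hash),
           custody_entry(handler, "verified image" if src_hash == img_hash
                         else "VERIFICATION FAILED", evidence_id, img_hash)]
    return img.getvalue(), src_hash, img_hash, log

def image_is_intact(image_bytes, recorded_hash):
    """Re-verification at any later custody transfer: compare against the logged hash."""
    return sha256_of(io.BytesIO(image_bytes)) == recorded_hash

# Constructed sample drive (hypothetical): a live file, a deleted-file remnant in
# unallocated space, and one sector of slack-space padding. Three 512-byte sectors.
SAMPLE_DRIVE = (b"FILE notes.txt: meeting at 10".ljust(SECTOR, b"\x00")
                + b"DELETED old.cfg: retired settings".ljust(SECTOR, b"\x00")
                + b"\xff" * SECTOR)

if __name__ == "__main__":
    image, src_hash, img_hash, log = run_acquisition(SAMPLE_DRIVE)
    print("hashes match:", src_hash == img_hash, log)
```

Flipping a single byte of the image after acquisition makes `image_is_intact` return False, which is exactly the tampering the matching hashes are meant to rule out.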