This article gives an overview of host-based evidence and then covers evidence volatility, acquisition types, collection procedures, and memory acquisition, one topic at a time.
Host-Based Evidence :
Host-based evidence is evidence found on the system itself. It includes the system date and time, the applications and processes currently running on the machine, and the data stored on its drives.
Preparation for Host-Based Evidence :
Preparation is the first step toward a good result. For evidence collection during incident response, analysts should have the necessary tools ready to gather information before an incident occurs. If an organization runs Microsoft operating systems, for example, the analyst needs tools that can acquire evidence from those systems; FTK Imager is one tool analysts commonly use. Before discussing acquisition types and collection procedures, it is important to understand evidence volatility.
Evidence Volatility :
Data on a system is of two types, volatile and non-volatile. Let's discuss them one by one.
- Volatile Data –
This is data that is lost when the system is powered off. Volatile data includes the contents of CPU registers and cache, RAM, the ARP cache, routing tables, active network connections, and the list of running processes. It must be captured first, before any action that could change it or cause it to be lost.
- Non-Volatile Data –
This is data that persists on storage such as a hard drive or SSD and survives a power-off. Non-volatile data includes Master File Table (MFT) entries, registry hives, log files, and user documents.
Evidence acquisition types :
How evidence is acquired depends on the type of incident and on any constraints of time and geography. The main acquisition types are as follows.
- Local –
Local acquisition is performed with direct physical access to the system.
- Remote –
Remote acquisition comes into play when the analyst is not physically present at the location where the system resides. The analyst uses an agent or remote-access tooling over a network connection to acquire the data, so available bandwidth and the reliability of the connection become practical constraints.
- Online –
Online (live) acquisition collects evidence from a running system, including its running memory (RAM). It is the only way to capture volatile data.
- Offline –
Offline acquisition is performed on the system's hard drive. The system is powered off, the drive is removed, and specialized tools (typically a hardware write blocker and an imaging tool) are used to acquire a bit-for-bit image of it. The drawbacks are that all volatile data is lost when the system is powered off, and that imaging a large drive is time-consuming.
Evidence Collection Procedures :
The following procedures preserve the integrity of the evidence and its chain of custody during acquisition.
- First, photograph the system as found, including what is on the screen if it is powered on.
- Leave the system in the state in which it was found: if it is on, leave it on, because a live system allows the running memory to be captured; if it is off, leave it off and collect the evidence from the hard drive. Never power a live system off before its volatile data has been captured.
- Photograph and record the system's make, model, serial number and other identifying details to support the chain of custody process.
- Once any live collection is complete, remove the hard drive from the system, package it in an anti-static bag to protect it from electrostatic damage, and seal and label the package with tamper-evident tape so that any later tampering is detectable.
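As an added example (not code from the original article), the Python below ties together the volatility discussion above and these collection steps: it gathers a few volatile artifacts in order of volatility from a Linux host's /proc filesystem, parses them, and records a chain-of-custody manifest with a SHA-256 digest, size, timestamp and collection order for each artifact, then re-verifies the manifest. The artifact list, the /proc paths, the manifest layout and the sample /proc contents are this example's own assumptions; the sample input is constructed so the example runs on any machine without reading /proc.

```python
"""Added example: a minimal live-response collector that gathers volatile
artifacts in order of volatility and records a chain-of-custody manifest.
Not from the original article; the artifact list, paths and manifest
layout are this example's own assumptions."""
import hashlib
import json
import socket
import struct
import time

# Order of volatility, most volatile first (assumption: a typical Linux host).
# Each entry: (artifact name, /proc path to read on a live system).
VOLATILE_SOURCES = [
    ("arp_cache", "/proc/net/arp"),
    ("tcp_connections", "/proc/net/tcp"),
    ("uptime", "/proc/uptime"),
]


def parse_proc_arp(text):
    """Parse /proc/net/arp into (ip, mac, device) tuples, skipping the header line."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            entries.append((fields[0], fields[3], fields[5]))
    return entries


def _hex_endpoint(value):
    """Convert the '0100007F:0016' form used by /proc/net/tcp to ('127.0.0.1', 22).
    IPv4 only: the kernel writes the address as a little-endian 32-bit integer."""
    hex_ip, hex_port = value.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_tcp(text):
    """Parse /proc/net/tcp into (local, remote, state) tuples; state 0A is LISTEN, 01 is ESTABLISHED."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            conns.append((_hex_endpoint(fields[1]), _hex_endpoint(fields[2]), fields[3]))
    return conns


def collect_live(sources=VOLATILE_SOURCES):
    """Read each source in volatility order; a missing file (non-Linux host) is recorded, not fatal."""
    artifacts = {}
    for name, path in sources:
        try:
            with open(path, "r") as fh:
                artifacts[name] = fh.read()
        except OSError as exc:
            artifacts[name] = "UNAVAILABLE: %s" % exc
    return artifacts


def build_manifest(artifacts, collector="analyst"):
    """Hash every artifact and record who collected what, when, and in what order."""
    entries = []
    for order, (name, data) in enumerate(artifacts.items(), start=1):
        raw = data.encode()
        entries.append({
            "order": order,
            "artifact": name,
            "sha256": hashlib.sha256(raw).hexdigest(),
            "size": len(raw),
            "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "collector": collector,
        })
    return entries


def verify_manifest(artifacts, manifest):
    """Re-hash the artifacts and return the names of any whose digest no longer matches."""
    current = {e["artifact"]: e["sha256"] for e in build_manifest(artifacts)}
    return [e["artifact"] for e in manifest if current.get(e["artifact"]) != e["sha256"]]


# Constructed sample input standing in for a live /proc read (assumption, not real capture).
SAMPLE_ARP = ("IP address       HW type     Flags       HW address            Mask     Device\n"
              "192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0\n")
SAMPLE_TCP = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
              "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0 0\n"
              "   1: 0F02000A:C35A 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2 0 0\n")

if __name__ == "__main__":
    arts = {"arp_cache": SAMPLE_ARP, "tcp_connections": SAMPLE_TCP}
    print(parse_proc_arp(arts["arp_cache"]))
    print(parse_proc_tcp(arts["tcp_connections"]))
    manifest = build_manifest(arts)
    print(json.dumps(manifest, indent=2))
    arts["arp_cache"] += "tampered\n"  # simulate a post-acquisition modification
    print("mismatched:", verify_manifest(arts, manifest))
```

On a live Linux host, `collect_live()` reads the real /proc paths in the order listed, and the manifest should be written out alongside the artifacts immediately after collection; the digests are what lets a later reviewer show that the collected data has not changed since acquisition.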
Memory Acquisition :
Traditionally, digital forensics teams acquired data from the hard drive of a powered-off system, an approach also called dead box forensics. This type of acquisition helps in cases such as child exploitation and monetary fraud, because the files of interest are usually stored on the hard drive.