WGU C840 - Digital Forensics in Cybersecurity - Proper Procedure - collecting, seizing and protecting all Questions & answers solved accurately with Complete Solution Graded A+ latest version

  • July 6, 2024
  • 7
  • 2023/2024
  • Exam (elaborations)
  • Questions & answers
WGU C840 - Digital Forensics in Cybersecurity - Proper Procedure - collecting, seizing and protecting evidence


netstat - ANSWER-command shows network statistics and any current connections. For example, a Windows 7 computer that is part of a homegroup will have communications with other members of that group. What you are looking for are external connections, particularly ones from outside the local network.

net sessions - ANSWER-command is actually more helpful than netstat. The netstat command shows even meaningless connections, such as your computer opening a web browser. But _____ shows only established network communication sessions, such as someone logging on to that system.

openfiles - ANSWER-command is very useful. It tells you if any shared files or folders are open and who has them open. Before shutting down the suspect machine, this is a critical command to run.

Magnet RAM Capture and DumpIt - ANSWER-two free tools that will capture memory. Both can be easily found on the internet using your favorite search engine. AccessData's FTK (which we will see later used to capture a drive image) can also be used to capture memory.

Proper Procedure - collecting, seizing and protecting evidence - 1st step - ANSWER-at a minimum, you need to see what is currently running on the computer but touch it as little as possible. But you do need to find out if someone is currently accessing the computer or if there is malware running on the computer before you shut it down. Although the specifics may vary depending on the installed operating system, the first thing to do is to check for running processes. Press Ctrl+Alt+Delete then select Task Manager; select the Processes tab. Take a picture of the screen so you have a record of the running processes. In this case, "take a picture" means taking an actual photo with a camera, not taking a screenshot. In many cases, your photos are also subject to the rules of the chain of custody for evidence. You should assume that they are. Next, it is important to see if there are live connections to this system. Fortunately, there are built-in commands (most work in Linux as well as Windows) that will help you with that.

Proper Procedure - collecting, seizing and protecting evidence - 1st step commands to run - ANSWER-Run netstat, net sessions, and openfiles. Run each of these commands and photograph the results before shutting down the machine. Also document that you ran them, the time you started them, and the results. Then power down the machine. Most sources recommend you simply pull the plug. This may be contrary to how you usually power down a machine, but the idea is to interrupt normal operations. It is possible, though not likely, that there is some malware on the machine that would delete files, clear the swap, or otherwise destroy evidence during a normal power-down or the subsequent power-up of a machine.

Proper Procedure - collecting, seizing and protecting evidence - 2nd step - ANSWER-Capturing Memory - If you believe that you may wish to analyze the system's memory at a later time, then it is imperative that you capture the memory now. Many tools exist that will capture memory. Remembering Locard's principle of transference—that interacting with an environment changes it—you will want to run these tools from a USB device, not actually on the suspect system. OSForensics can be installed to USB and can capture the system's memory.

Proper Procedure - collecting, seizing and protecting evidence - 3rd step - ANSWER-Transporting the Computer System to a Secure Location - Both law enforcement agencies and corporations sometimes fail to transport and store suspect systems properly. It is imperative that you treat a subject computer as evidence and store it out of reach of curious computer users. Sometimes, individuals operate seized computers without knowing that they are destroying potential evidence and the chain of custody. A seized computer left unattended can easily be compromised. Someone could plant evidence or destroy crucial evidence. Lack of a proper chain of custody can make a savvy defense attorney's
