Chapter 1: Understanding the Digital Forensics Profession and Investigations

¡Supera tus tareas y exámenes ahora con Quizwiz!

What are the steps for problem solving?

1) make an initial assessment about the type of case you are investigating 2) determine a preliminary design or approach to the case 3) create a detailed checklist 4) determine the resources you need 5) obtain and copy an evidence drive 6) identify the risks 7) mitigate or minimize the risks 8) test the design 9) analyze and recover the digital evidence 10) investigate the data you recover 11) complete the case report 12) critique the case

The computer fraud and abuse act was passed when?

1986

How is digital forensics different from data recovery?

data recovery involves retrieving information that was deleted by mistake or lost during a power surge or server crash

During private investigations, what do you search for?

evidence to support allegations of violations of a company's rules or an attack on its assets

bit-stream image

file containing the bit-stream copy of all data on a disk or partition, also known as "image" or "image file"

describe private-sector investigations

focus more on policy violations

Describe a Digital Evidence Specialist (DES)

has the skill to analyze the data and determine when another specialist should be called in to assist

Why was the Federal Rules of Evidence (FRE) created?

to ensure consistency in federal proceedings; signed into law in 1973

What is the role of a digital forensics professional?

to gather evidence to prove that a suspect committed a crime or violated a company policy; collect evidence that can be offered in court or at a corporate inquiry

What is the role of a computing investigator

to instruct the investigator conducting the interview on what questions to ask and what the answers should

What is a private-sector investigator's job?

to minimize risk to the company

What activities should a basic investigation plan include?

- Acquire the evidence - complete an evidence form and establish a chain of custody - transport the evidence to a computer forensics lab - secure evidence in an approved secure container - prepare your forensics workstation - retrieve evidence from the secure container - make a forensic copy of the evidence - return the evidence to the secure container - process the copied evidence with computer forensic tools

In private investigations, what are three types of situations that are common?

- abuse or misuse of computing assets - email abuse - internet abuse

To conduct an email abuse investigation, you need what?

- an electronic copy of the offending email that contains message header data - if available, email server log records - for email systems that store users' messages on a central server, access to the server - access to the computer so that you can perform a forensic analysis on it - your preferred computer forensics tools

To conduct internet abuse investigations, you need what?

- organization's internet proxy server logs - suspect computer's IP address - suspect computer's disk drive - your preferred computer forensics analysis tool

When conducting public-sector investigations, you must understand laws on computer-related crimes including what?

- standard legal processes - guidelines on search and seizure - how to build a criminal case

What are the two types of evidence custody forms

-Single evidence form: lists each piece of evidence on a separate page multi-evidence form

Most important policies define rules for using the company's computers and networks. What is this known as?

Acceptable Use Policy

In October 2012, an ISO standard for digital forensics was ratified. what is it?

ISO 27037 Information Technology- Security techniques

What is the difference between an interview and an interrogation?

Interview-- usually conducted to collect information from a witness or suspect about specific facts related to an investigation Interrogation- process of trying to get a suspect to confess

Existing laws can't keep up with the rate of technological change. When statutes don't exist, case law is used. What is this?

It allows legal counsel to apply previous similar cases to current one in an effort to address ambiguity in laws

Digital investigations fall into 2 categories. What are they?

Public-sector investigations Private-sector investigations

Businesses are advised to specify an authorized requester. Who is this?

Someone who has the power to initiate investigations

Forensic investigators often work as part of a team, known as the investigations triad. What makes up the triad? What does each discipline do?

Vulnerability Threat Assessment and Risk Management-- tests and verifies the integrity of stand-along workstations and network servers, Network Intrusion Detection and Incident Response-- detects intruder attacks by using automated tools and monitoring network firewall logs, and Digital Investigation- manages investigations and conducts forensics analysis of systems suspected of containing evidence

What is a police blotter

a historical database of previous crimes

What is an affidavit

a sworn statement of support of facts about or evidence of a crime; must include exhibits that support the allegation

Describe a digital evidence first responder (DEFR)

arrives on an incident scene, assesses the situation, and take precautions to acquire and preserve evidence

What is a bit-stream copy?

bit-by-bit copy of the original storage medium

How can businesses reduce the risk of litigation?

by publishing and maintaining policies that employees find easy to read and follow; also displaying a warning banner on computer screens that informs end users that the organization reserves the right to inspect computer systems and network traffic at will

Investigating digital devices includes

collecting data securely, examining suspect data to determine details such as origin and content, presenting digital information to courts, applying laws to digital device practices

Describe network intrusion detection and incident response

detects intruder attacks by using automated tools and monitoring network firewall logs

What kinds of crimes are private sector crimes?

e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage

What are write blocker devices?

enable you to boot to Windows without writing data to the evidence drive

What is an evidence custody form

helps you document what has been done with the original evidence and its forensics copies; also called a chain-of-evidence form

When was the FBI Computer Analysis and Response Team (CART) formed?

in 1984 to handle cases involving digital evidence; by late 1990s, CART teamed up with Department of Defense Computer Forensics Laboratory (DCFL)

describe digital investigations

manages investigations and conducts forensics analysis of systems suspected of containing evidence

What is the 4th amendment to the U.S. Constitution

protects everyone's right to be secure from search and seizure; separate search warrants might not be necessary for digital evidence

What is a chain of custody

route the evidence takes from the time you find it until the case is closed or goes to court

What is attorney-client privilege (ACP)

rules for an attorney that they must keep all findings confidential

What is a Bring your own device (BYOD) environment?

some companies state that if you connect a personal device to the business network, it falls under the same rules as company property

What is the line of authority

states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

Describe vulnerability/threat assessment and risk management

tests and verifies the integrity of stand-along workstations and network servers

Digital Forensics

the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation

What are public-sector investigations

they involve government agencies responsible for criminal investigations and prosecution

How should you secure your evidence?

use evidence bags to secure and catalog the evidence; use computer safe products when collecting computer evidence (antistatic bags, antistatic pads), well padded containers, used evidence tape to seal all openings (CD drive bays, insertion slots for power supply electrical cords, USB cables); write your initials on tape to prove the evidence has not been tampered with; consider computer specific temperature and humidity ranges; make sure you have a safe environment for transporting and storing it until a secure evidence container is available

When does a criminal investigation usually begin?

when someone finds evidence of or witnesses a crime; witness or victim makes an allegation to the police

Private-sector investigations involve private companies and lawyers who do what?

who address company policy violations and litigation disputes. ex: wrongful termination; businesses strive to minimize or eliminate litigation;

How can you avoid altering evidence when conducting an investigation and analysis?

write blocker devices


Conjuntos de estudio relacionados

Unfair Trade & Claims Settlement Practices

View Set

3060 Final Exam CH 15-18, 24, 26, 27

View Set

Marketing Analysis (MKTG 4080) FINAL

View Set

Cristóbal Colón (Palabras y Preguntas)

View Set

Cyber Security II - Linux Commands

View Set

Gastroenterology-Diseases and Conditions

View Set

Section 3: Ethos, pathos, and logos - part 2

View Set