Chapter 13 Digital Forensics
If the case comes to trial and the analyst is called, he or she will have two duties:
1. The analyst must testify to his/her direct experience. The analyst may testify about everything from receiving the initial evidence to the final report.
2. The analyst may play the role of a technical expert, qualified to give summaries and opinions as to the meaning of the evidence.
Two imperatives of hard drive manufacturers:
1. Storage density
2. Speed
Hash
A number generated by an algorithm from a text string. Also known as a message digest.
hex editor
A type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
L2 cache
A type of memory cache that is slightly slower than L1 cache, but has a much larger capacity, ranging from 64 KB to 16 MB. (SLOWER BUT HOLDS MORE INFO)
L1 Cache
Cache used by a CPU for short-term storage of data and instructions. It is the fastest and closest to the CPU.
The image produced should be written to a true, write once media such as a
DVD-R or CD-R
EFS
Encrypting File System.
True or False: Field Acquisition is the preferred method
False: failure to maintain control of the evidence device can also lead to problems in establishing the authenticity or chain of custody of the evidence in court (least preferred because it makes it easier for the defense to undermine your testimony).
The forensic analyst's process must include a step to calculate an ___________ hash of the evidence device
MD5
Most important task for examiner
Maintaining the continuity of evidence from the source to the final analysis product.
The examination of stored data is often referred to as _________ analysis
Post-mortem
Write blocker
Prevents data writes to a hard disk. Usually used on the Windows operating system to prevent the analyst's lab computer from writing data to the HD.
True or False: Analysis creates investigation leads and summaries not evidence
True
True or False: Logical copies do not produce latent data
True
True or False: Rule of evidence: original evidence, not a copy be brought to court
True
True or false: Bulk of evidence is from active files
True
Lossless Compression
a data compression algorithm that allows the original data to be perfectly reconstructed from the compressed data.
Direct-access storage
a storage method that allows a data-retrieval mechanism to quickly find data
The Gold Standard
an analyst must be able to reliably reproduce any result from procedure notes and a copy of the original data seized.
Digital evidence is more easily ____________ than physical evidence
authenticated
Best method of imaging the evidence drive is to create a _______ copy
bit stream. (also called a mirror or image)
Bootable CDs
create a RAM drive and can be used to load larger programs, thus they do not alter data on the hard drive.
One of the most important characteristics of FAT systems is
deleted files aren't wiped from the drive.
Most common source of latent files is __________
deletion
Two broad classes of removable storage media:
direct access and sequential access.
Disk drives allow
direct storage access; they do not store information in sequential order like a magnetic tape or other sequential device.
Storage Forensics
examination of information stored on a physical medium
hex editor can be used to _______________
examine intact files (active data) or obscured/deleted data (latent data); it can access active and latent files without interfering with the hard disk.
Latent files
files that are not recognized by the OS, therefore, do not show up on a list of files.
A hash value is essentially the _________ of the digital data set
fingerprint
Electronic Crime Scene Investigation: A Guide for First Responders
intended to assist state and local law enforcement who may be responsible for preserving an electronic crime scene and for recognizing, collecting, and safeguarding digital evidence.
RAM
largest reserve of info that supplies the processor
computer forensic packages
make it easier to find elements and establish elements of a crime
- Can bring in all the info from the hard drive at once
- All digital data are stored as a pattern of bits
- Generally validated by an external expert and used in standard practice
Physical medium
real world object that may be inside or outside the computer.
A bit stream copy
reproduces every bit of info found on the evidence device, even unused storage space.
Sequential access storage
requires more time, because the device must fast-forward through unneeded data to find the requested data
The expert witness presents
simplified explanations and abbreviations to the fact finder.
When information is stored on a physical medium, it is said to be __________
static
Activity Log
steps of analysis that must be organized in a consistent and reproducible fashion.
Power of the search
the ability of a search to achieve results; for example, when you misspell something and the search still helps you find what you are looking for more easily
Time access of Direct access storage
the time required to access data is reduced, making retrieval faster
True or False: Digital evidence is easier to authenticate than physical evidence
True
True or False: The image of a device is considered to be "best evidence"
True; the Federal Rules of Evidence allow unaltered digital evidence to be presented as a copy. A comparison of MD5 hashes can verify that the data is unaltered.
Structures of digital storage can be divided into two parts
volatile and nonvolatile storage
Active Files
word processing docs, spreadsheets, text files, graphics, etc