Digital Forensics Exam #1 (Chapters 1, 2, and 3)
Case Law
Allows legal counsel to apply previous similar cases to current one in an effort to address ambiguity in laws
Host Protected Area (HPA)
An area of a disk drive reserved for booting utilities and diagnostic programs. It's not visible to the computer's OS.
Whole Disk Encryption
Feature (for example, Windows BitLocker) that makes static acquisitions more difficult
attorney-client privilege (ACP)
under ______ rules for an attorney, you must keep all findings confidential
Redundant array of independent disks (RAID)
•Computer configuration involving two or more disks •Originally developed as a data-redundancy measure
Business Case
Plan you can use to sell your services to management or clients
Interview
Usually conducted to collect information from a witness or suspect
CRC-32, MD5, and SHA-1 to SHA-512
Validation techniques for data acquisitions
1. Single-evidence form 2. Multi-evidence form
Two types of evidence custody forms:
Static acquisitions and live acquisitions
Types of acquisitions include:
TEMPEST facilities
Electromagnetic Radiation (EMR) proofed
Configuration Management
Keep track of software updates to your workstation
dd ("data dump") command
-Can read from and write to a media device and a data file -Creates a raw format file that most computer forensics analysis tools can read
Digital Evidence First Responder (DEFR)
Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
warning banner
Business can avoid litigation by displaying a ________ on computer screens
authorized requester
Businesses should have a _______, who can launch an investigation
Department of Defense Computer Forensics Laboratory (DCFL)
By the late 1990s, CART teamed up with the
Certified Forensic Computer Examiner (CFCE)
Candidates who complete the IACIS test are designated as a
image file
Data in a forensics acquisition tool is stored as an
Network intrusion detection and incident response
Detects intruder attacks by using automated tools and monitoring network firewall logs
risk management
Determining how much risk is acceptable for a process or operation is called
1. Public-sector investigations 2. Private-sector investigations
Digital investigations fall into two categories:
investigations triad
Forensics investigators who work as part of a team
Digital Evidence Specialist (DES)
Has the skill to analyze the data and determine when another specialist should be called in to assist
•Collecting data securely •Examining suspect data to determine details such as origin and content •Presenting digital information to courts •Applying laws to digital device practices
Investigating digital devices includes:
Digital investigations
Manages investigations and conducts forensics analysis of systems suspected of containing evidence
Budget development
Needs to include: •Facility cost •Hardware requirements •Software requirements •Miscellaneous budget needs
Interrogation
Process of trying to get a suspect to confess
Repeatable findings
Repeat the steps and produce the same result
Chain of Custody
Route the evidence takes from the time you find it until the case is closed or goes to court
search warrants
Separate _______ might not be necessary for digital evidence
Secure facility
Should preserve integrity of evidence data
True
T or F. Forensic images created in the raw format require a separate manual validation to be conducted
False
T or F. Raw format forensic images contain metadata
True
T or F. Some acquisition tools do not copy data in the host protected area (HPA) of a disk drive
Vulnerability/threat assessment and risk management
Tests and verifies the integrity of stand-alone workstations and network servers
dcfldd
The _______ command is similar to the dd command but has added features for computer forensics
Digital Forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation
•Raw format •Proprietary formats •Advanced Forensics Format (AFF)
Three formats of an image file include:
Disk-to-image file copy
What is the most common and flexible data acquisition method?
Raw image
What kind of image is useful if compatibility is the main priority?
Computer Analysis and Response Team (CART)
Which FBI team was formed to handle digital evidence?
disaster recovery plan
Which plan specifies how to rebuild your forensic workstations if they have been damaged?
Approval and acquisition
You must present a business case with a budget to upper management for approval
off-site
You should have at least one copy of your backups in a safe ____ facility.
Correction for Acceptance
Your business case must anticipate problems that can cause delays in lab production
AccessData Forensic Toolkit (FTK)
a popular commercial product
Affidavit
a sworn statement in support of facts about or evidence of a crime
Fourth Amendment
amendment to the U.S. Constitution that protects everyone's right to be secure from search and seizure
Uniform Crime Report (UCR)
an official measure of crime in the United States, produced by the FBI's official tabulation of every crime reported by more than 18,000 law enforcement agencies
Logical acquisition
captures only specific files of interest to the case
Sparse acquisition
collects fragments of unallocated (deleted) data
mkfs.msdos
command formats a FAT file system from Linux
fdisk
command lists, creates, deletes, and verifies partitions in Linux
Acceptance testing
consider the following items: •Inspect the facility to make sure it meets security criteria for containing and controlling digital evidence •Test all communications •Test all hardware to verify it is operational •Install and start all software tools
ASR Data
created Expert Witness for Macintosh
IRS
created search-warrant programs
ILook
currently maintained by the IRS Criminal Investigation Division
evidence custody form
helps you document what has been done with the original evidence and its forensics copies
Professional Conduct
includes ethics, morals, and standards of behavior
International Association of Computer Investigative Specialists (IACIS)
introduced training on software for digital forensics
Public-sector investigations
involve government agencies responsible for criminal investigations and prosecution
Private-sector investigations
involve private companies and lawyers who address company policy violations and litigation disputes and focus more on policy violations
data recovery
involves retrieving information that was deleted by mistake or lost during a power surge or server crash
Computer Technology Investigators Network (CTIN)
meets to discuss problems that digital forensics examiners encounter
Examiners
must be familiar with recent court rulings on search and seizure in the electronic environment
International Standardization Organization (ISO)
organization that created the standard for digital forensics
Line of Authority
states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Department of Justice (DOJ)
updates information on computer search and seizure regularly
Federal Rules of Evidence (FRE)
was created to ensure consistency in federal proceedings
Production
•After all essential corrections have been made the lab can go into production •Implement lab operations procedures
Implementation
•As part of your business case, describe how implementation of all approved items will be processed •A timeline showing expected delivery or installation dates and expected completion dates must be included •Schedule inspection dates
High-Tech Crime Network (HTCN)
•Certified Computer Crime Investigator, Basic and Advanced Level •Certified Computer Forensic Technician, Basic and Advanced Level
Risk Management
•Involves determining how much risk is acceptable for any process or operation •Identify equipment your lab depends on so it can be periodically replaced •Identify equipment you can replace when it fails
EnCase Certified Examiner (EnCE) Certification
•Open to the public and private sectors •Specific to use and mastery of EnCase forensics analysis •Candidates are required to have a licensed copy of EnCase
ANSI-ASQ National Accreditation Board (ANAB)
•Provides accreditation of crime and forensics labs worldwide •Accreditation includes forensics labs that analyze digital evidence •Audits lab functions and procedures
ISC² Certified Cyber Forensics Professional (CCFP)
•Requires knowledge of -Digital forensics -Malware analysis -Incident response -E-discovery -Other disciplines related to cyber investigations
Digital Forensics Lab
•Where you conduct your investigation •Store evidence •House your equipment, hardware, and software
Justification
•You need to justify to the person controlling the budget the reason a lab is needed •Requires constant efforts to market the lab's services to previous, current, and future customers and clients