CHFIv9 Flash Cards Part 1
External attacks
Originate from outside of an organization. Such attacks occur when there are inadequate information security policies and procedures. Chapter 1
Oxygen Forensic Kit
Ready-to-use and customizable mobile forensics solution for both field and in-lab use. Offers data extraction and report creation. Chapter 2 Software Tools
WriteProtect-DESKTOP
secure read-only write blocking of suspect hard drives. Chapter 2 Hardware tool
Capsa
sniffer with support for over 300 network protocols Chapter 2 Software Tools
PC-3000 Data Extractor
Software add-on that diagnoses and fixes file system issues. Recovers data from any media. Chapter 2 Hardware tool
Locard's Exchange Principle
Anyone or anything entering a crime scene takes something of the scene and leaves something of themselves behind. Chapter 1
Rule 705
Disclosing the Facts or Data Underlying an Expert's Opinion Chapter 2
Paraben's StrongHold
Faraday bags block out wireless signals to protect evidence. Chapter 2 Hardware tool
Incident Analyzer
Forensic team member who analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, and the different threats and vulnerabilities associated with it. Chapter 2
Evidence Examiner/Investigator
Forensic team member who examines the evidence acquired, sorts out the useful evidence, and prioritizes it from high to low. Chapter 2
Evidence Documenter
Forensic team member gathers info and documents it from incident occurrence to the end of the investigation. Chapter 2
Evidence Manager
Forensic team member has all the information about the evidence: name, evidence type, time, source of evidence etc. Manages and maintains a record of the evidence such that it is admissible in a court of law. Chapter 2
Photographer
Forensic team member photographs crime scene and all evidence. Should be certified. Chapter 2
Attorney
Forensic team member provides legal advice regarding investigation as well as legal issues involved in the forensics investigation process. Chapter 2
Decision Maker
Forensic team member responsible for authorization of a policy or procedure during the investigative process. Based on the incident type, makes decisions about the policies and procedures to handle the incident. Chapter 2
Incident Responder
Forensic team member responsible for measures taken when an incident occurs, secures the incident area and collects the evidence present at the crime scene. Also disconnects the system from others to contain an incident. Chapter 2
18 USC 1029
Fraud and related activity in connection with access devices. Chapter 2
18 USC 1030
Fraud and related activity in connection with computers Chapter 2
Ophcrack
Free GUI tool used to recover passwords based on Rainbow tables Chapter 2 Software Tools
Rule 402
General Admissibility of Relevant Evidence Chapter 2
Investigation Phase
Main phase: -acquire, preserve, and analyze evidence -identify the source of the crime and the culprit -apply technical knowledge to find evidence -examine, document, and preserve findings and evidence. Chapter 2
18 USC 1361-2
Prohibit malicious mischief Chapter 2
SWGDE Standards and Criteria 1.5
The agency must use hardware and software that is appropriate and effective for the seizure/examination procedure Chapter 1
Image MASSterTM Wipe PRO
a hard drive Sanitization Station. Chapter 2 Hardware tool
The Sleuth Kit
- C library and collection of command-line tools for analysis of disk images and file recovery. - Plugin framework expands functionality and allows for automation Chapter 2 Software Tools
Criminal Cases
- crimes that are harmful to society and involve action by law enforcement against a company, group, or individual - guilty = monetary damages, imprisonment, or both - The investigation must follow a set of standard forensic processes accepted by law - Investigators (with a warrant) can forcibly seize devices - formal report required - law enforcement responsible for collecting and analyzing evidence - Punishment is harsh - Standard of proof is high - difficult to capture specific evidence (GPS) Chapter 1
Civil Cases
- plaintiff registers the case and bears the burden of proof - disputes between two parties - relate to violation of contracts and lawsuits - guilty = monetary damages to the plaintiff - Investigators try to show some evidence to the opposing party to induce settlement - Device searches based on mutual understanding (giving the opposing party notice and time to hide evidence) - Informal reporting - Claimant is responsible for collection and analysis of evidence - Poorly documented or unknown chain of custody - Evidence can be under third-party control Chapter 1
Administrative Cases
-Agency or government performing inquiries to identify facts with reference to its own management and performance -Non-criminal, related to misconduct or activities of an employee such as --Violation of org policy, rules, protocol --Resource misuse or theft --Threatening or violent behavior Chapter 1
CFL Physical Security Standards / Licenses
-American Society of Crime Laboratory Directors (ASCLD) / Lab Accreditation -ISO/IEC 17025 Chapter 2
Tasks performed by forensic investigator
-Evaluate the damage of a security breach -Identify and recover data required for investigation -Extract the evidence in a forensically sound manner -Ensure proper handling -Act as a guide to the investigation team -Create reports and documents -Reconstruct the damaged storage devices and uncover information hidden on the computer -Update the org about various methods of attack and data recovery techniques -Address the issue in a court of law and attempt to win the case through testimony. Chapter 1
CFL Setup
-Plan and budget -Break down costs into daily and annual expenditures -Refer to investigation expenses in the past -Be aware and budget for updates to technology -Use cybercrime statistics to estimate case load and personnel requirements Chapter 2
Computer Forensics Investigation Process
-Pre Investigation Phase -Investigation Phase -Post-Investigation Phase Chapter 2
Post-investigation Phase
-Reporting and documentation of all actions and findings during the investigation -Ensure the target audience can easily understand the report -report must provide adequate and acceptable evidence -report must comply with all laws and standards -report must be legally sound and acceptable in a court of law Chapter 2
Pre-investigation Phase
-assemble the investigation team, CFL, forensic workstations, and toolkits -gain approval from the relevant authority -plan and define mission goals -secure the perimeter and devices Chapter 2
Forensics Investigation Checklist
1. Don't turn the computer off, run any programs, or attempt to access data on the computer. 2. Secure any relevant media: hard drives, cell phones, DVDs, USB drives, etc. 3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of the issue. 4. Perform a preliminary assessment of the crime scene and identify the data you seek, the information you are looking for, and the urgency level of the examination. 5. Once the machine is secured, obtain info about the machine, its peripherals, and the network it was connected to. 6. If possible, obtain passwords to access encrypted or password-protected files. 7. Compile a list of names, emails, and other info of those with whom the subject might have communicated. 8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files were accessed, and when access occurred. If possible, find out why. 9. Maintain chain of custody for each piece of original media, indicating where it has been, in whose possession, and for what reason. 10. Create a list of key words or phrases to use when searching for relevant data. Chapter 2
Dry pipe system
A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area. Chapter 2
Rule 1003
Admissibility of Duplicates Chapter 2
Rule 1004
Admissibility of Other Evidence of Content Chapter 2
SWGDE Standards and Criteria 1.2
Agency must review SOPs on annual basis to ensure continued suitability and effectiveness. Chapter 1
SWGDE Standards and Criteria 1.6
All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony. Chapter 1
SWGDE Standards and Criteria 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. Chapter 1
Forensic Readiness
An organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation cost. Technical and nontechnical actions that maximize the competence to use evidence. Chapter 1
Rule 502
Attorney-Client Privilege and Work Product; Limitations on Waiver Chapter 2
Rule 901
Authenticating or Identifying Evidence Chapter 2
Characteristics of Digital Evidence
Be admissible, be authentic, be complete, be probative, be convincing, be accurate, be relevant. Chapter 1 IT Pro TV
Rule 614
Calling and interrogation of witnesses by court Chapter 2
CFL
Computer Forensics Lab. Houses the instruments, software and hardware tools, suspect media, and the forensic workstations required to perform investigations. Chapter 2
Volatile Data
Data on a device that requires constant power to preserve it: system time, logged-on user(s), open files, network information, process information, process-to-port mapping (netstat), process memory, clipboard contents, service/driver information, command history. Chapter 1
FRED systems
Digital Intelligence's complete digital forensics hardware. Acquires data directly from hard drives and other storage devices and outputs forensic images to Blu-ray, CD/DVD, or hard drive. Chapter 2 Hardware tool
Preaction system
Employs a modified dry pipe scheme, using triggers to release liquid suppressant. Chapter 2
Wet pipe system
Employs a piping scheme that maintains a constant water load. Chapter 2
Authentic Evidence
Evidence details such as source, relevance, author, and the transmission path that attest to the authenticity, accuracy, and integrity. Chapter 1
Rule 608
Evidence of Character and Conduct of Witness Chapter 2
Believable Evidence
Evidence presented in a clear manner to a jury and bolstered by expert opinion when necessary. Chapter 1
Admissible Evidence
Evidence that is relevant to the case and acts in support of the client presenting it and will be well communicated and nonprejudiced. Chapter 1
Complete Evidence
Evidence that proves or disproves the consensual fact in the litigation. Chapter 1
Digital Forensics Challenge
Extracting, Preserving, and Analyzing digital evidence. Chapter 1
Rule 609
Impeachment by Evidence of a Criminal Conviction Chapter 2
TEMPEST
Investigations and studies of compromising emanations (intelligence-bearing signals) that, if intercepted and analyzed, will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment. Integrating these principles into lab design cuts down on information leakage while increasing cost. Chapter 2
L0phtCrack
Password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks. Uses dictionary, hybrid, rainbow table, and brute force attacks to recover Windows passwords. Chapter 2 / 5 Software Tools
Scientific Working Group on Digital Evidence (SWGDE) Principle 1
Law enforcement and forensic organizations must establish and maintain a system for quality control, ensuring that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence. Chapter 1
18 USC 2252A
Law regarding child pornography. Chapter 2
Enterprise Theory of Investigation (ETI)
Methodology for investigating criminal activity. It adopts a holistic approach toward any criminal activity, treating it as a criminal operation rather than as a single criminal act. Chapter 1
Expert Witness
Offers a formal opinion as a testimony in a court of law. Chapter 2
Rule 701
Opinion Testimony by Lay Witness Chapter 2
Cain & Abel
Password recovery for Microsoft operating systems. Uses sniffing, dictionary, brute force, and cryptanalysis attacks. Also records VoIP, decodes scrambled passwords, recovers wireless keys, reveals password boxes, uncovers cached passwords, and analyzes routing protocols. Chapter 2 Software Tools
Non-volatile data
Permanent data stored on secondary storage devices (hard disks, memory cards): hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, registry settings, event logs. Chapter 1
Best Evidence Rule
-Prevent alteration of digital evidence -Duplicate evidence will suffice provided that: --The best or highest form is presented in court --Original is destroyed by fire and/or flood --Original is destroyed in the normal course of business --Original evidence is in the possession of a third party Chapter 1
42 USC 2000AA
Privacy Protection Act: special steps to take during seizure that do not infringe on freedom of expression. Chapter 2
Guidance Software's EnCase
Rapidly acquire data from a variety of devices and unearth potential evidence with disk-level forensic analysis. Produce comprehensive reports on your findings and maintain the integrity of the investigation in a court-trusted format. Chapter 2 Software Tools
Recuva
Recovers pictures, music, documents, videos, emails, or any other file type that has been lost. Can also recover from rewritable media like memory cards, external hard drives, USB drives, etc. Chapter 2 Software Tools
Rule 1002
Requirement of the Original Chapter 2
Fourth Amendment
Restricts government search and seizure powers, absent a search warrant, where a person has a reasonable expectation of privacy. Note: private intrusions by parties not acting on behalf of the government don't come under this protection. Chapter 1
SWGDE Standards and Criteria 1.3
SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner. Chapter 1
SWGDE
Scientific Working Group on Digital Evidence Chapter 1
Rule 101
Scope: governs proceedings in the courts of the United States Chapter 2
ZX-Tower
Secure sanitization of hard disk. Chapter 2 Hardware tool
SWGDE Standards and Criteria 1.4
The agency must maintain written copies of the appropriate technical procedures. Chapter 1
Computer Forensics
The process of finding evidence related to a digital crime. Chapter 1
18 USC 2702
Voluntary disclosure of customer communications or records Chapter 2
Cybercrime
any illegal act that involves a computer, its systems, or its applications. Chapter 1
NIST Computer Forensic Tool Testing Project CFTT
Establishes a methodology for testing computer forensic software tools by developing general tool specifications, test criteria, test sets, and test hardware. Chapter 2 Software Tools
Class B fire
Flammable liquid and gas fires. Chapter 2
RoadMASSter-3 X2
forensic ruggedized portable lab for HDD data acquisition and analysis. Chapter 2 Hardware tool
Data Recovery Stick
can recover deleted files Chapter 2 Hardware tool
FileMerlin
Converts word processing, xls, ppt, and database files between a wide range of file formats. Chapter 2 Software Tools
AccessData FTK
Court-cited digital forensics platform that provides processing and indexing up front, so filtering and searching are fast. Can be set up for distributed processing and incorporate web-based case management and collaborative analysis. Chapter 2 Software Tools
RAPID IMAGE 7020 X2
designed to copy one "Master" hard disk to up to 19 "Target" hard drives. Chapter 2 Hardware tool
Autopsy
Digital forensics platform and GUI for The Sleuth Kit and other forensics tools. Chapter 2 Software Tools
Class C fire
energized electrical equipment fire Chapter 2
Rule 102
ensures that the truth may be ascertained and the proceedings justly determined. Eliminate unjustifiable expense and delay. Chapter 2
PC-3000 Flash
hardware and software suite for recovering flash based storage. Chapter 2 Hardware tool
Rule 801
hearsay Chapter 2
Digital Evidence
includes all information that is either stored or transmitted in digital form and has probative value. Investigators should take utmost care while gathering evidence as it is fragile in nature. Chapter 1
18 USC 2252B
Misleading domain names on the Internet. Chapter 2
PALADIN
modified live Linux distro Chapter 2 Software Tools
Class A fire
Paper, trash, and plastic fires. Chapter 2
Nuix Corporate Investigation Suite
used to collect, process, analyze, review, and report evidence Chapter 2 Software Tools
R-Drive Image
utility that provides creation of disk image files for backup or duplication purposes. Chapter 2 Software Tools
Rules of Forensics Investigation
• Limit access and examination of the original evidence • Record changes made to the evidence files • Create a chain of custody document • Set standards for investigating the evidence • Comply with the standards • Hire professionals for analysis of evidence • Evidence should be strictly related to the incident • The evidence should comply with the jurisdiction standards • Document the procedures applied on the evidence • Securely store the evidence Chapter 1