CHFIv9 Flash Cards Part 1

External attacks

Originate from outside of an organization. Such attacks occur when there are inadequate information security policies and procedures. Chapter 1

Oxygen Forensic Kit

ready to use and customizable mobile forensics solution for both field and in lab use. Offers data extraction and report creation. Chapter 2 Software Tools

WriteProtect-DESKTOP

secure read-only write blocking of suspect hard drives. Chapter 2 Hardware tool

Capsa

sniffer with support for over 300 network protocols Chapter 2 Software Tools

PC-3000 Data Extractor

software add-on that diagnosis and fixes file system issues. Recovers data from any media. Chapter 2 Hardware tool

Locard's Exchange Principle

anyone or anything, entering a crime scene takes something of the scene, and leaves something of themselves behind. Chapter 1

Rule 705

Disclosing the Facts or Data Underlying an Expert's Opinion Chapter 2

Paraben's StrongHold

Faraday bags block out wireless signals to protect evidence. Chapter 2 Hardware tool

Incident Analyzer

Forensic team member analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, different threats and vulns associated with it. Chapter 2

Evidence Examiner/Investigator

Forensic team member examines the evidence acquired and sorts the useful evidence and prioritizes from high to low Chapter 2

Evidence Documenter

Forensic team member gathers info and documents it from incident occurrence to the end of the investigation. Chapter 2

Evidence Manager

Forensic team member has all the information about the evidence: name, evidence type, time, source of evidence etc. Manages and maintains a record of the evidence such that it is admissible in a court of law. Chapter 2

Photographer

Forensic team member photographs crime scene and all evidence. Should be certified. Chapter 2

Attorney

Forensic team member provides legal advice regarding investigation as well as legal issues involved in the forensics investigation process. Chapter 2

Decision Maker

Forensic team member responsible for authorization of a policy or procedure during the investigative process. Based on the incident type, makes decisions about the policies and procedures to handle the incident. Chapter 2

Incident Responder

Forensic team member responsible for measures taken when an incident occurs, secures the incident area and collects the evidence present at the crime scene. Also disconnects the system from others to contain an incident. Chapter 2

18 USC 1029

Fraud and related activity in connection with access devices. Chapter 2

18 USC 1030

Fraud and related activity in connection with computers Chapter 2

Ophcrack

Free GUI tool used to recover passwords based on Rainbow tables Chapter 2 Software Tools

Rule 402

General Admissibility of Relevant Evidence Chapter 2

Investigation Phase

Main Phase -acquire, preserve, and analyze evidence -identify the source of crime and culprit -implement technical knowledge to find evidence, -examine document, and preserve findings and evidence. Chapter 2

18 USC 1361-2

Prohibit malicious mischief Chapter 2

SWGDE Standards and Criteria 1.5

The agency must use hardware and software that is appropriate and effective for the seizure/examination procedure Chapter 1

Image MASSterTM Wipe PRO

a hard drive Sanitization Station. Chapter 2 Hardware tool

The Sleuth Kit

- C library and collection of command-line tools for analysis of disk images and file recovery. - Plugin framework expands functionality and allows for automation Chapter 2 Software Tools

Criminal Cases

- crimes that are harmful to society and involve action by law enforcement against a company, group, or individual - guilty = monetary damages, imprisonment, or both - The investigation must follow set of standard forensic processes accepted by law - Investigators (with a warrant) can force seize devices - formal report required - law enforcement responsible for the collection and analyzing evidence - Punishment is harsh - Standard of proof is high - difficult to capture specific evidence (GPS) Chapter 1

Civil Cases

- plaintiff registers case and responsible for burden of proof - disputes between two parties - relate to violation of contracts and lawsuits - guilty = monetary damages to the plaintiff - Investigator try to show some evidence to the opposite party to induce settlement - Device searches based on mutual understanding (giving opposite party notice and time to hide evidence) - Informal reporting - Claimant is responsible for collection and analysis of evidence - Poorly documented or unknown chain of custody - Evidence can be under third party control Chapter 1

Administrative Cases

-Agency or government performing inquiries to identify facts with reference to its own management and performance -Non-criminal, related to misconduct or activities of an employee such as --Violation of org police, rules, protocol --Resource misuse or theft --Threatening or violent behavior Chapter 1

CFL Physical Security Standards / Licenses

-American Society of Crime Laboratory Directors (ASCLD) / Lab Accreditation -ISO/IEC 17025 Chapter 2

Tasks preformed by forensic investigator

-Evaluate the damage of a security breach -Identify and recover data required for investigation -Extracts the evidence in a forensically sound manner -Ensure proper handling -Acts as a guide to the investigation team -Creates reports and documents -Reconstructs the damaged storage devices and uncovers information hidden on the computer -Update the orgs about various methods of attack and data recovery techniques -Addresses the issue in a court of law and attempts to win the case through testimony. Chapter 1

CFL Setup

-Plan and budget -Break down costs into daily and annual expenditures -Refer to investigation expenses in the past -Be aware and budget for updates to technology -Use cybercrime statistics to estimate case load and personnel requirements Chapter 2

Computer Forensics Investigation Process

-Pre Investigation Phase -Investigation Phase -Post-Investigation Phase Chapter 2

Post-investigation Phase

-Reporting and documentation of all actions and finding during the investigation -Ensure target audience can easily understand report -report must provide adequate and acceptable evidence -report must comply will all laws and standards -report must be legally sound and acceptable in the court of law Chapter 2

Pre-investigation Phase

-assemble investigation team, CFL, forensic workstations and toolkits -gaining approval from the relevant authority -planning and defining mission goals -Secure perimeter and devices Chapter 2

Forensics Investigation Checklist

1. Don't turn the computer off, run any programs, or attempt to access data on the computer. 2. Secure any relevant media hard drives, cell phones, DVDs, USB drives, etc 3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of issue. 4. Preform a prelim assessment of the crime scene and identify the data you seek, the information you are looking for, and the urgency level of the examination. 5. Once machine is secured, obtain info about the machine, it's peripherals,and the network where connected 6. If possible obtain passwords to access encrypted or password protected files. 7. Compile a list of names, emails, and other info of those with whom the subject might have communicated. 8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files accessed, and when access occurred. If possible find out why. 9. Maintain chain of custody for each piece of original media indicating where it has been, whose possession, and the reason. 10. Create a list of key words or phrases to use when searching for relevant data. Chapter 2

Dry pipe system

A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area. Chapter 2

Rule 1003

Admissibility of Duplicates Chapter 2

Rule 1004

Admissibility of Other Evidence of Content Chapter 2

SWGDE Standards and Criteria 1.2

Agency must review SOPs on annual basis to ensure continued suitability and effectiveness. Chapter 1

SWGDE Standards and Criteria 1.6

All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony. Chapter 1

SWGDE Standards and Criteria 1.1

All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. Chapter 1

Forensic Readiness

An organizations ability to make optimal use of digital evidence in a limited period and with minimal investigation cost. Technical and nontechnical actions that maximize competence to use evidence. Chapter 1

Rule 502

Attorney-Client Privilege and Work Product; Limitations on Waiver Chapter 2

Rule 901

Authenticating or Identifying Evidence Chapter 2

Characteristics of Digital Evidence

Be Admissible Be Authentic Be Complete Be probative Be convincing Be accurate Be relevant Chapter 1 IT Pro TV

Rule 614

Calling and interrogation of witnesses by court Chapter 2

CFL

Computer forensics Lab Houses the instruments, software and hardware tools, suspect media, and the forensic workstations required to preform investigations. Chapter 2

Volatile Data

Data on a device that requires constant power to preserve it. system time logged-on user(s) open files network information process information process-to-port mapping (netstat) process memory clipboard contents service / driver information command history Chapter 1

FRED systems

Digital Intelligence complete digital forensics hardware acquire data directly from hard drives and other storage devices and output forensic images to Blu-Ray, CD/DVD or hard drive Chapter 2 Hardware tool

Precaution system

Employs a modified dry pipe scheme. Utilizing triggers to release liquid suppressant Chapter 2

Wet pipe system

Employs piping scheme that maintains a constant water load Chapter 2

Authentic Evidence

Evidence details such as source, relevance, author, and the transmission path that attest to the authenticity, accuracy, and integrity. Chapter 1

Rule 608

Evidence of Character and Conduct of Witness Chapter 2

Believable Evidence

Evidence presented in a clear manner to a jury and bolstered by expert opinion when necessary. Chapter 1

Admissible Evidence

Evidence that is relevant to the case and acts in support of the client presenting it and will be well communicated and nonprejudiced. Chapter 1

Complete Evidence

Evidence that proves or disproves the consensual fact in the litigation. Chapter 1

Digital Forensics Challenge

Extracting, Preserving, and Analyzing digital evidence. Chapter 1

Rule 609

Impeachment by Evidence of a Criminal Conviction Chapter 2

TEMPEST

Investigations and studies of compromising emanations (intelligence-bearing signals) that if intercepted and analyzed will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment. integrating these principles into lab design cuts down on information leakage while increasing cost. Chapter 2

L0phtCrack

Is a password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks. Uses dictionary, hybrid, rainbow table, and brute force attacks to recover Windows passwords. Chapter 2 / 5 Software Tools

Scientific Working Group on Digital Evidence (SWGDE) Principle 1

Law Enforcement and Forensic Organization mandate to establish and maintain a system for quality control. Ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence. Chapter 1

18 USC 2252A

Law regarding child porn Chapter 2

Enterprise Theory of Investigation (ETI)

Methodology for investigating criminal activity. It adopts a holistic approach toward any criminal activity as a criminal operation rather a than as a single criminal act. Chapter 1

Expert Witness

Offers a formal opinion as a testimony in a court of law. Chapter 2

Rule 701

Opinion Testimony by Lay Witness Chapter 2

Cain & Abel

PW recovery for MS OS Users sniffing, dictionary, brute force, and cryptanalysis attacks. Also record VoIP, decode scrambled passwords, recover wireless keys, reveal password boxes, uncover cached passwords and analyze routing protocols. Chapter 2 Software Tools

Non-volatile data

Permanent data stored on secondary storage devices (hard disks, memory cards) hidden files slack space swap file index.dat files unallocated clusters unused partitions registry settings event logs Chapter 1

Best Evidence Rule

Prevent alteration of digital evidence Duplicate evidence will suffice provided that The best or highest form is presented in court Original is destroyed by fire and/or flood Original is destroyed in the normal course of business Original evidence is in possession of a third party Chapter 1

42 USC 2000AA

Privacy Protection Act special steps to take during seizure that don't prevent freedom or expression. Chapter 2

Guidance Software's EnCase

Rapidly acquire data from variety of devices and unearth potential evidence with disk level forensic analysis. Produce comprehensive reports on your findings and maintain the integrity of investigation in a court trusted format. Chapter 2 Software Tools

Recuva

Recovers pictures, music, documents, videos, emails, or any other file type that are lost. Can also recover from rewritable media like memory cards, external hard drives, USB, etc Chapter 2 Software Tools

Rule 1002

Requirement of the Original Chapter 2

Fourth Amendment

Restricts government search and seizure powers where a person has a reasonable expectation of privacy, without a search warrant. Note: Private intrusions not acting on behalf of the government don't come under protection. Chapter 1

SWGDE Standards and Criteria 1.3

SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner. Chapter 1

SWGDE

Scientific Working Group on Digital Evidence Chapter 1

Rule 101

Scope: governs proceedings in the courts of the United States Chapter 2

ZX-Tower

Secure sanitization of hard disk. Chapter 2 Hardware tool

SWGDE Standards and Criteria 1.4

The agency must maintain written copies of the appropriate technical procedures. Chapter 1

Computer Forensics

The process of finding evidence related to a digital crime. Chapter 1

18 USC 2702

Voluntary disclosure of customer communications or records Chapter 2

Cybercrime

any illegal act that involves a computer, its systems, or its applications. Chapter 1

NIST Computer Forensic Tool Testing Project CFTT

establishes a methodology for testing computer forensic software tools by development of general to specifications, test criteria, test sets, and test hardware Chapter 2 Software Tools

Class B fire

flammable liquid, and gas fires Chapter 2

RoadMASSter-3 X2

forensic ruggedized portable lab for HDD data acquisition and analysis. Chapter 2 Hardware tool

Data Recovery Stick

can recover deleted files Chapter 2 Hardware tool

FileMerlin

converts work processing, xls, ppt, and database files between a wide range for file formats. Chapter 2 Software Tools

AccessData FTK

court-cited digital forensics platform that provides processing and indexing up front, so filtering and searching is fast. Can be setup for distributed processing and incorporate web-based case management and collaborative analysis. Chapter 2 Software Tools

RAPID IMAGE 7020 X2

designed to copy one "Master" hard disk to up to 19 "Target" hard drives. Chapter 2 Hardware tool

Autopsy

digital forensics platform and gui for The Sleuth Kit and other forensics tools Chapter 2 Software Tools

Class C fire

energized electrical equipment fire Chapter 2

Rule 102

ensures that the truth may be ascertained and the proceedings justly determined. Eliminate unjustifiable expense and delay. Chapter 2

PC-3000 Flash

hardware and software suite for recovering flash based storage. Chapter 2 Hardware tool

Rule 801

hearsay Chapter 2

Digital Evidence

includes all information that is either stored or transmitted in digital form and has probative value. Investigators should take utmost care while gathering evidence as it is fragile in nature. Chapter 1

18 USC 2252B

misleading domains on the internet. Chapter 2

PALADIN

modified live Linux distro Chapter 2 Software Tools

Class A fire

paper, trash, plastic fire Chapter 2

Nuix Corporate Investigation Suite

used to collect, process, analyze, review, and report evidence Chapter 2 Software Tools

R-Drive Image

utility that provides creation of disk image files for backup or duplication purposes. Chapter 2 Software Tools

Rules of Forensics Investigation

• Limit access and examination of the original evidence • Record changes made to the evidence files • Create a chain of custody document • Set standards for investigating the evidence • Comply with the standards • Hire professionals for analysis of evidence • Evidence should be strictly related to the incident • The evidence should comply with the jurisdiction standards • Document the procedures applied on the evidence • Securely store the evidence Chapter 1