Digital Forensics EXAM 1
SATA (serial ATA)
Better cable and speed; no jumpers; direct connection to the controller (no chaining of devices)
Child Exploitation
Chat log, photo/video, image editing software, internet/SNS activity, movie files, relevant file and directory names
Power On Self Test (POST)
Checks the BIOS chip and then tests CMOS RAM; checks the video card, hard drives, floppy drives, ports, keyboard and mouse, etc. If everything functions properly, the CPU is initialized successfully.
Search Warrant
Clearly state what you are searching for. Clearly state the area in which you are authorized to search. Be signed by a judge.
Forensic Investigation Process (American Board of Information Security and Computer Forensics)
Collection, Examination, Analysis, Reporting
Civil Investigations
Conducted in case of IPR risk, a company's network security breach, or unauthorized use of company resources, e.g., intrusion, DoS attack, malicious code/communication, misuse, etc.
Internal Investigations
Conducted in case of violation of company policies and guidelines
As an instrument of the crime
Cyber stalking and bullying, identity theft, pirated computer software, forgery or falsification of documents, corporate fraud, terrorism and national security
CHS
Cylinder address (C), Head number (H), Sector address (S). Based on the physical address. Obsolete, but older computers still use it.
True
A DF investigator does not need the deepest understanding of theoretical CS knowledge but must have familiarity with a wide range of subject matter.
reconstruction (Physical)
Develop theories - Phase Goals (Physical)
Legally obtained
Different regulations apply to internal, civil and criminal investigations; criminal investigation is the most restrictive in terms of legal requirements.
incident, laboratory
Digital forensics hardware tools can be used for _______ response and forensic _____.
law, hardware
Digital forensics requires knowledge of ____ and computer science as well as various forensic _____ and software tools.
Corporate/private Investigation
E.g., employees who violate the company's security policy
Locard's Exchange Principle
Everything that enters a crime scene does two things. It leaves part of itself behind, and it takes part of the scene with it.
Relevance
Evidence must have a bearing on the event being investigated. Information about an unrelated crime cannot be used as evidence for the case.
Authenticity
The evidence presented came from where the person presenting it claims it did.
original
Evidence presented in court should be ______ and the actual item investigated or examined.
printout of computer data
The Federal Rules of Evidence consider a ____________ to be "original" if it can be read by sight and if it accurately represents the stored data.
Documentary evidence
Files, logs, e-mail
Computer Fraud
Financial and asset data, credit card data, emails
Digital Forensics Hardware Tools
Forensics computers, write-blocking devices, imaging devices (disk duplicators), data wiping devices, encryption hardware
hard disk
The HPA is created at the end of the _____.
Guidelines for entering technical evidence into U.S. Court:
Has the procedure been published in journals and generally accepted? Has the procedure been independently tested, and what is the error rate?
Name found on a floppy disk
How was the BTK killer caught?
little-endian
IA32-based systems (e.g., Intel Pentium) and their 64-bit counterparts use the ______ ordering.
Examination
Identify and extract the relevant information from the collected data, using appropriate forensic tools and techniques, while continuing to maintain integrity of the evidence.
Survey(Digital)
Identify obvious evidence (in lab) - Phase Goals (Digital)
Collection (Acquisition)
Identify, isolate, label, record, and collect the data and physical evidence related to the incident being investigated, while establishing and maintaining integrity of the evidence through chain-of-custody.
Guideline for First Responder
If the computer is on, leave it on. If the computer is off, leave it off. No technical assistance from anyone unauthorized should be allowed. Avoid compromising physical evidence (fingerprints, blood, DNA, etc.) on computer devices (mouse, keyboard, etc.). Protect yourself from biohazards.
Pull the plug
Immediately halts processing but destroys data in memory and can corrupt files. Data in memory could be collected using a "cold boot" attack or a DMA attack.
Search & Collection (Physical)
In-depth search - Phase Goals (Physical)
3 types of forensic investigations
Internal, Civil, Criminal
True
Judge can render the evidence admissible or inadmissible
LBA (Logical Block Address)
LBA address 0 = CHS address 0,0,1; LBA address 1 = CHS address 0,0,2; CHS 0,1,1 = sector 1 of the second head in the same cylinder
Incident Response - Corporate
In a large company, the incident responder might be a technician-level employee in security or information technology. In a small company, the network administrator or security officer might also be the incident responder.
Four, 4
The MBR includes a partition table which has _____ entries (up to ____ partitions).
Network intrusion and hacking
Network user id and IP addresses, virus and spyware, system logs, etc.
Chain of Custody
A critical function of investigation that continuously records log information of each and every action that is taken on or against a piece of evidence and of every movement that evidence makes from the moment an object is identified as having evidentiary value. Critical for evidence admissibility.
Digital Forensics
A discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law.
Cluster
A group of sectors; the allocation unit of data in file systems
forensic image
A proper _______ can be considered Best evidence if the original evidence has been returned to its owner.
ASCII stands for the
"American Standard Code for Information Interchange"
ATA/IDE
(Integrated Disk Electronics) or PATA. IDE means a hard disk has a built-in logic board. An IDE disk uses the ATA interface with 40- or 44-pin connectors.
SCSI
(Small Computer Systems Interface). More costly, used mainly for servers. Various connector types (difficult to carry them all).
DOJ guidelines - late 1990s
Preparation: prepare equipment and tools; Collection: search the physical location for possible digital evidence and acquire it (e.g., collect or copy digital media); Examination: review the media for evidence (initial screening); Analysis: review the results for their value in the case; Reporting: document the results of the investigation
Digital Investigation in 6 Steps - by Casey (2004)
1) Identification/Assessment, 2) Collection/Acquisition, 3) Preservation, 4) Examination, 5) Analysis, 6) Reporting
documentation (Digital)
Photo & description of digital device - Phase Goals (Digital)
documentation (Physical)
Photograph, sketches, evidence/scene maps - Phase Goals (Physical)
(Paul Kirk, 1953)
Physical evidence cannot be wrong or wholly absent. Only human failure to find it, study it and understand it can diminish its value.
Preservation (Digital)
Prevent changes (network isolation, collecting volatile data, copying the entire digital environment) - Phase Goals (Digital)
Complementary Metal Oxide Silicon (CMOS)
RAM with battery
Reporting
Reporting the results of the analysis, including: findings relevant to the case, actions that were performed, actions left to be performed, and recommended improvements to procedures and tools
Incident Response
Response to a computer crime, security policy violation, or similar event. Secure, preserve and document digital evidence. Happens BEFORE the forensic analysis begins. The incident responder is not necessarily the forensic specialist who will conduct the analysis of the digital evidence.
Securing the Scene (by first responder or DFI (Digital Forensics Investigator))
Safety first. Integrity (computer, data, network) second. Then secure the evidence.
Preservation (Physical)
Secure entrance/exit; prevent changes - Phase Goals (Physical)
Reliability
There should be no question about the truth of the investigator's conclusion. Use standardized/verified forensic tools and methods (see the Daubert guideline). Investigator qualifications.
reconstruction (Digital)
Similar to physical - Phase Goals (Digital)
Big Endian
Sun SPARC and Motorola PowerPC (e.g., Apple computers) systems use _______ ordering.
No search warrant is required if...
The "plain view" doctrine says that an officer can seize evidence that is in plain view as long as: the officer is legally present at the site of the evidence, the officer can legally access the evidence, and the officer has probable cause to believe that the evidence or contraband is related to a crime. A device can also be seized if there is the owner's written consent acknowledging future forensic examination by a trained examiner.
Analysis Phase
The case is typically "solved" in this phase.
True
The purpose of a partition system is to organize the layout of a volume.
Sector
The smallest addressable unit of storage
Three ways of storing a Unicode character
UTF-32, UTF-16, UTF- (UTF = Unicode Transformation Format)
Survey (Physical)
Walk through the scene; identify evidence - Phase Goals (Physical)
Shut down
Writes entries into the system activity logs (changes the state of the evidence)
Digital forensics
_____ is a discipline that collects and analyzes data from computing devices to find court-admissible evidence.
Digital evidence
______ must be authentic, reliable, relevant, integrity-guaranteed, and legally obtained to be admissible in a court.
Host Protected Area (HPA)
A special area of the disk that can be used to save data; a casual observer (including the OS) might not see it.
an Incident Responder
A sworn law enforcement officer or "crime lab" technician can be ______.
secondary file system partition
Also called a logical partition in Windows; it is located inside the primary extended partition bounds and contains a file system or other structured data.
ASCII
assigns a numerical value to the characters in American English.
As a target of the crime
e.g., computer network intrusion, DDoS attack
The Case of Daubert v. Merrill Dow Pharmaceuticals (1993)
established new criteria to determine the reliability, relevancy, and admissibility of scientific evidence
A volume
is a collection of addressable sectors that an Operating System (OS) or application can use for data storage. The sectors in a volume need not be consecutive on a physical storage device
Partition
is a collection of consecutive sectors in a volume.
secondary extended partition
is a partition that contains a partition table and a secondary file system partition.
primary file system partition
is a partition whose entry is in the MBR and the partition contains a file system or other structured data.
primary extended partition
is a partition whose entry is in the MBR, and the partition contains additional partitions.
MBR (MASTER BOOT RECORD)
is in the first 512-byte sector of a disk
Integrity
was not altered in any way during examination, and there was no opportunity for it to have been replaced or altered in the interim
Forensic Tools
Network forensics, mobile device forensics, activity tracking device forensics, etc.
American English
ASCII works if you use ______ only; it is limited for the rest of the world because their native symbols cannot be represented.
True
According to some studies, almost 95 percent of criminals leave evidence which could be investigated through computer forensic procedures.
Unicode
Allows for characters beyond English, e.g., Japanese
Basic Input Output System (BIOS)
Also known as System BIOS, ROM BIOS or PC BIOS
Search & Collection (Digital)
Analysis of the system for non-obvious evidence - Phase Goals (Digital)
Analysis
Analyze the results of the examination to generate useful answers to the questions presented in the previous phases.
Real evidence
Things you can carry to court and show
System-to-System Disk Imaging
This method uses two separate computer systems: the suspect system and a specialized forensics imaging system.
The Fifth Amendment
To prevent the government from ever forcing a citizen to provide self-incriminating testimony.
The Fourth Amendment
To prohibit unreasonable searches and seizures and require warrants to be judicially sanctioned and supported by probable cause.
Demonstrative evidence
To recreate or explain other evidence
Testimonial evidence
To support or validate other evidence types
True
Digital forensics includes computer forensics as well as forensics on all other digital devices capable of storing digital data.
Corporate/private Investigation
Not subject to the same "search and seizure" rules and Fourth Amendment issues; often involves misuse or abuse of company assets, falsification of data, discrimination, harassment, and similar matters likely to involve litigation.
False
Passwords for protected/encrypted data can be forcibly acquired with a warrant.
Forensic
relating to the use of scientific knowledge or methods in solving crimes