Digital Forensics


What do police need in order to search someone's property?

A search warrant

Affidavit

A sworn statement of support of facts about or evidence of a crime. Must include exhibits that support the allegation

A basic investigation plan should include the following activities:

1. Acquire the evidence
2. Complete an evidence form and establish a chain of custody
3. Transport the evidence to a computer forensics lab
4. Secure the evidence in an approved secure container
5. Prepare your forensics workstation
6. Retrieve the evidence from the secure container
7. Make a forensic copy of the evidence
8. Return the evidence to the secure container
9. Process the copied evidence with computer forensics tools

What are businesses advised to specify?

An authorized requester, a person who has the power to initiate investigations

Policies can address rules for which of the following?
When you can log on to a company network from home
The Internet sites you can or can't access
The amount of personal e-mail you can send
Any of the above

Any of the above is the answer.

Digital Evidence First Responder (DEFR)

Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence

What is professional conduct, and why is it important?

Behavior required of an employee in the workplace or other professional settings; it is important because it determines how credible you are.

Is it possible to figure out someone's password without them telling you? If the answer is yes, what are some things that make it harder to do so?

Brute force
Rainbow tables
Dictionary attacks

List three items that should be on an evidence custody form.

Case number, investigating organization, and investigator.

What do you call a list of people who have had physical possession of the evidence?

Chain of Custody

Computers can contain information that helps law enforcement determine:

Chain of events leading to a crime
Evidence that can lead to a conviction

Investigating digital devices includes:

Collecting data securely
Examining suspect data to determine details such as origin and content
Presenting digital information to courts
Applying laws to digital device practices

Examples of groups with authority

Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
Internal auditing
The general counsel or legal department

Network intrusion detection and incident response

Detects intruder attacks by using automated tools and monitoring network firewall logs

Guidelines when initiating an investigation

Determine whether this investigation involves a possible industrial espionage incident
Consult with corporate attorneys and upper management
Determine what information is needed to substantiate the allegation
Generate a list of keywords for disk forensics and sniffer monitoring
List and collect resources for the investigation
Determine the goal and scope of the investigation
Initiate the investigation after approval from management

Business can avoid litigation by:

Displaying a warning banner on computer screens that informs end users that the organization reserves the right to inspect computer systems and network traffic at will

Private-sector crimes can involve:

E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage

List two types of digital investigations typically conducted in a business environment.

Email and internet abuse.

List two items that should appear on a warning banner.

Entry into the system and network is not allowed, and use of this system and network is only for official business.

Why should evidence media be write-protected?

Evidence media should be write-protected so that the data cannot be altered.

Planning considerations

Examine all e-mail of suspected employees
Search Internet newsgroups or message boards
Initiate physical surveillance
Examine facility physical access logs for sensitive areas
Determine the suspect's location in relation to the vulnerable asset
Study the suspect's work habits
Collect all incoming and outgoing phone logs

Digital forensics and data recovery refer to the same activities. True or False?

False

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False

You should always prove the allegations made by the person who hired you. True or False?

False

Private-sector investigations, what it involves, and its ultimate goals

Focus more on policy violations
Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes
The job is to minimize risk to the company

Police in the United States must use procedures that adhere to which of the following?

Fourth Amendment

Steps to conducting an industrial espionage case

Gather all personnel assigned to the investigation and brief them on the plan
Gather resources to conduct the investigation
Place surveillance systems at key locations
Discreetly gather any additional evidence
Collect all log data from networks and e-mail servers
Report regularly to management and corporate attorneys
Review the investigation's scope with management and corporate attorneys

Digital Evidence Specialist (DES)

Has the skill to analyze the data and determine when another specialist should be called in to assist

Evidence custody form

Helps you document what has been done with the original evidence and its forensics copies

Ask yourself the following questions:

How could you improve your performance in the case?
Did you expect the results you found?
Did the case develop in ways you did not expect?
Was the documentation as thorough as it could have been?
What feedback has been received from the requesting source?
Did you discover any new problems? If so, what are they?
Did you use new techniques during the case or during research?

What are some ways to determine the resources needed for an investigation?

To determine the resources needed for an investigation, one must determine the OS of the suspect computer and list the software that would be used for the examination.

Professional conduct

Includes ethics, morals, and standards of behavior

Public-sector investigations

Involve government agencies responsible for criminal investigations and prosecution

The role of a digital forensics professional is?

To gather evidence to prove that a suspect committed a crime or violated a company policy
Collect evidence that can be offered in court or at a corporate inquiry
Investigate the suspect's computer
Preserve the evidence on a different computer

How is data recovery different from digital forensics?

It involves retrieving information that was deleted by mistake or lost during a power surge or server crash

What is a container?

It is a digital device that contains evidence of criminal activity.

What is a tool?

It is a digital device that is used to commit a crime.

What is a target?

It is a digital device that is the target of the crime.

What's the purpose of an affidavit?

It is mainly used in order to justify issuing a warrant or dealing with abuse in a corporation.

What's the purpose of maintaining a network of digital forensics specialists?

It's good to have a specialist readily available to call in to help with a case you either cannot solve or need help with.

Multi-evidence form

Lists all items associated with a case

Single-evidence form

Lists each piece of evidence on a separate page

Steps for problem solving

1. Make an initial assessment about the type of case you are investigating
2. Determine a preliminary design or approach to the case
3. Create a detailed checklist
4. Determine the resources you need
5. Obtain and copy an evidence drive
6. Identify the risks
7. Mitigate or minimize the risks
8. Test the design
9. Analyze and recover the digital evidence
10. Investigate the data you recover
11. Complete the case report
12. Critique the case

Digital investigations

Manages investigations and conducts forensics analysis of systems suspected of containing evidence

If the police think your computer has been used in a crime, can they search it without a warrant?

No

What is the difference between steganography and cryptography?

Steganography hides the existence of the data, so no one knows there is anything to protect. Cryptography protects the data itself: everyone can see it, but no one can read it.

Fourth Amendment

Protects everyone's right to be secure from search and seizure. Separate search warrants might not be necessary for digital evidence

What are the two distinct categories of investigations?

Public investigations
Private or corporate investigations

Digital investigations fall into two categories:

Public-sector investigations
Private-sector investigations

Steps for conducting an ACP case

Request a memorandum from the attorney directing you to start the investigation
Request a list of keywords of interest to the investigation
Initiate the investigation and analysis
For disk drive examinations, make two bit-stream images using different tools for each image
Compare hash signatures on all files on the original and re-created disks
Methodically examine every portion of the disk drive and extract all data
Run keyword searches on allocated and unallocated disk space
For Windows OSs, use specialty tools to analyze and extract data from the Registry
For binary data files such as CAD drawings, locate the correct software product
For unallocated data recovery, use a tool that removes or replaces nonprintable data
Consolidate all recovered data from the evidence bit-stream image into folders and subfolders

Chain of custody

Route the evidence takes from the time you find it until the case is closed or goes to court

Attorney-client privilege (ACP)

Rules for an attorney

Systematically outline the case details

Situation
Nature of the case
Specifics of the case
Type of evidence
Known disk format
Location of evidence

Line of authority

States who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

Vulnerability/threat assessment and risk management

Tests and verifies the integrity of stand-alone workstations and network servers

Digital Forensics

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

What is cryptography?

The art of writing or solving codes (i.e., encryption).

What must an investigator be able to do?

The person must be able to exhibit the highest level of professional behavior at all times
Maintain objectivity
Maintain credibility by maintaining confidentiality
Should also attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools

What is steganography?

The practice of concealing messages or information within other nonsecret text or data.

List three items that should be in your case report.

There needs to be an explanation of standard computer and network techniques used, an account of the steps you took, and a description of your findings.

Why should you critique your case after it's finished?

To decide what changes you made during the case for the better, what could have been changed, and how to apply what you learned to future cases.

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?

True

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True

Sample text that can be used in internal warning banners:

Use of this system and network is for official business only
Systems and networks are subject to monitoring at any time by the owner
Using this system implies consent to monitoring by the owner
Unauthorized or illegal users of this system or network will be subject to discipline or prosecution

The triad of computing security includes which of the following?

Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation.

Federal Rules of Evidence (FRE)

Was created to ensure consistency in federal proceedings
Signed into law in 1973
Many states' rules map to this law

FBI Computer Analysis and Response Team (CART)

Was formed in 1984 to handle cases involving digital evidence.

If you work in a business and they think your work computer has been used to embezzle from the company, can they search it without a warrant?

Yes

What are the necessary components of a search warrant?

You need an affidavit that shows the evidence needed to conduct an investigation.

Why should you do a standard risk assessment to prepare for an investigation?

You should do a standard risk assessment so that you know the risks that could stop an investigation.

Six Ws:

who, what, when, where, why, how

