Chapter 13 Digital Forensics

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

If the case comes to trial and the analyst is called he or she will have two duties

1. Analyst must testify to his/her direct experience. Analyst may testify about everything from receiving the initial evidence to the final report. 2. Analyst may play the role of a technical expert, qualified to give summaries and opinions as to the meaning of evidence.

Two imperatives of hard drive manufacturers:

1. Storage Density 2. Speed

Hash

A number generated by an algorithm from a text string. Also known as a message digest.

hex editor

A type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.

L2 cache

A type of memory cache that is slightly slower than L1 cache, but has a much larger capacity, ranging from 64 KB to 16 MB. (SLOWER BUT HOLDS MORE INFO)

L1 Cache

Cache used by a CPU for short-term storage of data and instructions. It is the fastest and closest to the CPU.

The image produced should be written to a true, write once media such as a

DVD-R or CD-R

EFS

Encrypting File System.

True or False: Field Acquisition is the preferred method

False: Because failure to maintain control of the evidence device can also lead to problems in establishing the authenticity or chain of custody of the evidence in court (least preferred bc makes it easier for defense to undermine your testimony)

The forensic analyst's process must include a step to calculate an ___________ hash of the evidence device

MD5

Most important task for examiner

Maintaining the continuity of evidence from the source to the final anlysis product.

The examination of stored data is often referred to as _________ analysis

Post-Mortum

Write blocker

Prevents data writes to a hard disk. Usually used on the windows operating system to prevent the analysts lab computer from writing data to the HD.

True or False: Analysis creates investigation leads and summaries not evidence

True

True or False: Logical copies do not produce latent data

True

True or False: Rule of evidence: original evidence, not a copy be brought to court

True

True or false: Bulk of evidence is from active files

True

Lossless Compression

a data compression algorithm that allows the original data to be perfectly reconstructed from the compressed data.

Direct-access storage

a storage method that allows a data-retrieval mechanism to quickly find data

The Gold Standard

an analyst must be able to reliably reproduce any result from procedure notes and a copy of the original data seized.

Digital evidence is more easily ____________ than physical evidence

authenticated

Best method of imaging the evidence drive is to create a _______ copy

bit stream. (also called a mirror or image)

Botable CDS

create a RAM drive and can be used to load larger programs, thus they do not alter data on the hard drive.

One of the most important characteristics of FAT systems is

deleted files aren't wiped from the drive.

Most common source of latent files is __________

deletion

Two broad classes of removable storage media:

direct access and sequential access.

Disk drives allow

direct storage access, they do not have stored information in sequential order like a magnetic tape or other device.

Storage Forensics

examination of information stored on a physical medium

hex editor can be used to _______________

examine intact files (active data) or obscured/deleted data (latent)/ Can access active and latent files without interfering with hard disks

Latent files

files that are not recognized by the OS, therefore, do not show up on a list of files.

A hash value is essentially the _________ of the digital data set

fingerprint

Electronic Crime Scene Investigation: A Guide for First Responders

intended to assist state and local law enforcement w ho may be responsible for preserving an electronic crime scene for recognizing, collecting, and safeguarding digital evidence.

RAM

largest reserve of info that supplies the processor

computer forensic packages

make it easier to find elements and establish elements of a crime -Can bring all the info form the hard drive at once -All digital data are stored as a pattern of bits -Generally validated by an external expert and used in standard practice

Physical medium

real world object that may be inside or outside the computer.

A bit stream copy

reproduces every bit of info found on the evidence device, even unused storage space.

Sequential access storage

requires longer to fast forward through unneeded data to find requested data

The expert witness presents

simplified explanations and abbreviations to the fact finder.

When information is stored on a physical medium, it is said to be __________

static

Activity Log

steps of analysis that must be organized in a consistent and reproducible fashion.

Power of the search

the ability of a search to achieve results; like when you misspell something and it helps you find stuff easier

Time access of Direct access storage

the time required to access data is reduced, making retrieval faster

True or False: Digital evidence is easier to authenticate than physical evidence

true

True or False: The image of a device is considered to be "best evidence"

true; The Federal Rule of Evidence allows unaltered digital evidence to be presented as a copy. A comparison of MD5 hashes can verify that the data is unaltered.

Structures of digital storage can be divided into two parts

volatile and nonvolatile storage

Active Files

word processing docs, spreadsheets, text files, graphics, etc


Ensembles d'études connexes

Chapter 11 NY Licensing: Medicare Supplement Insurance

View Set

Ch. 16 The Oceans, Coastal Processes, and Landforms -- GEOG 1710

View Set

Psych Exam #4 (Ch 11-19, 21-24, 32-35)

View Set

Financial Literacy Lesson 1- Banking Basics

View Set

Strategic Management: Chapter Nine

View Set

Managerial Accounting- Chapter 18

View Set

Reproductive System - Preparation for Lecture Exam

View Set

Practice Midterm Review - BIO LAB

View Set