Computer Forensics Final
What are some of the cloud artifacts that might be found on a suspect's hard drive if they were using cloud services?
Cloud login ID, cloud email, Dropbox files, Google Drive
What is the chain of custody? Why is it important especially in computer forensics?
A chain of custody form documents the route the evidence takes from the time it is collected until the case is closed or goes to court. This helps protect the evidence from being manipulated before or during a trial. It is important because it makes sure that evidence is not tampered with, and if it is, you will know who most likely did it.
What challenges are presented to the forensic investigator with respect to cloud usage in investigations?
Access to the data: we have to convince a judge that this sight-unseen cloud storage has data in it that could incriminate or exonerate the suspect. Then we need a judge to sign off on that and provide a subpoena to the cloud service provider, who will pass it to their legal department. So now we are not dealing only with the suspect, but also with the whole infrastructure of attorneys whose job it is to protect the people who store things in the cloud. Jurisdiction: when the cloud drive or medium containing the information is stored overseas or in other countries, figuring out whose laws we are abiding by.
Be able to explain what the BIOS is and what it is responsible for accomplishing. Explain what an Operating System (OS) is and what it is responsible for accomplishing. Understand the difference in what an OS is responsible for and what an application program is responsible for. Be able to articulate why this distinction is important.
BIOS (basic input/output system): makes sure all the other chips, hard drives, ports, and the CPU function together, and determines the boot order. OS: starts at power-on; responsible for talking to devices, managing the devices, managing the file system, and memory management. Application program: does not write files to the disk itself, but is responsible for making those files.
Understand and clearly articulate the three types of graphics file formats. Be able to explain the difference in bitmap and vector graphics. Why does this matter to a forensic analyst?
Bitmap: a series of pixels on a grid, where each dot/pixel has a particular color value and intensity value in RGB. Dependent on screen resolution for its image quality. Vector: uses lines, and uses mathematical formulas to calculate the lines. Can be resized without looking pixelated. Metafile: includes both bitmap and vector. Example: a picture taken with a camera is a bitmap graphic, and it is then put into a program like Adobe Illustrator, which can do vector graphics.
Understand how changing the file header of a graphics file can fool operating systems and application software. Be able to describe the process of editing header information to correct intentionally altered headers.
Can change the header to hide the file. Open the file with a hex editor and edit the necessary offset to change the file name.
Understand and be able to define the field of computer forensic science. Why is it different than data recovery and other forensic science fields such as chemistry, physics and biology?
Computer forensic science is used to discover evidence for a court of law in a criminal or civil case. It is different from data recovery because in data recovery you usually know what you're looking for, whereas in computer forensics the data is hidden. It is different from other forensic science fields because the evidence is used in court.
Explain what encrypted file systems are and the challenges they present to computer forensic scientists. How might one go about examining an encrypted file system?
Encrypted file systems employ technology that enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer. With encrypted file systems, a live acquisition is best → you need a key to get any information. To examine: try to crack the passcode → go to the suspect and try to obtain it, or find other devices that may have useful information regarding the passcode.
What are encrypted wireless networks? What are open public wireless networks? What challenges do encrypted networks pose to network forensic techniques? What are the dangers of using open public wireless networks?
Encrypted network: you need a key to acquire data. If you don't have the key, you cannot access the data, which can present problems for forensic scientists. Open network: anyone can access the data. Challenges/dangers: data privacy → someone can collect data from someone else on the network.
Explain what a "file system" is and be able to name the different types of file systems. Understand why it is important for a forensic scientist to know the difference in file systems.
File system: a systematic way to control how information is stored and retrieved. Different file systems behave differently, so you must be familiar with all of them. Types: NTFS, a proprietary file system developed by Microsoft; HFS+, the newest file system for Apple. It is important for a forensic scientist to know the difference between the file systems because files are stored and organized differently in each, and they need to know how to investigate them accordingly.
Be familiar with the four types of cloud deployments that a forensic investigator would commonly see in the field. How would forensic techniques vary for each of the deployments?
Four types of deployment methods for a cloud: Public: accessible to anyone. Private: can be accessed only by people who have the necessary credentials. Community: a way to bring people together for a specific purpose. Hybrid: enables a company to keep some information private and designate other files as public or community information.
What is an IP Address? Why is it important in computer forensics - what is the difference in an IP Address and a MAC address?
IP address (internet protocol address): a unique string of numbers separated by periods that identifies each computer using the internet protocol to communicate over a network. IP addresses are important in computer forensics because every computer that interacts with the internet is assigned an IP address → this can help discover which computer something (criminal activity) was done from. Each computer has a unique one. Some computers' IP addresses are permanent; some computers borrow an IP address while they are connected to the internet. IP addresses are not human friendly, so the IP address for most host machines is mapped to a domain name service (DNS) address in order to be more people friendly.
Understand and be able to describe how basic networking works. What is a packet? What relevant information is contained in network packets? Why is this important in computer forensics?
IP addresses (software). Packet: a small unit of a large amount of data. Breaking communication down into packets allows the same data path to be shared among many users in the network.
What is a MAC address in a computer or device - why is it important to computer forensics?
MAC address: a unique serial number assigned to each network adapter, making it possible to deliver data packets to a destination within a subnetwork.
Understand the basics of the Windows, Unix and Mac file systems.
Mac: hierarchical file system; data fork and resource fork; HFS and HFS+ came before macOS. Unix: multi-user, multithreaded, secure OS; four components: boot block, super block, inode block, and data block.
What is network monitoring? What information can be captured from a network? What are the legal issues surrounding network acquisition?
Network monitoring is the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator in case of outages or other trouble. Network monitoring is part of network management.
Understand and be able to articulate the issues with investigations that include large, active RAID arrays and how to acquire data from such systems.
RAID arrays that run a business cannot be shut down, as the entire business is running on them (the company could sue if you shut it down). Acquire data by doing a logical acquisition.
Be able to define and articulate the three main types of cloud services recognized today. What are they and what does each one mean - be able to use examples of each of the types of services.
SaaS: Google Apps. PaaS: doesn't live in your data center, lives on other people's computers. IaaS: the whole IT infrastructure goes onto someone else's computer (in the cloud).
What is a search warrant and why are they required? How does one obtain a search warrant? What is an affidavit? Why do search warrants matter to a computer forensic scientist or technician?
Search warrant: a court document that allows and specifies what can be legally searched and/or seized, based on probable cause or evidence presented in an affidavit. Affidavit: a statement of probable cause. This matters because you need to make sure the evidence will be usable in a court of law, and to make sure we can do what we need to do, for example only looking at specific files.
Understand and be able to describe the 2 types of acquisitions with respect to digital media. Be able to explain which type of acquisition would suit a particular case or circumstances if given the appropriate details. Understand the 4 methods of acquisitions and under what conditions they might be used.
Static: most common and most preferred. Evidence has been seized and probably turned off; plug it into a write blocker and do one of the 4 types of acquisition on it.
Live: machine is on and running. If the computer is on and not encrypted, files are decrypted.
4 methods of acquisition:
Disk to disk: bit-for-bit replication of the original drive; includes unallocated space; most common and most flexible.
Disk to image: bit for bit; copies the entire disk to a similar disk; includes unallocated space; use when disk to image is not available.
Logical disk to disk: copies of files that are specified by the warrant / in the case; not bit by bit; use when time is limited or when you have large disks.
Sparse copy method: could include unallocated space; use when time is limited or when you have large disks.
What is steganography? Why is it important in computer forensics?
Steganography is a method of hiding data by using a host file to cover the contents of a secret message, for example hiding text in a picture or image. A criminal might hide a message or critical information for evidence in a picture, and you must be able to find it.
Understand and be able to describe virtual machines. What are they, what purpose do they serve? What are the issues and challenges around acquisition of VMs? What are some telltale signs that a VM was used on a suspect computer?
Virtual machines are used extensively in organizations and are a common part of forensic investigations. Investigators must be familiar with file extensions that indicate the existence of VMs. They help offset hardware costs for companies and are handy when you want to run legacy or uncommon OSs or software. Live acquisitions: a problem faced is the order of volatility, which determines how long a piece of information lasts on a system. Data such as RAM and running processes might exist for only milliseconds; other data, such as data stored on the hard drive, might last for years. To determine whether a VM is present: look in the Users/Documents folder, check the host registry for clues of installation/uninstallation, and look for the existence of a virtual network adapter.