Final Exam Study Sheet


disk to disk copy

A bit-by-bit duplicate of the data on the original storage medium. The data is copied to a newer drive in a way that allows the new drive to be an exact copy of the original. This technique is used for older drives, where a disk to image copy cannot be attained.

Live Acquisition

A data acquisition method used when a suspect's computer can't be shut down to perform a static acquisition. Captured data might be altered during the acquisition because it's not write-protected. Live acquisitions aren't repeatable because data is continually being altered by the suspect computer's OS.

Static acquisition

A data acquisition method used when a suspect's drive can be, or is, powered off. The data in a static acquisition is write-protected and can't be altered. If disk evidence is preserved correctly, static acquisitions are repeatable.

Understand and be able to describe disk partitions (logical disk) with a windows file system. What is a partition, why would there be more than one? Why is it important to understand as a computer forensic scientist?

A disk partition is a logical disk that acts like a physical disk. It is programmed on the disk: although it is one hard drive, the software tells it how it should be divided. A criminal can create a separate partition and hide that partition.

What challenges are presented to the forensic investigator with respect to cloud usage in investigations?

Access to the data: we have to convince a judge that this cloud storage, sight unseen, has data in it that could incriminate or exonerate the suspect. Then we need a judge to sign off on that and provide a subpoena to the cloud service provider, who will pass it to their legal department. So now we are not dealing with the suspect alone, but also with the whole infrastructure of attorneys whose job it is to protect the people who store things in the cloud. Jurisdiction is another challenge: when the cloud drive or medium containing the information is stored overseas or in other countries, we have to figure out whose law we are abiding by.

the 5 basic functions of digital forensic tools.

Acquisition
Validation & Verification
Extraction
Reconstruction
Reporting

Mac

Before: Hierarchical File System (HFS), files stored in nested directories
Extended format file system (HFS+)
Apple File System (APFS): when data is written to a device, metadata is also copied to help with crash protection.
A file consists of 2 parts:
Data fork: contains the data the user creates, e.g. text or spreadsheets
Resource fork: contains additional information

What is a chain of custody?

Chain of custody is the documented and unbroken transfer of evidence.

Why is computer forensics different than data recovery and other forensic science fields such as chemistry, physics and biology?

In CFS, you may be searching for data that has been intentionally hidden, and you are preparing evidence for a court of law. Data recovery involves retrieving information that was deleted by mistake or lost during a power surge or server crash.

What is steganography? Why is it important in computer forensics?

Hiding text in a picture or image. Criminal might hide a message or critical info in a picture and you must be able to find it.

Explain what encrypted file systems are and the challenges they present to computer forensic scientists. How might one go about examining an encrypted file system?

The suspect's cooperation in handing over the encryption key is the weakest link in anything that can be decrypted. Also look for other devices or cloud storage that may hold copies that aren't encrypted. A BitLocker key would usually be on a USB drive or in a cloud service somewhere; it will never be on the same computer as the encrypted one.

Why is chain of evidence important especially in computer forensics?

It is important in order to preserve evidence from the time it is collected to the time it is presented in court.

why are cloud deployments important?

It is important to know what type of cloud is being used, because it could make a huge difference on what type of tools and techniques we could use to collect evidence.

differences between Linux and macOS

Linux has the /home/username and /root directories.
In macOS, the folders are /users/username and /private/var/root.
The /home directory exists in macOS but it is empty.
macOS users have limited access to other user accounts' files, and the guest account is disabled.

What are metadata when referring to an image file? What might this metadata contain? Why might this be important in an investigation?

Metadata is data about the data; it contains when the file was created, modified, or opened. Graphic image metadata

Understand and be able to articulate what is the field of computer forensics science.

Digital forensics: The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

Understand how changing the file header of a graphics file can fool operating systems and application software. Be able to describe the process of editing header information to correct intentionally altered headers.

The file header is the way the OS determines what kind of file type it is. People can change the header to mask a file. The process of editing header information to intentionally alter headers involves opening a hex editor or file editor, editing whatever offset is necessary to change it to a different file type, saving it as a new file, and seeing if you can open it through that file type.

Explain what a "file system" is and be able to name the different types of file systems. Understand why it is important for a forensic scientist to know the difference in file systems.

File system: a systematic way to control how information is stored and retrieved. Different file systems and OSs behave differently, so you must be familiar with all of them. It gives the OS a road map to the data on a disk. A file system determines the way an operating system stores files on disk. NTFS is a proprietary file system developed by Microsoft. HFS+ is the newest file system for Apple. It is important because different file systems (Windows, Linux, Mac) store and organize files differently. It is important to know the differences between file systems because the files that can be held as evidence can be found in different places in different OSs.

Unix

Second and third extended file system
Fourth extended file system: improved management of large files and offered more flexibility
Everything is a file
Standard file system for most distributions
Consists of 4 components:
Boot block: located in the main disk
Super block: keeps track of inodes, manages the file system
Inode block: first data after the super block, assigned to every allocation unit
Data block: directories stored on the disk drive, location linked directly to inodes

Why do search warrants matter to a computer forensic scientist or technician?

The details of a search warrant affect which parts of a computer can be searched.

Explain the fourth amendment of the U.S. constitution. Why is it important to the field of computer forensics?

The fourth amendment protects everyone's rights to be secure in their person, residence, and property from UNREASONABLE search and seizure, requires a warrant issued on probable cause which particularly describes the place to be searched.

Understand what the Windows Registry is, what it is used for and why it is important for a computer forensic scientist to understand it.

The registry has a lot of info about the system and applications, describes the system (password recovery).

validation and verification

Validation: a way to confirm that a tool is functioning as intended. Verification: the process of proving that 2 sets of data are identical by calculating hash values or using another similar method.

what purpose virtual machines serve?

Virtual machines are used extensively in organizations and are a common part of forensic investigations. Investigators must be familiar with file extensions that indicate the existence of VMs. They help offset hardware costs for companies and are handy when you want to run legacy or uncommon OSs or software.

Be able to explain in general terms what a RAID storage array is and why their use can be problematic for data acquisition.

R.A.I.D. stands for Redundant Array of Inexpensive or Independent Disks; it takes multiple hard drives and makes them run as one. RAID makes it hard for forensic investigators to do data acquisition because one file may be broken up across several locations, and when that file is deleted, parts of the file may be gone and some not. Sparse/logical copy acquisition is the best bet because it lets you choose what data you want to acquire, and it is faster.

what are virtual machines?

Running an OS inside another OS

three main types of cloud services

SaaS, PaaS, IaaS

How does one obtain a search warrant?

Search warrants are obtained by the police, who submit an affidavit, which is a signed document expressing why and how a person's property should be searched.

Understand the basics of the Windows, Unix and Mac file systems.

Windows uses folder, Linux uses directories.

Understand the difference in what an OS is responsible for and what an application program is responsible for. Be able to articulate why this distinction is important

Application programs such as Word, Internet Explorer, or a file manager do not write files to the disk, but are responsible for making those files.

metafile

A file that includes both bitmap and vector graphics. For example, a picture taken with a camera is a bitmap graphic; it can then be put into a program like Adobe Illustrator, which can do vector graphics.

Bitmap

A series of pixels on a grid, where each dot/pixel has a particular color value and intensity value in the RGB sector. Dependent on screen resolution for its image quality.

What is a MAC address in a computer or device?

a unique serial number assigned to each network adapter and device, making it possible to deliver data packets to a destination within a subnetwork.

community cloud

a way to bring people together for a specific purpose

Public cloud

accessible to anyone (goes through the cloud service provider)

explain what the BIOS is and what it is responsible for accomplishing

Basic Input Output System. The booting process that exists in ROM and can determine the order of what is to run. This is important to know in case this order would destroy evidence.

the three types of graphics file formats

bitmap, vector, metafile

private cloud

can be accessed only by people who have the necessary credentials (needs some kind of cooperation of an entity in order to get into the cloud)

logical copy

captures only specific files of interest (does not capture deleted data)

sparse copy

Collects fragments of unallocated (deleted) data. Used for large disks.

disk to image copy

Creates a bit-for-bit replication of the original drive in the form of an image. This technique offers the most flexibility because making further copies is easy, and most digital forensics tools read this format.

what are the four methods of acquisition?

disk to disk copy
disk to image copy
logical
sparse

hybrid cloud

enables a company to keep some information private and designate other files as public or community information

why are packets and networks important for computer forensics?

in order to determine the source of network security attacks.

why are MAC addresses important to computer forensics?

It provides the most unique ID that a device can have. Since this address comes attached to the hardware of the device, it can provide useful information for a forensic investigation in terms of the exact device that was used as a means in a computer crime.

what are the two types of acquisitions?

live, static

Be knowledgeable enough with a Unix command line to log into a Linux server, change to a specified directory, read the contents of a file and report its contents.

ls: list
cd: change directory (/home directory)
cp: copy
mv: move or rename
mkdir: make directories
pwd: print working directory
root: owner of file
less/more, cat: reads/shows a file

Explain what an Operating System (OS) is and what it is responsible for accomplishing

Manages the system and the memory; reads, writes, and executes files; and loads the drivers. It is important to know different OSs because knowing which OS you are working with might change your investigation strategy.

What is an IP Address

A numerical label used to identify a computer/device within the network. Serves 2 functions: host or network interface identification (who they are) and pinpointing location (where they are).

What is network monitoring?

The process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack took place.

four types of cloud deployments

public, private, community, hybrid

What relevant information is contained in network packets

the sender's IP address, the intended receiver's IP address, something that tells the network how many packets the message has been broken into and the number of this particular packet. The packets also carry the data in the protocols that the Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet contains part of the body of your message.

public wireless network

Unsecured, without a password.

What are encrypted wireless networks?

Uses encryption to secure your network from intruders.

vector

Uses lines, and uses mathematical formulas to calculate the lines. Can be resized without looking pixelated.

types of file systems

Windows: FAT, NTFS
Mac: Hierarchical File System, Apple File System
Unix: fourth extended file system

Acquisition

- the process of creating a duplicate image of data.
Physical data copy
Logical data copy
Data acquisition format
Command-line acquisition
GUI acquisition
Remote, live, and memory acquisitions

extraction

- the process of pulling relevant data from an image and recovering or reconstructing data fragments.
Data viewing
Keyword searching
Decompressing or uncompressing
Decrypting

reconstruction

- the process of rebuilding data files.
Disk-to-disk copy
Partition-to-partition copy
Image-to-disk copy
Image-to-partition copy
Rebuilding files from data runs and carving

What does the term "reasonable expectation of privacy" mean?

A reasonable expectation of privacy means that if a reasonable person were in a particular situation, they would expect privacy. For example, writing a letter at your desk in your room with the door closed: reasonable expectation of privacy. Talking on the phone in public: no reasonable expectation of privacy.

What is a search warrant, why are they required?

A search warrant is a document issued by a judge, stating that a person's property or residence may be searched and listing the things that may be searched. A search warrant is required because of the Fourth Amendment to the Constitution, which protects Americans from unreasonable search and seizure.

reporting

Bookmarking or tagging
Log reports
Report generator

Explain what encrypted file systems are and the challenges they present to computer forensic scientists. How might one go about examining an encrypted file system?

An encrypted file is incomprehensible to the human eye; you would need a key to decode or decrypt the file.

Be able to discuss in detail the importance of report writing in forensic investigations. What are the key attributes of good forensic report writing and why are they important?

Forensic reports summarize the substantive evidence in a criminal case. These reports are very important to a case, since improper processing of the data or missing key evidence can mean the difference between winning and losing a case. The key attributes of a good forensic report are that it has to be clear, concise, unbiased, and non-technical.

Be able to outline the steps necessary for the conduct of a digital forensic investigation. Beginning with the execution of a warrant, acquisition, detailed examination planning, conducting the investigation and note taking, and ending with creating a final report.

Get a search warrant based on probable cause
Collect evidence
Put evidence in a static bag
Lock/block evidence in an evidence locker
Sign the chain of custody forms
Wear a wrist strap to protect against static electricity in your forensic lab
Create a write-blocked image acquisition of the evidence media
Return all the originals to the evidence locker
Hash the evidence and the disk image to make sure both are identical and nothing has been altered
Search for information and media based on the OS and the file system, application files, media files, and graphics files
Look for hidden files
Look for deleted files in unallocated space and in registries
Run through Autopsy
Take notes during the investigation according to a plan
Document everything you are doing
Write up your final report
Submit the report

What are some of the cloud artifacts that might be found on a suspect's hard drive if they were using cloud services?

Google Drive and Dropbox use synchronization algorithms, so they would have a folder on the hard drive called Dropbox or Drive. Look in the Registry for software that is installed. Also check log files for all the transactions that happen in the synchronized folders.

Windows

Grouped into clusters from 512 - 32000 bytes each
When the OS stores data in FAT, it is assigned clusters that are chained together
If the next available cluster isn't contiguous to the current cluster, the file becomes fragmented
File Allocation Table (FAT): originally designed for floppy disks; FAT16, FAT32, and exFAT used for mobile storage
NT File System (NTFS): introduced with Windows NT; primary file system for Windows 10
Improvements over FAT file systems: NTFS provides more information about a file and gives more control over files and folders
NTFS was Microsoft's move toward a journaling file system: it records a transaction before the system carries it out
Records in the MFT contain attribute IDs that store metadata about files
In NTFS, alternate data streams can obscure information that might be of evidentiary value
File slack, RAM slack, and drive slack are areas in which valuable information can reside on a drive
NTFS can encrypt data with EFS and BitLocker
NTFS can compress files, folders, or volumes
The Windows Registry keeps a record of attached hardware, user preferences, network connections, and installed software
Virtualization software enables you to run other OSs on a host computer

Be able to explain how a hard drive works in basic magnetic terms. Understand how this translates to an understanding of a bit-stream copy of digital evidence.

A hard drive can read and write information. This information is stored and written in bits, symbolized as 1s or 0s, on the hard drive magnetically.

Iaas

Infrastructure as a service (IaaS) - customers can rent hardware and install whatever OSs and applications they need (there would be servers in the cloud, and applications that run on servers in the cloud); best for startups.

identify and explain the components of a computer to include: input devices, processor, memory, storage, and output devices.

Input: mouse and keyboards
Output: monitors, printers, speakers
Memory: RAM stores variables and files while they are being created; RAM is volatile and requires power to hold data
Storage: hard drives, SSDs; where the computer saves files; storage is non-volatile
CPU: the central processing unit is the brain of the computer and tells the computer when and how to do something, like starting or stopping a process

Understand the steps to acquire a disk image from a USB key, find a deleted file, explore the contents and report on it.

Insert USB key
Copy contents to computer
Open a new case with software such as Autopsy or ProDiscover
Add the image as evidence
Search manually or use keyword searching to find deleted files (explain the difference between allocated and unallocated space)
Use the reporting tool to organize evidence, then write an explanation of each step you took in your investigation (explain that reports must be clear, in plain terms, and unbiased)

What are some telltale signs that a VM was used on a suspect computer?

Look in the Users or Documents folder (in Windows) or user directories (in Linux)
Check the host's Registry for clues that VMs have been installed or uninstalled
Existence of a virtual network adapter

The difference between an IP and Mac

MAC identifies the physical address of a computer, assigned by the manufacturer of the NIC card.
IP identifies the connections of a computer on the internet, assigned by the administrator or Internet Service Provider.

What is a packet?

A packet is the unit of data that is routed between an origin and a destination on the Internet and carries the information that will help it get to its destination.

Paas

Platform as a service (PaaS) - an OS has been installed on a cloud server

Be able to explain what the plain view doctrine is and how it relates to the field of computer forensics in digital evidence discovery.

Police may seize, without a warrant, items that are in plain view. Requirements are:
The police cannot use sensory enhancement devices
The police must have a legal right to be where they are
Any discovery must be made by chance
The officer must have probable cause to believe that the item(s) are evidence of a crime, and he or she can't move items to see a suspicious item

Saas

Software as a service (SaaS) - applications are delivered via the Internet (Google Apps, Microsoft 365)

explain the difference in volatile and non-volatile storage and why it is important to a forensic scientist.

Volatile: data stored in memory will be lost if there is no power supply.
Non-volatile: the data does not disappear when the hard drive is not receiving power. This allows you to retrieve the data later on, and it is permanent storage.
