CHFI Notes Will


Duplicate evidence will also suffice as evidence under the following conditions:

Original evidence is destroyed due to fire and flood. Original evidence is destroyed in the normal course of business. Original evidence is in possession of a third party.

Cain & Abel

Password recovery tool for Microsoft operating systems. Uses sniffing, dictionary, brute-force, and cryptanalysis attacks. Also records VoIP conversations, decodes scrambled passwords, recovers wireless network keys, reveals password boxes, uncovers cached passwords, and analyzes routing protocols.

Recuva

Recovers lost pictures, music, documents, video, email, or any other file type from all types of media.

Cybercrime

refers to "any illegal act that involves a computer, its systems, or its applications."

administrative investigation

Refers to an internal investigation by an organization to determine whether its employees, clients, and partners are abiding by its rules or policies. Typically concerns violations of company policy rather than of law.

Forensic Readiness

refers to an organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs. It includes technical and nontechnical actions that maximize an organization's competence to use digital evidence.

Non-volatile data

refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards.

Volatile Data

Refers to the temporary information on a digital device that requires a constant power supply and is lost if the power supply is interrupted.

Admissible Evidence

Must be relevant to the case, act in support of the client presenting it, and be well communicated and non-prejudiced.

A ___________ is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location

search warrant

Capsa

Network sniffer (packet analyzer) with support for over 300 network protocols.

FRED

Acquires data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/FireWire/USB hard drives and storage devices and saves forensic images to Blu-ray, DVD, CD, or hard drives.

Paraben's StrongHold ______ block out wireless signals to protect evidence.

Faraday Bags

Investigation Phase

Main phase of the computer forensics investigation performed by professionals

SWGDE Standards and Criteria 1.5

The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.

Locard's Exchange Principle

"anyone or anything, entering a crime scene takes something of the scene, and leaves something of themselves behind."

Post-investigation Phase: Reporting and documentation of all the actions undertaken and the findings during the course of an investigation.

- Ensure that the target audience can easily understand the report - ensure report provides adequate and acceptable evidence. - report should comply with all local laws and standards - it should be legally sound and acceptable in the court of law.

Considerations for setting up a Computer Forensics Lab (CFL) include:

- Planning and budgeting
- Location and structural concerns; work area considerations (50-63 sq ft per station, no windows)
- HR considerations (certifications and experience)
- Physical security recommendations
- Have the lab forensically accredited:
  - ASCLD/Lab Accreditation
  - ISO/IEC 17025

Investigation Phase: Main phase of the computer forensics investigation performed by professionals

- acquisition, preservation, and analysis of the data to identify the source of crime and the culprit. - implementing the technical knowledge to find evidence, examine, document, and preserve the findings.

Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation

- setting up a computer forensics lab(CFL), toolkit, and workstation - the investigation team and getting approval from the relevant authority - planning the process, defining mission goals, and securing the case perimeter and devices involved.

Computer Forensics Lab (CFL) accreditations provided by:

ASCLD/Lab Accreditation and ISO/IEC 17025

Characteristics of Digital Evidence

Admissible, Authentic, Complete, reliable, Believable,

SWGDE Standards and Criteria 1.2

Agency mgmt. must review SOPs on an annual basis to ensure their continued suitability and effectiveness.

SWGDE Standards and Criteria 1.6

All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.

SWGDE Standards and Criteria 1.1

All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document.

Incident Analyzer

Analyzes incidents based on their occurrence. He or she examines each incident with regard to its type, how it affects the systems, and the threats and vulnerabilities associated with it.

Forensic Investigation Team

Attorney ; Photographer ; Incident Responder ; Decision Maker ; Incident Analyzer ; Evidence Examiner/Investigator ; Evidence Documenter ; Evidence Manager ; Expert Witness

Types of approaches to manage cybercrime investigations:

Civil cases, Criminal cases, Administrative investigation

__________ are unintentional intelligence-bearing signals that if intercepted and analyzed will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment.

Compromising emanations

NIST has launched the _____ (CFTT), which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."

Computer Forensic Tool Testing Project

Evidence Examiner/Investigator

Examines the evidence acquired and sorts the useful evidence.

External attacks

External attacks originate from outside an organization or are remote in nature. Such attacks succeed when information security policies and procedures are inadequate.

Internal Attacks

Insider attacks, considered a primary threat, are attacks by disgruntled individuals working in the same firm or household as the victim. Examples of internal attacks include espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks.

L0phtCrack

Is a password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks.

Rules of Forensics Investigation

- Limit access to and examination of the original evidence
- Record changes made to the evidence files
- Create a chain of custody document
- Set standards for investigating the evidence
- Comply with the standards
- Hire professionals for analysis of evidence
- Evidence should be strictly related to the incident
- The evidence should comply with the jurisdiction standards
- Document the procedures applied on the evidence
- Securely store the evidence
- Use recognized tools for analysis

Photographer:

Photographs the crime scene and all evidence. Should hold a recognized certification.

Phases Involved in the Computer Forensics Investigation Process

Pre-investigation Phase, Investigation Phase, Post-investigation Phase

Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy, without a search warrant. Note: ____ intrusions by parties not acting under color of governmental authority do not come under the Fourth Amendment.

Private

Guidance Software's EnCase

Rapidly acquires data from a variety of devices and unearths potential evidence with disk-level forensic analysis. Produces comprehensive reports on findings and maintains the integrity of the evidence in a format the courts have come to trust.

Post-investigation Phase

Reporting and documentation of all the actions undertaken and the findings during the course of an investigation.

Incident Responder

Responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of an incident

SWGDE Standards and Criteria 1.3

SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner.

SWGDE stands for:

Scientific Working Group on Digital Evidence

SWGDE Standards and Criteria 1.4

The agency must maintain written copies of the appropriate technical procedures.

Decision Maker

The person responsible for authorization of a policy or procedure during the investigative process. Based on the incident type, makes decision about the policies and procedures to handle the incident.

SWGDE Principle 1

To ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective system for quality control.

Forensic investigators should memorize the rules listed below. Limit _____ and examination of the original evidence Record _____ made to the evidence files Create a chain of _____ document Set ______ for investigating the evidence Comply with the ______ Hire professionals for analysis of ______ Evidence should be strictly _____ to the incident The evidence should comply with the ____ standards Document the ____ applied on the evidence Securely ____the evidence Use _____ tools for analysis

access ; changes ; custody ; standards ; standards ; evidence ; related ; jurisdiction ; procedures ; store ; recognized

Pre-investigation Phase

all the tasks performed prior to the commencement of the actual investigation

Reliable Evidence

Extract and handle the evidence while maintaining a record of the tasks performed during the process, to prove that the evidence is dependable. Forensic examination is conducted only on copies of the evidence, never on the original.

Paraben's StrongHold Faraday Bags

block out wireless signals to protect evidence.

Considerations for setting up a Computer Forensics Lab (CFL) include: - Planning and _____ - Location and _____ concerns. Work area considerations (50-63 sqft per station) no windows - ___ Considerations (certifications and experience) - ____ security recommendations. Have the lab forensically licensed o ASCLD/Lab Accreditation o ISO/IEC 17025

budgeting ; structural ; HR ; Physical

Duplicate evidence will also suffice as evidence under the following conditions: Original evidence is destroyed due to ______. Original evidence is destroyed in the ________. Original evidence is in possession of a ____.

fire and flood ; normal course of business ; third party

Data Recovery Stick

can recover deleted files.

Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence. For example, system data that an intruder can easily ____ or destroy should have ___ while assembling the evidence.

change ; priority

The Sleuth Kit

Command-line tools and a C library for analyzing disk images and recovering files from them.
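Signature-based file carving is the basic technique tools like these use to recover deleted files from unallocated space when no file-system metadata points at them anymore. The block below is an added example written for these notes, not The Sleuth Kit's or Recuva's code. It builds a constructed raw "disk image" (zeroed sectors with a deleted JPEG, a deleted PNG, and a JPEG header whose footer has been overwritten) and carves by header/footer signature; the truncated header is deliberately left unrecovered, which is the failure mode a simple carver has on fragmented or partially overwritten files.

```python
"""Header/footer file carving over a raw image (added example, constructed data)."""
import hashlib

# (header, footer, bytes that follow the footer and still belong to the file).
# JPEG ends with the EOI marker FF D9; PNG ends with the IEND chunk type + 4-byte CRC.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer this far past the header

SECTOR = 512
# Constructed stand-ins for real files: valid leading/trailing signatures, filler bodies.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"C" * 300 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 200
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")


def build_image():
    """Constructed 64 KiB image: deleted JPEG at sector 10, deleted PNG at sector 40,
    and at sector 100 a JPEG header whose remainder was overwritten (no footer)."""
    img = bytearray(128 * SECTOR)
    img[10 * SECTOR:10 * SECTOR + len(FAKE_JPEG)] = FAKE_JPEG
    img[40 * SECTOR:40 * SECTOR + len(FAKE_PNG)] = FAKE_PNG
    img[100 * SECTOR:100 * SECTOR + 4] = b"\xff\xd8\xff\xe0"
    return bytes(img)


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return carved files sorted by offset. A header with no footer inside the
    search window is skipped: simple carving cannot reassemble it. Caveat for
    real data: a footer byte pattern can occur inside a file body (early cut)
    and headers can be false positives, so carved output must be validated."""
    found = []
    for ftype, (head, tail, tail_extra) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_len)
            end = image.find(tail, start + len(head), window_end)
            if end == -1:
                pos = start + 1  # unrecoverable fragment; keep scanning past it
                continue
            stop = min(len(image), end + len(tail) + tail_extra)
            data = image[start:stop]
            found.append({
                "type": ftype,
                "offset": start,
                "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # record for the evidence log
                "data": data,
            })
            pos = stop
    return sorted(found, key=lambda r: r["offset"])


if __name__ == "__main__":
    for hit in carve(build_image()):
        print(f"{hit['type']:5} offset={hit['offset']:6} length={hit['length']:4} sha256={hit['sha256']}")
```

Offsets reported are byte offsets into the image; divide by the sector size to locate the sector on the original media when documenting the find.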

The _______ process includes a methodological approach for preparing for the investigation, collecting and analyzing evidence, and managing the case from reporting to the conclusion.

computer forensics investigation

Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation: - setting up a _____(CFL), toolkit, and workstation - build the _____ and getting approval from the relevant authority - _____ the process, defining mission goals, and securing the case perimeter and devices involved.

computer forensics lab ; investigation team ; planning

FileMerlin

Converts word processing, spreadsheet, presentation, and database files between a wide range of file formats.

AccessData FTK

Court-cited digital investigations platform that performs processing and indexing up front, so filtering and searching are fast. FTK can be set up for distributed processing and incorporates web-based case management and collaborative analysis.

Evidence Documenter

Gathers information and documents it from the occurrence of the incident to the end of the investigation.

TEMPEST

is an unclassified short name referring to investigations and studies of compromising emanations.

A forensic investigator performs the following tasks: - Evaluates the ____ of a security breach - ____ and recovers data required for investigation - ___ the evidence in a forensically sound manner - Ensures proper ____ of the evidence - Acts as a ___ to the investigation team -Creates ____ and documents about the investigation required to present in a court of law - ____ the damaged storage devices and uncovers the information hidden on the computer - _____ the organization about various methods of attack and data recovery techniques, and maintains a record of them (following a variant of methods to document) regularly - Addresses the issue in a ____ and attempts to win the case by testifying in court

damages ; Identifies ; Extracts ; handling ; guide ; reports ; Reconstructs ; Updates ; court of law

Computer Forensics

deals with the process of finding evidence related to a digital crime

RAPID IMAGE 7020 X2

designed to copy one "Master" hard drive to up to 19 "Target" hard drives

PC-3000 Data Extractor

diagnoses and fixes file system issues, so that the client's data can be obtained.

Autopsy

Digital forensics platform and GUI for The Sleuth Kit® and other digital forensics tools.

In this data acquisition method, Norton Ghost is used for bit-stream disk-to-______ copying.

disk

The forensic examiner must make duplicate copies of the original evidence and start by examining only the _______. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the _______ of the evidence.

duplicates ; integrity
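Putting the three cards above together (bit-stream copying, examining only duplicates, authenticating the duplicate), the following is an added example for these notes, not the code of Norton Ghost or any other tool on this page. It makes a bit-stream copy of a constructed "device" file, hashes the bytes as they pass through, re-hashes the original afterwards to show acquisition did not alter it, hashes the finished image, and records all of that in a chain-of-custody entry. It then flips one byte in the working copy to show how a later re-verification catches an unauthenticated change. The examiner name and case ID are hypothetical placeholders.

```python
"""Bit-stream acquisition with hash authentication and a chain-of-custody record
(added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so large devices never load fully into memory


def sha256_file(path):
    """Hash a file or device node in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src, dst):
    """Copy every byte of src to dst (a bit-stream image) and hash the bytes as
    they pass through, so the acquisition hash covers exactly what was read."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()


def acquire(src, dst, examiner, case_id):
    """Image src to dst and authenticate the duplicate: the hash taken during the
    copy, the hash of the original re-read afterwards, and the hash of the finished
    image must all agree. Returns the chain-of-custody entry for the log."""
    during = bitstream_copy(src, dst)
    original_after = sha256_file(src)  # original unchanged by the acquisition?
    image = sha256_file(dst)           # image is a faithful duplicate?
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": os.path.basename(src),
        "image": os.path.basename(dst),
        "sha256_original": original_after,
        "sha256_image": image,
        "verified": during == original_after == image,
    }


def verify_image(image_path, expected_sha256):
    """Run before each examination session: the working copy must still match the
    hash recorded at acquisition, or its integrity can be challenged."""
    return sha256_file(image_path) == expected_sha256


def run_demo():
    """Constructed 'device' of 3 MiB + 12345 bytes (deterministic pattern), not real
    evidence. Returns (chain-of-custody entry, verification result after one byte
    of the working copy is altered)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_usb.raw")
        dst = os.path.join(d, "suspect_usb.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"\x00" * 12345)
        entry = acquire(src, dst, examiner="J. Doe (hypothetical)",
                        case_id="CASE-0001 (hypothetical)")
        # Simulate an unauthenticated change to the working copy: flip one bit.
        with open(dst, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        return entry, verify_image(dst, entry["sha256_image"])


if __name__ == "__main__":
    entry, still_valid = run_demo()
    print(json.dumps(entry, indent=2))
    print("working copy still matches acquisition hash:", still_valid)
```

On real media the source would be a read-only device node behind a hardware write blocker (see the Tableau and WriteProtect cards), and the entry would be appended to the case's chain-of-custody log alongside the seizure and transfer records SWGDE 1.6 requires.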

Computer Forensic Tool Testing Project (CFTT)

establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."

Digital evidence

includes all such information that is either stored or transmitted in digital form and has probative value. Investigators should take utmost care while gathering digital evidence as it is fragile in nature.

A forensic examiner must keep in mind certain rules to follow during a computer forensic examination, as well as to handle and analyze the evidence. This will safeguard the ______ of the evidence and render it _____ in a court of law.

integrity ; acceptable

Authentic Evidence

investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence with details such as source and its relevance to the case. If necessary, they must also furnish details such as author of the evidence or path of transmission.

Criminal Case

Involve actions that are against the norms of society and violate the law; prosecuted by the state rather than by a private party.

Civil cases

Involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or a company versus another company. They relate to violations of contracts and lawsuits, where a verdict against the defendant generally results in monetary damages to the plaintiff.

RoadMASSter-3 X2

Ruggedized portable forensic lab for hard disk drive data acquisition and analysis.

Ophcrack

Free, GUI-driven Windows password cracker based on rainbow tables.

Image MASSterTM Wipe PRO

Hard drive sanitization station.

PC-3000 Flash

Hardware and software suite for recovering data from flash-based storage.

Enterprise Theory of Investigation (ETI)

is a methodology for investigating criminal activity. It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.

PALADIN

Modified "live" Linux distribution for forensic acquisition that bundles the PALADIN Toolbox.

Oxygen Forensic Kit

Ready-to-use, customizable mobile forensic solution for field and in-lab use. Extracts data from the device and also creates reports and analyzes data in the field.

Paraben's Chat Stick

Thumb-drive device that searches the entire computer and scans it for chat logs.

Best Evidence Rule

Requires that the original evidence be produced where possible (a duplicate suffices only under the conditions noted for duplicate evidence); its purpose is to prevent any alteration of digital evidence, either intentional or unintentional.

In criminal cases: Investigators must follow a set of standard forensic processes accepted by law in the respective ____. Investigators, under court's warrant, have the authority to seize the ____ devices. A formal investigation ____ is required. The ____ agencies are responsible for collecting and analyzing evidence. Punishments are ____ and include fine, jail sentence or both. Standard of ____ needs to be very high. Difficult to ____ certain evidence, e.g., GPS device evidence

jurisdiction ; computing ; report ; law enforcement ; harsh ; proof ; capture

The computer forensic examiner must not continue with the investigation if the examination is going to be beyond his or her ______ level or ______ level.

knowledge ; skill

Attorney

Provides legal advice about the investigation and the legal issues involved in the forensics investigation process.

Complete Evidence

must either prove or disprove the consensual fact in the litigation

Information stored in ___ form includes hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, registry settings, and event logs.

non-volatile

Tableau T8-R2 Forensic USB Bridge

Offers secure, hardware-based write blocking of USB storage devices.

Believable Evidence

present evidence in a clear manner to the jury and obtain expert opinions where necessary

Investigation Phase: Main phase of the computer forensics investigation performed by professionals. - acquisition, _______, and analysis of the data to identify the source of crime and the culprit. - implementing the technical ______ to find evidence, examine, document, and preserve the findings.

preservation ; knowledge

Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of ____, without a search warrant.

privacy

ZX-Tower

Provides secure sanitization of hard disks.

WriteProtect-DESKTOP

provides secure, read-only write-blocking of suspect hard drives.

Fourth Amendment

states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy, without a search warrant.

FRED

systems are optimized for stationary laboratory acquisition and analysis.

Post-investigation Phase: Reporting and documentation of all the actions undertaken and the findings during the course of an investigation. - Ensure that the _______ can easily understand the report - ensure _____ provides adequate and acceptable evidence. - report should comply with _______ - it should be legally sound and ________

target audience ; report ; all local laws and standards ; acceptable in the court of law.

Nuix Corporate Investigation Suite

Used to collect, process, analyze, review, and report on evidence.

R-Drive Image

Utility that creates disk image files for backup or duplication purposes.

Important ___ data includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.

volatile
