CHFI Notes Will
Duplicate evidence will also suffice as evidence under the following conditions:
Original evidence is destroyed due to fire and flood. Original evidence is destroyed in the normal course of business. Original evidence is in possession of a third party.
Cain & Abel
Password recovery tool for Microsoft operating systems. Uses sniffing, dictionary, brute-force, and cryptanalysis attacks. It can also record VoIP conversations, decode scrambled passwords, recover wireless keys, reveal password boxes, uncover cached passwords, and analyze routing protocols.
Recuva
recover lost pictures, music, docs, video, email, or other file type from all types of media
Cybercrime
refers to "any illegal act that involves a computer, its systems, or its applications."
administrative investigation
refers to an internal investigation by an organization to discover whether its employees, clients, and partners are abiding by its rules or policies. It typically concerns violations of company policies.
Forensic Readiness
refers to an organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs. It includes technical and nontechnical actions that maximize an organization's competence to use digital evidence.
Non-volatile data
refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards.
Volatile Data
refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted.
Admissible Evidence
Evidence must be relevant to the case, act in support of the client presenting it, and be well communicated and non-prejudiced.
A ___________ is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location
search warrant
Capsa
sniffer with support for over 300 network protocols
FRED
will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/Firewire/USB hard drives and storage devices and save forensic images to Blu-Ray, DVD, CD, or hard drives.
Paraben's StrongHold ______ block out wireless signals to protect evidence.
Faraday Bags
Investigation Phase
Main phase of the computer forensics investigation performed by professionals
SWGDE Standards and Criteria 1.5
The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
Locard's Exchange Principle
"anyone or anything, entering a crime scene takes something of the scene, and leaves something of themselves behind."
Post-investigation Phase: Reporting and documentation of all the actions undertaken and the findings during the course of an investigation.
- Ensure that the target audience can easily understand the report
- Ensure the report provides adequate and acceptable evidence
- The report should comply with all local laws and standards
- It should be legally sound and acceptable in the court of law
Considerations for setting up a Computer Forensics Lab (CFL) include:
- Planning and budgeting
- Location and structural concerns. Work area considerations (50-63 sq ft per station), no windows
- HR considerations (certifications and experience)
- Physical security recommendations. Have the lab forensically licensed:
  o ASCLD/Lab Accreditation
  o ISO/IEC 17025
Investigation Phase: Main phase of the computer forensics investigation performed by professionals
- Acquisition, preservation, and analysis of the data to identify the source of crime and the culprit
- Implementing the technical knowledge to find evidence, examine, document, and preserve the findings
Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation
- Setting up a computer forensics lab (CFL), toolkit, and workstation
- Building the investigation team and getting approval from the relevant authority
- Planning the process, defining mission goals, and securing the case perimeter and devices involved
Computer Forensics Lab (CFL) accreditations provided by:
ASCLD/Lab Accreditation, ISO/IEC
Characteristics of Digital Evidence
Admissible, Authentic, Complete, Reliable, Believable
SWGDE Standards and Criteria 1.2
Agency management must review SOPs on an annual basis to ensure their continued suitability and effectiveness.
SWGDE Standards and Criteria 1.6
All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
SWGDE Standards and Criteria 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document.
Incident Analyzer
Analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, and the different threats and vulnerabilities associated with it.
Forensic Investigation Team
Attorney ; Photographer ; Incident Responder ; Decision Maker ; Incident Analyzer ; Evidence Examiner/Investigator ; Evidence Documenter ; Evidence Manager ; Expert Witness
Types of approaches to manage cybercrime investigations:
Civil cases, Criminal cases, Administrative investigation
__________ are unintentional intelligence-bearing signals that if intercepted and analyzed will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment.
Compromising emanations
NIST has launched the _____ (CFTT), which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
Computer Forensic Tool Testing Project
Evidence Examiner/Investigator
Examines the evidence acquired and sorts the useful evidence.
External attacks
External attacks originate from outside of an organization or can be remote in nature. Such attacks occur when there are inadequate information security policies and procedures.
Internal Attacks
Insider attacks, considered a primary threat, refer to attacks by disgruntled individuals working in the same firm or household as the victim. Examples of internal attacks include espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks.
L0phtCrack
Is a password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks.
Rules of Forensics Investigation
- Limit access to and examination of the original evidence
- Record changes made to the evidence files
- Create a chain of custody document
- Set standards for investigating the evidence
- Comply with the standards
- Hire professionals for analysis of evidence
- Evidence should be strictly related to the incident
- The evidence should comply with the jurisdiction standards
- Document the procedures applied on the evidence
- Securely store the evidence
- Use recognized tools for analysis
Photographer:
Photographs the crime scene and all evidence. Should have an authentic certification.
Phases Involved in the Computer Forensics Investigation Process
Pre-investigation Phase, Investigation Phase, Post-investigation Phase
Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy, without a search warrant. Note: ____ intrusions not acting in the color of governmental authority do not come under the Fourth Amendment.
Private
Guidance Software's EnCase
Rapidly acquire data from variety of devices and unearth potential evidence with disk-level forensic analysis. Produce comprehensive reports on your findings and maintain the integrity of your evidence in a format the courts have come to trust
Post-investigation Phase
Reporting and documentation of all the actions undertaken and the findings during the course of an investigation.
Incident Responder
Responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of an incident
SWGDE Standards and Criteria 1.3
SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner.
SWGDE stands for:
Scientific Working Group on Digital Evidence
SWGDE Standards and Criteria 1.4
The agency must maintain written copies of the appropriate technical procedures.
Decision Maker
The person responsible for authorization of a policy or procedure during the investigative process. Based on the incident type, he or she makes decisions about the policies and procedures to handle the incident.
SWGDE Principle 1
To ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective system for quality control.
Forensic investigators should memorize the rules listed below.
- Limit _____ and examination of the original evidence
- Record _____ made to the evidence files
- Create a chain of _____ document
- Set ______ for investigating the evidence
- Comply with the ______
- Hire professionals for analysis of ______
- Evidence should be strictly _____ to the incident
- The evidence should comply with the ____ standards
- Document the ____ applied on the evidence
- Securely ____ the evidence
- Use _____ tools for analysis
access ; changes ; custody ; standards ; standards ; evidence ; related ; jurisdiction ; procedures ; store ; recognized
Pre-investigation Phase
all the tasks performed prior to the commencement of the actual investigation
Reliable Evidence
extract and handle the evidence while maintaining a record of the tasks performed during the process to prove that the evidence is dependable. Forensic investigation is conducted only on the copies of evidence.
Paraben's StrongHold Faraday Bags
block out wireless signals to protect evidence.
Considerations for setting up a Computer Forensics Lab (CFL) include:
- Planning and _____
- Location and _____ concerns. Work area considerations (50-63 sq ft per station), no windows
- ___ Considerations (certifications and experience)
- ____ security recommendations. Have the lab forensically licensed:
  o ASCLD/Lab Accreditation
  o ISO/IEC 17025
budgeting ; structural ; HR ; Physical
Duplicate evidence will also suffice as evidence under the following conditions: Original evidence is destroyed due to ______. Original evidence is destroyed in the ________. Original evidence is in possession of a ____.
fire and flood ; normal course of business ; third party
Data Recovery Stick
can recover deleted files.
Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence. For example, system data that an intruder can easily ____ or destroy should have ___ while assembling the evidence.
change ; priority
The Sleuth Kit
Command-line tools and a C library to analyze disk images and recover files from them.
The _______ process includes a methodological approach for preparing for the investigation, collecting and analyzing evidence, and managing the case from reporting to the conclusion.
computer forensics investigation
Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation:
- Setting up a _____ (CFL), toolkit, and workstation
- Build the _____ and getting approval from the relevant authority
- _____ the process, defining mission goals, and securing the case perimeter and devices involved
computer forensics lab ; investigation team ; planning
FileMerlin
Converts word processing, spreadsheet, presentation, and database files between a wide range of file formats.
AccessData FTK
Court-cited digital investigations platform that provides processing and indexing up front, so filtering and searching is fast. FTK can be set up for distributed processing and can incorporate web-based case management and collaborative analysis.
Evidence Documenter
gathers info and documents it from incident occurrence to the end of the investigation.
TEMPEST
is an unclassified short name referring to investigations and studies of compromising emanations.
A forensic investigator performs the following tasks:
- Evaluates the ____ of a security breach
- ____ and recovers data required for investigation
- ___ the evidence in a forensically sound manner
- Ensures proper ____ of the evidence
- Acts as a ___ to the investigation team
- Creates ____ and documents about the investigation required to present in a court of law
- ____ the damaged storage devices and uncovers the information hidden on the computer
- _____ the organization about various methods of attack and data recovery techniques, and maintains a record of them (following a variant of methods to document) regularly
- Addresses the issue in a ____ and attempts to win the case by testifying in court
damages ; Identifies ; Extracts ; handling ; guide ; reports ; Reconstructs ; Updates ; court of law
Computer Forensics
deals with the process of finding evidence related to a digital crime
RAPID IMAGE 7020 X2
designed to copy one "Master" hard drive to up to 19 "Target" hard drives
PC-3000 Data Extractor
diagnoses and fixes file system issues, so that the client's data can be obtained.
Autopsy
Digital forensics platform and GUI front end to The Sleuth Kit® and other digital forensics tools.
In this Data Acquisition Method, Norton Ghost use Bit-stream disk-to-______
disk
The forensic examiner must make duplicate copies of the original evidence and start by examining only the _______. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the _______ of the evidence.
duplicates ; integrity
Computer Forensic Tool Testing Project (CFTT)
establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
Digital evidence
includes all such information that is either stored or transmitted in digital form and has probative value. Investigators should take utmost care while gathering digital evidence as it is fragile in nature.
A forensic examiner must keep in mind certain rules to follow during a computer forensic examination, as well as to handle and analyze the evidence. This will safeguard the ______ of the evidence and render it _____ in a court of law.
integrity ; acceptable
Authentic Evidence
investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence with details such as source and its relevance to the case. If necessary, they must also furnish details such as author of the evidence or path of transmission.
Criminal Case
involves actions that are against the norms of society. DID YOU KNOW WHAT YOU DID? IF SO, IT IS CRIMINAL.
Civil cases
involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or a company versus another. They relate to violations of contracts and lawsuits, where a guilty verdict generally results in monetary damages to the plaintiff.
RoadMASSter-3 X2
is a ruggedized portable forensic lab for hard drive data acquisition and analysis.
Ophcrack
is a free GUI driven Windows password cracker based on rainbow tables
Image MASSterTM Wipe PRO
is a hard drive sanitization station.
PC-3000 Flash
is a hardware and software suite for recovering flash-based storage.
Enterprise Theory of Investigation (ETI)
is a methodology for investigating criminal activity. It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.
PALADIN
is a modified "live" Linux distribution based on the PALADIN Toolbox.
Oxygen Forensic Kit
is a ready-to-use and customizable mobile forensic solution for field and in-lab usage. It not only extracts data from the device but also creates reports and analyzes data in the field.
Paraben's Chat Stick
is a thumb drive device that will search the entire computer and scan it for chat logs
Best Evidence Rule
is to prevent any alteration of digital evidence, either intentionally or unintentionally.
In criminal cases:
- Investigators must follow a set of standard forensic processes accepted by law in the respective ____.
- Investigators, under court's warrant, have the authority to seize the ____ devices.
- A formal investigation ____ is required.
- The ____ agencies are responsible for collecting and analyzing evidence.
- Punishments are ____ and include fine, jail sentence or both.
- Standard of ____ needs to be very high.
- Difficult to ____ certain evidence, e.g., GPS device evidence.
jurisdiction ; computing ; report ; law enforcement ; harsh ; proof ; capture
The computer forensic examiner must not continue with the investigation if the examination is going to be beyond his or her ______ level or ______ level.
knowledge ; skill
Attorney
Provides legal advice about the investigation and the legal issues involved in the forensics investigation process.
Complete Evidence
must either prove or disprove the consensual fact in the litigation
Information stored in ___ form includes hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, registry settings, and event logs.
non-volatile
Tableau T8-R2 Forensic USB Bridge
offers secure, hardware-based write blocking of USB storage devices.
Believable Evidence
present evidence in a clear manner to the jury and obtain expert opinions where necessary
Investigation Phase: Main phase of the computer forensics investigation performed by professionals.
- Acquisition, _______, and analysis of the data to identify the source of crime and the culprit
- Implementing the technical ______ to find evidence, examine, document, and preserve the findings
preservation ; knowledge
Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of ____, without a search warrant.
privacy
ZX-Tower
provides secure sanitization of hard disks.
WriteProtect-DESKTOP
provides secure, read-only write-blocking of suspect hard drives.
Fourth Amendment
states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy, without a search warrant.
FRED
systems are optimized for stationary laboratory acquisition and analysis.
Post-investigation Phase: Reporting and documentation of all the actions undertaken and the findings during the course of an investigation.
- Ensure that the _______ can easily understand the report
- Ensure _____ provides adequate and acceptable evidence
- Report should comply with _______
- It should be legally sound and ________
target audience ; report ; all local laws and standards ; acceptable in the court of law.
Nuix Corporate Investigation Suite
used to collect, process, analyze, review, and report evidence
R-Drive Image
utility that provides creation of disk image files for backup or duplication purposes.
Important ___ data includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
volatile