Digital Forensics EXAM 1

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

SATA (serial ATA)

Better cable and speed, no jumpers direct connect to controller (no chaining of devices)

Child Exploitation

Chat log, photo/video, image editing software, internet/SNS activity, movie files, relevant file and directory names

Power On Self Test (POST)

Checking the BIOS chip and then tests CMOS RAM Checking video card, hard drives, floppy drives, ports, keyboard and mouse, etc. If functioning properly, successful CPU initialization

Search Warrant

Clearly state what you are searching for. Clearly state the area in which you are authorized to search. Be signed by a judge.

Forensic Investigation Process -(American Board of Information Security and Computer Forensics)

Collection Examination Analysis Reporting

Civil Investigations

Conducted In case of IPR risk, company's network security breach, unauthorized use of company resource E.g., Intrusion, DoS attack, malicious code/comm, misuse, etc.

Internal Investigations

Conducted In case of violation of company policies and guidelines

As an instrument of the crime

Cyber Stalking and bullying Identity theft Pirated computer software Forgery or falsification of documents Corporate fraud Terrorism and national security

CHS

Cylinder address (C), Head number (H), Sector address (S) Based on Physical address Obsolete, older computers still use it.

True

DF investigation does not need to have deepest understanding on theoretic knowledge on CS but must have a familiarity with a wide range of subject matter.

reconstruction (Physical)

Develop theories - Phase Goals (Physical)

Legally obtained

Different regulation applies to internal/civil/criminal investigations while criminal investigation is most restrictive in terms of legal requirements.

incident, laboratory

Digital Forensics Hardware Tools Can be used for _______ response and forensic _____

law, hardware

Digital forensics requires knowledge on ____ and computer science as well as various forensic _____and software tools.

Corporate/private Investigation

E.g., employees who violate the company's security policy

Locard's Exchange Principle

Everything that enters a crime scene does two things. It leaves part of itself behind, and it takes part of the scene with it.

Relevance

Evidence must have a bearing on the event being investigated. Information about unrelated crime cannot be used as an evidence for the case.

Authenticity

Evidence presented came from where he/she claims

original

Evidence presented in court should be ______and the actual item investigated or examined.

printout of computer data

Federal Rules of Evidence consider a____________ to be "original" if it can be read by sight and if it accurately represents the stored data.

Documentary evidence

Files, log, e-mail

Computer Fraud

Financial and asset data, credit card data, emails

Digital Forensics Hardware Tools

Forensics computers Write-blocking devices Imaging devices (disk duplicator) Data wiping devices Encryption hardware

hard disk

HPA is created at the end of _____

Guidelines for entering technical evidence into U.S. Court:

Has the procedure been published in Journals and generally accepted? Had the procedure been independently tested and what is the error rate?

Name found in Floppy Disk

How was the BTK killer caught

little-endian

IA32-based systems (i.e., Intel Pentium) and their 64-bit counterparts use the ______ ordering.

Examination

Identify and extract the relevant information from the collected data, using appropriate forensic tools and techniques, while continuing to maintain integrity of the evidence.

Survey(Digital)

Identify obvious evidence (in lab) -Phase Goals (Digital)

Collection (Acquisition)

Identify, isolate, label, record, and collect the data and physical evidence related to the incident being investigated, while establishing and maintaining integrity of the evidence through chain-of-custody.

Guideline for First Responder

If computer is on, leave it on. If computer is off, leave it off. No technical assist from anyone unauthorized should be allowed. Avoid compromising physical evidence (fingerprint, blood, DNA, etc.) on computer devices (mouse, keyboard, etc.) Protect yourself from biohazards

Pull the plug

Immediately halts processing but destroys data in memory and can corrupt files Data in memory could be collected using "cold boot" attack or DMA attack.

Search & Collection (Physical)

In-depth search - Phase Goals (Physical)

3 types of forensic investigations

Internal Civil Criminal

True

Judge can render the evidence admissible or inadmissible

LBA (logical Block address)

LBA address 0 = CHS address 0,0,1 LBA address 1 = CHS address 0,0,2 CHS 0,1,1 = sector 1 of the second head in the same cylinder

Incident Response - Corporate

Large company incident responder might be a technician-level employee in security or information technology Small company network administrator or security officer might also be the incident responder

Four,4

MBR includes partition table which has _____entries. (up to ____ partitions)

Network intrusion and hacking

Network user id and IP addresses, virus and spyware, system logs, etc.

Chain of Custody

A critical function of investigation that continuously records log information of each and every action that is taken on or against a piece of evidence and of every movement that evidence makes from the moment an object is identified as having evidentiary value. **Critical for evidence admissibility.

Digital Forensics

A discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law.

Cluster

A group of sector Allocation unit of data in file systems

forensic image

A proper _______ can be considered Best evidence if the original evidence has been returned to its owner.

ASCIII stands for the

"American Standard Code for Information Interchange"

ATA/IDE

(Integrated Disk Electronics) or PATA IDE means a hard disk has a built-in logic board IDE disk uses ATA interface 40 or 44 pin connectors

SCSI

(Small Computer Systems Interface) More costly, used mainly for servers Various connector types (difficult to carry all)

DOJ guidelines - late 90's

-Preparation: prepare equipment and tools, -Collection: Search physical location for possible digital evidence and acquire (e.g., collect or copy digital media) -Examination: review the media for evidence (initial screening) -Analysis: review the results for their value in the case -Reporting: document results of investigation

Digital Investigation in 6 Steps - by Casey (2004)

1) Identification/Assessment 2) Collection/acquisition 3) Preservation 4) Examination 5) Analysis 6) Reporting

documentation (Digital)

Photo & description of digital device -Phase Goals (Digital)

documentation (Physical)

Photograph, sketches, evidence/scene maps - Phase Goals (Physical)

(Paul Kirk, 1953)

Physical evidence cannot be wrong or wholly absent. Only human failure to find it, study and understand it, can diminish its value

Preservation (Digital)

Prevent changes (network isolation, collecting volatile data, copy entire digital environment -Phase Goals (Digital)

Complementary Metal Oxide Silicon (CMOS)

RAM with battery

Reporting

Reporting the results of the analysis, including: Findings relevant to the case Actions that were performed Actions left to be performed Recommended improvements to procedures and tools

Incident Response

Response to a computer crime, security policy violation, or similar event Secure, preserve and document digital evidence Happens BEFORE the forensic analysis begins. Incident responder is not necessarily the forensic specialist who will conduct the analysis of the digital evidence

Securing the Scene (by first responder or DFI (DIGITAL FORENSICS INVESTIGATOR)

Safety first. Integrity second. (computer, data, network) Then secure evidence.

Preservation (Physical)

Secure entrance/exit Prevent changes - Phase Goals (Physical)

Reliability

Should be no question about the truth of the investigator's conclusion. Use standardized/verified forensics tools and methods (see Daubert guideline). Investigator qualification

reconstruction (Digital)

Similar to physical -Phase Goals (Digital)

Big Endian

Sun SPARC and Motorola PowerPC (i.e., Apple computers) systems use_______ordering.

No Search Warrant is required if..

The "plain view" doctrine says that an officer can seize evidence that is in plain view as long as: The officer is legally present at the site of the evidence. The officer can legally access the evidence. The officer has probable cause to believe that the evidence or contraband is related to a crime. A device can be seized in case there is owner's written consent which acknowledges future forensic examination by trained examiner

Analysis Phase

The case is typically "solved" in this phase.

True

The purpose of a partition system is to organize the layout of a volume

Sector

The smallest addressable unit of storage

Three ways of storing a Unicode character

UTF (Unicode Transformation Formats)- 32 UTF-16 UTF-

Survey (Physical)

Walking through scene Identify evidence - Phase Goals (Physical)

Shut down

Writes entries into the system activity logs (change of the state of the evidence)

Digital forensics

_____ is a discipline that collect and analyze data from computing devices to find court-admissible evidence.

Digital evidence

______must be authentic, reliable, relevant, integrity guaranteed, legally obtained to be admissible to a court.

Host Protected Area (HPA)

a special area of the disk that can be used to save data a casual observer (including OS) might not see it.

an Incident Responder

a sworn law enforcement officer or "crime lab" technician can be ______

secondary file system partition

also called a*** logical partition ****in Windows, is located inside the primary extended partition bounds and contains a file system or other structured data.

ASCII

assigns a numerical value to the characters in American English.

As a target of the crime

e.g., computer network intrusion, DDOS attack

The Case of Daubert v. Merrill Dow Pharmaceuticals (1993)

established new criteria to determine the reliability, relevancy, and admissibility of scientific evidence

A volume

is a collection of addressable sectors that an Operating System (OS) or application can use for data storage. The sectors in a volume need not be consecutive on a physical storage device

Partition

is a collection of consecutive sectors in a volume.

secondary extended partition

is a partition that contains a partition table and a secondary file system partition.

primary file system partition

is a partition whose entry is in the MBR and the partition contains a file system or other structured data.

primary extended partition

is a partition whose entry is in the MBR, and the partition contains additional partitions.

MBR (MASTER BOOT RECORD)

is in the first 512-byte sector of a disk

Integrity

was not altered in any way during examination, and there was no opportunity for it to have been replaced or altered in the interim

Forensic Tools

*Network forensics *Mobile device forensics *Activity tracking device forensics, etc.

American English

ASCII works if you use ______ only limited for the rest of the world because their native symbols cannot be represented.

True

According to some studies, almost 95 percent of criminals leave evidence which could be investigated through computer forensic procedure.

Unicode

Allows for Characters besides English, ex Japanese

Basic Input Output System (BIOS)

Also known as System BIOS, ROM BIOS or PC BIOS

Search & Collection (Digital)

Analysis of system for nonobvious evidence -Phase Goals (Digital)

Analysis

Analyze the results of the examination to generate useful answers to the questions presented in the previous phases.

Real evidence

Things you can carry to court and show

System‐to‐System Disk Imaging

This method uses two separate computer systems ‐‐ the suspect and a specialized forensics imaging system.

The Fifth Amendment

To prevent the government from ever forcing a citizen to provide self-incriminating testimony.

The Fourth Amendment

To prohibit unreasonable searches and seizures and requires warrants to be judicially sanctioned and supported by probable cause.

Demonstrative evidence

To recreate or explain other evidence

Testimonial evidence

To support or validate other evidence types

Digital forensics includes computer forensics as well as forensics on all other digital devices capable of storing digital data

True

Corporate/private Investigation

not subject to the same "search and seizure" rules and Fourth Amendment issues often involve misuse or abuse of company assets, falsification of data, discrimination, harassment, and similar matters likely to involve litigation.

False

passwords for protected/encrypted data can be forcefully acquired with a warrant

Forensic

relating to the use of scientific knowledge or methods in solving crimes


Set pelajaran terkait

Chapter 4: Income Tax Withholding

View Set

Information Systems Project Mgmt - Chapter 7 Quiz

View Set

Peyton Auto--Unit 1-2--Design Lab activities

View Set

Microeconomics, Chapter 4, Market Equilibrium

View Set

AC 311 Test 1 - Bonds Chapter 14

View Set

Intro to Social Problems Exam 3: Gender Inequality and Sexual Orientation

View Set