11. Digital Forensic Flashcards

1
Q

what is digital forensics

A
  1. to find, preserve and analyse digital data
  2. used in criminal and private investigations and civil cases
  3. acquisition and documentation of evidence
2
Q

forensic process

A
  1. acquisition
    - obtain the data and the source of the data
    - use electrostatic (anti-static) bags
    - if the device is powered on, be careful not to accidentally modify data
    - bring a UPS to the site in case the battery runs out
  2. identification
    - extract data artefacts like images, headers, emails…
    - use a write blocker when extracting
  3. evaluation
    - evaluate and analyse the data
    - is the data relevant to the case?
  4. presentation
    - present the results of the findings
3
Q

chain of custody

A
  1. documentation of the evidence from the time of collection until it is disposed of
  2. evidence is handled by multiple people using different techniques
  3. evidence is hashed at every handover to check its signature
  4. if the hashed signature differs, stop, as the handling is changing the evidence
  5. purpose is to show that the evidence has not been modified, so it can be used in court
4
Q

image formats

A
  1. raw
    - bit-by-bit copy
    - readable by most tools
    - takes up as much space as the original
  2. proprietary
    - compresses, stores and validates
    - limited to a single tool
    - evidence cannot be shared
5
Q

identification

A
  1. physical layer
    - identify and recover data across the entire drive
    - file carving
    - keyword searching
  2. logical layer
    - identify and recover data based on the installed OS
    - extract metadata
    - recover deleted files

use different tools to show the same results

6
Q

anti-forensics

A
  1. wiping the hard drive
  2. modifying file metadata
  3. steganography
  4. encrypting or compressing artefacts
7
Q

blockchain advantages

A

scalable
cost effective
no single point of failure

8
Q

what is a block

A

block 1 = genesis block
contains a hash of its content

block 2
contains a hash of its content + the hash of block 1

therefore, if an attacker wants to alter block 1, the hash of block 1 changes, which changes the hash of block 2. The attacker has to alter every block after block 1

9
Q

proof of work

A

easy to validate
hard to solve
slows down attackers

when adding new blocks, one calculates the proof of work while the others wait and validate the calculation

10
Q

block validation

A

to validate, need to start from the first block and go up to the target block

arrange the blocks in a binary tree structure, a Merkle tree

compare the hashes. If the hash of the children = the parent, no issue
if the hash of the children != the parent, one side has an issue

11
Q

block tampering

A

need to either:

  • tamper with all blocks and redo the proof of work for all blocks
  • take control of more than 50% of the blocks
12
Q

blockchain vulnerabilities

A
  1. 51% attack
    - legit miners always follow the longest chain
    - if the longest chain is malicious, they unknowingly join the attacker
    - to mitigate, miners from the original chain have no delay, while private miners have a delay
  2. double spend attack
    - when cryptocurrency is spent, blocks need to calculate the proof of work, which takes time
    - until the proof of work is calculated, the transaction is not recorded
    - spend the same currency before the transaction is recorded
    - to mitigate, use a backup chain of blocks
    - notarised blocks will not follow the longest chain
  3. DDoS
    - to mitigate: the systems are mainly used to calculate proof of work and therefore use low bandwidth
    - if DDoSed, redirect to spare bandwidth
    - use the deep web so the attacker cannot find the IP address