15 Digital Forensics Flashcards

1
Q

What are the key objectives covered in Chapter 15?

A

Domain 4.0: Security Operations

Includes 4.8 Explain appropriate incident response activities.

2
Q

What is digital forensics?

A

Investigation and analysis tools and techniques to determine what happened on a system or device.

3
Q

What is the purpose of digital forensics?

A

To respond to legal holds and electronic discovery requirements, support internal investigations, and assist in incident response.

4
Q

What are legal holds?

A

Notifications sent by opposing counsel to preserve and retain data.

5
Q

What is chain of custody?

A

Practices that ensure the integrity of evidence in the electronic discovery process.

6
Q

What does forensic data acquisition involve?

A

Capturing forensic artifacts at greatest risk of being lost, known as the order of volatility.

7
Q

What is the order of volatility?

A

Identifies forensic artifacts that need to be captured first due to their risk of being lost.

8
Q

What must be ensured for data captured in digital forensics?

A

That it is admissible in court and useful as evidence.

9
Q

What is required for digital forensic preservation efforts?

A

Tools and agreements to handle the need for forensic data from cloud providers.

10
Q

What are examples of forensic acquisition tools?

A
  • dd
  • FTK Imager
  • WinHex

11
Q

Why is validation important in digital forensics?

A

To ensure the integrity and accuracy of the forensic data captured.

12
Q

How can image validation be performed?

A

Manually.

13
Q

What should a forensic report include?

A

Details about the findings and processes used in the investigation.

14
Q

What role does forensics play in intelligence and counterintelligence?

A

To support activities related to data analysis and incident response.

15
Q

What is digital forensics used for?

A

Responding to legal cases, conducting internal investigations, supporting incident response processes

Digital forensics techniques are essential for various organizational tasks.

16
Q

What types of data can be acquired in digital forensics?

A

Drives, files, copies of live memory, digital artifacts

Digital forensic data can come from multiple sources generated during normal computer and network usage.

17
Q

Why is planning forensic information gathering crucial?

A

To have a complete and intact picture of what occurred

Effective planning ensures all relevant data is collected for analysis.

18
Q

What role does documentation play in digital forensics?

A

Necessary for observing, concluding from data, and supporting conclusions

Documentation includes timelines, sequences of events, and evidence.

19
Q

What can interviews with individuals involved in a case provide?

A

Important clues

Understanding human behavior is essential in forensic investigations.

20
Q

What is a legal hold?

A

A notice to preserve data and records that might be destroyed or modified

Legal holds are crucial when litigation is pending or anticipated.

21
Q

Define ‘spoliation of evidence’.

A

Intentionally, recklessly, or negligently altering, destroying, fabricating, hiding, or withholding evidence

Spoliation can negatively impact an organization in court.

22
Q

What is e-discovery?

A

An electronic discovery process for obtaining evidence in legal cases

E-discovery is part of the broader discovery process.

23
Q

List the nine stages of the Electronic Discovery Reference Model (EDRM).

A
  • Information governance
  • Identification
  • Preservation
  • Collection
  • Processing
  • Review
  • Analysis
  • Production
  • Presentation

The EDRM provides a framework for managing e-discovery.

24
Q

What is the challenge of preserving electronic information?

A

Data is frequently used or modified, complicating preservation under legal holds

Organizations must effectively manage data to comply with legal requirements.

25
Q

What tools can assist with electronic discovery and legal holds?

A

Electronic discovery and legal hold support tools with desktop, mobile, and server agents

These tools help capture data and document data handling.

26
Q

How have cloud operations affected e-discovery?

A

Increased complexity due to restrictions on intrusive legal holds in cloud services

Organizations must develop strategies for managing legal holds in cloud environments.

27
Q

What is the purpose of tools like Google's Vault?

A

Email archiving and discovery support

These tools help organizations meet their discovery requirements in cloud services.

28
Q

True or False: The Security+ exam outline focuses on legal holds, chain of custody, and e-discovery-related activities in very specific terms.

A

False

The exam outline covers these topics in broad terms.

29
Q

What tools are commonly used for forensic data acquisition?

A

Forensic tools like disk and memory imagers, image analysis tools, and low-level editors

These tools help display detailed information about data contents and structure.

30
Q

What is the order of volatility in digital forensics?

A
  1. CPU cache and registers
  2. Routing table, ARP cache, process table, kernel statistics
  3. System memory (RAM)
  4. Temporary files and swap space
  5. Data on the hard disk
  6. Remote logs
  7. Backups

This order helps forensic analysts capture data intact.

31
Q

What is the significance of the order of volatility?

A

It helps determine the sequence in which data should be captured to avoid loss

Items higher in the order are more likely to change or disappear.

32
Q

Fill in the blank: The content of _______ can contain encryption keys and ephemeral data from applications.

A

random access memory (RAM)

33
Q

What is the purpose of capturing swap and pagefile information?

A

To gain insight into running processes and system memory usage

This information can be volatile and change quickly.

34
Q

Why is it important to capture the entire disk during forensic investigations?

A

To see deleted files and other artifacts that remain resident

Copying files alone may miss critical evidence.

35
Q

What is chain-of-custody documentation?

A

Documentation of each time the drive, device, or artifact is accessed, transferred, or handled

It is crucial for legal cases.

36
Q

True or False: Evidence in court must be the best evidence available and must not violate the law.

A

True

37
Q

What are right-to-audit clauses in cloud services?

A

Clauses that provide the ability to audit the cloud provider or use a third-party audit agency

These clauses are important for ensuring data integrity and compliance.

38
Q

What challenges do forensic analysts face when working with cloud services?

A

Regulatory and jurisdiction concerns, limited access to forensic data from cloud providers

Organizations need to plan for incident handling without direct forensic techniques.

39
Q

What does the term 'nexus' refer to in regulatory issues?

A

The connection between a company and a state or locality regarding legal obligations

Nexus can determine tax responsibilities and legal jurisdictions.

40
Q

What is the function of the dd command in Linux?

A

To create images for forensic or other purposes at a bit-for-bit level

It allows for detailed copying of drives.

41
Q

What is FTK Imager?

A

A free tool for creating forensic images supporting multiple formats

Formats include raw, E01, and AFF.

42
Q

What is WinHex used for in digital forensics?

A

A disk editing tool that can acquire disk images and modify data

It supports raw format and its own dedicated format.

43
Q

What role does network forensics play in digital investigations?

A

To analyze network traffic and logs for forensic investigation

It is crucial for understanding communications and behaviors on networks.

44
Q

What is the purpose of using a packet analyzer like Wireshark?

A

To review captured network traffic for detailed analysis

It helps analyze packets, traffic flows, and metadata.

45
Q

Fill in the blank: Capturing all or selected network traffic often requires a direct effort to _______.

A

capture and log the data in advance

46
Q

What is a common tool used by forensic examiners to analyze network traffic?

A

Wireshark

Wireshark is a packet analyzer that allows in-depth analysis of packets, traffic flows, and metadata.

47
Q

What are taps, span ports, and port mirrors used for in network forensics?

A

They allow copies of network traffic to be sent to collection servers.

These tools help in capturing network traffic for forensic analysis.

48
Q

What types of information do most organizations rely on for forensic activities?

A

Logs, metadata, traffic flow information

This is the network information most commonly collected to support forensic activities.

49
Q

What is a key challenge when acquiring forensic information from virtual machines?

A

They often run in a shared environment.

Removing a VM can disrupt multiple servers and services.

50
Q

What is the purpose of a virtual machine snapshot in forensic analysis?

A

To provide necessary information without disrupting the shared environment.

Snapshots can be captured and imported into forensic tools.

51
Q

What challenges do containers present in forensic analysis?

A

They create fewer forensic artifacts and are designed to be ephemeral.

Capturing containers can be complex due to resource sharing.

52
Q

What is necessary to validate the integrity of acquired forensic data?

A

Creating and comparing hashes of the original and copied data.

If the hashes match, the forensic copy is identical to the original.

53
Q

What hashing algorithms are mentioned as useful for quickly hashing forensic images?

A

MD5 and SHA1

Although largely outmoded, they are still used for quick hashing.

54
Q

What is the difference between a forensic copy and a logical copy?

A

A forensic copy preserves the exact structure and content, while a logical copy does not.

Forensic copies capture deleted files, metadata, and timestamps.

55
Q

What is the role of write blockers in forensic examinations?

A

They prevent any writes to a drive or image being examined.

This ensures that the contents of the drive remain unaltered during analysis.

56
Q

What is the primary method of recovering deleted files from a drive?

A

Reviewing the drive for headers or metadata.

Deleted files often remain recoverable unless securely erased.

57
Q

What is slack space in forensic analysis?

A

Open space on a drive that may contain remnants of deleted files.

Slack space analysis can reveal previously stored data.

58
Q

What makes data recovery from SSDs and flash media challenging?

A

Wear leveling can complicate the removal of data.

SSDs may retain data in cells marked as unusable due to wear.

59
Q

Name two major commercial forensic suites.

A
  • FTK
  • EnCase

Autopsy is also a notable open-source forensic suite.

60
Q

What is the importance of timelines in forensic analysis?

A

They help identify when filesystem changes and events occurred.

Timelines can assist in connecting activities to specific incidents.

61
Q

What can happen if time settings on machines are incorrect during forensic analysis?

A

It can lead practitioners to incorrect conclusions about events.

Different timestamps can cause confusion in investigations.

62
Q

True or False: A logical copy of a drive matches the exact state of the drive from which it was copied.

A

False

A logical copy does not preserve the exact structure or deleted content.

131
Q

What is the key product of the forensic process?

A

The report produced at the end of the forensic process

This report summarizes the findings and analysis of digital artifacts and evidence.

132
Q

What should forensic reports contain?

A

Relevant information without delving into every technical nuance

The goal is to make the report useful for the intended audience.

133
Q

What does a typical forensic report include?

A
  • A summary of the forensic investigation and findings
  • An outline of the forensic process
  • Sections detailing findings for each device or drive
  • Recommendations or conclusions in more detail

Each section is critical for understanding the investigation and its outcomes.

134
Q

Why is accuracy critical in forensic reporting?

A

Findings must be shared accurately and conclusions backed up with evidence

Inaccuracies can undermine the credibility of the forensic investigation.

135
Q

What additional documentation may forensic practitioners provide?

A

A report with full detail of the analysis

This is part of their documentation package.

136
Q

What does the Security+ exam outline include regarding forensic processes?

A

Acquisition, preservation, and reporting aligned with incident response activities

Understanding these processes is crucial for effective incident response.

137
Q

Fill in the blank: A forensic report provides a summary of the forensic investigation and _______.

A

findings

This summary is essential for conveying the results of the investigation.

138
Q

True or False: A forensic report should include every technical detail found during the investigation.

A

False

The report should focus on relevant information instead.

139
Q

What should be included in the outline of the forensic process in a report?

A
  • Tools used
  • Assumptions made about the tools or process

This helps contextualize the findings and the methodology used.

140
Q

What is the primary use of digital forensics in most organizations?

A

Legal cases, internal investigations, and incident response (IR)

141
Q

In addition to legal cases, what other efforts does digital forensics support?

A

Strategic intelligence and counterintelligence efforts

142
Q

What key tool has become essential for national defense and intelligence groups?

A

The ability to analyze adversary actions and technology

143
Q

What can forensic capabilities be used for in intelligence operations?

A

Recovering data from systems and devices

144
Q

What types of tools are used by both traditional forensic practitioners and intelligence organizations?

A

Many of the same forensic tools

145
Q

What advanced methods are required by intelligence and counterintelligence organizations?

A

Breaking encryption, analyzing software and hardware, recovering data from resistant systems

146
Q

True or False: The Security+ exam will quiz you on specific intelligence and counterintelligence tools or techniques.

A

False

147
Q

Fill in the blank: Forensic techniques play an important role in both _______ and counterintelligence communities.

A

strategic intelligence

148
Q

What types of systems and devices do forensic practitioners recover data from?

A

Systems and devices designed to resist or prevent tampering