1D - Understanding Digital Forensics

Question 1

What is digital forensics?

Answer 1

Used by police when investigating crimes to find digital evidence to secure conviction

Question 2

What is the Forensic Process 19, proposed by NIST?

Answer 2

Four cyclical phases:

1. Collection: examined, extracted, converted into format for forensic investigation
2. Examination: carried out by forensic tool
3. Analysis: analyse and transform into information that can be used as evidence
4. Reporting

Question 3

What are the principles in forensic investigation? Describe each

Answer 3

1. Admissibility - must be relevant to the disputed fact and does not violate any laws or legal statutes
2. Order of volatility - secure the most perishable evidence first

Question 4

What is the volatile evidence in a web-based attack?

Answer 4

Capturing the network traffic

Question 5

What is order of volatility for a host based attack?

Answer 5

1. CPU Cache - a fast block of volatile memory used by CPU
2. Random Access Memory (RAM) - volatile memory used to run applications
3. Swap / Page File / Virtual Memory - used for running applications when RAM is totally exhausted
4. Hard Drive - Data at rest for storing

Question 6

Command line tool that disappears upon reboot?

Answer 6

netstat

Question 7

What is e-discovery?

Answer 7

Collection, review and interpretation of electronic documents on hard disks, USB drives and other forms of storage.

Question 8

What is the chain of custody?

Answer 8

Lists the evidence and who has handled it along the way

Question 9

What to do when evidence is collected?

Answer 9

Bag, tie, tag - ensuring no tampering. Log in evidence log

Question 10

What is data provenance?

Answer 10

Chain of custody has been carried out properly and the original untampered data has been presented to the court

Question 11

What is legal hold?

Answer 11

Process of protecting any documents that can be used in evidence from being altered or destroyed.

Question 12

What can legal hold be known as?

Answer 12

Litigation hold

Question 13

What is data acquisition?

Answer 13

Process of collecting all of the evidence from devices such as USB flash drives, cameras, computers and data in paper format (letters / bank statements etc).

Question 14

What are artifacts?

Answer 14

Evidence that is invisible to the naked eye?

Question 15

Examples of artifacts?

Answer 15

log files, registry hives, DNA, fingerprints, fibres of clothing

Question 16

What is the time offset?

Answer 16

The regional time

Question 17

What is time normalisation?

Answer 17

Time from different zone is corrected to a common time zone so that it can be put into a meaningful sequence

Question 18

What 3 time stamps are given on files?

Answer 18

When they were

• created
• last modified
• last accessed

Question 19

What are forensic copies?

Answer 19

When data is collected, a forensic copy is taken for analysis so that the original data can remain unaltered

Question 20

How do you ensure data integrity of forensic copies or other data?

Answer 20

Hashing at beginning and end and ensuring that they match

Question 21

7 Types of evidence?

Answer 21

1. Capturing system images
2. Firmware - must compare source code from developer against current source code b a coding expert.
3. Snapshots - VMs.
4. Screenshots - of applications or viruses on desktops
5. Network traffic and logs
6. Videos (CCTV)
7. Interviews (of witnesses)

Question 22

Types of network traffic and logs to collect?

Answer 22

Firewall, NIPS, NIDS. SIEM can collate entries

Question 23

What does SIEM stand for?

Answer 23

Security Information Event Management (SIEM)

Question 24

Describe measures for preservation of data?

Answer 24

Taking copies to keep original data untampered
Taking and checking hashes
Putting a copy of vital evidence on a WORM drive (cannot delete data)
Write-protecting storage drives

Question 25

Examples of recovery steps?

Answer 25

Recovering from backup
Hot-sites / cold-sites
Purchasing additional hardware if original is damaged

Question 26

What is strategic intelligence / counterintelligence gathering?

Answer 26

Different governments exchange data about cyber criminals so that they can work together to reduce threats

Question 27

What is active logging?

Answer 27

Active monitoring and logging of changes.

Question 28

What does a SIEM do?

Answer 28

Real-time monitoring and collating entries in log files.

Question 29

What are the stages of the Cloud Forensic Process 26 (2012)

Answer 29

Stage A - Verify the purpose of cloud forensics
Stage B - Verify the type of cloud service
Stage C - Verify the type of technology behind the cloud
Stage D - Verify the role of the user and negotiate with the CSP to collect all the evidence required

Question 30

What is a CSP?

Answer 30

Cloud Service Provider

Question 31

Why is the collection of forensic evidence more difficult in the cloud?

Answer 31

CSPs create virtual machines and destroy them on a regular basis

Question 32

What does the forensic team need to consider in discussions with a CSP?

Answer 32

1. State reasons for the collection of evidence

2. Rely on the CSP to send them the correct evidence

Question 33

What is a Right-to-Audit clause?

Answer 33

Auditor can visit the premises of supply-chain without notice and inspect the contractor’s books, records to ensure that the contractor is complying with its obligation under the contract.

Question 34

What can a Right-to-Audit clause help identify? (7)

Answer 34

1. Faulty or inferior quality of goods
2. Short shipments
3. Goods not delivered
4. Kickbacks
5. Gifts and gratuities to company employees
6. Commissions to brokers and others
7. Services allegedly performed that weren’t needed in the first place, such as equipment repairs

Question 35

What was the CLOUD ACT 2018?

Answer 35

Following problems that FBI faced in forcing Microsoft to hand over stored data in Ireland.

Allows U.S. law enforcement through a warrant, subpoena or court order to access electronically-stored communications data located outside the United States provided that the information sought is relevant and material to an ongoing criminal investigation

Question 36

What is COPOA?

Answer 36

Overseas production act.

Allows UK to seek data stored overseas as part of criminal investigation.

Question 37

Data sharing agreements between countries?

Answer 37

US & UK (2019)

US & EU (2016)

Question 38

Data breach notification / laws?

Answer 38

Eu: GDPR - must be reported within 72 hours.

Fines > £10M