1D - Understanding Digital Forensics Flashcards

1
Q

What is digital forensics?

A

Used by police when investigating crimes to find digital evidence to secure conviction

2
Q

What is the Forensic Process 19, proposed by NIST?

A

Four cyclical phases:

  1. Collection: media is examined, data extracted and converted into a format suitable for forensic investigation
  2. Examination: carried out by a forensic tool
  3. Analysis: analyse and transform the data into information that can be used as evidence
  4. Reporting
3
Q

What are the principles in forensic investigation? Describe each

A
  1. Admissibility - must be relevant to the disputed fact and must not violate any laws or legal statutes
  2. Order of volatility - secure the most perishable evidence first
4
Q

What is the volatile evidence in a web-based attack?

A

Capturing the network traffic

5
Q

What is order of volatility for a host based attack?

A
  1. CPU Cache - a fast block of volatile memory used by the CPU
  2. Random Access Memory (RAM) - volatile memory used to run applications
  3. Swap / Page File / Virtual Memory - used for running applications when RAM is totally exhausted
  4. Hard Drive - data at rest, used for storage
6
Q

Command line tool that disappears upon reboot?

A

netstat

7
Q

What is e-discovery?

A

Collection, review and interpretation of electronic documents on hard disks, USB drives and other forms of storage.

8
Q

What is the chain of custody?

A

Lists the evidence and who has handled it along the way

9
Q

What to do when evidence is collected?

A

Bag, tie, tag - ensuring no tampering. Record it in the evidence log.

10
Q

What is data provenance?

A

The chain of custody has been carried out properly and the original, untampered data has been presented to the court.

11
Q

What is legal hold?

A

Process of protecting any documents that can be used in evidence from being altered or destroyed.

12
Q

What can legal hold be known as?

A

Litigation hold

13
Q

What is data acquisition?

A

Process of collecting all of the evidence from devices such as USB flash drives, cameras, computers and data in paper format (letters / bank statements etc).

14
Q

What are artifacts?

A

Evidence that is invisible to the naked eye.

15
Q

Examples of artifacts?

A

log files, registry hives, DNA, fingerprints, fibres of clothing

16
Q

What is the time offset?

A

The regional time

17
Q

What is time normalisation?

A

Time from different zones is corrected to a common time zone so that events can be put into a meaningful sequence.

18
Q

What 3 time stamps are given on files?

A

When they were

  • created
  • last modified
  • last accessed
19
Q

What are forensic copies?

A

When data is collected, a forensic copy is taken for analysis so that the original data can remain unaltered.

20
Q

How do you ensure data integrity of forensic copies or other data?

A

Hashing at the beginning and at the end, and ensuring that the hashes match.

21
Q

7 Types of evidence?

A
  1. Capturing system images
  2. Firmware - the source code from the developer must be compared against the current source code by a coding expert.
  3. Snapshots - VMs.
  4. Screenshots - of applications or viruses on desktops
  5. Network traffic and logs
  6. Videos (CCTV)
  7. Interviews (of witnesses)
22
Q

Types of network traffic and logs to collect?

A

Firewall, NIPS, NIDS. A SIEM can collate the entries.

23
Q

What does SIEM stand for?

A

Security Information Event Management (SIEM)

24
Q

Describe measures for preservation of data?

A

Taking copies to keep original data untampered
Taking and checking hashes
Putting a copy of vital evidence on a WORM drive (cannot delete data)
Write-protecting storage drives

25
Q

Examples of recovery steps?

A

Recovering from backup
Hot-sites / cold-sites
Purchasing additional hardware if original is damaged

26
Q

What is strategic intelligence / counterintelligence gathering?

A

Different governments exchange data about cyber criminals so that they can work together to reduce threats.

27
Q

What is active logging?

A

Active monitoring and logging of changes.

28
Q

What does a SIEM do?

A

Real-time monitoring and collating entries in log files.

29
Q

What are the stages of the Cloud Forensic Process 26 (2012)

A

Stage A - Verify the purpose of cloud forensics
Stage B - Verify the type of cloud service
Stage C - Verify the type of technology behind the cloud
Stage D - Verify the role of the user and negotiate with the CSP to collect all the evidence required

30
Q

What is a CSP?

A

Cloud Service Provider

31
Q

Why is the collection of forensic evidence more difficult in the cloud?

A

CSPs create virtual machines and destroy them on a regular basis.

32
Q

What does the forensic team need to consider in discussions with a CSP?

A
  1. State reasons for the collection of evidence
  2. Rely on the CSP to send them the correct evidence

33
Q

What is a Right-to-Audit clause?

A

The auditor can visit the premises of the supply-chain contractor without notice and inspect the contractor's books and records to ensure that the contractor is complying with its obligations under the contract.

34
Q

What can a Right-to-Audit clause help identify? (7)

A
  1. Faulty or inferior quality of goods
  2. Short shipments
  3. Goods not delivered
  4. Kickbacks
  5. Gifts and gratuities to company employees
  6. Commissions to brokers and others
  7. Services allegedly performed that weren’t needed in the first place, such as equipment repairs
35
Q

What was the CLOUD ACT 2018?

A

Following the problems that the FBI faced in forcing Microsoft to hand over data stored in Ireland.

Allows U.S. law enforcement, through a warrant, subpoena or court order, to access electronically-stored communications data located outside the United States, provided that the information sought is relevant and material to an ongoing criminal investigation.

36
Q

What is COPOA?

A

Overseas production act.

Allows the UK to seek data stored overseas as part of a criminal investigation.

37
Q

Data sharing agreements between countries?

A

US & UK (2019)

US & EU (2016)

38
Q

Data breach notification / laws?

A

EU: GDPR - must be reported within 72 hours.

Fines > £10M