1D - Understanding Digital Forensics Flashcards
What is digital forensics?
Used by police when investigating crimes to find digital evidence to secure a conviction
What is the Forensic Process 19, proposed by NIST?
Four cyclical phases:
- Collection: examined, extracted, converted into a format for forensic investigation
- Examination: carried out by a forensic tool
- Analysis: analyse and transform the data into information that can be used as evidence
- Reporting
What are the principles of forensic investigation? Describe each.
- Admissibility - must be relevant to the disputed fact and must not violate any laws or legal statutes
- Order of volatility - secure the most perishable evidence first
What is the volatile evidence in a web-based attack?
Capturing the network traffic
What is the order of volatility for a host-based attack?
- CPU Cache - a fast block of volatile memory used by the CPU
- Random Access Memory (RAM) - volatile memory used to run applications
- Swap / Page File / Virtual Memory - used for running applications when RAM is totally exhausted
- Hard Drive - data at rest, used for persistent storage
Command-line tool whose data disappears upon reboot?
netstat
What is e-discovery?
Collection, review and interpretation of electronic documents on hard disks, USB drives and other forms of storage.
What is the chain of custody?
Lists the evidence and who has handled it along the way
What to do when evidence is collected?
Bag, tie and tag it, ensuring no tampering. Log it in the evidence log.
What is data provenance?
The chain of custody has been carried out properly and the original, untampered data has been presented to the court
What is legal hold?
Process of protecting any documents that can be used in evidence from being altered or destroyed.
What can legal hold be known as?
Litigation hold
What is data acquisition?
Process of collecting all of the evidence from devices such as USB flash drives, cameras and computers, and data in paper format (letters, bank statements, etc.).
What are artifacts?
Evidence that is invisible to the naked eye
Examples of artifacts?
Log files, registry hives, DNA, fingerprints, fibres of clothing
What is the time offset?
The regional time
What is time normalisation?
Times from different zones are corrected to a common time zone so that events can be put into a meaningful sequence
What 3 timestamps are given on files?
When they were
- created
- last modified
- last accessed
What are forensic copies?
When data is collected, a forensic copy is taken for analysis so that the original data can remain unaltered
How do you ensure data integrity of forensic copies or other data?
Hashing at the beginning and end and ensuring that the hashes match
7 Types of evidence?
- Capturing system images
- Firmware - must compare the source code from the developer against the current source code, by a coding expert.
- Snapshots - of VMs.
- Screenshots - of applications or viruses on desktops
- Network traffic and logs
- Videos (CCTV)
- Interviews (of witnesses)
Types of network traffic and logs to collect?
Firewall, NIPS and NIDS logs. A SIEM can collate the entries.
What does SIEM stand for?
Security Information Event Management (SIEM)
Describe measures for the preservation of data.
- Taking copies to keep the original data untampered
- Taking and checking hashes
- Putting a copy of vital evidence on a WORM (write once, read many) drive, from which data cannot be deleted
- Write-protecting storage drives