1D - Understanding Digital Forensics Flashcards
What is digital forensics?
Used by police when investigating crimes to find digital evidence that can secure a conviction
What is the Forensic Process 19, proposed by NIST?
Four cyclical phases:
- Collection: examined, extracted, converted into format for forensic investigation
- Examination: carried out by forensic tool
- Analysis: analyse and transform into information that can be used as evidence
- Reporting
What are the principles in forensic investigation? Describe each
- Admissibility - must be relevant to the disputed fact and must not violate any laws or legal statutes
- Order of volatility - secure the most perishable evidence first
What is the volatile evidence in a web-based attack?
Capturing the network traffic
What is the order of volatility for a host-based attack?
- CPU Cache - a fast block of volatile memory used by the CPU
- Random Access Memory (RAM) - volatile memory used to run applications
- Swap / Page File / Virtual Memory - used for running applications when RAM is totally exhausted
- Hard Drive - data at rest, used for storage
Which command line tool shows evidence that disappears upon reboot?
netstat
What is e-discovery?
Collection, review and interpretation of electronic documents on hard disks, USB drives and other forms of storage.
What is the chain of custody?
Lists the evidence and who has handled it along the way
What to do when evidence is collected?
Bag, tie, tag - ensuring no tampering. Record it in the evidence log
What is data provenance?
The chain of custody has been carried out properly and the original, untampered data has been presented to the court
What is legal hold?
Process of protecting any documents that can be used in evidence from being altered or destroyed.
What can legal hold be known as?
Litigation hold
What is data acquisition?
Process of collecting all of the evidence from devices such as USB flash drives, cameras, computers and data in paper format (letters / bank statements etc).
What are artifacts?
Evidence that is invisible to the naked eye
Examples of artifacts?
Log files, registry hives, DNA, fingerprints, fibres of clothing