20 first questions Flashcards
Discuss and reason about the similarities and differences between the following:
Digital Forensics and Security
Similarities:
How to make data & information secure by following implemented procedures. They can depend on each other.
Differences:
DF is about how the security has been violated, finding the flaws.
Discuss and reason about the similarities and differences between the following:
Digital Forensics and Auditing
Similarities:
Both are reactive
Both are done by external examiners
Differences:
Auditing can be done at any time; DF is mostly used after an occurrence.
Discuss the concept of quality assurance in the context of digital evidence and
digital forensic examination. What are the key components of QA.
Digital evidence: Integrity, Understandable, Admissible, Probative, Reliable, Accurate, Reproducible, Legally accepted
Please enumerate the three main computer crime categories and explain their
characteristics. Give an example for each one of the categories
Computer as target
Computers that have been hacked (object)
Computer as data storage
Storing child pornography, stolen passwords (object)
Computer as tool
For committing a crime (subject)
Explain briefly the Locard’s principle? Provide at least two ways how
Locard’s principle might affect a digital event scene?
The perpetrator of a crime will both bring something to the crime scene and leave something behind.
- The perpetrator steals an identity via a Trojan horse on a computer: there may be many traces (the Trojan itself, logs, changed passwords)
- A USB stick is inserted to steal something: the registry records the USB insertion time and serial number
What are hypothesis formation and evaluation in the context of DFI?
The process of scientific methodology used to proceed with the case.
A necessary start; a hypothesis may be proved or disproved.
To prove a hypothesis we perform multiple tests & experiments. If it is not successful, form another hypothesis and evaluate that one.
What are the essential characteristics of the CFSAP model?
Secure - obtain a copy of valuable data and store it safely
Analyze - use correct tools and methodology to analyze it in order to obtain evidence
Present - collect and present the evidence, making it understandable to the court
Computer Forensics Secure Analyze Present
Important about CFSAP: it is an iterative process of collecting and analyzing data.
Contrast live vs. frozen system processing with respect to digital forensic
examination. Pros and cons. Provide examples
Live:
Evidence changes in the live system
Duplicate main memory before doing other operations
Maximum info to be preserved (RAM passwords, encryption keys, open connections)
Observe the order of volatility
Frozen:
Prevents errors committed after the reported incident
May destroy evidence and ongoing processes
Malware that only resides in memory is handled easily using a live-forensics dump of RAM; this is more difficult when the system is frozen
What does the property of preimage resistance mean in a context of a hashing
function?
That it is computationally infeasible to find the original message from the hash value. A one-way operation.
What does it mean to forensically “wipe clean” an acquisition drive? Please
explain the ramifications of a forensically clean drive.
No data can be recovered or carved from a wiped-clean drive.
All the deleted files are overwritten; a tool like Eraser can be used to do this.
State the digital evidence extraction/acquisition hierarchy
Manual, Logical, Physical, Chip-off, Micro read
Start from the lowest level, extracting as much data as possible manually (collect evidence)
What is meant by the term “Order of Volatility”? Why is it an important
principle to apply in a forensic acquisition
While collecting evidence, the order of volatility should be maintained: start with the most volatile memory on a system.
Cache is more volatile than RAM; RAM is more volatile than the drive.
Less chance of data loss.
Explain the concept of a ‘file header’ and discuss to what extent it can be
trusted as an indicator of a file’s contents
Info stored before the actual data of the file. Tells the type (png, mp3, gif); a kind of metadata about the file.
Can be manipulated, like in the lab with the mp3.
Why in the Windows operating system there is a difference between Logical
file size and Physical file size? What causes such a difference to appear
Every file has a logical and a physical size. Physical is larger than or equal to logical.
It is because of how the system allocates space for files: space is arranged in clusters, and not all clusters are completely filled = slack space.
Briefly describe the usage of $LogFile
An MFT record
Data is persistent in the log file
Used in recovery in case of failure in the MFT
Keeps track of transactions
What type of information can be retrieved from Standard Information
Attribute?
What type of information can be retrieved from File Name
Attribute?
SIA: attribute in the MFT. Holds info about files: date-time stamps (modification, access, creation). Frequently changed.
FNA
Name, size, parent directory
Date-time stamps not as frequently updated; maybe only the creation date
Differentiate between Metadata and File System Metadata?
Metadata: data about data. Tells the characteristics of a file
File system metadata: generic to all the files on that file system; file permissions, security policy
What is the importance of Thumbnail Cache in a Windows XP system for an
investigator?
When you view images, a separate file, thumbnail.db, is created. It contains metadata about the images.
If all images on a computer are deleted, one might still find them here.
In operating systems using NTFS, the term “slack space“ is a very well known
phenomenon. Explain what it is and how it can be used in the context of
digital forensic investigations.
The “unused” space in a cluster. A cluster has a fixed size.
Sometimes it contains data the user has deleted.
Name one important forensic artifact that is present in a Windows 10 system,
and what evidentiary value it could hold.
Cortana artefacts - recorded activity, geolocation, timestamps
If a Unix user tends to use a command line interface how might a systems
administrator easily review what that user had been doing on the system recently
By entering the “history” command
With respect to content of this course; What is the definition of evidence on an overarching level?
With respect to the definition of evidence, what is the definition of the following:
e-Evidence or Digital evidence?
Evidence - includes everything that is used to determine and demonstrate the truth of a statement
E-evidence - valuable info stored or transmitted in digital form that can be used at trial
The seven major types of evidence that have been presented during this course?
Please list and briefly explain the various types of evidence.
Circumstantial - not direct, but can indicate something
Direct - first-hand, e.g. a letter
Real
Hearsay - obtained outside of court but reproduced in court
Documentation - documents
Testimony - produced by a person in front of the court
Original
(Expert is a witness)
What is the major goal or purpose of a forensic examination process?
A) Which are the important attributes of the gathered evidence in order to maintain the forensic soundness of the evidence?
B) Why are these attributes so important?
To perform a structured investigation while maintaining a documented chain of custody, to find out what happened and who is responsible.
A) Understandable, Integrity, Reliable, Accurate, Reproducible, Legally accepted
B) To be admissible and probative, and able to be used in court
Please provide an overarching description of the concept of data recovery. Also describe the following in more detail:
A) What various actions or processes can cause the need of data recovery?
B) Is the process of data recovery always the same? Explain and elaborate.
Trying to recover deleted or partially overwritten files.
What is residual data?
Data that is left after deleting something (e.g. a program), such as when the link file of the program is still on the computer