3 - Digital Investigation Process

Question 1

Kruse & Heiser

Answer 1

Assessment
Acquisition
Analysis
Reporting

Question 2

Assessment

Answer 2

Short: prepare plan of action and find potential sources of evidence
Define the scope and likely venue of examination
Collect legal documentation needed
Determine sources of evidence

Question 3

Acquisition

Answer 3

All issues of legal search & seizure are followed, integrity was preserved, evidence is authentic and as complete as possible

Question 4

Issues with chain of custody

Answer 4

incomplete
inconsistent dates
custodian is not competent or authorized

Question 5

Checksum/One-way hash/Digital signature

Answer 5

Checksum and hash easy to compute
Checksum fast but low assurance
Hash does not bind but is more secure
Digital binds and secures more but more slow and must protect key

Question 6

Analysis

Answer 6

Extract all material evidence, inculpatory and exculpatory

Question 7

Types of evidence

Answer 7

Overt
Hidden
Deleted
Anti-forensic

Question 8

Forms of offense reconstitution

Answer 8

Temporal
Relational
Functional

Question 9

Reporting

Answer 9

General Case documentation
Procedural documentation
Process documentation
Case timeline
Evidence chain of custody

Question 10

Casey 2001

Answer 10

Identification/assessment
Collection/Acquisition
Preservation
Examination
Analysis
Reporting

Question 11

Limitations of models

Answer 11

Complexity
Rigidness
Incompleteness

Question 12

Scientific method

Answer 12

Simple, flexible, methodological

Steps: observation, hypothesis, testing, conclusions