4.5 Flashcards

1
Q

Legal hold

A

Legal hold is the process of protecting any documents that can be used in evidence from being altered or destroyed. Sometimes, this is also known as litigation hold.

2
Q

Video

A

Capturing video: CCTV footage can be a good source of evidence for identifying attackers and the time an attack was launched, which can be vital in apprehending suspects.

3
Q

Admissibility

A

Evidence is admissible only if it is relevant to the disputed facts of the case and was obtained and handled without violating any laws or legal statutes.

4
Q

Chain of Custody

A

The chain of custody is one of the most crucial aspects of digital forensics: it documents that the evidence was collected properly and that there is no break in the record of who has held it. It starts when the evidence is collected, bagged, tied, and tagged, and it lists each item and every person who has handled it along the way, so that it can be shown the evidence has not been tampered with.

5
Q

Time Stamps

A

Each file carries timestamps showing when it was created, last modified, and last accessed. Their exact meaning depends on the file system: on Unix-like systems the "ctime" records the last metadata change rather than creation, and last-access times may not be updated at all if the system is mounted with access-time updates disabled.

6
Q

Time offset

A

When we collect evidence from computers, we should record the time offset: the offset of each machine's clock from UTC (its time zone, plus any clock skew). In a multinational investigation this lets us convert every timestamp to a common reference and put events from different machines into a single time sequence, which is known as time normalization.

7
Q

Tags

A

Physical serialized tags are attached to each item, and the tag number is used to identify a specific item. Frequently the items are then stored in anti-static bags to protect them from damage.

8
Q

Reports

A

Reports are the official descriptions of the forensic data. Reports can have a variety of elements—from pure descriptive information, such as machine/device identifiers (make, model and serial number), to information on the data, including size and hash values. Reports can also have specific elements that are derived from this information, such as a timeline, an analysis of keywords, specific artifacts, and present or missing items. An expert can opine on what these elements mean or can mean with respect to the system.

9
Q

Event logs

A

Event logs are files that record events and the times at which they occurred; over a period of time they reveal trends and patterns. Servers, desktops, and firewalls all keep event logs detailing the actions that happened on them. Once you know the time and date of an event, you can gather corroborating information from the various log files. Logs can be stored on Write-Once Read-Many (WORM) media so that they can be read but not altered.
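Time normalization in practice, as an added example that is not part of the original flashcards (it serves cards 6 and 9): the log lines and host offsets below are constructed for illustration, and the function names are this example's own. Each host's recorded UTC offset is applied to its local timestamps so that entries from three time zones sort into one sequence.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample log lines from three hosts, each stamped in its own
# local time. The per-host UTC offset (in hours) is what the responder
# records during evidence collection.
SAMPLE_LOGS = [
    # (host, recorded UTC offset, raw line: local timestamp followed by message)
    ("web-ny",   -5, "2024-03-11 09:02:15 sshd[412]: Accepted password for deploy from 203.0.113.7"),
    ("db-lon",    0, "2024-03-11 14:01:40 postgres[77]: connection authorized: user=app"),
    ("fw-tokyo",  9, "2024-03-11 23:00:58 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5"),
    ("web-ny",   -5, "2024-03-11 08:59:03 sshd[412]: Failed password for root from 203.0.113.7"),
]

def normalize(host, offset_hours, line):
    """Parse the local timestamp at the start of `line` and convert it to UTC
    using the offset recorded for that host. Returns (utc_datetime, host, message)."""
    stamp, message = line[:19], line[20:]
    local_tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return (local.astimezone(timezone.utc), host, message)

def build_timeline(entries):
    """Normalize every entry to UTC and order them into a single sequence."""
    return sorted(normalize(*e) for e in entries)

def timeline_strings(entries):
    """Render the normalized timeline as ISO-8601 UTC lines for a report."""
    return [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {h}: {m}"
            for t, h, m in build_timeline(entries)]

if __name__ == "__main__":
    for row in timeline_strings(SAMPLE_LOGS):
        print(row)
```

Read in their raw form, the Tokyo firewall drop (23:00) looks like it happened hours after the New York logins (09:02); normalized, it sits between the failed and the successful SSH attempt from the same source address. If a host's clock is also known to be skewed, fold that in as an extra timedelta before the zone conversion, and record both corrections in the evidence log.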

10
Q

Interviews

A

The police may also take witness statements to build a picture of who was involved, and may then use photo-fits so that suspects can be apprehended.

11
Q

Acquisition

A

This is the process of collecting all of the evidence from devices such as USB flash drives, cameras, and computers, as well as data in paper format such as letters and bank statements. The first step in data acquisition is to collect the volatile evidence so that it is secured before it is lost. Every item must be bagged and tagged and included in the evidence log.

12
Q

Order of Volatility

A

a. CPU cache and registers: fast blocks of volatile memory used by the CPU
b. Random Access Memory (RAM): volatile memory used to run applications
c. Swap/page file/virtual memory: disk space used for running applications when RAM is exhausted
d. Hard drive: data at rest

Order of volatility means collecting the most perishable evidence first, working down this list. In a web-based attack the network traffic in flight is the most perishable item of all, so we should capture it with a packet sniffer before anything else.

13
Q

Disk

A

A physical hard disk drive (HDD) will typically retain deleted data longer than a solid-state drive (SSD), because an SSD's TRIM and wear-leveling logic can erase freed blocks on its own. Newer file systems with journaling and shadow copies can also preserve information longer than older systems such as File Allocation Table (FAT) based ones. Raw disk blocks can often be recovered long after a file has been deleted or logically erased, because the file system only marks the space free rather than clearing it; once the blocks are actually overwritten, the old contents are gone.

14
Q

Random-access memory (RAM)

A

Random-access memory (RAM) is the working memory of the computer, holding the data and programs currently being processed by the CPU. Once limited to a single megabyte, it now commonly amounts to 4 GB or more. It holds the live state of the system and is continuously changing. Some malware exists only in RAM, and without memory acquisition and analysis you would never see it; that information is lost for good when the system is powered down.

15
Q

Swap/pagefile

A

Used for running applications when RAM is exhausted.
The swap or pagefile is a structure on a system's disk that provides temporary storage for memory needs exceeding the system's RAM capacity. The operating system manages RAM and the pagefile together, keeping in RAM what is immediately needed and moving the excess to the pagefile when RAM is full. Because this causes a performance hit, and RAM is reasonably cheap, most systems avoid it by having sufficient RAM. Forensically, the pagefile can contain fragments of process memory (including data the user never saved to a file) that survive a reboot.

16
Q

OS

A

The OS is the source of many forensic artifacts, most of which are created to make the system more responsive to user requests. Major OSs such as Microsoft Windows and Linux perform basically the same task: they enable applications to run on a system. How they do it, which artifacts are generated, and all the technical details relevant to a forensic investigation differ, so each OS requires separate and specialized treatment.

17
Q

Device

A

One of the most common device acquisitions is of USB storage devices. These devices are used to transport files between machines and are common in any case where the removal of information is suspected. A number of artifacts on the host system can be tied to USB device usage, including when the device was connected, link files and prefetch entries referring to files on it, and who was logged in to the machine at the time of use.

18
Q

Firmware

A

Firmware can be of interest in a forensic investigation when the malfunctioning of a device is an issue, as malware has been known to target firmware. Analyzing it takes a very specialized set of tools and equipment, since firmware is not readily accessible to ordinary users.

19
Q

Snapshot

A

Snapshots are common in virtual machines, providing a point in time to which the machine can be recovered. Operating systems also have adopted this technology for some of their information, using point-in-time recovery to assist in fixing problems from updates or changes to the system. This capturing of points in time can be useful to a forensic investigator because it allows a means of looking at specific content at an earlier point in time.

20
Q

Cache

A

Caches are temporary storage locations for commonly used items, designed to speed up processing. Caches exist all over computer systems as performance-enhancing items: for files, for memory, and for artifacts the OS expects to retrieve again quickly. As such they are inherently tied to a specific activity that has been done and is likely to be done again, and they can serve as evidence of those activities.

21
Q

Network

A

When investigating a web-based or remote attack, we should first capture the volatile network traffic before stopping the attack, as this will help us identify the source. In addition, we should examine the log files from the firewall, NIPS, NIDS, and any server involved. A Security Information and Event Management (SIEM) system can collate these entries and give a good picture of the attack.

22
Q

Artifacts

A

Artifacts are the traces an activity leaves behind. In digital forensics these can be log files and registry hives; in physical forensics they include DNA, fingerprints, or fibers of clothing normally invisible to the naked eye.

23
Q

On-premises vs. cloud

Right-to-audit clauses

A

By inserting right-to-audit clauses into supply chain contracts, an auditor can visit the contractor's premises without notice and inspect its books and records to ensure that the contractor is complying with its obligations under the contract. This helps identify the following:

Faulty or inferior quality of goods
Short shipments
Goods not delivered
Kickbacks
Gifts and gratuities to company employees
Commissions to brokers and others
Services allegedly performed that weren’t needed in the first place, such as equipment repairs

24
Q

On-premises vs. cloud

Regulatory/Jurisdiction

A

Whether on premises or in the cloud, there will be cases where regulatory or law enforcement actions raise jurisdictional issues. If you have your software development data in the cloud, and the servers/storage elements are in a foreign country, whose laws will apply? It is important to consult with the company’s legal counsel to understand the ramifications of data location with respect to forensics and subsequent data use.

25
Q

On-premises vs. cloud

Data Breach notification

A

Many forensic investigations are related to the theft of intellectual property, and many times that is also a breach of data protected under privacy laws.

26
Q

Hashing integrity

A

We use a technique called hashing that takes the data and converts it into a fixed-length value called a hash or message digest. Record the hash at the moment the evidence is acquired; when you later suspect changes have taken place, recompute the hash and compare it with the original. If the hash value has changed, the data has been altered.

27
Q

Checksums

A

Checksums are mathematical algorithms that produce a small check value from an incoming stream of data. Designed for error detection across small data sets, they have advantages and disadvantages. Their advantage is speed: they are cheap to compute and will always detect a single-bit error. Their disadvantage is that they miss many multi-bit errors, because a second error can cancel the effect of the first on the checksum. For the same reason they are no protection against deliberate tampering, which is why evidence integrity relies on cryptographic hashes instead.
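An added example, not from the original flashcards, serving cards 26 and 27: it records a SHA-256 digest and a simple additive checksum for a constructed, made-up piece of evidence, then shows that a compensating two-byte edit slips past the checksum while the hash catches it, and that a single-bit error is caught by both. The names acquire, verify, compensating_edit and single_bit_flip are this example's own.

```python
import hashlib

# Constructed evidence for illustration only: two account records standing
# in for a file that was bagged, tagged and hashed at acquisition.
ORIGINAL = b"ACCT:1001 BAL:00500\nACCT:1002 BAL:00300\n"

def checksum8(data: bytes) -> int:
    """Additive checksum modulo 256: the simple check value the card describes."""
    return sum(data) % 256

def sha256_hex(data: bytes) -> str:
    """Cryptographic message digest: any change to the input changes the output."""
    return hashlib.sha256(data).hexdigest()

def acquire(data: bytes) -> dict:
    """Integrity record taken at acquisition and kept with the evidence log."""
    return {"size": len(data), "sha256": sha256_hex(data), "checksum8": checksum8(data)}

def verify(data: bytes, record: dict) -> dict:
    """Recompute both values later and report which still match the record."""
    return {
        "sha256_ok": sha256_hex(data) == record["sha256"],
        "checksum8_ok": checksum8(data) == record["checksum8"],
    }

def compensating_edit(data: bytes) -> bytes:
    """Tamper so the additive checksum is unchanged: move 100 from the second
    account to the first by raising one digit and lowering another."""
    b = bytearray(data)
    b[16] += 1   # '5' -> '6': BAL:00500 becomes BAL:00600
    b[36] -= 1   # '3' -> '2': BAL:00300 becomes BAL:00200
    return bytes(b)

def single_bit_flip(data: bytes, index: int, bit: int) -> bytes:
    """Corrupt one bit, the kind of transmission error a checksum is built to catch."""
    b = bytearray(data)
    b[index] ^= 1 << bit
    return bytes(b)

if __name__ == "__main__":
    record = acquire(ORIGINAL)
    print("acquisition record:", record)
    print("untouched:         ", verify(ORIGINAL, record))
    print("compensating edit: ", verify(compensating_edit(ORIGINAL), record))
    print("single-bit flip:   ", verify(single_bit_flip(ORIGINAL, 0, 0), record))
```

In practice the digest is taken over the whole acquired image (for example with sha256sum) and written into the evidence log alongside the tag number and the handler's name, so that anyone later in the chain of custody can recompute it and show the image is unchanged.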

28
Q

Integrity Provenance

A

Provenance is a reference to the origin of data. In the case of digital forensics, it is not enough to present a specific data element as “proof”; one must also show where it came from. Provenance is specific, as in where on a file structure and where on a device; in most cases, there will be multiple representations, as in the file structure with respect to where a file resides and with respect to the OS (logical) and its location on a physical drive in sectors (physical). Provenance involves metadata, which can include timestamps, access control information, and a host of other data that can assist in determining which user did which action at what time with respect to the object.

29
Q

Preservation

A

One of the key elements of preservation is to ensure nothing changes as a result of data collection. If a machine is off, do not turn it on; the disk drives can be imaged with the machine off. Turning the machine on causes many processes to run and data elements to change. When making a forensic copy of a disk, always use a write blocker, as this prevents any changes to the media being imaged. Normal copying leaves traces behind (for example, updated access times) and a write blocker prevents these alterations.

30
Q

E-discovery

A

Electronic discovery, or e-discovery, is the term used for the document and data production requirements as part of legal discovery in civil litigation. When a civil lawsuit is filed, under court approval, a firm can be compelled to turn over specific data from systems pursuant to the legal issue at hand. Electronic information is considered to be the same as paper documents in some respects and completely different in others.

31
Q

Data Recovery

A

When the incident has been eradicated, we may have to recover data from a backup; a faster method is a hot site that is already up and running with data less than 1 hour old. We may also have to purchase additional hardware if the original hardware was damaged during the incident.

32
Q

Non-Repudiation

A

Nonrepudiation is a characteristic that refers to the inability to deny an action has taken place. This can be a very important issue in transactions via computers that involve money or things of value. Did the transaction occur and did the parties involved actually do it? These are the core questions of nonrepudiation.

33
Q

Strategic Intelligence/Counterintelligence

A

This is where different governments exchange data about cyber criminals so that they can work together to reduce threats. It is also possible for companies that have suffered an attack to log as much information as they can and have a third party specializing in incident response help them find a way to prevent recurrence.