4.5 Digital Forensics Flashcards

1
Q

Define legal hold

A

A legal notice requiring preservation of specific data until a specific date or until notified that it is no longer required

2
Q

Admissibility of digital evidence

A

All digital evidence must be collected and secured against tampering per local laws to ensure it can be used in court proceedings

3
Q

Chain of custody

A

Documentation of every access to the data and everything done with it after collection, to ensure that it has not been altered

4
Q

For chain of custody, how can one ensure that the data has not been altered?

A

By using hashing

5
Q

Time stamps

A

It is important to know which time zone the system used for file timestamps. For example, the FAT file system uses the local time zone set on the device, while NTFS uses GMT

6
Q

Time offsets

A

The OS may have time offset settings configured for different components. These must be checked to know what the various time stamps really mean

7
Q

How is order of volatility relevant to digital data collection for forensics?

A

Data may not be preserved for long, depending on the component that stores it, so collection must start with the most volatile data.

8
Q

Order of Volatility (4)

A
  1. CPU - registers, cache
  2. Router tables, ARP cache, process tables, and anything stored in system memory
  3. Temporary files
  4. Hard drives, configuration data
9
Q

How to preserve disk data?

A

Make a bit-for-bit exact copy of the drive, and keep that copy write-protected

10
Q

How to preserve memory data?

A

Use a third-party tool that writes a memory dump to more permanent storage

11
Q

How to preserve swap/page file

A

Swap/page files provide virtual memory that is actually stored on disk, so they must be included when taking the memory dump

12
Q

OS information that must be preserved but will be lost when generating an image of the drive (4)

A
  1. Logged-in users
  2. Open ports
  3. Running processes
  4. Any attached devices
13
Q

Preserving data from mobile devices

A

Can connect via USB to create an image of the device

14
Q

Firmware data for forensics

A

Examining a device's firmware can show whether it was compromised and used to enable an attack

15
Q

How is VM data preserved?

A

Snapshot

16
Q

Define cache relative to forensics (3)

A
  1. Many applications & components store temporary data in a cache
  2. May be very volatile or not volatile
  3. Must be sure to preserve any cache information
17
Q

Define network data gathering for forensics

A

Various network data can be gathered from devices, such as connections and packet captures, depending on the type of device

18
Q

Define artifacts relative to forensics

A

Artifacts are bits and pieces of data in miscellaneous places

19
Q

How does use of cloud-based services complicate gathering forensic data? (3)

A
  1. You don't have physical access to or possession of the data
  2. Rules and regulations may differ from your local rules and regulations, depending on where the data is actually stored
  3. Access to the data might be denied if it is stored in a different country
20
Q

Define right to audit clause and its importance

A

When initiating a relationship with a cloud service provider, the terms and conditions for accessing and auditing the data should be defined before using the service

21
Q

Define relevance of data breach notification laws

A

Depending on where the data is stored, or the locale of the people who provided it, data breach notification laws and requirements may differ greatly

22
Q

Define relevance of checksums in forensics

A

A way to verify that data transmitted over a network wasn't altered in transit. Not designed to replace hashing, but offers a simple integrity check

23
Q

Define provenance

A

The original source of the data

24
Q

Considerations for preservation of data (3)

A
  1. Must be an exact copy of the data
  2. Powering off a system could destroy some data
  3. If the drive is encrypted, it must be accessed from the live system rather than removed
25
Q

Define e-Discovery

A

Gathering (not analyzing or altering) information requested by authorities and providing it to them

26
Q

Define data recovery

A

Recovering data that was deleted, or recovering data from a physically damaged storage device

27
Q

2 ways to provide non-repudiation relative to forensics

A
  1. MAC - a message authentication code known privately by the communicating parties
  2. Digital signatures
28
Q

Define strategic intelligence

A

Gathering information about a specific target with a specific goal in mind

29
Q

Define strategic counter-intelligence

A

Gathering information about a source performing strategic intelligence on you