4.5 Explain the Key Aspects of Digital Forensics Flashcards

1
Q

Documentation and Evidence

A

When collecting documentation and evidence, it’s essential to follow specific procedures to ensure that the evidence is admissible in a court of law. If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.

2
Q

Legal hold

A

A legal hold refers to a court order to maintain different types of data as evidence. As an example, imagine that ZiffCorp is being sued for fraud and the Securities and Exchange Commission is investigating ZiffCorp. A court orders them to maintain digital and paper documents for the past three years related to the case. ZiffCorp now needs to take steps to preserve the data.

3
Q

Video

A

Video surveillance methods such as closed-circuit television (CCTV) systems are often used as a detective control during an investigation. If a person is recorded on video, the video provides reliable proof of the person’s location and activity. For example, if a person is stealing equipment or data, the video might provide evidence of the theft.

4
Q

Admissibility

A

If personnel don’t follow proper procedures, the evidence won’t be admissible. Following proper procedures also ensures that personnel control the evidence after collecting it, maintaining an unaltered original.

5
Q

Chain of custody

A

A chain of custody is a process that provides assurances that evidence has been controlled and appropriately handled after collection. Forensic experts establish a chain of custody when they first collect evidence.

6
Q

Timeline or sequence of events

A

Digital forensic analysis typically tries to determine the timeline of an event. If the incident results in a data breach or ransomware spread throughout a network, investigators try to determine how the attacker got in. Today, the first failure is often a user responding inappropriately to a phishing email. By identifying the first failure in the incident, it becomes easier to make recommendations to prevent such a failure in the future.

7
Q

Time stamps

A

Log entries include timestamps, so anyone reading the logs can determine when the event occurred.

8
Q

Time offsets

A

However, it’s essential to consider time offsets based on how the timestamps are recorded.

Imagine you live in Virginia Beach and you see a server log entry of 12:01. You might assume that this indicates 12:01 Eastern Standard Time (EST), but if it’s in the winter months, it may be Eastern Daylight Time (EDT). However, the server may be in the cloud and physically located in Las Vegas, which follows Pacific Standard Time (PST) and Pacific Daylight Time (PDT) in the winter months. If you compare this log entry with a log entry on a server located in Pensacola, you need to consider Central Standard Time (CST) and Central Daylight Time (CDT). To simplify this, many servers use Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC). Neither GMT nor UTC observes daylight saving time, and both are based on the time at the Royal Observatory in Greenwich, London.

9
Q

Tags

A

After an item is identified as possible evidence, it needs to be tagged. This can be a formal document, but it’s more common to be something simple, such as a sticker. The tag is placed on the item with the date, time, and name of the person placing the tag. It’s also common to include a control number that can be included in a chain of custody.

10
Q

Reports

A

After analyzing all the relevant evidence, digital forensic experts create a report documenting their findings. These often document the tactics, techniques, and procedures (TTP) used in an attack.

11
Q

Event Logs

A

A forensic investigation often includes an analysis of available logs. This information helps the investigators re-create events leading up to and during an incident. This can be as simple as looking at event logs on computers, or device logs on routers and firewalls.

12
Q

Interviews

A

Another element of an investigation is interviewing witnesses. Witnesses provide firsthand reports of what happened and when it happened. However, witnesses won’t necessarily come forward with relevant information unless someone asks them. Often witnesses don’t recognize what information is valuable.

13
Q

Acquisition

A

When performing data acquisition for digital forensics, it’s important to follow specific procedures to ensure that the data is not modified. In many cases, this ensures that the evidence is preserved in case it is needed in a legal proceeding.

14
Q

Order of Volatility

A

Order of volatility refers to the order in which you should collect evidence. Volatile doesn’t mean it’s explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.

15
Q

Disk

A

Data files are stored on local disk drives, and they remain there even after rebooting a system.

16
Q

RAM

A

Data in RAM is used by the operating system (OS) and applications.

17
Q

Swap or pagefile

A

A swap file (sometimes called a pagefile) is stored on the system disk drive and acts as an extension of RAM. However, the pagefile isn’t a typical file, and the system rebuilds the pagefile when rebooting. This makes the pagefile more volatile than other files stored on hard drives.

18
Q

OS

A

OS forensics refers to the process of collecting data from the OS. This includes things like the cache, RAM, swap file, and artifacts. It can also include much more depending on the operating system. As an example, the Windows Registry includes a wealth of information on installed applications and holds user data to enhance the user experience.

19
Q

Device

A

Mobile device metadata is often a treasure trove of evidence for investigators. It includes users’ location (tracked through apps), who they called, who called them, who they messaged, and who messaged them, website history, and more.

20
Q

Firmware

A

Firmware forensic methods are useful when a forensic specialist suspects malware has infected firmware. It starts by extracting the firmware code. It then attempts to reverse engineer the code to discover what it is doing. In some cases, the firmware has a backdoor embedded in it that attackers can exploit. In other cases, the firmware has malicious code embedded within it.

21
Q

Snapshots

A

Security experts sometimes use snapshots to capture data for forensic analysis. Various tools are available to capture snapshots of memory (including cache memory), disk contents, cloud-based storage, and more.

22
Q

Cache

A

This is data in cache memory, including the processor cache and hard drive cache. Data in the cache is removed as new data is used.

23
Q

Network

A

Networks typically have servers and shared folders accessible by users and used to store log files. These remote systems often have more robust backup policies in place, making them the least volatile.

24
Q

Artefacts

A

Forensic artifacts are pieces of data on a device that regular users are unaware of, but digital forensic experts can identify and extract. In general, logs and data files show direct content, but the artifacts are not so easy to see.

25
Q

On-premises vs. cloud

A

Digital forensics can be challenging enough when all the evidence is on-premises. When an organization uses cloud resources, it can add additional risks. Anytime an organization contracts with a cloud provider, the cloud provider becomes a third-party source providing the service. This includes when the cloud provider holds data or provides any type of service.

26
Q

Right to Audit Clauses

A

Cloud providers are expected to take precautions to protect any data they maintain in the cloud and ensure all the services they provide are secure. This isn’t always apparent, so more and more customers are demanding a right to audit clause be included in a contract. This allows a customer to hire an auditor and review the cloud provider’s records.

27
Q

Regulatory Jurisdiction

A

If all data and resources for ZiffCorp are contained and processed within a single building in Virginia Beach, Virginia, the regulatory jurisdiction is clear. The company must comply with relevant U.S. laws, Virginia laws, and Virginia Beach laws. However, if ZiffCorp contracts with a cloud provider to store data, things change. Imagine that the cloud provider’s headquarters are in San Jose, California, but it runs data centers across the United States and in Canada to hold the data. At this point, ZiffCorp is now responsible for complying with the laws in any location used by the cloud provider.

28
Q

Data Breach Notification Laws

A

Data breach notification laws require organizations to notify customers about a data breach and take steps to mitigate the loss. When the data is stored in the cloud, this could require notification based on several different laws.

29
Q

Integrity

A

Hashes and checksums are important elements of forensic analysis to provide proof that collected data has retained integrity.

30
Q

Hashing/checksum

A

Hashing and checksums allow you to prove that the analyzed copy of data is the same as the original data. This is required if the evidence needs to be admissible in a court of law.

31
Q

Provenance

A

Provenance refers to tracing something back to its origin. In the context of digital forensics

32
Q

Preservation

A

Following proper acquisition procedures ensures that the evidence is preserved in case it is needed in a legal proceeding.

33
Q

E-discovery

A

Electronic discovery, or eDiscovery, is the identification and collection of electronically stored information. This includes files of any kind, voice mail, social media entries, and website data.

34
Q

Data recovery

A

Generically, data recovery refers to restoring lost data, such as restoring a corrupt file from a backup. In the context of forensics, data recovery goes further. Even without backups, it’s often possible to recover data that a user has intentionally or accidentally deleted.

35
Q

Non-repudiation

A

Non-repudiation is protection against an individual who falsely denies having performed a certain action. It provides the capability to determine whether an individual took a certain action, such as creating information, sending a message, approving information, or receiving a message.

36
Q

Strategic Intelligence and Counterintelligence

A

Intelligence is the ability to learn by acquiring new knowledge and skills. Digital forensic intelligence refers to knowledge and information which has value to investigative personnel and has been gathered using digital forensic methods and techniques.

Generically, strategic intelligence refers to collecting, processing, and analyzing information to create long-term plans and goals. Digital forensics strategic intelligence is collecting, processing, and analyzing digital forensic data to create long-term cybersecurity goals.

Counterintelligence activities assume that attackers are also using strategic intelligence methods. It refers to any activities designed to prevent or thwart spying, intelligence gathering, or attacks.