4.5 Explain the key aspects of digital forensics. Flashcards

1
Q

Digital forensics

A

Collect and protect information relating to an intrusion so that it can support an investigation or be presented in court.
RFC 3227 - Guidelines for Evidence Collection and Archiving (best practices for acquiring, preserving and documenting evidence, including the order of volatility)

The forensic process follows a standard sequence:
1. Acquisition of data (capture it without altering the original)
2. Analysis of data
3. Reporting of findings

2
Q

Legal hold

A

A legal process used to preserve information relevant to pending or anticipated litigation
Applies to ESI (electronically stored information)
Once notified, there’s an ongoing obligation to preserve the data; normal retention and deletion schedules are suspended for it

3
Q

Capture video

A
  • A moving record of the event
    – Gathers information external to the computer and network
  • Captures the status of the screen and other volatile information
    – Today’s mobile video devices are remarkable
  • Don’t forget security cameras and your phone
  • The video content must also be archived
    – May hold some of the most important records of the incident
4
Q

chain of custody

A

Control evidence and maintain its integrity. Documents everyone who has handled the evidence, when, and why, from collection through analysis to storage.
Hashing the evidence at acquisition and at every hand-off, together with the custody log, protects against tampering and lets the evidence stand up in court.

5
Q

Describe the data volatility chart (RFC 3227 order of volatility) from most to least volatile.

A
  1. CPU registers and CPU cache
  2. Routing table, ARP cache, process table, kernel statistics, memory
  3. Temporary file systems
  4. Disk
  5. Remote logging and monitoring data
  6. Physical configuration, network topology
  7. Archival media
Collect in this order: the most volatile data is lost first (on reboot, or simply as time passes), so it is captured before anything that will still be there later.
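The two cards above (chain of custody, order of volatility) fit together in practice: artifacts are acquired most-volatile first, each capture is hashed the moment it is taken, and every later hand-off is logged. The block below is an added example written for this page, not code from the flashcards or from RFC 3227; the artifact labels, the `collector`/`evidence_locker` names and the sample bytes are constructed for illustration.

```python
"""Acquire artifacts in RFC 3227 order of volatility and keep a chain-of-custody log."""
import hashlib
from datetime import datetime, timezone

# RFC 3227 order of volatility, most volatile first (rank 0 is collected first).
VOLATILITY_ORDER = [
    "registers_cache",
    "memory_and_kernel_state",   # routing table, ARP cache, process table, kernel stats, RAM
    "temp_filesystems",
    "disk",
    "remote_logs",
    "physical_config_topology",
    "archival_media",
]
RANK = {name: i for i, name in enumerate(VOLATILITY_ORDER)}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(artifacts, collector):
    """artifacts: list of (label, volatility_class, raw_bytes), in any order.

    Returns evidence records in the order they were acquired (most volatile
    first; sorted() is stable, so items of equal rank keep their given order).
    Each record carries its SHA-256 and the opening chain-of-custody entry."""
    ordered = sorted(artifacts, key=lambda a: RANK[a[1]])
    records = []
    for label, vclass, data in ordered:
        records.append({
            "label": label,
            "volatility": vclass,
            "sha256": sha256_hex(data),      # hash taken at acquisition time
            "data": data,
            "custody": [{"action": "acquired", "by": collector, "at": _now()}],
        })
    return records


def transfer(record, from_person, to_person, reason):
    """Record a hand-off: every person who touches the evidence gets a log line."""
    record["custody"].append({
        "action": "transferred", "from": from_person, "to": to_person,
        "reason": reason, "at": _now(),
    })


def verify(record) -> bool:
    """Recompute the hash over the evidence as it exists now.
    A mismatch means the evidence was altered or corrupted after acquisition."""
    return sha256_hex(record["data"]) == record["sha256"]


def demo():
    """Constructed artifacts, deliberately listed out of order; acquire() must reorder them."""
    artifacts = [
        ("disk_image.dd", "disk", b"...constructed bytes standing in for a disk image..."),
        ("arp_cache.txt", "memory_and_kernel_state",
         b"10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n"),
        ("syslog_from_siem.txt", "remote_logs",
         b"Nov 14 10:01:02 host sshd[2211]: Accepted password for admin\n"),
        ("memory.raw", "memory_and_kernel_state", b"...constructed bytes standing in for a RAM capture..."),
    ]
    records = acquire(artifacts, collector="analyst1")
    transfer(records[0], "analyst1", "evidence_locker", "secure storage after imaging")
    return records


if __name__ == "__main__":
    for r in demo():
        print(r["label"], r["volatility"], r["sha256"][:16], "intact" if verify(r) else "TAMPERED")
```

Running the script acquires the ARP cache and RAM capture before the disk image and the remote logs, and any later change to a record's bytes makes `verify()` return False, which is exactly the signal a custody log plus hashes exists to give.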
6
Q

tcpdump

A

tcpdump is a command-line packet capture utility for Linux and other Unix-like systems (built on libpcap; WinDump is the Windows port). It displays captured packets until halted manually (Ctrl-C) and can write the raw frames to a .pcap file (-w) for later analysis in Wireshark or with tcpdump -r. Filter expressions in Berkeley Packet Filter syntax reduce what is captured and are built from three kinds of qualifiers: type (host, net, port), direction (src, dst) and protocol (tcp, udp, icmp, ip), combined with and/or/not.
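To make the .pcap file and the type/direction/protocol qualifiers concrete, the block below writes a minimal pcap (24-byte global header, then a 16-byte record header per frame) from three constructed Ethernet/IPv4 frames, reads it back, and applies the equivalent of the filter `tcp and host 10.0.0.5 and port 443`. It is an added example written for this page, not tcpdump's or libpcap's own code; the frames, addresses, ports and timestamps are constructed, and the filter is a minimal Python stand-in for BPF, not a BPF compiler.

```python
"""Write a minimal .pcap file in memory, read it back, and apply a tcpdump-style filter."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, written little-endian here
LINKTYPE_ETHERNET = 1
PROTO_NUM = {"tcp": 6, "udp": 17}


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame carrying a bare TCP (20 B) or UDP (8 B) header, no payload.
    Checksums are left at zero; this is a parsing example, not a transmittable packet."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + l4


def write_pcap(frames):
    """pcap global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length (constructed timestamps)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Return (linktype, [(ts_sec, frame_bytes), ...]) from a little-endian pcap blob."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic/byte order: %#x" % magic)
    linktype, = struct.unpack_from("<I", blob, 20)
    off, frames = 24, []
    while off + 16 <= len(blob):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        frames.append((ts_sec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, frames


def decode(frame):
    """Pull out the fields a type/direction/protocol filter needs; None if not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return {
        "proto": frame[23],                                 # IPv4 protocol byte
        "src": ".".join(str(b) for b in frame[26:30]),
        "dst": ".".join(str(b) for b in frame[30:34]),
        "sport": sport, "dport": dport,
    }


def matches(pkt, proto=None, host=None, src=None, dst=None, port=None):
    """tcpdump-style primitives: proto (tcp/udp), host (either direction),
    src/dst (direction-qualified host), port (either direction). All given terms are ANDed."""
    if pkt is None:
        return False
    if proto and pkt["proto"] != PROTO_NUM[proto]:
        return False
    if host and host not in (pkt["src"], pkt["dst"]):
        return False
    if src and pkt["src"] != src:
        return False
    if dst and pkt["dst"] != dst:
        return False
    if port and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def filter_pcap(blob, **expr):
    _linktype, frames = read_pcap(blob)
    decoded = (decode(f) for _, f in frames)
    return [p for p in decoded if matches(p, **expr)]


def sample_capture():
    """Constructed capture: three frames, only one of which is TCP/443 involving 10.0.0.5."""
    return write_pcap([
        build_frame("192.168.1.10", "10.0.0.5", 6, 51000, 443),
        build_frame("192.168.1.10", "10.0.0.5", 17, 51001, 53),
        build_frame("192.168.1.11", "10.0.0.6", 6, 51002, 443),
    ])


if __name__ == "__main__":
    for p in filter_pcap(sample_capture(), proto="tcp", host="10.0.0.5", port=443):
        print(p)
```

The same blob could be written to disk and opened with `tcpdump -r` or Wireshark; the point of the record headers is that a capture file preserves each frame's captured length separately from its original length, which is how a snaplen-truncated capture stays readable.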
