5.5 Basic concepts of forensics

Question 1

Order of volatility

Answer 1

Order of volatility of evidence from more to less:

• CPU registers and cache memory
• Routing table, arp cache, process table, kernel statistics
• Memory (RAM)
• Temporary file systems
• Disk
• Remote logging and monitoring data
• Physical configuration and network topology
• Archival media

Question 2

Chain of custody

Answer 2

Form records where, when, and who collected the evidence, who subsequently handled it, and where it was stored.

Question 3

Legal hold

Answer 3

Refers to the fact that information that may be relevant to a court case must be preserved.

Question 4

Capture system image

Answer 4

The process of obtaining a forensically clean copy of data from a device held as evidence.

Question 5

Task hashes

Answer 5

Demonstrates that analysis has been performed on an image of the data that is identical to the data present on the disk and that neither data set has been tampered with.

Question 6

Preservation

Answer 6

Best practice is that evidence should be preserved and documented at the crime scene in its original state; that is, computers or other devices that are off should not be switched on and those that are on should not be switched off.

Question 7

Recovery

Answer 7

Analyzing information from hard drives taken as evidence

Question 8

Strategic intelligence/counterintelligence gathering

Answer 8

Counterintelligence is the process of information gathering to protect against espionage and hacking.