5.5 Summarize basic concepts of forensics. Flashcards
What is the order of volatility?
- CPU Cache
- ARP/Routing Tables
- RAM
- SWAP/Temp files
- Hard Drive
- Archival Media (CD/DVD/Print outs)
Chain of Custody
A document that indicates various details about evidence across its lifecycle.
Legal Hold
A notice to a data custodian that specific data or information must be preserved.
Data Acquisition
The process and procedures by which data relevant to a criminal action is discovered and collected.
Capture System Image
- Taking a snapshot of the current state of the computer that contains all current settings and data
- Must take the order of volatility into account
- Use a write blocker to prevent changing evidence
- Take hashes before and after making a bit-for-bit copy.
Network Traffic And Logs
Sources of evidence can include network traffic and network device logs.
Capture Video
Collect any video from surveillance cameras.
Record Time Offset
Ensuring that you take note of the time difference between the device clock and the standard.
Take Hashes
Take hashes before collecting any digital evidence.
Take hashes after copying any digital evidence.
Screenshots
Take photographs of screens rather than trusting the native software.
Witness Interviews
It's important to interview all those with knowledge of what occurred.
This allows you to build a chronological order of events.
An organization has been sent a lawyer's letter demanding that they retain specific records, logs, and other files pertaining to suspected illegal activity. What has just been done?
A. Financial Audit
B. Forensics
C. Big Data request
D. Legal Hold
D. Legal Hold
In the initial stages of an investigation, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO).
A. Take hashes
B. Begin the chain of custody paperwork
C. Take screenshots
D. Capture the system image
E. Decompile suspicious files
A. Take hashes
D. Capture the system image
Evidence is inadmissible in court if which of the following is violated or mismanaged?
A. Chain of custody
B. Service-level agreement
C. Privacy policy
D. Change management
A. Chain of custody