5A. Digital Forensics Techniques obj 4.4, 5.3

Question 1

Forensic Procedure

Answer 1

1) Identification
2) Collection
3) Analysis
4) Reporting

Question 2

1. Identification

Answer 2

• ensure scene is safe
• secure scene to prevent contamination
• identify scope of evidence to be collected

Question 3

2) collection

Answer 3

• ensure authorisation to collect evidence
• use tools/methods that will withstand legal scrutiny
• document and prove integrity of evidence
• store evidence in secure packaging

Question 4

3) Analysis

Answer 4

• create verifiable copy of evidence for analysis
• use repeatable methods

Question 5

4) Reporting

Answer 5

• create report of methods/tools used
• present findings/conclusions

Question 6

Legal hold

Answer 6

refers to the fact that information that may be relevant to a court case must be preserved

Question 7

work product retention

Answer 7

refers to the way in which a forensic examiner is retained (hired) to investigate a case

Question 8

Data Acquisition

Answer 8

the process of obtaining a forensically clean copy of data from a device held as evidence

Question 9

Order of volatility

Answer 9

1) CPU registers and cache memory
2) RAM (incl, routing table, ARP cache, process table, kernel stats, temp file systems/virtual memory)
3) Persistent storage (HDD, SSD, flash)
4) Remote logging and monitoring data
5) Physical configuration and network topology
6) Archival media

Question 10

Forensics software

Answer 10

• Encase (case management)
• Forensic Toolkit (FTK)
• Sleuth kit (open-source, command line tools, disk imaging and file analysis)

Question 11

Why use Bit-by-Bit copies instead of using Copy command?

Answer 11

to ensure that slack space and unallocated space are both copied as part of the image. This captures deleted files that have not yet been overwritten, fragments of older files, and data that was stored on a drive before it was partitioned.

Question 12

Tool for making bit-by-bit clones of drives…

Answer 12

dd utility in Linux.

Question 13

What do system memory dump file reveal?

Answer 13

• running processes
• temp file contents
• registry data
• network connections
• cryptographic keys

Question 14

Disk Image Acquisition methods:

Answer 14

1) Live
- copying data with computer running
- not legally sound
2) Static (by shutting down)
- risk malware will detect the shutdown process and perform anti-forensics
3) Static (by pulling the plug)
- legally sound, but may corrupt data

Question 15

Write blocker

Answer 15

Forensic tool to prevent the capture or analysis device or workstation from changing data on a target disk or media.
- hardware blocker more popular

Question 16

Issue with MD5

Answer 16

No longer considered secure as there are ways to exploit collisions. Still used by some: - faster than SHA
- more compatible with other tools

Question 17

Why is hashing and validation important?

Answer 17

• To verify the integrity of an image to demonstrate that it has not been tampered with or changed from its original state
• To validate binaries (file containing code, libraries, drivers) to detect (malicious) changes to the binaries

Question 18

Carving

Answer 18

The process of recovering data that has been deleted where there us no associated file system metadata. A file-carving tool analyses the disk at sector/page level and attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files

Question 19

Chain of custody

Answer 19

reinforces the integrity and proper custody of evidence from collection, to analysis, to storage, and finally to presentation