Book One-Chapter Two Flashcards
What is the purpose of a write-block protection device?
These devices prevent the alteration or erasure of data on a storage device during an investigation. They sit between the evidence device and the forensic laptop or workstation while the device is being examined or copied, passing reads through and silently dropping writes, so an auto-mounting operating system or a careless tool cannot change a single byte of the evidence. They exist for a variety of devices (hard drives, USB drives, media cards) and there are different types for different storage device connections. For example, a SATA write-block device lets an investigator attach a storage device to the workstation's SATA connector, and a USB or FireWire write-block device lets an investigator attach a storage device to the workstation's USB or FireWire port.
What is a TEMPEST lab? Why would anyone choose not to build a TEMPEST lab?
A Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST) lab prevents eavesdropping on electromagnetic emissions. Electronic equipment emits electromagnetic radiation, and certain equipment can intercept this radiation and use it to reconstruct the data the equipment is transmitting or displaying. A TEMPEST lab is constructed to shield those emissions so that workstations cannot leak signals outside the room.
Sheets of metal that are good conductors, such as copper, should be used to line the walls, ceilings, and floors. Even the power cables need to be insulated to prevent radiation, and telephones within the lab must have line filters.
Cost is the main deterrent to building a TEMPEST lab.
Write down the various types of computer forensic investigations that can be conducted at a computer forensic lab?
- Child pornography and sexual exploitation
- Use of e-mail, IM, and chat
- Computer hacking and network intrusion
- Copyright infringement
- Software piracy
- Intellectual property disputes
- Identity theft
- Online auction fraud
- Credit card fraud
- Other financial frauds and schemes
- Telecommunications fraud
- Threats, harassment, and/or stalking
- Extortion and/or blackmail
- Online gambling
- Drug abuse and/or distribution
- Employee or employer misconduct
- Theft, robbery, and/or burglary
What is the purpose of a log register?
A log register is a basic physical security requirement for a forensic lab. It should record the following information for each visitor:
Name of visitor
Date and time of the visit
Purpose of the visit
Name of the official the visitor has come to see
Place the visitor has come from
Address of the visitor
This helps prevent unauthorized physical access to the lab.
How can a fire start inside a computer system?
Fires may break out in computers if the servo voice-coil actuators in a hard drive freeze because of damage to the drive. When the actuators freeze, the head assembly stops moving. The drive's internal firmware tries to force the head assembly to move by applying more power to the servo voice-coil actuators. The components of the drive can handle only a certain amount of power before they fail and overload the ribbon cable connecting the drive to the motherboard. These ribbon cables do not respond well to excessive power; too much current through a ribbon cable causes sparks.
The following are fire-suppression systems that should be in place in a forensic lab:
- A dry-chemical fire extinguisher system, to deal with fires that occur due to chemical reactions
- A sprinkler system, checked frequently to make sure it is still working
- Fire extinguishers placed both inside and outside the lab. Lab personnel and guards should be trained in how to use them, so that in case of a fire the staff know how to use the equipment effectively.
What is a UPS and why does a lab need one?
An uninterruptible power supply (UPS) is a preventive measure against a power failure during an investigative process: if power is lost mid-acquisition, a partially written image or a damaged evidence drive may result. Separate backup power generators are also recommended for a forensic lab. All electrical connections should be monitored, as fluctuations in voltage can disrupt the power supply or damage electrical equipment.
Describe the recommended features of evidence lockers:
The containers used to store evidence must be secured so that unauthorized persons cannot access the evidence. They should be located in a restricted area that is only accessible to lab personnel. All evidence containers must be monitored, and they must be locked when not in use.
The storage containers or cabinets should be made of steel and should include either an internal cabinet lock or an external padlock. There must be a limited number of duplicate keys so that access is restricted to authorized personnel. Evidence can also be stored in high-quality safes to protect it from fire damage. Media devices and digital media should be stored in media safes.
Lab personnel must regularly inspect the content of the evidence storage containers to ensure that only current evidence is stored. Evidence from closed cases must be moved to other containers.
Identify and describe two types of forensic storage bags:
When evidence is collected in the field, the forensic investigator needs to store the evidence for transport back to the lab so it can be examined. The investigator must make sure that the evidence is not damaged or tampered with, so different types of bags have been developed to make sure evidence stays safe and secure. Different types of storage bags:
- Wireless storage bags (Faraday bags): These bags are used to store wireless devices. The fabric they are made of shields the device from radio signals that could otherwise alter or erase data on it, for example a remote wipe command arriving over the cellular network. There are also tents that provide the same shielding. An investigator with a laptop sits inside the tent while capturing the data from a wireless device, so the data stays protected but the investigator does not have to wait until returning to the lab to acquire it.
- Passport bags: Many passports contain radio-frequency identification (RFID) chips. These bags shield the chips so that data cannot be read from them. As more and more passports are fitted with RFID chips, securing the data stored on them is vital.
Identify and describe the types of software that should be on a mobile forensic laptop:
The laptop should be equipped with all the specialized forensic software a specialist needs in the field, and the hardware to run it:
- Fast processors
- Large amounts of RAM
- Large hard drives
- DVD burners
- Media card readers
- Some form of write-block protection, provided through either hardware or software
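The following is an added example, not from the book, covering both the write-block device card above and the laptop's software write-block requirement. It shows the check an examiner uses to prove that write-block protection actually held: hash the evidence source before imaging, hash the image, then hash the source again, and require all three to match. The "devices" are in-memory byte buffers built here as constructed sample data; `WriteBlocked` is a hypothetical stand-in for a hardware or software blocker (reads pass through, every write path is refused), and `auto_mount` is a hypothetical stand-in for an operating system that writes to a volume when it mounts it.

```python
"""Added example: proving write-block protection held during an acquisition."""
import hashlib
import io
from dataclasses import dataclass

CHUNK = 1 << 16  # read size; a real imager would use the device block size


class WriteBlocked:
    """Hypothetical software write-block wrapper around a file-like evidence device."""

    def __init__(self, device):
        self._dev = device

    def read(self, n=-1):
        return self._dev.read(n)

    def seek(self, pos, whence=0):
        return self._dev.seek(pos, whence)

    def write(self, data):
        raise PermissionError("write blocked: evidence device is read-only")

    def truncate(self, size=None):
        raise PermissionError("write blocked: evidence device is read-only")


def sha256_of(stream):
    """Hash a whole stream in chunks; returns lowercase hex."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class AcquisitionRecord:
    source_hash_before: str
    image_hash: str
    source_hash_after: str
    bytes_copied: int

    @property
    def verified(self):
        """True only if the image equals the source and the source never changed."""
        return self.source_hash_before == self.image_hash == self.source_hash_after


def acquire(source, image, background=None):
    """Image `source` into `image`, hashing the source before and after.

    `background`, if given, is called between the pre-hash and the copy; it stands
    in for OS activity (auto-mount, journal replay) that a blocker must stop.
    """
    before = sha256_of(source)
    if background is not None:
        try:
            background(source)
        except PermissionError:
            pass  # the blocker refused the write; the source is unchanged
    source.seek(0)
    image.seek(0)
    image.truncate(0)
    copied = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        image.write(chunk)
        copied += len(chunk)
    return AcquisitionRecord(before, sha256_of(image), sha256_of(source), copied)


def auto_mount(device):
    """Constructed stand-in for an OS that writes a mount marker to the volume."""
    device.seek(0)
    device.write(b"MOUNTED")


def demo():
    """Acquire the same constructed evidence with and without a write blocker."""
    evidence = b"\x00" * 512 + b"secret.docx" + b"\xff" * 1024  # constructed sample
    blocked = acquire(WriteBlocked(io.BytesIO(evidence)), io.BytesIO(), auto_mount)
    unblocked = acquire(io.BytesIO(evidence), io.BytesIO(), auto_mount)
    return blocked, unblocked


if __name__ == "__main__":
    b, u = demo()
    print("write-blocked acquisition verified:", b.verified)
    print("unblocked acquisition verified:   ", u.verified)
```

In the blocked run the mount attempt is refused and all three hashes agree; in the unblocked run the OS writes to the source after the pre-hash, so the image and post-hash match each other but not the pre-hash, and `verified` is false. That is exactly the discrepancy an examiner documents when a blocker is suspected of having failed. On a Linux field laptop the software-side equivalent of `WriteBlocked` is marking the block device read-only with `blockdev --setro` and confirming it with `blockdev --getro` before any tool touches it; the hash comparison above is still run afterwards, because the hashes, not the flag, are what go in the report.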
Explain the function of forensic archive and restore robotic devices:
Investigators use forensic archive and restore robotic devices to archive forensic data. These devices can copy a large number of CD-ROM or DVD media disks containing forensic data. Many of them can also print labels for the copies so the investigator knows what is on each disk.
bandwidth
The width of the range of frequencies that an electronic signal uses on a given transmission medium. A forensic lab should have a dedicated broadband connection for network and voice communications.
bookrack
In a forensic lab, bookracks are necessary to hold all the reference books, articles, and magazines that an investigator needs in the course of an investigation. They clear clutter off the desks, giving the investigators more working space.
configuration management
The process of keeping track of all changes made to hardware, software, and firmware throughout the life of a system; source code management and revision control are part of this.
risk management
The decision-making process that weighs political, social, economic, and engineering factors against the relevant risk assessments for a potential hazard, in order to develop, analyze, and compare regulatory options and select the optimal regulatory response for safety from that hazard.