Chapter 6 : Conducting Digital Investigations Flashcards

1
Q

What does the use of trusted forensic methodologies and techniques ensure?

A

That the analysis, interpretation, and reporting of evidence are reliable, objective, and transparent

2
Q

Forensic computing

A

The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.

3
Q

The most common steps for conducting a complete and competent digital investigation

A
  • Preparation
  • Survey/Identification
  • Preservation
  • Examination and Analysis
  • Presentation

4
Q

Preparation

A

Generating a plan of action to conduct an effective digital investigation, and obtaining supporting resources and materials

5
Q

Survey/Identification

A

Finding potential sources of digital evidence (e.g., at a crime scene, within an organization, or on the Internet).

6
Q

Preservation

A

Preventing changes to in situ digital evidence, including isolating the system on the network, securing relevant log files, and collecting volatile data that would be lost when the system is turned off. This step includes the subsequent collection or acquisition.

7
Q

Examination and Analysis

A

Searching for and interpreting trace evidence.

Some process models use the terms examination and analysis interchangeably.

8
Q

Presentation

A

Reporting of findings in a manner which satisfies the context of the investigation, whether it be legal, corporate, military, or any other.

9
Q

Distinction between examination and analysis in forensics

A

  • Forensic examination is the process of extracting and viewing information from the evidence, and making it available for analysis.
  • Forensic analysis is the application of the scientific method and critical thinking to address the fundamental questions in an investigation: who, what, where, when, how, and why.

10
Q

What is the end goal of most digital investigations?

A

To identify the person who is responsible; therefore the digital investigation needs to be tied to a physical investigation.

11
Q

Digital crime scene preservation

A

Preventing changes to potential digital evidence, including network isolation, collecting volatile data, and copying the entire digital environment.

12
Q

Accusation or Incident Alert

A

Every process has a starting point—a place, event, or, for lack of a better term, a “shot from a starting gun” that signals that the race has begun.

13
Q

What computer security professionals should obtain

A

Instructions and written authorization from their attorneys before gathering digital evidence relating to an investigation within their organization.

14
Q

Why digital investigators should establish thresholds

A

In order to prioritize cases and make decisions about how to allocate resources.

15
Q

What threshold considerations include

A

The likelihood of missing exculpatory evidence and the seriousness of the offense.

16
Q

What threshold considerations dictate

A

When the considerations are not met, no further action is required. But when they are met, continue to apply investigative resources based on the merits of the evidence examined to this point, with priority based on the initially available information.

17
Q

The history model

A

The history model is related to the general scientific method of observation, hypothesis formulation, and predicting and testing, by casting the digital examination as a process of formulating and testing hypotheses about previous states and events.

18
Q

The scientific method

A

Is applied to each step of a digital investigation (preparation, survey, preservation, examination, and analysis), which can guide a digital investigator through almost any investigative situation.

19
Q

Steps of the scientific method

A

1. Observation: One or more events will occur that will initiate your investigation. These events will include several observations that will represent the initial facts of the incident. Digital investigators will proceed from these facts to form their investigation.

2. Hypothesis: Based on the current facts of the incident, digital investigators will form a theory of what may have occurred.

3. Prediction: Based on the hypothesis, digital investigators will then predict where the artifacts related to that event may be located.

4. Experimentation/Testing: Digital investigators will then analyze the available evidence to test the hypothesis, looking for the presence of the predicted artifacts.

5. Conclusion: Digital investigators will then form a conclusion based upon the results of their findings.