Computer Forensics Flashcards
Describe the following types of Digital Evidence:
1) Volatile Data
2) Non-volatile Data
1) Data that is lost as soon as the device is powered off; logged-in users, open files, etc.
2) Permanent data stored on the secondary storage.
Describe these Rules of Evidence:
1) Understandable
2) Admissable
3) Authentic
4) Reliable
5) Complete
1) Evidence must be clear and understandable to the judges.
2) Evidence must be related to the fact being proved.
3) Evidence must be real and related to the incident.
4) No doubt about the authenticity of the evidence.
5) Evidence must prove the attacker’s actions/innocence.
What is Best Evidence?
The court only allows the original evidence of a document. A duplicate can be accepted for a valid reason.
Describe the following phases in the Forensics Investigation Process:
1) Pre-Investigation
2) Investigation Phase
3) Post-Investigation
1) Involves setting up the lab, workstations, team and getting approval.
2) Data acquisition, preservation analysis or evidentiary data.
3) Documenting all action and findings conducted during the investigation.
Explain these types of Cybercrimes:
1) Internal/Insider Attack
2) External Attack
1) An attack performed by a trusted person who has access authorized access to the network.
2) When an unauthorized attacker outside the network tries to gain access to computer systems or informational assets.
Give examples of the following types of Potential Evidence Sources:
1) User-created Files
2) User-protected Files
3) Computer-Created Files
1) Address books, database files, media, documents, Internet bookmarks, favourites.
2) Compressed files, encrypted files, password-protected files, hidden files, stenography.
3) Backups, logs, configurations, printer, cookies, systems files, history files, temporary files.
Describe these types of logs:
1) Network
2) System
3) Application
4) Security
1) Records events related to system or user activities such as accessing a resource or performing authentication.
2) Provides details of process success state, devices, warnings, system failures, errors, and alerts.
3) Records all events and actions generated during the runtime of an application.
4) Store data related to failed logins, passwords, and resources accessed.
Describe these types of logs:
1) Web Access
2) DNS logs
3) Dump Files
4) Authentication
5) Session Initiation Protocol (SIP)
1) Records information such as IP addresses, data/time, client ID, request type, and status code.
2) Records all activities on a server such as spoofed IPs, unexpected spikes, inconsistent DNS lookups.
3) Compressed versions of system log files that record when a system crashes or turns off unexpectedly.
4) Logs events during the authentication process such as verifying or granting permission to access a network or resource.
5) Records details about connections that are established for applications such as conferences, chats, and voice calls.
Describe these Security Solutions:
1) SIEM Dashboards
2) Sensors
3) Sensitivity
1) Assists investigators by visualizing data to anaylze log data and identify abnormal behavioural patterns.
2) Aggregate logs from various sources and correlate them with device data.
3) Specialists assign sensitivity levels to aggregated data.
Explain these types of Data Acquisition techniques:
1) Live
2) Dead/Static
3) Logical
4) Spare
5) Bit-stream Imaging
1) Collecting data from a system that is ON
2) Collecting data from a system that is OFF.
3) only selected files or files types that are of interest to the case can be collected.
4) Collecting fragments of unallocated data, allowing investigator to acquire deleted files.
5) Creates a bit-by-bit copy of a suspect drive.
Describe these types of data that is captured during Live Acquisition:
1) System
2) Network
1) Configurations, running state, date/time, system uptime, running processes, loggin on users, DLLS or shared libraries, temp files.
2) Routing tables, ARP cache, network configs, network connections.
