COMPUTER FORENSICS

Question 1

investigations typically involve four phases:Seizure

Answer 1

In the seizure phase, it is important to understand who has the authority to seize the digital
equipment as well as the proper methodology to use so that evidence is not destroyed or tainted.

Question 2

investigations typically involve four phases:Image Acquisition

Answer 2

The image-acquisition phase involves the use of decision-making processes to determine the
best method for acquiring an image of the suspect system and the proper use of software and hardware tools to facilitate the image capture. The examiner has to be sure that the image is created and preserved in a manner that will withstand a legal challenge

Question 3

investigations typically involve four phases:Analysis

Answer 3

This phase involves the use of specialised software designed to give the examiner the means to locate and extract artefacts that will be used as evidence in the investigation. The evidence can serve to incriminate the subject of the investigation or it
can be exculpatory by disproving the subject’s involvement.

Question 4

investigations typically involve four phases:Reporting and Testifying

Answer 4

In this phase, a qualified computer forensics expert may be asked to render an opinion about the use or misuse of a computer system.

Question 5

Digital Evidence

Answer 5

binary data (ones and zeroes) that is interpreted by the computer

Question 6

There are three types of situations in which computer evidence is generally discovered:

Answer 6

(1) computers as the target of crime, (2) computers as the instrument of crime, and (3) computers as the repository of evidence

Question 7

Considerations when Conducting the Seizure

Answer 7

1 subject debriefing, when the subject is asked for passwords and whether any encrypted data exists on the target computer
2 identify any destructive processes that may be running on the machine
3 If such a process appears to be running, unplug the machine immediately
4 Before beginning to disconnect the system, make certain to isolate it from any outside
connections
5 document the scene with photographs or a diagram
6 document what is on the screen if the system is on, as well as what processes are currently running
7 look around for notes that may appear to be passwords
8 Good notes should be taken regarding to the time and date that the system was seized and
the personnel involved in the seizure.
9 The status of the system should also be noted. Was it on, off, or on standby? Was there anything unusual attached to the system? Was there any
obvious damage? Did any files have to be saved? 10 Make sure to start a chain of custody
document and note each person and storage location through which each piece of evidence
passes.

Question 8

When securing a computer system, follow the two golden rules

Answer 8

The first rule is, if the computer is off, don’t turn it on.

The second golden rule when securing a computer is, don’t peek through the files

Question 9

The admissibility of evidence obtained from computers in a court case is really no different
from the admissibility of any other type of evidence. The evidence must be:

Answer 9

• Relevant
• Supported by a foundation for its introduction into court
• Legally obtained
• Properly identified
• Properly preserved

Question 10

In the handling of computer data in criminal investigations, the examiner or investigator
must be aware of some of the vulnerabilities of computer evidence:

Answer 10

• The investigator must ensure that turning off power to computer equipment will not destroy or erase evidence that is required for the investigation.
• The read/write heads of hard disk drives must be parked in a retracted position so that powering down the disk drive will not cause the read/write head to contact the surface of the disk platter.
• Be aware that magnetic storage media are vulnerable to magnetic fields. Evidence might
be erased without the investigator being aware of the erasure if the media are brought close to a magnetic field.
• Be aware that other equipment attached to the computer might be needed to complete the investigation into the data that resides in the computer.
• The investigator should write-protect all disks that are being used in the investigation so that they cannot be written upon inadvertently.

Question 11

Affidavit for the search warrant

Answer 11

detail the probable cause or legal reasoning behind the request for the warrant

Question 12

Only a ___can issue a search warrant and only ___ can seek and serve a search warrant.

Answer 12

judge - law enforcement

Question 13

Pre-Search Preparation

Answer 13

• Determine the type of computer systems that will be involved in the search. What operating system is used? Are the computers networked together?
• Determine how many people will be needed to conduct the search.
• If expert witnesses with a specific expertise are required during the search, identify and clear them before the search warrant is written. Depending on the circumstances, their credentials should possibly be included in the warrant affidavit before they are approved by the magistrate issuing the search warrant. The time to discover that an “expert witness” has a criminal conviction is before the search warrant affidavit has even been written
• Determine the resources that will be required to successfully conduct the search. If a great deal of equipment is to be seized, consider how the equipment will be transported from the location. Obtain sufficient boxes, labels, bags, and other supplies at this time.

Question 14

Items to be seized might contain any or all of the following, depending on the nature of the fraud case:

Answer 14

•  Computers  
•  Computer components  
•  Computer peripherals 
•  Word-processing equipment 
•  Modems 
•  Monitors 
•  Printers and plotters 
•  Optical scanners 
•  Data storage devices 
−  Magnetic 
−  Laser 
−  Optical  
−  Tape 
−  PCMCIA 
−  ZIP or JAZ drives 
  Cables, wiring, cords 
∗  Storage media 
−  Disks 
−  Magnetic tape (reels) 
−  PCMCIA RAM cards 
−  CD-ROMs 
−  Magnetic/optical disks 
−  Digital audio tape (DAT) 
−  Personal data managers 
−  Flash RAM cards (consider digital-camera storage) 
−  Computer programs 
−  Operating systems  
−  Application software 
−  Utility programs 
−  Compilers 
−  Interpreters 
∗  Documents  
∗  Manuals 
∗  Printouts 
∗  File listings

Question 15

If possible, before executing a search warrant for which computer equipment and/or magnetic storage media is to be seized, make sure that _________

Answer 15

someone who is familiar with computer equipment will be present to assist in the identification of the various components

Question 16

It is critical that anyone not involved in the investigation , _______and ______

Answer 16

be kept away from any computer equipment - not be allowed to touch any of the equipment!

Question 17

If the person seizing the system has the appropriate training and expertise, it might be useful to observe

Answer 17

the video display of the system. Information might be displayed that will be of value in the case. If this occurs, document with a close-up photograph of the 
video screen (take care if using a camera with a flash that the flash does not reflect back into the camera lens).

Question 18

If a computer or peripheral is not covered by the respective search warrant,

Answer 18

leave it alone until a supplemental warrant can be obtained

Question 19

If the computer is to be removed from the location, do not enter _____ or attempt ________

Answer 19

anything via the system keyboard to read information from the system or any associated magnetic media

Question 20

Do not move the computer any more than is necessary until ______

Answer 20

it is properly secured

Question 21

Photograph the

Answer 21

overall view of the computer system (wide view)

Question 22

Document the state of

Answer 22

the computer when first observed (was it operational, what was displayed on the monitor, etc.)

Question 23

Depending on the experience of the person seizing the system, it might be advisable to

Answer 23

unplug the power from the central processing unit (CPU) before taking any further action.

Question 24

Turn off the power to ____

Answer 24

all other components and/or pieces of peripheral equipment

Question 25

Be aware that many peripherals have ___when power is removed.

Answer 25

have random access memory, which can contain evidence that will be lost

Question 26

If possible, ______ before disconnecting.

Answer 26

photograph all cable connections (usually in the rear of the system),

Question 27

Disconnect all components that are attached to an ___

Answer 27

external power supply only

Question 28

Never ________ when the computer is operating.

Answer 28

connect or disconnect any of the cables of the system

Question 29

___ all cable connections, including any telephone cables that are connected to the system so that the system can be reconstructed at a later time for analysis.

Answer 29

Label

Question 30

Before photographing, try to ____

Answer 30

arrange the cable connector labels in such a way that they will be visible in the photographs.

Question 31

Label each item of equipment that will be confiscated. This includes ___

Answer 31

the CPU, monitor, and printers. Each item that has a removable exterior case should be sealed
with tamper-proof evidence tape

Question 32

Consideration should be given to ____ for each

item to be seized.

Answer 32

separate close-up isolation photographs

Question 33

Document the ______ of all items seized (which ___)

Answer 33

location - room, specific location in the room,

reference to photographs, the person who seized the item, serial numbers, special identification markings, etc

Question 34

Check all disk drives to determine ___ . If so, ___

Answer 34

if they contain a disk. remove the disk from
the drive and place it in a case. Write-protect the disk immediately. Label the particular disk drive to show which drive the disk came from, and then label a paper bag to indicate that the disk was taken from the labelled drive. Place the disk in the paper bag and seal it.

Question 35

Place ___ into the disk drive and close the drive

door to secure the drive heads for transportation.

Answer 35

a cardboard insert or a throwaway disk -

Question 36

Check any other ___, remove any ___ , and ___

Answer 36

removable storage media drives storage media they contain label the media for identification purposes

Question 37

If there is any uncertainty as to what a piece of equipment is ___

Answer 37

do not speculate, just label the equipment with a unique identifying number and secure the item for later analysis.

Question 38

When all components and cables have been labeled and documented ____

Answer 38

disconnect the cables from their respective components and secure the cables

Question 39

If covered in the search warrant, confiscate ___

Answer 39

all related manuals and other documentation and all magnetic media, confiscate any other items that might be
evidence in the case and that are covered by the terms of the search warrant.

Question 40

If at all possible, after all equipment and magnetic media have been labeled and inventoried, each item should be ____

Answer 40

stored in a paper bag or a cardboard box and sealed (to keep out dust)

Question 41

Plastic bags ___

Answer 41

should not be used to store evidence

Question 42

Ensure that ___ is given to all items when they are being moved

Answer 42

adequate support

Question 43

Thoroughly document the ___

Answer 43

inventory of everything to be removed from the location

Question 44

These precautions must be followed explicitly when working with computers:

Answer 44

• Do not eat, drink, or smoke close to the computer system or near any of the storage
media (such as disks).
• Do not fold or bend floppy disks, or touch the magnetic media inside the disk cover.
• Do not write on a disk, on a label of a disk, or on a bag that contains a disk.
• Do not place magnetic media near magnetic fields, as this could cause damage.
• Do not expose magnetic media to either extreme heat or cold.
• Do not fingerprint magnetic media

Question 45

The storage environment should be:

Answer 45

• Relatively dust-free
• Both temperature- and humidity-controlled
• Free of magnetic and electronic fields

Question 46

POSSIBLE THREATS TO MAGNETIC MEDIA

Answer 46

• Telephones
• Radio speakers
• Radio transmitters
• Copy machines
• Plastic bags
• Degaussing equipment
• Electric fans
• Under-shelf lighting (heat)
• Leaving media in vehicle trunk during extreme temperatures (either hot or cold)
• Magnets
• Proximity to a radiator or an open heating vent

Question 47

Keyword Searches

Answer 47

Based on the information known about the case, a list of relevant keywords should be established. Examiners and investigators should take care in keeping the list as short and relevant as possible, and should avoid common words or words that can be part of others.
There is a strong likelihood that more keywords will be identified as the case progresses and physical and digital evidence is analyzed. Furthermore, search terms can be devised to look for patterns in data.

Question 48

Recovering Evidence

Answer 48

In addition to live files, a wealth of information can be recovered and analyzed on seized
systems. This includes information generated by the operating system and applications or
information hidden by the perpetrator to avoid detection.

Question 49

Camouflaged Files

Answer 49

Using file signature analysis, the examiner can analyze the hard drive to determine whether
any file types have been camouflaged. This is done by analyzing the first bits of data in a file,
known as a file header, which contains data identifying the file format.

Question 50

Deleted Files

Answer 50

The remnants of the original file can still be recovered until the free space is overwritten by another file.
Oftentimes, the new data will not take up all the space available on the designated sectors. When this occurs, parts of the previously deleted file will
remain on the unused part of the sector in what is known as slack space. The computer examiner can recover incriminating evidence in the file slack or unallocated clusters of the hard drive.

Question 51

Steganography

Answer 51

Steganography takes one piece of information and hides it within another.

Question 52

Encryption

Answer 52

numerous utility programs that can decrypt documents
Other encryption programs have a secret key for use in cases of emergency that investigators can access.
There is precedent for forcing a suspect (or employee) to divulge the decryption code

Question 53

Alternate Data Streams

Answer 53

An alternate data stream (ADS) is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file-browsing utilities.

Question 54

Print Spools

Answer 54

When computers print files under Windows, a print-spooling process is run. This process allows the user to keep working while printing is performed as a background task. This is done by creating spooling files that are sent to the printer as it becomes available, one of which is a graphic file containing the document to print. Once printing has occurred, the files are deleted, but as we have previously seen, deleted files can be recovered.

Question 55

Swap Space

Answer 55

Operating systems have a limited supply of random access memory (RAM), and when they run out of RAM, operating systems will write some of the data stored in RAM to a file whose purpose is to cache this information, the swap file. Because the swap file stores information that is supposed to be stored in RAM, it may be possible to recover data that
was never written to the hard drive when nalyzing the swap file.

Question 56

Windows Registry

Answer 56

The Windows Registry is a central database that stores settings and configurations for the
operating system and most of the applications installed on the system. It contains information on the user’s preferences, the system’s hardware, and network. It also contains remnants of a user’s activity, such as lists of most recently used files, USB storage devices that have been connected to the system, and other valuable information.

Question 57

Link Files

Answer 57

From a forensic standpoint, this allows the examiner to track the user’s activities by examining the properties, the content, and the context of the file. In the case where a file is opened and subsequently deleted, the link file would remain as a system artifact.

Question 58

Internet Activity

Answer 58

The Internet history contains the websites that were recently visited by users and usually includes time and date information relevant to the visit. Depending on the browser being used, this could be a single file, a folder, or folders containing a number of files.

Certain communication software, like instant messaging and chat, will keep a history of the
user’s conversations in a proprietary and sometimes encrypted format. Using tools designed
for recovery of these files, the examiner may, in certain circumstances, be able to recover these files.

The purpose of the cache directory is to store files downloaded from a website and to make these files available when a user visits the site again. The forensic examiner can recover Web pages and
images that were previously viewed by the system’s users.