COMPUTER FORENSICS Flashcards

1
Q

Investigations typically involve four phases: Seizure

A

In the seizure phase, it is important to understand who has the authority to seize the digital equipment, as well as the proper methodology to use so that evidence is not destroyed or tainted.

2
Q

Investigations typically involve four phases: Image Acquisition

A

The image-acquisition phase involves the use of decision-making processes to determine the best method for acquiring an image of the suspect system and the proper use of software and hardware tools to facilitate the image capture. The examiner has to be sure that the image is created and preserved in a manner that will withstand a legal challenge.

3
Q

Investigations typically involve four phases: Analysis

A

This phase involves the use of specialised software designed to give the examiner the means to locate and extract artefacts that will be used as evidence in the investigation. The evidence can serve to incriminate the subject of the investigation, or it can be exculpatory by disproving the subject’s involvement.

4
Q

Investigations typically involve four phases: Reporting and Testifying

A

In this phase, a qualified computer forensics expert may be asked to render an opinion about the use or misuse of a computer system.

5
Q

Digital Evidence

A

binary data (ones and zeroes) that is interpreted by the computer

6
Q

There are three types of situations in which computer evidence is generally discovered:

A

(1) computers as the target of crime, (2) computers as the instrument of crime, and (3) computers as the repository of evidence

7
Q

Considerations when Conducting the Seizure

A

1. Subject debriefing: the subject is asked for passwords and whether any encrypted data exists on the target computer.
2. Identify any destructive processes that may be running on the machine.
3. If such a process appears to be running, unplug the machine immediately.
4. Before beginning to disconnect the system, make certain to isolate it from any outside connections.
5. Document the scene with photographs or a diagram.
6. Document what is on the screen if the system is on, as well as what processes are currently running.
7. Look around for notes that may appear to be passwords.
8. Good notes should be taken regarding the time and date that the system was seized and the personnel involved in the seizure.
9. The status of the system should also be noted. Was it on, off, or on standby? Was there anything unusual attached to the system? Was there any obvious damage? Did any files have to be saved?
10. Make sure to start a chain of custody document and note each person and storage location through which each piece of evidence passes.

8
Q

When securing a computer system, follow the two golden rules

A

The first rule is: if the computer is off, don’t turn it on.

The second golden rule when securing a computer is: don’t peek through the files.

9
Q

The admissibility of evidence obtained from computers in a court case is really no different
from the admissibility of any other type of evidence. The evidence must be:

A
  • Relevant
  • Supported by a foundation for its introduction into court
  • Legally obtained
  • Properly identified
  • Properly preserved
10
Q

In the handling of computer data in criminal investigations, the examiner or investigator
must be aware of some of the vulnerabilities of computer evidence:

A

• The investigator must ensure that turning off power to computer equipment will not destroy or erase evidence that is required for the investigation.
• The read/write heads of hard disk drives must be parked in a retracted position so that powering down the disk drive will not cause the read/write head to contact the surface of the disk platter.
• Be aware that magnetic storage media are vulnerable to magnetic fields. Evidence might be erased without the investigator being aware of the erasure if the media are brought close to a magnetic field.
• Be aware that other equipment attached to the computer might be needed to complete the investigation into the data that resides in the computer.
• The investigator should write-protect all disks that are being used in the investigation so that they cannot be written upon inadvertently.

11
Q

Affidavit for the search warrant

A

detail the probable cause or legal reasoning behind the request for the warrant

12
Q

Only a ___can issue a search warrant and only ___ can seek and serve a search warrant.

A

judge - law enforcement

13
Q

Pre-Search Preparation

A
  • Determine the type of computer systems that will be involved in the search. What operating system is used? Are the computers networked together?
  • Determine how many people will be needed to conduct the search.
  • If expert witnesses with a specific expertise are required during the search, identify and clear them before the search warrant is written. Depending on the circumstances, their credentials should possibly be included in the warrant affidavit before they are approved by the magistrate issuing the search warrant. The time to discover that an “expert witness” has a criminal conviction is before the search warrant affidavit has even been written.
  • Determine the resources that will be required to successfully conduct the search. If a great deal of equipment is to be seized, consider how the equipment will be transported from the location. Obtain sufficient boxes, labels, bags, and other supplies at this time.
14
Q

Items to be seized might contain any or all of the following, depending on the nature of the fraud case:

A
• Computers
• Computer components
• Computer peripherals
• Word-processing equipment
• Modems
• Monitors
• Printers and plotters
• Optical scanners
• Data storage devices
  − Magnetic
  − Laser
  − Optical
  − Tape
  − PCMCIA
  − ZIP or JAZ drives
• Cables, wiring, cords
• Storage media
  − Disks
  − Magnetic tape (reels)
  − PCMCIA RAM cards
  − CD-ROMs
  − Magnetic/optical disks
  − Digital audio tape (DAT)
  − Personal data managers
  − Flash RAM cards (consider digital-camera storage)
• Computer programs
  − Operating systems
  − Application software
  − Utility programs
  − Compilers
  − Interpreters
• Documents
• Manuals
• Printouts
• File listings
15
Q

If possible, before executing a search warrant for which computer equipment and/or magnetic storage media is to be seized, make sure that _________

A

someone who is familiar with computer equipment will be present to assist in the identification of the various components

16
Q

It is critical that anyone not involved in the investigation _______ and ______

A

be kept away from any computer equipment - not be allowed to touch any of the equipment!

17
Q

If the person seizing the system has the appropriate training and expertise, it might be useful to observe

A
the video display of the system. Information might be displayed that will be of value in the case. If this occurs, document it with a close-up photograph of the video screen (take care, if using a camera with a flash, that the flash does not reflect back into the camera lens).
18
Q

If a computer or peripheral is not covered by the respective search warrant,

A

leave it alone until a supplemental warrant can be obtained

19
Q

If the computer is to be removed from the location, do not enter _____ or attempt ________

A

anything via the system keyboard to read information from the system or any associated magnetic media

20
Q

Do not move the computer any more than is necessary until ______

A

it is properly secured

21
Q

Photograph the

A

overall view of the computer system (wide view)

22
Q

Document the state of

A

the computer when first observed (was it operational, what was displayed on the monitor, etc.)

23
Q

Depending on the experience of the person seizing the system, it might be advisable to

A

unplug the power from the central processing unit (CPU) before taking any further action.

24
Q

Turn off the power to ____

A

all other components and/or pieces of peripheral equipment

25
Q

Be aware that many peripherals have ___ when power is removed.

A

random access memory, which can contain evidence that will be lost

26
Q

If possible, ______ before disconnecting.

A

photograph all cable connections (usually in the rear of the system),

27
Q

Disconnect all components that are attached to an ___

A

external power supply only

28
Q

Never ________ when the computer is operating.

A

connect or disconnect any of the cables of the system

29
Q

___ all cable connections, including any telephone cables that are connected to the system so that the system can be reconstructed at a later time for analysis.

A

Label

30
Q

Before photographing, try to ____

A

arrange the cable connector labels in such a way that they will be visible in the photographs.

31
Q

Label each item of equipment that will be confiscated. This includes ___

A

the CPU, monitor, and printers. Each item that has a removable exterior case should be sealed
with tamper-proof evidence tape

32
Q

Consideration should be given to ____ for each item to be seized.

A

separate close-up isolation photographs

33
Q

Document the ______ of all items seized (which ___)

A

location - room, specific location in the room, reference to photographs, the person who seized the item, serial numbers, special identification markings, etc.

34
Q

Check all disk drives to determine ___. If so, ___

A

if they contain a disk - remove the disk from the drive and place it in a case. Write-protect the disk immediately. Label the particular disk drive to show which drive the disk came from, and then label a paper bag to indicate that the disk was taken from the labelled drive. Place the disk in the paper bag and seal it.

35
Q

Place ___ into the disk drive and close the drive door to secure the drive heads for transportation.

A

a cardboard insert or a throwaway disk

36
Q

Check any other ___, remove any ___ , and ___

A

removable storage media drives - storage media they contain - label the media for identification purposes

37
Q

If there is any uncertainty as to what a piece of equipment is ___

A

do not speculate, just label the equipment with a unique identifying number and secure the item for later analysis.

38
Q

When all components and cables have been labeled and documented ____

A

disconnect the cables from their respective components and secure the cables

39
Q

If covered in the search warrant, confiscate ___

A

all related manuals and other documentation and all magnetic media; also confiscate any other items that might be evidence in the case and that are covered by the terms of the search warrant.

40
Q

If at all possible, after all equipment and magnetic media have been labeled and inventoried, each item should be ____

A

stored in a paper bag or a cardboard box and sealed (to keep out dust)

41
Q

Plastic bags ___

A

should not be used to store evidence

42
Q

Ensure that ___ is given to all items when they are being moved

A

adequate support

43
Q

Thoroughly document the ___

A

inventory of everything to be removed from the location

44
Q

These precautions must be followed explicitly when working with computers:

A

• Do not eat, drink, or smoke close to the computer system or near any of the storage media (such as disks).
• Do not fold or bend floppy disks, or touch the magnetic media inside the disk cover.
• Do not write on a disk, on a label of a disk, or on a bag that contains a disk.
• Do not place magnetic media near magnetic fields, as this could cause damage.
• Do not expose magnetic media to either extreme heat or cold.
• Do not fingerprint magnetic media.

45
Q

The storage environment should be:

A
  • Relatively dust-free
  • Both temperature- and humidity-controlled
  • Free of magnetic and electronic fields
46
Q

POSSIBLE THREATS TO MAGNETIC MEDIA

A
  • Telephones
  • Radio speakers
  • Radio transmitters
  • Copy machines
  • Plastic bags
  • Degaussing equipment
  • Electric fans
  • Under-shelf lighting (heat)
  • Leaving media in vehicle trunk during extreme temperatures (either hot or cold)
  • Magnets
  • Proximity to a radiator or an open heating vent
47
Q

Keyword Searches

A

Based on the information known about the case, a list of relevant keywords should be established. Examiners and investigators should take care in keeping the list as short and relevant as possible, and should avoid common words or words that can be part of others.
There is a strong likelihood that more keywords will be identified as the case progresses and physical and digital evidence is analyzed. Furthermore, search terms can be devised to look for patterns in data.

48
Q

Recovering Evidence

A

In addition to live files, a wealth of information can be recovered and analyzed on seized systems. This includes information generated by the operating system and applications, or information hidden by the perpetrator to avoid detection.

49
Q

Camouflaged Files

A

Using file signature analysis, the examiner can analyze the hard drive to determine whether any file types have been camouflaged. This is done by analyzing the first bits of data in a file, known as the file header, which contains data identifying the file format.

50
Q

Deleted Files

A

The remnants of the original file can still be recovered until the free space is overwritten by another file. Oftentimes, the new data will not take up all the space available on the designated sectors. When this occurs, parts of the previously deleted file will remain on the unused part of the sector, in what is known as slack space. The computer examiner can recover incriminating evidence in the file slack or unallocated clusters of the hard drive.

51
Q

Steganography

A

Steganography takes one piece of information and hides it within another.

52
Q

Encryption

A

There are numerous utility programs that can decrypt documents.
Other encryption programs have a secret key for use in cases of emergency that investigators can access.
There is precedent for forcing a suspect (or employee) to divulge the decryption code.

53
Q

Alternate Data Streams

A

An alternate data stream (ADS) is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file-browsing utilities.

54
Q

Print Spools

A

When computers print files under Windows, a print-spooling process is run. This process allows the user to keep working while printing is performed as a background task. This is done by creating spooling files that are sent to the printer as it becomes available, one of which is a graphic file containing the document to print. Once printing has occurred, the files are deleted, but as we have previously seen, deleted files can be recovered.

55
Q

Swap Space

A

Operating systems have a limited supply of random access memory (RAM), and when they run out of RAM, operating systems will write some of the data stored in RAM to a file whose purpose is to cache this information: the swap file. Because the swap file stores information that is supposed to be stored in RAM, it may be possible to recover data that was never written to the hard drive when analyzing the swap file.

56
Q

Windows Registry

A

The Windows Registry is a central database that stores settings and configurations for the operating system and most of the applications installed on the system. It contains information on the user’s preferences, the system’s hardware, and the network. It also contains remnants of a user’s activity, such as lists of most recently used files, USB storage devices that have been connected to the system, and other valuable information.

57
Q

Link Files

A

From a forensic standpoint, this allows the examiner to track the user’s activities by examining the properties, the content, and the context of the file. In the case where a file is opened and subsequently deleted, the link file would remain as a system artifact.

58
Q

Internet Activity

A

The Internet history contains the websites that were recently visited by users and usually includes time and date information relevant to the visit. Depending on the browser being used, this could be a single file, a folder, or folders containing a number of files.

Certain communication software, like instant messaging and chat, will keep a history of the user’s conversations in a proprietary and sometimes encrypted format. Using tools designed for recovery of these files, the examiner may, in certain circumstances, be able to recover these files.

The purpose of the cache directory is to store files downloaded from a website and to make these files available when a user visits the site again. The forensic examiner can recover Web pages and images that were previously viewed by the system’s users.