Day 3: Manual Examination, Reporting, Hashing and Imaging Flashcards
Why do we manually examine a device? (6 answers)
- Unsupported device.
- Corroboration (make sure the files in the logical read match up).
- As the user saw it (more impactful).
- Incomplete extraction (files missing).
- Incomplete decoding (files present but unreadable).
- Time sensitive (i.e. TTL, imminent harm, serious case).
When, ideally, should a manual examination be conducted? Why?
Manual examinations may change the data on a device. As such, conduct them after all required extractions have been performed.
What should be contained within the “mobile examination package”? (5 options)
- Media (photographs and video of examination).
- A log auditing your actions.
- Tool logs.
- Tool reports.
- Recovered data.
What is Hashing?
An irreversible, one-way mathematical algorithm that produces a digital fingerprint of data.
How long is an MD5 hash?
32 characters.
How long is a SHA1 hash?
40 characters.
Are hashes unique?
No! They are prone to hash collisions (where more than one input generates the same output). However, the probability of this occurring is low enough for forensic purposes.
Why are MD5 and SHA1 used at the same time to compare hashes?
It further reduces the probability of a hash collision. It is very unlikely that both algorithms will collide on the same inputs at the same time, so we can still validate that the input is the same even if we encounter a collision in one hash.
Why do we use hashes in forensics?
- Validation: is the file/data the same, or has it changed?
- Verification: is that file the one we expect? Does the file match a specific signature we are after? Is it a file we’re not interested in that can be discarded? See known and notable.
What is a Hash Set?
A collection of hashes against which the hashes we generate are compared to determine whether they are known or notable.
If known, the input is most likely a common system file that can be excluded from the examination.
If the match is notable, we’ve found a file that we are specifically searching for, identified by its content (the hash input) rather than its name. This is useful because people may rename a file, but the file data is unchanged, so we can still identify the same content.
What is imaging?
A bit for bit copy of data on a storage medium.
What is a raw image (DD)?
A raw image is an exact copy of the whole storage medium, including empty storage space. No compression takes place, so the size of the image is equal to the size of the original storage volume.
What is a compressed image (E01)?
An image that compresses the copied data to reduce its size. The file format includes the compressed data, metadata and an embedded hash computed over the imaged content, for validation purposes.
A compressed image will always be smaller than the original source of the image.
What is a logical image?
A logical image is a bit for bit copy of a specified portion of memory (for example a drive partition). A logical image will therefore be missing some parts of the data held on the storage medium the image was taken from.
What are the benefits of taking an image?
- Entire data space is copied (including deleted files).
- Tools such as carvers can be used to retrieve missing or partially corrupted data.
- Can easily be passed to other tools, which may give us different results or find files that other tools couldn’t.
- We can find hidden partitions and data.
- We can hash the image to verify its integrity, ensuring that our examinations don’t make changes.
- Multiple copies can be made.
- If we take a copy of the data, the original data can be preserved and we can work on the image, so ACPO Principle 1 is upheld.
- We create an audit trail: the snapshot of memory can be compared against and referred to in our contemporaneous notes.