Digital Forensic Fundamentals Flashcards

1
Q

What is digital forensics?

A

Digital forensics is the process of identifying, preserving, analysing, and presenting digital evidence from electronic devices and data storage systems. It is used in investigations to uncover and interpret information related to cybercrimes, security breaches, or other incidents involving digital data. The goal of digital forensics is to recover and examine digital information in a way that maintains its integrity, ensuring it can be used as evidence in legal proceedings or internal investigations.

2
Q

What is Locard’s principle?

A

Locard’s Principle, also known as Locard’s Exchange Principle, is a fundamental concept in forensic science. It states that whenever two objects come into contact with each other, there is always an exchange of materials between them. In other words, a person will both bring something into an environment and leave something behind when interacting with it.

In the context of digital forensics, Locard’s Principle suggests that whenever someone interacts with a digital system, they leave traces of their activity (known as artefacts), such as logs, files, or data remnants. These traces can be collected and analysed to reconstruct actions, identify perpetrators, and understand the sequence of events during a security incident or cybercrime.

3
Q

What are the two fundamental questions that should always be asked in digital forensics?

A
  • Who was operating the device when the artefacts were created?
  • Did the user initiate the observed activity, or was it the result of an automatic function of the computer system or device?
4
Q

What is the difference between digital evidence implying guilt as opposed to proving guilt?

A

The difference between digital evidence implying guilt and proving guilt lies in the strength and conclusiveness of the evidence:

  • Implying Guilt: Digital evidence that implies guilt suggests a possible connection between the suspect and the crime, but it does not definitively establish that the suspect committed the offence. This type of evidence might raise suspicions or point towards involvement, but it may require additional context or corroboration to support a conclusion.
  • Proving Guilt: Digital evidence that proves guilt provides a clear and definitive link between the suspect and the crime, leaving little or no doubt about their involvement. This evidence is strong enough to meet the legal standard required to establish guilt beyond a reasonable doubt in a court of law.

In summary, implying guilt indicates a potential connection, while proving guilt confirms that connection with a high degree of certainty.

5
Q

What are the five fundamental steps in a digital forensics investigation?

A

Steps in a Digital Forensics Investigation:

  1. Identify: Determine potential sources of inquiry-relevant information (devices and data) and pinpoint their location.
  2. Preserve: Securely preserve electronic evidence by protecting the scene, capturing visual images, and documenting all actions taken to ensure data integrity.
  3. Recover: Recover relevant data by creating a forensically sound copy (image) of data on digital devices, either on-site or in a controlled off-site environment.
  4. Analyse: Conduct a systematic search for incident-related information within the acquired data. Analyse both system and user-generated artefacts to support conclusions about the actions or activities on the device.
  5. Present: Compile findings into a formal or informal report, clearly detailing the methods used so that another examiner could replicate the results. Reports for court must meet specific standards and formats.
6
Q

What is the difference between cyber security and digital forensics?

A

The difference between cybersecurity and digital forensics can be summarised as follows:

  • Cybersecurity is a preventative and detective practice focused on safeguarding information systems from intrusion, attacks, and other threats. It involves implementing measures to protect networks, devices, and data, as well as detecting and responding to potential security incidents.
  • Digital forensics is an investigatory practice aimed at collecting, analysing, and preserving artefacts and digital evidence to prove or imply guilt related to an intrusion event or digital crime. It focuses on uncovering what happened after a security breach or cybercrime has occurred.

In essence, cybersecurity seeks to prevent and detect threats, while digital forensics is concerned with investigating and understanding incidents after they happen.

7
Q

What is evidence, and what are the two types?

A

Evidence is any information or material that is presented to support or refute a fact or claim in a legal or investigative context.

The two types of evidence are:

  1. Spoken Evidence (Testimonial Evidence): This type of evidence includes testimony from a witness who directly observed the event or incident. It can also include verbal statements, confessions, or other oral accounts that directly prove a fact without the need for inference. Spoken evidence can also involve experts or specialists who assist the court by providing context and explanations for specialised issues, such as medicine, digital forensics, or engineering.
  2. Physical Evidence: This type of evidence consists of tangible objects or materials that can be linked to the crime or incident. It includes items like fingerprints, DNA, digital logs, video recordings, or objects found at the crime scene. Physical evidence may directly or indirectly suggest a fact or occurrence.

These categories help distinguish between what is observed and reported verbally (spoken/testimonial evidence) and what is physically present and can be examined (physical evidence), with spoken evidence often supported by expert testimony for specialised matters.

8
Q

What is the definition of the word ‘digital’?

A

The word digital refers to the representation, processing, or transmission of information in binary form, where data is encoded as a series of discrete values, typically 0s and 1s. Digital systems are used to manage, store, and communicate data in formats that can be easily processed by computers and other electronic devices. This allows for precise, efficient, and often automated handling of data in various applications, from computing and communications to media and technology.

9
Q

What is forensic readiness?

A

Forensic readiness refers to the proactive preparation and planning to ensure that an organisation can efficiently collect, preserve, and analyse digital evidence in the event of a cyber security incident, such as a hack or data breach. This involves knowing where data is stored, how long it will remain there, and how it can be accessed. By implementing forensic readiness, an organisation ensures that its systems are ready to respond to incidents while maintaining functionality and meeting legal requirements. Forensic readiness planning, as detailed in ISO/IEC 27043:2015, involves preparing for cyber security attacks and breaches before they occur, ensuring that an organisation can quickly and effectively manage and investigate such events.

10
Q

What is meant by the term forensically sound?

A

The term forensically sound refers to the integrity and reliability of digital evidence throughout the forensic process. It means that the evidence has been collected, handled, preserved, and analysed in a manner that ensures it has not been altered or tampered with at any stage. Maintaining a forensically sound approach is crucial, as any doubt about the integrity of the evidence could lead to its rejection in a court of law. Detailed and meticulous record-keeping is essential to demonstrate that the evidence remains unchanged from its original state, making it reliable and admissible in legal proceedings.

11
Q

What information would be typically required on a computer equipment form during a digital forensics investigation?

A

During a digital forensics investigation, a computer equipment form typically requires detailed information to document the devices being collected and preserved as evidence. The form helps ensure that all relevant details are recorded, maintaining the chain of custody and the integrity of the evidence. The following information is usually included:

  1. Identification Information:
    • Make and Model: The manufacturer and model number of the computer or device.
    • Serial Number: The unique serial number of the device.
    • Asset Tag Number: Any asset identification number used by the organisation.
    • Device Type: Whether the device is a desktop, laptop, server, or other type of computing equipment.
  2. Ownership Details:
    • Owner/User: Name of the individual or department to which the device is assigned.
    • Organisation Details: The name of the organisation owning the device.
  3. Physical Description:
    • Condition of Device: Note the physical condition of the device at the time of collection, including any visible damage.
    • Accessories: List any accessories collected with the device, such as power cables, external drives, or peripherals.
  4. Location Details:
    • Location of Seizure: The specific location (e.g., office, home) where the device was collected.
    • Date and Time of Collection: The date and exact time when the device was collected.
  5. Collection Details:
    • Collected By: Name and signature of the person collecting the device.
    • Witnesses: Names and signatures of any witnesses to the collection.
    • Chain of Custody: Documentation of the transfer of the device, including names, dates, and times each time custody changes hands.
  6. Device Status:
    • Power Status: Whether the device was on, off, or in sleep mode when collected.
    • Connected Devices: Any devices connected to the computer at the time of collection, such as USB drives or network cables.
  7. Storage Information:
    • Storage Location: Where the device will be stored during the investigation.
    • Environmental Conditions: Description of the storage conditions to ensure the device is preserved correctly.
  8. Digital Evidence Details:
    • Data Acquisition: If applicable, note whether a forensic image was created at the scene, including details of the tools and methods used.
    • Hash Values: Record the cryptographic hash values of the data to verify its integrity.

This information ensures that the digital evidence is properly documented, preserved, and handled throughout the investigation, maintaining its integrity for use in legal proceedings.

12
Q

How should exhibits be properly packaged and labelled during a digital forensics investigation?

A

Proper packaging and labelling of exhibits are crucial to maintaining the integrity of evidence. Ideally, exhibits should be placed in a tamper-proof evidence bag with a unique seal number, which must also be documented in the investigator’s contemporaneous notes. As a minimum, the following details should be recorded on the front of the evidence bag:

  • A brief description of the evidential item.
  • The name of the person or location from which the evidence was obtained.
  • The name of the person taking custody of the evidence.
  • The signature of the person taking custody of the evidence.
  • The time and date when the evidence was placed in the bag.

For large or bulky items, sealed boxes with tamper-evident tape can be used for transportation. The tape should be signed by the person seizing the items, with the signature crossing the seal. Additionally, sticky labels should be attached to the box, noting at a minimum:

  • The time of the seizure.
  • The date of the seizure.
  • The location of the seizure.
  • The identity of the person seizing the items.
  • A reference number for the exhibit.

These steps help ensure that evidence remains secure, properly documented, and intact throughout the investigative process.

13
Q

What is the convention for allocating exhibit numbers?

A

Investigators will usually use their initials followed by incremental numbers.

for example: JL/01

Cross-referencing Exhibits:

Exhibits often need to be cross-referenced, especially when parts are removed from a larger item, such as a hard disk taken out of a computer housing. It’s important to clearly establish the connection between the items. One method to achieve this is by appending an additional number to the original exhibit reference. For instance, if the computer is recorded as Exhibit JL/01, the associated hard disk could be labelled as Exhibit JL/01/01. A second hard disk found in the same computer casing could then be recorded as Exhibit JL/01/02. This approach ensures a clear and organised reference system for related items.

14
Q

What is the chain of custody (CoC)?

A

CoC stands for Chain of Custody. In the context of digital forensics and legal investigations, it refers to the documented process that tracks the movement, handling, and storage of evidence from the time it is collected until it is presented in court or archived. The Chain of Custody ensures that the evidence remains untampered and is handled by authorised individuals only, maintaining its integrity and admissibility in legal proceedings.

Key components of the Chain of Custody include:

  • Detailed Records: Every person who handles the evidence must be documented, including their name, the time and date they took custody, and the purpose of the transfer.
  • Secure Storage: Evidence must be stored in a secure environment to prevent unauthorised access or tampering.
  • Preservation of Evidence: The condition and integrity of the evidence must be preserved throughout the process, with any changes or observations carefully recorded.

Maintaining a proper Chain of Custody is crucial to ensure that the evidence is reliable and can be used effectively in court.

15
Q

What is a write blocker?

A

A write blocker is a tool used in digital forensics to prevent any data from being modified or written to a storage device, such as a hard drive, during the process of accessing or copying data from it.

Key Functions of a Write Blocker:
- Protects Evidence Integrity: By blocking any write commands, a write blocker ensures that the original data on the device remains unchanged. This is crucial for maintaining the integrity of the evidence, as any modification could compromise its admissibility in court.
- Allows Read-Only Access: It allows forensic investigators to read and copy data from the device without risking any accidental or intentional alteration of the original content.
- Supports Forensic Analysis: Write blockers are essential when creating forensic images (exact copies) of storage devices, ensuring that the original evidence is preserved in its pristine state.

In summary, a write blocker is a critical tool in digital forensics that ensures data integrity by preventing any changes to the original evidence during analysis or investigation.

16
Q

How do you handle live systems?

A

When responding to an incident or conducting an on-scene forensic acquisition, volatile data (RAM, running processes, network connections, and the keys of any mounted encrypted volumes) is lost the moment power is removed, so it should be captured first where time and equipment allow. It may not always be possible to capture RAM from a live computer due to time constraints or lack of equipment. In such cases, the first step should be to photograph any data displayed on the monitor. For mini-tower systems, the power plug should be pulled directly from the back of the unit, rather than disconnecting it from or switching off the wall socket. For laptops, close the lid, switch off the power supply at the wall, and then disconnect it from the laptop. If possible, remove the laptop’s battery as well.

17
Q

How would you handle non-live systems?

A

Handling Non-Live Systems

When dealing with non-live systems during an incident response or forensic acquisition, the following steps should be taken to ensure the preservation of evidence:

  1. Document the System: Before taking any action, photograph or document the system’s physical state, including any connected peripherals, cables, and the environment in which it is found.
  2. Check for Power: Ensure the system is completely powered off. If the system is already off, do not attempt to power it on. Verify that no power lights or indicators are active.
  3. Secure Storage Media: If the system is powered off, the internal storage media (e.g., hard drives, SSDs) should be carefully removed for forensic imaging. Use anti-static precautions to protect the components.
  4. Label Components: Label the storage media and any other critical components, such as external drives or USB devices, with identifying information, including their original location within the system.
  5. Create Forensic Images: Once the storage media are removed, create a forensically sound image of each drive using write blockers to prevent any alterations to the original data. Generate cryptographic hash values to verify the integrity of the forensic images.
  6. Package and Secure: Place the storage media and any other removed components in tamper-evident bags or containers, clearly labelled with identifying information and chain of custody details.
  7. Document All Actions: Keep detailed notes of each step taken, including the tools used, actions performed, and the condition of the system when it was found. This documentation is essential for maintaining the chain of custody and ensuring the evidence is admissible in legal proceedings.

By following these steps, non-live systems can be handled in a way that preserves evidence integrity and supports a thorough forensic investigation.
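Steps 5 and 7 above (imaging with hash verification, then recording what was done) in working form, as an added example that is not code from this page or from any forensic imaging tool. It assumes the seized media is presented as a readable path behind a hardware write blocker; here a constructed 1 MiB byte pattern in a temporary file stands in for the device, and the examiner name is an assumed value. The exhibit reference follows the JL/01/01 convention used later on this page.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024

# Constructed stand-in for a seized drive: 1 MiB of a deterministic pattern.
# Real acquisitions read the block device through a write blocker instead.
SAMPLE_DEVICE_BYTES = bytes(range(256)) * 4096


def hash_file(path):
    """MD5 and SHA-256 of a file, computed in one pass over fixed-size chunks
    so that multi-terabyte images do not have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire(source_path, image_path, examiner, exhibit_ref):
    """Copy the source to a raw image, hashing the source bytes as they are read,
    then re-read the written image independently and hash it again. The two
    hash pairs must agree before the image is trusted for analysis."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bytes_read = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            bytes_read += len(chunk)
    source_md5, source_sha256 = md5.hexdigest(), sha256.hexdigest()
    image_md5, image_sha256 = hash_file(image_path)

    # The record is what goes on the equipment / chain-of-custody paperwork.
    return {
        "exhibit": exhibit_ref,
        "examiner": examiner,                      # assumed value, see lead-in
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "tool": "acquire.py (example)",
        "bytes": bytes_read,
        "source_md5": source_md5,
        "source_sha256": source_sha256,
        "image_md5": image_md5,
        "image_sha256": image_sha256,
        "verified": source_md5 == image_md5 and source_sha256 == image_sha256,
    }


def verify_image(image_path, record):
    """Re-hash the image later (before analysis, or whenever custody changes)
    and compare with the hashes recorded at acquisition."""
    md5, sha256 = hash_file(image_path)
    return md5 == record["image_md5"] and sha256 == record["image_sha256"]


def demo():
    """Run the flow on the constructed device, then flip one byte in the image
    to show that verification fails. Returns (record, ok_before, ok_after)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "JL-01-01.dd")
    with open(source, "wb") as f:
        f.write(SAMPLE_DEVICE_BYTES)
    record = acquire(source, image, examiner="J. Lee (assumed)", exhibit_ref="JL/01/01")
    ok_before = verify_image(image, record)
    with open(image, "r+b") as f:              # simulate a single-byte alteration
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(image, record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verified before tamper:", before, "after tamper:", after)
```

Two hashes are recorded because paperwork from different tools and eras quotes different algorithms; recording both lets a later examiner match whichever one appears on an earlier form. The second, independent read of the written image is the part that catches a bad cable, a failing destination disk, or a tool bug, which hashing the source alone cannot.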

18
Q

What should always be obtained before interacting with a system as part of a digital forensic analysis?

A

Explicit permission from the device owner.

To avoid any later question of unauthorised access, this permission should be documented or recorded.

19
Q

What are the relevant parts of the computer misuse act 1990 (CMA) to a digital forensics practitioner?

A

Section 1 of the Act provides that a person is guilty of an offence if:

  • a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or enable any such access to be secured;
  • b) the access he intends to secure or to enable to be secured, is unauthorised; and
  • c) he knows at the time when he causes the computer to perform the function that that is the case.

Section 3 of the Act provides that a person is guilty of an offence if:

  • a) he does any unauthorised act in relation to a computer;
  • b) at the time when he does the act he knows that it is unauthorised; and
  • c) either subsection (2) or subsection (3) below applies.

Subsection (2) applies if the person intends, by doing the act:

  • a) to impair the operation of any computer;
  • b) to prevent or hinder access to any program or data held in any computer;
  • c) to impair the operation of any such program or the reliability of any such data; or
  • d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

Subsection (3) applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.

For a practitioner, the point is that “unauthorised” is judged against the permission actually held: examining a device or data without the owner’s documented permission or other lawful authority can itself be a section 1 offence, whatever the investigative motive.

(Computer Misuse Act 1990)

20
Q

What are the best practice guidelines for handling digital evidence?

A

For computers and mobile phones, staff should be advised as follows:

  • Do not interfere with the device.
  • Prevent others from interfering with the device.
  • Isolate the incident area immediately.
  • If the device is OFF, do not turn it on.
  • If the device is ON, do not turn it off.
  • Document every action taken.
  • Call for first responders promptly.
21
Q

What are the four main principles in the ACPO guidelines?

A

The ACPO Good Practice Guide for Digital Evidence outlines four key principles that are essential for handling digital evidence, particularly in legal contexts, though they are also highly relevant to private and corporate investigations:

  1. Preservation of Data: No action taken by law enforcement, their agents, or other involved parties should alter the data that may later be relied upon in court. Wherever possible, a forensic image of the entire device should be made. In cases where this is impractical due to the volume of data or remote storage, partial copying may be considered, but efforts should be made to capture all relevant evidence.
  2. Competence and Evidence Handling: If accessing the original data is unavoidable, it must be done by a competent individual who can explain their actions and the implications in court. This is particularly important when data cannot be imaged and must be retrieved directly from the original source.
  3. Audit Trail and Process Transparency: Every action taken during the investigation must be thoroughly documented, creating an audit trail. This documentation should be detailed enough that an independent third party can replicate the process and achieve the same results. It is essential to maintain the continuity and integrity of the evidence.
  4. Responsibility of the Lead Investigator: The investigator in charge holds overall responsibility for ensuring that these principles, as well as legal requirements, are followed throughout the investigation.

These principles ensure that digital evidence is handled with the utmost care, maintaining its integrity and admissibility in legal proceedings.

22
Q

What are the relevant ISO standards to digital forensics?

A

ISO/IEC Standards Overview

  • 27037:2012: Guidelines for the identification, collection, acquisition and preservation of digital evidence.
  • 27041:2015: Guidance on assuring the suitability and adequacy of incident investigation methods and tools.
  • 27042:2015: Guidelines for the analysis and interpretation of digital evidence.
  • 27043:2015: Incident investigation principles and processes, including good practice methods for handling digital evidence.
  • 27050-4:2021: Electronic discovery, Part 4: technical readiness.

23
Q

Why are file extensions required by the OS?

A

File extensions indicate the type of content expected within the file and give the operating system (Windows in particular) the cue it uses to handle the file appropriately, such as choosing which application should open or render it. The extension is only part of the file name, however: it can be changed or removed without touching the content, so forensic tools treat it as a claim to be checked against the file’s signature rather than as proof of the file type.

24
Q

What are file signatures?

A

File signatures (also known as magic numbers) are fixed byte sequences at the start of a file that identify its format. The signatures for the listed file types, in hexadecimal, with their corresponding ASCII renderings:

  • DOC: D0 CF 11 E0 A1 B1 1A E1
    ASCII: ÐÏ.à¡±.á (bytes 11 and 1A are non-printable control characters, shown as dots)
    (This is the signature for older Microsoft Word documents using the Compound File Binary Format, typically .doc files from Office 97-2003).
  • DOCX: 50 4B 03 04
    ASCII: PK
    (This is the signature for newer Microsoft Word documents, which are actually ZIP archives of XML files. It is the ZIP local file header, so every ZIP archive shares it; distinguishing a DOCX from an XLSX or a plain ZIP requires looking inside the archive for [Content_Types].xml and a word/ or xl/ folder).
  • JPEG/JPG: FF D8 FF E0
    ASCII: ÿØÿà
    (FF D8 FF is the part common to all JPEG files; the fourth byte identifies the first application segment, E0 for JFIF and E1 for Exif files written by cameras and phones. JPG is just a shortened version of JPEG).
  • XLS: D0 CF 11 E0 A1 B1 1A E1
    ASCII: ÐÏ.à¡±.á
    (This is the signature for older Microsoft Excel files using the Compound File Binary Format, the same container as older .doc files).
  • XLSX: 50 4B 03 04
    ASCII: PK
    (This is the signature for newer Microsoft Excel files, which are ZIP-compressed XML files, just like DOCX).
  • PDF: 25 50 44 46 2D
    ASCII: %PDF-
    (This is the signature for PDF files, corresponding to %PDF- at the start of the file).

These file signatures are used by software and forensic tools to identify the true type of a file, regardless of its extension; a file whose extension and signature disagree has been renamed, deliberately or otherwise, and deserves a closer look.
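The extension-versus-signature check that the two cards above describe, as an added example (not code from this page): it matches the signatures listed above against a set of sample files constructed in memory, looks inside ZIP containers to tell DOCX from XLSX, and flags files whose extension does not belong to the detected container. The JPEG sample deliberately uses the FF D8 FF E1 Exif variant; the DOCX sample is a minimal ZIP with the Office Open XML markers rather than a real document.

```python
import io
import os
import zipfile

# Signatures from the card above. JPEG uses only the first three bytes because
# the fourth depends on the first segment (E0 for JFIF, E1 for Exif).
SIGNATURES = {
    "ole": bytes.fromhex("D0CF11E0A1B11AE1"),   # DOC / XLS / PPT (Compound File Binary)
    "zip": bytes.fromhex("504B0304"),           # DOCX / XLSX / PPTX and any other ZIP
    "jpeg": bytes.fromhex("FFD8FF"),
    "pdf": b"%PDF-",
}

# Extensions that legitimately carry each container type.
EXPECTED_EXTENSIONS = {
    "ole": {"doc", "xls", "ppt", "msg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "jpeg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
}


def detect_container(data):
    """Return the container type whose magic bytes open the data, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def refine_zip(data):
    """DOCX, XLSX and PPTX all share the ZIP signature, so look inside:
    Office Open XML always has [Content_Types].xml plus a word/, xl/ or ppt/ folder."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip (damaged)"
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ooxml"


def classify(filename, data):
    """Compare what the file name claims with what the first bytes say."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    container = detect_container(data)
    if container is None:       # no known signature: nothing to compare against
        return {"file": filename, "ext": ext, "detected": "unknown", "mismatch": False}
    detected = refine_zip(data) if container == "zip" else container
    return {
        "file": filename,
        "ext": ext,
        "detected": detected,
        "mismatch": ext not in EXPECTED_EXTENSIONS[container],
    }


def build_minimal_docx():
    """Constructed stand-in for a Word document: a ZIP carrying the OOXML markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample files (name -> leading bytes). None of these are real evidence.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "holiday.jpg": bytes.fromhex("FFD8FFE1001045786966000049492A00"),  # Exif JPEG
    "invoice.pdf": bytes.fromhex("FFD8FFE000104A46494600010100"),      # JFIF JPEG renamed .pdf
    "notes.txt": build_minimal_docx(),                                 # DOCX renamed .txt
    "budget.xls": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 24,
    "readme.txt": b"Plain text has no signature.\n",
}


def scan_samples():
    return [classify(name, data) for name, data in SAMPLE_FILES.items()]


if __name__ == "__main__":
    for r in scan_samples():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['file']:<12} ext={r['ext']:<5} detected={r['detected']:<14} {flag}")
```

Only the leading bytes are needed for the signature match, which is why real tools run this check over every file on an image quickly; the ZIP refinement is the exception, since it has to read the archive directory. A plain-text file has no signature at all, so it is reported as unknown rather than as a mismatch.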

25
Q

What is ‘exif’ data?

A

EXIF stands for Exchangeable Image File Format. It is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras, smartphones, and other devices.

EXIF data refers to the metadata embedded within image files (like JPEGs) and sometimes audio files. This metadata includes various details about the file, such as:

  • Camera Settings: Information about the camera or device used to capture the image, including the make and model, shutter speed, aperture, ISO, and focal length.
  • Date and Time: The date and time when the photo was taken.
  • Location Information: GPS coordinates of where the image was captured, if the device has location services enabled.
  • Image Information: Data about the image itself, such as resolution, colour space, orientation, and thumbnail image.
  • Software Information: The software or firmware used to process or edit the image.

EXIF data is useful in digital forensics, photography, and image management, as it provides context and technical details about how and where an image was created.

26
Q

What are some of the issues around interpreting metadata?

A

When interpreting file metadata, it is important to keep the following in mind:

  • The ‘Created’ date and time metadata of a file is only as accurate as the clock on the computer or device at the moment the file was initially created or saved using the ‘Save As’ feature. A clock that was wrong, reset, or deliberately changed produces a timestamp that is wrong in exactly the same way.
  • If a file has been transferred, such as from one computer to another, be aware that different systems may be running various versions of an operating system (e.g., Microsoft Windows). These versions may handle the stamping of date and time data differently.
  • Everyday operations also rewrite timestamps: on Windows, copying a file to another volume gives the copy a new ‘Created’ time while keeping the original ‘Modified’ time, so a file can legitimately appear to have been created after it was last modified. File systems also store time differently (NTFS records UTC, FAT records local time), so the same file can display different times on different systems.

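For the two cards above (what EXIF data is, and why metadata must be read with care), an added example that is not code from this page or from any EXIF library: it constructs a JPEG containing only an APP1 Exif segment whose IFD0 holds Make, Model, Software and DateTime, then parses it back in both TIFF byte orders. Only ASCII tags in IFD0 are decoded; a real tool would also follow the Exif sub-IFD for DateTimeOriginal and the GPS IFD for coordinates. The sample values are made up. Note what the parser returns for DateTime: a bare local-time string copied from the device clock, with no time zone, which is exactly the caveat in the metadata card.

```python
import struct

# IFD0 tags decoded by this example (standard TIFF/EXIF tag numbers).
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2  # TIFF field type for NUL-terminated ASCII strings


def build_exif_jpeg(fields, byte_order="II"):
    """Constructed test input: a JPEG holding only an APP1 Exif segment whose IFD0
    contains the given ASCII tags. byte_order is 'II' (little) or 'MM' (big)."""
    endian = "<" if byte_order == "II" else ">"
    entries = sorted(fields.items())                  # IFD entries must be in tag order
    ifd_offset = 8                                    # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4   # where out-of-line strings go
    ifd = struct.pack(endian + "H", len(entries))
    blob = b""
    for tag, text in entries:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                           # short values sit inside the 4-byte field
            field = value.ljust(4, b"\x00")
        else:                                         # longer ones are stored at an offset
            field = struct.pack(endian + "I", data_offset + len(blob))
            blob += value
        ifd += struct.pack(endian + "HHI", tag, ASCII, len(value)) + field
    ifd += struct.pack(endian + "I", 0)               # no next IFD
    tiff = byte_order.encode("ascii") + struct.pack(endian + "HI", 42, ifd_offset) + ifd + blob
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload   # length counts itself
    return b"\xff\xd8" + app1 + b"\xff\xd9"           # SOI, APP1, EOI (no image data)


def parse_exif(jpeg):
    """Walk the JPEG marker segments to the APP1 'Exif' segment and parse IFD0.
    Returns {} if the file carries no Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI or start of scan: no Exif ahead
            return {}
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return parse_ifd0(segment[6:])
        pos += 2 + seg_len
    return {}


def parse_ifd0(tiff):
    """Parse the TIFF header and IFD0. Offsets are relative to the start of the
    TIFF header, and the byte order is whatever the header declares."""
    order = tiff[:2]
    if order not in (b"II", b"MM"):
        raise ValueError("bad TIFF byte order mark")
    endian = "<" if order == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    result = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, ftype, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        field = tiff[entry + 8:entry + 12]
        if ftype == ASCII:
            raw = field[:n] if n <= 4 else tiff[struct.unpack(endian + "I", field)[0]:][:n]
            value = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:
            value = field.hex()                       # other field types left undecoded here
        result[TAGS.get(tag, "Tag 0x%04X" % tag)] = value
    return result


# Constructed sample values (assumed, not from any real device).
SAMPLE_FIELDS = {
    0x010F: "Acme",
    0x0110: "X1",                    # 3 bytes with NUL: exercises the inline-value path
    0x0131: "ExampleCam 1.0",
    0x0132: "2024:03:01 14:22:05",   # device-clock local time, no time zone
}


def roundtrip(byte_order):
    return parse_exif(build_exif_jpeg(SAMPLE_FIELDS, byte_order))


if __name__ == "__main__":
    for order in ("II", "MM"):
        print(order, roundtrip(order))
```

The byte-order mark matters in practice: different camera makers write Exif in different orders, and a parser that assumes one will read every offset wrong. The same layout rules (IFD entries, inline versus out-of-line values) apply to the sub-IFDs that hold DateTimeOriginal and GPS data, which is why forensic tools report them alongside the file-system timestamps rather than instead of them.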
27
Q

What is the difference between exhibits and artefacts in digital forensics?

A

In digital forensics, exhibits and artefacts refer to different aspects of evidence handling and investigation. The difference between the two:

Exhibits:
- Definition: In digital forensics, an exhibit refers to physical evidence or digital media that is collected during an investigation. Exhibits are often considered the primary source of evidence and typically include devices or storage media.
- Examples:
    - Hard drives
    - USB drives
    - Mobile phones
    - Computers
    - Servers
    - Any physical device that holds digital data
- Role: Exhibits are the actual physical or digital objects that are acquired, preserved, and analysed. For example, if a forensic investigator seizes a laptop during an investigation, that laptop becomes an exhibit. Exhibits are carefully documented, and a chain of custody is maintained to ensure the integrity of the evidence.

Artefacts:
- Definition: Artefacts refer to specific pieces of digital evidence that are found during the analysis of the exhibits. These are the individual traces, files, or pieces of data that investigators extract from the digital media. Artefacts are the result of the forensic investigation and help reconstruct what happened on a device or system.
- Examples:
    - Browser history (cookies, URLs visited)
    - Deleted files
    - Log files (e.g., system logs, security logs)
    - Registry entries (e.g., recent programs or network connections)
    - Metadata (e.g., timestamps, file creation/modification details)
    - Emails, messages, or application data
- Role: Artefacts are the digital footprints left behind that provide valuable information about user activities, system behaviour, or the timeline of events. These are derived from exhibits during forensic analysis.

Key difference:

  • Exhibits: The physical or digital storage media collected during an investigation (e.g., a hard drive or computer).
  • Artefacts: The specific pieces of digital evidence extracted from the exhibits (e.g., logs, file fragments, or user activity data).

Example Scenario:
1. Investigators seize a hard drive (the exhibit) from a suspect’s computer.
2. Upon analysing the hard drive, investigators discover deleted emails and browser history that show evidence of illegal activity. These specific pieces of data are the artefacts.

In summary:
- Exhibits are the physical or digital media collected as part of the investigation.
- Artefacts are the specific pieces of evidence (digital traces) found during the forensic analysis of those exhibits.