Digital Forensics 1

Question 1

is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.… Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

Answer 1

Forensics

Question 2

is a formal document that lists what tests you conducted, what you found, and your conclusions. It also includes your curriculum vitae (CV), which is like a résumé, only much more thorough and specific to your work experience as a forensic investigator. Specific rules will vary from court to court, but as a general rule, if you don’t put it in your report, you cannot testify about it at trial.

Answer 2

expert report

Question 3

A deposition—testimony taken from a witness or party to a case before a trial—is less formal, and is typically held in an attorney’s office. The other side’s lawyer gets to ask you questions. In fact, the lawyer can even ask some questions that would probably be disallowed by a trial judge. But do remember, this is still sworn testimony, and lying under oath is perjury, which is a felony.

Answer 3

2 parts to expert testimony

Question 4

is information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.

Answer 4

Digital evidence

Question 5

Real Evidence = like a laptop that someone can touch, Documentary = data stored as written matter on paper or in electronic files, like email messages, logs, databases, photographs, etc … Testimonial = info that forensic specialists use to support or interpet real or documentary evidence, Demonstrative.

Answer 5

4 types of evidence

Question 6

which is data about information, such as disk partition structures and file tables. Metadata also includes file creation and modification times. Who authored a file and when it was revised or updated are also important pieces of metadata for a forensic analyst to document.

Answer 6

metadata

Question 7

This term refers to the functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per track.

Answer 7

Drive Geometry

Question 8

This is the space between the end of a file and the end of the cluster, assuming the file does not occupy the entire cluster. This is space that can be used to hide data.

Answer 8

Slack Space

Question 9

This creates a structure of sectors, tracks, and clusters.

This is the process of setting up an empty file system on the disk and installing a boot sector. This is sometimes referred to as a quick format.

Answer 9

Low-Level Format / High-Level Format

Question 10

physical journaling, the system logs a copy of every block that is about to be written to the storage device, before it is written. The log also includes a checksum of those blocks, to make sure there is no error in writing the block. With logical journaling, only changes to file metadata are stored in the journal.

Answer 10

journaling