Digital Forensics Flashcards

1
Q

What is a legal hold?

A

A legal hold is a notification sent by an organization's legal team instructing the organization not to delete electronically stored information that may be relevant to a new or imminent legal case.

Data custodians are instructed to preserve this data.

The information that must be held is stored in a separate repository and is often referred to as ESI (electronically stored information).

2
Q

What is chain-of-custody?

A

A document used in digital forensics to control evidence and maintain its integrity.
Anyone who comes into contact with or analyzes the data must record what they did in the chain of custody.
Hashes are often used to prove that integrity has not been lost.

3
Q

In terms of data on a computer, can you rank the volatility of the different locations where data can exist?

A

From most volatile to least volatile:

CPU registers, CPU cache
Memory, routing table, ARP cache, kernel statistics, process table
Temporary file systems
Disk storage
Remote logging and monitoring data
Physical configuration, network topology
Archival media

(items grouped on the same line are about equally volatile)

4
Q

When dealing with data acquisition, what does order of volatility mean, and how should it be applied?

A

This is the process of gathering data during digital forensics in order from most volatile to least volatile, so that as little data as possible is lost before it can be collected.

5
Q

When preparing a drive to be imaged for the purpose of digital forensics, what would some of the steps be?

A

First, power down the system to prevent further changes to the drive.
Then remove the storage drive from the system.
Then connect it to an imaging device with write protection so that nothing on the drive can be modified.
Then create a forensic clone, which is a bit-for-bit copy. This preserves all data, including "deleted" data that has not yet been overwritten.

6
Q

What is SWAP/PAGEFILE?

A

This is an area on the storage drive used to hold the contents of RAM when memory is running low.
There is far more space on the storage drive than in RAM.
The operating system transfers pages of RAM to this area of the storage drive, swapping information out of RAM to free up memory for other applications to execute.

It is important to capture the swap/pagefile along with a memory dump for digital forensic purposes, since it is essentially a temporary extension of RAM.

7
Q

Which type of backup system would snapshots of a VM be? Incremental or differential?

A

It would be incremental, because you need the whole chain of snapshots if you want to restore from an older one with several snapshots in between.
The original image you installed from is the full backup, and all of your snapshots are incremental backups.

8
Q

What is a cache?

A

A cache is a way to store data for later use.

It is a temporary storage area used to increase performance.
Generally a cache stores the result of an earlier query so that, if an identical query is made again, the result can be read from the cache instead of performing the query again.
It is usually temporary: entries are erased after a specified time frame or when the cache is full.

9
Q

What is an artifact?

A

These are digital items left behind after data is gone; activity often leaves a trace even when the original data has been removed.

Examples include log information, flash memory, prefetch cache files, the recycle bin, browser bookmarks and logins, etc.

10
Q

What is a right-to-audit clause?

A

With cloud computing providers you will need to work out where the data is being held, how it is being accessed over the internet, and what security features are in place to protect the data.

While the initial contract with a cloud service provider is being drawn up, a right-to-audit clause can be added that specifies how you will be able to perform a security audit of your data.
This gives you access to perform security audits and confirm that your data is safe well before a security breach might occur.

11
Q

What is a checksum?

A

This is a relatively simple integrity check (it does not replace a cryptographic hash) that protects against accidental changes to data during transmission.

12
Q

What is provenance?

A

This is documentation of authenticity, similar to a chain of custody, for data handling during the digital forensics process.

This might even be an opportunity for blockchain technology.

13
Q

What is e-discovery?

A

This is the process of gathering data required for the legal process.
It does not generally involve analysis, and there is no consideration of intent.
You are simply gathering the data and providing it to the legal authorities.

It works together with digital forensics.

14
Q

What is non-repudiation?

A

This means the only person who could have sent the data is the sender.
It is proof of the integrity of the data combined with proof of the origin of the data.

With non-repudiation the data is proven to be unchanged and proven to really come from the sender.

There are two ways to provide non-repudiation:
Digital signatures, where anyone who has your public key can verify non-repudiation.
Message authentication codes (MACs), where only the two parties on either end of a conversation can verify non-repudiation.

15
Q

What is strategic intelligence? What about strategic counterintelligence?

A

Strategic intelligence focuses on key threat activity for a domain.
Who are your organization's threats? What are your industry's threats?

Strategic counterintelligence takes a less passive approach to the same concept: it takes measures to stop a particular group from gathering information on us, and then takes steps to gain intelligence on that threat organization.
