Digital Forensics Flashcards
The process of gathering and submitting computer evidence to trial and
interpreting that evidence by providing expert analysis
Digital Forensics
Written procedures ensure that personnel handle forensics properly, effectively, and in
compliance with required regulations
Forensic Procedures
Ensure the scene is safe, secure the scene to prevent evidence
contamination, and identify the scope of evidence to be collected
Identification
Ensure authorization to collect evidence is obtained, and then
document and prove the integrity of evidence as it is collected
Collection
Create a copy of evidence for analysis and use repeatable methods and
tools during analysis
Analysis
Create a report of the methods and tools used in the investigation and
present detailed findings and conclusions based on the analysis
Reporting
A process designed to preserve all relevant information when litigation is
reasonably expected to occur
Legal Hold
Contractual method of retaining (hiring) forensics investigators so that their analysis is
protected from disclosure by the work product doctrine
Work Product Retention
The method and tools used to create a forensically sound copy of data from a
source device, such as system memory or a hard disk
Data Acquisition
A kit containing the software and hardware tools required to acquire and analyze
evidence from system memory dumps and mass storage file systems
Digital Forensics Kit
A digital forensics case management product created by Guidance
Software with built-in pathways or workflow templates that show the
key steps in many types of investigations
EnCase
A digital forensics investigation suite by AccessData that runs on
Windows Server or server clusters; searching and analysis are faster
because evidence data is indexed as it is imported
The Forensic Toolkit (FTK)
An open-source collection of digital forensics command-line tools and
programming libraries for disk imaging and file analysis, with Autopsy
serving as its graphical front end
The Sleuth Kit
A process that creates an image file of the system memory that can be analyzed
to identify the processes that are running, the contents of temporary file systems,
Registry data, network connections, cryptographic keys, and more
System Memory Image Acquisition
Capturing the contents of memory while the computer is running using a
specialist hardware or software tool
Live Acquisition
The contents of memory are written to a dump file when Windows encounters an
unrecoverable kernel error
Crash Dump
A file that is written to the disk when the workstation is put into a sleep state
Hibernation File
A file that stores pages of memory in use that exceed the capacity of the host’s
physical RAM modules
Pagefile
A process that creates an image file of the system’s disks that can be analyzed to
identify current, deleted, and hidden files on a given disk
Disk Image Acquisition
Capturing the contents of the disk drive while the computer is still running
Live Acquisition
The computer is shut down through the operating system properly and then the
disk is acquired
Static Acquisition by Shutting Down
The system’s power is disconnected by removing the power plug from the wall
socket
Static Acquisition by Pulling the Plug
Bit-by-bit copy that includes every non-bad sector on the target disk,
including deleted or hidden data
Physical Acquisition
Copies files and folders from partitions using the file system table
stored on the media
Logical Acquisition