Digital Forensics Flashcards
The process of gathering and submitting computer evidence to trial and
interpreting that evidence by providing expert analysis
Digital Forensics
Written procedures ensure that personnel handle forensics properly, effectively, and in
compliance with required regulations
Forensic Procedures
Ensure the scene is safe, secure the scene to prevent evidence
contamination, and identify the scope of evidence to be collected
Identification
Ensure authorization to collect evidence is obtained, and then
document and prove the integrity of evidence as it is collected
Collection
Create a copy of evidence for analysis and use repeatable methods and
tools during analysis
Analysis
Create a report of the methods and tools used in the investigation and
present detailed findings and conclusions based on the analysis
Reporting
A process designed to preserve all relevant information when litigation is
reasonably expected to occur
Legal Hold
Contractual method of retaining (hiring) forensics investigators so that their analysis is
protected from disclosure by the work product doctrine
Work Product Retention
The method and tools used to create a forensically sound copy of data from a
source device, such as system memory or a hard disk
Data Acquisition
A kit containing the software and hardware tools required to acquire and analyze
evidence from system memory dumps and mass storage file systems
Digital Forensics Kit
A digital forensics case management product created by Guidance
Software with built-in pathways or workflow templates that show the
key steps in many types of investigations
EnCase
A digital forensics investigation suite by AccessData that runs on
Windows Server or server clusters for faster searching and analysis due
to data indexing when importing evidence
The Forensic Toolkit (FTK)
An open-source digital forensics collection of command line tools and
programming libraries for disk imaging and file analysis that interfaces
with Autopsy as a graphical user front-end interface
The Sleuth Kit
A process that creates an image file of the system memory that can be analyzed
to identify the processes that are running, the contents of temporary file systems,
Registry data, network connections, cryptographic keys, and more
System Memory Image Acquisition
Capturing the contents of memory while the computer is running using a
specialist hardware or software tool
Live Acquisition
The contents of memory are written to a dump file when Windows encounters an
unrecoverable kernel error
Crash Dump
A file that is written to the disk when the workstation is put into a sleep state
Hibernation File
A file that stores pages of memory in use that exceed the capacity of the host’s
physical RAM modules
Pagefile
A process that creates an image file of the system’s disks that can be analyzed to
identify current, deleted, and hidden files on a given disk
Disk Image Acquisition
Capturing the contents of the disk drive while the computer is still running
Live Acquisition
The computer is shut down through the operating system properly and then the
disk is acquired
Static Acquisition by Shutting Down
The system’s power is disconnected by removing the power plug from the wall
socket
Static Acquisition by Pulling the Plug
Bit-by-bit copy of a disk that includes every non-bad sector on the
target disk including deleted or hidden data
Physical Acquisition
Copies files and folders from partitions using the file system table
stored on the media
Logical Acquisition
A forensic tool that prevents the capture or analysis device or workstation from
changing data on a target disk or media
Write Blockers
A software utility that conducts the disk imaging of a target
Imaging Utilities
A Unix/Linux/macOS command that can perform disk image acquisition
dd
A function that converts an arbitrary length string input to a fixed length string
output
Hash
A cryptographic hashing algorithm created to address possible weaknesses in the
older MD5 hashing algorithm
▪ SHA-1 uses a 160-bit hash digest, but isn’t considered strong
▪ SHA-2 uses a 256-bit or 512-bit hash digest and is the current version used in
modern forensics
Secure Hash Algorithm (SHA)
A cryptographic hashing algorithm created in 1990 with the most commonly used
variant being MD5
▪ MD5 uses a 128-bit hash digest, but it is susceptible to collisions, so it should
only be used as a second factor of integrity checking
Message Digest Algorithm (MD5)
A type of software that reviews system files to ensure that they have not been
tampered with
File Integrity Monitoring (FIM)
A tool that shows the sequence of file system events within a source image in a
graphical format
Timeline
HDDs and SSDs are divided into sectors of either 512 bytes (standard) or 4096 bytes
(advanced)
Sector
The smallest unit the file system can address (default is 4096 bytes)
Block/Cluster
A table that contains metadata with the location of each file in terms of
blocks/clusters for disks formatted as NTFS
Master File Table (MFT)
The process of extracting data from a computer when that data has no associated
file system metadata
Carving
An open-source command line tool that is part of The Sleuth Kit that is used to
conduct file carving on Linux and Windows systems
Scalpel
The record of evidence history from collection, to presentation in court, to
disposal
Chain of Custody