Digital Forensics 4 Flashcards
is a formal document that details the expert’s findings. Often this is filed in a case prior to trial. If there are depositions, then the expert report will probably be used as the basis for some questions you are asked during deposition. An expert report will always be needed in civil cases, but may or may not be required in criminal cases.
expert report
The first issue is the format of the report. You usually list all items, documents, and evidence you considered. You also detail the tests you performed, the analysis done, and your conclusion. You should include your entire curriculum vitae (CV)—an extensive document detailing your experience and qualifications for a position—in an appendix. Keep in mind that a CV is much more thorough than a résumé. You should list every publication, award, or credential you have earned. A CV should also include more detail on work history and educational history. Be thorough and back up everything you say.
expert report info …
is a very widely used forensic toolkit. This tool allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine. EnCase prevents the examiner from making any accidental changes to the suspect machine.
EnCase from Guidance Software
Forensic tool, good at cracking passwords and at searching and analyzing the Windows Registry, which records installed programs, including viruses, worms, trojans, hidden programs, and spyware. Can also examine email.
*** Helix : Linux live CD for computer forensics.
FTK
scans for anomalies that identify odd formats, extra tracks, and extra sectors. It can be used to uncover sophisticated data-hiding techniques.
AnaDisk
from NTI essentially turns a PC into a disk duplicator. In a single pass, it formats, copies, and verifies a disk.
*** There are options to search for a given file or to search for only deleted versions of a file.
CopyQM Plus / The Sleuth Kit
net sessions (Windows) : shows only established connections.
openfiles (Windows) : tells you if any shared files/folders are open and who has them open.
Capture the PC's memory for forensics, take photos of the screen with a camera, etc.
info …
If the device you have seized is a computer, you need to remove the drive(s) from the suspect machine even if the drive(s) are not currently attached to any cabling. Create a chain of custody (COC) form. Before taking the PC apart, take pictures from all angles to document the system hardware components and how they are connected. Labeling each wire is important so it can be reconnected once the PC is restored to its original condition. Record the BIOS info, or if there is no BIOS, get the UEFI info. In the BIOS, record the system date and time on the COC. After power is restored to the system, eject all media drives, remove them, and fill out a separate COC form for each item removed.
info …
After imaging a drive, create a hash of the original and of the copy, and document the type of hash algorithm used.
Catalog all erased files and sort them by filename, file size, file content, creation date, and last modified date and time.
Evaluate hidden partitions and document them.
info …
List all website URLs and all email addresses on the PC. Then index the different kinds of file formats.
Physical Analysis