Digital Forensics Flashcards
Which of the following computer event logs records events executed on an operating system, such as starting up and shutting down, configuration updates, and system crashes?
A. System log
B. Security log
C. Application log
D. None of the above
A. System log
Every operating system generates event logs: files that record events or transactions on a computer. The operating system and its applications can write a log entry for each event or transaction they are configured to record, so there are numerous types of event logs. Common types include system logs, application logs, and security logs. System logs record events executed on an operating system, including miscellaneous events and those generated during system startup, such as hardware and controller failures. Common system events include starting up and shutting down, configuration updates, and system crashes. Application logs record events concerning access to application data, such as data files being opened or closed; specific actions such as reading, editing, deleting, or printing application files; or the modification of records in an application file. Security logs track security-related events, such as logon and logoff times and changes to access rights. Because logging is configurable and logs can be cleared or overwritten, the examiner should confirm which events were actually being recorded, and how long they were retained, before treating the absence of an entry as evidence that nothing happened.
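As an added example (not part of the original flashcards), the following Python script shows why the three logs are kept straight: a parser over a small, constructed set of Windows-style entries merges the System and Security logs into one timeline, pairs logon and logoff events into sessions, and finds what else was logged during a session. The event IDs are the standard Windows ones for these events; the host activity, user name and timestamps are invented for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed, Windows-style entries: "<UTC timestamp> <log channel> <event ID> <message>".
# The event IDs are the standard Windows ones (6005/6006: event log service started/stopped,
# i.e. boot and shutdown; 1074: shutdown initiated by a user; 4624/4634: logon/logoff;
# 4670: permissions on an object changed; 1000: application crash). Everything else is invented.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z System 6005 The Event log service was started.
2024-03-04T08:03:40Z Security 4624 An account was successfully logged on. user=jsmith
2024-03-04T08:05:02Z Application 1000 Faulting application name: ledger.exe
2024-03-04T08:20:15Z Security 4670 Permissions on an object were changed. user=jsmith object=C:\\Finance\\payroll.xlsx
2024-03-04T08:44:59Z Security 4634 An account was logged off. user=jsmith
2024-03-04T08:45:30Z System 1074 The process winlogon.exe has initiated the shutdown of the computer. user=jsmith
2024-03-04T08:46:01Z System 6006 The Event log service was stopped.
"""

LINE_RE = re.compile(r"^(\S+)\s+(System|Security|Application)\s+(\d+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

BOOT_IDS = {6005}
SHUTDOWN_IDS = {6006, 1074}
LOGON_ID, LOGOFF_ID = 4624, 4634


@dataclass
class Event:
    time: datetime
    channel: str            # "System", "Security" or "Application"
    event_id: int
    message: str
    fields: dict = field(default_factory=dict)   # key=value pairs found in the message


def parse_log(text):
    """Parse the text export into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # a real parser would record unparseable lines rather than drop them
        ts, channel, event_id, msg = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            channel, int(event_id), msg, dict(KV_RE.findall(msg))))
    return sorted(events, key=lambda e: e.time)


def logon_sessions(events):
    """Pair each Security 4624 with the next 4634 for the same user.
    Returns (user, logon_time, logoff_time); logoff_time is None if the log ends first."""
    open_logons, sessions = {}, []
    for e in events:
        if e.channel != "Security":
            continue
        user = e.fields.get("user")
        if e.event_id == LOGON_ID:
            open_logons[user] = e.time
        elif e.event_id == LOGOFF_ID and user in open_logons:
            sessions.append((user, open_logons.pop(user), e.time))
    sessions.extend((user, start, None) for user, start in open_logons.items())
    return sessions


def events_between(events, start, end, channel=None):
    """Everything logged during a window, optionally from one log only: this is how a
    permission change in the Security log is tied to the session in which it happened."""
    return [e for e in events
            if start <= e.time <= end and (channel is None or e.channel == channel)]


def boot_shutdown_window(events):
    """Earliest boot marker and latest shutdown marker in the System log."""
    boots = [e.time for e in events if e.channel == "System" and e.event_id in BOOT_IDS]
    downs = [e.time for e in events if e.channel == "System" and e.event_id in SHUTDOWN_IDS]
    return (min(boots) if boots else None, max(downs) if downs else None)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, on, off in logon_sessions(evs):
        print(f"{user}: {on} -> {off}")
        for e in events_between(evs, on, off or evs[-1].time):
            print(f"   {e.time} {e.channel:<11} {e.event_id} {e.message}")
    print("boot/shutdown:", boot_shutdown_window(evs))
```

Run stand-alone it prints one session for jsmith with the permission change and the application crash that fell inside it, then the boot and shutdown times from the System log.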
Although an organization can lower employees’ expectation of privacy in their workspaces by issuing written privacy policies communicating the organization’s right to search such spaces, it is not necessary for such policies to address personal electronic devices because privacy rights do not attach to information on personal devices that employees bring to work. T/F
False
Employees often carry personal electronic devices into the workplace. Because such devices can be used to facilitate fraud or other types of misconduct, employers should include the right to search such devices in their privacy policies. Personal electronic devices such as smart phones, thumb drives, MP3 players, laptops, and so forth are capable of a multitude of functions that can be used to facilitate fraud or other misconduct, but because they are personal devices, employees can have a reasonable expectation of privacy for data stored in them. Employers, however, can retain the right to search employees’ personal electronic devices by adopting written privacy policies stating that any personal electronic devices brought onto the organizations’ premises are subject to search. This type of policy serves to lower employees’ expectations of privacy in personal electronic devices by putting employees on notice that such devices are subject to search.
Which of the following best describes the image acquisition process used in examinations involving digital evidence?
A. Taking photos of the digital equipment’s physical layout and connections
B. Analyzing the systems data in order to identify evidence
C. Acquiring the digital evidence from the suspect
D. Creating an exact duplicate of the data on original storage media
D. Creating an exact duplicate of the data on original storage media
Once a computer system is seized and before any analysis occurs, it should be imaged for analysis. Forensic analysis should not be performed on suspect devices directly because doing so can alter or damage digital evidence (even booting a system or opening a file can update timestamps). Imaging the data from suspect devices allows a fraud examiner to view and analyze a computer’s contents without altering the original data in any way.
Imaging is the process of making a forensic image of a hard drive or other digital media and writing it to a separate drive or other media, where the analysis is then performed. A forensic image (also called a forensic copy, mirror image, or ghost image) is an exact, sector-by-sector copy of a hard drive or other digital media, which includes unallocated and slack space that an ordinary file copy would omit. The source is attached through a write blocker so that it cannot be modified, and hash values (for example, SHA-256) of the source and of the image are computed and compared to show that the copy is complete and exact.
During the analysis phase in digital forensic investigations, the fraud examiner should look for both inculpatory and exculpatory evidence. T/F
True
When analyzing data for evidence, the fraud examiner should look for inculpatory evidence (i.e., evidence that serves to incriminate the subject of the investigation) and exculpatory evidence (i.e., evidence that serves to disprove the subject’s involvement in the misconduct).
During the analysis phase in digital forensic investigations, the fraud examiner’s primary concern is to protect the collected information from seizure. T/F
False
The primary concern when analyzing digital evidence is to maintain the integrity of the data at all times. Fraud examiners must be especially careful with computer equipment because a careless investigator might inadvertently alter important evidence. Therefore, it helps to follow documented, repeatable procedures (write blockers, hash values recorded at acquisition and re-checked before and after analysis, and a chain-of-custody log) so that the opposing party cannot credibly allege that the methodology used to collect or analyze the data was improper and could have damaged or altered the evidence.
When a forensic investigator is seizing a running computer for examination, he can retrieve data from the computer directly via its normal interface if the evidence needed exists only in the form of volatile data. T/F
True
When seizing a computer that is running, the party seizing the system should not, in most situations, search the computer for evidence because doing so might damage and taint relevant evidence. But in some situations, it might be appropriate to perform live evidence collection (i.e., to collect evidence during the seizure phase while the suspect system is still running rather than shut down). Generally, live evidence collection (i.e., collection directly from the computer via its normal interface) is appropriate when a formally trained computer investigator is seizing the computer and the evidence that the investigator needs exists only in the form of volatile data, such as the contents of memory, running processes, and active network connections, which are lost when the machine is powered off. Because any live collection itself changes the state of the system, the investigator should use trusted tools from external media, collect the most volatile data first, and document every action taken and the time it was taken.
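An added example, not from the original flashcards, of what live collection of volatile data looks like in practice: a Python collector for a Linux host (it reads /proc and runs who) that gathers artifacts in order of volatility, writes nothing to the suspect's disk, and produces a hashed manifest of what was collected and when. The artifact names and their order are this example's choices; a collector that fails is recorded in the manifest rather than aborting the run.

```python
import hashlib
import os
import subprocess
from datetime import datetime, timezone


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def _process_list():
    """One line per process, "<pid> <command name>", read from /proc."""
    rows = []
    for pid in sorted(int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            rows.append(f"{pid} {_read(f'/proc/{pid}/comm').decode().strip()}")
        except OSError:
            continue    # the process exited between listing and reading
    return "\n".join(rows).encode()


def _run(cmd):
    """Output of an external tool. In real work the binary comes from the examiner's
    own trusted media, not from the suspect system's PATH."""
    return subprocess.run(cmd, capture_output=True, check=True, timeout=10).stdout


# Ordered from most to least volatile (the RFC 3227 ordering): the clock and state that
# vanish at shutdown come first, mounted file systems last. This list is the example's choice.
COLLECTORS = [
    ("examiner_clock_utc", lambda: datetime.now(timezone.utc).isoformat().encode()),
    ("uptime", lambda: _read("/proc/uptime")),
    ("tcp_connections", lambda: _read("/proc/net/tcp")),
    ("arp_cache", lambda: _read("/proc/net/arp")),
    ("process_list", _process_list),
    ("logged_in_users", lambda: _run(["who"])),
    ("mounted_filesystems", lambda: _read("/proc/mounts")),
]


def collect_volatile(collectors=COLLECTORS):
    """Run each collector in order. Nothing is written to the suspect's disk: the raw
    output and a manifest (what, when, size, SHA-256, any error) are returned for the
    examiner to save to external media. A failing collector is recorded, not fatal."""
    manifest, blobs = [], {}
    for name, collect in collectors:
        started = datetime.now(timezone.utc).isoformat(timespec="microseconds")
        try:
            data, error = collect(), None
        except Exception as exc:            # missing tool, no /proc, permission denied, ...
            data, error = b"", f"{type(exc).__name__}: {exc}"
        blobs[name] = data
        manifest.append({"artifact": name, "collected_at": started, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(), "error": error})
    return manifest, blobs


def verify_manifest(manifest, blobs):
    """Re-hash the saved output against the manifest; run this again before the
    collection is relied on in the analysis phase."""
    return all(hashlib.sha256(blobs[r["artifact"]]).hexdigest() == r["sha256"]
               for r in manifest)


if __name__ == "__main__":
    manifest, blobs = collect_volatile()
    for r in manifest:
        print(f"{r['collected_at']} {r['artifact']:<20} {r['size']:>7} B  "
              f"{r['sha256'][:16]}...  {r['error'] or 'ok'}")
    print("manifest verifies:", verify_manifest(manifest, blobs))
```

The manifest is the record that matters later: each line says what was taken, when, and what it hashed to, so the examiner can show in the analysis phase that the saved output is what was collected at the keyboard.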
Which of the following is a unique challenge of cloud forensics not faced in traditional forensic practices?
A. Lack of data control
B. Lack of information accessibility
C. Lack of frameworks and specialist tools
D. All of the above
D. All of the above
Conducting digital forensic investigations in the cloud environment (i.e., cloud forensics) presents challenges not faced in traditional forensic practices. Some of the important challenges of acquiring evidence from the cloud are:
• Lack of frameworks and specialist tools
• Lack of information accessibility
• Lack of data control
• Jurisdiction of storage
• Electronic discovery
• Preserving chain of custody
• Resource sharing
• Lack of knowledge
Forensic investigations in cloud environments can be complicated by the lack of physical access to evidence stored on the cloud. T/F
True
Conducting digital forensic investigations in the cloud environment (i.e., cloud forensics) presents challenges not faced in traditional forensic practices, and lack of information accessibility is one factor that complicates such investigations.
Cloud computing complicates the collection of data because cloud storage systems are not local; therefore, investigators generally do not have physical access to evidence stored on the cloud—something that investigators typically have when examining traditional privately owned and locally hosted systems.
Lack of information accessibility also means that often, cloud customers do not have much information about the physical locations of their data.
Steganography refers to procedures used to convert information using an algorithm (called a cipher) that makes the information unreadable. T/F
False
Encryption refers to procedures used to convert information using an algorithm (called a cipher) so that the information is unreadable to anyone who does not hold the corresponding key.
Steganography is the process of hiding one piece of information within an apparently innocent file. For example, a user can use the least significant bits of a bitmap image to hide a message. By hiding the message in the least significant bits of an image, there is almost no perceivable change in the bitmap image itself, and without directly comparing the altered image to the original, visual inspection will not reveal that the image was altered. The change is not undetectable, however: statistical analysis of the least significant bits can reveal that a payload is present, and comparing the file against a known-good copy reveals it immediately.
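As an added example (not part of the flashcards), the Python below embeds a message in the least significant bits of a 24-bit BMP built in memory, extracts it again, and checks that no pixel byte changed by more than one; it also computes a crude LSB statistic to show that "imperceptible" is not "undetectable". The image, the message and the length-prefix framing are this example's own choices.

```python
import struct

HEADER_SIZE = 54    # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)


def make_bmp(width, height):
    """Constructed 24-bit BMP cover image (a colour gradient) built in memory."""
    assert (width * 3) % 4 == 0, "width chosen so rows need no padding"
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 4) & 0xFF, (y * 8) & 0xFF, ((x + y) * 2) & 0xFF))  # B, G, R
    file_header = struct.pack("<2sIHHI", b"BM", HEADER_SIZE + len(pixels), 0, 0, HEADER_SIZE)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels),
                              2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixels)


def _pixel_offset(bmp):
    return struct.unpack_from("<I", bmp, 10)[0]     # bfOffBits: where pixel data starts


def embed_lsb(bmp, message):
    """Write the message, one bit per pixel byte, into the least significant bits.
    A 4-byte length prefix tells the extractor where the message ends."""
    start = _pixel_offset(bmp)
    payload = len(message).to_bytes(4, "big") + message
    capacity = len(bmp) - start
    if len(payload) * 8 > capacity:
        raise ValueError(f"need {len(payload) * 8} pixel bytes, cover has {capacity}")
    out = bytearray(bmp)
    for i in range(len(payload) * 8):
        bit = (payload[i >> 3] >> (7 - (i & 7))) & 1
        out[start + i] = (out[start + i] & 0xFE) | bit   # changes each byte by at most 1
    return bytes(out)


def _read_lsb_bytes(bmp, start, count):
    value = 0
    for i in range(count * 8):
        value = (value << 1) | (bmp[start + i] & 1)
    return value.to_bytes(count, "big")


def extract_lsb(bmp):
    start = _pixel_offset(bmp)
    length = int.from_bytes(_read_lsb_bytes(bmp, start, 4), "big")
    return _read_lsb_bytes(bmp, start + 32, length)


def max_abs_diff(a, b):
    """Largest per-byte change between cover and stego file (1 for LSB embedding)."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ones_ratio(bmp):
    """Share of pixel bytes whose LSB is 1: a crude steganalysis statistic. This synthetic
    gradient has an all-zero LSB plane, so embedding is obvious; a photograph's LSB plane
    is already noisy and real detection needs proper statistical tests."""
    pix = bmp[_pixel_offset(bmp):]
    return sum(b & 1 for b in pix) / len(pix)


if __name__ == "__main__":
    cover = make_bmp(64, 32)
    secret = b"move 48,200 from escrow to acct 7731 before audit"
    stego = embed_lsb(cover, secret)
    print("recovered:", extract_lsb(stego))
    print("max byte change:", max_abs_diff(cover, stego))
    print("LSB ones ratio cover/stego:", lsb_ones_ratio(cover), lsb_ones_ratio(stego))
```

The header bytes are untouched, the file size is unchanged, and every pixel byte differs from the cover by at most one unit, which is why the picture looks the same; the LSB statistic, by contrast, moves from 0 to a clearly non-zero value on this cover.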
Forensic analysis should not be performed directly on suspect devices because doing so can alter or damage digital evidence. T/F
True
Once a computer system is seized and before any analysis occurs, it should be imaged for analysis. Forensic analysis should not be performed on suspect devices directly because doing so can alter or damage digital evidence (even booting a system or opening a file can update timestamps). Imaging the data from suspect devices allows a fraud examiner to view and analyze a computer’s contents without altering the original data in any way.
Imaging is the process of making a forensic image of a hard drive or other digital media and writing it to a separate drive or other media, where the analysis is then performed. A forensic image (also called a forensic copy, mirror image, or ghost image) is an exact, sector-by-sector copy of a hard drive or other digital media, which includes unallocated and slack space that an ordinary file copy would omit. The source is attached through a write blocker so that it cannot be modified, and hash values (for example, SHA-256) of the source and of the image are computed and compared to show that the copy is complete and exact.
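Both imaging cards above, and the card on maintaining data integrity during analysis, describe the same procedure; the following Python example, added here and not part of the flashcards, carries it out on a constructed one-megabyte "drive": a sector-by-sector copy from a source opened read-only, hashed while it is read, then verified by hashing the image and re-hashing the source. The file names and sample contents are invented.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def sha256_of(path, block_size=1 << 20):
    """Hash a file in blocks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_media(source, image, sector_size=SECTOR_SIZE):
    """Copy the source sector by sector into the image file, hashing the source as it is
    read. The source is opened read-only (O_RDONLY); on real media a hardware write
    blocker enforces the same guarantee regardless of what the software does."""
    h = hashlib.sha256()
    copied = 0
    src_fd = os.open(source, os.O_RDONLY)
    with os.fdopen(src_fd, "rb") as src, open(image, "wb") as dst:
        for sector in iter(lambda: src.read(sector_size), b""):
            h.update(sector)
            dst.write(sector)
            copied += len(sector)
    return copied, h.hexdigest()


def acquire(source, image):
    """Image the source and verify: the hash computed while reading, the hash of the
    finished image and a fresh hash of the source must all agree. The last comparison is
    what shows the original was not altered by the acquisition."""
    copied, hash_while_reading = image_media(source, image)
    record = {
        "bytes": copied,
        "hash_while_reading": hash_while_reading,
        "image_hash": sha256_of(image),
        "source_hash_after": sha256_of(source),
    }
    record["verified"] = (record["hash_while_reading"] == record["image_hash"]
                          == record["source_hash_after"])
    return record


def make_sample_media(path, sectors=2048):
    """Constructed 1 MiB 'drive': an MBR-style boot sector followed by patterned sectors."""
    with open(path, "wb") as f:
        boot = bytearray(SECTOR_SIZE)
        boot[510:512] = b"\x55\xaa"       # classic boot-sector signature
        f.write(boot)
        for i in range(1, sectors):
            f.write(bytes([i % 256]) * SECTOR_SIZE)


def run_demo():
    """Acquire the sample media, then show that later work on the image (here, a one-byte
    edit) is caught by re-hashing while the source hash is unchanged."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_drive.bin")
        image = os.path.join(workdir, "suspect_drive.dd")
        make_sample_media(source)
        record = acquire(source, image)
        with open(image, "r+b") as f:       # an analyst (or a careless tool) touches the image
            f.seek(4096)
            f.write(b"\x00")
        return {
            "record": record,
            "image_changed": sha256_of(image) != record["image_hash"],
            "source_unchanged": sha256_of(source) == record["source_hash_after"],
        }


if __name__ == "__main__":
    result = run_demo()
    for key, value in result["record"].items():
        print(f"{key:>20}: {value}")
    print("image changed after edit:", result["image_changed"])
    print("source still intact:     ", result["source_unchanged"])
```

In practice the acquisition hashes go into the chain-of-custody record at the time of imaging, and analysis is done on a working copy of the image so that the verified image itself stays pristine.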
The rules of admissibility for digital evidence are stricter than such rules for tangible evidence. T/F
False
Although digital evidence is different from—and more volatile than—tangible evidence, the rules regarding its admissibility in court are really no different from the admissibility of any other type of evidence.
Darren is conducting a fraud examination of Cooper, an employee at his organization, a government entity. Darren has strong reason to believe that Cooper has incriminating evidence on a personal smart phone that he brings to work. Which of the following statements is most accurate?
A. Cooper has an inalienable right to privacy for information on his personal smart phone, and Darren must obtain a warrant to search the device.
B. Darren may conduct a search of Cooper’s smart phone because the U.S. Constitution does not apply to workplace investigations.
C. Darren may search the phone if his organization has a privacy policy informing employees that personal smart phones are subject to search.
D. Employees never have an expectation of privacy for information on personal devices they bring to work, so Darren may search the phone.
C. Darren may search the phone if his organization has a privacy policy informing employees that personal smart phones are subject to search.
Employees often carry personal electronic devices into the workplace. Because such devices can be used to facilitate fraud or other types of misconduct, employers should include the right to search such devices in their privacy policies. Personal electronic devices such as smart phones, thumb drives, MP3 players, laptops, and so forth are capable of a multitude of functions that can be used to facilitate fraud or other misconduct, but because they are personal devices, employees can have a reasonable expectation of privacy for data stored in them. Employers, however, can retain the right to search employees’ personal electronic devices by adopting written privacy policies stating that any personal electronic devices brought onto the organizations’ premises are subject to search. This type of policy serves to lower employees’ expectations of privacy in personal electronic devices by putting employees on notice that such devices are subject to search.
Which of the following is TRUE about using computer-created metadata in forensic investigations?
A. Metadata information can help determine who wrote a document
B. Metadata information can help determine when a document was created
C. Metadata information can help determine who received a document
D. All of the above
D. All of the above
Metadata is computer-generated data about data, and the metadata embedded in files and recorded by file systems can contain a great deal of information useful in a fraud investigation. Metadata information can help determine who wrote a document; who received, opened, copied, edited, moved, or printed the document; and when these events occurred. Because metadata is written by software from the local clock and can be edited or stripped, it should be corroborated with other sources (for example, file system timestamps, e-mail headers, or print server logs) before it is relied on.
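An added example, not part of the original flashcards: the Python below builds a minimal Word-style (.docx) package with constructed document properties, reads back the author, last editor, creation and modification times and producing application, and lists points worth corroborating. The namespaces are the standard OOXML ones; the names, dates and company are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by OOXML (.docx/.xlsx/.pptx) document properties.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def make_sample_docx(creator="A. Vendor", last_modified_by="jsmith",
                     created="2024-02-01T09:15:00Z", modified="2024-02-28T17:42:00Z"):
    """Constructed document: a zip holding only the property parts this example reads.
    A real .docx carries many more parts; the names and dates here are invented."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:title>Invoice 2024-0117</dc:title>
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <Company>Acme Supply Co.</Company>
  <TotalTime>95</TotalTime>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")   # placeholder body
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None


def extract_office_metadata(doc_bytes):
    """Read author, last editor, timestamps and producing application from the package."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        meta.update(
            title=_text(core, "dc:title"),
            creator=_text(core, "dc:creator"),
            last_modified_by=_text(core, "cp:lastModifiedBy"),
            revision=_text(core, "cp:revision"),
            created=_text(core, "dcterms:created"),
            modified=_text(core, "dcterms:modified"),
        )
        if "docProps/app.xml" in z.namelist():
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta.update(application=_text(app, "ep:Application"),
                        company=_text(app, "ep:Company"),
                        edit_minutes=_text(app, "ep:TotalTime"))
    return meta


def _parse_w3cdtf(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def metadata_leads(meta):
    """Points to corroborate. Embedded properties are set by the application from the
    local clock and can be edited, so a lead is a question, not a finding."""
    leads = []
    if meta["creator"] != meta["last_modified_by"]:
        leads.append(f"last saved by {meta['last_modified_by']}, not by the author {meta['creator']}")
    created, modified = _parse_w3cdtf(meta["created"]), _parse_w3cdtf(meta["modified"])
    if created > modified:
        leads.append("created timestamp is later than modified timestamp: clock change or edited metadata")
    return leads


if __name__ == "__main__":
    meta = extract_office_metadata(make_sample_docx())
    for key, value in meta.items():
        print(f"{key:>17}: {value}")
    for lead in metadata_leads(meta):
        print("lead:", lead)
```

The same package-and-XML approach applies to .xlsx and .pptx files, which use the identical docProps parts; older binary Office formats and PDFs store their properties differently and need their own readers.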