FINAL Flashcards

1
What are Hardware Forensic Tools
single-purpose components to computer systems and servers
2
What are software forensic tools used for
create copy of data from suspect's disk drive to an image file
3
Types of Software forensic tools
Command-line applications, GUI applications
4
What are the categories of validated tools
Acquisition, Validation & Verification, Extraction, Reconstruction, Reporting
5
ISO Standard 27037
Digital evidence first responders should use validated tools
6
Acquisition definition
Making a copy of the original drive
7
Acquisition subfunctions
Physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, remote & live & memory acquisition
8
Acquisition methods
Physically copying entire drive, logically copying disk partition
9
Format for Disk Acquisition
vary from raw data to vendor-specific proprietary
10
Acquisition Common feature
Creating smaller segmented files
11
What do larger organizations use for acquisition
Remote acquisition
12
Validation Definition
Way to confirm that a tool is functioning as intended
13
Verification Definition
Proves that two sets of data are identical by calculating hash values or using another similar method, also separating good and suspicious data (filtering)
14
Validation: common file header value purpose
see whether a file extension is incorrect for the file type, identifiable by most forensic tools
15
Extraction Definition
Recovery task in digital investigation, most challenging
16
Extraction Subfunctions
Data viewing, keyword searching, decompressing, carving, decrypting, bookmarking
17
What can be used to speed up analysis (extraction)
Keyword search
18
What can you do when things are password protected (2 options)
Brute force or dictionary attack
19
Reconstruction definition
Re-create a suspect drive to show what happened during a crime or an incident
20
Reconstruction methods
Disk-to-disk copy, partition-to-partition copy, image-to-disk copy, image-to-partition copy, disk-to-image copy, rebuilding files from data runs and carving
21
How to recreate an image of a suspect drive
Copy an image to another location, such as a partition, physical disk, or a virtual machine, easiest: direct disk to image copy
22
Disk to image copy tools
Linux dd command, ProDiscover, Voom Technologies Shadow Drive
23
Reporting purpose
to perform a forensics disk analysis and examination, you need to create a report
24
Report subfunctions
Bookmarks or tagging, log reports, timelines, report generator
25
First tools for analysis
MS-DOS, Norton DiskEdit, Command-line tools
26
What has mostly replaced Unix
Linux
27
SMART features
Multiple linux versions, several file systems, many plug-in utilities, hex viewer
28
Helix 3 features
One of easiest, can load on Windows, loads bootable Linux OS from cold boot, not necessarily valid in international court
29
Kali Linux features
Includes variety of tools and has an easy-to-use K Desktop Environment interface
30
Autopsy and SleuthKit features
SleuthKit is a Linux forensics tool, Autopsy was the browser interface to access SleuthKit
31
Forcepoint Threat Protection features
Linux memory analysis tool, both onsite and remote memory acquisitions
32
GUI Forensic tools purpose
Simplify digital forensics investigations
33
Structure of GUI tools
Suites of tools with simplified training
34
Advantages of GUI tools
ease of use, multitasking, no need for learning old OSs
35
Disadvantages of GUI tools
Excessive resource requirements, inconsistent results, tool dependencies
36
Budget Considerations
time of workstation, failures, consultant and vendor fees, anticipate equipment restrictions
37
Categories of Forensic Tools
Stationary, portable, lightweight
38
Advantages of Forensic Workstations
Customized to needs, save money
39
Disadvantages of Forensic Workstations
Hard to find support, can become expensive
40
Vendor Workstations
F.R.E.D, mounts from ForensicsPC
41
Advantages of Vendor Workstations
Support, mix and match components
42
Write blocker definition
Prevents data writes to hard disk
43
Software Blocker Feature
run in shell mode
44
Hardware blocker features
ideal for GUI tools, bridge between suspect drive and workstation
45
Write blocker connecting technologies
FireWire, USB 2.0 & 3.0, SATA & PATA & SCSI controllers
46
Recommendations for forensic lightweight workstation
full tower to allow expansion, memory and processor power as budget allows, different size hard drives, 400-watt or better power supply with backup battery, external FireWire and USB ports, assortment of drive adapter bridges, good video card, high-end video card and dual monitors
47
CFTT
Computer forensics tool testing, manages research on forensics tools
48
Lab must meet these criteria
Establish categories for tools, identify forensics category requirements, test assertions, identify test cases, establish a test method, report test results
49
ISO 5725
Specifies results must be repeatable and reproducible
50
National Software Reference Library Project
Collects all known hash values for commercial software applications and OS files, filtering known information, use RDS to locate and identify known bad files
51
Validation Protocols
Verify results, use at least two tools, understand how tools work, compare results
52
Disk editor features
reliable tools, access raw data
53
Digital Forensics Examination Protocol
Perform investigation with GUI tool, verify your results with disk editor, compare hash values obtained with both tools
54
Digital Forensics tool upgrade protocol
Test, report problems with tools, use test hard disk for validation, check for any updates
55
Types of Images
Bitmap images, vector graphics, metafile graphics
56
Bitmap Images
Collection of dots, grid of individual pixels
57
Vector Graphics
Based on mathematical instructions
58
Metafile Graphics
Combination of bitmap and vector
59
Types of Graphic file programs
Graphics editors, image viewers
60
Raster Images
Pixels are stored in rows, better for printing
61
Image Quality is based on...
Screen resolution, software, number of color bits per pixel
61
Characteristics of Vector Graphics
Use lines instead of dots, store calculations for drawing lines and shapes, smaller than bitmap files, preserve quality when scaled up
61
Vector Graphic Software
CorelDRAW, Adobe Illustrator
61
Metafile advantages and disadvantages
Share with both types, when enlarged bitmap part loses quality
62
PNG
Portable Network Graphics
63
GIF
Graphics Interchange Format
64
JPEG
Joint Photographic Experts Group
65
TIFF
Tagged Image File Format
66
BMP
Windows Bitmap
67
Standard Vector File Formats
Hewlett-Packard Graphics Language (HPGL), AutoCAD (DXF)
68
TGA
Targa
69
RTL
Raster Transfer Language
70
.psd and .ai
Adobe Photoshop and Illustrator
71
Freehand
.fh11
72
SVG
Scalable Vector Graphics
73
PCX
Paintbrush
74
Raw file format properties
'digital negative', typically found on many higher-end digital cameras, maintains best picture quality
75
Raw file format disadvantage
Not all image viewers can display proprietary images
76
Demosaicing
Process of converting raw picture data to another format
77
EXIF
Exchangeable image file, used to store digital pictures
78
How to view EXIF metadata
Exif reader, IrfanView, Magnet Forensics AXIOM, Autopsy metadata at beginning of file
79
What type of files compress their data
Graphics (GIF and JPEG)
80
Types of data compression
Lossy and Lossless
81
Properties of Lossless compression
Reduces size without removing data, based on Huffman or Lempel-Ziv-Welch coding
82
Properties of Lossy Conversion
Permanently discards bits of information using Vector Quantization
83
Vector Quantization
Determines what data to discard based on vectors in graphics file
84
Properties of OS Tools for Locating and Recovering Graphics Files
Time consuming, results are difficult to verify
85
Properties of Forensic tools for locating and recovering graphics files
Use image headers to create a baseline analysis, reconstruct fragmented files by identifying data patterns and modified headers
86
Carving or Salvaging
Recovering any type of file fragments
87
How to reconstruct image header
compare hex values of known graphics file formats with the pattern of found header
88
Steps to Reconstruct File Fragments
Locate and export all clusters of file, determine starting and ending cluster number for each fragmented group of sectors, copy each fragmented group of sectors in their correct sequence to a recovery file, rebuild file header, add .txt extension on all copied sectors
89
Analyzing Graphics File Headers
Necessary on unrecognized tools, use hex editor such as WinHex to record hex values in header and use them to define file type
90
Properties of tools for viewing images
no one tool works for all types, most GUI forensics tools include image viewers that display common image formats
91
Steganography
hides information inside image files
92
Steganography major forms
insertion and substitution
93
Insertion Steganography
Hidden data is not displayed when viewing host file in its associated program
94
Substitution Steganography
Replaces bits of the host file with other bits of data, usually change last two least significant bits
95
Clues for Steganography
Duplicate files with different hashes, steganography programs on suspect's drive
96
Steganalysis Tools Purpose
detect, decode, and record hidden data
97
Scope Creep
When investigation expands beyond original description, due to unexpected evidence, increases time and resources needed to extract, analyze, and present evidence
98
What to include in investigation plan
goal/scope of investigation, materials needed, tasks to perform
99
What should your investigation plan rely on
Type of case, i.e. corporate, criminal, civil
100
Steps for digital forensic investigations
1. Use wiped media reformatted and inspected for viruses for target drive 2. Inventory the hardware on the suspect's computer, note condition of seized computer 3. For static acquisitions, remove original drive 4. Record how you acquired 5. Process contents 6. List folders and files 7. Examine contents 8. Recover file contents for password-protected 9. Identify function of executable files that don't match hash values 10. maintain control of all evidence and findings
101
Autopsy File Systems Microsoft
FAT, NTFS, ExFAT, UFS1, and UFS2
102
Autopsy File Systems ISO
9660, YAFFS2
103
Autopsy File Systems MAC
HFS+, HFSX
104
Autopsy File Systems Linux
Ext2fs, ext3fs, Ext4fs
105
Autopsy file formats
Raw, Expert Witness, and vm image files
106
Validating Forensic Data Process
Ensure integrity of data, hash image files, advanced hex editors to ensure integrity
107
What do Hex editors offer that forensics tools do not
hashing specific files or sectors
108
Advantage of recording hash values
Determine whether data has changed
109
Block-wise hashing
process that builds a data set of hashes of sectors from the original file, examines sectors on suspect drive to find sector match, confirmation of file stored on suspect drive
110
AccessData's own hashing database
Known File Filter, filters known program files from view and contains hash values of known illegal files, compares known file hash values with files on your evidence drive to see whether they contain suspicious data, others import NSRL db
111
Validate with Expert witness or SMART format
additional options for hashing all the data are available, validation report lists MD5 and SHA-1 hash values
112
Data-Hiding
Changing or manipulating a file to conceal information
113
Techniques for Data-Hiding
Hide entire partition, change file extensions, set file attributes to hidden, bit-shifting, encryption, password protection
114
what command hides by unassigning the partition
diskpart remove letter
115
How to detect if partition is hidden
Account for all the disk space when examining an evidence drive, analyze space you can't account for
116
Can forensics tools detect and view hidden partitions
Most can
117
FAT file systems data-hiding technique
placing data in free or slack space on partition clusters
118
How does the FAT system trick other OS's into thinking good clusters are unusable
Mark them as bad clusters
119
What is bit-shifting
Low level encryption program that changes the order of binary data, changes data from readable code to data that looks like a binary executable
120
What softwares provide ability to bit-shift
WinHex and Hex Workshop
121
Digital Watermarking Definition
Way to protect file ownership, usually not visible when used for steganography
122
Way to make cracking message really difficult (steganalysis)
Encrypt plaintext file with PGP and insert encrypted text into steganography file
123
Steganalysis Methods
stego-only, known cover, known message, chosen stego, chosen message
124
What is key escrow
Technology designed to recover encrypted data if users forget passwords or the key is corrupted
125
Key escrow key sizes
128 bits to 4096 bits
126
Password cracking tools
LastBit, AccessData PRTK, ophcrack, John the Ripper, Passware
127
Rainbow Table
File containing the hash values for every possible password that can be generated from a computer's keyboard
128
Salting Passwords
Alters hash values and makes cracking passwords more difficult
129
Ways to recover passwords
Dictionary attacks, brute-force attacks, rainbow tables
130
Software that runs virtual machines
hypervisor
131
Types of hypervisor
Type 1: Loads on physical hardware and doesn't require separate OS, Type 2: rests on top of existing OS
132
Which type of hypervisor is typically found on suspect machine
Type 2
133
What type of hypervisor is typically on servers or workstations with a lot of RAM and storage
Type 1
134
Virtualization Technology
Intel's CPU design for security and performance enhancements that enable the BIOS to support virtualization
135
Virtualization Machine Extensions
Instruction sets created for intel processors to handle virtualization
136
Popular type 2 hypervisors
Parallels Desktop, Kernel-Based Virtual Machine, Microsoft Hyper-V, VMware Workstation and Player, VirtualBox
137
How to detect if VM is on a host computer
Look in Users or Documents folder, check hosts registry for clues that VMs have been installed or uninstalled, existence of virtual network adapter or USB drives
138
Process for Investigation with Type 3 Hypervisors
1. Image the host machine 2. Locate virtualization software and VMs 3. Export from host machine all VM files 4. Record hash of all files 5. Open VM as image file in forensics software and create a forensic image or mount as drive
139
Why are live acquisitions of VMs important
Make sure snapshots are incorporated
140
Mounting VM as external drive features
Make it behave more like physical computer, use same standard examination procedures for static drive
141
Other VM Examination Methods
Mount VMs as external drive, make copy of VM forensic image and open the copy while it is running
142
Where are type 1 hypervisors installed
Directly on hardware
143
Type 1 Hypervisors
VMware vSphere, Microsoft Hyper-V 2016, XenProject XenServer, IBM PowerVM, Parallels Desktop for Mac
144
Order of Volatility
How long a piece of information lasts on a system
145
When are live acquisitions especially useful?
When dealing with active network intrusions or attacks (must be before taking system offline)
146
Steps of Live Acquisition
1. Create bootable forensic CD or USB 2. Log all actions 3. Send info to network drive 4. Copy RAM 5. Varies based on incident 6. Get hash value of all files recovered
147
Tools to Capture RAM
Mandiant Memoryze, Belkasoft RAM Capturer, Kali Linux
148
Network Forensics
Process of collecting and analyzing raw network data and tracking network traffic
149
What is an important part in spotting variations in network traffic
Knowing network's typical traffic patterns
150
Need for Established Procedures
Necessary for ensuring all compromised systems have been found, must be based on needs and complement network infrastructure
151
Layered Network Defense Strategy
Sets up layers of protection to hide the most valuable data at the innermost part of the network
152
Defense in Depth (DiD)
Modes of protection: people, technology, operations
153
Are security precautions against internal threats necessary for companies with less than ten people
Yes
154
Testing ____ is as important as testing servers
Networks
155
Networks forensics standard procedures
1. Use standard installation image for systems on network 2. Fix any vulnerability after attack 3. Attempt to retrieve all volatile data 4. Acquire all compromised drives 5. Compare files on forensic image to original installation image
156
Where can you work from to find most of the deleted or hidden files and partitions
The image
157
What do you have to do in order to understand attack
Restore drives
158
Tools for examining network traffic
tcpdump and Wireshark
159
Network logs record ingoing and outgoing traffic of what
Network servers, routers, firewalls
160
Network tools
Splunk, Spiceworks, Nagios, Cacti
161
Packet analyzers
Devices or software that monitor network traffic
162
What level of OSI do packet analyzers work at
2 or 3
163
most tools for packet analysis use this format
Packet Capture (Pcap)
164
How to identify packets in packet analysis
TCP headers (tcpdump or tethereal)
165
packet Analysis Tools
tcpslice, tcpreplay, EtherApe, Netdude, Argus, Wireshark
166
How is virtual switch different than physical switch
No spanning tree between virtual switches
167
Complications of Investigating Virtual Networks
Hypervisors can assign MAC addresses to virtual devices, devices can have same MAC address on different Virtual Networks, Cloud service providers host networks for several to hundreds of companies
168
Tools for investigating virtual networks
Wireshark, NetworkMiner
169
DDoS attack
Major threat that may go through other organizations' networks, hundreds or thousands of zombie machines can be used
170
Honeynet Project
Make information widely available in attempt to thwart internet and network attackers
171
Zero Day Attacks
Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
172
Honeypot
Normal looking computer that lures attackers to it
173
Honeywalls
Monitor what's happening to honeypots on your network and record what attackers are doing
174
When are live acquisitions necessary
To retrieve volatile items (RAM, running processes)
175
Items stored on cell phones
Calls, text/SMS, email, IM, web pages, pictures, videos, music, calendars, social media info, GPS data, voice recordings, bank account, access to home
176
Are warrants required for mobile devices
Yes
177
Is there a standard for how and where phones store messages
No, makes investigating them difficult
178
Generations of Phones
Analog, Digital personal communication service, Third generation (3G)
179
When was fourth generation introduced
2009
180
when was fifth generation finalized
2020
181
Code Division Multiple Access
Conform to IS-95, referred to as CDMA1, when 3G became CDMA2000
182
What technique for Global System for Mobile Communications
Time Division Multiple Access, multiple phones take turns sharing a channel
183
International Telecommunications Union
Developed 3G under UN
184
What standard was developed specifically for 3G
Enhanced Data GSM Environment
185
4G Network Technologies
Orthogonal Frequency Division Multiplexing, Mobile WiMAX, Ultra Mobile Broadband, Multiple input multiple output, long term evolution
186
Main Components for Mobile Communication
Base transceiver station, Base station controller, mobile switching center
187
Hardware components of mobile devices
Microprocessor, ROM, RAM, digital signal processor, radio module, microphone and speaker, hardware interfaces, LCD display
188
Do smartphones use the same OSs as PCs
Yes, but it is proprietary
189
Where do phones store data
Electronically erasable programmable read-only memory (EEPROM)
190
Why do phones store data in EEPROM
Enables service providers to reprogram phones without having to physically access memory chips
191
Where is OS stored
ROM
192
PDA
Personal digital assistants, mostly irrelevant
193
Peripheral memory cards used with PDAs
Compact Flash, Multimedia Card, Secure Digital
194
SIM
Subscriber identity module
195
Where are sim cards found
GSM devices
196
What do SIM cards consist of
Microprocessor and internal memory
197
How many sizes do SIM cards come in
3
198
What makes SIM cards versatile
Portability
199
ME
Mobile equipment, need SIM card
200
Additional purposes of SIM card
Identifies subscriber, stores service related information, can be used to backup device
201
What do phones include for external storage
SD cards
202
3 main concerns of mobile devices
Loss of power, syncing with cloud, remote wiping
203
What type of memory do mobile devices have
Volatile
204
If mobile device attached to PC what should be done and why
Disconnect to prevent syncing that might occur automatically and overwrite data
205
How can you isolate device from incoming signals
Airplane mode, paint can, Faraday bag, turn off
206
Downside of isolating device
Drains battery
207
SANS DFIR Forensics Recommendation if device on and unlocked
Isolate from network, disable lock screen, remove passcode
208
SANS DFIR Forensics recommendation if on and locked
Depends on type of device
209
SANS DFIR Forensics Recommendation if off
Physical static acquisition and turn device on
210
What areas to check in forensics lab
Internal memory, SIM, removable or external memory cards, network provider
211
Complication of warrant or subpoena
Backup might be stored in cloud or with third party
212
Structure of SIM file system
Hierarchical
213
Categories of information retrieved
Service data, call data, message information, location information
214
What might be required if power to device is lost
PINs or other access codes
215
Biggest challenge of mobile forensics
Constantly changing phone models
216
Procedure for working with mobile device
1. Identify device 2. Make sure you have installed mobile device forensic software 3. Attach phone to power and connect cables 4. Start forensics software and download information
217
What is used to access SIM card
Combination of hardware and software devices
218
Are all SIM card readers forensically sound
No
219
Should you document messages that haven't been read yet
Yes
220
Mobile phone forensics tools
AccessData FTK Imager, MacLockPick 3.0
221
Types of mobile forensics methods
Manual, logical, physical, hex dumping and joint test action group, chip-off, micro read
222
DataPilot
Collection of cables that can interface with phones from different manufacturers
223
BitPim
Used to view data on many CDMA phones
223
Cellebrite UFED Forensic System
works with smartphones, PDAs, Tablets, and GPS devices, often used by law enforcement
224
MOBILedit Forensic
Contains built in write blocker
225
Are tools used to edit information forensically sound
Not typically
226
Options for data extraction
Logical, file system, physical
227
What is required if you connect a mobile device to a computer to browse file system and examine and retrieve files
USB write-blocker
228
Projected number of IoT devices in next few decades
50 billion
229
What is IoE
Internet of everything, includes non-tangible but widespread technology
230
What is IoA
Includes cars, homes, pets, livestock, and applications for making all these things work together, eventually 5G devices
231
5G Devices Categories
Enhanced mobile broadband, ultra-reliable and low latency communications, massive machine type communications
231
New forensic challenges of 5G devices
People to device, device to device, device to cloud
231
What service led the way to cloud
Salesforce.com
233
Who came up with cloud computing
John McCarthy and Dr. J.C.R. Licklider
234
Amazon Mechanical Turk
2002, storage, computations, and human intelligence
235
What year and after which web version did providers start their own cloud services
2009, 2.0
236
What is cloud computing
Computing storage system that provides on-demand network access for multiple users and can allocate storage to users to keep up with changes in their needs
237
Service levels of Cloud
Software as a Service, Platform as a Service, Infrastructure as a Service
238
Software as a Service
Applications are delivered via the internet
239
Platform as a service
An OS has been installed on a cloud server
240
Infrastructure as a Service
Customers can rent hardware and install whatever OSs and applications they need
241
Deployment methods for a cloud
Public, private, community, hybrid
242
Some cloud service providers (CSP)
Salesforce, Cisco cloud computing, IBM cloud, Amazon EC2, AT&T Synaptic, Google Cloud Storage, HP Helion, Microsoft Azure, XenServer and XenCenter Windows Management Console, Rackspace, Oracle cloud
243
What is cloud forensics a subset of
Digital forensics
244
Dimensions of Cloud Forensics
Organizational, legal, technical
245
Organizational Dimension
address structure of cloud
246
Legal Dimension
Covers service agreements and other jurisdictional matters
247
Technical Dimension
Deals with procedures and specialized applications designed to perform forensics recovery and analysis in the cloud
248
Forensic Data Collection for cloud
Must be able to identify, label, record, and acquire data from the cloud
249
Elastic, static, and live forensics for cloud
Must be able to expand and contract their storage
250
Evidence segregation for cloud
Different businesses and users share the same applications and storage space
251
Investigations in virtualized environments for cloud
Should have capability to examine virtual systems
252
Cloud Service agreements
Contract between CSP and the customer that describes what services are being provided and at what level
253
CSAs also specify
Support options, penalties for services not provided, system performance, fees, provided software or hardware
254
What do CSAs define
Scope of services the CSP provide (service hours, restrictions to the customer, response time for data transfers, throughput limitations, contingency plan for incident response, business continuity and disaster recovery plan, fees, security measures, terminology)
255
What must CSP components state
Who is authorized to access data and what the limitations are in conducting acquisitions for an investigation
256
Policies for CSPs
detailed rules for CSPs internal operation
257
Standards for CSPs
Give guidance to staff for unique operations, hardware, and software and describe the staff's obligations regarding security of CSP env
258
Guidelines for CSPs
Describe best practices for cloud processes and give staff an example of what they should strive to achieve in their work
259
What are CSP processes and procedures
Detailed documents that define workflow and step-by-step instructions for CSP staff (often with hardware config, network maps, application flow charts)
260
What are CSP Processes and Procedures used for by digital forensics examiners
Understand how data is stored, manipulated, secured, backed up, restored, and accessed by CSP staff and customers
261
What is an example of a document of interest
CSP Business continuity and disaster recovery plans
262
Is there a law that ensures uniform access or required handling procedures for the cloud
No
263
What should investigators be concerned about
Cases involving data commingled with other customers' data
264
What is a factor in problems with right to access data
How privacy rights are defined in different jurisdictions
265
EU Directive 95/46/EC
Protects private information for all EU citizens, more restrictive than rules in other countries
266
Can digital forensics investigators be held liable when conducting an investigation involving cloud data
Yes
267
ECPA
Electronic Communications Privacy Act
268
ECPA mechanisms (5)
Search warrants, subpoenas, subpoenas with prior notice to customer, court orders, court orders with prior notice to customer
269
Search Warrants
Only issued in criminal cases, requires probable cause, specific descriptions of what is to be seized, typically data in the case of cloud, must include location, how carried out
270
Government Agency Subpoenas
Customer communications and records, can't be knowingly divulged to any person or entity
271
non-government and civil litigation subpoenas
Used to produce information from private parties for litigation
272
Court Orders
Written by judges to compel someone to do or not do something
273
Challenges in conducting cloud forensics
Architecture, data collection, analysis of cloud forensic data, anti-forensics, incident first responders, role managements, legal issues, standards and training
274
Are CSPs configured the same way as any other CSP
No
275
Where do CSPs keep data
Often kept secret for security reasons
276
What can complicate the chain of evidence of an investigation
Differences in recording procedures or log keeping
277
What does analyzing digital evidence from a cloud require
verifying data with other data and other log records
278
What might need to happen to data so that investigators can determine what actually occurred
Reconstruction
279
What can be compared using logs
modifications, last access, create dates and times
280
Anti-forensics
Destroying electronically stored information (ESI) that may be potential evidence
281
Methods for anti-forensics
Malware, encryption of malware, data-hiding
282
How do anti-forensic methods affect file metadata
Changing modify and last access date
283
How can you determine what files may have been altered
Compare hash values of files to those of known good files
284
factors in incident first response, if not already part of CSP
CSP's staff cooperation, brief about security options, train staff in evidence collection
285
Functions of Role management in cloud covers
Data owners, identity protection, users, access controls
286
CSA
Cloud Security Alliance, develops resource documentation for CSPs and their staff
287
What is there an effort to standardize cloud architecture for
Operating procedures, interoperability, testing, validation
288
Sources for cloud forensics training
(ISC)^2's Certified Forensics Professional, INFOSEC Institute, SANS Cloud Forensics with F-Response, National Institute of Justice Digital Forensics Training, University College Dublin Centre for Cybersecurity and Cybercrime Investigation
289
What do methods to collect evidence count on
The nature of the case
290
Why might recovering deleted data be limited
The type of file the CSP uses
291
States of data in the cloud
rest and motion
292
Data at rest
Data that has been written to disk
293
Data in motion
Data being transmitted over a network
294
Vendors for cloud data encryption
Atalla, SecureCloud, Safeguard
295
Homomorphic Encryption
Use an 'ideal lattice' mathematical formula to encrypt data
296
Where can you find cloud data if the application is not installed
Web Cache
297
Prefetch file
contain the DLL pathnames and metadata of an application
298
Where is the prefetch file loaded once OS reads it
Computer's memory
299
Widely used cloud services
Dropbox, Google Drive, One Drive
300