Final Exam fall 2019 Flashcards

1
Q

Discuss the similarities and the differences between Digital Forensics and Digital Security

A

Similarities:
Work with risk assessments.
Work with policies.

But different aims and functions.

Security wants to keep malware off the computer by upholding policies and the like.
Security wants to sanitize the computer from all malware and other malicious files.

Forensics investigates how the computer came to be infected and if any policies were violated.
Forensics wants to preserve the system.

2
Q

Discuss the similarities and the differences between Digital Forensics and Auditing

A

Both want to extract hidden data and analyze it.
Both imply methodical and systematic examination of processes.
Both are reactive.
Both should be done externally to ensure impartiality and independence.

Auditing can be scheduled as a recurring process.

???????

3
Q

Please enumerate the three main computer crime categories and explain their characteristics.

A

Computer as a target; system locked by ransomware, stolen company information

Computer as data repositories; storing illegal material

Computer as a tool; Sending virus, hacking, deleting files.

4
Q

Discuss the concept of Quality Assurance in the context of digital evidence and digital forensic examination.

A

Digital Evidence and Digital Forensics should produce high quality results that are reliable, accurate, reproducible and legally acceptable. Therefore it is necessary that the investigation and documentation are done according to the QA documentation set and upheld by the QA Manager.

QA Manager makes sure all these policies and other do

5
Q

Explain briefly Locard’s principle.

How might Locard’s principle affect a digital event scene?

A

Contact between two items will result in an exchange of data and/or physical evidence.

Offender - evidence transfer - Crime Scene - evidence transfer - Victim

6
Q

Why is the Daubert standard so important with respect to Digital Evidence?

A

The Daubert standard defines the principles that make expert witness testimony admissible in a court of law.
( Judge as a gatekeeper, Reliable, Relevant, Scientific knowledge )

This is easy to apply in any situation and sets the standard for expert witness and the evidence presented. The Daubert standard is intensively tested, commonly agreed on and has known potential error rates.

7
Q

What makes the transportation of digital evidence such a critical factor in a digital forensic investigation?

A

It is always important to protect the chain of custody.
Transportation makes it extra important to ensure that the transported evidence is the same as the original data and that nothing has been altered.
The transportation and packaging should be done with care to make sure that the evidence is protected from the environment and theft.

8
Q

Contrast live vs. frozen system processing with respect to digital forensic examination.
Pros and Cons?

A

Live evidence:
Pros;
Possibility to find the live connections to other evidence and/or suspects.
Possibility of the system being unlocked/decrypted
Access to RAM
Possibility to find encryption keys in the memory

Cons;
Limited time
Might tip off or interfere with the attacker
Restricted by the order of volatility.
Risk of ruining evidence.
Transient process

Frozen evidence:
Pros;
More time
Less risk of accidentally contaminating/destroying evidence

Cons;
Evidence may have been altered, hidden or destroyed by the offender before the system was frozen
No access to RAM

9
Q

What does the property of preimage resistance mean in a context of a hashing function?

A

Preimage resistance = Shouldn’t be able to recreate a document with the hash value

Second Preimage Resistance = Shouldn’t be possible to create a new document with the same hash sum.

10
Q

What does it mean to forensically “wipe clean” an acquisition drive?
Explain the ramifications of a forensically clean drive

A

To “wipe clean” an acquisition drive means that you “remove” all data from a drive to make it impossible to recover the data.

Ramification:
Being unable to recover any data from the drive.
Can’t find files from an old case by mistake.
Chain of Custody

?????

11
Q

State the digital evidence extraction/acquisition hierarchy.

A

The higher up, the harder to do and the less commonly used.

Micro-read
Chip-off
Physical
Logical
Manual
12
Q

What is meant by the principle “Order of Volatility”?

Why is it important to apply this principle to a digital forensic acquisition?

A

You should collect your evidence in order of volatility; from the most volatile to the least volatile.

Registers, cache
Routing table, ARP cache, process table memory
Disk
Remote logging and monitoring data
Physical configuration, Network topology
Archival media
13
Q

In the context of the Windows $MFT, please answer the following question:

What type of information can be retrieved from Standard Information attribute (SIA)?

A

A resident attribute identifier

Contains information about date and timestamps displayed by Windows and most forensics tools.

FILL IN

14
Q

In the context of the Windows $MFT, please answer the following question:

What type of information can be retrieved from File Name Attribute (FNA)?

A

A resident attribute identifier

Reference to parent folder (by MFT Record Number)
File Names (Unicode)
File’s physical and logical size
Usually not updated through system usage
Useful for investigating date-time tampering

15
Q

As an investigator you have found a Link File on a Windows system. This link file points to a missing file.

What could be the significance of this link file in your investigation?
Explain what information can be retrieved from it.

A

Link Files contain important user knowledge such as timestamps, volume label, UID and path to target.

It could provide knowledge about the existence of another disk. Might indicate knowledge, existence or usage of the linked file

16
Q

Why in the Windows operating system is there a difference between Logical file size and Physical file size?
What is the reason behind the appearance of the difference?

A

Logical size = Actual size of the file
Physical size = Represents the space the file allocates on the disk

When a file is saved the data is stored in clusters. If the cluster size is 512 bytes and a file’s logical size is 678 bytes, it will require two clusters to fit the 678 bytes, rendering the file’s physical size 1024 bytes. The unused space is called file slack.

17
Q

What type of information can be retrieved from Standard Information Attribute (SIA)?

A

Resident attribute identifiers

Information about date and timestamps displayed by Windows and most forensic tools.

18
Q

What type of information can be retrieved from File Name Attribute (FNA)?

A

Reference to parent folder (by MFT Record Number)
File name (Unicode)
File’s physical and logical size
Usually not updated through system usage and is useful for investigating date-time tampering.

19
Q

Explain the concept of the “prefetch” folder in a Windows operating system and how it can be used to infer user activity.

A

Prefetch is a Windows program that speeds up programs and files by preloading the ones that are used regularly by the user, in order to be able to start them faster. In the Prefetch folder you see the last run time and run count.
If a file/program is shown in the prefetch folder it may prove that the program file has been opened by the user.

20
Q

Differentiate between File Metadata and File System Metadata

A

File System Metadata contains information such as timestamps, permissions, status of a file, resident or non-resident, and file path. (Data from handling the files) (Attributes about the data in a specific file)

File Metadata is created when the file is created and changed. GPS coordinates from a picture, camera model.

21
Q

What do the “MAC times” stand for and what does each of the properties represent? Explain how and when the violation of MAC times metadata can happen.

A

mtime - Modification - When was the file last modified?

atime - Access - When did the file last get opened?

ctime - Creation/Change - When did the file get created? (win) / When did the metadata last change? (unix)

22
Q

Name one important forensic artifact that is present in a Windows 10 System, and what evidentiary value could it hold.

A

Link file, prefetch and the system hive all contain vital information about the user, the OS and its changes.

23
Q

If a Unix user tends to use a command line interface, how might a systems administrator easily review what that user had been doing on the system recently?

A

~/.bash_history

24
Q

Briefly outline the first tier and the second tier phases of the Digital Forensics Investigation Processing Framework

A
First tier;
Preparation
Incident response
Data collection
Data analysis
Presentation
Incident closure
Digital investigations principles

Second tier;
Complex processes from the first tier can be extended to the required level of detail - for example the Data Analysis phase can be extended to three objective sub-phases such as Survey, Extract and Examine.
Every sub-phase may also be viewed as an abstraction. For instance the Survey sub-phase has four sub-phases such as Physical medium, Media management event, File system application and Network.

25
Q

What is the highest level in the hierarchical model for the examination of digital evidence?

A

Few - Principles of examination

Large scale concepts
Consensus among professionals
Collective Scientific experience

26
Q

Who is the plaintiff and the accused in the case of a criminal investigation?

A

The Plaintiff (victim) is the party that contends that some actions took place which require legal remedy.

The Accused (perp) is the party who is accused of breaking the law and is responsible for answering the claim by the plaintiff.

27
Q

Discuss the concept of mutability in the context of digital evidence.

A

Evidence and a system’s structure might change from its original state.
This is mainly a problem with transient evidence (RAM, cache, registers) compared to non-volatile (disks, CD, DVD). This is why it’s important to collect evidence following the order of volatility.

28
Q

What are the five concerns that should be addressed by a Digital Forensic Investigator (DFI) according to the FBI handbook of Forensic service?

A

Content - What type of data files are stored?
Comparison - Compare found data with known data
Transaction - Time and sequence of data files creation
Extraction - Retrieving the files from the computer
Format conversion - Convert to wanted format

29
Q

What is the avalanche effect when it refers to a specific hashing function?

A

If the input for a hashing function is changed the output will behave pseudo-randomly and there is no control over the new output.

Even if you only change 1 byte the hash sum will be totally different.

30
Q

Explain the concept of a file header and discuss to what extent it can be trusted as an indicator of a file’s contents.

A

A file header is the file’s signature and will hold information about the file’s format.

The file header might be an indication of the file’s content but cannot be fully trusted. The header can be altered to hide the content of a file.

31
Q

What are the major differences between NTFS and FAT systems?

A
NTFS
16TB max file size
More efficient, faster and more secure
Follows UTC time
Different compression alternatives

FAT
Only 4GB max file size
Compatible with most operating systems
Follows local time

32
Q

What is time frame analysis and why is it important?

A

Time frame analysis = timeline of incident events

Timeline analysis is used for various purposes in the investigation, which mainly involve collecting information within a particular time frame.

It is a great technique to determine the activity occurring on a system at a certain time. It helps to make inferences very fast in an easy manner.

33
Q

How can you differentiate between a Manual, User scheduled and Windows automatic defragmentation?

A

Manual Defrag. - mmc.exe has been utilized and you will be able to find timestamps and other information in the prefetch file.

User Scheduled Defrag. - Check the task scheduler if the task has been scheduled by the user.

Windows automatic Defrag. - WAD is scheduled to run about every three days by default on newer systems. Run on files listed in layout.ini

34
Q

What is an Alternate Data Stream (ADS) and how can it be used in a malicious fashion?

A

(NTFS) ADS are files that can be tied to other “original” files and contain information about them. The size of an ADS is not accounted for in the size of the file.
Malicious software can be hidden in this entry.

The ADS is hidden unless you specifically look for it.

Stored in the $DATA attribute.

35
Q

What is the purpose and the content of a file descriptor in a Unix-like OS?

A

????????

36
Q

What are the 7 main categories of evidence?

A

Hearsay - Heard outside court but used in court

Testimony - Given by expert in a field to help court understand the case

Documentary - Provided by document

Real - Must be real

Direct - Firsthand - verbal

Original - First hand evidence - letters, financial statements

Circumstantial - No concrete evidence in itself but becomes evidence when used together with other evidence

37
Q

What is the significance of the Frye principle concerning digital evidence, its probative value and its admissibility in a court of law?

A

All methods and techniques used to provide evidence in court should be publicly known and well tested, and their correctness should be known (accuracy or failure rate).

This ensures that the probative value and admissibility of the evidence are stronger, since no untested or newly invented methods are used to decide whether someone is being charged or not.

38
Q

Which are the types of forensic services according to the FBI?

A

(FETCC)
Format Converting - Convert the evidence file for a more suitable file type
Extraction - from computer, external drive etc.
Transaction - Time and sequence of data file creation
Content - Find out the context of an evidence
Compare - Compare evidence to known files

39
Q

Casey Model?

A

Assess - Acquire - Analyze - Report

40
Q

Which duplication method produces an exact replica of the original drive?

A

Bit-by-Bit should give a close to exact replica of a drive. A physical copy gives more information (unallocated space and deleted items) which won’t be given by logical copy

41
Q

What is residual data?

A

Residual data are data accidentally left behind on a computer when trying to completely remove files. Residual data stays on the computer and will be able to be found by a forensics investigator later on.

42
Q

Explain the concept of a “registry hive” in a Windows operating system and give examples of what kind of forensically interesting data may be found within.

A

A registry hive is a major folder of the registry containing:
keys
subkeys
information about how the system is configured
usernames/accounts
passwords
OS configuration

43
Q

Briefly describe the usage of $Boot

A

Boot process of the system. Points to the files that are needed for initiating the system.

MBR?

44
Q

What is spoliation?

A

The act of intentionally destroying/removing/altering evidence of interest in an investigation. This is a crime.

45
Q

Where do you find information about when and how many times a USB device was connected to the system?

A

System/USBstor

All devices are identified with a unique ID. Can tell how many times each device has been connected.
(Can also look in other places such as windows/setuplog)

46
Q

What is a Spool File in the context of printer files and what does it contain?

A

A spool file is created when a printing job is initiated. The file is only “alive” as long as the job is running and is then deleted. A Spool File contains information about the printing:
name of the file, printer name and name of user account, size and format of the file and printing format.
Files can be left in the system if the job is never successfully printed.

47
Q

When an operating system starts, what is the role of a boot loader such as GRUB?

A

The boot loader’s job is to initiate the booting process, check the files needed and the process
check the integrity of files loaded from the MFT so nothing goes wrong

48
Q

Where will you search for artifacts from installed programs?

A

Programs installed are stored in a folder “installed programs”

Check prefetch files to see what programs are regularly used and run times.

Event log - When was the program installed.

SIA attribute to see what was last run/accessed

Can also check RAM for active sessions

49
Q

What is a Data Run?

A

When data is too large to fit in the $MFT (>600kb), a pointer is used to indicate where the data is being stored.

50
Q

What are the essential characteristics of the CFSAP model?

A

Computer Forensics Secure Analyze Present

CFSAP is the most abstract and least granular model. This model is an iterative model and not a linear model.

Secure;
Identify the source - Preserve digital evidence

Analysis;
Analysis of the evidence, extract, process, interpret

Present;
Presentation, report, testimony

51
Q

What kind of questions can be answered based on digital evidence using various methods for sequencing, linkage, source evaluation, and attribution?

A

Sequencing - What happened?

Linkage - The extent and the relations of interactions

Source evaluation - Sources and where they come from

Attribution - Allocation of responsibilities

52
Q

What is the first concern of the DF investigator when she/he wants to establish what evidence is admissible?

A
Relevant
Legal
Reliable
???
???
???
53
Q

Which are the main stakeholders in Digital Forensics?

A

Principals (Accused/Accuser)
Mediators
Regulators