Finals - L4 - Retrieving Data from Memory And Hard disk Flashcards

Project – Real World Scenario

1
Q

What is the term used to describe this?

This is the process of investigating and analyzing digital devices to detect, preserve. This field involves the use of specialized tools and techniques to identify how a system was compromised, what data was accessed or altered.

A

Digital Forensics

2
Q

What is the term used to describe this?

This is a form of electronic computer memory that can be read and changed in any order, typically used to store working data and machine code.

A

RAM - Random-access memory

3
Q

What is the term used to describe this?

This is an electro-mechanical data storage device that stores and retrieves digital data using magnetic storage with one or more rigid rapidly rotating platters coated with magnetic material.

A

Hard disk, hard drive, or fixed disk

4
Q

What is the term used to describe this?

It concerns the process of obtaining, processing, analyzing, and storing digital information.

A

Digital Forensics

5
Q

True or False?

Data can be retrieved from existing files (even those that have been deleted, encrypted, or damaged).

A

True

6
Q

What scenario is this?

An offense may be committed or a policy may be violated as follows:
Example: theft of intellectual property, industrial espionage, or destruction of data

A

A company may be the victim of the crime

7
Q

What scenario is this?

An offense may be committed or a policy may be violated as follows:
Example: A computer owned by a company may be used to store contraband (e.g., pirated software or images). Information that is obtained from workplace computers can be used as evidence in harassment, discrimination, wrongful termination, embezzlement, and other criminal cases.

A

A company may be the victim of the crime

8
Q

What scenario is this?

An offense may be committed or a policy may be violated as follows:
Example: Employees may violate company policy by improperly using computer resources such as surfing the web for personal reasons during company time.

A

A company may be the victim of the crime

9
Q

What scenario is this?

An offense may be committed or a policy may be violated as follows:
Example: Employees may violate company policy by improperly using computer resources such as surfing the web for personal reasons during company time.

A

A company may be the victim of the crime

10
Q

During a computer forensics investigation, _____ must be protected. If an incident occurs, company and client data must be secured.

Special considerations in corporate investigations

A

Confidential data

Special considerations in corporate investigations

11
Q

True or False?

Computer and information systems must remain available to the company for use in daily operations while the investigation is ongoing.

Special considerations in corporate investigations

A

True

Special considerations in corporate investigations

12
Q

True or False?

The integrity of the data should be maintained, and no data should be altered or lost during an investigation.

Special considerations in corporate investigations

A

True

Special considerations in corporate investigations

13
Q

What are the 4 steps in computer forensics investigations?

4 Steps of Computer Forensics Investigations

A
  1. Acquisition
  2. Identification
  3. Evaluation
  4. Presentation

4 Steps of Computer Forensics Investigations

14
Q

What is the step that involves the process of evidence retrieval - from the search for the evidence to its collection and documentation? It must also document all aspects of the computer search, including the following:

  • Which evidence was obtained
  • Which individual/s retrieved the evidence
  • Where the evidence was gathered
  • When was the evidence collected
  • How was the evidence acquired

4 Steps of Computer Forensics Investigations

A
  1. Acquisition

4 Steps of Computer Forensics Investigations

15
Q

True or False?

A computer is seized during a cybercrime investigation and taken off site - typically to a forensic lab - for a search of its contents for evidence.

In fact, numerous court rulings have upheld the validity of the seizure of computer systems and subsequent search of them off site as the only reasonable means to conduct a search.

4 Steps of Computer Forensics Investigations

A

True

4 Steps of Computer Forensics Investigations

16
Q

What is the step that involves the process where:

  • An investigator explains and documents the origin of the evidence and its significance.
  • It determines the context in which the evidence was found.
  • It looks at both the physical environment and the logical context of the location of the electronic evidence.
  • Evidence may reside on a specific medium such as a hard drive (where data can be physically extracted).
  • It includes file carving (looking for specific files in a hard drive based on the header, footer, and other identifiers of the file). This helps in recovering files or file fragments of damaged or deleted files in corrupted directories or damaged media.

4 Steps of Computer Forensics Investigations

A
  1. Identification

4 Steps of Computer Forensics Investigations

17
Q

What is the step that involves the process where:

  • the data retrieved during the investigation are analyzed to establish their significance and relevance to the case at hand?

4 Steps of Computer Forensics Investigations

A
  1. Evaluation

4 Steps of Computer Forensics Investigations

18
Q

What is the step that involves the process where:

  • reporting data pertinent to the case that was found during the investigation.
  • evaluation of evidence by outside parties.
  • investigators must be prepared to testify in court (usually required to defend their personal qualifications, methods, validity of procedures, handling of evidence, findings).
  • reporters must also be able to communicate their findings to a variety of audiences.
  • the chain of custody (chronological record documenting each individual who possessed evidence and the points at which they had it) may also be challenged at this stage.

4 Steps of Computer Forensics Investigations

A
  1. Presentation

4 Steps of Computer Forensics Investigations

19
Q

What process is this?

This involves the process of:
* seizing data
* approval, go signal
* with a witness
* process of data acquisition is recorded

Data Collection

A

Data Collection

Data Collection

20
Q

What process is this?

What is the term for evidence defined as any object or piece of information that is relevant to the crime being investigated and whose collection was lawful?

It is sought for the following reasons:
* To prove that an actual crime has taken place (“corpus delicti”)
* To link a particular person to the crime
* To disprove or support the testimony of a victim, witness, or suspect
* To identify a suspect
* To provide investigative leads
* To eliminate a suspect from consideration

Data Collection

A

Electronic Evidence

Data Collection

21
Q

What is the type of evidence that can be useful for increasing credibility by drawing parallels when there isn’t enough information to prove something in a workplace investigation? It also involves the comparison of things to form an analogy.

Types of Evidence (usually presented in court)

A

Analogical Evidence

22
Q

What is the type of evidence that is a testimony or document used to help prove that someone acted in a particular way based on the person’s character (while it can be used to prove that a person’s behavior at a certain time was consistent with their character, it can be used to prove intent, motive, or opportunity)?

Types of Evidence (usually presented in court)

A

Character Evidence

23
Q

What is the type of evidence that is also known as “indirect evidence”, used to infer something based on a series of facts separate from the fact the argument is trying to prove (requires a deduction of facts from other facts; while not considered to be strong evidence, it can be relevant in a workplace investigation)?

Types of Evidence (usually presented in court)

A

Circumstantial Evidence

24
Q

What is the type of evidence that is:
* An object or document that directly demonstrates a fact
* Considered as a common and reliable kind of evidence
* Example: photographs, video, audio recordings, charts, etc.?

Types of Evidence (usually presented in court)

A

Demonstrative Evidence

25
Q

What is the type of evidence that:
* can be any sort of digital file from an electronic source
* includes email, text messages, instant messages, files and documents extracted from hard drives and other types of files
* can be found on any server or device that stores data
* is often found through internet searches using open source intelligence (OSINT)?

Types of Evidence (usually presented in court)

A

Digital Evidence

26
Q

True or False?

Collecting digital evidence is challenging because:

  • Collecting digital evidence requires a skillset
  • There are many methods for extracting digital evidence from different devices
  • Investigators need to develop specific tech expertise or rely on experts to extract evidence
  • Digital evidence can be altered or deleted remotely
  • Digital evidence needs to be authenticated to prove its integrity

Challenges of Digital Evidences

A

True

Challenges of Digital Evidences

27
Q

What is the type of evidence that is the most powerful and requires no inference (the evidence alone is the proof; this could be the testimony of a witness who saw first-hand the crime that took place)?

Types of Evidence (usually presented in court)

A

Direct Evidence