Forensic Tools and Techniques C9 Flashcards

1
Q

3 categories of activities in a digital forensic investigation

A
  1. Acquisition
  2. Examination
  3. Presentation
2
Q

7 steps in Digital Forensic Investigation

A
  1. Authorization
  2. Evidence Identification
  3. Evidence Collection and Presentation
  4. Documentation
  5. Analysis and Examination
  6. Reconstruction
  7. Reporting
3
Q

Two types of evidence extraction

A
  1. Physical Extraction
    - Identifies and recovers data across the physical drive
  2. Logical Extraction
    - Identifies and recovers files based on the installed OS and applications
4
Q

Data Hiding Analysis

A

Hidden data may indicate a deliberate attempt to avoid detection.
Users who have binary (hex) editors, disk-wiping software, or steganography tools may be attempting to alter files and keep information secret.

5
Q

Capturing contents of RAM

A

In order to capture volatile data on a device, the device WILL have to be accessed. Therefore, changes to the original evidence WILL be caused by the examiner.
It is necessary for the examiner to gather evidence from a computer while it is in a “live” state.

6
Q

Step-by-step capturing RAM

A
  1. select a disk
  2. wipe the disk for the image
  3. mount the freshly wiped image disk read-write
  4. create a directory
  5. create a sub-directory
  6. document details of the investigation
  7. mount the disk to be imaged (use a write blocker)
  8. perform application, file, timeframe, data hiding, and ownership and possession analysis.