Forensic Tools and Techniques C9 Flashcards
1
Q
3 categories of activities in a digital forensic investigation
A
- Acquisition
- Examination
- Presentation
2
Q
7 steps in Digital Forensic Investigation
A
- Authorization
- Evidence Identification
- Evidence Collection and Presentation
- Documentation
- Analysis and Examination
- Reconstruction
- Reporting
3
Q
Two types of evidence extraction
A
- Physical Extraction
- identifies and recovers data across the physical drive
- Logical Extraction
- identifies and recovers files based on the installed OS and applications
4
Q
Data Hiding Analysis
A
Hidden data may indicate a deliberate attempt to avoid detection.
Users who have binary (hex) editors, disk-wiping software, or steganography tools may have used them to alter files and keep information secret.
5
Q
Capturing contents of RAM
A
In order to capture volatile data on a device, the device WILL have to be accessed. Therefore changes to the original evidence WILL be caused by the examiner.
It is necessary for the examiner to gather evidence from a computer while it is in a “live” state.
6
Q
Step-by-step capturing RAM
A
- select a disk
- wipe the disk for the image
- mount the freshly wiped image disk as read-write
- create a directory
- create a sub-directory
- document details of the investigation
- mount the disk to be imaged (use write blocker)
- perform application, file, timeframe, data hiding, and ownership and possession analysis