Forensic Tools and Techniques C9

Question 1

3 categories of activities in a digital forensic investigation

Answer 1

1. Acquisition
2. Examination
3. Presentation

Question 2

7 steps in Digital Forensic Investigation

Answer 2

1. Authorization
2. Evidence Identification
3. Evidence Collection and Presentation
4. Documentation
5. Analysis and Examination
6. Reconstruction
7. Reporting

Question 3

Two types of evidence extraction

Answer 3

1. Physical Extraction
   - identifies and recovers data across the physical drive
2. Logical Extraction
   - Identifies and recovers files based on the installed OS and applications

Question 4

Data Hiding Analysis

Answer 4

Hidden data may indicate a deliberate attempt to avoid detection
Users with binary (hex) editors, disk wiping software, steganography might demonstrate to alter files and keep information secret

Question 5

Capturing contents of RAM

Answer 5

In order to capture volatile data on a device the device WILL have to be accessed. Therefore changes to original evidence WILL be caused by the examiner.
Necessary for examiner to gather evidence from a computer while in a “live” state.

Question 6

Step-by-step capturing RAM

Answer 6

1. select a disk
2. wipe the disk for the image
3. mount the freshly read-write image disk
4. create a directory
5. create a sub-directory
6. document details of the investigation
7. mount the disk to be imaged (use write blocker)
8. perform application, file, timeframe, data hiding, and ownership and possession analysis.