Forensics - Manual 1 Flashcards

1
Q

What is computer forensics?

A

The process of acquiring and analysing data stored on some form of physical storage media. The acquired data must not be corrupted and must be acceptable to a court of law. Includes recovery of hidden and deleted data, and file identification.

1
Q

Two types of digital data

A

Information gathered through the internet.
Information gathered from fragile data stored in electronic, optical or magnetic storage media (floppy, hard disk).

2
Q

Some requirements for Computer Forensics Applications

A
  1. Read any IDE or SCSI hard drive or CD-ROM and replicate an exact snapshot of the disk to an evidence file.
  2. Password cracker.
  3. View the entire drive image, including hidden and unallocated disk space, and search for keywords.
  4. Analyse and authenticate file signatures to find files renamed to conceal their contents.
  5. Built-in picture gallery view.
  6. Acquire and preview via network cable.
  7. View files without changing their date/time stamps or contents.
3
Q

Principles of General Forensics

A
  1. Take appropriate anti-contamination precautions.
  2. Crime scenes should be searched systematically and thoroughly.
  3. Digital evidence is to be examined in the lab rather than at the scene; examine at the scene only if removal is impractical.
  4. Laboratory rules of evidence management are to be applied to all evidence.
  5. All items submitted for forensics should be reviewed for integrity of packaging.
  6. All activity related to evidence access and examination is to be documented.
  7. Any anti-contamination precautions are to be taken before examination.
  8. Health and safety of evidence: all personnel are to take adequate precautions to preserve evidence from hazards such as electrical ones.
  9. Maintain forensic workplace temperature.
  10. Read and adhere to equipment manufacturers' instructions for lab tools.
  11. All personnel are to be properly trained.
  12. The mirror image obtained should be authenticated via a hash value.
4
Q

Cardinal rules of computer forensics

A
  1. Never mishandle evidence
  2. Never work on original evidence
  3. Never trust the subject’s Operating system
  4. Document all findings
  5. Results should be repeatable, reproducible and verifiable.
5
Q

Manner of evidence acquisition

A
  1. Digital data is fragile, so it should be preserved against accidental manipulation. Make a bit-stream mirror image of the media onto sterile media of larger capacity.
  2. Acquire the original digital evidence in a manner that protects the evidence.
6
Q

Shutdown procedure when preserving evidence

A
  1. Power down in a way that won't corrupt the integrity of the files. Even viewing files would change them, so they might no longer be original evidence.
  2. Opening a file changes its last-accessed date and time.
  3. Consideration should be given to other storage media, handwritten notes, and documents found in the vicinity of the computer.
  4. No one should be allowed contact with the storage media or computer involved in the security incident; a person can wipe an entire drive with a few commands.
  5. Determine the operating system: for some, simply pulling the plug is preferred; for others, it might crash the hard drive. Windows generates new files and opens existing files when it boots, which might destroy evidence.
7
Q

Some exceptional circumstances when you don't remove storage devices from the subject system.

A

RAID systems – Removing disks individually may render data unusable.

Laptop systems – System drives may be inaccessible or unusable when detached.

Hardware dependency (legacy equipment) – Older drives may not be readable in newer systems.

Equipment availability – Lack of necessary equipment (e.g., network storage) may require using the original system.

8
Q

What to do when you can’t remove storage device?

A

Reattach subject storage device and connect examiner’s evidence storage device (e.g., external HDD, tape drive).

Ensure examiner’s storage is forensically clean before acquisition.

Enable write protection (hardware or software) to preserve original evidence.

Create a known value (CRC, hash) to verify evidence integrity.

Check drive geometry to account for all data (including hidden areas).

Capture drive serial numbers and host-specific data.

Acquire evidence using appropriate tools:

Stand-alone duplication software.

Forensic analysis software suite.

Dedicated hardware devices.

9
Q

Ways to acquire a drive safely

A

Local with Write-Block (Safe in Windows)
Uses a hardware write-blocker (e.g., FastBloc) to prevent writes.
Suspect drive connected via IDE/SCSI to forensic PC.

Local “Drive-to-Drive” (Fast but Risky)
Suspect drive installed in examiner’s PC (or examiner’s drive in suspect’s PC).
Must boot from a forensic OS (e.g., EnCase DOS) to avoid accidental writes.

Parallel-Port Cable (Slow but Secure)
Connects suspect PC (in server mode via boot disk) to examiner’s PC.
No risk of writes; useful when other methods fail.

Cross-Over Network (Faster than Cable)
Similar to parallel but uses Ethernet.
Suspect PC boots into server mode for secure transfer.

10
Q

What is ambient data?

A

In a backup, ambient data is not copied. This is an area where the most important evidence may be found. Ambient data is data stored in the Windows swap file, unallocated space and file slack.
