Handling digital evidences Flashcards
Is preventing unauthorized access to a network a cybersecurity or a digital forensics task?
Cybersecurity
Is collecting evidence to prove what has happened a cybersecurity or a digital forensics task?
Digital forensics
Is reconstructing a specific incident a cybersecurity or a digital forensics task?
Digital forensics
Is avoiding misuse of a computing facility a cybersecurity or a digital forensics task?
Cybersecurity
Is monitoring the working state of a computing facility a cybersecurity or a digital forensics task?
Cybersecurity
Is performing offline analysis of digital evidence a cybersecurity or a digital forensics task?
Digital forensics
Is taking care of the acquisition, storage, and validation of digital evidence a cybersecurity or a digital forensics task?
Digital forensics
Considering acquisition and collection operations, reorder the following operations from the most to the least critical one (i.e., putting first those where the loss of data is highly probable).
Acquisition of a switched‑on device
Acquisition of a switched‑off device
Collection of switched‑on devices
Collection of switched‑off devices
- Collection of switched‑on devices
- Acquisition of a switched‑on device
- Collection of switched‑off devices
- Acquisition of a switched‑off device
In a collection process, place the following operations in chronological order.
Check if there are volatile data
Check if the data are stable
Perform live acquisition
Standard switch‑off
Unplug, collect cables
- Check if there are volatile data
- Perform live acquisition
- Check if the data are stable
- Standard switch‑off
- Unplug, collect cables
Given the following properties of a hash function
h(f): file -> {0,1}^n
associate each requirement to the proper definition.
- Resilience to collision
- Resilience to second pre-image
- Resilience to pre-image
- Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally unfeasible
- Given d_1=h(f_1), it is computationally unfeasible to find f_2 s.t. h(f_2)=d_1
- Given a digest d, finding a string f such that h(f)=d is computationally unfeasible
- Resilience to collision → Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally unfeasible
- Resilience to second pre-image → Given d_1=h(f_1), it is computationally unfeasible to find f_2 s.t. h(f_2)=d_1
- Resilience to pre-image → Given a digest d, finding a string f such that h(f)=d is computationally unfeasible
Associate the correct digest length to each hashing algorithm
- SHA-256
- SHA-1
- MD5
- 256 bits
- 160 bits
- 128 bits
- SHA-256 → 256 bits
- SHA-1 → 160 bits
- MD5 → 128 bits
In the acquisition and handling processes of digital evidence (DE), we must ensure:
- the pertinence
- the reliability
- adequateness
- verifiability
- reproducibility of the tools and operations that we adopted
Assign each explanation to the most suitable feature.
- The authenticity of the DE (no alteration) must be guaranteed and proved
- The DE must be relevant to the incident (proved in the documentation)
- The Digital Evidence First Responder must select the best acquisition tools and strategies
- DEFR and DES can justify their choices
- The chain of operation can be reconstructed and re-applied
- The authenticity of the DE (no alteration) must be guaranteed and proved → Reliability
- The DE must be relevant to the incident (proved in the documentation) → Pertinence
- The Digital Evidence First Responder must select the best acquisition tools and strategies → Adequateness
- DEFR and DES can justify their choices → Verifiability
- The chain of operation can be reconstructed and re-applied → Reproducibility
Among the following fields, choose the ones that can be included within digital forensics
a. forensic genomics
b. multimedia forensics
c. cloud forensics
d. mobile forensics
e. disk forensics
multimedia forensics
cloud forensics
mobile forensics
disk forensics
Among the following statements concerning the Chain-of-Custody characteristics and procedures, select those that are TRUE.
Select one or more:
a. The evidence must be identified by an ID
b. It must report when, where, who and why the evidence was accessed
c. it must document and justify possible alterations
d. the evidence must be available to everyone
e. it must keep a log file of the acquisition and the accesses
- It must report when, where, who and why the evidence was accessed
- It must keep a log file of the acquisition and the accesses
- It must document and justify possible alterations
- The evidence must be identified by an ID
Please select, among the following standards, the one that defines the guidelines for the identification, acquisition and preservation of digital evidence.
a. ISO IEC 27037/2012
b. ISO/IEC 17025:2005
c. ISO/IEC 27041
ISO IEC 27037/2012
Given the following tasks:
- Check the area involved in the incident
- Profile the persons that access the area and keep people away from devices
- Avoid changing the state of devices
- Document the scene, components, cables (pictures, video, drawings),
which of the following roles must take care of them
Select one:
a. Digital Evidence Specialist
b. Forensic Laboratory Operator
c. Digital Evidence First Responder
d. Incident Response Analyst
Digital Evidence First Responder
Which of the following phases are defined within the ISO IEC 27037/2012 standard?
a. Documentation
b. Acquisition
c. Identification
d. Preservation
e. Seizure
f. Incrimination.
Identification
Seizure
Acquisition
Preservation
Select which of the following statements concerning the Digital Evidence First Responder (DEFR) and the Digital Evidence Specialist (DES) are TRUE.
Select one or more:
a. DES can operate as a DEFR
b. DES can never perform an acquisition of a digital evidence
c. DEFR operates first on the crime scene
d. DEFR can deal with a wide range of different technical issues
DES can operate as a DEFR
DEFR operates first on the crime scene
Concerning the ISO/IEC 27037/2012, select the digital forensics procedure that is NOT described in the standard among the following:
Select one:
a. Acquisition
b. Identification
c. Conservation
d. Acquisition of analogic data
Acquisition of analogic data
Concerning the ISO/IEC 27037/2012, select among the following digital forensic procedures the one that is described in the standard
a. Technical instrumentation
b. Presentation
c. Analysis
d. Conservation
Conservation
Considering all the experts involved in the acquisition of digital evidence, select the most appropriate statement about the Incident Response Specialist (IRS)
Select one:
a. He/She can be someone not in charge of the investigation
b. He/She has the competencies to deal with a wide range of forensic and scientific issues
c. He/She documents the scene and all the components
d. He/She analyzes the evidence in the forensic lab
He/She can be someone not in charge of the investigation
Considering all the experts involved in the acquisition of digital evidence, select the wrong statement about the Digital Evidence First Responder (DEFR):
a. He/She profiles all the persons authorized to access the investigation area
b. He/She needs to present the results of his/her lab analysis on the digital evidence
c. He/She can identify and seize digital evidence
d. He/She can use collaborators
He/She needs to present the results of his/her lab analysis on the digital evidence
Considering ISO IEC 27037/2012, along with Identification (inspection), Seizure (virtual), Acquisition and Preservation (conservation and sealing), what does this standard identify?
- logging (keep documentation of each phase of the analysis)
- Chain of custody (traceability)
- Priorities (plan the investigation activity)
- Protection (sealing and packing of the devices)
- Transportation of evidence (real/virtual)
- Roles in evidence exchanges (who and why)
What is not specified in ISO IEC 27037/2012?
- Legal issues
- Analysis
- Technical instruments
- Report writing and presentation
- Dealing with analogic data
Describe the steps of the digital evidence handling process.
- Identification - search, recognition and documentation of the possible evidence.
- Seizure - acquisition of the physical device containing possible DE.
- Acquisition - the creation of a copy of the data.
- Preservation - storage and conservation of the integrity and original condition of the potential DE.
Assign each feature to the appropriate requirement for the acquisition of digital evidence:
- the pertinence
- the reliability
- adequateness
- verifiability
- reproducibility, repeatability
- Provable
a. Operations can be repeated using the same method, procedures, tools and conditions
b. Prove that the adopted methods are the best possible
c. Results can be reproduced using the same methods but with different tools and conditions
e. DE must be useful to prove guilt or innocence
f. Ensure that the evidence is authentic (no alteration)
g. Material can be copied or seized
h. A third party needs to verify the activities of DEFR and DES
i. A complete copy is not always required
j. DEFR and DES must be able to justify their operations
k. All the processes and operations applied on the DE must be documented and reproducible
l. DEFR must evaluate which/how much evidence must be acquired
m. Documentation must prove that the DE is relevant or worth acquiring
- Pertinence → DE must be useful to prove guilt or innocence; Documentation must prove that the DE is relevant or worth acquiring
- Reliability → Ensure that the evidence is authentic (no alteration); All the processes and operations applied on the DE must be documented and reproducible
- Adequateness → DEFR must evaluate which/how much evidence must be acquired; Material can be copied or seized; A complete copy is not always required
- Verifiability → A third party needs to verify the activities of DEFR and DES; DEFR and DES must be able to justify their operations
- Repeatability, Reproducibility → Operations can be repeated using the same method, procedures, tools and conditions; Results can be reproduced using the same methods, but with different tools and conditions
- Provable → Prove that the adopted methods are the best possible
Define a reliable forensic copy.
- clone of the disk
- Bit-wise copy image
- Compressed bit-wise copy image
What are the different phases in the acquisition and handling of digital evidence? Which are the main figures/actors that interplay within these phases? Provide a description of the process.
Describe MD5 and SHA hash functions providing details about their use in the acquisition of disk images and in the chain of custody
Describe the chain-of-custody. Why is it important in digital forensics?