Given the following properties of a hash function h(f): file -> {0,1}^n associate each requirement to the proper definition. 1. Resilience to collision 2. Resilience to second pre-image 3. Resilience to pre-image - Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally-unfeasible - Given d_1=h(f_1), it is computationally-unfeasible to find f_2 s.t. h(f_2)=d. - Given a digest d, finding a string such that h(f)=d is computationally-unfeasible

1. Resilience to collision → Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally-unfeasible 2. Resilience to second pre-image → Given d_1=h(f_1), it is computationally-unfeasible to find f_2 s.t. h(f_2)=d. 3. Resilience to pre-image → Given a digest d, finding a string such that h(f)=d is computationally-unfeasible

Associate the correct digest length to each hashing algorithm 1. SHA-256 2. SHA-1 3. MD5 - 256 bits - 160 bits - 128 bits

1. SHA-256 → 256 bits 2. SHA-1 → 160 bits 3. MD5 → 128 bits

In the acquisition and handling processes of digital evidence (DE), we must ensure: - the pertinence - the reliability - adequateness - verificability - reproducibility of the tools and operations that we adopted Assign each explanation to the most suitable feature. 1. The authenticity of the DE (no alteration) must be granted and proved 2. The DE must be relevant to the incident (proved in the documentation) 3. The Digital Evidence First Responder must select the best acquisition tools and strategies 4. DEFR and DES can justify their choices 5. The chain of operation can be reconstructed and re-applied

1. The authenticity of the DE (no alteration) must be granted and proved → Reliability 2. The DE must be relevant to the incident (proved in the documentation) → Pertinence 3. The Digital Evidence First Responder must select the best acquisition tools and strategies → Adequateness 4. DEFR and DES can justify their choices → Verificability 5. The chain of operation can be reconstructed and re-applied → Reproducibility

Handling digital evidences Flashcards by Sitora Salaeva

Preventing unauthorized access to a network is cybersecurity or digital forensics task?

Cybersecurity

How well did you know this?

Not at all

Perfectly

Collecting evidence to prove what has happened is cybersecurity or digital forensics task?

Digital forensics

How well did you know this?

Not at all

Perfectly

Reconstruct a specific incident is a cybersecurity or a digital forensics task?

Digital forensics

How well did you know this?

Not at all

Perfectly

Avoiding misuse of a computing facility is a cybersecurity or digital forensics task?

Cybersecurity

How well did you know this?

Not at all

Perfectly

Monitoring the working state of a computing facility is a cybersecurity or digital forensics task?

Cybersecurity

How well did you know this?

Not at all

Perfectly

Performing offline analysis of a digital evidence is cybersecurity or digital forensics task?

Digital Foresics

How well did you know this?

Not at all

Perfectly

Taking care of the acquisition, storage, and validation of digital evidence is cybersecurity or digital forensics task?

Digital forensics

How well did you know this?

Not at all

Perfectly

Considering acquisition and collection operations, reorder the following operations from the most to the least critical one (i.e., putting first those where the loss of data is highly-probable).

Acquisition of a switched‑on device
Acquisition of a switched‑off device
Collection of switched‑on devices
Collection of switched‑off devices

Collection of switched‑on devices
Acquisition of a switched‑on device
Collection of switched‑off devices
Acquisition of a switched‑off device

How well did you know this?

Not at all

Perfectly

In a collection process, place the following operations in chronological order.

Check if there are volatile data
Check if the data are stable
Perform live acquisition
Standard switch‑off
Unplug, collect cables

Check if there are volatile data
Perform live acquisition
Check if the data are stable
Standard switch‑off
Unplug, collect cables

How well did you know this?

Not at all

Perfectly

Given the following properties of a hash function
h(f): file -> {0,1}^n

associate each requirement to the proper definition.

Resilience to collision
Resilience to second pre-image
Resilience to pre-image

Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally-unfeasible
Given d_1=h(f_1), it is computationally-unfeasible to find f_2 s.t. h(f_2)=d.
Given a digest d, finding a string such that h(f)=d is computationally-unfeasible

Resilience to collision → Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally-unfeasible
Resilience to second pre-image → Given d_1=h(f_1), it is computationally-unfeasible to find f_2 s.t. h(f_2)=d.
Resilience to pre-image → Given a digest d, finding a string such that h(f)=d is computationally-unfeasible

How well did you know this?

Not at all

Perfectly

Associate the correct digest length to each hashing algorithm

SHA-256
SHA-1
MD5

256 bits
160 bits
128 bits

SHA-256 → 256 bits
SHA-1 → 160 bits
MD5 → 128 bits

How well did you know this?

Not at all

Perfectly

In the acquisition and handling processes of digital evidence (DE), we must ensure:

the pertinence
the reliability
adequateness
verificability
reproducibility of the tools and operations that we adopted

Assign each explanation to the most suitable feature.

The authenticity of the DE (no alteration) must be granted and proved
The DE must be relevant to the incident (proved in the documentation)
The Digital Evidence First Responder must select the best acquisition tools and strategies
DEFR and DES can justify their choices
The chain of operation can be reconstructed and re-applied

The authenticity of the DE (no alteration) must be granted and proved → Reliability
The DE must be relevant to the incident (proved in the documentation) → Pertinence
The Digital Evidence First Responder must select the best acquisition tools and strategies → Adequateness
DEFR and DES can justify their choices → Verificability
The chain of operation can be reconstructed and re-applied → Reproducibility

How well did you know this?

Not at all

Perfectly

Among the following fields, choose the ones that can be included within digital forensics

a. forensic genomics
b. multimedia forensics
c. cloud forensics
d. mobile forensics
e. disk forensics

multimedia forensics
cloud forensics
mobile forensics
disk forensics

How well did you know this?

Not at all

Perfectly

Among the following statements concerning the Chain-of-Custody characteristics and procedures, select those that are TRUE.

Select one or more:

a. The evidence must be identified by an ID
b. It must report when, where, who and why the evidence was accessed
c. it must document and justify possible alterations
d. the evidence must be available to everyone
e. it must keep a log file of the acquisition and the accesses

It must report when, where, who and why the evidence was accessed,
it must keep a log file of the acquisition and the accesses,
it must document and justify possible alterations,
The evidence must be identified by an ID

How well did you know this?

Not at all

Perfectly

Please select , among the following standards, the one that defines the guidelines for the identification, acquisition and the preservation of digital evidences.

a. ISO IEC 27037/2012
b. ISO/IEC 17025:2005
c. ISO/IEC 27041

ISO IEC 27037/2012

How well did you know this?

Not at all

Perfectly

Given the following tasks:

Check the area involved in the incident
Profile the persons that access the area and keep people away from devices
Avoid changing the state of devices
Document the scene, components, cables (pictures, video, drawings),
which of the following roles must take care of them

Select one:

a. Digital Evidence Specialist
b. Forensic Laboratory Operator
c. Digital Evidence First Responder
d. Incident Response Analyst

Digital Evidence First Responder

Which of the following phases are defined within the ISO IEC 27037/2012 standard

a. Documentation
b. Acquisition
c. Identification
d. Preservation
e. Seizure
f. Incrimination.

Identification
Seizure
Acquisition
Preservation

Select which of the following statements concerning the Digital Evidence First Responder (DEFR) and the Digital Evidence Specialist (DES) are TRUE.

Select one or more:

a. DES can operate as a DEFR
b. DES can never perform an acquisition of a digital evidence
c. DEFR operates first on the crime scene
d. DEFR can deal with a wide range of different technical issues

DES can operate as a DEFR,

DEFR operates first on the crime scene

Concerning the ISO/IEC 27037/2012, select the digital forensics which is NOT described in the standard among the following:

Select one:

a. Acquisition
b. Identification
c. Conservation
d. Acquisituion if analogic data

Acquisituion if analogic data

Concerning the ISO/IEC 27037/2012, select among the following digital forensic procedure the one that is described in the standard

a. Technical instrumentation
b. Presentation
c. Analysis
d. Conservation

Conservation

Considering all the experts involved in the acquisition of digital evidence, select the most appropriate statement about the Incident Response Specialist (IRS)

Select one:

a. He/She can be someone not in charge of the investigation
b. He/She has the competencies to deal with a wide range of forensic and scientific issues
c. He/She documents the scene and all the components
d. He/She analyzes the evidence in the forensic lab

He/She can be someone not in charge of the investigation

Considering all the experts involved in the acquisition of digital evidence, select the wrong statement about the Digital Evidence First Responder (DEFR):

a. He/She profiles all the persons authorized to access the investigation area
b. He/She needs to present the results of his/her lab analysis on the digital evidence
c. He/She can identify and seize digital evidence
d. He/She can use collaborators

He/She needs to present the results of his/her lab analysis on the digital evidence

Considering ISO IEC 27037/2012, along with Identification (inspection), Seizure (virtual), Acquisition and Preservation (conservation and sealing), what does this standard identify?

logging (keep documentation of each phase of the analysis)
Chain of custody (traceability)
Priorities (plan the investigation activity)
Protection (sealing and packing of the devices)
Transportation of evidence (real/virtual)
Roles in evidence exchanges (who and why)

What is not specified in ISO IEC 27037/2012?

Legal issues
Analysis
Technical instruments
Report writing and presentation
Dealing with analogic data

Describe the steps of the process for digital evidence handling?

1. Identification - search, recognition and documentation of the possible evidence. 2. Seizure - acquisition of the physical device containing possible DE. 3. Acquisition - the creation of a copy of the data. 4. Preservation - storage and conservation of the integrity and original condition of the potential DE.

Assign each feature to the appropriate requirement for the acquisition of digital evidence: 1. the pertinence 2. the reliability 3. adequateness 4. verifiability 5. reproducibility, repeatability 6. Provable a. Operations can be repeated using the same method, procedures, tools and conditions b. Prove that the adopted methods are the best possible c. Results can be reproduced using the same methods but with different tools and conditions e. DE must be useful to prove guilty or innocent f. Ensure that the evidence is authentic (no alteration) g. Material can ve copied or seized h. A third party needs to verify the activities of DEFR and DES i. A complete copy is not always required j. DEFR and DES must be able to justify their operations k. All the processes and operations applied on the DE must be documented and reproducible l. DEFR must evaluate which/how much evidence must be acquired m. Documentation must prove that the DE is relevant of worth to acquisition

1. **Pertinence** - DE must be useful to prove guilty or innocent - Documentation must prove that the DE is relevant of worth to acquisition 2. **Reliability** - Ensure that the evidence is authentic (no alteration) - All the processes and operations applied on the DE must be documented and reproducible 3. **Adequsteness** - DEFR must evaluate which/how much evidence must be acquired - Material can ve copied or seized - A complete copy is not always required 4. **Verifiability** - A third party needs to verify the activities of DEFR and DES - DEFR and DES must be able to justify their operations 5. **Repeatability**, **Reproducibility** - Operations can be repeated using the same method, procedures, tools and conditions - Results can be reproduced using the same methods, but with different tools and conditions 6. **Provable** - Prove that the adopted methods are the best possibletinence

Define the reliable forensics copy

- clone of the disk - Bit-wise copy image - Compressed bit-wise copy image

What are the different phases in the acquisition and handling of digital evidence? Which are the main figures/actors that interplay within these phases? Provide a description of the process.

Describe MD5 and SHA hash functions providing details about their use in the acquisition of disk images and in the chain of custody

Describe the chain-of custody? Why is it important in digital forensics?