Handling digital evidences Flashcards

1
Q

Is preventing unauthorized access to a network a cybersecurity or a digital forensics task?

A

Cybersecurity

2
Q

Is collecting evidence to prove what has happened a cybersecurity or a digital forensics task?

A

Digital forensics

3
Q

Is reconstructing a specific incident a cybersecurity or a digital forensics task?

A

Digital forensics

4
Q

Is avoiding misuse of a computing facility a cybersecurity or a digital forensics task?

A

Cybersecurity

5
Q

Is monitoring the working state of a computing facility a cybersecurity or a digital forensics task?

A

Cybersecurity

6
Q

Is performing offline analysis of digital evidence a cybersecurity or a digital forensics task?

A

Digital forensics

7
Q

Is taking care of the acquisition, storage, and validation of digital evidence a cybersecurity or a digital forensics task?

A

Digital forensics

8
Q

Considering acquisition and collection operations, reorder the following operations from the most to the least critical one (i.e., putting first those where the loss of data is highly probable).

Acquisition of a switched‑on device
Acquisition of a switched‑off device
Collection of switched‑on devices
Collection of switched‑off devices

A
  1. Collection of switched‑on devices
  2. Acquisition of a switched‑on device
  3. Collection of switched‑off devices
  4. Acquisition of a switched‑off device
9
Q

In a collection process, place the following operations in chronological order.

Check if there are volatile data
Check if the data are stable
Perform live acquisition
Standard switch‑off
Unplug, collect cables
A
  1. Check if there are volatile data
  2. Perform live acquisition
  3. Check if the data are stable
  4. Standard switch‑off
  5. Unplug, collect cables
10
Q

Given the following properties of a hash function
h(f): file -> {0,1}^n

associate each requirement to the proper definition.

  1. Resilience to collision
  2. Resilience to second pre-image
  3. Resilience to pre-image
  • Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally-unfeasible
  • Given d_1=h(f_1), it is computationally-unfeasible to find f_2 s.t. h(f_2)=d_1.
  • Given a digest d, finding a string such that h(f)=d is computationally-unfeasible
A
  1. Resilience to collision → Looking for f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally-unfeasible
  2. Resilience to second pre-image → Given d_1=h(f_1), it is computationally-unfeasible to find f_2 s.t. h(f_2)=d_1.
  3. Resilience to pre-image → Given a digest d, finding a string such that h(f)=d is computationally-unfeasible
11
Q

Associate the correct digest length to each hashing algorithm

  1. SHA-256
  2. SHA-1
  3. MD5
  • 256 bits
  • 160 bits
  • 128 bits
A
  1. SHA-256 → 256 bits
  2. SHA-1 → 160 bits
  3. MD5 → 128 bits
12
Q

In the acquisition and handling processes of digital evidence (DE), we must ensure:

  • the pertinence
  • the reliability
  • adequateness
  • verifiability
  • reproducibility of the tools and operations that we adopted

Assign each explanation to the most suitable feature.

  1. The authenticity of the DE (no alteration) must be granted and proved
  2. The DE must be relevant to the incident (proved in the documentation)
  3. The Digital Evidence First Responder must select the best acquisition tools and strategies
  4. DEFR and DES can justify their choices
  5. The chain of operation can be reconstructed and re-applied
A
  1. The authenticity of the DE (no alteration) must be granted and proved → Reliability
  2. The DE must be relevant to the incident (proved in the documentation) → Pertinence
  3. The Digital Evidence First Responder must select the best acquisition tools and strategies → Adequateness
  4. DEFR and DES can justify their choices → Verifiability
  5. The chain of operation can be reconstructed and re-applied → Reproducibility
13
Q

Among the following fields, choose the ones that can be included within digital forensics.

a. forensic genomics
b. multimedia forensics
c. cloud forensics
d. mobile forensics
e. disk forensics

A

multimedia forensics
cloud forensics
mobile forensics
disk forensics

14
Q

Among the following statements concerning the Chain-of-Custody characteristics and procedures, select those that are TRUE.

Select one or more:

a. The evidence must be identified by an ID
b. It must report when, where, who and why the evidence was accessed
c. it must document and justify possible alterations
d. the evidence must be available to everyone
e. it must keep a log file of the acquisition and the accesses

A
  • The evidence must be identified by an ID
  • It must report when, where, who and why the evidence was accessed
  • It must document and justify possible alterations
  • It must keep a log file of the acquisition and the accesses
15
Q

Please select, among the following standards, the one that defines the guidelines for the identification, acquisition and preservation of digital evidence.

a. ISO IEC 27037/2012
b. ISO/IEC 17025:2005
c. ISO/IEC 27041

A

ISO IEC 27037/2012

16
Q

Given the following tasks:

  • Check the area involved in the incident
  • Profile the persons that access the area and keep people away from devices
  • Avoid changing the state of devices
  • Document the scene, components, cables (pictures, video, drawings)

which of the following roles must take care of them?

Select one:

a. Digital Evidence Specialist
b. Forensic Laboratory Operator
c. Digital Evidence First Responder
d. Incident Response Analyst

A

Digital Evidence First Responder

17
Q

Which of the following phases are defined within the ISO IEC 27037/2012 standard?

a. Documentation
b. Acquisition
c. Identification
d. Preservation
e. Seizure
f. Incrimination.

A

Identification
Seizure
Acquisition
Preservation

18
Q

Select which of the following statements concerning the Digital Evidence First Responder (DEFR) and the Digital Evidence Specialist (DES) are TRUE.

Select one or more:

a. DES can operate as a DEFR
b. DES can never perform an acquisition of a digital evidence
c. DEFR operates first on the crime scene
d. DEFR can deal with a wide range of different technical issues

A

DES can operate as a DEFR

DEFR operates first on the crime scene

19
Q

Concerning the ISO/IEC 27037/2012, select the digital forensics procedure which is NOT described in the standard among the following:

Select one:

a. Acquisition
b. Identification
c. Conservation
d. Acquisition of analogic data

A

Acquisition of analogic data

20
Q

Concerning the ISO/IEC 27037/2012, select among the following digital forensic procedures the one that is described in the standard.

a. Technical instrumentation
b. Presentation
c. Analysis
d. Conservation

A

Conservation

21
Q

Considering all the experts involved in the acquisition of digital evidence, select the most appropriate statement about the Incident Response Specialist (IRS).

Select one:

a. He/She can be someone not in charge of the investigation
b. He/She has the competencies to deal with a wide range of forensic and scientific issues
c. He/She documents the scene and all the components
d. He/She analyzes the evidence in the forensic lab

A

He/She can be someone not in charge of the investigation

22
Q

Considering all the experts involved in the acquisition of digital evidence, select the wrong statement about the Digital Evidence First Responder (DEFR):

a. He/She profiles all the persons authorized to access the investigation area
b. He/She needs to present the results of his/her lab analysis on the digital evidence
c. He/She can identify and seize digital evidence
d. He/She can use collaborators

A

He/She needs to present the results of his/her lab analysis on the digital evidence

23
Q

Considering ISO IEC 27037/2012, along with Identification (inspection), Seizure (virtual), Acquisition and Preservation (conservation and sealing), what does this standard identify?

A
  • logging (keep documentation of each phase of the analysis)
  • Chain of custody (traceability)
  • Priorities (plan the investigation activity)
  • Protection (sealing and packing of the devices)
  • Transportation of evidence (real/virtual)
  • Roles in evidence exchanges (who and why)
24
Q

What is not specified in ISO IEC 27037/2012?

A
  • Legal issues
  • Analysis
  • Technical instruments
  • Report writing and presentation
  • Dealing with analogic data
25
Q

Describe the steps of the process for digital evidence handling.

A
  1. Identification - search, recognition and documentation of the possible evidence.
  2. Seizure - acquisition of the physical device containing possible DE.
  3. Acquisition - the creation of a copy of the data.
  4. Preservation - storage and conservation of the integrity and original condition of the potential DE.
26
Q

Assign each feature to the appropriate requirement for the acquisition of digital evidence:

  1. the pertinence
  2. the reliability
  3. adequateness
  4. verifiability
  5. reproducibility, repeatability
  6. Provable

a. Operations can be repeated using the same method, procedures, tools and conditions
b. Prove that the adopted methods are the best possible
c. Results can be reproduced using the same methods but with different tools and conditions
e. DE must be useful to prove guilt or innocence
f. Ensure that the evidence is authentic (no alteration)
g. Material can be copied or seized
h. A third party needs to verify the activities of DEFR and DES
i. A complete copy is not always required
j. DEFR and DES must be able to justify their operations
k. All the processes and operations applied on the DE must be documented and reproducible
l. DEFR must evaluate which/how much evidence must be acquired
m. Documentation must prove that the DE is relevant or worthy of acquisition

A
  1. Pertinence
    • DE must be useful to prove guilt or innocence
    • Documentation must prove that the DE is relevant or worthy of acquisition
  2. Reliability
    • Ensure that the evidence is authentic (no alteration)
    • All the processes and operations applied on the DE must be documented and reproducible
  3. Adequateness
    • DEFR must evaluate which/how much evidence must be acquired
    • Material can be copied or seized
    • A complete copy is not always required
  4. Verifiability
    • A third party needs to verify the activities of DEFR and DES
    • DEFR and DES must be able to justify their operations
  5. Repeatability, Reproducibility
    • Operations can be repeated using the same method, procedures, tools and conditions
    • Results can be reproduced using the same methods, but with different tools and conditions
  6. Provable
    • Prove that the adopted methods are the best possible
27
Q

Define a reliable forensic copy.

A
  • clone of the disk
  • Bit-wise copy image
  • Compressed bit-wise copy image
28
Q

What are the different phases in the acquisition and handling of digital evidence? Which are the main figures/actors that interplay within these phases? Provide a description of the process.

A
29
Q

Describe MD5 and SHA hash functions providing details about their use in the acquisition of disk images and in the chain of custody

A
30
Q

Describe the chain-of-custody. Why is it important in digital forensics?

A