Handling digital evidence: Flashcards
Is preventing unauthorized access to a network a cybersecurity or a digital forensics task?
Cybersecurity
Is collecting evidence to prove what has happened a cybersecurity or a digital forensics task?
Digital forensics
Is reconstructing a specific incident a cybersecurity or a digital forensics task?
Digital forensics
Is avoiding misuse of a computing facility a cybersecurity or a digital forensics task?
Cybersecurity
Is monitoring the working state of a computing facility a cybersecurity or a digital forensics task?
Cybersecurity
Is performing offline analysis of digital evidence a cybersecurity or a digital forensics task?
Digital forensics
Is taking care of the acquisition, storage, and validation of digital evidence a cybersecurity or a digital forensics task?
Digital forensics
Considering acquisition and collection operations, order the following operations from the most to the least critical (i.e., put first those where loss of data is highly probable).
Acquisition of a switched‑on device
Acquisition of a switched‑off device
Collection of switched‑on devices
Collection of switched‑off devices
- Collection of switched‑on devices
- Acquisition of a switched‑on device
- Collection of switched‑off devices
- Acquisition of a switched‑off device
In a collection process, place the following operations in chronological order.
Check if there are volatile data
Check if the data are stable
Perform live acquisition
Standard switch‑off
Unplug, collect cables
- Check if there are volatile data
- Perform live acquisition
- Check if the data are stable
- Standard switch‑off
- Unplug, collect cables
Given the following properties of a hash function
h(f): file -> {0,1}^n
associate each requirement with the proper definition.
- Resilience to collision
- Resilience to second pre-image
- Resilience to pre-image
- Finding f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally unfeasible
- Given d_1=h(f_1), it is computationally unfeasible to find f_2 ≠ f_1 s.t. h(f_2)=d_1
- Given a digest d, finding a file f such that h(f)=d is computationally unfeasible
- Resilience to collision → Finding f_1 and f_2 s.t. h(f_1)=h(f_2) is computationally unfeasible
- Resilience to second pre-image → Given d_1=h(f_1), it is computationally unfeasible to find f_2 ≠ f_1 s.t. h(f_2)=d_1
- Resilience to pre-image → Given a digest d, finding a file f such that h(f)=d is computationally unfeasible
Associate the correct digest length to each hashing algorithm
- SHA-256
- SHA-1
- MD5
- 256 bits
- 160 bits
- 128 bits
- SHA-256 → 256 bits
- SHA-1 → 160 bits
- MD5 → 128 bits
In the acquisition and handling processes of digital evidence (DE), we must ensure the following properties of the tools and operations that we adopt:
- pertinence
- reliability
- adequateness
- verifiability
- reproducibility
Assign each explanation to the most suitable feature.
- The authenticity of the DE (no alteration) must be granted and proved
- The DE must be relevant to the incident (proved in the documentation)
- The Digital Evidence First Responder must select the best acquisition tools and strategies
- DEFR and DES can justify their choices
- The chain of operations can be reconstructed and re-applied
- The authenticity of the DE (no alteration) must be granted and proved → Reliability
- The DE must be relevant to the incident (proved in the documentation) → Pertinence
- The Digital Evidence First Responder must select the best acquisition tools and strategies → Adequateness
- DEFR and DES can justify their choices → Verifiability
- The chain of operations can be reconstructed and re-applied → Reproducibility
Among the following fields, choose the ones that can be included within digital forensics
a. forensic genomics
b. multimedia forensics
c. cloud forensics
d. mobile forensics
e. disk forensics
multimedia forensics
cloud forensics
mobile forensics
disk forensics
Among the following statements concerning the Chain-of-Custody characteristics and procedures, select those that are TRUE.
Select one or more:
a. The evidence must be identified by an ID
b. It must report when, where, by whom and why the evidence was accessed
c. It must document and justify possible alterations
d. The evidence must be available to everyone
e. It must keep a log file of the acquisition and the accesses
- It must report when, where, by whom and why the evidence was accessed
- It must keep a log file of the acquisition and the accesses
- It must document and justify possible alterations
- The evidence must be identified by an ID
Please select, among the following standards, the one that defines the guidelines for the identification, acquisition and preservation of digital evidence.
a. ISO IEC 27037/2012
b. ISO/IEC 17025:2005
c. ISO/IEC 27041
ISO IEC 27037/2012
Given the following tasks:
- Check the area involved in the incident
- Profile the persons that access the area and keep people away from devices
- Avoid changing the state of devices
- Document the scene, components, cables (pictures, video, drawings),
which of the following roles must take care of them?
Select one:
a. Digital Evidence Specialist
b. Forensic Laboratory Operator
c. Digital Evidence First Responder
d. Incident Response Analyst
Digital Evidence First Responder
Which of the following phases are defined within the ISO IEC 27037/2012 standard?
a. Documentation
b. Acquisition
c. Identification
d. Preservation
e. Seizure
f. Incrimination
Identification
Seizure
Acquisition
Preservation
Select which of the following statements concerning the Digital Evidence First Responder (DEFR) and the Digital Evidence Specialist (DES) are TRUE.
Select one or more:
a. DES can operate as a DEFR
b. DES can never perform an acquisition of a digital evidence
c. DEFR operates first on the crime scene
d. DEFR can deal with a wide range of different technical issues
DES can operate as a DEFR
DEFR operates first on the crime scene
Concerning the ISO/IEC 27037/2012, select the digital forensics procedure that is NOT described in the standard among the following:
Select one:
a. Acquisition
b. Identification
c. Conservation
d. Acquisition of analog data
Acquisition of analog data
Concerning the ISO/IEC 27037/2012, select, among the following digital forensic procedures, the one that is described in the standard:
a. Technical instrumentation
b. Presentation
c. Analysis
d. Conservation
Conservation
Considering all the experts involved in the acquisition of digital evidence, select the most appropriate statement about the Incident Response Specialist (IRS)
Select one:
a. He/She can be someone not in charge of the investigation
b. He/She has the competencies to deal with a wide range of forensic and scientific issues
c. He/She documents the scene and all the components
d. He/She analyzes the evidence in the forensic lab
He/She can be someone not in charge of the investigation
Considering all the experts involved in the acquisition of digital evidence, select the wrong statement about the Digital Evidence First Responder (DEFR):
a. He/She profiles all the persons authorized to access the investigation area
b. He/She needs to present the results of his/her lab analysis on the digital evidence
c. He/She can identify and seize digital evidence
d. He/She can use collaborators
He/She needs to present the results of his/her lab analysis on the digital evidence
Considering ISO IEC 27037/2012, along with Identification (inspection), Seizure (virtual), Acquisition and Preservation (conservation and sealing), what does this standard identify?
- Logging (keep documentation of each phase of the analysis)
- Chain of custody (traceability)
- Priorities (plan the investigation activity)
- Protection (sealing and packing of the devices)
- Transportation of evidence (real/virtual)
- Roles in evidence exchanges (who and why)
What is not specified in ISO IEC 27037/2012?
- Legal issues
- Analysis
- Technical instruments
- Report writing and presentation
- Dealing with analog data