Introduction to Digital Forensics Flashcards

1
Q

Acquisition

A
  • the process of obtaining a forensically sound image (physically or remotely) of the evidence to be analyzed
  • the validity of other steps depends on the validity of this phase
2
Q

What should investigators be able to guarantee?

A
  • the delivery of the evidence is as it was found
  • the evidence will not be exposed to alteration

3
Q

How does just opening a file affect it?

A
  • opening a file affects its temporal property (“time”): the last access time of the file changes
4
Q

What are the concealment steps?

A
  • use digital safe containers for evidence keeping, such as antistatic bags and antistatic pads
  • make sure the containers are well padded
  • write notes on the tape to prevent tampering with the evidence
  • ensure that the temperature and humidity ranges are adequate for all evidence
5
Q

What is the most important part of the analysis phase?

A
  • preserving evidence without alteration
  • before starting your analysis, you should create a forensic image of the evidence and perform your analysis on this image
6
Q

What is the second most important part of the analysis phase?

A
  • validate all your analysis steps so that your results can be verified later, leaving no holes for questioning by a defense attorney
7
Q

Inculpatory Evidence

A
  • supports a hypothesis
8
Q

Exculpatory Evidence

A
  • contradicts a hypothesis
9
Q

Tampering Evidence

A
  • indicates system tampering with the aim of deception
10
Q

What is the 3rd investigation stage, and what should be included?

A
  • Presentation
  • a report of your analysis results
  • it mentions the artifacts you found, the steps you followed to reveal these artifacts, and the tools used for analysis
11
Q

Active Data

A
  • all data and files that are created by the operating system or by a word processor, web browser, mail client or a scanner
  • Examples include: documents, cached files, emails, and images
12
Q

Archive and Backup Data

A
  • all data that is organized and preserved for long-term storage to avoid data loss due to attacks or disasters
  • Backup data is created by making an identical copy of original files and folders
  • Example: data on a CD, USB drive, or SAN device
13
Q

What do Hidden Data Types encompass?

A
  • metadata
  • residual data
  • replicant data
14
Q

Metadata

A
  • “data about data”
  • used to provide context or additional information about data and files, such as date of file creation, or information about the file structure
  • Metadata is considered one of the most valuable pieces of evidence as it contains a lot of information about a file, such as:
    • name of the file owner
    • file last access time
    • modification time
15
Q

Residual Data

A
  • This is deleted data on the disk
16
Q

Replicant Data

A
  • generated when a program like a word processor creates a temporary copy of an opened file
  • this is needed as a backup to avoid data loss in case an error occurs and the file is forced to close without saving the changes
  • these can be retrieved even after the file was deleted
17
Q

What are examples of Residual Data?

A
  • web cache
  • temporary directories
  • data blocks resulting from a move
  • memory
18
Q

Non-volatile data

A
  • data that can be retrieved even if the computer has been turned off
19
Q

Volatile data

A
  • data that resides in RAM and is acquired only when the device is running
  • loss of power results in the loss of volatile data
20
Q

What characteristics should digital evidence have?

A
  • admissibility: accepted in court
  • authenticity: relevant to the case
  • complete: no missing information
21
Q

What are the basic requirements before starting forensic analysis?

A
  1. workstation running an OS
  2. write-blocker device
  3. digital forensic acquisition tools
  4. digital forensic analysis tools
  5. target drive to receive the source or suspect disk data
    • spare PATA or SATA ports
    • USB ports
22
Q

Forensic Image

A
  • duplicate of the evidence (bit-by-bit copy)
  • allocated, unallocated, and free sectors on the source evidence should be copied to the storage device
  • before copying, make sure the evidence is connected to a write blocker
23
Q

Image Verifying

A
  • after finishing the copy, you should make a hash signature for both the original evidence and its copy and then compare the two hashes to ensure that the copy is an accurate duplicate of the evidence
  • you should also create another image and keep it as an archive for further analysis
24
Q

Crime Reconstruction

A
  • forensic science discipline in which one gains “explicit knowledge of the series of events that surround the commission of a crime using deductive and inductive reasoning, physical evidence, scientific methods, and their interrelationships”
  • the goal is to get a “full picture”: the locations, devices, and events; how, when, and why they happened; and the relationship between them and the crime
25
Q

Temporal Analysis

A
  • linking events together to get the timeline of the events that happened
26
Q

What are the characteristics of admissible evidence?

A
  • relevant
  • reliable
  • competent (acquired legally)