Other Technical Aspects Flashcards

1
Q

Principles of Digital Forensics

A

Forensic investigation is the collection and analysis of evidence from a crime scene; in the physical world this includes fingerprints and DNA.

  • Dr. Edmond Locard’s exchange principle states that there will always be an exchange of microscopic material when two items come into contact.
  • In the digital world, actions performed on a computer leave a digital footprint or evidence.
  • Digital evidence is fragile and can be easily destroyed or tampered with if not handled properly.
  • Incidents in the digital realm can have adverse impacts, and it is crucial to gather information to determine the cause and seek redress from perpetrators.
  • Digital forensics, also known as computer forensics, involves retrieving digital evidence from various devices such as end user devices, network appliances, and mobile devices.
  • There are a variety of tools and techniques available for retrieving digital information for investigative purposes.
2
Q

Investigations

A

After an incident, three main types of investigation may be conducted: administrative, civil, and criminal.

Administrative investigations are internal to an organization, for example into a breach of acceptable-use policy. The outcome is internal (typically a warning or disciplinary action), but the evidence may later be needed in a civil or criminal case, so it should still be handled properly from the start.

Civil investigations involve presenting digital evidence in a civil court or tribunal, such as an employment tribunal, e.g. breach of contract, libel, slander.

Criminal investigations involve presenting digital evidence as part of a criminal prosecution.

The standard of proof in civil cases is the balance of probabilities (in the US, preponderance of the evidence): the event is more likely than not to have happened. In criminal cases the case must be proved beyond reasonable doubt.

Digital forensics requires competent investigators, because careless handling can damage or destroy evidence and render it inadmissible.

Deleting a file does not immediately remove its contents; the file system removes the directory entry (the pointer to the data) and marks the blocks as unallocated, so the bytes remain on disk until something overwrites them. Forensic tools can recover or carve this unallocated data, which is often valuable evidence. Caveat: on SSDs the TRIM command lets the drive erase unallocated blocks on its own, so recovery is far less reliable than on magnetic disks.

Computers store vast amounts of information, including records of user activity, communications, file operations, and more. These records can serve as evidence in supporting a case.

3
Q

The Process

A

The digital forensic process on this card follows the Electronic Discovery Reference Model (EDRM), which consists of several stages.

The stages used here are Identification, Preservation, Collection, Processing, Review, Analysis, Production, and Presentation. (The full EDRM also has an Information Governance stage before Identification.)

Identification involves identifying potential evidence.

Preservation is crucial to prevent loss, damage, or alteration of the evidence.

Collection involves acquiring the evidence in its original form.

Processing is carried out on the evidence for later analysis.

Reviewing is done to determine the value of the discovered evidence.

Analysis is conducted to gain insights into the incident.

Production involves packaging the results of the analysis as evidence for the investigation.

Presentation may involve presenting the evidence in court or other contexts.

Preservation is considered the most important stage because it ensures the original form of the captured evidence is maintained.

Another sequence of stages in digital forensic investigations can be Acquisition, Investigation and analysis, and Reporting.

4
Q

Type of examination - Dead Box

A

There are two main methods of acquiring potential evidence in digital forensics: dead box forensics and live forensics.

Dead box forensics was the primary method in the early days: power is removed from the running computer (usually by pulling the plug rather than a clean shutdown, so that shutdown scripts cannot alter or wipe anything, at the cost of losing everything held in RAM) and a forensic image of the hard disk is created.

Forensic imaging software creates a bit-stream copy of the hard disk, capturing every sector, including deleted files, unallocated and slack space, and the partition tables, not just the files the operating system shows.

A cryptographic hash (for example SHA-256) of the source drive is computed during imaging and recorded; the finished image is hashed as well and the two values must match. The recorded hash serves as a signature of the drive at the point of seizure, and anyone can later re-hash the image to prove it has not been altered.

The original hard drive is sealed and preserved, and all forensic examination is conducted on the image copy (or on a working copy of it).

The primary rule of digital forensics is to never work on the original evidence, to avoid any potential modification.

Forensic write blockers are hardware devices placed between the evidence drive and the examiner's workstation. They pass read commands through and block write commands, so data can only flow from the original to the copy and the original cannot be changed even accidentally (for example by an operating system that mounts the drive and updates timestamps or journal entries).

Remember: preserving the integrity of the evidence and working on image copies are essential practices in digital forensics to ensure the admissibility and reliability of evidence in legal proceedings.
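The imaging and hash-verification step described on this card, as an added example that is not part of the original deck. The "disk" is a constructed file; on a real acquisition the source would be a block device (e.g. /dev/sdb) opened read-only behind a hardware write blocker and the image written to separate evidence media. The paths, sizes and the tampering offset are assumptions for the demo.

```python
# Added example (not from the original page): bit-stream copy of a device with
# an acquisition hash, independent re-hash of the image, and tamper detection.
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-terabyte device never sits in memory


def hash_file(path, algorithm="sha256"):
    """Hash a file by streaming it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, algorithm="sha256"):
    """Copy every byte of source_path to image_path, hashing the source as it
    is read. The written image is then re-read and hashed independently, so a
    short write or a media error shows up as a mismatch.
    Returns (source_digest, image_digest, bytes_copied)."""
    src_hash = hashlib.new(algorithm)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            img.write(block)
            copied += len(block)
    return src_hash.hexdigest(), hash_file(image_path, algorithm), copied


def verify_image(source_digest, image_digest):
    """Acquisition is sound only if the recorded source digest and the digest
    of the image agree; the same check is repeated before every analysis."""
    return source_digest == image_digest


def demo():
    """Build a constructed 'disk' holding a live file, the leftover bytes of a
    deleted file and zero-filled free space, image it, verify, then show that
    a single changed byte in the image is caught by the recorded hash."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "constructed_disk.bin")
        image = os.path.join(workdir, "evidence_001.dd")
        with open(source, "wb") as f:
            f.write(b"LIVEFILE:quarterly_report.docx\n")  # 31 bytes, allocated
            f.write(b"\x00" * 4096)                       # unallocated, zeroed
            f.write(b"DELETED:old_password_list\n")      # 26 bytes, orphaned
            f.write(os.urandom(3 * CHUNK + 17))           # spans several chunks
        src_digest, img_digest, copied = image_device(source, image)
        verified = verify_image(src_digest, img_digest)

        # Someone alters the image after acquisition (one byte at offset 40).
        with open(image, "r+b") as f:
            f.seek(40)
            f.write(b"\xff")
        tamper_detected = not verify_image(src_digest, hash_file(image))
        return {"verified": verified, "bytes": copied,
                "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Both digests, the byte count, the tool name and the time of acquisition belong in the chain-of-custody record; the image is only as good as the hash that can be recomputed to match it.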

5
Q

Type of examination - Live Forensics

A

Live forensics is the current methodology for forensic investigations, allowing investigation of a running computer before it is powered down.

In live forensics, access is gained to the powered-up computer to capture volatile information that would be lost at power-off.

Live forensics can capture the contents of RAM, including encryption keys and passwords held in memory.

It can also provide information about running processes, network connections, logged-on users, and the contents of caches.

Live forensics can acquire the contents of an encrypted hard drive: while the system is running with the volume unlocked, the disk encryption is transparent to the operating system and the key is held in RAM. Once the machine is powered down the data exists only in encrypted form, and a dead box image of it is useless without the key.

After live capture, the computer is powered down and the subsequent analysis is conducted on the hard disk as in dead box forensics.

Note: every action on a live system changes it (Locard's principle applies to memory and logs too), so live acquisition tools should be run from trusted, known-good media, the order of volatility observed (RAM and network state first, disk last), and every command and its time recorded. The live capture complements, rather than replaces, the analysis of the forensic image.

6
Q

Chain of custody

A

Chain of custody is crucial for evidence to be accepted by a court.

It is a documented record of the handling of evidence from seizure to presentation in court: who collected it, who has held it, where it was stored, and every transfer and examination, with dates, times and signatures.

An evidence custodian is responsible for maintaining the chain of custody, and evidence should be stored in a locked evidence locker with access logged.

Write blockers and the chain of custody together help ensure the integrity of evidence: the write blocker prevents alteration, and the chain of custody shows who had the opportunity to alter it and when.

Digital artifacts such as log files can be seized and examined using similar procedures as hard disk imaging.

Digital signatures and hashing can be used to verify the integrity of seized artifacts.

Digital forensics requires skilled professionals, and organizations may need to hire forensic experts if they lack in-house capabilities.

Effective communication with forensic service providers is essential.

Anyone giving evidence in court should be trained for this activity due to the adversarial nature of the court environment.

Evidence should be factual, stand on its own, and produce consistent results when following the procedures.

Expert witnesses may be called upon to provide their professional opinion based on their expertise and experience.

7
Q

The Four Principles of Digital Evidence

A
8
Q

Forensic Readiness

A
9
Q

Other Aspects – Cryptography

A
10
Q

Cryptography

A
11
Q

What can cryptography do for us?

A
12
Q

The language of cryptography

A
13
Q

The Four Elements of Cryptography

A

Symmetric ciphers
Asymmetric ciphers
Hashing
Digital signatures

14
Q

Symmetric Ciphers - Block/Stream Ciphers

A

Symmetric ciphers use a single secret key for both encryption and decryption. Block ciphers operate on fixed-size blocks of data (16 bytes for AES); stream ciphers operate on one bit or byte at a time.

The key should come from a cryptographically secure random source and is relatively short, typically 128 or 256 bits.

Symmetric ciphers provide confidentiality for bulk data and are fast; AES in particular has hardware support in most modern CPUs.

Both parties need a copy of the same key, which has to be exchanged securely in advance or agreed through a separate mechanism (see Hybrid Cryptography).

The strength of a symmetric cipher depends on the length of the key and on the soundness of the algorithm and the mode it is used in; a long key does not rescue a broken algorithm (RC4) or a misused mode (ECB, or a reused nonce in CTR/GCM).

Key lengths of 128 bits or greater are commonly used to ensure security against modern cryptanalysis techniques, including brute-force key search.

The secrecy of symmetric encryption relies on the key being of appropriate length and kept secret, while the algorithms and implementations are publicly known.

Kerckhoffs's principle states that a cryptographic system should be secure even if everything about it except the key is public knowledge.

Examples of symmetric algorithms: DES (56-bit key, brute-forced in the late 1990s and obsolete), 3DES (168-bit key, 112-bit effective strength, deprecated), AES, the standardised form of Rijndael (128/192/256-bit keys), RC5 (variable key length, commonly 128 bits), Blowfish (32 to 448 bits), and RC4 (a stream cipher, now broken and prohibited in TLS).

Block ciphers encrypt one block at a time and need a mode of operation (CBC, CTR, GCM) to process messages longer than a block. Stream ciphers generate a keystream from the key (and a nonce) and XOR it with the plaintext one bit or byte at a time, so decryption is the same operation; a keystream must never be reused for two messages, because XORing the two ciphertexts cancels the keystream and exposes the XOR of the plaintexts.
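The stream-cipher behaviour described above, as an added example that is not part of the original deck: a keystream derived from the key, encryption and decryption as the same XOR step, and the keystream-reuse failure. The keystream generator is a constructed toy (SHA-256 over key || nonce || counter) so the code runs on the standard library alone; real systems use ChaCha20 or AES-CTR/AES-GCM from a vetted library, never a home-made generator. The key, nonces and messages are constructed for the demo.

```python
# Added example (not from the original page): a toy stream cipher and the
# "two-time pad" leak that follows from reusing a keystream.
import hashlib


def keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key, nonce, data):
    """Encrypt or decrypt: XOR the data with the keystream, one byte at a time."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def two_time_pad(c1, c2, known_p1):
    """Keystream reuse: c1 XOR c2 == p1 XOR p2, so anyone who knows (or can
    guess) p1 recovers p2 without ever touching the key."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()  # 256-bit key
    p1 = b"meet at the old mill at 0900"
    p2 = b"abort, the site is watched!!"

    # Correct use: a fresh nonce per message; decryption is the same call.
    c1 = stream_xor(key, b"nonce-0001", p1)
    c2 = stream_xor(key, b"nonce-0002", p2)
    round_trip = stream_xor(key, b"nonce-0001", c1) == p1

    # Misuse: the same key AND nonce for both messages.
    c1r = stream_xor(key, b"nonce-0001", p1)
    c2r = stream_xor(key, b"nonce-0001", p2)
    leaked = two_time_pad(c1r, c2r, p1)  # attacker knows p1, learns p2
    return {"round_trip": round_trip, "ciphertexts_differ": c1 != c2,
            "leaked_p2": leaked}


if __name__ == "__main__":
    print(demo())
```

The same reuse failure applies to real stream modes: AES-CTR or AES-GCM with a repeated (key, nonce) pair leaks exactly as shown, which is why the nonce is as much part of correct use as the key.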

15
Q

Asymmetric Ciphers

A

Asymmetric ciphers use two mathematically related keys: a public key and a private key.

The public key is freely distributed, while the private key must be kept private.

Whatever is encrypted with one key can only be decrypted with the other, and knowing the public key does not let anyone derive the private key.

To communicate with confidentiality, the sender encrypts the message with the recipient's public key, and only the recipient can decrypt it, with their private key.

The sender needs only the recipient's public key, which is freely available (typically in a certificate).

Asymmetric encryption can also be used for authentication: in the textbook model the sender encrypts with their private key and anyone can decrypt with the sender's public key, proving the message came from the private-key holder. In practice this is done as a digital signature over a hash of the message (see the Digital Signatures card), not by encrypting the message itself.

Asymmetric keys are much larger than symmetric keys, around 2048 bits or longer for RSA; elliptic-curve keys are shorter (256 bits) for equivalent strength.

Asymmetric encryption is far slower than symmetric encryption, which is why it is used to protect keys and produce signatures rather than to encrypt bulk data.

Asymmetric ciphers rely on mathematical problems that are easy in one direction and infeasible in the other (integer factorisation, discrete logarithms).

Depending on how the keys are used, asymmetric encryption can provide confidentiality (encrypt to the public key) or authentication (sign with the private key).

16
Q

Examples of asymmetric encryption algorithms

A

RSA's security rests on the difficulty of factorising a very large number that is the product of two large primes: the public modulus is that product, and recovering the two primes would reveal the private key.

ECC (elliptic-curve cryptography) uses point arithmetic on an elliptic curve over a finite field (not an ellipse); its security rests on the elliptic-curve discrete logarithm problem, which lets it achieve the same strength as RSA with much smaller keys.

Diffie-Hellman is a key-agreement protocol rather than an encryption algorithm: each party combines its own secret with the other's public value and both arrive at the same shared secret, which is then used as (or to derive) a symmetric key. ECDH is the elliptic-curve form.

Typical key lengths: RSA and classic Diffie-Hellman 2048 bits or more today (1024-bit keys are considered too weak and are no longer accepted by browsers or NIST); ECC 256 bits.

ECC with a 256-bit key is considered equivalent to 3072-bit RSA in strength (both correspond to roughly 128-bit symmetric security).

17
Q

Hashing

A

Hashing is a one-way mathematical function that takes an input of any length and produces a fixed-length output called a digest (or hash).

The digest acts as a fingerprint of the input. Because the output is fixed-length and the set of inputs is unlimited, different inputs can in principle produce the same digest (a collision); a good hash function makes finding such a pair computationally infeasible, so in practice a digest can be treated as uniquely identifying its input.

Hashing is used for two main purposes: concealment and integrity.

Concealment: Hashing can be used to conceal passwords by storing their hash instead of the plaintext; the fixed-length output also conceals the length of the password. A plain fast hash is not enough here, because an attacker can test billions of candidate passwords per second against it: passwords should be hashed with a per-user salt and a deliberately slow password-hashing function (Argon2, bcrypt, scrypt or PBKDF2).

Integrity: Hashing is primarily used to ensure data integrity. If the hash of a data set changes, the input data has been modified.

Hashing algorithms produce completely different outputs for even a single-bit change in the input, making alterations easy to detect.

Hashing is widely used for password storage, digital signatures, and data integrity checks.

18
Q

Properties of hash functions

A

Properties of Hash Functions:
One-way (pre-image resistance): it is easy to compute the hash of an input, but computationally infeasible to find any input that produces a given hash.

Fixed length output: regardless of the length of the input, a hash function produces a fixed-length output.

Second pre-image resistance: given an input, it should be infeasible to find a different input with the same hash. This is the property that makes "modify the file but keep the hash" impossible.

Collision resistance: it should be infeasible to find any two different inputs with the same hash. Collisions exist, because the output space is finite, but they must not be findable in practice.

Avalanche effect: a small change in the input results in a completely different hash output, concealing how much changed.

Hashing Process for Integrity:
1. Sender creates input (message, data, or code).
2. Sender applies a chosen hashing algorithm to generate a fixed-length hash output.
3. The hash is appended to the message/data and sent to the recipient.
4. The recipient applies the same hashing algorithm to the received message/data.
5. The recipient compares the computed hash with the received hash.
6. If the hashes match, the recipient can conclude that the data has not changed during transmission.

This detects accidental corruption only. An attacker who can modify the message in transit can also recompute and replace the hash, so protection against deliberate tampering requires the hash to be bound to a secret (a MAC) or to a private key (a digital signature), or to be delivered over a separate trusted channel.

Hashing is a fast process compared to encryption and is commonly used for data integrity checks and, combined with a key, for message authentication.

19
Q

Hashing Algorithms

A

MD5 (Message Digest 5): produces a 128-bit digest (32 hex characters). Collisions can be generated in seconds on ordinary hardware; it is still seen in legacy checksums but must not be used for signatures, certificates or anything an attacker could influence.

SHA-1 (Secure Hash Algorithm 1): 160-bit digest (40 hex characters). A practical collision was demonstrated in 2017 (the SHAttered attack), and it has been withdrawn from certificates and signatures in favour of SHA-2.

SHA-2: the current standard family with several output lengths: SHA-224, SHA-256, SHA-384, SHA-512.

SHA-3: the latest standard, built on the Keccak sponge construction rather than the Merkle-Damgård design of MD5/SHA-1/SHA-2, with the same output sizes: SHA3-224, SHA3-256, SHA3-384, SHA3-512. It is slower in software but efficient in hardware, and it is immune to the length-extension problem described below.

MAC (Message Authentication Code): extends hashing to provide both integrity and authentication by mixing a shared secret key into the computation. The naive construction, hashing key || message, is unsafe with MD5, SHA-1 and SHA-2: because of their internal structure, an attacker who knows H(key || message) can compute H(key || message || extra) without knowing the key (a length-extension attack).

HMAC (Hash-based Message Authentication Code, RFC 2104): the standard MAC construction, which avoids that problem by hashing twice with two keys derived from the original: HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)).

Hashing for Integrity and Authentication:
1. Sender generates a message.
2. Sender computes the MAC of the message with the shared secret key.
3. Sender sends the message along with the MAC to the recipient.
4. Recipient receives the message and recomputes the MAC with the shared key.
5. Recipient compares the received MAC with the computed MAC to verify integrity and authenticate the sender.

MAC and HMAC ensure data integrity and prove that the message came from a holder of the shared key. Both sides must use the same algorithm and key, the comparison should be done in constant time to avoid timing leaks, and because the key is shared a MAC does not give non-repudiation (either party could have produced it), which is what digital signatures add.
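The integrity flow from the previous card and the MAC flow above, side by side, as an added example that is not part of the original deck. It shows why a bare hash cannot stop deliberate tampering (whoever changes the message can recompute the hash) and how a shared key fixes that; the HMAC is built by hand from RFC 2104 and checked against Python's hmac module. The key, messages and attacker edits are constructed for the demo.

```python
# Added example (not from the original page): H(m) versus HMAC(K, m) as an
# integrity tag, with HMAC implemented from RFC 2104 and verified in constant time.
import hashlib
import hmac

KEY = hashlib.sha256(b"constructed shared secret").digest()  # 32-byte demo key


def hash_tag(message):
    """Integrity only: H(m), sent alongside m."""
    return hashlib.sha256(message).hexdigest()


def recipient_hash_check(message, tag):
    """Recipient recomputes H(m) and compares; no key is involved."""
    return hash_tag(message) == tag


def avalanche_bits(m1, m2):
    """How many of the 256 digest bits differ between H(m1) and H(m2)."""
    return bin(int(hash_tag(m1), 16) ^ int(hash_tag(m2), 16)).count("1")


def hmac_rfc2104(key, message, hash_fn=hashlib.sha256):
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)).
    Keys longer than the hash block size are hashed first; shorter keys are
    zero-padded to the block size (64 bytes for SHA-256)."""
    block_size = hash_fn().block_size
    if len(key) > block_size:
        key = hash_fn(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_fn(ipad + message).digest()
    return hash_fn(opad + inner).hexdigest()


def recipient_mac_check(key, message, tag):
    """Recipient recomputes the MAC with the shared key. compare_digest runs in
    constant time, so the time the comparison takes does not reveal how many
    leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(hmac_rfc2104(key, message), tag)


def demo():
    original = b"PAY 100.00 GBP TO ACCOUNT 12345678"
    forged = b"PAY 999.00 GBP TO ACCOUNT 12345678"

    # Flow 1: sender transmits (m, H(m)). The attacker swaps in (m', H(m')) and
    # the recipient's check passes: a hash alone did not authenticate anything.
    forged_hash_accepted = recipient_hash_check(forged, hash_tag(forged))

    # Flow 2: sender transmits (m, HMAC(K, m)). Without K the attacker can only
    # reuse the old tag or guess one; both are rejected.
    sent_mac = hmac_rfc2104(KEY, original)
    long_key = b"k" * 100  # exercises the "hash an over-long key first" rule
    return {
        "matches_stdlib": sent_mac == hmac.new(KEY, original, hashlib.sha256).hexdigest(),
        "matches_stdlib_long_key": hmac_rfc2104(long_key, original)
        == hmac.new(long_key, original, hashlib.sha256).hexdigest(),
        "genuine_accepted": recipient_mac_check(KEY, original, sent_mac),
        "forged_with_old_mac_rejected": not recipient_mac_check(KEY, forged, sent_mac),
        "forged_hash_accepted": forged_hash_accepted,
        "message_change_flips_bits": avalanche_bits(original, forged),
    }


if __name__ == "__main__":
    print(demo())
```

In production use hmac.new directly; the hand-built version exists only to show that the two derived keys (ipad and opad) are what separate HMAC from the unsafe H(key || message) construction.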

20
Q

Digital Signatures

A

Digital Signatures:
- Combine asymmetric cryptography and hashing.
- Provide integrity, authentication and non-repudiation.
- In the textbook model a digital signature is the hash of the sender's message encrypted with the sender's private key. (Real schemes such as RSA-PSS, ECDSA and EdDSA apply padding or a dedicated signing algorithm to the hash rather than raw "encryption", but the flow below is the same.)

Process for Sending a Message with Confidentiality, Integrity, Authentication and Non-repudiation:
1. Sender creates the message.
2. Sender creates a hash of the message.
3. Sender encrypts the message with the recipient's public key for confidentiality (in practice with a symmetric session key, which is in turn encrypted with the recipient's public key; see Hybrid Cryptography).
4. Sender signs the hash with their own private key.
5. Both the encrypted message and the signature are sent to the recipient.
6. Recipient decrypts the message with their private key.
7. Recipient computes the hash of the decrypted message using the same algorithm.
8. Recipient recovers the sender's hash from the signature using the sender's public key.
9. Because only the sender's private key could have produced that signature, the sender is authenticated and cannot later deny sending the message.
10. Recipient compares the computed hash with the recovered hash. If they match, integrity is established.

Confidentiality comes from encrypting the message; integrity, authentication and non-repudiation come from the signature. A signature on its own conceals nothing: signing a message does not encrypt it.

21
Q

Properties of Digital Signatures

A

Digital signatures provide integrity and confirmation of source.

They support non-repudiation: only the holder of the private key could have produced the signature, so the signer cannot credibly deny having signed.

Only one party (the holder of the private key) can sign the message, but anyone with the corresponding public key can verify the signature.

Digital signatures are used for signing messages, code, drivers, software updates, certificates, etc.

Digital certificates simplify the distribution of public keys by having a trusted CA vouch for which public key belongs to whom.

22
Q

Digital Certificates

A

Digital certificates are electronic documents used to convey public keys and are digitally signed by a trusted third party called a Certificate Authority (CA).

A digital certificate contains the public key of an entity (user or organization) and binds it to the entity.

Digital certificates follow the X.509 standard format, which includes the subject (entity) details, the issuer (CA) name, validity dates (not before / not after), the subject's public key, a serial number unique within the CA, and the CA's digital signature over a hash of all these fields.

The certificate being signed by a trusted CA adds trust and reliability to the public key.

Digital certificates are a crucial component of the Public Key Infrastructure (PKI), which provides trust and security for information exchange on the Internet.

PKI is essential for maintaining confidence in e-commerce and secure communication.

23
Q

Acquiring a digital certificate

A
  1. The end user generates a pair of keys: public key (appended to a certificate signing request) and private key (kept securely).
  2. The certificate signing request (CSR) is submitted to a certificate authority (CA) for approval.
  3. The CA validates the applicant and signs the certificate by hashing its contents and encrypting the hash with the CA’s private key.
  4. The signed certificate is returned to the client with a validity period.
  5. The certificate can be used to distribute the public key securely, backed by the trust of the CA.
  6. When receiving a public key through a certificate, users need to validate the certificate’s validity.
  7. The digital signature on the certificate is checked by hashing the certificate contents and decrypting the hash using the CA’s public key.
  8. The public key of the CA can be obtained from the CA itself or may already be installed in the browser.
  9. Browsers often have public keys of well-known CAs built-in for certificate validation.
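The sign/verify flow from the Digital Signatures card and the issue/validate flow from this card, as an added example that is not part of the original deck. It uses a deliberately small textbook RSA on the Python standard library alone (512-bit keys, unpadded hash-to-the-power-d, a JSON certificate body) purely as a teaching model; real systems use RSA-PSS or ECDSA with X.509 certificates from a vetted library. The CA name, subject, serial number and validity period are assumptions.

```python
# Added example (not from the original page): textbook RSA signing and a toy CA,
# standard library only. 512-bit keys, unpadded "hash ** d mod n" and JSON
# certificates are teaching simplifications, not a secure implementation.
import hashlib
import json
import random
import time

_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; n is an odd candidate well above 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Toy RSA key pair: returns (public=(e, n), private=(d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < n

def sign(private_key, data):
    """Signature = hash of the data 'encrypted' with the private key."""
    d, n = private_key
    return pow(_digest_int(data), d, n)

def verify(public_key, data, signature):
    """Recover the signer's hash with the public key; compare with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(data)

def _canonical(fields):
    # Deterministic bytes, so the CA and the client hash exactly the same body.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(ca_private, ca_name, subject, subject_public, serial, days=365):
    """CA side: bind the subject's name to the subject's public key and sign."""
    now = int(time.time())
    fields = {"subject": subject, "issuer": ca_name, "serial": serial,
              "not_before": now, "not_after": now + days * 86400,
              "public_key": list(subject_public)}
    return {"fields": fields, "signature": sign(ca_private, _canonical(fields))}

def validate_certificate(cert, trust_store, now=None):
    """Client side: trusted issuer, valid CA signature over the body, and a
    validity window that includes 'now'."""
    fields = cert["fields"]
    ca_public = trust_store.get(fields["issuer"])
    if ca_public is None or not verify(ca_public, _canonical(fields), cert["signature"]):
        return False
    now = int(time.time()) if now is None else now
    return fields["not_before"] <= now <= fields["not_after"]

def demo():
    ca_public, ca_private = generate_keypair()
    alice_public, alice_private = generate_keypair()
    trust_store = {"Example Root CA": ca_public}  # like a browser's built-in CA list
    cert = issue_certificate(ca_private, "Example Root CA", "alice@example.test",
                             alice_public, serial=1001)
    msg = b"Transfer 100 GBP to account 12345678"
    sig = sign(alice_private, msg)
    # Attacker edits the subject but keeps the CA's signature over the old body.
    forged = {"fields": dict(cert["fields"], subject="mallory@example.test"),
              "signature": cert["signature"]}
    return {
        "cert_valid": validate_certificate(cert, trust_store),
        "signature_valid": verify(tuple(cert["fields"]["public_key"]), msg, sig),
        "tampered_message_rejected": not verify(alice_public, msg.replace(b"100", b"900"), sig),
        "forged_cert_rejected": not validate_certificate(forged, trust_store),
        "expired_cert_rejected": not validate_certificate(
            cert, trust_store, now=cert["fields"]["not_after"] + 1),
    }
```

The relying party never trusts the public key in the certificate until the CA's signature over the whole body has verified against a CA already in its trust store; the revocation check from the next card would sit between that signature check and the validity-window check.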
24
Q

Public Key Infrastructure (PKI)

A
  1. Certificates can become compromised if the private key associated with them is exposed.
  2. When a private key is stolen or exposed, the certificate owner notifies the certificate authority (CA).
  3. The CA adds the compromised certificate to a Certificate Revocation List (CRL), which is a published list of revoked certificates.
  4. Anyone can check the CRL to determine if a certificate is valid or revoked.
  5. The Online Certificate Status Protocol (OCSP) lets a client ask an OCSP responder, run by or for the CA, whether a specific certificate (identified by its serial number) is good or revoked, instead of downloading the whole CRL.
  6. OCSP gives a near-real-time status check that complements the CRL. Because a plain OCSP query reveals browsing activity to the CA and adds latency, web servers commonly use OCSP stapling: the server fetches its own signed OCSP response and sends it to clients inside the TLS handshake.
25
Q

Key Management

A
  1. Cryptographic processes rely on encryption keys, which need to be securely managed.
  2. Key management covers the whole key life cycle: generation, distribution and issuing, storage, use, rotation, recovery (for example escrow of data-encryption keys so that encrypted data is not lost with a departed employee), and destruction.
  3. Private keys must be restricted and kept confidential; in higher-assurance systems they are generated and held in a hardware security module (HSM) or TPM so they can be used but never exported.
  4. Symmetric encryption does not scale well: every pair of users needs its own shared key, so n users need n(n-1)/2 keys (10 users need 45, 1000 users need 499,500), all of which must be distributed securely.
  5. Hybrid cryptography solves the scalability problem by combining symmetric and asymmetric techniques: each user needs only one key pair, and a fresh symmetric key is agreed per session.
26
Q

Hybrid Cryptography

A

Hybrid cryptography combines asymmetric and symmetric encryption: the asymmetric part authenticates the parties and protects the exchange of a symmetric session key, and the symmetric part encrypts the actual data.

Public Key Infrastructure (PKI) is essential for distributing public keys and certificates so that the asymmetric step can be trusted.

Setting up a secure connection (as in TLS) goes roughly as follows: the server holds a key pair and a CA-issued certificate; the client validates the certificate (signature chain, validity dates, name, revocation); the two sides exchange or agree a symmetric session key under the protection of the public key (RSA key transport in older TLS versions, ephemeral Diffie-Hellman/ECDH in TLS 1.3, which also gives forward secrecy); and all subsequent data is encrypted with the fast symmetric cipher.

Hybrid cryptography is used in the TLS (Transport Layer Security) and S/MIME (Secure/Multipurpose Internet Mail Extensions) protocols.

PGP (Pretty Good Privacy) is another hybrid scheme used for email; it relies on a web of trust, in which users sign each other's keys, instead of CA-issued certificates.

27
Q

Management of Cryptography

A

Effective management of cryptography requires policies and processes.

Key management, approved algorithms, and preventing unauthorized access to cryptographic technologies are important aspects.

AES is commonly used for symmetric encryption, RSA for public-key operations, and ECC where key size and computing power matter, such as mobile and embedded devices (and increasingly everywhere, as in TLS 1.3 key exchange).

The export of cryptographic technologies is regulated under the Wassenaar Arrangement, a multilateral export-control regime implemented through national law (for example the EU dual-use regulation and the US Export Administration Regulations), to control access based on national and international interests.

Dual-use goods, including cryptography, have both military and civilian applications, and their export to certain countries or end users is restricted or requires a licence.

28
Q

In hybrid cryptography, what is the purpose of using both asymmetric and symmetric encryption?

a) To increase the speed of encryption
b) To improve the scalability of encryption
c) To establish a secure connection between client and server
d) To encrypt and sign emails using PGP

A

c) To establish a secure connection between client and server.

In hybrid cryptography, the use of both asymmetric and symmetric encryption is to establish a secure connection between the client and server. Asymmetric encryption is used for key exchange and authentication, while symmetric encryption is used for the actual data encryption and decryption. This combination allows for a more efficient and secure communication channel.

29
Q

Which cryptographic process is typically used to distribute public keys in a hybrid cryptography setup?

a) Symmetric encryption
b) Digital signatures
c) Public Key Infrastructure (PKI)
d) Certificate Revocation Lists (CRL)

A

c) Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is typically used to distribute public keys in a hybrid cryptography setup. PKI involves the use of digital certificates issued by trusted Certificate Authorities (CAs) to verify the authenticity of public keys. These certificates are used to establish trust and ensure the secure exchange of keys.

30
Q

What is the role of a digital certificate in hybrid cryptography?

a) To encrypt data using a symmetric key
b) To establish trust in the public key of an entity
c) To decrypt data using a private key
d) To authenticate users in a web server environment

A

b) To establish trust in the public key of an entity

The role of a digital certificate in hybrid cryptography is to establish trust in the public key of an entity. The digital certificate contains the public key and is digitally signed by a Certificate Authority (CA), ensuring that the public key belongs to the entity it claims to represent. This helps in authentication and establishing a secure connection between the parties involved.

31
Q

Which encryption method is commonly used to exchange symmetric keys in hybrid cryptography?

a) RSA
b) AES
c) ECC
d) MD5

A

a) RSA

The mechanism that exchanges the symmetric key in a hybrid scheme is the asymmetric one. With RSA key transport the client generates the session key and encrypts it with the server's RSA public key, so only the server can recover it; with Diffie-Hellman or ECDH (the method TLS 1.3 uses) the two sides agree the key without ever transmitting it, so ECC (option c) would also be correct in that form. AES is the symmetric cipher the exchanged key is then used with, so it cannot be what exchanges it, and MD5 is a hash function, not an encryption method.

32
Q

What is the advantage of using symmetric encryption in hybrid cryptography after exchanging keys?

a) It provides a higher level of security than asymmetric encryption.

b) It allows for faster data exchange compared to asymmetric encryption.

c) It simplifies the management of encryption keys.

d) It ensures compatibility with all types of devices and platforms.

A

b) It allows for faster data exchange compared to asymmetric encryption.

The advantage of using symmetric encryption in hybrid cryptography after exchanging keys is that it allows for faster data exchange compared to asymmetric encryption. Symmetric encryption algorithms are generally faster in encrypting and decrypting data than asymmetric encryption algorithms. Once the symmetric key is securely exchanged using asymmetric encryption, the subsequent data exchange can be performed using the faster symmetric encryption, improving overall performance.

33
Q

Cryptanalysis:

A

Cryptanalysis is the study of cryptographic systems with the aim of breaking them: recovering plaintext or keys without authorisation.

With the single exception of a correctly used one-time pad, every practical cipher can be broken by brute force given enough time and computing power; the design goal is that "enough" is far beyond what any attacker could ever have.

The strength of encryption therefore depends on the size of the key space (a 128-bit key has 2^128 possibilities, so exhaustive search is infeasible) and on the algorithm having no shortcut that lets an attacker do better than brute force.

Once an attack makes breaking an algorithm feasible in practice (as happened to DES, RC4, MD5 and SHA-1), it must be replaced.

34
Q

Which of the following statements about cryptanalysis is true?

A. Cryptanalysis is the process of securely generating cryptographic keys.

B. Cryptanalysis guarantees that all encryption methods are unbreakable.

C. Cryptanalysis involves attempting to break cryptographic secrets.

D. Cryptanalysis only focuses on the security of symmetric encryption algorithms.

A

C. Cryptanalysis involves attempting to break cryptographic secrets.

Cryptanalysis is the practice of analysing and studying cryptographic systems with the goal of finding weaknesses or vulnerabilities that can be exploited to decrypt or decipher encrypted data. It is the process of trying to break the security of encryption methods through various techniques, such as mathematical analysis, statistical methods, or brute-force attacks. Cryptanalysis is an essential aspect of cryptography to ensure the strength and resilience of encryption algorithms.

35
Q

Which of the following is a key component of Public Key Infrastructure (PKI)?

A. Digital certificates
B. Symmetric encryption algorithms
C. Certificate Revocation List (CRL)
D. Brute-force attacks

A

A. Digital certificates

Digital certificates are a key component of Public Key Infrastructure (PKI). PKI is a framework that enables the secure exchange of information over networks by using asymmetric encryption, digital signatures, and certificates. Digital certificates are electronic documents that bind a public key to an entity and are digitally signed by a trusted Certificate Authority (CA). They provide trust and authenticity in the exchange of public keys, verify the identity of users or entities, and support non-repudiation. Certificate revocation lists (option C) are also part of PKI, as its revocation mechanism, but they exist only to withdraw certificates, so the certificate is the defining component the question is after. Symmetric encryption algorithms and brute-force attacks are not components of PKI at all.

36
Q

What is the role of a Certificate Authority (CA) in a Public Key Infrastructure (PKI)?

A. To generate public-private key pairs
B. To issue and sign digital certificates
C. To encrypt and decrypt data
D. To authenticate users during key exchange

A

B. To issue and sign digital certificates

The primary role of a Certificate Authority (CA) in PKI is to issue and sign digital certificates. CAs are trusted third-party entities that verify the identity of individuals, organizations, or devices and bind their public keys to their identities. The CA signs the certificate using its private key, providing a level of trust and assurance in the certificate’s authenticity. The CA’s signature ensures that the certificate has not been tampered with and can be trusted by relying parties. Generating public-private key pairs (option A) is typically done by the end user or entity, not the CA. Encryption and decryption of data (option C) are performed by cryptographic algorithms and not directly related to the role of a CA. Authenticating users during key exchange (option D) is typically handled by protocols like SSL/TLS, while the CA’s role is primarily focused on issuing and signing certificates.

37
Q

Which protocol is commonly used to validate the validity of digital certificates in Public Key Infrastructure (PKI)?

A. SSL/TLS
B. OCSP
C. PGP
D. SSH

A

B. OCSP

The Online Certificate Status Protocol (OCSP) is commonly used to validate the validity of digital certificates in PKI. OCSP allows client applications, such as web browsers, to check the status of a certificate in real-time by querying the Certificate Authority (CA) or an OCSP responder. It helps ensure that the certificate has not been revoked or compromised. SSL/TLS is a protocol used for secure communication over the internet but is not specifically designed for certificate validation. PGP (Pretty Good Privacy) is a protocol used for encrypting, decrypting, and signing emails but does not rely on digital certificates for validation. SSH (Secure Shell) is a protocol used for secure remote access but is not directly related to certificate validation in PKI.