Revision Flashcards

1
Q

Can you explain to someone what “ACPO” is?

A

ACPO Good Practice Guide For Digital Evidence v5 2012 – The “… guide is still widely regarded as the definitive best practice guide for computer forensics in the UK and elsewhere.” (7safe.com, 2015)

2
Q

What is the main thing to remember about ACPO?

A

The principles;

3
Q

Apart from the answer to b. above, what other useful things does ACPO cover?

A

The processes and procedures

4
Q

Who uses ACPO?

A

Digital forensic professionals, Police, other countries…

5
Q

Principle 1

A

no action taken by law enforcement agencies, persons employed with those agencies or their agents should change data which may subsequently be relied upon in court

6
Q

Principle 2

A

in circumstances where a person finds it necessary to access data, that person must be competent to do so and give evidence explaining the relevance and implications of their actions

7
Q

Principle 3

A

an audit trail or other record of all processes applied to digital evidence should be created and preserved. an independent third party should be able to examine those processes and achieve the same result.

8
Q

Principle 4

A

the person in charge of the investigation has overall responsibility that the law and these principles are adhered to.

9
Q

Principles summarised

A
  1. don’t change any data
  2. if you have to access original data- you have to be able to explain exactly what effects your actions have had on the data
  3. chain of evidence- who had it, when, why, what
  4. the person in charge ensures the law and ACPO are followed to the letter
10
Q

What is the Computer Misuse Act 1990?

A

UK Legislation, law, about ways you break the law if you use a computer to do certain things

11
Q

What does “unauthorised access” mean?

A

If you don’t have access to something and you get access to it in a way other than being given permission to have access to it, for example guessing a password, using an unlocked computer that is not for general use, using a file you have access to for an unauthorised purpose…

12
Q

What might you have made if you are charged under section 3A?

A

Malware…

13
Q

Section 3 and 3ZA both refer to what?

A

Intentionally breaking, hiding, preventing access to, or infecting a computer or system or causing damage or harm to a person or persons, economy by using a computer to cause that harm;

14
Q

What does GDPR stand for? What is GDPR?

A

General Data Protection Regulation. It is a European Regulation, which tells you how you MUST deal with data covered within the Regulation (the law); it differs from a European Directive, which is more of a goal to achieve;

15
Q

What or whom does GDPR affect?

A

The data of European Citizens;

16
Q

Who has to follow GDPR?

A

GDPR has to be followed by anyone or any company anywhere in the world who collects and stores the data of a European Citizen;

17
Q

What does GDPR mean you have to do?

A

European Citizens’ data can only be collected for appropriate, specific purposes, processed according to and stored according to GDPR guidelines, kept for no longer than is necessary, notify the appropriate channels within 72 hours of a data breach occurring…

18
Q

If the UK leaves Europe, will we still need to follow GDPR? Why?

A

Yes, if anyone in the UK is collecting European Citizens’ data, because it affects every country in the entire world if they collect data on European Citizens…

19
Q

What is the Data Protection Act 2018?

A

UK Legislation that dictates how people’s personal data is collected, stored, how long it is kept for, how it is processed…

20
Q

Why do we need to know about the Data Protection Act 2018 and GDPR?

A

Because the GDPR has been written into UK law as the 2018 Data Protection Act and GDPR will still need to be followed if the UK leaves the EU. Also, GDPR and therefore the DPA 2018 are both sensible and help keep all our data safe and allow us as data subjects more rights than we’ve previously had over our own data.

21
Q

How does the 2018 version differ from the previous 1998 version?

A

The 2018 DPA builds upon the 1998 act; things have moved on technology-wise since 1998, so the act has been updated with that in mind. As mentioned in b. we as data subjects now have far more rights over our data, such as the right to be forgotten and the right to request the data a company holds on us – without being charged for it.

22
Q

Why would we need to know about the Data Protection Act 2018 as forensics professionals?

A

We might need to know about the DPA 2018 for a couple of reasons. Firstly, we might be analysing a forensic image and find data that has been obtained unlawfully – if we don’t know the DPA 2018, how can we know that? We keep hold of people’s data in many formats throughout an investigation so we must know how to look after the data properly.

23
Q

What is ethics?

A

The philosophy of thinking about what is right & wrong

24
Q

Why do we need to know & think about Ethics?

A

As digital forensics professionals we need to be doing what is right so if we know what is and isn’t ethical then we can ensure we are acting appropriately at all times;

25
Q

Is there a set ethical standard?

A

There is no one set of ethical standards, but as we are working with digital devices we can use the ACM’s Code of Ethics to guide us. Other countries and specific companies might have more specific guidance or even less guidance than that so you would need to make sure you are following an educated moral compass – like how ACPO has been adopted or used as a basis of other countries’ digital forensics procedures.

26
Q

What sort of ethical issues could we come across as a digital forensic professional?

A

Knowing information about people that we could use against them but knowing about right & wrong, we know that we have come across that information as part of an investigation as morally it would be wrong of us to do anything with that information - unless the information was the person breaking the law, in which case we wouldn’t “use it against them” but we would report it to the relevant authorities.

27
Q

What is incident response?

A

Incident response is about how you deal with an event, this could be at a crime scene or within a company network/online, but it is how you deal with the artefacts connected to the event, the process of dealing with it (steps/stages), and ensuring you follow procedures and guidelines.

28
Q

How many stages are there to incident response?

A

6 in total but stage 6 feeds into stage 1 so they could merge and make it 5 steps: Plan, Respond, Acquire, Analyse, Report, Learn. It’s a circular evolving process;

29
Q

What should you do as one of the very first tasks at a crime scene?

A

Take photographs, but also: sketch the scene, make notes, look around you, look at what is there, the details, ask questions, never assume…

30
Q

What might you need to do with a computer at a crime scene?

A

Take it apart, collect the hard drive to take back to the lab, look for other artefacts hidden inside it, forensically image it at the crime scene, leave it switched on and take photos of the desktop and take a RAM dump, then image it or cut the power… it depends!

31
Q

What is a graphics card?

A

A graphics card puts the picture on the screen;

32
Q

What does CPU stand for?

A

Central Processing Unit;

33
Q

What does a stick of RAM do?

A

Acts as the computer’s short-term memory;

34
Q

What is the difference between HDD and SSD?

A

A HDD is a mechanical disk drive that has “platters” on which the data is written to and read from. A SSD is a non-mechanical drive that uses integrated circuitry to store data persistently (continuously).

35
Q

What is an operating system?

A

An operating system is the software a computer uses to manage the hardware and other software resources installed within it.

36
Q

What are the 3 main operating systems we have spoken about?

A

Windows, Linux, Mac;

37
Q

What are FAT, NTFS, HFS, APFS examples of?

A

Filing systems;

The first two are Windows, the second two are Mac.

38
Q

What do each of the acronyms in c. stand for?

A

FAT: File Allocation Table; NTFS: New Technology File System; HFS: Hierarchical File System; APFS: Apple File System;

39
Q

Ways to hide files

A

Setting a file’s properties (on the right click menu) to hidden;

Changing the file type extension – e.g. from .docx to .jpg or .txt;

Adding a password to the file;

Storing the file somewhere other than the “normal” storage areas, e.g. the Rubbish Bin, a system folder, on an external drive;

40
Q

What is a database?

A

A collection of entities (things/items) and the attributes that make up each entity;

41
Q

Why would you use one?

A

You might use one to compare a sample from a crime scene to a previous crime scene, to speed up the search process, to narrow down your search;

42
Q

How do they work?

A

They might use a search term you type in and they look for that search term in the records they hold, or they might need to select options from drop down menus…

43
Q

What database would you use if you were looking for:
Fingerprints;
A Car;
A child;

A

You would use: i. IDENT1; ii. NPC; iii. CAID