Section 24.232 Digital Forensic Procedures Flashcards
Objective 4.8 Explain appropriate incident response activities
Digital Forensics
Systematic process of investigating and analysing digital devices and data to uncover evidence for legal purposes
Four Main Phases of Digital Forensic Procedures
Phase 1: Identification
Focus on scene safety, prevention of evidence contamination, and scope determination
● Secure the scene, preserve evidence, and document the scene
● Identify where relevant data might be stored (e.g., tablets, smartphones, servers)
Phase 2: Collection
Requires proper authorisation (e.g., a warrant or executive authorisation)
● Order of volatility:
○ Dictates the sequence in which data sources should be collected and preserved based on their susceptibility to modification or loss
○ Following order of volatility minimises data loss
○ 5 Steps of Order of Volatility:
■ Collect data from the system’s memory
■ Capture data from the system state
■ Collect data from storage devices
■ Capture network traffic and logs
■ Collect remotely stored or archived data
● Chain of Custody: Documented and verifiable record that tracks the handling, transfer, and preservation of digital evidence from the moment it is collected until it is presented in a court of law
● Evidence collection techniques:
○ Disk imaging: Involves creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space
○ File carving: Focuses on extracting files and data fragments from storage media without relying on the file system
Phase 3: Analysis
Examine the forensically sound evidence copy
● Systematically scrutinise data for relevant information, timestamps, user
interactions, and signs of criminal activity
● Follow strict procedures and documented protocols for consistency and objectivity
Phase 4: Reporting
Document methods, tools used, actions performed, findings, and conclusions in a final report
● The report serves as crucial evidence in legal proceedings, and the forensic analyst may need to testify
Additional Concepts
Legal Hold
Issued when litigation is expected and preserves potentially relevant electronic data
● Ensures evidence is not tampered with, deleted, or lost
● Requires the implementation of preservation practices to protect systems and evidence
E-Discovery (Electronic Discovery)
Process of identifying, collecting, and presenting electronically stored information for potential legal proceedings
● Involves searching, analysing, and formatting electronic data for litigation
Ethical Considerations
Adherence to a code of ethics that emphasises avoiding bias, repeatable actions, and evidence preservation
Ethical Considerations: Avoiding bias
Analysis should be performed without bias or prejudice and be based solely on the evidence
○ Use forensic analysts who are removed from the situation to avoid potential bias
Ethical Considerations: Repeatable actions
All analysis must be based on repeatable processes documented in the final report
○ Ensuring the original evidence remains unchanged is critical to maintaining evidentiary integrity
Ethical Considerations: Evidence preservation
Evidence includes both the device (e.g., laptop hard disk) and the data recovered from it
○ Perform analysis on a disk image, not the original drive, to prevent modifications or alterations