Set 1 Flashcards
What is a forensics Lab?
Workspace for data extraction, analysis, and reporting. It must be accredited, for example to ISO/IEC 17025:2005 (the edition cited here; since superseded by ISO/IEC 17025:2017).
What is a Forensics Lab Manager responsible for?
Responsible for the overall operation of the lab: ensures analysts have what they need, handles staffing, and ensures staff receive appropriate training.
What does a Forensics Analyst do?
Performs scientific analysis of digital evidence collected from a variety of sources.
Define a Forensics investigator.
Focuses on the collection and retrieval of digital evidence. Similar to a Forensics Analyst.
What does ASCLD stand for?
American Society of Crime Laboratory Directors
What does ASCLD/LAB do?
It accredits forensics labs (ASCLD/LAB is an accreditation body, not a certification of individuals).
What do the security mechanisms Preventive, Detective, & Corrective mean?
Preventive - Prevents a security incident from happening
Detective - Discovers if a security event is in progress or has already occurred
Corrective - Aimed at fixing the root cause of the vulnerability that gave rise to the incident
What do the security mechanisms Recovery, Deterrent, and Compensating mean?
Recovery - Restores the computing environment to a known good state
Deterrent - Keeps an event from happening by creating an obstacle for the attacker
Compensating - A control inserted to compensate for lack of a permanent control
What are two principles of physical security?
Ensure the physical security of the lab.
Ensure the physical security of the evidence within the lab.
Why would you want two separate tables in a forensics lab?
One with two forensics workstations
One with one or two plain workstations for validating results.
What is 5WH?
Questions used for problem solving.
They consist of who, what, when, where, why, how.
Define computer forensics
The collection, preservation, analysis, and presentation of digital evidence in a forensically sound manner so that it is admissible in court.
What is used to manipulate MACE attributes, and how?
Timestomp: a tool that rewrites a file's MACE timestamps (Modified, Accessed, Created, Entry-modified) to values the attacker chooses.
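Added example, not part of the flashcard set: a small Python script that rewrites a file's Modified and Accessed times the way a stomping tool does and then checks for the traces such a rewrite leaves. It assumes a POSIX filesystem with nanosecond timestamps (ext4, tmpfs, APFS); the file name, its content and the stomped date are constructed for the demo. Linux os.stat exposes M, A and C (inode change time) but not NTFS's Created or Entry-modified values, so only those three are examined.

```python
"""Added example (not from the flashcards): simulate a timestomp-style rewrite
of a file's Modified and Accessed times, then flag the traces it leaves.

Assumptions: POSIX filesystem with nanosecond timestamps (ext4, tmpfs, APFS);
the file name, content and the stomped date are constructed for the demo.
"""
import os
import tempfile
import time
from datetime import datetime, timezone

NS = 1_000_000_000  # nanoseconds per second


def mac_times(path):
    """Return (mtime_ns, atime_ns, ctime_ns) for path."""
    st = os.stat(path)
    return st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns


def timestomp(path, when):
    """Rewrite M and A to `when` with whole-second precision, as simple
    stomping tools do. C cannot be set from user space: the kernel bumps it
    to 'now' as a side effect of the utime() call."""
    ts_ns = int(when.timestamp()) * NS
    os.utime(path, ns=(ts_ns, ts_ns))  # (atime_ns, mtime_ns)


def stomp_indicators(path, window_s=300):
    """Heuristic checks for tampered M/A times. Returns the list of reasons
    that fired (empty list = nothing suspicious). Each is only an indicator:
    archive extraction or a copy with preserved times also pushes C past M,
    and filesystems with one-second resolution zero the sub-second part."""
    m, a, c = mac_times(path)
    reasons = []
    if m % NS == 0 and a % NS == 0:
        reasons.append("sub-second part of M and A is zero")
    if c - m > window_s * NS:
        reasons.append("C is much later than M")
    if m > time.time_ns():
        reasons.append("M is in the future")
    return reasons


def demo():
    """Create a fresh file, check it, stomp it, check again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.docx")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"constructed content")
        before = stomp_indicators(path)
        timestomp(path, datetime(2001, 1, 1, tzinfo=timezone.utc))
        after = stomp_indicators(path)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh file:", before or "nothing suspicious")
    print("after timestomp:", after)
```

The C check is the one that matters most in practice: a stomped file claims an old modification time while its inode change time says the metadata was touched just now. Corroborate with sources the tool cannot rewrite, such as the NTFS $LogFile/$UsnJrnl or the $FILE_NAME timestamps, before calling it tampering.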
Who was a Nobel Prize winner and discovered blood types?
Karl Landsteiner
What is Locard’s exchange principle?
Every contact leaves a trace: the perpetrator brings something into the scene and takes something away from it, and either can serve as forensic evidence.
How many set of criminal laws exist in the united states?
51: one federal code plus one for each of the 50 states.
Unreasonable search and seizure is prohibited by which amendment?
The Fourth Amendment to the US Constitution.
Security control that happens in the event of a crime?
Detection
what is considered investigation for business use?
Corporate
Data forensic analysis is responsible for what?
Collecting and preserving criminal evidence
Which are considered two great laws of forensics?
Never work with the original, preserve the state it was found in.
What determined the murderer of Robert eidman?
Touch DNA from the lining of Eidman's pocket.
People vs holcolm is a criminal case? true or false
True
What two departments should you get authorization from before any search and seizure?
Legal and HR
What is an example of not digital evidence?
A printed (hard-copy) document from a printer.
Chain-of-custody?
Chain of custody is a documented record of who had possession and control over a particular piece of evidence at every moment until that object is entered into evidence in the courtroom.
chain-of-evidence?
Includes the search and seizure of that evidence and the cataloging of that evidence, as well as the chain of custody of that evidence once it has been obtained.
Digital evidence is not considered fragile true or false?
False
What is a magic byte?
Fixed byte values at the beginning of a file (its signature) that identify the file type regardless of the file's name or extension.
Which of the following would not be considered an anti-forensics technique?
- Encryption
- Disk wiping
- Compression
- Preventing MACE values from changing
Answer: preventing MACE values from changing (that is what an examiner does, e.g. with a write blocker, to keep evidence unchanged).
What is anti-forensics?
Anti-forensics is the set of techniques used to hide, alter, or destroy data in order to frustrate forensic analysis.
What are the two main types of evidence?
Relevant (what is relevant to the case) and admissible (what is used in court)
What are Invisible attributes called?
Metadata
Difference between live collection and dead collection?
Live collection is done on a running system and captures volatile data (memory, network connections, running processes); dead collection images the storage of a powered-off system.
An incident responder is not concerned with what?
Determining motive
When attempting to solve a crime, what would you use to create a hypothesis?
the Scientific method
According to first responders what should not be done during a crime scene?
Turning on a device that is off (powering on alters evidence).
Which of the following peripherals is most likely to contain digital evidence?
- Laptop
- Computer
- Printer
- Hard drive
Answer: Printer, the only peripheral listed (the others are hosts or internal storage; modern printers keep job logs and spooled data).
What does the magic byte value 5a4d indicate?
A DOS/Windows executable: the file starts with the bytes 4D 5A (ASCII "MZ"), which read as a little-endian 16-bit word is 0x5A4D.
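Added example covering both the magic-byte card and the 5a4d card; it is not part of the flashcard set. The script identifies a file's type from its leading bytes rather than its name, flags name/content mismatches (an executable named invoice.pdf), shows why the MZ header is quoted as 5a4d, and checks the PE signature that distinguishes a Windows executable from a bare DOS header. Every input is a constructed byte string, not a real file, and the signature table is a small selection, not a complete one.

```python
"""Added example (not from the flashcards): identify file types from magic
bytes, flag extension mismatches, and show the MZ/5a4d relationship.
All samples below are constructed byte strings.
"""
import struct

# (signature bytes, offset, description) for common evidence file types
SIGNATURES = [
    (b"MZ", 0, "DOS/Windows executable"),
    (b"\x7fELF", 0, "ELF executable"),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image"),
    (b"\xff\xd8\xff", 0, "JPEG image"),
    (b"GIF87a", 0, "GIF image"),
    (b"GIF89a", 0, "GIF image"),
    (b"%PDF-", 0, "PDF document"),
    (b"PK\x03\x04", 0, "ZIP container (also DOCX/XLSX/JAR/APK)"),
    (b"\x1f\x8b", 0, "gzip data"),
    (b"SQLite format 3\x00", 0, "SQLite database"),
]

# extensions that legitimately carry each signature
EXPECTED_EXT = {
    "DOS/Windows executable": {"exe", "dll", "sys", "scr", "cpl"},
    "ELF executable": {"", "so", "elf", "o"},
    "PNG image": {"png"},
    "JPEG image": {"jpg", "jpeg"},
    "GIF image": {"gif"},
    "PDF document": {"pdf"},
    "ZIP container (also DOCX/XLSX/JAR/APK)": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "gzip data": {"gz", "tgz"},
    "SQLite database": {"db", "sqlite", "sqlite3"},
}


def identify(data):
    """Return the description of the first matching signature, or None
    (plain text, raw data and formats not in the table have no match)."""
    for sig, off, desc in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return desc
    return None


def mz_word(data):
    """The flashcard value 5a4d: bytes 4D 5A ('MZ') read as a little-endian
    16-bit word, which is how IMAGE_DOS_SIGNATURE is defined in the PE format."""
    return struct.unpack_from("<H", data, 0)[0]


def is_pe(data):
    """MZ alone only proves a DOS header; a PE file also has 'PE\\0\\0' at the
    offset stored in the little-endian DWORD e_lfanew at 0x3c."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(name, data):
    """True if the content signature is one the extension should not carry,
    False if they agree, None when the content is unrecognised."""
    desc = identify(data)
    if desc is None or desc not in EXPECTED_EXT:
        return None
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ext not in EXPECTED_EXT[desc]


# constructed samples: a minimal PE header, a PNG header, plain text
PE_SAMPLE = bytearray(0x40)
PE_SAMPLE[0:2] = b"MZ"
struct.pack_into("<I", PE_SAMPLE, 0x3c, 0x40)  # e_lfanew points just past the DOS header
PE_SAMPLE = bytes(PE_SAMPLE) + b"PE\x00\x00" + b"\x00" * 20
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
TEXT_SAMPLE = b"just some notes\n"

if __name__ == "__main__":
    print(identify(PE_SAMPLE), hex(mz_word(PE_SAMPLE)), "PE:", is_pe(PE_SAMPLE))
    print("invoice.pdf carrying PE content, mismatch:", extension_mismatch("invoice.pdf", PE_SAMPLE))
    print("photo.png carrying PNG content, mismatch:", extension_mismatch("photo.png", PNG_SAMPLE))
```

Magic bytes are a triage aid, not proof: they can be forged, absent (plain text, raw disk data) or shared by several formats (a DOCX is a ZIP), and a polyglot file can satisfy two signatures at once. Treat a mismatch as a lead to examine, and confirm the type by parsing the structure, as is_pe does for the PE case.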
Federal rules of evidence should be used by state level? yes or no
Yes
What is best evidence?
The best evidence rule requires the original of a document (or a reliable duplicate) to prove its contents; a copy is admitted only when the original is unavailable. For electronically stored information an accurate printout or output counts as an original (FRE 1001), and a hash-verified forensic image is admissible as a duplicate (FRE 1003).
What is a warrant?
A court order, issued on a showing of probable cause, that authorizes search and seizure limited to the places and items it lists.
What is the HIPO (Hierarchical Input-Process-Output) diagram?
Guidelines for digital forensics investigators.
- Pre-Investigation
- Preparing the Investigation
- Search and Seizure
- Analyzing the Evidence
- Reporting and Testifying
- Post-Investigation
What do Pre-investigation, preparing the investigation, and search and seizure involve?
Pre-investigation-Learn requirements for case, build forensic capabilities, forensic hardware and methods
Preparing the investigation-Info about the case, develop hypothesis and plans, plan to obtain digital evidence
Search and seizure- Forensically sound seizure of evidence
What do Analyzing the Evidence, Reporting and Testifying, and Post-Investigation involve?
Analyzing the Evidence - Examine the captured evidence to test your hypotheses and produce findings that have evidential value
Reporting and Testifying - The final report is written and testimony is given
Post-Investigation - Review the notes taken and the process used, to update investigative methods and address risks
Which is used for having a smartphone not remotely wiped?
Faraday bag
When a system is powered on but screen is blank what should you do?
Move the mouse; don't press keys, which could trigger scripts or confirm dialogs.
If a warrant isn’t quick enough and it’s a dangerous circumstance can you go without a warrant?
Yes, under exigent circumstances (imminent danger or imminent destruction of evidence); document the justification.
A forensic image of a hard drive image is created how?
Bit-for-bit (sector-by-sector) copy of the whole drive, including slack and unallocated space, with the source and the image hashed and the hashes compared.
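Added example, not part of the flashcard set, tying together the cards on never working with the original, chain of custody, bit-for-bit imaging and changes of custody: a Python script that copies every byte of an evidence source to an image, verifies the image by SHA-256, keeps a chain-of-custody log, and shows that a one-byte change to the image breaks verification. The "drive" is a constructed file standing in for a block device such as /dev/sdb; the examiner and analyst names, the case id and the 4 KiB block size are assumptions. On real media the source is also behind a hardware write-blocker.

```python
"""Added example (not from the flashcards): acquire a bit-for-bit image of an
evidence source, verify it by hash, and keep a chain-of-custody log, so that
all later work is done on the verified copy and never on the original.

Assumptions: the 'drive' is a constructed file; names, case id and block
size are invented for the demo.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # assumed block size; imaging tools read whole sectors


def sha256_file(path, block=BLOCK):
    """Hash a file in blocks so multi-terabyte images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(src_path, dst_path, block=BLOCK):
    """Copy every byte of src to dst (allocated files, slack and unallocated
    space alike), hashing the source as it is read. Returns (source_hash,
    image_hash); they must match before the image is trusted."""
    src_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    return src_hash.hexdigest(), sha256_file(dst_path, block)


def custody_entry(log, item_id, action, who, sha256):
    """Append one chain-of-custody record: who did what to which item, when,
    and the hash that ties the record to the exact bytes handled."""
    entry = {
        "item": item_id,
        "action": action,
        "by": who,
        "sha256": sha256,
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    log.append(entry)
    return entry


def verify_image(path, expected_sha256):
    """Re-hash before any analysis session; a mismatch means stop and report."""
    return sha256_file(path) == expected_sha256


def demo():
    """Image a constructed drive, log the acquisition and a hand-over, then
    show that a one-byte change to the image breaks verification.
    Returns (hashes_matched, tampered_image_verifies, log)."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "sdb.raw")          # stand-in for the original
        image = os.path.join(d, "CASE-042-sdb.dd")  # assumed case id
        # constructed content: a live file, zeroed 'unallocated' space and a
        # fragment of a deleted file beyond the last allocated block
        with open(drive, "wb") as f:
            f.write(b"current-report.txt contents" + b"\x00" * 9000
                    + b"deleted-but-recoverable-fragment")
        log = []
        src_hash, img_hash = image_source(drive, image)
        matched = src_hash == img_hash
        custody_entry(log, "sdb", "acquired bit-for-bit image",
                      "examiner J. Doe (assumed)", img_hash)
        custody_entry(log, "CASE-042-sdb.dd", "transferred to analyst",
                      "analyst R. Roe (assumed)", img_hash)
        # tamper with one byte of the image and re-verify
        with open(image, "r+b") as f:
            f.seek(5)
            b = f.read(1)
            f.seek(5)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered_ok = verify_image(image, img_hash)
        return matched, tampered_ok, log


if __name__ == "__main__":
    matched, tampered_ok, log = demo()
    print("source/image hashes match:", matched)
    print("tampered image still verifies:", tampered_ok)
    for e in log:
        print(e)
```

Every hand-over adds a log entry carrying the same hash, so the record shows not only who held the item but that the bytes were unchanged at each step; production tools (dd, dc3dd, ewfacquire) do the same with hashes embedded in the image or a sidecar file.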
Which is not included in an investigation toolkit?
Magnets
Can a drunk driver be sued under tort law? True or false
True
As a member of corporate what do you need before acting?
Authorization
What helps in keeping records of an investigation and writing a findings report?
photographs and sketches
When evidence changes hands?
A change (transfer) of custody, which must be recorded on the chain-of-custody form with who, when, and why.
What is not in the Analyzing the evidence phase?
Testifying in court
Who can assess what the evidence proves to the court?
expert witness
Before touching a laptop what should you do?
Photograph it
Which type of form would be completed as they collect things identified as evidence?
Chain-of-evidence