Week 1 Flashcards

1
Q

Objectives of Computer Forensics (R.A.P)

A

To Recover, Analyze and Present computer-based material in such a way that it can be presented as evidence in a court of law.

2
Q

Who Performs Computer Forensics (L.C.C.P)

A

Law Enforcement for Criminal Cases
Corporate IT security personnel for criminal / civil cases
Corporate HR investigators for workplace investigations
Private investigators for various investigations

3
Q

What does Computer Forensics Involve (P.I.E.I.D , L.I.F.P)

A

Preservation
Identification
Extraction
Interpretation
Documentation

Legal Processes
Integrity of Evidence
Factual Reporting of the information found
Providing expert opinion in the court of law

4
Q

Preservation (P.O.M.C)

A

Preserve the integrity of the original evidence
Original evidence should not be modified or damaged
Make an image/copy of the original evidence and then perform analysis
Compare the copy to the original evidence to identify any modifications or damages.

5
Q

Hashing (P)

A

Prove that all the evidence is exactly the same as the original data, down to the very last bit!

6
Q

What are the values returned by a hash function called?

A

Hash values, hash codes, hash sums, hashes

7
Q

Identification (S.L)

A

Start by identifying the evidence and its location.
Locating and identifying the evidence is a challenge for the Forensic Investigator.

8
Q

Extraction (O.V.E)

A

Once the evidence is identified and located, it should be extracted immediately.

Volatile data can be lost at any point in time. The FI should extract this data from the copy made of the original evidence.

Extracted data must be compared with the original evidence and analyzed.

9
Q

Interpretation (M.A)

A

The most important role of the FI during an investigation is to interpret what has been found.

The analysis and inspection of the data must be interpreted in a lucid manner.

10
Q

Documentation (M)

A

Maintained from the beginning to the end

11
Q

Forensics in a nutshell

A

Evidence Acquisition
Investigation and Analysis
Report Findings

12
Q

What is digital evidence (F.P.P.P)

A

Fragile, Protect, Preserve and Probative

13
Q

Categories of Forensic Data (A.L.A)

A

Active Data - Data that can be seen
Latent Data - Data that exists despite being deleted
Archival Data - Data in backup

14
Q

Persistent vs Volatile Data

A

Persistent Data - preserved when the computer is turned off
Volatile Data - lost when the computer loses power or is turned off

15
Q

What is a Forensic Image?

A

A forensic image is a copy of the original evidence, generally collected by a tool that performs bit-level copying from one location to another.

16
Q

Three Common Disk Image Formats (E,R,V)

A

Expert Witness/Encase (E01)
Raw (dd)
Virtual machine disk file (VMDK,OVF)

17
Q

Forensic Disk Image Format (C.P.L)

A

Complete Disk - Most preferred method as it is the most comprehensive

Partition - Contains all allocation units from an individual partition on a drive
Includes unallocated space and file slack within that partition
Does not capture all data on a drive (as other partitions are not captured)
Taken only under certain circumstances (e.g., an excessively large disk)

Logical - Only certain files are acquired

18
Q

Traditional Imaging Process (T.T.S)

A

Traditional imaging is performed on static drives

The computer is turned off and booted into a forensic imaging environment, or the disk drive is plugged into an imager or examination workstation for duplication.

Special hardware is used to prevent source media from being modified.

19
Q

Hardware Write Blockers (S.M.M)

A

Sits in the connection between a computer and a storage unit.

Monitors the commands that are issued and prevents the computer from writing to the storage device.

Many interfaces such as ATA, SCSI, FireWire, USB, SATA, etc.

20
Q

Image Creation Tools (G.A)

A

Guidance Software - Encase
AccessData FTK imager

21
Q

Encase Evidence File (C.C.H)

A

Called an image file.

Contains the suspect's drive, CRC verification, case identification info (header), MD5 hash.

Header information is entered by the examiner, becomes part of the evidence file, and cannot be changed.

22
Q

Physical Layout of Encase Evidence File (H.D.C)

A

Header

Data Blocks - A bit by bit copy of the data blocks on the suspect media

Checksum and hash - 32-bit verification (CRC - cyclic redundancy check)

MD5 hash for checking of integrity

23
Q

Encase computes a CRC for every _ blocks?

A

Encase computes a CRC for every block of 64 sectors of data (34 kbytes) (1 sector = 512 bytes)

24
Q

A _-bit MD5 hash is computed for the entire data block section (excluding the CRCs)

A

128-bit

25
Q

Hashing Objectives (E.E)

A

Enforces Integrity

Ensures data is not modified

26
Q

When can the verification process of an Encase evidence file be successful?

A

The verification process can only be successfully completed after both the MD5 acquisition and verification hash values match and no CRC errors are reported.

27
Q

Two examples of hash functions, and more about them?

A

MD5 and SHA1

MD5 - takes an input message of arbitrary length and produces a 128-bit (16-byte) hash

Secure Hash Algorithm (SHA1) - takes a message shorter than or equal to (2^64 - 1) bits in length and produces a 160-bit (20-byte) hash value.

28
Q

Properties of Hashing (F.P)

A

- Fast and efficient one-way function that generates a bit sequence of fixed length from the original message, i.e. creating the hash value is fast, and the size of the hash value is small.

- Process is proven to be irreversible (nearly impossible within a useful amount of time). The original message cannot be recovered from the hash value.