Week 2 Flashcards

1
Q

Spinning Internal Hard Drives (HDD)

A

-

2
Q

Used in many computer applications including

A

▪ Home PCs & laptop computers
▪ Gaming systems
▪ DVR or video recording systems
▪ Can be internal or external (portable, stand-alone)
▪ Server arrays

3
Q

Benefits of HDDs

A

▪ Readily available to consumers
▪ Varying storage sizes, currently 500 GB to 18 TB+
▪ Less expensive than solid state drives
▪ Data recovery generally easier
▪ Can be arranged in a RAID
  ▪ Redundant Array of Independent Disks
  ▪ Can be formatted in various ways
  ▪ Used to increase storage capacity & reduce data loss

4
Q

Downsides

A

▪ More susceptible to mechanical failure
▪ Can be heavy, depending on size
▪ Generally less reliable means of storage
▪ Advanced data recovery costly & time-consuming
▪ If handled improperly, can result in data damage or loss (static, magnetic)

Also, these are made in 3 or 4 places; they come from families which need to be understood in order to recover them properly.

5
Q

Architecture of HDDs

A

Heads that read the platters and transfer data to the user.

Magnetic platters, or plates, where data is stored.

Platters can only spin so fast, so data can only be read so fast.

Interface hardware or ROM (read-only memory) helps translate the data into a readable form for the user.

6
Q

Solid State Drives

A

SSDs

7
Q

same applications as spinning hard drives

A

8
Q

but

A

▪ Generally lower storage capacity
▪ Cost is higher
▪ No moving parts
▪ Can also be set up in a RAID
▪ Multiple different types

9
Q

Same basic technology is used in USB thumb drives, phone data storage, etc.

A

10
Q

SSD Architecture

A

There are no moving parts, so the footprint and weight are much less than spinning hard drives.

Connection to the computer is made via direct connection to the mother/logic board of the computer or device.

Data is stored on memory chips in blocks and pages.

Notes: SSDs (and thumb drives, etc.) have a "shelf life" and can only be written to a specified number of times before end of life. Some are also non-removable.

11
Q

Peripheral Devices

A

Memory Cards, USBs, Gaming, Alexas

12
Q

Memory Cards

A

▪ Come in different sizes…
  ▪ SD, MiniSD, Micro SD
▪ Used in external storage on cameras, phones (non-Apple), GPS devices, etc.
▪ Usually formatted in FAT-32 (will discuss in later lesson)
▪ Capacity currently up to 1.5TB
▪ Can be formatted to run operating system or other utility

13
Q

USB Thumb or Stick drives

A

▪ Often used for portability & data transfer on PCs & gaming systems
▪ Name-brand manufacturers usually apply a serial number, which is good forensic evidence
▪ Capacity currently up to 2TB
▪ Can be formatted to run operating system or other utility
▪ Often used in software licensing

14
Q

Mobile Phones/Tablets

A

▪ Two main operating systems: Apple & Android
  ▪ Android manufactured by multiple companies
▪ Newest iterations store up to 2TB of data, with potential external storage
▪ "Always on" cellular network connectivity
▪ Stores valuable evidence including text/app messages, geo-location data, pictures, video & more.

15
Q

Other Storage Devices

A

Stand-alone GPS units, Gaming Systems

16
Q

Gaming Systems

A

▪ Usually have network connectivity
▪ Can store videos, pictures, chat records, etc.
▪ Several have the ability to play Blu-ray discs
▪ Increasingly relevant in child exploitation investigations

17
Q

Stand-alone GPS units

A

▪ Still in use by truckers, hikers, motorcyclists, etc.
▪ More modern versions run on Android operating system
▪ Generally behave as an external storage device when connected to PC
▪ Excellent evidence in personal injury/accident cases, missing persons, etc.

18
Q

ASCLD

A

American Society of Crime Lab Directors - main body of accreditation for crime labs, but it’s not mandatory for all labs to have accreditation

19
Q

Digital Forensic Lab Physical Requirements

A

▪ Small room with true floor-to-ceiling walls
▪ Door access with a locking mechanism (limited to authorized users, including cleaning crews), which can be a regular key lock, combination lock, or an electronic lock capable of logging who accessed it
▪ Secure container, such as a safe or heavy-duty file cabinet with a quality padlock that prevents drawers from opening
▪ Visitor's log with legible entries listing all people who have accessed the lab and showing the date, time in, and time out
▪ Video surveillance
▪ Dedicated signal-blocking work area or signal-blocking device for working
▪ Limited internet access (if any)
▪ Environmental controls to mitigate heat from high-level processing & electronics use
▪ License access logging
▪ License access area (dongle server optional)

20
Q

Recommended Additional Equipment

A

▪ Digital camera (phone camera not recommended)
▪ Antistatic & signal-blocking bags
▪ External CD/DVD/Blu-ray drive
▪ Assorted cables for USB 3.0 to USB-C, Thunderbolt, hard drive connection cables (SATA, IDE, M.2)
▪ Assorted adapters
▪ A "toaster"
▪ External hard drives of varying capacity
▪ Computer/electronics tool kit

21
Q

Recommended Maintenance

A

▪ Keep all operating systems up to date… by transferring the update and plugging it in to a computer w/o internet
▪ Keep all forensic tools updated
▪ Keep all peripheral programs updated
  ▪ MS Office tools
  ▪ Video & image viewers
  ▪ Email tools
  ▪ Scripting tools

Disaster recovery…
▪ Image both OS drive & tools storage drive on a schedule
▪ Image administrative storage medium on a schedule…
  ▪ Instructor Siewert's personal "ouch" moment
▪ Plan for equipment upgrades
  ▪ Budgeting
  ▪ Workload requirements
  ▪ Requirements of modern forensic tools & operating systems
    ▪ Slower computers = longer processing & analysis time
    ▪ Click & wait…

22
Q

Accreditation

A

Governed by…
▪ American Society of Crime Lab Directors (ASCLD)
▪ Under the principles of…
  ▪ International Standards Organization (ISO)
  ▪ One common ISO standard is ISO/IEC 17025
    ▪ Governs accreditation for Forensic Service Providers
▪ Accreditation can be gained by public or private entities
▪ Manuals, documents can be found at: https://anab.ansi.org/2018-iso-iec-17025-forensicaccreditation-documents-0

23
Q

What is the purpose of ISO/IEC 17025 & Accreditation?

A

▪ Provides guidance on standard operation of forensic labs
▪ Issues some standards of practice for forensics generally
▪ Gives credibility to the lab
▪ Allows for business to be conducted in a uniform manner no matter the location
▪ Vets QC, policy, practice, personnel & other credentials

24
Q

Should I create a lab?

A

▪ Do you have the workload to justify expense?
  ▪ Expense = Hardware + Software + Training (all takes time)
▪ Can your organization afford the necessary tools & equipment?
▪ Full or part-time lab? Dedicated personnel?
▪ Accreditation or not?
▪ Infrastructure space?

25
Q

Forensic Workstation: Hardware

A

▪ Windows-based PC
▪ Separate HDDs and/or SSDs for:
  ▪ Operating system
  ▪ Tools storage
  ▪ Database storage (tool-dependent)
  ▪ Evidence storage
  ▪ May be part of a RAID array
▪ Write-blocker (internal or external)
▪ High CPU processing speed with as many cores as feasible within budget
▪ Graphical Processing Unit (GPU) of high capacity & speed to handle work overload & password cracking
▪ Capacity for more than one monitor
▪ At least 32-64 GB of RAM
▪ Optional equipment:
  ▪ Hot-swappable internal drive bays
  ▪ Imaging tray with cooling fan
  ▪ Physical locking mechanism
  ▪ External drive connections for SATA, IDE, etc.

(TEST)

26
Q

Portable/Field Forensic Workstations

A

▪ Often have slower processing speed & less storage capacity
▪ Great for field triage or on-site applications
▪ Often not as upgradable as desktop PCs
▪ Can be custom built with many of the same specs as desktop PCs

27
Q

Forensic Workstation Software (Automatic Tools): Paid Computer Analysis

A

Magnet Axiom & Axiom Cyber
X-Ways Forensics
OpenText Encase Forensic
Cellebrite Blacklight

28
Q

Magnet Axiom & Axiom Cyber

A

▪ "All-in-one" approach
▪ Supports Windows, Mac, Linux, iOS, Android & more
▪ Training & certification available
▪ Cost for tool: ~$7,000 + yearly maintenance ~$3,000

29
Q

X-Ways Forensics

A

▪ Has free component called WinHex
▪ Robust tool that isn't a system resource hog
▪ Training & certification available
▪ Cost for tool: ~$1,750 + yearly maintenance ~$850

30
Q

OpenText Encase Forensic

A

▪ Once a major contributor, not used as often
▪ Training & certification available
▪ Cost for tool: ~$7,500 + yearly maintenance ~$3,500

31
Q

Cellebrite Blacklight

A

▪ Operates on both Windows & Mac platforms
▪ Specializes in Mac data acquisition & analysis
▪ Training & certification available
▪ Cost for tool: ?

32
Q

Forensic Workstation Software (Automatic Tools): Open Source Computer Analysis

A

Autopsy by Basis Technology
Sumuri Paladin
Eric Zimmerman’s Tools
RegRipper

33
Q

Autopsy by Basis Technology

A

▪ Very capable tool for Windows & Android analysis
▪ Training & certification available
▪ Customizable plug-ins for those code-inclined
▪ Cost for tool: Free & Open Source

34
Q

Sumuri Paladin

A

▪ Bootable Linux tool with multiple applications
▪ Most often used: image creation on systems with non-removable drives
▪ Has apps included to perform virtually all forensic needs

35
Q

Eric Zimmerman’s Tools

A

▪ Suite of tools designed for triage & specific artifact analysis
▪ Available on GitHub

36
Q

RegRipper

A

▪ Command-line tool used to parse data & artifacts from the Windows registry (to be discussed in detail later)
▪ Developed by Harlan Carvey: author & IR expert
▪ Routinely updated with plug-ins. Community-supported

37
Q

Forensic Workstation Software (Automatic Tools): Paid Mobile Analysis

A

▪ Magnet Axiom (see previous)
▪ Cellebrite Universal Forensic Extraction Device (UFED) & Physical Analyzer
▪ Oxygen Forensics
▪ XRY Xamine
▪ Gray Key or Gray Shift

38
Q

Cellebrite Universal Forensic Extraction

A

▪ Used by law enforcement worldwide
▪ Android, iOS, GPS, Blackberry, Windows Phone, etc. support
▪ Constantly being developed, updated
▪ Training & certification available
▪ Cost for tool: ~$11,000 + yearly maintenance ~$7,500
▪ Advanced capabilities cost over $20,000 more per year

39
Q

Oxygen Forensics

A

▪ Used by law enforcement worldwide
▪ Android, iOS, GPS, Blackberry, Windows Phone, etc. support
▪ Training & certifications available
▪ Cost for tool: ~$7,000 + yearly maintenance ~$3,000

40
Q

XRY Xamine

A

▪ Acquisition & analysis tool
▪ Cost: ??

41
Q

Gray Key or Gray Shift

A

▪ Law enforcement only tool
▪ Tool is designed to bypass passcode security on iOS & Android devices
▪ Supports full file system extraction after first unlock
▪ Limited data if before first unlock
▪ Unit is tied to LE agency & monitored via IP address
▪ Cost for tool: ~$10,000 and up + yearly maintenance at same cost… Annually!

42
Q

Analyst Training + Certification

A

Training in DF is extremely important!
▪ Field is always changing & evolving
  ▪ Mobile forensics is the most prominent with this
  ▪ Operating systems upgraded regularly (phone & computer)
  ▪ Apple Mac OS is always changing
  ▪ Applications added & updated regularly
  ▪ Hardware advancements & improvements
  ▪ Tool-specific updates, improvements

Training and/or certification in DF is done in two main ways
▪ Vendor-neutral
▪ Vendor-specific

▪ Vendor-neutral training focuses on competencies, concepts, methodologies & principles
  ▪ Generally offered as part of a DF organization or association. Does NOT equal "free"
▪ Vendor-specific training teaches participants how to use a specific DF tool for specific purposes

43
Q

CFCE

A

Certified Computer Forensic Examiner (CFCE) certification process

6+ month long process, peer-reviewed, coached

44
Q

(IACIS)

A

International Association of Computer Investigative Specialists

45
Q

Vendor-Neutral Training Options

A

▪ International Association of Computer Investigative Specialists (IACIS)
  ▪ Capstone course: Basic Computer Forensic Examiner (BCFE) – 2 weeks
    ▪ Open to any member of IACIS (not LE restrictive)
    ▪ Comprehensive basic vendor-neutral training with basic equipment as part of tuition ($3,795)
  ▪ Upon completion, eligible to sit for Certified Computer Forensic Examiner (CFCE) certification process
    ▪ 6+ month long process, peer-reviewed, coached
  ▪ Also has 1 & 2-week specialized courses

▪ SANS Institute
  ▪ Offers a library of courses for computer forensics, mobile device forensics, information security, incident response, network security, etc.
  ▪ Computer forensic certification is GIAC Certified Forensic Examiner (GCFE)
  ▪ Open to all in the field of information security, compliance, forensics, etc.
  ▪ Cost is HIGH - $5,000-$10,000

▪ International Society of Forensic Computer Examiners (ISFCE)
  ▪ Primary course & certification is the Certified Computer Examiner (CCE)
    ▪ Applicants can sit for the test without attending a class
    ▪ A "CCE Bootcamp" is also available at cost
  ▪ Open to all in the field of digital forensics
  ▪ Peer-reviewed, coached
  ▪ Re-certification mandatory to maintain

▪ National White Collar Crime Center (NW3C)
  ▪ Non-profit, partially government-funded
  ▪ Offers a library of courses for computer forensics, mobile device forensics, network forensics, online investigation, etc.
  ▪ Several computer and mobile-based forensic certifications
  ▪ Offers both LE-only & publicly available classes
  ▪ Online & in-person classes offered

▪ National Computer Forensic Institute (NCFI)
  ▪ Operated by the US Secret Service
  ▪ Goal is to train state & local LE on basics of computer forensics, mobile forensics & network forensics
  ▪ Must be LE & sponsored by local USSS office
  ▪ Free to LE. Class provides all software, hardware & training
  ▪ Basic Computer Evidence Response Training (BCERT) is capstone 5-week course given in Hoover, AL
  ▪ Not specifically vendor-neutral, but provides training for multiple vendor tools

46
Q

CCE

A

Certified Computer Examiner
Primary course & certification for ISFCE

47
Q

ISFCE

A

International Society of Forensic Computer Examiners

48
Q

Vendor-Specific Training

A

▪ Offered by most (if not all) DF tool vendors
▪ Goal is competency within a discipline working with a tool created by a specific vendor
▪ Some offer just training, while others offer both training & certification
▪ Highlights:
  ▪ EnCase Certified Examiner (EnCE)
  ▪ Magnet Certified Forensic Examiner (MCFE)
  ▪ Cellebrite Certified Mobile Examiner (CCME)
    ▪ Also Cellebrite Certified Operator & Physical Analyst (CCO, CCPA)
  ▪ X-Ways Forensics X-Pert