WGU C702 FINAL EXAM LATEST 2023-2024 REAL EXAM QUESTIONS AND CORRECT ANSWERS / WGU C702 EXAM 2000 EXAM QUESTIONS AND ANSWERS | VERIFIED ANSWERS

Which of the following is true regarding computer forensics?
Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.

Which of the following is NOT an objective of computer forensics?
Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.

Which of the following is true regarding Enterprise Theory of Investigation (ETI)?
It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.

Forensic readiness refers to:
An organization’s ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs.

Which of the following is NOT an element of cybercrime?
Evidence smaller in size.

Which of the following is true of cybercrimes?
Investigators, with a warrant, have the authority to forcibly seize the computing devices.

Which of the following is true of cybercrimes?
The initial reporting of the evidence is usually informal.

Which of the following is NOT a consideration during a cybercrime investigation?
Value or cost to the victim.

Which of the following is a user-created source of potential evidence?
Address book.

Which of the following is a computer-created source of potential evidence?
Swap file.

Which of the following is NOT where potential evidence may be located?
Processor.

Under which of the following conditions will duplicate evidence NOT suffice?
When original evidence is in possession of the originator.

Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States?
Rule 101.

Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined?
Rule 102.

Which of the following Federal Rules of Evidence contains rulings on evidence?
Rule 103

Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly?
Rule 105

Which of the following refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law?
Computer Forensics.

Computer Forensics deals with the process of finding _ related to a digital crime to find the culprits and initiate legal action against them.
Evidence.

Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use.
True.

Cybercrimes can be classified into the following two types of attacks, based on the line of attack.
Internal and External.

Espionage, theft of intellectual property, manipulation of records, and trojan horse attacks are examples of what?
Insider attack or primary attacks.

External attacks occur when there are inadequate information-security policies and procedures.
True.

Which type of cases involve disputes between two parties?
Civil.

A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows the appropriate processes.
False.

__ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations.
Enterprise Theory of Investigation (ETI).

Forensic readiness includes technical and nontechnical actions that maximize an organization’s competence to use digital evidence.
True.

Which of the following is the process of developing a strategy to address the occurrence of any security breach in the system or network?
Incident Response.

Digital devices store data about a session, such as the user and the type of connection.
True.

Codes of ethics are the principles stated to describe the expected behavior of an investigator while handling a case. Which of the following is NOT a principle that a computer forensic investigator must follow?
Provide personal or prejudiced opinions.

What must an investigator do in order to offer a good report to a court of law and ease the prosecution?
Preserve the evidence.

What is the role of an expert witness?
To educate the public and court.

Which of the following is NOT a legitimate authorizer of a search warrant?
First Responder.

Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant?
Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.

Which of the following should be considered before planning and evaluating the budget for the forensic investigation case?
Breakdown of costs into daily and annual expenditure.

Which of the following should be physical location and structural design considerations for forensics labs?
Lab exteriors should have no windows.

Which of the following should be work area considerations for forensics labs?
Examiner station has an area of about 50-63 square feet.

Which of the following is NOT part of the Computer Forensics Investigation Methodology?
Testify as an expert defendant.

Which of the following is NOT part of the Computer Forensics Investigation Methodology?
Destroy the evidence.

Investigators can immediately take action after receiving a report of a security incident.
False.

In forensics laws, “authenticating or identifying evidence” comes under which rule?
Rule 901.

Courts call knowledgeable persons to testify to the accuracy of the investigative process. These people who testify are known as the:
Expert witnesses.

A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling.
True.

Identify the following which was launched by the National Institute of Standards and Technology (NIST), that establishes a “methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.”
Computer Forensic Tool Testing Project (CFTTP)

Which of the following is NOT a digital data storage type?
Quantum storage devices.

Which of the following is NOT a common computer file system?
EFX3

Which field type refers to the volume descriptor as a primary?
Number 1

Which logical drive holds the information regarding the data and files that are stored in the disk?
Extended partition.

How large is the partition table structure that stores information about the partitions present on the hard disk?
64-byte.

How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector?
32 bits

In the GUID Partition Table, which Logical Block Address contains the Partition Entry Array?
LBA 2

Which of the following describes when the user restarts the system via the operating system?
Warm booting.

Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?
Windows 8.

Which item describes the following UEFI boot process phase?
The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors.
PEI (Pre-EFI Initialization) Phase.

Which of the following basic partitioning tools displays details about the GPT partition tables in Windows OS?
DiskPart.

What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk?
Bootloader Stage

What component of a typical FAT32 file system contains data that the file system uses to access the volume and uses the system partition to load the operating system files?
Boot Sector.

Which component of the NTFS architecture is a computer system file driver for NTFS?
Ntfs.sys

What is the name of the abstract layer that resides on top of a complete file system, allows client application to access various file systems, and consists of a dispatching layer and numerous caches?
Virtual File System (VFS)

Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system?
Revision Level.

Which file system used in Linux was developed by Stephen Tweedie in 2001 as a journaling file system that improves reliability of the system?
Ext3

How many bit values does HFS use to address allocation blocks?
16

What UFS file system part is composed of a few blocks in the partition reserved at the beginning?
Boot blocks.

What is a machine readable language used in major digital operations, such as sending and receiving emails?
ASCII

What is JPEG an acronym of?
Joint Photographic Experts Group

What is the proprietary Microsoft Office presentation file extension used in PowerPoint?
PPT

Which of the following is an example of optical media?
CD/DVD

In sector addressing, _ determines the address of the individual sector on the disk.
Cylinders, Heads, and Sectors (CHS)

__ is a 128-bit unique reference number used as an identifier in computer software.
Global Unique Identifier (GUID)

Mac OS uses a hierarchical file system.
True.

The main advantage of RAID is that if a single physical disk fails:
The system will continue to function without loss of data.

The command “fsstat” displays the details associated with an image file.
False.

What is the simplest RAID level that does not involve redundancy, and fragments the file into the user-defined stripe size of the array?
RAID 0

An investigator may commit some common mistakes while collecting data from the system that result in the loss of critical evidence. Which of the following is NOT a mistake that investigators commonly make?
Use of correct cables and cabling techniques.

In Linux Standard Tools, forensic investigators use the following built-in Linux commands to copy data from a disk drive:
dd and dcfldd

Because they are always changing, the information in the registers or the processor cache is the most volatile data.
True.

Forensic data duplication involves the creation of a file that has every bit of information from the source in a raw bit-stream format.
True.

What document is used as a written record consisting of all processes involved in seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence?
Chain of custody document.

What is the process of permanently deleting or destroying data from storage media?
Media sanitization.

The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is:
Live data acquisition.

Which of the following refers to the data stored in the registries, cache, and RAM of digital devices?
Volatile information.

Where are deleted items stored on Windows Vista and later versions of Windows?
Drive:\$Recycle.Bin

Where are deleted items stored on Windows 98 and earlier versions of Windows?
Drive:\RECYCLED

Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows?
Drive:\RECYCLER

What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista?
3.99GB

Which of the following is NOT a feature of the Recover My Files tool?
Recovering files from a network drive.

What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown, and supports hardware RAID?
EaseUS

Which tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives?
Disk Digger

Which tool recovers files that have been lost, deleted, corrupted, and even deteriorated?
Quick Recovery

Which tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB?
Total Recall

Which tool scans the entire system for deleted files and folders and recovers them?
Advanced Disk Recovery

Which tool for Mac recovers files from a crashed or virus-corrupted hard drive?
Data Rescue 4

Which of the following are frequently left by criminals, assisting investigators in understanding the process of crime and the motive behind it, and allowing them to attempt to identify the person(s) who committed it?
Fingerprints

In Detecting Rootkits, the following technique is used to compare characteristics of all system processes and executable files with a database of known rootkit fingerprints.
Signature-Based Detection

In Anti Forensics Techniques, which of the following techniques is used to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data?
Steganography

Which of the following consists of volatile storage?
RAM

What is NOT a command used to determine logged-on users?
LoggedSessions

What is NOT a command used to determine open files?
Open files

What command is used to determine the NetBIOS name table cache in Windows?
Nbtstat

Which tool helps collect information about network connections operative in a Windows system?
Netstat

Which of the following commands is NOT a command used to determine running processes in Windows?
Netstat

Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples?
Volatility Framework

The information about the system users is stored in which file?
SAM database file

The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch?
Prefetching is disabled.

What prefetch does value 1 from the registry entry EnablePrefetcher tell the system to use?
Application prefetching is enabled.

What prefetch does value 2 from the registry entry EnablePrefetcher tell the system to use?
Boot prefetching is enabled.

What prefetch does the value 3 from the registry entry EnablePrefetcher tell the system to use?
Both application and boot prefetching are enabled.

What tool enables you to retrieve information about event logs and publishers in Windows 10?
Wevtutil.

Intruders attempting to gain remote access to a system try to find the other systems connected to the network and visible to the compromised system.
True.

__ command is used to display the network configuration of the NICs on the system.
ipconfig /all

Investigators can use Linux commands to gather necessary information from the system. Identify the following shell command that is used to display the kernel ring buffer or information about device drivers loaded into the kernel.
dmesg

What are the unique identification numbers assigned to a Windows user account for granting the user access to particular resources?
Microsoft security ID.

In the Windows Event Log File internals, the following file is used to store the databases related to the system:
System.evtx

Thumbnails of images remain on computers even after files are deleted.
True

What is NOT one of the three tiers a log management infrastructure typically comprises?
Log rotation

Which is NOT a log management system function?
Log generation.

What is NOT one of the three major concerns regarding log management?
Log viewing

Which is a type of network-based attack?
Eavesdropping

Which attack does NOT directly lead to unauthorized access?
Denial of service

How can an attacker exploit a network?
Through wired or wireless connections.

What is the primary reason for forensic investigators to examine logs?
To gain an insight into events that occurred in the affected devices/network.

Which is true about the transport layer in the TCP/IP model?
It is the backbone for data flow between two devices in a network.

What is an ongoing process that returns results simultaneously so that the system or operators can respond to attacks immediately?
Real time analysis

Which of the following is an internal network vulnerability?
Bottleneck

Which attack is specific to wireless networks?
Jamming signal attack.

Where can congressional security standards and guidelines be found, along with an emphasis for federal agencies to develop, document, and implement organization-wide programs for information security?
FISMA

What requires companies that offer financial products or services to protect customer information against security threats?
GLBA

Which of the following includes security standards for health information?
HIPAA

What is the act passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations?
SOX

What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?
PCI DSS

In what type of forensic examination do investigators perform an examination of logs to detect something that has already occurred in a network/device and determine what it is?
Postmortem

What are the most common network attacks launched against wireless networks?
AP MAC spoofing

In Event Correlation Approaches, which approach is used to monitor the computers and computer users' behavior and provide an alert if something anomalous is found?
Role-based approach

The investigator uses which of the following commands to view the ARP table in Windows?
arp -a

Which is NOT an indication of a web attack?
Logs found to have no known anomalies.

Which is a threat to web applications?
Cookie poisoning.

What layer of web application architecture includes all the web appliances, such as smartphones and PCs, where interaction with a web application deployed on a web server occurs?
Client layer

What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forwards the response back?
Web server layer

What layer of web application architecture is responsible for the core functioning of the system and includes logic and application, such as .NET, used by developers to build websites according to client requirements?
Business layer

What layer of web application architecture is composed of cloud services that hold all commercial transactions and a server that supplies an organization’s production data in a structured form?
Database layer

Which web application threat occurs when the application fails to guard memory properly and allows writing beyond maximum size?
Buffer overflow

Which web application threat refers to the modification of a website’s remnant data for bypassing security measures or gaining unauthorized information?
Cookie poisoning

Which web application threat occurs when an attacker is allowed to gain access as a legitimate user to a web application or data such as account records, credit card numbers, passwords, or other authenticated information?
Insecure storage.

Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user?
Information leakage.

Which web application threat arises when a web application is unable to handle technical issues properly and the website returns information, such as database dumps, stack traces, and codes?
Improper error handling

Which web application threat refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords?
Broken account management

Which web application threat occurs when attackers exploit HTTP, gain access to unauthorized directories, and execute commands outside the web server’s root directory?
Directory traversal

Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data?
SQL injection

Which web application threat occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data?
Parameter tampering

Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients?
Denial of service

Which web application threat occurs when attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, or query strings?
Unvalidated input.

Which web application threat occurs when attackers bypass the client’s ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages?
Cross site scripting

Which web application threat occurs when attackers insert malicious code, commands, or scripts into the input gates of web applications, enabling the applications to interpret and run the newly supplied malicious input?
Injection flaws

Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker?
Cross site request forgery

Which web application threat occurs when attackers identify a flaw, bypass authentication, and compromise the network?
Broken access control

Which supports HTTP, HTTPS, FTP, SMTP, and NNTP?
Internet Information Server (IIS)

On Windows Server 2012, by default, the IIS log files are stored at which of the following locations?
%SystemDrive%\inetpub\Logs\LogFiles

Which of the following is a web analytics solution for small and medium size websites?
Deep log analyzer

Which command is used to find if TCP and UDP ports have unusual listening?
netstat -na

Which of the three different files storing data and logs in SQL servers holds the entire log information associated with the database?
LDF

Which of the three different files storing data and logs in SQL servers is optional?
NDF

What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format?
EVTX

What type of forensics takes actions when a security incident has occurred and both detection and analysis of the malicious activities performed by criminals over the SQL database file are required?
MSSQL forensics

For Forensics Analysis, which of the following MySQL Utility Programs is used to export metadata, data, or both from one or more databases?
mysqldbexport

Which command line utility is used to take a backup of the database?
mysqldump

Which of the three different files storing data and logs in SQL servers is the starting point of a database and points to other files in the database?
MDF

What cloud service offers a platform for developing applications and services?
PaaS

What cloud service enables subscribers to use fundamental IT resources, such as computing power, virtualization, data storage, network, etc., on demand?
IaaS

What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay per use basis, by subscription, by advertising, or by sharing among multiple users?
SaaS

Which of the following is also known as an internal or corporate cloud infrastructure that a single organization operates?
Private cloud

What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models?
Hybrid cloud

Which cloud environment is a multi-tenant infrastructure shared among organizations with common computing concerns, such as security, regulatory compliance, performance requirements, and jurisdiction?
Community cloud

Which cloud environment allows the provider to make services, such as applications, servers, and data storage, available to the public over the internet?
Public cloud

Which of the following stakeholders includes professionals, such as cloud security architects, network administrators, security administrators, and ethical hackers, responsible for managing and maintaining all aspects of the cloud?
IT professionals

Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?
Investigators

Which of the following stakeholders are the first responders for all the security events or occurrences taking place on a cloud?
Incident handlers

Which of the following stakeholders are responsible for making sure all the forensic activities are within the jurisdiction and not violating any regulations or agreements?
Law advisors

What type of cloud testing should organizations perform regularly to monitor their security posture?
Pen testing

On demand _ is a type of service rendered by cloud service providers that allows provisioning of cloud resources such as computing power, storage, network, and so on, always on demand, without the need for human interaction with service providers.
Self service

Identify the following cloud computing service that enables subscribers to use fundamental IT resources such as computing power, virtualization, data storage, network, and so on, on demand.
Infrastructure-as-a-service (IaaS)

On Windows 10 OS, by default, the Google Drive Client is installed at which of the following locations?
C:\Program Files (x86)\Google\Drive

Which of the following is a disadvantage of a private cloud?
Expense

What is a common technique used to distribute malware on the web by injecting malware into legitimate looking websites to trick users into selecting them?
Click jacking

What is a common technique used to distribute malware on the web with tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get higher search engine ranking for malware pages?
Blackhat SEO

What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and account data?
Spear phishing sites

What is a common technique used to distribute malware on the web by embedding malware-laden advertisements in authentic online advertising channels to spread onto systems of unsuspecting users?
Malvertising

What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware just by merely visiting a website?
Drive by downloads

When a reputable website is infected with malware that secretly installs itself on a visitor’s system and thereafter carries out malicious activities, it is an example of which common technique used by hackers to distribute malware?
Compromised legitimate websites

Why is it safe to conduct static analysis?
The investigator does not install or execute the suspect file.

In Port Monitoring, the following command is used to look for connections established to unknown or suspicious IP addresses.
Netstat -an

What is NOT one of CAN-SPAM’s main requirements for senders?
Honor recipients' opt-out requests within 30 business days.

Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act?
Retransmitting spam messages through a computer to mislead others about the origin of the message.

What is the first step an investigator should take to carry out the on-site examination of an email server?
Obtain a search warrant application in the appropriate language.

What is the primary information required for starting an email investigation?
The unique IP address.

What is NOT true of email crimes?
Email crime is not limited by the email organization.

Which RFC defines normal email communication?
RFC 5322

Which of the following is an internet protocol that’s designed for transmitting email over IP networks?
Simple Mail Transfer Protocol (SMTP)

Where do email archives store received and sent emails?
On the system hard drive.

An email client connects with a POP3 server via which of the following?
Port 110.

What is considered the biggest threat to mobile devices?
Data loss.

Which architectural layer of mobile device environments represents any program that runs on the Android platform?
Client application

Which architectural layer of mobile device environments simplifies the process of interacting with web services and other applications such as email, internet, and SMS?
Communication API

Which architectural layer of mobile device environments is responsible for creating menus and sub-menus in designing applications?
GUI API

Which architectural layer of mobile device environments provides telephony service related to the mobile carrier operator such as making calls, receiving call, and SMS?
Phone API

Which architectural layer of mobile device environments offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation?
Operating system.

Which architectural layer of mobile device environments contains items that are responsible for mobile operations, such as a display device, keypad, RAM, flash, embedded processor, and media processor?
Hardware

Which architectural layer of mobile device environments allows a mobile device to communicate with the network?
Network

What operating system was Android based on?
Linux

Identify which code can be used to obtain the International Mobile Equipment Identifier (IMEI) number on a mobile phone.
*#06#

Which of the following is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer?
Electronic Serial Number (ESN)

The mobile forensics investigation team should consist of persons who have expertise in responding, seizing, collecting, and reporting the evidence from the mobile devices.
True.

How should expert witnesses conduct themselves while presenting testimony to any court or attorney?
Avoid leaning and develop self-confidence.

Which statement is correct about who attends a trial or deposition?
Both attorneys are present in a deposition.

Which of the following standards is a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?
Frye Standard.

The main objective of a cybercrime investigation is to identify which of the following?
Evidence and facts.

Quantitative Risk Analysis

Computer Forensics
A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computers in a way that is legally admissible

Cyber Crime
Any illegal act involving a computing device, network, its systems, or its applications. Both internal and external

Enterprise Theory of Investigation (ETI)
Methodology for investigating criminal activity

Types of Cyber Crime
Civil, Criminal, Administrative

Civil Cases
Involve disputes between two parties. Brought for violation of contracts and lawsuits where a guilty outcome generally results in monetary damages to the plaintiff

Criminal Cases
Brought by law enforcement agencies in response to a suspected violation of law where a guilty outcome results in monetary damages, imprisonment, or both

Administrative Cases
An internal investigation by an organization to discover if its employees/clients/partners are abiding by the rules or policies (Violation of company policies). Non-criminal in nature and are related to misconduct or activities of an employee

Rules of Forensic Investigation
Safeguard the integrity of the evidence and render it acceptable in a court of law. The forensic examiner must make duplicate copies of the original evidence. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. Must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level.

Cyber Crime Investigation Methodology/Steps
  1. Identify the computer crime
  2. Collect preliminary evidence
  3. Obtain a court warrant for discovery/seizure of evidence
  4. Perform first responder procedures
  5. Seize evidence at the crime scene
  6. Transport evidence to the lab
  7. Create two bit-stream copies of the evidence
  8. Generate an MD5 checksum of the images (modern practice also records SHA-256, since MD5 collisions are practical)
  9. Maintain the chain of custody
  10. Store the original evidence in a secure location
  11. Analyze the image copy for evidence
  12. Prepare a forensic report
  13. Submit the report to the client
  14. Testify in court as an expert witness
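Steps 7 to 10 above (two bit-stream copies, a checksum, a chain-of-custody record, and authentication of the duplicates required by the rules of forensic investigation) are shown below as an added example; this is not code from the course or from any forensic tool. It images a constructed 1 MiB file standing in for a seized drive, hashes the source stream once while writing both copies, then re-reads each copy independently to prove it matches. The item ID "EV-001", the custodian name and the copy file names are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read size; a real drive image is processed the same way, just longer


def image_and_hash(source_path, copy_paths, algorithms=("md5", "sha256")):
    """Write a bit-for-bit copy of source_path to every path in copy_paths,
    hashing the source stream once while it is read (MD5 to match the course
    steps, SHA-256 because MD5 collisions are practical). Returns {alg: hex}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    outs = [open(p, "wb") for p in copy_paths]
    try:
        with open(source_path, "rb") as src:
            for block in iter(lambda: src.read(CHUNK), b""):
                for h in hashers.values():
                    h.update(block)
                for out in outs:
                    out.write(block)
    finally:
        for out in outs:
            out.close()
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    """Independent re-read of a file on disk; used to authenticate a copy."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copies(source_digests, copy_paths):
    """Re-hash every copy from disk; a copy is authentic only if all digests match."""
    return {p: hash_file(p) == source_digests for p in copy_paths}


def custody_entry(item_id, action, custodian, digests):
    """One chain-of-custody record: who did what to which item, when, with what hashes."""
    return {"timestamp": datetime.now(timezone.utc).isoformat(), "item": item_id,
            "action": action, "custodian": custodian, **digests}


def demo():
    """Image a constructed 1 MiB 'evidence' file twice, verify both copies,
    then corrupt one copy and show that verification catches it."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")  # constructed stand-in for a seized drive
    with open(evidence, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    copies = [os.path.join(workdir, "image1.dd"), os.path.join(workdir, "image2.dd")]
    digests = image_and_hash(evidence, copies)
    log = [custody_entry("EV-001", "imaged (2 copies)", "examiner", digests)]  # assumed IDs
    verified = verify_copies(digests, copies)
    with open(copies[1], "r+b") as f:  # simulate a single flipped byte in the second copy
        f.write(b"\xff")
    after_tamper = verify_copies(digests, copies)
    return {"copies": copies, "digests": digests, "verified": verified,
            "after_tamper": after_tamper, "log": log}


if __name__ == "__main__":
    r = demo()
    print(r["digests"]["sha256"], r["verified"], r["after_tamper"])
```

The point of re-hashing the copies from disk rather than trusting the digest computed during the write is that it is the copy on the storage medium, not the bytes that passed through memory, that will be presented as authentic; a write that silently failed or a later modification only shows up on the re-read.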

Locard’s Exchange Principle
Anyone, or anything, entering a crime scene takes something of the scene with them and leaves something of themselves behind when they leave.

Types of Digital Data
Volatile Data
Non-volatile Data

Volatile Data
Temporary information on a device that requires a constant power supply and is lost if the power supply is interrupted (for example RAM contents, running processes, and open network connections).

Non-Volatile Data
Secondary storage of data. Long-term, persistent data.
Permanent data stored on secondary storage devices, such as hard disks and memory cards.

Characteristics of Digital Evidence

  1. Be Relevant
  2. Be probative
  3. Be authentic
  4. Be accurate
  5. Be complete
  6. Be convincing
  7. Be admissible

Admissible evidence
Evidence that can be legally and properly introduced in a civil or criminal trial.
Evidence is relevant to the case

Authentic Evidence
Evidence that is in its original or genuine state.
Investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence

Complete Evidence
Evidence must either prove or disprove the fact

Reliable Evidence
evidence that possesses a sufficient degree of likelihood that it is true and accurate
The process by which the evidence was extracted must be shown to be dependable.

Believable Evidence
Evidence must be presented in a clear manner and expert opinions must be obtained where necessary

Rules of Evidence
Rules governing the admissibility of evidence in trial courts.

Best Evidence Rule
states that secondary evidence, or a copy, is inadmissible in court when the original exists.
Duplicate evidence will suffice under the following conditions:
-Original evidence is destroyed due to fire or flood
-Original evidence is destroyed in the normal course of business
-Original evidence is in possession of a third party

Forensic Readiness
An organization’s ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.

Fourth Amendment
Protects against unreasonable search and seizure. Government agents may not search or seize areas or things in which a person has reasonable expectation of privacy, without a search warrant.

Chain of Custody
a written record of all people who have had possession of an item of evidence

Rule 101: Scope
These rules govern proceedings in the courts of the United States and before United States bankruptcy judges and United States magistrate judges, to the extent and with the exceptions stated in rule 1101.

Rule 102: Purpose and Construction
These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined.

Rule 105: Limited Admissibility
When evidence that is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly.

Rule 801: Hearsay
“Hearsay” means a statement that:
(1) the declarant does not make while testifying at the current trial or hearing; and
(2) a party offers in evidence to prove the truth of the matter asserted in the statement.

Rule 1002. Requirement of the Original
An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise.

Rule 1003. Admissibility of Duplicates
A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate.

Rule 1004. Admissibility of Other Evidence of Content
An original is not required, and other evidence of the content of a writing, recording, or photograph is admissible, if: (a) all the originals are lost or destroyed, and not by the proponent acting in bad faith; (b) an original cannot be obtained by any available judicial process; (c) the party against whom the original would be offered had control of the original, was put on notice that it would be a subject of proof, and fails to produce it at the trial or hearing; or (d) the writing, recording, or photograph is not closely related to a controlling issue.

Scientific Working Group on Digital Evidence (SWGDE)
brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.

Computer Forensics Investigation Process

  1. Pre-Investigation
  2. Investigation
  3. Post-Investigation

Pre-Investigation
Tasks performed prior to investigation
Setting up a computer forensics lab, toolkit, and workstation

Investigation
Main phase in computer forensics investigation
Acquisition, preservation, and analysis of the data

Post-Investigation
Reporting and documentation of all the actions undertaken and the findings
Ensure that the target audience can easily understand the report
Ensure report provides adequate and acceptable evidence

Computer Forensics Laboratory
Work area considerations: 50-63 sq. ft per workstation, no windows
ASCLD/Lab Accreditation
ISO/IEC 17025

Forensic Hardware Tools
FRED, Paraben’s StrongHold, PC-3000 Data Extractor, Paraben’s Chat Stick, RAPID IMAGE 7020 X2, RoadMASSter-3 X2, ZX-Tower, Data Recovery Stick, Tableau T8-R2 Forensic USB Bridge

FRED
Acquires data directly from hard drives and storage devices

Paraben’s StrongHold
blocks out wireless signals

PC-3000 Data Extractor
Diagnoses and fixes file system issues, so data can be obtained

Paraben’s Chat Stick
Thumb-drive device that searches the entire computer for chat logs

RAPID IMAGE 7020 X2
Copy one “Master” hard drive to up to 19 “Target” hard drives

RoadMASSter-3 X2
Ruggedized portable lab for HDD data acquisition and analysis.

ZX-Tower
Secure sanitization of hard disk

Data Recovery Stick
Recovers deleted files

Tableau T8-R2 Forensic USB Bridge
Write blocking of USB storage devices

Cain & Abel
Password recovery for Windows OS

Recuva
Recover lost pictures, music, docs, video, email. Recover all types of lost files from disk or removable media

Capsa
Sniffer

R-Drive Image
Creation of disk image files for backup

FileMerlin
Converts word processing to a wide range of file formats

AccessData FTK
Court-cited digital investigations platform that provides processing and indexing up front

EnCase
Rapidly acquire data and unearth potential evidence with disk-level forensic analysis

The Sleuth Kit
Command line tools to analyze disk images and recover files

L0phtCrack
Password auditing and recovery software

Ophcrack
Password cracker based on rainbow tables

Computer Forensic Tool Testing Project (CFTT)
NIST, establishes a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.

Image Integrity Tools
HashCalc, MD5 Calculator, HashMyFiles

HashCalc
Creates an MD5 hash for files, text, and hex strings (13 different algorithms)

MD5 Calculator
View the MD5 hash of a file to compare it with a provided hash value

HashMyFiles
Calculate MD5 hash on one or more files

Recover My Files
Recovers deleted files emptied from the Windows Recycle Bin and files lost due to formatting or corruption of a hard drive, virus or trojan infection, unexpected system shutdown, or software failure

Advanced Disk Recovery
Quick or deep scan for lost or deleted files

UndeletePlus
Quick or deep scan for lost or deleted files. same as Advanced Disk Recovery

Data Analysis Tools
FTK Imager, EnCase Forensic, The Sleuth Kit (TSK)

FTK Imager
Imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives, and examination of the content of forensic images or memory dumps

EnCase Forensic
Generates an evidence report; acquires large amounts of evidence as fast as possible, from laptops and desktop computers to mobile devices

The Sleuth Kit (TSK)
Library and collection of command-line tools allowing investigation of volume and file system data
fsstat
istat
fls
img_stat

Forensic Investigation Team
Attorney, Photographer, Incident Responder, Decision Maker, Incident Analyzer, Evidence Examiner/Investigator, Evidence Documenter, Evidence Manager, Expert Witness

18 USC 1029
Fraud and related activity in connection with access devices

18 USC 1030
Fraud and related activity in connection with computers

18 USC 1361-2
Prohibit malicious mischief

18 USC 2252A
Child pornography

18 USC 2252B
Misleading domains on Internet

18 USC 2702
Voluntary disclosure of customer communications or records

42 USC 2000AA
Privacy Protection Act

Rule 402
Relevant Evidence

Rule 502
Attorney-Client Privilege and Work Product; Limitations on Waiver

Rule 608
Evidence of character and conduct of witness

Rule 609
Impeachment by evidence of a criminal conviction

Rule 614
Interrogation of Witnesses

Rule 701
Opinion testimony

Rule 705
Disclosure of facts or data underlying an expert's opinion

Platters
Circular metal disks mounted into a drive enclosure

Tracks
Concentric rings on the platters that store data

Track Numbering
Starts at 0 and goes to 1023

Sectors
Smallest physical storage units located on a hard disk platter (traditionally 512 bytes long)

Clusters
Smallest accessible/logical storage unit on the hard disk

Slack Space
Wasted area of a disk cluster lying between the end of the file and the end of the cluster; it can still hold remnants of whatever previously occupied the cluster

Bad Sectors
Portions of a disk that are unusable due to some flaws (Don’t support read and write)

Sparse File
File that attempts to use file system space efficiently when allocated blocks are mostly empty.

Cylinders, Head, and Sectors (CHS)
Determine the address of an individual sector on a disk by its cylinder, head, and sector number

Logical Block Addressing (LBA)
Addresses data by assigning a sequential number to each sector, starting at 0
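The two addressing schemes above map onto each other by a fixed formula: LBA = (C x heads_per_cylinder + H) x sectors_per_track + (S - 1), with sectors numbered from 1 and cylinders limited to 0..1023 as in the track numbering above. The following added example (not from the course material) carries the formula through in both directions and shows where legacy CHS addressing runs out; the 255-head, 63-sector geometry is an assumption typical of legacy BIOS translation, not something the page states.

```python
# Assumed legacy BIOS geometry (255 heads, 63 sectors per track); cylinders
# run 0..1023, which is the track-numbering limit given above.
HEADS_PER_CYLINDER = 255
SECTORS_PER_TRACK = 63
MAX_CYLINDERS = 1024
SECTOR_SIZE = 512


def chs_to_lba(cylinder, head, sector, hpc=HEADS_PER_CYLINDER, spt=SECTORS_PER_TRACK):
    """CHS -> LBA. Sectors are 1-based; cylinders and heads are 0-based."""
    if not (0 <= cylinder < MAX_CYLINDERS and 0 <= head < hpc and 1 <= sector <= spt):
        raise ValueError("CHS address outside the addressable geometry")
    return (cylinder * hpc + head) * spt + (sector - 1)


def lba_to_chs(lba, hpc=HEADS_PER_CYLINDER, spt=SECTORS_PER_TRACK):
    """LBA -> CHS; raises once the sector lies beyond what 10-bit cylinders can express."""
    if lba < 0:
        raise ValueError("LBA must be non-negative")
    cylinder, remainder = divmod(lba, hpc * spt)
    head, sector0 = divmod(remainder, spt)
    if cylinder >= MAX_CYLINDERS:
        raise ValueError("LBA %d is beyond the CHS limit; use LBA addressing" % lba)
    return cylinder, head, sector0 + 1


def chs_addressable_bytes():
    """Largest disk legacy CHS can address with this geometry (about 8.4 GB)."""
    return MAX_CYLINDERS * HEADS_PER_CYLINDER * SECTORS_PER_TRACK * SECTOR_SIZE


if __name__ == "__main__":
    print(chs_to_lba(0, 32, 33), lba_to_chs(2048), chs_addressable_bytes())
```

A partition starting at LBA 2048 (the common 1 MiB alignment) therefore has CHS start (0, 32, 33), which is exactly the packed value found in many real MBR partition entries; anything past cylinder 1023 is written as the saturated value (1023, 254, 63) and the LBA fields are authoritative.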

Globally Unique Identifier (GUID)
128-bit unique number generated by Windows, used (among other things) to identify COM DLLs

File Carving
The process of reassembling computer files from fragments in the absence of file system metadata.

JPEG
Joint Photographic Experts Group
File type for images, can achieve 90% compression
Header (magic number) hex value FF D8 FF; the file ends with the marker FF D9

BMP
Device independent bitmap (DIB), standard graphics image file format for Windows

GIF
Contains 8 bits per pixel and displays 256 colors per frame
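File carving, as defined above, relies on exactly the kind of signatures listed for JPEG, BMP and GIF: the carver scans raw bytes for a known header, then decides where the file ends either from a footer (JPEG's FF D9, GIF's 0x3B trailer) or from a length stored in the header (BMP's size field). The example below is added here and is not code from the course or from any carving tool. The raw "image" it scans is constructed inline from minimal JPEG, GIF and BMP skeletons plus a truncated JPEG, so that it shows the truncated-file case as well as the normal one; the skeletons are not valid images, only the header and footer bytes the carver looks at.

```python
import struct


def carve_jpeg(data, start):
    """JPEG: header FF D8 FF, file ends at the EOI marker FF D9 (footer-based carve)."""
    end = data.find(b"\xff\xd9", start + 3)
    return None if end < 0 else data[start:end + 2]


def carve_gif(data, start):
    """GIF: 'GIF87a'/'GIF89a' header, trailer byte 0x3B. Searching for the first
    0x3B is an approximation; a stricter carver would walk the GIF block structure."""
    end = data.find(b"\x3b", start + 6)
    return None if end < 0 else data[start:end + 1]


def carve_bmp(data, start):
    """BMP: 'BM' header; bytes 2..5 hold the total file size (little-endian),
    so the length comes from the header rather than from a footer."""
    if start + 14 > len(data):
        return None
    size = struct.unpack_from("<I", data, start + 2)[0]
    if size < 14 or start + size > len(data):  # implausible size: treat as a false hit
        return None
    return data[start:start + size]


SIGNATURES = [
    (b"\xff\xd8\xff", "jpg", carve_jpeg),
    (b"GIF87a", "gif", carve_gif),
    (b"GIF89a", "gif", carve_gif),
    (b"BM", "bmp", carve_bmp),
]


def carve(data):
    """Scan raw bytes for known headers and return [(offset, ext, file_bytes)].
    No file-system metadata is consulted, so unallocated space and slack are
    scanned exactly like allocated space."""
    found, pos = [], 0
    while pos < len(data):
        hits = [(data.find(sig, pos), ext, fn) for sig, ext, fn in SIGNATURES]
        hits = [h for h in hits if h[0] >= 0]
        if not hits:
            break
        offset, ext, fn = min(hits, key=lambda h: h[0])
        blob = fn(data, offset)
        if blob is None:          # truncated file or false-positive header: step past it
            pos = offset + 1
            continue
        found.append((offset, ext, blob))
        pos = offset + len(blob)
    return found


def sample_image():
    """Constructed raw image: filler, a JPEG, a GIF, a BMP and a truncated JPEG."""
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x10" * 40 + b"\xff\xd9"
    gif = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 10 + b"\x3b"
    body = b"\x00" * 40
    bmp = b"BM" + struct.pack("<I", 14 + len(body)) + b"\x00" * 4 + struct.pack("<I", 14) + body
    truncated = b"\xff\xd8\xff\xe1" + b"\x22" * 20          # no FF D9 footer
    return b"\x00" * 100 + jpeg + b"\x00" * 50 + gif + b"\x00" * 30 + bmp + b"\x00" * 20 + truncated


if __name__ == "__main__":
    for offset, ext, blob in carve(sample_image()):
        print(offset, ext, len(blob))
```

Because "BM" is only two bytes it will match inside random data constantly, which is why the BMP carver sanity-checks the size field before accepting a hit; production carvers add similar plausibility checks for every format, and treat a header with no footer as a truncated candidate rather than discarding the scan.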

fsstat (TSK)
display details associated with the file system

istat (TSK)
Display details of meta-data structure (INODE)

fls (TSK)
List file and directory names in a disk image

img_stat (TSK)
Displays details of an image file

Master Boot Record (MBR)
The first sector on a hard drive, which contains the partition table and the code the BIOS executes to boot an OS from the drive.
512 bytes long
Contains four 16-byte master partition records
Starts at sector 0
Signature 0x55AA

Master Boot Code
Loaded into memory by the BIOS; initiates the system boot process by locating the active partition and loading its boot sector
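The MBR facts above (512 bytes, four 16-byte partition records at offset 446, signature 0x55AA) are enough to parse one, which is what an examiner does with the mbr.backup file produced by the dd command further down or with sector 0 of an image. The parser below is an added example, not code from the course or from any forensic tool; the sample MBR it reads is constructed in the block (zeroed boot code plus two made-up partition entries), and the 0x55AA check, the packed CHS decoding and the overlap test are the checks a practitioner would want when a partition table is suspected of tampering.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def decode_chs(raw):
    """Unpack the packed 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(mbr):
    """Return the boot code and the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack_from(ENTRY_FORMAT, mbr, off)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba_start, "lba_end": lba_start + count - 1, "sectors": count,
            "gpt_protective": ptype == 0xEE,  # type 0xEE means a GPT disk hides behind this MBR
        })
    return {"boot_code": mbr[:PARTITION_TABLE_OFFSET], "partitions": partitions}


def overlapping(partitions):
    """Pairs of partition indexes whose LBA ranges overlap: a sign of corruption or tampering."""
    s = sorted(partitions, key=lambda p: p["lba_start"])
    return [(a["index"], b["index"]) for a, b in zip(s, s[1:]) if b["lba_start"] <= a["lba_end"]]


def build_mbr(entries):
    """Constructed sample MBR (not from a real disk): zero boot code plus the given entries."""
    table = b"".join(struct.pack(ENTRY_FORMAT, *e) for e in entries)
    table += b"\x00" * (64 - len(table))
    return b"\x00" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE


def sample_mbr():
    # Made-up layout: a bootable NTFS partition at LBA 2048 followed by a Linux partition.
    return build_mbr([
        (0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800),
        (0x00, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", 206848, 409600),
    ])


if __name__ == "__main__":
    with open("mbr.backup", "rb") as f:  # e.g. the file written by the dd command below
        parsed = parse_mbr(f.read(MBR_SIZE))
    for p in parsed["partitions"]:
        print(p)
    print("overlaps:", overlapping(parsed["partitions"]))
```

The CHS end value FE FF FF decodes to (1023, 254, 63), the saturated maximum that every partition beyond the CHS limit carries; the LBA start and sector-count fields are the ones to trust.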

American Standard Code for Information Interchange (ASCII)
128 specified characters coded into 7-bit integers
Source code of a program, batch files, macros, scripts, HTML and XML documents

ASCII Table
Non-printable control codes: 0 to 31
Lower ASCII codes: 32 to 127
Higher (extended) ASCII codes: 128 to 255

Universal Coded Character Set (UCS)
Standard for encoding, representation, and management of texts
More than 128,000 characters
XML, Java, and Microsoft.NET

Back Up the MBR
dd if=/dev/xxx of=mbr.backup bs=512 count=1

Restore the MBR
dd if=mbr.backup of=/dev/xxx bs=512 count=1

GUID Partition Table (GPT)
Allows disks larger than 2TB
Can have 128 Windows partitions
Uses CRC32 checksums for data integrity: one over the GPT header (computed with its own CRC field zeroed) and one over the partition entry array
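The GPT CRC32 checksums are the first thing to check when a disk's partition table is in doubt, because an edited entry or header that was not re-checksummed shows up immediately. The example below is added here and is not code from the course or from any partitioning tool. It builds a primary GPT header and a 128-entry partition array in memory (the disk size, LBAs, disk and partition GUIDs and partition name are made up; the basic-data type GUID is the well-known Microsoft one), then verifies both checksums the way a firmware or forensic parser does and decodes the entries.

```python
import struct
import uuid
import zlib

HEADER_FORMAT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header at LBA 1
ENTRY_FORMAT = "<16s16sQQQ72s"        # 128-byte partition entry
ENTRY_SIZE = 128
HEADER_SIZE = 92

# Constructed identifiers for the sample: the basic-data type GUID is the
# well-known Microsoft value; the disk and partition GUIDs are made up.
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
DISK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
PART_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_gpt(entries, num_entries=128, disk_guid=DISK_GUID):
    """Build a primary GPT header plus partition array with correct CRC32s.
    The header CRC is computed with its own CRC field zeroed."""
    array = b"".join(struct.pack(ENTRY_FORMAT, *e) for e in entries)
    array += b"\x00" * (ENTRY_SIZE * num_entries - len(array))
    fields = [b"EFI PART", 0x00010000, HEADER_SIZE, 0, 0,
              1, 2047,       # this header at LBA 1, backup header at the last LBA of a 2048-sector disk
              34, 2014,      # first and last usable LBA (made-up, small disk)
              disk_guid.bytes_le, 2, num_entries, ENTRY_SIZE, crc32(array)]
    header = struct.pack(HEADER_FORMAT, *fields)
    header = header[:16] + struct.pack("<I", crc32(header)) + header[20:]
    return header, array


def verify_gpt(header, array):
    """Return a list of integrity problems (empty means header and table check out)."""
    problems = []
    f = struct.unpack(HEADER_FORMAT, header[:HEADER_SIZE])
    if f[0] != b"EFI PART":
        problems.append("bad signature")
    hdr_size = f[2]
    if not HEADER_SIZE <= hdr_size <= 512:
        problems.append("implausible header size")
        hdr_size = HEADER_SIZE
    zeroed = header[:16] + b"\x00\x00\x00\x00" + header[20:hdr_size]
    if crc32(zeroed) != f[3]:
        problems.append("header CRC mismatch")
    num, size, stored = f[11], f[12], f[13]
    if crc32(array[:num * size]) != stored:
        problems.append("partition array CRC mismatch")
    return problems


def parse_entries(header, array):
    """Decode the non-empty partition entries (type GUID, LBA range, UTF-16LE name)."""
    num, size = struct.unpack(HEADER_FORMAT, header[:HEADER_SIZE])[11:13]
    out = []
    for i in range(num):
        type_guid, part_guid, first, last, attrs, name = struct.unpack(
            ENTRY_FORMAT, array[i * size:i * size + ENTRY_SIZE])
        if type_guid == b"\x00" * 16:
            continue
        out.append({"type": str(uuid.UUID(bytes_le=type_guid)), "first_lba": first,
                    "last_lba": last, "attrs": attrs,
                    "name": name.decode("utf-16-le").rstrip("\x00")})
    return out


def sample_gpt():
    entry = (BASIC_DATA.bytes_le, PART_GUID.bytes_le, 34, 2014, 0, "Basic data".encode("utf-16-le"))
    return build_gpt([entry])


if __name__ == "__main__":
    hdr, arr = sample_gpt()
    print(verify_gpt(hdr, arr), parse_entries(hdr, arr))
```

GUIDs are stored on disk in mixed-endian form, which is why the code uses bytes_le in both directions; reading a type GUID as big-endian bytes yields a value that matches no known partition type, a common mistake when hand-parsing GPT images.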
