Download Digital Forensics: Techniques and Tools for Investigating Cyber Incidents and more Exams Cybercrime, Cybersecurity and Data Privacy in PDF only on Docsity!
Forensics -
The process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. Deals primarily with the recovery and analysis of latent evidence.
Expert Report -
A formal document that lists the tests you conducted, what you found, and your conclusions. It also includes your curriculum vita (CV), is very thorough, and tends to be very long. In most cases an expert cannot directly testify about anything not in his or her expert report.
Curriculum Vitae (CV) -
Like a resume, only much more thorough and specific to your work experience as a forensic investigator.
Deposition -
Testimony taken from a witness or party to a case before a trial; less formal and is typically held in an attorney's office.
Digital Evidence -
Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.
Chain of Custody -
The continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.
Objectives of Computer Forensics -
Recover computer-based material Analyze computer-based material Present computer-based material
Goals of Opposing Counsel in a Deposition -
To find out as much as possible about your position, methods, conclusions, and even your side's legal strategy To get you to commit to a position you may not be able to defend later
Real Evidence -
A physical object that someone can touch, hold, or directly observe. Examples: include a laptop with a suspect's fingerprints on the keyboard, a hard drive, a universal serial bus (USB) drive, or a handwritten note.
Documentary Evidence -
Data stored as written matter, on paper or in electronic files; includes memory-resident data and computer files. Examples: e-mail messages, logs, databases, photographs, and telephone call- detail records
Testimonial Evidence -
Information that forensic specialists use to support or interpret real or documentary evidence
Demonstrative Evidence -
Information that helps explain other evidence. An example is a chart that explains a technical concept to the judge and jury
Disk Forensics -
The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives, smartphones, GPS systems, and removable media. includes both the recovery of hidden and deleted information and the process of identifying who created a file or message
E-mail Forensics -
Later development of SDRAM
Read-only memory (ROM) -
This is usually used for instructions embedded in chips and controls how the computer, option cards, peripherals, and other devices operate. Cannot be changed
Programmable read-only memory (PROM) -
Can be programmed only once; data is not lost when power is removed.
Erasable programmable read-only memory (EPROM) -
Data is not lost when power is removed. Again, this is a technique for storing instructions on chips.
Electronically erasable programmable read-only memory (EEPROM) -
This is how the instructions in your computer's BIOS are stored.
Small Computer System Interface (SCSI) -
This has been around for many years, and is particularly popular in high-end servers. Must have a terminator at the end of the chain of devices to work and are limited to 16 chained devices
Integrated Drive Electronics (IDE) -
This is an older standard but one that was commonly used on PCs for many years. It is obvious you are dealing with this type of drive if you encounter a 40-pin connector on the drive.
Parallel Advanced Technology Attachment (PATA) -
An enhancement of IDE. It uses either a 40-pin (like IDE) or 80-pin connector.
Serial Advanced Technology Attachment (SATA) -
This is what you are most likely to find today. These devices are commonly found in workstations and many servers. Does not have jumpers like IDE and EIDE Serial SCSI - An enhancement of SCSI that supports up to 65,537 devices and does not require termination. Solid-state drives - Use microchips that retain data in non-volatile memory chips and contain no moving parts. Use NAND-based flash memory, which retains memory even without power. Generally, require one- half to one-third the power of hard disk drives Sector - The basic unit of data storage on a hard disk, which is usually 512 bytes. Cluster - A logical grouping of sectors; can be 1 to 128 sectors in size; organized by tracks Drive Geometry - This term refers to the functional dimensions of a drive-in terms of the number of heads, cylinders, and sectors per track. Slack Space - This is the space between the end of a file and the end of the cluster, assuming the file does not occupy the entire cluster. This is space that can be used to hide data Low-level format - This creates a structure of sectors, tracks, and clusters. High-level format - This is the process of setting up an empty file system on the disk and installing a boot sector. This is sometimes referred to as a quick format. File Header -
Data Destruction Data Hiding Data Transformation Data Contraception Data Fabrication File System Altercation Data Contraception - Storage of data where a forensic specialist cannot analyze it Data Fabrication - Uses false positives and false leads extensively File System Altercation - Corruption of data structures and files that organize data. Fraud - A broad category of crime that can encompass many different activities. Essentially, any attempt to gain financial reward through deception. Data Piracy - Distribution of illegally copied materials; frequently addressed via civil court rather than criminal. Telephony Denial of Service (TDoS) - Occurs when a call center or business receives so many inbound calls that the equipment and staff are overwhelmed and unable to do business. Virus - Any software that self-replicates; easy to locate, but hard to trace back FakeAV86 - Purports to be a free antivirus scanner, but is really itself a virus Flame -
Spyware specifically designed for espionage that can monitor network traffic and take screenshots of the infected system. This malware stores data in a local database that is heavily encrypted. Uses fraudulent Microsoft certificate The first step in investigating a virus - Document the virus Rules of Evidence - Govern whether, when, how, and why proof of a legal case can be placed before a judge or jury Federal Rules of Evidence (FRE) - A code of evidence law; governs the admission of facts by which parties in the U.S. federal court system may prove their cases. It also provides guidelines for the authentication and identification of evidence for admissibility under rules 901 and 902 Life Span - How long information is valid Bit-Level Information - Information at the level of actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system's interpretation File Slack Space - Unused space between the logical end of file and the physical end of file Subclasses of Fraud - Investment Offers Data Piracy Daubert standard - Standard used by a trial judge to make a preliminary assessment of whether an expert's scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue. The Federal Privacy Act of 1974 -
Designed to protect persons 18 years of age and under from downloading or viewing material considered indecent. This act has been subject to court cases that subsequently changed some definitions and penalties. The Wireless Communications and Public Safety Act of 1999 - Allows for collection and use of "empty" communications, which means nonverbal and non-text communications, such as GPS information. The Sarbanes-Oxley Act of 2002 - Contains many provisions about record keeping and destruction of electronic records relating to the management and operation of publicly held companies. Denial of Service (DoS) Software - Low Orbit Ion Cannon Trin00 (DoS) Tribal Flood Network (DDoS) Identity Theft - Any use of another person's identity Ophcrack - A tool to crack the local passwords on Windows systems. Can be detected by a logout followed immediately by an administrator login. Cyberstalking - Using electronic communications to harass or threaten another person. Swap File - Might contain data that was live in memory and not stored on the hard drive. The swap file is used to optimize the use of random access memory (RAM). DoD Cyber Crime Center (DC3) - Sets standards for digital evidence processing, analysis, and diagnostics Provides computer investigation training to forensic examiners, investigators, system administrators, and others.
The Digital Forensic Research Workshop (DFRWS) Framework - A nonprofit volunteer organization whose goal is to enhance the sharing of knowledge and ideas about digital forensics research. DFRWS Classes - Identification Preservation Collection Examination Analysis Presentation Event-Based Digital Forensics Investigation Framework - Readiness Phase Deployment Phase Physical Crime Scene Investigation Phase Digital Crime Scene Investigation Phase Presentation Phase Evidence Handling Tasks - Find Evidence Preserve Evidence Prepare Evidence American Society of Crime laboratory Directors (ASCLD) - Provides guidelines for managing a forensic lab as well as acquiring crime lab and forensic lab certification. A lab must meet about 400 criteria to achieve accreditation. dd command - Linux command that can be used to wipe a target drive RAID 3 or 4 - Striped disks with dedicated parity
Linux command that is used to create a hash EnCase - Manufactured by Guidance Software; it is a very widely used forensic toolkit. This tool allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine. Prevents the examiner from making any accidental changes to the suspect machine. Based on the Evidence File concept. Evidence File - An exact copy of a hard drive; this file contains the header, the checksum, and the data blocks. Forensic Toolkit (FTK) - Manufactured by Access Data Provides a robust set of tools for examining email Helix - A customized Linux Live CD used for computer forensics BackTrack - A Linux Live CD used to boot a system and then use the tools It is not used just for forensics, however, as it offers a wide number of general security and hacking tools AnaDisk Disk Analysis Tool - Scans for anomalies that identify odd formats, extra tracks, and extra sectors. It can be used to uncover sophisticated data-hiding techniques. The Sleuth Kit - A collection of command-line tools that are available as a free download. The most obvious of the utilities included is ffind.exe Disk Investigator - This is a free utility that comes as a graphical user interface for use with Windows operating systems. Presents you with a cluster-by-cluster view of your hard drive in hexadecimal form.
Netstat - Command that shows network statistics and any current connections Net Sessions - Command that shows only established network communication sessions, such as someone logging on to that system Proper Procedure for Collecting, Seizing, and Protecting Evidence - Shut Down the Computer Transport the Computer System to a Secure Location Prepare the system Document the Hardware Configuration Mathematically Authenticate Data on All Storage Devices Types of data collected by forensic investigators - Volatile Data Temporary Data Persistent Data Evidence gathering measures -
- Avoid changing the evidence
- Determine when evidence was created
- Search throughout a device
- Determine Information about encrypted and steganized files
- Present the evidence well Forensic Analysis Techniques - Live Analysis Physical Analysis Logical Analysis
The Generic Forensic Zip - An open-source file format used to store evidence from a forensic examination. IXimager - This tool was developed by the U.S. Internal Revenue Service (IRS) and is restricted to law enforcement and government use only FAT16/32 - When a file is deleted, the data is not actually removed from the drive. Rather, the FAT is updated to reflect that those clusters are no longer in use. If new information is saved to the drive, it may be saved to those clusters overwriting the old information New Technology File System (NTFS) -
- Uses a Master File Table (MFT)
- When files are deleted clusters are first marked as deleted, thus "moved" to the Recycle Bin
- Only when you empty the Recycle Bin is the cluster marked as fully available EXT File System -
- Most common file system run by Linux
- Files are stored in contiguous 1,204, 2,048, or 4,096 byte blocks Inode - Stores all the information about a file except its name and its actual data. A link to a file Hard Link - An inode that links directly to a specific file. The operating system keeps a count of references to this link. When the reference count reaches zero, the file is deleted. Soft Link - Also called a symbolic link. In this case, the link is not actually a file itself, but rather a pointer to another file or directory. You can think of this as the same thing as a shortcut, such as you might find in Windows.
Logical damage - More common than physical damage; it may prevent the host operating system from mounting or using the file system. Can be caused by power outages. Damage to how the data is stored Linux Run Levels - 0 - Halt 1 - Single User Mode 2 - Not Used 3 - Full Multiuser (no GUI) 4 - Not Used 5 - Full Multiuser (GUI) 6 - Reboot Logical Damage Recovery Techniques - Consistency Checking Zero-Knowledge Analysis Zero-Knowledge Analysis - The file system is rebuilt from scratch using knowledge of an undamaged file system structure. Anonymous Remailing - A suspect who uses anonymous remailing sends an e-mail message to an anonymizer Anonymizer - An e-mail server that strips identifying information from an e-mail message before forwarding it with the anonymous mailing computer's IP address. RFC 2822 - The standard for e-mail format, including headers MUST include From, Date SHOULD include Message-ID, and In-Reply-To Precedence Email Field -
Real-time access - To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order. CAN-SPAM Act of 2003 - The first law meant to curtail unsolicited e-mail, often referred to as spam. Must provide an opt-out mechanism 18 U.S.C. 2252B - This law is about perpetrators who attempt to hide the pornographic nature of their Web site, often to make it more accessible to minors. This is a very serious concern, and one that sometimes arises in child predator cases. Foreign Intelligence Surveillance Act (FISA) - U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism Ntdetect.com - A program that queries the computer for basic device/config data like time/date from CMOS, system bus types, disk drives, ports, and so on Ntbootdd.sys - A storage controller device driver Ntoskrnl.exe - The core of the operating system Hal.dll - An interface for hardware Smss.exe - A program that handles services on your system Lsass.exe - The program that handles security and logon policies
Crss.exe - The program that handles tasks like creating threads, console windows, and so forth Volatile Memory Analysis - A live system forensic technique in which you collect a memory dump and perform analysis in an isolated environment. Volatile Memory Analysis vs Live Response - Volatile Memory Analysis analyzes evidence on the collection system. Dump - A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper PsList - Live data analysis tool that lists all running processes on the system PsInfo - Live data analysis tool that tells systems uptime (time since last reboot), OS details, and other general system information. PsLoggedOn - Live data analysis tool that helps you discover users who have logged on both locally and remotely. Also tells you who is logged on to shares of the current machine PTFinder - Perl script memory analysis tool that enumerates processes and threads in a memory dump Alternative Data Streams - Essentially a method of attaching one file to another file, using the NTFS file system Index.dat - File used by Microsoft Internet Explorer to store Web addresses, search queries, and recently opened files.
