08 Digital Forensics Flashcards
(33 cards)
Which of the following is a matter that fraud examiners should consider when engaging in examinations involving computers?
A. What to look for and where to look for it
B. Whether an outside forensic expert is needed
C. Whether law enforcement should be notified
D. All of the above
D. All of the above
Once an organization has received evidence that misconduct involving digital devices has occurred, it should determine the need for law enforcement assistance. If it is determined that the victim organization will make a formal referral to law enforcement or a prosecuting agency, then the organization should notify the authorities before conducting an investigation to determine whether law enforcement personnel should participate in the examination.
When conducting an examination involving computers, fraud examiners should determine whether a digital forensic expert is needed. Digital forensic experts are individuals who specialize in identifying, recovering, collecting, preserving, processing, and producing digital data for use in investigations and litigation.
To conduct a successful examination, fraud examiners must know what to look for and where to look for it, but this can be difficult because digital data can be stored in large volumes and in a number of different locations. For example, the fraud examiner should know where to look for information on any suspect computer systems, information on a suspect’s workstation, including any peripherals or other portable media devices that contain data, information stored on any network from which the suspect’s traffic flows, and information stored in cloud storage services.
Due to privacy issues, Web browsers do not record a user’s time and date information relevant to each visit.
A. True
B. False
B. False
Internet browsers keep history databases and cache (temporary Internet) files that record the websites a user has visited. These records show which sites were visited and normally include the date and time of each visit; the cache can also hold copies of images previously viewed online. With this information a fraud examiner can reconstruct the websites and images the system's users viewed. The history should be read from a copy taken from the forensic image rather than from the live browser profile, and its timestamps must be converted with the epoch the particular browser uses, since browsers do not share one time format.
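As an added example that is not part of the flashcard set, the following reads visit times and URLs from a Chrome/Chromium-style History database. The database is constructed in memory with only the columns the example needs (a subset of Chrome's real urls and visits tables), and the URLs and timestamps are made up. The point it shows is the timestamp conversion: Chrome records microseconds since 1601-01-01 UTC, so the raw integers mean nothing until converted, and a value of 0 means "no visit recorded", not the year 1601.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome and Chromium record times as microseconds since 1601-01-01 00:00 UTC
# ("WebKit time"). Firefox's places.sqlite uses microseconds since the Unix
# epoch instead, so confirm which browser wrote the file before converting.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime.
    Chrome stores 0 when there is no visit time, so 0 maps to None, not 1601."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion; used here only to build the constructed sample rows."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history():
    """Constructed sample (assumption: only the columns this example needs,
    a subset of Chrome's real 'urls' and 'visits' schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
        """
    )
    t0 = datetime(2023, 5, 14, 9, 15, tzinfo=timezone.utc)
    wire = t0 + timedelta(minutes=12)
    inbox1 = t0 + timedelta(minutes=30)
    inbox2 = t0 + timedelta(minutes=45)
    con.executemany(
        "INSERT INTO urls VALUES (?, ?, ?, ?, ?)",
        [
            (1, "https://bank.example.com/wire", "Wire transfer", 1, datetime_to_webkit(wire)),
            (2, "https://mail.example.com/inbox", "Inbox", 2, datetime_to_webkit(inbox2)),
            (3, "https://intranet.example.com/hr", "HR portal", 0, 0),  # constructed row with no visit time
        ],
    )
    con.executemany(
        "INSERT INTO visits VALUES (?, ?, ?, ?)",
        [
            (1, 1, datetime_to_webkit(wire), 0),
            (2, 2, datetime_to_webkit(inbox1), 0),
            (3, 2, datetime_to_webkit(inbox2), 0),
        ],
    )
    con.commit()
    return con


def list_visits(con):
    """Return (utc_iso_time, url, title) for every recorded visit, oldest first.
    'visits' is joined back to 'urls' because Chrome keeps one urls row per
    address but one visits row per visit, so the timeline lives in visits."""
    sql = """SELECT v.visit_time, u.url, u.title
             FROM visits AS v JOIN urls AS u ON u.id = v.url
             ORDER BY v.visit_time"""
    return [(webkit_to_datetime(t).isoformat(), url, title)
            for t, url, title in con.execute(sql)]


def list_urls_never_visited(con):
    """Addresses present in 'urls' with no recorded visit time (last_visit_time = 0)."""
    return [url for (url,) in con.execute("SELECT url FROM urls WHERE last_visit_time = 0")]


if __name__ == "__main__":
    history = build_sample_history()
    for when, url, title in list_visits(history):
        print(when, url, title)
    print("no visit time:", list_urls_never_visited(history))
```

Against a real acquisition, replace build_sample_history with sqlite3.connect on the History file copied out of the image; Chrome locks the live file, which is one more reason not to work on the running suspect system.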
Which of the following is TRUE about using computer-created metadata in forensic investigations?
A. Metadata information can help determine who wrote a document
B. Metadata information can help determine who received a document
C. Metadata information can help determine when a document was created
D. All of the above
D. All of the above
Metadata is a type of computer-generated data that can be helpful in a fraud investigation. Metadata is data about data, and these files contain a tremendous amount of information. Metadata information can help determine who wrote a document; who received, opened, copied, edited, moved, or printed the document; and when these events occurred.
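As an added example that is not part of the flashcard set, the following pulls the author, last editor, revision count, creation and modification times, and total editing time out of an Office Open XML document (docx, xlsx, pptx), which is a ZIP container whose docProps/core.xml and docProps/app.xml parts hold exactly this metadata. The sample document is constructed here with those two parts only, so a word processor would not open it, and the names, title and times in it are invented. The consistency checks at the end are the practitioner's caveat: metadata is written by the application and can be edited or stripped, so it corroborates other evidence rather than proving anything on its own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# docx/xlsx/pptx files are ZIP containers. These namespace URIs are the
# standard OOXML ones for the two metadata parts read below.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def parse_w3cdtf(value):
    """Parse the W3CDTF timestamps Office writes (e.g. 2023-04-02T08:14:00Z)."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_anomalies(meta):
    """Cheap consistency checks. Metadata is written by the application and can
    be edited or stripped by the user, so these are leads, not proof."""
    out = []
    created, modified = parse_w3cdtf(meta.get("created")), parse_w3cdtf(meta.get("modified"))
    if created and modified and modified < created:
        out.append(f"modified ({meta['modified']}) precedes created ({meta['created']})")
    if meta.get("revision") == "1" and (meta.get("total_edit_minutes") or 0) > 60:
        out.append("revision 1 but over an hour of edit time; revision may have been reset")
    return out


def extract_office_metadata(blob):
    """Read author, last editor, revision, timestamps and edit time from an
    OOXML document given as bytes. Missing parts simply yield None values."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("title", "dc:title"), ("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("revision", "cp:revision"),
                              ("created", "dcterms:created"),
                              ("modified", "dcterms:modified")):
                meta[key] = core.findtext(path, namespaces=NS)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = app.findtext("ep:Application", namespaces=NS)
            meta["company"] = app.findtext("ep:Company", namespaces=NS)
            total = app.findtext("ep:TotalTime", namespaces=NS)
            meta["total_edit_minutes"] = int(total) if total else None
    meta["anomalies"] = find_anomalies(meta)
    return meta


def build_sample_docx(created="2023-04-02T08:14:00Z"):
    """Constructed stand-in for a .docx: only the metadata parts are included,
    so Word would not open it, but the ZIP layout and XML are the real ones."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q2 vendor payments</dc:title>
<dc:creator>kirby</dc:creator>
<cp:lastModifiedBy>payroll-admin</cp:lastModifiedBy>
<cp:revision>7</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2023-05-13T22:41:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}">
<Application>Microsoft Office Word</Application>
<TotalTime>95</TotalTime>
<Company>Cadence Irrigation</Company>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_office_metadata(build_sample_docx()).items():
        print(f"{key:>20}: {value}")
```

Run it against a real file with extract_office_metadata(open(path, "rb").read()) on a copy taken from the forensic image. Note that the creation time recorded inside the document and the creation time the file system records for the file are separate facts and frequently disagree (a document copied or emailed keeps its internal dates), which is exactly the kind of discrepancy worth explaining in a report.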
When seizing a computer for examination, the seizing party should look around the area for passwords because many people leave passwords written down near their computers.
A. True
B. False
A. True
Because many people write down or record their passwords near their computers, fraud examiners should look around for notes that might be passwords. These can supply the passwords needed to reach encrypted or password-protected data when the person who knows them is uncooperative and will not divulge them. Encrypted data can sometimes be reached without the password (by cracking it, through a recovery or escrow key, or by compelling cooperation), but having the password saves time and effort. Any password found should be tried against the forensic image or a copy of the protected file, not typed into the original suspect system, so that the original evidence is not altered.
Steganography refers to procedures used to convert information using an algorithm (called a cipher) that makes the information unreadable.
A. True
B. False
B. False
Encryption refers to procedures used to convert information using an algorithm (called a cipher) that makes the information unreadable.
Steganography is the process of hiding one piece of information within an apparently innocent file. For example, a user can use the least significant bits of a bitmap image to hide a message. Changing the least significant bit alters each pixel value by at most one, so there is almost no perceivable change in the image itself, and without the original image to compare against the alteration is very hard to spot by inspection alone. It is not undetectable, however: statistical tests on the pixel values can still reveal it.
Fraud examiners should take which of the following steps when securing a computer to help ensure that the machine can be fully analyzed?
A. Inspect the machine for traps
B. Examine and document the machine’s surroundings
C. Implement a system to manage the evidence
D. All of the above
D. All of the above
To ensure that a machine can be fully analyzed, the fraud examiner should adhere to the following practices:
1. Examine and document the machine’s surroundings.
2. Inspect for traps.
3. If the computer is off, leave it off.
4. Consider collecting volatile data “live.”
5. Secure the evidence.
6. Image the system hard drives.
7. Document the collection process.
8. Implement a system to manage the evidence.
Forensic analysis should not be performed directly on suspect devices because doing so can alter or damage digital evidence.
A. True
B. False
A. True
Once a computer system is seized and before any analysis occurs, it should be imaged for analysis. Forensic analysis should not be performed on suspect devices directly because doing so can alter or damage digital evidence. Imaging the data from suspect devices allows a fraud examiner to view and analyze a computer’s contents without altering the original data in any way.
Imaging is the process of making a forensic image of a hard drive or other digital media and writing it to separate media for analysis. A forensic image (also called a forensic copy, mirror image, or ghost image) is a bit-for-bit duplicate of the source, including unallocated space, not merely a copy of its files. The source should be attached through a write blocker, and a cryptographic hash (e.g., SHA-256) of both the source and the image should be computed and recorded so that the copy can be shown to be identical to the original and to have remained unchanged since acquisition.
Which of the following is a unique challenge of cloud forensics not faced in traditional forensic practices?
A. Lack of information accessibility
B. Lack of frameworks and specialist tools
C. Lack of data control
D. All of the above
D. All of the above
Conducting digital forensic investigations in the cloud environment (i.e., cloud forensics) presents challenges not faced in traditional forensic practices. Some of the important challenges of acquiring evidence from the cloud are:
* Lack of frameworks and specialist tools
* Lack of information accessibility
* Lack of data control
* Jurisdiction of storage
* Electronic discovery
* Preserving chain of custody
* Resource sharing
* Lack of knowledge
Which of the following best describes the image acquisition process used in examinations involving digital evidence?
A. Acquiring the digital evidence from the suspect
B. Taking photos of the digital equipment’s physical layout and connections
C. Analyzing the systems data in order to identify evidence
D. Creating an exact duplicate of the data on original storage media
D. Creating an exact duplicate of the data on original storage media
Once a computer system is seized and before any analysis occurs, it should be imaged for analysis. Forensic analysis should not be performed on suspect devices directly because doing so can alter or damage digital evidence, and imaging the data from suspect devices allows a fraud examiner to view and analyze a computer’s contents without altering the original data in any way.
Imaging is the process of making a forensic image of a hard drive or other digital media and writing it to separate media for analysis. A forensic image (also called a forensic copy, mirror image, or ghost image) is a bit-for-bit duplicate of the source, including unallocated space, not merely a copy of its files. The source should be attached through a write blocker, and a cryptographic hash (e.g., SHA-256) of both the source and the image should be computed and recorded so that the copy can be shown to be identical to the original and to have remained unchanged since acquisition.
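As an added example that is not part of the flashcard set, the following performs the acquisition described in this card and in the earlier imaging card in its simplest form: a chunked bit-for-bit copy of a source device to an image file, with a SHA-256 digest of the source computed while it is read and an independent digest of the finished image, plus a later verification step. The "device" is a constructed temporary file of pseudo-random bytes; on a real case the source path would be the block device behind a hardware write blocker, and the digests would go into the acquisition notes. It is illustration code, not any forensic tool's implementation.

```python
import hashlib
import os
import random
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so that images larger than memory can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def acquire_image(source, image_path, chunk=1 << 20):
    """Bit-for-bit copy of `source` to `image_path`.

    The source is opened read-only and hashed as it is read; the finished image
    is then re-read and hashed independently. Both digests are returned so they
    can be recorded with the acquisition. A mismatch means the copy cannot be
    relied on and the acquisition must be repeated. (A hardware write blocker is
    still required: the read-only open only protects against this program's
    own writes, not against the operating system touching the source.)"""
    reading = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            reading.update(buf)
            dst.write(buf)
            size += len(buf)
        dst.flush()
        os.fsync(dst.fileno())
    source_digest = reading.hexdigest()
    image_digest = sha256_of(image_path)
    if image_digest != source_digest:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return {"bytes": size, "source_sha256": source_digest, "image_sha256": image_digest}


def verify_image(image_path, recorded_sha256):
    """Re-hash an image later (before analysis, before court) and compare it
    with the digest recorded at acquisition."""
    return sha256_of(image_path) == recorded_sha256


def build_sample_device(path, seed=11):
    """Constructed stand-in for a small disk: pseudo-random bytes ending in a
    partial block so the copy loop's tail handling is exercised."""
    n = 3 * 512 * 1024 + 17
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(rng.getrandbits(8 * n).to_bytes(n, "big"))


def run_demo():
    """Acquire the constructed device, verify the image, confirm the source is
    untouched, then flip one byte of the image to show verification catching it."""
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "sdb.raw"), os.path.join(d, "sdb.dd")
        build_sample_device(dev)
        record = acquire_image(dev, img, chunk=4096)
        ok_before = verify_image(img, record["image_sha256"])
        source_unchanged = sha256_of(dev) == record["source_sha256"]
        with open(img, "r+b") as f:            # simulate tampering or bit rot
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(img, record["image_sha256"])
        return record, ok_before, source_unchanged, ok_after


if __name__ == "__main__":
    record, ok_before, source_unchanged, ok_after = run_demo()
    print(record)
    print("verifies before tampering:", ok_before)
    print("source untouched:", source_unchanged)
    print("verifies after one byte changed:", ok_after)
```

Real acquisitions add what this omits: reading past unreadable sectors and logging their offsets rather than aborting, recording the device's reported size and serial number, and writing the digests into a log signed by the examiner.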
If you are seizing a computer for forensic analysis, it is generally not necessary to seize printers connected to it.
A. True
B. False
B. False
Printers might contain valuable evidence. Many printers have internal hard drives that might contain information relevant to a fraud examination. In general, any information sent to and stored by a printer is recoverable unless the printer has overwritten the data. So, when seizing a computer for forensic analysis, it is generally necessary to seize any printers connected to it.
Generally, the rules of admissibility for digital evidence are stricter than such rules for tangible evidence.
A. True
B. False
B. False
Although digital evidence is different from—and more volatile than—tangible evidence, the rules regarding the admissibility of digital evidence in court are really no different from the rules regarding the admissibility of any other type of evidence.
Before removing a computer system from a scene for further analysis, it is important to document the system’s setup with photographs or diagrams.
A. True
B. False
A. True
The first step in the evidence-collection process is to examine and document the machine’s surroundings. The party seizing the computer should collect all printouts, disks, notes, and other physical evidence for further analysis, and he should document the scene with photographs or a diagram, depending on the complexity of the setup. Documenting the machine’s surroundings is important because the party seizing the computer might have to testify about what the area looked like on the day of the seizure, and it might be a year or longer before such testimony occurs.
Which of the following steps should a fraud examiner take prior to seizing evidence in a digital forensic investigation to ensure its admissibility?
A. Consider potential privacy issues related to the item(s) being searched
B. Ensure that all forensic equipment is legitimate, reliable, and used correctly
C. Obtain any necessary legal orders
D. All of the above
D. All of the above
Before the fraud examiner can seize evidence, he must take certain steps to help ensure that the evidence will be admissible. Such steps include determining whether there are any privacy interests in the item(s) to be searched; making appropriate preparations if the investigation involves the use of a legal order; and ensuring that all equipment used in a forensic capacity is legitimate and reliable (e.g., only use licensed software applications, independently validate all forensic equipment and maintain the validation on file). In addition, the fraud examiner must also ensure that he is properly trained to employ relevant digital forensic tools and that equipment is employed in the manner for which it was designed (e.g., know when to use write-blocking software prior to viewing data, confirm that imaging software was designed for use with the applicable operating system).
Which of the following is TRUE concerning the volatility of digital evidence?
A. Digital evidence is more volatile than tangible evidence because data can be altered or destroyed more easily than tangible information
B. The failure to preserve the integrity of digital evidence could result in evidence being deemed inadmissible in a legal proceeding
C. Once the integrity of digital evidence has been violated through alteration or destruction, it usually cannot be restored
D. All of the above
D. All of the above
Digital evidence is more volatile than tangible information because digital data can be altered or destroyed more easily. Because it can be so easily altered or destroyed, the integrity of digital evidence must be preserved; any alteration or destruction of the data is a violation of its integrity. What is more, the alteration or destruction of digital evidence is typically irreversible, so once the integrity of digital evidence has been violated, it usually cannot be restored.
Additionally, the failure to preserve the integrity of digital evidence could result in evidence being deemed inadmissible in a legal proceeding, or, even if admitted, it might not be given much weight because evidence of questionable authenticity does not provide reliable proof.
________ are digital files created under the computer user’s direction, such as text-based documents, spreadsheets, databases, emails, audio/video files, and image files.
A. User-protected files
B. Generated project files
C. User-created files
D. Computer-created files
C. User-created files
User-created files are digital files created under the user’s direction, and include text-based documents, spreadsheets, databases, email, address books, presentation slides, audio/video files, image files, and Internet bookmarks.
Tangible evidence is more volatile than digital evidence because tangible information is subject to claims of spoliation, whereas digital data is not.
A. True
B. False
B. False
Digital evidence is more volatile than tangible information because digital data can be altered or destroyed more easily than tangible information. Additionally, both digital and tangible evidence are subject to claims of spoliation (the act of intentionally or negligently destroying documents relevant to litigation). If proven, such claims could lead to monetary fines and sanctions, adverse inference jury instruction sanctions, or dismissal of claims or defenses.
If you are seizing a computer for forensic analysis, it is generally not necessary to seize copiers connected to it.
A. True
B. False
B. False
Copiers, scanners, and other multifunction devices—machines that provide printing, copying, scanning, and faxing functionalities in one device—have internal hard drives that might contain information relevant to a fraud examination. In fact, almost every copier built since 2002 has a hard drive that stores images of documents the machines have copied, scanned, or emailed. Some copiers store user access records and a history of copies made. And, as with most file systems, it might be possible to retrieve information from a copier’s hard drive that has been deleted. So, when seizing a computer for forensic analysis, it is generally necessary to seize any copiers connected to it.
Even if incriminating files have been deleted from a target computer, it might be possible to recover those files.
A. True
B. False
A. True
There are, in fact, a variety of ways of recovering deleted or hidden data from a target computer, and digital forensic experts are specially trained for such tasks.
Deleted files are recoverable until they are overwritten because deleting a file normally removes only the file system's reference to it; the data itself stays on the hard drive until the operating system reuses that space. A deleted file therefore remains present until all or part of it is overwritten, and the overwritten portions are not recoverable. On solid-state drives this window can be much shorter, because the drive may discard the freed blocks (TRIM) soon after deletion, so recovery there is less reliable.
Which of the following is a method that investigators can use to detect steganography?
A. Analyzing files on a computer system for structural oddities that suggest manipulation
B. Looking for visual anomalies in jpeg, bmp, gif, and other image files
C. Determining whether the statistical properties of files deviate from the expected norm
D. All of the above
D. All of the above
Steganography is the process of hiding one piece of information within an apparently innocent file. For example, a user can use the least significant bits of a bitmap image to hide a message. Changing the least significant bit alters each pixel value by at most one, so there is almost no perceivable change in the image itself, and without the original image to compare against the alteration is very hard to spot by inspection alone. It is not undetectable, however, which is what the methods below rely on.
Some common methods of detecting the use of steganography are:
* Visual detection by looking for visual anomalies in jpeg, bmp, gif, and other image files
* Audible detection by looking for audible anomalies in wav, mp3, mpeg, and other media files
* Statistical detection by determining whether the statistical properties of files deviate from the expected norm
* Structural detection by looking for structural oddities that suggest manipulation (e.g., size differences, date differences, time differences, content modification)
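As an added example that is not part of the flashcard set, the following implements both halves of what this card and the earlier steganography card describe: least-significant-bit embedding and extraction, and one concrete form of statistical detection, the pairs-of-values chi-square test (Westfeld and Pfitzmann's attack). The "image" is a constructed list of 8-bit sample values rather than a real bitmap; the message and all numbers are invented. LSB embedding can only move a sample between the two values of a pair (2k, 2k+1), so after a full embedding the two counts in every pair become nearly equal, which natural image data almost never shows. The statistic drops sharply on the stego data while every individual sample changed by at most one.

```python
import random


def embed_lsb(cover, message):
    """Hide `message` in the least significant bit of successive 8-bit samples
    (one bit per sample, most significant bit of each byte first) after a 2-byte
    length prefix. Each sample changes by at most 1, which is invisible to the eye."""
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message does not fit in cover")
    stego = list(cover)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego):
    """Read the 2-byte length prefix, then that many bytes, from the LSB plane."""
    def read_bytes(first_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[first_bit + 8 * b + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def pov_chi_square(samples):
    """Chi-square statistic over pairs of values (2k, 2k+1).

    LSB embedding only ever moves a sample between the two members of its pair,
    so fully embedded data has the two counts nearly equal (small statistic),
    while natural data usually does not (large statistic)."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected
    return chi


def make_cover(n, seed=7):
    """Constructed stand-in for an image's pixel values: 8-bit samples whose LSB
    is 1 only about 10% of the time, mimicking the uneven pair counts of real
    photographs. Not a real image."""
    rng = random.Random(seed)
    return [(2 * rng.randrange(128)) | int(rng.random() < 0.1) for _ in range(n)]


def demo():
    """Embed a constructed message at full capacity and return cover, stego, message."""
    cover = make_cover(4096)                               # 4096 samples = 512 bytes capacity
    message = (b"Wire the Cadence retainer Friday. " * 40)[:510]  # 510 + 2-byte prefix = 512
    stego = embed_lsb(cover, message)
    return cover, stego, message


if __name__ == "__main__":
    cover, stego, message = demo()
    print("recovered:", extract_lsb(stego)[:34])
    print("max per-sample change:", max(abs(a - b) for a, b in zip(cover, stego)))
    print("chi-square cover: %.1f   stego: %.1f" % (pov_chi_square(cover), pov_chi_square(stego)))
```

On a real file the samples would be the pixel bytes of the decoded bitmap (or the DCT coefficients of a JPEG), and the statistic is usually computed over a sliding window from the start of the data, since tools embed from the beginning and a short message leaves the tail of the image untouched.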
When seizing a computer that is running, the seizing party should generally not search the computer for evidence because doing so might damage and taint relevant evidence.
A. True
B. False
A. True
When seizing a computer that is running, the party seizing the system should not, in most situations, search the computer for evidence because doing so might damage and taint relevant evidence. But in some situations, it might be appropriate to perform live evidence collection (i.e., collect evidence from a suspect system while the system is up and running via its normal interface). Generally, live evidence collection is appropriate when a formally trained computer investigator is seizing the system and the evidence that the investigator needs exists only as volatile data: the contents of memory, running processes, open network connections, and similar state that is lost the moment the machine is powered off. Every command run on the live system should be recorded, because the investigator will have to account for the changes those commands themselves made.
Aston, a forensic investigator for Cadence Irrigation, is conducting an internal investigation into the alleged theft of trade secrets from Cadence. Kirby, a Cadence employee, is the prime suspect. Aston decides to seize Kirby’s work computer for forensic examination. If, at the time of seizure, Kirby’s computer is turned off, Aston should turn it on before seizing it.
A. True
B. False
B. False
When seizing a computer system that is switched off, it should not be turned on. Turning a system on might damage and taint any evidence that it contains.
Because digital evidence is different from tangible evidence, the rules regarding its admissibility in court are very different from the rules governing the admissibility of tangible evidence.
A. True
B. False
B. False
Although digital evidence is different from tangible evidence, the rules regarding the admissibility of digital evidence in court are really no different from the rules regarding the admissibility of any other type of evidence.
If a fraud examiner collects digital evidence, he should be able to state unequivocally that the evidence was not changed in any way by his actions. This requires that strict forensic methodologies be followed to satisfy the stringent evidentiary standards necessary to ensure the integrity of the evidence beyond a reasonable doubt for presentation in court. That is, digital evidence must be properly preserved in a forensically sound manner so that it will be admissible.
When a forensic investigator is seizing a running computer for examination, he can retrieve data from the computer directly via its normal interface if the evidence needed exists only in the form of volatile data.
A. True
B. False
A. True
When seizing a computer that is running, the party seizing the system should not, in most situations, search the computer for evidence because doing so might damage and taint relevant evidence. But in some situations, it might be appropriate to perform live evidence collection (i.e., collect evidence from a suspect system while the system is up and running via its normal interface). Generally, live evidence collection is appropriate when a formally trained computer investigator is seizing the system and the evidence that the investigator needs exists only as volatile data: the contents of memory, running processes, open network connections, and similar state that is lost the moment the machine is powered off. Every command run on the live system should be recorded, because the investigator will have to account for the changes those commands themselves made.
Which of the following is the MOST ACCURATE statement about the types of information that digital forensic experts typically can recover from computer systems?
A. Deleted files that have been overwritten usually cannot be recovered.
B. Hidden files can never be recovered.
C. Communications sent via chat or instant messenger cannot be recovered.
D. Data that is corrupted cannot be uncorrupted.
A. Deleted files that have been overwritten usually cannot be recovered.
Digital forensics encompasses the recovery and investigation of material found in digital devices, and digital forensic experts are individuals who specialize in identifying, recovering, collecting, preserving, processing, and producing digital data for use in investigations and litigation.
Sometimes retrieving digital data is as easy as searching the target computer’s hard drive, but other times retrieval requires a thorough knowledge of computers. For example, many fraudsters delete or hide incriminating files, and in these instances, efforts must be made to recover or find such data. There are, in fact, a variety of ways to recover deleted or hidden data from a target computer, and digital forensic experts are specially trained for such tasks.
Specifically, digital forensic experts are capable of analyzing digital media at the hexadecimal level, which means that such experts can view every sector, and all the bytes in those sectors, on a system. Thus, digital forensic experts can recover data from deleted files, both those that have been purposefully deleted and those that were accidentally deleted.
Deleted files are recoverable until they are overwritten because data is not erased from a computer’s hard drive until it is overwritten. A deleted file will remain present on a hard drive until the operating system overwrites all or some of the file. So, deleted files that have been overwritten generally are not recoverable.
Digital forensic specialists can recover, among other things, the following types of information from computers:
* Deleted files and other data that has not been overwritten (e.g., deleted documents, images, link or shortcut files, and email messages)
* Temporary auto-save files
* Print-spool files
* Websites visited, even where the browser history and cache have been deleted
* Communications sent via chat or instant messenger
* Financial-based Internet transactions
* Documents, letters, and images created, modified, or accessed, even if the data was not saved on the computer in some situations
* Data that has been copied, corrupted, or moved
* The time and date information about files (e.g., when files were created, accessed, modified, installed, deleted, or downloaded)
* Data from a drive that has been defragmented or reformatted
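As an added example that is not part of the flashcard set, the following shows one of the "variety of ways" this card and the earlier deleted-files card refer to: file carving, which scans the raw bytes of an image for known file headers and footers and ignores the file system entirely, so it still finds a file whose directory entry is gone as long as its clusters have not been reused. The "disk image" is constructed: 64 KiB of filler with a PNG-shaped and a JPEG-shaped stand-in dropped in on sector boundaries (correct signature bytes around empty bodies, not real pictures). Overwriting the clusters afterwards shows the limit stated in the card: once the data is overwritten, nothing is left to carve.

```python
# Header/footer signatures a carver looks for: a constructed subset of the
# kind of table tools such as scalpel or PhotoRec ship with.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),
    "pdf":  (b"%PDF-",             b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024   # give up on a header whose footer lies further away than this
SECTOR = 512

# Constructed stand-ins: correct header and footer bytes around zero-filled
# bodies. A real PNG also carries chunk CRCs; a carver does not check them.
PNG_FILE = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
JPEG_FILE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 200 + SIGNATURES["jpeg"][1]


def carve(image):
    """Scan raw bytes for known headers and return (kind, offset, data) for each
    header that is followed by its footer. The file system is ignored, which is
    why this works after directory entries are gone; it stops working once the
    clusters themselves have been reused."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end < 0:                  # header with no footer: truncated or partly overwritten
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def build_disk_image():
    """Constructed unallocated space: 64 KiB of filler with the two stand-in
    files placed on sector boundaries, as a file system would have left them."""
    image = bytearray(64 * 1024)
    image[8 * SECTOR:8 * SECTOR + len(PNG_FILE)] = PNG_FILE
    image[24 * SECTOR:24 * SECTOR + len(JPEG_FILE)] = JPEG_FILE
    return bytes(image)


def overwrite_range(image, offset, length, fill=b"\xaa"):
    """Simulate the operating system reusing those clusters for new data."""
    out = bytearray(image)
    out[offset:offset + length] = fill * length
    return bytes(out)


if __name__ == "__main__":
    image = build_disk_image()
    print("deleted but intact:", [(k, o, len(d)) for k, o, d in carve(image)])
    wiped = overwrite_range(image, 8 * SECTOR, SECTOR)
    print("after PNG sector reused:", [(k, o) for k, o, _ in carve(wiped)])
    tail = overwrite_range(image, 24 * SECTOR + 100, len(JPEG_FILE) - 100)
    print("after JPEG tail reused:", [(k, o) for k, o, _ in carve(tail)])
```

Carving recovers content but not names, paths or timestamps; those come from the file system's own deleted entries (for example NTFS MFT records marked unused), which is the other route a forensic examiner tries first when the metadata still exists. Fragmented files, where the clusters are not contiguous, defeat this simple header-to-footer approach and need smarter carvers.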