11. Digital Forensic

Question 1

what is digital forensic

Answer 1

1. to find, preserve, analyse digital data
2. criminal , private investigation, civil cases,
3. acquisition and documentation of evidence

Question 2

forensic process

Answer 2

1. acquisition
   - obtain data and source of data
   - use electro static bags
   - if device is powered on, be careful not to accidentally modify data
   - bring UPS to site in case battery runs out
2. identification
   - extract data artefacts like images, headers, emails…
   - write blocker used to extract
3. evaluation
   - evaluate and analyse data
   - is the data relevant to the case
4. presentation
   - present the result of findings

Question 3

chain of custody

Answer 3

1. documentation of evidence from time of collection until disposed
2. evidence handled by multiple people using different techniques
3. evidence is hashed at every iteration to check signature
4. if hashed signature is different, stop as it is changing the evidence
5. purpose is to show that evidence has not been modified, can be used in court

Question 4

image formats

Answer 4

1. raw
   - bit by bit
   - readable by most tools
   - takes up as much space as original
2. proprietary
   - compress, store and validate
   - limited to single tool
   - cannot share evidence

Question 5

identification

Answer 5

1. physical layer
   - identify and recover data across entire drive
   - file carving
   - keyword searching
2. logical layer
   - identify and recover data based on installed OS
   - extract meta data
   - recover deleted files

use different tools to show same results

Question 6

anti forensics

Answer 6

1. wiping hard drive
2. modify file meta data
3. steganography
4. encrypt or compress artifacts

Question 7

block chain advantages

Answer 7

scalable
cost effective
no single point of failure

Question 8

what is a block

Answer 8

block one = genesis
contains a hash of its content

block 2
contains a hash of its content + hash of block 1

therefore, if attacker wants to attack block 1, hash for block 1 changes which changes hash for block 2. Attacker has to attack all blocks after block 1

Question 9

proof of work

Answer 9

easy to validate
hard to solve
slow down attackers

when adding new blocks, 1 block calculates proof of work, the others wait and validate calculation

Question 10

block validation

Answer 10

to validate, need to start from first block to target block

arrange block in binary tree structure, Merkle tree

compare the hashes. If hash of children = parent, no issue
if hash of children != parent, one side has issue

Question 11

block tampering

Answer 11

need to either:

• tamper with all blocks, redo proof of work for all blocks
• take control of more than 50% of the blocks

Question 12

block chain vulnerabilities

Answer 12

1. 51% attack
   - legit miners always follow longest chain
   - if longest chain is malicious, they unknowingly join the attacker
   - to mitigate, miner from the original chain no delay, private miners have delay
2. double spend attack
   - when crypto currency is spent, blocks need to calculate proof of work which takes time
   - until proof of work is calculated, transaction is not recorded.
   - spend the same currency before transaction is recorded
   - to mitigate, use backup chain of blocks
   - notorised blocks will not follow longest chain
3. DDoS
   - to mitigate, systems mainly use to calculate proof of work, therefore use low bandwidth
   - if DDoS, direct to spare bandwidth
   - use deep web so attacker cannot find the IP