Chapter 15 - Digital Forensics

Question 1

Legal Hold

Answer 1

A Legal Hold is a notice that informs an organization that they must preserve data and records that might be destroyed or modified in the course of their normal operations. Backups, paper documents, and electronic files of all sorts must be preserved.

Question 2

e-discovery

Answer 2

The e-discovery process allows each side of a legal case to obtain evidence from each other and other parties involved in the case, and e-discovery is simply an electronic discovery process.

Question 3

Order of Volatility

Answer 3

The Order of Volatility documents what data is most likely to be lost due to system operations or normal processes. Frequently changing information like the state of the CPU’s registers and cache is first and thus most volatile. Backups are least likely to change.

Question 4

Chain-of-Custody

Answer 4

Chain-of-Custody forms are simple sign-off and documentation forms. Each time the drive, device, or artifact is accessed, transferred, or otherwise handled, it is documented.

Question 5

Admissibility

Answer 5

Admissibility for digital forensics requires that the data be intact and unaltered and have provably remained unaltered before and during the forensic process.

Question 6

dd

Answer 6

In Linux, dd is a command-line utility that allows you to create images for forensic or other purposes.

Question 7

FTK Imager

Answer 7

FTK Imager is a free tool for creating forensic images. It supports raw (dd)-style format as well as SMART, E01, and AFF formats commonly used for forensic tools.

Question 8

WinHex

Answer 8

WinHex is a disk editing tool that can also acquire disk images in raw format, as well as its own dedicated WinHex format. WinHex is useful for directly reading and modifying data from a drive, memory, RAID arrays, and other filesystems.

Question 9

Provenance

Answer 9

Provenance describes where an image or drive came from and what happened with it.

Question 10

Write Blocker

Answer 10

Write Blockers allow a drive or image to be read and accessed without allowing any writes to it.

Question 11

Electronic Discovery Reference Model (EDRM)

Answer 11

EDRM is a useful model for viewing the e-discovery process.

Question 12

What are the nine stages of the EDRM model?

Answer 12

1. Information governance before the fact to assess what data exists and to allow scoping of what needs to be provided.
2. Identification of electronically stored information so that you know what you have and where it is.
3. Preservation of the information to ensure that it isn’t changed or destroyed.
4. Collection of the information so that it can be processed and managed as part of the collection process.
5. Processing of the data to remove unneeded or irrelevant information.
6. Review of the data to ensure that it only contains what it is supposed to, and that information that should not be shared is not included.
7. Analysis of the information to identify key elements like topics, terms, and individuals or organizations.
8. Production of the data to provide the information to third parties or those involved in legal proceedings.
9. Presentation of the data, both for testimony in court and for further analysis with experts or involved parties.

Question 13

Checksum

Answer 13

A Checksum generally has more collisions than a hash. Checksums are primarily used as a quick means of checking that the integrity of a file is maintained, whereas hashes are used for many other purposes such as secure password validation without retaining the original password.