343 Flashcards

(97 cards)

1
Q

What is forensic computing

A

Application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation
Building a clear and evidence-based report with regard to a computer system

2
Q

Describe IT in computer forensics

A

IT facilitates commission of and investigation into the act in question

3
Q

Describe the internet in reference to computer forensics

A

Internet provides major arena for new types of crime and means of potentially tracking criminal behaviour

4
Q

What are the 2 main themes of forensics

A

Computer forensics
Intrusion forensics

5
Q

Computer/intrusion forensics involves data…

A

Preservation
Identification
Extraction
Documentation
Interpretation

6
Q

Describe the methodologies/procedures of computer forensic specialists

A

Clear and well defined
Flexible when faced with the unusual/unexpected

7
Q

Describe the role of law in computer forensics

A

Legal terms often used
-Seizure, evidence and investigation

Not all computer misdeeds are criminal

8
Q

What applications of computer forensics are not for criminal prosecution

A

Determine root of event to ensure no repeat
Identify responsibility
Internal investigation within an organisation
Intelligence operations
Law enforcement

9
Q

Describe the global impact of the internet

A

Enhanced interconnected system allows for rapid data discovery and sharing
Opens area of investigation to a global investigation
Still growing

10
Q

List cyber concerns

A

Paedophilia/other abuse
Fraud, e.g. phishing, scam, identity theft
Cyber warfare
Hate crimes, harassment, bullying, stalking
Use of digital equipment for crime, e.g. encrypted email/messaging, crime-related documents
Monitoring and capture of network traffic to steal sensitive information, e.g. user IDs, passwords
Hacking - unauthorised access to resources, e.g. disclosure, modification and destruction of resources

11
Q

What are the different computer crime classifications

A

The computer is the target of the crime, with the intention of damaging its integrity, confidentiality or availability
Computer is a repository for information used or generated in the commission of a crime
The computer is used as a tool for committing the crime

Not mutually exclusive

12
Q

What are the legal considerations of computer forensics

A

Search and seizure
Paradox of protecting privacy and solving computer crimes
-User perspective vs. law enforcement perspective
Global access for activities, e.g. banking, travel, email and phone

13
Q

What are the legal challenges of computer forensics

A

Jurisdiction/applicable laws
Crime classification - differences in laws/jurisprudence
Differences in legal systems
-accessing digital evidence, authority, human rights, ethics

14
Q

What are the operational challenges of computer forensics

A

Technical and legal cooperation across countries
Harmonisation of laws
Cooperative investigation

15
Q

Define computer security

A

Preserve a system as it's meant to be (as per security policies)

16
Q

What is the aim of forensic computing

A

Set out to explain how a policy became violated
(especially intrusion forensics)

17
Q

How does discrepancy occur

A

Historic
Security policies
Technology changes

18
Q

What are the goals of computer security

A

Confidentiality
Integrity
Availability

19
Q

How is computer security enforced

A

Preventative countermeasures
Mitigating countermeasures
Transferring countermeasures
Recovery countermeasures

20
Q

Compare computer security and computer forensics

A

Degree of overlap between raw materials used by both fields
Different and sometimes opposing aims
Security functions implement minimal logging
Security countermeasures may work against forensic computing

21
Q

How were forensic examinations used in early computer crimes

A

To recover evidence

22
Q

What are the 2 scenarios for the role of a computer in a crime

A

Computers as facilitators/repositories of evidence relating to more traditional crimes
Computers being targets for crime, e.g. hacking

23
Q

What does CFSAP stand for

A

Computer Forensics
-Secure, Analyse, Present

24
Q

What are the 4 key elements of the CFSAP model

A

Identification
Preservation
Analysis
Presentation

25
Q

What is the aim of CFSAP

A

To provide a high-level view of procedures that may be developed

26
Q

What are the principles of evidence

A

Admissible
Authentic
Complete
Reliable
Believable

27
Q

What is the predominant model in the UK for forensic principles and methodologies

A

The Association of Chief Police Officers (ACPO) "Good Practices Guide for Computer Based Evidence"
Only accepted current standard of practice for digital evidence

28
Q

What are the 4 ACPO principles

A

No action taken by law enforcement agencies or their agents should change data on a computer or storage media which may subsequently be relied on in court
In exceptional circumstances, when a person finds it necessary to access original data held on a computer/storage media, that person must be competent to do so and be able to give evidence explaining the relevance and implications of their actions
An audit trail or other record of all processes should be created and preserved; an independent third party should be able to examine those processes and achieve the same results
The person in charge of the investigation (case officer) has overall responsibility for ensuring that the law and these principles are adhered to

29
Q

What are the ACPO steps for investigating personnel

A

Pre-search
Briefing
Search preparation - toolkit
Records to be kept
Interviews

30
Q

Define pre-search

A

Trying to get as much information as possible about the type, location and connection of any computer system

31
Q

Describe the records to be kept process

A

Record all steps at the scene of a crime, e.g. sketch map of scene, details of persons present, details of computer, display details

32
Q

Define official sensitive

A

A descriptor within OFFICIAL that identifies information requiring safeguarding against unwarranted disclosure and typically requiring more rigorous handling controls

33
Q

What are the categories for sexual offences

A

Category A - images involving penetrative sexual activity and/or images involving sexual activity with an animal or sadism
Category B - images involving non-penetrative sexual activity
Category C - other indecent images

34
Q

What is addressed by the Computer Misuse Act 1990

A

Unauthorised access to computer material
Unauthorised access with intent to commit other offences
Unauthorised modification of computer material

35
Q

What is addressed by the Police and Criminal Evidence Act 1984

A

General power of seizure
Power to require that information held on a computer be handed over

36
Q

What is addressed by the Criminal Justice and Police Act 2001

A

Describes the power by which an item can be seized if it is believed it may contain an item for which there is lawful authorisation to search

37
Q

What is addressed by the Electronic Communications Act 2000

A

Regulation of Cryptography Service Providers
Facilitation of electronic commerce, data storage, etc.
Telecommunications licences and supplemental

38
Q

Why are link analysis and link discovery becoming problematic

A

Multitude of devices
Often need to specify devices or files to be seized in the warrant
Admissible court evidence relies on concrete data - difficult to maintain assertions
Cheap processing power

39
Q

What is the purpose of link analysis

A

Can indicate where to focus an investigation
Can infer some stateful knowledge about the players involved, but does not infer statistical knowledge

40
Q

During execution, across which components is the state information describing what the computer is and has been doing distributed

A

CPU
Dynamic storage
The backup/permanent store
Network

41
Q

Describe the CPU as storage media in computer forensics

A

Executes its current operation on data in dynamic storage
Its working registers show what the operation is doing and with what

42
Q

Describe dynamic storage as storage media in computer forensics

A

Contains fragments of the OS, apps currently being executed and pages of temporary data

43
Q

Describe the backup/permanent store as storage media in computer forensics

A

E.g. fixed/removable disks, tapes and CDs
Contains persistent data - files retained from one session to the next

44
Q

Describe the network as storage media in computer forensics

A

Components' records contain network data such as data sent, phone connections and router information

45
Q

What is the order of drive file structure

A

Hard drive -> Partition -> File system -> File record -> Field

46
Q

Describe the structure of a hard drive

A

Sets of data structures organised in layers

47
Q

Describe conceptual storage

A

Allows a hard drive to appear as multiple individual drives by configuring it into more than one partition
Each partition is referenced separately by the OS

48
Q

What is a boot partition

A

The partition that takes control when the computer is switched on

49
Q

Where is partition information held

A

The partition table

50
Q

What is a filesystem

A

A hierarchy of directories that is used to organise files on a computer or storage media

51
Q

Describe the process of a filesystem

A

OS stores files in the filesystem
Filesystem has one (or more) indexes with a unique identifier for each object and contains location information
Enables access to objects when requested
Filesystem tables vary in sophistication

52
Q

Describe NTFS (New Technology File System)

A

Modern, well-formed file system
Commonly used by Windows Vista, 7 and 8
Simple and feature-rich organisation
Can be used in large volumes up to 16 EB
Files stored can be as large as the partition
Partitions occasionally become fragmented and should be defragmented every 1-2 months
Can read/write with Windows/Linux
Can only be read from Mac OS
Recommended for all media primarily used on modern Windows systems

53
Q

Describe FAT (32) (File Allocation Table)

A

General-purpose file system compatible with all major operating systems
Relatively simple technical underpinnings
Default file system for all Windows OS before 2000
Due to its oversimplistic structure, suffers from over-fragmentation, file corruption and limited file names/size
Cannot extend beyond 2TB
Files cannot exceed 4GB
Needs to be defragmented often to maintain decent performance
Generally used for small-capacity devices where portability between OSs is paramount
Not recommended unless using an old Windows OS

54
Q

Describe exFAT

A

A Microsoft file system that is compatible with Windows and Mac OS
Compatible with many media devices
Partitions can extend up to extremely large disk sizes (512 TiB)
Can store files up to 16EiB
Not compatible with Linux/Unix
Should be defragmented often
Cannot pre-allocate disk space

55
Q

Describe HFS+ (Hierarchical File System Plus)

A

File system developed by Apple for Mac OS
Maximum volume 8 EB
Files can be as large as the partition
Can be read but not written by Windows
Can be read/written by Linux with the use of drivers

56
Q

Describe ext4

A

Extended file system
Created to be used with the Linux kernel
Can support volumes up to 1 EiB
16TB max file size
XFS recommended over ext4 for volumes over 100TB
Backwards compatible with ext2 and ext3
Can pre-allocate disk space
Cannot be read by Windows or Mac

57
Q

What is mounting

A

The attaching of an additional filesystem to the currently accessible filesystem of a computer
Ensures your computer recognises the media's format and instructs your computer to incorporate the media's filesystem into your filesystem

58
Q

What is a file format

A

Specifically coded template written on a piece of media

59
Q

What is a mount point

A

A locally available link through which you access an external device
Created when media is successfully mounted

60
Q

What is the block size for UNIX

A

1000 blocks = 1MB

61
Q

What is the cluster size for Windows

A

Max cluster size = 4KB

62
Q

What is slack space

A

Excess wasted capacity in the last block/cluster of a file

63
Q

Describe slack space

A

In an OS there is usually a lot of unallocated space containing some data
Every file that is not an even multiple of the block/cluster size has some associated slack space
The last block/cluster in a file has often been used for some other purpose
Average slack space per file is half of the block/cluster size
Larger block size = more unallocated space at the end of a file

64
Q

Describe how slack space is hidden

A

Not deliberately hidden, waiting to be overwritten
OS does not allow access to slack space - not allowed to read beyond end of file
Reading a file into memory means slack space will not come with it
Writing a file to removable magnetic media with a different block size = different slack space left behind on the media
Therefore, forensic-level work cannot take place at the file level; an actual image must be made of part/whole of the hard drive

65
Q

How can a partition utility be used

A

To identify the location/type of all partitions and whether or not they use all of the space on a hard drive

66
Q

How do you analyse partitions

A

Check size and number of partitions
Ensure total space on partitions adds up to hard drive size
There may be a discrepancy from the expected drive size
E.g. for a disk drive vendor 1KB is 1000 bytes, but for fdisk it is 1024

67
Q

What can unallocated space contain

A

Anything written to the hard drive
-Virtual memory or swap space is a file that grows/shrinks as needed
-Can contain all types of sensitive data

68
Q

Can you erase a hard drive

A

Faint image is retained after a hard drive 'wipe'
Can recover overwritten tracks bit by bit with an electron microscope
Magnetic 'residue' can be discovered given a suitable lab and expense
Overwritten patterns can be reversed, but truly random data makes recovery difficult

69
Q

What is the purpose of a TRIM command

A

Allows an OS to inform an SSD which blocks of data are no longer in use so they can be erased internally

70
Q

Describe how SSD works

A

Employs smart wear-levelling techniques that write to a different block when data stored in a certain block is being modified, instead of reusing existing blocks of memory
This causes blocks containing potentially sensitive data to be scattered across the memory chip

71
Q

What is the ATA Secure Erase (SE) command

A

Implemented by some SSD drives
Can wipe the entire contents of a drive at hardware level

72
Q

List obstacles to the forensic process

A

Computer evidence can be readily altered/deleted
Computer evidence can be invisibly and undetectably deleted
Computer evidence can appear to be copied when it is undergoing alteration
Computer evidence can share the same transport pipeline as other data while in transit
Computer evidence is stored in a different format to when it is printed/displayed
Generally difficult for the layman to understand

73
Q

What are the courts' standards for searching/extracting data

A

Careful non-invasive imaging of the original data disk to a faithful bit-by-bit duplicate to be searched at leisure
Search warrants have to be more specific in terms of the particular file type or file content to be investigated
The party seizing the evidence must ensure all items seized fall within the terms of the warrant

74
Q

What is the operational model of forensic computing

A

Collection -> Examination -> Analysis -> Reporting
Media -> Data -> Information -> Evidence

75
Q

What investigation aspects must the investigator be prepared to show the integrity of

A

Collection
Chain of evidence
Authentication
Recovery
Verification

76
Q

What is required for the collection process

A

All personnel at the search scene must be adequately briefed in respect of the intelligence, information and logistics of the search and enquiry and the specific matter of computers

77
Q

Define the collection process

A

The search for, recognition of, collection of and documentation of computer-based electronic evidence
Can involve real-time information and stored information that may be lost unless proper precautions are taken at the scene

78
Q

Where can imaging take place

A

At the investigation site
In the lab

79
Q

What is the purpose of imaging

A

Allows analysis at physical and logical levels
-bit-by-bit, sector-by-sector or bit-stream image
Once imaging is complete, further analysis can take place on the duplicates

80
Q

What is the purpose of records

A

Kept in order to record all steps taken at the scene of a search

81
Q

What recordings are taken from a scene

A

Sketch map of scene
Details of all persons present where computers are located
Details of computers - make, model, serial number
Display details and connected peripherals
Remarks/comments/information offered by users of computers
Actions taken at the scene with exact time

82
Q

Describe the chain of custody

A

The continuity of possession/custody of evidence and its movement and location from the point of discovery/recovery, to its transport to the lab for examination, until it is allowed/admitted to court
Most critical process of evidence documentation
Assures the court that the evidence is authentic, was at all times in the custody of a person designated to handle it and was never unaccounted for
Required for evidence to be relevant at court

83
Q

What are the three steps of file imaging and authentication

A

Identify
Duplicate
Authenticate

84
Q

Describe the purpose of the identify step

A

Investigator may need to identify just those files needed for analysis

85
Q

Describe the purpose of the duplicate step

A

Subsequent analysis must take place on the duplicate

86
Q

Describe the authenticate step

A

Original and copies must be authenticated

87
Q

What is the purpose of secure one-way hash functions

A

To provide proof of data integrity by providing a verifiable fingerprint or signature of the data

88
Q

What is a checksum

A

A calculated summary of a data portion
Used to ensure integrity of data portions for data transmission/storage

89
Q

What is a secure boot

A

A requirement used in file imaging to preclude any data modification on the original

90
Q

What is a write blocker

A

Intercepts inadvertent disk writes
Central requirement of a sound forensic examination: original evidence must not be modified during file imaging

91
Q

What steps ensure successful file imaging

A

Use secure boot
Use a hard disk write block tool
Set a hardware jumper to make the disk read-only
Use OS/software that is trusted not to write to disk unless given explicit instructions otherwise

92
Q

What are the NIST hard disk write block tool requirements

A

Tool shall not allow a protected disk to be changed
Tool shall not prevent obtaining any information from or about any disk
Tool shall not prevent any change to a disk that is not protected

93
Q

Describe logical (file-by-file) analysis

A

Investigates the contents of a file using the application that produced the file or an application-specific tool
Analyses files at the application level
-More convenient/efficient than physical analysis

94
Q

What are the advantages of logical (file-by-file) analysis

A

Will not overlook search strings split across logically consecutive sectors (unlike physical-only analysis)
Provides a high-level or semantic view of contents

95
Q

What is timelining

A

Associating a timestamp with each event or data item of interest
Crucial to an investigation
File 'last access' and 'last written' times correlated with other information
Builds up a time graph of activities
-times must be consistent with non-computer crime events

96
Q

What are the ACPO recommendations for search and seizure

A

1. Preparation - a review of the scope of materials covered by the court order and preparation of a plan of materials likely to be present and seized
2. Take notes/photograph everything at the scene
3. Shut down - if a computer is switched off it should be left that way; if a computer is switched on:
-Record display of screen
-Note time displayed
-Look at running processes in certain circumstances
-For MS shutdown, remove power cord; for UNIX, safe shutdown
4. Seizure - carry out appropriate labelling/packaging
5. Imaging
-Boot to a known trusted OS
-Use appropriate write blocking
-Image and authenticate disks and files to be duplicated
6. Physical analysis - sector-by-sector analysis of the disk image to identify hidden/accidental residues or suspicious file structure
7. Logical analysis
-boot an OS that supports the filesystem of the seized disk image
-file-by-file analysis of keywords/phrases, keeping a record of all metainformation
DOCUMENT ALL ACTIONS