Advanced digital forensics practice

Question 1

What is forensic data carving

Answer 1

Identifying and recovering hidden or deleted files from digital media based on analysis of file formats

Question 2

Where might a file be hidden

Answer 2

Lost clusters
Unallocated clusters
Slack space

Question 3

List data hiding techniques

Answer 3

File manipulation
-file names
-hidden property

Disk manipulation
-hidden partitions
-bad clusters

Encryption
-Bit shifting
-Steganography

Question 4

How do you hide partitions

Answer 4

Delete references to partition
-recreate links for access

Use disk-partitioning utilities

Account for all disk space when analysing a disk

Question 5

How do you mark bad clusters

Answer 5

Place sensitive information on free space
Use disk editor to mark that space

Question 6

How is the logical size of a file determined

Answer 6

By the files actual size
Measured in bytes

Question 7

How is the physical size of a file determined

Answer 7

Number of sectors allocated to the file
Clustered into 4s, each cluster is 2048 bytes

Question 8

What is bit shifting

Answer 8

An old technique used to shift patterns to alter byte values of data to make files look like executable code

Question 9

How should you obtain the password needed to examine an encrypted file

Answer 9

Key escrow
Cracking password
-expert, powerful computers
Persuade suspect to reveal password
Dictionary attack
Brute force attack
Guess based on suspect profile

Question 10

What could be contained by a graphics file

Answer 10

Digital photographs
3D images
Scanned replicas of printed pictures

Question 11

What is data compression

Answer 11

Coding data from a larger to smaller form

Question 12

What is lossless compression

Answer 12

Reduces file size without removing data

Question 13

What is lossy compression

Answer 13

Permanently discards bits of information

Question 14

How do you locate and recover graphics files

Answer 14

OS tools
-time consuming
-results difficult to verify

Computer forensics tools
-image headers
-reconstruct fragmented image files

Question 15

How do you identify graphics file fragments

Answer 15

Carving/salvaging
-Recovers all file fragments

Computer forensics tools
-carve from slack/free space
-helps identify image file fragments and put them together

Question 16

How do you reconstruct file fragments

Answer 16

Locate and export all clusters of fragmented file
Determine starting and ending clusters of each group of clusters
Copy each group of clusters to a recovery file in the proper sequence
Rebuild file header so file is readable in a graphics viewer

Question 17

How does stenography hide data in image files

Answer 17

Insertion
-hidden data not displayed when host file is viewed
-can only hide a certain amount of data

Question 18

Describe program execution artifact investigations

Answer 18

Identify when certain programs were executed/used, how often they were used and who accessed them
Can help determine information about deleted and uninstalled programs
Proof of existing data in a location that is no longer available and the last time program was launched