Digital evidence and basic investigative procedures Flashcards

1
Q

What is digital evidence?

A

Evidence of value stored or transmitted in digital form that can be relied upon in court.

2
Q

Name 3 great features of digital evidence

A
  1. Easy to replicate if needed
  2. Often reliable
  3. It can almost always be restored, even if the device is destroyed
3
Q

What are the 3 computer crime categories?

A
  1. Computers as targets
  2. Computers as data repositories
  3. Computers as a tool
4
Q

Explain computers as targets

A

It means that the computer is the object of the crime, for example stolen, exposed to a virus or hacked.

5
Q

Explain computers as repositories

A

A passive state of holding information.

6
Q

Explain computers as tools

A

The computer was used as a tool for planning and conducting a crime, such as forging documents, deleting files or corrupting an image, plus communication for planning and conducting crimes.

7
Q

What is the importance of digital evidence?

A
  • Prove or disprove the integrity of other pieces of evidence
  • Prove the guilt of a party (inculpatory evidence)
  • Prove the innocence of a party (exculpatory evidence)
8
Q

Kruse & Heiser talk about an investigative procedure, which?

A

The three A's:

  • Acquiring the evidence
  • Authenticating the validity of the extracted or retrieved data
  • Analyzing the data
9
Q

Explain Locard's principle

A

During any kind of activity there is an exchange of evidence between the perpetrator and the crime scene (including all the artifacts): the perpetrator leaves some evidence behind and takes some away.

Contact between any two entities/items will result in an exchange of data, information and/or physical evidence.

10
Q

When starting an investigative procedure, there are two questions to be asked, which?

A
  1. What are we going to work with?
    (such as policies, system utilities, applications, logs, technical procedures)
  2. Whom and what are we monitoring?
    (Such as employees/employer, access rights, e-mails, surfing logs, chat room records)
11
Q

What is the difference between patent and latent evidence?

A
  • Patent evidence is easily seen, handled and photographed.
  • Latent evidence usually needs additional processing to be revealed.

12
Q

What is the biggest difference between the paper and electronic format of a document, from a forensic perspective?

A

Unless written explicitly, paper documents have no metadata to indicate who, when and where the document has been created, modified or in any other way manipulated.

13
Q

Why is maintaining the metadata so important?

A

Metadata is data about the data. When you change anything, like copying, deleting or opening a file, the metadata is changed, which can make the evidence less trustworthy. It is critical to avoid any changes to evidence!

14
Q

Which two evidence characteristics are there, and why is this important to the investigation process?

A

  • Class
  • Individual

Starting from general (class) evidence and going towards specific (individual) evidence, the process is used to reduce the margin of error.

15
Q

Name the case assessments and requirements (7)

A
  • Situation (local and global environment)
  • Nature of the case
  • Specifics
  • Types of evidence
  • Operating system (working environment)
  • Archive storing formats
  • Location of evidence
16
Q

There are 4 questions you need to ask when receiving handled evidence, which?

A
  1. Who extracted the evidence and how?
  2. Who packed it?
  3. Who stored the evidence, how and where?
  4. Who transported it?
17
Q

What are the steps of the Chain-of-Custody?

A
  1. Identify
  2. Photograph
  3. Document
  4. Package
  5. Transport
  6. Store
  7. Destroy or return
18
Q

Why is the chain-of-custody closely connected to authentication?

A

Sometimes authentication is the same thing as ensuring recovered evidence is the same as the original data.

19
Q

There is a technical standpoint to authentication, which?

A

It's not always possible to compare the original data to the acquired evidence.

20
Q

There is a legal standpoint to authentication, which?

A

Authentication is the process of determining the worthiness of the evidence.

21
Q

Which are the two stages in the authentication process?

A
  1. Check if the evidence is really what the proponent claims
  2. Analyze the value (relevance and validity)

22
Q

Is the absence of evidence the evidence of absence?

A

NO!

23
Q

Which two precautions should you take when authenticating evidence, according to best practice?

A
  1. Keep the number of people involved to a minimum
  2. Document to demonstrate the absence of evidence alteration

24
Q

Documentation is key for authentication. List the documentation requirements for Case, Equipment and Evidence (3 each).

A

Case

  • Number
  • Investigators/Organization
  • Nature of the case

Equipment (any devices involved)

  • Manufacturer
  • Vendor
  • Model and serial number

Evidence

  • Location
  • Recording entity
  • Time and date of recording
25
Q

When recovering evidence, there is a rule of thumb. Explain.

A

Extract and collect as much as you can and avoid going back, as this is often impossible.

26
Q

When the evidence has been recovered, which two things should be done?

A
  1. Compress the evidence with lossless compression tools
  2. Hash for integrity after storing and transporting (using tools like MD5, SHA-1 etc.)

27
Q

When preserving evidence, there is no set standard, but it's recommended that you follow 4 guidelines, which?

A
  1. Make back-ups
  2. Document everything
  3. Control access
  4. Validate and/or authenticate data based on standard procedures
28
Q

When transporting evidence it is important to protect the chain of custody. The Digital Forensic Investigator should demonstrate that there were no opportunities for evidence to be… (3 things)

A
  1. Altered
  2. Tampered with
  3. Compromised in any other way
29
Q

How can the digital forensic investigator protect the evidence during transport?

A

With strong data hiding techniques like encryption, passwords and steganography.

30
Q

During transport, electronic devices must be protected from… (5)

A
  1. Electronic or magnetic interference
  2. Impact and vibrations
  3. Heat and humidity
  4. Loss and theft
  5. Breaking of the chain-of-custody
31
Q

When the evidence arrives at the storage facility you need to…

A
  1. Identify the evidence
  2. Inventory the evidence
  3. Make sure the evidence is stored safely
32
Q

Safety procedures to secure evidence (4) …

A
  1. Access limited to storage custodian
  2. Any access has to be documented
  3. Maintain the chain of custody
  4. Independent quality assurance