Digital Forensics 2 Flashcards

1
Q

Any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. For a computer forensics investigator, that means that any tools, techniques, or processes you utilize in your investigation should be ones that are widely accepted in the computer forensics community.

*** Spyware can be done with cookies.

A

Daubert Standard

2
Q

??? can leave forensic information. Check the firewall logs to see where the connection came from, and check the database logs: some relational database engines log transactions, when they occurred, and what they were.

A

SQL Injection

3
Q

The perpetrator seeks out someplace on the target website that allows end users to post text that other users will see. Product reviews are a great place for this. But instead of posting a review or other text, the attacker will post JavaScript. If the website does not filter the user input before displaying it, then when other users navigate to this review, the script will execute. The attacker is only limited by his or her knowledge of JavaScript. One popular thing to do is to redirect the user to a phishing site. For forensics, an efficient method is to search the web server’s logs for any redirect messages (these are HTTP messages in the 300 range), then determine whether any of these redirects cannot be accounted for via legitimate web coding.

A

XSS

4
Q

When you choose your local Windows password, the password you choose is hashed and stored in the SAM file, which is found in the Windows\System32\ directory. The hash of the password is not the password itself, but it is created from the password using a hashing algorithm that makes two identical hashes for different passwords very unlikely. When investigating password breaking, check the logs for a reboot with a successful admin login. If physical intrusion is suspected, use security cameras and even fingerprints. Finding that an actual user account is logged in when the user is not even present can also show signs of an attack.

A

info …

5
Q

Cyberstalking and harassment is an interesting computer crime in that the computer is simply incidental. The intent of the crime is to target the human victim; the computer is just a vehicle. Fortunately, stalkers are often not the most technically savvy computer criminals. In stalking cases, you should begin with tracing emails and text messages. In many cases, they come directly from the perpetrator with little or no attempt to obfuscate the crime. Of course, if a suspect is arrested, any electronic devices in his or her possession should be examined for evidence. Stalking, by definition, indicates repeated, obsessive behavior. This means there is likely to be some evidence retained by the criminal.

A

info …

6
Q

The key in this sort of crime is to begin by tracing the communications. If it is a fake blog that is endorsing some investment, then someone had to register the domain for that blog. If there are emails involved, they had to come from somewhere. Of course, the more sophisticated the attacker, the less evidence there will be. Another way to seek evidence outside computer forensics is to follow the money. Someone is reaping financial rewards from the scheme.

A

Investment Offers

7
Q

??? ??? virus installs itself and then remains in RAM from the time the computer is booted up until it is shut down.

A

Memory Resident

8
Q

This virus attempts to elude detection by performing its malicious activities only sporadically. With a sparse infector virus, the user will see symptoms for a short period, then no symptoms for a time. In some cases the sparse infector targets a specific program, but the virus only executes every 10th or 20th time that target program runs.

A

Sparse infector Virus

9
Q

Viruses are remarkably easy to locate, but difficult to trace back to the creator. The first step is to document the particulars of the virus—for example, its behavior, the file characteristics, and so on. Then, you must see if there is some commonality among infected computers. For example, if all infected computers visited the same website, then it is likely that the website itself is infected. In addition, numerous sources of information about known viruses are available on the Internet from software publishers and virus researchers, which is very useful in doing forensic research.

A

info …

10
Q

A forensic specialist should touch the original data as little as possible. Instead, the information should be copied prior to examination. This means that the first step in any investigation is to make a copy of the suspected storage device. In the case of computer hard drives, you make a complete copy. That means a bit-level copy. Tools like EnCase, Forensic Toolkit, and OSForensics will do this for you; it is also possible to do this with basic Linux commands. In addition, it is common practice to make two copies of the drive. This gives you one to work with and a backup in the event you need it.

A

info …
