Digital Forensics Flashcards

(14 cards)

1
Q

What is the Digital Forensics Process

A

Incident Response:

  • Securing the crime scene
  • Identifying evidence

Managing Digital Evidence:

  • Acquiring Digital Evidence
  • Chain of custody
  • Analyzing Evidence

Preparing Forensics Documentation:

  • Reporting Findings
  • Presenting Findings
2
Q

What is Incident Response

A

When a crime occurs, it is important that the crime scene is made secure in the first instance. The same protocol must be followed when a cybercrime occurs.

Securing the crime scene is the first response when a crime is committed as this contributes to maintaining the integrity of any evidence that may be present.

Securing the scene not only prevents unauthorized persons from attending the crime scene, but it also gives investigators an opportunity to identify potential
sources of evidence.

3
Q

What is a Digital Investigation

A

When a digital investigation is opened, there needs to be a clear understanding of what is being investigated.

− What is the general aim of the investigation?
− Who is commissioning the investigation?
− Who should reports be addressed to?
− What outcomes can be expected?
− Are there any specific elements that the investigation must cover?

4
Q

What is IDENTIFYING EVIDENCE

A

Digital evidence that may contribute to an investigation can come in many forms.

All our digital devices, from hard drives to smart watches, can store information that may be relevant.

It is also important to remember that not only digital devices can provide evidence, but physical evidence in the form of DNA may also be present.

5
Q

What is Continuity of evidence

A

The Chain of Custody refers to the continuity of evidence.

It is important that investigators can explain everything that happens to a piece of evidence between its acquisition and its appearance in court.

A record of all actions must be kept for every piece of evidence that is collected.

Being unable to provide this record, and therefore unable to prove that the evidence has not been tampered with, can result in a case collapsing in court.

6
Q

What data can be acquired

A

We can acquire data from a range of different sources.

We generally have 3 different types of data that we can acquire:

  • Volatile
  • Non-Volatile
  • Latent
7
Q

What are Contemporaneous notes

A

Notes that are taken at the time, while the information is fresh. They also allow any decisions made to be justified later.

8
Q

What is Volatile data

A

Non-persistent, or volatile, data is data that is generally stored in memory such as RAM or cache.

This data is lost when power to the system is lost; therefore it is important that the power source is maintained until all volatile evidence has been acquired.

When acquiring digital evidence, volatile data should be collected first, since it is the first to disappear.

9
Q

What is Non-Volatile data

A

Persistent, or non-volatile, data is preserved when power to the system is lost.

This type of data is generally found on storage devices such as hard drives and USB sticks.

Although the data is not lost when power is removed, it is still important to ensure that its integrity is maintained.

This can be done by using devices or software such as write blockers, which make sure that data is only read from the device and nothing is written to it.

10
Q

What is Latent Data

A

Latent data refers to data that we cannot initially see.

In terms of traditional forensics, this would be evidence such as DNA or fingerprints.

When dealing with digital evidence, some data is easily identifiable, such as emails, log files, and other files saved on storage.

Latent data, however, requires a specific skill set and tools in order to be uncovered. An example of this would be deleted files.

11
Q

What is Analyzing data

A

When analyzing data, there are a number of different tools that can be used.

Which tools are used will depend on the type of data being analyzed.

For example, when analyzing network traffic, we would use a packet analyzer such as Wireshark.

For persistent data, a platform such as Autopsy would be a suitable tool.

12
Q

What is Presenting Findings

A

Presenting the findings of a digital forensics investigation can take several different forms, such as:

  • A report
  • A presentation
  • A witness statement (Expert Witness)
13
Q

What legislation is related to Digital Forensics

A

The Computer Misuse Act

The Data Protection Act

The Regulation of Investigatory Powers Act

14
Q

What is ACPO and what does it stand for

A

The Association of Chief Police Officers (ACPO) has created a guide for computer-based evidence.

The purpose of this guide is to ensure that investigators follow best practice.
