Elements of digital forensics examination

Question 1

What is the key to forensic soundness?

Answer 1

Documentation!

Question 2

Why does the standard “Preserve everything, change nothing” not work 100% ?

Answer 2

It is almost impossible to maintain in digital forensics, disk information sometimes alters the original, even if we use write-blockers

Question 3

The legal standpoint of authentication is to determine the worthiness of the acquired data. How does it translate in the case of courts?

Answer 3

• the contents of the records have remained unchanged
• the info on the record originates from the purported source (human or machine)
• the extra info (like timestamps) that relate to the record is also accurate

Question 4

Why is handling digital evidence sometimes harder than handling of “traditional” evidence?

Answer 4

• It´s volatile
• It´s abstract
• It´s transformative

Question 5

The way we handle digital evidence may affect.. what?

Answer 5

• it´s veracity
• it´s fidelity
• It´s integrity

Veracity depends on fidelity, fidelity relies to integrity

Question 6

What are the uses of hash functions?

Answer 6

• searching and filtering files during a forensic examination
• in security for storing passwords, electronic signatures for both integrity and authenticity
• to make sure to preserve the chain of custody
• classification to recognize well known files (white- and blacklisting)

Question 7

What is the usual case for latent analysis? Step by step

Answer 7

1. Hash the original - results in h1
2. Make a copy of the disk
3. Compute the hash value of the copy (image) - results in h2
4. Analyze the copy in read-only mode
5. Again compute the hash value of the copy to see that you have preserved the chain of custody

Question 8

How do you make interpretation objective?

Answer 8

Objectivity - By keeping it free from bias and as clear as possible, let the evidence speak for itself.
Repeatability - independent validation and verification

Question 9

Proper forensic processing should follow 4 steps, which?

Answer 9

1. Collecting
2. Examination
3. Analysis
4. Reporting

Question 10

Which steps does the Casey model include? (6)

Answer 10

1. Identification/Assessment
2. Collection/Acquisition
3. Preservation
4. Examination
5. Analysis
6. Reporting

Question 11

Explain acquisition and preservation

Answer 11

One needs to collect all the relevant information about:
Service providers - records of service, billings, subscribers and information from indirect providers that include utility companies, financial institutions and communication companies…
Storage devices - seizure of hardware, software, documentation, user notes and the media itself

Question 12

What is the on-off principle and why is it needed?

Answer 12

What is on should stay on, what is off should stay off.

Going from on to off mat be a reason for a “lock-out”, going from off to on is modification of evidence

Question 13

What can´t you forget while acquiring evidence?

Answer 13

Document everything if possible, even visually!

Question 14

What is important while preserving the integrity of electronic devices?

Answer 14

The collection should be done according to the set of predefined policies. If transport is necessary, do it with extreme care!

Question 15

Name two main things to think about while examining digital evidence

Answer 15

1. Make a copy of the original evidence first, and work on that
2. Plan the work ahead together with an investigator

Question 16

Name to problems with digital evidence

Answer 16

• it´s omnipresent

- often large volumes that need to be reduced

Question 17

Which 2 levels of evidence reduction is there?

Answer 17

1. Digital evidence in its entirety pertinent to a specific case based on well defined set of criteria, goals and objectives
2. Digital reduction on the digital evidence selected for examination and analysis

Question 18

When do you need data recovery?

Answer 18

When data is:

• deleted
• damaged or corrupted
• hidden

Question 19

When do you need data reduction?

Answer 19

When you need to:

• compare
• filter
• eliminate (duplication)
• search

Remember to document everything you do!

Question 20

What should a forensic report include?

Answer 20

• a full description of the examination
• all the relevant information
• all activities, steps taken
• the documents found and used
• the forensic tools used
• the source of the evidence (primary or secondary)

Question 21

What do you do in the analysis phase?

Answer 21

Make an evaluation and organization of the information extracted from the process. An investigating analyst does this with respect to its relevance and reliability

Question 22

What is the ultimate goal with a forensic examination?

Answer 22

To generate knowledge that would assist in an investigation.

Question 23

How should the result be presented?

Answer 23

via written reports, oral presentation or testimonies.
The presentation should be factual and clear, even to someone with limited technical understanding, but still explain the technology behind the findings and the conclusions