Theme 3: Analysis

Question 1

Preliminary Investigation

Answer 1

a scientific, structured stage for identifying and organising core investigations to form the groundwork of a defensible, logical case

Question 2

Stages of Preliminary Investigation

Answer 2

1. Preparation: Prepare hardware, software, tools. Tools must be tested to function as expected and that the process is reliable
2. Validate Image: Confirm evidential provenance and integrity (imaging report, disk hash)
3. Understand Disk Layout: Create partition map. Identify gaps, suspicious patterns
4. Operating Systems: Note the version, system name, installation date etc.
5. Identify User Accounts: Actions can be linked to accounts
6. Note Additions: Identify software installed by the user
7. Investigate Connected Hardware: Understand storage and peripherals
8. Understand Activity: Build a timeline from programs run, files accessed

Question 3

Failure to do Preliminary Investigation

Answer 3

context may be lost and inability to defend findings in court

Question 4

Case-driven Analysis

Answer 4

Case-driven analysis contextualises information by corroborating artefacts and connecting supplementary data to understand the case

Question 5

Corroborating Data

Answer 5

Supports other evidence

Question 6

Supplementary Data

Answer 6

Adds context

Question 7

What is a core operating system artefacts

Answer 7

system-level records created by the operating system that can be used to reconstruct user activity and build timelines to support/refute claims

Question 8

Core OS Artefact: Registry Store

Answer 8

User and system settings useful for understanding user habits

Question 9

Core OS Artefact: Recent Files List

Answer 9

Useful for timeline and intent reconstruction

Question 10

Core OS Artefact: System Logs

Answer 10

Logs system and user events for a reliable timeline

Question 11

Core OS Artefact: Clipboard History

Answer 11

Short-lived data

Question 12

Core OS Artefact: Shellbags

Answer 12

Windows feature, preferences of folder views and settings. Shows navigation

Question 13

Core OS Artefact: Print History

Answer 13

Logs print jobs to prove intent to share

Question 14

Core OS Artefact: Swap/Page File

Answer 14

Extends RAM to disk. Contains snapshot of volatile data

Question 15

Core OS Artefact: Thumbnail Cache

Answer 15

Stores image previews, including those of deleted files

Question 16

Core OS Artefact: Recycle Bin

Answer 16

Holds ‘deleted’ files and can be used to recover data

Question 17

Core OS Artefact: Browser History

Answer 17

Web activity for intent, research, and external communication

Question 18

Core OS Artefact: App Launch Data

Answer 18

Execution of programs, can prove malware execution

Question 19

Core OS Artefact: Restore Points

Answer 19

Backups of OS state and files

Question 20

Core OS Artefact: Connected Devices

Answer 20

USB and hardware connections

Question 21

Core OS Artefact: Scheduled Tasks

Answer 21

Automate system and user tasks. For attempting alibi or for malware to maintain control

Question 22

Altering Artefacts

Answer 22

• Timestomping: Altering metadata to mislead timelines
• Log Clearing: Manual deletion of logs
• System Restore Abuse: Rollback artefacts

Question 23

Windows Thumbnail Cache

Answer 23

The Windows thumbnail cache stores thumbnail images generated by the OS to provide previews of files.

The cache shows residual evidence of a file’s existence even after the file is deleted. They also can contain useful metadata.

Question 24

Limitations of Thumbnail Cache

Answer 24

The OS can generated thumbnails automatically, they are not enough alone to prove access of a file

Question 25

Windows ESE Database

Answer 25

The ***Extensible Storage Engine (ESE)*** is used by Windows desktop search to index file system content for faster search operations. It stores - Filenames/paths - Timestamps - Volume Info It can serve as a historical record of files that were present on the system, even if now deleted. Helps in building timeline using timestamps of index time

Question 26

Limitations of Windows ESE Database

Answer 26

System actions may fill in fields such as `HitCount` and `Accessed` so cannot guarantee it was caused by deliberate user action

Question 27

What makes an unusual device

Answer 27

- **No Analysis Tool Exists**: A new method is needed - **Not Compatible with Existing Tools**: Build/version does not work with tools - **The Device is Modified**: Modification by a user or organised crime - **The Owner has High Technical Skills**: Potential for modification is high - **The Device is Previously Unseen**: New or unfamiliar devices - **Reason to Suspect Non-standard Behaviour**: Such as the device is used for a non-standard reason e.g. a phone only used for tracking creating an unusual usage pattern - **Traditional Techniques Indicate Nothing of Interest**: Other signs suggest something should be unusual but traditional analysis finds nothing - **Traditional Techniques Return Odd Results**: Device context matters

Question 28

How to understand unusual devices

Answer 28

***Controlled experimentation*** is used to understand the data of an unusual device. Perform steps that a user may perform to understand how data can be generated and interpreted Ensure the hardware (batch numbers etc) and versions (OS, updates, etc.) are the same as the seized device

Question 29

Extended Partition Flags

Answer 29

05 0F 85

Question 30

Bootable Flag

Answer 30

00 non bootable 80 Bootable