Outline based on [Exam Information - 201802.pptx].
Exam Sample Questions
1. If you were given a 20GB hard drive that had been used to image an 8GB USB device and
found during analysis that more than the 8GB image was on the disk, what would this
indicate? How would you then proceed?
- Because of the way hard drives and modern file systems work, deleted files remain on the hard drive. Any data other than the 8GB USB image can be ignored.
2. Other than asking for a password to an encrypted file describe and compare other feasible
methods for gaining access to the files contents.
- Dictionary attack, brute-force attack, or memory acquisition during a live acquisition.
3. How does foremost/scalpel work?
- It searches for specific file headers and footers, bounded by a file size limit. It may not work properly when the file is fragmented.
4. Describe the forensic process.
- Plan, acquire, analyse, report.
5. Describe the issues associated with the acquisition of evidence from embedded systems.
- JTAG or an embedded pinout is used for data acquisition from memory.
6. Describe the content and structure of a forensic report.
- Showing content, intent, quantity of files, timeline, running sheet, identification, and installed software.
7. A new version of Windows has been released. List what you would need to do to be ready in 6 to 10 months when you begin encountering cases involving the new operating system.
- Test the investigation tools and check for any bugs against the new version of Windows.
8. Describe the three formats for computer forensics data acquisitions.
- Manual: manually browsing the evidence using the normal UI. Logical: acquiring the files related to the investigation. Physical: copying the entire storage device bit-by-bit.
9. You need to acquire an image of a disk on a computer that can’t be removed from the scene,
and you discover that it’s a Linux computer. What are your options for acquiring the image?
- Use the dd command to perform a physical acquisition to a USB or other external storage device.
10. An employee suspects that his password has been compromised. He changed it two days
ago, yet it seems someone has used it again. What might be going on?
- Compare the login log with computer usage and work out the suspect's activity.
11. Briefly describe with examples the five major categories of forensic tools.
- Imager: FTK Imager; multi-tool: Autopsy,
12. Briefly explain the Daubert Standard in relation to digital forensics.
- The Daubert standard is more generous regarding the investigation method.
Module 1
What is computer forensics?
- Computer forensics is collecting and analysing data from computers and related equipment to present as evidence in a court of law.
- Answer from ppt: A subset of forensics. Application of scientific techniques to extract and analyse data from electronic devices. Objective is to recover, analyze, and present computer-based material to be used as evidence within a court of law
Civil versus criminal case requirements
- A civil case is a lawsuit and normally does not involve the government. A criminal case involves an investigator.
- Answer from ppt: Public investigations (criminal): A government agency is responsible for investigations and prosecution. Private sector investigations (civil): Deals with private companies, non-law-enforcement government agencies, and lawyers. Governed by internal policies that define expected employee behavior and conduct in the workplace
Inculpatory versus exculpatory evidence
- Inculpatory evidence shows a suspect's guilt. Exculpatory evidence argues against a suspect's guilt.
- Answer from ppt: Inculpatory – showing a person’s involvement in a crime (incriminating evidence). Exculpatory – showing a person’s innocence in a crime (exonerates the defendant of any guilt)
Computer forensics versus data recovery?
- Computer forensics involves data recovery. Computer forensics presents a report to the court of law after analysing the computer or storage devices.
Why is planning important in computer forensics?
- Planning in computer forensics shortens the time taken by the investigation. A structured investigation is less likely to miss a phase of the investigation.
Consideration when preparing for an investigation? Why is planning important?
- Planning in computer forensics shortens the time taken by the investigation. A structured investigation is less likely to miss a phase of the investigation.
Module 2
What is a computer forensics plan?
- A document written before an investigator starts the investigation. It addresses the approach to the specific case.
- Answer from ppt: A ‘proposal’ of your intentions pertaining to an upcoming investigation. Allows all parties involved to have a thorough understanding of the case. Approval of plan leads to a subsequent investigation.
Why is it important? What does it contain?
- Prevents any part of the investigation being missed when collecting, analysing, and documenting the evidence. It also makes it easier to distribute work among the investigation team members. Contents: introduction, timeframes, background, objectives, strategies, resources, and milestones.
- Answer from ppt: Allows your business manager to determine resource and personnel requirements. Introduction, Timeframes, Background, Objectives, Strategies, Resources, Progress/performance indicators
Digital forensic reports – purpose?
- To present the analysis from the investigation to a court of law.
- Answer from ppt: A coherent document detailing specific outcomes of the investigation. A technical and non-technical audience should be able to interpret and extract the same meaning from the content. Typically contains 5 baseline ‘issues’ but these may increase to 6, 7, 8 etc. as the investigation progresses/advances
What is the purpose of segregating a report into issues (chapters)?
- To give a clear picture of each part of the investigation.
- Answer from ppt: Allows investigators to stay focused on the task(s) at hand. It enables investigators to break large complex problems into smaller problems. Allows efficient allocation/use of resources
What is the purpose of a running sheet?
- To show the processes that were followed to reach the analysis, so that any investigator can follow each step and get the same result.
- Answer from ppt: MUST BE REPEATABLE. The ‘event’ field should encompass: What did you do?; How did you do it?; What was the outcome?
You should be able to communicate the findings of an investigation
- Not a question.
Module 3
Acquisition formats: definitions, examples, pros and cons of each
Raw
- Copies every sector of the evidence. It requires a large amount of storage when the evidence storage is large.
- Answer from ppt: A sector for sector duplicate of the drive. Advantages: Fast data transfers, Can ignore minor data read errors on source drive, Most computer forensics tools can read raw format. Disadvantages: Requires as much storage as original disk or data, Tools might not collect marginal (bad) sectors.
Proprietary
- It collects data in a specific format that depends on which tool is used. The image is smaller because the data is compressed. It won't be compatible with other tools.
- Answer from ppt: A unique format specific to a particular tool. Commercial forensic tools typically use their own proprietary format. Proprietary formats: Allow acquired data (images) to be compressed, Can split an image into small segmented files, Can integrate metadata into the image file. Cannot be used between multiple tools
Advanced Forensics Format (AFF)
- Combines raw and proprietary acquisition. It provides extensive metadata for the image file.
- Answer from ppt: Developed by Dr. Simson L. Garfinkel. Combination of raw and proprietary: Compressed or uncompressed image files, No size restriction for disk to image files, Provide space in the image file or segmented files for metadata, Simple design with extensibility, Open source for multiple platforms and OSs.
Static versus live acquisitions: Focus on process, procedure, tools/software commands, benefits, issues and constraints
- A static acquisition is made after the computer is shut down; it won't modify any storage device. A live acquisition is made while the computer is still running; encryption and network connections can be examined in this kind of acquisition.
- Answer from ppt: Static: Device is or can be powered down prior to any data being acquired. Live: Typically requires creating new or modifying existing data on the device. Beneficial when there is evidence of decrypted folders/files on the disk. Live acquisition of RAM may provide valuable evidence
Logical versus physical acquisitions: Focus on process, procedure, tools/software commands, benefits, issues and constraints
- A logical acquisition only collects data that exists at the OS level, and it is faster than a physical acquisition. A physical acquisition copies all data on the evidence drive bit by bit.
- Answer from ppt: When time is limited, Logical acquisition captures only specific files of interest to the case, Sparse acquisition also collects fragments of unallocated (deleted) data, Useful for large persistent storage drives, PST or OST mail files, RAID servers etc.
Security requirements before acquisitions: Media preparation, policies, procedures etc.
Forensic tool benefits and their limitations
Validation techniques: MD5 vs SHA1 vs etc.
Issues with acquiring a RAID
Network and remote acquisitions
Module 4
Understand binary/hex conversions etc.
- 1 hexadecimal code will represent 1 byte in memory. 12 in hexadecimal is 10 in decimal.
- Answer from ppt: Hex is a convenient way of representing long binary strings (which is ultimately the only way to represent data – two states; on or off). It is easier to read the value 0x1214 rather than 0001 0010 0001 0100. Hex is commonly used to interpret data in the unit via computer forensic tools
Little vs big endian – OS dependency
- Windows and Linux use different ways to read binary. This may cause time values to be read incorrectly.
- Answer from ppt: Big Endian: MSB is stored at the lower address. Little Endian: MSB is stored at the higher address. Windows data is stored in Little Endian formats
What does the ‘endian’ mean when interpreting data with a hex editor?
- The order in which stored data is read: whether left to right or right to left.
- Answer from ppt: Big Endian: MSB is stored at the lower address. Little Endian: MSB is stored at the higher address. Windows data is stored in Little Endian formats
Why should we care in what order data is stored?
- It gives different data when it is not read correctly.
- Answer from ppt: Take the Windows date/time data 7A 5C 16 31. Depending on how we interpret the bytes we either get…: 7A 5C 16 31 = Jan 19th, 2035 21:35:45 GMT, 31 16 5C 7A = Feb 5th, 1996 19:37:30 GMT
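The slide's two dates can be reproduced directly: the four bytes 7A 5C 16 31 are read as an unsigned 32-bit integer in each byte order and then treated as seconds since the Unix epoch. This is an added example written for these notes, not code from the slides; the sample bytes are the ones on the slide and the only assumption is that the value is a 32-bit Unix timestamp.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the four bytes from the slide, in the order they sit on disk.
SAMPLE_BYTES = bytes.fromhex("7A5C1631")

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def read_uint32(raw: bytes, byteorder: str) -> int:
    """Decode 4 bytes as an unsigned 32-bit integer, big- or little-endian."""
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes")
    fmt = ">I" if byteorder == "big" else "<I"
    (value,) = struct.unpack(fmt, raw)
    return value


def decode_unix_time(raw: bytes, byteorder: str) -> str:
    """Interpret the 4 bytes as seconds since 1970-01-01 UTC (a 32-bit Unix timestamp)."""
    seconds = read_uint32(raw, byteorder)
    # timedelta arithmetic sidesteps platform limits of time.localtime() for dates past 2038
    when = UNIX_EPOCH + timedelta(seconds=seconds)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def both_interpretations(raw: bytes) -> dict:
    """Show what the same bytes mean under each byte order (the slide's two dates)."""
    return {order: decode_unix_time(raw, order) for order in ("big", "little")}


if __name__ == "__main__":
    for order, when in both_interpretations(SAMPLE_BYTES).items():
        print(f"{order:>6}-endian 0x{read_uint32(SAMPLE_BYTES, order):08X} -> {when}")
```

The big-endian reading gives the 2035 date and the little-endian reading the 1996 date, a 39-year gap from nothing more than the order the bytes were interpreted in, which is why a tool's endianness setting has to be checked before any timestamp is put in a report.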
Sectors vs clusters
- Sectors are defined at the storage device level; clusters are groups of sectors defined at the OS level.
- Answer from ppt: The smallest unit of addressable data by a file system is a sector (HDD) or page (SSD). A sector was 512 bytes for a long time. If a cluster size is 4 sectors (e.g. 2048 bytes) and a file is only 512 bytes in size (i.e. 1 sector), then the whole cluster chain of 4 sectors will be allocated to that 1 file. The remaining 3 sectors (1536 bytes) are theoretically wasted.
File slack
- An empty space that is created after a file is deleted.
- Answer from ppt: If a file does not fill a cluster 100%, then the remaining space within the cluster could contain data from a previously deleted file. Windows will ‘0x00’ out data from the end of the file’s data to the end of the sector
Partitions
- A partition divides the storage device into smaller sections, which makes file management easier.
- Answer from ppt: A partition means a hard drive has been segmented to create one or more ‘volumes’ (sometimes referred to as ‘drives’). Each partition may have different file structures and be used for different purpose: Operating system partition, Data storage partition, An encrypted partition, Recovery partition
Boot code
- Answer from ppt: The boot code in a drive exists in the first 446 bytes of the 1st sector (MBR), The boot code looks for the ‘bootable flag’ which is set in the partition table entries (only one entry can have this set), The 446th byte will be 0x80 for a bootable partition or 0x00 for a non-bootable partition
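The partition table and bootable flag described on the slide can be parsed from a single 512-byte sector. The following is an added example for these notes (not from the slides or any forensic tool): it builds a constructed MBR with a bootable NTFS partition and a Linux partition, then reads the table back, decoding the little-endian LBA fields and checking the 0x55AA signature and the 0x80 flag at byte 446.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
BOOT_SIGNATURE = b"\x55\xAA"
BOOTABLE = 0x80

# A few well-known partition type codes; anything else is shown as its hex value.
PARTITION_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition table entry (CHS fields left as zeros)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, a bootable NTFS partition, a Linux partition, two empty slots."""
    boot_code = bytes(TABLE_OFFSET)
    table = (build_entry(BOOTABLE, 0x07, 2048, 204800)
             + build_entry(0x00, 0x83, 206848, 409600)
             + build_entry(0x00, 0x00, 0, 0)
             + build_entry(0x00, 0x00, 0, 0))
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes, sector_size: int = 512) -> list:
    """Return the in-use partition entries with offsets translated to byte positions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for index in range(4):
        off = TABLE_OFFSET + index * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == BOOTABLE,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * sector_size,   # where an imaging tool would seek to reach the volume
            "size_bytes": count * sector_size,
        })
    return partitions


def bootable_partitions(partitions: list) -> list:
    """Only one entry may carry the 0x80 flag; more than one points to a corrupt or tampered table."""
    return [p for p in partitions if p["bootable"]]


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print(f"byte 446 = 0x{mbr[446]:02X}")
    for p in parse_mbr(mbr):
        print(p)
```

The byte offset of each volume is what lets an examiner carve a single partition out of a raw image with a block offset rather than re-imaging the drive.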
Module 5
What is a file system?
- The system the OS uses to store data on a storage device. For example, NTFS, FAT, EXT.
- Answer from ppt: Provides the Operating System (OS) with a roadmap to access data on the drive. The type of file system the OS uses determines how data is stored on the drive. It is important to understand the structure of the file system you are analysing: Allows you to validate your findings at the lowest level
Explain how a FAT FS works?: Directory entry structure, Reading/deleting files
- Each file is recorded in a table that gives the next cluster if the file continues, or an end-of-file code if it is the last one.
- Answer from ppt: FAT is often considered the ‘universal’ file system because it can be read and written to by most operating systems
The FAT file system model consists of three concepts: File Allocation Table (FAT), Root directory, Data area
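As an added example for these notes (not code from the slides), the directory entry, the cluster chain and the deletion behaviour of FAT32 can be simulated on a constructed FAT and a constructed 32-byte directory entry; it also computes file slack for the cluster size used on the sectors-versus-clusters slide. The layout constants are the FAT32 on-disk ones; the sample chain and cluster size are invented for the illustration.

```python
import struct

DIR_ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # 32-byte FAT32 short-name directory entry, little-endian
DELETED_MARKER = 0xE5
FAT32_MASK = 0x0FFFFFFF            # only the low 28 bits of a FAT32 entry are used
FAT32_EOC_MIN = 0x0FFFFFF8         # values >= this mark end-of-chain
CLUSTER_SIZE = 2048                # constructed: 4 sectors of 512 bytes per cluster


def build_dir_entry(name: str, ext: str, first_cluster: int, size: int) -> bytes:
    """Pack a directory entry; time/date fields are left zero for brevity."""
    raw_name = name.upper().ljust(8).encode("ascii")
    raw_ext = ext.upper().ljust(3).encode("ascii")
    attr = 0x20  # archive attribute
    return struct.pack(DIR_ENTRY_FMT, raw_name, raw_ext, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_dir_entry(raw: bytes) -> dict:
    fields = struct.unpack(DIR_ENTRY_FMT, raw)
    name, ext, attr = fields[0], fields[1], fields[2]
    clus_hi, clus_lo, size = fields[8], fields[11], fields[12]
    deleted = name[0] == DELETED_MARKER
    # 0xE5 overwrote only the first character of the name; the rest of the entry is intact
    shown = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
    return {"name": f"{shown.rstrip()}.{ext.decode('ascii').rstrip()}",
            "deleted": deleted, "attr": attr,
            "first_cluster": (clus_hi << 16) | clus_lo, "size": size}


def follow_chain(fat: list, start: int) -> list:
    """Walk the FAT from the first cluster until an end-of-chain marker."""
    chain, cluster = [], start
    while True:
        if cluster in chain:
            raise ValueError("cluster chain loops back on itself (corrupt FAT)")
        chain.append(cluster)
        nxt = fat[cluster] & FAT32_MASK
        if nxt >= FAT32_EOC_MIN:
            return chain
        if nxt == 0:
            raise ValueError(f"chain broken at cluster {cluster}: next entry is free")
        cluster = nxt


def slack_bytes(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the end of the file data and the end of its last cluster."""
    clusters = -(-size // cluster_size)  # ceiling division
    return clusters * cluster_size - size


def delete_file(fat: list, entry: bytes) -> bytes:
    """Mimic FAT deletion: mark the entry 0xE5 and free the chain; the data itself is untouched."""
    info = parse_dir_entry(entry)
    for cluster in follow_chain(fat, info["first_cluster"]):
        fat[cluster] = 0
    return bytes([DELETED_MARKER]) + entry[1:]


def build_sample_fat() -> list:
    """Constructed FAT: cluster 2 holds the root dir, REPORT.DOC occupies 3 -> 4 -> 7."""
    fat = [0] * 16
    fat[0], fat[1] = 0x0FFFFFF8, 0x0FFFFFFF   # media descriptor / reserved entries
    fat[2] = 0x0FFFFFFF                        # root directory, single cluster
    fat[3], fat[4], fat[7] = 4, 7, 0x0FFFFFFF  # a 3-cluster chain with a gap (fragmented)
    return fat


if __name__ == "__main__":
    fat = build_sample_fat()
    entry = build_dir_entry("report", "doc", 3, 6000)
    print(parse_dir_entry(entry), follow_chain(fat, 3), slack_bytes(6000))
    gone = delete_file(fat, entry)
    print(parse_dir_entry(gone), fat[3:8])
```

After deletion the directory entry still holds the first cluster and the size, which is what undelete tools rely on; the chain itself is gone, so a fragmented file such as this one (3 -> 4 -> 7) cannot be reassembled from the FAT alone.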
Explain how an NTFS FS works?: MFT, records, record structure, Reading/deleting files
- It is used in Windows systems. When a file is deleted, no data on the drive is changed; the file is moved to the recycle bin.
- Answer from ppt: New Technology File System (NTFS): Introduced with Windows NT, Primary file system for Windows 7, 8, 10 etc. Improvements over FAT file systems: NTFS provides more information about a file, NTFS gives more control over files and folders. NTFS was Microsoft’s move toward a journaling file system
Windows registry benefits in forensics: Structure, data, offline acquisition
- It holds a large amount of data, including user logs and program installations.
- Answer from ppt: User-protected storage area; contains the list of most recently used files and desktop configuration settings, Contains the computer’s system settings, Contains user account management and security settings, Contains the computer’s security settings, Contains installed programs’ settings and associated usernames and passwords, Contains additional computer system settings, Contains additional NTUSER information
Module 6
Graphic file types – contemporary formats
- Files that contain images, such as JPEG, GIF, PNG, BMP.
- Answer from ppt: Graphic files may include digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures, Standard bitmap file formats: Graphic Interchange Format (.gif), Joint Photographic Experts Group (.jpeg, .jpg), Tagged Image File Format (.tiff, .tif), Window Bitmap (.bmp), Standard vector file formats: Hewlett Packard Graphics Language (.hpgl), Autocad (.dxf)
EXIF metadata and its use in forensics
- EXIF metadata includes the camera model, the time the photo was taken, and GPS location information.
- Answer from ppt: Developed as a standard for storing metadata in JPEG and TIFF files, EXIF files store metadata at the beginning of the file in the first 160 bytes, If we just ‘recover’ the 1st sector of the jpg image we may have some intelligence regarding the date, time and location the photo was taken!
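The slide's point that the EXIF block sits in the first bytes of the JPEG can be checked with a small parser. This is an added example for these notes, not code from the slides or any library: it constructs a minimal JPEG whose APP1/Exif segment carries the Make, Model and DateTime tags, in either byte order, and then reads IFD0 back. The camera name and date are invented; the tag numbers and the TIFF header layout are the real ones.

```python
import struct

ASCII_TYPE = 2                      # TIFF field type 2 = NUL-terminated ASCII
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def build_sample_jpeg(endian: str = "<") -> bytes:
    """Constructed minimal JPEG: SOI, one APP1/Exif segment whose IFD0 holds three ASCII tags, EOI.
    endian "<" writes an Intel ("II") TIFF header, ">" a Motorola ("MM") one."""
    values = [(0x010F, b"ExampleCam\0"),
              (0x0110, b"Model X\0"),
              (0x0132, b"2018:02:14 10:30:00\0")]
    n = len(values)
    data_start = 8 + 2 + 12 * n + 4      # TIFF header + entry count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, val in values:
        entries += struct.pack(endian + "HHII", tag, ASCII_TYPE, len(val), data_start + len(blob))
        blob += val
    tiff = ((b"II" if endian == "<" else b"MM")
            + struct.pack(endian + "HI", 0x2A, 8)      # magic 42, IFD0 at offset 8
            + struct.pack(endian + "H", n) + entries
            + struct.pack(endian + "I", 0)             # no IFD1
            + blob)
    payload = b"Exif\0\0" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload  # JPEG lengths are big-endian
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


def parse_tiff_ifd0(tiff: bytes) -> dict:
    """Decode the ASCII tags of IFD0, honouring the byte-order mark."""
    if tiff[:2] == b"II":
        endian = "<"
    elif tiff[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("TIFF magic number is not 42")
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    result = {"byte_order": "little" if endian == "<" else "big"}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, ftype, n, raw = struct.unpack(endian + "HHI4s", tiff[off:off + 12])
        if ftype != ASCII_TYPE:
            continue                      # only ASCII fields are decoded in this example
        if n <= 4:
            data = raw[:n]                # short values live inline in the offset field
        else:
            (voff,) = struct.unpack(endian + "I", raw)
            data = tiff[voff:voff + n]
        result[EXIF_TAGS.get(tag, f"0x{tag:04X}")] = data.rstrip(b"\0").decode("ascii", "replace")
    return result


def parse_exif(jpeg: bytes) -> dict:
    """Walk JPEG segments until the APP1/Exif segment (or the scan data) is reached."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or start of scan: no more metadata segments
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return parse_tiff_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}


if __name__ == "__main__":
    for order in ("<", ">"):
        print(parse_exif(build_sample_jpeg(order)))
```

Two things carry over to real images: the segment length fields of the JPEG container are always big-endian while the TIFF data inside follows its own "II"/"MM" mark, and because IFD0 sits right behind the Exif header, the first sector of a carved or partially overwritten photo is often enough to recover the date and camera.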
File signature – purpose, benefits, limitations
- To check the integrity of the file.
- Answer from ppt: A hexadecimal value that denotes the start and end of a file stored in a file system, In digital forensics we can use the file header and footer to retrieve deleted data
Fragmented vs continuous file carving: Issues related to fragmented files, Software strategies to carve fragmented files, Scalpel carving
- It is harder to recover a fragmented file.
- Answer from ppt: File recovery makes use of the file system’s ‘management’ layer, Successful file recovery is reliant on the data in the FAT32/NTFS file system being valid, File recovery is typically used when a drive dies/malfunctions etc. File carving makes use of raw data on the drive, The file system is irrelevant in file carving, File carving is typically used when we suspect or know that data may have been purposefully deleted
Processes and procedures, smart carving benefits and limitations
- It recovers fragmented files.
- Answer from ppt: File carving is used to recover deleted files. Carving works by searching through a disk for specific ‘headers’ and ‘footers’ to locate specific types of files. Headers/Footers are known pieces of data that exist at the beginning and end of specific file types. Problems occur if files are stored in non-contiguous blocks as the data between the header and footer may not contain all of the data belonging to that file
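The header/footer search that the slides (and sample exam question 3 on foremost/scalpel) describe, together with the fragmentation problem, can be shown on a constructed disk image. This is an added example for these notes, not foremost or scalpel code: the signature table mimics the header/footer/max-size lines of a carver configuration, and the image contains a contiguous JPEG, a JPEG whose two halves are separated by another file's data, a PNG, and a JPEG whose footer is gone.

```python
import re

# Header/footer pairs in the style of a foremost/scalpel configuration; max_size caps how far
# past a header the carver reads when no footer turns up (constructed, deliberately small).
SIGNATURES = {
    "jpg": {"header": b"\xFF\xD8\xFF", "footer": b"\xFF\xD9", "max_size": 200},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max_size": 200},
}


def carve(image: bytes, signatures: dict = SIGNATURES) -> list:
    """Scan raw bytes for every known header and cut out header..footer (or header..max_size)."""
    results = []
    for ftype, sig in signatures.items():
        for match in re.finditer(re.escape(sig["header"]), image):
            start = match.start()
            window = image[start:start + sig["max_size"]]
            end = window.find(sig["footer"], len(sig["header"]))
            if end == -1:
                # no footer within the limit: the carver emits a truncated file of max_size bytes
                results.append({"type": ftype, "offset": start, "length": len(window),
                                "complete": False, "data": window})
            else:
                length = end + len(sig["footer"])
                results.append({"type": ftype, "offset": start, "length": length,
                                "complete": True, "data": window[:length]})
    return sorted(results, key=lambda r: r["offset"])


def build_sample_image() -> bytes:
    """Constructed disk image: a contiguous JPEG, a fragmented JPEG (foreign data between its halves),
    a PNG, and a JPEG whose footer was overwritten."""
    filler = b"\x00" * 32
    jpg_whole = b"\xFF\xD8\xFF\xE0" + b"A" * 40 + b"\xFF\xD9"
    jpg_frag_head = b"\xFF\xD8\xFF\xE1" + b"B" * 20
    foreign = b"X" * 30                      # another file's data sitting in the middle
    jpg_frag_tail = b"C" * 10 + b"\xFF\xD9"
    png = SIGNATURES["png"]["header"] + b"P" * 16 + SIGNATURES["png"]["footer"]
    jpg_no_footer = b"\xFF\xD8\xFF\xDB" + b"D" * 50
    return (filler + jpg_whole + filler + jpg_frag_head + foreign + jpg_frag_tail
            + filler + png + jpg_no_footer + filler)


def summarize(results: list) -> list:
    """(type, offset, length, footer found, contaminated with foreign 'X' data) per carved file."""
    return [(r["type"], r["offset"], r["length"], r["complete"], b"X" in r["data"]) for r in results]


if __name__ == "__main__":
    for row in summarize(carve(build_sample_image())):
        print(row)
```

The fragmented JPEG is reported as "complete" because a footer was found, yet the carved bytes include the foreign data in the middle, so the output will not open correctly; the footerless JPEG is cut at the size limit. Both are exactly the failure modes the slides attribute to header/footer carving, and they are what smart carvers try to detect by validating the structure of what they cut out.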
Web browser forensics analysis
- Use Autopsy.
- Answer from ppt: Browsers are the epoch for much of the crime or misuse that occurs. Where or how does one search the Internet from. Where is most of the file transfer done? What tool is by default installed by most operating systems?
Potential digital artifacts from web browsers
- Browser history, bookmarks,
- Answer from ppt: Consider also custom browsers and applications, not just the most popular.: Where do they store sources of evidence?, Various platforms / devices / OS, Internet enabled devices such as TVs, Same in all versions / variants?, How would you determine this?
How can web browser history be used to show intent?
- When it shows repetitive, constant access to content, it proves intent.
- Answer from ppt:
What files do we look for with browsers such as...Internet Explorer, Firefox, Chrome
- Browser history, bookmarks.
- Answer from ppt: Web Browsing History – URLs visited, Cookies, Downloads, Cache, Form history, Favourites, Profiles
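Browsing history is stored by Chromium-based browsers in an SQLite database whose `urls` table records a visit count and a last-visit timestamp per URL, which is the data behind the "repeated access shows intent" argument above. The following is an added example for these notes (not the browser's own code): it constructs an in-memory table with that layout, invented rows on example domains, and converts the timestamp, which Chrome stores as microseconds since 1601-01-01 UTC, into a readable UTC time.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium store timestamps as microseconds since 1601-01-01 UTC ("WebKit time").
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds: int) -> str:
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).strftime("%Y-%m-%d %H:%M:%S")


def utc_to_webkit(when: datetime) -> int:
    delta = when - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory copy of the 'urls' table layout used by Chrome's History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                    visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)""")
    t = lambda *args: utc_to_webkit(datetime(*args, tzinfo=timezone.utc))
    rows = [  # invented sample rows
        ("https://forum.example.net/thread/42", "Thread 42", 27, 9, t(2018, 2, 14, 10, 30, 0), 0),
        ("https://www.example.com/", "Example Domain", 3, 1, t(2018, 2, 10, 8, 5, 0), 0),
        ("https://docs.example.org/manual", "Manual", 12, 0, t(2018, 2, 13, 17, 45, 0), 0),
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
                     "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def most_visited(conn: sqlite3.Connection, limit: int = 3) -> list:
    """Rank URLs by visit_count (repeat access) then typed_count (address deliberately typed)."""
    cur = conn.execute("SELECT url, title, visit_count, typed_count, last_visit_time FROM urls "
                       "ORDER BY visit_count DESC, typed_count DESC LIMIT ?", (limit,))
    return [{"url": url, "title": title, "visits": visits, "typed": typed,
             "last_visit": webkit_to_utc(last)} for url, title, visits, typed, last in cur]


if __name__ == "__main__":
    for row in most_visited(build_sample_history()):
        print(row)
```

On a real system the same query runs against a copy of the profile's `History` file; the timestamp conversion is the part most often done wrong, since the 1601 epoch differs from both the Unix epoch and the one Firefox uses.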
The effects of anti-web browser forensic tools on digital forensics
- It forces the collection of data from the web browser.
- Answer from ppt: Browsers are the epoch for much of the crime or misuse that occurs. Where or how does one search the Internet from. Where is most of the file transfer done? What tool is by default installed by most operating systems?
Module 7
How do we evaluate digital forensic tools?: Standards? Models? Methods?
- Based on usage and error rate.
- Answer from ppt: Test and validate your software to prevent damaging the evidence
Hardware vs software forensic tools
- Hardware forensic tools are things like write blockers and hard drive copiers. Software forensic tools
- Answer from ppt: Hardware forensic tools: Single-purpose components, Complete computer systems and servers, Can be expensive. Software forensic tools: Command-line or GUI applications, Used to copy, recover/carve data, Generate reports
Define, explain, provide specific examples: Acquisition, Validation and discrimination, Extraction, Reconstruction, Reporting
- As in this semester's assessment, the investigator may examine the suspect's computer and analyse the acquired files.
- Answer from ppt: Acquisition:Tools perform 2 types of data-copying methods: Physical copying of the entire drive, Logical copying of a disk partition. Validation and verification: Validation: A way to confirm that a tool is functioning as intended. Verification: Proves that two sets of data are identical by calculating hash values. Extraction: The ‘extraction’ of case related data from evidence to support or negate theories. Recovery task in a computing investigation. Reconstruction: Re-create a suspect drive to show what happened during a crime or an incident. Reporting: To complete the analysis of a forensics investigation/examination, you need to create a report.
Module 8
How to determine what data to collect and analyse?: NSRL RDS databases – pros/cons? limitations?, How to implement/use a RDS?
- Based on the background of the investigation.
- Answer from ppt: Examining and analyzing digital evidence depends on: Nature of the case, Amount of data to process, Search warrants and court orders, Company policies
Validation techniques of collected data
- Hashing.
- Answer from ppt: Ensuring the integrity of data you collect is essential for presenting evidence in court. Forensic tools offering hashing of image files
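The hashing answer above, the "validation techniques: MD5 vs SHA1" heading in Module 3 and the NSRL RDS question above all come down to the same two uses of a digest: proving that an image is identical to its source, and setting aside files whose hashes are already known. This added example (written for these notes, not taken from any tool) copies a constructed "device" file block by block the way dd does, hashes source and image in one pass, shows that a single flipped byte is caught, and filters a set of files against a constructed stand-in for a known-file hash set.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4 * 1024 * 1024     # read/write 4 MiB at a time, as with dd bs=4M


def hash_file(path: str, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Compute several digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source: str, image: str) -> tuple:
    """Block-for-block copy of the source (the Python analogue of dd if=source of=image),
    returning the digests of both so they can be recorded in the running sheet."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    return hash_file(source), hash_file(image)


def verify_image(source_hashes: dict, image_hashes: dict) -> bool:
    """Every recorded digest must match; one differing algorithm is enough to reject the image."""
    return all(image_hashes.get(name) == digest for name, digest in source_hashes.items())


# Constructed stand-in for a known-file reference set (the real NSRL RDS ships hashes of
# known OS and application files). Files matching it are 'known' and can be set aside.
KNOWN_CONTENTS = [b"constructed: unmodified OS binary", b"constructed: stock application DLL"]
KNOWN_SHA1 = {hashlib.sha1(c).hexdigest() for c in KNOWN_CONTENTS}


def filter_known(files: dict) -> dict:
    """Map each file name to 'known' (in the reference set) or 'unknown' (needs examination)."""
    return {name: ("known" if hashlib.sha1(data).hexdigest() in KNOWN_SHA1 else "unknown")
            for name, data in files.items()}


def run_demo() -> dict:
    """Acquire a constructed 'device', verify the image, then show a single flipped byte is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb.bin")
        image = os.path.join(tmp, "sdb.dd")
        with open(device, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed evidence content" + b"\xFF" * 4096)
        src_hashes, img_hashes = acquire_image(device, image)
        verified = verify_image(src_hashes, img_hashes)
        with open(image, "r+b") as fh:      # simulate corruption of one byte in the image
            fh.seek(4100)
            fh.write(b"X")
        verified_after_tamper = verify_image(src_hashes, hash_file(image))
    return {"verified": verified, "verified_after_tamper": verified_after_tamper,
            "sha256": src_hashes["sha256"]}


if __name__ == "__main__":
    print(run_demo())
    print(filter_known({"kernel32.dll": KNOWN_CONTENTS[1], "notes.txt": b"user created text"}))
```

Recording more than one algorithm costs nothing extra in I/O, since all digests are updated from the same read, and it keeps the verification valid even if one of the older algorithms is later questioned in court.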
Locating/analysing hidden data
- Scalpel data carving; hidden partitions.
- Answer from ppt: Data hiding - changing or manipulating a file to conceal it or its information: Hiding entire partitions, Changing file extensions, Setting file attributes to hidden, Bit-shifting, Encryption or passwords
Tools for detecting encryption, breaking passwords, detecting concealment
- FTK, Autopsy, TrueCrack, hashcat.
- Answer from ppt: To decode an encrypted file: Users supply a password or passphrase. Some encryption program use a technology called “key escrow”: Designed to recover encrypted data if users forget their passphrase. Key sizes of 128 -> 4096 bits make breaking encryption nearly impossible with current technology
Module 9
Email investigations
- Investigate the email conversations that were found.
- Answer from ppt: Email messages related to the investigation, Email addresses related to the investigation, Sender and recipient information, Information about those copied on the email, Content of the communications, Internet Protocol (IP) addresses
Email headers as a source of evidence
- An email header includes the sender, receiver, title, and date sent.
- Answer from ppt: RFC 2822: Standard for email format, including headers. All email programs use the same email
Structure of email headers
- Sender, receiver, title, and date sent.
- Answer from ppt: Date and time information, User information, Attachments, Passwords, Emails can demonstrate ‘identity’, ‘intent’ and a ‘motive’
Interpreting data in email headers
- Use forensic software such as Autopsy.
- Answer from ppt: Investigators should know how to find e-mail headers: Dedicated GUI email clients, Web-based clients. Open e-mail headers, copy and paste them into a text document. Become familiar with as many e-mail programs as possible
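The slide's advice to copy headers into a text file and read them can be taken one step further with the standard library. This added example (for these notes; not from any email tool) parses a constructed RFC 2822 message on documentation IP ranges and example domains, pulls out sender, recipients, date and Message-ID, and walks the Received headers in transit order so that the originating host comes first.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)")

# Constructed message with two Received headers (documentation IP ranges, example domains).
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
    by mx.example.net with ESMTPS id abc123
    for <bob@example.net>; Wed, 14 Feb 2018 10:31:02 +0000
Received: from [198.51.100.7] (helo=laptop.example.org)
    by mail.example.org with ESMTPA id xyz789;
    Wed, 14 Feb 2018 10:30:55 +0000
Message-ID: <20180214103055.1234@example.org>
Date: Wed, 14 Feb 2018 10:30:00 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.net
Subject: Quarterly figures

Please find the figures attached.
"""


def received_hops(msg) -> list:
    """Received headers are prepended by each relay, so the last one is the first hop.
    Return them in transit order: originating host first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())          # unfold continuation lines
        ip = IP_RE.search(text)
        by = BY_RE.search(text)
        hops.append({"ip": ip.group(0) if ip else None,
                     "by": by.group(1) if by else None,
                     "raw": text})
    return hops


def summarize(raw_message: str) -> dict:
    msg = message_from_string(raw_message, policy=default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    return {
        "from": msg["From"].addresses[0].addr_spec,
        "to": [a.addr_spec for a in msg["To"].addresses],
        "cc": [a.addr_spec for a in msg["Cc"].addresses] if msg["Cc"] else [],
        "subject": str(msg["Subject"]),
        "message_id": str(msg["Message-ID"]),
        "date_utc": sent.strftime("%Y-%m-%d %H:%M:%S %z"),
        "hops": received_hops(msg),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the Received lines added by servers under someone else's control can be trusted; the sender controls everything below the first relay, including From, Date and any Received lines it chose to write itself, which is why the hop list is read from the receiving end inward.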
Email forensic tools their functionality/limitations/benefits
- Autopsy shows data interpreted from the email header and organises it in a timeline.
- Answer from ppt: Tools include: MailXaminer, DataNumen, FINALeMAIL, Paraben E-Mail Examiner, AccessData FTK, Ontrack Easy Recovery EmailRepair, R-Tools, OfficeRecovery’s MailRecovery
Issues/challenges with cloud forensics
- It is more difficult to find files on the server, as they are distributed around the world.
- Answer from ppt: Ongoing debates about revising current laws: Many cross-jurisdiction legal issues haven’t been resolved. No law ensures uniform access or required handling procedures for the cloud. Investigators should be concerned about cases involving data commingled with other customers’ data. Often, figuring out what law controls data stored in the cloud is a challenge
Module 10
Order of Volatility – impact on the collection of evidence – what should you prioritize?
- Image RAM first.
- Answer from ppt: Forensics performed on a running system. There are typically more ‘things’ to ‘look’ for compared to a static investigation. Two approaches: Using existing tools found on target host, Introduce (copy required) tools onto target host to extract data of interest. Combination of ‘acquisition’ and ‘analysis’
The impact of virtual machines on computer investigations?
- The state of the virtual machine is erased if the computer is turned off.
- Answer from ppt: Virtual machines are important in today’s networks, Investigators must know how to detect and analyse virtual machines, The software that runs virtual machines is called a “hypervisor”
Tools for live acquisitions
- FTK Imager, Autopsy.
- Answer from ppt: Magnet Forensics RAM Capture, Belkasoft RamCapturer, FTK Imager
Network forensics – purpose/benefits/tools
- It shows remote connections through the network; the parties might send or receive information from another location.
- Answer from ppt: Network forensics: Process of collecting and analyzing raw network data and tracking network traffic, To ascertain how an attack was carried out or how an event occurred on a network. Intruders leave a trail behind: Knowing your network’s typical traffic patterns is important in spotting variations in network traffic
Module 11
Types of evidence from smartphones?
- Photos, contact list, call history, web history.
- Answer from ppt: Text messages, Calendar events, Photos and videos, Logs, Maps, Personal alarms, Notes, Music, E-mail, Web browsing history, Passwords, Voice mails, Call history, contacts, Interconnection with wireless networks, GPS logs
Issues with gathering evidence from phones
- Password locks; it is difficult to remove the storage device from the phone.
- Answer from ppt: Smartphones are not standardized devices, How much technical information is actually supplied within the product manual?, What is the structure of the menu system?, What are the device’s capabilities?, Does it encompass memory expansion?, This information could be useful to appropriately plan your investigation
Types of tools their limitations and purpose
- FTK
- Answer from ppt:
Physical vs logical vs manual acquisition
- Bit-by-bit copy / connect to a PC and copy from it / take the storage chip from the device.
- Answer from ppt: Can circumvent pass codes, Can retrieve more data, including deleted data and discarded data / Utilising the Android Debug Bridge (ADB) utility the data from the SD card can be pulled from the device / Manually browse phone.
Flash file systems issues for forensics
- FAT32, exFAT.
- Answer from ppt:
Bypassing FTL benefits?
-
- Answer from ppt:
JTAG/Flasher tools processes
-
- Answer from ppt: Test access ports that connect to CPU, which in turn connects to flash, You need to determine which pins are which, Can identify by voltages, signals, track tracing, Manufacturer dependent
Explain in detail, two issues associated with using a chip-off or JTAG centric data acquisition approach for embedded systems.
-
Describe Forensic Acquisition and why is it important?
-
What are hash values and why are they used in Computer Forensics?
-
Explain the concept of slack space.
-
Explain if it is possible to recover files from a disk that has been formatted?
-
What is meant by the ‘chain of custody’?
-
Describe Network Forensics and its usefulness in conducting a forensic investigation.
-
What happens when a user changes a file extension manually in FAT32? Is it possible to determine the original file type when this occurs and if so how?
-
Given that an individual is claiming that content has been placed on their PC by malicious code, how would you attempt to refute such a claim?
-
Other than asking for a password to an encrypted file describe, compare and contrast other feasible methods for gaining access to the files contents.
-
Compare and contrast the features of FAT and NTFS that effect forensic analysis.
-
Explain how the evolution of technology is impacting the traditional “Forensic Process”.
-
Describe the issues associated with the acquisition of evidence from smartphones.
-
Describe the format and structure of a Forensic Report.
-
You have all been tasked with constructing a digital forensics laboratory. The business anticipates investigations involving small businesses with 1-4 investigations per week of both a civil and criminal nature. Describe and justify the specialist forensic hardware and software that the business should acquire.
-
Compare and contrast the three unique acquisition approaches used for smartphones. Explain 1 issue associated with each of the acquisition methods.
-