CHFI: Computer Forensics


Questions and Answers

Which of the following is the MOST accurate description of computer forensics?

  • The practice of ethical hacking to improve system security.
  • The process of identifying security vulnerabilities in computer systems.
  • The development of software tools for data recovery and analysis.
  • The application of scientific methods to digital evidence for legal purposes. (correct)

Which of the following is a KEY reason for an organization to invest in computer forensics capabilities?

  • To publicly disclose details about security breaches for transparency.
  • Exclusively to prevent all cybercrimes from occurring.
  • To ensure the integrity of computer systems and prosecute cybercrime perpetrators. (correct)
  • To replace the need for traditional security measures.

In what scenario would computer forensics be MOST essential?

  • Upgrading software on all company computers.
  • Conducting routine system maintenance.
  • Implementing new employee training programs.
  • Responding to a suspected data breach and intellectual property theft. (correct)

Why is it important to identify and gather evidence of cybercrimes in a forensically sound manner?

To ensure the evidence is admissible in court and the integrity of the investigation is maintained. (D)

Which of the following is the MOST important reason to prepare for security incidents in advance regarding network infrastructure?

To ensure the integrity and continuity of network infrastructure. (D)

When should an organization consider using computer forensics to settle disputes among employees?

When the dispute involves potential theft or misuse of company data. (C)

What is the KEY difference between internal and external cybercrime attacks?

Internal attacks originate from within the organization, while external attacks come from outside sources. (B)

Which type of cybercrime involves unauthorized access and extraction of confidential information from a system?

Espionage (D)

What is the POTENTIAL impact of cybercrimes on organizations, regarding trust?

Loss of customer and stakeholder trust. (D)

What is the PRIMARY goal of a cybercrime investigation?

To identify the source and perpetrators of the attack while proving their guilt. (B)

In which type of legal case would the outcome MOST likely result in imprisonment?

Criminal (C)

What is the PRIMARY purpose of an administrative investigation within an organization?

To discover if employees are complying with internal rules or policies. (A)

Why is digital evidence examined in a forensically sound manner?

To ensure the evidence is admissible in court. (A)

Which type of digital evidence is lost when a computer is turned off?

Volatile data (B)

In the context of digital forensics, what does the term 'admissible' mean regarding evidence?

The evidence is allowed in court. (B)

What step MUST be taken to clarify the ownership of digital evidence?

Providing supporting documentation regarding the authenticity of the evidence. (A)

According to the 'best evidence rule', which type of evidence is generally preferred in court?

The original evidence. (A)

What is the PRIMARY purpose of the Scientific Working Group on Digital Evidence (SWGDE)?

To set standards for handling digital evidence. (B)

According to the Association of Chief Police Officers (ACPO) principles of digital evidence, what action should be avoided?

Altering data that may be used in court. (A)

What does 'forensic readiness' refer to in the context of cybersecurity?

An organization's ability to optimally use digital evidence in a limited time with minimal investigation costs. (C)

What is the first key step in forensic readiness planning?

Identifying the potential evidence required for an incident. (B)

Why is it important to create a process for documenting the procedure in forensic readiness planning?

To ensure that all steps are followed correctly and can be reviewed for accuracy. (D)

What is the role of a Security Operations Center (SOC) in computer forensics?

To monitor, manage, and analyze ongoing security activities on an organization's systems. (A)

Which of the following activities is a TYPICAL part of the SOC workflow?

Collecting security logs and forwarding them to a SIEM. (B)

What is the PRIMARY reason for needing a forensic investigator?

To investigate and prosecute cybercrimes with specialized skills and experience. (B)

If a technically inexperienced person examines evidence, what could be a POTENTIAL consequence?

The evidence might become inadmissible in court. (D)

Which of the following tasks is TYPICALLY performed by a forensic investigator?

Reconstructing damaged storage devices to recover hidden information. (C)

What skill is MOST important for a computer forensics investigator when gathering case information?

Interviewing skills (C)

When analyzing the results of tests performed on the data, what is the MOST important attribute a computer forensics investigator must maintain?

Accuracy (A)

What is MOST important when considering the challenges faced in an investigation?

Documenting digital evidence (A)

When was the Gramm-Leach-Bliley Act enacted?

1999 (B)

What type of information is subject to the HIPAA Privacy Rule?

Health (A)

What information is protected by the Payment Card Industry Data Security Standard (PCI DSS)?

Cardholder (C)

What does the Sarbanes-Oxley Act (SOX) of 2002 exist to protect against?

Accounting fraud (A)

Which digital item can be evidence?

All of the above (E)

When must legal guidelines be followed?

All of the above (E)

What is the name of information that requires a constant power supply?

Volatile data (C)

What are the three approaches to managing a cybercrime?

Civil, Criminal, Administrative (A)

Flashcards

Computer Forensics

A branch of digital forensics dealing with crimes across computing devices; it involves identifying, gathering, preserving, extracting, interpreting, documenting, and presenting evidence.

Need for Computer Forensics

Ensuring integrity, prosecuting cybercrime perpetrators, interpreting evidence, tracking perpetrators, saving organizational resources and investigating complex cases.

Why Use Computer Forensics?

Ensuring integrity, gathering evidence, offering data protection, preventing incidents, counteracting online crimes, minimizing losses and prosecuting perpetrators.

Cybercrime

Cybercrimes are any illegal act involving computing systems, applications, or networks, identified based on the crime's nature and target.

Internal/Insider attacks

Arise from within an organization, from employees or associates.

External attacks

Originate from outside sources and target inadequate security policies.

Cybercrime Investigation

Studying a digital crime to identify its source and perpetrators, involving evidence collection, analysis, incident reconstruction, and presentation in court.

Civil Cases

Address disputes between two parties, resulting in monetary damages.

Criminal Cases

Concern crimes harmful to society, leading to law enforcement action.

Administrative Investigation

Refers to internal reviews by an organization to check compliance with rules or policies.

Digital Evidence

Probative information, stored or transmitted electronically, acquired and examined forensically; vital for cybercrime investigations.

Volatile Data

Temporary information on a digital device that requires a constant power supply and is lost if the power supply is interrupted.

Non-volatile Data

Permanent data stored on secondary storage devices that remains intact even when the device is switched off.

Understandable Evidence

Investigators must present evidence clearly to the jury.

Admissible Evidence

Investigators need to present evidence in an admissible manner.

Authentic Evidence

Investigators must provide supporting documents regarding the authenticity of the evidence.

Reliable Evidence

Investigators extract and handle evidence while maintaining a record of the tasks performed during the process.

Complete Evidence

Evidence must prove or disprove the point.

Best Evidence Rule

The court only allows the original evidence of a document, photograph, or recording at the trial, not a copy.

SWGDE Objective

Law enforcement and forensic organizations maintain quality.

ACPO Principle 1

Agencies should not alter data that may later be relied upon.

ACPO Principle 2

A person must be competent to access original data.

ACPO Principle 3

All processes applied to the evidence must be recorded.

ACPO Principle 4

The investigator ensures law and ACPO principles are followed.

Forensic Readiness

An organization's ability to optimally use digital evidence in a limited time and with minimal investigation costs.

Forensic Readiness Planning

Identify evidence, determine sources, define an extraction policy, and securely handle evidence.

Security Operations Center (SOC)

A SOC is a centralized unit that continuously monitors, manages, and analyzes ongoing activities on the organization's information systems.

SOC Collection

Security logs are collected and forwarded to Security Information and Event Management (SIEM).

SOC Ingestion

SIEM ingests log data, threat information, indicators of compromise, and asset inventory for machine-based correlation and detection of anomalous activity.

SOC Validation

SOC analysts identify the indicators of compromise, triage alerts, and validate incidents.

SOC Reporting Action

Validated incidents are submitted to incident response teams through a ticketing system.

Incident Handling and Response

Digital forensics investigators help organizations maintain forensic readiness and implement effective incident handling and response.

Forensic Investigator Actions

Investigators evaluate damage, recover data, handle evidence appropriately, and guide investigations.

Interviewing Skills

Skills to gather case information from victims and suspects.

Research Skills

Skills to learn the case background pertaining to victims and suspects.

Investigator Challenge

Investigators identify, extract, and preserve digital evidence.

Gramm-Leach-Bliley Act (GLBA)

Requires financial institutions to explain information-sharing practices and safeguard data.

FISMA (2014)

Provides a security framework for federal information systems.

HIPAA (1996)

Provides federal protection to health information.

PCI DSS

A standard for organizations handling credit card information.

Study Notes

Computer Hacking Forensic Investigator (CHFI)

  • CHFI is a book by EC-Council

Table of Contents

  • Outlines various modules for the CHFI certification
  • Module 01: Computer Forensics Fundamentals
  • Module 02: Computer Forensics Investigation Process
  • Module 03: Understanding Hard Disks and File Systems
  • Module 04: Data Acquisition and Duplication
  • Module 05: Defeating Anti-forensics Techniques
  • Module 06: Windows Forensics
  • Module 07: Linux and Mac Forensics
  • Module 08: Network Forensics
  • Module 09: Investigating Web Attacks
  • Module 10: Dark Web Forensics
  • Module 11: Database Forensics
  • Module 12: Cloud Forensics
  • Module 13: Investigating Email Crimes
  • Module 14: Malware Forensics
  • Module 15: Mobile Forensics
  • Module 16: IoT Forensics

Understanding Computer Forensics

  • A part of digital forensics focusing on crimes involving computing devices like networks, computers, and digital storage media
  • Involves methodological procedures and techniques
  • Identifies, gathers, preserves, extracts, interprets, documents, and presents evidence
  • Ensures evidence is admissible in legal or administrative proceedings

Need for Computer Forensics

  • Ensures the integrity and existence of an organization's computer system and network infrastructure
  • Captures important information when computer systems or networks are compromised
  • Helps prosecute cybercrime perpetrators
  • Extracts, processes, and interprets evidence to prove attacker actions and guilt or innocence
  • Efficiently tracks perpetrators globally, using IP addresses to pinpoint their locations
  • Saves money and time, as managers allocate significant IT budgets to computer and network security
  • Tracks complex cases, including email spamming and other nefarious activities

Why and When To Use Computer Forensics

  • Computer forensics should be used to prepare for incidents, ensuring integrity and continuity of network infrastructure
  • Helps identify and gather cybercrime evidence in a forensically sound manner
  • Aids in protecting data resources and ensuring regulatory compliance
  • Protects organizations from similar incidents in the future
  • Used to counteract online crimes like abuse, bullying, and reputation damage
  • Minimizes intangible and tangible losses organizations or individuals endure
  • Supports cybercrime prosecution
  • Used to prepare for incidents by strengthening defense mechanisms and closing security loopholes
  • Provides knowledge of cyber law regulations for compliance
  • Used to report cybersecurity breaches, identify incident response actions, and address copyright/intellectual property theft
  • Settles disputes among employees or between employers and employees
  • Estimates and minimizes damage to resources in a corporate setting
  • Sets security parameters and formulates security norms for forensic readiness

Understand Cybercrimes and Investigation Procedures

  • Cybercrime is any illegal act involving computing systems, applications, or networks, generally intentional
  • Cybercrime types include:
  • Internal/Insider attacks originate from within an organization
    • Attacks may come from disgruntled current or terminated employees, business associates, contractors, and undertrained staff
  • External attacks originate from outside sources
    • Frequently occur when proper information security policies and procedures are absent or inadequate

Examples of Cybercrimes

  • Espionage
  • Theft of Intellectual Property
  • Manipulation of Data
  • Trojan Horse Attack
  • Structured Query Language Attack
  • Brute-force Attack
  • Phishing/Spoofing
  • Privilege Escalation Attacks
  • Denial of Service Attack
  • Cyber Defamation
  • Cyberterrorism
  • Cyberwarfare

Impact of Cybercrimes at the Organizational Level

  • Loss of confidentiality, integrity, and availability of stored information in an organization's systems
  • Theft of sensitive data causing compromise
  • Disruption of business activities stopping operations
  • Loss of trust from customers and stakeholders impacting business confidence
  • Reputational damage
  • Huge financial losses
  • Penalties for failure to comply with regulations

Cybercrime Investigation

  • Study the crime's impact and details to identify the source, perpetrators, and their guilt
  • Involves meticulous collection of clues and forensic evidence
  • Analysis of evidence, reconstruction of incident, and presentation of evidence admissible in court
  • Approaches to manage cybercrime investigation include civil, criminal, and administrative

Civil vs. Criminal Investigation

  • Civil cases involve disputes between two parties and lawsuits with verdicts, generally resulting in monetary damages
  • Criminal cases involve crimes considered harmful to society
  • Law enforcement agencies take action against a company, individual, or group
  • Results in monetary damages, imprisonment, or both

Administrative Investigation

  • Internal investigation by a company to see if employees, clients, and partners comply with policy
  • Organizations often limit these investigations to staff, though they can include partners, corporations, and individuals linked to the organization

Understand Digital Evidence

  • Probative information stored on/transmitted through an electronic device
  • Must be acquired and examined in a forensically sound manner
  • Digital evidence is defined as "any information of probative value that is either stored or transmitted in a digital form"
  • Information is from digital storage media, monitoring network traffic, or making duplicate copies of digital data during a forensics investigation

Types of Digital Evidence

  • Volatile data refers to temporary information on a digital device needing constant power which is deleted if the power is interrupted
  • Volatile data includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc
  • Non-volatile data refers to permanent data stored on secondary storage devices
  • Examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs

Rules of Digital Evidence

  • Examples of cases where digital evidence may help the forensic investigator include:
  • Identity theft
  • Malicious attacks on the computer systems themselves
  • Information leakage
  • Unauthorized transmission of information
  • Theft of commercial secrets
  • Internet use/abuse
  • Production of false documents and accounts
  • Unauthorized encryption/password protection of documents
  • Abuse of systems
  • Email communication between suspects/conspirators

Sources of Potential Evidence

  • User-Created Files
  • Address books
  • Database files
  • Media files
  • Documents
  • Internet bookmarks, favorites, etc
  • User-Protected Files
  • Compressed files
  • Password-protected files
  • Misnamed files
  • Hidden files
  • Encrypted files
  • Steganography
  • Computer-Created Files
  • Backup files
  • Swap files
  • Log files
  • System files
  • Configuration files
  • History files
  • Printer spool files
  • Temporary files
  • Cookies

Rules of Evidence

  • Before a legal proceeding, the evidence to be presented must comply with five basic rules:
  • Understandable: Evidence must be presented clearly
  • Admissible: Evidence must be presented in an admissible form
  • Authentic: Authenticity should be clear, with supporting documents authenticating the evidence with detail such as source and relevance
  • Reliable: Forensic investigators should extract and handle the evidence carefully
  • Complete: Completeness of evidence with the aim to prove or disprove claims
  • Best evidence rule
  • Requires original evidential documentation - copies are not permitted

Federal Rules of Evidence (US)

  • Rule 105: Limited Admissibility
  • Rule 801: Hearsay Rule
  • Rule 801: Statements That Are Not Hearsay
  • Rule 803: Hearsay Exceptions - Availability of Declarant Immaterial
  • Rule 804: Hearsay Exceptions; Declarant Unavailable
  • Rule 1002: Requirement of Original
  • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress
  • Rule 1003: Admissibility of Duplicates
  • Rule 1004: Admissibility of Other Evidence of Contents

Scientific Working Group on Digital Evidence (SWGDE)

  • https://www.swgde.org/
  • Law enforcement and forensics organizations must have an effective quality system

The Association of Chief Police Officers (ACPO) Principles of Digital Evidence

  • Principle 1: No data should be changed by agencies or their agents
  • Principle 2: Access to original data requires competence to explain the implications of actions
  • Principle 3: An audit trail should be created and preserved
  • Principle 4: The investigator in charge is responsible for ensuring that law and these principles are followed

Forensic Readiness

  • An organization's ability to use digital evidence in a limited time with minimal investigation costs
  • Involves technical and non-technical actions for maximizing competence in using digital evidence

Forensic Readiness Planning

  • A set of processes to follow to achieve readiness
  • Includes the following activities
  • Identifying the potential evidence required for an incident by defining the purpose of evidence collection and the information to gather
  • Determining the sources of potential evidence
  • Defining a policy that allows you to legally extract electronic evidence with minimal disruption
  • Establishing a policy for securely handling and storing collected evidence for future retrieval
  • Identifying whether the incident requires a full formal investigation
  • Creating a documented process
  • Establishing a legal advisory board to guide the investigation
  • Keeping an incident response team ready

Role of SOC in Computer Forensics

  • Security operations are handled and managed with the help of the Security Operations Center (SOC)
  • SOC is a centralized unit that continuously monitors, manages, and analyzes ongoing activities on information systems
  • Goal is to maintain functionality of an organization by determining, preventing, detecting, and responding to intrusion events
  • Referred to as Security Defense Center (SDC), Security Analytics Center (SAC), Cyber Security Center (NSOC), Threat Defense Center, and Security Intelligence and Operations Center (SIOC)

SOC Workflow

  • Includes the following activities
  • Security logs collected and forwarded to Security Information and Event Management (SIEM)
  • SIEM ingests log data, threat information, indicators of compromise, and asset inventory for machine-based correlation and detection of anomalous activity
  • SOC analysts identify indicators of compromise, triage alerts, and validate incidents
  • Incidents are submitted to the incident response teams through a ticketing system
  • The SOC team reviews incidents and conducts response activities, including detailed forensics
  • Incidents are documented for business audit purposes

Need for a Forensic Investigator

  • Forensic investigators use their skills and experience to find cybercrime perpetrators
  • If technically inexperienced people examine evidence, it may become inadmissible in a court of law
  • Investigators help organizations maintain forensic readiness and carry out incident response

Roles and Responsibilities of a Forensics Investigator

  • Evaluates the damages of a security breach
  • Identifies and recovers data required for investigation
  • Extracts evidence forensically
  • Ensures appropriate handling of evidence
  • Is a guide to the investigation team
  • Creates reports and documents for presenting in a court of law
  • Reconstructs damaged storage devices and uncovers hidden information
  • Updates the organization about various methods of attack and data recovery techniques
  • Represents issues in a court of law to attempt to win the case by testifying

What Makes a Good Computer Forensics Investigator?

  • Interviewing skills to extract information
  • Researching skills relating to client, victim, witnesses and suspects
  • Maintains Accuracy
  • Patience to work long hours
  • Excellent writing skills
  • Analytical skills
  • Communication skills
  • Keeps up to date with new technology
  • Knowledge of platforms and languages
  • Knowledge of technologies, hardware and software
  • Networks with professionals

Understand the Challenges Faced in Investigating Cybercrimes

  • Computer forensic investigators need to identify, extract, preserve, and document digital evidence
  • These are difficult tasks
  • Cybercrime investigations face new challenges and issues
  • These are categorized into general, legal, and privacy issues
  • Gramm-Leach-Bliley Act (GLBA)
  • Requires financial institutions to explain information-sharing practices and safeguard sensitive data
  • Federal Information Security Modernization Act of 2014 (FISMA)
  • Amendment to the Federal Information Security Management Act (FISMA) of 2002
  • Implemented a framework for federal information systems to have more effective information security controls
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Provides federal protections for individually identifiable health information held by covered entities and grants rights to patients
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Proprietary information security standard to protect cardholder data
  • Sarbanes-Oxley Act (SOX) of 2002
  • Protects investors from accounting fraud
