Computer Forensics and Cyber Crime

Questions and Answers

What is the primary aim of computer forensics?

  • To socialize with cybercriminals
  • To prevent all computer-related crimes
  • To create and modify digital media
  • To collect, analyze, and report digital data legally (correct)

Which category is NOT included in the goals of computer forensics?

  • Modifying digital evidence for better clarity (correct)
  • Preserving digital media
  • Identifying facts about digital information
  • Recovering lost data

What does FAT stand for in computer forensics?

  • Fast Analysis Technology
  • File Allocation Table (correct)
  • Failure Alert Threshold
  • Formatted Allocation Timing

Which aspect is NOT part of the data recovery methods used by agencies?

  • Searching for hidden physical evidence (A) (correct)

Which of the following describes a function of computer forensics?

  • To present facts and opinions about digital information (D) (correct)

Which element is crucial for maintaining the integrity of evidence?

  • Creating a chain of custody (D) (correct)

What traditional problem is related to the adequacy of law enforcement resources?

  • Decreased budget leading to inadequate resources (A) (correct)

What issue exacerbates the lack of reporting in cybercrime cases?

  • The perception of incompetence by law enforcement (C) (correct)

What is a common issue in computer investigations regarding expert assistance?

  • Dependence on self-proclaimed experts (C) (correct)

What is a primary cardinal rule in computer investigations?

  • Leave the original hard drive unaltered. (A) (correct)

Which type of storage is referred to as nonvolatile?

  • Floppy disks (B) (correct)

What does 'logical file size' refer to?

  • The size of a file measured in bytes. (C) (correct)

Which of the following is NOT considered a type of computer storage?

  • Dynamic memory (D) (correct)

What is the importance of maintaining the chain of custody in computer investigations?

  • To document the transfer of evidence between individuals. (D) (correct)

What is the maximum number of primary partitions that a hard disk can have?

  • 4 (A) (correct)

What is the role of the partition table on a hard disk?

  • To identify the locations of partitions. (C) (correct)

Which of the following file systems is NOT associated with Microsoft?

  • ext4 (A) (correct)

What is the significance of the master boot record (MBR)?

  • It indicates which partition is bootable. (A) (correct)

How does partitioning benefit forensic investigations?

  • It enables users to hide entire partitions. (C) (correct)

Computer forensics is solely concerned with the prevention of crime.

  • False (B) (correct)

The goal of computer forensics includes analyzing digital media in a forensically sound manner.

  • True (A) (correct)

FAT is unimportant in the context of computer investigations.

  • False (B) (correct)

Computer forensics can only be performed by law enforcement agencies.

  • False (B) (correct)

One of the roles of computer forensics is to present facts and opinions about digital information.

  • True (A) (correct)

Sectors are the largest physical storage unit on a disk.

  • False (B) (correct)

Clusters represent the minimum space allocated to an individual file in DOS.

  • True (A) (correct)

Logical file size and physical file size refer to the same measurement.

  • False (B) (correct)

File slack space is the portion of unused space between the logical end of a file and the physical end of a sector.

  • False (B) (correct)

Magnetic disks formatted for Windows contain a standard sector size of 1024 bytes.

  • False (B) (correct)

A hard disk can have a maximum of four primary partitions.

  • True (A) (correct)

A master boot record can have multiple bootable partitions at the same time.

  • False (B) (correct)

The partition table contains information on the file system used by the operating system.

  • False (B) (correct)

The file system allows data to be stored in continuous sectors on a hard disk.

  • False (B) (correct)

Extended partitions can be subdivided into a maximum of 23 additional logical disks.

  • True (A) (correct)

Data recovery tools provide both physical and logical extraction phases.

  • True (A) (correct)

Physical extraction phase ignores the entire physical drive.

  • False (B) (correct)

File carving is a process similar to keyword searching for recovering files.

  • True (A) (correct)

Data reduction during logical extraction eliminates unknown files.

  • False (B) (correct)

Hidden files are files that are intentionally obscured.

  • True (A) (correct)

What is one of the categories of software tools used in computer forensics?

  • Data recovery/extraction tools (D) (correct)

Which of the following is a critical aspect of the standard operating procedure (SOP) in computer forensics?

  • They should consist of appropriate software and hardware. (B) (correct)

What must imaging programs do according to the National Institute of Standards and Technology (NIST)?

  • Make a bitstream duplicate without altering the original disk. (C) (correct)

Which of the following is NOT a minimum hardware requirement for computer forensics?

  • User-friendly software (A) (correct)

What is a recommended frequency for reviewing Standard Operating Procedures in computer forensics?

  • Annually (A) (correct)

What is a vital consideration for protecting digital evidence during analysis?

  • Ensuring evidence remains in an unaltered state (C) (correct)

Which issue significantly affects the reporting of cybercrime incidents?

  • Perception of incompetence among law enforcement (B) (correct)

What challenge do local law enforcement agencies face in computer investigations?

  • Dwindling budgets with increased responsibilities (B) (correct)

What is the primary purpose of computer forensics?

  • To analyze digital data for legal admissibility (D) (correct)

What is the primary goal of maintaining a chain of custody in digital forensics?

  • To track evidence and prevent tampering (A) (correct)

Which of the following best describes the role of FAT in computer forensics?

  • It plays a crucial role in organizing and accessing data on disks (A) (correct)

What misconception about law enforcement and cybercrime is commonly held by corporate advisors?

  • Law enforcement lacks sufficient resources for effective investigations (D) (correct)

What are the five categories of software used in computer investigation primarily intended for?

  • To assist in evidence collection and analysis (B) (correct)

Which method is typically NOT associated with data recovery in computer forensics?

  • Software installation (B) (correct)

What is a significant challenge computer forensics faces concerning criminal behavior?

  • Constant evolution of technology and techniques (A) (correct)

What is one key advantage of NTFS over FAT?

  • Enables larger file sizes and provides better security (B) (correct)

What does the Master File Table (MFT) contain in an NTFS system?

  • Descriptions of files, including their attributes and allocation information (D) (correct)

Which validation method uses a Cyclical Redundancy Check (CRC)?

  • For ensuring data integrity during transfers (C) (correct)

What does the term 'slack space' refer to in the context of NTFS?

  • Unused space in a cluster that is not occupied by a file (D) (correct)

Which of the following statements accurately describes the function of a BIOS?

  • It initializes hardware components and runs a self-test during boot-up (C) (correct)

Flashcards

Computer Forensics

Collecting, analyzing, and reporting digital data in a legally acceptable way, used in crime detection and disputes.

Digital Data Collection

Gathering digital evidence in a way that maintains its integrity and admissibility in a court of law.

Computer Forensics Goal

Examining digital media to uncover facts and opinions about the digital information, in a forensically sound manner.

Legal Admissibility

Digital evidence that holds up in a court of law.

Data Recovery

The process of retrieving lost or inaccessible digital data from storage devices.

Chain of Custody (CoC)

A documented history of evidence, showing who possessed it, when, and how it was handled. This ensures its integrity and legal admissibility.

Traditional Computer Forensics Challenges

Limited resources, poor communication, and reliance on automated tools and unqualified experts are some recurring hurdles.

Low Reporting Rates

Victims often hesitate to report cybercrimes due to distrust in investigative capabilities or potential consequences.

Corporate Advisors' Influence

Corporate advisors may discourage reporting cybercrimes to protect their clients, even if it hampers justice.

What is the difference between physical and logical drives?

A physical drive refers to the actual hardware device and the data stored at the electronic level, while a logical drive refers to software-defined partitions of a physical drive that are managed as independent units. It is the logical drive organization that is most crucial for computer forensics.

What is a 'logical file size'?

The exact size of a file, measured in bytes, as it appears to the operating system.

What is 'physical file size'?

The actual space a file occupies on a physical drive.

What is Non-volatile Storage?

Storage that retains data even when power is off. Examples include hard disks, CDs, DVDs, flash drives.

What is Volatile Memory?

Data is lost when the power is off. Examples include RAM, cache.

Partition

A section of a hard disk that the operating system treats as a single unit. Typically, a hard drive can have up to four partitions.

Extended Partition

A specific type of partition that can be further subdivided into multiple logical disks. It allows for more flexible storage organization.

Partition Table

A table containing information about each partition on a hard disk. It identifies the partition's location, bootable status, and other details.

File System

The way a computer organizes data on a hard disk. It's responsible for managing file storage and retrieval.

Master Boot Record (MBR)

A special sector on a hard disk that contains information about disk partitions, including the location of the operating system's boot loader. It's crucial for launching the operating system.

What is computer forensics?

It's the practice of gathering, analyzing, and presenting digital evidence in a legally acceptable way, used for investigating crimes or disputes.

Why is computer forensics important?

It helps investigators uncover digital evidence, track down criminals, and resolve disputes involving digital information.

What's the challenge with digital evidence?

It's easily altered, making it crucial to collect and preserve it in a way that maintains its integrity and admissibility in court.

How does a computer store data?

Data is stored on a hard drive, which is divided into sections called partitions. These partitions are then organized into files and folders using a file system.

What is the Master Boot Record (MBR)?

It's a special section on a hard drive that contains information about the disk's partitions and the location of the operating system's boot loader.

What is a Sector?

The smallest physical storage unit on a disk. It's like a tiny slice of a track containing data. Operating systems determine the size of each sector.

What is a Cluster?

A group of one or more adjacent sectors that make up the basic storage unit for files on a disk. It's the minimum space allocated to a file.

What is Logical File Size?

The actual size of a file in bytes, as seen by the operating system.

What is File Slack Space?

The unused space between the end of a file and the end of the cluster it's stored in. It can potentially hide deleted data.

What is a Partition?

It's a section of a hard drive that the operating system considers as a single unit. It allows for organizing storage space efficiently and can have a maximum of four partitions.

What's an Extended Partition?

A special partition that can be further divided into multiple logical disks. It offers flexibility in organizing and managing storage space on a hard drive.

What is a Partition Table?

A table that holds information about each partition on a hard drive. It identifies the partition's location, bootable status, and other essential details.

What is a File System?

It's the structure that a computer uses to organize data on a hard drive. It manages file storage and retrieval, ensuring efficient access to information.

Physical Extraction

The process of extracting data directly from the physical drive without relying on the file system. This method examines every sector of the drive, including areas outside the file system, to identify and recover data.

Logical Extraction

The process of extracting data based on the file system structure and operating system information. This method focuses on files, folders, and the organization of data within the file system.

Keyword Searching

A physical extraction technique that searches for specific words or phrases across all sectors of the drive, regardless of file system organization. This can uncover hidden or deleted data.

File Carving

A physical extraction technique that recovers files based on their unique file signatures instead of relying on file system metadata. This allows for recovery of deleted or fragmented files.

Data Reduction

A logical extraction technique that eliminates known or irrelevant files to focus on the most important data for the investigation.

What are the challenges of computer forensics?

Digital evidence is easily altered, so maintaining its integrity and legal admissibility is crucial. This involves carefully handling, preserving, and analyzing the evidence.

Traditional Problems in Computer Investigations

Challenges like limited resources, poor communication between agencies, overreliance on automated tools, and underreporting of cybercrimes.

Why Reporting Cybercrimes is Low?

Victims often don't report cybercrimes due to mistrust in law enforcement, fear of repercussions, or believing the process is too complex.

FAT (File Allocation Table)

A directory that maps a drive, identifying the location of each file's data and its size. It allows for efficient access to stored files.

NTFS (New Technology File System)

A more advanced file system developed by Microsoft, offering enhanced security, performance, and larger file sizes.

Master File Table (MFT)

A key component of NTFS, it contains records describing each and every file on the drive, like a detailed inventory.

BIOS (Basic Input/Output System)

The initial set of instructions that load when your computer starts up, including boot sector information.

POST (Power-on Self-test)

A self-diagnostic routine that runs after your computer powers on, checking for hardware problems.

SOP

Standard Operating Procedure, a set of guidelines for conducting computer forensics investigations. They ensure consistency, accuracy, and legal admissibility of findings.

Minimum Housing Requirements

Specific environmental needs for a computer forensics lab, ensuring optimal conditions for evidence storage and analysis, maintaining chain of custody.

Minimum Hardware Requirements

Essential hardware components needed for a computer forensic lab, including storage, processing, and security.

Data Preservation Tools

Software designed to create exact copies of digital evidence (images) without altering the original source, crucial for maintaining integrity.

Network Utilities

Software tools used in computer forensics to analyze network traffic, identify suspicious activity, and track data flow.

Study Notes

Computer Forensics and Cyber Crime

  • Computer forensics is the practice of collecting, analyzing, and reporting on digital data legally.
  • It's used to detect and prevent crime and resolve disputes involving digital evidence.
  • The goal is to examine digital media forensically, identify, preserve, recover, analyze, and present facts and opinions about the digital information.

Learning Objectives

  • Understand challenges in computer investigations.
  • Learn about computer disk structures.
  • Explore data storage methods.
  • Examine data recovery techniques.
  • Understand FAT and its significance in computer investigations.
  • Identify software categories used in computer investigations.

Computer Forensics – An Emerging Discipline

  • New technologies and criminal behaviors drive the field.
  • Law enforcement needs new techniques and strategies.
  • Maintaining evidence integrity is crucial.
  • Chain of Custody (CoC): A chronological record of evidence handling, from seizure to disposal.
  • Goal: Protect digital evidence from alterations, damage, data corruption, or infection.

Traditional Problems in Computer Investigations

  • Inadequate resources: Law enforcement agencies often face budget constraints and increased responsibilities.
  • Lack of Communication and Cooperation: Collaboration between agencies is insufficient.
  • Overreliance on automated tools and self-proclaimed experts.
  • Lack of reporting: Victims may not report crimes due to low confidence in law enforcement's ability to investigate.
  • Evidence Corruption: Always work from an image of the hard drive to prevent altering the original. Maintain accurate records of every step.

Disk Structure and Digital Evidence

  • Terms:
    • Nonvolatile storage
    • Computer storage
    • Primary storage
    • Secondary storage
    • Floppy disks/diskettes
    • CD-ROMs
    • CD-RWs
    • Hard/fixed disks
    • Operating systems
    • Hardware
    • Software
    • Firmware
    • Computer
    • Static memory
    • Volatile memory (cache, RAM)
    • Drives (physical and logical)
    • Physical File Size: Actual storage space used.
    • Logical File Size: Exact file size in bytes.
  • Other terms for hardware components: spindle, ASCII, binary/hexadecimal systems, clusters (file allocation units), compressed files
  • Illustration of drive structure: platters, tracks, sectors, heads, cylinder, and actuator arm

Data Storage Scheme

  • Sectors: Smallest physical data units on a disk, arc-shaped.
  • Clusters: Groups of adjacent sectors, units of magnetic storage.
  • Logical File Size: Exact size of a file.
  • Physical File Size: Actual space the file occupies on the disk.
  • File Slack: Space between logical and physical end of a file.
  • Partitions: Parts of a hard drive labeled as separate units.
  • Master Boot Record (MBR): Essential part of partitioning.
  • Partition Table: Contains locations of partitions, indicates bootable partitions, contains MBR.
  • File Systems: Structures used by operating systems to manage data on a hard drive.
  • FAT (File Allocation Table): Directory that maps files to their allocated sectors.
  • NTFS (New Technology File System): Improved file system with security features and support for larger files.
    • Master File Table (MFT): Contains information about every file in NTFS.
    • Fragmentation: A file's data is broken down into multiple fragments.

Disk Structure and Digital Evidence - Firmware, Data Integrity

  • Firmware: Operating instructions for hardware.
    • BIOS (Basic Input/Output System): Initial commands, bootstrap loader.
    • POST (Power-on self-test): Checks computer hardware at startup.
  • Data Integrity:
    • Cyclical Redundancy Check (CRC): Aids in data validation
    • MD5 hash: Verification tool for files
    • Hashkeeper: Software to catalog known file identifiers

Developing Computer Forensic Science Capabilities

  • Standard Operating Procedures (SOP) are vital in forensic investigations.

Minimum Housing Requirements

  • SOP defines necessary environment for investigations.

Minimum Hardware Requirements

  • Important considerations for hardware in forensic investigations:
    • Evidence storage drive, operating system, write blocker, battery.

Minimum Software Requirements

  • Five broad categories: preservation/duplication/verification tools; recovery/extraction tools; analysis tools; reporting tools; other required software (including network utilities).

1- Data preservation, duplication, and verification tools

  • National Institute of Standards and Technology (NIST) definition of an imaging program: creates a bitstream duplicate and does not alter the original.

2- Data recovery/extraction tools

  • Physical extraction: Records data across the entire physical disk.
  • Logical extraction: Collects files based on the operating system, applications, and potentially deleted or hidden files.
  • Keyword searching.
  • File carving.
  • Extraction of the partition table.

3- Data analysis tools

  • Tools for indexing, text searching, file viewers and other methods for analyzing data.

4- Data reporting tools

  • Required aspects of reporting on the investigation findings

5- Other required software

  • Presentation, word processing, spreadsheet, wiping, antivirus, network tools.
  • Guidance Software's EnCase (includes imaging, verification, hardware devices and password crackers)
  • AccessData (compatible with EnCase, SnapBack, SafeBack)

Other forensic utilities

  • Imaging and Verification: ByteBack, SafeBack, Maresware's DECLASFY, AccessData's WipeDrive
  • Unix: Data Dumper (dd), grep, The Coroner's Toolkit

Conclusions

  • Poorly run investigations are often due to administrative apathy, insufficient resources, and lack of training.
  • Forensic capability requirements must be met.
  • Collaboration with civilian and corporate entities is helpful.
  • Minimum requirements for equipment and housing need to be met.
