Computer Forensics and Cyber Crime
59 Questions

Questions and Answers

What is the primary aim of computer forensics?

  • To socialize with cybercriminals
  • To prevent all computer-related crimes
  • To create and modify digital media
  • To collect, analyze, and report digital data legally (correct)

Which category is NOT included in the goals of computer forensics?

  • Modifying digital evidence for better clarity (correct)
  • Preserving digital media
  • Identifying facts about digital information
  • Recovering lost data

What does FAT stand for in computer forensics?

  • Fast Analysis Technology
  • File Allocation Table (correct)
  • Failure Alert Threshold
  • Formatted Allocation Timing

Which aspect is NOT part of the data recovery methods used by agencies?

  Answer: Searching for hidden physical evidence

Which of the following describes a function of computer forensics?

  Answer: To present facts and opinions about digital information

Which element is crucial for maintaining the integrity of evidence?

  Answer: Creating a chain of custody

What traditional problem is related to the adequacy of law enforcement resources?

  Answer: Decreased budgets leading to inadequate resources

What issue exacerbates the lack of reporting in cybercrime cases?

  Answer: The perception that law enforcement is incompetent

What is a common issue in computer investigations regarding expert assistance?

  Answer: Dependence on self-proclaimed experts

What is a primary cardinal rule in computer investigations?

  Answer: Leave the original hard drive unaltered; work from a verified image.

Which type of storage is referred to as nonvolatile?

  Answer: Floppy disks

What does 'logical file size' refer to?

  Answer: The exact size of a file's contents measured in bytes.

Which of the following is NOT considered a type of computer storage?

  Answer: Dynamic memory

What is the importance of maintaining the chain of custody in computer investigations?

  Answer: To document every transfer of evidence between individuals.

What is the maximum number of primary partitions that a hard disk can have?

  Answer: 4 (on an MBR-partitioned disk; GPT disks are not limited to four)

What is the role of the partition table on a hard disk?

  Answer: To identify the locations of the partitions.

Which of the following file systems is NOT associated with Microsoft?

  Answer: ext4

What is the significance of the master boot record (MBR)?

  Answer: It holds the partition table, which indicates which partition is bootable.

Why does partitioning matter in forensic investigations?

  Answer: It enables users to hide entire partitions, so the examiner must account for every partition on the disk, not only the mounted ones.

Computer forensics is solely concerned with the prevention of crime.

  Answer: False

The goal of computer forensics includes analyzing digital media in a forensically sound manner.

  Answer: True

FAT is unimportant in the context of computer investigations.

  Answer: False

Computer forensics can only be performed by law enforcement agencies.

  Answer: False

One of the roles of computer forensics is to present facts and opinions about digital information.

  Answer: True

Sectors are the largest physical storage unit on a disk.

  Answer: False (they are the smallest)

Clusters represent the minimum space allocated to an individual file in DOS.

  Answer: True

Logical file size and physical file size refer to the same measurement.

  Answer: False

File slack space is the portion of unused space between the logical end of a file and the physical end of a sector.

  Answer: False (it extends to the physical end of the file's last cluster)

Magnetic disks formatted for Windows contain a standard sector size of 1024 bytes.

  Answer: False (512 bytes traditionally; 4,096 bytes on Advanced Format drives)

A hard disk can have a maximum of four primary partitions.

  Answer: True (for MBR partitioning)

A master boot record can have multiple bootable partitions at the same time.

  Answer: False (only one partition is flagged active)

The partition table contains information on the file system used by the operating system.

  Answer: False

The file system allows data to be stored in continuous sectors on a hard disk.

  Answer: False

Extended partitions can be subdivided into a maximum of 23 additional logical disks.

  Answer: True

Data recovery tools provide both physical and logical extraction phases.

  Answer: True

The physical extraction phase ignores the entire physical drive.

  Answer: False

File carving is a process similar to keyword searching for recovering files.

  Answer: True

Data reduction during logical extraction eliminates unknown files.

  Answer: False (it eliminates known files so that unknown files remain for review)

Hidden files are files that are intentionally obscured.

  Answer: True

What is one of the categories of software tools used in computer forensics?

  Answer: Data recovery/extraction tools

Which of the following is a critical aspect of the standard operating procedure (SOP) in computer forensics?

  Answer: It should specify the appropriate software and hardware.

What must imaging programs do according to the National Institute of Standards and Technology (NIST)?

  Answer: Make a bitstream duplicate without altering the original disk.

Which of the following is NOT a minimum hardware requirement for computer forensics?

  Answer: User-friendly software

What is a recommended frequency for reviewing Standard Operating Procedures in computer forensics?

  Answer: Annually

What is a vital consideration for protecting digital evidence during analysis?

  Answer: Ensuring the evidence remains in an unaltered state

Which issue significantly affects the reporting of cybercrime incidents?

  Answer: The perception of incompetence among law enforcement

What challenge do local law enforcement agencies face in computer investigations?

  Answer: Dwindling budgets with increased responsibilities

What is the primary purpose of computer forensics?

  Answer: To analyze digital data in a way that is legally admissible

What is the primary goal of maintaining a chain of custody in digital forensics?

  Answer: To track evidence and prevent tampering

Which of the following best describes the role of FAT in computer forensics?

  Answer: It plays a crucial role in organizing and locating data on disks

What misconception about law enforcement and cybercrime is commonly held by corporate advisors?

  Answer: That law enforcement lacks sufficient resources for effective investigations

What are the five categories of software used in computer investigation primarily intended for?

  Answer: To assist in evidence collection and analysis

Which method is typically NOT associated with data recovery in computer forensics?

  Answer: Software installation

What is a significant challenge computer forensics faces concerning criminal behavior?

  Answer: The constant evolution of technology and techniques

What is one key advantage of NTFS over FAT?

  Answer: It supports larger files and provides better security

What does the Master File Table (MFT) contain in an NTFS system?

  Answer: A record for every file, including its attributes and allocation information

What is a Cyclical Redundancy Check (CRC) used for?

  Answer: Ensuring data integrity during transfers

What does the term 'slack space' refer to in the context of NTFS?

  Answer: Unused space in a cluster that is not occupied by the file's data

Which of the following statements accurately describes the function of a BIOS?

  Answer: It initializes hardware components and runs a self-test during boot-up

Study Notes

Computer Forensics and Cyber Crime

• Computer forensics is the practice of collecting, analyzing, and reporting on digital data in a legally admissible way.
• It is used to detect and prevent crime and to resolve disputes involving digital evidence.
• The goal is to examine digital media in a forensically sound manner in order to identify, preserve, recover, analyze, and present facts and opinions about the digital information.

Learning Objectives

• Understand challenges in computer investigations.
• Learn about computer disk structures.
• Explore data storage methods.
• Examine data recovery techniques.
• Understand FAT and its significance in computer investigations.
• Identify software categories used in computer investigations.

Computer Forensics – An Emerging Discipline

• New technologies and new criminal behaviors drive the field.
• Law enforcement needs new techniques and strategies.
• Maintaining evidence integrity is crucial.
• Chain of Custody (CoC): a chronological record of who handled the evidence, when, and why, from seizure to disposal.
• Goal: protect digital evidence from alteration, damage, data corruption, or infection.

Traditional Problems in Computer Investigations

• Inadequate resources: law enforcement agencies face shrinking budgets alongside increased responsibilities.
• Lack of communication and cooperation: collaboration between agencies is insufficient.
• Overreliance on automated tools and on self-proclaimed experts.
• Lack of reporting: victims may not report crimes because they have little confidence in law enforcement's ability to investigate them.
• Evidence corruption: always work from a verified image of the drive, never from the original, and keep accurate records of every step taken.

Disk Structure and Digital Evidence

• Storage terms:
  • Nonvolatile storage (retains data without power): floppy disks/diskettes, CD-ROMs, CD-RWs, hard/fixed disks
  • Volatile memory (lost when power is removed): cache, RAM
  • Primary storage, secondary storage, static memory
• System terms: computer, hardware, software, firmware, operating systems
• Drives (physical and logical)
• Physical file size: the storage space a file actually occupies on disk, in whole clusters.
• Logical file size: the exact size of the file's contents in bytes.
• Other terms: spindle, ASCII, binary/hexadecimal number systems, clusters (file allocation units), compressed files
• Drive anatomy: platters, tracks, sectors, heads, cylinders, and the actuator arm

Data Storage Scheme

• Sectors: the smallest physical data unit on a disk, arc-shaped; traditionally 512 bytes (4,096 bytes on Advanced Format drives).
• Clusters: groups of adjacent sectors; the smallest unit of space a file system allocates to a file.
• Logical file size: exact size of the file's data in bytes.
• Physical file size: actual space the file occupies on the disk, rounded up to whole clusters.
• File slack: the unused space between the logical end of a file and the physical end of its last cluster; it can still hold remnants of earlier files.
• Partitions: regions of a hard drive treated as separate logical units.
• Master Boot Record (MBR): the first sector of an MBR-partitioned disk; holds the boot code, the partition table, and the 0x55AA signature.
• Partition table: the 64-byte structure inside the MBR with four 16-byte entries giving each primary partition's location, size, and type, and flagging which one is bootable (active). Only one entry is normally flagged active; an extended partition entry points to a chain of logical partitions.
• File systems: the structures an operating system uses to manage data on a hard drive.
• FAT (File Allocation Table): a table with one entry per cluster that chains together the clusters belonging to each file; the directory records a file's name, size, and starting cluster.
• NTFS (New Technology File System): Microsoft's later file system with access control, journaling, and support for much larger files and volumes.
  • Master File Table (MFT): holds a record for every file and directory on the volume, including its attributes and where its data is allocated.
  • Fragmentation: a file's clusters are not contiguous but scattered across the disk in several runs.
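The partition table, the active flag, cluster chains in the FAT, and file slack described above, worked through in code. This is an added example and not code from the original lesson; the 512-byte sector size, the constructed MBR, the constructed FAT16 table and the cluster size of eight sectors are assumptions chosen for the demonstration.

```python
import struct

SECTOR = 512  # assumed sector size (traditional value for MBR disks)

# Partition type IDs an examiner must recognise when accounting for every partition
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector0: bytes) -> list:
    """Decode the four 16-byte partition-table entries at offset 446 of an MBR.

    One entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4),
    multi-byte fields little-endian. Empty slots are skipped.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        entries.append({
            "slot": i,
            "bootable": status == 0x80,        # only one entry should carry the active flag
            "type": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "extended": ptype in (0x05, 0x0F),  # container for logical partitions
            "lba_start": lba_start,
            "sectors": count,
            "size_bytes": count * SECTOR,
        })
    if sum(e["bootable"] for e in entries) > 1:
        raise ValueError("more than one partition flagged active")
    return entries


def make_entry(status: int, ptype: int, lba_start: int, count: int) -> bytes:
    """Pack one partition-table entry (CHS fields zeroed; modern tools use the LBA fields)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)


def build_demo_mbr() -> bytes:
    """Constructed MBR: a bootable NTFS partition followed by an extended partition."""
    table = (make_entry(0x80, 0x07, 2048, 204800)
             + make_entry(0x00, 0x05, 206848, 409600)
             + bytes(32))                      # two empty slots
    return bytes(446) + table + b"\x55\xAA"


FAT16_EOC = 0xFFF8  # values >= this mark end of chain; 0xFFF7 marks a bad cluster


def walk_fat16_chain(fat: list, start: int) -> list:
    """Follow a FAT16 cluster chain from `start` and return every cluster of the file.

    fat[n] holds the number of the cluster that follows n (0 = free). The walk stops
    at an end-of-chain marker and refuses loops, free entries and bad clusters, all
    of which indicate corruption or a file that has been deleted.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur} out of range")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC:
            return chain
        if nxt == 0:
            raise ValueError(f"chain broken at cluster {cur}: next entry is free (deleted or corrupt)")
        if nxt == 0xFFF7:
            raise ValueError(f"chain runs into a bad cluster after {cur}")
        cur = nxt


# Constructed FAT16 table: entries 0 and 1 are reserved; 2->3->7->EOC is a healthy file,
# 4->5->4 is a loop, 8->9->free is a chain whose tail has been released.
DEMO_FAT = [0xFFF8, 0xFFFF, 3, 7, 5, 4, 0, 0xFFFF, 9, 0]


def slack_breakdown(logical_size: int, sector: int = SECTOR, sectors_per_cluster: int = 8) -> dict:
    """Physical size and slack of a file of `logical_size` bytes. RAM slack runs to the end
    of the last sector written; drive slack is the rest of the last cluster."""
    cluster = sector * sectors_per_cluster
    clusters = -(-logical_size // cluster)   # ceiling division; a 0-byte file owns no cluster
    physical = clusters * cluster
    slack = physical - logical_size
    ram_slack = (-logical_size) % sector if logical_size else 0
    return {"clusters": clusters, "physical_size": physical, "slack": slack,
            "ram_slack": ram_slack, "drive_slack": slack - ram_slack}


if __name__ == "__main__":
    for part in parse_mbr(build_demo_mbr()):
        print(part)
    print(walk_fat16_chain(DEMO_FAT, 2))
    print(slack_breakdown(1000))
```

Running the block prints the two decoded partitions (the extended one has no active flag and is the container the logical disks hang off), the cluster chain 2, 3, 7 for the healthy file, and a 1,000-byte file occupying one 4,096-byte cluster with 24 bytes of RAM slack and 3,072 bytes of drive slack. The two broken chains raise instead of silently returning a partial file, which is the behaviour an examiner wants from a recovery tool.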

Disk Structure and Digital Evidence – Firmware, Data Integrity

• Firmware: operating instructions stored on the hardware itself.
  • BIOS (Basic Input/Output System): runs the initial commands at power-on and the bootstrap loader that hands control to the operating system.
  • POST (Power-On Self-Test): the BIOS routine that tests the hardware before booting.
• Data integrity:
  • Cyclical Redundancy Check (CRC): detects accidental corruption during transfer or storage; it is not a cryptographic check and can be forged, so it says nothing about deliberate tampering.
  • MD5 hash: used to verify that a file or image is unchanged; MD5 is collision-broken, so current practice records SHA-256 (or MD5 and SHA-1 together) for evidence.
  • HashKeeper: a database of hash values of known files, used to recognize known-good and known-bad files.

Developing Computer Forensic Science Capabilities

• Standard Operating Procedures (SOPs) are vital in forensic investigations and should be reviewed at least annually.

Minimum Housing Requirements

• The SOP defines the physical environment required for investigations.

Minimum Hardware Requirements

• Important hardware considerations for forensic investigations: an evidence storage drive, an examination operating system, a write blocker so the original media cannot be modified, and battery backup power.

Minimum Software Requirements

• Five broad categories: (1) data preservation, duplication, and verification tools; (2) data recovery/extraction tools; (3) data analysis tools; (4) data reporting tools; and (5) other required software such as wiping utilities, antivirus, and network tools.

1- Data preservation, duplication, and verification tools

• The National Institute of Standards and Technology (NIST) specifies that a disk imaging program must create a bitstream duplicate of the original media and must not alter the original.

2- Data recovery/extraction tools

• Physical extraction: recovers data from across the entire physical disk without regard to the file system, including unallocated space.
• Logical extraction: collects files as the file system presents them, based on the operating system and applications, and includes deleted and hidden files where they can be identified.
• Keyword searching.
• File carving: recovering files from unallocated space by their header and footer signatures when the file system metadata that pointed to them is gone.
• Extraction of the partition table.
• Data reduction: filtering out known files by hash so that only unknown files need review.
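Header/footer carving over raw unallocated space, as an added example (not the lesson's own code). The signature table, the size cap and the sample blob are constructed for the demonstration; the blob contains one complete JPEG, one complete PNG, and a JPEG whose tail was overwritten, to show how a carver should treat a header with no footer.

```python
# Constructed signature table: (file type, header, footer). Real carvers ship
# hundreds of these; two common image formats are enough to show the method.
SIGNATURES = [
    ("jpg", b"\xFF\xD8\xFF", b"\xFF\xD9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
]
MAX_CARVE = 10 * 1024 * 1024  # assumed upper bound on one carved file


def carve(blob: bytes, signatures=SIGNATURES, max_size=MAX_CARVE) -> list:
    """Scan raw (unallocated) data for each header and cut the file at the first
    footer that follows it. A header with no footer within max_size is reported as
    truncated rather than carved, so a partial file is never passed off as whole."""
    found = []
    for ftype, header, footer in signatures:
        pos = 0
        while (start := blob.find(header, pos)) >= 0:
            limit = min(len(blob), start + max_size)
            end = blob.find(footer, start + len(header), limit)
            if end < 0:
                found.append({"type": ftype, "offset": start, "length": None, "truncated": True})
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": ftype, "offset": start, "length": end - start,
                          "truncated": False, "data": blob[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_unallocated() -> bytes:
    """Constructed unallocated-space blob: zero filler around a complete JPEG,
    a complete PNG, and a JPEG whose tail has been overwritten."""
    filler = bytes(300)
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 100 + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 80 + b"IEND\xAE\x42\x60\x82"
    truncated = b"\xFF\xD8\xFF\xE1" + b"T" * 50
    return filler + jpg + filler + png + filler + truncated


if __name__ == "__main__":
    for hit in carve(build_unallocated()):
        print(hit["type"], hit["offset"], hit["length"], "truncated" if hit["truncated"] else "")
```

Cutting at the first footer is the simplest rule and the one that fails on JPEGs with embedded EXIF thumbnails, which contain their own FFD8/FFD9 pair; production carvers parse the format's structure instead of relying on signatures alone. The truncated hit is still worth reporting: the fragment's offset tells the examiner where to look with a keyword search.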

3- Data analysis tools

• Tools for indexing, text searching, file viewing, and other methods of analyzing the extracted data.

4- Data reporting tools

• Tools that produce the required documentation of the investigation's findings.

5- Other required software

• Presentation, word processing, spreadsheet, wiping, antivirus, and network tools.
• Guidance Software's EnCase (includes imaging, verification, supporting hardware devices, and password crackers).
• AccessData's tools (compatible with EnCase, SnapBack, and SafeBack image formats).

Other forensic utilities

• Imaging, verification, and wiping: ByteBack, SafeBack, Maresware's Declasfy, WipeDrive
• Unix: Data Dumper (dd), grep, The Coroner's Toolkit

Conclusions

• Poorly run investigations are usually the result of administrative apathy, insufficient resources, and lack of training.
• Forensic capabilities must be developed and maintained.
• Collaboration with civilian and corporate entities is helpful.
• Minimum requirements for equipment and housing need to be met.

Description

This quiz covers the fundamentals of computer forensics and its role in investigating cyber crimes. Explore key concepts such as data recovery techniques, disk structures, and the importance of evidence integrity. Test your knowledge of the challenges faced in digital investigations and the software used in this emerging discipline.