Computer Forensics and Digital Investigation


Questions and Answers

Which of the following best describes the role of computer forensics?

  • Scientifically investigating and analyzing digital devices to gather evidence. (correct)
  • Designing secure computer networks to prevent cyber attacks.
  • Developing software applications for law enforcement agencies.
  • Creating policies for data protection and privacy.

Digital forensics is LEAST likely to be applied in which of the following scenarios?

  • Setting up a home Wi-Fi network with a strong password. (correct)
  • Investigating intellectual property theft within a corporation.
  • Recovering deleted files from a computer used in a criminal activity.
  • Analyzing network traffic to identify the source of a data breach.

How did the increase in the use of personal computers in the 1980s influence the emergence of computer forensics?

  • It led to a decrease in computer-related crime, reducing the need for forensic investigations.
  • It resulted in the recognition of new 'computer crimes', increasing the need for specialized investigations. (correct)
  • It shifted the focus of law enforcement away from traditional crimes.
  • It had no significant impact on the field of forensics.

How does computer forensics differ from cyber security?

  • Cyber security focuses on prevention and protection, while computer forensics is more reactionary, involving tracking and exposing activities. (C, correct)

Which of the following is the MOST accurate description of the relationship between cyber security and computer forensics teams in system security?

  • Cyber security focuses on prevention, while computer forensics takes over if prevention fails, recovering data and investigating intrusions. (D, correct)

Why is following forensic practices, ethical principles, and legal processes important in computer forensics?

  • To guarantee the reliability and admissibility of digital evidence in court. (D, correct)

Which activity is LEAST relevant to the objectives of computer forensics?

  • Developing new encryption algorithms to protect sensitive data. (B, correct)

What is the PRIMARY goal of the 'identification' phase in digital forensics?

  • Determining what evidence is present, where it is stored, and in what format. (B, correct)

Why is documentation critically important in digital forensics?

  • It creates a record of all visible data and findings from the investigation. (B, correct)

Which action is MOST important during the 'preservation' stage of a digital forensics investigation?

  • Isolating and securing data to prevent alteration or corruption. (A, correct)

What is the main purpose of the 'presentation' phase in digital forensics?

  • Producing the documented findings for use in legal proceedings. (D, correct)

Which of the following is an advantage of computer forensics?

  • It can extract, process, and interpret factual evidence to prove cybercriminal actions in court. (A, correct)

What is a primary limitation of digital forensic investigations?

  • The cost of producing and preserving digital evidence can be very high. (B, correct)

Why is it important for a computer forensic investigator to have complete knowledge of the law?

  • To ensure that the evidence handling and documentation procedures comply with legal requirements. (A, correct)

In what situation is digital forensics LIKELY to be used in a private investigation?

  • When a company wants to ensure their employees are using company computers appropriately. (A, correct)

Which of the following cases is MOST likely to be categorized as intellectual property theft?

  • A competitor reverse engineers a product and releases a similar version. (A, correct)

Which of the following activities is directly part of the computer forensics process?

  • Collecting, acquiring, analyzing, and preserving digital evidence. (B, correct)

Digital evidence MUST be authenticated to:

  • Ensure its admissibility in a court of law. (B, correct)

What is the focus of disk forensics?

  • Extracting raw data from primary or secondary storage of the device. (C, correct)

What is the purpose of hashing source and destination media in disk forensics?

  • To verify the integrity of the copied data. (C, correct)

Why is documentation very important in every step of the cyber forensics process?

  • To ensure accuracy, reliability, and repeatability of the investigation. (B, correct)

The overarching network forensics method categorized as 'catch it as you can' refers to what activity?

  • Capturing all network traffic for later analysis. (D, correct)

Which one is NOT a step involved in a network forensics investigation?

  • Speculation. (B, correct)

What is the first step in the 'Examinations of Network Forensics' process?

  • Recognizing the incident. (D, correct)

What does the 'safeguarding' step in network forensics primarily involve?

  • Isolating the data for preservation and security purposes. (D, correct)

In the context of network forensics, what does the term 'documentation' refer to?

  • Summarizing and explaining conclusions for court. (C, correct)

What is the focus of database forensics?

  • Investigating breaches related to databases and metadata. (A, correct)

What is the purpose of investigating timestamps in a database forensic examination?

  • To verify the actions of a database user by tracing update times. (B, correct)

Which scenario would MOST likely require the intervention of a database forensic specialist?

  • There are inconsistencies in the data in the database. (B, correct)

Why does a database forensics expert normally use a read-only method?

  • To avoid modifying or compromising the original data. (B, correct)

What kind of diagnostic tool will a database forensic specialist run?

  • Diagnostic tools to create a forensic copy of the database. (E, correct)

What is the primary goal of malware forensics?

  • To find, analyze, and investigate properties of malware. (C, correct)

Which of the following is least likely to be investigated during malware forensics?

  • The brand of antivirus software installed on the system when the infection happened. (A, correct)

A type of malware that restricts access to a computer system or data, and demands a ransom payment from the victim, is called:

  • Ransomware (C, correct)

What is a key characteristic of a Ryuk ransomware attack?

  • It targets large organizations for high-ransom returns. (B, correct)

What is a botnet?

  • A network of infected devices controlled by an attacker. (A, correct)

What is a symptom of a computer infected with malware?

  • Unexpected new executables. (D, correct)

Which scenario is MOST likely to introduce malware into a system?

  • Downloading files from untrusted websites and from freeware software. (C, correct)

Flashcards

Computer Forensics

A scientific method of investigation and analysis to gather evidence from digital devices, computer networks, and components, suitable for presentation in a court of law.

Cyber Security

Focuses on prevention and protection of computer systems and networks.

Computer Forensics History

Emerged in the 1980s with the rise of personal computers and increased criminal activity; now includes corporate investigations, civil litigation, and more.

Definition of Computer Forensics

Also known as computer forensic science, it extracts data and information from computer systems for use as digital evidence in court.

Objectives of Computer Forensics

Recover, analyze, and preserve computer-related materials; identify crime motives, design procedures at crime scenes, and preserve evidence.

Characteristics of Digital Forensics

Identification, preservation, analysis, documentation, and presentation of digital evidence.

Digital Forensics Procedure

Identification, preservation, analysis, documentation, and presentation.

Advantages of Computer Forensics

Producing court evidence, tracking cybercriminals, protecting organizations' assets, and proving cybercriminal actions.

Disadvantages of Computer Forensics

High costs, need for expert knowledge, and potential for evidence to be rejected if standards aren't met.

Limitations of Digital Forensic Investigation

The examiner must comply with standards and have complete legal knowledge, and producing and preserving digital evidence is costly.

Applications of Digital Forensics

Used in criminal law to support or oppose a hypothesis in court, and in private investigation to investigate employees.

Intellectual Property Theft

Stealing an idea, expression, or invention from an individual or company. Most intellectual property theft cases are federal cases (federal crimes).

Digital Forensics Process

Digital forensics involves identifying, collecting, acquiring, preserving, analyzing, and presenting digital evidence.

Digital Forensics

Analyzing a device before law enforcement takes over.

Disk Forensics

Extracting raw data from storage by searching active, modified, or deleted files.

Identify Digital Evidence

Finding storage devices at a crime scene and checking that the hash values of the original data match those of the copy that was made.

Preserve the Evidence

The original evidence could be tampered with, so it should be placed somewhere safe.

Analyzing the Evidence

Collecting digital evidence from the storage media.

Network Forensics

The investigation and analysis of all traffic on a network, particularly in cybercrime investigations.

"Catch it as you can"

Involves capturing all network traffic for analysis, but might take a long time.

"Stop, look and listen"

Analyzing each data packet in the network and capturing only what is deemed suspicious.

Examinations of Network Forensics

Recognition, safeguarding, accumulating, observation, investigation, documentation, incident response.

Safeguarding

Isolating the data for preservation and security purposes.

Database Forensics

The branch of digital forensic science related to the study of databases and their related metadata.

Database Forensics

Helps reconstruct missing data and decipher data.

Malware Forensics

Finding, analyzing, and investigating various properties of malware.

Malware

Backdoor, botnet, downloader, launcher, ransomware, and rootkit.

Ransomware

Disables the victim's access to data until a ransom is paid.

Botnet

Infects multiple internet-connected devices, turning them into a network of bots.

Infected Systems

The system could be unstable, show unknown executables, or generate unexpected network traffic to sites.

Ways Malware Is Spread

Instant messaging applications, Internet chat, and links and attachments in emails.

Study Notes

Computer Forensics and Digital Investigation

  • Computer forensics uses scientific investigation and analysis to gather evidence from digital devices or networks.
  • The evidence obtained is suitable for presentation in a court of law.
  • Digital forensics is applied to devices like cell phones, tablets, gaming consoles, and computers.
  • Digital forensics is used to fight computer crimes, and originated in law enforcement, computer security, and national defense.
  • Digital forensics is valuable to legal professionals, law enforcement, policymakers, business community, education, and government.
  • It is used in both criminal law and private investigations.

Computer Forensics History

  • Computer forensics traces back to the 1980s with the increase in personal computers and their use in criminal activity.
  • New 'computer crimes' were recognized during that time.
  • Computer crimes and related crimes have since grown.
  • Internet crimes increased by 69% in 2020 compared to 2019.
  • Initially, computer forensics was used primarily in law enforcement investigations.
  • Computer forensics expanded to include corporate investigations, civil litigation, cyber stalking, murder, fraud, etc.

Cyber Security

  • Computer forensics is sometimes confused with cyber security.
  • Cyber security focuses on prevention and protection.
  • Computer forensics is more reactionary and involves tracking and exposing threats.
  • System security usually encompasses both cyber security and computer forensics teams, which work together.
  • Cyber security teams create systems and programs to protect data.
  • Computer forensics teams recover data, investigate intrusion and theft.
  • Information security focuses on protecting information and assets.
  • Both computer forensics and cyber security require knowledge of computer science.

Definition of Computer Forensics

  • Computer forensics is also known as computer forensic science.
  • Computer forensics is a branch of digital forensic science.
  • It involves extracting data and information from computer systems to function as digital evidence.
  • Computer forensics provides forensic practices, legal processes, and ethical principles.
  • These ensure reliable and detailed digital evidence that can be used for courtroom needs.
  • Computer forensics guarantees a well-structured investigation and follow-up processes.
  • This serves the purpose of resolving incidents and malfunctions in an organization.

Objectives of Computer Forensics

  • Recover, analyze, and preserve computer and related materials.
  • Postulate the motive behind the crime and identity of the main culprit.
  • Design procedures at crime scenes to prevent digital evidence from being corrupted.
  • Data acquisition and duplication: Recover deleted files and partitions to extract and validate evidence.
  • Identify evidence quickly to estimate the potential impact of malicious activity on the victim.
  • Produce a comprehensive computer forensic report.
  • Preserve evidence by following the chain of custody.

Characteristics of Digital Forensics

  • Identification: Identifying what evidence is present, where it is stored, and how it is stored.
  • Preservation: Data is isolated, secured, and preserved.
  • Analysis: Forensic lab personnel reconstruct data fragments and draw conclusions based on evidence.
  • Documentation: Create a record of all visible data and findings from investigations.
  • Presentation: Produce documented findings in court for further investigations.

Digital Forensics Procedure

  • Identification: Determine the purpose of investigation & resources needed.
  • Preservation: Isolate, secure and preserve data.
  • Analysis: Identify tools and techniques, process data, and interpret results.
  • Documentation: Document the crime scene, including photographs, sketches, and crime-scene mapping.
  • Presentation: Summarize and explain conclusions based on gathered facts.

Advantages of Computer Forensics

  • Produce evidence that can lead to the punishment of the culprit.
  • Helps companies gather important information on their computer systems and networks.
  • Efficiently tracks down cyber criminals globally.
  • Protects an organization's money and time.
  • Extracts, processes, and interprets factual evidence, proving cybercriminal actions in court.

Disadvantages of Computer Forensics

  • Before digital evidence is accepted in court, it must be proved that it has not been tampered with.
  • Producing and keeping electronic records safe is expensive.
  • Legal practitioners must have extensive computer knowledge.
  • It is necessary to produce authentic and convincing evidence.
  • If the tool used for digital forensics does not meet specified standards, the evidence can be rejected.
  • A lack of technical knowledge on the part of the investigating officer may mean the investigation does not produce the desired result.

Limitations of Digital Forensic Investigation

  • Need to produce convincing evidence:
    • The examiner must comply with standards required for evidence in court.
    • The investigator needs complete knowledge of legal requirements, evidence handling, and procedures.
  • Lack of technical knowledge among the audience:
    • Some are not familiar with computer forensics.
    • Investigators must communicate findings clearly so that everyone understands.
  • Cost: Producing and preserving digital evidence is costly.

Applications of Digital Forensics

  • Criminal Law
    • Evidence is collected to support or oppose a hypothesis in court.
    • Procedures used are similar to those in criminal investigations but with different legal requirements.
  • Private Investigation
    • The corporate world uses digital forensics for private investigations.
    • Digital forensics can be used if there is suspicion that employees are performing illegal activities or activities that are against company policy.

Digital Forensics Application

  • Commonly used in commercial applications:
    • Intellectual property theft
    • Industrial espionage
    • Employment disputes
    • Fraud investigations
    • Inappropriate use of the Internet and email in the workplace

Case 1: Intellectual Property Theft

  • It is based on stealing an idea, creative expression, or invention from a person or company.
  • Most intellectual property theft cases are federal crimes.
  • Copyrighted material is covered under this.
  • Trademarks consist of "words, phrases, symbols, or designs."

Digital Forensics

  • It is the process of analyzing a suspect device before handing it over to law enforcement.
  • It is conducted across several media or devices, such as mobile phones, computers, servers, and networks.
  • Types of forensics are categorized by the device being investigated.

Disk Forensics

  • Involves extracting raw data from primary or secondary storage.
  • Data extraction focuses on active, modified, or deleted files.
  • Disk forensics is a science of extracting forensic information from digital storage media.
  • Examples of digital storage media include: Hard disks, USB devices, Firewire devices, CDs, DVDs, Flash drives, and Floppy disks.

Process of Disk Forensics

  • Identify digital evidence
    • Identify storage devices at the scene of the crime: IDE/SATA/SCSI disks, CDs, DVDs, floppy disks, mobile devices.
  • Authenticate the evidence
    • Occurs in cyber forensics labs.
    • Hash values of both source and destination media are compared to ensure they match.
  • Seize and acquire the evidence
    • The hash value is a unique signature generated by a hashing algorithm from the content of the storage media.
    • The storage media is then secured and taken for processing after the hash value is computed.
  • Preserve the evidence
    • Original evidence is stored in secure storage so that the electronic evidence cannot be tampered with.
  • Analyze the evidence
    • The important step of verification comes before the forensics process.
    • Analysis is done by collecting digital evidence from the storage media.
  • Report the findings
    • The report must be prepared based on the nature of the examination requested by the court or the investigation.
  • Documenting
    • It is important to document every step in the forensics process.
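The authentication step above compares hash values of the source and destination media. The following is an added example (not code from the original notes) of how that check is carried out and recorded: the image is hashed in chunks so that a multi-gigabyte disk image does not have to fit in memory, the source and copy digests are compared, and the result is captured as a custody record that can go straight into the examiner's documentation. The file names, the sample content and the deliberately altered copy are constructed for the demonstration.

```python
"""Verify a forensic copy by hashing source and destination media.

Added example for the disk-forensics process; the paths and the
sample image contents below are constructed, not taken from a case."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media in 1 MiB chunks so large images fit in memory


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (used for small checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_media(path, algorithm="sha256"):
    """Hex digest of a whole file on disk, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(source_path, copy_path, algorithm="sha256"):
    """Compare the source and destination digests and return a custody record.

    The record is what an examiner adds to the case documentation: which
    algorithm was used, both digests, whether they matched, and when."""
    src = hash_media(source_path, algorithm)
    dst = hash_media(copy_path, algorithm)
    return {
        "algorithm": algorithm,
        "source_hash": src,
        "copy_hash": dst,
        "match": src == dst,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed 'source' image, a faithful copy and a copy with
    one bit flipped; return (faithful_matches, altered_matches)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.img")
        good = os.path.join(d, "copy_good.img")
        bad = os.path.join(d, "copy_bad.img")
        data = bytes(range(256)) * 4096  # 1 MiB of constructed content
        _write(source, data)
        _write(good, data)
        _write(bad, data[:-1] + bytes([data[-1] ^ 0x01]))  # flip one bit
        return verify_copy(source, good)["match"], verify_copy(source, bad)["match"]


if __name__ == "__main__":
    faithful, altered = demo()
    print("faithful copy matches source:", faithful)
    print("altered copy matches source:", altered)
```

A single flipped bit anywhere in the copy changes the digest completely, which is why a matching hash on both media is accepted as proof that the acquisition is faithful. In practice the digest is computed on the write-blocked original before imaging and on the image afterwards, and both values are written into the custody record at the time they are produced.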

Network Forensics

  • Investigation and analysis of all traffic across a network.
  • Can be applied to the spread of data-stealing malware or the analysis of cyber attacks.
  • Falls under the digital forensics umbrella.
  • Network forensics is related to the investigation of evidence left behind on a network after a cyber attack.
  • "Catch it as you can" method
    • Captures all network traffic for analysis, but requires a long process and a lot of storage.
  • "Stop, look and listen" method
    • Analyzes each data packet flowing across the network.
    • This method only captures what is deemed suspicious and worthy; it requires high processing power but less storage.

Examination of Network Forensics

  • Recognition: identifying and assessing an incident based on network indicators; this identification step has a vital effect on all subsequent steps.
  • Safeguarding: examiners must isolate the data for preservation and security, to prevent access and tampering.
  • Accumulating: documenting the physical scene and duplicating evidence using standardized methods.
  • Observation: keeping track of visible data.
  • Investigation: investigating agents reconstruct the data.
  • Documentation: "forensic" is a legal term meaning that findings are brought to the court; this step summarizes the overall conclusion.
  • Incident response: information is gathered to validate and assess incidents raised by intrusion detection.

Database Forensics

  • Refers to a branch of digital forensic science.
  • Specifically related to the study of databases and their related metadata.
  • Examines database access and the actions performed.
  • Criminal investigators examine large data security breaches for related information.
  • A forensic examination of a database may investigate the timestamps relating to the update time of a row.
  • This verifies the actions of a particular database user.
  • Intervention of a database forensics specialist is required if there has been a failure or corrupted information,
  • or if there are inconsistencies in database-related activities.

Database Forensics (Continued)

  • Use a read-only method or an identical forensic copy of the data.
  • Working on a copy avoids compromising data when interfacing with a regular database; diagnostic tools must be set up within a defined range.
  • Create a forensic replica to start the analysis.
  • Reconstruct the data logs and files associated with the damage.
  • Decipher the data in order to assess what caused the corruption.
  • Examine the timestamps and the audit trails associated with user behaviour, actions and processes; these isolate suspicious and illegal transactions.
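The notes above describe three practices together: working read-only on a forensic copy, tracing the update time of rows to a user, and using audit trails to isolate suspicious transactions. The following added example (not from the original notes or any database product) shows all three on a small SQLite database: a constructed audit table and a constructed login-session table are written to a file standing in for the forensic copy, the copy is reopened read-only using SQLite's `mode=ro` URI option so that no statement can alter it, and two queries reconstruct one user's timeline and flag audit entries that occurred when the named user had no active session. The schema, table names and rows are all constructed for the demonstration.

```python
"""Read-only examination of a database audit trail and its timestamps.

Added example for the database-forensics notes; the schema and all rows
are constructed and do not come from any real system."""
import os
import sqlite3
import tempfile

# Constructed audit trail: (user, action, table, row_id, timestamp)
AUDIT_ROWS = [
    ("alice", "UPDATE", "accounts", 17, "2024-03-04 09:15:00"),
    ("alice", "UPDATE", "accounts", 18, "2024-03-04 09:16:30"),
    ("bob",   "DELETE", "accounts", 42, "2024-03-04 02:47:10"),
    ("bob",   "UPDATE", "accounts", 43, "2024-03-04 14:05:00"),
]
# Constructed login sessions: (user, login, logout)
SESSION_ROWS = [
    ("alice", "2024-03-04 09:00:00", "2024-03-04 17:00:00"),
    ("bob",   "2024-03-04 13:30:00", "2024-03-04 17:30:00"),
]


def build_copy(path):
    """Write the constructed 'forensic copy' to disk."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE audit(user TEXT, action TEXT, tbl TEXT, row_id INT, ts TEXT);"
        "CREATE TABLE sessions(user TEXT, login TEXT, logout TEXT);"
    )
    con.executemany("INSERT INTO audit VALUES (?,?,?,?,?)", AUDIT_ROWS)
    con.executemany("INSERT INTO sessions VALUES (?,?,?)", SESSION_ROWS)
    con.commit()
    con.close()


def open_read_only(path):
    """Open the copy so that no statement can modify it (SQLite URI mode=ro)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def actions_outside_sessions(con):
    """Audit entries whose timestamp falls outside every login session of the
    same user: the row was changed while that user was not logged in."""
    sql = """
    SELECT a.user, a.action, a.tbl, a.row_id, a.ts
    FROM audit a
    WHERE NOT EXISTS (
        SELECT 1 FROM sessions s
        WHERE s.user = a.user AND a.ts BETWEEN s.login AND s.logout)
    ORDER BY a.ts"""
    return con.execute(sql).fetchall()


def timeline_for_user(con, user):
    """Ordered (timestamp, action, row_id) for one user: the update time of
    each row lets the examiner reconstruct what that user did and when."""
    return con.execute(
        "SELECT ts, action, row_id FROM audit WHERE user = ? ORDER BY ts", (user,)
    ).fetchall()


def write_is_refused(con):
    """True if the read-only connection rejects a modification attempt."""
    try:
        con.execute("DELETE FROM audit")
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True


def demo():
    """Build the copy, reopen it read-only and run the examination."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "copy.db")
        build_copy(path)
        con = open_read_only(path)
        try:
            return (
                actions_outside_sessions(con),
                timeline_for_user(con, "alice"),
                write_is_refused(con),
            )
        finally:
            con.close()


if __name__ == "__main__":
    suspicious, alice_timeline, refused = demo()
    print("actions outside any session:", suspicious)
    print("alice's timeline:", alice_timeline)
    print("write refused on read-only copy:", refused)
```

The only entry flagged is bob's DELETE at 02:47, hours before his session began, which is exactly the kind of timestamp inconsistency the notes say triggers a specialist's intervention. Opening the copy read-only means a mistyped statement during examination fails instead of silently changing the evidence.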

Malware Forensics

  • Finding, analyzing, and investigating various properties of malware.
  • Purpose: determine the culprits and the reason for the attack.
  • The method also includes examining the malicious code.
  • Determining the point of entry, the method of propagation, and the effect on the system.
  • Specialized tools and investigative techniques are used to conduct the investigation.

Types of Malware

  • Backdoor
  • Botnet
  • Downloader
  • Launcher
  • Ransomware
  • Rootkit

Ransomware

  • Disables victim's access to data until ransom is paid.
  • Ryuk ransomware has been targeting organizations since August 2018 and is run as a sophisticated eCrime operation.
  • Ryuk targets large organizations that can pay high ransoms; it is operated by the group WIZARD SPIDER.

Botnet

  • A type of malware that infects multiple internet-connected devices.
  • Turns them into a network of bots.
  • A single attacker can then perform large-scale malicious actions, such as sending spam.
  • Every infected device is called a "bot".
  • A bot is a compromised computer acting as a remotely controlled agent.
  • Common activities include DDoS attacks, which overwhelm targets with traffic.
  • Botnets also harvest personal information such as login credentials.
  • They are also used for cryptojacking, stealing compute power from compromised users.

Symptoms of Infected Systems

  • The system becomes unstable, with resource utilization that affects data and normal operation.
  • Unknown new files or executables.
  • Unexpected or corrupted traffic to sites that are not expected.
  • The browser homepage is altered without the user's approval.
  • Random pop-ups.
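The symptom "unknown new files or executables" is usually confirmed by comparing the current state of a system against a known-good baseline. The following added example (not from the original notes) shows that check in Python: a snapshot records the SHA-256 digest of every regular file under a directory together with whether it is executable, and a diff of two snapshots reports new, modified and removed files, singling out new executables. The directory layout and file contents are constructed for the demonstration; on a real system the baseline would be taken from a clean image or a trusted backup.

```python
"""Detect unknown new files and executables by diffing directory snapshots.

Added example for the 'symptoms of infected systems' notes; the files
created in demo() are constructed stand-ins, not real system files."""
import hashlib
import os
import stat
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".com")


def snapshot(root):
    """Map each regular file (path relative to root) to (sha256, is_executable)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular entries
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            # executable if the owner execute bit is set or the name has a
            # Windows executable suffix (the baseline may come from either OS)
            is_exec = bool(st.st_mode & stat.S_IXUSR) or name.lower().endswith(EXECUTABLE_SUFFIXES)
            result[os.path.relpath(full, root)] = (digest, is_exec)
    return result


def diff_snapshots(baseline, current):
    """Return new, modified and removed paths; 'new_executables' is the subset
    of new files that are executable, the first thing a malware examiner checks."""
    new = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p][0] != current[p][0])
    return {
        "new": new,
        "modified": modified,
        "removed": removed,
        "new_executables": [p for p in new if current[p][1]],
    }


def _put(root, rel, data, executable=False):
    """Write a constructed file, optionally marking it executable."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    if executable:
        os.chmod(full, os.stat(full).st_mode | stat.S_IXUSR)


def demo():
    """Take a baseline, change the tree the way an infection might, and diff."""
    with tempfile.TemporaryDirectory() as d:
        _put(d, "etc/app.conf", b"debug=0\n")
        _put(d, "bin/app", b"#!/bin/sh\necho app\n", executable=True)
        baseline = snapshot(d)
        _put(d, "etc/app.conf", b"debug=1\n")                 # config modified
        _put(d, "tmp/update.exe", b"MZ-placeholder", executable=True)  # new executable
        _put(d, "tmp/notes.txt", b"hello\n")                  # new but not executable
        return diff_snapshots(baseline, snapshot(d))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

A hash-based diff catches a replaced binary even when its name, size and timestamp are unchanged, which a simple listing would miss; the cost is reading every file, so on large trees the snapshot is normally scoped to system and startup directories.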

Ways Malware Invades

  • Instant messaging applications
  • Chats such as Internet Relay Chat (IRC)
  • Devices such as external or flash drives
  • Attachments and links in emails
  • Through file sharing (NetBIOS)
  • Fake programs
  • Untrusted websites

Conclusion

  • Digital investigations and analyses should include: disk forensics, network forensics, database forensics and malware forensics.
