Computer Forensics and Evidence Integrity

Questions and Answers

What is the smallest physical storage unit on a disk?

Track

Cluster

Cylinder

Sector (correct)

Which of the following best describes logical drives in computer forensics?

Allocated parts of a physical drive managed as independent units (correct)

Actual space occupied by files on a disk

Temporary storage used during computation

Physical layout of a disk's surface

Which piece of hardware is responsible for reading and writing data on a disk?

Head (correct)

Platter

Actuator arm

Spindle

What type of memory is referred to as volatile memory?

Cache and RAM

In the context of data storage, what does a track refer to?

An arc-shaped portion of a disk's surface

What does the File Allocation Table (FAT) do?

Creates a map of the drive identifying file locations

Which file system is known for providing security and larger file size capabilities?

NTFS

What happens to a file's data when it is deleted by a user in a file system?

The data remains but is marked as available for use.

What is the primary function of a file system?

To organize data on a hard disk

Which of the following is NOT a file system available from Microsoft?

ext4

What is a requirement for an imaging program as defined by NIST?

It must log I/O errors.

During the physical extraction phase, what does keyword searching accomplish?

It identifies data that the file system may not account for.

Which characteristic is NOT identified during logical extraction?

Physical location on the disk

What is the primary goal of computer forensics?

To protect digital evidence from alterations

Which of the following is NOT a traditional problem in computer investigations?

High rates of victim reporting

What is the main purpose of data reduction in the logical extraction process?

To eliminate duplicate and known files.

What is the role of file carving during physical extraction?

To reconstruct files even when the file system is not intact.

What is a major reason for the low reporting rate of cyber crimes by victims?

Perceived incompetence of law enforcement

Which of the following is one of the cardinal rules of computer investigations?

Document every step of the process

What challenge arises from excessive dependence on automated programs in investigations?

Great expectations may not be met

What best describes the logical file size on a disk?

The exact size of the file in bytes

Which term refers to arc-shaped portions of a disk track used for data storage?

Sectors

Which storage type retains data without requiring power?

Nonvolatile storage

What component in a disk drive is responsible for moving the read/write head across the platters?

Actuator arm

Which of the following represents a system for encoding information in electronic devices?

Binary system

What is the standard size of each sector on magnetic disks formatted for Windows?

512 bytes

Which of the following accurately describes file slack space?

It is the unused space between the logical end of a file and the physical end of a cluster.

What is the maximum number of primary partitions that can be created on a fixed disk?

4

What does the partition table NOT indicate?

Total disk space available

Which statement is true regarding clusters in magnetic disk storage?

Clusters represent the basic allocation units of magnetic disk storage.

What is one tool used for verifying data integrity?

MD5-Hash

Which category of software tools would you use for extracting deleted files?

Data recovery/extraction tools

Why should Standard Operating Procedures (SOP) be reviewed annually in forensic investigations?

Technology evolves, impacting investigation methods

What impact does the Encrypting File System (EFS) have on investigations?

It adds complexity to the investigative process

What is NOT one of the five categories of minimum software requirements for forensic investigations?

Programming languages

What is a primary feature of the New Technology File System (NTFS)?

It uses a Master File Table to manage files.

Which statement accurately describes the purpose of the File Allocation Table (FAT)?

It creates a map that identifies the location of each piece of a file.

What significant change did the introduction of disk operating systems bring to data management?

They reduced the data management burden for applications.

Which characteristic of NTFS makes it more advantageous than FAT in terms of storage efficiency?

It manages files through clusters that can be of variable sizes.

Why might investigators become confused when analyzing a logical drive's size?

They could overlook hidden partitions that are not readily visible.

Study Notes

Computer Forensics and Cyber Crime

• Computer forensics is the practice of collecting, analyzing, and reporting digital data legally. It aids in crime detection and prevention, resolving disputes
• Its purpose is to examine digital media, identify, preserve, recover, analyze, and report facts and opinions about the digital information
• Computer forensics is an emerging discipline, affected by new technologies, evolving criminal behavior, and changing police strategies
• Maintaining the integrity of evidence is crucial to computer forensic investigations. This involves maintaining a chain of custody, protecting the evidence from contamination, and ensuring any analysis preserves the original state

Evidence Integrity

• Chain of Custody (CoC) documents the seizure, handling, analysis, and disposition of evidence, ensuring its integrity. It involves detailed records of every stage
• Employing a chain of custody is crucial for legal admissibility
• The process requires procedures for maintaining accurate records at every stage
• Avoiding contamination or alteration of digital evidence is paramount

Traditional Problems in Computer Investigations

• Local law enforcement faces increasing responsibilities and dwindling budgets, limiting educational opportunities
• Cooperation and communication among agencies is frequently weak
• Overreliance on automated programs and self-proclaimed experts can be detrimental in computer investigations
• Insufficient reporting of crimes due to victims' perceptions of law enforcement's capabilities, self-serving behavior of corporate advisors and inadequate resources, hindering effective investigations

Evidence Corruption – Cardinal Rules of Computer Investigations

• Always work from a duplicate image, leaving the original hard drive unharmed
• Thorough documentation is essential in every step
• Maintain a meticulous chain of custody

Disk Structure and Digital Evidence

• Terms: Nonvolatile storage, computer storage, primary storage, secondary storage, floppy disks, CD-ROMs, CD-RWs, hard disks, operating systems, hardware, software, firmware, static memory, volatile memory
• Drives: Physical drives at the machine level; physical file size (actual space); logical drives (independent units) in forensic analysis, crucial for computer forensics.
  • Logical file size, exact size of a file in bytes
• Data Storage Scheme: Sectors: smallest physical unit, arc-shaped portion of a track. Sectors are sequentially numbered.
  • Magnetic disks formatted for Windows use 512 bytes per sector
  • Clusters grouped adjacent sectors, minimum space allocation for individual files
  • File slack space, unused area between a file's end and the cluster's end
• Partitions: Disk partitions that operating systems divide the disk into (maximum four).
  • Partition of the "boot" drive that the operating system resides on has to be bootable
  • Extended partitions can be subdivided into logical drives. A master boot record and partition table are created for the hard drive to track partitions
• Partition table: identifies locations of partitions and indicates which partition is bootable. Also contains MBR and partition data at specific locations on the disk
• File systems: Underlying structure for computer data organization on a hard disk. Examples are FAT16, FAT32, and NTFS. The file system structure greatly impacts how data is retrieved after crimes occur
• FAT (File Allocation Table): Map or directory of each part of a file
  • File stored in a nonphysical space until the clusters are used
  • Deleting a file does not delete its data on the disk, just marks the cluster as available
• NTFS (New Technology File System): developed by Microsoft, provides security, performance, and larger file sizes.
  • Data is structured using a table-based system where data is indexed
  • Fragmentation means that data is stored in different locations on the disk, which can impact forensics but is a feature of the file system itself

Firmware – Operating Instructions

• BIOS (Basic Input/Output System): initial commands concerning the bootstrap loader
• POST (Power-on Self-Test): process verifying devices after power on

Data Integrity

• Cyclical redundancy checksum (CRC): tool for data validation
• MD5 Hash: data verification tool
• Hashkeeper: software listing known files

Developing Computer Forensic Science Capabilities

• SOPs must be clear and easily accessible, current, and include different software, hardware, and specific investigative procedures
• SOPs should undergo annual review due to the field's dynamic nature

Minimum Software Requirements

• Categories: Data preservation, duplication, and verification; Data recovery/extraction; Data analysis; Data reporting; Network utilities

Data Preservation, Duplication and Verification Tools

• NIST defines imaging programs as tools that create a bit-by-bit copy of a disk or partition, onto a fixed or removable media. The tool must not alter the original disk and must be able to access IDE and SCSI devices. It must verify the integrity of the image file and log all errors, providing extensive documentation.

Data Recovery/Extraction Tools

• Physical Extraction: identifying data across the entire physical hard drive without regard to file system structure
• Logical Extraction: identifying data based on the installed file system(s) and application(s), including active files, deleted files, slack space, and unallocated file space. Includes keyword searching, file carving, or the analysis of unused space on the disk partitions.

Data Analysis Tools

• Categories: Indexing, text searching, viewers, time frame analysis, and application analysis
• Examples: analyzing file names, identifying different operating systems, correlating data to applications, assessing relations between files (such as emails), and determining the value of unknown file types to investigations. One can examine where files were stored in the OS or the disk structure

Data Reporting Tools

• Reports must include lab name, address, report date, investigating officer name, agency, case number, case details, case information, lab case identifier, evidence log, and the physical description of any evidence.

Other Required Software

• Miscellaneous software needed includes presentation software (like PowerPoint), word processors, spreadsheet software, wiping software, antivirus software, and networking tools.

Conclusions

• Poor investigations usually stem from inadequate resources, inadequate training, and lack of administrative initiative
• Need for sufficient training and tools for forensic computer science
• Collaboration between forensic investigators and civilian or corporate experts is frequently important.
• Meeting minimum requirements like appropriate equipment and housing is important

Description

This quiz covers the fundamentals of computer forensics, focusing on the techniques used for collecting and analyzing digital data. It also emphasizes the importance of maintaining evidence integrity through proper chain of custody procedures. Test your knowledge on how these practices aid in crime detection and legal processes.