Computer Forensics: Terminology and Practices

Questions and Answers

What is the primary goal of computer forensics?

To protect digital evidence from alterations (correct)

To utilize automated programs for analysis

To increase cooperation among agencies

To ensure law enforcement gains more resources

Which is a traditional problem faced in computer investigations?

High levels of victim reporting

Advanced communication tools

Excessive funding for resources

Lack of cooperation among agencies (correct)

Which practice is NOT considered a cardinal rule of computer investigations?

Work from a live environment (correct)

Use an image of the original media

Always document procedures

Maintain the chain of custody

What hinders victims from reporting incidents of cyber crime?

Perception of incompetence of law enforcement

The excessive dependence on which of the following is highlighted as a problem in computer investigations?

Automated programs and self-proclaimed experts

What is the primary purpose of using a Cyclical Redundancy Check (CRC) in forensic investigations?

To validate data integrity

Which of the following best describes the Encrypting File System (EFS) in the context of forensic investigations?

It may create additional steps in the investigative process.

What is NOT a category of software tools required for computer forensic investigations?

Project management tools

How often should Standard Operating Procedures (SOP) for forensic investigations be reviewed?

Annually

What is one role of the BIOS in a computer system?

To provide initial commands for the bootstrap loader

What is the standard sector size for magnetic disks formatted for Windows?

512 bytes

Which term describes the portion of unused space between the logical end of a file and the physical end of a cluster?

File slack space

How many maximum partitions can a fixed disk have?

Four

What information does the partition table contain?

Bootable partition identification and master boot record

In DoS, what does the term 'clusters' refer to?

Basic allocation units of storage made of multiple sectors

What distinguishes NTFS from FAT file systems?

NTFS includes a Master File Table for file management.

What happens to the data of a file when it is deleted in a FAT file system?

The data remains on the disk but is marked as available.

Which of the following file systems is NOT mentioned in the content as used by Microsoft?

EXT4

What is a primary benefit of using NTFS over FAT file systems?

NTFS supports larger file sizes and provides better security.

What role does the File Allocation Table (FAT) serve in a file system?

It maintains a map of the drive and locates file pieces.

Firmware refers only to hardware functioning in a computer system.

False

The Encrypting File System (EFS) simplifies the investigative process for forensic investigators.

False

Data integrity can be validated using tools like MD5-Hash.

True

Computer forensics aims to examine digital media in a manner that is forensically unsound.

False

Standard Operating Procedures (SOP) in forensic investigations should be updated every five years.

False

Data recovery/extraction tools are one of the five categories of software tools necessary for computer forensic investigations.

True

Maintaining a chain of custody is necessary to preserve the integrity of evidence in computer forensics.

True

The introduction of viruses during analysis is a safe practice in computer forensics.

False

The chain of custody documents the entire process of handling physical or electronic evidence.

True

Computer forensics can be applied only in criminal cases and not in disputes involving digital evidence.

False

Imaging programs must be able to alter the original disk during the duplication process.

False

The physical extraction phase of data recovery identifies and records data without considering the file system.

True

File carving is a technique used for extracting keywords from the operating system.

False

Logical extraction includes recovery of deleted files from the disk.

True

Data reduction in logical extraction is used to identify and eliminate unknown files.

False

NTFS was developed to improve security and provide for smaller file sizes.

False

FAT file systems allow data to be stored in continuous sectors only.

False

The Master File Table (MFT) in NTFS describes every file with records.

True

When a file is deleted in a FAT file system, the data is completely erased.

False

The introduction of disk operating systems has increased the data management burden of applications.

False

Study Notes

Computer Forensics: Terminology and Requirements

• Computer forensics is the practice of collecting, analyzing, and reporting digital data in a legally sound manner.
• It is used for detecting and preventing crime, and resolving disputes where digital evidence exists.
• The goal of computer forensics is to examine digital media, identify pertinent information, preserve and recover digital evidence, analyze the information, and present the facts and opinions.

Computer Forensics – An Emerging Discipline

• Computer forensics is an emerging discipline because of new technologies, criminal behaviors, and police techniques.
• Maintaining the integrity of evidence is crucial to computer forensics.
• A chain of custody (CoC) documents the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
• Maintaining a chain of custody is imperative to maintaining the integrity of evidence.
• Viruses must not be introduced to the suspect machine during analysis.
• The evidence must remain in its unaltered state throughout the process.

Traditional Problems in Computer Investigations

• Local law enforcement agencies often face inadequate resources, dwindling budgets, and increased responsibilities.
• Lack of communication and cooperation among agencies can hinder successful investigations.
• Over-reliance on automated programs and self-proclaimed experts may not be sufficient.
• The perception of incompetence can lead to victims not reporting the crime.
• Victims (and corporations) are sometimes discouraged from reporting due to their advisors' self-serving opinions.
• Lack of sufficient resources at law enforcement agencies can be a problem.

Evidence Corruption – Cardinal Rules of Computer Investigations

• Always work from an image of the original hard drive to avoid altering the original data.
• Thoroughly document each step of the investigation.
• Maintaining a chain of custody is essential.

Disk Structure and Digital Evidence: Terms to Know

• Non-volatile storage: Computer storage that retains data even after the power is off.
• Computer storage: Refers to the entire storage system, not individual pieces of hardware.
• Primary storage: RAM.
• Secondary storage: Drives like hard drives, etc.
• Floppy disks, CD-ROMs, CD-RWs, hard/fixed disks are examples of secondary storage.
• Operating Systems: software that manages the computer's hardware and software resources.
• Hardware: The physical components of a computer.
• Software: Programs that instruct the computer.
• Firmware: Instructions embedded in hardware that control specific hardware functions.
• Computer: The overall device.
• Static memory: Retains data even without power.
• Volatile memory: (RAM) Data is lost without power.

Disk Structure and Data Storage

• Drives: Physical devices for storing data.
• Physical file size: The actual space a file takes up on a hard drive.
• Logical file size: The size of a file in bytes as represented in the file system.
• Logical partitions: Independent units of a physical drive important for computer forensics.

Disk Structure and Data Storage Terms

• Bits are the smallest unit of digital data.
• Tracks are concentric circles on a hard drive.
• Cylinders are a group of tracks in a hard drive
• Sectors are subdivisions of tracks.
• Shaft
• Head
• Actuator arm
• Platters
• Spindle
• ASCII (American Standard Code for Information Interchange) is a character encoding standard.
• Binary system (base-2).
• Hexadecimal system (base-16)
• Clusters (aka file allocation units): One or more sectors that collectively represent the basic allocation units of magnetic disk storage.

Data Storage Scheme

• Sectors: Fixed units where data is stored. The smallest physical unit on a hard drive.
• Clusters: One or more adjacent sectors that the computer allocates to a file/data.
• Logical file size: The size of the file as recorded by the computer's OS.
• Physical file size: The actual amount of space the file takes up on the drive.
• File slack: Unused space between the logical and physical end of a file within a cluster.
• Partitions: Portions of a disk that are identified as independently managed units by the operating system. The maximum is four partitions on a disk (with one considered "bootable").
• Master boot record and partition table: Created during partitioning to manage the hard drive.

Data Storage Scheme: File Systems

• File system (FFS) is the structure used to manage the data on the disk. DOS, FAT16, FAT32, and NTFS are examples of FFS used in Windows operating systems.
• FAT (File Allocation Table): Contains the location of each piece of a file, and details its size and the starting location of the file's data in the drive's sector regions. Deleted files remain until the drive is reformatted.
• NTFS (New Technology File System) was developed by Microsoft in the 1990s for security, performance, and support of larger file sizes. Contains a Master File Table that describes each file by recording information like size and the starting location or cluster. More efficient than older file systems, especially for storage efficiency.

Disk Structure and Digital Evidence: Firmware

• Firmware controls certain hardware functions.
• BIOS (Basic Input/Output System) contains the initial commands used to load the operating system.
• POST (Power-on self-test) checks that the computer and its hardware components are working correctly.

Disk Structure and Digital Evidence: Data Integrity

• Data integrity refers to how correctly data is recorded on the disk, and how easily errors might occur during transmission.
• CRC (Cyclical Redundancy Checksum) a checksum algorithm to validate data integrity.

Developing Computer Forensic Science Capabilities

• SOP (Standard Operating Procedures) are constantly updated. Should be readily available and contain the process, appropriate software and hardware, and details of special procedures. SOPs should be reviewed annually.

Minimum Software Requirements

• Five kinds of software tools are needed and grouped broadly.
  • Data preservation, duplication, and verification tools: create image copies or bitstream copies of disks without alteration.
  • Data recovery/extraction tools: recover data from a drive.
  • Data analysis tools: review and analyze digital exhibits.
  • Data reporting tools: to present information and details.
  • Network utilities: to manage data communications across network devices.

Conclusions

• Computer forensics investigations need proper resources, training, and appropriate SOPs to be successful. Collaborative efforts with civilian and corporate entities may be needed. Investigative team should meet minimum equipment standards.

Description

Explore the essential concepts and requirements of computer forensics in this quiz. Test your knowledge on digital evidence collection, analysis, and the importance of maintaining the integrity of information. Understand the emerging trends and techniques that shape this critical field today.