Computer Forensics: Terminology and Practices

Questions and Answers

What is the primary goal of computer forensics?

  • To protect digital evidence from alterations (correct)
  • To utilize automated programs for analysis
  • To increase cooperation among agencies
  • To ensure law enforcement gains more resources

Which is a traditional problem faced in computer investigations?

  • High levels of victim reporting
  • Advanced communication tools
  • Excessive funding for resources
  • Lack of cooperation among agencies (correct)

Which practice is NOT considered a cardinal rule of computer investigations?

  • Work from a live environment (correct)
  • Use an image of the original media
  • Always document procedures
  • Maintain the chain of custody

What hinders victims from reporting incidents of cyber crime?

  Answer: Perception of incompetence of law enforcement

The excessive dependence on which of the following is highlighted as a problem in computer investigations?

  Answer: Automated programs and self-proclaimed experts

What is the primary purpose of using a cyclic redundancy check (CRC) in forensic investigations?

  Answer: To validate data integrity

Which of the following best describes the Encrypting File System (EFS) in the context of forensic investigations?

  Answer: It may create additional steps in the investigative process.

What is NOT a category of software tools required for computer forensic investigations?

  Answer: Project management tools

How often should Standard Operating Procedures (SOP) for forensic investigations be reviewed?

  Answer: Annually

What is one role of the BIOS in a computer system?

  Answer: To provide initial commands for the bootstrap loader

What is the standard sector size for magnetic disks formatted for Windows?

  Answer: 512 bytes

Which term describes the portion of unused space between the logical end of a file and the physical end of a cluster?

  Answer: File slack space

How many primary partitions can an MBR-partitioned fixed disk have?

  Answer: Four

What information does the partition table contain?

  Answer: The location, size and type of each partition, and which one is marked bootable (the table itself is stored inside the master boot record)

In DOS, what does the term 'clusters' refer to?

  Answer: Basic allocation units of storage made of multiple sectors

What distinguishes NTFS from FAT file systems?

  Answer: NTFS includes a Master File Table for file management.

What happens to the data of a file when it is deleted in a FAT file system?

  Answer: The data remains on the disk but its clusters are marked as available.

Which of the following file systems is NOT mentioned in the content as used by Microsoft?

  Answer: EXT4

What is a primary benefit of using NTFS over FAT file systems?

  Answer: NTFS supports larger file sizes and provides better security.

What role does the File Allocation Table (FAT) serve in a file system?

  Answer: It maintains a map of the drive and locates the pieces of each file.

Firmware is simply another name for the hardware in a computer system.

  Answer: False

The Encrypting File System (EFS) simplifies the investigative process for forensic investigators.

  Answer: False

Data integrity can be validated using tools like an MD5 hash.

  Answer: True

Computer forensics aims to examine digital media in a manner that is forensically unsound.

  Answer: False

Standard Operating Procedures (SOP) in forensic investigations should be updated every five years.

  Answer: False

Data recovery/extraction tools are one of the five categories of software tools necessary for computer forensic investigations.

  Answer: True

Maintaining a chain of custody is necessary to preserve the integrity of evidence in computer forensics.

  Answer: True

The introduction of viruses during analysis is a safe practice in computer forensics.

  Answer: False

The chain of custody documents the entire process of handling physical or electronic evidence.

  Answer: True

Computer forensics can be applied only in criminal cases and not in disputes involving digital evidence.

  Answer: False

Imaging programs must be able to alter the original disk during the duplication process.

  Answer: False

The physical extraction phase of data recovery identifies and records data without considering the file system.

  Answer: True

File carving is a technique used for extracting keywords from the operating system.

  Answer: False

Logical extraction includes recovery of deleted files from the disk.

  Answer: True

Data reduction in logical extraction is used to identify and eliminate unknown files.

  Answer: False

NTFS was developed to improve security and provide for smaller file sizes.

  Answer: False

FAT file systems allow data to be stored in contiguous sectors only.

  Answer: False

The Master File Table (MFT) in NTFS describes every file with records.

  Answer: True

When a file is deleted in a FAT file system, the data is completely erased.

  Answer: False

The introduction of disk operating systems has increased the data management burden of applications.

  Answer: False

Flashcards

Computer Forensics Goal

To protect digital evidence from alterations, damage, data corruption, or infection, intentionally or unintentionally.

Inadequate Resources (Investigations)

Limited funds, staff, and training hinder local law enforcement's ability to investigate cybercrimes effectively.

Lack of Communication (Investigations)

Poor communication and cooperation between agencies make investigating cybercrimes more challenging.

Evidence Corruption (Rule)

Always create a copy of the original data (image) instead of working directly on the original hard drive to avoid alterations.

Chain of Custody

Maintaining a detailed record of who handled evidence and when, ensuring evidence integrity.

Sector Size

The amount of data a sector can hold on a magnetic disk; 512 bytes on classic drives.

Cluster

The smallest allocatable unit of disk space for a file.

Logical File Size

The size of a file as seen by the user.

File Slack Space

Unused space between the end of a file and the end of its allocated cluster.

Partition

A section of a hard disk recognised as a single unit by the OS.

File System

The disk management system used by an operating system to organize data on a hard disk.

FAT

File Allocation Table; a file system that maps file locations on a drive.

FAT File system details

Tracks file names, sizes, cluster numbers, and file locations.

NTFS

New Technology File System; a file system improving performance and security in Windows.

Deleted File in FAT

A deleted file doesn't erase data; the system only marks its cluster space as available for reuse.

NTFS slack space

NTFS allocates whole clusters just as FAT does, so the tail of a file's last cluster (slack space) goes unused and can hold remnants of earlier data that forensic investigators can recover.

EFS encryption

Encrypting File System (EFS) adds steps to the forensic investigation process, as encrypted data requires specific decryption procedures (the user's key material has to be recovered before the files can be read).

Data Integrity tools

Tools such as a cyclic redundancy check (CRC) and an MD5 hash are used to validate and verify data integrity. A CRC only detects accidental corruption; a cryptographic hash is what shows the data hasn't been tampered with.

Standard Operating Procedures (SOP)

Formal guidelines that outline forensic investigation procedures, using appropriate tools and steps; they must be updated regularly.

Forensic software categories

Forensic software tools are grouped into preservation, recovery, analysis, reporting, and network utilities.

What is Computer Forensics?

The process of collecting, analyzing, and presenting digital evidence in a legally admissible way. It's used to solve crimes, investigate disputes, and uncover digital evidence.

Why is Computer Forensics Important?

Computer forensics is essential for maintaining the integrity of digital evidence, ensuring it hasn't been altered or contaminated.

Computer Forensics: New Challenges

As technology evolves, so do criminal behaviors and the techniques used to investigate them. New technologies necessitate new forensic methods and strategies.

What is the goal of Computer Forensics?

The goal is to gather and analyze digital information to uncover facts, opinions, and evidence that can be used in legal proceedings.

FAT (File Allocation Table)

A file system that creates a map or directory on a drive, showing the location of each file.

NTFS (New Technology File System)

A file system designed by Microsoft, focusing on security, performance, and larger file sizes.

Master File Table (MFT)

In NTFS, it's a central table containing information about every file, such as its name, size, and location.

Slack Space

Unused space in a file's allocated space on a hard drive, between the end of the file and the end of its allocated cluster.

What is a Forensic Investigator's use of Slack Space?

Forensic investigators examine slack space because the unused sectors of a reallocated cluster are not wiped, so they may contain remnants of deleted files or other valuable information; this applies to NTFS as well as FAT.

What is EFS?

EFS (Encrypting File System) is designed to protect data by encrypting it, offering a layer of security that complicates the forensic process.

What is BIOS?

The Basic Input/Output System (BIOS) is firmware that runs when a computer boots up, initialising the hardware and handing control to the boot loader so the operating system can load.

What is POST?

POST (Power-On Self-Test) is a series of diagnostic checks that the computer performs when it's powered on, ensuring that all the components are working correctly.

Disk Imaging Tool

A software tool that creates an exact copy of a hard drive or partition without altering the original data.

Physical Extraction

The process of retrieving all data from a hard drive, regardless of file system structure.

Logical Extraction

The process of recovering data based on the operating system, file system, and applications.

File Carving

A technique used in physical extraction to recover files based on their unique file header and footer signatures, even if missing file system information.

Keyword Searching

A technique used in physical extraction to find specific data by searching for keywords across the entire hard drive.
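The two physical-extraction techniques on the cards above, header/footer carving and keyword searching, as an added Python example (not code from the original page or from any forensic product). It works on a raw byte string with no file system at all, which is exactly the situation physical extraction deals with. The header and footer signatures for PDF, PNG and JPEG are the real magic numbers; the 64 KiB scan limit, the sample "files" and the filler bytes are constructed for the demonstration.

```python
"""Header/footer carving and keyword search over a raw image (no file system needed)."""
from dataclasses import dataclass

# kind -> (header, footer, maximum bytes to scan for the footer); the magic numbers are
# the real ones for these formats, the scan limit is an assumption for the example
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 64 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 64 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header in the image
    data: bytes
    complete: bool   # False when no footer turned up within the scan limit


def carve(image: bytes, signatures=SIGNATURES):
    """Recover files by signature alone, ignoring any directory or allocation table.

    Naive carving assumes each file is contiguous and stops at the first footer, so
    fragmented files and PDFs with several %%EOF markers come out truncated.
    """
    found = []
    for kind, (header, footer, limit) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + limit)
            foot = image.find(footer, pos + len(header), window_end)
            if foot == -1:
                found.append(CarvedFile(kind, pos, image[pos:window_end], False))
                nxt = pos + len(header)
            else:
                end = foot + len(footer)
                found.append(CarvedFile(kind, pos, image[pos:end], True))
                nxt = end    # skip past the file so embedded headers are not re-carved
            pos = image.find(header, nxt)
    return sorted(found, key=lambda f: f.offset)


def keyword_search(image: bytes, keywords):
    """Offsets of each keyword, in ASCII and in UTF-16LE (how Windows stores most text)."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((pos, kw, enc))
                pos = image.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample "files": real signatures, throwaway contents
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
SAMPLE_JPG_TRUNCATED = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40   # no \xff\xd9


def build_sample_image() -> bytes:
    """Constructed raw image: filler, a PDF, a PNG, a UTF-16LE string and a cut-off JPEG."""
    return (b"\x00" * 300 + SAMPLE_PDF + b"\xaa" * 100 + SAMPLE_PNG
            + "invoice".encode("utf-16-le") + b"\x00" * 36
            + SAMPLE_JPG_TRUNCATED + b"\x00" * 200)


if __name__ == "__main__":
    img = build_sample_image()
    for f in carve(img):
        print(f"{f.kind} @ {f.offset:#x} {len(f.data)} bytes complete={f.complete}")
    for off, kw, enc in keyword_search(img, ["Catalog", "invoice"]):
        print(f"{kw!r} ({enc}) @ {off:#x}")
```

The JPEG is deliberately missing its footer, so the carver returns it flagged as incomplete rather than silently dropping it, and the UTF-16LE search finds the string "invoice" that an ASCII-only keyword search would miss.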

Study Notes

Computer Forensics: Terminology and Requirements

  • Computer forensics is the practice of collecting, analyzing, and reporting digital data in a legally sound manner.
  • It is used for detecting and preventing crime, and resolving disputes where digital evidence exists.
  • The goal of computer forensics is to examine digital media, identify pertinent information, preserve and recover digital evidence, analyze the information, and present the facts and opinions.

Computer Forensics – An Emerging Discipline

  • Computer forensics is an emerging discipline because of new technologies, criminal behaviors, and police techniques.
  • Maintaining the integrity of evidence is crucial to computer forensics.
  • A chain of custody (CoC) documents the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
  • Maintaining a chain of custody is imperative to maintaining the integrity of evidence.
  • Viruses must not be introduced to the suspect machine during analysis.
  • The evidence must remain in its unaltered state throughout the process.

Traditional Problems in Computer Investigations

  • Local law enforcement agencies often face inadequate resources, dwindling budgets, and increased responsibilities, which limits the staff, training and equipment available for cybercrime cases.
  • Lack of communication and cooperation among agencies can hinder successful investigations.
  • Over-reliance on automated programs and self-proclaimed experts may not be sufficient; results must be understood and verifiable, not taken on trust from the tool.
  • The perception of incompetence can lead to victims not reporting the crime.
  • Victims (and corporations) are sometimes discouraged from reporting by their advisors' self-serving opinions.

Evidence Corruption – Cardinal Rules of Computer Investigations

  • Always work from an image of the original hard drive, acquired through a write blocker and verified by hash against the original, so the original data is never altered.
  • Thoroughly document each step of the investigation.
  • Maintaining a chain of custody is essential.

Disk Structure and Digital Evidence: Terms to Know

  • Non-volatile storage: Computer storage that retains data even after the power is off.
  • Computer storage: Refers to the entire storage system, not individual pieces of hardware.
  • Primary storage: RAM.
  • Secondary storage: Drives like hard drives, etc.
  • Floppy disks, CD-ROMs, CD-RWs, hard/fixed disks are examples of secondary storage.
  • Operating Systems: software that manages the computer's hardware and software resources.
  • Hardware: The physical components of a computer.
  • Software: Programs that instruct the computer.
  • Firmware: Instructions embedded in hardware that control specific hardware functions.
  • Computer: The overall device.
  • Static (non-volatile) memory: retains data without power, e.g. ROM and flash. Not to be confused with SRAM, which is volatile.
  • Volatile memory: (RAM) Data is lost without power.

Disk Structure and Data Storage

  • Drives: Physical devices for storing data.
  • Physical file size: The actual space a file takes up on a hard drive.
  • Logical file size: The size of a file in bytes as represented in the file system.
  • Logical partitions: independently managed regions of one physical drive, each of which may carry its own file system; every partition, and any unallocated space between them, must be examined.

Disk Structure and Data Storage Terms

  • Bits are the smallest unit of digital data.
  • Tracks are concentric circles on a hard drive.
  • Cylinders are a group of tracks in a hard drive
  • Sectors are subdivisions of tracks.
  • Shaft: the axle around which the platters turn.
  • Head: the read/write element that flies over each platter surface.
  • Actuator arm: positions the heads over the required track.
  • Platters: the rigid magnetic discs that hold the data.
  • Spindle: the motor-driven hub that spins the platters.
  • ASCII (American Standard Code for Information Interchange) is a character encoding standard.
  • Binary system (base-2).
  • Hexadecimal system (base-16)
  • Clusters (aka file allocation units): One or more sectors that collectively represent the basic allocation units of magnetic disk storage.

Data Storage Scheme

  • Sectors: Fixed units where data is stored. The smallest physical unit on a hard drive; traditionally 512 bytes, although modern "Advanced Format" drives use 4096-byte physical sectors (usually presented to the OS as 512-byte logical sectors).
  • Clusters: One or more adjacent sectors that the computer allocates to a file/data.
  • Logical file size: The size of the file as recorded by the computer's OS.
  • Physical file size: The actual amount of space the file takes up on the drive.
  • File slack: Unused space between the logical and physical end of a file within a cluster.
  • Partitions: Portions of a disk that are identified as independently managed units by the operating system. A disk partitioned with a master boot record (MBR) holds at most four primary partitions, one of which can be flagged "bootable"; one of the four may be an extended partition containing further logical partitions, and GPT disks lift the four-partition limit altogether.
  • Master boot record and partition table: Created during partitioning. The MBR occupies sector 0 and contains the boot code, the four-entry partition table and the 0x55AA boot signature.
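An added Python example (not from the original page) that parses the partition table described above from sector 0 of an MBR disk and reports the unallocated sector ranges between partitions, which an examiner must image and carve just like the partitions themselves. The offsets, entry layout, boot flag, signature and partition type codes are the real MBR format; the sample layout and disk size are constructed for the example.

```python
"""Parse the partition table inside a master boot record (sector 0 of an MBR disk)."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # 446 bytes of boot code precede the four 16-byte entries
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, first LBA, sector count
BOOT_SIGNATURE = b"\x55\xaa"
BOOTABLE = 0x80
EXTENDED_TYPES = {0x05, 0x0F}      # containers for logical partitions
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector0: bytes):
    """Return the populated partition entries with LBA ranges and sizes in bytes."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the full first sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR")
    partitions = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, first_lba, sectors = struct.unpack(ENTRY_FORMAT, sector0[off:off + 16])
        if ptype == 0:
            continue                        # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == BOOTABLE,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "extended": ptype in EXTENDED_TYPES,
            "first_lba": first_lba,
            "last_lba": first_lba + sectors - 1,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return partitions


def unallocated_gaps(partitions, total_sectors: int):
    """Sector ranges no primary partition claims; examine them, data can hide there."""
    gaps, cursor = [], 1                    # LBA 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["first_lba"]):
        if p["first_lba"] > cursor:
            gaps.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["last_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_mbr(entries):
    """Constructed test sector: entries are (bootable, type, first_lba, sectors); CHS fields zeroed."""
    if len(entries) > 4:
        raise ValueError("an MBR partition table holds at most four entries")
    mbr = bytearray(SECTOR_SIZE)
    for slot, (bootable, ptype, first_lba, sectors) in enumerate(entries):
        off = TABLE_OFFSET + 16 * slot
        mbr[off:off + 16] = struct.pack(ENTRY_FORMAT, BOOTABLE if bootable else 0,
                                        b"\0\0\0", ptype, b"\0\0\0", first_lba, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed layout: NTFS system partition, FAT32 data partition, extended container
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800),
                        (False, 0x0C, 206848, 409600),
                        (False, 0x0F, 616448, 1000000)])
SAMPLE_DISK_SECTORS = 2_000_000

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} slot {p['slot']} {p['type_name']:16} LBA {p['first_lba']}-{p['last_lba']} "
              f"{p['size_bytes'] / 2**20:.0f} MiB")
    print("unallocated:", unallocated_gaps(parts, SAMPLE_DISK_SECTORS))
```

Logical partitions inside the extended container have their own chained boot records and are not walked here; a type 0xEE entry means the disk is really GPT-partitioned and the GPT header at LBA 1 is what must be parsed instead.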

Data Storage Scheme: File Systems

  • A file system is the structure used to manage the data on a disk. FAT12, FAT16, FAT32 and NTFS are the file systems used by Microsoft operating systems (DOS and Windows).
  • FAT (File Allocation Table): a table that records which clusters each file occupies (its chain of clusters); the directory entry holds the name, size and starting cluster of the file's data. When a file is deleted the directory entry is flagged and its clusters are marked free, but the data remains on disk until those clusters are overwritten.
  • NTFS (New Technology File System) was developed by Microsoft in the 1990s for security, performance, and support of larger file sizes. It contains a Master File Table (MFT) with a record for every file holding its name, size, timestamps and the location of its data (very small files are stored inside the MFT record itself). More efficient than older file systems, especially for storage efficiency.
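An added Python example, not code from the page, that models the FAT behaviour described above: files are allocated in whole clusters, deletion only flags the entry and frees the clusters, and the slack at the end of a reused cluster still carries the previous file's contents. The volume is a toy (a cluster bitmap, a directory and a byte array, not the on-disk FAT layout); the 512-byte sector, four-sector cluster and the memo text are constructed for the demonstration. The write behaviour follows Windows, which zero-fills the remainder of the last sector written (RAM slack) but does not touch the remaining sectors of the cluster (drive slack).

```python
"""Toy FAT-style volume showing file slack and why deleted data survives reallocation."""
import math

SECTOR_SIZE = 512                       # classic sector size
SECTORS_PER_CLUSTER = 4
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 2048-byte allocation unit


def physical_size(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Space reserved on disk: the logical size rounded up to whole clusters."""
    if logical_size <= 0:
        return 0                        # FAT gives an empty file no cluster at all
    return math.ceil(logical_size / cluster_size) * cluster_size


def file_slack(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of the file and the physical end of its last cluster."""
    return physical_size(logical_size, cluster_size) - logical_size


class ToyFatVolume:
    """A cluster map, a directory and raw cluster data; not the real on-disk FAT layout.

    Writes mimic Windows: the remainder of the last *sector* written is zero-filled
    (RAM slack), but sectors of the cluster the file never reaches keep their old
    contents (drive slack). Deleting flags the directory entry and frees the
    clusters; nothing is wiped.
    """

    def __init__(self, clusters: int):
        self.data = bytearray(CLUSTER_SIZE * clusters)
        self.free = [True] * clusters
        self.directory = {}             # name -> (cluster chain, logical size)
        self.deleted = {}               # flagged entries, as a recovery tool would see them

    def _allocate(self, count: int):
        chain = [i for i, is_free in enumerate(self.free) if is_free][:count]
        if len(chain) < count:
            raise OSError("volume full")
        for c in chain:
            self.free[c] = False
        return chain

    def write(self, name: str, content: bytes) -> None:
        chain = self._allocate(max(1, math.ceil(len(content) / CLUSTER_SIZE)))
        for k, c in enumerate(chain):
            chunk = content[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            chunk += b"\x00" * (-len(chunk) % SECTOR_SIZE)   # zero only to the sector boundary
            start = c * CLUSTER_SIZE
            self.data[start:start + len(chunk)] = chunk
        self.directory[name] = (chain, len(content))

    def delete(self, name: str) -> None:
        chain, size = self.directory.pop(name)
        for c in chain:
            self.free[c] = True
        self.deleted["\xe5" + name[1:]] = (chain, size)    # FAT overwrites the first name byte with 0xE5

    def read(self, name: str) -> bytes:
        chain, size = self.directory[name]
        raw = b"".join(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] for c in chain)
        return raw[:size]

    def slack(self, name: str) -> bytes:
        """Everything past the logical end of the file in its final cluster."""
        chain, size = self.directory[name]
        last = chain[-1]
        used_in_last = size - (len(chain) - 1) * CLUSTER_SIZE
        return bytes(self.data[last * CLUSTER_SIZE + used_in_last:(last + 1) * CLUSTER_SIZE])


SECRET = b"CONFIDENTIAL: wire 50,000 to account 7781 " * 40   # constructed, 1680 bytes


def demo() -> bytes:
    """Write a memo, delete it, reuse its cluster for a 5-byte note, then read the note's slack."""
    vol = ToyFatVolume(clusters=8)
    vol.write("memo.txt", SECRET)
    vol.delete("memo.txt")
    vol.write("note.txt", b"hello")     # lands in cluster 0, touches only its first sector
    assert vol.read("note.txt") == b"hello"
    return vol.slack("note.txt")


if __name__ == "__main__":
    leftover = demo()
    print(f"{len(leftover)} bytes of slack; memo text still present: {b'CONFIDENTIAL' in leftover}")
```

The 5-byte note owns a 2048-byte cluster, so 2043 bytes of slack follow it: the first 507 are the zero-filled RAM slack, and the remaining three sectors still hold most of the deleted memo.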

Disk Structure and Digital Evidence: Firmware

  • Firmware controls certain hardware functions.
  • BIOS (Basic Input/Output System) contains the initial commands used to load the operating system.
  • POST (Power-on self-test) checks that the computer and its hardware components are working correctly.

Disk Structure and Digital Evidence: Data Integrity

  • Data integrity means that the data read back (or copied) is exactly the data that was recorded; checks are needed because errors can creep in during storage, transmission and imaging.
  • CRC (cyclic redundancy check): a checksum algorithm that detects accidental corruption. A CRC is not tamper-evident, because a matching value can be manufactured, so forensic images are also verified with a cryptographic hash (MD5 historically, SHA-256 today) recorded at acquisition and re-checked before analysis.
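An added Python example, not from the original page, covering the integrity checks named here and on the "Data Integrity tools" flashcard: it records CRC-32, MD5 and SHA-256 for an image, verifies a copy, and then shows why the CRC alone is not evidence of integrity by altering one byte of the copy and repairing the CRC with four bytes written into trailing padding. The sample "image" and its padding are constructed; the CRC-32 table and forgery follow the standard reflected CRC-32 algorithm that zlib.crc32 implements.

```python
"""Verify a forensic copy with CRC-32 and cryptographic hashes, and show why CRC alone is not enough."""
import hashlib
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the same algorithm zlib.crc32 uses
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every table entry has a distinct top byte; that is what makes one CRC round invertible
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def fingerprints(data: bytes) -> dict:
    """Values an examiner records at acquisition: CRC-32 for error detection, hashes for tamper evidence."""
    return {
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "md5": hashlib.md5(data).hexdigest(),       # still widely recorded, but collisions are practical
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify(original: bytes, copy: bytes) -> dict:
    """Per-algorithm verdict; a forensically sound duplicate matches on every line."""
    a, b = fingerprints(original), fingerprints(copy)
    return {name: a[name] == b[name] for name in a}


def forge_crc32(data: bytes, target_crc: int) -> bytes:
    """Four bytes that, appended to data, make zlib.crc32(data + patch) == target_crc.

    CRC-32 is linear, so anyone who can write four bytes after the tampered region
    (file slack, padding, a comment field) can restore the expected checksum.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF          # internal register: undo the final XOR
    want = target_crc ^ 0xFFFFFFFF
    # Backwards: the top byte of the register fixes which table entry the last round used
    indices = []
    for _ in range(4):
        idx = TOP_BYTE_TO_INDEX[want >> 24]
        indices.append(idx)
        want = ((want ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF
    # Forwards from the real register: choose each byte so the round hits the required index
    patch = bytearray()
    for idx in reversed(indices):
        patch.append((reg & 0xFF) ^ idx)
        reg = CRC_TABLE[idx] ^ (reg >> 8)
    return bytes(patch)


def tamper_demo() -> dict:
    """Flip one byte of an image copy, repair its CRC in four trailing bytes, compare."""
    original = b"EVIDENCE IMAGE " * 64 + b"\x00" * 8     # constructed; the zeros stand in for slack
    tampered = bytearray(original)
    tampered[7] = ord("3")                                # EVIDENCE -> EVIDENC3
    tampered[-4:] = forge_crc32(bytes(tampered[:-4]), fingerprints(original)["crc32"])
    return verify(original, bytes(tampered))


if __name__ == "__main__":
    print(tamper_demo())    # CRC matches, MD5 and SHA-256 do not
```

The tampered copy passes the CRC check and fails both hash checks, which is the whole argument for recording a cryptographic hash at acquisition; MD5 is shown because the page names it, but since chosen-prefix collisions against MD5 are practical, SHA-256 (or both side by side) is what a current SOP should require.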

Developing Computer Forensic Science Capabilities

  • SOPs (Standard Operating Procedures) must be kept current. They should be readily available and contain the process, the appropriate software and hardware, and details of special procedures. SOPs should be reviewed annually.

Minimum Software Requirements

  • Five kinds of software tools are needed and grouped broadly.
    • Data preservation, duplication, and verification tools: create image copies or bitstream copies of disks without alteration.
    • Data recovery/extraction tools: recover data from a drive.
    • Data analysis tools: review and analyze digital exhibits.
    • Data reporting tools: to present information and details.
    • Network utilities: to manage data communications across network devices.

Conclusions

  • Computer forensics investigations need proper resources, training, and appropriate SOPs to be successful. Collaborative efforts with civilian and corporate entities may be needed. The investigative team should meet minimum equipment standards.
