Computer Forensics: Terminology and Requirements
Questions and Answers

What is the primary goal of computer forensics?

  • To ensure evidence is stored permanently
  • To analyze digital media for legal purposes (correct)
  • To collect evidence in a digital format
  • To prevent unauthorized access to digital systems

Which of the following is NOT a component of maintaining the integrity of evidence in computer forensics?

  • Ensuring the evidence remains unaltered
  • Maintaining a chain of custody
  • Preventing viruses on suspect machines
  • Making the evidence publicly accessible (correct)

What does the chain of custody (CoC) refer to in computer forensics?

  • The documentation of evidence handling procedures (correct)
  • The analysis of stored digital evidence
  • The software used for data encryption
  • The process of recovering lost digital information
Why is it critical to ensure that viruses are not introduced during the analysis of a suspect machine?

  • To keep the evidence in an unaltered state

How can computer forensics assist in crime prevention?

  • By analyzing the behavioral patterns of offenders

Which aspect of computer forensics deals specifically with the legal admissibility of digital evidence?

  • Forensically sound examination

Which of the following technologies is likely to influence emerging patterns of criminal behavior in computer forensics?

  • Cloud computing

In what way does computer forensics support dispute resolution?

  • By providing evidence that is stored digitally

Which term refers to the actual space a file occupies on a disk?

  • Physical file size

What are sectors in relation to disk storage?

  • Fixed-size units in which data is stored

In computer forensics, which file size is most important for analysis?

  • Logical file size

Which of the following is not a type of memory?

  • Dynamic memory

What is the smallest physical storage unit on a disk?

  • Sector

Which of the following best describes a 'track' in disk structure?

  • A circular path on the disk surface along which data is stored

Which system uses a base-16 numeral system?

  • Hexadecimal

What is the function of the actuator arm in a disk drive?

  • To position the read/write heads over the disk surface

Which of the following is a traditional problem faced in computer investigations?

  • Excessive dependence on automated programs

What is a common misconception that may lead to low reporting rates of cyber crimes?

  • Victims perceive law enforcement as incompetent

What cardinal rule should be followed in computer investigations to avoid evidence corruption?

  • Always work from an image of the hard drive, never from the original

How do inadequate resources affect local law enforcement in computer forensics?

  • They reduce its ability to respond to cyber crimes

Why might forced alliances among agencies in computer investigations be unsuccessful?

  • Because of a lack of communication and cooperation between the agencies

What is a suggested approach to maintain the integrity of digital evidence?

  • Keep an accurate chain of custody

Which factor might discourage victims from reporting cyber crimes?

  • Corporate advisors discouraging involvement of law enforcement

What is the standard size of sectors on magnetic disks formatted for Windows?

  • 512 bytes

Which of the following best defines 'logical file size'?

  • The exact size of a file in bytes

What is file slack space?

  • The unused portion of a cluster between the end of the file and the end of the cluster

Which of the following does the partition table identify?

  • Each partition's location and size, its type, and which partition is bootable

How many primary partitions can a single MBR-partitioned fixed disk have at maximum?

  • 4

What is the primary function of a cluster in magnetic disk storage?

  • To represent the minimum space allocated to an individual file

Which statement about disk partitions is correct?

  • Only one partition can be marked bootable (active) at a time

Where is partition data stored on a hard disk?

  • In the master boot record at physical cylinder 0, head 0, sector 1 (the first sector of the disk)

Which of the following is NOT listed as part of the data reporting tools required for a report?

  • Investigator's photo

Which software type is specifically mentioned as necessary for cleaning data in the context of computer forensics?

  • Wiping software

What is emphasized as a significant requirement for conducting effective investigations in computer forensics?

  • Sufficient training for personnel

In computer forensics, why is collaboration with civilian experts and corporate entities important?

  • It enhances forensic capabilities

What is highlighted as a critical factor in preventing poorly managed investigations?

  • Administrative support

What does the Encrypting File System (EFS) potentially introduce to the investigative process?

  • Additional steps, since the data must be decrypted before it can be examined

Which tool is used for validation in data integrity?

  • Cyclical Redundancy Check (CRC)

Why should Standard Operating Procedures (SOP) be reviewed annually?

  • Because of the changing nature of technology

Which of the following is NOT one of the five broad categories of software tools in computer forensics?

  • Data visualization tools

What is the purpose of the initial commands given by the BIOS?

  • To load the operating system (after the power-on self-test, via the bootstrap loader)

Which of the following is a verification tool used in computer forensics?

  • Cyclical Redundancy Check (CRC)

What does slack space allow forensic investigators to evaluate?

  • Remnants of earlier data left between a file's logical end and the end of its cluster

What might complicate the forensic investigation regarding NTFS systems?

  • Creating fragmentation

Computer forensics is only used in cases of digital crime.

  • False

The primary goal of computer forensics is to recover and analyze digital data in a manner that can be legally presented.

  • True

Maintaining a chain of custody is not critical when analyzing evidence in computer forensics.

  • False

Computer forensics helps in both the detection and prevention of cyber crimes.

  • True

Introducing a virus to a suspect machine can help in analyzing potential evidence.

  • False

Evidence in computer forensics must remain in an altered state to ensure accurate analysis.

  • False

Documentation of the custody and transfer of evidence is referred to as the chain of investigation.

  • False (it is the chain of custody)

Computer forensics encompasses examining digital media to present facts about information.

  • True

The maximum number of basic disk partitions that an operating system can identify is three.

  • False

File slack space is the portion of unused space between the physical end of a file and the logical end of a cluster.

  • False (it lies between the logical end of the file and the physical end of the cluster)

Each sector on magnetic disks formatted for Windows has a standard size of 1024 bytes.

  • False

Clusters, the basic allocation units of magnetic disk storage, can only consist of a single sector.

  • False

The partition table contains information about which partition is bootable.

  • True

Magnetic disks can only have logical file sizes that are larger than their physical file sizes.

  • False

The physical file size reflects the actual amount of space that a file occupies on disk.

  • True

Disk partitions can contain multiple master boot records.

  • False

A file system organizes data on a hard disk in a linear fashion without discontinuities.

  • False

When a file is deleted on a FAT file system, the data is completely erased from the disk.

  • False

NTFS is considered more efficient in storage space utilization compared to FAT.

  • True

The Master File Table (MFT) is a key component of the NTFS file system.

  • True

FAT32 allows for larger file sizes than NTFS.

  • False

Disk Operating Systems (DOS) simplified the data management burden of applications.

  • True

File Allocation Table (FAT) uses a binary system to identify file locations.

  • False

Partitions on a hard disk contribute to data security and organization.

  • True

Slack space is the area on a disk that is not allocated to any file and cannot be used for storage.

  • False

Steganography is a technique used to hide data inside other data so that its presence is not obvious during analysis.

  • True

Compressed files cannot be examined with data analysis tools in computer forensics.

  • False

Hidden files are files whose attributes or names have been deliberately set so that they are not displayed by default.

  • True

The Encrypting File System (EFS) simplifies the investigative process for forensic investigators.

  • False

Data analysis tools are primarily used for data recovery and not for examining relationships between different files.

  • False

Imaging programs must alter the original disk to create a bitstream duplicate.

  • False

Password-protected files can be accessed freely by forensic investigators without requiring any permissions.

  • False

Cyclical redundancy checksum (CRC) is a tool used for data verification in computer forensics.

  • True

Logical extraction evaluates and recovers data based exclusively on the physical structure of the drive.

  • False

Standard Operating Procedures (SOP) in computer forensics should be static and not reviewed.

  • False

Text searching is a category of data analysis tools used to find specific phrases or keywords within files.

  • True

Operating system identification is not a consideration in data analysis of forensic investigations.

  • False

Data recovery tools can include methods for extracting password-protected data.

  • True

Data extraction tools are part of the five broad categories of software used in computer forensics.

  • True

MD5-Hash is not used in computer forensics to verify data integrity.

  • False

The extraction of the partition table is unnecessary in the data recovery process.

  • False

NTFS systems do not create fragmentation that can be evaluated in slack space.

  • False

Keyword searching is useful during the physical extraction phase for data recovery.

  • True

Firmware refers only to the hardware instructions in a computer.

  • False

File carving is a technique that focuses on identifying and recovering entire files instead of fragments.

  • False

Data verification tools must include logging for any I/O errors encountered.

  • True

Network utilities are not considered a category of software in computer forensics.

  • False

The integrity of a disk image file cannot be verified by imaging programs.

  • False

Study Notes

Computer Forensics: Terminology and Requirements

• Computer forensics is the practice of collecting, analyzing, and reporting on digital data in a way that is legally admissible.
• It is used for crime detection and prevention, and in disputes where the evidence is digital.
• Computer forensics examines digital media to identify, preserve, recover, analyze, and present facts and opinions about digital information in a methodical, repeatable way.

Computer Forensics - An Emerging Discipline

• New technologies change criminal behavior, so police techniques and strategies must adapt.
• Maintaining evidence integrity requires a meticulous chain of custody (CoC).
• The CoC is the chronological documentation of the evidence's seizure, custody, control, transfer, analysis, and disposition: who handled it, when, why, and what was done to it.
• The goal is to protect digital evidence from alteration, damage, corruption, or infection, and to be able to prove afterwards that it was protected.

Traditional Problems in Computer Investigations

• Inadequate resources for law enforcement: diminishing budgets and increased responsibilities limit what agencies can take on.
• Insufficient communication and co-operation between agencies hinders investigations; alliances forced from above tend to fail for the same reason.
• Excessive reliance on automated tools and on unverified "experts" produces weaker outcomes.
• Limited reporting by victims, who often perceive law enforcement as incompetent in this area.
• Corporate reluctance to engage with law enforcement, sometimes on the advice of corporate advisors.

Evidence Corruption - Cardinal Rules

• Always work from an image; the original media stays unaltered (write-blocked) and is touched only to make and verify the image.
• Maintain detailed documentation of every step taken.
• Maintain a strict chain of custody.

Disk Structure and Digital Evidence

• Terms to know: operating systems, hardware, software, firmware, computer, static memory, volatile memory (cache, RAM), nonvolatile storage, computer storage, primary storage, secondary storage, floppy disks, diskettes, CD-ROMs, CD-RWs, hard/fixed disks.
• Further terms: spindle, actuator arm, ASCII, binary system, hexadecimal, clusters (file allocation units), compressed files.
• Drives are physical devices; files have both a physical and a logical size, and the two differ. The logical view is the one investigators work with most, but the physical layout is where residual data hides.
• Data is stored in fixed-size units called sectors.
• Sectors are arc-shaped parts of tracks (the concentric circles on a platter). Sector size is fixed by the drive's low-level format, not by the operating system; magnetic disks formatted for Windows have traditionally used 512-byte sectors (newer "Advanced Format" drives use 4096-byte physical sectors, usually still presented as 512-byte logical sectors).
• Sectors are numbered sequentially on each track.
• Clusters comprise one or more adjacent sectors; the cluster size is chosen by the file system when the volume is formatted and grows with the volume's capacity.
• A cluster is the minimum space allocated to an individual file, so it is the unit in which physical space is taken.
• Logical file size is the size of the file in bytes, as it appears to the user.
• Physical file size is the space the file actually occupies on disk: the logical size rounded up to whole clusters, so it is usually larger than the logical size.
• File slack space is the unused region between a file's logical end and the physical end of its last cluster. It can contain whatever was stored in those sectors before.
• Partition: a section of a hard drive that the OS treats as an individual unit. An MBR-partitioned disk holds at most 4 primary partitions.
• A bootable (active) partition is essential for the OS to load.
• Extended partitions allow further sub-division into logical drives, which is how more than 4 volumes fit on an MBR disk.
• Partitioning creates a master boot record (MBR) and a partition table.
• The partition table identifies each partition, its location and size, its type, and which partition is bootable (only one at a time).
• The partition table lives inside the MBR, which is stored in the first sector of the disk: physical cylinder 0, head 0, sector 1 (LBA 0).
• File systems: the way an operating system organizes data on a hard drive.
• FAT (File Allocation Table) is a map of file locations: a table of cluster chains.
• Data in a deleted file remains on disk; only its directory entry is marked unused and its clusters are freed.
• The width of FAT entries (FAT12, FAT16, FAT32) bounds how many clusters, and therefore how large a volume, the table can track.
• NTFS (New Technology File System) is more efficient and secure than FAT.
• NTFS still leaves slack space.
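
As an added worked example (not part of the course notes or any quiz item): the Python below constructs a 512-byte MBR for a made-up two-partition disk and then parses it the way an examiner's tool would, reading the four 16-byte entries that start at byte offset 446, checking the 0x55AA signature in the last two bytes, and enforcing the rule that only one entry may carry the 0x80 bootable flag. The partition type codes, start sectors and sector counts are invented sample values; the entry layout (status, CHS start, type, CHS end, LBA start, sector count) is the standard MBR format. Note that each entry carries the partition's size in sectors, which is why every volume on the disk can be located from sector 0 alone.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte entries follow the boot code
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of sector 0
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Construct a 512-byte MBR from (bootable, type, lba_start, sectors) tuples.
    Constructed test data, not a real disk; CHS fields are left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(entries[:4]):
        entry = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                            ptype, b"\x00" * 3, lba_start, sectors)
        mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector0):
    """Return the populated partition-table entries of an MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0x00:          # unused slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,          # e.g. 0x07 NTFS, 0x0C FAT32 LBA, 0x0F extended
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,   # where the volume's boot sector sits in an image
            "size_bytes": sectors * SECTOR,
        })
    return parts


def check_bootable(parts):
    """Exactly one entry may carry the 0x80 active flag; report the offenders."""
    active = [p["index"] for p in parts if p["bootable"]]
    return len(active) == 1, active


def sample_disk():
    # Constructed layout (hypothetical values): a bootable NTFS partition at
    # sector 2048 (the usual 1 MiB alignment) followed by a FAT32 data partition.
    return build_mbr([(True, 0x07, 2048, 204800), (False, 0x0C, 206848, 102400)])


if __name__ == "__main__":
    parts = parse_mbr(sample_disk())
    for p in parts:
        print(p)
    print("single bootable partition:", check_bootable(parts))
```

The byte_offset field is what a file-system parser is pointed at inside a raw image: multiply the entry's starting LBA by the sector size and the volume's own boot sector begins there.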

Data Storage Scheme (continued)

• NTFS (New Technology File System) was developed by Microsoft to improve performance and security and to handle larger files and volumes.
• NTFS contains a Master File Table (MFT) with an entry describing every file and directory on the volume.
• NTFS uses storage more efficiently and is more secure than FAT (permissions, journaling, encryption via EFS).
• NTFS still leaves file slack and fragments of earlier data on the volume, which is useful to a forensic investigation.
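
Slack space, as an added example rather than material from the course: a constructed 16 KiB volume with 2048-byte clusters (four 512-byte sectors). A file that exactly fills one cluster is written, then "deleted" (only the allocation is released, as on FAT and NTFS), then a 630-byte file is written into the same cluster. The write model is an assumption stated in the code: the OS writes whole sectors, zero-fills the remainder of the last sector it touches (RAM slack, which modern Windows versions pad with zeros), and never touches the remaining sectors of the cluster (drive slack). All helper names and data are the example's own.

```python
SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 2048-byte allocation unit, chosen for the example


def physical_size(logical_size, cluster=CLUSTER):
    """Space a file really consumes: its logical size rounded up to whole clusters."""
    if logical_size <= 0:
        return 0
    return -(-logical_size // cluster) * cluster     # ceiling division


def slack_bytes(logical_size, cluster=CLUSTER):
    """Bytes between the logical end of the file and the end of its last cluster."""
    return physical_size(logical_size, cluster) - logical_size


def write_file(volume, cluster_no, data):
    """Model (assumed, see lead-in) of the OS writing `data` into one cluster:
    whole sectors are written, the last partial sector is zero-padded to its
    boundary (RAM slack), and sectors of the cluster beyond that are untouched
    (drive slack)."""
    if len(data) > CLUSTER:
        raise ValueError("example handles single-cluster files only")
    start = cluster_no * CLUSTER
    padded = -(-len(data) // SECTOR) * SECTOR
    volume[start:start + padded] = data.ljust(padded, b"\x00")


def read_slack(volume, cluster_no, logical_size):
    """What an examiner sees after the file's logical end, up to the cluster end."""
    start = cluster_no * CLUSTER
    return bytes(volume[start + logical_size:start + CLUSTER])


def demo():
    volume = bytearray(CLUSTER * 8)                  # constructed 16 KiB volume
    old = (b"OLD RECORD 4417 " * 128)[:CLUSTER]      # exactly fills cluster 5
    write_file(volume, 5, old)
    # "delete" old: the allocation is released, the bytes stay where they are
    new = b"new memo\n" * 70                         # 630 logical bytes
    write_file(volume, 5, new)                       # cluster 5 reused
    slack = read_slack(volume, 5, len(new))
    ram_len = (-len(new)) % SECTOR                   # 394 bytes to the sector boundary
    return {
        "logical": len(new),
        "physical": physical_size(len(new)),
        "slack_len": len(slack),
        "ram_slack_is_zero": not any(slack[:ram_len]),
        "drive_slack": slack[ram_len:],              # untouched sectors 2 and 3
    }


if __name__ == "__main__":
    r = demo()
    print(r["logical"], r["physical"], r["slack_len"], r["ram_slack_is_zero"])
    print(r["drive_slack"][:48])
```

The 1024 bytes of drive slack still read "OLD RECORD 4417 ...": the deleted file's contents survive in sectors the new file never needed, which is exactly the region a logical copy of the file omits and a physical examination recovers.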

Disk Structure and Digital Evidence (continued)

• Firmware: the operating instructions stored on hardware; it is software, not the hardware itself.
• BIOS (Basic Input/Output System): the initial set of commands a PC runs: the POST (power-on self-test), then the bootstrap loader, which reads the boot sector (absolute sector 0) and hands control to the operating system loader.
• Data integrity: techniques that validate that data is unchanged. The course lists CRC (cyclical redundancy checksum), MD5 hashes, and HashKeeper (a known-file hash set). Caveat: a CRC detects accidental corruption but is trivial to forge, and MD5 collisions can be constructed deliberately, so record a SHA-256 (or other SHA-2/SHA-3) hash alongside any CRC or MD5 value whenever integrity must hold against an adversary.

Developing Computer Forensic Science Capabilities

• SOPs (Standard Operating Procedures) must evolve with technology.
• SOPs must be clearly documented and accessible to everyone who follows them.
• SOPs must specify the appropriate software, hardware, and procedures.
• SOPs should be reviewed at least annually because of ongoing technology changes.

Minimum Software Requirements

Five broad categories of required software:

• Data preservation, duplication, and verification tools.
• Data recovery/extraction tools.
• Data analysis tools.
• Data reporting tools.
• Network utilities.

Data Preservation, Duplication, and Verification Tools

• The National Institute of Standards and Technology (NIST), through its Computer Forensic Tool Testing (CFTT) program, defines what a disk imaging program must do.
• It must create a bit-stream copy (an image) of an original disk or partition onto fixed or removable media.
• It must not alter the original disk (in practice the source is attached through a write blocker).
• It must handle IDE and SCSI disks.
• It must verify the integrity of the disk image, log every I/O error encountered (with the sector affected), and provide substantial documentation.
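
The imaging requirements above (bit-stream copy, no writes to the source, integrity verification, I/O error logging) and the integrity techniques listed earlier, as one added example that is not from the course or from any real imaging tool: a constructed in-memory device with one unreadable sector is acquired sector by sector, unreadable sectors are logged and zero-filled so that offsets in the image stay aligned with the source, and CRC32, MD5 and SHA-256 are recorded over the resulting image and rechecked. The FakeDevice class and all data are invented for the example.

```python
import hashlib
import zlib

SECTOR = 512


class ReadError(IOError):
    """Raised by the constructed device for an unreadable sector."""


class FakeDevice:
    """Stand-in for a block device behind a write blocker (hypothetical):
    constructed bytes, reads fail on the sectors in `bad_sectors`, writes refused."""

    def __init__(self, data, bad_sectors=()):
        self._data = bytes(data)
        self.bad = set(bad_sectors)
        self.writes_attempted = 0

    @property
    def sector_count(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise ReadError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n, buf):
        self.writes_attempted += 1          # an imaging tool must never get here
        raise PermissionError("source is write-blocked")


def digests(data):
    """CRC32 (cheap check, forgeable), MD5 (legacy compatibility) and SHA-256
    (the collision-resistant value to rely on) over the same bytes."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xffffffff:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire(dev):
    """Bit-stream copy, sector by sector. An unreadable sector is logged with its
    number and byte offset and written to the image as zeros so that every offset
    in the image still lines up with the source (like dd conv=noerror,sync)."""
    image = bytearray()
    errors = []
    for n in range(dev.sector_count):
        try:
            image += dev.read_sector(n)
        except ReadError as exc:
            errors.append({"sector": n, "offset": n * SECTOR, "error": str(exc)})
            image += b"\x00" * SECTOR
    image = bytes(image)
    return {"image": image, "errors": errors, "digests": digests(image)}


def verify(image, recorded):
    """Recompute every recorded digest over the stored image; True only if all match."""
    now = digests(image)
    return all(now[k] == v for k, v in recorded.items())


def demo():
    source = bytes(range(256)) * 8                    # constructed 4-sector "disk"
    dev = FakeDevice(source, bad_sectors={2})
    acq = acquire(dev)
    tampered = bytearray(acq["image"])
    tampered[100] ^= 0x01                             # flip one bit in a copy of the image
    return {
        "errors": acq["errors"],
        "image_ok": verify(acq["image"], acq["digests"]),
        "tampered_ok": verify(bytes(tampered), acq["digests"]),
        "source_hash_matches": acq["digests"]["sha256"] == digests(source)["sha256"],
        "writes_attempted": dev.writes_attempted,
        "image": acq["image"],
    }


if __name__ == "__main__":
    r = demo()
    print("unreadable sectors:", r["errors"])
    print("image verifies:", r["image_ok"], " tampered copy verifies:", r["tampered_ok"])
    print("image hash equals source hash:", r["source_hash_matches"])
```

The last value demo() returns is the reason the error log is a requirement and not a nicety: because sector 2 was zero-filled, the image hash can never equal a hash of the source device, and only the log explains the difference. Store the log together with the hashes in the case record.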

Data Recovery/Extraction Tools

• Physical extraction identifies and recovers data across the physical drive without regard to the file system.
• Logical extraction identifies and recovers data based on the OS, file system and application context, and covers active and deleted files, file slack, and unallocated space.
• Physical extraction includes keyword searching (which finds data the OS or file system does not account for) and file carving (recovering files or fragments by their headers and footers rather than by file-system metadata).
• Logical extraction recovers file information (attributes, names, times, sizes, locations); performs data reduction, which identifies and eliminates known files by hash; recovers deleted files; and extracts data from password-protected, encrypted and compressed files as well as from file slack and unallocated space.
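
Keyword searching and file carving as described above, as an added example (not tooling from the course): header/footer carving for two file types and a case-insensitive keyword search in both ASCII and UTF-16LE, run over a constructed block of "unallocated space" that contains two whole images, a truncated JPEG fragment, and the same keyword in both encodings. The signatures are the real JPEG and PNG magic bytes; the sample data, offsets and helper names are the example's own.

```python
SIGNATURES = {
    # kind: (header, footer)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(blob, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Header/footer carving over raw bytes, no file-system metadata needed.
    Returns (kind, start, end) sorted by start; a header whose footer is not
    found within max_len bytes is reported as a fragment with end=None."""
    found = []
    for kind, (head, foot) in signatures.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start < 0:
                break
            end = blob.find(foot, start + len(head), start + max_len)
            if end < 0:
                found.append((kind, start, None))   # truncated or overwritten file
                pos = start + len(head)
            else:
                end += len(foot)
                found.append((kind, start, end))
                pos = end
    return sorted(found, key=lambda t: t[1])


def keyword_search(blob, keywords, context=12):
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE (the
    encoding of many Windows artefacts). bytes.lower() only folds ASCII letters,
    so the NUL bytes of UTF-16LE survive the normalisation. Returns
    (keyword, encoding, offset, surrounding bytes) sorted by offset."""
    hay = blob.lower()
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = hay.find(needle)
            while pos >= 0:
                lo, hi = max(0, pos - context), pos + len(needle) + context
                hits.append((kw, enc, pos, blob[lo:hi]))
                pos = hay.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def sample_unallocated():
    """Constructed 'unallocated space': two whole images, a note in ASCII, the
    same word in UTF-16LE, and a JPEG header whose remainder was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xae\x42\x60\x82"
    fragment = b"\xff\xd8\xff\xe1" + b"Exif" + b"\x00" * 10
    note = b"transfer to offshore account 4417 "
    note16 = "Offshore".encode("utf-16-le")
    return (b"\x00" * 64 + jpg + b"\x00" * 16 + note + b"\x00" * 16
            + png + note16 + b"\x00" * 8 + fragment)


if __name__ == "__main__":
    blob = sample_unallocated()
    for item in carve(blob):
        print("carved", item)
    for kw, enc, off, snippet in keyword_search(blob, ["offshore"]):
        print(f"{kw!r} as {enc} at offset {off}: {snippet!r}")
```

The fragment with end=None is the case the quiz item about carving refers to: a header was found but the rest of the file is gone, and a carver should report the partial hit rather than silently drop it. The max_len bound keeps a missing footer from swallowing the rest of the image.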

Data Analysis Tools

• Data analysis tools address five categories: indexing, text searching, viewers, timeline analysis, and application analysis.
• Examples include examining file names, systems, applications, correlations and relationships (such as e-mails and their attachments), and identifying unknown file types.

Data Reporting Tools

• A report must include lab information (address, contact), date, investigator, agency, case number, case information (suspects, victims, offenses), case identifier, evidence details, and a physical description of each item evaluated.

Other Required Software

• Miscellaneous software (e.g., presentation, word processing and spreadsheet programs).
• Wiping software, to sanitize target media before reuse so that nothing from a previous case contaminates a new image.
• Antivirus software.
• Network tools.

Conclusions

• Poorly run investigations are usually due to limited resources, lack of administrative cooperation, or lack of appropriate training.
• Expertise is vital; collaboration with civilian and corporate experts is beneficial.
• Minimum requirements for investigations include suitable equipment and facilities to house it.

Description

This quiz covers the fundamental concepts and terminology in computer forensics, including the collection and analysis of digital data for legal purposes. It also addresses the challenges faced by law enforcement and the importance of maintaining the integrity of digital evidence.
