Computer Forensics: Terminology and Requirements
92 Questions

Questions and Answers

What is the primary goal of computer forensics?

  • To ensure evidence is stored permanently
  • To analyze digital media for legal purposes (correct)
  • To collect evidence in a digital format
  • To prevent unauthorized access to digital systems

Which of the following is NOT a component of maintaining the integrity of evidence in computer forensics?

  • Ensuring the evidence remains unaltered
  • Maintaining a chain of custody
  • Preventing viruses on suspect machines
  • Conducting public accessibility of the evidence (correct)

What does the chain of custody (CoC) refer to in computer forensics?

  • The documentation of evidence handling procedures (correct)
  • The analysis of stored digital evidence
  • The software used for data encryption
  • The process of recovering lost digital information

Why is it critical to ensure that viruses are not introduced during the analysis of a suspect machine?

Answer: To maintain the evidence in an unaltered state (D)

How can computer forensics assist in crime prevention?

Answer: By analyzing behavioral patterns of criminals (B)

Which aspect of computer forensics deals specifically with the legal admissibility of digital evidence?

Answer: Forensically sound examination (A)

Which of the following technologies is likely to influence emerging patterns of criminal behavior in computer forensics?

Answer: Cloud computing technology (C)

In what way does computer forensics support dispute resolution?

Answer: By providing evidence stored digitally (A)

Which term refers to the actual space a file occupies on a disk?

Answer: Physical file size (D)

What are sectors in relation to disk storage?

Answer: Fixed units where data is stored (C)

In computer forensics, which file size is most important for analysis?

Answer: Logical file size (D)

Which of the following is not a type of memory?

Answer: Dynamic memory (D)

What is the smallest physical storage unit on a disk?

Answer: Sector (A)

Which of the following best describes a 'track' in disk structure?

Answer: A circular path on the disk for data storage (D)

Which system uses a base-16 numeral system?

Answer: Hexadecimal system (B)

What is the function of the actuator arm in a disk drive?

Answer: To read and write data on the disk surface (A)

Which of the following is a traditional problem faced in computer investigations?

Answer: Excessive dependence on automated programs (D)

What is a common misconception that may lead to low reporting rates of cyber crimes?

Answer: Victims perceive law enforcement as incompetent (A)

What cardinal rule should be followed in computer investigations to avoid evidence corruption?

Answer: Always work from an image of the hard drive (B)

How do inadequate resources impact local law enforcement in computer forensics?

Answer: They decrease their ability to respond to cyber crimes (C)

Why might forced alliances among agencies in computer investigations be unsuccessful?

Answer: Due to a lack of communication and cooperation (C)

What is a suggested approach to maintain the integrity of digital evidence?

Answer: Keep an accurate chain of custody (A)

Which factor might discourage victims from reporting cyber crimes?

Answer: Encouragement from corporate advisors (D)

What is the standard size of sectors on magnetic disks formatted for Windows?

Answer: 512 bytes (C)

Which of the following best defines 'logical file size'?

Answer: The exact size of a file in bytes (A)

What is file slack space?

Answer: The portion of unused space in a cluster (D)

What does the partition table not identify?

Answer: The size of each partition (B)

How many partitions can a single fixed disk have at maximum?

Answer: 4 (D)

What is the primary function of a cluster in magnetic disk storage?

Answer: To represent the minimum space allocated to an individual file (C)

Which statement about disk partitions is correct?

Answer: Only one partition can be bootable at a time (C)

Where is partition data stored on a hard disk?

Answer: At physical cylinder 0; head 0; sector 1 (B)

Which of the following is NOT listed as part of the data reporting tools required for a report?

Answer: Investigator's photo (B)

Which software type is specifically mentioned as necessary for cleaning data in the context of computer forensics?

Answer: Wiping software (C)

What is emphasized as a significant requirement for conducting effective investigations in computer forensics?

Answer: Sufficient training for personnel (A)

In computer forensics, why is collaboration with civilian experts and corporate entities important?

Answer: It enhances forensic capabilities. (D)

What is highlighted as a critical factor in preventing poorly managed investigations?

Answer: Administrative support (A)

What does the Encrypting File System (EFS) potentially introduce to the investigative process?

Answer: Additional steps (C)

Which tool is used for validation in data integrity?

Answer: Cyclical Redundancy Check (CRC) (D)

Why should Standard Operating Procedures (SOP) be reviewed annually?

Answer: Due to the changing nature of technology (B)

Which of the following is NOT one of the five broad categories of software tools in computer forensics?

Answer: Data visualization tools (C)

What is the purpose of the initial commands given by BIOS?

Answer: To load the operating system (D)

Which of the following is a verification tool used in computer forensics?

Answer: Cyclical Redundancy Check (CRC) (A)

What does slack space allow forensic investigators to evaluate?

Answer: Information contained in fragmented files (B)

What might complicate the forensic investigation regarding NTFS systems?

Answer: Creating fragmentation (C)

Computer forensics is only used in the cases of digital crime.

Answer: False (B)

The primary goal of computer forensics is to recover and analyze digital data in a manner that can be legally presented.

Answer: True (A)

Maintaining a chain of custody is not critical when analyzing evidence in computer forensics.

Answer: False (B)

Computer forensics helps in both the detection and prevention of cyber crimes.

Answer: True (A)

Introducing a virus to a suspect machine can help in analyzing potential evidence.

Answer: False (B)

Evidence in computer forensics must remain in an altered state to ensure accurate analysis.

Answer: False (B)

Documentation of the custody and transfer of evidence is referred to as the chain of investigation.

Answer: False (B)

Computer forensics encompasses examining digital media to present facts about information.

Answer: True (A)

The maximum number of basic disk partitions that an operating system can identify is three.

Answer: False (B)

File slack space is the portion of unused space between the physical end of a file and the logical end of a cluster.

Answer: False (B)

Each sector on magnetic disks formatted for Windows has a standard size of 1024 bytes.

Answer: False (B)

Clusters, the basic allocation units of magnetic disk storage, can only consist of a single sector.

Answer: False (B)

The partition table contains information about which partition is bootable.

Answer: True (A)

Magnetic disks can only have logical file sizes that are larger than their physical file sizes.

Answer: False (B)

The physical file size reflects the actual amount of space that a file occupies on disk.

Answer: True (A)

Disk partitions can contain multiple master boot records.

Answer: False (B)

A file system organizes data on a hard disk in a linear fashion without discontinuities.

Answer: False (B)

When a file is deleted on a FAT file system, the data is completely erased from the disk.

Answer: False (B)

NTFS is considered more efficient in storage space utilization compared to FAT.

Answer: True (A)

The Master File Table (MFT) is a key component of the NTFS file system.

Answer: True (A)

FAT32 allows for larger file sizes than NTFS.

Answer: False (B)

Disk Operating Systems (DOS) simplified the data management burden of applications.

Answer: True (A)

File Allocation Table (FAT) uses a binary system to identify file locations.

Answer: False (B)

Partitions on a hard disk contribute to data security and organization.

Answer: True (A)

Slack space is the area on a disk that is not allocated to any file and cannot be used for storage.

Answer: False (B)

Steganography is a technique used to hide data from view, making it undetectable during analysis.

Answer: True (A)

Compressed files cannot be examined with data analysis tools in computer forensics.

Answer: False (B)

Hidden files are intentionally manipulated files designed to obscure their original contents.

Answer: True (A)

The Encrypting File System (EFS) simplifies the investigative process for forensic investigators.

Answer: False (B)

Data analysis tools are primarily used for data recovery and not for examining relationships between different files.

Answer: False (B)

Imaging programs must alter the original disk to create a bitstream duplicate.

Answer: False (B)

Password-protected files can be accessed freely by forensic investigators without requiring any permissions.

Answer: False (B)

Cyclical redundancy checksum (CRC) is a tool used for data verification in computer forensics.

Answer: True (A)

Logical extraction evaluates and recovers data based exclusively on the physical structure of the drive.

Answer: False (B)

Standard Operating Procedures (SOP) in computer forensics should be static and not reviewed.

Answer: False (B)

Text searching is a category of data analysis tools used to find specific phrases or keywords within files.

Answer: True (A)

Operating system identification is not a consideration in data analysis of forensic investigations.

Answer: False (B)

Data recovery tools can include methods for extracting password-protected data.

Answer: True (A)

Data extraction tools are part of the five broad categories of software used in computer forensics.

Answer: True (A)

MD5-Hash is not used in computer forensics to verify data integrity.

Answer: False (B)

The extraction of the partition table is unnecessary in the data recovery process.

Answer: False (B)

NTFS systems do not create fragmentation that can be evaluated in slack space.

Answer: False (B)

Keyword searching is useful during the physical extraction phase for data recovery.

Answer: True (A)

Firmware refers only to the hardware instructions in a computer.

Answer: False (B)

File carving is a technique that focuses on identifying and recovering entire files instead of fragments.

Answer: False (B)

Data verification tools must include logging for any I/O errors encountered.

Answer: True (A)

Network utilities are not considered a category of software in computer forensics.

Answer: False (B)

The integrity of a disk image file cannot be verified by imaging programs.

Answer: False (B)

Flashcards

Computer Forensics

The practice of collecting, analyzing, and reporting digital data legally.

Chain of Custody

A detailed record of evidence's handling, from gathering to disposal, ensuring integrity.

Digital Evidence

Data stored electronically, used in criminal investigations or disputes.

Forensically Sound

Methods to handle and examine digital data, ensuring integrity and admissibility in court.

Crime Detection

Using computer forensics to discover and pinpoint criminal activities.

Preventing Crimes

Employing computer forensics to help prevent future crimes.

Evidence Integrity

The state where data is uncorrupted while analysing digital evidence, crucial for admissibility in Court.

Data Analysis

The process of methodically examining digital data to uncover pertinent information.

Computer Forensics Goal

To protect digital evidence from changes, damage, or infection, whether accidental or intentional.

Inadequate Resources

Local law enforcement often faces budget limitations and lack of resources, potentially hindering effective investigations.

Lack of Cooperation

Different agencies struggle to effectively communicate and work together on computer investigations.

Automated Dependence

Reliance on programs or experts without proper verification can lead to issues during computer investigations.

Low Reporting Rates

Victims often do not report cybercrimes due to concerns about law enforcement efficacy or corporate pressure.

Evidence Corruption

Hard drive data can get damaged or altered, making it unreliable for investigations if not handled correctly.

Documenting Evidence

Thorough written records are critical to prevent losing crucial information during computer investigations; detailed documentation is required.

Logical file size

The exact size of a file in bytes, as seen by the operating system.

Physical file size

The actual space a file takes up on a disk's physical sectors.

Sectors

Fixed, arc-shaped units on a disk track where data is stored; the smallest physical storage unit.

Logical drive

Designated portion of a physical drive, managed as a separate unit by the operating system.

Physical drive

A physical device on a computer that holds and accesses data.

Clusters

Groups of sectors; file allocation units grouped together used to store files on disk.

Binary system

Number system that uses only two digits (0 and 1) to represent data.

Track

A concentric circle on a disk where data is stored.

Sector Size

The amount of storage space in a sector, determined by the operating system.

Sector Numbering

Sectors are numbered sequentially, track by track, starting from sector 1.

File Slack Space

The unused space between a file's logical end and the physical end of its allocated cluster.

Partition

A section of a hard drive, identified by the OS as a unit.

Partition Table

A table containing information about hard drive partitions, including bootable information and locations.

Lab Report Contents

A comprehensive lab report includes details like the lab's information, date, investigator's identity, case number, case details, evidence log, and a description of the items examined.

Essential Software for Computer Forensics

Beyond specialized forensic tools, other software like presentation applications, word processors, spreadsheets, wiping tools, antivirus programs, and network tools are crucial for analysis and reporting.

Collaboration in Forensics

Effective computer forensics often requires cooperation between law enforcement, civilian experts, and corporate entities to share knowledge and resources.

Forensic Minimum Requirements

To conduct effective investigations, law enforcement organizations need to meet minimum standards including equipment, facilities, and training.

Challenges in Computer Forensics

Obstacles to successful computer forensics investigations include administrative apathy, inadequate resources, lack of training, limited forensic capabilities, and insufficient collaboration with outside experts.

What is a bootstrap loader?

A program stored in the boot sector (sector 0) of a hard drive, responsible for loading the operating system.

What does BIOS stand for?

Basic Input/Output System. It's a firmware that manages essential hardware interactions during the boot process.

What is POST?

Power-On Self-Test. A series of checks performed by the BIOS to ensure hardware components are working correctly.

What is a CRC?

Cyclical Redundancy Check. An algorithm used to detect errors in data transmission or storage by calculating a checksum.

What is MD5-Hash?

A cryptographic hash function used for data integrity verification. It generates a unique hash value for a given file.

What is Hashkeeper?

Software that maintains a database of known files and their corresponding hash values, used for file integrity verification.

Why are Standard Operating Procedures (SOPs) important in computer forensics?

SOPs provide a standardized framework for handling digital evidence, ensuring consistency, accuracy, and legal admissibility.

What are the 5 broad categories of software tools used in computer forensics?

Data Preservation/Duplication/Verification Tools, Data Recovery/Extraction Tools, Data Analysis Tools, Data Reporting Tools, Network Utilities.

What is a Forensically Sound Method?

A procedure or technique for handling digital data that maintains its integrity and ensures it is admissible in court, preventing changes or contamination.

What is the Goal of Computer Forensics?

To examine digital media in a way that preserves the evidence, reveals the facts, and presents opinions about the information found.

What are the Challenges in Computer Forensics?

Obstacles faced in conducting successful investigations include things like inadequate resources, lack of training, and limited forensic capabilities.

Why is Collaboration Important in Computer Forensics?

Effective computer forensics requires cooperation between law enforcement, civilian experts, and corporations to share knowledge and resources.

What are sectors on a disk?

Sectors are the smallest physical units of storage on a disk, like tiny boxes holding data. They are organized in circles called tracks.

What is a cluster?

A cluster is a group of adjacent sectors, like a small storage bin made of multiple boxes. It's the basic unit for allocating space to files.

What is file slack space?

File slack space is the unused space at the end of a cluster, like the extra room in a storage bin after you've put your things in. It can contain leftover data.

What is the difference between logical and physical file sizes?

Logical file size is the actual size of the file as seen by the operating system. Physical file size is the actual space occupied by the file on the disk, including any file slack.

What is a partition?

A partition is a section of a hard drive that the operating system sees as a separate storage unit, like a separate room in a house.

What is the purpose of a partition table?

A partition table stores information about the partitions on a hard drive, including which one is bootable, their locations, and other details.

What is the master boot record (MBR)?

The master boot record (MBR) is a special sector at the beginning of a hard drive that contains important information about the partitions, including where to find the operating system.

Why is partitioning important for forensics?

Partitioning allows forensic investigators to examine specific sections of a hard drive, like examining specific rooms in a building, making it easier to isolate evidence.

What is fragmentation?

The process of storing file data in non-contiguous sectors on a hard drive, potentially leaving unused space.

What is slack space?

Unused space within a cluster allocated to a file after the file's actual data ends.

File System

The organizational framework used by an operating system to manage and store data on a hard drive.

Data preservation tools

Tools that create exact duplicates of digital evidence, ensuring the original data remains untouched.

Data recovery tools

Tools that extract information from digital devices, even if deleted or corrupted.

FAT (File Allocation Table)

A directory that maps the location of each file's data on a storage device, allowing the operating system to access and retrieve files efficiently.

Physical extraction

The process of copying data from a drive, regardless of file systems or operating systems.

NTFS (New Technology File System)

A file system designed for improved security, performance, and larger file sizes compared to FAT.

MFT (Master File Table)

A central database within NTFS that stores metadata about every file and folder on a hard drive, providing crucial information for accessing and managing files.

Logical extraction

The process of recovering data based on the operating system, file system, and applications.

Keyword searching

A technique to find specific text or data within a drive, even if it wasn't explicitly indexed.

Hidden Partition

A partition on a hard drive that is intentionally concealed from normal operating system access, potentially used for data hiding or security purposes.

Deleted File Recovery

The retrieval of data that has been deleted from a storage device, potentially revealing valuable information in forensic investigations.

File carving

Recovering deleted files by searching for file headers and footers.

Data analysis tools

Software used to examine and interpret recovered data to find evidence.

What makes NTFS more efficient than FAT?

NTFS utilizes storage space more efficiently and provides better security features compared to FAT, making it a preferred choice for modern operating systems.

Data reporting tools

Software used to organize and present the findings of the investigation.

Why is understanding file systems crucial in forensic investigations?

Knowledge of file systems allows investigators to interpret and analyze data patterns, detect potential evidence hiding, and uncover crucial information hidden within the structure of a storage device.

Hidden Files

Files intentionally altered to hide their original content. They may be modified to appear as regular files, making it difficult to detect the changes.

Slack Space

Unused space between a file's logical end and the physical end of its allocated storage area. This space can contain remnants of deleted data.

Swap Files

Temporary files used by applications when they run out of memory. They are stored on the hard drive and can contain sensitive information.

Password-Protected Files

Files secured by password programs, restricting access to authorized users only.

Compressed Files

Files reduced in size using compression tools, which can be analyzed to reveal the original data.

Encrypted Files

Files converted into an indecipherable form using encryption algorithms, making it difficult to read without the decryption key.

Steganography

A technique used to hide data within other files or media, making it invisible to casual observation.

Study Notes

Computer Forensics: Terminology and Requirements

  • Computer forensics is the practice of collecting, analyzing, and reporting digital data legally.
  • It is used for crime detection and prevention, and for resolving disputes that involve digital evidence.
  • Computer forensics aims to examine digital media, identify, preserve, recover, analyze, and present facts and opinions about digital information in a methodical way.

Computer Forensics - An Emerging Discipline

  • New technologies affect criminal behavior, requiring adaptations in police techniques and strategies.
  • Maintaining evidence integrity requires a meticulous chain of custody (CoC).
  • CoC is the chronological documentation of evidence's seizure, custody, control, transfer, analysis, and disposition.
  • The goal is to protect digital evidence from alteration, damage, corruption, or infection.

Traditional Problems in Computer Investigations

  • Inadequate resources for law enforcement.
  • Diminishing budgets and increased responsibilities limit opportunities.
  • Insufficient communication and co-operation between agencies hinders investigations.
  • Excessive reliance on automated tools and unverified experts contributes to less effective outcomes.
  • Limited reporting by victims due to a perception of law enforcement incompetence.
  • Corporate reluctance to engage with law enforcement.
  • Insufficient resources within law enforcement hinder investigations.

Evidence Corruption - Cardinal Rules

  • Always work from an image, keeping the original data unaltered.
  • Maintain detailed documentation.
  • Maintain a strict chain of custody.

Disk Structure and Digital Evidence

  • Key terms include operating systems, hardware, software, firmware, computer, static memory, and volatile memory (cache, RAM).
  • Storage terms include nonvolatile storage, computer storage, primary storage, secondary storage, floppy disks (diskettes), CD-ROMs, CD-RWs, and hard (fixed) disks.
  • Drives are physical devices; files have both a physical and a logical size.
  • Logical units are more significant in forensics; the logical and physical sizes of a file differ.
  • Further terms include spindle, ASCII, binary system, hexadecimal, clusters (file allocation units), and compressed files.
  • Data is stored in fixed units called sectors.
  • Sectors are arc-shaped parts of tracks; their size is determined by the operating system.
  • Magnetic disks formatted for Windows typically contain 512-byte sectors.
  • Sectors are numbered sequentially on each track.
  • Clusters comprise one or more adjacent sectors; cluster size varies with disk capacity.
  • The cluster is the minimum space allocated to an individual file (the physical space taken).
  • Logical file size is the size of a file in bytes, as the operating system reports it.
  • Physical file size is the amount of disk space a file occupies; it often differs from the logical size.
  • File slack space is the unused space between a file's logical end and the physical end of its cluster.
  • Partition: a section of a hard drive that the OS treats as an individual unit; a disk has a maximum of 4 partitions.
  • The boot partition is essential for the OS to load.
  • Extended partitions can be subdivided into logical drives.
  • Partitioning creates a master boot record (MBR) and a partition table.
  • The partition table identifies each partition, its location, and which partition is bootable (only one at a time).
  • The partition table is stored with the MBR at physical cylinder 0, head 0, sector 1.
  • File system: the way an operating system organizes data on a hard drive.
  • FAT (File Allocation Table) is a map of file locations.
  • The data of a deleted file remains on disk; only its allocation entry is freed.
  • The size of the FAT determines how many files it can track.
  • NTFS (New Technology File System) is more efficient and more secure than FAT.
  • NTFS still produces slack space.

Data Storage Scheme (continued)

  • NTFS (New Technology File System) was developed by Microsoft to improve performance, security, and handle larger files.
  • NTFS contains a Master File Table (MFT), describing every file.
  • NTFS is more efficient in storage use and more secure compared to FAT.
  • NTFS creates fragmentation, and the resulting slack space is useful in forensic investigation.

Disk Structure and Digital Evidence (continued)

  • Firmware: operating instructions stored in hardware; it is not hardware alone.
  • BIOS (Basic Input/Output System): issues the initial commands at startup; includes the bootstrap loader (which uses the boot sector, absolute sector 0) and POST (power-on self-test).
  • Data integrity: validation techniques confirm that data is accurate, e.g. CRC (cyclical redundancy checksum), MD5 hash, or Hashkeeper software.

Developing Computer Forensic Science Capabilities

  • SOPs (Standard Operating Procedures) constantly evolve with technology advancements.
  • SOPs must be clearly documented and accessible.
  • SOPs must include appropriate software, hardware, and procedures.
  • SOPs should be reviewed annually due to ongoing technology changes.

Minimum Software Requirements

Five broad categories of required software:

  • Data preservation, duplication, and verification tools.
  • Data recovery/extraction tools.
  • Data analysis tools.
  • Data reporting tools.
  • Network utilities.

Data Preservation, Duplication, and Verification Tools

  • The National Institute of Standards and Technology (NIST) defines the requirements for imaging programs.
  • Imaging programs must create a bitstream image of an original disk or partition on fixed or removable media.
  • They must not alter the original disk.
  • They must handle IDE and SCSI disks.
  • They must verify the integrity of a disk image, log I/O errors, and provide substantial documentation.

Data Recovery/Extraction Tools

  • Physical extraction identifies data on the physical drive without regard to the file system.
  • Logical extraction identifies data based on the OS, file system, and application context, and covers active and deleted files, file slack, and unallocated space.
  • Physical extraction includes keyword searching (identifies data not accounted for by the OS or file system) and file carving (file recovery that works similarly to keyword searching).
  • Logical extraction recovers file information (attributes, names, times, sizes, locations); performs data reduction by identifying and eliminating known files; recovers deleted files; and extracts data from password-protected, encrypted, and compressed files as well as from file slack and unallocated space.

Data Analysis Tools

  • Data analysis tools cover five categories, including indexing, text searching, viewers, and time/application analysis.
  • Examples include examining file names, systems, applications, correlations, relationships (e.g. emails and their attachments), and unknown file types.

Data Reporting Tools

  • A report must include lab information (address, contact), date, investigator, agency, case number, case information (suspects, victims, offenses), case identifier, evidence details, and a physical description of the items evaluated.

Other Required Software

  • Miscellaneous software (e.g., PowerPoint, word processing programs, spreadsheet apps).
  • Wiping software.
  • Antivirus software.
  • Network tools.

Conclusions

  • Poorly run investigations are often due to limited resources, lack of administrative cooperation, or lack of appropriate training.
  • Expertise is vital; collaboration with civilian and corporate experts is beneficial.
  • Minimum requirements for investigations include equipment and housing.

Description

This quiz covers the fundamental concepts and terminology in computer forensics, including the collection and analysis of digital data for legal purposes. It also addresses the challenges faced by law enforcement and the importance of maintaining the integrity of digital evidence. Test your knowledge on the emerging discipline of computer forensics!
