Digital Forensics Evolution and Trends chapter 15

Questions and Answers

Why is it important for a forensic examiner to keep up with changing trends in digital forensics?

• Because it is a relatively old field in comparison to other forensic disciplines
• Because the courts frequently sentence perpetrators to prison
• Because the field of digital forensics is still growing and technology is constantly changing (correct)
• Because standards are already established in the field

What was one of the earliest uses of digital systems?

• To analyze DNA
• To process fingerprints
• To compute payroll (correct)
• To examine digital crimes

What was the modus operandi of the perpetrator in one of the earliest digital crimes?

• To hack into the payroll system
• To send fake emails
• To steal large amounts of money at once
• To move the round-off to his or her own account (correct)

Why did digital crime become relatively easy to commit?

Because digital technology provided many benefits and reduced costs (D)

What was the consequence for digital criminals who got caught?

They faced relatively minor consequences (B)

What is a characteristic of digital forensics as a scientific discipline?

It is still growing and evolving (C)

What is one of the challenges that increasing computing power poses to forensic investigations?

The need for more storage on forensics servers (B)

Why is it recommended to use high-capacity cabling in forensics labs?

To increase the efficiency of future forensics investigations (D)

What is the main difference between a bundled product and software as a service (SaaS)?

The way the software is licensed (B)

What is one of the challenges of investigating software obtained as a shared service?

Obtaining access to the program code (B)

What is infrastructure as a service (IaaS)?

Virtualization of an entire network infrastructure (C)

What is the main advantage of platform as a service (PaaS)?

It provides individual operating systems as a service (B)

What is one of the challenges of investigating cloud-based systems?

Determining the physical location of the data (D)

Why is it important to know how software is obtained in a forensic investigation?

To determine the functionality and patch levels of the software (A)

What is the cloud?

A model for delivering computing services over the internet (C)

What is the impact of larger hard drive sizes on forensic imaging?

Slower imaging processes (A)

What is the main challenge in protecting digital systems and associated assets?

The growth of protection methods is not keeping pace with the growth of attacks (A)

What is the prediction made by Gordon E. Moore in 1965?

The number of components in integrated circuits would double every 18 to 24 months (D)

What is the implication of Moore's law on digital devices?

The capacity and capability of digital devices will double, and the cost will be halved (C)

What is the impact of Moore's law on digital forensics?

It makes digital forensics more complex and challenging (C)

What is the challenge in conducting digital forensic investigations?

Analyzing a large amount of data from multiple devices (C)

What is the expectation of the U.S. legal system regarding digital forensics?

It expects digital forensics to be unconstrained by time, money, and available technology (C)

What is the consequence of Moore's law on digital storage capacity?

It doubles digital storage capacity (A)

What is the approach used by investigators in digital forensic investigations?

Selectively evaluating data (C)

What is the challenge in developing new techniques for digital forensic investigations?

Developing techniques that can keep pace with the growth of digital devices (A)

What is the impact of Moore's law on the cost of digital devices?

It decreases the cost of digital devices (A)

What was the significance of the IBM sales rep's action of erasing the chalkboard?

It simplified the concept of connectivity (C)

What is the primary function of cloud providers like Microsoft Azure and Amazon cloud services?

To house valuable services (B)

What is the trend observed in Microsoft certifications as of 2020?

Increased emphasis on Azure-focused certifications (D)

What is the common use of cloud providers among individuals?

To store data in services like Google Drive, Microsoft One Drive, or Dropbox (C)

What is the significance of 'the cloud' in modern computing?

It is a simplified way of envisioning the connectivity (C)

What is the primary difference between the cloud's original function and its current use?

It has expanded from basic connectivity to housing valuable services (D)

What is the main advantage of having multiple redundant servers in a network?

To reduce the risk of hardware failure (A)

What is the primary concern in environments where there are only a few servers?

Hardware failure (C)

What is the main limitation of a Storage Area Network (SAN)?

It has a finite capacity (C)

What type of disaster can a redundant network server or SAN withstand?

Hardware failure or accidental data deletion (D)

What is the main advantage of cloud computing over traditional network redundancy?

It is more resilient to large-scale disasters (D)

What is the benefit of Storage as a Service (STaaS) in terms of data backup?

It automatically backs up data (A)

What is the concern for forensic examiners in the context of cloud computing?

Data tampering or chain of custody (A)

What is the origin of the term 'the cloud'?

An IBM sales representative's presentation in 1973 (A)

What is the main difference between a SAN and cloud computing?

A SAN is limited to a single geographic location (A)

What is the benefit of a cloud computing architecture?

It is highly resilient to large-scale disasters (D)

According to NIST, what is a characteristic of cloud computing?

Ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (A)

What is a consideration for a forensic investigator when collecting evidence from a cloud-based server?

The logs for the host server also need to be retrieved. (C)

What is the primary focus of the NIST document on cloud forensics?

Documenting the challenges of cloud forensics (B)

What is a challenge in cloud forensics due to the transnational nature of cloud computing?

Different laws and regulations in each country. (B)

What is a challenge in conducting cloud forensics, as compared to traditional computer forensics?

Imaging a cloud (A)

What is the purpose of the NISTIR 8006 document published by the U.S. National Institute of Standards and Technology?

To outline the challenges of cloud computing forensics. (C)

What is the importance of the chain of custody in cloud forensics?

To avoid allegations of evidence tampering or misconduct (D)

What is the purpose of hashing in cloud forensics?

To validate the integrity of the copy (B)

Why is it important for a forensic investigator to have knowledge of laws related to computer forensics in other countries?

To understand the laws of the country where the cloud provider is hosted. (D)

What is the process of collecting evidence from a cloud-based server similar to?

Imaging a virtual machine, just as you would image any other hard drive. (A)

What is the goal of repeatability and reproducibility in cloud forensics?

To ensure the procedures and conclusions are repeatable and reproducible by the same or other forensic analysts (D)

What is the impact of cloud computing on digital forensics?

It makes data acquisition more complicated. (B)

What is a significant challenge facing forensics, apart from increasing computing power?

The emergence of new devices (B)

What is a potential use of GPS data in forensic investigations?

To track a suspect's location at a crime scene (C)

What is a potential repository of forensic evidence in cars?

Hard drives for storing music (B)

What is a concern related to the increasing use of technology in daily life?

The potential for decreased privacy (C)

What is a hypothetical scenario that highlights the importance of forensic evidence in cars?

A person is watching a pay-per-view movie and someone they have a conflict with is murdered (A)

What is a potential consequence of the increasing use of technology in daily life?

The loss of all vestige of privacy (D)

What is the purpose of using digital forensics in a scenario where someone is accused of a crime they did not commit?

To prove the accused's whereabouts at the time of the crime (A)

What is the operating system used in some vehicle infotainment systems?

Android Automotive OS (A)

What is a potential risk of medical devices with wireless communication capabilities?

They can be hacked to dispense fatal doses of medication (C)

What is the implication of increasing complexity of medical devices on digital forensics?

It will become easier to forensically examine devices in cases of foul play (D)

What is the significance of the FDA's warning related to the essential programming functions of pacemakers?

It highlights the potential for unauthorized access and modification of pacemakers (D)

What is the focus of digital forensics in the context of medical devices?

To analyze the device's software and potential vulnerabilities (B)

What is a limitation of using cell site analysis to locate individuals?

It can only provide a general location, not an exact location (D)

What is the typical range of a cell phone tower?

5 to 10 kilometers (A)

What can affect the range of a cell phone tower?

Terrain, including mountains and urban constructions (C)

What happens when a cell phone is in range of multiple cell towers?

The cell phone will be handed off to another tower. (A)

What is the purpose of extracting data from cell phone usage records in forensic investigations?

To attempt to locate individuals in criminal and civil investigations (C)

What is the primary reason why cell site analysis is scientifically invalid?

The latitude and longitude records from cell phone towers are for the cell, not for the individual phone. (B)

What is the maximum range of a cell tower's coverage according to the 2014 NIST Guidelines on Mobile Device Forensics?

35 kilometers (A)

What is the primary limitation of using cell phone records to determine a device's location?

The records can only give a general area and direction of motion (B)

What is the operating system used by the majority of smart televisions as of 2020?

Android (B)

What is the primary benefit of using an Android-based approach for forensic analysis of smart televisions?

It is applicable to a wide array of televisions (B)

What is the name of the command-line tool used for communicating with an Android device?

Android Debugging Bridge (B)

What is the primary advantage of using ADB for forensic analysis of smart televisions?

It is scientifically sound and widely accepted (A)

What is the purpose of using ADB via a network for forensic analysis of smart televisions?

It is the only way to access devices that do not allow a USB connection (B)

What is the primary challenge of using historical cell phone records to geolocate a particular phone?

The cell towers can service phones at distances of up to 35 kilometers (C)

What is the primary benefit of examining smart televisions in digital forensics investigations?

It can provide valuable evidence that may be missed (D)

What is the name of the operating system used by some LG televisions?

webOS (C)

What is the purpose of the command 'adb devices' in the context of Android TV forensics?

To verify the connection to the Android TV device (A)

What is the goal of using the 'adb shell getprop' command during Android TV forensics?

To gather details about the Android TV device (C)

What is the purpose of the 'adb backup' command during Android TV forensics?

To back up the Android TV device (C)

What is the purpose of the 'adb shell' command during Android TV forensics?

To execute Linux commands on the Android TV device (C)

What is the first step in the process of using ADB to obtain forensically relevant information from a smart TV?

Turn on USB debugging on the target device (B)

What is the purpose of the 'adb pull' command during Android TV forensics?

To copy relevant data from the Android TV device to the forensic workstation (A)

What led to the creation of the Electronic Crimes Task Force?

The establishment of regional computer forensic laboratories (B)

What is the purpose of private forensics labs in civil litigation?

To process evidence and produce reports (D)

Why do defense attorneys often want their own lab to examine evidence?

To challenge the findings of the prosecution or find flaws in the methodology (C)

What is a reason why smaller police departments outsource their computer forensics to private labs?

It is more cost-effective (B)

What is a requirement for a private citizen in some states to practice digital forensics?

A valid private investigator's license (D)

What is a challenge in international digital forensics cases?

Different laws and jurisdictions (A)

What is the purpose of the Daubert Standard in digital forensics?

To verify that new techniques are generally accepted (D)

Why is it important for forensic investigators to be aware of emerging technologies and techniques?

To be aware of new tools and techniques (A)

What is a common use of private forensics labs in criminal cases?

To challenge the findings of the state's lab (A)

What is the focus of digital forensics in transnational cases?

To follow the laws of the most restrictive jurisdiction (D)

What was the primary purpose of the USA PATRIOT Act of 2001?

To combat terrorism (B)

How has the USA PATRIOT Act affected computer crime?

It has allowed internet service providers to share information with law enforcement without a warrant (D)

What is the impact of changes in the law on evidence examination?

It affects the collection of evidence, but not the analysis (D)

What is the focus of Section 816 of the USA PATRIOT Act?

Cybersecurity forensic capabilities (C)

What is the significance of the U.S. Supreme Court's 2013 ruling on DNA evidence?

It allows law enforcement to collect DNA evidence without consent in certain cases (B)

How do changes in the law affect warrant requirements and consent to search?

They can alter the requirements for a warrant and exceptions to warrant requirements (C)

Study Notes

Network Redundancy and Disaster Recovery

• Network redundancy is having multiple servers to ensure continued operation in case of a failure
• A simple configuration involves two servers that are identical mirrors of each other, so if one fails, the other can take over
• This setup works well for small environments with few servers, but has limitations in larger environments with massive data storage needs

Storage Area Network (SAN)

• A SAN is a high-speed network that connects multiple servers and storage devices
• It appears as a single storage device to the user, but provides redundancy and increased storage capacity
• If one server fails, the others can continue operating without interruption to the user

Cloud Computing

• Cloud computing combines the ideas of SAN and off-site backup networks
• It involves multiple servers in diverse geographic locations, with data redundantly stored in several servers
• The user accesses "the cloud" without knowing the location of the data

Impact on Forensic Investigations

• Cloud computing makes data acquisition more complicated, as data may be stored in multiple locations
• It is important for forensic investigators to have familiarity with laws related to computer forensics, including those in other countries
• NIST has outlined forensic challenges and procedures for cloud forensics, including the importance of legal authority, chain of custody, and validated tools

Digital Forensics

• Digital forensics is a relatively new field that is still evolving
• It involves the investigation of digital crimes, including fraud and identity theft
• The field is dynamic, and forensic examiners must keep up with changing trends and technology

Moore's Law

• Gordon E. Moore predicted that the number of components in integrated circuits would double every 18-24 months, leading to exponential growth in computing power and reduction in cost
• This prediction, known as Moore's Law, has held true for over 50 years and has driven the development of modern computing and digital forensics### Digital Forensics

Vehicles with Infotainment Systems

• Many modern vehicles have infotainment systems with operating systems like Android Automotive OS.
• These systems can be a source of forensic evidence, including GPS data and other electronic records.

Medical Devices

• Medical devices, such as insulin pumps and pacemakers, can be compromised by hackers, posing a significant threat to users.
• These devices can be hacked to dispense lethal doses of insulin or alter pacemaker settings.
• The U.S. Food and Drug Administration (FDA) has issued warnings about the potential for unauthorized access to these devices.

New Devices

• The increasing sophistication of devices, such as smartphones and tablets, presents new challenges for digital forensics.
• New devices, like cars, can contain forensic evidence, including GPS data, that can be used in investigations.

Legal and Procedural Trends

• The legal environment for digital forensics is constantly evolving, with changes in laws affecting how evidence is seized and analyzed.
• The USA PATRIOT Act, for example, has had a significant impact on digital forensics, allowing internet service providers to share data with law enforcement without a warrant.

Private Laboratories

• Private forensic laboratories are becoming more common, handling forensic examinations for private companies, attorneys, and law enforcement agencies.
• These laboratories can gather evidence, analyze it, and produce reports that can be used in civil litigation or criminal investigations.

International Issues

• Digital forensics often involves international legal issues, particularly in cases of transnational crime.
• Investigators must be aware of the laws in each country involved and ensure they comply with the most restrictive laws.

Techniques

• New techniques and tools are constantly evolving, but must be verified before being used in court.
• Investigators must stay up to date with emerging technologies and techniques to ensure the validity of their findings.

GPS Forensics

• GPS forensic analysis is a common practice in criminal and civil investigations, but it has limitations.
• Cell tower logs can only provide a general area of where a phone was located, not a precise location.

Smart Televisions

• Smart televisions are essentially computers with internet connectivity, applications, and internal storage, making them a subject of digital forensics investigations.
• Android operating systems are commonly used in smart TVs, and Android Debugging Bridge (ADB) can be used to access and analyze data on these devices.

Description

Test your knowledge on the development of digital forensics as a scientific discipline, its evolution, and the importance of staying up-to-date with changing technology trends. Explore the history of digital systems and their applications. Assess your understanding of digital forensics in a dynamic environment.