Digital Forensics Fundamentals

Questions and Answers

Which element significantly contributes to criminal justice when leveraging digital information?

  • Forensic science
  • Digital evidence (correct)
  • Volatile evidence
  • All of the above

The Federal Bureau of Investigation (FBI) program that aids in investigating computer-related crimes is known as what?

  • Magnet Media Program
  • Computer Forensic Laboratory
  • Computer Analysis and Response Team (CART) (correct)
  • INTERPOL

Which activity falls outside the scope of legitimate digital forensics practices?

  • Extraction of computer data
  • Interpretation of computer data
  • Manipulation of computer data (correct)
  • Preservation of computer data

Which tenet is crucial to maintain the integrity and reliability of digital forensic investigations?

Answer: Any examination should prevent modification of evidence (A)

Which action should NOT be part of a sound digital forensic process?

Answer: An examination should be performed on the original data (D)

In the realm of digital forensics, what does IDIP represent?

Answer: Integrated Digital Investigation Process (C)

Who is recognized as the pioneering figure in computer forensics?

Answer: G. Palmar (D)

Which group is credited with proposing the Abstract Digital Forensic Model (ADFM)?

Answer: Reith, Carr, Gunsh (A)

Which investigative model is associated with S. Ciardhuain?

Answer: Extended Model of Cybercrime Investigation (EMCI) (A)

Which digital forensics model offers the most encompassing approach to date?

Answer: Extended Model of Cybercrime Investigation (EMCI) (B)

In digital forensics, which phase involves meticulous recording of the physical scene and creating standardized duplicates of digital evidence?

Answer: Collection (A)

In a digital investigation, which phase is designed to detect and confirm a security incident?

Answer: Readiness phase (D)

During which phase of a digital investigation would an investigator piece together fragmented evidence to formulate investigative hypotheses?

Answer: Reconstruction phase (D)

What is the primary activity during the survey phase of a digital forensic investigation?

Answer: Survey phase (E)

In the context of an investigation, when does a review phase most commonly occur?

Answer: Review phase. (A)

Which element is critical in maintaining integrity of digital evidence and promoting ethical decision-making?

Answer: All of the Above (D)

Which of the following is a standard ethical guideline for digital investigators?

Answer: All of above (C)

Which action compromises ethical standards for a digital investigator?

Answer: Distort or falsify education, training, credentials. (D)

Which of the following is NOT a general ethical norm for investigators?

Answer: To express an opinion on the guilt or innocence belonging to any party (B)

Which of the following is NOT an unethical norm for digital forensics investigations?

Answer: Should be fair and take action not to discriminate. (B)

What type of question is framed based on available factual evidence to express an opinion?

Answer: Hypothetical (C)

What type of security risk is characterized as subtle and often spread through email, where users are unaware they are running macros?

Answer: Danger of macro viruses (C)

In the field of computer forensics, what term is used to describe one of the core elements?

Answer: Chains (D)

Which explanation defines digital forensics?

Answer: The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation (C)

In digital forensics, what encompasses all the necessary processes related to digital evidence?

Answer: The identification, preservation, recovery, restoration and presentation of digital evidence from systems and devices (D)

Flashcards

Digital Forensics

The application of computer science and investigative procedures for legal purposes, involving analysis of digital evidence.

CART

A program within the FBI focused on computer crime investigation.

Locard's Exchange Principle

A principle stating criminals leave and take traces at a crime scene.

Digital Evidence

Information stored, transmitted, or received via electronic devices that is valuable for investigations.

Chain of Custody

Ensuring integrity by documenting evidence's handling, from collection to presentation.

Ethical Hacking

Testing security by thinking like a malicious attacker. Also known as penetration testing and intrusion testing.

Black Hat Hackers

Hackers with unlawful intentions

Ethical Hacker

Hackers who discover system vulnerabilities to protect against unauthorized access, abuse, and misuse

Hacktivists

Hackers who use hacking to send social, religious, and political messages.

Main Goal of Ethical Hacking

To find and fix security vulnerabilities

Snapshots

A complete image of a protected system

Authorization

Ensuring user privileges are applied correctly.

Data Security

Strategies and processes for securing privacy, availability, and integrity of data.

Data Lifecycle Management

Automated transfer of critical data to offline and online storage

Ethical Hacking Principles

Obtain written consent, protect privacy.

Section 66B

Cyber security act: Receiving stolen computer or communication device.

Section 69

Cyber security act: Failure/refusal to decrypt data.

NetCat

Tool used for network testing and port scanning.

Denial of Service (DoS)

Overloading a system, making it inoperable.

Ping Sweep

Technique for identifying which systems on a network are live.

ARP Poisoning Attack

Man-in-the-middle attack on ARP; excessive ARP requests on a network can indicate it.

Google Dorking

Technique to find information exposed accidentally to the Internet

Heap-based buffer-overflow attack

Attack corrupts data within the heap and forces the system to overwrite important data

Database Management Systems

Complex software to organize and manage databases

Aggregation

Combining data about citizens from various sources into a data warehouse

Signup and view all the flashcards

Study Notes

Digital Forensics

  • Digital evidence plays a vital role in criminal justice systems.
  • The FBI's program for investigating computer-related crimes is currently referred to as the Computer Analysis and Response Team (CART).
  • Digital forensics involves extraction, preservation, and interpretation of computer data, but not manipulation.
  • Rules of digital forensics include not performing examinations on original data, ensuring exact bit-by-bit copies, maintaining chain of custody, and preventing evidence modification.
  • Performing an examination on the original data is not a rule of digital forensics.
  • IDIP stands for Integrated Digital Investigation Process.
  • G. Palmar is considered the father of Computer Forensics.
  • Reith, Carr, Gunsh proposed the Abstract Digital Forensic model (ADFM).
  • S. Ciardhuain proposed the Extended Model of Cybercrime Investigation (EMCI).
  • The Extended Model of Cybercrime Investigation (EMCI) is considered the most comprehensive Forensic Model.
  • The collection phase involves recording the physical scene and duplicating digital evidence using standardized procedures.
  • The readiness phase provides a mechanism for detecting and confirming an incident.
  • The reconstruction phase includes putting together pieces of a digital puzzle and developing investigative hypotheses.
  • The presentation phase involves transferring relevant data from a venue out of physical/administrative control to a controlled location.
  • The review phase entails a review of the whole investigation, identifying areas for improvement.
  • Ethical decision-making in digital forensic work includes honesty, prudence in handling digital evidence, and compliance with laws and professional norms.
  • General ethical norms for investigators include contributing to society, avoiding harm, and being honest and trustworthy.
  • Unethical norms for investigators include distorting education, training, and credentials.
  • Expressing an opinion on someone's guilt or innocence is not a general ethical norm for investigators.
  • Being fair and taking action not to discriminate is an ethical norm, not an unethical one, for digital forensics investigations.
  • An investigator's opinion is elicited by framing a hypothetical question based on the available factual evidence.
  • Macro viruses can be subtle and spread via email, running automatically when a document opens.
  • Chains is one of the three C's in computer forensics.
  • Digital forensics is the application of computer science and investigative procedures for legal purposes, involving analysis of digital evidence after proper search authority has been given.
  • Digital Forensics entails the identification, preservation, recovery, restoration, and presentation of digital evidence from systems and devices.
  • A digital forensic investigator's job is not to determine someone’s guilt or innocence.
  • The admissibility of evidence is a significant legal issue in computer forensics.
  • Conforming to a format and being human readable is not a property of computer evidence.
  • Crime can break an investigation.
  • Digital evidence is used to establish a credible link between the attacker, victim, and the crime scene.
  • Digital evidence must follow the requirements of the Best Evidence rule.
  • The true/real copy of the evidence media given by a victim/client is original evidence.
  • Admissibility defines whether evidence can be used in court.
  • It is false that the original media can be used to carry out the digital investigation process; by default, every part of a victim's computer is considered unreliable.
  • Digital evidence sources include Internet-based sources, stand-alone computers, and mobile devices.
  • Locard's Exchange Principle states that anyone entering a crime scene takes something and leaves something behind.
  • When an incident takes place, the criminal leaves trace evidence at the scene and carries trace evidence away from it; this is what Locard's Exchange Principle describes.
  • Evidence transfer in physical and digital dimensions helps investigators establish connections between victims, offenders, and crime scenes.
  • Digital evidence is defined as information and data of value to an investigation stored on, transmitted by, or received by an electronic device.
  • Evidence or proof from an electronic source is called digital evidence.
  • Photos, videos, sound recordings, graphs, and charts are examples of demonstrative evidence.
  • Dried blood, fingerprints, DNA samples, and footprints are examples of substantial evidence.
  • Evidence given orally by a witness under oath is testimonial evidence.
  • For evidence to be admissible, it should be authenticated.
  • Establishing a chain of custody requires saving original materials, taking photos, screenshots of digital evidence, and documenting date, time, and receipt information.
  • Working with original evidence to develop procedures is not related to digital evidence.
  • Evidence authentication is the process of ensuring that the data presented in court is the same as the data that was collected.
  • Registers and cache are the most volatile evidence source.
  • Log files are not a type of volatile evidence.
  • Computers can be involved in homicide, sexual assault, computer intrusion, intellectual property theft, and civil disputes.

Basics of Hacking

  • Ethical Hacking is also known as White Hat Hacking.
  • Ethical hackers use tools such as scanners, decoders, and proxies.
  • Vulnerability scanning in Ethical hacking finds weaknesses.
  • Ethical hacking can measure all the massive security breaches.
  • The sequential steps a hacker uses are: Reconnaissance, Scanning, Gaining Access, and Maintaining Access.
  • Social engineering involves manipulating people into giving up sensitive information.
  • A cracker is a black hat hacker.
  • Raymond wrote an essay on the fundamentals of the hacker attitude.
  • Black Hat Hackers have unlawful intentions.
  • Ethical Hackers discover vulnerabilities in systems to protect against unauthorized access, abuse, and misuse.
  • Hacktivists use hacking to send social, religious, and political messages.
  • Gray Hat Hackers hack into computer systems without authority to identify weaknesses and reveal them to the system owner.
  • The intent of an ethical hacker is to discover vulnerabilities from an attacker's point of view to better secure the system.
  • Security audits are usually based on checklists.
  • Ethical hacking is also known as penetration testing.
  • The main goal of ethical hacking is to identify and fix security vulnerabilities.
  • A hacker is a person who finds and exploits weaknesses in computer systems.
  • Snapshots are similar to a backup, providing a complete image of a protected system, including data and system files.
  • Authorization assures that user privileges are applied correctly.
  • Data subjects' right to erasure allows them to ask data controllers to "forget" their personal data.
  • A GDPR Data Processor is an entity that holds or processes personal data on behalf of another organization.
  • Data security is a set of strategies and processes to secure data privacy, availability, and integrity.
  • Data lifecycle management involves automating the transmission of critical data to offline and online storage.
  • The goals of ethical hacking include hacking systems non-destructively, enumerating vulnerabilities, and applying results to improve security.
  • A firewall can create a false feeling of safety.
  • An ethical hacker must get written permission, protect privacy, report weaknesses transparently, and inform vendors of those weaknesses.
  • Connecting to a network through a rogue modem behind a firewall is a network infrastructure attack.
  • Breaking file system security is an example of an operating system attack.
  • Malicious software includes viruses, worms, and Trojan horses.
  • Planning should be done before the ethical hacking process.
  • Written permission is necessary before ethical hacking.
  • Ethical hackers must obey ethical principles such as working ethically, respecting privacy, and avoiding system crashes.
  • The LC4 tool is used to crack passwords.
  • Whisker is a tool used for depth analysis of web applications.
  • PGP (pretty good privacy) is used to encrypt emails.
  • A vulnerability scanner identifies weaknesses in a system or network.
  • The Information Technology Act 2000 of India was notified on October 17, 2000.
  • The offense of "Receiving stolen computer or communication device" falls under Section 66B of the Cyber Security Act 2000.
  • The offense of "Failure/refusal to decrypt data" falls under Section 69 of the Cyber Security Act 2000.
  • Section 66A penalized sending "offensive messages".

Types of Hacking

  • SNMP stands for Simple Network Management Protocol.
  • NetCat is a tool used for network testing and port scanning.
  • Banner grabbing is mostly used for White Hat Hacking.
  • An attacker can create an attachment overloading attack by sending numerous emails with large attachments.
  • Sam Spade is a Windows tool for network queries, from DNS lookups to trace routes.
  • Netcat can be used for ping sweeps and port scanning.
  • Netcat is used for security checks in port scanning and firewall testing.
  • Cracking passwords is the most important activity in Windows vulnerabilities.
  • Denial of Service attacks overload a system so it is no longer operational.
  • A ping sweep is used to identify live systems.
  • Telnet uses port 23.
  • Excessive ARP requests can indicate an ARP poisoning attack.
  • ARP spoofing is often referred to as a Man-in-the-Middle attack.
  • Watch for rogue networks: unauthorized access points and wireless clients attached to your network that are running in ad-hoc mode.
  • DoS attacks can take down an Internet connection or an entire network.
  • Port states determined by Nmap include open, closed, and filtered.
  • Network infrastructure vulnerabilities include phishing, SQL injection, hacking, social engineering, spamming, denial of service attacks, and Trojan, virus, and worm attacks.
  • Examples of hacker attacks against messaging systems include transmitting malware, crashing servers, and obtaining remote control of workstations.
  • The ARP protocol plays an important role in a MAC daddy attack.
  • Potential problems from a compromised WLAN include loss of network access, confidential information, and legal liabilities.
  • The allintitle Google dork operator returns only pages that match all of the supplied keywords.
  • Google Dorking is a technique to find information exposed accidentally to the internet.
  • Heap-based attacks involve corrupting data within the heap, forcing the system to overwrite important data.
  • ARP poisoning or spoofing is a type of man-in-the-middle (MITM) attack.
  • Hackers can modify ARP tables by running a program like dsniff or Cain & Abel.
  • When a program places more data in a buffer than allocated, the extra data overflows and corrupts/overwrites data in adjacent buffers.
  • A buffer-overflow attack sends extra data to a program's buffer to corrupt or overwrite adjacent data.
  • Two methods attackers use to take over a program's buffer and initiate a buffer-overflow attack are stack-based and heap-based attacks.
  • A stack-based buffer-overflow attack involves sending data to a small stack buffer, inserting malicious code using "push" or "pop" functions.
  • A heap-based buffer-overflow attack corrupts data within the heap, forcing the system to overwrite important data.
  • Database management systems are complex software systems for managing databases.
  • A security professional's role is to assess and manage potential security problems in database management systems.
  • Loose access permissions are a vulnerability in database management systems.
  • Excessive retention of sensitive data increases the impact of a security breach.
  • Aggregation means combining data regarding citizens from multiple sources into a data warehouse.
  • SQL injection exploits vulnerabilities in a system or network.
  • An email bomb can crash a server and provide unauthorized administrator access.
  • Hackers attack insecure Web Applications via HTTP.
  • SQL Injection is a security vulnerability.
  • Google Dorking is also known as Google Hacking.
  • intitle, allintitle, and inurl are Google Dork operators.
  • The intitle operator searches for specific text in the HTML title of a page in Google Dorks.
  • The inurl operator allows a hacker to search for pages based on the text contained in the URL in Google Dorks.
  • The filetype operator in Google Dorks helps narrow down search results to specific file types.
  • The ext operator can be used to search for files based on their file extension.
  • The intext operator searches the entire content of a page for keywords supplied by the hacker.
  • The allintext operator requires the page to match all keywords.
  • The site operator limits a query to a single website.
  • Common vulnerabilities in all versions of Windows include DoS, Remote Code Execution, SQL Injection, Buffer Overflow, Cross-site Scripting, and Directory Traversal.
  • Microsoft Windows OS is the most widely hacked because it is the most widely used OS worldwide.
  • Hackers drive better security by exposing vulnerabilities in operating systems.
  • Gaining privileges has the maximum impact on confidentiality and integrity.
  • Remote Procedure Call was the type of vulnerability used by the Blaster worm in UNIX and Linux systems.
  • The primary purpose of email attacks is to violate the privacy of email users.
  • Email has become a major vulnerability due to its universal usage.
  • Basic hacking methodologies used in email attacks include gathering public information, scanning, enumerating systems, capturing network traffic, exploiting vulnerabilities, cracking passwords, and phishing.
