Digital Forensics Overview

Questions and Answers

What is the first step when a digital forensic examination is required?

• A warrant is executed
• A lead investigator is appointed
• An incident is reported (correct)
• Digital devices are seized

What role does the Procurator Fiscal play in the digital forensic process?

• Decides if the evidence is sufficient for trial (correct)
• Juries the case
• Secures the site of the incident
• Conducts the forensic examination

Which document summarizes the findings of the digital forensic examination?

• The jury's verdict
• The lead investigator's report
• The warrant
• The forensic report (correct)

At what stage is the security of the site established in the digital forensics process?

When the warrant is executed (C)

What must the examiner be prepared to do during the trial?

Explain the forensic examination and findings (D)

What happens after the forensic examination is completed?

The results are included in the forensic report (A)

What determines if the case proceeds to trial?

The Procurator Fiscal's assessment of evidence (C)

Who ultimately decides on the punishment if the defendant is found guilty?

The judge (A)

What is the primary function of a Write Blocker?

To prevent data from being altered during examination (A)

Which software is commonly used by professional Digital Forensics examiners?

EnCase (B)

What capability does EnCase have that is significant in a legal context?

It produces court-accepted reports. (C)

Which of the following can FTK Imager do?

Clone a memory device (C)

What type of files can be recovered using Digital Forensics software?

Files that have been lost after formatting (D)

What is the main difference between EnCase and Autopsy?

EnCase requires a paid license, while Autopsy is free. (D)

What additional devices can specialist Digital Forensics software typically analyze?

All types of digital storage devices (A)

Which feature allows examiners to identify fragments of files?

Digital Forensics software functionality (A)

What is one of the criminal offenses created by the Computer Misuse Act, 1990?

Accessing computer materials without permission (A)

Which law specifically prohibits passing information on how to hack computers?

The Computer Misuse Act, 1990 (C)

What potential penalty is associated with the first offense of the Computer Misuse Act?

Unlimited fine or imprisonment (C)

What does the Human Rights Act, 1998 primarily address?

Personal freedoms and rights (A)

Which Act was created specifically in response to the rise of personal computers and related crimes?

The Computer Misuse Act, 1990 (C)

Which option is NOT one of the offenses outlined in the Computer Misuse Act, 1990?

Making authorized modifications to computer material (B)

Which of the following laws is NOT mentioned as relevant for Digital Forensics examinations?

Civic Government (Scotland) Act, 1982 (C)

Which of these actions could result in a breach of the Computer Misuse Act, 1990?

Accessing someone's computer without permission (A)

What will happen if the first letter of the string 'A quick brown fox jumps over the lazy dog.' is changed to lowercase?

The MD5 hash code will be different. (D)

What basic details should be included in the System Information before an examination?

Make, Model, and Serial Number of the device. (C)

If the input command is changed to use SHA1 instead of MD5, what is expected?

The hashing outcome will differ from that of MD5. (D)

What is indicated by the term 'System Information' in the context of examinations?

Basic device specifications needed for examination. (D)

What will happen if a different single letter in the input name is modified before computing the hash?

A different hash code will be generated. (D)

What type of file is commonly used to gather information about network traffic?

Pcap file (D)

What records do phone service providers typically maintain?

Detailed call history (D)

Which of the following pieces of information is NOT typically found in mobile device call records?

Transcription of the call (A)

What challenge does encryption present to forensic examiners?

It complicates the extraction of data (B)

What is the primary purpose of using TOR by criminals?

To conceal their online activities (A)

How does a VPN (Virtual Private Network) affect online communication?

It hides the sender and receiver and encrypts the communication (C)

What additional information can smartphones record even when not actively used?

Location history (A)

What is a possible consequence of data encryption in mobile devices?

Examiners may require advanced methods and tools to access data (C)

What is the purpose of user profiles in modern computer operating systems?

To store personalized settings and data for each user. (D)

Where can user profiles be found on a Windows 10-based computer?

In the Users folder. (D)

What type of account provides very limited access to the computer?

Public account. (C)

Which folder contains information about applications that have been used on the computer?

AppData folder. (C)

What is commonly stored on the Desktop folder of a user profile?

Shortcuts to applications and documents. (A)

How can the hidden 'AppData' folder be revealed in Windows 10?

By checking the Hidden Items option in the View ribbon. (D)

Which of the following statements about the Recycling or Trash folder is true?

It contains files that have been deleted by the user but can be recovered. (B)

What characteristic distinguishes the Contacts folder in a user profile?

It holds the details of contacts saved by the user. (A)

Flashcards

Digital Forensics Process

A sequence of events from incident reporting to trial, involving digital evidence examination and legal procedures.

Incident Report

Formal notification of a digital crime/incident, initiating the forensic process.

Warrant Execution

Legal authorization to seize digital devices, ensuring proper preservation of evidence.

Digital Device Seizure

Safely taking possession of digital devices and preserving their data for examination.

Forensic Examination

Detailed analysis of digital devices to extract relevant information from digital data.

Forensic Report

A document with the findings of a digital forensic examination and explanation of the process.

Procurator Fiscal

A legal officer who decides if digital evidence is strong enough for a trial.

Trial Evidence

Digital evidence used to prove a case in court, with proper explanation by the examiner.

Computer Misuse Act, 1990

UK law creating criminal offenses related to unauthorized computer access and modification.

Unauthorized Computer Access

Accessing computer materials without the owner's permission, a criminal offense under the Computer Misuse Act.

Illegal Modification

Unauthorized changes to computer materials, a criminal offense under the Computer Misuse Act.

Criminal Offenses, Computer Misuse Act

Unauthorized access, access for other crimes, and unauthorized modification are the 3 offences of the Computer Misuse Act.

Sharing Hacking Information

Providing information on how to hack computers or make unauthorized modifications is illegal.

Encouraging Illegal Hacking

Encouraging others to break the law that prohibits unauthorized computer access or modification is illegal.

Computer Malware

Software designed to damage or disable a computer system.

Consequences of Computer Misuse Act Violation

Violating the Act can result in imprisonment and/or fines.

Write Blocker

A hardware device that prevents data from being written to a storage device, ensuring the original data remains untouched during forensic analysis.

FTK Imager

Software used to create an exact copy (clone) of a storage device, preserving its data for analysis. It's often used for Windows-based computers.

Digital Forensics Software

Specialized software used to examine digital devices for evidence, uncovering hidden files, deleted files, and even fragments.

EnCase

A professional digital forensics software package producing reports that are widely accepted in courts as reliable evidence.

Autopsy

A free digital forensics software package, offering basic analysis capabilities. Not as powerful as EnCase.

Deleted Files

Files that have been removed from a device but often still reside on its storage, recoverable by digital forensics software.

Formatted Storage Device

A storage device that has been cleared of data (often accidentally), potentially losing valuable information. Digital forensics can sometimes recover it.

File Fragments

Partial pieces of files that may be scattered across a storage device. Digital forensics can try to reconstruct them.

Network Traffic Data

Information about the flow of data on a network, like the source and destination of data packets, the time of transmission, and the type of data being sent.

Packet Capture File

A file that contains a record of all network traffic intercepted and saved for analysis, often used in digital investigations.

Mobile Device Records

Data stored by mobile service providers that can be accessed with legal authorization, including call history, location data, and contact information.

Encrypted Mobile Devices

Mobile devices with data protection measures that make accessing information more challenging for investigators.

MD5 Hash

A unique digital fingerprint created from a piece of data, like a text message or file. It's used to verify data integrity and detect changes.

TOR Network

A network designed to anonymize online communications and make it difficult to identify the source of data.

SHA1 Hash

Another type of hash function, similar to MD5, but considered more secure. It also creates a unique digital fingerprint for data.

VPN (Virtual Private Network)

A service that encrypts network traffic and hides the sender and receiver's locations, making it difficult to trace communications.

Data Encryption

A method used to protect information by converting it into a form that is only accessible with a decryption key.

System Information

A record of the device's details, like its Make, Model, and Serial Number, used to identify the specific device being examined.

Forensic Challenges with Encryption

Encrypted data presents a challenge for digital forensic investigations since investigators need the decryption key to access the information.

Make, Model, Serial Number

These details uniquely identify a device, like its manufacturer, specific model, and individual serial number.

User Profile

A collection of data about a user on a computer, including settings, files, and preferences.

AppData Folder

Holds information about applications used on a computer, even after the application is deleted.

Contacts Folder

Stores the details of contacts saved by the user.

Desktop Folder

The main screen where users see files and shortcuts, used for quick access.

Recycling/Trash Folder

Holds files that have been deleted by the user, waiting for final deletion or recovery.

Hidden Files

Files that are not normally visible, but can be shown by enabling the 'Hidden Items' option.

Public Account

An account with limited access to a computer, often used for guests.

User Profile Location

The specific folder on a computer where user profiles are stored.

Study Notes

NPA Cyber Security - Digital Forensics

• This learner guide covers Digital Forensics for the National Progression Award in Cyber Security
• The content is split into three levels: National 4, National 5 and Higher
• Practical tasks are recommended to aid learning and improve practical skills
• The study material is designed for use with the guidance of a teacher
• It is funded by the Scottish Government and in partnership with the National Cyber Resilience Leaders' Board

Contents

• Introduction: Covers the four principles of digital evidence and how to use the notes
  • Four Principles of Digital Evidence:
    • No action taken should change data that may be relied upon in court
    • Persons accessing original data must be competent and able to explain actions
    • All actions applied to digital evidence should be recorded and preserved
    • Overall responsibility rests with the person in charge of the investigation
• The Digital Forensics Process: Covers the stages of an investigation
  • Incident: An incident triggering the need for a Digital Forensics investigation
  • Investigation Starts: Lead investigator appointment, warrant application, device seizure
    • Computer Misuse Act 1990, Human Rights Act 1998, Regulation of Investigatory Powers (Scotland) Act 2000: Laws underpinning investigations
  • Seizure: Either by warrant or voluntary surrender
    • By Warrant: Secure the crime scene, identify devices, and record the 'chain of custody'
    • By Voluntary Surrender: The owner gives permission to examine; maintaining records
  • Digital Forensic Examination: This is split into acquisition, analysis and reporting.
    • Acquisition: Collecting digital information while preserving the originals
      • Capturing Digital Evidence: Imaging memory, imaging drives, verification, system information
      • Chain of Custody: Detailed recording of actions taken with evidence
    • Analysis: Putting evidence in chronological order, examining trends, and searching for correlations
    • Reporting: Creating a forensic report and submitting to Procurator Fiscal
  • Trial: The forensic report is used as evidence in court; examiner must be able to explain findings to the jury
  • Verdict: Jury decides on guilt or innocence, Judge imposes any penalties if found guilty

Data Acquisition

• At the Crime Scene: First responders secure the scene, preserve evidence, and provide records including photographs and video
• Digital examination: This is a thorough looking at the entire systems. This is done to preserve the original state to enable repeatability to be confirmed.
• Imaging Memory: Creating a copy of the device's memory, while the device is 'on'. This is to preserve the memory's contents. A 'working copy' and a 'prime copy' are created
• Imaging Drives: Copying all storage media to preserve their contents. A 'working copy' and a 'prime copy' are created
• Verification: Using 'Hashing' to verify the accuracy of copies. This process ensures the copy is a precise reproduction of the original
• System Information: Gathering details like make, model, serial number, operating system, and applications on the device

Analysing Digital Evidence

• Timeline: Creating a timeline of events, linking them to specific users, and correlating them with other evidence
• Relationships: Identifying relationships between users, devices, and files.
• Network Analysis (Level 6): Investigating network traffic and connections for evidence
• Reporting Findings: Summarizing the findings, remaining objective, and using 'likelihood' based conclusions to present them

Further Study

• The use of smartphones, social media, cloud computing and 'Internet of Things' devices, along with the rise of digital assistants, require new techniques and tools