Digital Forensics Overview

Questions and Answers

What is the first step when a digital forensic examination is required?

A warrant is executed

A lead investigator is appointed

An incident is reported (correct)

Digital devices are seized

What role does the Procurator Fiscal play in the digital forensic process?

Decides if the evidence is sufficient for trial (correct)

Juries the case

Secures the site of the incident

Conducts the forensic examination

Which document summarizes the findings of the digital forensic examination?

The jury's verdict

The lead investigator's report

The warrant

The forensic report (correct)

At what stage is the security of the site established in the digital forensics process?

When the warrant is executed

What must the examiner be prepared to do during the trial?

Explain the forensic examination and findings

What happens after the forensic examination is completed?

The results are included in the forensic report

What determines if the case proceeds to trial?

The Procurator Fiscal's assessment of evidence

Who ultimately decides on the punishment if the defendant is found guilty?

The judge

What is the primary function of a Write Blocker?

To prevent data from being altered during examination

Which software is commonly used by professional Digital Forensics examiners?

EnCase

What capability does EnCase have that is significant in a legal context?

It produces court-accepted reports.

Which of the following can FTK Imager do?

Clone a memory device

What type of files can be recovered using Digital Forensics software?

Files that have been lost after formatting

What is the main difference between EnCase and Autopsy?

EnCase requires a paid license, while Autopsy is free.

What additional devices can specialist Digital Forensics software typically analyze?

All types of digital storage devices

Which feature allows examiners to identify fragments of files?

Digital Forensics software functionality

What is one of the criminal offenses created by the Computer Misuse Act, 1990?

Accessing computer materials without permission

Which law specifically prohibits passing information on how to hack computers?

The Computer Misuse Act, 1990

What potential penalty is associated with the first offense of the Computer Misuse Act?

Unlimited fine or imprisonment

What does the Human Rights Act, 1998 primarily address?

Personal freedoms and rights

Which Act was created specifically in response to the rise of personal computers and related crimes?

The Computer Misuse Act, 1990

Which option is NOT one of the offenses outlined in the Computer Misuse Act, 1990?

Making authorized modifications to computer material

Which of the following laws is NOT mentioned as relevant for Digital Forensics examinations?

Civic Government (Scotland) Act, 1982

Which of these actions could result in a breach of the Computer Misuse Act, 1990?

Accessing someone's computer without permission

What will happen if the first letter of the string 'A quick brown fox jumps over the lazy dog.' is changed to lowercase?

The MD5 hash code will be different.

What basic details should be included in the System Information before an examination?

Make, Model, and Serial Number of the device.

If the input command is changed to use SHA1 instead of MD5, what is expected?

The hashing outcome will differ from that of MD5.

What is indicated by the term 'System Information' in the context of examinations?

Basic device specifications needed for examination.

What will happen if a different single letter in the input name is modified before computing the hash?

A different hash code will be generated.

What type of file is commonly used to gather information about network traffic?

Pcap file

What records do phone service providers typically maintain?

Detailed call history

Which of the following pieces of information is NOT typically found in mobile device call records?

Transcription of the call

What challenge does encryption present to forensic examiners?

It complicates the extraction of data

What is the primary purpose of using TOR by criminals?

To conceal their online activities

How does a VPN (Virtual Private Network) affect online communication?

It hides the sender and receiver and encrypts the communication

What additional information can smartphones record even when not actively used?

Location history

What is a possible consequence of data encryption in mobile devices?

Examiners may require advanced methods and tools to access data

What is the purpose of user profiles in modern computer operating systems?

To store personalized settings and data for each user.

Where can user profiles be found on a Windows 10-based computer?

In the Users folder.

What type of account provides very limited access to the computer?

Public account.

Which folder contains information about applications that have been used on the computer?

AppData folder.

What is commonly stored on the Desktop folder of a user profile?

Shortcuts to applications and documents.

How can the hidden 'AppData' folder be revealed in Windows 10?

By checking the Hidden Items option in the View ribbon.

Which of the following statements about the Recycling or Trash folder is true?

It contains files that have been deleted by the user but can be recovered.

What characteristic distinguishes the Contacts folder in a user profile?

It holds the details of contacts saved by the user.

Study Notes

NPA Cyber Security - Digital Forensics

• This learner guide covers Digital Forensics for the National Progression Award in Cyber Security
• The content is split into three levels: National 4, National 5 and Higher
• Practical tasks are recommended to aid learning and improve practical skills
• The study material is designed for use with the guidance of a teacher
• It is funded by the Scottish Government and in partnership with the National Cyber Resilience Leaders' Board

Contents

• Introduction: Covers the four principles of digital evidence and how to use the notes
  • Four Principles of Digital Evidence:
    • No action taken should change data that may be relied upon in court
    • Persons accessing original data must be competent and able to explain actions
    • All actions applied to digital evidence should be recorded and preserved
    • Overall responsibility rests with the person in charge of the investigation
• The Digital Forensics Process: Covers the stages of an investigation
  • Incident: An incident triggering the need for a Digital Forensics investigation
  • Investigation Starts: Lead investigator appointment, warrant application, device seizure
    • Computer Misuse Act 1990, Human Rights Act 1998, Regulation of Investigatory Powers (Scotland) Act 2000: Laws underpinning investigations
  • Seizure: Either by warrant or voluntary surrender
    • By Warrant: Secure the crime scene, identify devices, and record the 'chain of custody'
    • By Voluntary Surrender: The owner gives permission to examine; maintaining records
  • Digital Forensic Examination: This is split into acquisition, analysis and reporting.
    • Acquisition: Collecting digital information while preserving the originals
      • Capturing Digital Evidence: Imaging memory, imaging drives, verification, system information
      • Chain of Custody: Detailed recording of actions taken with evidence
    • Analysis: Putting evidence in chronological order, examining trends, and searching for correlations
    • Reporting: Creating a forensic report and submitting to Procurator Fiscal
  • Trial: The forensic report is used as evidence in court; examiner must be able to explain findings to the jury
  • Verdict: Jury decides on guilt or innocence, Judge imposes any penalties if found guilty

Data Acquisition

• At the Crime Scene: First responders secure the scene, preserve evidence, and provide records including photographs and video
• Digital examination: This is a thorough looking at the entire systems. This is done to preserve the original state to enable repeatability to be confirmed.
• Imaging Memory: Creating a copy of the device's memory, while the device is 'on'. This is to preserve the memory's contents. A 'working copy' and a 'prime copy' are created
• Imaging Drives: Copying all storage media to preserve their contents. A 'working copy' and a 'prime copy' are created
• Verification: Using 'Hashing' to verify the accuracy of copies. This process ensures the copy is a precise reproduction of the original
• System Information: Gathering details like make, model, serial number, operating system, and applications on the device

Analysing Digital Evidence

• Timeline: Creating a timeline of events, linking them to specific users, and correlating them with other evidence
• Relationships: Identifying relationships between users, devices, and files.
• Network Analysis (Level 6): Investigating network traffic and connections for evidence
• Reporting Findings: Summarizing the findings, remaining objective, and using 'likelihood' based conclusions to present them

Further Study

• The use of smartphones, social media, cloud computing and 'Internet of Things' devices, along with the rise of digital assistants, require new techniques and tools

Description

Explore the fundamental aspects of digital forensics in this quiz. From the initial steps in a digital forensic examination to the roles of key players in the legal process, test your knowledge on how digital evidence is handled and presented in court. Whether you're a beginner or looking to refresh your skills, this quiz covers essential concepts in digital forensic analysis.