Digital Forensics Quiz


Created by
@jlopez59#

Questions and Answers

What is the best description of volatile data?

Data that is lost when the system is powered down, such as the swap file contents and the state of network connections

What is digital evidence?

Information that has been processed and assembled to be relevant to an investigation

What is the purpose of a swap file on a Windows system?

To act as a 'scratch pad' for writing data when additional RAM is needed

Where would Justin find the swap file on a Windows system?

In the pagefile.sys file

What type of file is a swap file?

A temporary file

What is the purpose of examining the system configuration in a digital forensic investigation?

To identify potential sources of digital evidence

What type of attack is likely underway when an email approving a request for funds to be moved from a corporate account to a personal account is sent from a domain not affiliated with the company?

Phishing

How is cyberterrorism different from other cybercrimes?

It is investigated by federal law enforcement.

What is the process of searching memory in real-time, typically for working with compromised hosts or to identify system abuse?

Live system forensics

What refers to how long digital evidence is valid?

Life span

What type of data changes rapidly and may be lost when a machine is powered down?

Volatile data

What type of evidence is an expert witness using when they explain a technical concept to the judge and jury using a high-tech computer animation?

Demonstrative evidence

According to the order of volatility in RFC 3227, what evidence should you collect first on a typical system?

Volatile data, then file slack

Where are Windows passwords hashed and stored on the local machine?

SAM file

What type of phishing attack targets a high-value target, such as a senior company executive?

Whaling

What is the best definition of 'forensics'?

The collection and analysis of digital evidence

What is the third task of a system forensics specialist in handling evidence?

Analyze evidence

What should Devaki do before removing the hard drive from the suspect machine?

Document the machine's current state

What is an example of volatile data?

The state of network connections

What is the primary purpose of a Denial of Service (DoS) attack?

To prevent legitimate users from accessing a system

What is the Digital Forensic Research Workshop (DFRWS) framework?

A digital forensics research organization whose workshop produced a widely used investigative process framework

What should Joey do when investigating a remotely compromised computer that is still running?

Capture the current memory, running tasks, and live connections, and then shut the computer down

What is the primary goal of criminals when committing identity theft?

To perpetrate financial fraud

What is an attack vector that cannot be investigated on the victim's machine?

Dumpster diving

What is the definition of chain of custody?

The continuity of control of evidence from collection to court

What is the best approach for a forensic examiner with experience in Windows and Linux to take when extracting data from a Mac OS computer?

Rely on experience with Windows and Linux to extract data

How can attackers leveraging SQL injection be thwarted?

By validating input (for example, rejecting characters such as quotes and semicolons) and, more robustly, by using parameterized queries so that user input is never interpreted as SQL

What are the three specific steps to follow when handling computer evidence?

Find, preserve, prepare

What is the definition of a hash?

A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

What mistake did Jiang make during the seizure of a suspect computer?

He stopped to purchase supplies on the way to the lab

What is the concept that holds that you cannot interact in an environment without altering it in some way?

Locard's Exchange Principle

What is the purpose of developing a plan of action as a forensic investigator?

To determine which tools are most appropriate for a specific investigation
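The SQL injection answer above is terse, so here is an added example (not code from the quiz or its author) showing the vulnerable and the hardened form side by side. It uses an in-memory SQLite table with constructed sample rows; the table, the rows and the payload string are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for an app database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a parameter; the database never interprets it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def has_injection_metacharacters(s):
    """The character-filtering defense the quiz answer describes.

    Kept only as defense in depth: filtering is easy to bypass and is not a
    substitute for parameterization.
    """
    return any(ch in s for ch in "'\";") or "--" in s


# Constructed attacker input: closes the quoted literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:   ", lookup_vulnerable(conn, INJECTION))   # every row comes back
    print("parameterized:", lookup_parameterized(conn, INJECTION))  # no such user
    print("filter flags: ", has_injection_metacharacters(INJECTION))
```

With the payload, the concatenated query becomes `... WHERE username = 'x' OR '1'='1'` and returns the whole table, while the parameterized version looks for a user literally named `x' OR '1'='1` and returns nothing.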

Study Notes

Digital Forensics

  • Volatile data refers to information that is lost when the system is powered down, such as the state of network connections and the contents of RAM; these notes also count the swap file here because its contents are overwritten as the system runs. Note that pagefile.sys itself persists on disk across reboots unless Windows is configured to clear it at shutdown, so it remains a source for dead-box analysis.

Digital Evidence

  • Digital evidence is information that has been processed and assembled to support a specific finding or determination in an investigation.

Swap Files

  • Windows uses a swap file, also known as a pagefile, as a "scratch pad" to write data when additional RAM is needed.

Phishing

  • Phishing is a type of attack where an attacker sends a fake email or message to trick the victim into revealing sensitive information or taking an action, such as approving a transfer of funds.
  • Phishing attacks are often motivated by financial gain; a sender domain not affiliated with the company is a common indicator.

Cyberterrorism

  • Cyberterrorism is a type of cybercrime that is investigated by federal law enforcement agencies.
  • Cyberterrorism attacks are motivated by ideological or political goals, rather than financial gain.

Live System Forensics

  • Live system forensics is the process of searching memory in real-time, typically to identify system abuse or to work with compromised hosts.

Information Lifespan

  • The lifespan of information refers to how long it remains valid and can be used as evidence.

Volatile Data

  • Volatile data changes rapidly and may be lost when the machine that holds it is powered down.
  • Examples of volatile data include the state of network connections, swap files, and running processes.
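The state of network connections is the textbook example of data that vanishes at power-off. The following added example (not from the quiz or its author) parses the Linux `/proc/net/tcp` table, which is where that state lives on a running host, and picks out established connections to outside peers. The sample table is constructed, not captured from a real machine; the addresses come from documentation ranges, and the decoder assumes a little-endian host (x86/ARM), where the kernel prints IPv4 addresses as the hex of the address word in host byte order.

```python
import os
import socket
import struct

# Socket state codes as printed in /proc/net/tcp (hex of the kernel's enum).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host). The
# peers 203.0.113.7 and 198.51.100.9 are documentation addresses.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C000 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:C001 096433C6:0050 06 00000000:00000000 03:00000F3C 00000000     0        0 0 3 0000000000000000
"""


def decode_endpoint(hex_endpoint):
    """Turn '0100007F:0277' into ('127.0.0.1', 631).

    Assumption: little-endian host, so packing the word with "<L" restores
    network byte order before inet_ntoa formats it.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection records."""
    records = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        records.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # 0 means no owning socket (e.g. TIME_WAIT)
        })
    return records


def established_remote(records):
    """ESTABLISHED connections to non-loopback peers: the first thing an
    examiner wants from a compromised host before it is powered down."""
    return [r for r in records
            if r["state"] == "ESTABLISHED" and not r["remote"][0].startswith("127.")]


def snapshot_live_connections(path="/proc/net/tcp"):
    """Read the real table when running on Linux; returns [] elsewhere."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return parse_proc_net_tcp(f.read())


if __name__ == "__main__":
    for r in established_remote(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"{r['local'][0]}:{r['local'][1]} -> {r['remote'][0]}:{r['remote'][1]} uid={r['uid']}")
```

Run on a live host, `snapshot_live_connections()` should be called and its output saved (with a timestamp and a hash of the saved file) before any disk acquisition, since the table changes with every connection the machine makes; the inode column is the link to the owning process in `/proc/[pid]/fd`.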

Digital Forensic Investigation

  • RFC 3227 (section 2.1) gives the order of volatility for a typical system, from most to least volatile:
    1. Registers and cache
    2. Routing table, ARP cache, process table, kernel statistics, memory
    3. Temporary file systems
    4. Disk
    5. Remote logging and monitoring data relevant to the system
    6. Physical configuration and network topology
    7. Archival media
  • The simplified collection order used in these notes is: volatile data, file system data, system state backup, the registry, Internet traces.
  • Forensic investigators should collect evidence in the order of volatility to preserve the most fragile data first, documenting each step, because live collection itself alters the system.

Expert Witness

  • An expert witness is a specialist who provides testimony in court to explain technical concepts.
  • Expert witnesses may use high-tech computer animations to explain complex technical concepts.

Evidence Handling

  • Forensic investigators have three basic tasks related to handling evidence:
    1. Find evidence
    2. Preserve evidence
    3. Analyze evidence

Network Forensics

  • Network forensics is the process of examining data traffic, including transaction logs and real-time monitoring using sniffers and tracing.

Rules of Evidence

  • The rules of evidence govern whether, when, how, and why proof of a legal case can be presented in court.

Forensic Research

  • The Digital Forensic Research Workshop (DFRWS) is a nonprofit organization that aims to enhance the sharing of knowledge and ideas about digital forensics research.

Identity Theft

  • Identity theft is a type of fraud where criminals steal personal data to impersonate victims.

Computer Forensics

  • Computer forensics is the process of examining digital data to gather evidence and support investigations.

Digital Forensic Analysis

  • Digital forensic analysis involves the examination of digital data to identify evidence, reconstruct events, and support investigations.
  • Digital forensic analysts should develop a plan of action that covers how to gather evidence and which tools are most appropriate for a specific investigation.

Locard's Principle

  • Locard's Exchange Principle holds that you cannot interact with an environment without altering it in some way and leaving some trace. It applies to the examiner as well: running tools on a live system changes memory and logs, which is why the machine's state is documented before anything is touched.

Chain of Custody

  • The chain of custody is a record of the handling and storage of evidence, including who had access to it and when.
  • The chain of custody is used to establish the authenticity and integrity of evidence.
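The hash definition in the quiz (nonreversible, variable-length input, fixed-length output, few or no collisions) and the chain of custody notes above come together in practice as a hash-linked custody log. The following is an added example, not code from the quiz or its author: the evidence bytes, the handler names and the timestamps are constructed, and the log format is an assumption chosen for the demonstration rather than any standard.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex chars) digest of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Hash a disk image in chunks so multi-gigabyte evidence never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the current digest against the logged one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def entry_digest(entry: dict) -> str:
    """Digest of a custody entry over canonical JSON, used to link the next entry to it."""
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())


def custody_entry(prev_entry, action, handler, evidence_sha256, when):
    """One custody record: who did what to the item, when, and the hash it had.

    `when` is an ISO-8601 string supplied by the caller so the log is reproducible.
    """
    return {
        "action": action,
        "handler": handler,
        "when": when,
        "evidence_sha256": evidence_sha256,
        "prev": entry_digest(prev_entry) if prev_entry else "0" * 64,
    }


def verify_chain(entries, evidence_now: bytes) -> bool:
    """True only if every link matches, the logged hash never changed, and the
    evidence still hashes to the value recorded at seizure."""
    if not entries:
        return False
    for i, e in enumerate(entries):
        expected_prev = "0" * 64 if i == 0 else entry_digest(entries[i - 1])
        if e["prev"] != expected_prev:
            return False
        if e["evidence_sha256"] != entries[0]["evidence_sha256"]:
            return False
    return verify_integrity(evidence_now, entries[0]["evidence_sha256"])


# Constructed evidence (a stand-in for a disk image) and a constructed custody log.
EVIDENCE = b"constructed sample evidence image\n" * 1024


def build_sample_chain():
    h = sha256_hex(EVIDENCE)
    e1 = custody_entry(None, "seized", "examiner-1", h, "2024-01-15T09:12:00Z")
    e2 = custody_entry(e1, "imaged", "examiner-1", h, "2024-01-15T11:40:00Z")
    e3 = custody_entry(e2, "transferred to lab", "examiner-2", h, "2024-01-15T14:05:00Z")
    return [e1, e2, e3]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("chain valid:", verify_chain(chain, EVIDENCE))
    print("after one-byte change:", verify_chain(chain, EVIDENCE[:-1] + b"X"))
```

Editing any earlier entry breaks the `prev` link of the entry after it, and any change to the evidence breaks the final integrity check. The last entry has no successor to protect it, so in a real log it must be anchored elsewhere (signed, or copied to a write-once system) for the chain to be complete.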
