Forensic Analysis for Computer Systems - Evolution
48 Questions

Questions and Answers

The field of computer forensics is believed to have developed more than 40 years ago.

True

During the 1970s, computer crimes were primarily targeted at the healthcare sector.

False

White-collar fraud in the mainframe era involved manipulating computer data for personal gain.

True

The 'one-half cent crime' involved manipulating bank accounts to a single decimal place.

False

Some computer programmers opened accounts to illegally redirect fractional monies into their accounts.

True

The history of forensic science only dates back to the advent of computer technology.

False

Most computers during the 1970s were personal computers used by everyday users.

False

A computer forensics team is responsible for analyzing and investigating electronic crimes.

True

Phishing attacks are designed to secure financial information from users.

False

The survival of a company's network infrastructure depends on the application of computer forensics.

True

Companies face no legal consequences if they fail to protect customer data.

False

Creating duplicates of original evidence is essential to ensure data integrity during investigations.

True

New laws regarding customer data protection are only occasionally developed.

False

Knowledge of forensic principles is not beneficial for companies in legal matters.

False

Forensic science can help save costs for companies that experience data loss incidents.

True

Investigating original evidence is the preferred approach in computer forensics.

False

The ancient Chinese utilized fingerprints to identify personal documents.

False

The FBI Magnetic Media program was established in 1984.

True

Specialized tools for computer forensics were available by the late 1980s.

False

EnCase was developed by a team from ASR Data who left to form their own company.

True

The International Organization on Computer Evidence (IOCE) was formed in 1990.

False

The G8 nations recognized the significance of computer forensics due to rising cybercrime in 1997.

True

ICE was established to handle financial crimes specifically.

False

The INTERPOL Forensic Science Symposium took place in 1999.

False

An organization cannot hire experts from small or mid-size computer investigation firms.

False

Establishing a forensics lab requires government permission.

True

Photographers in a computer forensics team are unnecessary for documenting evidence.

False

Incident handlers are only needed in large organizations.

False

Investigators in a forensics firm do not require specialized tools to find evidence.

False

The size and nature of a business determine the necessity for computer forensic abilities.

True

Incident handlers are responsible for monitoring and acting on computer security incidents.

True

Immediate action is not crucial for investigators after a suspected criminal activity occurs.

False

Investigators should proceed with their investigation even if they encounter a knowledge barrier.

False

Consulting an experienced person can help during a forensic investigation.

True

The rules of evidence are not crucial for the acceptance of evidence in court.

False

Documenting any changes in evidence is unnecessary during a forensic investigation.

False

Written permission is required before initiating an investigation.

True

Restarting a machine has no effect on its temporary files.

False

ILook is a Cyber forensic tool available for personal use by anyone.

False

Access Data Forensic Toolkit (FTK) is used in both law enforcement and civilian markets.

True

Additional training is advised when investigators encounter challenges in their knowledge.

True

Breach of IT security policy is unlikely if written permission is not obtained.

False

The development of data storage and transfer capabilities is unrelated to the evolution of forensic tools.

False

Phishing is a type of cyber attack that primarily targets government organizations.

False

The global nature of digital technology has led to an increase in cybercrimes.

True

Network administrators do not need to be familiar with laws related to cyber security.

False

The tools and techniques of computer forensics have remained static despite advancements in technology.

False

Digital devices and the internet are essential for daily life and can be found in workplaces, homes, and public areas.

True

Study Notes

Course Plan

  • Forensic Analysis for Computer Systems
  • Introduction
  • Evolution of Computer Forensics
  • Computer Forensics process
  • Computer Forensics techniques and tools
  • Types of Computer Forensics
  • Forensics Readiness

Evolution of Computer Forensics

  • Computer forensics began to develop more than 40 years ago.
  • In the 1970s, electronic crimes, particularly in finance, increased. 
  • Early computers were mainframes used by skilled personnel in finance, engineering, and academia.
  • White-collar fraud emerged as methods to make money through computer manipulation were developed.
  • One notable early crime was the "one-half cent crime," involving banks tracking money to the third decimal place.
  • Computer programmers exploited this by diverting fractional amounts into their accounts.
  • Forensic science has a long history, with fingerprinting being an early application.
  • In the 1980s, the FBI created a Magnetic Media program (later renamed CART), which is considered the start of computer forensics.
  • Specialized computer forensics tools became available in the early 1990s.
  • The International Association of Computer Investigative Specialists (IACIS) provided training in 1988.
  • Commercial GUI software for computer forensics (e.g., Expert Witness) became available in the mid-1990s.
  • ASR Data had a role in developing software to recover deleted files.
  • EnCase was developed, later becoming a popular tool.
  • The International Organization on Computer Evidence (IOCE) was formed in 1995 to bring together organizations for consistency. 

The Need for Computer Forensics

  • The world has evolved, becoming a global village through computers, digital devices, and the internet.
  • Life has become impossible without computers and related technologies.
  • Information can be stored and moved with diverse devices (desktops, laptops, routers, printers, CD/DVDs, flash drives).
  • Data storage and transfer variations have driven the development of forensic tools, techniques, procedures, and investigators.
  • Cybercrimes like phishing and hacking create a need for forensic expertise.
  • The increase in cybercrimes requires broad access to expertise.
  • Forensic expertise is needed in public and private organizations.

Rules of Computer Forensics

  • (1) Minimizing Original Evidence Examination:
      • Make accurate copies of evidence to avoid damage or alterations.
      • Investigate the duplicates, maintaining data integrity.
  • (2) Knowledge Limits:
      • If an investigation encounters roadblocks beyond current knowledge, stop, consult experts, and seek additional training.
  • (3) Adherence to Evidence Rules:
      • Follow the specific rules of evidence to ensure evidence admissibility in court.
  • (4) Documenting Changes:
      • Record any changes to evidence (e.g., machine restarts affecting temporary files).
  • (5) Written Permission and Local Security Procedures:
      • Secure written permission before accessing or copying data to prevent IT security policy breaches.
  • (6) Readiness for Testimony:
      • Prepare for the possibility of testifying in court regarding collected evidence.
  • (7) Repeatable Actions:
      • Maintain consistent procedures to ensure evidence authenticity.
  • (8) Preventing Data Loss:
      • Work quickly to avoid losing volatile data (data that may disappear).
      • Use automated tools cautiously to avoid rushing the process, allowing for flexibility.
      • Utilize resources (people) to eliminate data loss in fast-paced investigations.
      • Conduct work on original data from volatile evidence.
  • (9) Maintaining Original Evidence Before Collection:
      • Do not shut down the device while collecting data, to preserve volatile data.
      • Data and evidence collection is essential for investigations.
      • Powering down systems can harm data integrity.
  • (10) Avoidance of System Interference:
      • Avoid running programs on the affected system to maintain data integrity.
      • Make copies of evidence and work on the duplicates to preserve the original evidence.
      • Beware of malicious programs such as Trojans.

Computer Forensics Team

  • Law enforcement and security agencies are responsible for major computer crime investigations. 
  • Every organization should handle basic investigations internally.
  • Organizations can hire experts from specialized firms.
  • Organizations can also create their own computer forensic units.
  • Need for a forensics lab, government permission, proper tools, and personnel.
  • Difficulties in identifying fraud, illegal activities, and policy breaches.
  • Necessary abilities can vary based on business type, threats, and potential loss.
  • Teams should include specialists who handle case details and can find evidence (investigators).
  • Photographers who document scenes are essential for evidence recording.
  • Incident handlers monitor and respond to IT security incidents.
  • IT engineers and technicians manage daily operations.
  • Attorneys are needed to assist in cases and court processes.


Description

This quiz explores the evolution of computer forensics over the past 40 years. Learn about early electronic crimes, the development of forensic techniques, and the significant milestones in the field. Discover how computer forensics has transformed in response to technological advancements and societal needs.
