Introduction to Digital Forensics

Questions and Answers

Although the field has evolved, who is widely regarded as the 'Father of Computer Forensics'?

• Seymour Papert
• Michael Anderson (correct)
• Nicklaus Wirth
• John McCarthy

Which of the following is NOT typically considered a core process within digital forensics?

• Extraction of computer data
• Interpretation of computer data
• Preservation of computer data
• Manipulation of computer data (correct)

In what year was the Federal Bureau of Investigation program dedicated to computer crime investigation reportedly created?

• 1980
• 1967
• 1978
• 1984 (correct)

Which statement accurately describes digital forensics?

A branch of forensic science encompassing the recovery and investigation of material found in digital devices. (C)

Which of the following actions violates a core rule of digital forensics?

An examination should be performed on the original data. (C)

Which statement is FALSE regarding the role and responsibilities of a digital forensic investigator?

It is the investigator's job to determine someone's guilt or innocence. (D)

Digital forensics is BEST described as the:

Identification, preservation, recovery, restoration and presentation of digital evidence from systems and devices (B)

In which decade did the field of PC forensics begin to emerge as a distinct discipline?

1980 (D)

In which year was the first FBI Regional Computer Forensic Laboratory recognized?

2000 (B)

Which of the following activities is LEAST likely to be categorized as a computer crime?

Identification of data (D)

Which type of file is commonly used to store user password information on a system?

.sam (A)

What general process involves recording as much data as possible to create opportunities for further analysis on user input?

Data mining (C)

What is the term used to describe searching through raw data on a hard drive without relying on the file system?

Data carving (A)

When handling data retrieval from an encrypted hard drive, what is typically the initial critical step an investigator should take?

Finding configuration files (A)

Consider the rules of digital forensics. Which statement is the MOST encompassing guideline?

All of above (C)

What is the primary goal of digital forensics investigations?

To duplicate original data and preserve original evidence and then performing the series of investigation by collecting, identifying and validating digital information for the purpose of restructuring past events. (A)

In the context of digital forensics, what does the acronym 'DFI' stand for?

Digital forensic investigation (A)

What is the main objective of a digital forensic investigation?

To examine digital evidence and to ensure that they have not been tampered in any manner. (A)

Why is it crucial to protect digital data from being modified during a forensic investigation?

All of above. (B)

Why is it a Major Obstacle for digital forensic investigators that each case is different?

All of above. (C)

Flashcards

Digital Forensics

Recovery and investigation of material found in digital devices.

Digital Forensic Rule

The investigator must maintain absolute objectivity.

Digital Forensics Defined

Identification, preservation, recovery, restoration, and presentation of digital evidence.

Digital Forensics?

Accessing systems directories to locate and recover lost files.

What is Data mining?

Recording as much data as possible for analysis on user input.

Data carving

Searches through raw data on a hard drive without using a file system.

Major goal of Digital Forensics

To duplicate original data and preserve original evidence.

Digital Forensic Obstacle

Handle and locate valid data from large numbers of files.

Reporting Phase

Writing a report outlining the process and pertinent data recovered.

Examination Stage

A systematic search of evidence relating to a suspected crime.

What does Firewall do?

Block unauthorized users from connecting to your computer.

What is acquisition?

A duplicate of digital media for examination.

Computer Forensics

Read deleted or damaged files from a criminal's computer

Survey phase

Transfers data from the source to a controlled location.

Reconstruction phase

Putting the pieces of a digital puzzle together.

Ethical norm for investigator

Should be fair and take action not to discriminate.

What is typically lost

Data in RAM memory, running processes, & network connections

Study Notes

• Michael Anderson is known as the Father of Computer Forensics.
• Digital forensics includes extraction, preservation, and interpretation of computer data.
• Manipulation of computer data is not part of digital forensics.
• The Federal Bureau of Investigation program was created in 1984.
• Digital forensics encompasses the recovery and investigation of material found in digital devices.
• Digital forensics involves developing and testing hypotheses to answer questions about digital events.
• It is a use of science or technology to establish facts or evidence in court.
• Digital forensics employs scientific knowledge in analysis and presentation of evidence.
• An examination of data should be performed on the original data
• A copy should be made onto forensically sterile media
• New media should always be used if available
• the copy of the evidence done should be bit-by-bit
• Prevent any modification of the evidence
• An investigator should maintain absolute objectivity
• The investigator's role is not to determine someone's guilt or innocence
• An investigator is responsible for accurately reporting relevant facts.
• An investigator must maintain confidentiality, only sharing on a need-to-know basis.
• Digital forensics involves identifying, preserving, recovering, restoring, and presenting digital evidence.
• Digital forensics involves accessing system directories to view and navigate system files, un-deleting/recovering files, and solving computer crimes.
• PC forensics began in 1980.
• The first FBI Regional Computer Forensic Laboratory was recognized in 2000.
• Identification of data is not a computer crime.
• Email harassment, falsification of data, and sabotage are considered a computer crime.
• The .sam file is used to store user-entered passwords.
• Data mining records as much data as possible to create reports and analyze user input.
• Data carving searches raw data on a hard drive without a file system.
• Finding configuration files is the first step in retrieving data from an encrypted hard drive.
• A rule of digital forensics is that an examination should never be performed on the original media
• It is a rule of digital forensics that a copy should be made on to forensically sterile media
• It is a rule of digital forensics that the computer and data be protected during media acquisition
• The major goal of digital forensics is to duplicate original data to preserve original evidence
• To perform a series of investigation, collecting, identifying and validating digital information for the purpose of restructuring past events.
• DFI stands for Digital Forensic Investigation.
• The main objective of digital forensic investigation is to examine digital evidence and ensure integrity.
• Damaged devices may contain data, but the investigator searches the data in working devices.
• The Digital Forensic Investigation process must handle handling and locating valid data from numerous files
• The Digital Forensic Investigation process must handle files secured by passwords
• Deletion of the data and searching inside the file may be non-viable
• The Digital Forensic investigation process must handle data stored in damaged devices
• The Digital Forensic investigation process must handle the fact that each and every case is different
• The Digital Forensic investigation process must handle protecting digital data from being modified
• RMDFR stands for Road map for Digital Forensic Research.
• Reith designed the RMDFR framework.
• The RMDFR framework has six phases.
• Identification recognizes an incident from indicators and determines its type.
• Preservation involves preventing people from using computers, stopping deletion processes, and safely collecting information.
• Collection involves finding and collecting digital information relevant to the investigation.
• Examination consists of "in-depth systematic search of evidence" relating to the incident being investigated.
• The output of the examination stage includes log files, data files with specific phrases, and timestamps
• Analysis aims to draw conclusions based on evidence found"
• Reporting entails writing a report on the examination and data recovered from the overall investigation.
• Steganography is used for data hiding in encrypted images.
• IDIP stands for Integrated Digital Investigation Process.
• Admissibility of Evidence is the most significant legal issue in computer forensics.
• SIM, RAM, ROM and EMMC chips are important parts of mobile devices used in digital forensics
• ADFM stands for Abstract Digital Forensic Model
• Reith, Carr, and Gunsh developed the Abstract Digital Forensic Model (ADFC).
• Preservation involves isolating, securing, and preserving the state of physical and digital evidence.
• Examination is an in-depth systematic search of evidence relating to the suspected crime.
• Analysis includes summarizing and explaining the conclusion.
• Carrier and Safford proposed the IDIP model.
• Readiness, Deployment Physical Crime, Investigation Digital Crime, Investigation and Review are the five groups of the IDIP model
• Operations Readiness phase and Infrastructure Readiness phase are part of the Readiness phase of IDIP
• Detection and Notification phase and Confirmation and Authorization phase are part of the Deployment phase of IDIP
• Physical Crime Investigation phase collects and analyses physical evidence and reconstruct the actions during the incident
• Deployment requires an investigator to walk the physical crime scene and identify pieces of physical evidence
• EEDIP stands for End to End Digital Investigation Process.
• Stephenson proposed the EEDIP model.
• UMDFPM stands for UML modelling of digital forensic process model
• Kohn, Eloff, and Oliver are the ones who proposed the UMDFPM model
• Live analysis is a term used to codify a way to compute run away which was not originally intended to view information.
• Computer Forensics is the law enforcement specialty that recovers and reads deleted or damaged files from a criminal's computer
• Survey phase, the investigator transfers relevant data from outside physical/administrative control to a controlled location.
• Reconstruction phase includes putting the pieces in a digital puzzle together and developing investigative hypotheses
• Computer forensics does not include manipulation of computer data.
• Human Readable is not a property of computer evidence.
• Evidence can make or break investigations.
• Firewall is software that blocks unauthorized users from connecting to your computer.
• Upholding any relevant evidence is not an ethical norm for investigators
• The Ethical norms for an investigator are fairness, non-discrimination, honor property rights, provide proper credit
• All of the following are the ethical norms that should be satisfied by an investigator as well as contribute to society
• Acquisition creates a duplicate of digital media for examination.
• Declaring Confidential Matters or Knowledge is a an unethical norm
• Declaring Confidential Matters or Knowledge is not an unethical norm for Digital Forensics Investigation.
• Respecting Privacy is a not unethical norm for Digital Forensics Investigation.
• If the Internet History file has been deleted it may still provide information about what Web sites the user has visited
• When shutting down a computer, the data lost is the data in RAM memory, running processes and current network connections.