Introduction to Digital Forensics

Questions and Answers

Which of the following best describes Non-Cyber Crime as defined in the context of digital forensics?

  • Crimes that occur in an environment where digital technologies are present but not central to the crime. (correct)
  • Crimes investigated by digital forensic experts, regardless of the method used.
  • Crimes that do not involve computers or digital devices.
  • Crimes committed using digital technology as the primary tool.

Hacking exclusively refers to the act of illegally breaking into computer systems.

False (B)

Briefly describe what Software Piracy entails.

Software piracy involves the unauthorized copying, distribution, or use of software, often violating the terms of the End User License Agreement (EULA).

A ______ is a type of malicious software that disguises itself as a legitimate program to trick users into installing it.

trojan

Match the following types of malware with their primary function:

  • Ransomware = Threatens to publish a victim's data unless a ransom is paid.
  • Adware = Displays advertisements and collects marketing-type data.
  • Spyware = Collects a computer user's private information without their knowledge.
  • Worm = Propagates itself across networks, causing harm without user intervention.

Which of the following is a key characteristic of an Advanced Persistent Threat (APT)?

It is a stealthy network intrusion where an unauthorized user gains and maintains undetected access for a prolonged period. (C)

Static analysis of malware involves executing the malware to observe its behavior.

False (B)

Name three types of information that can be revealed through dynamic analysis of malware.

Domain names, IP addresses, and Registry keys.

Telecommunications Fraud involves the theft of ________ service for unauthorized purposes.

telecommunication

Match the following concepts with their descriptions regarding digital forensics:

  • Forensic Science = The study of any field as it pertains to legal matters.
  • Forensic Evidence = Evidence meeting stringent standards of reliability and scientific integrity for admissibility in court.
  • Digital Forensics = Forensic science related to computer operations, software, and digital files.

What is the significance of establishing a chain of custody in digital forensics?

It documents the chronological sequence of custody, control, transfer, analysis, and disposition of evidence. (C)

According to the general principles of forensics, the scene of a crime can be altered before evidence collection if it is necessary for safety reasons.

False (B)

Explain the meaning of auditable in the context of forensic procedures.

Auditable means that all procedures used in examination should be trackable and replicable by a qualified independent expert.

The ACPO principles state that any action taken by law enforcement should not __________ data which may subsequently be relied upon in court.

change

Match the following ACPO principles of digital forensics with their descriptions:

  • Principle 1 = No action taken by law enforcement agencies should change data that may be relied upon in court.
  • Principle 2 = A person accessing original data must be competent and able to give evidence explaining their actions and implications.
  • Principle 3 = An audit trail of all processes applied to digital evidence should be created and preserved.
  • Principle 4 = The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

Why is digital forensics increasingly important?

Because technology is increasingly involved in crime. (D)

White-collar computer crimes generally result in higher rates of incarceration compared to armed bank robbery.

False (B)

List three parties that might want access to evidence at a crime scene.

Journalists, Criminals, and Defense Lawyers

_____ refers to the world's first crime lab, built by Edmond Locard in Lyon, France in 1910.

Locard

Match the following admissibility of evidence standards with their descriptions:

  • LOCARD's Exchange Principle = Every contact leaves a trace.
  • Frye v. U.S. = Set the first standard for acceptance of scientific evidence in U.S. courts.
  • Daubert v. Merrell Dow = Set a new standard for accepting scientific evidence: evidentiary reliability.

Which of the following is a guideline that judges use to determine the admissibility of evidence under the Daubert Test?

Whether the procedure has been tested. (B)

Under the Daubert Test, evidence is admissible if it is guaranteed to be 100% error-free.

False (B)

Name the 7 stages of Digital Forensics Process, as mentioned in the context.

Identification, Preservation, Collection, Examination, Analysis, Presentation.

The Digital Forensics Process is as follows: Identification, Preservation, Collection, [Blank], Analysis, Presentation.

examination

Match the following stages of the digital forensics process with their descriptions:

  • Identification = An incident has occurred.
  • Preservation = Maintain evidentiary chain.
  • Collection = Create forensically correct copy of media (mirror image).
  • Examination = Gather pertinent data from files, deleted files, unallocated space, file slack, logs.
  • Analysis = Interpret findings.
  • Presentation = Report the results.

Which of the following is an important consideration in digital forensics examinations?

Looking for both incriminating and exculpatory evidence. (C)

Digital forensics examiners should focus solely on using tools.

False (B)

What should digital forensics examiners know to look for on a device?

Pictures, Keywords, E-mail addresses, browser history.

Forensic analysis can also help counter __________.

false defenses

Match the descriptions to the type of malware:

  • Virus = A computer program that is designed to replicate itself by copying itself into other programs stored in a computer.
  • Worm = A malicious computer program that propagates itself; even without a payload it can cause considerable harm to the network as it propagates.
  • Trojan = A piece of malicious software that masquerades as a legitimate and desirable piece of software in order to entice the user into installing it.

Flashcards

Non-Cyber Crime

Crimes that occur in an environment surrounded with digital technologies.

Cyber Crime

Crimes that use digital technology to commit the crime.

Malware

Malicious code including viruses, logic bombs, and worms.

Virus

A computer program that replicates by copying itself into other programs.

Trojan

Malicious software that masquerades as legitimate software.

Worm

Malicious program that propagates itself across networks.

Rootkit

Software designed to hide the fact that an operating system has been compromised.

Backdoor

Method of bypassing normal authentication to gain remote access.

Spyware

Malware installed without the owner's knowledge to collect information.

Adware

Programs designed to display advertisements and collect marketing data.

Scareware

Malware that tricks users into purchasing useless or dangerous software.

Ransomware

Malicious software that threatens to publish or block access to data unless ransom is paid.

Rogue security software

Malware that deceives users into paying for fake removal of malware.

Advanced Persistent Threat (APT)

Network attack where an unauthorized person gains access and stays undetected.

Botnets

Number of Internet-connected devices running bots, used to perform attacks.

Denial of Service

Disrupting authorized access to computer resources.

Zero-day attack

A zero-day attack uses AI to detect APTs.

Software Piracy

Illegal copying, distribution, or use of software.

Hacking

Breaking into computer systems.

Forensic Science

Study of any field as it pertains to legal matters.

Forensic Evidence

Evidence that meets stringent standards for admissibility in court.

Digital Forensics

The forensic science related to computer operations, software and digital files.

Frozen crime scene

The scene of a crime needs to be preserved in its original state.

Chain of Custody

The continuity of evidence.

Auditable

All procedures should be open to examination by a qualified independent expert.

Study Notes

Digital Forensics

  • Digital forensics is the application of forensic science to legal matters, focusing on computer operations, software, files (digital and electronic), and technology-based appliances/storage devices.
  • Forensic evidence adheres to stringent standards of reliability and scientific integrity to be admissible in court.

Crime Context

  • Crimes can be categorized into non-cyber and cyber crimes.
  • Non-cyber crimes occur in environments with digital technologies.
  • Cyber crimes use digital technology to commit the crime.
  • Examples of non-cyber crimes: sexual abuse of children, fraud, murder, stalking, ID theft, and extortion.

Cyber Crimes

  • Cyber crimes arise from computer use.
  • Malware is malicious code that includes viruses, logic bombs, and worms.
  • Hacking/Cracking, two forms of internet and computer privacy/copyright breaches, are usually malicious.
  • Software Piracy - the illegal copying, distribution, or use of software.
  • Telecommunications Fraud involves theft of telecommunication services or using them to commit other kinds of fraud.
  • Victims include consumers, businesses, and communication service providers.
  • Online Stalking is cyberstalking through the internet or electronic means to stalk or harass.
  • Online Auction Fraud schemes misrepresent products advertised for sale via internet auction sites or non-delivery after purchase.

Indicators as Evidence Sources

  • Evidence of a crime varies based on the type.
  • Common evidence sources: address book, chat logs, cheques, credit card data, databases, diaries and calendars, digital camera/image editing software, disk and traffic encryption software, email, encrypted, file sequences, financial records, hacking tools, internet history, or multiple accounts.

Malware Types

  • A virus replicates by inserting itself into other computer programs and may carry a malicious payload.
  • A trojan masquerades as legitimate software to trick users into installing it.
  • A worm propagates itself across a network with or without a payload, potentially causing significant harm.

Additional Malware Types

  • A rootkit hides the fact that an operating system has been compromised, sometimes by replacing executables.
  • Backdoors bypass normal authentication to give remote access to a system, usually without being detected.
  • A backdoor can take the form of an installed program such as Back Orifice.
  • Spyware is installed without the owner's knowledge to collect private data.
  • Adware displays unwanted ads, redirects search requests, and collects marketing data.
  • Scareware tricks users into buying useless or dangerous software.
  • Ransomware threatens to publish or block access to a victim's data until a ransom is paid.
  • Rogue security software deceives users into paying for fake malware removal.
  • Advanced Persistent Threat (APT) is a prolonged, undetected network attack to gain unauthorized access.
  • Botnets, networks of infected devices running bots, are used for DDoS attacks, data theft, spam, and unauthorized device access.

Malware Analysis Techniques

  • Malware analysis involves static and dynamic techniques.
  • Static analysis examines inactive malware and is basic and quick.
  • It is mostly ineffective against sophisticated malware and may miss behaviors.
  • Dynamic analysis executes the malware to analyze its real-time activities.
  • It reveals the malware's functionality and can detect technical indicators such as signatures, domain names, IP addresses, file paths, and registry keys.

Hacking Definitions

  • The word "hacking" can refer to hobbyist exploration of how computer systems work at a basic level.
  • It can also refer to breaking into computer systems, the definition more commonly used than the first.

Denial of Service (DoS)

  • A DoS attack deprives users or organizations of expected resource services via distributed systems.
  • DoS attack methods include bandwidth or processor exhaustion, resource unavailability, and network exclusion.

Software Piracy

  • Virtually all software programs now use an end-user license agreement, which needs to be agreed to by the user.
  • Software piracy is a violation of the EULA.
  • Copyright infringement also occurs with unauthorized copies of music and movies.
  • P2P file-sharing, while legal, is mostly used to distribute copyrighted material.
  • High-quality versions of media become available shortly after release.

General Forensics Principles

  • The crime scene must be "frozen" to prevent contamination before evidence is collected.
  • There must be a chain of custody.
  • All examination procedures must be auditable for expert review.

ACPO Principles of Digital Forensics

  • Principle 1: Do not alter data that may be relied upon in court.
  • Principle 2: A person accessing original data must be competent and able to give evidence explaining their actions and the implications of those actions.
  • Principle 3: An audit trail of all processes applied to digital evidence must be created and preserved.
  • An independent third party should be able to repeat those processes and achieve the same results.
  • Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

Why Digital Forensics is needed

  • As the use of technology increases, crimes involving technology and digital evidence will continue to increase as well.
  • The average bank robbery nets $7,500, and 80% of offenders get jailed.
  • White-collar crimes annually earn about $10 billion with less than 5% of offenders in jail.
  • Digital access is ubiquitous as non-violent crimes are considered by juries.

Securing the Crime Scene

  • Digital evidence may be present at the scene of crimes such as murder, gambling, kidnapping, bond scams, rape, confidence games, web defacement, auto theft, child exploitation, etc.
  • Forensic investigators may be operating in a hostile environment where others want access to the evidence.
  • Physical evidence must be protected just as carefully in electronic environments.

Admissibility of Evidence

  • Edmond Locard built the first crime lab in 1910.
  • LOCARD's Exchange Principle is that every contact leaves a trace.
  • The Frye v. U.S. (1923) case set the first standard for acceptance of scientific evidence: expert testimony is admissible if the underlying scientific principles have general acceptance.
  • The Daubert v. Merrell Dow (1993) case set a new standard for accepting scientific evidence: evidentiary reliability.

Daubert Test

  • A judge determines evidence admissibility based on testing, error rate, publication, and acceptance.

Digital Forensics Process

  • The digital forensic process uses multiple techniques to analyze and report information.
  • Identification focuses on what incident has occurred.
  • Preservation maintains the evidentiary chain.
  • Collection creates a forensically correct copy of the media (a mirror image).
  • Examination is the gathering of pertinent data from files, deleted files, unallocated space, file slack, and logs.
  • Analysis interprets the findings and reconstructs a picture of relevant information.
  • Presentation involves reporting the results.

Digital Forensics Examinations

  • Computer and network evidence alone doesn't convict a suspect, but it can solidify a behavior pattern.
  • Computer and forensic analysis can counter false defenses.
  • Digital forensic analysis must be tied to the investigation.
  • Examiners must look for both incriminating and exculpatory evidence; neither can be ignored.
  • As part of the investigating team, examiners need to know what the investigator needs, such as pictures, keywords, e-mail addresses, and browser history.
  • Digital forensic examiners must bring knowledge to the investigation but are not private investigators.
