NPA Cyber Security: Digital Forensics Levels 4-6

Questions and Answers

What triggers the need for an investigation in the context of Digital Forensics?

• A law enforcement agency receives a report of a suspected crime (correct)
• A digital device is found in a compromised state
• A citizen anonymously reports a crime
• A crime is confirmed to have occurred

Which of the following best defines Digital Forensics?

• The recovery and interpretation of electronic data to solve a crime (correct)
• The assessment of physical evidence at a crime scene
• The analysis of social media activity to detect crimes
• The use of psychological profiling in criminal investigations

Which agency is NOT mentioned as a potential source for reporting an incident?

• A children's charity
• The local community center (correct)
• The Police
• Interpol

What is the primary goal of Digital Forensics investigations?

To preserve evidence in its original form (B)

Which type of evidence does Digital Forensics focus on?

Electronic data from digital devices (C)

How has the evolution of digital devices affected law enforcement?

It has necessitated the use of Digital Forensics in investigations. (C)

What does applying Computer Scientific tests involve in Digital Forensics?

Recovering and interpreting electronic data (C)

Who can initiate the reporting of an incident that may require Digital Forensics?

Any private citizen or organization (C)

What determines whether a case will be tried in the Sheriff Court or the High Court?

The seriousness of the charges (B)

Who typically presents the prosecution case in the Sheriff Court?

The Depute Procurator Fiscal or Procurator Fiscal (B)

Which of the following is a reason the Procurator Fiscal might not proceed to trial?

Insufficient evidence (D)

What is required of a Digital Forensic Examiner when giving evidence in a trial?

To explain their examination in straightforward language (C)

What title is used to refer to all cases presented by The Crown?

The Crown versus ... (B)

What must the evidence provided by a Digital Forensic Examiner be in order to withstand questioning?

Clear, unambiguous, and unbiased (B)

Which office handles cases that are deemed too serious for the Sheriff Court?

Office of the Lord Advocate (C)

What principle of Scots law requires evidence to be disclosed?

Disclosure (D)

What type of file is typically used to gather information about network traffic?

pcap file (A)

What information may be included in a mobile device's call history?

Locations of calls made (C)

What method do criminals commonly use to hide their communications online?

TOR (B)

What challenge does encryption in mobile devices pose for examiners?

It requires advanced techniques to access data. (A)

Which of the following records can be retrieved from a smartphone even when it is not in use?

Location data (A)

What is a significant characteristic of Virtual Private Networks (VPNs) used by criminals?

They conceal both sender and receiver. (B)

Which aspect of mobile devices is NOT mentioned as retrievable during forensic examination?

Application usage (B)

What potentially makes the retrieval of encrypted data time-consuming for examiners?

Powerful processing requirements (C)

What is the primary purpose of using a Write Blocker during forensic examinations?

To prevent any alterations to the original data (C)

What should occur if the working copy is accidentally altered?

The examiner should document the alterations (D)

Which of the following accurately describes the relationship between the prime copy and the working copy?

Both should be exactly the same at all times. (B)

What is primarily required when making a copy of a storage medium?

Ensuring the original data cannot be altered during the process (B)

How is the storage medium connected during the imaging process using a Write Blocker?

To the Write Blocker first, then to another storage device (A)

What type of copy is created alongside the working copy during forensic imaging?

The prime copy (D)

What action must be taken with the prime copy when it is not in use?

It should be stored securely in a fireproof safe. (A)

What application can be used to create an exact image of a device’s storage when it cannot be easily removed?

FTK Imager (A)

What is the primary purpose of Hashing in digital forensics?

To create a unique identifier for data copies (B)

Which hashing technique is NOT mentioned as commonly used in digital forensics?

SHA 256 (D)

Why is it essential to use copies of original data in forensic examinations?

To maintain the original data's integrity (D)

What does a Hash Code indicate about the data?

If the copy matches the original (B)

What is often referred to as the 'DNA Fingerprint' of data?

Hash Codes (D)

What is the consequence of not demonstrating that a copy is an exact reproduction of the original?

The evidence may be considered worthless in court (B)

How is the reliability of data copies ensured in forensic examinations?

Through the application of hashing techniques (C)

What type of evidence is preferred in a criminal case?

Best Evidence (D)

What is the primary role of a Digital Forensic Examiner in relation to evidence?

To gather evidence and report facts neutrally. (A)

What must be included in the report produced by Digital Forensic Examiners?

A detailed timeline of evidence. (B)

Who decides if there is enough evidence to proceed to trial in Scotland?

The Procurator Fiscal. (A)

Why is the chain of custody important in forensic evidence?

It helps establish the authenticity and reliability of the evidence. (A)

What should a Digital Forensic Examiner do if evidence suggests someone is innocent?

Report it to the lead investigator for further consideration. (B)

What is one responsibility of the Digital Forensic Examiner when testifying in court?

To explain technical findings in an understandable manner. (C)

What is the outcome if a Digital Forensic Examiner is biased in their examination?

The evidence may be deemed inadmissible in court. (C)

What does the timeline created by a Digital Forensic Examiner indicate?

The sequence of events related to the suspect and potential evidence. (D)

Flashcards

Digital Forensics

Applying computer scientific tests and techniques to solve a crime, involving recovering and interpreting electronic data while preserving evidence in its original form.

Incident

An event that might trigger an investigation into a suspected crime.

Digital Forensics Investigation

Systematic process to collect, identify, and validate digital data to recreate past events.

Suspected Crime

A crime for which there's a reasonable cause to believe it occurred.

Law Enforcement Agency

A government organization responsible for upholding the law.

Evidence Preservation

Maintaining digital data in its original state to avoid altering any information.

Incident Reporting

The process of reporting a suspected crime event.

Digital Device

Electronic devices like smartphones, computers, and tablets used to store data.

Network Traffic Data

Information about network activity, typically stored in pcap files, collected by network analysis software.

Mobile Device Records

Detailed call history, location data, and timestamps from mobile devices maintained by phone service providers.

Deleted Files (Mobile)

Previously deleted files on mobile devices that can be retrieved and looked at by investigators.

Mobile Device Location Data

Records of a phone's location and times when it was turned on, even if not used for calls.

Encrypted Data (Mobile)

Data protected by encryption on modern devices (smartphones, tablets, laptops), potentially making examination harder.

TOR Network

An online network that hides user identities and makes tracing communications difficult for investigators.

VPN (Virtual Private Network)

A network that conceals sender and receiver identities and encrypts communications, making them challenging to decrypt and trace.

Digital Forensic Examiner's Role

A Digital Forensic Examiner interprets technical information and explains it in court, remaining neutral and gathering evidence, not proving guilt or innocence.

Forensic Timeline

A chronological record of digital activity reconstructed by the examiner to help determine a suspect's actions.

Report Submission

The Digital Forensic Examiner's report, along with the lead investigator's report, is submitted to the Procurator Fiscal in Scotland.

Procurator Fiscal's Role

The Procurator Fiscal, in Scotland, reviews the evidence and decides if there's enough to proceed to a trial.

Chain of Custody

The documented and unbroken trail of evidence, showing its origin, handling, and storage, ensuring its integrity.

Neutral Evidence

Digital forensic evidence should be interpreted without bias, showing what happened, not drawing conclusions about guilt.

Innocence Implications

If evidence points to someone's innocence, the lead investigator should consider it and possibly re-evaluate the investigation.

Real Culprit

If evidence suggests innocence, the lead investigator should consider whether the real perpetrator is still at large.

Prime Copy

A secure, tamper-proof copy of digital evidence kept for reference, typically stored in a locked safe.

Working Copy

A copy of digital evidence used for examination and analysis, allowing the original to remain untouched.

Write Blocker

A device that prevents any new data from being written to a storage device while making a copy, ensuring a perfect replica.

Bit-by-bit Copy

A perfect copy of every single bit of data on a storage device, ensuring no information is lost or altered.

What is the purpose of using a Write Blocker in digital forensics?

Write Blockers are used to prevent alteration of evidence by stopping any new data from being written to the original storage device while making a copy.

Why are two copies of evidence usually made?

Having a prime copy (the original) and a working copy (for analysis) ensures that the original evidence remains untouched and unaltered throughout the investigation.

FTK Imager

A software application used to create exact images of the contents of a storage medium when the device cannot be easily removed.

Why is it important to document any changes to the working copy in digital forensics?

Documenting all changes to the working copy ensures the integrity of the evidence and allows for a clear audit trail of any actions taken on the data.

Hashing

A method used to generate a unique 'fingerprint' (Hash Code) for digital data, ensuring that any copy can be verified as identical to the original.

Hash Code

A long string of letters and digits produced by applying a mathematical process (Hashing) to data. It uniquely identifies the data and verifies its integrity.

MD5 & SHA1

Common hashing techniques used in digital forensics to verify the integrity of data copies. MD5 (Message Digest 5) and SHA1 (Secure Hashing Algorithm 1) are often used together for double-checking.

Best Evidence

In legal cases, this refers to the original or most reliable source of evidence. In digital forensics, verified copies of data obtained through hashing are considered 'Best Evidence'.

Why is verifying copies important?

It ensures that any investigation findings based on the copy are admissible in court. If the copy is not identical to the original, the evidence might be considered unreliable.

What happens if the hash codes don't match?

It means the copy is not an exact replica of the original data. This could indicate tampering, corruption, or accidental changes. The copy cannot be used as evidence.

What is WolframAlpha?

A website that allows you to see Hashing Codes being created. It provides a tool for understanding how hashing works and generating hash codes for different data.

Why is hashing used in Digital Forensics?

To ensure the admissibility of digital evidence in court by verifying that copies of data are identical to the originals, preserving the integrity of the evidence.

Procurator Fiscal

A Scottish legal professional who investigates and prosecutes crimes in Sheriff Court, representing 'The Crown'.

High Court

The court in Scotland where the most serious crimes are tried, cases reaching it are handled by the Office of the Lord Advocate.

The Crown

The term used in Scotland to refer to the prosecution side in a criminal trial, represented by Procurator Fiscal or Lord Advocate.

'Not in the public interest'

A reason why the Procurator Fiscal may decide not to prosecute a crime, even if there is enough evidence, if they believe it wouldn't benefit society.

Disclosure

A principle in Scots Law where both the prosecution (Crown) and defense have to share evidence with each other before a trial.

Forensic Examiner in Court

The Digital Forensic Examiner may be called to court to explain their findings. They must present their evidence using clear and unbiased language.

Examiner's Evidence in Court

The examiner must explain the how they conducted their investigation using clear, unambiguous, and unbiased language, ready for questioning.

Questioning by Lawyers

Both the defense and Crown lawyers can question the Digital Forensic Examiner's findings and testimony.

Study Notes

NPA Cyber Security - Digital Forensics

• This document is learner notes for the National Progression Award in Cyber Security, specifically focusing on Digital Forensics.
• The notes are for Levels 4, 5, and 6 (National 4, 5, and Higher).
• Sections are clearly marked with the relevant level.
• Notes include practical tasks to aid in understanding the theory and enhancing practical skills in cybersecurity.
• The material is best used with guidance from a teacher.
• Funding by the Scottish Government, through the National Cyber Security Programme, in partnership with the National Cyber Resilience Leaders' Board.

Introduction to Digital Forensics

• The notes cover Data Security, Digital Forensics, and Ethical Hacking.
• The material covers all three levels (Level 4, Level 5, and Level 6).
• Students can choose to read specific level sections, or the entire document.
• Practical tasks are recommended to aid understanding and practical skill development.
• Teacher guidance and supplementary information are beneficial for enhanced learning.

Contents

• Introduction: Four Principles of Digital Evidence
• Data Acquisition: Data acquisition, at the crime scene, capturing digital evidence, imaging memory and drives, verification of data.
• The Digital Forensics Process: The process from incident to verdict; incident, investigation start (the Computer Misuse Act, 1990, the Regulation of Investigatory Powers (Scotland), Act 2000, the Human Rights Act, 1998, seizure (by warrant and voluntary surrender)), digital forensic examination, acquisition, analysis, reporting and trial.
• Analysing Digital Evidence: Timeline Analysis, Relationships, Network Analysis (Level 6), Reporting findings.
• Further Study: Topics for further research into Cyber Security, including the use of smartphones and social media, internet of things devices, and digital assistant technologies.