CSF 3403 - WKs 1,2

39 Questions

What are digital forensics? (detailed)

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

What ISO digital forensics standard was ratified in October 2012?

ISO 27037 Information technology - Security techniques

What does computer forensics, which involves investigating digital devices, include?

Securely collecting data
Examining suspect data to determine details such as origin and content
Presenting digital information to courts
Applying laws to digital device practices

What does the network forensics field attempt to do? What does it use? and what does it determine?

attempts to get info about how someone accessed the network.
uses log files to determine when users logged on, which URLs they accessed, how they logged on to the network, and from where.
determines what tracks or new files were left behind on a victims' computers and what changes were made.

What are digital forensics? (brief).

the task of recovering data that users have hidden or deleted and using it as evidence. This evidence can be Inculpatory (“incriminating”) or exculpatory.

What does data recovery involve?

retrieving information that was deleted by mistake or lost during a power surge or server crash

What is evidence?

the collection of facts or information indicating whether a belief or proposition is true

What is inculpatory evidence? Provide an example.

evidence that proves the suspect isn't innocent. example: When it is proven that the e-mail sent containing verbal abuse was by the suspect.

What is exculpatory evidence? Provide an example.

evidence that could prove the innocence of the suspect. example: we might discover that the email was sent by another user on that computer.

What does the investigations triad consist of in an enterprise network environment?

risk management and vulnerability assessment
network intrusion detection and incident response
digital investigations

What is the purpose of digital forensics and what tools can be used?

Purpose: manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime. Tools: FTK, ProDiscover, EnCase, Oxygen Forensics.

What is the purpose of vulnerability/threat assessments and risk management, and what tools can be used?

Purpose: tests and verifies the integrity of stand-along workstations and network servers. Tools: Nessus.

What is the purpose of network intrusion detection and incident response, and what tools can be used?

Purpose: detects intruder attacks by using automated tools and monitoring network firewall logs. Tools: Firewall.

When is case law used and why?

case law is used when statutes don't exist, because existing laws can't keep up with the rate of technological change.

What is the purpose of case law?

It allows legal counsel to apply previous similar cases to current one in an effort to address ambiguity in laws.

How can one supplement their knowledge when developing digital forensics resources?

by developing and maintaining contact with computing, network, and investigative professionals.
by joining computer groups in both public and private sectors (eg: CTIN meets to discuss problems encountered by digital forensics examiners).
by consulting outside experts.

What are the two categories of digital investigations?

Public and private sector investigations.

What do public sector investigations involve?

government agencies responsible for criminal investigations and prosecution.

What do private sector investigations deal with and what do they involve?

deal with private companies, non-law-enforcement government agencies, and lawyers.
not directly governed by criminal law/fourth amendment issues.
governed by internal policies that define expected employee behavior and conduct in the workplace.
involve litigation disputes.
usually conducted in civil cases.

What kinds of computer related crime laws should you understand when conducting public sector investigations?

Standard legal processes
Guidelines on search and seizure
How to build a criminal case

What do legal processes depend on?

local custom, legislative standards, and rules of evidence.

What are the three stages of a criminal case?

complaint
investigation
prosecution

Who is involved in private sector investigations?

private companies and lawyers who address company policy violations and litigation disputes.

What can corporate computer crimes include?

E-mail harassment
Falsification of data
Gender and age discrimination
Embezzlement
Sabotage
Industrial espionage

How can private organizations avoid litigation?

Publish and maintain policies that employees find easy to read and follow.
Published company policies provide a “line of authority” for a business to conduct internal investigations
well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation.
by displaying a warning banner on computer screens (informs end users that the organization reserves the right to inspect computer systems and network traffic at will).

What does a line of authority state?

who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

What are some examples of text that can be used in internal warning banners?

Use of this system and network is for official business only
Systems and networks are subject to monitoring at any time by the owner
Using this system implies consent to monitoring by the owner
Unauthorized or illegal users of this system or network will be subject to discipline or prosecution

Businesses are advised to specify an authorized requester who ___________________

has the power to initiate investigations.

What are some examples of groups with authority?

Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
Internal auditing
The general counsel or legal department

What do you search for during private investigations?

evidence to support allegations of violations of a company’s rules or an attack on its assets

What are the three common types of situations in private sector investigations?

Abuse or misuse of computing assets
E-mail abuse
Internet abuse

What is it a private-sector investigator's job to do?

minimize risk to the company

Why can the distinction between personal and company computer property be difficult in private sector investigations.

Due to the BYOD environment.
Some companies state that if you connect a personal device to the business network, it falls under the same rules as company property

Why is professional conduct critical as digital investigations and forensics analysts?

because it determines your credibility. It includes ethics, morals, and standards of behavior

What does maintaining objectivity mean?

you must form and sustain unbiased opinions of your cases.

What does it mean to maintain credibility?

to keep the case confidential

how can a digital investigator maintain professional conduct?

by maintaining objectivity and credibility

How can you enhance your professional conduct?

Continuing your training.
Attending workshops, conferences, and vendor courses.
Membership in professional organizations.

Why are digital investigators expected to achieve a high public and private standing and maintain honesty and integrity?

because their corporate cases might turn into criminal cases as serious as murder.

Study Notes

Digital Forensics

Digital forensics involves the collection, preservation, analysis, and presentation of digital evidence to investigate cybercrimes and other digital incidents.
In October 2012, the ISO 27037 digital forensics standard was ratified, providing guidelines for the handling and analysis of digital evidence.

Computer Forensics

Computer forensics involves investigating digital devices, such as computers, laptops, and mobile phones, to gather digital evidence.
It includes the analysis of data storage devices, network traffic, and system logs.

Network Forensics

Network forensics attempts to capture, record, and analyze network traffic and communication patterns to identify potential security threats.
It uses network traffic capture tools, such as tcpdump and Wireshark, to determine the source and destination of malicious traffic.

Digital Forensics (Brief)

Digital forensics involves the analysis of digital evidence to investigate cybercrimes and other digital incidents.

Data Recovery

Data recovery involves restoring deleted, corrupted, or damaged data from digital devices.

Evidence and Types of Evidence

Evidence is any digital data that can be used to support or refute a claim or allegation.
Inculpatory evidence is digital evidence that implicates an individual or organization in a crime or wrongdoing.
- Example: A log file showing unauthorized access to a system.
Exculpatory evidence is digital evidence that clears an individual or organization of wrongdoing.
- Example: A log file showing authorized access to a system.

Investigations Triad

The investigations triad in an enterprise network environment consists of people, process, and technology.

Purpose of Digital Forensics and Tools

The purpose of digital forensics is to investigate cybercrimes and other digital incidents, and to gather digital evidence for legal proceedings.
Tools used in digital forensics include disk imaging software, such as FTK Imager, and analysis software, such as EnCase.

Purpose of Vulnerability/Threat Assessments and Risk Management

The purpose of vulnerability/threat assessments and risk management is to identify and mitigate potential security risks in an organization.
Tools used in vulnerability/threat assessments and risk management include Nessus and OpenVAS.

Purpose of Network Intrusion Detection and Incident Response

The purpose of network intrusion detection and incident response is to detect and respond to security incidents in real-time.
Tools used in network intrusion detection and incident response include Snort and Splunk.

Case Law

Case law is used to establish legal precedents and guidelines for digital investigations and forensics.
The purpose of case law is to provide a framework for legal proceedings involving digital evidence.

Developing Digital Forensics Resources

To supplement their knowledge, digital forensics professionals can attend training and conferences, and participate in online forums and communities.

Categories of Digital Investigations

Digital investigations can be categorized into two types: public sector investigations and private sector investigations.
Public sector investigations involve government agencies and law enforcement, and typically involve criminal investigations.
Private sector investigations involve private organizations and companies, and typically involve internal investigations and incident response.

Public Sector Investigations

Public sector investigations involve government agencies and law enforcement, and typically involve criminal investigations.
Computer-related crime laws that should be understood when conducting public sector investigations include the Computer Fraud and Abuse Act (CFAA).

Private Sector Investigations

Private sector investigations involve private organizations and companies, and typically involve internal investigations and incident response.
Private sector investigations may involve employee misconduct, intellectual property theft, and data breaches.

Corporate Computer Crimes

Corporate computer crimes can include insider threats, data breaches, and intellectual property theft.

Avoiding Litigation

Private organizations can avoid litigation by establishing clear policies and procedures for digital investigations and incident response.

Line of Authority

A line of authority states that an individual or organization has the authority to access and investigate digital evidence.

Warning Banners

Examples of text that can be used in internal warning banners include: "This system is for authorized use only" and "All activities on this system are monitored and recorded."

Authorized Requester

Businesses are advised to specify an authorized requester who can request access to digital evidence.

Groups with Authority

Examples of groups with authority include law enforcement, government agencies, and internal security teams.

Private Investigations

During private investigations, digital investigators search for digital evidence, such as log files, email messages, and system logs.

Types of Situations in Private Sector Investigations

The three common types of situations in private sector investigations are: employee misconduct, intellectual property theft, and data breaches.

Job of a Private-Sector Investigator

A private-sector investigator's job is to gather and analyze digital evidence to support internal investigations and incident response.

Distinction between Personal and Company Computer Property

The distinction between personal and company computer property can be difficult in private sector investigations, as employees may use company devices for personal activities.

Professional Conduct

Maintaining objectivity means remaining impartial and unbiased during digital investigations.
Maintaining credibility means ensuring that digital evidence is handled and analyzed in a professional and reliable manner.
Digital investigators can maintain professional conduct by adhering to established guidelines and protocols, and by continuously updating their knowledge and skills.
Enhancing professional conduct can be achieved by participating in training and certification programs, and by engaging in peer review and quality assurance activities.
Digital investigators are expected to achieve a high public and private standing and maintain honesty and integrity, as they play a critical role in ensuring that digital evidence is handled and analyzed in a professional and reliable manner.

Make Your Own Quizzes and Flashcards

Convert your notes into interactive study material.