Certified Cybersecurity Technician Computer Forensics PDF Exam 212-82
EC-Council
Summary
This document provides an introduction to digital evidence, a crucial aspect of computer forensics. It describes digital evidence as probative information stored or transmitted digitally. This section elaborates on the importance of digital evidence in cybercrime investigations and the various principles related to its collection.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Module Flow

- Understand the Fundamentals of Computer Forensics
- Understand Digital Evidence
- Identify the Roles and Responsibilities of a Forensic Investigator
- Understand the Forensic Investigation Process and its Importance
- Discuss Various Forensic Investigation Phases
- Digital Evidence Sources to Support Forensic Investigation
- Collecting the Evidence
- Securing the Evidence
- Overview of Data Acquisition
- Performing Evidence Analysis

Understand Digital Evidence

Digital evidence refers to probative information stored on or transmitted through an electronic device. Digital evidence should be acquired and examined in a forensically sound manner while investigating cybercrimes. This section outlines the fundamentals of digital evidence and discusses the various rules and standards pertaining to digital evidence collection.

Module 20 Page 2177 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Introduction to Digital Evidence

- Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form.”
- Digital evidence is circumstantial and fragile in nature, which makes it difficult for a forensic investigator to trace criminal activities.
- According to Locard's Exchange Principle, “anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave.”

Digital devices used in cyberattacks and other security breaches may store some data about the session, such as the logged-in user, time, type of connection, and IP addresses, which can offer evidence for prosecuting the attacker. Digital evidence includes all such information that is either stored or transmitted in digital form and has probative value, thus helping investigators find the perpetrator.

Digital evidence can be found across computing devices, servers, routers, etc. It is revealed during a forensic investigation while examining digital storage media, monitoring the network traffic, or making duplicate copies of digital data. Investigators should take utmost care while gathering and extracting digital evidence, as such evidence is fragile; this fragility is what makes it difficult for a forensic investigator to trace criminal activities. Investigators should be trained and skilled to extract, handle, and analyze such fragile evidence.

According to Locard's Exchange Principle, “anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind when they leave.” For example, if information from a victim’s computer is stored on the server or system itself at the time of the crime, the investigator can easily obtain this information by examining log files, Internet browsing history, and so on. Similarly, if an individual sends an intimidating message via an Internet-based e-mail service such as Hotmail, Gmail, or Yahoo Mail, both the victim’s and the actor’s systems may store files, links, and other information that forensic investigators can extract and analyze.

Types of Digital Evidence

- Volatile Data: Data that are lost as soon as the device is powered off; examples include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
- Non-volatile Data: Permanent data stored on secondary storage devices such as hard disks and memory cards; examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, event logs, etc.

Cybercriminals directly depend on technology and digital devices to engage with the targeted system or network. Therefore, most of the evidence is present on the devices used by an attacker to connect to a network or on the computing devices of the victim. Digital evidence can be any type of file stored on a device, including a text file, image, document, executable file, and application data. Most such evidence is located in the storage media of the devices. Based on the storage style and lifespan, digital evidence is categorized into two types: volatile data and non-volatile data.

- Volatile data: This refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. For example, Random-Access Memory stores the most volatile data and discards it when the device is switched off. Important volatile data include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
- Non-volatile data: This refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Non-volatile data do not depend on the power supply and remain intact even when the device is switched off. Examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs.

Roles of Digital Evidence

Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:

1. Identity theft
2. Malicious attacks on the computer systems themselves
3. Information leakage
4. Unauthorized transmission of information
5. Theft of commercial secrets
6. Use/abuse of the Internet
7. Production of false documents and accounts
8. Unauthorized encryption/password protection of documents
9. Abuse of systems
10. Email communication between suspects/conspirators
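The volatile-data list in the "Types of Digital Evidence" section is, in practice, an order-of-volatility checklist: the items at the top disappear first, so they are captured first. As an added example (not part of the EC-Council material), this Python script collects those artifacts in the listed order, timestamps each capture, and records a SHA-256 hash of every output in a manifest so a later examiner can prove the captures were not altered; the command lines are assumptions for a Linux/macOS host, and a tool that is absent is recorded as unavailable rather than silently skipped.

```python
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Volatile artifacts in the order the module lists them (most volatile first).
# These command lines are assumptions for a Linux/macOS host, not tooling
# from the module; adjust them for the platform being examined.
VOLATILE_STEPS = [
    ("system_time", ["date", "-u"]),
    ("logged_on_users", ["who"]),
    ("open_files", ["lsof", "-n", "-P"]),
    ("network_information", ["netstat", "-an"]),
    ("process_information", ["ps", "-ef"]),
    ("process_to_port_mapping", ["lsof", "-i", "-n", "-P"]),
]

def collect_volatile(outdir, steps=VOLATILE_STEPS):
    """Run each step in order, save its raw output, and return manifest records."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    records = []
    for name, cmd in steps:
        rec = {"artifact": name, "command": " ".join(cmd),
               "collected_at": datetime.now(timezone.utc).isoformat()}
        if shutil.which(cmd[0]) is None:
            rec["status"] = "tool_unavailable"
        else:
            try:
                data = subprocess.run(cmd, capture_output=True, timeout=60).stdout
            except (subprocess.SubprocessError, OSError) as exc:
                rec["status"] = f"failed: {exc}"
            else:
                (out / f"{name}.txt").write_bytes(data)
                rec.update(status="collected", file=f"{name}.txt",
                           sha256=hashlib.sha256(data).hexdigest())
        records.append(rec)
    (out / "manifest.json").write_text(json.dumps(records, indent=2))
    return records

def verify_manifest(outdir):
    """Re-hash each collected file; return artifacts whose hash no longer matches."""
    out = Path(outdir)
    tampered = []
    for rec in json.loads((out / "manifest.json").read_text()):
        if rec["status"] == "collected":
            digest = hashlib.sha256((out / rec["file"]).read_bytes()).hexdigest()
            if digest != rec["sha256"]:
                tampered.append(rec["artifact"])
    return tampered
```

Point the output directory at removable or remote media rather than the suspect system's own disk, so the collection itself changes as little of the evidence as possible.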