Forensic Science Methodology: Preparation and Identification PDF

Summary

This document is a knowledge check for forensic science methodology. It includes questions and answers on topics such as preparation and identification of digital evidence, preservation of digital evidence, analysis and examination of digital evidence, and reporting of digital evidence.

Full Transcript

Forensic Science Methodology: Preparation and Identification

1. What should computer security professionals do before gathering digital evidence within their organization? Answer: Obtain instructions and written authorization from their attorneys.
2. When is a search warrant usually required in an investigation involving an employee’s computer? Answer: To access areas an employee would consider personal or private.
3. What are the two requirements for a valid search warrant? Answer: It must describe the property to be seized and establish probable cause.
4. Which of the following is NOT a step to be taken when planning a digital evidence search? Answer: Immediately starting with digital evidence collection without preparation.
5. What is an example of digital evidence related to cyberstalking? Answer: E-mails used to harass victims.

Forensic Science Methodology: Collection and Preservation

1. What is a major aspect of preserving digital evidence? Answer: Collecting evidence in a way that does not alter it.
2. Why is care required when preserving the contents of a computer that was used to commit a digital crime? Answer: It may be necessary to ensure the integrity of the contents.
3. Which of the following could indicate that a suspect used encryption technology? Answer: Finding a book describing encryption software.
4. What should be avoided when handling disks to prevent data loss? Answer: Leaving them in a hot car or near a strong magnetic field.
5. What is the best way to power down a computer during an investigation, according to the ACPO Good Practice Guide? Answer: Unplug the power cable from the computer.

Forensic Science Methodology: Analysis and Examination

1. Which of the following is a step in the Filtering/Reduction process? Answer: Eliminating valid system files irrelevant to the investigation.
2. What are the two fundamental questions when evaluating a piece of digital evidence? Answer: What is it, and where did it come from?
3. What does it mean if two files from different computers have the same MD5 value? Answer: They have identical content.
4. When a deleted file is partially overwritten, where might its fragments be found? Answer: Slack space or unallocated space.
5. Which of the following is a method to recover encrypted data? Answer: Finding the encrypted data in unencrypted form.

Forensic Science Methodology: Reporting

1. What is the purpose of the final report in a digital evidence examination? Answer: To integrate findings and conclusions for presentation in court.
2. What should be included in the Evidence Summary section of the report? Answer: Laboratory submission numbers and condition of evidence.
3. Which section of the report describes the tools used and how important data were recovered? Answer: Examination Summary.
4. What is the purpose of the Glossary of Terms in the report? Answer: To provide explanations of technical terms used in the report.
5. How should an investigator express their level of certainty in a written report? Answer: By using degrees of likelihood such as “Most probably” or “Very possibly”.

Digital Data

1. What is the maximum number of characters Unicode can represent with two bytes? Answer: 65,536.
2. In computing, which of the following statements is true about Little Endian? Answer: It stores the least significant bit first, read from right to left.
3. How many different values can a nibble represent? Answer: 16.
4. Which of the following is true about Binary? Answer: It stores data as 1s and 0s, 1: the bit is on, 0: the bit is off.
5. Which of the following is the standard character encoding used on the Web and preferred by software programmers? Answer: UTF-8.
6. How does UTF-8 typically represent common English characters? Answer: Using 1 byte per character.
7. In hexadecimal notation, how many binary digits make up one nibble? Answer: 4 binary digits.
8. What is the main advantage of the 7-bit PDU encoding format for SMS messages? Answer: It allows users to send more characters in fewer bytes.
9. What is the difference between Big Endian and Little Endian formats in terms of data storage? Answer: Big Endian stores data left to right; Little Endian stores data from right to left.

Cookie Analysis

1. Where are cookies stored in a Windows system? Answer: C:\User[User Name]\AppData\Local\Google\Chrome\User Data\Default\
2. What is the purpose of the ‘Secure’ parameter in a cookie? Answer: The cookie should only be accessed via a secure server condition.
3. What is the primary function of the hash table in the index.dat file? Answer: To act as an index containing pointers to the actual records.
4. In the hash table entries, what does a value of 1 in the first 4 bytes and a pointer in the second 4 bytes indicate? Answer: The record is invalid but still points to a file offset.
5. What is the length of each hash table entry in bytes? Answer: 8 bytes.

Smart Phone Profiles

1. Which is NOT a commonly extracted feature from smartphones in forensic investigations? Answer: User’s bank account details.
2. What is the significance of acquiring a smartphone’s metadata? Answer: It provides detailed information about file attributes.
3. What does an IMEI number uniquely identify? Answer: The phone itself.
4. What type of analysis can be performed with SMS/MMS data from a smartphone? Answer: Social Network analysis.
5. What is the typical purpose of examining smartphone profiles in forensic investigations? Answer: To reconstruct evidence and reconstruct activities.

Apple iDevices v10

1. What is the function of an Apple ID? Answer: Provides access to Apple services.
2. What is a significant feature of iOS updates? Answer: Improve security and functionality.
3. Which app is primarily used for syncing iOS devices with computers? Answer: iTunes.
4. What distinguishes Apple iDevices in terms of security? Answer: Proprietary encryption.
5. What type of data can iCloud store? Answer: Contacts, notes, and app data.

Android Devices v10

1. What does the term “rooting” refer to in Android devices? Answer: Gaining administrator privileges.
2. What is the primary programming language used for Android applications? Answer: Java.
3. Which file type is associated with Android installation packages? Answer: .apk
4. What is the purpose of ADB (Android Debug Bridge)? Answer: Facilitates device communication and debugging.
5. What does the Google Play Protect feature do? Answer: Protects against malware.

XRY Cloud

1. What does XRY Cloud specialize in retrieving? Answer: Data storage in cloud accounts.
2. Which authentication method is typically required to access cloud data in XRY Cloud? Answer: Username and password.
3. What is a major challenge in cloud-based forensic investigations? Answer: Cloud storage encryption.
4. What types of data can often be retrieved from cloud storage in investigations? Answer: Social media interactions.
5. What benefit does XRY Cloud provide over traditional forensic tools? Answer: Access to remote data.

Log Files

1. What is the primary purpose of logging the XRY extraction process? Answer: To save the extraction process in case of issues.
2. Where can the log file for a specific exhibit in XRY be found? Answer: Beside “CASE INFO” on the left.
3. Which term would identify if an iOS device were jailbroken in the log file? Answer: Root.
4. What types of log files are identified in XRY? Answer: .xrycase and individual device log files.
5. What type of search reveals if a device is locked with a pattern? Answer: Pattern lock search.

Drone Data

1. Which of the following is NOT a major drone manufacturer? Answer: Boeing.
2. What feature is provided by ATTI mode on a drone? Answer: Remains at the same height but drifts.
3. What is the most likely reason to remove drone propellers before USB connection? Answer: To avoid accidental activation.
4. What is included in drone flight path data? Answer: Altitude and Attitude.
5. What can GPS location data extracted from a drone be used to determine? Answer: Last flown area.

Reporting

1. What does the “Save Subset” function create in XRY? Answer: A replica of the original file with user-selected artifacts.
2. Which field is NOT typically included in a forensic report? Answer: Device storage type.
3. What does XAMN allow users to do? Answer: View XRY files.
4. How can examiners add notes in XAMN? Answer: By tagging multiple items with the same note and timestamp.
5. What is the purpose of filtered data export in XRY? Answer: To generate an evidence report.

Location Data v10.0

1. What is the primary use of location data in smartphones? Answer: Navigation and tracking.
2. What does GPS stand for? Answer: Global Positioning System.
3. Which data type is crucial for mapping location history? Answer: Latitude and longitude.
4. What is one way location data can be manipulated? Answer: Using VPN services.
5. What kind of apps heavily rely on location data? Answer: Navigation and delivery apps.

Smartphones Introduction V10.0

1. What defines a smartphone compared to a feature phone? Answer: Integration of advanced computing capabilities.
2. Which operating system is commonly used in smartphones? Answer: Android.
3. What is one key feature of smartphones? Answer: Advanced user interface.
4. Which component is critical for running applications on smartphones? Answer: RAM.
5. What drives the popularity of smartphones? Answer: Access to app ecosystems.

SIM Card Extraction

1. Which communication technology standard utilizes SIM cards within devices? Answer: GSM.
2. What type of data does a SIM card typically contain? Answer: Text based data.
3. Which of the following best describes the purpose of an ICCID? Answer: The unique serial number of the SIM card.
4. It is possible to retrieve deleted SMS from a SIM card, if it hasn’t been overwritten. Answer: True.
5. Some network and location information data can be retrieved from SIM card extractions by: Answer: TMSI & LAC.

Reconstruct

1. What is the purpose of investigative reconstruction in digital forensics? Answer: To gain a complete understanding of what happened, who caused it, and why.
2. Which type of analysis is used to determine if the digital evidence was tampered with? Answer: Functional Analysis.
3. Which type of analysis involves creating nodes that represent places, email addresses, and financial transactions? Answer: Relational Analysis.
4. What is the primary focus of Temporal Analysis in a digital forensics investigation? Answer: Determining the time and sequence of events.
5. What do operating systems often keep track of, which is useful for temporal analysis? Answer: File creation, modification, and access times.
