Assignment and Study Guide for CISS360

Chapter One

Terms

affidavit
A notarized document sworn under penalty of perjury. It can be a declaration when the document is not notarized.
allegation
charge made before proof
approved secure container
A fireproof container locked by a key or combination
attorney-client privilege (ACP)
client information divulged to an attorney is confidential
authorized requester
In the private sector, the person who has the right to request an investigation.
bit-stream copy
A bit-by-bit duplicate of the data on the original storage medium; also known as acquiring an image or making a forensic copy.
chain of custody
The path that evidence takes from the start of an investigation until closed.
Computer Technology Investigators Network (CTIN)
Pacific Northwest group of investigators that collaborate on better investigative techniques
data recovery
recovering deleted files
Digital Evidence Specialist (DES)
One who collects and protects the integrity of the data/evidence
digital forensics
providing evidence through investigative procedures for legal purposes
evidence bags
Antistatic bags used to transport computer components or digital devices
evidence custody form
A hard copy form showing who checked evidence in/out
exculpatory evidence
Evidence that indicates the suspect is innocent
exhibits
Evidence used in court to prove a case
forensic workstation
A work station that copies evidence
Fourth Amendment
Ensures probable cause for search
hostile work environment
A workplace that prevents employees from doing their job due to hostile interaction from others
inculpatory evidence
Evidence that indicates suspect is guilty
industrial espionage
Theft of valuable proprietary information, data, or products from a company that is
International Association of Computer Investigative Specialists (IACIS)
Software creators for digital forensics
interrogation
Attempting to get a confession for a specific incident or crime
interview
Conversation conducted to collect information from a witness or suspect to verify related facts
line of authority
Order by which a problem is escalated through the ranks. Each rank has the legal right to investigate and to possess, control, or access evidence
multi-evidence form
Evidence custody form used to list all items associated with a case
network intrusion detection and incident response
Detecting attacks from intruders by using automated tools and manual processes.
professional conduct
Expected behavior of a professional supporting ethical behavior and integrity.
repeatable findings
Duplicating a result consistently to ensure accuracy
search and seizure
Obtaining evidence legally
search warrants
Legal document providing the investigators the right to examine private property to support or prove an allegation
single-evidence form
Form attached to each piece of evidence. Provides a log of evidence handling to ensure integrity of the evidence
vulnerability/threat assessment and risk management
Weakest points of an attack surface. Covers all types of security
warning banner
Provides instruction to the user for the proper use of the company computer
white-collar crimes
Financially motivated non violent crime. Typical white-collar crimes could include wage theft, fraud, bribery, Ponzi schemes, insider trading, labor racketeering, embezzlement, cybercrime, copyright infringement, money laundering, identity theft, and forgery

Review Questions

1. Digital forensics and data recovery refer to the same activities. True or False?
False
2. Police in the United States must use procedures that adhere to which of the following? a. Third Amendment b. Fourth Amendment c. First Amendment
b. Fourth Amendment
3. The triad of computing security includes which of the following? a. Detection, response, and monitoring b. Vulnerability assessment, detection, and monitoring c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation d. Vulnerability assessment, intrusion response, and monitoring
4. What's the purpose of maintaining a network of digital forensics specialists?
5. Policies can address rules for which of the following? a. When you can log on to a company network from home b. The Internet sites you can or can’t access c. The amount of personal e-mail you can send d. Any of the above
d. Any of the above
6. List two items that should appear on a warning banner
7. Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
8. List two types of digital investigations typically conducted in a business environment.
Private and Public
9. What is professional conduct, and why is it important?
Professional conduct means ethical behavior and integrity.
10. What's the purpose of an affidavit?
Ties the evidence to a source with a level of credibility
11. What are the necessary components of a search warrant?
Case number, Investigating organization, Investigator
12. What are some ways to determine the resources needed for an investigation?
To define the objectives of the investigation
13. List three items that should be on an evidence custody form.
Date, case number, investigating organization, and investigator's name
14. Why should you do a standard risk assessment to prepare for an investigation?
To understand risk associated with investigation.
15. You should always prove the allegations made by the person who hired you.
False
16. For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
17. Why should evidence media be write-protected?
To protect the data from accidental deletion.
18. List three items that should be in your case report.
The process addressed, steps you took and description of findings
19. Why should you critique your case after it's finished?
To improve your technique and provide a log to review for future cases
20. What do you call a list of people who have had physical possession of the evidence?
chain of custody
21. Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
True

Chapter One notes from Power Point Slides

ISO standard for digital forensics was ratified in October 2012
To ensure a standard for security techniques.
Federal Rules of Evidence (FRE)
Ensured consistency in federal proceedings
FBI Computer Analysis and Response Team (CART) was formed to handle cases involving digital evidence
CART teamed up with the Department of Defense Computer Forensics Laboratory
Fourth Amendment protects everyone's right to be secure from search and seizure
Every U.S. jurisdiction has case law regarding evidence recovered from computers and other digital devices
This ensures the legality of the process
In forensics terms, investigating digital devices means:
Collecting data securely
investigating suspect data for origin and content
Presentation of forensic data to courts
Applying laws to digital device practices
Digital forensics is different from data recovery.
Data recovery is retrieving information that was deleted by mistake or lost
Forensics investigators often work as part of a team, known as an investigation ____________?
Triad
A triad has three sides, like a triangle. Name them:
1. Vulnerability and threat assessment and risk management.
2. Network intrusion detection and incident response
3. Digital Investigations
History of Digital Forensics
1990s: International Association of Computer Investigative Specialists (IACIS)
IRS created search-warrant programs
ASR Data created Expert Witness for Macintosh
ILook, maintained by the IRS Criminal Investigation Division
AccessData Forensic Toolkit (FTK) is a popular commercial product
When statutes don't exist, case law is used
Allow legal counsel to determine whether case law can be persuasive
Examiners must be familiar with recent court rulings on search and seizure in the electronic environment
How can you supplement your knowledge?
Develop and maintain contact with computing, network, and investigative professionals
Join computer user groups in both the public and private sectors
Try the Computer Technology Investigators Network (CTIN)
Consult outside experts
Public-sector investigations involve government agencies responsible for criminal investigations and prosecution
Fourth Amendment to the U.S. Constitution restricts government search and seizure
When conducting public-sector investigations, you must understand laws on computer-related crimes including
Standard legal processes
Guidelines on search and seizure
How to build a criminal case
The Computer Fraud and Abuse Act was passed in 1986
Specific state laws were generally developed later
How does a criminal investigation start?
1. Witness or victim makes an allegation to the police
2. Police interview the complainant and write a report about the crime
3. Report is processed and management decides to start an investigation or log the information in a police blotter
4. Blotter is a historical database of previous crimes
DEFR (Digital Evidence First Responder)
First responder: assesses the scene, takes precautions, and acquires and preserves evidence
DES Digital Evidence Specialist
Has the skill to analyze the data and determine when to use another specialist
Affidavit: a sworn statement to support facts about or evidence of a crime; must include exhibits
The private sector uses legal means to address violations of company policies and litigation disputes, e.g. wrongful termination
Businesses strive to minimize litigation
Private-sector crimes can involve harassment, e-mail problems, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
Businesses can publish policies to reduce risk of litigation
Post policies that define rules for computer and network use
What is a line of authority?
States who has the legal right to initiate an investigation.
How does a warning banner help?
A warning banner posts a message stating company policy and discloses the right to monitor use.
What are examples of an authorized requester?
Corporate security investigations
Corporate ethics office
Corporate equal employment opportunity office
internal auditing
General counsel or legal department
Private investigations search for What?
Evidence to support allegations of violation of company policy
What are three common situations?
Abuse or misuse of computing assets
E-mail abuse
internet abuse
What positive outcome does a private investigator seek?
Minimizing risk to the company.
BYOD creates what kind of problem?
When it is attached to the network, one does not know who owns it.
What do some companies policies state when you connect a BYOD to your network?
They take ownership of the device.
What are characteristics of Professional conduct?
Ethical, maintains objectivity and confidentiality. Invest in continual education to stay current.
What is an investigator's job?
To gather evidence in order to prove allegations of violation of company policy.
What is the purpose of collecting evidence?
Investigate the suspect's computer
Preserve the evidence on another computer
Make it available to the courts and corporate inquiries.
Protect the chain of custody.
Why are computers so important to an investigator?
Computers both harbor and contain evidence that can lead to a conviction.
What is important when acquiring evidence?
Making sure evidence is not altered or deleted
Potential evidence might be password protected
What are common misuses of computers?
Surfing the Internet
Sending personal emails
Using company computers for personal tasks.
What are the steps for problem solving?
What type of case is it?
Design the approach
Detailed checklist
Determine resources
Obtain and copy an evidence drive
Identify the risks of losing the investigation
Minimize risk of compromising the investigation
Test the design you have for the investigation
Analyze and recover the digital evidence.
Investigate the data you recovered
Complete the case report
Critique the case
How do you systematically outline the case details?
Define the situation
Determine the nature of the case
List the specifics of the case
What type of evidence do you need?
Determine disk format
Locate the evidence
Based on these above factors you can determine the requirements for the case
What must a basic investigation plan include?
Acquire the evidence
Complete the evidence form and establish chain of custody
Transport the evidence to a computer forensics lab
Secure evidence in an [approved secure container]
Prepare your [forensics workstation]
Retrieve the evidence from the secure container
Make a forensic copy of the evidence
Return the evidence to a secure container
Process the copied evidence with computer forensics tools
What are the two types of [evidence custody form], also known as a chain-of-evidence form?
[Single-evidence form]
[Multi-evidence form]
What is an example of a [multi-evidence form]? (This form is missing a signature line at the bottom.)
[Figure: example of a multi-evidence form]
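An added example, not from the course or the textbook, of the custody forms just described as a data structure: one multi-evidence form for the case, each item carrying its own single-evidence log, with check-out/check-in records and a hash check on return. The case number, names, evidence bytes and the choice of SHA-256 are constructed assumptions.

```python
"""Multi-evidence custody form with a per-item chain of custody.

Added example (not the textbook's or course's material). Case number, names,
evidence bytes and the use of SHA-256 are constructed assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


class CustodyError(Exception):
    """Raised when a check-in/check-out would break the chain of custody."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime
    action: str       # "acquired", "checked_out" or "checked_in"
    person: str
    note: str


@dataclass
class EvidenceItem:
    """One line on the multi-evidence form; 'chain' is its single-evidence log."""
    item_no: int
    description: str
    acquisition_hash: str
    in_custody: bool = True
    chain: list = field(default_factory=list)


class MultiEvidenceForm:
    """Lists every item of a case and records who had each item, and when."""

    def __init__(self, case_no: str, organization: str, investigator: str):
        self.case_no = case_no
        self.organization = organization
        self.investigator = investigator
        self.items: dict[int, EvidenceItem] = {}

    def _stamp(self, item: EvidenceItem, action: str, person: str, note: str):
        item.chain.append(CustodyEntry(datetime.now(timezone.utc), action, person, note))

    def add_item(self, description: str, data: bytes, collected_by: str) -> EvidenceItem:
        """Log the item and record its hash at acquisition time."""
        item = EvidenceItem(len(self.items) + 1, description, sha256_hex(data))
        self.items[item.item_no] = item
        self._stamp(item, "acquired", collected_by, "hash recorded at acquisition")
        return item

    def check_out(self, item_no: int, person: str, purpose: str):
        """An item can only leave the container if it is currently in custody."""
        item = self.items[item_no]
        if not item.in_custody:
            raise CustodyError(f"item {item_no} is already checked out")
        item.in_custody = False
        self._stamp(item, "checked_out", person, purpose)

    def check_in(self, item_no: int, person: str, data: bytes):
        """Returning evidence: re-hash and compare before accepting it back."""
        item = self.items[item_no]
        if item.in_custody:
            raise CustodyError(f"item {item_no} was never checked out")
        current = sha256_hex(data)
        if current != item.acquisition_hash:
            # Record the failed return so the log itself shows the break.
            self._stamp(item, "checked_in", person, f"HASH MISMATCH {current[:12]}")
            raise CustodyError(f"item {item_no} hash mismatch: evidence altered")
        item.in_custody = True
        self._stamp(item, "checked_in", person, "hash verified")

    def chain_of_custody(self, item_no: int):
        """Who has had possession of the item, in order (action, person)."""
        return [(e.action, e.person) for e in self.items[item_no].chain]
```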
What are important steps to take when securing evidence?
Use evidence bags
Use computer-safe products when collecting evidence, like antistatic bags and pads
Use padded containers
Use evidence tape to seal containers and all openings:
CD drive bays
Insertion slots for power supply cords and USB cables
Write your initials on the tape to prove "no tampering"
Make sure you have a safe environment for transporting and storing
What is a general overview of procedures you need to develop as an investigator?
Informal checklists
Make sure you know all the issues
Ensure the correct techniques are used in an investigation

Employee Termination Cases

Employee termination is usually due to?
Abuse of corporate assets
Creating a hostile workplace
Viewing pornography
Sending inappropriate emails
In an organization what ensures or minimizes inappropriate conduct?
Posted policies

Internet Abuse Investigations

For Internet abuse cases, what does an investigator need to process a case?
Organization's Internet proxy server logs
Suspect computer's IP address
Your preferred computer forensics analysis tool

What are the recommended steps for an Internet abuse investigation?
Use standard forensic analysis techniques and procedures
Use appropriate tools to extract all Web page URL information
Contact the network firewall administrator and request a proxy server log
Compare the data recovered from the forensic analysis to the proxy server log
Continue analyzing the computer's disk drive data
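One way to do the comparison step above in code, as an added example that is not from the course or textbook: it parses proxy log lines (a Squid-like access.log layout, assumed here, with constructed entries), keeps the records for the suspect's IP address, and splits them into URLs corroborated by the disk evidence, proxy-only hits, and disk-only URLs that the proxy never saw.

```python
"""Cross-reference URLs recovered from a suspect's disk with the proxy log.

Added example, not from the textbook or course. The log layout, IP address
and URLs are constructed sample data."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed proxy log in a Squid-like access.log layout:
# <epoch> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url>
PROXY_LOG = """\
1584705600.123     45 10.0.0.23 TCP_MISS/200 5120 GET http://example.org/news/
1584705605.456    120 10.0.0.23 TCP_MISS/200 8192 GET http://bad-site.example/stream
1584705610.789     30 10.0.0.57 TCP_HIT/200 1024 GET http://example.org/news/
1584705620.000     50 10.0.0.23 TCP_MISS/403 512 GET http://bad-site.example/page2
this line is corrupt and should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_proxy_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            "ip": m["ip"],
            "status": int(m["status"]),
            "url": m["url"],
        }


def normalize(url: str) -> str:
    """Lower-case and drop a trailing slash so both sources compare alike."""
    return url.strip().lower().rstrip("/")


def correlate(log_text: str, suspect_ip: str, recovered_urls):
    """Compare disk evidence with proxy evidence for one client IP.

    Returns (corroborated, proxy_only, disk_only): URL -> hit count for the
    first two (seen in the proxy log for suspect_ip), a set for the third."""
    seen = Counter()
    for rec in parse_proxy_log(log_text):
        if rec["ip"] == suspect_ip:          # blocked (403) attempts still count
            seen[normalize(rec["url"])] += 1
    disk = {normalize(u) for u in recovered_urls}
    corroborated = {u: n for u, n in seen.items() if u in disk}
    proxy_only = {u: n for u, n in seen.items() if u not in disk}
    disk_only = disk - set(seen)
    return corroborated, proxy_only, disk_only
```

Disk-only URLs are not proof of browsing by themselves (cached pages, bookmarks or other users' traffic can put them there), which is why the steps call for continuing the disk analysis after the comparison.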

Email Abuse Investigations

What do you need for an e-mail abuse investigation?
An electronic copy of the offending e-mail that contains the message header
E-mail server logs
Access to the local e-mail server if messages are stored there
Access to the computer so you can perform a forensic analysis on it
Your preferred computer forensics analysis tool
What are the recommended steps?
Use standard forensic analysis techniques
Obtain an electronic copy of the offending message
Use FTK's Internet Keyword Search option to extract all related e-mail address information
Examine the header data of all messages

Attorney-client Privilege

What are the rules for ACP, or attorney-client privilege?
You must keep findings confidential
Keep printouts of the data you recovered
Attorneys must follow the rules for examining digital evidence
Make sure you understand the format of the data.
What are the steps for an ACP investigation?
Obtain permission from [line of request]
List keywords of interest to investigation
Initiate the investigation with a plan
Make two bit-stream images, using a different tool for each image
Compare hash signatures on all files to the original and re-created disks
Methodically examine every portion of the disk drive and extract all data
Run keyword searches on allocated and unallocated disk space
For Windows OSs, extract relevant registry entries
For binary data files such as CAD drawings, locate the correct software product
For unallocated data recovery, use a tool that removes or replaces nonprintable data

What are the steps for conducting an ACP case?
Consolidate all recovered data from the evidence bit-stream image into folders and subfolders
Minimize written communications with the attorney
Any communication written to the attorney must contain a header stating that it is "Privileged Legal Communication-Confidential Work Product"
Assist the attorney and paralegal in analyzing the data

Industrial Espionage Investigations

Industrial espionage should be treated as a criminal investigation
Staff needed
Digital investigator who is responsible for disk forensic examination
Technology specialist who is knowledgeable of the suspected compromised technical data
Network specialist who can perform log analysis and set up network sniffers
Threat assessment specialist (typically an attorney)
Guidelines when initiating an investigation
Determine whether this investigation involves a possible industrial espionage incident
Consult with legal counsel and upper management
How to substantiate the allegation
Create list of keywords for disk forensics and sniffer monitoring
List and collect resources for the investigation
Determine goal and scope of investigation
Planning considerations:
Examine all e-mail of suspected employees
Search internet newsgroups or message boards
Initiate physical surveillance
Examine facility physical access log for sensitive areas
Determine suspect location relative to asset
Study the suspect's work habits
Collect incoming and outgoing phone logs
Steps to conducting an industrial espionage case
Brief personnel on the plan
Gather resources to conduct the investigation
Place surveillance systems at key locations
Discreetly gather any additional evidence
Collect all log data from networks and email servers
Report regularly to management and corporate attorneys
Review the investigation's scope with management and corporate attorneys
Become a skilled interviewer and interrogator
Interview witness or suspect
Interrogation to get a suspect to confess.
Role as a digital Investigator
To instruct the investigator conducting the interview on what questions to ask and what the answers should be
Ingredients for a successful interview or interrogation
Being patient throughout the session
Repeating or rephrasing the question to zero in on specific facts
Being tenacious

Understanding Data Recovery Workstations and Software

forensics lab or data-recovery lab
In data recovery, the customer or your company just wants the data back
Computer forensics workstation
A specially configured PC
Loaded with additional bays and forensics software
To avoid altering the evidence, use:
Write-blocker devices
These enable you to boot to Windows without writing data to the evidence drive
Basic Requirements
A workstation running Windows 7 or later
a write-blocker device
Digital forensics acquisition tool
Target drive to receive the source or suspect disk data
Spare PATA or SATA ports
USB ports
Additional useful items
Network interface card (NIC)
Extra USB ports
FireWire 400/800 ports
SCSI card
Disk editor tool
Text editor tool
Graphic viewer program
other specialized viewing tools
Gather resources identified in the investigation plan
Items needed
Original storage media
evidence custody form
evidence container for the storage media
Bit-stream imaging tool
forensic workstation to copy and examine your evidence
Securable evidence locker, cabinet, or safe.
Avoid damaging the evidence
Bit-stream copy
Unlike a backup, it gets all bits on the disk: all slack space and out-of-sector information, not just the known files
Bit-stream image
The file containing the bit-stream copy, known as an image; it holds all data on a partition.
Important: Use a duplicate storage medium that matches the manufacturer's size and model
Acquiring an Image of evidence media
First rule: Preserve the original evidence
Conduct your analysis only on a copy of the data
Vendors provide acquisition tools
Windows tools require a write-blocking device when acquiring FAT or NTFS
What counts as a complete job of getting the data?
Deleted files
File fragments
complete files
Program used to recover deleted files?
Autopsy
Steps to analyze a USB drive
Start Autopsy
Create a new case
Type the case name
Select the working folder
Steps to add source data
Select data source type
Select image file
Keep the default settings in the Configure Ingest Modules window...
Steps to display the contents of the acquired data
Click to expand Views, File types, By Extension, and Documents
Select the file to display
tag and comment
New Tag Name
What is the goal in analyzing the data?
Search for information related to the complaint
Data analysis can be a time-consuming task
Autopsy
Search for keywords
Display results
Click each file in the search results
export data
Search for specific filenames
Generate a report of all your activities
Additional features of Autopsy
Display binary (nonprintable) data in the content viewer
Learn how to use Autopsy to build a report
Make sure you include the Autopsy program findings in your report
Why is repeatability so important?
Proves that it is not an intermittent result.
Why use a template?
Standardizes the report and gives you a form/log that you can critique or edit over time.
Report objectives are findings of conclusive evidence.
Suspect did or did not commit crime.
Important: Keep a written journal of everything
Remember your notes can be used in court
Answer the six W's (who, what, when, where, why, and how)
Requirement: You must also be able to explain the workings of the computer and network processes
Autopsy Report Generator:
HTML
Excel
Text
Steps for Industrial Espionage
Gather all personnel and brief
Organize resources
Place surveillance systems at key locations
Discreetly gather any additional evidence
Collect all log data
Report regularly to management
Review investigation's scope and report.
Skilled interviewer and interrogator
Interview: get facts to support
Interrogation: Process of trying to get a suspect to confess

Interview and interrogations in High-Tech Investigations

Role as digital investigator
To instruct the investigator on what to ask and what the answers should be.
What are the ingredients for a successful interview or interrogation?
Patience
Repeating or rephrasing question to zero in on specific facts.
Tenacity

Understanding Data Recovery using Workstations and Software

Data recovery
The customer just wants their data back, vs. forensics, which needs evidence
Forensic workstations
Specifically configured PC or Apple
Has special bays and forensic software
How do you protect the evidence?
Write-blockers are used, which protect the evidence data during boot
What are the basic requirements for a digital forensics workstation?
Windows 7 or later
Write-blocker
Digital evidence software to capture data
Digital forensics analysis tool
Target drives
Spare PATA and SATA ports
Extra USB ports

Important Step: Critiquing the Case

What questions should you ask?
Performance: how could you improve your overall techniques?
Did the case develop the way you wanted it to? (Watch for bias.)
Documentation: was it thorough?
Requesting source: did you get any feedback, positive or negative?
New enlightening problems that can be logged and discussed.
Did you introduce new techniques, and if so, how did they work out?

Summary

  • Digital forensics involves systematically accumulating and analyzing digital information for use as evidence in civil, criminal, and administrative cases
  • Investigators need specialized workstations to examine digital evidence
  • Public-sector and private-sector investigations differ; public-sector typically require search warrants before seizing digital evidence
  • Internet abuse investigations require examining server log data
  • For attorney-client privilege cases, all written communication should remain confidential
  • A bit-stream copy is a bit-by-bit duplicate of the original disk
  • Always maintain a journal to keep notes on exactly what you did
  • You should always critique your own work

Chapter Two Lab: Download and Try Autopsy (March 20, 2020)

I created a lab on using Autopsy

  • Went to https://www.autopsy.com/download/ and downloaded the Autopsy MSI for 64-bit Windows
  • Autopsy file types

  • You need to create a case before you can analyze data in Autopsy. A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers. Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generate. The main Autopsy case configuration file has an ".aut" extension.
  • Companion Web site address for Lab Files
  • Finish Chapter one lab for George Montgomery investigation using Autopsy: George Montgomery Report

Chapter Two

Terms

ANSI-ASQ National Accreditation Board (ANAB)
Provides accreditation of crime and forensics labs worldwide
Accreditation includes forensics labs that analyze digital evidence
Audits lab function and procedures
business case
The process of documenting a plan to meet the needs of management or the public. The goal of the business case is to acquire newer and better resources to investigate digital forensics cases. Public agencies don't always have to prove cost recovery.
Certified Computer Examiner (CCE)
Sponsored by the International Society of Forensic Computer Examiners.
Certified Cyber Forensics Professional (CCFP)
Program sponsored by (ISC)² which requires knowledge of digital forensics, malware analysis, incident response, and e-discovery
Certified Forensic computer Examiner (CFCE)
Candidates who successfully complete the IACIS-sponsored test are designated as a Certified Forensic Computer Examiner. Requires recertification every three years
configuration management
digital forensics lab
High Tech Crime Network (HTCN)
Offers several levels of certification. HTCN requires a review of all related training, including training in one of its approved courses, and a review of the candidate's work history. Certifications include Certified Computer Crime Investigator (Basic and Advanced) and Certified Computer Forensic Technician (Basic and Advanced)
risk management
Risk management involves determining how much risk is acceptable for any process or operation. For example, a criminal forensics lab is at higher risk than a corporate forensics lab, and a regional lab might require more security to manage risk than a small local lab.
secure facility
TEMPEST
Uniform Crime Report

Review Questions

1. An employer can be held liable for e-mail harassment. True or False?
True
2. Building a business case can involve which of the following?
b. All of the above: procedures for gathering evidence, testing software, and protecting trade secrets.
3. The ANAB mandates the procedures established for a digital forensics lab. True or False?
True, ANAB audits lab functions and procedures
4. The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply.) a. Making necessary changes in lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives d. None of the above
d. None of the above
6. What items should your business plan include?
7. List two popular certification programs for digital forensics.
8. Why is physical security so critical for digital forensics labs?
To protect the integrity of the evidence and prevent destruction and the losing evidence.
9. If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log.
False
10. What three items should you research before enlisting in a certification program?
11. Large digital forensics labs should have at least ________ exits.
2
12. Typically, a(n) ________ lab has a separate storage area or room for evidence.
regional forensics lab
13. Digital forensics facilities always have windows. True or False?
False
14. Evidence storage containers should have several master keys. True or False?
False
15. A forensic workstation should always have a direct broadband connection to the Internet. True or False?
False
16. Which organization provides good information on safe storage containers?
NISPOM
17. Which organization has guidelines on how to operate a digital forensics lab?
18. What term refers to labs constructed to shield EMR emissions?
TEMPEST
What is the preferred workstation for a forensic investigation?
State-of-the-art processors with large cache, at least 32 GB of RAM or more, secondary SSD drives, USB 3, and SATA hard disks. A slower workstation can be used for more mundane tasks.
What resource is important to recovering unusual systems?
Online resources such as blogs and forums. You can also subcontract the work to larger forensics labs that have more resources.
What is a key resource for forecasting workloads?
Criminal statistics collected in relation to population variables and the census. Crimes can be quantified by ratios drawn from known population studies and counts.
Are laptops now powerful enough to aid in forensic investigations?
Yes and provide a tool that can be used outside of the lab. Laptops can get images in the field.
Does the use of laptops increase the attack surface of a forensic lab?
Yes, laptops can be easily stolen when they are outside of the lab.
What helps a workstation crack passwords?
Multiple graphics processing units (GPUs)
Why is it important to plan for a Disaster recovery?
You are exposed to physical problems like lightning strikes, water damage, and fires. A good offsite backup policy is important, as is the ability to deal with viruses introduced to your network from the external devices you are examining.
What is configuration management?
This provides the status of your system configurations. Configuration management also provides version control. Documenting changes is essential. You could use a program to capture system state and configuration status; Belarc is suggested by the author, which inventories applications, hardware, and system configurations. A database can help, or at least a handwritten log.

Chapter Three

Key Terms

Advanced Forensic Format (AFF)
An open-source format that has many desirable options such as compression, segmented volumes, extensibility, a file extension for metadata, and authentication routines.
host protected area (HPA)
live acquisitions
With live acquisitions, file metadata such as date and time values changes when read by an acquisition tool.
Logical acquisition
raw format
A bit-by-bit copy from one disk to another disk of the same size or larger. The copy technique creates simple sequential flat files of a suspect drive or data set.
redundant array of independent disks (RAID)
sparse acquisition
static acquisitions
In a static acquisition, the data is not accessed by other processes that could change it. When you make a second static acquisition, you produce the same results.
whole disk encryption

Review Questions

1. What's the main goal of a static acquisition?
The goal is to preserve the digital evidence so that it can be verified.
2. Name the three formats for digital forensics data acquisitions.
3. What are two advantages and disadvantages of the raw format?
The advantages of raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. The majority of tools read raw data, making it the standard capturing technique.
Some disadvantages: raw format takes a lot of disk space. Marginal data that is not easy to read without multiple passes is not read well by cheaper freeware software. Commercial products reread bad sectors and data, which gives the investigator more data to work with. That data could have been deleted or intentionally compromised in an attempt to hide it.
4. List two features common with proprietary format acquisition files.
The analysis tool can be programmed with more options for working with the format, and proprietary acquisition tools are usually better at recovering weakly readable data.
Is it wise to verify reads from several different vendors to ensure you are getting all the data possible in raw format?
Yes testing and reverifying reads support the integrity of your data.
How do commercial products work to give the investigator a higher level of confidence?
They compute a Cyclic Redundancy Check (CRC32) and hashes with Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1 or later) over the data. With raw format the hash is stored in a separate file alongside the image, since a raw image is an exact duplicate of the drive and cannot carry its own metadata; keep that hash file with the image so the copy can be reverified later.
What is a Proprietary format and why would it be used when you can use a standard raw format?
Proprietary formats let the vendor extend the image with features (compression, segmenting, metadata) and integrate it with the other analysis tools in that vendor's suite.
What are some of the features or options that a Proprietary format can offer?
1. The option to compress the image
2. The option to split an image into segments, with data integrity checks on each segment
3. The ability to add or integrate metadata (case details, hashes, acquisition notes) into the image file
What is another disadvantage of proprietary format acquistions?
Proprietary image files generally cannot be opened by other vendors' tools because of the proprietary format and file extension, so sharing images between tools is harder.
Expert Witness Compression format (EnCase) is currently the unofficial standard. What file extension does it use for the segments (volumes) it produces?
.E01 for the first segment, with the number incremented (.E02, .E03, ...) for each additional segment.
What is the "Advanced Forensic Format"?
It is an open source format for acquiring (copying) data:
It can produce compressed or uncompressed image files
No size restriction for disk-to-image files
Simple design that can be extended
Compatible with multiple computing platforms
Has an internal consistency-checking process for self-verification
How are file extensions different for segmented files and metadata using the "Advanced Forensic Format"
.afd for segmented and .afm for metadata.
What is the preferred way to acquire data?
Static acquisition is preferred over live acquisition. If the computer uses whole disk encryption, however, a live acquisition may be the only practical way to acquire readable data: the decryption key is available only while the OS is running and the user is logged in, so an image of the powered-off drive contains only ciphertext.
What are the four methods of data acquisition?
Creating a disk to image file
disk to disk copy
logical disk to disk or disk to data file
creating a sparse copy of a folder or file
What is the most common method for duplicating data?
Creating a disk-to-image file. It provides the most flexibility for the investigation: the bit-for-bit image can be read by most analysis tools and copied as many times as needed.
How are older drives a problem when copying?
When a disk-to-image copy is not possible (hardware or software errors or incompatibilities, more common with older drives), a disk-to-disk copy is used, and the target disk's geometry (its cylinder, head, and track configuration) might have to be adjusted to match the source.
Copying Data from a large drive can take a long time and might not be feasible. What might you do to mitigate the problem?
You can use a logical acquisition, in which you capture only specific files of interest (for example, e-mail files or a particular folder).
A sparse acquisition is similar, but also collects fragments of unallocated space, including deleted data.
Lossless compression versus lossy compression.
Lossy compression can change data. Lossless compression does not change data.
What is a good way to confirm lossless compression?
Use a hash on the file before and after it is compressed. It is advisable to use two different hashes
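As an added example (not from the textbook or these notes), the following Python script carries out the checks described above: a raw image is split into fixed-size segments the way EnCase .E01/.E02 or AFF .afd segments are, each segment and the whole image are hashed with two independent algorithms plus CRC32, the segments are compressed losslessly and decompressed, and the hashes are compared before and after. The sample "drive" is constructed seeded random data, not real evidence; the 64 KiB segment size and the manifest layout are my own choices.

```python
import hashlib
import random
import zlib

SEGMENT_SIZE = 64 * 1024  # assumed segment size; real tools use hundreds of MB


def make_sample_drive(size=200 * 1024, seed=7):
    """Constructed 'drive' contents: seeded pseudo-random bytes, not real evidence."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(size))


def digests(data):
    """CRC32 plus two independent hashes, as the notes recommend."""
    return {
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def split_segments(data, segment_size=SEGMENT_SIZE):
    """Split a raw image into fixed-size segments (like .E01/.E02... or .afd files)."""
    return [data[i:i + segment_size] for i in range(0, len(data), segment_size)]


def build_manifest(segments):
    """The separate integrity record: per-segment digests plus whole-image digests."""
    return {
        "segments": [dict(index=i, size=len(s), **digests(s))
                     for i, s in enumerate(segments)],
        "image": digests(b"".join(segments)),
    }


def compress_segments(segments):
    return [zlib.compress(s, 9) for s in segments]


def decompress_segments(blobs):
    return [zlib.decompress(b) for b in blobs]


def verify_segments(segments, manifest):
    """Return the indices of segments whose size or digests no longer match."""
    bad = []
    for entry, seg in zip(manifest["segments"], segments):
        d = digests(seg)
        if len(seg) != entry["size"] or any(d[k] != entry[k] for k in d):
            bad.append(entry["index"])
    if len(segments) != len(manifest["segments"]):
        bad.append("segment-count")
    return bad


def lossless_roundtrip_ok(data, segment_size=SEGMENT_SIZE):
    """Hash, compress, decompress, hash again: lossless iff every digest matches."""
    segs = split_segments(data, segment_size)
    manifest = build_manifest(segs)
    restored = decompress_segments(compress_segments(segs))
    return (verify_segments(restored, manifest) == []
            and digests(b"".join(restored)) == manifest["image"])


def tamper(segments, index, offset):
    """Flip one bit in one segment, simulating a bad read or deliberate alteration."""
    seg = bytearray(segments[index])
    seg[offset] ^= 0x01
    out = list(segments)
    out[index] = bytes(seg)
    return out


if __name__ == "__main__":
    drive = make_sample_drive()
    segs = split_segments(drive)
    manifest = build_manifest(segs)
    print("segments:", len(segs), "lossless round trip:", lossless_roundtrip_ok(drive))
    print("failed segments after a 1-bit change:",
          verify_segments(tamper(segs, 1, 10), manifest))
```

The manifest is kept apart from the image on purpose: that is exactly the raw-format situation described above, where the hash file must travel with the image. Flipping a single bit in one segment is caught by all three checks at once, and only that segment is reported, which is why segmented images with per-segment hashes are easier to re-acquire partially than one monolithic file.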
What is a drive's HPA?
It is the Host Protected Area of the disk.
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. Check the vendor's documentation to see whether its tool can copy a drive's HPA. If not, consider using a hardware acquisition tool that can access the drive at the BIOS level, such as Belkasoft or ILookIX IXImager with a write-blocker, Image MASSter Solo, or X-Ways Replica. These tools can read a disk's HPA.
A note about copying data from an HPA.
Although many digital forensics vendors have improved their acquisition tools, some older Windows and Linux tools (such as the dd or dcfldd commands) can't acquire data from a disk's HPA.
What problems arise with newer operating systems in copying disk?
Newer versions of Windows support whole disk encryption with BitLocker. A static image of an encrypted drive contains only ciphertext, so you need the recovery key or must do a live acquisition while the volume is unlocked.
Describe Mini-WinFE Boot CDs and USB drives and how they function.
Mini-WinFE builds a Windows PE-based forensic boot CD or USB drive that, through a registry change, does not automatically mount attached drives as writable, so it acts as a software write-blocker while you acquire the drive.
Linux also provides live CDs built for digital forensics, which boot without automatically mounting the suspect drive.

Chapter Four

Key Terms

computer-generated records
Not hearsay. Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates.
computer-stored records
These are records that a person creates. Computer-generated and computer-stored records must also be shown to be authentic and trustworthy to be admitted into evidence. Computer-generated records are considered authentic if the program that created the output is functioning correctly. These records are usually considered exceptions to the hearsay rule. For computer-stored records to be admitted into court, they must also satisfy an exception to the hearsay rule, usually the business-record exception, so they must be authentic records of regularly conducted business activity. To show that computer-stored records are authentic, the person offering the records must demonstrate that a person created the data and the data is reliable and trustworthy—in other words, it wasn’t altered when it was acquired or afterward.
covert surveillance
cyclic Redundancy Check (CRC)
digital evidence
Information stored or transmitted in digital form. Digital data is treated like a tangible object for evidentiary purposes.
evidence-response field kit
Two kinds: the initial-response field kit, which is lightweight and easy to carry to the scene, and the extensive-response field kit, a fuller set of tools and supplies kept in the vehicle for larger or unusual scenes.
hash value
There are three rules for forensic hashes (based on work by Wang Xiaoyun and her associates from Beijing's Tsinghua University and Shandong University of Technology): you can't predict the hash value of a file or device; no two different files or devices should produce the same hash value (collisions for MD5 and SHA-1 have been produced in research, which is why examiners record a second, stronger hash such as SHA-256 as well); and if anything changes in the file or device, the hash value must change.
hazardous material (HAZMAT)
initial-response field kit
See above
limiting phrase
low-level investigations
Most cases in the private sector are considered low-level investigations, or noncriminal cases. This doesn't mean private-sector investigations are less important; it means they require less effort than a major criminal case.
Message Digest 5 (MD5)
National Institute of Standards and Technology (NIST)
nonkeyed hash set
Unique hash number generated by a software tool
person of interest
plain view doctrine
probable cause
professional curiosity
Evidence is commonly lost or corrupted because of professional curiosity, which involves the presence of police officers and other professionals who aren't part of the crime scene–processing team. They just have a compelling interest in seeing what happened, but their presence could contaminate the scene directly or indirectly. Keep in mind that even those authorized and trained to search crime scenes can alter the scene or evidence inadvertently.
Scientific Working Group on Digital Evidence (SWGDE)
Sets standards for recovering, preserving, and examining digital evidence.
Secure Hash Algorithm version 1 (SHA-1)
sniffing
Real-time surveillance requires sniffing data transmissions between a suspect's computer and a network server. Network sniffer tools, such as Wireshark, allow network administrators and others to determine what data is being transmitted over the network.

Chapter four review questions

1. Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?
b. The investigator doesn't have to get a warrant
2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a privatesector investigator can conduct covert surveillance on an employee with little cause.
True
4. As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.)
After you discover illegal activity and document and report the crime, stop your investigation to make sure you don’t violate Fourth Amendment restrictions on obtaining evidence. If the information you supply is specific enough to meet the criteria for a search warrant, the police are responsible for obtaining a warrant that requests any new evidence. If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. Instead, consult with your organization’s attorney on how to respond to a police request for information. The police and prosecutor should issue a subpoena for any additional new evidence, which minimizes your exposure to potential civil liability. In addition, you should keep all documentation of evidence collected to investigate an internal company policy violation. Later in this section, you learn more about using affidavits in an internal investigation.
5. The plain view doctrine in computer searches is well-established law.
6. If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?
Some cases involve dangerous settings, such as a drug bust of a methamphetamine lab or a terrorist attack using biological, chemical, or nuclear contaminants. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
7. What are the three rules for a forensic hash?
8. In forensic hashes, when does a collision occur?
When two different files or devices produce the same hash value.
9. List three items that should be in an initial-response field kit.
To manage your tools, consider creating an initial-response field kit and an extensive-response field kit. Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene. Your initial-response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
10. When you arrive at the scene, why should you extract only those items you need to acquire evidence?
11. Computer peripherals or attachments can contain DNA evidence. True or False?
True. Keyboards, mice, and other handled peripherals can carry fingerprints and DNA, so handle them with gloves.
12. If a suspect computer is running Windows 10, which of the following can you perform safely?
13. Describe what should be videotaped or sketched at a digital crime scene.
14. Which of the following techniques might be used in covert surveillance? (Choose all that apply.)
15. Commingling evidence means what in a private-sector setting?
protecting confidential business data that could be included with the criminal evidence (called "commingled data").
16. List two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1 (with SHA-256 or later now preferred alongside them).
17. Small companies rarely need investigators. True or False?
False. Policy violations and incidents happen in companies of every size.
18. If a company doesn't distribute a computing use policy stating an employer's right to inspect employees computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
True
19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
20. You should always answer questions from onlookers at a crime scene. True or False?
False. Refer onlookers and the media to the person in charge of the scene.

My Questions for Chapter Four

What are the general tasks investigators perform when working with digital evidence?
Identify digital information or artifacts that can be used as evidence.
Collect, preserve, and document evidence
analyze, identify, and organize evidence
Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
How do procedures for civil evidence compare to criminal evidence?
Apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime to comply with your state’s rules of evidence or with the Federal Rules of Evidence (FRE).
What is the difference between [computer-generated records] and [Computer-stored records]
Computer-generated records (CGR) are produced by a computer process or program (log files, proxy logs); computer-stored records (CSR) are content a person creates, such as a letter or spreadsheet.
How are computer-generated records admitted as an exception to hearsay?
The party offering them must show that the program that produced the output was functioning correctly and that the output was not altered.
How are computer-stored records admitted as an exception to hearsay?
Through an exception to the hearsay rule, usually the business-record exception: they must be shown to be authentic records of regularly conducted business activity, created by a person, reliable, trustworthy, and not altered when acquired or afterward.
What is the "plain view doctrine"?
The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be met: The officer is where he or she has a legal right to be. Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars. Any discovery must be by chance. For the officer to seize the item, he or she must have probable cause to believe the item is evidence of a crime or is contraband. In addition, the police aren't permitted to move objects to get a better view. In Arizona v. Hicks (480 U.S. 321, 1987), the officer was found to have acted unlawfully because he moved stereo equipment, without probable cause, to record the serial numbers. The plain view doctrine has also been expanded to include the subdoctrines of plain feel, plain smell, and plain hearing.

Steve Gibson Security Now

March 27, 2020, Adobe Font zero day

rename adobe font prevents exploit

Phishing Help

Survey on TLS version usage

Testing SSL, TLS with browser. Browser test on the fly

SSL, TLS and browser checks

Chapter Five

Key Terms

alternate data streams
An NTFS feature that lets a file carry additional named data streams (for example file.txt:hidden) besides its main data. Alternate streams don't show in normal directory listings or file sizes, so they can be used to hide data; examiners should check for them.
American Standard Code for Information Interchange (ASCII)
A 7-bit character code (stored in an 8-bit byte; a byte is eight bits, each a 0 or 1) that maps numeric values to letters, digits, punctuation, and control characters, usually shown in hex tables (0x41 is 'A'). Extended 8-bit character sets and, later, Unicode extend it to other languages and symbols.
areal density
The number of bits per square inch of a platter; higher areal density packs more data into the same area.
attribute ID
In an NTFS MFT record, a code that identifies an attribute type, for example 0x10 $STANDARD_INFORMATION, 0x30 $FILE_NAME, and 0x80 $DATA. Each MFT record is made of such attributes, each with its own ID, length, and contents.
Boot.ini
A text file on older NT-based Windows (NT/2000/XP) that lists the installed operating systems and boot options shown in the boot menu.
BootSect.dos
A hidden file that holds the boot sector of a previous OS (for example MS-DOS or Windows 9x) on a dual-boot system so Ntldr can start it.
bootstrap process
The firmware (BIOS, or UEFI on newer systems) stored in ROM runs the power-on self-test, initializing and checking hardware such as memory, keyboard, display, and storage; its settings are kept in CMOS. It then loads the boot code from the boot device (the MBR on BIOS systems), which in turn loads the operating system.
clusters
Groups of one or more sectors that the OS allocates to files as a unit; cluster sizes range from 512 bytes to 32 KB (larger on some volumes). Clusters are numbered sequentially starting at 0 in NTFS and at 2 in FAT. Clusters are logical addresses assigned by the OS; sectors are the drive's physical addresses. The first sectors of a partition hold the system area: the boot record and the file system's structures (the FAT or the MFT).
cylinder
The set of tracks at the same position on every platter surface of a drive (one track per head).
data runs
An NTFS feature for nonresident files, that is, files too large to fit in their MFT record (roughly larger than 512 bytes of data). The MFT record holds a list of cluster addresses (the data runs) giving where the file's contents are stored on the partition.
device drivers
Software that lets the OS manage (drive) a specific piece of hardware; each device has a driver written for it.
file slack
The unused space between the end of a file's data and the end of the last cluster allocated to it. Data from previously deleted files can remain there and be recovered with forensic tools.
Encrypting File System(EFS)
A security feature added to NTFS. Each file is encrypted with a random symmetric file encryption key; that key is then encrypted with the user's public key and stored with the file, and the user's private key (held in the user's profile, usually with a copy available to a recovery agent) decrypts it. The public key is published in the user's EFS certificate. Without the private key or a recovery agent's key, the file contents cannot be decrypted.
File Allocation Table (FAT)
The table in a FAT file system that records which clusters each file occupies and which clusters are free; directory entries point to a file's starting cluster and the FAT chains the rest.
file systems such as FAT16, FAT32, and NTFS in Windows
A file system is the structure that gives the OS a consistent way to store and retrieve files: how the disk is divided into clusters, where file names and metadata live, and limits such as maximum file and volume size. A disk is laid out differently under different file systems, and each file system offers different features. NTFS (New Technology File System) supports larger volumes and adds security features (permissions, encryption, journaling) that FAT lacks.
geometry
Logical organization of cylinders, heads and sectors on disk
Hal.dll
The Windows Hardware Abstraction Layer, a dynamic link library (DLL) that hides hardware differences from the kernel. A DLL is a versioned shared library that many programs and the OS load at run time for common functions (for example keyboard handling), which is why it is called linked. Because DLLs are versioned, an update to a shared DLL can break an application that depended on the older version ("DLL hell"); containerized packaging is one response to that problem.
head
The read/write element that floats over a platter surface; the heads move together across the concentric tracks.
head and cylinder skew
An offset in the numbering of sectors between adjacent tracks (head skew) or cylinders (cylinder skew) so that the next sector is under the head after the head switch or seek completes, avoiding a wasted full rotation.
High Performance File Sytem (HPFS)
Info2 file
ISO image
An image file of an optical disc's file system (ISO 9660). It can be bootable, and virtual machines commonly boot from ISO images.
logical addresses
logical cluster numbers (LCNS)
The OS numbers the clusters of a volume sequentially, starting at 0, as logical cluster numbers (LCNs). LCNs are the addresses the MFT uses to link to nonresident files (file data stored outside the MFT) on the partition. Within a file, the clusters are numbered relative to the file as virtual cluster numbers (VCNs), also starting at 0, and the data runs map each VCN range to its LCN.
Master Boot Record (MBR)
Sector 0 of the disk, holding the boot code and the partition table. On an NTFS volume the first data set after the MBR is the partition boot sector, followed by the MFT.
Master File Table (MFT)
metadata
data attached to the folder or file and read from properties
NTBootdd.sys
Allow the system to communicate with the SCSI or ATA drives
NTDetect.com
16 bit real mode program that queries the device and configuration data and passes it to NTldr
NT File System (NTFS)
A journaling file system: it logs transactions such as file creation, saving, and deletion, so after a power failure it can roll back to a consistent state. NTFS results in less file slack than FAT. File names are stored in Unicode (UTF-16) rather than 8-bit ASCII. The first 16 records in the MFT are metadata files that describe the file system itself.
NT Loader (Ntldr)
Loads the operating system
Ntoskrnl.exe
Operating system kernel which the instruction sets talk to.
one-time passphrase
Pagefile.sys
partition
A logical drive. An MBR disk can have up to four primary partitions, or three primary partitions plus an extended partition that contains one or more logical drives. Someone can hide data on a hard drive using hidden partitions: shrinking a partition leaves unpartitioned space where data can be placed, and a partition can be created and then have its drive letter removed so it doesn't appear in Explorer. Each formatted partition is assigned a drive letter (C, D, E, ...); A and B are reserved for legacy floppy drives.
Partition Boot Sector
The first sector of a partition, containing the file system's boot code and parameters (such as sectors per cluster). Malware has long targeted this area and the MBR because code there runs before the OS.
personal identity information (PII)
Information that identifies a person. File metadata (author name, camera used, dates/times, geolocation) often contains PII, which is both useful to the examiner and a privacy exposure for the file's creator.
physical addressses
The drive's own addresses for sectors (CHS or LBA), as opposed to the logical cluster addresses the OS assigns.
private key
Half of an asymmetric (public/private) key pair. The private key is kept secret by its owner and decrypts what the matching public key encrypted. Asymmetric cryptography uses a key pair; symmetric cryptography uses one shared key.
public key
The other half of the key pair. It is distributed openly (usually in a certificate) so anyone can encrypt to the key owner.
ram slack
Sectors make up clusters. When a file's last sector is not completely filled, the space between the end of file (EOF) and the end of that sector is RAM slack. In the book's example a 5,000-byte file occupies ten 512-byte sectors (5,120 bytes), leaving a 120-byte void in the last sector. Older Microsoft OSs filled that void with whatever was in RAM at the time, so logon IDs or passwords could end up on disk; Windows 7 and later fill it with zeros. The remaining unused sectors up to the end of the cluster are file (drive) slack, where fragments of deleted files, e-mails, and passwords are often found.
recovery certificate
Registry
windows database for configuration
resilient file System (ReFS)
An outgrowth of NTFS designed for large-scale data storage. It adds integrity checksums and an allocate-on-write (shadow paging) update scheme that never overwrites metadata in place.
sector
A section of a track, the smallest addressable unit on the drive; traditionally 512 bytes, 4,096 bytes on newer Advanced Format drives.
track density
The spacing between tracks on a platter; the smaller the spacing, the more tracks (and data) fit on the platter.
tracks
concentric tracks along the round magnetic plates
unallocated disk space
Space on a volume that is not currently allocated to any file, including clusters freed when files are deleted; deleted data stays there until overwritten. (Unpartitioned space, outside any partition, is a separate thing.)
Unicode
A standard character set that assigns a number to every character of every written language (plus symbols), extending ASCII so that text from any language can be stored and translated back to human-readable form.
UTF-8 (Unicode Transformation Format)
A variable-length encoding of Unicode, one to four bytes per character, that is backward compatible with 7-bit ASCII; it is the dominant encoding on the web.
virtual cluster number (VCN)
A cluster's number relative to the file it belongs to (VCN 0 is the file's first cluster), which data runs map to LCNs so that a fragmented file reads as one continuous sequence.
virtual hard disk (VHD)
A file that represents a complete disk, including its partition table and file systems, stored on the host's file system. The guest OS treats it as a physical drive; an examiner can mount or image a VHD like any other disk.
virtual machines
Software emulation of a computer, each with its own virtual disk and OS, run under a virtual machine manager (hypervisor) on the host. Several VMs with different operating systems can be stored on one host volume and booted on demand.
wear-leveling
zone bit recording (ZBR)
How most manufacturers deal with the fact that inner tracks are shorter than outer tracks: tracks are grouped into zones, and outer zones are given more sectors per track than inner zones, so platter space isn't wasted. Tracks within the same zone hold the same amount of data.
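The MBR and hidden-partition entries above can be checked with a small parser. This is an added example, not code from the textbook: it builds a constructed 512-byte MBR with two partitions on a 1 GiB disk, parses the four 16-byte partition entries at offset 446, validates the 0x55AA signature, and reports any sectors not covered by a partition (where hidden data could sit). The disk size and the two sample partitions are assumed values.

```python
import struct

SECTOR = 512
PARTITION_TYPES = {  # a few common MBR partition type IDs
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_mbr(entries):
    """Constructed MBR for the demo. entries: list of (bootable, type_id, lba_start, sector_count)."""
    sector = bytearray(SECTOR)
    sector[0:2] = b"\xeb\xfe"          # stand-in boot code (jmp $)
    for i, (bootable, ptype, start, count) in enumerate(entries[:4]):
        off = 446 + 16 * i             # partition table starts at offset 446
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start, count)  # little-endian LBA start, size
    sector[510:512] = b"\x55\xaa"      # boot signature
    return bytes(sector)


def parse_mbr(sector):
    """Parse the four 16-byte partition entries; raise if the 0x55AA signature is missing."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, ptype = sector[off], sector[off + 4]
        start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0 and count == 0:  # empty slot
            continue
        parts.append({
            "slot": i, "bootable": boot == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "start": start, "count": count, "end": start + count - 1,
        })
    return parts


def find_gaps(parts, disk_sectors, first_usable=1):
    """Sector ranges not covered by any partition: unpartitioned space that could hide data."""
    gaps, cursor = [], first_usable
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


# Constructed layout: a 1 GiB disk (2,097,152 sectors) with an NTFS system partition
# starting at the usual 1 MiB alignment and a FAT32 partition that does not reach the end.
DISK_SECTORS = 2 * 1024 * 1024
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 1024000), (False, 0x0B, 1026048, 500000)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("unpartitioned ranges:", find_gaps(parts, DISK_SECTORS))
```

On a real image you would read sector 0 with a write-blocked device and feed those 512 bytes to parse_mbr. The first gap (sectors 1 to 2047) is the normal alignment gap after the MBR, and boot-sector malware has historically used it; the second gap, at the end of the disk, is the kind of unpartitioned space a hidden partition or shrunk volume leaves behind, so it deserves a look with a hex viewer or carving tool. A type of 0xEE means the disk is really GPT and this table is only a protective placeholder.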

Review Questions

What size are sectors in bytes?
Traditionally 512 bytes; newer Advanced Format drives use 4,096-byte sectors. The file system groups sectors into clusters.
CHS?
What is zone bit recording?
Areal density?
Clusters in Windows always begin at what number?
0 (NTFS logical cluster numbers start at 0; in FAT the first data cluster is number 2).
How many sectors in a cluster?
It varies with the volume size and file system; sectors per cluster is fixed when the volume is formatted.
List three items stored in the fat database
file names, directory names, date and time stamps, the starting cluster number and file attributes (archive, hidden, system, and read-only
Ntuser.dat file contain?
User-protected storage area; containsthe list of most recently used files and desktop configuration settings
In FAT32, a 123 KB file uses how many sectors?
Assuming 512-byte sectors: 123 KB is 125,952 bytes, and 125,952 / 512 = 246 sectors.
What is the space on a drive called when a file is delected?
Unallocated (free) space. Slack is the unused space at the end of an allocated cluster; deleted files go back to unallocated space, where their data remains until overwritten.
List two features NTFS has that FAT does not?
Encryption (EFS), journaling, file permissions (ACLs), alternate data streams, and support for much larger volumes and files.
MFT?
Tracks NTFS file information
In NTFS, files smaller than 512 bytes are stored in the MFT? True or False?
True. Such files are resident: their data lives inside the MFT record itself rather than in separate clusters.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
None. Windows 7 and later fill RAM slack with zeros instead of with the contents of memory.
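To make the sector, cluster, RAM slack and file slack arithmetic concrete, here is an added Python example (not from the textbook or these notes). It assumes the conventional 512-byte sector and takes the cluster size in sectors per cluster; the 5,000-byte file is the book's example, the 123 KB file is the review question above, and the other sizes are constructed.

```python
SECTOR = 512  # conventional sector size; Advanced Format drives use 4,096


def sectors_needed(file_size, sector=SECTOR):
    """Whole sectors a file occupies (ceiling division)."""
    return -(-file_size // sector)


def clusters_needed(file_size, sectors_per_cluster, sector=SECTOR):
    """Whole clusters a file occupies."""
    return -(-file_size // (sectors_per_cluster * sector))


def slack(file_size, sectors_per_cluster, sector=SECTOR):
    """Return (ram_slack, drive_slack, file_slack) in bytes.

    ram_slack:   end of file to end of the last sector used (older Microsoft OSs
                 filled this from RAM; Windows 7 and later write zeros)
    drive_slack: unused whole sectors from that sector to the end of the cluster
    file_slack:  the two combined, the region where old deleted data can survive
    """
    if file_size == 0:
        return (0, 0, 0)  # an empty file is allocated no cluster
    used_sectors = sectors_needed(file_size, sector)
    ram_slack = used_sectors * sector - file_size
    allocated = clusters_needed(file_size, sectors_per_cluster, sector) * sectors_per_cluster
    drive_slack = (allocated - used_sectors) * sector
    return (ram_slack, drive_slack, ram_slack + drive_slack)


def total_slack(file_sizes, sectors_per_cluster, sector=SECTOR):
    """Total slack across a set of files, e.g. every file in a directory listing."""
    return sum(slack(n, sectors_per_cluster, sector)[2] for n in file_sizes)


if __name__ == "__main__":
    # Constructed file sizes: the book's 5,000-byte example, the 123 KB review
    # question, and a few typical small files.
    sizes = [5000, 123 * 1024, 1, 4096, 17200]
    for size in sizes:
        print(size, "bytes ->", sectors_needed(size), "sectors,",
              clusters_needed(size, 8), "clusters of 4 KiB, slack:", slack(size, 8))
    print("total slack for the set:", total_slack(sizes, 8), "bytes")
```

Two things the numbers show: a file that exactly fills its sectors (123 KB) has no RAM slack at all but still has drive slack unless it also fills the cluster, and a one-byte file wastes almost a whole cluster, which is why volumes with many small files and large clusters hold so much recoverable slack.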
Virtual cluster number?
Why was EFI boot firmware developed?
To overcome the limitations of the legacy BIOS: EFI/UEFI supports GPT disks larger than 2 TB, a modular driver model, and (with Secure Boot) verification of boot code before it runs.
Device drivers contain what kind of information?
Instructions allowing the operating system to talk to Devices
Which of the following Windows 8 files contains user-specific information? user.dat, ntuser.dat, system.dat, sam.dat
Ntuser.dat, the per-user Registry hive in each user's profile folder.
Virtual machines have which of the following limitations when running on a host computer?
An image of a suspect drive can be loaded on a virtual machine. True or False?
True. The image can be mounted or converted to a virtual disk and booted in a VM, which lets you see the suspect's environment without touching the original.
EFS can encrypt which of the following?
Files and folders on NTFS volumes (not FAT volumes, and not compressed or system files).
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file decrypts.
What is a recovery certificate and how is it handle?
A certificate issued to a designated recovery agent (the EFS Recovery Agent) whose private key can decrypt users' EFS files if their own key is lost. Recovery can be started two ways: through the Windows GUI or from a command prompt with the cipher command.
Whole Disk Encryption
Prevent divulging of data when device stolen.
What is a good third party tool accessing registry?
FTK Registry Viewer, run against Registry hive files (Ntuser.dat, SAM, SYSTEM, SOFTWARE) copied from the suspect image to the examiner's computer.

Chapter Six

Terms

acquisition
brute-force attack
Trying every possible key or password in turn; run against an encrypted file or password hash when dictionary and rainbow-table lookups fail. It is the slowest method but will eventually succeed if the password is short enough.
Computer Forensics Tool Testing (CFTT)
A NIST project that publishes test specifications and test results for forensic tools so examiners can validate them.
extraction
keyword search
National Software Reference Library
A NIST-maintained list of known file hashes for a variety of OSs, applications, and images, used to filter known files out of an examination. It also includes hash values for mobile apps, specifically iOS and Android.
password dictionary attack
Using a list of likely passwords to guess the password. Stored passwords are usually one-way hashes, which cannot be reversed, so the attack hashes each candidate and compares the result to the stored hash.
reconstruction
Recreates a suspect drive to show what happened during a crime or incident. Methods for reconstruction are disk to disk copy, partiiton to partition copy, image to disk copy, image to partition copy, disk to image copy and rebuilding files from data runs and carving.
validation
Confirms that a tool functions as intended (for example, against NIST CFTT test results).
verification
Proves that two sets of data are identical, usually by comparing hash values.
write-blocker
A hardware device or software setting that prevents any write to the evidence drive during acquisition.
Simplest way to duplicate a disk
The simplest method of duplicating a drive is using a tool that makes a direct disk-to-image copy from the suspect disk to the target location.
Shadowing a Drive
Used when time is critical: a parallel (shadow) drive is attached and all writes during the live examination go to it, leaving the original unchanged. Useful in court to show that the evidence was preserved.
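The dictionary and brute-force terms above describe a cracking sequence: look the hash up in a precomputed table, try a word list with mangling rules, then fall back to exhaustive search. As an added example (not code from the textbook), the Python below implements that sequence against SHA-256 password hashes and shows why a per-user salt defeats precomputed tables. The word list, rules, and "stored" hashes are constructed for the demo; real systems should use slow, salted password hashes (bcrypt, scrypt, Argon2), not plain SHA-256.

```python
import hashlib
import itertools
import string


def hash_password(password, salt=b""):
    """Stored form: hex SHA-256 of salt || password. Plain SHA-256 is used only to
    keep the demo fast; real systems should use bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word):
    """Simple mangling rules: as typed, capitalized, common suffixes, basic leetspeak."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2020"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.translate(str.maketrans("aeios", "43105"))
    if leet != word:
        yield leet


def precompute_table(wordlist):
    """A (tiny) precomputed table of unsalted hashes, the idea behind rainbow tables."""
    return {hash_password(cand): cand for word in wordlist for cand in mangle(word)}


def dictionary_attack(target_hash, wordlist, salt=b""):
    """Hash each mangled candidate with the user's salt and compare to the stored hash."""
    for word in wordlist:
        for cand in mangle(word):
            if hash_password(cand, salt) == target_hash:
                return cand
    return None


def brute_force(target_hash, charset, max_len, salt=b""):
    """Exhaustive search up to max_len characters; cost grows as len(charset) ** n."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if hash_password(cand, salt) == target_hash:
                return cand
    return None


def crack(target_hash, wordlist, salt=b"", table=None,
          charset=string.ascii_lowercase + string.digits, max_len=4):
    """The order the notes describe: table lookup, then dictionary, then brute force."""
    if table is not None and not salt and target_hash in table:
        return ("table", table[target_hash])
    found = dictionary_attack(target_hash, wordlist, salt)
    if found is not None:
        return ("dictionary", found)
    found = brute_force(target_hash, charset, max_len, salt)
    return ("brute-force", found) if found is not None else (None, None)


# Constructed demo data: a short word list and three "stored" hashes.
WORDLIST = ["winter", "summer", "password", "forensics"]
TABLE = precompute_table(WORDLIST)
UNSALTED_HASH = hash_password("Summer2020")            # found instantly via the table
SALTED_HASH = hash_password("Summer2020", b"x9Qz")     # table misses; dictionary + salt succeeds
SHORT_HASH = hash_password("ab1", b"x9Qz")             # in no list; brute force finds it

if __name__ == "__main__":
    print(crack(UNSALTED_HASH, WORDLIST, table=TABLE))
    print(crack(SALTED_HASH, WORDLIST, salt=b"x9Qz", table=TABLE))
    print(crack(SHORT_HASH, WORDLIST, salt=b"x9Qz", table=TABLE))
```

The salt is the whole point of the second case: the same password hashed with a different salt gives a different digest, so a table built in advance is useless and every guess has to be recomputed per user. The brute-force fallback is deliberately capped at four characters; each extra character multiplies the work by the charset size, which is why examiners start with dictionaries and mangling rules and reserve brute force for short keys.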

Chapter six Review Questions

1. Forensics software tools are grouped into ______ and ____ applications.
2. According to ISO standard 27037, which of the following is an important factor in data acquisition? (choose all that apply)
Use validated tools. Function categories to check: acquisition, validation and verification, extraction, reconstruction, and reporting. Additional functions are data acquisition from mobile devices, file reconstruction, and string searching.
3. An encrypted drive is one reason to choose a logical acquisition. True or False?
True. Imaging the raw drive yields only ciphertext, so you acquire the files logically (or live) while the volume is unlocked.
4. Hashing, filtering, and file header analysis make up which function of digital forensics tools?
Validation and verification (discriminating known from unknown data).
5. Hardware acquisition tools tyically have built-in software for data analysis? True or False
6. The reconstruction function is needed for which of the following purposes?
To re-create a suspect drive to show what happened during a crime or incident.
7. List three subfunctions of the extraction function.
Data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking or tagging.
8. Data can't be written to disk with a command-line tool. True or False?
False. The Linux dd command, for example, writes a raw image (a flat file the same size as the source drive) from the command line.
Tasks list explained:
  1. Acquisition, with the subfunctions physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, and remote, live, and memory acquisitions.
  2. Validation and verification: validation confirms that a tool is functioning as intended, and verification proves that two sets of data are identical.
  3. Extraction: the recovery tasks, and the most challenging of all the functions to master. Subfunctions of extraction are data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, and bookmarking or tagging.
  4. Reconstruction: re-creates a suspect drive to show what happened during a crime or incident. Methods are disk-to-disk copy, partition-to-partition copy, image-to-disk copy, image-to-partition copy, disk-to-image copy, and rebuilding files from data runs and carving.
  5. Reporting: newer forensics software can put all data formats into one format to make it easier to produce reports. Reporting mechanisms include bookmarking or tagging, log reports, timelines, and a report generator.
Older version of software
Keep older versions...updates could be buggy

Chapter Seven

Terms

allocation block
Apple File System (APFS)
Apple's current file system (macOS 10.13 and later), which protects its metadata with copy-on-write updates so the volume can recover from a crash. Files on macOS can consist of two parts: a data fork, where the file's data is stored, and a resource fork, where file metadata and application information are stored (a structure inherited from HFS).
B + - tree
A balanced tree structure in which all records live in the leaf nodes. HFS+ uses B+-trees to organize the directory hierarchy (the catalog file) and the file block mapping, and file mapping information is stored in two locations: the first extents in the catalog record and any further extents in the extents overflow file.
bad block inode
boot block, superblock, inode block and data block
The boot block (512 bytes or more, depending on how the disk's block size was initialized) contains the bootstrap code. The superblock holds the file system's metadata (size, block size, free-block counts). Inode blocks follow the superblock; an inode is assigned to every file allocation unit and holds the file's metadata and block pointers. Data blocks are where directory contents and file data are stored on the disk drive.
catalog
clumps
data block
data fork
Where Data is stored in the file system
double-indirect pointers
The inode pointer that points to a block of indirect pointers, each of which points to a block of direct pointers to data blocks. Each pointer is 4 bytes, so a 512-byte block holds 128 pointers and a 1024-byte block holds 256.
Extended Format File System (HFS+)
Also called Hierarchical File System Plus; Apple's successor to HFS. The macOS file system lineage is HFS, HFS+, then APFS.
extents overflow file
fourth extended file system (Ext4)
Adds support for volumes larger than 16 TB, extents, and better handling of large files.
hard link
header node
Hierarchical File System (HFS)
index node
indirect pointers
inode blocks
inodes
keychains
used to manage passwords and can be useful to find what applications and files require passwords.
link count
logical block
logical end of file EOF
map node
Master Directory Block (MDB)
All information about an HFS volume is stored in the MDB, which is written when the volume is initialized. A copy of the MDB is also written to the next-to-last block on the volume to support disk utility functions. (HFS+ replaced the MDB with the Volume Header.)
physical EOF
plist files
Property list files (XML or binary) that store preferences and settings for installed applications on a system.
resource fork
The part of an HFS file where metadata and application resources (for example, icons and menus) are stored.
Second Extended File System (Ext2)
Early Linux file system; it has no journal, which is what Ext3 added.
superblock
symbolic links
tarball
An archive file containing one or more files or directories and their contents, created with tar. The .tar archive itself is not compressed; it is usually compressed with gzip, giving a .tar.gz or .tgz extension.
Third Extended File System (Ext3)
Adds journaling to Ext2; the journal records pending writes so the file system can recover after a crash.
triple-indirect pointer
unified logging
The macOS logging system (macOS 10.12 and later). It is accessed with the log command, whose log collect and log show subcommands let a forensics examiner gather and read log data.
Volume Control Block (VCB)
Core Commands
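The Linux file system structures in the terms above (superblock, inodes, direct and indirect pointers), as an added example that is not code from the textbook: a parser for the fields of an ext2/3/4 superblock that an examiner checks first (magic, block size, inode counts), and a function that works out which inode pointer level (direct, single, double or triple indirect) reaches a given logical block of a file. The superblock bytes are constructed for the example; the field offsets and the 12-direct-pointer inode layout are the ext2 on-disk format.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # an ext superblock always starts 1024 bytes into the volume
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53         # little-endian u16 at offset 56 of the superblock
NUM_DIRECT = 12            # ext2/3/4 inode: 12 direct pointers, then single, double, triple indirect
PTR_SIZE = 4               # block pointers are 32-bit


def build_volume(inodes=1280, blocks=5120, log_block_size=0, inode_size=128):
    """Construct a fake volume: an empty boot block followed by a superblock with
    only the fields this example reads filled in (sample data, not a real image)."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<I", sb, 0, inodes)           # s_inodes_count
    struct.pack_into("<I", sb, 4, blocks)           # s_blocks_count
    struct.pack_into("<I", sb, 24, log_block_size)  # s_log_block_size: block size = 1024 << n
    struct.pack_into("<I", sb, 40, inodes)          # s_inodes_per_group
    struct.pack_into("<H", sb, 56, EXT_MAGIC)       # s_magic
    struct.pack_into("<H", sb, 88, inode_size)      # s_inode_size
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb) + bytes(2048)


def is_ext_volume(volume: bytes) -> bool:
    """Quick check for any raw image: is the ext magic where ext puts it?"""
    off = SUPERBLOCK_OFFSET + 56
    return len(volume) >= off + 2 and struct.unpack_from("<H", volume, off)[0] == EXT_MAGIC


def parse_superblock(volume: bytes) -> dict:
    sb = volume[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE or not is_ext_volume(volume):
        raise ValueError("no ext superblock at offset 1024")
    inodes, blocks = struct.unpack_from("<II", sb, 0)
    log_block_size, = struct.unpack_from("<I", sb, 24)
    inodes_per_group, = struct.unpack_from("<I", sb, 40)
    inode_size, = struct.unpack_from("<H", sb, 88)
    return {"inodes_count": inodes, "blocks_count": blocks,
            "block_size": 1024 << log_block_size,
            "inodes_per_group": inodes_per_group, "inode_size": inode_size}


def locate(logical_block: int, block_size: int):
    """Which inode pointer level resolves file block `logical_block`, and the
    index to follow at each pointer table on the way down."""
    n = block_size // PTR_SIZE            # pointers per pointer block (256 for 1024-byte blocks)
    if logical_block < NUM_DIRECT:
        return ("direct", [logical_block])
    lb = logical_block - NUM_DIRECT
    if lb < n:
        return ("indirect", [lb])
    lb -= n
    if lb < n * n:
        return ("double-indirect", [lb // n, lb % n])
    lb -= n * n
    if lb < n ** 3:
        return ("triple-indirect", [lb // (n * n), (lb // n) % n, lb % n])
    raise ValueError("block number beyond what the inode can address")


def max_file_size(block_size: int) -> int:
    """Largest file the 15-pointer inode can describe at this block size."""
    n = block_size // PTR_SIZE
    return (NUM_DIRECT + n + n * n + n ** 3) * block_size


if __name__ == "__main__":
    vol = build_volume()
    print(parse_superblock(vol))
    for lb in (5, 12, 268, 1043, 65804):
        print(lb, locate(lb, 1024))
    print("max file size at 1 KiB blocks:", max_file_size(1024))
```

On a real image the same check works with `dd if=image.dd bs=1 skip=1024 count=1024` piped into a hex viewer: the bytes at offset 56 of that chunk must read `53 EF` for an ext volume.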

Chapter seven Review Questions

1. Explain the differences in resource and data forks used in macOS.
2. Which of the following is the main challenge in acquiring an image of a system running macOS? (Choose all that apply.)
3. To recover a password in macOS, which tool do you use?
4. What are the major improvements in Linux Ext4 file system?
5. How does macOS reduce file fragmentation?
6. Linux is the only OS that has a kernel?
7. Hard links work in only one partition or volume?
8. Which of the following Linux system files contains hashed passwords for the local system? (/etc/shadow)
9. Which of the following describes the superblock's function in the Linux file system?

Chapter Eight Terms

bitmap images
Each pixel value is mapped to a small area on the screen; smaller areas mean higher resolution. A value such as 34F569DA (hex) is one pixel's color.
carving
Another term for salvaging: recovering a file or fragment from unallocated space, file slack or a corrupted area by recognizing the data patterns (headers and footers) that identify or describe the file type.
data compression
Two types: lossless and lossy. Lossy compression discards some of the original data; lossless preserves it. Used to make files more manageable for e-mail and available storage.
demosaicing
Converting a camera's raw sensor data into a standard color image format.
Exchangeable Image File format (Exif)
A standard for metadata embedded in image files (typically JPEG and TIFF) that records the camera make and model, date and time, exposure settings and sometimes GPS coordinates.
fair use
A copyright doctrine that allows limited use of copyrighted material without permission; it does not allow you to resell it.
false positives
Something reported as true that is false
LSB
Least significant bit: the lowest-order bit in a byte. Steganography tools hide data here because changing it alters a pixel's color by at most one step.
lossless compression
Does not delete any data; the file uncompresses to an exact copy of the original.
lossy compression
Discards data; the file cannot be restored to the original.
metafile graphics
Graphics files that combine raster and vector graphics.
MSB
Most significant bit: the highest-order bit in a byte.
nonstandard graphics file formats
Proprietary formats, or standard formats altered to mask their type, that forensics tools may not recognize.
pixels
A single point of a raster image; each pixel holds a color value.
raster images
Images stored as a grid of pixels (for example JPEG and BMP), as opposed to vector images, which are stored as mathematical descriptions.
raw file format
Unprocessed sensor data straight from a digital camera, with a value for each pixel; it is converted to another format by demosaicing.
resolution
High resolution: the most pixels per square inch; low resolution: fewer pixels per square inch. If the data is not there, you can't represent it.
salvaging
Another term for carving. To carve a graphics file's data from file slack space and free space, you should be familiar with the data patterns of known graphics file types. Many digital forensics
standard graphics file formats
.tiff, .tif (Tagged Image File Format), .bmp (Windows bitmap), .gif (Graphics Interchange Format, lightweight), .png (Portable Network Graphics, web), .jpg, .jpeg (Joint Photographic Experts Group), .tga (Truevision Targa)
What is the .tga format?
Truevision Targa (.tga): developed by Truevision Inc. TGA is a file format for images suitable for display on Targa hardware, but it is supported by many applications on a wide range of platforms.
vector formats
Images stored as mathematical descriptions of lines and shapes rather than pixels, so they scale without loss.
vector quantization VQ
Another form of lossy compression, vector quantization (VQ), uses complex algorithms to determine what data to discard based on vectors in the graphics file. In simple terms, VQ discards bits in much the same way rounding off decimal values discards numbers.

Chapter Eight Review Questions

Graphics file stored on a computer can't be recovered after they are deleted? False
When you carve a graphics file, recovering the image depends on which of the following skills?
Reading header information and ctkg
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize
Carving header
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
lossless
When investigating graphics file, you should convert them into one standard format?
false
Digital pictures use data compression to accomplish which of the following goals?
email, smaller manageable files, less storage
The process of converting raw images to another format is called which of the following? demosaicing
In JPEG files, what's the starting offset position for the JFIF label? Offset 6 (after the FF D8 start-of-image marker, the FF E0 APP0 marker and its 2-byte length).
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files?
true
Copyright laws don't apply to Web sites?
false
When viewing a file header, you need to include hexadecimal information to view the image.
true?
When recovering a file with ProDiscover, your first objective is to recover cluster values?
yes, in Windows
Bitmap (.bmp) files use which of the following types of compression? lossless
A JPEG file uses which type of compression?
lossy
Only one file format can compress graphics files?
false
A JPEG file is an example of a vector graphic?
false pixel description vs mathematical equations
Which of the following is true about JPEG and TIF files?
What methods do steganography programs use to hide data in graphics files? insertion and substitution
Some clues left on a drive that might indicate steganography include which of the following?
duplicate files, the same file name with different sizes, changed file extensions, a steganography tool on the computer
What methods are used for digital watermarking?
layering
Why are data structures important to graphics files?
How to find graphic files?
In a digital forensics investigation involving graphics files, you need to locate and recover all graphics files on the suspect drive and determine which ones are pertinent to your case. Because images aren’t always stored in standard graphics file formats, you should examine all files your forensics tools find, even if they aren’t identified as graphics files.
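Header-based identification and carving, which the terms and questions above keep coming back to, as an added example that is not code from the textbook or from ProDiscover: a small carver that scans a constructed disk image for JPEG, PNG and BMP headers, cuts each file out (by footer for JPEG and PNG, by the size field in the header for BMP, which has no footer), and reports where the JFIF label sits inside the carved JPEG. The image, its junk bytes and the three embedded files are all constructed for the example; the signatures are the real ones.

```python
import struct

# Header/footer signatures for footer-delimited formats.
FOOTER_CARVERS = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),                 # SOI ... EOI
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),     # signature ... IEND chunk + CRC
}
BMP_HEADER = b"BM"   # BMP has no footer; the total file size is a u32 at offset 2

# Constructed sample files (not real pictures): a 42-byte JFIF JPEG, a 70-byte BMP, a 41-byte PNG.
_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
         + b"\x12\x34" * 10 + b"\xff\xd9")
_BMP = BMP_HEADER + struct.pack("<IHHI", 70, 0, 0, 54) + b"\x55" * 56
_PNG = (FOOTER_CARVERS["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
        + FOOTER_CARVERS["png"][1])
# Constructed "unallocated space": the files sit between runs of zeros and filler.
SAMPLE_IMAGE = bytes(64) + _JPEG + b"Z" * 32 + _BMP + bytes(16) + _PNG + b"Z" * 8


def identify(data: bytes) -> str:
    """Identify a graphics file from its header, ignoring whatever extension it carries."""
    for name, (header, _footer) in FOOTER_CARVERS.items():
        if data.startswith(header):
            return name
    if data.startswith(BMP_HEADER):
        return "bmp"
    return "unknown"


def carve(image: bytes):
    """Scan for known headers and carve each file out.
    Returns a list of (type, offset, carved_bytes) sorted by offset."""
    found = []
    for name, (header, footer) in FOOTER_CARVERS.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:                      # header with no footer: truncated file
                break
            end += len(footer)
            found.append((name, pos, image[pos:end]))
            pos = image.find(header, end)
    pos = image.find(BMP_HEADER)
    while pos != -1:
        size, = struct.unpack_from("<I", image, pos + 2)
        if 14 < size <= len(image) - pos:      # sanity check the declared size before trusting it
            found.append(("bmp", pos, image[pos:pos + size]))
            pos = image.find(BMP_HEADER, pos + size)
        else:                                  # "BM" in random data, not a real header
            pos = image.find(BMP_HEADER, pos + 2)
    return sorted(found, key=lambda f: f[1])


def jfif_label_offset(jpeg: bytes) -> int:
    """Offset of the JFIF label inside a JPEG (6 for a standard JFIF file)."""
    return jpeg.find(b"JFIF")


if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(f"{kind:5} at offset {offset:4} length {len(data):3} header {data[:8].hex()}")
    jpeg = carve(SAMPLE_IMAGE)[0][2]
    print("JFIF label at offset", jfif_label_offset(jpeg))
    print("renamed file identifies as", identify(jpeg))   # extension is irrelevant
```

Footer-based carving over-collects when a footer byte sequence appears inside unrelated data, and fails when the file is fragmented across non-contiguous clusters; the BMP branch shows why a size field should be sanity-checked against the remaining image before it is trusted.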

Chapter Nine Terms

bit shifting
move bits left or right
block-wise hashing
Hashing each sector (or block) of a known file so you can search for matching sectors elsewhere, for example in deleted files or on another storage device, to tie that file to a suspect's computer.
cover-media
The file (usually an image, audio or video file) that carries a hidden message.
key escrow
A trusted third party holds a copy of an encryption key so data can be recovered if the password or key is lost.
Known File Filter (KFF)
AccessData's database of known file hashes, used to filter out known-good files and flag known-bad ones.
rainbow table
A precomputed table of hashes for large numbers of candidate passwords, used to look up a plaintext from its hash.
salting passwords
Adding random data to a password before hashing so that identical passwords produce different hashes and precomputed tables don't apply.
scope creep
An investigation expands beyond its original scope, often because it finds interesting activity outside that scope.
steganography
Hiding a message inside another file.
stego-media
The cover-media after the hidden message has been embedded in it.

Chapter Nine Review Questions

Which of the following represents known files you can eliminate from an investigation?
Redundant process files (system and application files with known hashes)
For which of the following reasons should you wipe a target drive?
To make sure no data from a previous case (and no malware) remains before you write an image to it. Wiping tools include X-Ways Security, Digital Intelligence PDWipe and WhiteCanyon SecureClean.
The Known File Filter (KFF) can be used for which of the following purposes?
Password recovery is included in all forensics tools?
After you shift a file's bits, the hash value remains the same. false
Which forensic image file format creates or incorporates a validation hash value in the image file?
What happens when an investigation goes beyond the bounds of its original description?
scope creep
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
a hidden partition in the unaccounted-for space
Commercial encryption programs often rely on what technology to recover files if a password or pass phrase is lost? key escrow
Steganography is used for which of the following purposes?
Hide data
The National Software Reference Library provides what type of resource for digital forensics examiners?
known hashes
In steganalysis, cover-media is which of the following?
Rainbow tables serve what purpose for digital forensics examinations?
precomputed password hashes, so a hash can be looked up instead of brute-forced
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length?
True
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
Rainbow tables won't work; each password has to be attacked with its own salt, which makes recovery much harder.
Block-wise hashing has which of the following benefits for forensics examiners? One advantage of using hashes of sectors is that you can look for known file fragments. Once you have the hash you can look for other matches. If it is deleted you can use a sector to look for the file
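Three of the hashing points in this chapter (bit shifting changes a file's hash, block-wise hashing finds a known file's sectors wherever they ended up, and salting defeats precomputed password tables), as one added example that is not code from the textbook or from any forensics tool. The known file, the disk image, the wordlist and the salt are all constructed for the example; the single-round SHA-256 password hash is only to show the salt effect, not a recommendation.

```python
import hashlib

SECTOR = 512


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shift_bits(data: bytes, n: int = 1) -> bytes:
    """Rotate every byte left by n bits. Rotating back by 8-n restores the file,
    but the hash of the shifted file bears no relation to the original's, so a
    known-file hash set will not match it."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


# Constructed known file: 3 sectors of distinct, deterministic content.
KNOWN_FILE = b"".join(hashlib.sha256(bytes([k])).digest() * 16 for k in range(3))
# Constructed disk image: 4 zero sectors, then the first two sectors of the known
# file (as if the file were deleted but its clusters not yet reused), then filler.
IMAGE = bytes(4 * SECTOR) + KNOWN_FILE[:2 * SECTOR] + b"\xaa" * (2 * SECTOR)


def sector_hash_table(known_file: bytes, sector: int = SECTOR) -> dict:
    """Hash every full sector of a known file: hash -> sector index within the file."""
    return {sha256(known_file[i:i + sector]): i // sector
            for i in range(0, len(known_file) - sector + 1, sector)}


def find_fragments(image: bytes, table: dict, sector: int = SECTOR) -> list:
    """Block-wise hashing: walk the image on sector boundaries and report every
    sector whose hash is in the known-file table, as (image_offset, file_sector)."""
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        h = sha256(image[off:off + sector])
        if h in table:
            hits.append((off, table[h]))
    return hits


WORDLIST = [b"password", b"letmein", b"hunter2", b"forensics"]   # constructed


def hash_password(password: bytes, salt: bytes = b"") -> str:
    # Demonstration only: one SHA-256 round. Real systems use a slow, salted KDF
    # (PBKDF2, bcrypt, scrypt, Argon2); the salt effect shown here is the same.
    return sha256(salt + password)


def build_lookup(wordlist) -> dict:
    """Stand-in for a rainbow table: precomputed hash -> plaintext, unsalted."""
    return {hash_password(w): w for w in wordlist}


def crack(stored_hash: str, lookup: dict):
    """Table lookup; returns the plaintext or None when the table has no entry."""
    return lookup.get(stored_hash)


if __name__ == "__main__":
    print("original hash :", sha256(KNOWN_FILE)[:16])
    print("shifted hash  :", sha256(shift_bits(KNOWN_FILE))[:16])
    print("fragments found at:", find_fragments(IMAGE, sector_hash_table(KNOWN_FILE)))
    table = build_lookup(WORDLIST)
    print("unsalted lookup:", crack(hash_password(b"hunter2"), table))
    print("salted lookup  :", crack(hash_password(b"hunter2", b"s4lt"), table))
```

Block-wise matching relies on the file's sectors being stored at the same alignment as the image is scanned; if a fragment starts mid-sector, scan at a finer granularity or hash at the file system's cluster boundaries instead.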

New!! Theme and context

Validating and refining
Identify the investigator's goal and scope, the materials needed, and the tasks to perform.
Basic steps
  1. Wipe the target drive.
  2. Inventory the hardware.
  3. Remove the suspect drive and check the CMOS for the date and time.
  4. Use a tool to image the drive and record the hash type and value.
  5. Process the data methodically and logically.
  6. List the directory hierarchy and note each item's relationship to the target evidence.
  7. Start at the root and examine all evidence.
  8. Attempt to break passwords and encryption.
  9. Identify the function of binary or .exe files; note system files that are out of place.
  10. Maintain control of all evidence and findings. Document everything.
Advanced hexadecimal editors have many features not available in digital forensics tools, such as hashing specific files or sectors.

Chapter Ten Terms

Defense in depth (DID)
Layered defenses: outer, middle, inner.
Distributed denial-of-service (DDoS)
Continuous requests from many machines (often zombies) that overwhelm the target's resources so it can't serve legitimate users.
honeypot
A machine set up to look like any other system on the network in order to lure attackers; because no legitimate user has a reason to touch it, everything done to it is suspect, and it records the attacker's tools and techniques for investigation.
honeywalls
Systems that monitor and control the traffic to and from honeypots.
layered network defense strategy
Provides three barriers that become increasingly difficult to penetrate, starting with the outer, then the middle, then the inner layer. The inner layer is where the important data is secured.
network forensics
Capturing and analyzing network traffic and logs to determine how an attack was carried out or how an event occurred.
order of volatility
Collect the most volatile data first (CPU registers and cache, memory, network state and running processes) before less volatile data (disk, backups).
packet analyzers
Tools (such as Wireshark and tcpdump) that capture and decode network traffic.
type 1 hypervisor
Runs directly on the bare metal.
type 2 hypervisor
Runs as an application on top of a host operating system, which in turn runs on the bare metal.
Virtualization Technology
Intel's hardware support for virtualization (VT-x), which lets a hypervisor run guest operating systems efficiently and safely.
Virtual Machine Extensions
The VMX instruction-set extensions that make up Intel Virtualization Technology.
zero day attacks
Attacks that exploit a vulnerability in an application or OS before a patch is available.
zombies
Compromised machines that an attacker controls remotely, typically used to generate DDoS traffic.

Chapter Ten Review Questions

Virtual Machine Extensions are part of which of the following?
You can expect to find a type 2 hypervisor on what type of device?
Which of the following file extensions are associated with VMware virtual machines?
.vmdk (virtual disk) and .vmx (VM configuration)
In VirtualBox, an _________ file contains settings for virtual hard drives
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of _____ and _______?
hard drive space and RAM
A forensic image of a VM includes all snapshots? t or f
Which registry key contains associations for file extensions?
Which of the following is a clue that a virtual machine has been installed on a host system?
Presence of a VM storage folder and VM software
To find network adapters, you use the ____ command in Windows and the ifconfig command in *nix.
ipconfig
What are the three modes of protection in the DID strategy?
Outer, Middle, Inner
A layered network defense strategy puts the most valuable data where?
Inner layer
TCPslice can be used to retrieve specific time frames of packet captures? t or f
Packet analyzers examine what layer of the OSI model?
2 and 3
When do zero day attacks occur?
Before patches are available
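The packet-analyzer questions above (layers 2 and 3, and tcpslice-style extraction of a time frame), as an added example that is not code from the textbook, tcpdump or tcpslice: a reader for the classic libpcap file format that decodes the Ethernet and IPv4 headers of each packet and selects the packets inside a time window. The capture is constructed in the block from three made-up frames using RFC 5737 documentation addresses; the pcap record layout and header fields are the real format.

```python
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto=6, payload=b""):
    """Construct an Ethernet II frame carrying a minimal IPv4 header (sample data)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def build_pcap(records) -> bytes:
    """records: list of (ts_sec, frame). Writes a classic pcap file in memory."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: a request, its reply, and an unrelated UDP packet a minute later.
SAMPLE_RECORDS = [
    (1700000000, build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                             "192.0.2.10", "198.51.100.5", payload=b"GET / ")),
    (1700000030, build_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                             "198.51.100.5", "192.0.2.10", payload=b"HTTP/1.1 200")),
    (1700000090, build_frame("02:00:00:00:00:01", "02:00:00:00:00:03",
                             "192.0.2.10", "203.0.113.9", proto=17)),
]


def read_pcap(data: bytes):
    """Parse the global header, then each 16-byte record header and its frame.
    Returns a list of (timestamp_seconds, frame_bytes)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return records


def decode(frame: bytes) -> dict:
    """Layer 2 (Ethernet) and layer 3 (IPv4) fields, which is what a packet
    analyzer shows first for every packet."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    ethertype, = struct.unpack_from("!H", frame, 12)
    out = {"dst_mac": fmt(frame[0:6]), "src_mac": fmt(frame[6:12]), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[14] & 0x0F) * 4              # header length in bytes
        out["proto"] = frame[14 + 9]              # 6 = TCP, 17 = UDP
        out["src_ip"] = str(ipaddress.IPv4Address(frame[14 + 12:14 + 16]))
        out["dst_ip"] = str(ipaddress.IPv4Address(frame[14 + 16:14 + 20]))
        out["payload"] = frame[14 + ihl:]
    return out


def slice_by_time(records, start: float, end: float):
    """tcpslice-style extraction: keep only packets with start <= timestamp <= end."""
    return [(ts, f) for ts, f in records if start <= ts <= end]


if __name__ == "__main__":
    capture = build_pcap(SAMPLE_RECORDS)
    for ts, frame in slice_by_time(read_pcap(capture), 1700000000, 1700000060):
        d = decode(frame)
        print(f"{ts:.0f} {d['src_mac']} -> {d['dst_mac']} | {d['src_ip']} -> {d['dst_ip']} proto {d['proto']}")
```

A real capture also needs the big-endian magic (D4 C3 B2 A1 when read as bytes means the writer was little-endian, which this reader handles; A1 B2 C3 D4 means big-endian), the nanosecond-timestamp variant, and the newer pcapng container; treat an unknown magic as a reason to stop rather than to guess.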

Chapter Eleven Terms

client/server architecture
Many clients to one server; for e-mail, the server is the mail server and the client is the user's mail program.
Electronic Communications Privacy Act (ECPA)
Enhanced/Extended Simple Mail Transfer Protocol (ESMTP)
A unique ESMTP ID number in each Received: line of the message header helps authenticate the path the e-mail took.
Forensic linguistics
The language of law, process, evidence and research/teaching. Forensic linguistics can determine a speaker's dialect and sometimes where a person is from based on phrases. It cannot determine an author's veracity or gender.
Internet Message Access Protocol 4 (IMAP4)
mbox
Messaging Application Programming Interface (MAPI)
Multipurpose Internet Mail Extensions (MIME)
Online Social Networks (OSNs)
pharming
phishing
Post Office Protocol version 3 (POP3)
Simple Mail Transfer Protocol (SMTP)
spoofing
Stored Communications Act (SCA)
Make sure you know the applicable privacy laws in the US.

Chapter Eleven Review Questions

E-mail headers contain which of the following information?
What's the main piece of information you look for in an e-mail message you're investigating?
In Microsoft Outlook, e-mails are typically stored in which of the following?
When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator?
Phishing does which of the following?
Which of the following is a current formatting standard for e-mail?
After examining e-mail headers to find an e-mail's origination address, investigators use forward lookups to track an e-mail to a suspect?
When you access your e-mail, what type of computer architecture are you using?
To trace an IP address in an e-mail header, what type of lookup service can you use?
Router logs can be used to verify what types of e-mail data?
Logging options on e-mail servers can be which of the following?
On a UNIX-like system, which file specifies where to save different types of e-mail log files?
What information is not in an e-mail header?
Which of the following types of files can provide useful information when you're examining an e-mail server?
E-mail accessed with a Web browser leaves files in a temporary folder?
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do?
You can view e-mail headers in Notepad with all popular e-mail clients?
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations?
Sendmail uses which file for instructions on processing an e-mail message?
A forensic linguist can determine an author's gender by analyzing chat logs and social media communications?
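Tracing an e-mail's originator from its headers, which several of the questions above ask about, as an added example that is not code from the textbook: the Received: headers are read bottom-up (the order the message actually travelled), and from each hop the source IP, the receiving server and the ESMTP ID are pulled out. The message is constructed for the example using RFC 5737 documentation addresses and made-up host names; the parsing uses only the standard library.

```python
import email
import re

# Constructed message (not a real capture): two hops, injected at 198.51.100.77,
# relayed by mx.example.net, delivered to mail.victim.example.
RAW_MESSAGE = (
    b"Received: from mx.example.net (mx.example.net [203.0.113.10])\r\n"
    b"\tby mail.victim.example (Postfix) with ESMTP id 3F2A9C0D12\r\n"
    b"\tfor <victim@victim.example>; Tue, 04 Jun 2024 09:15:02 +0000\r\n"
    b"Received: from [198.51.100.77] (unknown [198.51.100.77])\r\n"
    b"\tby mx.example.net (Postfix) with ESMTPSA id 7B1E2C0A99\r\n"
    b"\tfor <victim@victim.example>; Tue, 04 Jun 2024 09:14:58 +0000\r\n"
    b"Message-ID: <20240604091458.1234@example.net>\r\n"
    b"From: \"A Sender\" <sender@example.net>\r\n"
    b"To: victim@victim.example\r\n"
    b"Subject: test\r\n"
    b"Date: Tue, 4 Jun 2024 09:14:55 +0000\r\n"
    b"\r\n"
    b"hello\r\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]+)")           # ESMTP queue ID
BY_RE = re.compile(r"\bby\s+(\S+)")                     # receiving server


def received_chain(raw: bytes) -> list:
    """Parse every Received: header, bottom-up, into dicts of the fields an
    examiner needs to follow the path hop by hop."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)       # unfold continuation lines
        ip = IP_RE.search(value)
        by = BY_RE.search(value)
        esmtp_id = ID_RE.search(value)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "esmtp_id": esmtp_id.group(1) if esmtp_id else None,
                     "raw": value})
    return hops


def originating_ip(raw: bytes):
    """The bottom-most Received: line records where the mail entered the first
    server. Only lines added by servers you trust are reliable; a sender can
    forge Received: lines below them, so work down from your own server's line
    and stop trusting the chain at the first server you cannot verify."""
    hops = received_chain(raw)
    return hops[0]["from_ip"] if hops else None


if __name__ == "__main__":
    for n, hop in enumerate(received_chain(RAW_MESSAGE)):
        print(f"hop {n}: from {hop['from_ip']} by {hop['by']} id {hop['esmtp_id']}")
    print("originating IP:", originating_ip(RAW_MESSAGE))
```

The next step in practice is a lookup on that address (a reverse DNS query with `socket.gethostbyaddr`, and a WHOIS query for the netblock owner), which this example leaves out so it runs offline; the ESMTP IDs are what you quote when asking the relay's administrator for the matching server log entry.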