Understanding the Digital Forensics Profession and Investigations

80 Terms

1
White collar fraud
________ began when people in these industries saw a way to make money by manipulating computer data.
2
Digital images
________ are stored on hard disks, flash drives, removable hard drives, and the cloud and are circulated on the Internet.
3
Fourth Amendment
The ________ to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure.
4
private sector investigator's job
A(n) ________ is to minimize risk to the company.
5
Forensics investigators
________ often work as part of a team to secure an organization's computers and networks.
6
Any documentation
________ written to the attorney must contain a header stating that it's "Privileged Legal Communication - Confidential Work Product," as defined under the attorney-work-product rule.
7
Examiners
________ must be familiar with recent court rulings on search and seizure in the electronic environment to avoid mistakes such as exceeding a search warrant's authority.
8
Law enforcement
________ officers often find computers, smartphones, and other devices as they're investigating crimes, gathering other evidence, or making arrests.
9
law enforcement agency
The ________ processes the report, and management decides to start an investigation or log the information into a police blotter, which provides a record of information about crimes that have been committed previously.
10
Forensic workstation
________ to copy and examine the evidence.
11
integrity check
This ________ covers the physical security of systems and the security of operating systems and applications.
12
Drug dealers
________, car theft rings, and other criminals often keep information about transactions on their computers, laptops, smartphones, and other devices.
13
ISO 27307
"Information technology - Security techniques, Guidelines for identification, collection, acquisition and preservation of digital evidence."
14
criminal investigation
A(n) ________ generally begins when someone finds evidence of or witnesses an illegal act.
15
evidentiary artifacts
The method for locating ________ is to search for specific known data values.
16
Data values
________ can be unique words or nonprintable characters, such as hexadecimal codes.
17
former employees
Without defined policies, a business risks exposing itself to litigation from current or ________.
18
role of a digital forensics examiner
The ________ is to give management personnel complete and accurate information so that they can verify and correct abuse problems in an organization.
19
Executive management
________ should define a policy to avoid conflicts from competing interests in organizations.
20
Data Recovery
Involves retrieving information that was deleted by mistake or lost during a power surge or server crash.
21
Private sector computer crimes
________ can involve e-mail harassment; gender and age discrimination; white-collar crimes, such as falsification of data, embezzlement, and sabotage; and industrial espionage, which involves selling sensitive or confidential company information to a competitor.
22
intruder
If a(n) ________ launches an attack that causes damage or potential damage, this team collects the necessary evidence, which can be used for civil or criminal litigation against the ________ and to prevent future intrusions.
23
internal user
If a(n) ________ is engaged in illegal acts or policy violations, the network intrusion detection and incident response group might assist in locating the user.
24
acquisitions officer
The ________ gives you documentation of items the investigating officers collected with the computer, including a list of other storage media, such as removable disks and flash drives.
25
threat assessment specialist
The ________ (typically an attorney) who's familiar with federal and state laws and regulations related to ITAR or EAR and industrial espionage.
26
false allegations of misconduct
Competition for funding or management support can become so fierce that people might create ________ to prevent competing departments from delivering a proposal for the same source of funds.
27
Public sector investigations
________ involve government agencies responsible for criminal investigations and prosecution.
28
Data analysis
________ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
29
external attack
When a(n) ________ is detected, the response team tracks, locates, and identifies the intrusion method and denies further access to the network.
30
Digital Forensic Science
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting and possible expert presentation
31
International Organization for Standardization (ISO)
Standard for Digital Forensics
32
Federal Rules of Evidence (FRE)
Created to ensure consistency in federal proceedings
33
FBI's Computer Analysis and Response Team (CART)
Formed in 1984 to handle the increase in cases involving digital evidence
34
Digital Forensics
Used to investigate data that can be retrieved from a computer's hard drive or other storage media
35
Data Recovery
Involves retrieving information that was deleted by mistake or lost during a power surge or server crash
36
Inculpatory Evidence
Evidence that shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt
37
Exculpatory Evidence
Evidence that tends to clear the suspect
38
Penetration Testers
People who work in vulnerability/threat assessment and risk management group.
39
Xtree Gold
It recognized file types and retrieved lost or deleted files; a new tool that appeared in the mid-1980s
40
Mac SE
Produced by Apple in 1987; a Macintosh with an external EasyDrive hard disk with 60MB storage
41
International Association of Computer Investigative Specialists (IACIS)
Introduced training on software for digital forensics examinations, and the IRS created search warrant programs
42
ILook
Currently maintained by the IRS Criminal Investigation Division and limited to law enforcement, can analyze and read special files that are copies of a disk
43
AccessData Forensic Toolkit (FTK)
Has become a popular commercial product that performs similar tasks in the law enforcement and civilian markets
44
Computer Technology Investigators Network (CTIN)
Meets to discuss problems that digital forensics examiners encounter
45
Digital Evidence First Responder (DEFR)
Has the skill and training to arrive on an incident scene, assess the situation, and take precautions to acquire and preserve evidence
46
Digital Evidence Specialist (DES)
Has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis
47
Due Process
Refers to fairness under the law and is meant to protect all
48
Warning Banner
Appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will
49
End User
A person using a computer to perform routine tasks other than system administration
50
Abuse or misuse of digital assets
Often center on e-mail and Internet misuse by employees but could involve other digital resources
51
Internet abuse
Excessive viewing of contraband images;
52
Company Rules Violation
The misuse of rules
53
Chain of Custody
The route evidence takes from the time you find it until the case is closed or goes to court
54
Case number
The number your organization assigns when an investigation is initiated
55
Nature of case
A short description of the case
56
Vendor name
The name of the manufacturer of the computer component
57
Evidence recovered by
The name of the investigator who recovered the evidence
58
Interview
Conducted to collect information from a witness or suspect about specific facts related to an investigation
59
Interrogation
The process of trying to get a suspect to confess to a specific incident or crime
60
Forensic Workstation
A computer loaded with additional bays and forensics software
61
Bit-stream copy
A bit-by-bit copy or forensic copy of the original drive or storage medium and is an exact duplicate
62
Bit-stream image
The file containing the bit-stream copy of all data on a disk or disk partition
63
Vulnerability/threat assessment and risk management
  • This integrity check covers the physical security of systems and the security of operating systems and applications.

  • Their job is to poke holes in the network to help an organization be better prepared for a real attack.

64
Network intrusion detection and incident response.
This group detects intruder attacks by using automated tools and monitoring network firewall logs.
65
Digital investigations.
This group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime.
66
Expert Witness for Macintosh
No commercial GUI software for digital forensics was available until ASR Data created ______.
67
allegation
The witness or victim makes an _____ to the police, an accusation of fact that a crime has been committed.
68
police officer
A _______ interviews the complainant and writes a report about the crime.
69
police blotters
Criminals often repeat actions in their illegal activities, and these patterns can be discovered by examining _____.
70
affidavit
In a criminal or public-sector case, if the police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit an ______.
71
verdict
A judge or an administrative law judge then renders a judgment, or a jury hands down a ______ (after which a judge can enter a judgment).
72
risk of litigation
One way that businesses can reduce the _____ is to publish and maintain policies that employees find easy to read and follow.
73
acceptable use policy
The most important policies are those defining rules for using the company’s computers and networks; this type of policy is commonly known as an “__________.”
74
line of authority
Published company policies also provide a ______ for conducting internal investigations; it states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
75
antistatic
Make sure you use _______ bags when collecting computer evidence.
76
hostile work environment
Incidents that create a ________, such as viewing pornography in the workplace and sending inappropriate emails, are the predominant types of cases investigated.
77
Repeatable Findings
Repeating the steps that you took in any digital investigation producing the same results.
78
computer-based email data files
For _______, use the standard forensics analysis techniques and procedures described in this book for the drive examination.
79
server-based email data files
For ______, contact the e-mail server administrator and obtain an electronic copy of the suspect’s and victim’s email folder or data.
80
Web-based e-mail
For _____ (Gmail, for example) investigations, search for Internet keywords to extract all related e-mail address information.