1. What are some examples of “footprints” we leave throughout our daily lives?
cell phone records, credit card history, social media use, and more
2. What is forensic science?
application of science to solve a legal problem
3. What is digital forensics according to Ken Zatyko?
the application of computer science and investigative procedures for a legal purpose.
involves the analysis of digital evidence after proper search authority
must include chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation
4. What ultimately led to the apprehension of the BTK Killer?
metadata found on a floppy disk sent by Rader to the police
NEED TO MAKE 3-4 paragraphs for Essay question
5. What is eDiscovery?
any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case
6. What is DOMEX?
Document and Media Exploration (DOMEX)
takes digital devices found on battlefield to analyze and gain intelligence
7. Can violations of policy and procedure result in a violation of the law? Does it always?
violations of policy and procedure may not constitute violations of law, but may warrant a company investigation
Yes; no
8. What are the 8 phases of the digital forensic process?
Search Authority (always first; everything is dictated by the 4th Amendment)
Chain of Custody (happens throughout the entire process; not just people, also places)
Imaging and Hashing (forensic image: a bit-by-bit copy so that the original evidence is not used; a hash value is like a serial number that ensures the forensic image is a true duplicate)
Validated Tools (must ensure that tools actually do what they say they are doing)
Repeatability (results should be able to be recreated)
Analysis (analysis of data or devices)
Reporting (all of the documentation throughout the process)
Possible Expert Presentation
9. What does search authority refer to?
legal permission to search, typically a search warrant
search warrant, consent, subpoena
10. What is chain of custody?
the meticulous, chronological documentation of digital evidence's entire lifecycle, from collection to court presentation, proving it hasn't been altered and ensuring its integrity and legal admissibility.
11. What is imaging/processing about?
making a copy of the digital evidence in order to ensure an accurate copy and ensure the original evidence is not altered
a forensic image is made; all examinations are conducted using the image
12. What is the difference between a forensic image and a forensic clone?
They are not the same (that's all we need to know)
13. What does it mean to validate tools?
the tool is working properly and produces reliable and accurate results
14. How often does validation need to be done?
hardware before every case
software every time there is an update
15. What are some things examiners must take into account for their analysis?
type of case, type of evidence, skills of suspect
16. Why is repeatability important?
different examiners get the same results; quality assurance
17. When in the forensic process does reporting happen?
all throughout the process
18. What do examiners need to remember for expert presentation?
experts must be effective teachers, able to explain evidence to the average person
19. What organization is the most widely used for accreditation?
ANSI-ASQ National Accreditation Board (ANAB)
Absorbed ASCLD/LAB
20. What is the role of the examiner in the judicial system?
Expert witness
An expert is someone who can assist the judge/jury to understand and interpret evidence
21. What is a bit?
a bit is a 0 or a 1
8 bits = 1 byte
What is a Byte?
8 bits = 1 byte
What is a Sector?
512 bytes = 1 sector
What is a Cluster?
2048 bytes = 1 cluster
25. What is Hexadecimal?
base 16 numbering system, starts with 0x, uses the digits 0-9 and A-F
28. What is an easy way to attempt to conceal data?
change the file extension
29. Why is this not a problem for forensic tools?
they look at the file header, not the extension
30. What is the difference between storage and memory?
memory is short-term storage, storage is permanent
31. Storage or memory - Which one is volatile?
memory
32. What are the three general ways data is created?
Electromagnetism
Microscopic electrical transistors (flash)
Reflecting light (CDs, DVDs, etc)
33. What are the four categories of computing environments?
Stand-alone computers (laptops; data stored on the device) can connect to a network but don't have to
Networks (computer labs on campus)
Mainframe
Cloud
need to be able to list
34. What is active data?
Data used every day on our computers
Files reside in allocated space on the hard drive
Computer tracks these files
What is latent data?
Data that has been deleted or partially overwritten
These files are no longer being tracked
These files are more complicated for the examiner to see
"free space" on drive
What is archival data?
Commonly known as backups
Acquisition of archival data can range from simple to extremely complex
37. What are the three file systems discussed in this class?
FAT
NTFS
HFS+
38. Which one(of the three file systems) is most often seen in flash media today?
FAT
39. What is the difference between allocated and unallocated space?
Allocated space is the part of the drive being used by the active data
Unallocated space is space on the drive not being used
Important to note, not used does not always mean empty
40. How is slack space created?
Slack space = sectors not touched by new data
Slack space is created as a byproduct of how file systems store data on a disk, specifically when a file's size is not a perfect multiple of the cluster (or block) size.
41. What are some concerns with virtual labs?
Security
Performance
Startup cost
42. What are some things done to ensure lab security?
only authorized personnel access, chain of custody, limited network access
43. What do we need to be concerned about when storing evidence?
Evidence not currently being examined must be securely stored with limited access
Storage locations must be locked at all times
A log must be maintained of everyone who accesses the evidence storage
44. What do policies and procedures govern in forensic labs?
Standard Operating Procedures should be in place to govern how the lab:
Handles evidence
Conducts examinations
Keeps records
Secures the facility
45. When is documentation done in the forensic process?
throughout the whole forensic process
46. What are some examples of documentation?
chain of custody, examiner's notes, ONE MORE
47. What is an open source tool?
Free tools
48. What is an example of a commercially produced product?
FTK and Cellebrite
49. Can examiners rely solely on their tools?
NO
Even if a tool is validated it will have weaknesses
50. What is the difference between accreditation and certification?
the lab is accredited while the individual examiner is certified