Block 2 Exam

What does the Judge do with evidence?

Decide if the evidence is legally admissible

What does the Prosecutor or Investigator do with evidence?

Explain why it should be admitted

What’s the difference between Traditional Forensic Evidence and Digital Forensic Evidence?

Traditional evidence remains unchanged when admitted into court while Digital evidence is often in a state of flux

Why is digital evidence in a state of “flux”

• RAM evidence is constantly changing

• Cell phones will constantly be changing while the phone is powered

• Evidence includes social networking, websites, mobile devices, and cloud computing

What are Federal Rules of evidence?

The set of rules that determine the admissibility of evidence in both civil and criminal cases in federal court

What do the Federal rules of evidence focus on?

the manner in which the evidence was seized, handled, and documented in accordance with the law

What is Discovery?

Pre-Trial Phase in which both parties must share evidence including: interrogation, depositions, documents, subpoenas, digital evidence images

What is Expert Witness Discovery?

Complete statement of all opinions and underling basis

What is Hearsay?

Statement made by someone other than the one made by the declaration while testifying at trial or hearing offered in evidence to prove the truth of the manner asserted

What is Not Hearsay?

Records of regularly conducted activity: Emails, spreadsheets, system logs, etc. are records created in the normal course of business and are therefore admissible

What is Best Evidence?

States that secondary evidence, or a copy, is inadmissible in court when the original exists. Printouts are necessary

What is Chain of Custody?

The master copy for who had control of evidence, when they had control, where they had control. Documents the life-cycle from seizure to court presentation

What is standard information for Documentation?

• Case information

  • Case number

  • Case name

  • Primary Investigators

• System/Evidence

  • Make

  • Model

  • Serial Number

• Tools Used

• Destination Media

• Any other agent notes

What are Limitations to Documentation?

Not all information will be accessible. Serial Numbers or other identifiers might be concealed in server rack setup

What is the goal of a forensic report?

to detail findings of analysis, not convey opinions or convince jury of guilt or innocence. Must be dependable and repeatable.

What are characteristic of a report?

• Technically precise

• Comprehensive

• Common Language (not just technical jargon)

• No ambiguity should surround anything stated in the report

• Should be detailed enough for someone to use the report to recreate the analysis and findings

What are Common Sections in a Report?

• Cover page

• Table of Contents

• Executive Summary

• Purpose of the Investigation

• Methodology

• Electronic Media Analyzed

• Report Findings

• Investigations Details Connected to the Case

• Exhibits/Appendices

• Conclusion

• Glossary

What is an Executive Summary?

• Synopsis of the purpose of the investigation and the investigator's findings

• Should convey the overall results of the analysis without the details

• Typically no more than one page

• Reader shouldn't need a technical understanding to understand the executive summary

What is Methodology?

• Science behind the examination, the approach the investigator took

• List of software and tools used

  • Be specific to include version numbers, model numbers, firmware versions where applicable

• If there are any deviations to traditional methodology, document reason for deviation

What is the Report Findings section?

• Should be related to the investigation within the scope

• Technical terms should be comprehensively explained

• State facts, be careful of interpretations

• States findings in a clear, factual manner where exhibits backup the statements

What should Exhibits/Appendices Include?

• Detailed exports that support findings

• Do not include any forensic reports/exports that are not explained in the Report Findings section of the report

• Imaging Forms

• Evidence List

• Warrants

• Subpoena

What is a Forensic Image?

An exact bit-by-bit copy of a piece of media without altering the original data.

What is sanitized evidence storage?

hard drive must be wiped

What is the only true hardware writeblocker?

Floppy Tab

What is firmware writeblocker?

Intermediate device between the evidence and the system that intercepts the write signal from the system and prevents any alteration of data

What is software writeblocker?

A Secure Linux environment, connecting file systems as "read only" to the system

What is a portable writeblocker?

Eternal device that is between the evidence and forensic workstation and can be moved from workstation to workstation or site to site

What is a Stand-alone Writeblocker?

Does not need a workstation, limited functionality, usually faster

What is a workstation writeblocker?

Installed into forensic workstation, cannot be moved without disassembly

What are forensic Image Formats?

• Raw Images: DD (Digital Disk Format)

• Specialized

  • E01 - Guidance software (locks down the format, only for forensic use)

  • Ghost Image (used to push out images all at once - administrative-type)

• Targeted - used to select a couple images rather than the larger amount of information

  • AD1 - Access Data (create an evidence-worthy zip file)

  • L01 - Guidance software

What are some common forensic imaging tools?

• FTK imager

• EnCase

• Lunix DD or DCFLDD

What does a Writeblocker do?

Preserves the integrity of the original evidence

What are Hash Values?

The Digital Fingerprint used to verify file and evidence integrity

What are common formats for Hash Values

• MD5 - Message Direct 5: 128-bit hash value

• SHA256 - Secure Hash Algorithm: 256-bit hash value

Where are hash values stored?

Depending on the program, hash value will be stored in metadata of image file or separate log file will be created

Why forensic images?

Do no harm to your evidence, locked containers, allowed analysis without altering the original

Internal Components of a Hard Drive

Platter, Spindle, Boom/Actuator Arm

What is a Platter?

A circular disk made from aluminum, ceramic, or glass that stores data magnetically. It contains sectors and tracks

What is a Spindle?

The center of the disk and powered by a motor that spins the platters

What is a Boom/Actuator Arm?

Contains a read/write head that modified the magnetism of the disk. Each bit is either on or off, "0" or "1"

What are Hard Drive connections?

SCSI, IDE, SATA, ZIF

What is a Byte?

Smallest addressable unit of memory, 8 bits, 0101 1010

What is a Sector?

512 bytes

What is a cluster?

A unit of storage that contains continuous sectors, determined by the partition

What is a track?

Concentric bands on the platter that contain sectors

What is a cylinder?

Same track number on each platter, spans all platters of a hard drive

What is Physical Storage?

the physical location of a sector where data is stored, typically identified as a drive number, cannot be directly accessed without a file system

What is Logical Storage?

A partition, identified as a letter, contains a file system that is usable by an operating system, must be formatted into a specific file system

What are components to logical storage?

Partition, File System, Allocated Storage, Unallocated Storage

What is file storage?

Files are stored in groups of full clusters.

Physical Size: Actual disk space required to store the file

Logical Size: Amount of data stored for file