When were the first laws relating to digital evidence established?
1970s
Digital forensics
applies forensics procedures to digital evidence
Insider threat
a person who may be an employee, a contractor, or another person with access to the corporate network or computer system who commits malicious acts or who commits industrial espionage
Internet of Things
contains any physical device that can be connected to the internet
Public-sector investigation
abide by the Fourth Amendment; you search for evidence to support criminal allegations
Private-sector investigation
you search for evidence to support allegations of policy violations, abuse of assets, and criminal complaints
Warning banners
should be used to remind employees and visitors of organization policy on computer, email, and Internet use
Companies should
define and limit the number of authorized requesters who can start an investigation
When planning a case
take into account the nature of the case, instructions from the requester, what additional tools and expertise you might need, and how you will acquire the evidence
Criminal cases and company policy violations
should be handled in much the same manner to ensure that quality evidence is presented; both can go to court
Internet abuse investigations
require examining server log data
For attorney-client privilege cases
all written communication should have a header label stating that it’s privileged communication and a confidential work product
Bit-stream copy
a bit-by-bit duplicate of the disk
Rule 26 of the Federal Rules of Civil Procedure
requires expert witnesses who anticipate that they will have to testify to submit written reports; must include their opinion and their basis for their opinion
Deposition banks
used by attorneys to research expert witnesses’ previous testimony and to learn more about expert witnesses hired by opposing counsel
A well-defined report structure
contributes to a reader’s ability to understand the information you’re communicating; has clearly labeled sections and follows a numbering scheme
The report-writing process
analyzing the data and reviewing the examiner notes
writing the first draft
revising the draft and creating the final report
Fact witness
you’re providing only the facts you discovered in your investigation
Bona fides
a statement listing proof of your qualifications, credentials, and legitimacy as an expert in the form of a summary, resume, or curriculum vitae
Lay witness
a person whose testimony is based on personal observation or perception; not considered to be an expert in a particular field
Deposition
formal examination in which the witness is questioned under oath and a judge is not present; its purpose is to give the opposing counsel a chance to preview testimony before the trial
Examination plan
a document that lets a witness know what questions to expect when they are testifying
Discovery
process by which attorneys seek information from the other side before a trial
Voir dire
the qualification phase of testimony, in which an attorney asks questions to establish an expert witness’s credentials
Conflicting out
the practice of opposing attorneys trying to prevent a digital forensics examiner from testifying by claiming the examiner has discussed the case with them and, therefore, has a conflict of interest
Discovery deposition
a type of deposition during which the opposing attorney conducts the equivalent of both direct and cross-examination of the witness; it’s considered part of the discovery process
Testimony-preservation deposition
a deposition held to preserve testimony in case of schedule conflicts or health problems; usually videotaped as well as recorded
Digital forensics lab
a lab dedicated to digital investigations; typically, it has a variety of computers, OSs, and forensics software
Uniform Crime Report
information collected at the federal, state, and local levels to determine the types and frequencies of crimes committed
TEMPEST
a term describing facilities that have been hardened so that electrical signals from digital devices, computer networks, and telephone systems can’t be monitored or accessed easily by someone outside the facility
Change management
the process of reviewing and validating new methods or resources being used in a digital forensics lab
Configuration management
the process of keeping track of all upgrades and patches applied to a computer’s OS and applications
Business case
a document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading a facility
Acquisition
the process of creating a duplicate image of data; one of the required functions of digital forensics tools
Validation
the process of confirming that a tool is functioning as intended; one of the functions of digital forensics tools
Verification
the process of proving that two sets of data are identical by calculating hash values or using another similar method; one of the functions of digital forensics tools
Extraction
the process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools
Reconstruction
the process of rebuilding data files; one of the required functions of digital forensics tools
Command-line interface
can find file slack and free space, recover data, and search by keyword; command-line tools are designed to run in minimal configurations and can fit on a bootable disk
Static acquisition
a data acquisition method used when a suspect drive is write-protected and cannot be altered; if disk evidence is preserved correctly, static acquisitions are repeatable
Live acquisition
a data acquisition method used when a suspect computer cannot be shut down to perform a static acquisition; captured data might be altered during a live acquisition because it is not write-protected, so the acquisition is not repeatable
Raw format
a data acquisition format that creates simple, sequential flat files of a suspect drive or data set
Cyclic redundancy check
a mathematical algorithm that translates a file into a unique hexadecimal value
MD5
an algorithm that produces a hexadecimal value of a file or storage media; used to determine whether data has been changed
AFF
an open-source data acquisition format that stores image data and metadata; file extensions include .afd for segmented image files and .afm for AFF metadata
Logical acquisition
a data acquisition method that captures only specific files of interest to the case, or specific types of files
Sparse acquisition
like logical acquisition but also captures fragments of unallocated (deleted) data
Host protected area
an area of a disk drive reserved for booting utilities and diagnostic programs; not visible to the computer’s OS
Whole disk encryption
an encryption technique that performs sector-by-sector encryption of an entire drive; unreadable when copied with a static acquisition method
Wear leveling
in SSDs and flash drives, the utility that ensures that all memory cells get used and have the same number of reads, writes, and erases to maintain endurance of the SSD
TRIM utility
recoverable deleted data from an SSD’s free space will be automatically erased as part of routine maintenance of the memory cells; will alter the hash value
Mean time to failure
the average time that a part, component, or device will work before it might fail
Redundant array of independent disks (RAID)
a computer configuration in which two or more disks are combined into one large drive in several configurations for special needs
Four methods for acquiring data
disk-to-image, physical disk-to-disk, partition-to-partition, and partition-to-data
dc3dd
a computer configuration in which two or more disks are combined into one large drive in several configurations for special needs