Introduction to Forensics

Description and Tags

Flashcards covering key concepts in computer forensics.


25 Terms

1

What is Computer Forensics?

The use of analytical and investigative techniques to identify, collect, examine, and preserve evidence or information that is stored or encoded on digital media (magnetic, flash, or optical).

2

What is the role of first responders in computer forensics?

First responders play a critical role; improper handling of evidence can render it unusable for prosecution.

3

What are the five principles outlined in the Council of Europe’s Electronic Evidence Guide?

Data integrity, Audit trail, Specialist support, Appropriate training, and Legality.

4

What are the four steps of examination according to the Scientific Working Group on Digital Evidence (SWGDE)?

Visual inspection, Forensic duplication, Media examination, and Evidence return.

5

What are the initial steps in the U.S. Secret Service Forensics Guidelines?

Secure the scene and make it safe, take immediate steps to preserve evidence, and determine whether you have a legal basis to seize the computer.

6

According to U.S Secret Service Forensics Guidelines, what action should be taken if a computer is believed to be destroying evidence?

Shut down the computer by pulling the power cord (not by a normal shutdown, which gives a running wipe process time to finish). The trade-off is that everything in RAM (running processes, network connections, keys for mounted encrypted volumes) is lost, which is why this is reserved for the case where evidence is actively being destroyed.

7

List three evidence gathering principles.

Touch as little as possible, leave a document trail, and secure the evidence.

8

What elements should be included in the chain of custody?

Where and how the evidence was discovered, the collection location, the date and time of collection, the names of everyone who had access to it, and the names of everyone who "owned" (had custody of) it, with each hand-off recorded. A cryptographic hash of the evidence taken at collection lets every later custodian prove it is unchanged.
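The chain-of-custody elements above, together with the "leave a document trail" and "data integrity" principles, can be turned into a log that checks itself. The following is an added example, not part of the original flashcards: every custody event records who, where, when and the SHA-256 of the evidence file, and also commits to the previous entry's hash, so editing any entry or the evidence itself is detected. The case number, names, locations and the sample evidence file are constructed.

```python
"""Hash-chained chain-of-custody log with evidence hash verification.

Added example, not part of the original flashcards. Each custody event
(discovery, collection, every hand-off) records who, where, when and the
SHA-256 of the evidence file, and commits to the previous entry's hash, so
editing any entry or the evidence itself breaks verification. Names,
locations, case number and the sample evidence file are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_digest(entry):
    """Canonical JSON (sorted keys) so the hash does not depend on dict order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, case_id, evidence_path):
        self.case_id = case_id
        self.evidence_path = evidence_path
        self.entries = []

    def record(self, action, person, location, when):
        entry = {
            "case_id": self.case_id,
            "action": action,            # discovered / collected / transferred ...
            "person": person,            # who had access or took ownership
            "location": location,
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def custodians(self):
        """Everyone who has had the evidence, in order, without repeats."""
        seen = []
        for e in self.entries:
            if e["person"] not in seen:
                seen.append(e["person"])
        return seen

    def verify(self):
        """Return (ok, reason): checks each entry's hash, the chain between entries,
        and that the evidence file still hashes to what was recorded."""
        current = sha256_file(self.evidence_path)
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if entry_digest(e) != e["entry_hash"]:
                return False, f"entry {i} was altered"
            if e["prev_entry_hash"] != prev:
                return False, f"chain broken at entry {i}"
            if e["evidence_sha256"] != current:
                return False, f"evidence hash no longer matches entry {i}"
            prev = e["entry_hash"]
        return True, "ok"


def demo():
    """Constructed scenario: three custody events, a falsified entry, then a modified file."""
    path = os.path.join(tempfile.mkdtemp(), "usb_stick.dd")
    with open(path, "wb") as f:
        f.write(b"constructed sample image\x00" * 256)
    log = CustodyLog("CASE-2024-0001", path)
    t = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
    log.record("discovered", "J. Doe (first responder)", "Office 214, desk drawer", t)
    log.record("collected and bagged", "J. Doe (first responder)", "Office 214", t.replace(minute=45))
    log.record("transferred", "A. Smith (examiner)", "Evidence locker 3", t.replace(hour=13))
    ok_before, _ = log.verify()
    log.entries[1]["location"] = "Office 300"        # record changed after the fact
    _, entry_tamper = log.verify()
    log.entries[1]["location"] = "Office 214"        # restore for the next check
    with open(path, "ab") as f:                      # someone touches the original
        f.write(b"x")
    ok_after, reason = log.verify()
    return {"ok_before": ok_before, "entry_tamper": entry_tamper, "ok_after": ok_after,
            "reason": reason, "custodians": log.custodians()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Verification fails on the first bad entry, so an examiner sees exactly which hand-off to question; in practice the hash is taken over the forensic image rather than the original device, which is never written to.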

9

What does the FBI recommend regarding the preservation of a computer's state by the first responder?

Making a backup copy of any logs, damaged or altered files, and files left by the intruder.

10

Name four locations where evidence can be found on a PC.

Browser history, the index.dat file (the history/cache index kept by legacy Internet Explorer; current browsers store history in SQLite databases instead), system logs, and the Windows Registry.
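Browser history is the first of those locations, and the part that trips people up is the timestamp, not the query. As an added example (not from the original flashcards), the block below reads Chrome's `History` and Firefox's `places.sqlite` schemas from constructed in-memory databases and converts both epochs: Chrome stores `last_visit_time` as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch), Firefox stores `last_visit_date` as microseconds since 1970-01-01 UTC. The URLs, titles and visit times are made up; on a real system the database is copied out first, because the running browser holds it locked.

```python
"""Read browser history from SQLite and convert the two common timestamp epochs.

Added example, not part of the original flashcards. Schemas and epochs are
the real ones used by Chrome (History: urls table, WebKit epoch 1601-01-01)
and Firefox (places.sqlite: moz_places table, Unix epoch 1970-01-01), both
in microseconds. The rows inserted here are constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_chrome_time(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_chrome_time(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_firefox_time(us):
    return UNIX_EPOCH + timedelta(microseconds=us)


def to_firefox_time(dt):
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1)


CHROME_SCHEMA = ("CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
                 "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
FIREFOX_SCHEMA = ("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
                  "visit_count INTEGER, last_visit_date INTEGER)")


def build_sample_dbs():
    """Constructed Chrome History and Firefox places.sqlite databases (in memory)."""
    t1 = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
    t2 = datetime(2024, 5, 1, 23, 58, 17, tzinfo=timezone.utc)
    chrome = sqlite3.connect(":memory:")
    chrome.execute(CHROME_SCHEMA)
    chrome.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/login", "Sign in", 3, 1, to_chrome_time(t1), 0),
        (2, "https://example.com/files/export.zip", "export.zip", 1, 0, to_chrome_time(t2), 0),
    ])
    firefox = sqlite3.connect(":memory:")
    firefox.execute(FIREFOX_SCHEMA)
    firefox.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.org/webmail", "Webmail", 7, to_firefox_time(t1)),
        (2, "https://example.org/bookmarked-only", "Never visited", 0, None),  # NULL is legal here
    ])
    return chrome, firefox


def chrome_history(db):
    rows = db.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                      "ORDER BY last_visit_time DESC").fetchall()
    return [{"url": u, "title": t, "visits": v, "last_visit_utc": from_chrome_time(ts).isoformat()}
            for u, t, v, ts in rows]


def firefox_history(db):
    rows = db.execute("SELECT url, title, visit_count, last_visit_date FROM moz_places "
                      "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date DESC").fetchall()
    return [{"url": u, "title": t, "visits": v, "last_visit_utc": from_firefox_time(ts).isoformat()}
            for u, t, v, ts in rows]


if __name__ == "__main__":
    chrome, firefox = build_sample_dbs()
    for row in chrome_history(chrome) + firefox_history(firefox):
        print(row)
```

Feeding a Chrome value through a Unix-epoch converter (or the reverse) shifts every visit by 369 years, so the converter is the first thing to check when a timeline looks wrong.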

11

Name four examples of computer evidence beyond PCs and laptops.

Logs, portable storage devices, e-mails, and devices capable of storing data like iPods, iPads, and cell phones.

12

What information can be found in the Windows Registry regarding USB devices?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR lists every USB mass-storage device that has been connected to the machine (vendor, product, revision and the device serial number make up the key names). MountPoints2, in each user's own hive (NTUSER.DAT, under Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2), holds the volume GUIDs that user mounted, which ties a device to the account that was logged on when it was used. The link between the two is SYSTEM\MountedDevices, which maps each \??\Volume{GUID} to the USBSTOR device instance.
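Joining those three locations is the actual work, so here is an added example (not from the original flashcards) that does it over a regedit-style `.reg` export: it parses USBSTOR device keys, decodes the UTF-16LE `MountedDevices` values to map volume GUIDs to device serials, and then looks for those GUIDs under each user's MountPoints2. The `.reg` text is a constructed sample; the device names, serials, volume GUIDs and SIDs in it are made up, while the key layout and the `_??_USBSTOR#...` value format are the real ones.

```python
"""Tie a USB device to the user who mounted it, from a .reg export.

Added example, not part of the original flashcards. It joins three real
registry locations: the USBSTOR device keys (vendor/product/serial), the
SYSTEM\\MountedDevices values that map each \\??\\Volume{GUID} to a USBSTOR
instance, and the {GUID} subkeys of MountPoints2 in each user's hive. The
.reg text is a constructed sample (serials, volume GUIDs and SIDs are made
up); on a real system use `reg export` or parse the hives offline.
"""
import re

USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
MOUNTED = r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"
MOUNTPOINTS2_RE = re.compile(
    r"^HKEY_USERS\\(S-1-5-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\MountPoints2\\(\{[0-9A-Fa-f-]+\})$")
VOLUME_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9A-Fa-f-]+\})$")
DISK_CLASS = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # GUID_DEVINTERFACE_DISK (real)


def reg_hex(s):
    """Encode a string the way regedit exports REG_BINARY UTF-16LE data."""
    return "hex:" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


def mounted_line(guid, instance):
    return r'"\\??\\Volume' + guid + '"=' + reg_hex("_??_USBSTOR#" + instance + "#" + DISK_CLASS)


# ---- constructed sample export -------------------------------------------------
SANDISK = r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0"
KINGSTON = r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B9A7C&0"
VOL_A = "{11111111-2222-3333-4444-555555555555}"
VOL_B = "{66666666-7777-8888-9999-000000000000}"
USER_1001 = r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001"
USER_1002 = r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002"
MP2 = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + USBSTOR + "\\" + SANDISK + "]", '"FriendlyName"="SanDisk Cruzer Blade USB Device"', "",
    "[" + USBSTOR + "\\" + KINGSTON + "]", '"FriendlyName"="Kingston DataTraveler 3.0 USB Device"', "",
    "[" + MOUNTED + "]",
    mounted_line(VOL_A, SANDISK.replace("\\", "#")),
    mounted_line(VOL_B, KINGSTON.replace("\\", "#")), "",
    "[" + USER_1001 + MP2 + VOL_A + "]", "",     # both users mounted the SanDisk
    "[" + USER_1002 + MP2 + VOL_A + "]", "",     # nobody in the export mounted the Kingston
])


def unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Minimal parser for regedit .reg exports: {key path: {value name: str | bytes}}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\"):                 # hex data wrapped over several lines
            line = line[:-1] + next(lines).strip()
        name, _, data = line.partition("=")
        name = unescape(name.strip().strip('"'))
        if data.startswith("hex:"):
            value = bytes(int(b, 16) for b in data[4:].split(",") if b)
        elif data.startswith('"') and data.endswith('"'):
            value = unescape(data[1:-1])
        else:
            value = data                           # dword:, hex(2): etc. left as text
        keys[current][name] = value
    return keys


def correlate_usb(keys):
    """serial -> {device, friendly_name, volume_guids, users (SIDs that mounted it)}."""
    devices = {}
    for path, values in keys.items():
        if path.startswith(USBSTOR + "\\"):
            parts = path[len(USBSTOR) + 1:].split("\\")
            if len(parts) == 2:                    # <device id>\<serial&instance>
                devices[parts[1]] = {"device": parts[0], "serial": parts[1],
                                     "friendly_name": values.get("FriendlyName", ""),
                                     "volume_guids": [], "users": []}
    guid_to_serial = {}
    for name, data in keys.get(MOUNTED, {}).items():
        m = VOLUME_RE.match(name)
        if not m or not isinstance(data, bytes):
            continue
        text = data.decode("utf-16-le").rstrip("\0")
        if text.startswith("_??_USBSTOR#"):        # _??_USBSTOR#<device>#<serial>#{class}
            serial = text.split("#")[2]
            guid_to_serial[m.group(1).lower()] = serial
            if serial in devices:
                devices[serial]["volume_guids"].append(m.group(1))
    for path in keys:
        m = MOUNTPOINTS2_RE.match(path)
        if m:
            sid, guid = m.group(1), m.group(2).lower()
            serial = guid_to_serial.get(guid)
            if serial in devices and sid not in devices[serial]["users"]:
                devices[serial]["users"].append(sid)
    return devices


if __name__ == "__main__":
    for d in correlate_usb(parse_reg(SAMPLE_REG)).values():
        print(d["friendly_name"], d["serial"], "mounted by:", d["users"] or "no user in export")
```

A device that appears in USBSTOR and MountedDevices but in no user's MountPoints2 was seen by the system but not mounted by any account whose hive you exported, which is itself worth noting; the SID is resolved to an account name from SAM or ProfileList separately.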

13

What type of information can be gathered from a cell phone for forensics?

Photos, videos, text messages, call times and durations, and contact names and phone numbers.

14

What are some general rules for gathering evidence from a cell phone?

Document the make, model, and condition of the phone and photograph its initial screen. On older feature phones the SIM card held much of what you need (IMSI, ICCID, and often contacts and SMS); on smartphones the bulk of the evidence is in the handset's own flash storage, and the SIM mainly identifies the subscriber.

15

What is Logical Acquisition of a cell phone?

Copying the active (allocated) file system from the device into another file; deleted data still present in unallocated space is not included.

16

What is Physical Acquisition of a cell phone?

Creating a bit-by-bit copy of the phone's memory, including unallocated space and therefore deleted files that have not yet been overwritten.
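The difference between the two acquisition types is easiest to see on bytes. The following added example (not from the original flashcards) builds a made-up miniature file system, a directory table of name/offset/length/in-use entries followed by a data area, so that it runs offline; the comparison it shows is the general one: a logical copy walks the directory and sees only allocated files, while a physical image also contains unallocated space, from which a deleted file can be carved by signature. The "JPEGs" are just real SOI/EOI markers around filler bytes, not valid images.

```python
"""Logical vs physical acquisition on a constructed flash image.

Added example, not part of the original flashcards. The image format is a
made-up miniature file system (directory table + data area); the point is
general: logical acquisition walks the file system and only returns
allocated files, a physical image also holds unallocated space from which
deleted files can be carved by signature. The JPEG payloads are real
SOI/EOI markers around filler bytes, not valid images.
"""
import hashlib
import struct

ENTRY = struct.Struct("<16sIIB")          # name, offset, length, in_use flag (25 bytes)
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def fake_jpeg(payload):
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def build_sample_image():
    """Two live files and one deleted file whose data is still on the media."""
    files = [("photo1.jpg", fake_jpeg(b"A" * 40), 1),
             ("note.txt", b"meeting at 9, bring the drive", 1),
             ("photo2.jpg", fake_jpeg(b"B" * 28), 0)]     # in_use=0: deleted, data not wiped
    dir_size = 4 + ENTRY.size * len(files)
    data, entries = bytearray(), []
    for name, content, in_use in files:
        entries.append(ENTRY.pack(name.encode(), dir_size + len(data), len(content), in_use))
        data += content + b"\0" * 8                           # slack between files
    return struct.pack("<I", len(files)) + b"".join(entries) + bytes(data) + b"\0" * 64


def logical_acquisition(image):
    """What a file-system-level export sees: allocated files only."""
    (count,) = struct.unpack_from("<I", image, 0)
    files = {}
    for i in range(count):
        name, offset, length, in_use = ENTRY.unpack_from(image, 4 + i * ENTRY.size)
        if in_use:
            files[name.rstrip(b"\0").decode()] = bytes(image[offset:offset + length])
    return files


def physical_acquisition(image):
    """Bit-for-bit copy plus the hash that goes into the chain-of-custody record."""
    copy = bytes(image)
    return copy, hashlib.sha256(copy).hexdigest()


def carve_jpegs(image, max_len=1 << 20):
    """Signature carving over raw bytes: every SOI..EOI span, allocated or not."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) >= 0:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:                                # header without trailer: skip it
            pos = start + 1
            continue
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def compare(image):
    logical = logical_acquisition(image)
    physical, digest = physical_acquisition(image)
    carved = carve_jpegs(physical)
    deleted = [j for j in carved if j not in logical.values()]
    return {"logical_files": sorted(logical), "image_sha256": digest,
            "carved_jpegs": len(carved), "recovered_deleted": deleted}


if __name__ == "__main__":
    result = compare(build_sample_image())
    print(result["logical_files"], result["carved_jpegs"], len(result["recovered_deleted"]))
```

On a real handset the physical image comes from the tool, JTAG or chip-off; the carving step is the same idea that tools such as The Sleuth Kit apply with a much longer signature table.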

17

What is Chip-off Forensics?

The practice of physically removing the memory chip (typically the NAND or eMMC flash) from the circuit board and reading it directly in a chip reader; destructive, so used when less invasive methods fail.

18

What is JTAG in cell phone forensics?

Joint Test Action Group; a less destructive method than chip-off in which the board's JTAG test access port is used to read a physical image of the flash memory without removing the chip.

19

Name four common cellular network technologies.

GSM (2G), EDGE (2.75G, an enhancement of GSM data rates before 3G), UMTS (3G), and LTE (4G).

20

What does SIM stand for in cell phone terminology?

Subscriber Identity Module.

21

What is an IMEI?

International Mobile Equipment Identity; a unique 15-digit identifier for GSM, UMTS, LTE, and satellite phones (8-digit TAC identifying the model, 6-digit serial, and a Luhn check digit). Because it identifies the handset rather than the subscriber, it can be "blacklisted" even if the user changes the SIM card.
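An IMEI pulled from a phone label, the `*#06#` screen or a carrier record can be checked before it goes into a report. As an added example (not from the original flashcards), the block below decomposes an IMEI into TAC, serial and check digit, validates the Luhn check digit, and handles the 16-digit IMEISV, which carries a software version instead of a check digit. The identifiers in the tests are illustrative values, not real handsets.

```python
"""Validate and decompose an IMEI / IMEISV.

Added example, not part of the original flashcards. IMEI = 8-digit TAC +
6-digit serial + Luhn check digit (15 digits). IMEISV = the same 14 digits
+ 2-digit software version, with no check digit (16 digits). Sample values
in the usage call are illustrative, not real devices.
"""
import re


def luhn_check_digit(payload):
    """Check digit for a digit string: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw):
    """Describe an IMEI or IMEISV; raise ValueError on malformed input."""
    digits = re.sub(r"[\s-]", "", raw)          # labels are often printed with gaps
    if not digits.isdigit():
        raise ValueError("only digits, spaces and dashes are allowed")
    if len(digits) == 15:
        check = int(digits[14])
        return {"type": "IMEI", "tac": digits[:8], "serial": digits[8:14],
                "check_digit": check, "valid": check == luhn_check_digit(digits[:14])}
    if len(digits) == 16:
        return {"type": "IMEISV", "tac": digits[:8], "serial": digits[8:14],
                "software_version": digits[14:], "valid": None}   # nothing to verify
    raise ValueError(f"expected 15 (IMEI) or 16 (IMEISV) digits, got {len(digits)}")


def validate_imei(raw):
    """True only for a 15-digit IMEI whose check digit is correct."""
    try:
        return parse_imei(raw)["valid"] is True
    except ValueError:
        return False


def imei_from_imeisv(imeisv):
    """The IMEI behind an IMEISV: same 14 digits plus the recomputed Luhn digit."""
    digits = re.sub(r"[\s-]", "", imeisv)[:14]
    return digits + str(luhn_check_digit(digits))


if __name__ == "__main__":
    for sample in ("49-015420-323751-8", "490154203237519", "4901542032375103"):
        print(sample, parse_imei(sample))
```

A failed check digit usually means a transcription error rather than a forged identifier, so it is a prompt to re-read the label, not a finding by itself.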

22

List four forensic tools.

AccessData Forensic Toolkit, EnCase, The Sleuth Kit, OSForensics.

23

What is the Daubert Standard?

Scientific evidence offered at trial must rest on a reliable methodology. The judge acts as gatekeeper and considers whether the technique has been tested, has been subjected to peer review and publication, has a known or potential error rate and governing standards, and is generally accepted in the relevant scientific community.

24

What is the initial step in the scientific method?

Formulating a hypothesis: a proposed explanation stated so that it can be tested (and, if wrong, disproved) by observation or experiment.

25

Give three examples of Computer Forensics Certifications.

Computer Hacking Forensic Investigator (CHFI, EC-Council), Certified Forensic Computer Examiner (CFCE, IACIS), and the SANS/GIAC forensics certifications (for example GCFE and GCFA).