Cybercrime Final


29 Terms

1

Review the Basic Process of Storage Forensics.

  • Examiner's main job is to keep evidence consistent from the original source to the final analysis

  • A forensic analyst must show a clear connection between the seized device (evidence device) and the final analysis

  • Evidence remains unchanged on the original device

  • Analysis helps create leads and summaries, but it is not the actual evidence

2

Review the Preparation for Forensic Analysis.

  • An analyst must ensure that analysis results come from real evidence, not contamination or mistakes

  • The gold standard is that an analyst must be able to repeat results using procedure notes and the original seized data 

  • Analysis steps must be recorded consistently and reproducibly in the analyst's Activity Log 

  • Best practice is to follow standard procedures for evidence types and record any changes, explaining why they are needed

  • These procedures help ensure analysis is reliable and can withstand legal scrutiny in court

3

Why do we wipe a drive that is used for analysis?

So the analysis can prove that the drive was not contaminated

4

Review the Acquisition of Data.

  • The source device should be imaged without using its built-in operating system

  • Field acquisition is not ideal since losing control of the evidence device can make it harder to prove authenticity and maintain the chain of custody in court 

  • Use a true read-only mount for the file system, though this is often difficult with Windows

  • Analysis should be done with the evidence device mounted in read-only mode

5

Review the Authentication of Data.

  • The prosecutor must prove that the court evidence is unchanged and directly from the defendant

  • The digital forensic analyst has an easier job

  • Forensic analysis results must be proven as genuine and directly from the seized evidence

  • Digital evidence is easier to authenticate than physical evidence due to its unique properties

6

Review the Imaging of the evidence drive section.

  • With any seized device, it is important to create a working copy for forensic analysis 

    • Best method is to create a bit-stream copy

7

Know the rule of best evidence in court

  • Original evidence

8

Know what a FAT or File Allocation Table is and what useful artifacts can be obtained from it.

  • Supports older versions of Windows and is often less secure

    • Deleted files are not wiped from the drive

9

Know what the NTFS file system is and the difference between FAT and NTFS

  • Supports newer Windows versions and is more difficult to examine in its latest incarnation

    • In FAT, file data can sit intact for years

    • DOS tools do not work on NTFS

10

Know the seven steps of the analysis protocol or process.

  • Understanding the problem

  • Data collection

  • Data cleaning

  • Data analysis

  • Data interpretation

  • Visualization

  • Deployment

11

Know what a hash is.

  • Unique numerical value calculated from data in a digital data set 

12

Review the Computer Storage Systems section.

  • Two parts:

    • volatile 

    • nonvolatile storage 

  • Experts cannot identify where information is physically found on the evidence device

  • Volatile storage is lost when a device loses power 

13

Know what a processor is

  • The fastest part of the computer

14

Know what cache is

  • Type of memory that supports the processor

15

Know what RAM is and what it holds

  • Large reserve of information storage that supplies data from processor through cache systems

16

What happens when you defragment a disk?

  • FAT de-allocates clusters and makes them available for new files

17

What is the difference between volatile and nonvolatile storage?

  • Volatile

    • Loses data when the device is powered off

  • Nonvolatile

    • Retains data even when powered off

18

What is Risk Analysis? 

Predict the most likely outcome and assign resources to handle it effectively

19

Know the steps of the principles of risk analysis

  • Anticipating the most probable threats

  • Calculating the likely impact of those threats

  • Identifying appropriate controls and resources to reduce the likelihood and/or impact of those threats

20

What are the threats that risk analysis identifies?

  • External threats

  • Internal threats

  • Natural disasters

  • Human-made events

21

Know security technologies and backups

  • Security technologies = protecting individual components, such as software, hardware, and connected devices

  • Backups = If data are lost, destroyed, or altered, a backup may provide the only way to recover the data

22

Know what firewalls are and do

  • A device or software that acts as a checkpoint between a network or standalone computer and the Internet

  • Check all data coming in and going out

23

Know what encryption is and does

  • Technique of securing data by scrambling it into apparent nonsense, but in such a way that the message can be recovered by a person possessing a secret code called a key

24

Review password discipline

Password policy requirements for strength and expiration

25

Review the threats section

  • The second important aspect is to identify the threats facing an organization

  • The single-largest threat to an organization and its information security is from within

  • Many times, organizations suffer from key individuals intentionally stealing information or corrupting files

26

Review the Home users section

  • Cyberattacks have also focused on the home computer user or the remote worker

  • Many computers and individuals can be victimized despite the presence and use of antivirus and other protective programs

27

What is packet filtering?

Assigns numbers to computers called Internet protocol addresses

28

The number of police agencies with high tech or computer crime units has increased significantly over the last few years.

TRUE

29

Law enforcement is currently well trained in issues of cybercrime and investigation.

FALSE