Guide to Computer Forensics and Investigations - Chapter 9

This set of flashcards covers key concepts from the Guide to Computer Forensics and Investigations, focusing on digital forensics analysis, investigation methods, and data validation techniques.

What is the purpose of defining the goal and scope in a digital forensics investigation?

To outline what the investigation aims to achieve and which materials and tasks are necessary.

What are the steps to follow in a digital forensics investigation?

1. Use recently wiped media, 2. Inventory hardware, 3. Remove original drive for static acquisitions, 4. Record data acquisition steps.

What is scope creep in a digital forensics investigation?

When an investigation expands beyond its original description due to unexpected evidence.

Why is it important for prosecution teams to analyze evidence exhaustively before trial?

To fend off attacks from defense attorneys and ensure all evidence is accounted for.

What is the importance of validating digital evidence?

To ensure the integrity of data collected for use in court.

What is a common issue that can occur when examining digital evidence before trial?

Scope creep can lead to increased time and resources needed for evidence extraction.

What is the significance of creating an investigation plan?

It helps in clearly defining the investigation's goals, required materials, and actions to take.

What are some techniques used to hide data in a digital forensics context?

Hiding partitions, changing file extensions, setting file attributes to hidden, encryption, and bit-shifting.

What is Autopsy in the context of digital forensics?

A tool that performs forensic analysis on various file systems.

What file systems can Autopsy analyze?

Microsoft FAT, NTFS, ExFAT, UFS1, UFS2, ISO 9660, YAFFS2, Mac HFS+, and various Linux Ext file systems.

What is the role of hashing in digital forensics?

Hashing is used to verify the integrity of data and check for alterations.

What does data hiding involve in digital forensics?

Changing or manipulating a file to conceal information.

How can one unassign a partition's letter to hide it in Windows?

Using the 'diskpart remove letter' command.

How do forensic investigators typically process a drive's contents?

Methodically and logically, listing all folders and files, examining data, and documenting findings.

What is steganography?

A method of concealing information within other non-suspicious files.

What is one disadvantage of using basic encryption programs?

They can be susceptible to password-cracking tools if users forget their passwords.

Which tools are noted for recovering passwords in forensic investigations?

Last Bit, AccessData PRTK, ophcrack, and John the Ripper.

What is a brute-force attack in password recovery?

An attack that attempts every possible combination of letters, numbers, and symbols.

What is the purpose of salting passwords in security?

To alter hash values and make cracking passwords more difficult.

How can hidden partitions be detected in a forensic analysis?

By accounting for all disk space and analyzing unaccounted disk areas.

What does bit-shifting accomplish in the context of data hiding?

It changes data from readable form to an altered form that appears as binary executable code.

What is the first step in examining encrypted files?

Users must supply a password or a passphrase to decode the files.

What are steganalysis methods?

Techniques used to detect and analyze files that use steganography.

Why are hashing tools essential in digital forensics?

They ensure the integrity of collected data and confirm that files have not been altered.

What can advanced hexadecimal editors do that standard forensic tools may not?

They can hash specific files or sectors for more granular analysis.

What describes a known-message attack in steganalysis?

An attack that uses a known piece of information to detect the presence of hidden data.

In what scenario is a dictionary attack more effective?

When users create passwords based on common words and phrases.

What is the primary function of the Known File Filter (KFF)?

To filter out known program files and detect illicit files during investigation.

What does a validation report list in digital forensics?

It lists hash values such as MD5 and SHA-1 for assessed data.

What strategies can prevent data from being altered post-collection?

Using hashes to confirm file integrity and leveraging advanced digital tools for validation.

What does ‘marking good clusters as bad’ accomplish in a digital forensics context?

It conceals sensitive data by preventing the operating system from accessing it directly.

Why is checking the date and time values in CMOS critical during investigations?

To confirm the accuracy of the timestamps related to evidence collection.

What are the implications of not validating forensic data collected?

It can lead to challenges in court regarding the authenticity of evidence.

What should a forensic investigator do if new evidence leads them in a new direction?

Refine and modify the investigation plan as necessary based on new findings.

What benefits do hexadecimal editors provide in analyzing digital evidence?

They offer direct visibility and manipulation capabilities for underlying data, enhancing forensic analysis.

What is the main challenge presented by encryption in digital forensics?

Decrypting files requires the correct password or key to access hidden information.

What common methods are employed in password recovery?

Brute-force attacks, dictionary attacks, and rainbow table attacks.

What role does hashing play in the forensic analysis of physical evidence?

It helps determine if the evidence has been tampered with or altered.

State one drawback of using file encryption in digital forensics?

It makes accessing the data legally more challenging without the proper credentials.

What is the significance of forensic tools having an indexed version of the NIST library?

It allows for faster identification of known files and enhances the efficiency of forensic investigations.

What type of files can Autopsy analyze apart from file systems?

Image files from other vendors, enhancing its versatility in data analysis.

Why is it vital to list all folders and files on the suspect drive?

To create a clear inventory of data for thorough examination and analysis.