Forensics

Last updated 3:22 AM on 5/5/26
47 Terms

1

GIF sig

47 49 46 38

2

JPEG sig

FF D8 FF E0 (the first three bytes FF D8 FF are the JPEG start-of-image marker; E0 follows for a JFIF APP0 segment, E1 for an Exif APP1 segment)

3

PDF sig

25 50 44 46

4

PNG sig

89 50 4E 47 (full 8-byte signature: 89 50 4E 47 0D 0A 1A 0A)

5

Forensic Computing

the application of scientific methods to the identification, preservation, collection, examination, analysis, and presentation of digital evidence in a legally admissible manner.

6

Core Evidence Requirements

Admissibility, Authenticity, Completeness, Reliability and Believability

7

Digital Forensics Process Model

Identification, Preservation, Collection, Examination, Analysis and Presentation

8

Chain of Custody

The documented chronological record of every person who has had possession of the evidence, from initial seizure to presentation in court

9

Legal Frameworks

Budapest Convention on Cybercrime, RFC 3227 (Guidelines for Evidence Collection and Archiving, a best-practice document rather than a statute) and CARICOM Cybersecurity Framework

10

CIA Triad

Confidentiality, Integrity and Availability

11

2025 Cybercrime cost projection

$10.5T

12

Number of new variants of malware per day

560K

13

Percentage of cyberattacks using fileless or memory-based techniques

77%

14

Most common cyberattack techniques

fileless or memory-based techniques

15

RAR Archive Hex signature

52 61 72 21

16

ZIP hex signature

50 4B 03 04 (= PK..; Office OOXML documents, JAR and APK files are ZIP containers and carry the same signature)

17

Windows EXE/DLL

4D 5A (= MZ)

18

Von Neumann vs Harvard

Von Neumann uses a shared bus and memory for data and instructions and is the model for general-purpose computers; Harvard uses separate buses (and memory) for data and instructions and is common in embedded systems and microcontrollers

19

Order of Volatility (Most to Least)

  1. CPU Registers & Cache

  2. Routing Table

  3. System RAM

  4. Temporary File Systems

  5. Disk Storage (HDD/SSD)

  6. Remote Logging & Archival Media

20

IMEI

International Mobile Equipment Identity

21

ICCID

Integrated Circuit Card Identifier

22

IMSI

International Mobile Subscriber Identity

23

MSISDN

Mobile Station ISDN Number

24

ISDN

Integrated Services Digital Network

25

Write blocker

a forensic tool (hardware or software) that permits read-only access to a storage device, so no write reaches the evidence drive during imaging or examination and its data remains unchanged.

26

Anti-forensics

a set of techniques designed to obstruct, mislead, or prevent digital forensic investigations.

27

Metadata

data that describes, explains or provides context for other data (data about data)

28

Cache

A small, high-speed memory used to reduce the average time it takes a CPU to access data from RAM by storing frequently used instructions and data

29

Cache types

  • L1 - The fastest and smallest, built directly into the CPU core.

  • L2 - Slightly slower than L1 but larger; it can be shared or dedicated to cores.

  • L3 - The slowest and largest, typically shared across all cores of a processor.

30

types of storage media

  1. Magnetic (HDD)

  2. Solid State (SSD)

  3. Optical (DVD)

  4. Flash (USB Drive)

  5. Cloud Storage

31

RAID

Redundant Array of Independent Disks

32

RAID types

0 - Striping - splits data across drives for throughput; no redundancy, so losing one drive loses the whole array

1 - Mirroring - duplicates data on two or more drives; the array survives the loss of a drive

33

Physical vs Logical drives

Physical is the actual hardware unit; logical is a partition or volume created on a physical drive (one physical drive can hold several logical drives)

34

Hard Disk Capacity Calculation

Cylinders x Heads x Sectors x Bytes per Sector

35

File system

a method used by an OS to organize, store, and retrieve files on a storage drive

36

NTFS volume serial number

an 8-byte value located at offset 0x48 (72 decimal) of the NTFS boot sector

37

FAT12/16 volume serial number

a 4-byte value at offset 0x27 (39 decimal) of the boot sector

38

FAT32 volume serial number

a 4-byte value at offset 0x43 (67 decimal) of the boot sector

39

exFAT volume serial number

a 4-byte value at offset 0x64 (100 decimal) of the boot sector
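Worked example for cards 36 to 39: a small parser that identifies the file system from a boot sector and reads the volume serial number at the offset the deck gives. This is an added example, not part of the deck; the boot sectors it reads are constructed by make_sector() and carry only the fields the parser looks at, and the function names (make_sector, detect_fs, volume_serial) are this example's own. Identifying FAT12/16/32 from the type string in the extended BPB is an assumption for illustration; the strings are informational and a production tool should confirm the FAT variant from the cluster count.

```python
# Added example: read the volume serial number from a boot sector using the
# offsets in cards 36-39. Boot sectors here are constructed test data, not images
# of real volumes.
import struct

# (offset, length in bytes) of the volume serial number per file system
SERIAL_FIELD = {
    "NTFS":  (0x48, 8),
    "FAT12": (0x27, 4),
    "FAT16": (0x27, 4),
    "FAT32": (0x43, 4),
    "exFAT": (0x64, 4),
}


def make_sector(fs: str, serial: int) -> bytes:
    """Constructed 512-byte boot sector for the given file system (test data only)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                 # jump instruction
    if fs == "NTFS":
        sec[3:11] = b"NTFS    "                  # OEM ID
    elif fs == "exFAT":
        sec[3:11] = b"EXFAT   "                  # OEM ID
    elif fs == "FAT32":
        sec[3:11] = b"MSWIN4.1"
        sec[0x52:0x5A] = b"FAT32   "             # type string in the FAT32 EBPB
    elif fs in ("FAT12", "FAT16"):
        sec[3:11] = b"MSDOS5.0"
        sec[0x36:0x3E] = fs.encode().ljust(8)    # type string in the FAT12/16 EBPB
    else:
        raise ValueError(f"unsupported file system {fs!r}")
    off, length = SERIAL_FIELD[fs]
    struct.pack_into("<Q" if length == 8 else "<I", sec, off, serial)  # little-endian
    sec[510:512] = b"\x55\xAA"                 # boot sector signature
    return bytes(sec)


def detect_fs(sec: bytes) -> str:
    """Identify the file system from the OEM ID / EBPB type strings (assumption: see lead-in)."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xAA":
        return "unknown"
    oem = sec[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if sec[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    t = sec[0x36:0x3E]
    if t in (b"FAT12   ", b"FAT16   "):
        return t.strip().decode()
    return "unknown"


def volume_serial(sec: bytes):
    """Return (file system, serial as int, serial as zero-padded hex) or ("unknown", None, None)."""
    fs = detect_fs(sec)
    if fs == "unknown":
        return fs, None, None
    off, length = SERIAL_FIELD[fs]
    serial = int.from_bytes(sec[off:off + length], "little")  # stored little-endian on disk
    return fs, serial, f"{serial:0{length * 2}X}"


if __name__ == "__main__":
    for fs, serial in [("NTFS", 0x1C2E3F4A5B6C7D8E), ("FAT32", 0xA1B2C3D4),
                       ("FAT16", 0x11223344), ("exFAT", 0xDEADBEEF)]:
        print(volume_serial(make_sector(fs, serial)))
```

On a real image, feed volume_serial() the first 512 bytes of the partition (not of the whole disk, where the MBR/GPT sits), read through a write blocker so the check itself leaves no trace on the evidence.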

40

Retrieve IMEI

  1. Dial *#06#

  2. Check device settings

  3. Check physical label under battery or SIM tray

  4. Use forensic tools like Cellebrite UFED

  5. Request IMEI from telecommunications company records

41

BIOS Functions

  1. POST (Power-On Self Test) - tests all hardware components to ensure they work correctly before booting

  2. Bootstrap Loader - Locates the OS and loads it into RAM

  3. CMOS Setup - A configuration program that allows users to alter hardware and system settings

  4. Runtime Services - Low-level software that gives the computer basic control over hardware

42

Anti Forensic Techniques

  1. IMEI Spoofing

  2. File Signature Modification

  3. Steganography

  4. Timestomping

  5. Data wiping

  6. Log deletion

43

IMEI Spoofing

using a cloned or fake IMEI. Detected by Luhn validation of the check digit (catches made-up IMEIs) or by the same IMEI appearing on the network under different subscribers (catches cloned IMEIs, which pass Luhn because they copy a real device)
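Worked example for card 43: both detections in code, a Luhn check of the 15-digit IMEI and a search for one IMEI registered under more than one IMSI. This is an added example, not part of the deck; the registration records are constructed sample data, not network logs, and the function names (luhn_valid, luhn_check_digit, find_anomalies) are this example's own.

```python
# Added example: IMEI Luhn validation and duplicate-IMEI detection (card 43).
# RECORDS below is constructed sample data, not real network registrations.
from collections import defaultdict


def luhn_valid(imei: str) -> bool:
    """Standard Luhn check over all 15 IMEI digits, check digit included."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body14: str) -> str:
    """Check digit that completes a 14-digit TAC+serial into a valid IMEI."""
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("expected 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:                       # rightmost body digit is the first one doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


# constructed registration records: (IMEI, IMSI, serving cell)
RECORDS = [
    ("490154203237518", "310150123456789", "cell-A"),
    ("490154203237518", "310150987654321", "cell-B"),   # same IMEI, different subscriber
    ("123456789012345", "310150111111111", "cell-C"),   # made-up IMEI, fails Luhn
    ("356938035643809", "310150222222222", "cell-A"),
]


def find_anomalies(records):
    """Return IMEIs failing Luhn and IMEIs seen under more than one IMSI."""
    invalid = sorted({imei for imei, _, _ in records if not luhn_valid(imei)})
    subscribers = defaultdict(set)
    for imei, imsi, _ in records:
        subscribers[imei].add(imsi)
    shared = {imei: sorted(s) for imei, s in subscribers.items() if len(s) > 1}
    return {"invalid_luhn": invalid, "shared_imei": shared}


if __name__ == "__main__":
    print(find_anomalies(RECORDS))
```

Note the asymmetry: a random or hand-typed IMEI fails the Luhn check nine times out of ten, but a clone copied from a real handset always passes, so the duplicate search across registrations is the check that matters for cloning.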

44

File Signature Modification

Changing the file header bytes to disguise the file type. Detected by comparing the file extension with the hex signature
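Worked example for card 44, using the signatures from cards 1 to 4 and 15 to 17: a checker that reads the first bytes of a file, identifies the type from the magic number and compares it with the type the extension claims. This is an added example, not part of the deck; the sample headers are constructed byte strings rather than real files, and the function names (identify, check_extension, suspicious) are this example's own. The table extends the deck's signatures with the full PNG magic, the Exif JPEG variant and the empty-archive ZIP variant, so the check holds on real files.

```python
# Added example: file-signature vs extension check (card 44) over the magic
# numbers in cards 1-4 and 15-17. SAMPLES are constructed headers, not real files.
from typing import Optional

SIGNATURES = {
    "gif": [bytes.fromhex("47494638")],                             # "GIF8"
    "jpg": [bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD8FFE1")],  # JFIF / Exif
    "pdf": [bytes.fromhex("25504446")],                             # "%PDF"
    "png": [bytes.fromhex("89504E470D0A1A0A")],                     # full 8-byte PNG magic
    "rar": [bytes.fromhex("52617221")],                             # "Rar!"
    "zip": [bytes.fromhex("504B0304"), bytes.fromhex("504B0506")],  # "PK.." / empty archive
    "exe": [bytes.fromhex("4D5A")],                                 # "MZ"
}

# extensions that share a container format with an entry above
ALIASES = {"jpeg": "jpg", "dll": "exe", "docx": "zip", "xlsx": "zip",
           "pptx": "zip", "jar": "zip", "apk": "zip"}


def identify(header: bytes) -> Optional[str]:
    """Type whose magic number matches the start of header, or None if unrecognised."""
    for ftype, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return ftype
    return None


def check_extension(name: str, header: bytes) -> dict:
    """Compare the type claimed by the extension with the type the header bytes show."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(header)
    if actual is None:
        # a claimed type we know but cannot see in the header: header bytes were altered
        status = "header not recognised" if claimed in SIGNATURES else "unknown"
    elif actual == claimed:
        status = "ok"
    else:
        status = "mismatch"
    return {"name": name, "claimed": claimed, "actual": actual, "status": status}


# constructed sample headers (first bytes only), not real files
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",            # executable renamed .jpg
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "photo.png":   b"\x00\x00\x00\x00\x00\x00\x00\x00IHDR",          # PNG magic overwritten
}


def suspicious(samples: dict) -> list:
    """Names whose header does not agree with the extension."""
    return sorted(n for n, h in samples.items() if check_extension(n, h)["status"] != "ok")


if __name__ == "__main__":
    for n, h in SAMPLES.items():
        print(check_extension(n, h))
    print("suspicious:", suspicious(SAMPLES))
```

Two practitioner caveats: only the first bytes are read, so a file whose header was patched to the expected magic still passes this check and needs a deeper parse, and any extension missing from the table is reported as unknown rather than silently accepted.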

45

Steganography

the practice of hiding information within ordinary digital files. Detected via mismatched file signatures or file size discrepancies

46

Timestomping

Altering file timestamps. Detected via filesystem journals, registry or memory artefacts

47

Data wiping

using software to completely overwrite data on a storage device with new, meaningless data. Detected by looking for overwrite patterns and unrecoverable sectors