Untitled Flashcards Set

Forensic Definitions

• Forensic: The use or application of scientific knowledge to a point of law, especially in crime investigations.

• Computer Forensics: A sub-discipline of Digital & Multimedia Evidence involving the scientific examination, analysis, and evaluation of digital evidence in legal matters.

• Acquisition: The process of duplicating, copying, or imaging digital evidence.

• Original Evidence: Physical items and associated data at the time of seizure.

• Examination: A technical review that makes evidence visible and suitable for analysis; tests performed to determine specific data presence.

• Data Extraction: Identifying and recovering information that may not be immediately apparent.

• Analysis: Reviewing examination results for significance and probative value.

• Data Analysis: Assessing the information within the media.

• Digital Evidence: Information stored or transmitted in binary form that may be used in court.

• Chain of Custody: Chronological documentation of evidence movement, location, and possession.

Storage & System Terms

• Basic Input/Output System (BIOS): Routines stored in ROM that enable a computer to start the OS and communicate with devices.

• Archiving: Storing data for long-term availability and retrieval.

• File Slack: Space between the logical end of a file and the last allocation unit.

• Free Space: Available data storage areas, possibly containing previously stored information (a.k.a. Unallocated Space).

• Unallocated Space: Storage units not assigned to active files, may contain remnants of deleted data.

Investigators' Office

• Accreditation: Labs can receive credit by following established forensic standards.

• Evidence Locker: Secure storage location for evidence.

• Disaster Recovery Plan: Ensures restoration of workstations and investigation files after catastrophic events (e.g., virus contamination, reconfiguration).

Legal Framework & Investigations

Federal & Legal Considerations

• Federal Rules of Evidence (FRE): Created for consistency in federal proceedings; do not apply uniformly to states.

• Fourth Amendment: Protects individuals from unlawful searches.

• Data Recovery: A different form of digital forensics.

• Search & Seizure: Examiners must be familiar with recent court rulings.

Types of Investigations

Public Sector Investigations

• Conducted by government agencies for criminal investigations and prosecutions.

Private Sector Investigations

• Focus: Company policy violations.

• Examples:

  • Email harassment

  • Data falsification

  • Discrimination (age, gender, etc.)

  • Embezzlement

  • Industrial espionage

• Policies: Defined by an “Acceptable Use Policy” regulating computer/network use.

• Line of Authority: Determines who can initiate an investigation, handle evidence, and access it.

• Warning Banners: Alerts users that organizations reserve the right to inspect systems and network traffic.

• Bring Your Own Device (BYOD): Some companies enforce the same rules on personal devices connected to business networks.

Roles in Digital Forensics

• First Responder: Assesses an incident/crime scene and identifies/preserves physical evidence.

• Digital Evidence First Responder: Assesses a crime scene, collects and preserves digital evidence.

• Digital Evidence Specialist: Analyzes acquired data within forensic and legal parameters.

Evidence Handling & Documentation

• Bit-Stream Copy: A bit-by-bit copy of the original storage medium.

• Bit-Stream Image: A forensic image of digital storage.

• Single Evidence Form: Lists each piece of evidence separately.

• Multi Evidence Form: Lists multiple evidence items related to the same case on one sheet.

Mobile Forensics

Key Concerns

1. Loss of power

2. Cloud synchronization

3. Remote wiping

Methods to Isolate Devices

• Airplane mode

• Paint can

• Turning off the device

• Paraben Wireless Stronghold Bag

Remote Wiping Challenge

• Removes personal information from phones, complicating forensic investigations.

Mobile Forensic Methods

1. Manual Review (May not be considered forensic)

File Systems & Storage

• File System: Provides an OS with a roadmap to data.

• Clusters: Groups of sectors forming storage allocation units.

• Partition: A logical drive.

• Hidden Partitions/Void Spaces: Areas in storage that may contain hidden data.

• Partition Gap: Unused space between partitions.

File Deletion in Microsoft OS

• Directory entry marked as deleted.

• First letter of filename replaced with hex E5.

• FAT chain set to 0.

• Data remains on disk until overwritten.

• Deleted file area becomes unallocated space.

Cybercrime & Online Threats

Phishing

• Email with links leading to fraudulent websites to steal personal information.

Pharming

• DNS poisoning that redirects users to fake sites (e.g., Whitehouse.com vs. Whitehouse.gov).

Legal Procedures & Witnesses

Expert Witness Roles

1. Lay Witness: Testifies about what they saw or heard.

2. Scientific/Technical Witness: Explains evidence and how it was obtained but does not form conclusions.

3. Expert Witness:

   • Provides opinions based on experience and reasoning.

   • Forms conclusions based on findings.

   • Four Conditions for Expert Witnesses:

     • Knowledge or skills

     • True expertise

     • Degree of certainty

     • Evidence-based facts

Key Legal Terms

• Spoliation: Destroying reports may be considered evidence tampering.

• Ethics: Internalized rules for performance measurement.

• Professional Conduct: External standards applied to forensic professionals.

• Rules of Evidence: Critical laws governing attorney and witness procedures.

Legal Proceedings & Testimony

1. Court Order of Events:

   1. Prosecution

   2. Defense

   3. Opening statements

   4. Plaintiff

   5. Defendant

   6. Rebuttal

   7. Closing arguments

   8. Jury instructions

2. Testimony Types

   • Direct Examination: Most important part of testimony.

   • Expert Witness Testimony: Most powerful.

   • Conflicting Out: Opposing attorneys preventing an expert from serving on a case.

   • Deposition:

     • No jury/judge, opposing attorneys preview testimony before trial.

     • Discovery Deposition: Part of the pre-trial discovery process.

     • Testimony Preservation Deposition: Records testimony for future use.

Search & Seizure in Digital Forensics

• Warrants Required for Law Enforcement: Private sector policy violations do not need warrants.

• Private Sector vs. Law Enforcement: Once police get involved, private-sector investigations must follow law enforcement protocols.

• Computer-Generated Records: Considered authentic if the program is functioning correctly.

• Digitally Stored Records: Must be authenticated and trustworthy before admission as evidence.

• Plain View Doctrine: Allows officers to seize objects in plain view without a warrant if they are lawfully present.