CHFI Certification Study Guide for CHFI Exam

Answer:

What IT infrastructure was attacked How the attack was implemented Time of the attack Response steps already taken Identity of possible suspect if known What evidence of the crime already exists

Answer:

Designate a single contact within the organization to whom employees can report possible cyber threats. This point of contact should be prepared with a list of law enforcement contacts with whom he or she has already made contact prior to any attack. The in-house point of contact will also compile a list of the company response team as well as outside vendors that need to be contacted immediately when a security incident occurs.

Answer:

Federal Bureau of Investigation U.S. Secret Service Bureau of Alcohol Tobacco and Firearms U.S. Postal Inspection Service U.S. Customs and Immigration Enforcement National Infrastructure Coordinating Center (Department of Homeland Security) National Association of Attorneys General (Computer Crime Point of Contact List) U.S. Computer Emergency Readiness Team (CERT) Internet Crime Complaint Center (IC3)

Answer:

Companies may be reluctant to report when their cyber security systems have failed. They may not want to release sensitive data about the company, and also may fear that their corporate image will suffer. But cyber crimes should be reported. Cyber criminals can be prosecuted only if the crime is reported. Prosecution of one crime can lead to prevention of other cyber attacks, including attacks on critical public facilities. The more individual incidents that are reported to law enforcement, the more likely officials are to uncover–and prevent–large scale attacks.

Answer:

Rather than view a criminal act as an isolated crime, law enforcement officials sometimes adopt the Enterprise Theory of Investigation (ETI). This means they view the individual criminal act as more likely to be part of a larger criminal enterprise. In prosecuting it, they seek to bring down a large criminal enterprise at once, rather than focus on a single crime. When forensic investigators are aware of this, they may cooperate with law enforcement officials to help prosecute the entire enterprise.

Answer:

It should summarize how the investigation was conducted and show how the data was collected and what business line was affected. It should include supporting data, references, acknowledgements and background necessary to support litigation. It should include the most important conclusions, key observations and all recommendations.

Answer:

Call in a forensic investigator when there has been: A breach of contract Theft of intellectual property Copyright violation Disputes with employees Damages to company property, including IT resources. A forensic investigator ensures that evidence will be collected properly, without tampering or accidental damage. The investigator will compile and process the evidence so that it can be presented in court. The investigator will also help the company prevent future incidents.

Answer:

A corporate investigation usually stems from a dispute between two companies. No laws may have been broken. The most common example is when a company suspects industrial espionage. The cyber investigator may be called on to present the evidence in the course of extensive litigation. At the same time, the company's operations should go on as normal during the investigation. After the investigation, the company should take steps to avoid future incidents and litigation.

Answer:

In taking on a case, a forensics investigator should be prepared to tackle a range of responsibilities, including: Assessing the legal and financial fallout from the incident Finding the culprit Prosecuting an outside criminal or punishing an inside violator Identifying any legal restrictions on the company response Protecting company reputation and dealing with public relations fallout Notifying officers, customers and investors about the incident Informing employees Advising on conflicts with other companies that result from the incident

Answer:

A cyber investigator can access several categories of resources for the latest information. Cyber investigators most frequently learn about the latest threats and trends in the field by participating in cyber discussion groups, joining networks of forensics experts and by following news and feeds of computer forensics. There are also journals of forensics investigators and other sources for case studies.

Answer:

These are examples of evidence that can be collected by a cyber investigator and used in an investigation and presented in court if necessary: Contacts on a suspect’s computer Records of movements Records of internet searches Encrypted files Stolen corporate secrets Emails with other suspects and accomplices

Answer:

Identify the crime and survey the preliminary evidence Obtain a search warrant, if needed Send first responders to protect any evidence Seize evidence and transport it to a forensic library Create copies of any evidence using a two bit stream Create a MD5 checksum Establish a chain of custody for evidence Store the evidence securely Analyze evidence and prepare a report Submit the report to company officials Be ready to testify in court

Answer:

If the computer crime is investigated by someone who is not technically experienced, it is almost guaranteed that the evidence will be damaged and therefore not usable in a court of law. As a result, the cyber criminal will go unpunished. Therefore, whenever possible, an experienced digital forensic investigator should be used.

Answer:

a large organized crime organization with a sophisticated hierarchy. The organization often creates botnets and sells or rents them. They can be hired to write malware, to hack into financial institutions, and engineer a denial of service effort against a target. Government national security officials are concerned about the involvement of organized crime organizations in cyber warfare.

Answer:

Identity theft Fraud Viruses, spam and malware Bringing down a network, or denial of service Hacking to steal personal confidential data Credit card fraud Child pornography Extortion Software theft

Answer:

security breaches of computer systems are an everyday occurrence resulting in huge economic losses. When the security of a corporate or government computer system is compromised, hard evidence is needed so that criminals responsible for breaking into the system can be identified and prosecuted in a court of law. Computer forensics investigators follow methods and procedures designed to collect, analyze and safeguard evidence before it can be destroyed.

Answer:

Establish in advance a process for detecting an incident Know the computer system Identify potential evidence Establish how evidence will be collected, handled and stored securely Train staff to handle and preserve evidence Document all investigative steps Establish procedures for reviewing the incident

Answer:

Early on, computer forensics investigators were often called in to investigate personal disputes, harassment charges or employee rule violations involving computers. Investigators also collected evidence to be used in lawsuits. More recently, with the increase in computer hacking, forensics investigators are needed to respond quickly by collecting, examining and safeguarding evidence so that criminals can be prosecuted.

Answer:

Decide if a security breach has occurred Look for clues at the site Do a quick examination of the available evidence Take custody of computers and other equipment Collect other evidence that will be analyzed in the case.

Answer:

Set up an investigative work station and a secure place to recover the data Put in place the investigative team Gathered the investigative tools Contacted with the local prosecutor Learned the laws and regulations that govern the conduct of the investigation Finalized the methodology for the investigation

Answer:

Duplicate computer drives, both those on site and in remote locations Validate the image and integrity of files Determine the date and time that files have been created, accessed or modified Identify files that have been deleted Work with media that has been removed from a computer Identify and examine free disk space

Answer:

Identify the members of the team and give each team member a specific responsibility. Make sure all team members have the necessary clearance and authorization to perform their roles. Choose one team member to be the initial responder to the incident. Designate one team member as the principal technical expert. NOTE: If your organization does not have staff members with the necessary technical skills, hire an experienced trusted investigative team from outside the company.

Answer:

Expert witness offers testimony in court Attorney advises team on laws Evidence Manager ensures evidence remains secure Evidence documenter tracks all evidence through the investigation Evidence Examiner/Investigator sorts through the useful evidence Photographer: Incident Responder first on the scene when incident occurs Decision Maker oversees the investigation Incident Analyst

Answer:

All computers and other electronic devices, including peripherals, removable media, cords, cables Publications Items from trash The evidence should be handled carefully to avoid damage, and all items should be tagged with detailed identifying information.

Answer:

Set up an investigative work station Established a secure place for the data Put in place the investigative team Gathered the investigative tools Contacted the local prosecutor Learned the laws and regulations governing the investigation Finalized the investigation’s methodology

Answer:

Duplicate computer drives, both those on site and in remote locations Validate the image and integrity of files Determine the date and time that files have been created, accessed or modified Identify files that have been deleted Work with media that has been removed from a computer Identify and examine free disk space

Answer:

Identify the members of the team and give each team member a specific responsibility. Make sure all team members have the necessary clearance and authorization to perform their roles. Choose one team member to be the initial responder to the incident. Designate one team member as the principal technical expert. NOTE: If your organization does not have staff members with the necessary technical skills, hire an experienced trusted investigative team from outside the company.

Answer:

Review beforehand the Federal and state laws that will apply to the investigation. You should know the legal authorities for conducting the investigation and the specific laws that give you the authority to search for evidence. You should also know your company’s rules and policies that apply to cyber investigations. Ask your legal counsel about any areas of concern that stand out–for example, what constitutes improper handling of the investigation? Pay particular attention to the Electronic Communications Privacy Act (EPCA) and the Privacy Protection Act (PPA).

Answer:

18 USC. Section 1029, prohibits fraudulent use of a credit card 18 USC Section 1030, prohibits unauthorized use of a computer to obtain credit card information 18 USC Sections 1361-62 prohibits malicious damage or intent to damage U.S. government property, including electronic equipment or transmissions Rule 402: relevant evidence is admissible in court unless prohibited elsewhere in laws or regulations Rule 901: covers the authentication and identification of evidence Rule 608: governs how evidence about a person’s truthfulness can be introduced into court. Rule 609: allows the admission of criminal history evidence to impeach a witness. Rule 502: governs attorney-client privilege and the protection of an attorney’s work product from being shared with the other side in litigation.

Answer:

Rule 614: a judge may call a witness in a trial or question any witness Rule 701: limits the scope of testimony by a non-expert witness Rule 705: relates to expert witness testimony Rule 1002: requires production of the original document at trial Rule 1003: allows duplicate document to be introduced into evidence

Answer:

First, make sure that you have sufficient authority. Identify the decision maker in your organization who is responsible for authorizing the response to a security incident. If there are no rules or policies for responding to an incident, and no designated decision maker, identify someone who can authorize the response. Once authorization is received, document all of the actions taken once the incident was reported.

Answer:

Describe the incident and the potential damage Rate the incident according to its severity Determine the data loss or damage to the computer system due to the incident Assess whether other devices and systems are threatened by the incident Seal off communications with other devices to keep the incident from spreading

Answer:

Laptop with functioning software Operating systems and patches Application software Back-up devices that are write-protected Blank media to download files Networking equipment and cables

Answer:

Know proper evidence-handling and chain-of-custody procedures Assess the crime scene Collect and secure evidence from the crime scene Turn off all processes that might damage the evidence Determine urgency of the investigation Identify investigative techniques to be used and data required Assemble all available data about the evidence collected, including operating environments and interdependencies

Answer:

Look for ways to unlock the files protected by password or encryption Collect email address and other data that might contribute to the investigation Examine users who accessed files before it was secured, looking at the files that were accessed, when and possible reasons Maintain a chain of custody for the seized material Search for relevant data on seized material through key words.

Answer:

Obtain a search warrant Assess the crime scene and secure it from tampering Gather the evidence including computers and other materials at the scene Protect the evidence from tampering Use computer toolkit to acquire data from devices Conduct analysis of the data Evaluate the data to develop the case Draft a final investigation report Prepare to testify as an expert in a trial or litigation

Answer:

The request must specify the area to be searched. Is it for an entire company, a floor of an office, a computer, a car, or a house? When a computer or other device is to be searched, will the search take place onsite or will it be brought to another site for the examination? If the computer is removed, will it be returned to the owner after material is removed? Or will it be held until after the trial?

Answer:

When the owner of the property consents to the search voluntarily. When law enforcement authorities believe evidence will be destroyed before a warrant can be obtained from a court.

Answer:

photographs are needed to establish the scene of the crime, the location and the nature of the evidence. All evidence must be labeled before it is photographed. A digital camera speeds the investigative process because the photographs can be labeled, stored and transmitted easily. Measurements can also be taken using digital images.

Answer:

Time of the incident Detailed location Whether memory on devices is volatile or non volatile Information on any persons at the scene Name and identification of potential witnesses

Answer:

Gathers and guards as much evidence as possible. Evidence on electronic devices should be gathered and protected. The first responder should follow all applicable laws in collecting and protecting evidence. As soon as possible, the first responder should contact a forensic investigator.

Answer:

Data Files: From desktop computers and workstations, notebooks, home computers, computers of all staff, handheld devices, file servers, mainframes and minicomputers Backup tapes: system-wide backups, disaster recovery backups, personal backups (diskettes and other portable media) Other media: tape archives, removed and replaced disk drives, portable media including CDs, Zip drives and diskettes

Answer:

Make a detailed list of the systems involved in the incident from which data can be collected Indicate the order of volatility for the systems Note systems’ clock drift Collect any evidence from persons who are involved in the incident Record the electronic serial number of drives and other identifying data in the system Write-protect and run virus scan all media to protect its integrity

Answer:

Date, time and location of the search Persons or Agency conducting the search Case number if available Victim’s full name, if applicable Description of evidence collected Type of offense if applicable Suspect’s name if known

Answer:

Keeping the evidence in a secure site where intruders cannot enter Installing an alarm system in the lab Proper handling and documenting of the evidence, including tagging the evidence with unique identification marks, so that it is preserved intact once it has been seized Careful documentation in the investigation log book whenever the evidence is transferred from one party to the other, including recording of date and time, and identification of parties who delivered and received the evidence. These measures will preserve the chain of custody so that the evidence can be presented in a court of law.

Answer:

It is used to officially document the collection, storage, handling, testing and disposition of evidence. Its purpose is to guard against tampering with or switching of evidence. It is a legal record certifying that these safeguards have been carried out, signed by those handling the evidence. For each piece of evidence, a chain of custody form lists: Piece of evidence, with brief description When it was collected, where and by whom Notation each time the evidence changes hands, with the person relinquishing it and the person receiving it signing and dating the form.

Answer:

The original data files are duplicated bit by bit, in a process called data imaging, which creates an exact copy of the original data. The original data is preserved intact and preserved in a secure facility. The duplicate data is sent to the forensic lab for analysis.

Answer:

The integrity of the duplicate file is demonstrated by subjecting both the original data file and the duplicate file to an MD5 Hash calculation. This is done before any analysis has been performed on the duplicate file. If the duplicate file has the same Hash value as the original evidence, it demonstrates that the files are the same. This certification has been accepted in Federal Rules of Evidence and is admissible in a court of law. There are several tools available for calculating hash value, including Hash Calc, MD5 Calculator, HashMyFiles and MD5sum.

Answer:

Several programs exist to recover data that has been lost or deleted from a computer. The recovered data can be used in an investigation. These programs include, Total Recall, Recover My Files, and Advanced Disk Recovery.

Answer:

The data must be analyzed to see whether it supports the overall theory of the investigation. The techniques for analyzing the data will vary depending on the type of investigation and the resources and needs of the client. Analysis should shed light on: File content Date and time of file creation and any modifications Identification of users who created, modified or had access to the files Storage location of file A timeline for the creation and any modification of the files The conclusions from the analysis should be presented in order or relevance to the investigation. Data analysis tools are available to sort through and analyze large quantities of data.

Answer:

Review of the search warrant or other authorization A careful examination of the digital evidence Review of the hardware and software seized in the investigation Analysis of the digital and factual evidence to determine its relevance to the investigation

Answer:

The number and types of operating systems examined Content of files The result of matching the files to the installed applications User configuration settings Check-in check-out list of every examination of the data Summaries of all interviews Reports and logs generated during data assessment phase Outcomes of all legal interactions

Answer:

Review the initial investigation request Identify the legal authority for the investigation Review the chain of custody Determine whether there are additional sources of evidence to be tapped Consider using other forensic tools to examine existing evidence Interview users, system administrators and other workers to seek new evidence

Answer:

Gather all notes from beginning to end of the investigation List all documentation that is relevant to the investigation List the proposed conclusions Highlight facts that support the investigation conclusions List the evidence that supports the conclusions

Answer:

A statement of the purpose of the report Information about the author(s) including background and contact information, and description of their positions and role in the investigation Full summary of the incident, including how it occurred and its impact Complete description of the evidence acquired during the investigation Full summary of the evidence that was analyzed, the procedures, methods or programs used to analyze the data, along with utility reports and log entries produced by the analysis Conclusion stating the findings of the investigation, noting specific evidence that supports the findings, Supporting documents mentioned in the report, including any network diagrams, descriptions of the investigation methodology and complete information about the technologies that used in the investigation

Answer:

the facts of the investigation and related issues, as well as the credentials to inspire trust in a judge or jury. As an expert, the witness must be knowledgeable enough about the technical aspects of the case to evaluate the evidence in the case independently. The expert witness’s role is to assist the attorneys, the judge and or the jury in understanding the investigation. The expert witness must be familiar with the legal procedures of the court in order to be comfortable in a courtroom setting. The expert witness must be prepared for questions from the opposing lawyers, who may try to discredit the expert witness’s testimony.

Answer:

Examining all of the facts present at the incident scene Discarding any bias in order to maintain the integrity of the investigative process Maintaining the confidentiality of the investigation Keeping current on changes in hardware, software, network technology and forensic applications Protecting the evidence chain of custody

Answer:

be educated about company policy. If the problem persists, the company may decide to take further action. Meanwhile, the investigator should ensure that disruptions to company operations are minimized during the investigation.

Answer:

“unreasonable searches and seizures” without “probable cause.” Later, U.S. courts ruled that a warrantless search could take place if a person did not have a “reasonable expectation of privacy.” A computer under a person’s control was considered private as if it were “a briefcase or a file cabinet.” Just as law enforcement could not search someone’s briefcase without a warrant, so they could not search their computer without one. However, individuals give up their right to privacy over the contents of their computer when they relinquish control of the computer to third parties. The Fourth Amendment does not apply to searches conducted by private parties who are not agents of the government, unless the private search is done with the knowledge or participation of a government official.

Answer:

Consent: when a person gives direct consent to have their files searched Lawful Arrest: police have a right to search the area around a suspect when they are lawfully arrested International searches: A warrant is not needed for government officials to search computer systems outside the United States, although U.S. law enforcement officials usually consult a law enforcement agency in the country where the search is being conducted. Inventory Searches: Searches that take place not to look for evidence but to ensure that there are no dangerous or harmful objects and to protect law enforcement from liability for lost or stolen items. The items found are inventoried. Border searches: Searches of persons coming into or leaving the United States do not require a warrant or a finding of probable cause. Exigent Conditions: Searches can be conducted without a warrant when there is a danger that evidence will disappear or be destroyed before a warrant can be secured from a court. In cases of computer crimes, there is a danger that data will be erased through normal maintenance, or will otherwise be lost.

Answer:

One key issue is whether a third party can give consent to a search of someone else’s files. Courts have ruled that a spouse may give consent to search all of a couple’s joint property. Also, parents may give consent to search their child’s property if the child is under 18 but not after that. In the case of computer systems, a system administrator may give permission to search an individual’s files on the system. Also, if a computer is in common use, another user may give consent to have the computer searched.

Answer:

When there is no written or even verbal consent for a search, government investigators may still have the right to search without a warrant. Signing on to a government or corporate computer systems, for example, often includes a notice that the user is waiving their right to privacy while using the system. This is implied consent to search the user’s files on the system.

Answer:

Federal privacy laws apply as well as the Fourth Amendment protection against unreasonable searches. For private workplaces, employees are afforded privacy protections as if they were in their homes. Employees can assume a reasonable expectation of privacy unless a company official with authority over the workforce consents to a search of the offices. Workers in public sector workplaces also enjoy a reasonable expectation of privacy, although there often is implied consent when employees log on to a government computer system. In addition, courts have said any warrantless search must be work-related.

Answer:

Put together a team that includes a technical expert, an agent overseeing the case, and the prosecutor who will handle the case in court. Research the target computer system thoroughly before drafting a warrant or even devising a strategy for the case. Draft the warrant request and background affidavit carefully, describing the object of the search, the strategy and any questions of law likely to come up. Formulate an overall plan for the search, as well as a backup plan, based on knowledge about the target computer system.

Answer:

a search warrant before investigators can access stored electronic information, such as emails. If the government incidentally collects the information of innocent parties in the course of its computer search, those parties whose information was seized can file civil actions against the government. Investigators who incidentally seize information belonging to innocent third parties should act to protect the integrity of the information in order to avoid violating the EPCA.

Answer:

it may be located on computer systems in another District. In instances where agents suspect data may be stored in more than one district, investigators should consider seeking warrants for several districts to ensure that the evidence collected in the search is admissible in court.

Answer:

the opportunity to examine and seize evidence on a suspect’s computer before the suspect has a chance to destroy it. Following the search, law enforcement officials are expected to provide notice of the search to the suspect within a “reasonable” period of time, although this can be extended by the court for good cause. Law enforcement officials should seek prior approval from the court if they plan to make copies of the seized files on the target computer without informing the suspect.

Answer:

Communications with clergy, as well as documents related to legal and medical issues are considered privileged and not subject to a search. So investigators should take precautions when conducting a search that might result in the seizure of files containing this information. Investigators should devise a strategy for reviewing seized files so that no privileged documents are compromised or breached.

Answer:

The draft warrant describes the area to be searched and the property to be seized. The warrant must accurately describe in detail any computer hardware that is to be seized. If the investigators are only seeking information likely to be found on the computer system, the warrant should describe the information being sought rather than the hardware. The second document, the Affidavit, presents “probable cause”—how the property or information to be seized is related to a crime or wrongdoing. The affidavit also presents the strategy for the search, including the techniques that will be used to search for the information, and how the investigators propose to protect unrelated documents that may coexist with the targeted documents. The Affidavit should also address how investigators propose to deal with any practical problems that may arise when searching the computer onsite, and include a plan for removing the computer from the site, if that is necessary.

Answer:

Electronic communications services, through which customers send and receive electronic communications. Remote computing services, which provide storage or processing services. Investigators seeking access to stored email, account records or subscriber information from these providers have to meet strict privacy requirements in the ECPA.

Answer:

Issue a subpoena Obtain a state court order Produce a search Federal warrant The act allows companies to voluntarily disclose privileged information under certain circumstances, such as when the information is requested by the National Center for Missing and Exploited Children, or when a government entity believes there is an “emergency involving danger of death or serious physical injury.”

Answer:

Examine the computer onsite and print out a hard copy of targeted files Create an electronic copy of the targeted files, still onsite Create a duplicate electronic copy of the entire storage disk while still onsite Remove the computer to an offsite secure location in order to create an electronic copy of the storage disk The key factor in choosing a strategy is whether the entire storage device is being used for commission of a crime, or only specific files stored on the device. If the entire device is suspect, investigators will likely detail that allegation in the search warrant request and propose removing the device to a secure location where it can be examined.

Answer:

The Privacy Protection Act prohibits search and seizure of materials under the control of a news organization unless the writer is suspected of a crime or there is a life-threatening circumstance. If investigators believe a journalist or news organization may have information in the computer system related to a crime, they may not seize the computer files to look for the evidence because it is protected by the First and Fourth Amendment. However, when investigators are searching a suspect’s computer and incidentally seize material protected by the Privacy Protection Act, they will not necessarily be subject to prosecution.

Answer:

Preserve the evidence that is being sought. Refrain from disclosing the evidence request to their customer, unless the government agency is otherwise required to give prior notice to the customer.

Answer:

seeking to intercept electronic communications, both incoming and outgoing, in connection with the target of an investigation. A warrant is required to obtain Pen/Trap and race Orders. Under most conditions, law enforcement officials are only allowed to capture the phone numbers or computer addresses of those sending and receiving the communication. To obtain the Pen/Trap and Trace order, law enforcement must show how the information sought is related to an ongoing criminal investigation. An additional warrant, with more stringent probable cause requirements, is required in order to intercept the body of the phone call or electronic communication.

Answer:

is designed to protect citizens against unauthorized government surveillance. Under the statute, it is illegal to intentionally, or purposefully, intercept, disclose, or use the contents of any wire, oral, or electronic communication, which includes email. Violating the statute can mean that any information gained from the illegal search can be kept out of any criminal proceeding. It also can result in civil or criminal penalties. However, government agents are usually protected from liability for “reasonable” decisions made in good faith.

Answer:

the files are what the government says they are. Authentication of computer records may be challenged on the grounds that they were altered or damaged after they were seized, or by questioning the validity of the computer program that generated the files. Challenges may also focus on the identity of the author of the records. Investigators need to consider these challenges when they initially seize the records by following strict procedures for imaging the files, analyzing them and documenting the chain of custody.

Answer:

as the Hearsay Rule does not usually apply to computer-generated records themselves. But if the files to be introduced contain statements by a person that are directly related to the investigation, the statements by the person can be subject to the Hearsay Rule. One exception to the hearsay rule often invoked in a computer investigation is the business records exception, which states that records generated during the normal course of business are considered reliable and can usually be entered into evidence.

Answer:

Digital evidence is evidence stored or transmitted in digital format. It can take the form of: Graphic, spreadsheet, word processing files Audio or video files, Server or other log files Emails Internet browser histories. Investigators can collect digital evidence from: Storage media Network traffic Computer files collected during an evidence search

Answer:

There are several ways digital evidence can be manipulated: Can be maliciously tampered with Is unstable if not handled carefully Cannot always be traced Can be lost if computer is turned off Can be erased remotely or overwritten

Answer:

Wiping by over-writing files numerous times Hiding data under other files Using malicious code to cause data recovery software to malfunction Obscuring data by user numerous remailers to wipe out email header information.

Answer:

The Rules of Evidence determines whether a piece of evidence can be considered by a judge or jury deliberating a case. Knowing beforehand whether certain evidence will be allowed in court could affect the conduct of the investigation, so it is better to know the rules in advance. The Federal Rules of Evidence are extensive and the product of years of legal decisions by courts. In addition, states may have their own rules. The final decision on whether a piece of evidence is within the Rules is made by a judge. It is made before the evidence is introduced into the case.

Answer:

Volatile memory: Needs power to remain in the system; disappears when computer is turned off. Includes logged-on users, open files, network information and command history. Non-volatile memory: Used for secondary storage and persists when power is turned off. Includes hidden files, swap files registry settings, unused partitions and events logs. Transient data: Lost when computer is turned off. Includes open network connection, user logout, programs in memory and cache data. Fragile data: Information temporarily saved on the hard disk, it can be altered or erased. Includes access dates on files and last-access timestamps. Temporarily accessible data: Stored on the hard drive and accessible for limited time. Includes encrypted file information Active data: Data used for daily operations. Accessible. Archival data: Manages long-term storage Backup data: Copy of system data that can be accessed at time of recovery after system crash or other disaster Residual data: When a file is deleted, computer tags the deleted space as residual data; file can be retrieved until space is reused. Metadata: Contains record for a document, including format, and information about the file’s creation and any modifications

Answer:

Was destroyed in a fire or flood Was destroyed in the normal course of business Is being held by a third party

Answer:

Admissibility: Rule determines whether testimony or evidence can be introduced into evidence Admissibility of duplicate evidence: when duplicates can be allowed as evidence Hearsay Rule: In general, a statement that was not made in court cannot be used in the trial Exceptions to the hearsay rule: When hearsay rules can be waived

Answer:

founded in 1995, provides a venue for law enforcement officials from around the world to share information on cyber threats and computer forensics. Members share information at conferences and can communicate directly with other member agencies. The organization also establishes global principles for the proper handling of computer evidence. This significantly increases the odds that evidence originating in another country will be admissible in U.S. courts.

Answer:

the Scientific Working Group on Digital Evidence (SWGDE). Its mission is to forge cooperation and discussion on digital evidence issues, share best practices and ensure quality and consistency in the forensic field. The organization has established standards it hopes will be adopted by all forensic organizations, including a recommendation that all law enforcement organizations adopt Standard Operating Procedures (SOPs) for the collection, handing, examination and transfer of digital evidence, and that these SOPs be reviewed annually.

Answer:

An agency must use the hardware and software for seizing and examining evidence Investigators must record in writing all actions related to evidence seizure, storage, examination and transfer. The log must be available for review and for use in any court testimony. If an action has the potential to alter, damage or destroy the original evidence, it must be undertaken by qualified technicians according to prescribed procedures.

Answer:

User-created files: Document or text files, address books, database and spreadsheets, image and graphic files, Internet bookmarks and favorites User–protected files: Compressed and encrypted files, password protected and hidden files, and files hidden within other files Computer-created files: Backup and log files, temporary files, swap files, system and configuration files, printer spool files, cookies and history files

Answer:

Hard Drive: Data stored magnetically in different file formats: Evidence can be in text, video, picture, database, multimedia and program files. Thumb Drive: Removable storage device connects using USB port. Evidence can be found in text, graphics image and 0picture files. Memory Card: Removable storage device used in cameras, PDAs and computers. Data preserved when power turned off. Evidence can be found in event and chat logs, text, picture and image files and Internet browsing history. Removable, portable storage devices: CDss, DVDs, Tapes and Blu-ray are all used to store digital information in text, praphics, multimedia and video files.

Answer:

evidence in the form of the information about the user, configurations and permissions. Smart Card: a device that contains an encryption key or password and electronic certificate. Dongle: Copy protection device that attaches to computers to control access to an application. Biometric scanner: Controls access by identifying physical characteristics of a user.

Answer:

Telephone answering machines Digital cameras Modems Handheld devices Pager Printer Telephone Copier Digital watches Scanners Global Positioning Systems (GPS) Fax machines Credit card skimmers

Answer:

LAN card and Network Interface Card (NIC): Evidence is found in the Media Access Control (MAC) address Routers, Hubs and Switches: These devices connect separate computers or networks. For routers, evidence is found in the configuration files. For hubs and switches, evidence is found embedded in the devices. Servers: Evidence is found in the computer. Network cables and connectors: Evidence is found on the devices.

Answer:

List evidence sources by priority: where it is to be found and how stable is it? and then, Decide whether the evidence will be documented in place by photographs or other means. Check for electromagnetic interference in areas where the evidence will be stored. Evaluate the condition of the evidence after it has been moved, packed or stored. Determine whether continuous power is needed to avoid data loss on electronic devices.

Answer:

Estimate the impact of the security incident and the investigation on the business and then, Create a detailed map of the computer network affected by the incident and include details of how it night be affected by the incident List possible outcomes for any legal actions and communication about the incident with outside parties Draft a proposed action plan Review and preserve any reports and logs produced during the assessment phase Prepare summaries of interviews with users and network administrators

Answer:

Does a crime involve counterfeit documents? Evidence might be found on a scanner or printer. A hacker might store hidden stolen files on his computer A dealer in illicit narcotics might store incriminating information in spreadsheets on a personal electronic device A person sending threatening letters might have copies on a computer.

Answer:

Confiscate storage media as well as computers Seize and books associated programs associated with the crime Prevent suspects from touching the devices to be seized. Take care not to turn off power to the device.

Answer:

Perform the operation on the investigator’s computer and then, Ensure that the investigator’s device recognizes the seized device when the two devices are attached Make sure that the investigator’s storage device is completely clean Use write protection software on both the hardware and software on the original computer and storage disks to preserve the evidence

Answer:

an exact replica of the files and hard drive being seized. The copying process transfers each bit from the original disk being seized to the same spot on a new storage medium, preserving any evidence intact. Bit-stream backups need to be made for all disks and hard drives seized as part of the evidence. The computers being seized should not be operated until these copies have been made.

Answer:

fragile and can be damaged or even destroyed if it is mishandled by investigators. Damaged evidence can be challenged in court and rendered unusable. Investigators must take possession of the evidence in a way that protects the original evidence from any damage or tampering.

Answer:

Remove the case from the computer to allow access to the storage devices or hard drives Make sure the devices are protected from magnetic fields and static electricity Identify the devices that are to be seized Make note of all characteristics and configuration of the drive, including make, model, location, geometry, jumper settings and drive interface. Inventory internal components including sound and video cards, network and personal computer memory cards access card Disconnect storage devices from the motherboard or by disconnecting the data cable to avoid damage to the data.

Answer:

Examine the storage device to determine whether all space is accounted for, including host-protected areas Acquire the electronic serial number of the drive and other accessible host-specific data Copy the evidence to the examiner’s storage device using either duplication software, forensic software or a dedicated hardware device Compare the original to the duplicated version sector-by-sector to verify that the original data has been successfully acquired.

Answer:

Decide whether to collect the evidence directly from the target computer or over a network. Collecting from the computer directly gives the examiner more control over the computer and the data. Other factors to consider are the need for secrecy, the time frame of the investigation and the nature of the evidence. Prepare accurate documentation of the evidence being collected. Decide whether the investigation will be online or offline. In an offline investigation, evidence is analyzed on a bitwise copy of the evidence. In an online investigation, analysis is performed on the original evidence.

Answer:

Logs from internal- and external-facing network devices Storage devices that need to seized, including disks, storage devices and removable media Internal hardware devices

Answer:

Determine whether to remove the storage device from the computer and use the examiner's system to acquire the data. If removing a storage device from a computer, first verify that volatile data has been captured from the disk, then turn off power to the computer before removing the storage device. Create a bitwise copy of the evidence on the storage disk, preserve it in a backup destination, and ensure that the original data is written –protected. Record information about the internal storage devices, including information about the configurations. Verify the data collected and create checksums and digital signatures when possible to establish that the original and the copied data are identical

Answer:

Search: Process register Virtual and physical memory, Network state Processes that are running Tapes, floppy disks, hard disks, CD-ROM Printouts Check: List of open files (lsof) ARP cache Active network connections (netstate). Suggested forensic tools for collecting data: Guidance Software’s EnCase AccessData’s Forensic Toolkit

Answer:

RAM stores files for an application when the application is running. When the application is closed, information stored in RAM is lost and the space is used to store other files When seeking to collect evidence from RAM do not turn power to the computer off Evidence can be collected from RAM even when the hard disk has been wiped clean: use a utility to copy the RAM contents to a separate storage disk Note: when no RAM space is available for an application, the RAM contents are moved to a temporary swap file. Swap files are frequently overwritten, but an examiner can trace the swap file by searching for a particular file through its headers and footers.

Answer:

Don’t use the target device to look for evidence Document all the devices connected to the computer using photographs If the system is off, do not turn it on If the unit is turned on, photograph the screen If he computer is on and the screen is blank, move the mouse and photograph the screen Unplug all devices from the unit and label them for later identification If he computer is connected to a modem and router, turn off the power to those devices

Answer:

It is a road map that provides details on exactly how the evidence was collected, analyzed and preserved It documents the original data evidence and the logs It documents the transfer of evidence from one person to another in the investigation

Answer:

Seize any floppy disks at the scene in case they contain evidence Place tape on drive slots and power connector to prevent tampering Label and photograph connecting cables and transport with the device Check internal memory in PDA’s and digital cameras Make sure portable devices are charged Hold onto memory sticks and compact flash Transfer fragile data to a non-volatile device Refrain from using on-site hard drive to store fragile data Use virtual memory sparingly to avoid data overwriting Use floppy disk to store small amounts of data Avoid using USB or a firewire drive to for data storage

Answer:

If victim’s computer is connected to the internet, duplicate the path used by the intruder to collect the data Disconnect the victim’s computer from the internet to prevent further damage When examining data, use a copy of the original data Do not use any program, including anti-virus program on the victim’s computer Take an image of the system if possible Document any changes in the system

Answer:

For CD’s and DVD’s, note the date, time and initials of examining officials Memory cards should be write protected For reel-to-reel tapes, remove the “write enable” Disk cartridges or removable hard drives should have tape over the notch For cassette tapes, remove the “record” tab For cartridge tapes, align arrows at safe mark

Answer:

Electronic evidence can be damaged by magnetic field, dust, and vibration Wear protective gloves when handling the evidence Store electronic evidence in secure, climate-controlled area Use protective bag to protect evidence from wireless signals Store magnetic evidence in anti-static bag

Answer:

Make at least two copies of the evidence and store one in a secure, tamper-free place Keep the chain of custody current and secure and create a check out-check-in list to document visitors to the evidence storage facility Ensure that no unauthorized person has access to the evidence, either in digital or physical form

Answer:

Ensure examiner of digital evidence is trained for this job Original evidence should not be used for examination Different types of investigations may call for different examination methods

Answer:

collects data from the physical drive without the structure of the file system. Logical extraction organizes the seized data based on operating systems, files systems and applications.

Answer:

Search by keyword allows examiner to see data not tied to the particular operating and file systems File carving may also identify files not accounted for by the file and operating system Examination of the partition structure can help identify files systems present and determine whether all of the space on the hard drive is accounted for

Answer:

Extract file system information to document directory structure, file attributes, names, date and time stamps, size and location. Extract files related to the examination Recover of deleted files Extract password-protected files, encrypted and compressed data Extract file slack Identify unallocated space

Answer:

Identify what you are looking for—search for what’s relevant. and then, Look carefully at operating system data, including clock drift, and signs that malicious applications or processes might be running or about to run. Study applications, processes and network connections. Use proper software tools

Answer:

Analyze the data using the bitwise copy of the original evidence and then, Use software to find out whether files are encrypted Uncompress compressed files Diagram the directory structure Identify files of interest Gather configuration data from the registry Search contents of targeted files Examine metadata of targeted files Use file viewer to view contents of the files without the original application

Answer:

Network service logs may reveal key events in the incident Examine packet sniffer or network monitor logs for clues about activities on the network Look at firewall, proxy server, intrusion detection system and remote access service logs

Answer:

Timeframe analysis Data hiding analysis Application and file analysis Ownership and possession To understand these results, it may be necessary to examine the request for service, review the legal authority for the search, and re-examine investigative and other leads.

Answer:

Review data and time stamps in the file system metadata Review system and application logs Match against user’s computer date and time as found in the BIOS

Answer:

Match file headers to file extensions to find any mismatches, which may indicate an intent to hide files Look for files that are encrypted, password protected and compressed; this may indicate intent to conceal data; Use software to search for files hidden within files—steganography

Answer:

Examine file names for patterns Examine individual files Identify operating systems Match files with applications on the system Examine relationships between files—internet searches with cache files, for example, and email files with attachments Scrutinize unknown file types Search users default storage location for files Examine users configuration files

Answer:

The key to an investigation may come from placing a user in the system at a time when other evidence presents proof of wrongdoing.

Answer:

Take notes when interviewing investigator Preserve copy of the search authority and chain of custody document Detail each action taken, including date, time, complete description of action and results Note operating system name software and patches.

Answer:

Files related to the original search Other files that support the findings Results of all searches of the system All internet evidence Analysis of any graphical evidence Registration data Data analysis Description of programs related to the investigation Hidden or masked data All supporting materials

Answer:

Account data at online auction sites Accounting or bookkeeping software Address books Customer information or credit card data Databases Internet browser history of cache files Digital camera software Email, correspondence, notes Financial records

Answer:

Chat logs Date and time stamps Digital camera software Email and other correspondence Games Graphic editing and viewing software Director and file names that describe images Internet logs Images Movie files

Answer:

Address books Configuration files Email and other correspondence Executable programs Internet activity logs IP addresses and usernames Internet relay chat logs Text files with usernames and passwords Source code

Answer:

Address books Diaries Email and other correspondence Financial records Images Internet activity logs Will and other legal documents Medical records Telephone records

Answer:

Database of customers and player records Customer credit card information Electronic currency Statistics on sports betting Image players

Answer:

Date and time stamps Email and other correspondence History log Internet activity log Temporary internet files User names

Answer:

Check, currency and money order images Credit card skimmers Images of signatures False financial forms Fraudulent Identification

Answer:

Internet activity logs Legal documents Telephone records Background research on victim Email and other correspondence Financial records

Answer:

Address book Calendar Databases Drug recipes False identification Email and other correspondence Financial records Prescription forms Internet activity log

Answer:

Address books and calendars Biographies Customer databases False identification Financial records Medical records Web advertising Internet activity log

Answer:

Chat logs Email and other correspondence Image files of software certificates Internet activity logs Serial numbers Software cracking utilities

Answer:

Cloning software and customer records Electronic serial number /Mobile identification pair records Email and other correspondence Financial records Manuals on how to Phreak Internet activity and telephone records

Answer:

Hardware and software tools, including digital cameras, credit card readers, credit card generators and scanners Internet activity, including email and newsgroup posting, online orders, online trading information, erased documents, system files and file slack, and activity at forgery sites ID templates, including birth certificates, check cashing cards, digital photo information, drivers license and fictitious vehicle registration,social security cards, electronic and scanned signatures Negotiable instruments, including business and cashiers checks, credit card numbers, counterfeit currency, fictitious court documents, loan documents and sales receipts.