INTRODUCTION – Digital Forensics
This module will cover the forensic process, different sources of forensic data, and the importance of the chain of custody during digital forensics.
Learning Objectives:
- Methods to identify a cyberattacker using network data
- Synthesize various sources of network data and data obtainable from each
- Describe the Layers of TCP/IP model and their relevance for digital forensics
- Meaningful forensic data provided by the different application components and types
- Recommended forensic methods of gathering log data in Windows, macOS, and Linux
- Contrast transient and persistent data with best practices for collecting each type
- Essential methods, tools, and considerations in the collection, preservation, and analysis of data files
- Language components of a forensic report and best practices in writing the same
Step of analysis in digital forensics - Inherent obstacles in forensic examination.
- The role that chain of custody plays in data collection.
- NIST’s three steps for data collection Investigate.
- Challenges presented by various data collection methods.
- Summary of digital forensic objectives.
- Cite standard data sources in digital forensics.
- What is Digital forensics?
FORENSIC COURSE OVERVIEW KNOWLEDGE CHECK
1. Digital forensics can be defined as the application of science to the identification, collection, examination, and analysis of what?
- Malware
- Data (CORRECT)
- Evidence
- Cybercriminals
2. According to NIST, the four (4) steps of the forensic process include which? (Select 4)
- Examination (CORRECT)
- Preserving
- Reporting (CORRECT)
- Investigating
- Analysis (CORRECT)
- Collection (CORRECT)
Partially correct!
THE FORENSICS PROCESS KNOWLEDGE CHECK
1. According to NIST, a forensic analysis should include four elements, Places, Items, Events and what?
- People (CORRECT)
- Methods
- Data
- Systems
2. True or False. Digital forensics report must contain details of every test conducted, the methods and tools used, and the results.
- True (CORRECT)
- False
3. Which section of a digital forensics report would contain a list of the steps you have taken to insure the integrity of the evidence?
- Overview & Case Summary
- Forensic Acquisition & Examination Preparation (CORRECT)
- Findings & Analysis
- Conclusion
4. Network activity, Application usage, Logs and Keystroke monitoring are all sources of what?
- Data (CORRECT)
- Malware
- Forensic dead-ends
- Leaks
5. What are the three (3) main hurdles that must be overcome when examining data? (Select 3)
- Dealing with a sea of data. A single hard drive will contains many thousands of files that are not relevant to our investigation. (CORRECT)
- Selecting the most effective tools to help with the searching and filtering of data. (CORRECT)
- Bypassing controls such as operating system and encryption passwords. (CORRECT)
- Not tripping malware booby traps that were setup to prevent examination of data.
Partially correct!
FORENSIC DATA KNOWLEDGE CHECK
1. True or False. Only data files can be effectively analyzed during a forensic analysis.
- True
- False (CORRECT)
2. Most data files are smaller than the number of blocks allocated to their storage by the file system, the unused spaces is known as what?
- Block buffer space
- Slack space (CORRECT)
- Free space
- Allocation overage space
3. What does file metadata known as “MAC” data stand for in the context of a forensic analysis?
- Machine Access Control
- Metadata associated with i/OS files
- Machine Allocated Content
- Modification, Access and Creation times (CORRECT)
4. Open files are considered which data type?
- Non-volatile
- Dynamic
- Volatile (CORRECT)
- Static
5. True or False. When collecting forensic data from a running system, you should always attempt to collect volatile data first.
- True (CORRECT)
- False
6. Which operating system has a “Target Disk Mode” that allows a forensic investigator to easily make a copy of the target hard drive?
- Mac OS X (CORRECT)
- Microsoft Window
- Linux
- UNIX
7. Which three (3) of the following are application components? (Select 3)
- Supporting files (CORRECT)
- Operating system DLLs
- Log files (CORRECT)
- Configuration settings (CORRECT)
Partially correct!
8. Which of these applications would likely be of the most interest in a forensic analysis?
- Email (CORRECT)
- OSI Application Layer protocols
- Patch files
- Operating system DLLs
9. What useful foresnsic data can be extracted from the Application layer of the TCP/IP protocol stack?
- HTTP addresses (CORRECT)
- TCP addresses
- UDP addresses
- ICMP addresses
10. Which device would you inspect if you were looking for failed attempts to penetrate your company’s network?
- Firewall (CORRECT)
- Intrusion detection system
- Packet sniffer
- Remote access server
DIGITAL FORENSICS ASSESSMENT
1. Digital forensics is commonly applied to which of the following activities?
- Criminal investigation
- Incident handling
- Data recovery
- All of the above (CORRECT)
2. NIST includes which three (3) as steps in collecting data? (Select 3)
- Develop a plan to aquire the data (CORRECT)
- Verify the integrity of the data (CORRECT)
- Acquire the data
- Normalize the data
Partially correct!
3. What is the primary purpose of maintaining a chain of custody?
- So a person in possession of evidence will know who they are allowed to give it to next
- To keep valuable hardware securely locked to tables or floors.
- To allow for accurate client billing
- To avoid allegations of mishandling or tampering of evidence. (CORRECT)
4. True or False. Digital forensics had been used to solve a number of high-profile violent crimes.
- True (CORRECT)
- False
5. True or False. Digital forensics report is a summary of your findings. If your case goes to trial, your testimony can, and usually does, involve far more detail than is in the report.
- True
- False (CORRECT)
6. Which section of a digital forensics report would include using the best practices of taking lots of screenshots, use built-in logging options of your digital forensics tools, and exporting key data items into a .csv or .txt file?
- Overview & Case Summary
- Forensic Acquisition & Examination Preparation
- Findings & Analysis (CORRECT)
- Conclusion
7. Which types of files are appropriate subjects for forensic analysis?
- Data files
- Image and video files
- Application files
- All of the above (CORRECT)
8. Deleting a file results in what action by most operating systems?
- The memory registers used by the file are erased and marked as available for new storage.
- The file is copied to a trash or recycle folder and the original memory registers are erased.
- The memory registers used by the file are marked as available for new storage but are otherwise not changed. (CORRECT)
- Random data is immediately copied into the memory registers used by the file to obfuscate the previous contents.
9. Forensic analysis should always be conducted on a copy of the original data. What type of copying is appropriate for getting data from a live system that cannot be taken offline?
- An incremental backup
- A logical backup (CORRECT)
- A disk-to-file backup
- A disk-to-disk backup
10. How does a forensic analysis use hash sets acquired from NIST’s Software Reference Library project?
- They can quickly eliminate known good operating system and application files from consideration. (CORRECT)
- They provide a record of known encrypted malware.
- Hashes will help you quickly zero in on deleted files.
- They are useful in identifying files that were created outside the United States.
11. Which three (3) of the following data types are considered non-volatile? (Select 3)
- Dump files (CORRECT)
- Swap files (CORRECT)
- Free space
- Logs (CORRECT)
Partially correct!
12. Configuration files are considered which data type?
- Static
- Volatile
- Dynamic
- Non-volatile (CORRECT)
13. True or False. When collecting forensic data from a running system, you should always attempt to collect non-volatile data first.
- True
- False (CORRECT)
14. Which three (3) of the following are application components? (Select 3)
- OSI Application Layer protocols
- Data files (CORRECT)
- Authentication mechanisms (CORRECT)
- Application architecture (CORRECT)Application architecture (CORRECT)
Partially correct!
15. Which of these applications would likely be of the least interest in a forensic analysis?
- Patch files (CORRECT)
- Chat
- Web host data
16. The Internet layer of the TCP/IP stack, also known as the Network layer in the OSI model, contains which two (2) protocols that are very useful to a forensic investigation? (Select 2)
- UDP
- IPv4 / IPv6 (CORRECT)
- LDAP
- ICMP (CORRECT)
Partially correct!
17. Which device would you inspect if you were looking for event data correlated across a number of different network devices?
- Firewall
- Remote access server (CORRECT)
- Packet sniffer
- Intrusion detection system
18. Which of these sources might require a court order in order to obtain the data for forensic analysis?
- Intrusion detection systems
- System Event Management systems
- ISP records (CORRECT)
- Firewalls
CONCLUSION – Digital Forensics
This module, in summary, has focused on outlining the forensic process and its various sources, while also emphasizing the importance of the chain of custody in forensic investigations.
Armed with this comprehension, you are now better prepared to traverse the complicated world of forensic analysis while safeguarding the integrity of whatever find during the investigatory voyage.