Welcome back to Digital Forensic Concepts. This is our final project, and these are the questions with the answers.

Question 1: What are the four phases of a complete computer forensic examination? The answer is collection and storage, the preservation process, analysis and testing, and reporting and testifying.

Question 2: What is the difference between criminal and civil offenses? Criminal law deals with offenses against the state. The burden of proof is proof beyond a reasonable doubt, and the punishment can include time in jail. Civil law deals with violations of contracts, lawsuits, divorces, and custody cases. Civil cases often have a financial aspect. The burden of proof is a preponderance of the evidence.

Question 3: What does the Fourth Amendment guarantee people? The Fourth Amendment guarantees that the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated, and that no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized. So it is the right of the people to be secure in their homes against unreasonable searches and seizures, and no warrant will be issued unless there is probable cause, and that probable cause has to include the place to be searched and the person or thing to be seized. If you violate the Fourth Amendment, that will result in the evidence being thrown out.

Question 4: What is a consent search, and can consent be withdrawn? A consent search is when a person gives permission for an official to seize and search their property. Consent should be given in writing; it must be given freely and without coercion, and yes, consent can be withdrawn at any time.

Question 5: What is a preservation request? A preservation request is when we ask a provider to preserve, for a period of 90 days, records it has in its possession, pending the issuance of legal process such as a search warrant. We can only ask for information already in their possession, not future information. We must have a date and time with an IP address to request records, and we may need to provide an account number or other information. This would be when we are requesting records from an Internet service provider or some type of social media account.

Question 6: What is a search warrant? A search warrant is a legal document that authorizes the search and/or seizure of property. Search warrants are issued upon the legal standard of probable cause, and they are supported by oath. A search warrant authorizes the search of a place to look for evidence, contraband, or stolen property to be used as evidence in a criminal case.

Question 7: Explain the Daubert Rule. The Daubert Rule is a test regarding the admissibility of scientific evidence. It requires that the technique used to obtain evidence has been tested and verified, has been subject to peer review and publication, has a known rate of error, and is a method that has been accepted by the scientific community.

Question 8: What are ethics, and how do they relate to digital forensics? Well, ethics are a set of principles that guide a person's behavior. In our profession, if we make poor ethical decisions, we can ruin a case or even our careers. Unethical behavior may also severely disrupt the lives or businesses of those being investigated, and it can lead to civil action; we can be sued for unethical behavior.

Question 9: What is Locard's Principle? Locard's Principle has to do with the cross-transference of evidence. When a person or an object comes in contact with another person or object, evidence is exchanged, and this exchange can link the perpetrator of a crime to a particular place, victim, or another piece of evidence. Locard's Principle applies to computer forensics as well: electronic activities produce artifacts. When we interact with a computer, we produce artifacts that are detectable through our digital forensic examinations.

Question 10: List the stages of the scientific method. Well, first we make an observation. We develop a hypothesis based on our observation. We test that hypothesis to see whether it is accurate, and then we verify the hypothesis. If the hypothesis is true, we draw a conclusion; if not, we need to form another hypothesis.

Question 11: What is the difference between a witness and an expert witness? A witness is a person who provides testimony under oath and is subject to perjury laws. You cannot lie under oath; that is perjury. A witness has a connection to the incident, or has information about the incident being investigated. An expert witness is a witness with expert knowledge, skill, experience, and training. They are considered an expert in a specific field, and they are usually paid. They do not necessarily have any connection to the crime itself; they are an expert in the field that is being talked about.

Question 12: What are the three V's of big data forensics? We have volume, which refers to the complexity and size of the data. Velocity refers to the speed at which modern data travels. Variety refers to unstructured and/or multi-structured data. Those are the three V's of big data forensics.

Question 13: Give examples of how a crime scene can be documented. Well, we can document a crime scene with photographs, we can document it with video, and we can draw diagrams to document our crime scene.

Question 14: What is digital evidence? Digital evidence is anything that can hold data, such as a computer, a tablet, a cell phone, a router, a watch, a camera, an internal or external drive, smart TVs, smart devices, refrigerators, Nest and Echo devices, etc. Anything that can hold data is considered digital evidence.

Question 15: What facts should be documented when collecting evidence? Well, we want to document who collected the evidence, where the evidence was found, and when the evidence was found, referring to the date and time. What is the evidence? You want to describe it: make, model, serial number. Why is the evidence being seized? Is it covered by a warrant? Is it obviously contraband or stolen property?

Question 16: What does the preservation of digital evidence entail? Well, we want to prevent destruction of the original evidence. We want to make no changes to the original evidence. We want to maintain the integrity of the original evidence from the time we collected it throughout the court proceedings.

Question 17: If, when you are searching for evidence, you find a device that is turned off, in general you should do what? The answer is leave it off.

Question 18: If you find a device that is turned on, in general you should do what? If we find a device that is turned on, we want to photograph all the open windows, whether it is a computer, a tablet, or a phone. If the device has a screen, photograph all the open windows. We want to note any running applications and processes, any destructive processes, and any encryption. Then we would collect the RAM, the volatile memory. If we encounter a destructive process, we want to immediately pull the plug from the back of the device or, in the case of a laptop or a phone, remove the battery; if you cannot remove the battery, hard shut down the device.

Question 19: When should an examiner use write protection, and, part two, why would an examiner use write protection? We are always going to use write protection when we are working with the original evidence, when we are previewing or live imaging. Why we use it: forensic examiners use write protection to prevent changes to or destruction of the original evidence.

Question 20: What is volatile data? Volatile data is data that is eradicated, data that goes away, when the device loses power; data not written to a hard drive. An example is RAM, random access memory. Some malware will only be alive in RAM. Certain registry keys, running processes, and network connections are some examples of data that we would find in RAM as volatile data.

Question 21: What is encryption, and what data types can encryption be applied to? Encryption is the process of randomizing data, making it unreadable. This is done to secure the data and prevent unauthorized access. Encryption can be applied to files, containers, volumes, and disks.

Question 22: What would be some reasons to conduct live imaging? Well, if we find a computer turned on and we see encryption running, we may want to do live imaging so we can capture an unencrypted logical image of that volume. If your system cannot be shut down, you might be forced to do live imaging, for instance if you are dealing with a server or a network that cannot be shut down. Or if we are collecting RAM: RAM has to be collected live, because if it loses power the RAM goes away and you cannot collect it.

Question 23: When and why do forensic examiners only use sterile media for evidence collection? Well, forensic examiners only use sterile media for evidence collection to ensure that no pre-existing data is on the target drive. We do this to avoid cross-contamination. Forensic examiners use sterile media when collecting evidence and when copying evidence onto a storage device.

Question 24: Why do forensic examiners validate their hardware and software tools? Forensic examiners validate their hardware and software tools to ensure the accuracy of their findings and conclusions. We want to become aware of any software issues, and we want to avoid having our findings called into question.

Question 25: What does a full forensic image of a physical disk contain? We are talking about from sector zero to the end of the drive. It is a full forensic copy, commonly referred to as an image. It is going to contain allocated files, file slack, deleted files, unallocated space, unused space, the space prior to the volume, an HPA (host protected area), and a DCO.

Question 26: What is a hash value? A hash value is a way to represent data with a unique numerical value using a mathematical algorithm. It is like a fingerprint of a file.

Question 27: Will the size of the data change the length of the hash value? The answer is no. Regardless of the size of the data, the result is a fixed-length hexadecimal value. Among the common hash types we have MD5, which is a 128-bit value; it is always 128 bits, 32 characters long. Whether you are hashing a one gigabyte folder or a 10 terabyte drive, it is a 128-bit value; it does not change based on the size of the data. We have SHA-1, which is 160 bits, 40 characters, and SHA-256, which is a 256-bit value, 64 characters.

Question 28: List some of the common uses of hashing. Why do we use hashing? What can we use it for? Well, we can use it to ensure data integrity during transmission. If we know the hash value of the file we are supposed to be receiving, once our transmission is done we can hash that file. If the hash value matches, then we know that we have gotten a good copy of that data.
It can also be used for sector checking and file integrity, and we use it to validate forensic copies of hard drives, our forensic images, to show that no changes were made to the original evidence.

Question 29: Describe the TCP (Transmission Control Protocol) handshake used to initiate data transfer. The device requesting the communication sends a packet with the SYN bit turned on. The receiving device sends back a packet with the SYN and ACK bits turned on. The device requesting the communication, the first device, the one that originally sent the packet with the SYN bit turned on, then sends back a packet with the ACK bit turned on, and then communication starts. That is the TCP handshake.

Question 30: What is the function of DNS (Domain Name Service)? DNS translates our alphanumeric web addresses, or URLs, into IP addresses and vice versa.

Question 31: What is a MAC address? A MAC address is a hardware identification number that uniquely identifies each device on a network. It is burnt into the network card of the device, and it is unique to that device and that device only.

Question 32: What are case-specific keywords? Case-specific keywords are keywords that relate to one specific case. Some examples could be the names of the people involved in our case, usernames for those people, addresses, whether email or physical addresses, phone numbers, a certain type of slang that your particular suspect uses, URLs that they frequently visit, and filenames of interest, filenames that may be pertinent to that one specific case.

Question 33: What would a forensic examiner be looking for using this grep search? Let's take a look at our grep search. The answer is an IP address. We have got grep, so we know we are using grep and not extended grep. Here is our expression. We have our square brackets with a range of zero through nine, so we are looking for a number between zero and nine. It is going to occur either one or three times. This is a range: either it occurs once or it occurs three times. Then we are going to see a dot, and then it repeats: a numeric value of zero through nine occurring one or three times followed by a dot, a numeric value of zero through nine occurring one or three times followed by a dot, a numeric value of zero through nine occurring one or three times, and that describes an IP address. Because this is grep and not egrep, you have to escape the brackets, the special characters, so that they function as operators. Otherwise it will look for a literal square bracket or a literal curly bracket. If this were egrep, we would not have to use those escape characters, but we would have to use an escape character on the dot.

Question 34: What are some of the limitations of a text-based keyword search? This is plaintext: you are searching for a word either in a file or across your entire drive, but some of the things that would impede your text-based searches are bit shifting, which is when a file is altered at the binary level, the bits actually moved around using some type of hex editor; encryption, because with encryption our text is not plaintext anymore, it is scrambled; compression, where we would have to decompress the files and then run the keyword search to get our hits; and the use of non-word characters. An example of that is replacing a letter with a number, replacing an O with a zero or an E with a three, which will defeat your plaintext keyword searching.

Question 35: What are some of the considerations and qualities a forensic examiner must think about to produce a well-written report? Well, for a well-written report we must consider our target audience. Who are we writing this report for? Is it somebody who is highly technical? Is it our boss? Is it somebody who is going to be on a jury? Who is our audience? Who are we writing the report for?
We want to make it clear and unambiguous. We want it to be detailed but concise. It has to be fact-based and unbiased, and the report should include any exculpatory findings. Exculpatory findings are findings that tend to prove somebody's innocence.

End of final project, questions and answers.
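The grep expression described in Question 33, run against constructed sample text, together with a plain keyword search that shows the letter-for-digit limitation from Question 34. This is an added example, not a slide or script from the lecture; the sample lines and function names are constructed for illustration, and the script assumes a grep that supports -o (GNU and BSD grep both do).

```shell
#!/bin/sh
# Added example (not from the lecture): the Question 33 pattern run with plain
# grep, and a plain keyword search showing the Question 34 limitation.
# Assumes a POSIX grep with -o support (GNU or BSD grep).

# Basic regular expression: one to three digits, a literal dot, four groups.
# In grep (not egrep) the braces must be escaped to act as interval operators;
# unescaped, grep would look for literal { and } characters.
IPV4_BRE='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

# Same pattern for egrep / grep -E: braces are operators already, but the dot
# still needs escaping or it would match any character.
IPV4_ERE='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# Constructed sample text standing in for lines pulled from an evidence drive.
sample_text() {
  cat <<'EOF'
login from 192.168.1.25 user=jdoe
no address on this line, just evidence of activity
connection to 10.0.0.1:443 established
version string 1.2.3 is not an address
bogus 999.999.999.999 still matches, the pattern does not check octet range
note: 3vid3nce spelled with digits is missed by a plain keyword search
EOF
}

# Every IPv4-looking token in the sample, one per line, via grep and via egrep.
find_ipv4()     { sample_text | grep -o  "$IPV4_BRE"; }
find_ipv4_ere() { sample_text | grep -Eo "$IPV4_ERE"; }

# Number of IPv4-looking tokens found (3 in the sample above).
count_ipv4() { find_ipv4 | wc -l | tr -d ' '; }

# Plain-text keyword search, case-insensitive, returning the number of lines hit.
# The line that swaps letters for digits (3vid3nce) is not hit, which is the
# Question 34 limitation; the bogus 999.x line shows the pattern is a loose
# shape match, so hits still need a human or a stricter check behind them.
keyword_hits() { sample_text | grep -ic "$1"; }
```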
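A second added example for Questions 26 to 28, not from the lecture: it checks that MD5, SHA-1 and SHA-256 digests stay 32, 40 and 64 hex characters whether the input is one byte or several megabytes, and it performs the copy-versus-original comparison an examiner uses to show a forensic copy is unchanged. It assumes the GNU coreutils md5sum, sha1sum and sha256sum commands; the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the lecture) for Questions 26 to 28: digest length
# does not depend on input size, and hashing verifies a copy against the original.
# Assumes GNU coreutils md5sum, sha1sum and sha256sum.

# Hex digest of a file with the given tool (md5sum, sha1sum or sha256sum).
digest() { "$1" "$2" | cut -d' ' -f1; }

# Length in characters of that digest.
digest_len() { digest "$1" "$2" | awk '{print length($0)}'; }

# Two constructed inputs of very different sizes: 1 byte and 4 MiB of zeros.
make_samples() {
  dir=$(mktemp -d)
  printf 'a' > "$dir/tiny.bin"
  dd if=/dev/zero of="$dir/big.bin" bs=1024 count=4096 2>/dev/null
  echo "$dir"
}

# One line per algorithm: "<tool> <len of tiny digest> <len of big digest>".
# Expected 32 32, 40 40 and 64 64: 128, 160 and 256 bits written in hex.
show_lengths() {
  dir=$(make_samples)
  for t in md5sum sha1sum sha256sum; do
    echo "$t $(digest_len "$t" "$dir/tiny.bin") $(digest_len "$t" "$dir/big.bin")"
  done
  rm -rf "$dir"
}

# Return 0 only when the SHA-256 of two files is identical, the same check an
# examiner uses to show a forensic copy matches the original evidence. A single
# appended byte on the copy is enough to make the digests differ.
hashes_match() { [ "$(digest sha256sum "$1")" = "$(digest sha256sum "$2")" ]; }
```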