13 Cards in this Set
What is the Locard Exchange Principle and show how it would apply to computer forensics?
Locard's exchange principle states that "with contact between two items, there will be an exchange".

Applied to crime scenes in which the perpetrator(s) of a crime come into contact with the scene: they will bring something into the scene and leave with something from the scene.

Every contact leaves a trace, especially in an IT environment.
Identify 8 different types of activities that would be investigated by a digital forensics investigator?
Only give 8 examples!!

1. Disloyal Employees
2. Murder
3. Theft
4. Assault
5. IP Theft
6. Computer Break-ins
7. Internet Abuse
8. Email Abuse
What are the 4 types of disk duplication?
- Simple file copying
- Advanced file copying
- Partition duplication
- Forensic duplication
Give 4 reasons for the growth in the demand for digital forensics?
- Computers are everywhere and people are dependent on their smart phones for constant communication or entertainment.

- Most disputes, civil or criminal, are between people who know each other and interact using technology including email, phones and text messaging.

- Increase in Internet use and availability has created an increase in criminal activity like hacking, cyber-terrorism, identity theft, theft of intellectual property, fraud, and exploitation.

- Significantly, criminals think they are anonymous online and won’t be caught. This has led to increased criminal activity.

- Large companies, those that are publicly traded or store large amounts of private customer data, fear the large-scale loss of that intellectual property.
These companies fear the ramifications from regulatory agencies. There are fines and potential criminal penalties imposed for violations of various statutes designed to protect individuals and consumers.
How are the hash functions MD5 & SHA1 useful in Digital Forensics and explain the difference between them?
- Hashing is creating a “fingerprint” identification code so that it can be compared to another copy of the file / data to determine if it has been altered.

- It is used to verify integrity of evidence as exactly matching the original.

- MD5 creates a 16-byte value to uniquely identify a file and SHA1 creates a 20-byte value. SHA1 is newer.
Honeypot Question – 1 of the long questions – you must do 2 out of 3 questions...
- "A Honeypot is a resource whose value is in being attacked or compromised. This means that a Honeypot is expected to get probed, attacked and potentially exploited.
Honeypots do not fix anything. They provide us with additional, valuable information."

- Honeypots do not help directly in increasing a computer network’s security.

- They attract intruders and can therefore attract some interest from the Blackhat community i.e. hackers. Honeypots often "entice" a Cracker to try and break into your system because it looks easy.
Explain the different categories of honeypots and the type of involvement an attacker could have with each category?
Production Honeypots
- used to help transfer risk in an organization

Research Honeypots
- meant to gather as much information as possible

Low involvement
- only provides certain fake services
- an attacker cannot gain real access on the machine
- attacks can be identified and used to collect the identities of attackers

High involvement
- provides some real services with real vulnerabilities
- expectation is that the Honeypot gets compromised and further information can be collected. If an attack slips by undetected, the attacker can use the compromised machine as a base for other attacks
Why do attackers have many advantages over the digital forensic investigator?
- Mobility

- Intensity

- Lack of assets, therefore not worth a company's time trying to sue

- High level of knowledge sharing

- No real concern for the consequences

- Complacency of ISPs and s/w vendors
List 4 types of s/w tools available for mobile phone examination?
• Open source tools

• Self-developed tools

• Diagnostic tools

• Hacker tools
Explain the difference in acquiring evidence from a mobile phone through a cable interface compared with other methods?
- Acquisition through a cable interface generally yields superior results to other interfaces

- However, under certain conditions, a wireless interface such as infrared or Bluetooth can serve as a reasonable alternative
What are the 3 specialist areas of Digital Forensics Investigation?
• Law enforcement and criminal investigations

• Corporate incident response activities

• Civil / Private Investigations
Describe in detail how to begin a Forensic Examination and the incident response Procedure?
• Forensics and Analysis tasks take place AFTER response

• Response could be carried out by an administrative assistant, network administrator, manager, investigator or incident response team

• Initial response is critical to entire case

• First person on scene may not be highly trained in security and evidence preservation
Hardware & software Forensics investigations can involve time-critical work. To find evidence of wrongdoing (or not) what must be established?
Must establish:

• what happened
• where - location
• when - timeline
• how – methods, tools, etc.
• who and why – if possible

- Document all parts of the analysis ("Important")