Rules of Evidence
4 parts to Daubert Criteria
1. Must be Tested
2. Peer Reviewed
3. Error Rate Established
4. Accepted by the professional community
What do the Daubert criteria provide?
Sets a standard for expert testimony
Ensures methods have been tested.
Allows evidence into court.
Name three ways to write info to a CD
1. Track at Once
2. Disc at Once
3. Packet Writing
Can all info on a CD be read by all OSs?
No, it depends on how the file was written.
How do you verify the integrity of copied data
Compare hash values of the original to the copy.
Why is it important to hash both the original and the copy?
This is important for ensuring you have an identical copy of the data to make it admissible in court.
Tell me about Raw Image Files
The image contains only the data from the source. Extra info (tags, details, etc) are not attached to the image itself.
Tell me about Embedded Image Files
Contains both the source data and information about the acquisition, like hash values, date, time, etc. There is compression, so some data might be lost.
Do Floppy disks formatted for FAT12 have a partition table?
Does the USB storage token have partitions?
Does the Iomega zip disk have partitions?
Yes, 1
Does RAID use multiple disks to provide redundancy and performance?
Disk spanning uses multiple disks to form a larger single volume, but not for redundancy or performance.
What happens when disks are formatted quickly?
The file table on the disk is cleared; however, the data remains behind.
How many partitions can be stored on a drive?
Up to 4 different partitions
Why is it beneficial to know how a suspect has partitioned his/her drive?
It allows you to get all the files on the system. It ensures you have copied the drive entirely.
How can a suspect hide a partition? (2 ways)
1. Change the partition type
2. Move the pointer of one partition and have it point to another.
Why do we need to image memory?
To get a copy of the exact state of the system. Includes things like running processes, encryption keys, decrypted data, network settings/sockets, user input, screen captures, copy/paste etc.
Describe the direct access method of acquiring a disk image.
Accessing and copying the data while the system is still running/on.
Describe the method of using the BIOS to access data and perform a disk image.
Accessing the data through the BIOS in order to avoid the host OS (typically used at boot up).
What was Mathieu Orfila famous for?
Poison detection and its effect on animals
</gml_replace>
<gr_replace lines="52" cat="clarify" orig="What was Calvin">
What was Calvin Goddard famous for?
What was Francis Galton famous for?
What was Leone Lattes famous for?
Blood groupings /types
A, AB, O etc.
What was Calvin Gooddard famous for?
Ballistics, Firearms
What was Edmond Locard famous for?
Locard's Principle of Exchange - someone always leaves something at a crime scene.
What was Hans Gross famous for?
He was the father of criminalistics. He applied science to criminal investigations.
Who was Robert Morris Sr?
Worked for NSA
Who was Robert Morris Jr?
Invented 1st internet worm, 1st person to be tried for computer crime.
What was Sir Alec Jeffreys famous for?
Fingerprinting and DNA
What are core dump files useful for?
What can be extracted from them?
They are basically a recorded state of the computer. They can be useful in that they can provide evidence like encrypted passwords to files.