Exam (elaborations)

Digital Forensics in Cybersecurity - C840

Rating
-
Sold
-
Pages
15
Grade
A+
Uploaded on
29-03-2023
Written in
2022/2023

Digital Forensics in Cybersecurity - C840

FAT

Stores file locations by sector in a file called the file allocation table. This table contains information about which clusters are being used by which particular files and which clusters are free to be used.

NTFS (New Technology File System)

File system used by Windows NT 4, 2000, XP, Vista, 7, Server 2003, and Server 2008. One major improvement of this system was the increased volume sizes.

Extended file system

System created specifically for Linux. There have been many versions; the current version is 4.

ReiserFS

Popular journaling file system, used primarily with Linux. It was the first file system to be included with the standard Linux kernel, and first appeared in kernel version 2.4.1.

The Berkeley Fast File System

This is also known as the UNIX file system. Uses a bitmap to track free clusters, indicating which clusters are available and which are not.

Data hiding

Storage of data where an investigator is unlikely to find it.

Data transformation

Disguising the meaning of information.

Data contraception

Storage of data where a forensic specialist cannot analyze it.

Data fabrication

Uses false positives and false leads extensively.

File system alteration

Corruption of data structures and files that organize data.

Daubert standard

Any scientific evidence presented in a trial has to have been reviewed and tested by the relevant scientific community. For a computer forensics investigator, that means that any tools, techniques, or processes you utilize in your investigation should be ones that are widely accepted in the computer forensics community. You cannot simply make up new tests or procedures. The factors are: (1) whether the theory or technique in question can be and has been tested; (2) whether it has been subjected to peer review and publication; (3) its known or potential error rate; (4) the existence and maintenance of standards controlling its operation; and (5) whether it has attracted widespread acceptance within a relevant scientific community.

The Federal Privacy Act of 1974

Prohibits unauthorized disclosures of records (about people, citizens, individuals) maintained by Federal Agencies. Also allows individuals the ability to request to review their record.

The Privacy Protection Act of 1980 (PPA)

Protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public. Journalists who most need the protection of the PPA are those who are working on stories that are highly controversial or about criminal acts, because the information gathered may also be useful to law enforcement.

The Communications Assistance to Law Enforcement Act of 1994

A federal wiretap law for traditional wired telephony to allow cops to wiretap with a warrant. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.

The Electronic Communications Privacy Act of 1986

Prevents unauthorized government access to individuals' private electronic communications (things done on the computer or saved on the computer).

The Computer Security Act of 1987

Was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

The Foreign Intelligence Surveillance Act of 1978 (FISA)

A law that allows for collection of "foreign intelligence information" between foreign powers and agents of foreign powers using physical and electronic surveillance. A warrant is issued by the FISA court for actions under FISA.

The Child Protection and Sexual Predator Punishment Act of 1998

Requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement.

The Children's Online Privacy Protection Act of 1998 (COPPA)

Protects children 13 years of age and under from the collection and use of their personal information by Web sites. It is noteworthy that COPPA replaces the Child Online Protection Act of 1988 (COPA), which was determined to be unconstitutional.

The Communications Decency Act of 1996

Was designed to protect persons 18 years of age and under from downloading or viewing material considered indecent. This act has been subject to court cases that subsequently changed some definitions and penalties.

The Telecommunications Act of 1996

Allows anyone to enter the communication business and compete against other businesses. Prevents one business from dominating (for example, Cox Cable, Charter Cable, Verizon Fios, etc.).

The Wireless Communications and Public Safety Act of 1999

Allows for collection and use of "empty" communications, which means nonverbal and nontext communications, such as GPS information.

The USA Patriot Act

Allows the use of certain tools to intercept and obstruct terrorism (such as money laundering and financing of terrorism through internet and telecommunication).

The Sarbanes-Oxley Act of 2002

Contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

Real evidence

A physical object that someone can touch, hold, or directly observe. Examples of real evidence are a laptop with a suspect's fingerprints on the keyboard, a hard drive, a universal serial bus (USB) drive, or a handwritten note.

Documentary evidence

Data stored as written matter, on paper or in electronic files. THIS includes memory-resident data and computer files. Examples are e-mail messages, logs, databases, photographs, and telephone call-detail records. Investigators must authenticate documentary evidence.

Testimonial evidence

Information that forensic specialists use to support or interpret real or documentary evidence. For example, they may employ THIS to demonstrate that the fingerprints found on a keyboard are those of a specific individual. Or system access controls might show that a particular user stored specific photographs on a desktop.

Demonstrative evidence

Information that helps explain other evidence. An example is a chart that explains a technical concept to the judge and jury. Forensic specialists must often provide testimony to support the conclusions of their analyses. For example, a member of an incident response team might be required to testify that he or she identified the computer program that deleted customer records at a specified date and time.

Sector

The basic unit of data storage on a hard disk, which is usually 512 bytes.

The premier federal agency tasked with combating cybercrime.

The United States Secret Service.

Internet forensics

The process of piecing together where and when a user has been on the Internet. For example, you can use THIS to determine whether inappropriate Internet content access and downloading were accidental.

Malware forensics

Is also known as software forensics.

Why should you note all cable connections for a computer you want to seize as evidence?

In case other devices were connected. To reach a conclusion and turn raw information into supportable, actionable evidence, a forensic specialist must identify and analyze corroborating information, such as what devices or connections are involved with a computer in question. In other words, it is often the case that a single piece of information is not conclusive. It often takes the examination and correlation of multiple individual pieces of information to reach a conclusion.

Discarded information

Any documents that are thrown out without first being shredded could potentially aid an identity thief.

Monitoring employees

You can monitor employee activities, but only on company systems.

Fraud

Any attempt to gain financial reward through deception is fraud.

_____ is a popular DoS tool.

Trin00 is another popular DoS tool. It was originally available only for UNIX but is now available for Windows as well. It is an alternative to TFN. One common technique attackers use is to send the Trin00 client to machines via a Trojan horse. Then, the infected machines can all be used to launch a coordinated attack on the target system.

Cyberstalking

The use of electronic communications to harass or threaten another person. While some conduct involving annoying or menacing behavior might fall short of illegal stalking, such behavior may be a prelude to stalking and violence and should be treated seriously.

TFN

Tribal Flood Network is a distributed denial of service tool.

Which of the following crimes is most likely to leave e-mail evidence?

Cyberstalking or harassment is using electronic communications to harass or threaten another person.

What is the starting point for investigating denial of service attacks?

Tracing the packets. When investigating denial of service attacks launched from a single machine, the obvious task is to trace the packets coming from that machine. It is common for attackers to spoof some other IP address, but not as common for them to spoof a MAC address, which is related to the underlying hardware. If the attacker is not savvy enough to spoof the MAC address, then each packet contains evidence of the actual machine that it was launched from.

Where would you seek evidence that Ophcrack had been used on a Windows Server 2008 machine?

In the logs of the server; look for the reboot of the system. If you see a reboot followed by a successful logon with an account like Administrator, it is an indication that a tool like Ophcrack might have been used.

What is the primary reason to take cyberstalking seriously?

It can be a prelude to real-world violence. While some conduct involving annoying or menacing behavior might fall short of illegal stalking, such behavior may be a prelude to stalking and violence and should be treated seriously.

When investigating a virus, what is the first step?

Document the virus. Viruses are remarkably easy to locate, but difficult to trace back to the creator. The first step is to document the particulars of the virus—for example, its behavior, the file characteristics, and so on. Then, you must see if there is some commonality among infected computers. For example, if all infected computers visited the same Web site, then it is likely that the Web site itself is infected. In addition, numerous sources of information about known viruses are available on the Internet from software publishers and virus researchers, which is very useful in doing forensic research.

The first step in any investigation is to make a copy of the suspected storage device. It is a _____ practice to make _____ copies of the drive. This gives you one to work with and a backup in the event that you'll need it.

Common, Two.

Another reason to make a copy of the suspected storage device

Another examiner will need to review the original information, or there may be a need for another investigator to do his or her own examination. There are many situations in which another examiner will need to review the original information.

In the field of forensics, a forensic specialist's most valuable asset is ________________.

Your reputation is the most important thing you have. If you overextend beyond your actual skills, it is likely to come out at trial. Even one occasion of being found to have been exaggerating, fabricating, or overextending yourself during testimony can ruin your reputation and your career.

__________ of forensic processing methodologies and findings is critical.

Documentation of forensic processing methodologies and findings is critical. Without proper documentation, a forensic specialist has difficulty presenting findings. When security or audit findings become the object of a lawsuit or a criminal investigation, the legal system requires proper documentation.

Three basic tasks related to handling evidence

A system forensics specialist has three basic tasks related to handling evidence: find evidence, preserve evidence, and prepare evidence.

Slack space

The unused space between the logical end of file and the physical end of file. It is also called file slack.

File slack

The unused space between the logical end of file and the physical end of file. It is also called slack space.

Bob was asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend for or against using a disk-imaging tool?

A simple DOS copy will not include deleted files, file slack, and other information. A disk-imaging tool is highly recommended to create an evidence copy of a disk. A simple DOS copy will not include deleted files, file slack, and other information that a disk-imaging tool will.

BackTrack

A Linux Live CD that you use to boot a system and then use the tools.

Helix

A customized Linux Live CD used for computer forensics. The suspect system is booted into Linux using the Helix CDs and then the tools provided with Helix are used to perform the analysis. This product is robust and full of features, but simply has not become as popular as AccessData's FTK and Guidance Software's EnCase.

Life span

How long information is valid. The term is related to volatility. More volatile information tends to have a shorter life span.

Disk Investigator

A free utility that comes as a graphical user interface for use with Windows operating systems.

Three primary types of data

There are three primary types of data that a forensic investigator must collect: volatile data, temporary data, and persistent data.

RAID 0

Disk striping. Distributes data across multiple disks in a way that gives improved speed for data retrieval.

RAID 1

Mirrors the contents of the disks. The disk is completely mirrored so there is an identical copy of the drive running on the machine.

RAID 3 or 4

Striped disks with dedicated parity. Combines three or more disks in a way that protects data against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.

RAID 5

Striped disks with distributed parity. Combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3, but the parity is not stored on one dedicated drive; instead, parity information is interspersed across the drive array. The storage capacity of the array is a function of the number of drives minus the space needed to store parity.

RAID 6

Striped disks with dual parity. Combines four or more disks in a way that protects data against loss of any two disks.

RAID 1+0 or 10

Mirrored data set, which is then striped. Requires a minimum of four drives: two mirrored drives to hold half of the striped data, plus another two mirrored drives for the other half of the data.

Logical analysis

Analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data.

Physical analysis

Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Physical analysis is looking for things that may have been overlooked, or are invisible, to the user.

Scrubber

Software that cleans unallocated space. Also called a sweeper.

Sweeper

A kind of software that cleans unallocated space. Also called a scrubber.

Temporary data

Data that an operating system creates and overwrites without the computer user taking a direct action to save this data.

Unallocated space

Free space, or the area of a hard drive that has never been allocated for file storage.

What Linux command can be used to wipe a target drive?

dd

The only way to clean unallocated space

Sweepers or scrubbers.

What Linux command can be used to create a hash?

md5sum. In Linux, the following command hashes a partition: md5sum /dev/hda1

(Steganography) Payload

The information to be covertly communicated. In other words, it is the message you wan

