CHAPTER 24

Digital Forensics

In this chapter, you will

•  Study basic concepts of forensics

•  Understand the legal basis behind forensic processes

•  Understand the steps of digital forensics processes

Computer forensics is certainly a popular buzzword in computer security. The term forensics relates to the application of scientific knowledge to legal problems. Specifically, computer forensics involves the preservation, identification, documentation, and interpretation of computer data. In many cases, digital forensics is the technical side of developing proof as to what happened or didn’t happen as part of an incident response effort. Digital forensics specifically uses scientific principles to provide assurance in explaining what digital evidence tells you about what either has or hasn’t happened with a computer system.

Certification Objective   This chapter covers CompTIA Security+ exam objective 5.5, Summarize basic concepts of forensics.

Order of Volatility

There are many sources of data in a computer system, and if the machine is running, some of these sources are volatile. Things such as the state of the CPU and its registers, RAM, and even storage are always changing, which can make the collection of electronic data a difficult and delicate task. These elements tend to change at different rates, and you should pay attention to the order of volatility, or lifetime of the data, so that you can prioritize your collection efforts after a security incident to ensure you don’t lose valuable forensic evidence. In some cases, you may have only one chance to collect volatile data, after which it becomes lost forever.

Following is the order of volatility of digital information in a system:

1. CPU, cache, and register contents (collect first)

2. Routing tables, ARP cache, process tables, kernel statistics

3. Live network connections and data flows

4. Memory (RAM)

5. Temporary file system/swap space

6. Data on hard disk

7. Remotely logged data

8. Data stored on archival media/backups (collect last)

EXAM TIP    Understanding the order of volatility of digital information in a system is a testable item—commit it to memory.

When collecting digital evidence, it is important to use proper techniques and tools. Some of the key elements are the use of write blockers when making forensic copies, hashing and verifying hash matches, documenting handling and storage, and protecting media from environmental change factors. Of particular note is that the data present on a system can be a function of both the file system and the hardware being employed. A physical hard disk drive (HDD) will persist data longer than a solid state drive (SSD). And the newer file systems with journaling and shadow copies can have longer persistence of information than older systems such as File Allocation Table (FAT) based systems. Raw disk blocks can be recovered in some file systems long after data has been rewritten or erased, due to the nature of how the file systems manage the data.

EXAM TIP    A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server. The offset between system time and true time can be lost if the system is powered down, so it is best to collect it while the system is still running.

Chain of Custody

After evidence is collected, it must be properly controlled to prevent tampering. The chain of custody accounts for all persons who handled or had access to the evidence. More specifically, the chain of custody shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained.

The following shows the critical steps in a chain of custody:

1. Record each item collected as evidence.

2. Record who collected the evidence along with the date and time it was collected or recorded.

3. Write a description of the evidence in the documentation.

4. Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.

5. Record all message digest (hash) values in the documentation.

6. Securely transport the evidence to a protected storage facility.

7. Obtain a signature from the person who accepts the evidence at this storage facility.

8. Provide controls to prevent access to and compromise of the evidence while it is being stored.

9. Securely transport the evidence to court for proceedings.

EXAM TIP    Never analyze the seized evidence directly. The original evidence must be secured and protected with a chain of custody. It should never be subjected to a forensic examination, because of the fragile nature of digital evidence. A forensic copy, however, can be examined and, if something goes wrong, discarded, and the copy process can be repeated. A good forensics process will prove that the forensic copy is identical to the original at the start and at the end of the examination. From a practical standpoint, investigators usually make multiple forensic copies and perform their analysis in parallel on the multiple copies.

Legal Hold

In the U.S. legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party “reasonably anticipates” litigation or another type of formal dispute. Although this sounds technical, it is fairly easy to grasp: once an organization is aware that it needs to preserve evidence for a court case, it must do it. The mechanism is fairly simple as well: once you realize your organization needs to preserve evidence, you must use a legal hold, or litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case. This event is usually triggered by one organization issuing a litigation hold request to another. Once an organization receives this notice, it is required to maintain a complete set of unaltered data, including metadata, of any and all information related to the issue causing the litigation hold. This means that ordinary data retention policies are no longer sufficient, and that even alterations to metadata can be considered a violation of the hold request. If a judge determines that a violation of a hold request may materially affect the ability of a jury to make a decision, the judge can instruct the jury to consider the act as hiding evidence. Major jury awards have been decided based on failure to retain information, as failure to comply can be seen as negligence.

Where does the information subject to a legal hold reside? Everywhere, including e-mail, office documents (electronic and paper), network shares, mobile phones, tablets, databases—everywhere the information is shared, all copies need to be produced unaltered, even if relevant documents were created years ago. Finding and managing all of this information falls under a branch of digital forensics called e-discovery, which deals with the identification, management, and preservation of digital information that is subject to legal hold.

Data Acquisition

Evidence consists of the documents, verbal statements, and material objects admissible in a court of law. Evidence is critical to convincing management, juries, judges, or other authorities that some kind of violation has occurred. It is vitally important to document all the steps taken in the collection of evidence, as these may be challenged in court and the processes followed as evidenced by the documentation will be all that can be used to demonstrate the veracity of the processes.

The submission of evidence is challenging, but it is even more challenging when computers are used, because the people involved may not be technically educated and thus may not fully understand what’s happened. Keep these points in mind as you collect evidence:

•  Who collected the evidence?

•  How was it collected?

•  Where was it collected?

•  Who has had possession of the evidence?

•  How was it protected and stored?

•  When was it removed from storage? Why? Who took possession?

Computer evidence presents yet more challenges, because the data itself cannot be sensed with the physical senses—that is, you can see printed characters, but you can’t see the bits where that data is stored. Bits of data are merely magnetic pulses on a disk or some other storage technology. Therefore, data must always be evaluated through some kind of “filter” rather than sensed directly by human senses. This is often of concern to auditors, because good auditing techniques recommend accessing the original data or a version as close as possible to the original data.

The next three topics, standards for evidence, types of evidence, and three rules regarding evidence, are covered for completeness but are not specifically listed in the exam objectives. Also not specifically covered are the tools used in data acquisition. Because the metadata of the data being acquired must be preserved unaltered, special tools are used to perform this task; ordinary DOS or system utilities will not work. Three main tool suites used are EnCase, Forensic Toolkit (FTK), and The Sleuth Kit (TSK, which is open source).

Standards for Evidence

For evidence to be credible, especially if it will be used in court proceedings or in corporate disciplinary actions that could be challenged legally, it must meet three standards:

•  Sufficient evidence The evidence must be convincing or measure up without question.

•  Competent evidence The evidence must be legally qualified and reliable.

•  Relevant evidence The evidence must be material to the case or have a bearing on the matter at hand.

Types of Evidence

All evidence is not created equal; some evidence is stronger than other evidence. Several types of evidence can be germane:

•  Direct evidence Oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.

•  Real evidence Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.

•  Documentary evidence Evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.

•  Demonstrative evidence Used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.

Three Rules Regarding Evidence

An item officially becomes evidence in a legal proceeding when a judge determines that it is admissible. Three rules guide a judge’s determination of whether to admit an item into evidence:

•  Best evidence rule Courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. In some instances, an evidence duplicate can be accepted, such as when the original is lost or destroyed by a natural disaster or in the normal course of business. A duplicate is also acceptable when a third party beyond the court’s subpoena power possesses the original. Copies of digital records, where proof of integrity is provided, can in many cases be used in court.

NOTE    Evidence rules exist at the federal and state levels and vary. Digital evidence is not always considered a “writing” and is not always subject to the best evidence rule.

•  Exclusionary rule The Fourth Amendment to the U.S. Constitution precludes unreasonable search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related violations of the U.S. Code, or other statutes, it may not be admissible to a court. For example, if no policy exists regarding the company’s intent to monitor network traffic or systems electronically, or if such a policy exists but employees have not been asked to acknowledge it by signing an agreement, sniffing employees’ network traffic could be a violation of the ECPA.

•  Hearsay rule Hearsay is second-hand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. Hearsay is inadmissible unless it falls under one of the many recognized exceptions (such as those delineated in FRE 803). Typically, computer-generated evidence is considered hearsay evidence, as the maker of the evidence (the computer) cannot be interrogated. Exceptions are being made where items such as logs and headers (computer-generated materials) are being accepted in court. Computer evidence is typically brought into a case by an expert witness who can speak for the data and what it means.

NOTE    The laws mentioned here are U.S. laws. Other countries and jurisdictions may have similar laws that would need to be considered in a similar manner.

Capture System Image

Imaging or dumping the physical memory of a computer system can help identify evidence not available on a hard drive. This is especially appropriate for rootkits, where evidence on the hard drive is hard to find. Once the memory is imaged, you can use a hex editor to analyze the image offline on another system. (Memory-dumping tools and hex editors are available on the Internet.) Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If a case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memory is acceptable; otherwise, the defendant will be able to easily dispute the claim that evidence was not tampered with.

The other system image is that of the internal storage devices. Making forensic duplicates of all partitions is a key step in preserving evidence. A forensic copy is a bit-by-bit copy and has supporting integrity checks in the form of hashes. Hash functions are covered in Chapter 27. The proper practice is to use a write blocker when making a forensic copy of a drive. This device allows a disk to be read, but prevents any writing actions to the drive, guaranteeing that the copy operation does not change the original media. Once a forensic copy is created, working copies from the master forensic copy can be created for analysis and sharing with other investigators. The use of hash values provides a means of demonstrating that all of the copies are true to each other and the original.

EXAM TIP    A digital forensic copy can only be made with specific methods designed to perform bit-by-bit copying of the files, free space, and slack space, making a verifiably true copy of the medium as demonstrated by hash values.
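
The following is an added illustration, not code from this book or from any of the tool suites it names, of what a bit-by-bit copy with hash verification looks like in practice. It images a constructed stand-in for a small drive (one allocated block, one never-used block, one block still holding the remnant of a deleted file), hashes the source stream as it is read, independently re-hashes the image written to disk, and confirms that the unallocated remnant, which a file-level copy would never see, is present in the image. The device and image paths, the block contents, and the `demo` function are all assumptions made for the example; opening the source read-only in software is not a substitute for a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat however large the medium is


def sha256_file(path: str) -> str:
    """Chunked SHA-256 of a file on disk; used for the independent re-read of the image."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_device(source: str, dest: str) -> dict:
    """
    Bit-for-bit copy of `source` into `dest`, hashing the bytes as they are read.
    Opening the source read-only only stops this program from writing; it does not
    stop the operating system (journal replay, access-time updates), so the hardware
    write blocker stays in line during real collection regardless.
    Returns the values that would be entered in the case documentation.
    """
    read_digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            read_digest.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    image_digest = sha256_file(dest)  # hash what actually landed on disk, not the buffer
    return {
        "bytes": copied,
        "source_sha256": read_digest.hexdigest(),
        "image_sha256": image_digest,
        "verified": read_digest.hexdigest() == image_digest,
    }


def make_sample_device(path: str) -> None:
    """Constructed stand-in for a tiny drive: a live file block, a never-used block,
    and a block that still carries the remnant of a deleted file (free/slack space)."""
    live = b"LIVE-FILE:quarterly-report.docx".ljust(4096, b"\x00")
    free = b"\x00" * 4096
    remnant = b"DELETED-INVOICE:acme-2019.pdf".ljust(4096, b"\xff")
    with open(path, "wb") as f:
        f.write(live + free + remnant)


def demo() -> dict:
    """Image the constructed device and check that the unallocated remnant survived."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb.bin")   # assumed path for the constructed device
        image = os.path.join(tmp, "sdb.raw")    # assumed path for the raw image
        make_sample_device(device)
        result = image_device(device, image)
        with open(image, "rb") as f:
            result["remnant_preserved"] = b"DELETED-INVOICE" in f.read()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two digests are taken from different places on purpose: one from the bytes as they leave the source, one from a fresh read of the destination file. Only when they agree has the copy been shown to be true to the medium, which is the claim the hash values in the case file are there to support.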

Network Traffic and Logs

An important source of information in an investigation can be the network activity associated with a device. There can be a lot of useful information in the network logs associated with network infrastructure. The level and breadth of this information is determined by the scope of the investigation. While the best data would come from a live network forensic collection process, in most cases this type of data will not be available. There are many other sources of network forensic data, including firewall and IDS logs, network flow data, and event logs on key servers and services.

Capture Video

A convenient method of capturing significant information at the time of collection is video capture. Videos allow high-bandwidth data collection that can show what was connected to what, how things were laid out, desktops, and so forth. A picture can be worth a thousand words, so take the time to document everything with pictures. Pictures of serial numbers and network and USB connections can prove invaluable later in the forensics process. Complete documentation is a must in every forensics process, and photographs can assist greatly in capturing details that would otherwise take a long time and be prone to transcription error.

Another source of video data is the CCTVs that are used for security, both in industry and, in growing numbers, homes. Like all other digital information, CCTV video can be copied and manipulated and needs to be preserved in the same manner as other digital information.

EXAM TIP    A digital camera is great for recording a scene and information. Screenshots of active monitor images may be obtained as well. Pictures can detail elements such as serial number plates, machines, drives, cable connections, and more. Photographs are truly worth a thousand words.

Record Time Offset

Record time offset is the difference in time between the system clock and the actual time. To minimize record time offset, most computers sync their time over the Internet with an official time source. Files and events logged on a computer will have timestamp markings that are based on the clock time on the machine itself. It is a mistake to assume that this clock is accurate. To allow the correlation of timestamp data from records inside the computer with any external event, it is necessary to know any time offset between the machine clock and the actual time. When collecting forensic data it is vitally important to collect the record time offset so that local variations in time can be corrected.
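
As an added worked example (not from the book), the following shows how a record time offset is measured and then applied when correlating a host's logs with an external event. The readings, the log lines, and the badge-reader window are all constructed for the example; the point it makes is that the same five-minute window selects different log entries before and after the offset is applied.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed readings taken at the same instant while the machine was still running:
# its own clock, and an external NTP source used as "true" time.
SYSTEM_READING = datetime(2024, 3, 5, 14, 2, 40, tzinfo=UTC)
NTP_READING = datetime(2024, 3, 5, 13, 58, 10, tzinfo=UTC)

# Constructed log lines as the machine itself stamped them (local, uncorrected clock).
LOG_LINES = [
    "2024-03-05T13:40:12Z sshd[812]: Accepted publickey for svc_backup from 10.0.0.7",
    "2024-03-05T13:41:05Z kernel: usb 1-2: new high-speed USB device number 4",
    "2024-03-05T13:43:50Z smbd[990]: copy /srv/finance/q1.xlsx -> /media/usb0/q1.xlsx",
    "malformed line without a timestamp",
]

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")


def record_time_offset(system_time: datetime, reference_time: datetime) -> timedelta:
    """Offset = system clock minus true time; positive means the machine runs fast."""
    return system_time - reference_time


def to_true_time(local_timestamp: datetime, offset: timedelta) -> datetime:
    """Map a timestamp from the machine's own records onto the external timeline."""
    return local_timestamp - offset


def parse_log(lines):
    """Return (timestamp, message) for well-formed lines; skip anything else."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)
            events.append((ts, m.group(2)))
    return events


def correct_log(lines, offset: timedelta):
    """Same events, with every timestamp moved onto true time."""
    return [(to_true_time(ts, offset), msg) for ts, msg in parse_log(lines)]


def events_in_window(events, start: datetime, end: datetime):
    return [msg for ts, msg in events if start <= ts <= end]


def demo() -> dict:
    """Correlate the host log with a badge-reader window recorded in true time."""
    offset = record_time_offset(SYSTEM_READING, NTP_READING)
    # Constructed external fact: the badge reader (true time) shows the person
    # in the server room from 13:36:00 to 13:41:00.
    start = datetime(2024, 3, 5, 13, 36, 0, tzinfo=UTC)
    end = datetime(2024, 3, 5, 13, 41, 0, tzinfo=UTC)
    return {
        "offset_seconds": offset.total_seconds(),
        "uncorrected": events_in_window(parse_log(LOG_LINES), start, end),
        "corrected": events_in_window(correct_log(LOG_LINES, offset), start, end),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the machine running 4 minutes 30 seconds fast, the uncorrected log puts only the SSH logon inside the badge window, while the corrected timeline puts the USB attach and the file copy inside it instead. Record the offset and the reference source at collection time; once the machine is powered off, the figure can no longer be measured.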

Take Hashes

If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn’t modified. In most cases, a tool that implements a hashing algorithm to create message digests is used.

A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file). If a subsequent hash created on the same data stream results in a different hash value, it usually means that the data stream was changed.

The mathematics behind hashing algorithms has been researched extensively, and although it is possible that two different data streams could produce the same message digest, it is very improbable. This is an area of cryptography that has been rigorously reviewed, and the mathematics behind Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) is very sound. In 2005, weaknesses were discovered in the MD5 and SHA algorithms, leading the National Institute of Standards and Technology (NIST) to announce a competition to find a new cryptographic hashing algorithm, named SHA-3. Although MD5 is still used, best practice would be to use the SHA-2 series, and SHA-3 once it becomes integrated into tools.

The hash tool is applied to each file or log and the message digest value is noted in the investigation documentation. It is a good practice to write the logs to a write-once media such as a CD-ROM. If the case actually goes to trial, the investigator may need to run the tool on the files or logs again to show that they have not been altered in any way.

NOTE    The number of files stored on today’s hard drives can be very large, with literally hundreds of thousands of files. Obviously, this is far too many for the investigator to analyze. However, by matching the message digests for files installed by the most popular software products to the message digests of the files on the drive being analyzed, the investigator can avoid analyzing approximately 90 percent of the files because he can assume they are unmodified. The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles into a Reference Data Set (RDS) available for download as a service. See www.nsrl.nist.gov.

Screenshots

Pay particular attention to the state of what is on the screen at the time of evidence collection. The information on a video screen is lost once the system changes or power is removed. Take screenshots, using a digital camera or video camera, to provide documentation as to what was on the screen at the time of collection. Because you cannot trust the system internals themselves to be free of tampering, do not use internal screenshot capture methods.

Witness Interviews

Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked “Did you lock the file system?” and can’t answer affirmatively. Or, when asked “When you imaged this disk drive, did you use a new system?” the witness can’t answer that the destination disk was new or had been completely formatted using a low-level format before data was copied to it. Witness preparation can be critical in a case, even for technical experts.

As human memory is not as long lasting as computer files, it is important to get witness testimony and collect that data as early as possible. Having them write down what they remember immediately is very helpful in preserving memory.

Preservation

When information or objects are presented to management or admitted to court to support a claim, that information or those objects can be considered as evidence or documentation supporting your investigative efforts. Senior management will always ask a lot of questions—second- and third-order questions that you need to be able to answer quickly. Likewise, in a court, credibility is critical. Therefore, evidence must be properly acquired, identified, protected against tampering, transported, and stored.

One of the key elements in preservation is to ensure nothing changes as a result of data collection. If a machine is off, do not turn it on—the disk drives can be imaged with the machine off. Turning on the machine causes a lot of processes to run and data elements to be changed. When making a forensic copy of a disk, always use a write blocker; this prevents any changes to the media being imaged. Normal copying leaves traces and changes behind, and a write blocker prevents these alterations.

Digital evidence has one huge, glaring issue: it can change, and not leave a record of the change. The fact that the outcome of a case can hinge on information that can be argued as not static leads to the crucial element of preservation. From the initial step in the forensics process, the most important issue must always be preservation of the data. There is no recovery from data that has been changed, so from the beginning of the collection process, safeguards must be in place. There are several key steps that assist the forensic investigator in avoiding data spoliation. First, when data is collected, a solid chain of custody is maintained until the case is completed and the materials are released or destroyed. Second, when a forensic copy of the data is obtained, a hash is collected as well, to allow for the verification of integrity. All analysis is done on forensic copies of the original data collection, not the master copy itself. And each copy is verified before and after testing by comparing hash values to the original set to demonstrate integrity.

This process adds a lot of work, and time, to an investigation, but it yields one crucial element—repudiation of any claim that the data was changed, tampered, or damaged in any way. Should a hash value vary, the action is simple. Discard the copy, make a new copy, and begin again. This process shows the courts two key things: process rigor to protect the integrity of the data, and traceability via hash values to demonstrate the integrity of the data and the analysis results derived from the data.
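
The hash-driven workflow described in the Take Hashes and Preservation sections, as an added example that is not code from the book or from any forensic tool suite: working copies are derived from a master forensic copy and proven identical to it, each analysis session verifies the copy's hash before and after the tool runs (a mismatch afterwards marks the copy for discard and the results as unusable), and a constructed reference hash set stands in for an NSRL-style Reference Data Set to filter out known, unmodified files. The image contents, file names, the "careless tool" that writes to its copy, and the `demo` function are assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024


def sha256_file(path: str) -> str:
    """Chunked SHA-256; this is the message digest that goes into the case documentation."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def working_copy(master: str, master_hash: str, dest: str) -> str:
    """Derive a working copy from the master forensic copy and prove it is identical."""
    shutil.copyfile(master, dest)
    if sha256_file(dest) != master_hash:
        raise RuntimeError("working copy does not match master; discard it and copy again")
    return dest


def verified_analysis(copy: str, master_hash: str, analyze) -> dict:
    """
    Hash the working copy before and after `analyze(copy)` runs. If the post-analysis
    hash differs, the results cannot be tied back to the original and the copy is
    discarded; a fresh copy is made and the analysis repeated.
    """
    before = sha256_file(copy) == master_hash
    result = analyze(copy) if before else None
    after = sha256_file(copy) == master_hash
    return {"before_ok": before, "after_ok": after, "accepted": before and after, "result": result}


def unknown_files(paths, reference_digests):
    """NSRL-style filtering: drop every file whose digest is in the reference data set."""
    return [p for p in paths if sha256_file(p) not in reference_digests]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        master = os.path.join(tmp, "master.raw")
        with open(master, "wb") as f:  # constructed image content
            f.write(b"\x00" * 2048 + b"EVIDENCE-IMAGE" + b"\xff" * 2048)
        master_hash = sha256_file(master)

        copy_a = working_copy(master, master_hash, os.path.join(tmp, "copy_a.raw"))
        copy_b = working_copy(master, master_hash, os.path.join(tmp, "copy_b.raw"))

        def read_only_search(path):  # a well-behaved tool: reads, never writes
            with open(path, "rb") as f:
                return f.read().count(b"EVIDENCE")

        def careless_tool(path):  # a misbehaving tool: alters one byte of the copy
            with open(path, "r+b") as f:
                f.seek(0)
                f.write(b"\x01")
            return 0

        good = verified_analysis(copy_a, master_hash, read_only_search)
        bad = verified_analysis(copy_b, master_hash, careless_tool)

        # Known-file filtering. The names and contents are constructed; the reference
        # set plays the role of the NSRL RDS digests for vendor-shipped files.
        contents = {
            "kernel32.dll": b"os-shipped-binary",
            "notepad.exe": b"os-shipped-editor",
            "notes.txt": b"meeting at 3, bring the drive",
        }
        paths = []
        for name, data in contents.items():
            p = os.path.join(tmp, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        reference = {
            hashlib.sha256(b"os-shipped-binary").hexdigest(),
            hashlib.sha256(b"os-shipped-editor").hexdigest(),
        }
        to_review = [os.path.basename(p) for p in unknown_files(paths, reference)]

        return {"good": good, "bad": bad, "to_review": to_review}


if __name__ == "__main__":
    print(demo())
```

The value of hashing before and after is in the `bad` case: the tool reported a result, but because the post-analysis digest no longer matches the master, that result cannot be presented as derived from the original evidence, and the copy is thrown away rather than "repaired".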

EXAM TIP    Understanding not only the importance of data preservation but the process of assuring it using hash values is a very testable concept.

Recovery

Recovery in a digital forensics sense is associated with determining the relevant information for the issue at hand—simply stated, recover the evidence associated with an act. But what if the act is not precisely known? For example, suppose a sales manager for a company quits and goes to work with a competitor. Because she is a sales manager, she has had access to sensitive information that would benefit the new employer. But how do you know whether she took sensitive information with her? And even if she did, how do you determine for purposes of recovery which information she took, and where to look for it? Since forensics software has yet to invent a “Find Evidence” button, and there is no field in any computer protocol to tell investigators this is the data you are looking for, the act of recovering the necessary information can be a significant challenge. With today’s multi-terabyte drives, the volumes of data can be daunting.

Handing a forensic investigator a 1TB drive and saying “Tell me everything that happened on this machine” is tantamount to giving the investigator a never-ending task. The number of events, files, and processes that occur as a normal part of computing leads to literally thousands of events for every logon–work–logoff cycle. This is not a problem of finding a needle in a haystack; it’s a problem of finding a needle in the hay fields of Kansas! There are ways to trim the work: establishing timelines within which the suspected activity occurred; identifying keywords to find strings of information that make a record relevant; and, perhaps the most powerful for building a solid dataset, pinpointing specific activities that have associated logs of their occurrence. The latter strategy is associated with the idea of active logging, discussed in the next section.
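
The three trimming strategies just described (a timeline, keywords, and logs of specific activities), applied together to a constructed event set as an added example that is not from the book. The events, the sales-manager scenario, the resignation-day window, and the `recover` function are assumptions made for the example; every surviving record is tagged with the reason it was kept so the selection can be explained later.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed events (true time, source log, message) gathered from several logs on
# a departing sales manager's workstation and the servers it talked to.
EVENTS = [
    ("2024-02-01 09:12:03", "auth", "logon user=jsmith workstation=WS-17"),
    ("2024-02-01 09:30:44", "file", "read /srv/sales/pricing-2024.xlsx user=jsmith"),
    ("2024-02-01 09:31:10", "file", "read /srv/hr/holiday-calendar.pdf user=jsmith"),
    ("2024-02-01 17:05:21", "auth", "logoff user=jsmith workstation=WS-17"),
    ("2024-02-02 08:58:12", "auth", "logon user=jsmith workstation=WS-17"),
    ("2024-02-02 09:02:55", "usb",  "mass-storage attached serial=4C530001 user=jsmith"),
    ("2024-02-02 09:04:30", "dlp",  "copy to removable media: customer-list.csv user=jsmith"),
    ("2024-02-02 09:04:31", "dlp",  "copy to removable media: pricing-2024.xlsx user=jsmith"),
    ("2024-02-02 12:10:00", "file", "read /srv/sales/pricing-2024.xlsx user=dlee"),
    ("2024-02-03 10:00:00", "auth", "logon user=dlee workstation=WS-03"),
]


def in_timeline(events, start, end):
    """Timeline trim: keep only events inside the window the investigation cares about."""
    s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return [ev for ev in events if s <= datetime.strptime(ev[0], FMT) <= e]


def keyword_hit(message, keywords):
    """Keyword trim: case-insensitive substring match against the record text."""
    text = message.lower()
    return any(k.lower() in text for k in keywords)


def recover(events, start, end, keywords, activity_sources):
    """Keep in-window events that a keyword or a designated activity log flags,
    tagging each survivor with the reason(s) it was selected."""
    kept = []
    for ts, source, msg in in_timeline(events, start, end):
        reasons = []
        if keyword_hit(msg, keywords):
            reasons.append("keyword")
        if source in activity_sources:       # logs kept by an active-logging plan
            reasons.append("activity-log")
        if reasons:
            kept.append({"time": ts, "source": source, "message": msg, "reasons": reasons})
    return kept


def demo():
    """Window = the manager's last working day; keywords = the documents of concern;
    activity logs = removable-media attach and DLP copy events."""
    return recover(EVENTS, "2024-02-02 08:00:00", "2024-02-02 18:00:00",
                   ["pricing", "customer-list"], {"usb", "dlp"})


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Ten events become four, and each of the four carries a reason an investigator can state in testimony. The "activity-log" reason is the payoff of the active logging discussed next: those two sources exist only because someone decided in advance that copies to removable media were worth recording.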

Strategic Intelligence/Counterintelligence Gathering

Strategic intelligence gathering is the use of all resources to make determinations. This can make a large difference in whether a firm is prepared for threats or not. The same idea fits into digital forensics. Strategic intelligence can provide information that limits the scope of an investigation to a manageable level. If we have an idea of specific acts for which we would like to have demonstrable evidence of either occurrence or nonoccurrence, we can build a strategic intelligence data set on the information. Where is it, what is it, and what is allowed/not allowed are all pieces of information that, when arranged and analyzed, can lead to a data-logging plan to help support forensic event capture. Other events, such as the installation of data-wiping programs and their later removal, are also important to consider. The list of possibilities is long, but just like strategic threat intelligence, it is manageable, and by working not in isolation but in concert with other firms and professionals, a meaningful plan can emerge.

Counterintelligence gathering is the gathering of information specifically targeting the strategic intelligence effort of another entity. Knowing what people are looking at and what information they are obtaining can provide information into their motives and potential future actions. Making and using a tool so that it does not leave specific traces of where, when, or on what it was used is a form of counterintelligence gathering in action.

Active Logging

Ideally, you should minimize the scope of logging so that when you have to search logs, the event you are interested in stands out without being hidden in a sea of irrelevant log items. Before a problem occurs, if as part of the preparation phase the organization limits logging to specific events, such as copying sensitive files, then later, if questions arise as to whether the event happened or not, a log file exists to provide the information. When you have an idea of what information you will want to be able to examine, you can make an active logging plan that ensures the information is logged when it occurs, and if at all possible in a location that prevents alteration. Active logging is determined during preparation, and when it comes time for recovery, the advance planning pays off in the production of evidence. Strategic intelligence gathering provides the information necessary to build an effective active logging plan.

Track Man-Hours

Demonstrating the efforts and tasks performed in the forensics process may become an issue in court and other proceedings. Having the ability to demonstrate who did what, when they did it, and how long it took can provide information to establish that the steps were taken per the processes employed. Having solid accounting data on man-hours and other expenses can provide corroborating evidence as to the actions performed.

Chapter Review

In this chapter, you became acquainted with the application of digital forensics. The chapter opened with an explanation of the legal basis behind digital forensic work, and then progressed through the steps of data acquisition, preservation, and recovery. The chapter closed with a look at how strategic intelligence and active logging can greatly assist in making the desired digital artifacts available for use.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the list of correct answers at the end of the chapter.

1. Which of the following purposes for conducting computer forensics is also a description of what is referred to as incident response?

A. Investigating and analyzing computer systems as related to a violation of laws

B. Investigating computer systems that have been remotely attacked

C. Investigating and analyzing computer systems for compliance with an organization’s policies

D. None of the above

2. Volatile information locations such as the RAM change constantly, and data collection should occur in the order of volatility or lifetime of the data. Order the following list from most volatile (which should be collected first) to least volatile.

A. Routing tables, ARP cache, process tables, kernel statistics

B. Memory (RAM)

C. CPU, cache, and register contents

D. Temporary file system/swap space

3. A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server. Which of the following must be considered relative to obtaining a record time offset?

A. The record time offset can be lost if the system is powered down, so it is best collected while the system is still running.

B. The internal clock may not be recorded to the same level of accuracy, so conversions may be necessary.

C. External clock times may vary as much as 2 to 3 seconds, so it is best to obtain the time from several NTP servers to gain a more accurate reading.

D. Recording time to track man-hours is a legal requirement.

4. What is the term used to describe the process that accounts for all persons who handled or had access to a piece of evidence?

A. Secure e-discovery

B. Chain of custody

C. Evidence accountability process

D. Evidence custodianship

5. In the U.S. legal system, at what point does legal precedent require that potentially relevant information must be preserved?

A. When the owner is provided with a warrant to seize the storage device

B. At the instant a party “reasonably anticipates” litigation or another type of formal dispute

C. The moment any investigation is begun

D. When a law enforcement official or officer of the court requests that the storage device be secured to ensure no data is modified or destroyed

6. Which standard of evidence states the evidence must be convincing or measure up without question?

A. Direct evidence

B. Competent evidence

C. Relevant evidence

D. Sufficient evidence

7. Which standard of evidence states the evidence must be material to the case or have a bearing on the matter at hand?

A. Direct evidence

B. Competent evidence

C. Relevant evidence

D. Sufficient evidence

8. Which type of evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement), where the knowledge of the fact is obtained through the witness’s five senses, with no inferences or presumptions?

A. Direct evidence

B. Real evidence

C. Documentary evidence

D. Demonstrative evidence

9. Which type of evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact?

A. Direct evidence

B. Real evidence

C. Documentary evidence

D. Demonstrative evidence

10. Which rule states that evidence is not admissible if it was collected in violation of the Fourth Amendment’s prohibition of unreasonable search and seizure?

A. Best evidence rule

B. Hearsay rule

C. Exclusionary rule

D. Legal hold rule

11. Which rule of evidence addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred?

A. Best evidence rule

B. Hearsay rule

C. Exclusionary rule

D. Direct evidence rule

12. Which of the following would a capture video not be used to collect?

A. Serial number plates

B. Cable connections

C. System image

D. Physical layout and existence of systems

13. Which of the following performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check?

A. Record offset

B. Cryptographic algorithm

C. Authentication code

D. Hashing algorithm

14. What type of plan is implemented when you have an idea of what information you will want to be able to examine and want to ensure the information is logged when it occurs, and if at all possible in a location that prevents alteration?

A. System logging plan

B. Forensic logging plan

C. Investigative logging plan

D. Active logging plan

15. From the initial step in the forensics process, the most important issue must always be which of the following?

A. Preservation of the data

B. Chain of custody

C. Documenting all actions taken

D. Witness preparation

Answers

1. B. Investigating computer systems that have been remotely attacked is often referred to as incident response and can be a subset of the other two points.

2. C, A, B, and D. The most volatile elements should be examined and collected first and in this order.

3. A. Record time offset will be lost if the system is powered down, so it is best collected while the system is still running.

4. B. The chain of custody accounts for all persons who handled or had access to the evidence.

5. B. In the U.S. legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party “reasonably anticipates” litigation or another type of formal dispute.

6. D. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand.

7. C. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable.

8. A. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Real evidence is also known as associative or physical evidence and this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.

9. B. Real evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.

10. C. The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. This is addressed by the exclusionary rule. The best evidence rule addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. The hearsay rule addresses second-hand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. There was no discussion of a direct evidence rule.

11. A. The best evidence rule addresses the fact that courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. The hearsay rule addresses second-hand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. This is addressed by the exclusionary rule. There was no discussion of a direct evidence rule.

12. C. A system image is a dump of the physical memory of a computer system and would not be captured in a video. All of the others are static sources of information that a capture video is valuable in recording.

13. D. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file).

14. D. When you have an idea of what information you will want to be able to examine, you can make an active logging plan that ensures the information is logged when it occurs, and if at all possible in a location that prevents alteration.

15. A. While all of these are important, from the initial step in the forensics process, the most important issue must always be preservation of the data.