Computer Forensics - CORRECT ANSWER A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computers in a way that is legally admissible
Cyber Crime - CORRECT ANSWER Any illegal act involving a computing device, network, its systems, or its applications. Both internal and external
Enterprise Theory of Investigation (ETI) - CORRECT ANSWER Methodology for investigating criminal activity
Types of Cyber Crime - CORRECT ANSWER Civil, Criminal, Administrative
Civil Cases - CORRECT ANSWER Involve disputes between two parties. Brought for violation of contracts and lawsuits where a guilty outcome generally results in monetary damages to the plaintiff
Criminal Cases - CORRECT ANSWER Brought by law enforcement agencies in response to a suspected violation of law where a guilty outcome results in monetary damages, imprisonment, or both
Administrative Cases - CORRECT ANSWER An internal investigation by an organization to discover if its employees/clients/partners are abiding by the rules or policies (Violation of company policies). Non-criminal in nature and are related to misconduct or activities of an employee
Rules of Forensic Investigation - CORRECT ANSWER Safeguard the integrity of the evidence and render it acceptable in a court of law. The forensic examiner must make duplicate copies of the original evidence. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. Must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level.
Cyber Crime Investigation Methodology/Steps - CORRECT ANSWER 1. Identify the computer crime
2. Collect preliminary evidence
3. Obtain court warrant for discovery/seizure of evidence
4. Perform first responder procedures
5. Seize evidence at the crime scene
6. Transport evidence to lab
7. Create two bitstream copies of the evidence
8. Generate MD5 checksum of the images
9. Maintain chain of custody
10. Store original evidence in secure location
11. Analyze the image copy for evidence
12. Prepare a forensic report
13. Submit a report to client
14. Testify in court as an expert witness
Locard's Exchange Principle - CORRECT ANSWER Anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind when they leave.
Types of Digital Data - CORRECT ANSWER Volatile Data
Non-volatile Data
Volatile Data - CORRECT ANSWER Temporary information on a device that requires a constant power supply and is deleted if the power supply is interrupted
Non-Volatile Data - CORRECT ANSWER Secondary storage of data. Long-term, persistent data.
Permanent data stored on secondary storage devices, such as hard disks and memory cards.
Characteristics of Digital Evidence - CORRECT ANSWER 1. Be Relevant
2. Be probative
3. Be authentic
4. Be accurate
5. Be complete
6. Be convincing
7. Be admissible
Admissible evidence - CORRECT ANSWER Evidence that can be legally and properly introduced in a civil or criminal trial.
Evidence is relevant to the case
Authentic Evidence - CORRECT ANSWER Evidence that is in its original or genuine state.
Investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence
Complete Evidence - CORRECT ANSWER Evidence must either prove or disprove the fact
Reliable Evidence - CORRECT ANSWER Evidence that possesses a sufficient degree of likelihood that it is true and accurate
Evidence must be proven dependable when the evidence was extracted
Believable Evidence - CORRECT ANSWER Evidence must be presented in a clear manner and expert opinions must be obtained where necessary
Rules of Evidence - CORRECT ANSWER Rules governing the admissibility of evidence in trial courts.
Best Evidence Rule - CORRECT ANSWER States that secondary evidence, or a copy, is inadmissible in court when the original exists.
Duplicate evidence will suffice under the following conditions:
-Original evidence is destroyed due to fire or flood
-Original evidence is destroyed in the normal course of business
-Original evidence is in possession of a third party
Forensic Readiness - CORRECT ANSWER An organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.
Fourth Amendment - CORRECT ANSWER Protects against unreasonable search and seizure. Government agents may not search or seize areas or things in which a person has reasonable expectation of privacy, without a search warrant.
Chain of Custody - CORRECT ANSWER a written record of all people who have had possession of an item of evidence
Rule 101: Scope - CORRECT ANSWER These rules govern proceedings in the courts of the United States and before United States bankruptcy judges and United States magistrate judges, to the extent and with the exceptions stated in rule 1101.
Rule 102: Purpose and Construction - CORRECT ANSWER These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined.
Rule 105: Limited Admissibility - CORRECT ANSWER When evidence that is admissible as to one party or for one purpose but not admissible as to another party or for another purpose is admitted, the court, upon request, shall restrict the evidence to its proper scope and instruct the jury accordingly
Rule 801: Hearsay - CORRECT ANSWER "Hearsay" means a statement that:
(1) the declarant does not make while testifying at the current trial or hearing; and
(2) a party offers in evidence to prove the truth of the matter asserted in the statement.
Rule 1002. Requirement of the Original - CORRECT ANSWER An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise.
Rule 1003. Admissibility of Duplicates - CORRECT ANSWER A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original's authenticity or the circumstances make it unfair to admit the duplicate.
Rule 1004. Admissibility of Other Evidence of Content - CORRECT ANSWER Admissibility of Other Evidence of Content
Scientific Working Group on Digital Evidence (SWGDE) - CORRECT ANSWER Brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.
Computer Forensics Investigation Process - CORRECT ANSWER 1. Pre-Investigation
2. Investigation
3. Post-Investigation
Pre-Investigation - CORRECT ANSWER Tasks performed prior to investigation
Setting up a computer forensics lab, toolkit, and workstation
Investigation - CORRECT ANSWER Main phase in computer forensics investigation
Acquisition, preservation, and analysis of the data
Post-Investigation - CORRECT ANSWER Reporting and documentation of all the actions undertaken and the findings
Ensure that the target audience can easily understand the report
Ensure report provides adequate and acceptable evidence
Computer Forensics Laboratory - CORRECT ANSWER Work area considerations (50-63 sq. ft per station); no windows
ASCLD/Lab Accreditation
ISO/IEC 17025
Forensic Hardware Tools - CORRECT ANSWER FRED, Paraben's StrongHold, PC-3000 Data Extractor, Paraben's Chat Stick, RAPID IMAGE 7020 X2, RoadMASSter-3 X2, ZX-Tower, Data Recovery Stick, Tableau T8-R2 Forensic USB Bridge
FRED - CORRECT ANSWER Acquires data directly from hard drives and storage devices
Paraben's StrongHold - CORRECT ANSWER blocks out wireless signals
PC-3000 Data Extractor - CORRECT ANSWER Diagnoses and fixes file system issues, so data can be obtained
Paraben's Chat Stick - CORRECT ANSWER Thumb drive device; searches the entire computer and scans for chat logs
RAPID IMAGE 7020 X2 - CORRECT ANSWER Copy one "Master" hard drive to up to 19 "Target" hard drives
RoadMASSter-3 X2 - CORRECT ANSWER Ruggedized portable lab for HDD data acquisition and analysis.
ZX-Tower - CORRECT ANSWER Secure sanitization of hard disk
Data Recovery Stick - CORRECT ANSWER Recovers deleted files