Exam 6 June 2018, questions and answers PDF

Title Exam 6 June 2018, questions and answers
Author Nuha Abozaid
Course Digital Forensics
Institution Charles Sturt University
Pages 8
File Size 232 KB
File Type PDF




AHMED

Exam 3

1. Briefly describe the triad that makes up computer security.

Investigators often work as a team to make computers and networks secure in an organization. The computer investigations function is one of three in a triad that makes up computing security. In an enterprise network environment, the triad consists of the following parts:

- Vulnerability assessment and risk management
- Network intrusion detection and incident response
- Computer investigations

2. What is steganography? Briefly describe how it is used to protect copyrighted material.

Steganography is a method of hiding data by using a host file to cover the contents of a secret message. The two major techniques are insertion and substitution. Insertion places data from the secret file into the host file; when you view the host file in its associated program, the inserted data is hidden unless you analyze the data structure. Substitution replaces bits of the host file with other bits of data.

3. Cell phones and mobile devices have often been used in committing crimes.

A. What are the two main concerns in the search and seizure procedures for cell phones and mobile devices? Give reasons for these concerns. (4 Marks)

The main concerns with mobile devices are loss of power, synchronization with cloud services, and remote wiping.

Volatility refers to the loss of content in memory or storage when the power is turned off; this is a big issue from a forensic point of view.

Reason 1: All mobile devices have volatile memory. Making sure they don't lose power before you can retrieve RAM data is critical.

Reason 2: A mobile device attached to a PC via a USB cable should be disconnected from the PC immediately. This helps prevent synchronization that might occur automatically and overwrite data.

B. The SIM card is necessary for the mobile equipment to function. Give 4 (four) uses or purposes that the SIM card provides.

- Identifies the subscriber to the network
- Stores service-related information
- Can be used to back up the device
- Security authentication

4. It is important for companies to formally establish and publish their policies regarding forensic investigations.

A. Give 4 (four) aspects or areas that these policies should address.

1. Records Management Policy
2. Security Guidance
3. Digital Preservation Policy
4. ICT Acceptable Use Policy

B. Give 4 (four) benefits that the company can get from establishing these policies.

1. Maintenance and monitoring of the log files
2. Authorization to provide forensic evidence
3. Digital evidence must be stored and handled securely.
4. Disciplinary issues: negligence, malpractice, abuse of acceptable use policy, grievance procedures.

5. Evidence integrity is essential in order for digital evidence to be admissible in court and to carry weight as evidence.

a. What is CoC (Chain of Custody) and why is it important for evidence integrity?


b. Assuming that a forensic team follows the right steps for preserving evidence integrity and for keeping an unbroken CoC, what must they do in order to convince the court that they have done so?

c. What is OOV (order of volatility), and how does it influence decisions regarding which evidence should be preserved first?

d. List various data storage media as a function of their OOV.

Answer

a. Chain of custody (CoC) refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Chain of custody is important in evidence handling and to preserve (protect) the integrity of the evidence. The collected evidence needs to be protected from any contamination.

b. Document it. Take extensive notes and document all details from start to end in a professional manner, according to law and order.

c. Order of volatility (OOV): how long does data stick around? Gather data in order from the most volatile to the least volatile.

https://www.youtube.com/watch?v=WDOwYuRIY2E

d. Data stored on media can be modified or erased due to various factors. The volatility expresses the rapidity and ease with which such factors can modify or erase data. The OOV expresses the relative ranking of media according to volatility. Volatile evidence includes:

i. Routing tables
ii. Main memory
iii. Cached data
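The answers to 5a and 5b above say that the chain of custody is a documented trail and that integrity is shown by documenting every handling step. The following Python code is an added example, not part of the exam notes, of what such a log looks like when each custody event also records a SHA-256 hash of the evidence, and of how the log is checked: every hash must equal the acquisition hash, timestamps must not go backwards, and each event's handler must be the person who actually held custody after the previous event. The examiner names, timestamps and the evidence bytes are constructed for the example.

```python
"""Chain-of-custody log with hash-based integrity verification.

Added example, not from the exam notes. Names, times and the evidence bytes
are constructed; in practice the hash is taken of the acquired disk image.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CustodyEvent:
    timestamp: datetime                 # when the event happened (UTC)
    handler: str                        # person who has the evidence at this event
    action: str                         # "acquired", "transferred", "analyzed", "stored"
    sha256: str                         # hash of the evidence recorded at this event
    received_by: Optional[str] = None   # only for "transferred": who took custody


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_chain(events: List[CustodyEvent]) -> List[str]:
    """Return the list of problems found; an empty list means the chain is intact.

    Checks: the log starts with an acquisition; every later hash equals the
    acquisition hash (no alteration); timestamps never go backwards; and each
    event's handler is the person who held custody after the previous event.
    """
    problems: List[str] = []
    if not events or events[0].action != "acquired":
        return ["chain does not start with an acquisition event"]
    baseline = events[0].sha256
    for i, ev in enumerate(events):
        if ev.sha256 != baseline:
            problems.append(f"event {i} ({ev.action} by {ev.handler}): hash mismatch")
        if i == 0:
            continue
        prev = events[i - 1]
        if ev.timestamp < prev.timestamp:
            problems.append(f"event {i}: timestamp earlier than event {i - 1}")
        expected = prev.received_by if prev.action == "transferred" else prev.handler
        if ev.handler != expected:
            problems.append(f"event {i}: handled by {ev.handler!r} but custody was with {expected!r}")
    return problems


# Constructed stand-in for an acquired disk image
EVIDENCE_IMAGE = b"constructed sample disk image bytes 0123456789"


def build_chain(image: bytes, tamper: bool = False) -> List[CustodyEvent]:
    """Acquire, hand over, analyse, store. With tamper=True the image is altered
    after handover, so the hashes recorded from then on no longer match."""
    t0 = datetime(2018, 6, 6, 9, 0, tzinfo=timezone.utc)
    h0 = sha256_of(image)
    events = [
        CustodyEvent(t0, "examiner_a", "acquired", h0),
        CustodyEvent(t0 + timedelta(hours=1), "examiner_a", "transferred", h0, received_by="examiner_b"),
    ]
    later = image + b"!" if tamper else image
    events.append(CustodyEvent(t0 + timedelta(hours=2), "examiner_b", "analyzed", sha256_of(later)))
    events.append(CustodyEvent(t0 + timedelta(hours=3), "examiner_b", "stored", sha256_of(later)))
    return events


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_chain(EVIDENCE_IMAGE)) or "no problems")
    for p in verify_chain(build_chain(EVIDENCE_IMAGE, tamper=True)):
        print("tampered chain:", p)
```

The point of recording the hash at every step rather than only at acquisition is that a mismatch then pins down the handover after which the evidence changed, which is exactly the question a court will ask when the chain is challenged.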

6. Policies, Standards, and Guidelines for CSPs (Cloud Service Providers)

Policies are detailed rules for a CSP's internal operation and typically include personnel responsibilities, management structure, delegation authority, contracting authority, expectations of protecting data, and the authorization to distribute information. Standards give guidance to staff for unique operations, hardware, and software and describe their obligations in daily operations and security of the CSP's environment. Guidelines describe best practices for cloud processes and give staff an example of what they should strive to achieve in their work.

2015 exam short questions

7. Discuss whether steganography is a good solution for image and movie piracy. Discuss how steganography can relate to digital rights management (DRM) solutions? (Chapter 8)

- Steganography in the context of digital content piracy serves primarily as a method to track where digital assets are moving or who is receiving them.
- Yes, steganography is a good solution for image and movie piracy as long as there is a small number of copies. On the other hand, it becomes less effective when distributing on a wide basis.
- DRM: Controlling the trade, protection, monitoring, and tracking of digital media.
- Helps publishers limit the illegal circulation of copyrighted works.
- Protects intellectual property by either encrypting the data or marking the content with a digital watermark.

- Is important to creators and publishers of electronic media since it helps ensure profits for their products.
- Sometimes referred to as digital restriction management.

8. Describe some of the technologies used with hardware write-blocker devices. Identify some of the more commonly used vendors and their products. (Chapter 6)

- Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0 and 3.0, SATA, PATA, and SCSI controllers.
- Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
- Software write blockers, such as PDBlock, run in shell mode: they can run only in DOS mode, not in the Windows CLI. PDBlock changes interrupt 13 of a workstation's BIOS to prevent writing to the specified drive.
- Hardware write blockers act as a bridge between the suspect drive and the forensic workstation and are ideal for GUI forensics tools. They prevent Windows or Linux from writing data to the blocked drive.

9. Explain how hypothetical questions can be used to ensure that you as a witness are basing your opinion on facts expected to be supported by evidence. (Chapter 14)

Hypothetical question:

- Hypotheticals are possible situations, statements or questions about something imaginary (definition of "hypothetical").
- Hypothetical questions based on factual (accurate) evidence:
  - guide and support your opinion;
  - can be abused and be overly complex;
  - the expression "alternative facts".
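Question 2 describes substitution steganography (replacing bits of the host file with bits of the hidden data), and question 7 says its main use against piracy is tracking which copy went to whom. The following Python code is an added example, not part of the exam notes, that joins the two: a recipient identifier is written into the least significant bit of each sample of a host buffer, extracted again to identify the source of a leaked copy, and then lost when the samples are requantised, which is the kind of fragility that limits this approach. The host buffer (pseudo-random bytes standing in for 8-bit image samples), the recipient IDs and the recipient names are all constructed for the example.

```python
"""LSB substitution steganography used as a per-recipient tracking watermark.

Added example, not from the exam notes. The host buffer stands in for the
8-bit samples of an image (constructed, pseudo-random bytes); the payload is a
constructed recipient identifier such as b"copy-0042".
"""
import random
from typing import Dict, Optional

# Constructed host: 256 pseudo-random 8-bit samples (deterministic seed)
_rng = random.Random(1)
HOST = bytes(_rng.getrandbits(8) for _ in range(256))


def embed_lsb(host: bytes, payload: bytes) -> bytes:
    """Substitution: replace the least significant bit of each host byte with
    one payload bit. A 16-bit big-endian length prefix tells the extractor how
    many payload bytes follow. Needs 8 host bytes per message byte."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for the 16-bit length prefix")
    message = len(payload).to_bytes(2, "big") + payload
    if len(message) * 8 > len(host):
        raise ValueError("host too small: need %d bytes, have %d" % (len(message) * 8, len(host)))
    out = bytearray(host)
    pos = 0
    for byte in message:
        for shift in range(7, -1, -1):                 # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the LSBs back: first the 16-bit length, then that many bytes."""
    def read_byte(offset: int) -> int:
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[offset + k] & 1)
        return value
    if len(stego) < 16:
        return b""
    length = (read_byte(0) << 8) | read_byte(8)
    if 16 + 8 * length > len(stego):
        return b""                                     # corrupted or not a valid embedding
    return bytes(read_byte(16 + 8 * j) for j in range(length))


def max_sample_change(host: bytes, stego: bytes) -> int:
    """Largest per-sample difference: substitution changes each sample by at most 1,
    which is why the mark is invisible unless the data structure is analysed."""
    return max(abs(a - b) for a, b in zip(host, stego))


def strip_lsb(data: bytes) -> bytes:
    """Model a lossy re-encoding/requantisation that zeroes the low bit of every
    sample; a fragile LSB mark does not survive this."""
    return bytes(b & 0xFE for b in data)


def identify_recipient(leaked: bytes, recipients: Dict[bytes, str]) -> Optional[str]:
    """DRM-style tracking: map the extracted mark back to who received that copy."""
    return recipients.get(extract_lsb(leaked))


if __name__ == "__main__":
    recipients = {b"copy-0042": "reviewer A", b"copy-0043": "reviewer B"}
    copy_a = embed_lsb(HOST, b"copy-0042")
    print("max change per sample:", max_sample_change(HOST, copy_a))
    print("leaked copy came from:", identify_recipient(copy_a, recipients))
    print("after requantisation:", identify_recipient(strip_lsb(copy_a), recipients))
```

Each distributed copy carries its own identifier, so a leaked file can be traced back to a recipient as long as the samples reach the investigator unchanged; a single requantisation pass removes the mark entirely, which is one reason the notes call the approach less effective for wide distribution.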

10. Is it easier to perform a computer forensic investigation if the suspect's computer is a Linux system instead of Windows? Does the OS affect the process at all? (Chapter 6)

- Different OSs have different characteristics that influence certain specific steps in extracting and analyzing data.
- The biggest differences between Windows and Linux are the different approaches to system and data files, and to user accounts.
- Most of the examination of Linux is done in a command line interface (CLI), while in Windows it is done using the graphical user interface (GUI).
- The file management system for the two OSs is different. Windows could have a FAT (with its variations) or NTFS file system, while Linux could have an EXT (with its variations) file system. But "Linux can accommodate many different file systems by enabling VFS (virtual file system) within the kernel itself."
- Both OSs assign permissions for files, but the way of determining those permissions is different.
- Determining the OS is important, but the tools used for investigation could be based on any OS, Linux or Windows.

11. Explain in detail how digital forensics is different from data recovery and disaster recovery management. (Chapter 1)

- Data recovery: data recovery mainly involves retrieving information that was deleted by mistake or lost during a power surge. In general, data recovery deals with things that are broken (i.e. hardware or software); in other words, data recovery is a 'macro' process.
- Digital forensics is described as "the recovery and investigation of materials found in digital devices", so data recovery may be (and in most cases is) a part of the digital forensics process.


- A disaster recovery plan ensures that you can restore your workstations and file servers to their original condition or to a lab-like building if a catastrophic failure occurs.

12. If you are going to investigate a case of Internet abuse in an organisation, what fundamental items do you require for conducting this investigation? (Chapter 2)

To conduct an investigation involving Internet abuse, you need the following:

1. The organization's Internet proxy server logs
2. The suspect computer's IP address, obtained from your organization's network administrator
3. The suspect computer's disk drive
4. Your preferred digital forensics analysis tool (ProDiscover, Forensic Toolkit, EnCase, X-Ways Forensics, and so forth)

13. What are the four conditions required for an expert witness to testify to an opinion or a conclusion? Explain with suitable examples. (Chapter 14)

1. The opinion, inference, or conclusion is reached on the basis of evidence and reasoning.
2. The witness must be shown to be qualified as a true expert in the field.
3. The witness must testify to a reasonable degree of certainty (probability) regarding his or her opinion, inference, or conclusion.
4. At minimum, expert witnesses must know the relevant data (facts) on which their opinion, inference, or conclusion is based, and they must be prepared to testify in response to a hypothetical question that sets forth the underlying evidence.
