Chapter 6
Conducting Digital Investigations
Objectives
On completion of this chapter, the student will:
Be able to discuss various digital investigation process models.
o Physical model
o Staircase model
Recognize that there are other activities inherent in conducting an investigation.
o A triggering event
o Authorization to proceed
o Threshold considerations
Recognize the application of the scientific method to digital investigations.
o Observation
o Hypothesis
Chapter Guide
Following the twelve steps described in this chapter increases the likelihood that an investigation
will lead to the truth and will serve justice. More specifically, the ultimate aim of the model
covered in this chapter is to help investigators ascend a sequence of steps that are generally
accepted, reliable, and repeatable, and lead to logical, well-documented conclusions of high
integrity. To fully appreciate the flexibility and power of this model, it is necessary to explore
The general discussions about remaining objective, overcoming preconceived theories, and the
differences between scientific and legal truths provide an important foundation for all
investigations. Exercises that challenge students to question assumptions and to construct logical
arguments are useful in the introductory level courses. Several other key concepts within the
investigative process should be emphasized:
Locard's Exchange Principle states that anyone or anything entering a crime scene leaves
something behind or takes something with him when he leaves. Although this principle was
developed nearly a century ago for investigations in the physical world, it applies equally to crime
in the digital realm. For example, a threatening e-mail leaves traces on the mail servers that
handle the message and on the recipient's computer. These exchanges of digital evidence and the
resulting cybertrails enable investigators to establish the continuity of offense and link online
activities to a specific computer or individual.
Students often think of IP addresses in e-mail headers or network packets as an individual
characteristic. However, an IP address in an e-mail header is not necessarily unique to a specific
computer. E-mail messages from several computers will carry the same source IP address when
those computers connect through a Web proxy or NAT device, and computers accessing the Internet
via dial-up (PPP) connections are assigned addresses from a shared pool. In such cases the IP
address is a class characteristic: it must be combined with other class characteristics in the
e-mail header (e.g., date and time) or network packet, and with records kept by the operator of the
proxy, NAT device, or dial-up pool, to determine which computer was involved.
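The following is an added example, not part of the original chapter guide, showing the correlation described above in code: the source IP in a Received header is shared by every host behind a NAT gateway, so the message timestamp is combined with the gateway's translation log to narrow the sender to one inside host. The Received headers, the NAT log and its line format, and all addresses (taken from the RFC 5737 documentation ranges) are constructed for this illustration; the NAT log format is hypothetical, and a real gateway, proxy or RADIUS log will need its own parser.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data: the topmost Received header from three messages,
# all relayed from the same NAT address 203.0.113.7 (a class characteristic).
RECEIVED_HEADERS = [
    "Received: from gw.example.org (gw.example.org [203.0.113.7]) "
    "by mx.victim.example with ESMTP id A1; Tue, 4 Mar 2014 09:15:02 -0500",
    "Received: from gw.example.org (gw.example.org [203.0.113.7]) "
    "by mx.victim.example with ESMTP id A2; Tue, 4 Mar 2014 11:40:45 -0500",
    "Received: from gw.example.org (gw.example.org [203.0.113.7]) "
    "by mx.victim.example with ESMTP id A3; Wed, 5 Mar 2014 03:02:10 -0500",
]

# Constructed NAT translation log from the gateway, timestamps in UTC.
# Hypothetical format: "<date> <time> <inside ip:port> -> <outside ip:port> dst <ip:port>"
NAT_LOG = """\
2014-03-04 14:14:59 192.168.10.23:51412 -> 203.0.113.7:51412 dst 198.51.100.25:25
2014-03-04 14:15:30 192.168.10.40:44010 -> 203.0.113.7:44010 dst 198.51.100.80:443
2014-03-04 16:40:43 192.168.10.23:51590 -> 203.0.113.7:51590 dst 198.51.100.25:25
2014-03-05 08:02:07 192.168.10.61:36222 -> 203.0.113.7:36222 dst 198.51.100.25:25
"""

RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\][^;]*;\s*(.+)$")
NAT_RE = re.compile(r"^(\S+ \S+) (\S+):\d+ -> (\S+):\d+ dst \S+:(\d+)$")


def parse_received(header):
    """Return (source_ip, datetime in UTC) from one Received header line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unparseable Received header: %r" % header)
    ip, date_str = m.groups()
    # RFC 5322 dates carry their own offset; normalise to UTC so the
    # header time and the gateway log can be compared directly.
    return ip, parsedate_to_datetime(date_str).astimezone(timezone.utc)


def parse_nat_log(text):
    """Yield (utc datetime, inside_ip, outside_ip, dst_port) per NAT log line."""
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), int(m.group(4))


def attribute(headers, nat_log, window_seconds=10):
    """For each message, list the inside hosts that used the header's source
    address to reach an SMTP server (port 25) within the clock-skew window.
    An empty list means the log does not support attribution to any host."""
    window = timedelta(seconds=window_seconds)
    nat = list(parse_nat_log(nat_log))
    rows = []
    for header in headers:
        ip, ts = parse_received(header)
        hosts = {inside for nts, inside, outside, port in nat
                 if outside == ip and port == 25 and abs(nts - ts) <= window}
        rows.append((ip, ts.isoformat(), sorted(hosts)))
    return rows


if __name__ == "__main__":
    for ip, when, hosts in attribute(RECEIVED_HEADERS, NAT_LOG):
        print(ip, when, hosts or "no matching translation")
```

Note that all three messages share one source address yet resolve to two different inside hosts, which is exactly why the address alone is a class, not an individual, characteristic. The window must be chosen from the measured clock skew between the mail server and the gateway; too tight a window drops the true match, too loose a window admits unrelated hosts.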
As an investigation moves from one computer to another, the examiner should examine each
system to establish the path that data relating to the offense took in order to reach its destination.
evidence found. See page 99 for more information.
Many people incorrectly think of examination as synonymous with analysis when in fact these
are two very different processes. Examination is the process of extracting and preparing data for
analysis; analysis is the separate process of interpreting that data to reach conclusions about the offense.
A checklist is provided here as an example of what investigators look for when conducting a
digital investigation. This type of checklist helps digital investigators document important details
and contributes to case management by helping them keep track of what they have found.
Crime Scene Checklist
Case Number:            Date:            Investigator:            Location:
Case Description:

COMPUTER
Type:  [ ] rack/server  [ ] desktop  [ ] laptop  [ ] PDA  [ ] cell phone  [ ] other:
Make/model:
OS:    [ ] Linux  [ ] Solaris  [ ] Win NT/XP  [ ] Mac OS X    [ ] AIX
       [ ] BSD    [ ] HP-UX    [ ] Win 95/98  [ ] Mac OS 8/9  [ ] other:
HDD 1: Make/model:            S/N:            Connection/jumpers:
       MD5 hash value:
HDD 2: Make/model:            S/N:            Connection/jumpers:
       MD5 hash value:
HDD 3: Make/model:            S/N:            Connection/jumpers:
       MD5 hash value:
Acquisition: [ ] dd  [ ] EnCase  [ ] FTK  [ ] ImageMaster  [ ] other:

EXTERNAL STORAGE DEVICES
Type                 Internal  External     Type                  Internal  External
3.5" Floppy          [ ]       [ ]          DVD (read or write)   [ ]       [ ]
Zip/Jazz             [ ]       [ ]          Backup tapes          [ ]       [ ]
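The hash value recorded on the checklist is only useful if it is computed at acquisition time and checked again against the finished image. The following is an added example, not code from the original chapter guide or from any of the tools named on the checklist, of that two-step discipline: the source is hashed while it is being copied, and the copy is re-read and compared afterwards, so that any corruption or alteration of the image is detected. It computes SHA-256 alongside MD5 because MD5 collisions can be constructed deliberately; recording both costs one extra pass over the same bytes. The "device" here is an in-memory byte string constructed for the illustration.

```python
import hashlib
import io

CHUNK = 1 << 16  # 64 KiB per read; real devices are imaged in larger blocks


def hash_stream(stream, chunk=CHUNK):
    """Single-pass MD5 and SHA-256 of a readable binary stream."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        md5.update(buf)
        sha.update(buf)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(source, image, chunk=CHUNK):
    """Copy `source` to `image` block by block, hashing each block as it is
    read from the source (not from the copy). Returns the hashes and byte
    count to be recorded on the checklist."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    while True:
        buf = source.read(chunk)
        if not buf:
            break
        image.write(buf)
        md5.update(buf)
        sha.update(buf)
        total += len(buf)
    image.flush()
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": total}


def verify(image, recorded):
    """Re-read the finished image from the start and compare each digest
    with the value recorded at acquisition. Returns per-algorithm results."""
    image.seek(0)
    actual = hash_stream(image)
    return {name: actual[name] == recorded[name] for name in ("md5", "sha256")}


def image_and_verify(device_bytes):
    """Image a constructed in-memory 'device', verify the copy, then show
    that flipping a single bit in the copy is detected by both digests."""
    device, image = io.BytesIO(device_bytes), io.BytesIO()
    recorded = acquire(device, image)
    clean = verify(image, recorded)
    damaged = bytearray(image.getvalue())
    if damaged:
        damaged[len(damaged) // 2] ^= 0x01  # one-bit change in the middle
    tampered = verify(io.BytesIO(bytes(damaged)), recorded)
    return {"recorded": recorded, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = image_and_verify(bytes(range(256)) * 4096)  # 1 MiB sample
    print(result["recorded"])
    print("clean copy verifies:", result["clean"])
    print("altered copy verifies:", result["tampered"])
```

In practice the source hash comes from the write-blocked device and the verification hash from the image file on the evidence drive; both values, the tool and version used, and the date and time belong on the checklist next to the drive's serial number.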
Multiple Choice Questions
1. Standard operating procedures (SOPs) are important because they:
2. The goal of an investigation is to:
3. An investigation can be hindered by the following:
4. When you have developed a theory, what can you do to confirm that your hypothesis is
correct?
5. Which of the following is NOT a class characteristic of files on magnetic media:
6. Which of the following would be considered an individual characteristic?
7. When digital photographs containing child pornography are found on a home computer,
investigators can assert that:
8. Forensic examination involves which of the following:
9. Forensic analysis involves the following:
10. The first step in applying the scientific method to a digital investigation is to:
11. Which of the following should the digital investigator consider when arranging for the
transportation of evidence?
12. In the Staircase Model, why is case management shown spanning across all of the steps
in the process model?
13. Process models have their origins in the early theories of computer forensics which
defined the field in terms of a ______ process.
14. Generating a plan of action and obtaining supporting resources and materials falls under
which step in the digital investigation?
15. The process model whose goal is to completely describe the flow of information in a
digital investigation is known as:
True or False Questions
1. Not all incidents should be fully investigated nor do they all deserve the same priority
and attention.
2. The scientific method uses computers to verify findings in an investigation.
3. The legal truth is always in agreement with the scientific truth in an investigation.
4. Forensic examination and forensic analysis are separate processes.
5. When a network is involved in a crime, investigators must seize and preserve all systems
on the network.
6. When seizing a computer, it is always acceptable to lose the contents of RAM.
7. Case management is a critical part of digital investigations.
8. Beebe and Clark contend that most investigative process models are too low level.
9. The process model whose primary strength is a notion of a continuous flow of
information is known as the Subphase Model.
10. Of particular significance in the scientific method is the weight attached to finding
evidence which supports a particular hypothesis.
11. Evidential artifacts found in the experimentation and testing process of the scientific
method which are compatible with a particular hypothesis can be taken as proof of the
hypothesis.
12. Preparation for the preservation step ensures that the best evidence can be preserved
when the opportunity arises.
13. If alternative theories are suggested later, digital investigators have an obligation to
reevaluate their findings.
14. Forensic examination is the process of extracting, viewing, and analyzing information
from the evidence collected.
15. Survey/triage forensic inspection is the targeted review of all available media to determine
which items contain the most useful evidence and require additional processing.
Essay Questions
1. Why is it important to process digital evidence properly while conducting an investigation?
2. What is Locard's Exchange Principle? Give an example of how this principle applies to
computer crime.
3. How are class characteristics useful in an investigation? Give an example involving digital
evidence.
4. How would you search for all image files on a disk? Explain the rationale of your approach.
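As an added illustration for essay question 4, not part of the original chapter guide, the following shows one approach and its rationale: a file's extension is trivially renamed, so a search that trusts extensions misses images stored as ".doc" and wastes time on text files named ".jpg". Identifying files by their leading bytes (the format's signature, a class characteristic of the file type) finds images regardless of name and flags the mismatches that often mark deliberate concealment. The sample directory tree and its files are constructed inline; the signatures listed are the standard ones for JPEG, PNG, GIF and TIFF. Carving images out of unallocated space is the natural next step and is outside this example.

```python
import os
import tempfile

# Leading-byte signatures of common image formats (all at offset 0).
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "tiff": [b"II*\x00", b"MM\x00*"],
}
# Extensions that would legitimately be used for each format.
EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"},
    "gif": {".gif"}, "tiff": {".tif", ".tiff"},
}


def identify(header):
    """Return the image format whose signature matches `header`, else None."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None


def find_images(root):
    """Walk `root`, classify every readable file by signature rather than by
    name, and report whether the extension agrees with the content."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(16)  # longest signature above is 8 bytes
            except OSError:
                continue  # unreadable file: note it, do not abort the sweep
            fmt = identify(head)
            if fmt is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.append({"path": rel, "format": fmt,
                         "ext_mismatch": ext not in EXTENSIONS[fmt]})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root):
    """Constructed sample files: a JPEG hidden under a .doc name, a PNG and a
    GIF with honest names, and a text file disguised as a .jpg."""
    samples = {
        "docs/report.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "pics/holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "pics/anim.gif": b"GIF89a" + b"\x00" * 32,
        "pics/notes.jpg": b"just some text, not an image\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_images(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The sweep reports "docs/report.doc" as a JPEG with a mismatched extension and never lists "pics/notes.jpg", which an extension-based search would have returned. A signature match is still only a class characteristic of the file type; the examiner confirms each hit by decoding the file before treating it as an image.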