Short Answer Questions – Topic / Chapter 2 Investigator’s office and laboratory
- Why it is important to have a specific digital forensics laboratory? What are key purposes of a digital forensics lab? [2 x 2 = 5 marks] A Computer Forensics Lab [CFL] is a designated location for conducting computer-based investigations on collected evidence. It is an efficient computer forensics platform that is able to investigate any cybercrime event. We extract, analyses, record and report data found on computers, cell phones and other mobile devices. The benefit of using DFL is that we can also rebut computer forensics procedure conducted by Federal Police.
- Why it is important to get accreditation of a digital forensics lab? Name some of the accreditation bodies. [3 + 2 = 5 marks] Certified Computer Examiner [CCE] The need for CCE certification is widely acknowledged bmany other organizations. y government agencies as well as The CCE certification is completed in two rounds:
- Online written exam is conducted, in which a candidate has to complete 75 questions within 45 minutes. More important, the candidate must score 70% to qualify for the next round of practical examination.
- Practical examination also requires 70% marks. An overall average of 80% is required to earn CCE certification: The International Society of Forensic Computer Examiners [ISFCE] confers CCE certification. Pros: CCE certified professional has several benefits, including: The ISFCE is a member of “The Alliance Group of Associations,” therefore all CCE professionals are eligible to place insurance coverage through Insurance Tek Company. CCEs automatically subscribe to the CCE’s “list serve,” which allows all CCEs worldwide to share information among themselves regarding their computer forensics experiences. ISFCE members enjoy discounts on some specific software and hardware products. Cons: CCE certification is valid for only two years, while CFCE and GIAC certifications are valid for three and four years, respectively.
Global Information Assurance Certification [GIAC]
The GIAC awards over 30 certifications in forensics, saudit, and management. GIAC is widely trusted by govoftware security, security administration, legal, ernment organs and various organizations, including the U. National Security Agency are five GIAC certifications related to digital forensics and incident response.
GIAC Certified Forensic Analyst [GCFA]
GIAC Advanced Smartphone Forensics [GASF]
GIAC Certified Forensic Examiner [GCFE]
GIAC Network Forensic Analyst [GNFA]
GIAC Reverse Engineering Malware [GREM] Each exam has a different format. For example, the GCquestions and the candidate has three hours in which answer them. The minimum passing score is FE exam is a single exam that has 115 72%. The GNFA exam consists of 50 questions with a 70%. 2-hours time limit and a passing score of Vendor: The SysAdmin, Audit, Network, Security [SANS] Institute offers the GIAC certifications program: A GIAC certification ensures that the certified professional keeps his/her knowledge and skills current through the periodic recertification program and acGIAC has several benefits, such as: cess to up-to-date and latest information.
GIAC’s eleven certifications are accredited by ANSI/ISO/IEC 17024. GIAC’s exams are based on psychometric tests. The exam contents and the design of each question are reviewed by technical experts. The GIAC-certified can earn the “GIAC Gold Status.” In fact, the candidate works with an advisor to submit a peer-reviewed “gold paper” in his/her area of information security expertise. If the paper is approved, it will be published in the “SANS Reading Room” for industry reference. GIAC’s certified professionals are encouraged and authorized to use all GIAC Logo[s] for website, signature, resume, letterhead, bCons: GIAC credentials have some disadvantages, including:usiness cards, etc.
Since GIAC is an open book exam, it only tests candidates’ knowledge [analytical and logical reasoning] rather than testing their memory or memorizing abilities. The retaking policy is stricter than with other certifications. If the candidate fails the exam, he will have to wait for one month. After three failed attempts, the student must wait for one year to continue his/her attempt.
- How you will prepare a budget case for your digital forensics lab? List some of the key considerations. [5 marks]
Setting up a new digital forensics lab often involves high cost for companies, however,
and forecasting this cost is not always easy – especially for smaller companies. So, I
would like to share a few tips about how to build a lab on a low budget.
1. Research current trends, requirements, and what other companies in your sector
are doing. The infosec community is very open and, often, a request for help will
result in many replies. This should help you to identify the services you are
planning to provide, such as computer forensics, mobile forensics, e-discovery
and so on.
2. Do an overview of the proposed services you plan to provide. Evaluate your
capability and availability of resources. Do a SWOT analysis to determine your
strengths, weaknesses, opportunities and threats.
10 a development plan for your lab to enhance its capabilities over time.
Write down goals and targets with projected dates. Having this focus will help
you to improve the services you provide to the business [or to external clients]
over time. It also provides you with the opportunity to review new developments
in digital forensics investigation.
- List some of the key duties and responsibilities of a lab manager and lab staff. [5 marks] Lab manager duties: Set up processes for managing cases Promote group consensus in decision making Maintain
fiscal responsibility for lab needs Enforce ethical standards among lab staff members Plan updates for the lab Establish and promote quality-assurance processes Set reasonable production schedules Estimate how many cases an investigator can handle Estimate when to expect preliminary and final results Create and monitor lab policies for staff Provide a safe and secure workplace for staff and evidence Staff member duties:
- Knowledge and training:
- Hardware and software
- OS and file types
- Deductive reasoning
- Digital forensics
- Knowledge and training:
- Malware analysis
- Incident response
- E-discovery
- Work is reviewed regularly by the lab manager
List some of the important certifications and trainings that you think will be important for a digital forensics lab. [5 marks]
What are digital evidence storage containers and what care you should take with them? [5 marks] A digital evidence container can metaphorically mimic the familiar plastic evidence bag used by crime scene investigators to collect fibers, hair, blood, and other crime scene artifacts. ... A digital container can be duplicated, copied, shared, and manipulated unless the container itself is secure. Time is highly important in preserving digital evidence. – As a general rule, make sure you do not turn ON a device if it is turned OFF. For computers, make sure you do not change the current status of the device at all. If the device is OFF, it must be kept OFF.
What are some of the important physical requirements of a digital forensics lab? [5 marks] Scope of Lab Lab Location and Space Requirements Environmental Controls Software and Hardware Tools Storage Data Network Security Controls Accreditation Lab Management
A variety of hard drives [as many as you can afford and in as wide a variety as possible]
At least two 2-inch adapters from notebook IDE hard driveSATA drives, and so on s tc standard IDE,.'ATA drives.
Computer hand tools, such as Phillips and flathead scresmall flashlight wdrivers, a socket wrench, and a
What is disaster recovery plan and why it is important for your digital forensics lab? [5 marks] A disaster recovery plan ensures that you can restore your workstation and investigation files to their original condition o Recover from catastrophic situations, virus contamination, and reconfigurations Includes backup tools for single disks and RAID servers Configuration management o Keep track of software updates to your workstation
Why policies and procedures are important in the field of digital forensics investigation? [5 marks] A baseline or benchmark is set for all cases as needed for external audits Processes throughout the case lifecycle from first contact to release of evidence are clearly understood Technical procedures are well documented Integrity is automatically built into handling of the case Different forensics investigators can work or collaborate on the same case The final report has a standard format
What are 3C’s of digital evidence? Explain each briefly. [5 marks] Digital evidence handling a growing topic with increasing significance for investigations
- Care – make sure evidence is not altered, kept in safe place, if handed over to authorities, proper care is taken
- Control – make sure evidence is not affected by any external or internal means such as alteration of meta data or damage by electromagnetic fields etc
- Chain of Custody – make sure a proper chain of custody form is kept up to date when evidence is being handed over to some one else, use available chain of custody forms
What are the types of Australian legal system? Explain each briefly. [5 marks]
- Two legal systems: the federal legal system and the state / territory legal system
What are statue law and common law? Explain them briefly. [5 marks] Statute law – the legislation enacted by parliaments Common law – law derived from court judgments from historical cases [also known as case law]
- Two types of law: Criminal law – applies to criminal offences such as theft, burglary, murder etc, and any other offence that the state considers significant enough to warrant taking action against. Civil law – legal matters between individual or organisations
- International law Generally not enforceable, but many countries agree to observe by entering into international treaties or conventions