Questions

1.     There are five phases in the digital forensics process. List them, and explain what their key activities are.

2.     Provide examples of how errors, uncertainties, and doubt can impact the evidence integrity and forensic soundness.

3.     A murder has occurred. The victim is identified to be the national chief of defence. Not long afterwards, a security breach in the IT systems of the department of defence is detected. The suspected perpetrator appears to be an outside hacker. What would be your hypothesis, and how would you investigate the case?

4.     You are involved in the analysis phase of an investigation of a cyberattack. All potentially relevant data objects have been collected and examined. In order to proceed, what do you need to ensure with regard to the evidence integrity? How will you do this, and why?


Question 01

  1. Forensics Phases
    • IDENTIFICATION : first, identify the digital evidence related to the incident

      • KEY ACTIVITIES :
        • recognize potential devices and data sources relevant to the case, such as hard drives, mobile phones, logs, files, emails
        • determine which resources are most important to the case
    • COLLECTION : collect digital data by forensically copying the sources identified as important

      • KEY ACTIVITIES :
        • create a copy or image of the data to avoid tampering with the original evidence
        • collect the digital evidence recognized in the identification phase
        • collect volatile data before the device is powered off, as this data is lost once the device is turned off
        • document all findings, noting timestamps, locations, and device specifics to ensure traceability
    • EXAMINE : process and analyze data to find information relevant to the case

      • KEY ACTIVITIES :
        • file system analysis
        • metadata examination
        • carve unstructured data
        • recover deleted files and data, and look for hidden or encrypted information
    • ANALYSIS : draw conclusions based on the examination and link the evidence to the case

      • KEY ACTIVITIES
        • use tools to establish a TIMELINE and the chain of events that occurred
        • determine the relevance and authenticity of data
        • link analysis to produce a structured presentation
    • PRESENT : communicate the findings of the investigation in a clear, concise and legally acceptable way

      • KEY ACTIVITIES
        • report writing
        • evidence presentation
        • visual aids and timelines
        • a documented chain of custody supports the final evidence integrity

Question 02

  • Data Collection Errors: Errors in data collection, such as improper use of write blockers, can compromise evidence integrity by altering metadata or overwriting data.
  • Time Synchronization Uncertainties: Inaccurate time synchronization can lead to incorrect forensic timelines, causing confusion over the sequence of events.
  • Human Error in Analysis: Misinterpretation of data or overlooking significant information due to time constraints can introduce inaccuracies and undermine the credibility of the investigation.
  • Chain of Custody Breaks: Failure to document evidence transfers and accesses can lead to tampering claims and render evidence inadmissible.
  • Data Decryption Challenges: Inability to decrypt data raises doubts about missing information and can create gaps in case understanding.
  • Evidence Integrity Risks: Errors, uncertainties, and doubts in handling digital evidence can weaken credibility and admissibility, impacting case outcomes.

Question 03

Hypothesis

  • The murder of the national chief of defense and the subsequent IT security breach at the Department of Defense may be connected, potentially as part of a coordinated attack aimed at compromising national security. The hacker may have targeted the victim to gain access to critical systems or information within the department.

Investigation Steps

  1. Establish and Secure the Crime Scene:
     • Examine the actual murder scene for any hints that could connect it to the cyberattack.
     • Collect any digital devices (phones, laptops, USBs) from the victim’s home or workplace.
  2. Digital Forensics on the Victim’s Devices:
     • Examine the victim’s electronic devices for unauthorized access, malware, or other signs of digital intrusion.
     • Look for any communications, such as recent emails or messages, that might suggest blackmail, threats, or unauthorized access to secure information.
  3. Network Analysis of the Department’s IT Systems:
     • Analyze the network logs around the time of the breach to track the hacker’s actions, methods of entry, and any data or systems accessed.
     • Search for unusual or unauthorized access attempts, suspicious IP addresses, or use of privilege escalation techniques.
  4. Correlate Physical and Digital Evidence:
     • Link timestamps and access patterns from both the murder scene and the IT system breach.
     • Identify if there is any connection between the murder timeline and the breach, such as the hacker exploiting a distraction window created by the murder.
  5. Trace the Hacker:
     • Conduct a trace of the IP address(es) or other identifiers to locate the potential attacker.
     • Investigate if the hacker has any known ties to foreign intelligence, criminal networks, or motivations for targeting the Department of Defense.
  6. Check for Inside Help / Insider Threats:
     • Investigate whether the hacker may have had assistance from someone within the Department, given the high level of access needed.
     • Conduct interviews and forensic audits on employees who had access to sensitive information related to the chief of defense or high-level clearance.
  7. Build a Timeline:
     • Construct a detailed timeline of events leading up to the murder and breach to examine possible connections.
     • Use this to determine if the murder was intended to coincide with or facilitate the breach.
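The timeline step above (and the "Time Synchronization Uncertainties" point in Question 02) is where clock problems bite: logs from a badge reader, a VPN gateway and a file server rarely share a time zone, and one host's clock may simply be wrong. The script below is an added example, not part of the lab answer, showing how to normalise every source to true UTC before correlating events. All log lines, host names, addresses and the 180-second clock skew are constructed for the example; in a real case the skew would come from comparing the imaged host's clock against a trusted reference at seizure time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). Each source keeps
# time differently: the badge system logs local time (UTC+02:00), the VPN
# gateway logs UTC, and the file server logs UTC but its clock was measured
# 180 s slow when the image was taken.
BADGE_LOG = [
    "2024-05-03 22:41:10 DOOR=B7 BADGE=1043 RESULT=GRANTED",
    "2024-05-03 23:05:47 DOOR=B7 BADGE=1043 RESULT=GRANTED",
]
VPN_LOG = [
    "2024-05-03T20:58:02Z user=svc-backup src=203.0.113.7 event=login",
    "2024-05-03T21:02:30Z user=svc-backup src=203.0.113.7 event=logout",
]
AUTH_LOG = [
    "2024-05-03 20:55:11 fileserver sshd[412]: Accepted password for svc-backup",
]

# Per-source parsing rules and clock model. skew = (source clock) - (true time),
# so a clock that runs slow has a negative skew.
SOURCES = {
    "badge": dict(lines=BADGE_LOG, fmt="%Y-%m-%d %H:%M:%S",
                  pattern=r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$",
                  utc_offset=timedelta(hours=2), skew=timedelta(0)),
    "vpn": dict(lines=VPN_LOG, fmt="%Y-%m-%dT%H:%M:%S",
                pattern=r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z (.*)$",
                utc_offset=timedelta(0), skew=timedelta(0)),
    "auth": dict(lines=AUTH_LOG, fmt="%Y-%m-%d %H:%M:%S",
                 pattern=r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$",
                 utc_offset=timedelta(0), skew=timedelta(seconds=-180)),
}


def normalize(name, cfg, apply_skew=True):
    """Parse one source's lines and convert each timestamp to true UTC."""
    events = []
    for line in cfg["lines"]:
        m = re.match(cfg["pattern"], line)
        if not m:
            # A line we cannot date must not be silently dropped from a timeline.
            raise ValueError(f"{name}: unparseable line: {line!r}")
        local = datetime.strptime(m.group(1), cfg["fmt"])
        utc = local - cfg["utc_offset"]      # local wall clock -> UTC
        if apply_skew:
            utc -= cfg["skew"]               # remove the measured clock error
        events.append((utc.replace(tzinfo=timezone.utc), name, m.group(2)))
    return events


def build_timeline(sources, apply_skew=True):
    """Merge all sources into one list ordered by corrected UTC time."""
    timeline = []
    for name, cfg in sources.items():
        timeline.extend(normalize(name, cfg, apply_skew))
    return sorted(timeline, key=lambda e: e[0])


def events_within(timeline, ref_iso, window_seconds):
    """Events whose corrected time lies within the window around a reference
    event given as an ISO 8601 string with offset, e.g. '...T20:58:02+00:00'."""
    ref = datetime.fromisoformat(ref_iso)
    window = timedelta(seconds=window_seconds)
    return [e for e in timeline if abs(e[0] - ref) <= window]


if __name__ == "__main__":
    for t, src, msg in build_timeline(SOURCES):
        print(f"{t.isoformat()}  {src:<6} {msg}")
    # Which events cluster around the VPN login? With the skew corrected, the
    # file-server login follows it by 9 s; uncorrected it would appear to
    # precede the VPN session, which supports a false sequence of events.
    for t, src, _ in events_within(build_timeline(SOURCES),
                                   "2024-05-03T20:58:02+00:00", 60):
        print("near VPN login:", t.isoformat(), src)
```

Run it once with `apply_skew=False` to see the ordering change: the uncorrected file-server login sorts before the VPN session, which is exactly the kind of timeline error Question 02 warns about. In a report, the offset and skew applied to each source should be documented alongside the resulting timeline.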

Question 04

  1. Verify Hash Values
     • Recalculate hash values (e.g., MD5, SHA-256) for each piece of collected evidence and compare these with the original hash values taken at the time of collection.
     • This confirms that no modifications have occurred since the data was collected, ensuring that the evidence remains unaltered.
  2. Confirm Chain of Custody
     • Review the chain-of-custody documentation to ensure that all access and transfers of evidence were properly recorded and accounted for.
  3. Maintain Forensic Copies and Work on Duplicates
     • Use forensic images or duplicates of the original data during analysis, keeping the original evidence untouched in a secure location.
  4. Use Verified Forensic Tools
     • Perform the analysis with validated forensic tools and document the tool versions, methods, and processes used.
  5. Document Every Action Taken During Analysis
     • Record all actions performed on the data, including searches, filter applications, and extracted data items.
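The first two steps above (hash verification and chain of custody) and the collection phase in Question 01 are mechanical enough to script. The example below is added here and is not part of the lab answer: it records SHA-256 digests in a manifest at collection time, re-verifies every item before analysis (reporting `ok`, `MODIFIED` or `MISSING`), and keeps a chain-of-custody log in which each entry commits to the hash of the previous one, so a deleted or edited custody entry is detected on review. The evidence files, item names and handler names are constructed in a temporary directory for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream large images in 1 MiB pieces instead of reading whole


def hash_file(path, algorithm="sha256"):
    """Stream a file through the chosen hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path):
    """Record collection-time digests for every evidence item."""
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {os.path.basename(p): {"sha256": hash_file(p)} for p in paths},
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(manifest_path, evidence_dir):
    """Re-hash each item and compare with the manifest: 'ok', 'MODIFIED' or 'MISSING'."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for name, digests in manifest["items"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif hash_file(path) != digests["sha256"]:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    return results


class CustodyLog:
    """Append-only custody log; every entry includes the previous entry's hash,
    so removing or editing an entry breaks the chain on verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, item, action, handler, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"item": item, "action": action, "handler": handler,
                 "when": when or datetime.now(timezone.utc).isoformat(),
                 "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Collect two constructed evidence files, verify them, then show what the
    check reports after an accidental write and a lost item."""
    with tempfile.TemporaryDirectory() as d:
        disk, mem = os.path.join(d, "laptop.dd"), os.path.join(d, "memory.raw")
        with open(disk, "wb") as f:
            f.write(b"constructed disk image contents\n" * 1000)
        with open(mem, "wb") as f:
            f.write(b"constructed memory dump\n" * 500)
        manifest = os.path.join(d, "manifest.json")
        write_manifest([disk, mem], manifest)
        before = verify_manifest(manifest, d)
        # The write-blocker failure from Question 02: one byte appended to the image.
        with open(disk, "ab") as f:
            f.write(b"\x00")
        os.remove(mem)  # and an item that never made it to the analysis workstation
        after = verify_manifest(manifest, d)
    return before, after


if __name__ == "__main__":
    print(demo())
    log = CustodyLog()
    log.record("laptop.dd", "collected", "examiner A")
    log.record("laptop.dd", "transferred to lab", "examiner B")
    print("custody log intact:", log.verify())
```

Working on the duplicate (step 3) fits naturally here: the manifest is written against the originals, while the analyst's copies are verified against the same digests, so any divergence between original and working copy shows up as `MODIFIED`. The tool name and version used to compute the digests should go into the manifest too (step 4), which the `collected_at` field is a placeholder for.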