Downloaded by stephen.young@wled.org.uk from 185.58.166.52 on 04/11/2019 13:07
NPA Cyber Security Worksheets
Version 2.0 October 2019
DIGITAL FORENSICS
NPA Cyber Security | DIGITAL FORENSICS | Worksheets
Digital Forensics - Introduction
These worksheets are intended to support, extend and consolidate your learning of the Digital Forensics unit that forms part of the SQA’s Cyber Security National Progression Award.

Many of the worksheets contain hyperlinks to websites and documents on the ‘Web’. You are, therefore, expected to use the worksheets on a computer rather than as a printed document. Similarly, it is expected that you will record your answers to the worksheets as a digital document on a computer. If these worksheets have been supplied as an editable Word ‘.docx’ document, then you can record your answers on the worksheet document itself. If these worksheets are supplied as a ‘.pdf’ document, then you will need to create a new editable document with your chosen word processor to record your answers.

The expected level (4, 5 or 6) is shown for each worksheet. Where a worksheet indicates that it may be used with multiple levels, if you are aiming for the higher level(s), you are expected to give answers with much more detail than if you are aiming for a lower level.
Contents
Worksheet 1 (Levels 4, 5 and 6)
Worksheet 2 (Levels 5 and 6)
Worksheet 3 (Levels 4 and 5)
Worksheet 4 (Level 6)
Worksheet 5 (Level 6)
Worksheet 6 (Level 4)
Worksheet 7 (Levels 5 and 6)
Worksheet 8 (Levels 4, 5 and 6)
Worksheet 9 (Levels 5 and 6)
Worksheet 10 (Levels 4, 5 and 6)
Worksheet 11 (Level 6)
Worksheet 12 (Levels 4, 5 and 6)
Worksheet 13 (Levels 5 and 6)
Worksheet 14 (Level 6)
Worksheet 1
(Levels 4, 5 and 6)
The Learner Notes listed three instances where a digital forensics examination may be used.
1. Try to think of at least three other scenarios where a lead investigator might believe that a Digital Forensics examination would help with an investigation.
2. Justify why a digital forensic examination might be required in each of your choices of scenario.
3. In each scenario, what do you think the examiner might be looking for that would help the investigation?
Worksheet 2
(Levels 5 and 6)
Consider this scenario:

A local politician has been accused of ‘electoral fraud’ – that is, ‘rigging’ an election in their favour to get them elected. It is alleged that, in the lead-up to the election, the politician had organised a campaign of ‘disinformation’ about the other candidates. This had resulted in them spending much more time trying to correct the disinformation than in putting forward their policies, with the result that only one candidate ‘appeared’ to the voters as trustworthy and was duly elected.

An investigator is appointed and decides that the politician’s personal and work computers and smartphones may hold evidence relating to the case.
1. Draw up a list of the types of evidence that the investigator should look for.
2. Read over the short descriptions of the three Acts that apply directly to conducting a digital forensic examination. The examination must be conducted within a legal framework. Try to draw up a simple framework listing what the examiner can, and cannot, do to keep within the three Acts.
3. It becomes public knowledge that the examination of the browser history on a computer in the politician’s office revealed that the computer had been used to access ‘adult’ sites on a regular basis.
(a) Make an ethical case for this information becoming public knowledge.
(b) Make a legal case for this remaining private.
4. Why would it be a mistake for the investigator to only have examined the digital devices belonging to the politician?
Worksheet 3
(Levels 4 and 5)
The most commonly used digital devices are computers (desktop and laptop) and mobile devices (tablets and smartphones).

Much information can be gathered from these devices without the need of using special software.
1. Consider a computer running a ‘standard’ operating system. Think about where you might look to find possible evidence on such a device.
(a) Draw up a table with two columns.
(b) In the left-hand column write down the name of the location (application or folder).
(c) In the right-hand column, opposite the location, write what type of possible evidence you might find. For example:

    Location              Possible Evidence
    E-mail application    Incriminating e-mails

Try to think of as many locations as you can. A single location can provide more than one type of possible evidence – try to list as many as you can think of.
2. Now repeat the last exercise, but this time consider a mobile device, such as a tablet or smartphone.
(a) Draw up a similar table, listing the ‘apps’ in the left-hand column and the possible evidence in the right-hand column. For example:

    App                   Possible Evidence
    Map                   Saved route to a crime scene

Try to think of as many apps and possible sources of evidence as you can. Similarly, a single app can provide more than one type of possible evidence – try to think of as many as you can.
Worksheet 4
(Level 6)
1. Create a table with two columns.
(a) In the left-hand column, make a list of the different types of digital devices that you may find in your home. If you have more than one of a device, for example a smartphone, then only list it once. Remember to include any digital storage devices and any digital devices that may be in a car or attached to a bike or a person!
(b) In the right-hand column, for each type of device, make a list of the potential information that might be found on the device that could be useful to a Digital Forensic examiner.
Worksheet 5
(Level 6)
1. Access the ACPO guidelines here:
http://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf
Read through pages 8 to 13, which describe what to do with digital equipment at a crime scene.
The Learner Notes gave five examples of securing a crime scene.
(a) Try to think of three other examples (not mentioned in the notes) of what to do if equipment is thought to be switched ‘off’.
(b) Similarly, make a note of three additional examples of what to do if equipment is thought to be switched ‘on’.
(c) The guidelines describe how to deal with Personal Organisers and Digital Assistants (pages 10 and 11). These could, by and large, also be applied to smartphones. How does each of the first three principles (page 4) of the ACPO guidelines apply to examining such devices?
2. Search online for ‘Write Blocker’.
(a) What is the purpose of this device?
(b) What is special about the copies it makes?
(c) Why is this important?
3. Search online for ‘Faraday Bags’.
(a) What is the purpose of a ‘Faraday Bag’?
(b) How are they made?
(c) What happens if a digital device is too big to be placed in a ‘Faraday Bag’?
Worksheet 6
(Level 4)
1. You will find an online document from the International Journal of Digital Evidence about Forensic Readiness here:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.65.6706&rep=rep1&type=pdf
Scroll to page 3.
(a) What are the two objectives of ‘forensic readiness’?
(b) What five factors affect how these two objectives can be met?
Scroll to page 10.
(c) What are the 10 steps (page 9) described to implement forensic readiness?
(d) If possible, find out what steps have been taken to make the centre where you are studying ‘Forensic Ready’. You could do this by asking the IT support technician at your centre how each of the 10 steps you noted above is met.
Worksheet 7
(Levels 5 and 6)
The Learner Notes talk about the use of ‘Artificial Intelligence’ in computer network monitoring as part of Forensic Readiness.

Some companies that supply AI-based network monitoring software are:
Deep Instinct: https://www.deepinstinct.com/#/home
RedSeal: https://www.redseal.net/
Darktrace: https://www.darktrace.com/
Aruba Networks: http://www.arubanetworks.com/en-gb/solutions/security/?source=homepage
Alien Vault: https://www.alienvault.com/?utm_source=google&utm_medium=cpc&utm_term=kwd32078176676&utm_campaign=BRAND-EMEA-GGL-SE&gclid=EAIaIQobChMI676E7cSv2AIVAhbTCh1mVwDwEAAYASAAEgLgIPD_BwE
1. Choose two of the above companies and, from exploring their websites, find out:
(a) How does each describe how their Artificial Intelligence monitoring software works?
(b) Three similarities between the network monitoring software that they provide;
(c) Three differences in their provision.
Hint: you may find it helpful to watch any online demonstrations or videos of their software!
Worksheet 8
(Levels 4, 5 and 6)
A Digital Forensic Examiner must be qualified.
1. Conduct an internet search to find out where you can study for a qualification in Digital Forensics in Scotland. Find:
(a) The name of one college and one university that is offering a course;
(b) The qualification that they each offer;
(c) What the entry requirements are to be able to join each course;
(d) How long each course lasts;
(e) What progression to other further qualifications is offered by each course.
2. Conduct another internet search, this time for any job vacancies that are available in Digital Forensics.
(a) What company/organisation has the vacancy?
(b) What qualification are they looking for?
(c) What will the successful candidate be paid?
Worksheet 9
(Levels 5 and 6)
The FTK Imager application is capable of making forensic copies of the contents of a computer’s memory while the computer is running.
(a) Why is it important to make a forensic copy of a running computer’s memory before it is switched off?
(b) What is meant by a ‘forensic copy’?
(c) Why is this important?
(d) Make a list of at least four pieces of useful information that would be held in a computer’s memory while it is running.
(e) What must happen to the forensic image of the computer’s memory, once it has been made?
(f) Why is this important?
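As an added illustration of what distinguishes a ‘forensic copy’ from an ordinary copy (this is example code written for these notes, not part of the worksheets and not FTK Imager’s own code), the Python below hashes a constructed sample image in chunks, records the digests as they would be recorded at acquisition time, and then checks a copy against that record. A copy verifies only if every digest matches; flipping a single bit anywhere in the image is enough to fail verification. The image bytes, the `flip_one_bit` tamper helper and the choice of MD5 plus SHA-256 are all assumptions made for the example.

```python
import hashlib
import io

# Constructed sample "image": 16 KiB of deterministic bytes standing in for an
# acquired memory or disk image. Not real evidence.
ORIGINAL_IMAGE = bytes(range(256)) * 64


def hash_stream(stream, algorithms=("md5", "sha256"), chunk_size=4096):
    """Hash a file-like object in fixed-size chunks so that images far larger
    than available RAM can still be verified. Returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (used here for the constructed sample)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_copy(acquisition_hashes, copy_data):
    """Compare a copy against the digests recorded at acquisition time.
    Returns (is_verified, mismatched_algorithms); the copy counts as a forensic
    copy only when every recorded digest matches."""
    copy_hashes = hash_bytes(copy_data, tuple(acquisition_hashes))
    mismatches = [
        name for name in acquisition_hashes
        if acquisition_hashes[name] != copy_hashes[name]
    ]
    return (not mismatches, mismatches)


def flip_one_bit(data, offset):
    """Constructed tamper for the demonstration: flip the lowest bit of one byte,
    the smallest possible change to the image."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    record = hash_bytes(ORIGINAL_IMAGE)          # digests written into the examiner's notes
    print("recorded:", record)
    print("exact copy verifies:", verify_copy(record, ORIGINAL_IMAGE))
    print("one flipped bit:    ", verify_copy(record, flip_one_bit(ORIGINAL_IMAGE, 1000)))
```

The digests are recorded once, at acquisition, and every later working copy is checked against that record rather than against another copy; this is what lets an examiner demonstrate in court that the data analysed is the data that was seized.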
Worksheet 10
(Levels 4, 5 and 6)
A list of the features provided by the software analysis tool Autopsy can be found here:
http://sleuthkit.org/autopsy/features.php
Similarly, an outline of the features of the professional software analysis tool EnCase can be found here:
https://www.guidancesoftware.com/encase-forensic
You should scroll down the page to the section titled ‘EnCase Forensics Across Your Investigation Lifecycle’. Read about, and watch, each of the videos for each step of the investigation using EnCase.
1. From these two websites, briefly describe:
(a) Three features that both software analysis tools have in common;
(b) Three features where they differ.
(c) Why do you think professional Digital Forensic examiners prefer to use EnCase rather than Autopsy?
Worksheet 11
(Level 6)
1. Details about the network forensic analysis tool NetworkMiner are available here:
http://www.netresec.com/?page=NetworkMiner
Scroll down the web page to the section starting below the comparison of the features of the free with the paid-for versions. Read through the text describing some of the features of NetworkMiner.
Draw up a list of three of the features described, giving a short description of each of them. (You may find it helpful if you watch the video tutorials.)
http://www.netresec.com/?page=Blog&month=2011-02&post=NetworkMiner-Video-Tutorials-on-the-Intertubes
Worksheet 12
(Levels 4, 5 and 6)
1. Briefly describe each of the following and explain how each is raising new challenges for Digital Forensic Examiners when acquiring data:
(a) Encryption
(b) TOR
(c) VPN
(d) ‘cloud’ storage
(e) Steganography
(f) What do encryption and steganography have in common?
(g) How does steganography differ from encryption?
(h) Why should the cover file be at least 8 times bigger than the payload it is to contain?
(i) Steganalysis is the process of discovering whether a file is a steganogram or not. What problems might arise in using steganalysis on a suspect’s modern laptop?
(j) What additional problems will the use of social media pose when trying to identify steganograms?
(k) What would a Digital Forensic Examiner look for on a suspect’s modern laptop that might indicate that the suspect was using steganography?
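As an added illustration of the ‘8 times bigger’ relationship in question (h) (example code written for these notes, not part of the worksheets), the Python below hides a short constructed payload in the least significant bit of each sample of a constructed cover array, the simplest form of LSB steganography. Each cover sample carries one payload bit, so eight samples are consumed per payload byte and the usable capacity is the cover length divided by 8, less a small length header; a payload larger than that is refused. The `max_sample_change` check shows why a steganogram looks identical to its cover yet remains open to steganalysis: no sample moves by more than 1, so the change is invisible to the eye but alters the statistics of the LSB plane. The cover samples, the payload, the 4-byte length header and the function names are all assumptions made for the example.

```python
# Toy LSB steganography on a constructed byte array standing in for the sample
# values of a cover file (e.g. pixel bytes). Written for illustration only.
LENGTH_HEADER_BYTES = 4   # the payload length is stored in the first 32 cover samples

# Constructed cover: 2048 deterministic sample values, not a real image.
COVER = bytes((i * 37 + 11) % 256 for i in range(2048))


def lsb_capacity_bytes(cover):
    """One payload bit per cover sample: capacity = len(cover) // 8 minus the header.
    This is the arithmetic behind 'the cover must be at least 8 times the payload'."""
    return len(cover) // 8 - LENGTH_HEADER_BYTES


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover, payload):
    """Return a copy of cover whose LSBs carry [length header || payload]."""
    capacity = lsb_capacity_bytes(cover)
    if len(payload) > capacity:
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity of {capacity} bytes")
    framed = len(payload).to_bytes(LENGTH_HEADER_BYTES, "big") + payload
    stego = bytearray(cover)
    for index, bit in enumerate(_bits(framed)):
        stego[index] = (stego[index] & 0xFE) | bit   # replace only the lowest bit
    return bytes(stego)


def lsb_extract(stego):
    """Read the length header from the LSB plane, then that many payload bytes."""
    def read_bytes(first_sample, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[first_sample + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, LENGTH_HEADER_BYTES), "big")
    return read_bytes(LENGTH_HEADER_BYTES * 8, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference between cover and steganogram (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    payload = b"meet at the old mill"                 # constructed 20-byte payload
    stego = lsb_embed(COVER, payload)
    print("capacity (bytes):", lsb_capacity_bytes(COVER))
    print("recovered:", lsb_extract(stego))
    print("largest sample change:", max_sample_change(COVER, stego))
```

Because the container is unchanged in size and every sample differs from the original by at most one, nothing about the file’s appearance gives the payload away; steganalysis has to work from statistical properties of the LSB plane instead, which is why question (i) asks about the practical difficulties of applying it across a whole laptop.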
Worksheet 13
(Levels 5 and 6)
1. Why is it vitally important to maintain the ‘chain of custody’?
2. Similarly, why is it also vitally important to maintain a contemporaneous record of all actions by the Digital Forensic examiners throughout their examination?
3. What is the purpose of the ‘Timeline’?
4. Software such as Autopsy and EnCase can automatically generate reports on the materials that they have analysed.
(a) What important skill must the Digital Forensic examiner have when dealing with these reports?
(b) Why is this skill important?
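As an added illustration for question 3 (example code written for these notes, not part of the worksheets or of Autopsy or EnCase), the Python below builds a timeline from three constructed event records: a file modification time, a browser history entry stored as Unix epoch seconds, and a syslog line. Each source records time in its own format and, in two cases, in local time rather than UTC, so the code normalises every timestamp to UTC before sorting; without that step the syslog login would sort after the browser visit although it actually happened first. The sample records, the assumed local offset of +01:00 (BST) and the assumed year for the syslog line (syslog lines carry no year) are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumptions made for this example: the examined machine's clock was on BST
# (+01:00) and its syslog lines, which carry no year, were written in 2019.
LOCAL_TZ = timezone(timedelta(hours=1))
SYSLOG_YEAR = 2019

# Constructed sample records, one per source, each in that source's native format.
SAMPLE_RECORDS = [
    ("filesystem", "2019-10-14T09:15:00+01:00", "notes.docx last modified"),
    ("browser", "1571043000", "visited example.org/login"),
    ("syslog", "Oct 14 09:02:11 ws01 sshd[412]: Accepted password for alice", "remote login"),
]


def parse_timestamp(source, raw):
    """Convert a source-specific timestamp into a timezone-aware UTC datetime."""
    if source == "filesystem":
        ts = datetime.fromisoformat(raw)                          # ISO 8601 with explicit offset
    elif source == "browser":
        ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)    # epoch seconds are already UTC
    elif source == "syslog":
        # Classic syslog: 'Mon DD HH:MM:SS host ...' with neither year nor zone.
        stamp = " ".join(raw.split()[:3])
        ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=LOCAL_TZ)
    else:
        raise ValueError(f"unknown source {source!r}")
    return ts.astimezone(timezone.utc)


def build_timeline(records):
    """Return the events ordered by UTC time. Each entry keeps the raw value so the
    examiner's notes can show exactly what was read and how it was interpreted."""
    events = []
    for source, raw, description in records:
        events.append({
            "utc": parse_timestamp(source, raw).isoformat(),
            "source": source,
            "description": description,
            "raw": raw,
        })
    return sorted(events, key=lambda event: event["utc"])


if __name__ == "__main__":
    for event in build_timeline(SAMPLE_RECORDS):
        print(f"{event['utc']}  {event['source']:<10} {event['description']}  (raw: {event['raw']})")
```

Keeping the raw value beside the normalised one matters for question 2 as well: the contemporaneous record should let someone else reproduce the conversion, including the clock offset the examiner assumed.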
Worksheet 14
(Level 6)
Section 1 of the Learner Notes introduces at least eight different individuals or groups of people that may be involved in the investigation: from the incident first being reported, to the point where it is concluded.
1. Read through Section 1 again and, as you do, try to identify each individual or group mentioned.
2. Draw up a table with two columns, with the individual or group on the left and a description of the role(s) that they play in the investigation on the right.
Scottish Qualifications Authority
computing@sqa.org.uk
www.sqa.org.uk