
Old exam questions

1. Discuss and reason about the similarities and differences between the following:
A) Digital Forensics and Security?
- Security wants to preserve the digital system as it is, by enforcing the policy that has been
defined; forensics attempts to explain how the policy came to be violated, which may reveal flaws
and lead to improvements in the future. A similarity is that both may involve the recovery of
information.
B) Digital Forensics and Auditing?
- Similarities could be that both implies methodical and systematic examination or review of the
work, results, process and/or behaviour
2. With respect to content of this course; What is the definition of evidence on an overarching
level?
- On an overarching level, evidence is any information that tends to prove or disprove a fact at
issue, and its handling should follow a set of principles: do not change the evidence; only a
forensically competent person should access original evidence; and the seizure, access, storage
and transfer of digital evidence should be documented, preserved and available for review.
3. With respect to the definition of evidence, what is the definition of the following:
A) e-Evidence or Digital evidence?
- Evidence that is stored or transmitted in digital form. It could be photos on a computer
showing something illegal, instant messages sent to a perpetrator that contain valuable
information or document an illegal act, or log files. Digital evidence is a very broad term and
can be almost anything these days, but the fundamental point is that it is evidence that is
either transmitted or stored in digital form.
B) The seven major types of evidence that have been presented during this course?
Please list and briefly explain the various types of evidence.
- Real: physical objects themselves, e.g. the seized hard drive or phone
- Hearsay: a statement made outside the proceedings that is offered to prove the truth of what
it asserts; generally inadmissible unless an exception applies (e.g. business records such as
logs kept in the ordinary course of business)
- Documentary: written or recorded material such as documents, e-mails and log files; it must be
authenticated before it is admitted
- Testimony: what a witness states under oath, e.g. the examiner explaining the analysis
- Direct: proves a fact without any inference, e.g. an eyewitness account or a confession
- Circumstantial: proves a fact only indirectly, by inference, e.g. a login from the suspect's
account at the time of the incident
- Original: the original item or data rather than a copy (the best evidence rule); for digital
evidence a verified forensic image is normally treated as equivalent to the original
4. What is the major goal or purpose of a forensic examination process?
- To establish what happened, when and how it happened, and who did it; and to preserve, analyse
and present the evidence in a structured way, documented through a chain of custody, so that it
can be used in some sort of proceedings, whether legal, institutional or organizational.
A) Which are the important attributes of the gathered evidence in order to maintain the
forensic soundness of the evidence?
- Forensic soundness rests primarily on two big factors, the trustworthiness and the
completeness of the digital evidence, which can be divided into the four smaller attributes below:
- Documentation is key to forensic soundness
- Chain of custody and integrity
- Authentication
- Handling of digital evidence
B) Why are these attributes so important?
- When they are maintained, the presentation of the evidence is strong: nobody has altered the
evidence and all evidence was analysed in an independent, reproducible way. If forensic soundness
is not maintained, the evidence may be ruled inadmissible, or someone could receive a wrong
verdict, which could be devastating.
5. Explain the processes of collection and examination of digital evidence in detail. Provide an
example for each phase from your lab work
- Collection of evidence should be done according to a set of predefined policies, taking into
account the sensitivity of the media to humidity, temperature, pressure and static electricity,
and documenting every item that is seized.
- Examination begins with the forensic examiner making a verified duplicate, also called an
image, and then working on the copy. The order of volatility should be followed: acquire the
most volatile data first.
6. Explain Locard's principle. Give two examples of how Locard's principle could be applied
in the context of a digital crime investigation
- Locard's principle states that when two items come into contact, there will be an exchange of
microscopic material. In a digital forensic context it means that the perpetrator takes
something away from the crime scene but also leaves traces behind. In one example the
perpetrator has hacked an organization and taken valuable information, but also left traces in
the form of log entries; the system may have captured data such as the source IP address or the
remote access trojan (RAT) software that was used. In another context there could be child
abuse material, where the perpetrator leaves digital evidence in the form of GPS coordinates and
the camera model in the metadata of the pictures. Locard's principle is a good way of thinking:
the perpetrator will almost always leave some digital trace when committing a crime.
7. Please provide an overarching description of the concept of data recovery. Also describe the
following in more detail:
- The first step is to identify any potential data that has been deleted, manipulated or
hidden. Tools can be used, or a forensic examiner can look into the $MFT, link files and
prefetch files for traces of data that has been deleted or moved. The next step is to do some
type of file carving, either manually or with tools. With tools you get an automated way of
doing this, which saves time, and the tools are often more thorough, whereas when doing it
manually you could miss important evidence. On the other hand, if you rely only on tools you
need to understand what the tools are doing and how they work.
A) What various actions or processes can cause the need of data recovery?
- Files/folders are deleted
- Files/folders are damaged or corrupted
- Files/folder are hidden
B) Is the process of data recovery always the same? Explain and
elaborate
- No, it is not always the same, because the perpetrator could use different methods to hide,
delete or corrupt evidence. It also depends on the nature of the incident, which could involve a
network, a computer, etc.
8. What is residual data?
- Information that has been deleted from a computer but which persists and can be recovered
using different types of file carving tools. The information is in unallocated storage or in file
slack space, and it comes from files that have been deleted but not erased. For example, if you
delete a picture, you are only removing the file system entry that points to where the file is
located on disk, so the picture is still there until it is overwritten with new data.
9. Is it possible to make digital evidence equivalent to scientific evidence? How? Explain in
detail and provide some examples. Illustrate the difficulties!
10. As an investigator you have found a Link File on a Windows system. This link file points to
a missing file. What could be the significance of this link file in your investigation? Explain
what information can be retrieved from it.
11. What is Hiberfil.sys and what information you can retrieve from it?
- Hiberfil.sys is a repository for the contents of RAM (in a compressed format) that is written
when a system hibernates (for example when a laptop is configured to hibernate on lid close;
from Windows 8 on, Fast Startup also writes it at an ordinary shutdown). From it you can
retrieve information that was in RAM: passwords, unencrypted files that were in use, which
programs were running. In short it saves the state of the system from when the user last used
the computer, so it could contain almost anything, depending on what the user had been doing.
12. What is a Spool File in the context of printer files and what does it contain?
- It is a file that saves data for later processing or printing; in short, it holds a print job
until it can be printed. On Windows the spooler writes a .SPL file with the job data and a .SHD
shadow file with metadata such as user, printer and document name. Printer spool files on
Windows and UNIX systems can contain data from files that have since been deleted or encrypted.
13. What information can you find from the System logs in a Windows system?
- A forensic examiner can find different types of events that occurred on the system. The System
log holds informational, warning and error events from the operating system and its components:
services starting and stopping, driver failures, unexpected shutdowns, system time changes.
Failed logons with a wrong password and other audit events are recorded in the Security log
rather than the System log. It could also be that a user changed
14. In the context of the Windows $MFT, please answer the following questions:
A) What is the difference in the time stamps found in Standard Information Attribute and
File Name Attribute?
- Timestamps in the FNA belong to the filename entry of that particular file and are normally not
updated by ordinary use; they are refreshed (copied from the SIA) when the file is renamed or
moved, and a move to another volume, e.g. to a USB drive, creates a new MFT entry with new
timestamps. Timestamps in the SIA are the ones the OS exposes and maintains: if a user changes
the content of the file, the modified timestamp changes; when a file is created, the creation
(birth) timestamp is set; reading the file updates the access timestamp, although last access
updates are disabled by default since Windows Vista. SIA timestamps can also be set through the
normal file API (timestomping), whereas FNA timestamps cannot, so an SIA creation time earlier
than the FNA creation time is a sign of manipulation.
B) What is the importance of Data Attribute?
- The data attribute either contains or refers to the actual content of a file, and it shows
whether the file is resident or non-resident, which is valuable for an examiner. If the data is
small, roughly up to 700 bytes (an MFT entry is 1024 bytes), it is stored inside the $MFT entry
itself (resident); otherwise the attribute holds a list of the clusters where the data is stored
(non-resident).
15. Please define what digital evidence is?
- Digital evidence is evidence that is stored or transmitted in digital form. That could be a
picture of child abuse material stored on a computer and then transmitted over the internet to a
different user. Digital evidence could also be log files that are only stored on a computer.
16. Explain briefly the Locard's principle?
- Locard's exchange principle states that when two items come into contact, there will be an
exchange of microscopic material.
17. Provide at least two ways how Locard's principle would affect a digital event scene?
- With the principle in mind a forensic examiner can identify digital evidence that a perpetrator
could have left behind: data in log files, pictures, software that was used when hacking a
system. The examiner should also identify what kinds of information the perpetrator could have
taken away from the crime scene, e.g. valuable data, identities, photos.
18. What are hypothesis formation and evaluation in the context of digital forensics
examination?
- A forensic examiner forms a hypothesis based on the observations and the evidence. It is a
necessary start, and it may be proved or disproved. The process of testing and validating (or
invalidating) the hypothesis commonly improves the understanding, and hence the interpretation,
of the digital evidence. Several hypotheses may be formed, vetted and integrated.
- The examiner then does an exhaustive evaluation of the physical and logical properties of the
retrieved data and of the devices where the data is stored, using a controlled test base and
enough samples to provide statistical significance. Sometimes there is a need to amend or modify
the existing methods and the way tools are being used.
19. What is the most significant legal issue in digital forensics?
- Admissibility of Evidence
20. What is steganography?
- The process of hiding data or information inside other information. It could be a picture
carrying a message to another user that something will occur at a specific time, i.e. a crime
being planned. It could also be audio files or documents that contain data hidden from a
regular user or a forensic investigator.
21. Why do we need a chain of custody?
- To be sure that the evidence has not been altered, and to protect the people who have been
working with the evidence. Without a chain of custody the defence could argue that the evidence
was planted or altered. With a chain of custody everything is documented and handled in such a
way that if something is altered, it is written down; you have tracking so that you know exactly
what has been done with the evidence. A record of the chain of custody must be maintained and
established in court whenever evidence is presented as an exhibit. Otherwise the evidence may be
inadmissible, leading to serious questions regarding its legitimacy, its integrity and the
examination performed on it.
22. What implications, from a forensic perspective, does the mount functionality present in
Linux systems and its configuration files (e.g. /etc/fstab) brings?
- /etc/fstab shows which devices and filesystems are configured to be mounted automatically at
boot, where they are mounted and with which options. This matters for the examiner: the entries
reveal additional storage (external disks, network shares, encrypted volumes) that must be
located and acquired, and mount options such as noatime or ro mean that access timestamps on
that filesystem were never updated, or that nothing could have been written there. What is
currently mounted is seen in /proc/mounts, which may differ from /etc/fstab.
23. What is meant by the term "Order of Volatility"? Why is it an important principle to apply
in a forensic acquisition?
- Order of volatility means that you should acquire the most volatile evidence first. If a
computer is on, you first take a memory dump that captures the data in RAM, and only then make
a frozen image of the hard drives. If you do not capture the RAM and shut the computer down,
valuable information is lost. Therefore you apply the order of volatility, which means
capturing the most volatile (non-persistent) data first, because it would otherwise be lost.
24. What are the most important files (and locations) where information about the user
accounts and groups present in a Linux system can be found? Briefly describe their contents
- /etc/passwd: one line per account with username, UID, GID, description, home directory and
login shell; it also lists the service accounts. /etc/shadow: the password hashes and password
aging information, readable only by root. /etc/group: the group names, GIDs and group members
(e.g. who is in sudo or wheel). Logins are recorded in /var/log/wtmp, /var/log/btmp (failed
logins) and /var/log/auth.log or /var/log/secure.
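As an added example (not part of the course notes), a small Python triage over constructed /etc/passwd, /etc/shadow and /etc/group contents taken from an image, showing what an examiner looks for in these files: a second UID 0 account, an empty password field, and service accounts with an interactive shell or sudo membership. The sample lines and the account names (e.g. backup2) are made up.

```python
"""Triage of Linux account files (/etc/passwd, /etc/shadow, /etc/group) from an image.

Added example, not from the course material. The three file contents below are
constructed sample data; the account names (e.g. backup2) are made up.
"""
from collections import defaultdict

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
SYSTEM_UID_MAX = 999  # accounts at or below this are service accounts on most distributions

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$made-up-hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$saltsalt$another-made-up-hash:19000:0:99999:7:::
backup2::19000:0:99999:7:::
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,www-data
"""


def parse_passwd(text):
    """name -> fields; the format is name:password:UID:GID:GECOS:home:shell."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> password field ('*' or '!' = locked, '' = no password required)."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def parse_group(text):
    """group name -> set of member names listed in the fourth field."""
    members = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, member_list = line.split(":", 3)
        members[name].update(m for m in member_list.split(",") if m)
    return members


def triage(users, shadow, groups):
    """Return (account, finding) pairs an examiner would follow up on."""
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if shadow.get(name) == "":
            findings.append((name, "empty password field: login without a password"))
        if u["uid"] <= SYSTEM_UID_MAX and name != "root" and u["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, "system account with an interactive shell"))
    for name in groups.get("sudo", set()) | groups.get("wheel", set()):
        if name in users and users[name]["uid"] <= SYSTEM_UID_MAX:
            findings.append((name, "system account with sudo rights"))
    return findings


if __name__ == "__main__":
    for account, finding in triage(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW),
                                   parse_group(SAMPLE_GROUP)):
        print(f"{account}: {finding}")
```

On a real image the three files are read from the mounted (read-only) root filesystem rather than from string constants; the checks are the same. The shadow file is the one that tells you whether an account can actually be used: a locked account (`*` or `!`) with an interactive shell is much less interesting than an empty password field.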
25. Where and what kind of information can a forensic investigator find in terms of the
command (shell) history
- All commands that a user has run interactively on that system. The history command shows the
current session's history, and each user's history is saved in a file in the home directory,
e.g. ~/.bash_history, which can be read from the image. It is very useful for analysing what a
user did on the system, though it is only written when the shell exits and can be disabled or
edited by the user.
26. What is the syslog and why is it an interesting evidence source from a forensic perspective?
27. Hashing is an identification method commonly used to catalogue and identify files. Explain
how hashing may be used in forensic investigations.
- Hashing can be used to show that the original data has not been tampered with or altered after
a forensic examiner has made a copy of a hard drive or volume: if the hash of the copy does not
match the hash recorded for the original, the data has been changed. Hashes are also used to
catalogue files, matching them against sets of known-good files (to exclude) or known-bad files
(to flag).
28. Explain the concept of the 'prefetch' folder in a Windows operating system and how it can
be used to infer user activity.
- The prefetch folder (C:\Windows\Prefetch) holds .pf files that Windows creates to make
application start-up more efficient: each records which executable was run, the files and
directories it loaded during start-up, how many times it has run and when it last ran. For a
forensic examiner this shows which programs were executed on the system, and when, even if the
executable has since been deleted.
29. Why there is a difference between Logical file size and Physical file size in the Windows
operating system? What is the rationale behind it?
30. What is the “Shadow Copy” process and why it is used?
31. What is the difference between the time stamps found in the Standard Information
Attribute and the File Name Attribute?
- The FNA stores timestamps about the filename entry itself, while the SIA stores the timestamps
for the file's content that the operating system maintains and exposes.
32. What is a Reparse Point?
– A redirection capability in the Windows NTFS file system. Containing up to 16KB of data and a
tag indicating their purpose, reparse points are somewhat similar to Windows shortcuts and Unix
symbolic links. For example, a reparse point would allow a folder such as C:\DVD to point to E:,
the actual DVD drive. A reparse point may be used to point to a file that has been temporarily
relocated on a different drive
33. Differentiate between FILETIME and DOSTIME format.
- FILETIME is used on NTFS: a 64-bit count of 100-nanosecond intervals since 1 January 1601,
stored in UTC. Create and write times have 100 ns resolution; the last access time is updated
lazily (NTFS may delay writing it by up to one hour) and updating it is disabled by default
since Vista.
- DOSTIME is used on FAT: packed 16-bit date and time fields in local time, with no time zone
information. The write time has 2-second resolution, the create time 10 milliseconds (an extra
tenths-of-a-second byte), and the access time is a date only (1-day resolution).
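As an added example (not part of the course notes), Python conversions for both formats, showing the resolution each one can actually store: the FILETIME constant for the Unix epoch is a real value, the local timestamp used in the demonstration is constructed.

```python
"""FILETIME (NTFS) and DOS date/time (FAT) conversions, showing the resolution
each format can actually represent.

Added example, not from the course material. SAMPLE_LOCAL_TIME is a constructed
timestamp; the only real constant is the FILETIME value of the Unix epoch.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01T00:00:00Z as 100 ns ticks since 1601
SAMPLE_LOCAL_TIME = datetime(2015, 6, 7, 13, 45, 31, 250000)  # constructed, no time zone (as on FAT)


def filetime_to_datetime(ticks):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> (aware datetime, leftover ticks).

    Python datetimes stop at microseconds, so the sub-microsecond part (0-9 ticks)
    is returned separately rather than silently dropped.
    """
    micros, remainder = divmod(ticks, 10)
    return FILETIME_EPOCH + timedelta(microseconds=micros), remainder


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks (converted to UTC first)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def dos_to_datetime(date_word, time_word, tenths=0):
    """FAT 16-bit date, 16-bit time and optional 10 ms 'tenths' byte -> naive local datetime.

    date: bits 15-9 years since 1980, 8-5 month, 4-0 day
    time: bits 15-11 hours, 10-5 minutes, 4-0 seconds / 2
    tenths: 0-199 hundredths of a second (only the create time has this field)
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=10 * tenths)


def datetime_to_dos(dt):
    """Naive local datetime -> (date_word, time_word, tenths): what FAT can keep of it."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    tenths = (dt.second % 2) * 100 + dt.microsecond // 10_000
    return date_word, time_word, tenths


if __name__ == "__main__":
    d, t, tenths = datetime_to_dos(SAMPLE_LOCAL_TIME)
    print("FAT write time (2 s):   ", dos_to_datetime(d, t))
    print("FAT create time (10 ms):", dos_to_datetime(d, t, tenths))
    print("FAT access date (1 day):", dos_to_datetime(d, 0).date())
    print("FILETIME of Unix epoch: ", filetime_to_datetime(FILETIME_UNIX_EPOCH)[0])
```

The practical consequence for timeline work: the same event written to NTFS and to a FAT USB stick will differ by up to two seconds in the write time, and the FAT value has to be interpreted in the time zone the machine was set to, since the format carries none.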
34. For an investigator what is the significance of the Last Modified time stamp of
NTUSER.DAT and the time encoded in the “ShutdownTime” registry key?
35. Please enumerate the three main computer crime categories and explain their
characteristics. Give an example for each one of the categories.
- Computer as repository: stores data related to the crime, e.g. illegal pictures or stolen data
- Computer as tool: used to commit the crime, e.g. communicating about the crime, hosting a
criminal site, hacking
- Computer as target: the confidentiality, authorization or availability of the information and
the services provided are attacked, e.g. a database breach or a DDoS attack
36. Discuss the concept of quality assurance in the context of digital evidence and digital
forensic examination. What are the key components of QA.
- Quality assurance (QA): digital evidence and digital forensic facilities should produce
high-quality results that are reliable, accurate, reproducible, legally acceptable and
defensible.
37. Explain briefly the Locard’s principle? Provide at least two ways how Locard’s principle
might affect a digital event scene?
38. What are hypothesis formation and evaluation in the context of DFI?
39. What are the essential characteristics of the CFSAP model?
- CFSAP stands for Computer Forensics: Secure, Analyse, Present. It is the model with the least
granularity and is abstract. CFSAP is a good framework to start from and then develop smaller
processes within that framework for the particular case.
40. Contrast live vs. frozen system processing with respect to digital forensic examination. Pros
and cons. Provide examples.
41. What does the property of preimage resistance mean in a context of a hashing function?
42. What does it mean to forensically “wipe clean” an acquisition drive? Please explain the
ramifications of a forensically clean drive.
43. State the digital evidence extraction/acquisition hierarchy!
- From the highest level (most invasive, most complete) down to the lowest:
- Micro-read
- Chip-off
- Physical
- Logical
- Manual
44. What is meant by the term “Order of Volatility”? Why is it an important principle to apply
in a forensic acquisition?
45. Explain the concept of a ‘file header’ and discuss to what extent it can be trusted as an
indicator of a file’s contents.
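As an added example (not part of the course notes) that serves both the residual data question (Q8) and this one, a Python signature carver run over a constructed buffer standing in for unallocated space, plus a header-versus-extension check. The JPEG, PNG and PDF fragments use the real magic bytes of those formats but made-up bodies, and the zero bytes model wiped clusters between them.

```python
"""Signature-based file carving from a constructed 'unallocated space' buffer, and
checking a file's header against its extension.

Added example, not from the course material. The JPEG, PNG and PDF fragments are
constructed stand-ins with genuine magic bytes but made-up bodies; the zero filler
models unallocated clusters.
"""

# (header magic, footer) per file type; the keys are the canonical extensions
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def carve(data, max_size=16 * 1024 * 1024):
    """Return (type, offset, bytes) for every header/footer pair found, sorted by offset.

    A header with no footer within max_size is skipped, which is one reason carving
    recovers some but not all deleted files (fragmentation is the other).
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, data[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def identify_by_header(data):
    """Type according to the magic bytes only, or None if no known signature matches."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(filename, data):
    """True when the header says one known type and the file name claims another.

    This is also the limit of header-based identification: a file whose first bytes
    were deliberately overwritten with a JPEG magic is reported as a JPEG here.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_ALIASES.get(ext, ext)
    actual = identify_by_header(data)
    return actual is not None and actual != claimed


# Constructed fragments with genuine magic bytes and made-up bodies.
FAKE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"made-up-pixel-data" + b"\xFF\xD9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"made-up-IHDR-and-IDAT" + b"IEND\xAE\x42\x60\x82"
FAKE_PDF = b"%PDF-1.4\n%made-up-objects\n" + b"%%EOF"
UNALLOCATED = bytes(64) + FAKE_JPEG + bytes(32) + FAKE_PDF + bytes(16) + FAKE_PNG + bytes(8)


if __name__ == "__main__":
    for kind, offset, blob in carve(UNALLOCATED):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
    print("holiday.txt is really a", identify_by_header(FAKE_JPEG),
          "- mismatch:", extension_mismatch("holiday.txt", FAKE_JPEG))
```

The header is good evidence of what a file is when the extension was changed to hide it (the common case), but it is not proof: the magic bytes are just the first bytes of the file and can be edited like any others, and a carved file with the right header may still fail to open because its middle belonged to another file. Validating the carved object with a parser for that format is the check that follows.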
46. Why in the Windows operating system there is a difference between Logical file size and
Physical file size? What causes such a difference to appear?
47. Briefly describe the usage of $LogFile.
- All metadata changes to the file system are logged to ensure consistent recovery of critical
filesystem structures after a system crash. The logged metadata is stored in $LogFile, which is
found in the root directory of an NTFS filesystem; for an examiner it also records recent file
creations, renames and deletions.
48. What type of information can be retrieved from Standard Information Attribute? What
type of information can be retrieved from File Name Attribute?
- From the SIA: when the file, or the data in that particular file, was created, modified,
accessed or had its MFT entry changed, plus file attributes such as hidden or read-only.
- From the FNA: the file name, the parent directory reference and the timestamps from when the
filename entry was created or last changed. The FNA is usually not updated; only when the file is
moved or renamed is it updated, from the SIA values at that time.
49. Differentiate between Metadata and File System Metadata?
- Metadata, or application metadata, is metadata about a particular file created by an
application, such as an office document: the number of words and sentences, the user who created
the document and the timestamps recorded by the application. Application metadata is part of the
file itself.
- File system metadata is metadata the operating system keeps about the file: when it was
created, modified or accessed, its size, its owner and where it is stored.
- The difference is who creates it: an application (application metadata) or the operating
system (file system metadata).
50. What is the importance of Thumbnail Cache in a Windows XP system for an investigator?
- The operating system stores thumbnails of pictures, movie files, PDF documents etc. in a
database (thumbs.db in each folder on XP), and if a user removes the picture, the thumbnail of
that picture or file can still be in the thumbnail database. If a forensic examiner analyses the
thumbnail database and finds interesting pictures or files that are no longer present on the
computer, the file can still be seen and some metadata, such as the date and time stamp, can be
analysed.
51. In operating systems using NTFS, the term "slack space" is a very well known phenomenon.
Explain what it is and how it can be used in the context of digital forensic investigations.
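As an added example (not part of the course notes) for this question and for the logical versus physical file size questions (Q29, Q46, Q76), a Python model of one cluster: a file's logical size is rounded up to whole clusters to give its physical size, and the bytes in between are slack in which data from an earlier, deleted file survives. The "disk" is a constructed bytearray, and the zero-filling of the tail of the last sector is an assumption of this model (it matches what NTFS does).

```python
"""Logical vs. physical file size and file slack on a cluster-based file system.

Added example, not from the course material. The 'disk' used below is a constructed
bytearray standing in for one 4096-byte cluster, and the zero-fill of the tail of
the last sector models NTFS behaviour (an assumption of this model).
"""

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096


def physical_size(logical_size, cluster_size=CLUSTER_SIZE):
    """Bytes the file occupies on disk: the logical size rounded up to whole clusters."""
    if logical_size == 0:
        return 0  # an empty (or MFT-resident) file allocates no clusters
    return -(-logical_size // cluster_size) * cluster_size


def write_file(disk, data, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Write a file at the start of 'disk' (a bytearray of whole clusters).

    The file system writes whole sectors, so the remainder of the last sector is
    zero-filled ("RAM slack" in older literature); the sectors after it, up to the
    end of the cluster, are not touched and keep whatever was there before.
    Returns the physical size.
    """
    n = len(data)
    phys = physical_size(n, cluster_size)
    if phys > len(disk):
        raise ValueError("file does not fit in the constructed disk")
    disk[:n] = data
    sector_end = -(-n // sector_size) * sector_size
    disk[n:sector_end] = bytes(sector_end - n)
    return phys


def file_slack(disk, logical_size, cluster_size=CLUSTER_SIZE):
    """All bytes between the logical end of the file and the end of its last cluster."""
    return bytes(disk[logical_size:physical_size(logical_size, cluster_size)])


def residual_slack(disk, logical_size, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Only the untouched sectors of the slack, where data of an earlier file survives."""
    sector_end = -(-logical_size // sector_size) * sector_size
    return bytes(disk[sector_end:physical_size(logical_size, cluster_size)])


if __name__ == "__main__":
    # Constructed: a cluster that earlier held a now-deleted file full of "OLD!".
    disk = bytearray(b"OLD!" * (CLUSTER_SIZE // 4))
    new_file = b"N" * 1500
    phys = write_file(disk, new_file)
    print(f"logical size {len(new_file)}, physical size {phys}, slack {phys - len(new_file)} bytes")
    print("residual data in slack:", residual_slack(disk, len(new_file))[:16])
```

Carving tools read exactly this region when they look for residual data, and a 1500-byte file in a 4 KB cluster leaves 2.5 KB of somebody else's data behind it; the difference between "size" and "size on disk" in the file's properties dialog is the same number.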
52. Name one important forensic artifact that is present in a Windows 10 system, and what
evidentiary value it could hold.
53. If a Unix user tends to use a command line interface how might a systems administrator
easily review what that user had been doing on the system recently
- The history command shows the commands a user has run in the current shell, and the same
commands are saved in a text file in the user's home directory, e.g. ~/.bash_history, which the
administrator can read directly.
54. Briefly outline the first-tier and the second-tier phases of the Digital Forensics Investigation
Processing Framework
55. Please enumerate the three main computer crime categories and explain their
characteristics. Give an example for each one of the categories.
- Computer as a tool: used to do something illegal, like a hack, a DDoS attack or communicating
about a crime.
- Computer as a target: the computer itself is exploited, e.g. to gather valuable information or
user credentials.
- Computer as a repository: illegal data is stored on the computer, e.g. pictures, movies,
documents.
56. What is the highest level in the hierarchical model for the examination of digital evidence?
- Micro-read
57. Explain briefly the Locard’s principle? Provide at least two ways how Locard’s principle
might affect a digital event scene?
58. Who is the plaintiff and the accused in the case of a criminal investigation?
59. Discuss the concept of mutability in the context of digital evidence.
60. What are the five concerns that should be addressed by a Digital Forensic investigation
(DFI) according to the FBI handbook of Forensic services?
61. What is the property of second preimage resistance in the context of a hashing function?
62. What is the avalanche effect when it refers to a specific hashing function?
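As an added example (not part of the course notes) for the hashing question (Q27) and for the three hash-property questions (Q41, Q61, Q62), a Python integrity check of an acquired image against its recorded hash, with a single-bit alteration to show why verification works: the altered copy fails the check, and its digest differs from the original in roughly half of its bits (the avalanche effect). SAMPLE_IMAGE is a constructed byte string standing in for a disk image.

```python
"""Integrity verification of an acquired image with a cryptographic hash.

Added example, not from the course material. SAMPLE_IMAGE is a constructed byte
string standing in for a disk image; the recorded hash would normally come from
the acquisition report in the chain-of-custody documentation.
"""
import hashlib
import hmac

CHUNK = 4096  # hash in chunks so a multi-GB image never has to fit in memory


def hash_image(data, algorithm="sha256"):
    """Hex digest of an image (bytes), computed chunk by chunk as a tool would stream a file."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), CHUNK):
        h.update(data[offset:offset + CHUNK])
    return h.hexdigest()


def verify_image(data, recorded_hex, algorithm="sha256"):
    """True if the image still hashes to the value recorded at acquisition time."""
    return hmac.compare_digest(hash_image(data, algorithm), recorded_hex.lower())


def flip_one_bit(data, byte_index, bit=0):
    """Simulate a tampered or damaged copy that differs from the original in a single bit."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit
    return bytes(altered)


def hamming_distance_hex(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests (the avalanche effect)."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have equal length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


SAMPLE_IMAGE = b"constructed-sector-data:" * 512  # 12288 bytes of made-up image content


if __name__ == "__main__":
    recorded = hash_image(SAMPLE_IMAGE)          # what the acquisition report would list
    tampered = flip_one_bit(SAMPLE_IMAGE, 5000)  # one bit changed somewhere in the middle
    print("verify original:", verify_image(SAMPLE_IMAGE, recorded))
    print("verify tampered:", verify_image(tampered, recorded))
    print("bits changed by a 1-bit edit:",
          hamming_distance_hex(recorded, hash_image(tampered)), "of 256")
```

The check relies on the properties asked about in Q41 and Q61: preimage resistance means the recorded digest reveals nothing about the image contents, and second-preimage resistance means nobody can produce a different image that hashes to the recorded value, so a matching hash is evidence the copy is the original. MD5 no longer provides collision resistance, so SHA-256 (often alongside a second algorithm) is the sensible choice for new acquisitions; MD5 hashes in older case files still verify against the same images, they just should not be the only hash.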
63. What is the principle of the “Order of Volatility? Please briefly outline its importance and
application in the process of a forensic acquisition?
64. Explain the concept of a ‘file header’ and discuss to what extent it can be trusted as an
indicator of a file’s contents.
65. What are the major differences between NTFS and FAT systems?
- FAT is an older file system with limited volume and file sizes, no permissions or journaling,
and it uses DOS time (local time, 2-second resolution). NTFS adds access control lists, a journal
($LogFile), alternate data streams, compression and encryption, and uses FILETIME in UTC. The
maximum file size in FAT32 is 4 GB and in NTFS 16 TB; the maximum volume size in FAT32 is 2 TB
and in NTFS 256 TB.
66. What is time frame analysis and why it is important?
67. What is the significance of a Link file and what information can be retrieved for it in a
digital forensic investigation?
68. As a digital forensic investigator how can you differentiate between a manual, user
scheduled and Windows automatic defragmentation?
69. What is an Alternate Data Stream and how a malicious entity can use it?
70. While the file permissions of the files associated with the installed program can be
misleading (in a digital forensic investigation)?
71. Name one important forensic artifact that is present in the Windows 10 system and the
relevance of the evidentiary value it could hold.
- LNK (shortcut) files are a very important artifact. When a user opens a file, Windows creates a
LNK file in the Recent folder for that particular use of the file. If the user later deletes the
file, evidence of it may remain in the form of a LNK file that points to the deleted file. The
metadata includes when the file was first opened (the creation time of the LNK file), when it
was last opened (the LNK file's modified time), the path where the file was on disk, the volume
it was on (volume serial number) and the size and MAC times of the target at that time.
72. What is the purpose and the content of a file descriptor in a Unix-like operating system file
systems?
73. In the context of Windows OS file systems, please answer the following questions:
A) What is the file size potential of FAT?
- 4GB
B) What is the volume size potential of FAT?
- FAT12 32MB
- FAT16 2GB
- FAT32 2TB
C) What is the file size potential of NTFS?
- 16TB
D) What is the volume size potential of NTFS?
- 256TB
74. What is the importance of Thumbnail Cache in a Windows system, for a forensic
investigator?
75. The Windows setup log files are useful and important in order to identify the version or
“flavor” of a Windows OS. In the context of Windows setup log files, please describe how
the “setuplog.txt” log file is used with one sentence.
76. Please explain and describe the concept of Logical file size and Physical file size in the
context of the Windows operating system. How can potential differences between the two
types of file sizes be explained?
77. What is meant by the term “Order of Volatility”? Why is it an important principle to apply
in a forensic acquisition?
78. What is spoliation?