Premium Practice Questions
Question 1 of 30
Which of the following statements is true about system shutdowns?
A graceful shutdown (letting the operating system shut the machine down) changes or destroys the following data:
- Open files are closed, which flushes buffered writes and updates their timestamps.
- Temporary files are deleted.
- The Windows page (swap) file may be cleared: pagefile.sys is wiped at shutdown when the ClearPageFileAtShutdown policy is enabled.
- Malicious material (e.g. trojan horses, rootkits, or other malware) that exists only in memory or in temporary locations may disappear or be removed.
A hard shutdown (cutting the power) retains swap files, temporary files and other on-disk data that a graceful shutdown changes or removes. Neither kind of shutdown preserves the contents of RAM (running processes, network connections, keys for mounted encrypted volumes); if those matter to the case, capture volatile memory before the system is powered down.
Question 2 of 30
Which of the following is not true about the things to keep in mind while seizing a system?
The chain of custody is a record-keeping procedure that documents who had the system and what that party did with it, and it must be maintained from the moment of seizure. After taking possession of the device, the investigator must restrict access to the computer to qualified forensic examiners.
If a laptop is attached to an electrical source, first remove the battery, then unplug the power supply from the laptop and the wall outlet. If the battery cannot be removed, unplug the power supply from the laptop and the wall socket and hold the power button down for approximately 30 seconds to force the laptop off. Either way this is a hard shutdown: decide beforehand whether volatile data (unlocked encrypted volumes, memory contents) needs to be captured first.
Question 3 of 30
Which statement is incorrect about maintaining a chain of custody?
To establish the chain of custody, the fraud examiner must record when an item comes into and leaves his or her care, custody, or control. This is best done with a written record made when the evidence is obtained and again whenever it is handed to someone else. The record should at least:
- Identify the item and the relevant information it contains.
- Record from whom the item was obtained (the person who authorised its removal), where it was located, and the date and time it was received.
- Keep a continuous custody record of the item as it changes hands.
Question 4 of 30
Which statement clearly defines hardware write-blocking?
A hardware write blocker is a device placed between the evidence media and the examiner's workstation. It stops any automated or accidental process, whether from the operating system or from the examiner, from writing to the media. Where the operating system insists on a write (for example, mounting a volume or updating a journal), the device acknowledges the request as though it had succeeded, so no error is raised and the acquisition is not thwarted, while nothing actually reaches the media.
A software write blocker, by contrast, filters media requests: only read requests are passed through and every write request is denied. Software write blockers must operate below the level of the ordinary user interface, in the driver or kernel I/O path, or an application could bypass them. Whichever type is used, its behaviour should be validated before it is used on evidence: image a test drive through the blocker, attempt a write, and confirm that the drive's hash is unchanged afterwards.
Question 5 of 30
What does a forensic image mean?
A forensic image (also called a forensic copy, mirror image, or ghost image) is a bit-for-bit duplicate of a hard drive or other digital media, including unallocated and slack space, not merely a copy of the files the file system shows. It is acquired with a standalone hard drive duplicator or with imaging software used behind a write blocker. Integrity is established by computing a cryptographic hash of the source media and of the image and confirming that they match; the hashes go into the acquisition record. Once the forensic image has been created and verified, it (or a working copy of it) is what gets examined for probative evidence; the original media is left untouched.
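The acquisition-and-verification step described above, as an added example that is not part of the original quiz material and is not the code of any tool named on this page. It images a constructed "drive" (a temporary file filled with sample bytes) rather than a real device; on real media the source path would be the write-blocked device node (for example /dev/sdb), and the examiner name and case identifier are placeholders:

```python
"""Acquire a forensic image of a drive and verify it, producing an acquisition record."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read: memory stays flat however large the source is


def hash_stream(path, algorithms=("sha1", "sha256"), sink=None):
    """Hash a file chunk by chunk, optionally copying each chunk to `sink` as it is read.

    Reading and hashing in one pass means the source is read exactly once,
    which matters on write-blocked media and on failing drives.
    Returns (byte_count, {algorithm: hexdigest}).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as src:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
            if sink is not None:
                sink.write(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path, examiner, case_id):
    """Copy `source` bit for bit to `image_path` and return an acquisition record.

    The record carries what the chain-of-custody log needs: who, when, what,
    the hashes of source and image, and whether they matched.
    """
    started = datetime.now(timezone.utc).isoformat()
    with open(image_path, "wb") as dst:
        size, source_hashes = hash_stream(source, sink=dst)
        dst.flush()
        os.fsync(dst.fileno())
    # Re-read the finished image from disk rather than trusting the write path:
    # the point is to prove what landed on disk, not what was sent to it.
    image_size, image_hashes = hash_stream(image_path)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": size == image_size and source_hashes == image_hashes,
    }


def verify_image(record):
    """Re-hash the image file and compare with the source hashes taken at acquisition.

    Run this before every examination session (and after transport); a mismatch
    means the image, not the original media, can no longer be relied upon.
    """
    size, hashes = hash_stream(record["image"], algorithms=tuple(record["source_hashes"]))
    return size == record["bytes"] and hashes == record["source_hashes"]


def demo():
    """Image a constructed 'drive' (a temporary file with sample bytes) and verify it."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_drive.bin")
    with open(source, "wb") as f:
        f.write(b"MBR\x00" + b"\x00" * 4092)       # a boot sector and padding
        f.write(b"payroll.xlsx contents")          # a file the examiner cares about
        f.write(os.urandom(CHUNK + 17))            # data spanning a chunk boundary
    image = os.path.join(workdir, "evidence_drive.dd")
    return acquire_image(source, image, "J. Examiner", "CASE-001")  # placeholder names


if __name__ == "__main__":
    rec = demo()
    for key, value in rec.items():
        print(f"{key}: {value}")
    print("re-verification:", verify_image(rec))
```

The record is what gets written into the custody log; re-running verify_image on the stored record is the check an examiner performs before each session, and it fails as soon as a single byte of the image differs.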
Question 6 of 30
Which statement best explains data culling?
Once the collection process is complete, fraud examiners are left with large volumes of digital data, some of it important and much of it irrelevant. At this point the fraud examiner must process and filter the digital information to reduce the amount of data under review (commonly known as data culling), identifying relevant information and setting aside duplicates and other material that is not relevant because of its type, origin or date. Culling sets data aside rather than destroying it, and the fraud examiner must maintain the integrity of the data while doing so.
Question 7 of 30
Which of the following is not true regarding keyword searches?
A keyword search identifies relevant evidence by searching for terms that matter to the particular case (e.g. names, dates, account numbers). Searching this way minimises the time spent on analysis and helps protect the fraud examiner from allegations that the search was too broad. To conduct a keyword search, the fraud examiner should establish a list of relevant keywords based on what is known about the case. Search terms can also be devised to look for patterns in the data (an account-number format, a date range) rather than exact words. Keyword searches only find what is stored as searchable text: encrypted, compressed or misspelled content will not match, so they complement rather than replace other examination methods.
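A small keyword-and-pattern search of the kind described above, written as an added example (not from the original page). The three documents, the names, and the account-number, date and amount formats are all constructed for the illustration:

```python
"""Keyword and pattern search over extracted text, returning each hit with context."""
import re

# Constructed sample of text extracted from collected documents (not real data).
DOCUMENTS = {
    "email_0412.txt": "Hi Dana, wire the 12,500 to account 4417-0039-2211 before 03/14/2023. - R. Mosley",
    "memo_q1.txt": "Quarterly inventory review. No exceptions noted.",
    "chat_export.txt": "r.mosley: use the other acct 4417-0039-2218, bank closes at 5",
}

# Plain keywords come from what is known about the case: names, vendors, account holders.
KEYWORDS = ["Mosley", "Dana"]

# Patterns catch values whose exact content is unknown but whose shape is predictable.
PATTERNS = {
    "account_number": re.compile(r"\b\d{4}-\d{4}-\d{4}\b"),
    "date_mdy": re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    "amount": re.compile(r"\b\d{1,3}(,\d{3})+(\.\d{2})?\b"),
}


def build_terms(keywords, patterns):
    """Compile keywords case-insensitively and merge them with the pattern terms.

    re.escape keeps punctuation inside a keyword literal, and the \\b anchors
    stop a short name such as 'Dana' from matching inside a longer word.
    """
    terms = {
        "keyword:" + k: re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE)
        for k in keywords
    }
    terms.update({"pattern:" + name: rx for name, rx in patterns.items()})
    return terms


def search(documents, terms, context=20):
    """Return one hit per match: document, term, matched text and surrounding context."""
    hits = []
    for doc_name, text in documents.items():
        for term_name, rx in terms.items():
            for m in rx.finditer(text):
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                hits.append({
                    "document": doc_name,
                    "term": term_name,
                    "match": m.group(0),
                    "context": text[start:end],
                })
    return hits


def documents_with_hits(hits):
    """Collapse the hit list to the set of documents that merit a reviewer's time."""
    return sorted({h["document"] for h in hits})


if __name__ == "__main__":
    for hit in search(DOCUMENTS, build_terms(KEYWORDS, PATTERNS)):
        print(f"{hit['document']:18} {hit['term']:24} {hit['match']!r:22} ...{hit['context']}...")
```

The memo produces no hits and drops out of review, which is the time saving the question refers to; the second account number is found only because the pattern term was present, since nobody knew that number in advance.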
Question 8 of 30
Which statement is true about deduplication filtering?
One problem faced in most investigations is that the collection process yields multiple copies of the same files (the same attachment in several mailboxes, backups, synchronised folders). Because reviewing these duplicates is expensive and time-consuming, the fraud examiner must recognise and remove duplicates from the collected data. This process is referred to as deduplication filtering, and it is important for reducing the vast amounts of information gathered during a fraud investigation. Duplicates are identified by hashing file contents rather than by comparing names, so a renamed copy is still caught and two different files that happen to share a name are not merged.
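An added example, not from the original page, that performs the culling described in questions 6 and 8: duplicates are found by content hash and out-of-scope files are set aside with a logged reason. The file collection is constructed in a temporary directory; the relevant file types and the 2023 date window are assumptions made for the illustration:

```python
"""Cull a collected file set: set aside exact duplicates (by content hash) and files
outside the case's type and date scope. Nothing is deleted; every decision is logged."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

RELEVANT_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".eml"}   # assumed case scope


def sha256_of(path):
    """Content hash of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def cull(root, date_from, date_to, extensions=RELEVANT_EXTENSIONS):
    """Walk `root` and return (kept, set_aside); each set_aside entry records its reason.

    Duplicates are decided by content hash, not by name: the same spreadsheet
    attached to three emails is one item to review. The first copy seen is kept
    and later copies are logged as duplicates of it, so the link is preserved
    and the decision can be audited later.
    """
    seen = {}                      # content hash -> path of the copy that was kept
    kept, set_aside = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            ext = os.path.splitext(name)[1].lower()
            if digest in seen:
                set_aside.append((path, "duplicate of " + seen[digest]))
            elif ext not in extensions:
                set_aside.append((path, "type out of scope: " + (ext or "(none)")))
            elif not (date_from <= mtime <= date_to):
                set_aside.append((path, "date out of scope: " + mtime.date().isoformat()))
            else:
                seen[digest] = path
                kept.append(path)
    return kept, set_aside


def culling_log(kept, set_aside):
    """Map each file's base name to its disposition, for the examiner's working notes."""
    log = {os.path.basename(p): "kept" for p in kept}
    log.update({os.path.basename(p): why for p, why in set_aside})
    return log


def _write(path, data, when):
    """Create a sample file and set its modification time (constructed test data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (when.timestamp(), when.timestamp()))


def demo():
    """Build a small constructed collection and cull it to the 2023 calendar year."""
    root = tempfile.mkdtemp()
    in_scope = datetime(2023, 6, 15, tzinfo=timezone.utc)
    payroll = b"PK\x03\x04 fake payroll workbook " * 50
    _write(os.path.join(root, "payroll.xlsx"), payroll, in_scope)
    _write(os.path.join(root, "payroll_copy.xlsx"), payroll, in_scope)        # renamed duplicate
    _write(os.path.join(root, "mail", "attachment.xlsx"), payroll, in_scope)  # same file, other mailbox
    _write(os.path.join(root, "notes.txt"), b"call vendor re invoice 77", in_scope)
    _write(os.path.join(root, "setup.exe"), b"MZ installer bytes", in_scope)  # wrong type
    _write(os.path.join(root, "old_report.pdf"), b"%PDF-1.4 2015 audit",
           datetime(2015, 3, 1, tzinfo=timezone.utc))                         # outside the date window
    return cull(root,
                datetime(2023, 1, 1, tzinfo=timezone.utc),
                datetime(2023, 12, 31, 23, 59, 59, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, disposition in culling_log(*demo()).items():
        print(f"{name:20} {disposition}")
```

Six files go in, two come out for review, and the log records why each of the other four was set aside, which is what preserves the integrity of the collection while it is being reduced.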
Question 9 of 30
Which of the following is incorrect regarding reporting and testifying?
In this phase a qualified expert may be asked to give an opinion on a computer system's use or misuse. It is here that expertise and qualifications are examined, and fraud examiners need to be certain that their opinion rests on their research, knowledge and experience, because their findings will be scrutinised, and challenged where possible, by an opposing expert. In this phase the fraud examiner may also provide witness testimony at a deposition, trial, or other legal proceeding.
Question 10 of 30
Which of the following is not true regarding the lack of information accessibility?
Cloud customers usually do not have physical access to cloud-based data, and often do not have access to the log files or metadata for their cloud data either.
Where a suspect's files are held in the cloud, investigators cannot simply seize the suspect's computer to obtain the relevant files.
Lack of information accessibility also means that cloud customers often know little about the physical locations of their data.
Question 11 of 30
Which statement is true regarding the jurisdiction of storage?
Cloud providers typically store data on servers at various locations around the world.
As a result, data relating to people within the same organisation may be held at different physical locations, which complicates an investigator's assessment of which jurisdiction's rules apply.
Question 12 of 30
Which statement is incorrect about resource sharing?
Under the traditional model of computing, resources tend to be used solely by one user, whereas in the cloud environment providers allocate resources on the same physical infrastructure to multiple customers. This difference exists because cloud computing services use server virtualisation, which partitions a physical server so that it effectively becomes several servers. For an investigator this means data belonging to unrelated tenants can sit on the same disk, so seizing a whole physical server is rarely possible or proportionate.
Question 13 of 30
Which statement best describes mobile forensic investigations?
Mobile phone forensics refers to the procedures used to capture data from mobile devices in a way that keeps the data admissible in court. Companies also use mobile phone forensics to determine whether a company-issued device has been used in breach of its acceptable-use policies.
Question 14 of 30
What does recovering mobile data through the file system include?
The main levels at which data is recovered from mobile devices are:
- Logical: the logical objects held in a logical store (e.g. a partition of the file system), obtained through the device's own interfaces. What a logical examination retrieves varies with the device, but it may include text messages, multimedia messages, call logs, contacts, tasks, images, audio, video, calendar entries and so on.
- File system: everything in the logical extraction plus data not presented to the user, such as deleted records that still exist inside database files and operating-system files.
- Physical: a bit-for-bit copy of the physical store (e.g. the flash memory chip), including unallocated space, from which deleted files can be carved even when the file system no longer references them.
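An added example (not from the original page, and not how any tool named on it works internally) of why the physical level recovers what the logical and file-system levels do not: it carves JPEGs by signature from a constructed toy flash dump in which the second picture has no file-table entry. The "file table" format is invented for the illustration; real devices use proper file systems:

```python
"""Carve JPEG files out of a raw (physical) flash dump by signature, ignoring the file system."""

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the first segment marker byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(dump, max_size=20 * 1024 * 1024):
    """Return [(offset, data)] for every JPEG in `dump`, allocated or not.

    A physical extraction includes unallocated space, so a picture whose
    directory entry was deleted is still present as long as its blocks have not
    been reused. The scan never consults the file system: it finds each SOI
    signature and takes bytes up to the next EOI marker. `max_size` stops a
    stray SOI with no matching EOI from swallowing the rest of the dump.
    """
    found = []
    pos = 0
    while True:
        start = dump.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = dump.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1          # false positive or truncated file: keep scanning
            continue
        end += len(JPEG_EOI)
        found.append((start, dump[start:end]))
        pos = end
    return found


def build_sample_dump():
    """Construct a toy flash dump: a 1 KiB 'file table', one live JPEG, one deleted JPEG.

    Only the first JPEG has a table entry pointing at it; the second is orphaned
    in unallocated space, which is exactly what a logical extraction cannot return.
    """
    live_jpeg = JPEG_SOI + b"\xe0" + b"\x00\x10JFIF\x00" + b"live photo pixels" * 8 + JPEG_EOI
    deleted_jpeg = JPEG_SOI + b"\xe1" + b"\x00\x16Exif\x00\x00" + b"deleted photo pixels" * 8 + JPEG_EOI
    table = b"FSTABLE\x00live.jpg@0x0400\x00"
    dump = bytearray(table + b"\x00" * (1024 - len(table)))      # file table occupies 0x000-0x3ff
    dump += live_jpeg + b"\x00" * (512 - len(live_jpeg) % 512)   # live file at 0x400, padded to a block
    dump += b"\xff" * 2048                                       # erased (0xff) flash pages
    dump += deleted_jpeg                                         # no table entry: bytes still in flash
    dump += b"\x00" * 1024
    return bytes(dump)


def allocated_offsets(dump):
    """Offsets the toy file table knows about, i.e. what a logical view would show."""
    entries = dump[:1024].split(b"\x00")
    return [int(entry.split(b"@")[1], 16) for entry in entries if b"@" in entry]


if __name__ == "__main__":
    sample = build_sample_dump()
    known = allocated_offsets(sample)
    for offset, data in carve_jpegs(sample):
        status = "allocated" if offset in known else "DELETED (carved from unallocated space)"
        print(f"JPEG at offset 0x{offset:06x}, {len(data)} bytes, {status}")
```

The table-driven view returns one picture; the signature scan over the raw dump returns two. Real carving has to cope with fragmentation and with false positives (the SOI bytes can occur by chance inside other data), which is why carved files are validated, for example by decoding them, before they are relied on.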
Question 15 of 30
Out of the following, which principle is incorrect for an investigator to adhere to when dealing with digital evidence?
The four principles are summarised as follows:
- No action taken by police or their agents should alter data on digital devices or storage media that may later be relied on in court.
- Individuals who access original data must be competent to do so and able to explain the relevance and implications of their actions.
- An audit trail or other record of all processes applied to the digital evidence must be created and preserved, in enough detail that an independent third party could repeat the process and reach the same result; for a mobile device this means each investigative phase is tracked accurately.
- The person in charge of the investigation is responsible for ensuring that these principles are followed and that the law is complied with.
Question 16 of 30
Which of the following is false regarding conducting a mobile forensic investigation?
Before the investigation, a mobile forensic investigator should establish:
- The legal authority to examine the device.
- The goals of the investigation.
- The make, model and a description of the device to be seized.
- Any other sources of potential evidence.
The fraud investigator must then seize and collect the devices, isolate the equipment and document the device at the time it is seized.
If a device is turned off, the fraud investigator should leave it off to prevent any changes to its data.
Question 17 of 30
If a device is powered on during a mobile fraud investigation, which of the following should not be considered while seizing it?
The following considerations apply:
- The fraud investigator should not browse through the device, because doing so will almost certainly change its data.
- If the device is protected by a password or locks itself, later access could be prevented; where a device is found unlocked, steps to stop it from locking (and to obtain the passcode lawfully) should be taken before it does.
- A device that is switched on may connect to the network, which will cause data to change; the fraud examiner should disconnect it from the network.
Question 18 of 30
Which of the following is not a correct reason for isolating a device from the network?
Isolating a device from the network also prevents:
- The user of the device from destroying data through remote access to the device (for example, a remote wipe).
- Cross-contamination.
- New data from overwriting old data, including deleted data that could still be recovered.
- New data from contaminating the existing data.
Question 19 of 30
Which of the following statements is incorrect regarding Faraday containers?
A Faraday container is a bag or box that shields the equipment inside it from electromagnetic signals, so that the device cannot be contacted over the network. A device wrapped in several layers of aluminium foil will act as an improvised Faraday container. A device placed in a Faraday container should not be connected to an external power supply, since a cable passing through the shield can act as an antenna and break the isolation; instead the investigator should use a portable power supply that can be connected to the device while it remains inside the container. This matters because a shielded device keeps searching for a signal and drains its battery faster than usual.
Question 20 of 30
Which of the following statements is a disadvantage of turning a phone off?
The benefits of switching a mobile phone off include:
- Preservation of the call log.
- Preservation of the last cell tower location information.
- Prevention of deleted data being overwritten.
- Prevention of incoming calls, messages and other contact from reaching the phone and modifying data.
The disadvantage is that powering off loses whatever is held only in volatile memory and may leave the phone demanding a passcode or SIM PIN on power-up, which can lock the examiner out of the device.
Question 21 of 30
Which of the following is not a step in documenting the device at the time of seizure?
Once the device is isolated from the network and ready for forensic analysis, the analyst should document it by:
- Recording all details of the applications active on the device.
- Conducting a photographic survey that shows the condition of the device as found or received.
- Identifying the make, model and type of the device, and locating its user manual and technical specifications.
Question 22 of 30
Which of the following is not a way of verifying the data extracted from a device?
Extracted information can be checked in several ways, including:
- Checking that the extracted data agrees with the data displayed on the device itself.
- Using more than one forensic tool to extract data from the device and cross-checking the results by comparing what each tool extracted.
- Validating individual files by comparing the hash values of the extracted copies against those of the originals.
Question 23 of 30
Among the statements below, which one is incorrect regarding examples of digital forensic software?
- EnCase Forensic gives investigators the ability to copy a drive and preserve it forensically in the EnCase evidence file format (E01, or the logical evidence file format LEF/L01), a digital evidence container that has been accepted by courts around the world.
- Forensic Toolkit (FTK) provides file sorting and searching. FTK's customisable filters let examiners sort through thousands of files to find evidence.
- Password Recovery Toolkit (PRTK) lets users find and identify encrypted files on handheld, desktop and server systems, and recovers passwords that are lost, forgotten or otherwise unavailable.
Question 24 of 30
Apart from which of the following, the statements are correct about ProDiscover Forensics?
ProDiscover Forensics is a computer forensics tool that lets examiners locate all of the data on a computer disk while preserving the evidence and generating evidence-quality reports for use in legal proceedings. It examines disk data at the sector level, so data hidden from the file system (in slack space, unallocated space or hidden partitions) is still visible to it. ProDiscover Forensics does not modify any data on the disk.
Question 25 of 30
Which of the following statements is true about the XRY and XACT systems?
XRY connects the mobile device to the examiner's computer and stores the extracted data in a proprietary format that cannot be modified, although the data can still be exported for review.
XACT is a separate hex viewer application that complements XRY and lets examiners view the raw hexadecimal data collected during a physical dump of a mobile device. Deleted information from seized mobile phones can be recovered with XACT without compromising the integrity or legal standing of the information in court.
Question 26 of 30
Which of the following is not a general step in tracing illicit transactions?
An investigation that traces transactions will usually include the following elements:
- Gather information.
- Profile the suspect.
- Review lead information and prioritise the leads.
- Trace the illicit transactions.
Question 27 of 30
Which of the following is incorrect about tracing illicit transactions?
Tracing means finding evidence that shows what happened to an asset. It includes tracking the transfer of assets to and from accounts, identifying and connecting the individuals, organisations and assets at issue, and it should include an analysis of the assets and financial flows involved.
Question 28 of 30
Which of the following must a fraud examiner analyse when he gets access to the subject's financial records?
i) Identification of increases and decreases in account balances
ii) A summary of checks written on the account
iii) Concealing criminal profits
iv) Money deposited into the accounts
When a fraud examiner gets access to the subject's financial records, he must analyse:
- Increases and decreases in account balances.
- A summary of checks written on the account.
- A summary of deposits and withdrawals.
- Money deposited into the accounts and where it came from.
- A summary of wire transfers into or out of the account.
Question 29 of 30
Which of the following is not true about a fraud examiner obtaining bank and financial records?
Despite limits on the collection of financial records, fraud examiners may be able to obtain bank records from other sources, depending on the circumstances. For example, the fraud examiner may try to gain access to financial records by contacting the subject's former spouse, who may hold bank records that are valuable to the fraud examination. Similarly, a defendant's bank records may be available as part of a divorce settlement or other lawsuit.
The cost of obtaining bank records can be high. Banks generally charge both public and private entities to search for and retrieve records, and they may charge additional fees for reproducing them.
Question 30 of 30
Which of the following is not a true statement about establishing a database?
Fraud examiners must set up a database for processing and evaluating financial data, which means coding every document and analysing the patterns of activity it reveals. When dealing with large collections of raw data, databases are more effective than spreadsheets.
When building a database of financial data, the fraud examiner should create a profile for each bank account at issue.
There are 17 primary elements that can be pulled from check records, and these can be used for almost all bank records.
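An added example, not part of the original quiz material, of the database approach that questions 28 and 30 describe: coded bank-record entries go into a SQLite table (one account profile per account) and the summaries come from queries rather than from hand-built spreadsheets. The schema, the transaction types and all of the entries are constructed for the illustration:

```python
"""Load coded bank-record entries into a database and run the summaries a fraud examiner
builds from them: balance movement, checks written, deposits and withdrawals, wire transfers."""
import sqlite3

SCHEMA = """
CREATE TABLE transactions (
    id           INTEGER PRIMARY KEY,
    account      TEXT    NOT NULL,  -- the account profile this entry belongs to
    txn_date     TEXT    NOT NULL,  -- ISO 8601 so string order is date order
    txn_type     TEXT    NOT NULL,  -- check, deposit, withdrawal, wire_in, wire_out
    amount_cents INTEGER NOT NULL,  -- integer cents: no floating-point rounding on money
    counterparty TEXT,
    check_number TEXT,
    memo         TEXT
);
"""

OUTFLOWS = "('check', 'withdrawal', 'wire_out')"   # fixed SQL fragment, never user input

# Constructed sample entries for one account; not real bank data.
SAMPLE = [
    ("1001", "2023-01-03", "deposit",    250000, "Payroll Corp",       None,   "salary"),
    ("1001", "2023-01-05", "check",       42000, "City Power",         "2041", "utility"),
    ("1001", "2023-01-09", "wire_in",    980000, "Delta Holdings Ltd", None,   "consulting"),
    ("1001", "2023-01-10", "withdrawal", 900000, "ATM/Teller",         None,   "cash"),
    ("1001", "2023-01-12", "check",      150000, "Delta Holdings Ltd", "2042", "refund"),
    ("1001", "2023-01-20", "wire_out",   600000, "Cayman Trust",       None,   "invoice 77"),
    ("1001", "2023-02-01", "deposit",    250000, "Payroll Corp",       None,   "salary"),
]


def load(entries):
    """Create the database in memory and load the coded entries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO transactions (account, txn_date, txn_type, amount_cents, counterparty, check_number, memo)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)", entries)
    return conn


def balance_change(conn, account):
    """Net movement of the account in cents: inflows minus outflows."""
    return conn.execute(
        f"SELECT COALESCE(SUM(CASE WHEN txn_type IN {OUTFLOWS} THEN -amount_cents ELSE amount_cents END), 0)"
        " FROM transactions WHERE account = ?", (account,)).fetchone()[0]


def summary_by_type(conn, account):
    """Count and total per transaction type: the check, deposit/withdrawal and wire summaries in one query."""
    rows = conn.execute(
        "SELECT txn_type, COUNT(*), SUM(amount_cents) FROM transactions"
        " WHERE account = ? GROUP BY txn_type ORDER BY txn_type", (account,)).fetchall()
    return {t: {"count": c, "total_cents": s} for t, c, s in rows}


def check_register(conn, account):
    """Checks written on the account in check-number order; gaps in the sequence merit a question."""
    return conn.execute(
        "SELECT check_number, txn_date, counterparty, amount_cents FROM transactions"
        " WHERE account = ? AND txn_type = 'check' ORDER BY check_number", (account,)).fetchall()


def round_trip_counterparties(conn, account):
    """Parties that both paid into and were paid out of the account: a lead worth prioritising."""
    return [row[0] for row in conn.execute(
        f"SELECT counterparty FROM transactions WHERE account = ? GROUP BY counterparty"
        f" HAVING SUM(txn_type IN {OUTFLOWS}) > 0 AND SUM(txn_type NOT IN {OUTFLOWS}) > 0",
        (account,)).fetchall()]


if __name__ == "__main__":
    db = load(SAMPLE)
    print("net balance change (cents):", balance_change(db, "1001"))
    for kind, stats in summary_by_type(db, "1001").items():
        print(f"{kind:11} {stats['count']:3} {stats['total_cents']:>10}")
    print("check register:", check_register(db, "1001"))
    print("round-trip counterparties:", round_trip_counterparties(db, "1001"))
```

Because every document is coded into the same table, adding a second account is a matter of loading its entries under another account value and running the same queries, which is the advantage over a spreadsheet per statement; the last query is the kind of pattern question (who is on both sides of the account) that is awkward to ask of a spreadsheet and trivial to ask of a database.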