CFE Exam Quiz 37

Digital devices are devices that process data in the form of numbers (digits). Digital devices can be used to communicate with others, create documents, access and enter data online, and store information.

Investigations that involve relevant digital data processed or stored by digital devices are known as digital investigations.

Digital forensics encompasses the preservation, identification, extraction, recovery, documentation and investigation of material found in digital devices. Digital forensic experts specialize in digital forensics.

Deleted files are recoverable until they are overwritten because data is not erased from a computer’s hard drive until it is overwritten. A deleted file will remain present on a hard drive until the operating system overwrites all or some part of the file. So, deleted files are generally no longer recoverable when they have been overwritten.

A digital forensic expert would not be able to recover a deleted file that has been overwritten by the operating system. A digital forensic expert can recover, among other things, the following types of information from computer systems:

– Deleted files and other data that have not been overwritten (e.g., deleted documents, images, links or shortcut files, and email messages).
– Files deleted through computer-automated processes.
– Temporary auto-save files.
– Print-spool files.
– Websites visited, even where the browser history and cache have been deleted.
– Communications sent via chat or instant messenger.
– Financial-based internet transactions.
– Documents, letters, and images created, modified, or accessed, even if the data was not saved on the computer in some situations.
– Data that has been copied, corrupted or moved.

Within the digital forensics field, there are several different types of special experts. These special experts include:

– Operating and file system experts
– Data recovery experts
– Forensic accounting experts
– Recording and archival extraction experts
– Intrusion and malicious code experts

Operating and file system experts are proficient in certain operating systems (e.g., Windows Vista, Windows 7, Windows 10, Linux) and the various file systems they employ (e.g., Joliet, NTFS, FAT, VFS, Ext2). Operating and file systems experts also have the ability to convey operational characteristics and observe artifacts.

Intrusion and malicious code experts specialize in investigating computer network intrusions. These experts can determine attack vectors, the tools employed, what occurred during access, and what, if anything, was taken.

Data recovery experts operate clean rooms designed to magnetically extract information from a damaged media source. With the use of special tools and equipment, data recovery experts can disassemble a hard disk, separate the platters, and extract and reassemble the information for subsequent examination.

Forensic accounting experts specialize in the use of professional accounting skills in matters involving potential or actual civil or criminal litigation. A forensic accountant can provide various services, including audits, accountant performance reviews, and examinations of financial documents for fraud, misconduct, or industry-standard violations.

Recording and archival extraction experts are experts in extracting information from tapes, digital media, or other system backups. Backup solutions archive data in proprietary formats, making extraction very cumbersome.

A fraud examiner must be diligent when deciding to hire a forensic expert. The best way to hire an expert is to follow a few simple guidelines. These guidelines include:

– Ask colleagues for referrals.
– Make sure the expert is properly licensed (if required) and insured.
– Ask the experts if they have worked on the type of case that is at issue, and if so, what they were retained for and the outcome.
– Set up a budget for the investigation.
– Make sure there is a comfortable relationship and good communication between the client and the expert.
– Listen to the expert because he might have new, unique ideas and suggestions that were not previously considered.

Digital evidence is information stored or transmitted in binary form (i.e., ones and zeroes) that can be used to prove something. Fraud examiners will gather some type of digital evidence in almost all fraud examinations.

Generally, when digital data is collected in an investigation, the facts at issue involved a computer, either as a target of a criminal act, an instrument of crime, or a repository of evidence associated with the crime.

Computers themselves can be the targets of crime. Computer and computer-component theft, system intrusions, denial of service, software piracy, and software theft are examples of crimes committed against computers.

Digital evidence is more volatile than tangible information because digital data can be altered or destroyed more easily than tangible information.

Digital evidence is more volatile than tangible information because data can be altered or destroyed more easily than tangible information. Digital data is, by design, fragile and short-lived in nature. It is easily manipulated, substituted, modified, and deleted.

Operating systems and programs frequently alter, delete, and modify digital data, and this might happen automatically. Digital information that is potentially relevant to an investigation can be altered by seemingly harmless actions, such as:

– Shutting down a running system.
– Starting up a system.
– Looking through files on a running computer.
– Using or interacting with a computer system.
– Visiting websites.
– Using software applications.
– Downloading or transferring files.
– Connecting a computer system to a network.

Spoliation is broadly defined as the act of intentionally or negligently destroying documents relevant to litigation.

Because digital evidence can be easily altered or destroyed, the integrity of digital evidence must be preserved. The failure to preserve the integrity of digital evidence could result in several adverse consequences. Consequences of not preserving the integrity of digital evidence include:

– The government’s questioning of the integrity of any evidence collected in a fraud investigation.
– Potential claims of spoliation of evidence.
– Evidence can be deemed inadmissible in a legal proceeding, or, even if admitted, it might not be given much weight because evidence of questionable authenticity does not provide reliable proof.

User-created files are digital files created under the user’s direction. User-created files include text-based documents, spreadsheets, databases, emails, address books, presentation slides, audio/video files, image files, and internet bookmarks.

Evidence might also be found in information generated by a computer’s operating system. This type of information is important because it can identify that a certain activity has taken place, and in most cases, the user is not aware that this information is being written. Some common examples of computer-generated data available for examination include metadata, registry, event logs, internet activity, temporary files, and deleted data.

Often, users hide files to prevent them from being found. There are a variety of techniques to hide files, but some of the most common methods include camouflaging, steganography, and encryption.

Camouflaging is the process of hiding certain files under a different name or a different file extension to prevent others from discovering them. For example, a suspect might change a file name from “evidence.doc” to “install.exe” and place the file in a directory that stores program files.

The file header is a region at the beginning of each file where bookkeeping information is kept. It contains the first bits of data in a file which includes data identifying the file format. When fraud examiners want to determine if a file has been camouflaged, they would normally analyze a target’s hard drive to determine whether the file has been camouflaged. This is done by analyzing the file header.

Steganography is the process of hiding one piece of information within an apparently innocent file. For example, a user can use the least significant bits of a bitmap image to hide a message. By hiding the message in the least significant bits of an image, there is almost no perceivable change in the bitmap image itself. It is practically impossible to tell that the image was altered without directly comparing the altered image to the original.

There are a number of tools that investigators can use to detect steganography. These tools use different methods to detect the use of steganography. The following are some common methods of detecting the use of steganography:

– Visual detection by looking for visual anomalies in jpeg, bmp, gif, and other image files.
– Audible detection by looking for audible anomalies in wav, mp3, mpeg, and other media files.
– Statistical detection by determining whether the statistical properties of files deviate from the expected norm.
– Structural detection by looking for structural oddities that suggest manipulation (e.g., size differences, date differences, time differences, or content modification).

Encryption refers to procedures used to convert information using an algorithm (called a cipher) that makes the information unreadable to anyone without the encryption key. A user can protect files by encrypting them.

A peripheral device is an auxiliary device that is connected to, but not part of, a host computer. Evidence might be stored on other forms of technology such as a peripheral device. As data moves to and from peripheral devices, it leaves evidence of its presence and sometimes leaves full copies of its contents.

A memory buffer is a temporary storage area of jobs waiting to be printed, which might also contain important information. Information contained in a memory buffer, however, is generally limited to recently created and stored data.