COURSE 5 – PENETRATION TESTING, INCIDENT RESPONSE AND FORENSICS

Module 3: Digital Forensics

IBM CYBERSECURITY ANALYST PROFESSIONAL CERTIFICATE

Complete Coursera Study Guide

INTRODUCTION – Digital Forensics

This module will delve into the forensic process, various sources of forensic data, and the importance of the chain of custody within the realm of forensics.

Learning Objectives

  • Discuss methods for using network data to identify a cyberattacker
  • Summarize the various sources of network data and the value of data obtainable from each
  • Describe the four layers of the TCP/IP model and their relevance for digital forensics
  • Explain how different application components and types provide meaningful forensic data
  • Summarize recommended forensic methods for collecting log information from Windows, macOS, and Linux systems
  • Contrast volatile and non-volatile data and explain best practices for collecting each data type
  • Describe essential methods, tools, and considerations for collecting, preserving, and analyzing data files
  • Summarize the components of a forensic report and the best practices for writing them
  • Describe the analysis step in digital forensics
  • Summarize the obstacles inherent in forensic examination
  • Explain the role that chain of custody plays in data collection
  • Describe the National Institute of Standards and Technology’s (NIST’s) three steps for data collection
  • Discuss the challenges that various data collection methods present
  • Summarize the objectives of digital forensics
  • List standard data sources for digital forensics
  • Define digital forensics

FORENSIC COURSE OVERVIEW KNOWLEDGE CHECK

1. Digital forensics can be defined as the application of science to the identification, collection, examination, and analysis of what?

  • Malware
  • Data (CORRECT)
  • Evidence
  • Cybercriminals

2. According to NIST, the four (4) steps of the forensic process include which? (Select 4)

  • Examination (CORRECT)
  • Preserving
  • Reporting (CORRECT)
  • Investigating
  • Analysis (CORRECT)
  • Collection (CORRECT)


THE FORENSICS PROCESS KNOWLEDGE CHECK

1. According to NIST, a forensic analysis should include four elements: Places, Items, Events, and what?

  • People (CORRECT)
  • Methods
  • Data
  • Systems

2. True or False. A digital forensics report must contain details of every test conducted, the methods and tools used, and the results.

  • True (CORRECT)
  • False

3. Which section of a digital forensics report would contain a list of the steps you have taken to ensure the integrity of the evidence?

  • Overview & Case Summary
  • Forensic Acquisition & Examination Preparation (CORRECT)
  • Findings & Analysis
  • Conclusion

4. Network activity, Application usage, Logs and Keystroke monitoring are all sources of what?

  • Data (CORRECT)
  • Malware
  • Forensic dead-ends
  • Leaks

5. What are the three (3) main hurdles that must be overcome when examining data? (Select 3)

  • Dealing with a sea of data. A single hard drive will contain many thousands of files that are not relevant to our investigation. (CORRECT)
  • Selecting the most effective tools to help with the searching and filtering of data. (CORRECT)
  • Bypassing controls such as operating system and encryption passwords. (CORRECT)
  • Not tripping malware booby traps that were set up to prevent examination of data.


FORENSIC DATA KNOWLEDGE CHECK

1. True or False. Only data files can be effectively analyzed during a forensic analysis.

  • True
  • False (CORRECT)

2. Most data files are smaller than the number of blocks allocated to their storage by the file system; the unused space is known as what?

  • Block buffer space
  • Slack space (CORRECT)
  • Free space
  • Allocation overage space

3. What does file metadata known as “MAC” data stand for in the context of a forensic analysis?

  • Machine Access Control
  • Metadata associated with i/OS files
  • Machine Allocated Content
  • Modification, Access and Creation times (CORRECT)

4. Open files are considered which data type?

  • Non-volatile
  • Dynamic
  • Volatile (CORRECT)
  • Static

5. True or False. When collecting forensic data from a running system, you should always attempt to collect volatile data first.

  • True (CORRECT)
  • False

6. Which operating system has a “Target Disk Mode” that allows a forensic investigator to easily make a copy of the target hard drive?

  • Mac OS X (CORRECT)
  • Microsoft Windows
  • Linux
  • UNIX

7. Which three (3) of the following are application components? (Select 3)

  • Supporting files (CORRECT)
  • Operating system DLLs
  • Log files (CORRECT)
  • Configuration settings (CORRECT)


8. Which of these applications would likely be of the most interest in a forensic analysis?

  • Email (CORRECT)
  • OSI Application Layer protocols
  • Patch files
  • Operating system DLLs

9. What useful forensic data can be extracted from the Application layer of the TCP/IP protocol stack?

  • HTTP addresses (CORRECT)
  • TCP addresses
  • UDP addresses
  • ICMP addresses

10. Which device would you inspect if you were looking for failed attempts to penetrate your company’s network?

  • Firewall (CORRECT)
  • Intrusion detection system
  • Packet sniffer
  • Remote access server

DIGITAL FORENSICS ASSESSMENT

1. Digital forensics is commonly applied to which of the following activities?

  • Criminal investigation
  • Incident handling
  • Data recovery
  • All of the above (CORRECT)

2. NIST includes which three (3) as steps in collecting data? (Select 3)

  • Develop a plan to acquire the data (CORRECT)
  • Verify the integrity of the data (CORRECT)
  • Acquire the data
  • Normalize the data


3. What is the primary purpose of maintaining a chain of custody?

  • So a person in possession of evidence will know who they are allowed to give it to next
  • To keep valuable hardware securely locked to tables or floors.
  • To allow for accurate client billing
  • To avoid allegations of mishandling or tampering of evidence. (CORRECT)

4. True or False. Digital forensics has been used to solve a number of high-profile violent crimes.

  • True (CORRECT)
  • False

5. True or False. A digital forensics report is a summary of your findings. If your case goes to trial, your testimony can, and usually does, involve far more detail than is in the report.

  • True
  • False (CORRECT)

6. Which section of a digital forensics report would include the best practices of taking lots of screenshots, using the built-in logging options of your digital forensics tools, and exporting key data items into a .csv or .txt file?

  • Overview & Case Summary
  • Forensic Acquisition & Examination Preparation
  • Findings & Analysis (CORRECT)
  • Conclusion

7. Which types of files are appropriate subjects for forensic analysis?

  • Data files
  • Image and video files
  • Application files
  • All of the above (CORRECT)

8. Deleting a file results in what action by most operating systems?

  • The memory registers used by the file are erased and marked as available for new storage.
  • The file is copied to a trash or recycle folder and the original memory registers are erased.
  • The memory registers used by the file are marked as available for new storage but are otherwise not changed. (CORRECT)
  • Random data is immediately copied into the memory registers used by the file to obfuscate the previous contents.

9. Forensic analysis should always be conducted on a copy of the original data. What type of copying is appropriate for getting data from a live system that cannot be taken offline?

  • An incremental backup
  • A logical backup (CORRECT)
  • A disk-to-file backup
  • A disk-to-disk backup

10. How does a forensic analysis use hash sets acquired from NIST’s Software Reference Library project?

  • They can quickly eliminate known good operating system and application files from consideration. (CORRECT)
  • They provide a record of known encrypted malware.
  • Hashes will help you quickly zero in on deleted files.
  • They are useful in identifying files that were created outside the United States.

11. Which three (3) of the following data types are considered non-volatile? (Select 3)

  • Dump files (CORRECT)
  • Swap files (CORRECT)
  • Free space
  • Logs (CORRECT)


12. Configuration files are considered which data type?

  • Static
  • Volatile
  • Dynamic
  • Non-volatile (CORRECT)

13. True or False. When collecting forensic data from a running system, you should always attempt to collect non-volatile data first.

  • True
  • False (CORRECT)

14. Which three (3) of the following are application components? (Select 3)

  • OSI Application Layer protocols
  • Data files (CORRECT)
  • Authentication mechanisms (CORRECT)
  • Application architecture (CORRECT)


15. Which of these applications would likely be of the least interest in a forensic analysis?

  • Patch files (CORRECT)
  • Chat
  • Email
  • Web host data

16. The Internet layer of the TCP/IP stack, also known as the Network layer in the OSI model, contains which two (2) protocols that are very useful to a forensic investigation? (Select 2)

  • UDP
  • IPv4 / IPv6 (CORRECT)
  • LDAP
  • ICMP (CORRECT)


17. Which device would you inspect if you were looking for event data correlated across a number of different network devices?

  • Firewall
  • Remote access server (CORRECT)
  • Packet sniffer
  • Intrusion detection system

18. Which of these sources might require a court order to obtain the data for forensic analysis?

  • Intrusion detection systems
  • System Event Management systems
  • ISP records (CORRECT)
  • Firewalls

CONCLUSION – Digital Forensics

In conclusion, this module has provided an overview of the forensic process, explored different sources of forensic data, and emphasized the critical role of maintaining the chain of custody in forensic investigations.

By understanding these concepts, you are better equipped to navigate the complexities of forensic analysis and ensure the integrity of evidence throughout the investigative process.