CHFI Exam with complete solution
Computer Forensics - The process of finding evidence related to a digital crime to find the culprits and initiate legal action against them. Objectives:
- Identify, gather and preserve the evidence of a cybercrime.
- Track and prosecute the perpetrators in a court of law.
- Interpret, document and present the evidence to be admissible during prosecution.
- Estimate the potential impact of a malicious activity on the victim and assess the intent of the perpetrator.
Civil Law - Relates to violation of contracts and lawsuits, where a guilty verdict generally results in monetary damages to the plaintiff.
Criminal Law - Crimes that are considered harmful to society and involve action by law enforcement agencies against a company, individual or group of individuals in response to a suspected violation of law. A guilty outcome may result in monetary damages, imprisonment, or both.
Forensic Investigator Rules -
- Limited access and examination of the original evidence
- Record changes made to the evidence files
- Create a chain of custody document
- Set standards for investigating the evidence
- Comply with the standards
- Hire professionals for analysis of evidence
- Evidence should be strictly related to the incident
- The evidence should comply with the jurisdiction standards
- Document the procedures applied on the evidence
- Securely store the evidence
- Use recognized tools for analysis
Enterprise Theory of Investigation (ETI) - Adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act. A good option if an investigator can identify the underlying motive as financial profit, as is the case for most criminal enterprises.
Locard's Exchange Principle - Anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave.
Volatile Data - The temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. Important volatile data includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
Non-volatile Data - The permanent data stored on secondary storage devices, such as hard disks and memory cards. Information stored in non-volatile form includes hidden files, slack space, swap file, files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs.
Characteristics of Digital Evidence -
- Admissible - relevant to the case, acts in support of the client presenting it
- Authentic - supporting documents regarding the authenticity of the evidence with details such as its source and its relevance to the case
- Complete - evidence must be complete, which means it must either prove or disprove the consensual fact in the litigation
- Reliable - extract and handle the evidence while maintaining a record of the tasks performed; only use duplicates
- Believable - present the evidence in a clear and comprehensible manner to the members of the jury
User-Created Files -
- Address books
- Database files
- Media (images, graphics, audio, video, etc.) files
- Documents (text, spreadsheet, presentation, etc.) files
- Internet bookmarks, favorites, etc.
User-Protected Files -
- Compressed files
Written for
- Institution: CHFI Chapters 1 & 2
- Course: CHFI Chapters 1 & 2
Document information
- Uploaded on: September 18, 2023
- Number of pages: 8
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers