3 Phases of the investigation process - ✅✅ - i. Pre-investigation phase
1. The prep work
2. Build the team
3. Build the forensics lab
Administrative Law - ✅✅ - 1. Non-criminal in nature and related to
misconduct or activities of an employee
2. Involves an agency or government performing inquiries to identify facts with
reference to its own management and performance
4. Any violation may result in disciplinary action such as demotion,
suspension, revocation, penalties, and dismissal
ASLR or ASR - ✅✅ - Address space layout randomization; randomizes the
memory addresses in use, which can help ensure that an attacker cannot
predict where their shellcode will reside within memory in order to execute it.
Can be bypassed by using a technique known as egg-hunting, which involves
executing a code stub that will identify where the attacker's malicious payload is
located within memory.
Best Evidence Rule - ✅✅ - Doctrine whereby only the original, or if not
available, the best available evidence should be presented in court.
A duplicate will suffice as evidence under the following conditions:
1. If the original was destroyed in fire, flood, or in the normal course of
business because of a retention policy
2. If the original is in the possession of a third party
CFTT - ✅✅ - i. Computer Forensic Tool Testing Project
ii. Launched by NIST
iii. Establishes a "methodology for testing computer forensic software tools by
development of general tool specifications, test procedures, test criteria, test
sets, and test hardware."
Challenges Cyber Crimes Present to Investigators - ✅✅ - i. Speed -
advancing technology and the increasing speed of accessing data
ii. Anonymity - attackers hide their identity by masquerading
iii. Volatility - volatile data can be easily lost and requires special tools
iv. Evidence Size and Complexity - results from the diversity and distributed nature
of digital devices
Characteristics of digital evidence - ✅✅ - i. Authentic
ii. Complete
iii. Admissible
iv. Reliable
v. Believable
vi. Digital evidence has to be all of these things
Civil investigation - ✅✅ - 1. Involves disputes between two parties
2. Brought for violation of contracts and lawsuits where a guilty outcome
generally results in monetary damages to the plaintiff
5. The initial reporting of the evidence is generally informal
Computer forensics - ✅✅ - A set of methodological procedures and
techniques that help identify, gather, preserve, extract, interpret, document,
and present evidence from computers in a way that is legally admissible
Computer Forensics Investigation Methodology - ✅✅ - i. First Response
ii. Search and Seizure
iii. Collect the Evidence
iv. Secure the Evidence
v. Data Acquisition
vi. Data Analysis
vii. Evidence Assessment
viii. Documentation and Reporting
ix. Testify as an Expert Witness
Corporate Investigations / Enterprise Theory of Investigation (ETI) - ✅✅ - i.
Methodology for investigating criminal activity to identify criminals who have
escaped prosecution
ii. Adopts a holistic approach toward any criminal activity, treating it as a criminal
operation rather than as a single criminal act
iii. Standard investigative model used by the FBI when conducting
investigations against major criminal organizations
Criminal case - ✅✅ - Brought by law enforcement agencies in response to a
suspected violation of law where a guilty outcome may result in monetary
damages, imprisonment, or both