Certified Hacking Forensic Investigator (CHFI) - Exam Prep

¡Supera tus tareas y exámenes ahora con Quizwiz!

____ is when a person or program, acting on behalf of another person, performs an invalid action.

??

Which mode can make the iPod image inaccurate?

Disk Mode

____ is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.

Intrusion detection

Hash Injection Attack

It's when the attacker injects a compromised hash into a local session and use that same hash to validate the network resources of that particular network

The first state of the PDA device when it is received from the manufacturer is the ____ state.

Nascent

What are options using dd in Helix?

Netbios/Local, Netcat, Split image

Which statements are true regarding NTP?

Network Time Protocol - internet standard protocol built on UDP Synchronizes clocks on client computers Fault tolerant and dynamically autoconfiguring Use UTC time

The fraggle attack is a UDP variant of the ____ attack.

Smurf

This type of DoS attack sends ICMP echo packets with spoofed source address.

Smurf

This type of DoS attack sends ICMP echo packets with spoofed source address. - Fraggle - Smurf - Land

Smurf attack sends ICMP packets with spoofed source addresses

Identify all required for setting up a forensics lab:

Office space, Storage for evidentiary materials, Interview facility, Operational laboratory.

What are the four critical fields?

Oldest event, Next event, Next event ID number, Oldest even ID number

____ is the use of influence and the art of manipulation to gain credentials.

Social engineering

Steganography clues

Software, -Steganophy tools, -Website references, -Cookie/ history files, -File names, -message logs, Multimedia files, Type of crime being investigated, Text files, -Text patterns, -unusual amount of blank spaces, Image Files, -Size changes, -file type changes, Statistical Analysis, Audio Files -Inaudible frequencies, -Odd distortions or patterns.

NAND -based flash memory

Solid state memory (flash chips) that retains memory without power

Disk Partition

Space defined on a hard drive, used to: Separate Operating system from the data files. Run Multiple Operating Systems. Logicvally organize Data

What is slack space?

Space left over between the last byte of a file and the first byte of the next cluster

What is a swap file?

Space on a hard disk used as virtual memory expansion for RAM

Unsolicited commercial e-mail (UCE), or junk e-mail, can be defined as ____.

Spam

Task List Commands: tasklist /v

Specifies that verbose task information be displayed in the output. Also list all process id's for application and services.

Task List Commands: tasklist /s

Specifies the name or IP address of a remote computer. The default is the local computer.

Data acquisition rules of thumb.

Produce 2 copies (1 working copy, 1 archive control). Use clean sterilized media. Verify integrity of copies to the original.

Safeboot

Program that encrypts drives and or Partitions

Transient Data

Programs that reside in memory and cache data. (i.e. network connection, user logout, ...)

18 USC 1361-2

Prohibit malicious mischief

FastBloc SE

Provides write protection only for devices attached to specific hard drive controller boards.

What are the three types of watermarks?

Semifragile, Fragile, Robust

Integrity Attack

Sending forged control, management or data frames over a wireless network. Injection attacks, Replay attacks

System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded?

System time, wall time and length of time the system has been running should be recorded.

System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded?

System time, wall time, time system has been running (Date /t and Time /t can be typed in a command prompt in windows to retrieve the system time)

According to the current RFC's syslog uses ___________to transfer log messages in a clear text format.

TCP

Which ports does HotSync open during the HotSync process?

TCP 14237, TCP 14238, and UDP 14237

Task manager lists running processes. Why does Helix have a viewer for running processes?

Task manager may be corrupt. Helix runs from a CD so it cannot be modified; therefore, it should display an accurate list of current processes

What are two ways to view running processes on Windows?

TaskManager & Tasklist command

___ is a powerful tools that extracts network packets and performs statistical analsis on those dumps.

Tcpdump

Espionage is the use of spies to gather information about the activities of an organization.

True

True or False: A subdirectory is created for a user in the Recycle bin

True

True or False: Is a Vault needed in a Forensic lab?

True

True or False: The EProcess object is created along with KProcess, PEB, and initial address space

True

True or False: With a recycle bin, Subdirectory is named with user's SID

True

Network Forensics

"Network Forensics is the capturing, recording, and analysis of network events in order to discover the source, path and Intrusion techniques of security attacks."

Hashing Algorithm Lengths: SHA-1

160 Bits

Which law is applicable to theft of trade secrets?

18 U.S.C. 1832

802.11a

54 Mbps, 5GHz

802.11g

54Mbps, 2.4GHz -Greater Range

What term defines an event that threatens the security of a computer system or network in an organization?

??

What is the difference between big endian and little endian?

A big-endian machine stores the most significant byte first. A little-endian machine stores the least significant byte first.

Choose the volunteer organization focused on issues related to child exploitation, online predators and child pornography.

Anti-Child Porn.org (ACPO)

What causes an IIS log to be suspect?

Any modifications to the log

Electronic Communications Service (ECS)

Any service which provides the ability to send or receive electronic communications.

Rule-Based attack

Attacker has some information about the password.

Rule 608

Evidence of character and conduct of witness

Where are deleted files stored?

FAT - Drive:\Recycled NTFS- Drive:\Recycler\S-... (Prior to Vista C:\Recycle.bin\S... based on user SID.

What is a standard electronic interface used between a computer motherboard's data paths or bus and the computer's disk storage devices?

IDE

Modes of attack.

Internal External

____ forensics is the application of scientific and legally sound methods for the investigation of Internet crimes, whose focus ranges from an individual system to the Internet at large.

Internet

Which two were created by the Department of Justice to safeguard children?

Internet Crimes Against Children (ICAC) Project Safe Childhood (PSC)

What is an important consideration for complete memory dump analysis?

Pagefile.sys (The swap file, called pagefile.sys, is virtual memory. Information in the swapfile must also be considered when analyzing memory.)

What is a Windows-based tool for Palm OS memory imaging and forensic acquisition?

Palm dd (pdd)

Forensic recovery of most deleted partition can be achieved by:

Partition Table Doctor

Which port does SSL typically use? - 80 - 443 - 445

Secure Sockets layer typically runs on port 443 SMB on port 445

Which file system runs on UFS?

Unix

DMZ Protocol attack

Uses DNS or FTP vulnerabilities, to conduct an attack.

When making a forensic image, According to best practices, what should you do when making the second copy?

Utilize a different imaging tool to verify the integrity of the image, by 2 tools generating the same results.

Which type of cell holds a value?

Value cell

Which type of cell holds values of common key cell?

Value list cell

iPods use the standard ____ file format for storing contact information.

Vcard

The RunMRU registry key can be cleared by:

by clearing the Recent documents list in the Start Menu and Taskbar Properties.

What command can be used to view the process register?

ps

Lastcomm command

shows last command utilized, on a Linux system.

fport

shows open TCP and UDP ports

Netstat -o

shows processID of the network connection process.

Define Technical Steganography?

uses physical or chemical means to hide the existence of a message

What happens when a partition is deleted?

All data in the partition is lost. Data can be recovered using a tool to reestablish the partition parameters. Corrupt the disk, by deleting all dynamic volumes.

Application Log

All events logged by programs.

What is true about rule-based attack?

Attacker already has some information about the password and rule can be written so password-cracking software will generate only passwords meeting the rule

Email bombing

Attacker sends the target a flood of email messages, to it doesn't have space to accept emails.

____ is an Internet protocol designed for accessing e-mail on a mail server.

IMAP

____ is the U.K. hotline for reporting illegal content, specifically acting upon child sexual abuse hosted worldwide, and content, hosted in the U.K., that is criminally obscene or incites racial hatred.

IWF Internet watch foundation

What is the process of using natural written language as a carrier to hide a secret message, known as?

Linguistic Steganography.

Anti-Digital Forensic techniques:

Overwriting data (Wiping). Exploitation of bugs in forensic tools. Obfuscation. Hiding Data (Steganography, Cryptography, low-tech...)

What tool secures a PDA from theft, loss or corruption? This tool includes Trusted Mobility server software. If used with PocketPC this tool allows the administrator to set a time and date range to monitor login attempts, infrared transmission and use of applications. - DS Lite - Device Seizure - PDA secure

PDA Secure secures a PDA from theft, loss or corruption. It includes Trusted Mobility server software. If used with PocketPC PDA Secure allows the administrator to set a time and date range to monitor login attempts, infrared transmission and use of applications.

What is the most important element of EProcess?

PEB

What is the most important element of EProcess?

PEB - Process Environment Block

Syllable attack

Password attack. Combination Brute force and Dictionary attack.

Ping of Death and Teardrop are two types of DoS attacks. What is a main difference?

Ping of Death deals with IP fragmentation and Teardrop deals with overlapping fragments

What is the port for SMB?

Port 445 (137 - NetBIOS Name Service, 139 - NetBIOS Datagram Service)

What is the port for FTP?

Ports 20 and 21

In the USA, the 4th Amendment of the United States Constitution prevents unreasonable search and seizure. What is the basis of a search warrant?

Probable Cause

A(n) ____ is a suitor who desires a physical or intimate relationship with the victim.

.Incompetent suitor

Where are deleted files stored by Macintosh OS X?

.Trash off the root of the drive. the "." indicates it is a hidden file.

In 802.11 standards: Temporal Key Integrity Protocol (TKIP) keys are changed every____________.

10,000 packets

Which law is applicable to theft of trade secrets? (Choose one) - 18 U.S.C 1832 - 18 U.S.C 1833 - 18 U.S.C 1834

18 U.S.C. 1832 applies to theft of trade secrets 18 U.S.C. 1833 - exceptions to prohibitions 18 U.S.C. 1834 - criminal forfeiture

How many bit-stream copies are made of the original evidence?

2

How many keys does asymmetric encryption have?

2 a public key and a private key

Which range of HTTP Status Codes reveals successful status codes?

200 - 206

WEP

24 bit Initialization Vector. 64, 128, 256 bit RC4 Encryption (Subtract IV- 40, 104, 232). CRC-32 Integrity Check. Easy to crack IV.

An SMTP server listens on port ____ and handles all outgoing e-mail.

25

The Blackberry Serial Protocol contains what fields?

3 byte packet header, always D9 AE FB Command type Command-dependent packet data Footer, always BF EA 9D

Which range of HTTP Status Codes reveals redirection status codes?

300 - 307

Hashing Algorithm Lengths: CRC-32

32 Bits

On a GSM phone that is obstructed with a pin code, how many incorrect entries for the PUK will disable the phone?

8

dd command

A Linux command, that can be used to write image files to a device such as a USB flash memory drive or hard disk. Captures a bit for bit data from the original device, in a RAW format.

Evil Twin

A Rogue Access Point masquerades as a legitimate access point, using the same SSID and potentially other identical settings..

Password cracking methods: Syllable Attack

A Syllable attack is the combination of both brute-force attack and a dictionary attack. This attack is often used when the password is a nonexistent word.

What is the difference between big endian and little endian? - Big-endian boots faster than little endian - A big-endian machine stores the most significant byte first. A little-endian machine stores the least significant byte first. - Big endian and little endian yield the same hex structure

A big-endian machine stores the most significant byte first. A little-endian machine stores the least significant byte first.

Bit Stream copy

A bit by bit copy of the original storage medium and or evidence

When viewing the timeline tab of the EnCase program, what do each of the dots on the graph represent.

A file in relation to the time it was accessed.

Network-Based intrusion detection

A network-based ID system monitors the traffic on its network segment as a data source.

Raid Levels: RAID 5

A popular disk subsystem that increases safety by computing parity data among all drives and increasing speed by interleaving data across three or more drives (striping).

POP3

A protocol for receiving e-mail by downloading it to your computer from a mailbox on the server of an Internet service provider.

SMTP

A protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another. The messages can then be retrieved with an e-mail client using either POP3 or IMAP. SMTP is also generally used to send messages from a mail client to a mail server.

Syslog

A protocol for transmitting event messages and alerts across an IP network that uses TCP to communicate and log messages are sent in clear text.

How long can a search warrant be used? - 3 days - Amount of time designated in the search order - 1 week

A search warrant be used for the amount of time designated in the search order

What type of virus can redirect the disk head to read another sector? - Boot-sector - Multipartite - Stealth

A stealth virus is a virus that can redirect the disk head to read another sector

Wireless Attacks: Wardriving

A technique hackers use to locate insecure wireless networks while driving around.

Wireless Attacks: Warflying

A technique hackers use to locate insecure wireless networks while flying around

What does the law concerning digital evidence include: A. Adhere to Chain of Custody B. Know the applicable, governing law C. Present evidence that is authentic, accurate, whole and acceptable

A, B, C

What is the proper order of volatility: A. Registers and cache B. Routing tables C. ARP cache D. Process table E. Kernal statistics and modules

A, B, C, D, E

Which class of evidence file, does EnCase not Support?

AD1 images are sparse image files supported by FTK and not EnCase.

By default, Microsoft's IIS log files are in ____ format, meaning that they are easily openable and searchable.

ASCII

What is the size of a hard drive having the following: 16384 cylinders/disk 80 heads/cylinder 63 sectors/track 512 bytes/sector

About 39 GB

What best describes the legal issues related to computer forensic investigations?

Admissibility in court, meeting relevant evidence laws while dealing with practical aspects of computers

Rule 1003

Admissibility of duplicates

What are conceptual ways to write block removable media on the MacIntosh? - Prevent Mac OS from automatically mounting removable media - Prevent iTunes from loading when iPod is connected - All of the above

All of the above: Methods for write blocking MacIntosh are preventing the Mac OS from automatically mounting removable media, preventing iTunes from loading when iPod is connected and mounting iPods with read-only access

What functionality does the code meter software enable in the FTK program?

Allows the FTK program to run.

Bootstrapping

Also called booting up. Describes a computer when it is just turned on and initializes the operating system.

Which of the following is a measurement of electric current?

Amperage

Event ID 4904

An attempt was made to register a security event source

What can an investigator use to recover SIM card data?

An investigator can use SIM Analyzer, simcon, and SIM Card Data Recovery software to recover SIM card data

Integrity attack

Attackers send forged control, management or data frames, over a wireless network , to misdirect the wireless devices in order to perform another form of attack. data frame injection, WEP injection, bit flipping and various replay style attacks.

Confidentiality Attack

Attempt to intercept confidential information sent over wireless associations (ie. Eavesdropping, Man in the Middle, or Sniffing).

Rule 502

Attorney-Client privilege and work product; limitations on waiver

Echo Data Hiding

Audio Staganogrphy Technique, message embeded into a cover audio signal, below audible levels. by: Amplitude, Decay Rate. and Offset.

Types of images.

Bit Stream, Backups

Bit-Stream disk-to-image file

Bit for bit replication of the original drive.

How do you calculate disk capacity?

C x H x S x (Bytes/sector)

BlackBerry software development was originally based on ____, but the latest models support MDS and Java.

C++

How is Palm OS memory organized?

Chunks known as records

Digital evidence tends to be what kind of evidence?

Circumstantial Evidence

Netstat -o

Command to view which processes are responsible for OPEN Network Ports.

Prior to a judge issuing a search and seizure warrant, an investigator must determine the significance of the computer being searched. What are the two roles a computer can play?

Computers can be used as a tool to commit a crime or a repository for criminal content

Prior to a judge issuing a search and seizure warrant, an investigator must determine the significance of the computer being searched. What are the two roles a computer can play? - Research - Tool - Repository

Computers can be used as a tool to commit a crime or a repository for criminal content

What should be documented in an Expert Witness Resume.

Credentials and certifications. Training. Referrals.

How are tracks numbered?

Cylinder, HeadNumber, Sector

____ is the technique to garble a message in such a way that the meaning of the message is changed

Cyrptography

What tools can read CSI Stick and Device Seizure acquisition files?

DS Lite

Which tools calculate MD5 and SHA1 hash values?

DS Lite and SIM Card Seizure

RAW format

Data capture bit for bit from the original device.

Lossy (ee) File Compression

Data is compressed perminantly by removing imformation from the file.

Carving an image.

Data recovery process that uses the database of headers and footers to recover files from a raw disk image. Works even if metadata has been destroyed.

What file contains the name given to the iPod, username logged into computer and name of computer? - SysInfo file - DeviceInfo file - IPSW file

DeviceInfo file is located at \iPod_Control\iTunes\DeviceInfo. It houses the name given to the iPod, username logged into the computer and name of the computer.

Why must a forensic investigator identify the type of device being investigated? - Because devices can be modified by changing logos or modifying the OS - Because devices sync with different operating systems

Devices can be modified by changing logos or modifying the operating system. Clues to help identify devices are the cradle interface, manufacturer's serial number and power supply.

Rule 705

Disclosure of facts or data underlying expert opinion

Legal considerations must be taken into account while investigating computer crime. Who should investigators work with while dealing with computer crime?

District Attorney

Legal considerations must be taken into account while investigating computer crime. Who should investigators work with while dealing with computer crime? - District Attorney - FBI - Local Police

District Attorney

What is the best way to deal with powered-off computers?

Do not change the state of any electronic device. Leave the computer off

What is the best way to deal with powered-off computers? - Do not change the state of any electronic device. Leave the computer off - Turn the computer on

Do not change the state of any electronic device. Leave the computer off

What is the best way to deal with powered-on computers? - Leave the computer on and photograph the screen and document the programs - Turn the computer off

Do not change the state of any electronic device. Leave the computer on and photograph the screen

____ is a data duplication software tool that provides access to remote drives through serial cables or TCP/IP.

DriveLook

What is a disk-forensic DOS tool designed to emulate and extend the capabilities of DOS to meet forensic needs?

DriveSpy

What is the advantage of PMDump?

Dump contents of process memory without stopping the process

Imaging

Duplicate data (bit-stream) to preserve the original data

Audio Staganogrphy Techniques

Echo Data hiding. Spread Spectrum.

Which tool can be used for acquiring and imaging evidence? It allows recovery of deleted files and provides hash generation of individual files, data capture and documentation. This tool also has a bookmarking feature that saves bookmarks in case files.

EnCase

Which tool can process event logs that are reported as corrupt?

EnCase

____ is the method of wrapping data from one layer of the OSI model in a new data structure so that each layer of the OSI model will only see and deal with the information it needs in order to properly handle and deliver the data from one host to another on a computer network

Encapsulation

Which are true about FAT12? - When formatted, the Master File Table (MFT) is created - Has enhanced security and file encryption - Suitable for file servers - Designed for floppy disks

FAT12 was designed for floppy diskettes

Which are true about FAT16?

FAT16 is a 16-bit file system. Filenames are 8 characters long with a 3 character file extension. Uses a 64 KB allocation units that becomes less efficient on partitions larger than 32 MB. Not suitable for file servers.

Which are true about FAT16? - FAT16 - filenames limited to 8 characters with 3 character extension - 64 KB allocation units - Less efficient on partitions larger than 32 MB - Suitable for large file servers

FAT16 is a 16-bit file system. Filenames are 8 characters long with a 3 character file extension. Uses a 64 KB allocation units that becomes less efficient on partitions larger than 32 MB. Not suitable for file servers.

For an iPod that was initially set up on a windows based computer, what type of file system will it have?

FAT32

IsoBuster is a highly specialized, difficult-to-use, CD and DVD data recovery tool.

False

Transformation techniques

Fast fourier transformation, Descrete Cosine Transformation (DCT, JPEG images use for image compresion), Wavelet Transformation.

What are three types of logs that can be used together to provide more compelling evidence.

Firewall logs, IDS logs and TCPDump

BIOS

Firmware run by the system when first powered on (Boot Loader). Identifies and initializes system component hardware.

This type of DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses

Fraggle

What is the basis of a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

Frye

Which cipher specifies when a covert message can be revealed by overlaying a Template that will reaveal the message from the medium?

Grille cipher

Kidnappers often use chat rooms to turn children into victims. A kidnapper tries to build a relationship with children by showing them cartoons, interesting art clips, and offering them sweets. This is known as ____.

Grooming

What file system was developed by Apple Computer for Mac OS?

HFS

Which file system runs on Mac OS?

HFS

Which file system runs on Mac? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext

HFS - Mac OS

What are the main protocols for the Session, Presentation and Application Layers?

HTTP, SMTP, NNTP, Telnet

What are the types of IIS logging.

IIS standard logs, ODBC logging, Centralized binary logging, IISLogger tool

ARP table

IP address to MAC address

The ____ is the person responsible for the establishment and maintenance of security required for risk management.

ISSM Information system security manager

`____ is the U.K. hotline for reporting illegal content, specifically acting upon child sexual abuse hosted worldwide, and content, hosted in the U.K., that is criminally obscene or incites racial hatred.

IWF

This type of DoS attack does the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it. - Teardrop - Jolt - Reflective DDoS

In a Jolt attack the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it.

What is the Index.dat file used for?

Index.dat is used for redundant information such as AutoComplete information. Index.dat can be found in the History folder for Internet Explorer

How should evince be labeled?

Initials.date.Item#.sub-item# i.e. JSP.031712.001.2

Separator Injection attack.

Injecting a pipe( | ) character into log files toshift data to different columns. -Causes inconsistency. -Damages Integrity. -performed on pipe ( | ) character. -Difficult to find the defender.

Choose one answer naming what the FBI developed as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography.

Innocent Images National Initiative (IINI)

What are the two modes of attack?

Insider attack and External attack

Importance of case assessment

It makes the best use of the time and resources. It helps to clarify whether a person is likely to qualify. It avoids giving false hope to those who do not qualify. It allows people who do not qualify for the resettlement program to begin looking for other solutions.

In the Windows based Recycle bin, What happens to deleted files larger than 4 GB?

It will be stored. The 4GB limitation, only applies to Windows versions prior to Vista. Those larger cannot be stored in the Recycle bin

Jack, a forensic investigator, believes key evidence is on a PDA device. The PDA has one card in the expansion slot and several more lying on a table. The PDA is in it's cradle. What should Jack do? (Each answer is one solution) - Leave card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags. - Remove card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags. - Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags

Jack should leave the card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags.

What does the term jailbreaking mean? - Process of unlocking PC by cracking the SAM database - Process of unlocking the iPhone or iPod Touch to permit installation of third-party applications - Process of unlocking Linux by changing the root password

Jailbreaking is process of unlocking the iPhone and iPod Touch to permit the installation of third-party applications

A language that a special group of people can understand, but is meaningless to others is known as?

Jargon Code.

What is Kerberos?

Kerberos is a secure authentication mechanism available in Windows.

Computer investigation toolkit should contain:

Laptop computer with appropriate software. Operating systems at Patches. Application media. Write protected backup devices. Blank Media. Basic networking equipment and cables.

What is the best way to deal with powered-on computers?

Leave the computer on and photograph the screen

What are Linux PDA security features? - User authentication, access control, encryption, PPTP, IPSec, SSH - User identification, encryption, IPSec - User authentication, access control, encryption, SSL

Linux PDA security features include user authentication, access control, encryption, PPTP, IPSec, SSH. Point-to-Point Tunneling (PPTP) Internet Protocol Security (IPSec) Secure Shell (SSH)

JPEG

Lossy, divides image into separate blocks of 8x8 pixels. DCT transformation compression. Checks for image quality. Segment Marker 2 bytes. Segment size 2 bytes. (D8 start of image, D9 End of Image) Data can be stored between end of image and end of sector.

What tool can parse memory?

Lsproc.pl d:\dumps\test-mem.dmp

A(n) ____ address is a unique 48-bit serial number assigned to each network interface card, providing a physical address to the host machine.

MAC

LAN address

MAC address of a node.

BSSID

MAC address of an access point

What is true about MAC times?

MAC times are time stamps referring to the time at which the file was last modified in some way and MAC stands for modified, accessed and created

EnCase calculates a(n) ____ hash when it acquires a physical drive or logical drive.

MD5

What hashing files are utilized by the FTK program for image file integrity checks?

MD5 and SHA1

File System Intrusion

Malicious programs introduced from outside sources. Indicated by: -new files, -changes in file permissions, -unfamiliar file names, -missing files.

What techniques can be used to detect wireless access points?

Manual detection, active wireless scanning, passive wireless scanning, Nessus vulnerability scanning

What does a good investigative report include?

Methods of investigation, Litigation support reports, References, Error analysis, Adequate supporting data, Acknowledgments, Results and comments, Graphs and statistics, Description of data collection techniques, Calculations used, References

LogParser.exe -o:DATAGRID "select * from system" is what type of command?

Microsoft Log Parsing (Microsoft Log Parser accepts three arguments: i - input o - output query similar to SQL)

Entourage

Microsoft Office - Email client for Macintosh.

Microsoft Outlook / Express

Microsoft Outlook uses .pst and .ost data files. While Microsoft Outlook Express uses .idx and .dbx data files.

____ is a vulnerability-assessment product that scans Web servers to identify security problems and weaknesses.

N-Stealth

Which are true about NTFS? - When formatted, the Master File Table (MFT) is created - Has enhanced security and file encryption - Suitable for file servers - Designed for floppy disks

NTFS provides enhanced security, file-by-file compression, quotas and encryption. Designed for large hard disks. When a volume is formatted, the Master File Table (MFT) is created. MFT is the first file on the NTFS volume and contains information about all the files and folders on the volume.

Which are true about NTFS?

NTFS provides enhanced security, file-by-file compression, quotas and encrytion. Designed for large hard disks. When a volume is formatted, the Master File Table (MFT) is created. MFT is the first file on the NTFS volume and contains information about all the files and folders on the volume.

Where are deleted files from a NTFS system stored?

NTFS- Drive:\Recycler\S-... (Prior to Vista C:\Recycle.bin\S... based on user SID.

The most common way to use this command is with -ano switches or -r switch.

Netstat

____ forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks.

Network

Types of Intrusion Detection systems

Network Based. Host Based. Log File Monitoring. File Integrity Checking.

It appears the suspect's computer is connected to a network, what is one thing an investigator should look for?

Network Connections

What is capturing, recording, and analysis of network events in order to discover the source of security attacks?

Network forensics

Palm OS is an embedded operating system originally based on the Motorola DragonBall MC68328 family of microprocessors. Newer devices use what? - AMR architecture-based BigAMR and YScale microprocessors - ARM architecture-based StrongARM and XScale microprocessors - Intel microprocessors

Newer Palm OS devices use ARM architecture-based StrongARM and XScale microprocessors

Bit Depth

Number of colors available for each pixel.

DNS Cache Poisoning

One way to misdirect a host, is DNS cache poisoning. The DNS cache stores IP addresses of websites recently resolved. It is possible for a hacker to insert fake mappings into DNS server by using buffer overflow or other means. The SOA record tells how long the DNS cache poisoning will last. In order to make the DNS server secure from the DNS cache poisoning attack, enable DNS socket pool on the DNS server. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute the attack. The DNS socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks.

What steganography type hides the secret message in a specifically designed pattern on the document that is unclear to the average reader?

Open code

What three things does the Mac OS X depend on?

Open firmware, boot loader, typical Mac OS X boot sequence

FTK uses what database?

Oracle

What is forensic readiness?

Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation

What is forensic readiness? - Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation - Organization has trained personnel who work together to handle an investigation - Organization has specific incident response procedures

Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation

Which acts pertain to privacy?

PIPEDA and Data Protection Act 1998 Section 55

Which technology identifies attached devices as either Master of Slave devices?

PATA (3 position cable: One side attaches to the logic board the other 2 attach to either the slave device (Center of cable) or the Master Device (End of cable)

What tool secures a PDA from theft, loss or corruption? This tool includes Trusted Mobility server software. If used with PocketPC this tool allows the administrator to set a time and date range to monitor login attempts, infrared transmission and use of applications.

PDA Secure

What are two tools used to acquire information from a PDA?

PDA Seizure and Palm dd

What is a PDA? - Personal Digital Assistant - Professional Digital Assistant - Palm Digital Assistant

PDA stands for Personal Digital Assistant

A ____ is a property right granted to the inventor by the USPTO to keep others from making, using, or selling the invention without authorization.

Patent

____ is an e-mail fraud method in which the perpetrator sends out official-looking e-mail to the possible victims, pretending to be from their ISP, bank, or retail establishment, to collect personal and financial information.

Phishing

What does a good investigative report not include? - Calculations used - Litigation support reports - Methods of investigation - Adequate supporting data - Problem statement

Problem statement is not part of an investigative report. A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports

Running processes

Processes that are currently running on the computer.

Rule 1002

Requirement of original

Computer forensics includes what?

Rules of evidence Legal processes Integrity of evidence Factual reporting of information found Expert opinion about findings presented in a court of law, or other legal or administrative hearing

Common reasons for making multiple partitions.

Running multiple operating systems. Segregate the OS files from user data. Increased performance.

____ allows an investigator to synchronize and backup files from a source folder on one computer to a target folder on a second networked computer or local storage device.

Save N Sync

A ____ is an abusive environment where an employee is subjected to unwelcomed sexual advances from coworkers.

Sexual Harrasment

With a Blackberry device connected to a computer, what can be used to discover information on a phone obstructed by a pin number?

The computer can be used to unlock the phone by examining the .idp backup files, and then utilize tools to examine the backup files.

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the core iPhone OS layer provide?

The core layer provides the kernel, drivers and basic interfaces of the operating system.

What happens when you delete a file in windows?

The system marks the files name in the MFT with a special character that indicates the file has been deleted. The file name and path are stored in the hidden file Info (or Info2). The information only disappears once the space has been overwritten.

What are the steps recommended by EC Council for collecting evidence? - Find the evidence - Discover the relevant data - Prepare an order of volatility

There are three steps recommended by EC Council for collecting evidence including: - Find the evidence - Discover the relevant data - Prepare an order of volatility

Blackberry Attachment Service has a known vulnerability. What is it? - Text attachment can be used to generate a buffer overflow - WMF or EMF (known bug in GDI) - Arbitrary code

There is a known bug in GDI componenet of Windows while processing WMF or EMF (Enhanced Metafile) images

Which one is NOT an objective of computer forensics?

To recover and identify the evidence quickly

X-Ways tool

Tool used to scan virtual memory.

What are tools necessary for forensic analysis of an iPod or iPhone?

Tools necessary for forensic analysis of an iPod or iPhone include EnCase, Forensic Toolkit, Recover My iPod and iPod Data Recovery

What are the two categories of cybercrime?

Tools of crime and Target of crime

EnCase is divided into three panes. What are the names of these panes?

Tree - Case information Table - Timeline, Gallery View - text, hex, picture, fields

EnCase is divided into three panes. What are the names of these panes? - Tree - Table - View - Data

Tree - Case information Table, Timeline, Gallery View - text, hex, picture, fields...

____ are programs that contain or install malicious programs on targeted systems.

Trojan Horse

A forensic lab should have both forensic and non-forensic workstations for investigative purposes.

True

Capturing network traffic over a network is simple in theory, but relatively complex in practice.

True

When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected.

True

iPod Touch uses WiFi, Safari Web browser and wireless access to iTunes Store and YouTube.

True

The first eight digits of an IMEI number is also known as:

Type Allocation Code (TAC)

What are the main protocols for the Transport Layer?

UDP and TCP

Which file system runs on Unix? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext

UFS - Unix

Active@ ____ is a DOS-based solution designed for complete backup and restoration of the whole HDD, as well as the particular FAT/NTFS partitions and logical drives.

UNERASER

A(n) ____ is an identifier string that indicates where a resource is located and the mechanism needed to retrieve it.

URL

What is a NAND-type flash memory data storage device integrated with a USB 1.1 or 2.0 interface?

USB flash drive

What are two ways to unmount an iPod? - Drag to trash (Mac) - Click Safely Remove Hardware (Windows) - Unplug the iPhone

Unmount the iPod by either dragging the iPod icon to the trash (Mac) or clicking the Safely Remove Hardware button (Windows)

How do attackers blackjack a blackberry?

Use the BBProxy tool to attack the host of the network

___ use of geometrical shapes and primitives such as points, lines, curves and poloygons, based upon mathematical equations, in order to represent images in a computer

Vector images

2 categories of image files.

Vector images, Rastor images.

What statements reflect how time stamps are displayed or changed in the NTFS file system?

When a file is moved from one folder to another on the same file system, the file keeps the same modification and creation dates When a file is copied from one folder to another on the same file system, the file keeps the same modification date, but the creation date is updated to the current date and time

When would you conduct searches without a warrant?

When destruction of evidence is imminent

ActiveSync allows an unlimited number of password attempts. How can an attacker gain access to the password? Choose the easiest method. - Password sniffing and brute force/dictionary attack - Keylogger - Guessing

While an attacker can use password sniffing and a brute force or dictionary attack, it may be easier to install a keylogger on the desktop. Then, the attacker can record the password when the user syncs using ActiveSync.

Snow

Whitespace steganography tool. Hides messages in ASCII test by appending whitespace at the end of the lines.

Which file system runs on NTFS?

Windows

Which statements are true regarding EFS? - EFS can encrypt files stored on Windows 2000, Windows XP Pro, and Windows Server 2003 - EFT protects data in transit - EFS uses symmetric and asymmetric cryptography

YES! EFS encyrpts files stored on Windows 2000, XP Pro and Server 2003. It is NOT designed to protect data in transit from one system to another. EFS uses symmetric and asymmetric cryptography. EFS encyryption occurs at the file system level not the application level. It is transparent to the user and to the application. If a folder marked for encryption, then every file created in or moved to said folder will be encrypted. There is no back door. File encryption uses a symmetric key. This symmetric key is then encrypted with an asymmetric public key. EFS keys are protected by the user's password EFS-encrypted files do not remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext and if saved to a folder with encryption, re-encrypted.

Which file system runs on Sun Solaris?

ZFS

Which file system runs on Sun Solaris? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext

ZFS - Sun Solaris

____ is a method of compressing files designed by Phil Katz.

Zip

What registry key contains MRU list?

\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

What is a bit-stream copy?

a bit-for-bit copy of the original storage medium

ACR Data Recovery

a full-scale data recovery center. It provides computer forensic software and in-house services to corporations and individuals.

The Center for Computer Forensics (CCF)

a leading provider of services to law firms and corporations. It was established in the year 1997. It is uniquely qualified to offer a solution that is scaled to the requirement of the case, large or small. The CCF provides an inclusive list of data preservation, computer forensics, and e-discovery services to make sure that the case is handled economically. It also fulfills the data recovery requirements by working with the Data Recovery Group.

Metadata

data about a particular document.

What command can be used to view command history?

doskey /history and scroll up in the command window

____ is an attack based on the cryptanalytic time-memory trade-off technique.

hash table attack

What is the key concept of Enterprise Theory of Investigation (ETI)?

holistic approach used by FBI to look at any criminal activity as a piece of a criminal operation rather than a single criminal act.

A ____ works the same way as a honeypot, but instead of an entire system, it is done at the directory or file level.

honey token

What is built-in on many PDAs?

infrared, Bluetooth and WiFi

What is Encase's strongest attribute?

it is an all-in-one tool

What are signatures for the cells in the registry?

kn (key cell), kv (value cell), ks (security descriptor cell)

Why is iPod useful for information theft?

large storage capacity, small size and rapid data transfer

Hidden Partition

logical section of disk space, which is not accessible by the operating system.

DriveSpy

tool used to collect slack space in a partition, into a file.

FTK imager

tools to grab registry files.

LBA number:

total number of sectors on a disk.

On every hard disk, data is stored in thin, concentric bands, called ____.

tracks

The strength of passwords can be calculated mathematically by the length of time it would take for a brute force cracker to discover them.

true

UNIX and Linux use a tree, or hierarchical, structure for storing files and directories.

true

A forensic investigator wants to find some information on a computer running Linux. He wants to find the computer name and version of Linux. Then he wants to list the files in the root directory Finally, he wants to see protocol information. What commands should he use to accomplish these three tasks?

uname -a, ls -l, netstat -s

What command displays a list of the available event logs in Vista?

wevtutil el

When is a checksum performed on the evidence?

while you acquire the data

Older BlackBerry 950 and 957 had Intel 80386 processors. What type of processors do modern Blackberry devices have?

ARM7 of ARM9

What command can be used to display the mappings between different layers of the network architecture?

ARP

A forensic investigator types: file CopyInstall.log What is the response?

ASCII text (if the file is ASCII) and ELF 32-bit LSB executable... (if the file is actually an executable)

US accreditation association for forensic Laboratories.

ASCLD -American Association of Crime Lab Directors

The ____ tool attempts to confuse the connected wireless devices by sending deauthentication packets.

Aireplay

Who makes digital watermarks?

Digimarc

WEP Injection is used in what kind of wireless attack?

Integrity attack

Authentication Flood

Overloading the WAP with authentication requests, causing a DoS.

In today's digital world, reports are generally submitted electronically to the court. The standard format for reports is ____.

PDF

____ is a lossless image format intended to replace the GIF and TIFF formats.

PNG

A forensic investigator types sfdisk -l Part of the output lists four devices: /dev/hda1, /dev/hda2, /dev/hda3, and /dev/hda4 What is an hda device?

Primary master

What is an hdb device?

Primary slave

A(n) ____ is a person who wants to physically or sexually attack the victim.

predatory stalker

A(n) ____ attack uses spoofed IP addresses to send broadcast ping messages to a large number of hosts in a network to flood the system.

smurf

Bluetooth

1-3 Mbps, 10 Meters

Password cracking methods: Rainbow Table Attack

"A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters."

Hidden Field Manipulation Attack

"Hidden fields is a poor coding practice that has been known and publicized for some time, although it still continues. It's the practice of using hidden HTML fields as the sole mechanism for assigning price or obscuring a value. These fields can be manipulated by the attacker."

MAC Filtering

"In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network."

IP Spoofing

"Is the creation of Internet Protocol packets with a spoofed source IP address, with the purpose of concealing the identity of the sender or impersonating another person or computer system."

Common E-mail Headers: Content-Transfer-Encoding

"This header relates to MIME, a standard way of enclosing nontext content in e-mail. It has no direct relevance to the delivery of mail, but it affects how MIME-complainant mail programs intercept the content of the message."

Buffer Overflow:

"is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited."

Session Hijacking

"is the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system."

What is part of corporate investigation?

- Business must continue during the forensic investigation - Generally address policy violations or legal disputes - May address wrongful termination - Must carefully follow government regulations - May address industrial espionage

To obtain a search warrant, police or government agent must:

-Obtain signature by judge or magistrate -Present good reason for search

Which list contains some important PDA security issues?

-Password theft -Virus attack -Data corruption -Applicaton vulnerabilties -Data theft -Wireless vulnerabilties -Device theft

What are some standard /usr sub-directories? - bin - local - dev

/bin & /local: Typical /user sub-directories include: bin - support files for programs local - software (stuff you install) sbin - more commands for system adminstration and repair share - items common to multiple systems src - source code for nonlocal software

An e-mail client connects to an IMAP server via port ____.

143

Which law is applicable to exceptions to prohibitions?

18 U.S.C. 1833

Which law is applicable to criminal forfeiture?

18 U.S.C. 1834

Which other event was instrumental to the evolution of computer forensics?

1893: Hans Gross was first to apply science to criminal investigation.

Which event was instrumental to the evolution of computer forensics? - 1932: FBI set up forensic services laboratory for field agents and law authorities. - 2000: Computer Administration and Reconnaissance Team was developed - 1932: FBI set up computer hacking lab for field agents and law authorities

1932: FBI set up forensic services laboratory for field agents and law authorities.

How about another which event was instrumental to the evolution of computer forensics?

1984: Computer Analysis & Response Team (CART) was developed.

Which event was instrumental to the evolution of computer forensics? - 1984: Computer Administration & Response Team (CART) was developed. - 1984: Computer Analysis & Reconnaissance Team (CART) was developed - 1984: Computer Analysis & Response Team (CART) was developed.

1984: Computer Analysis & Response Team (CART) was developed.

Which event was instrumental to the evolution of computer forensics again again?

1993: first international conference on computer evidence was held in USA.

What type of security does the Blackberry use? RSA

3DES and AES

Wireless Standards: 802.11a

5 GHz and up to 54 Mbits per second

Which of the following ar ACMru subkeys?

5001: MRU list for Internet Search Assistant 5603: MRU list for WIndows XP files and folders search 5604: MRU list corresponding to searching for a word or phrase in a file 5647: MRU list corresponding for computers entered when searching for computers or people

What port does syslog run on?

514

What three different event IDs Windows access attempts?

560, 567, 562

If a file is 2575 bytes, what is it's size in sectors?

6

NTFS partioning rules start the first primary partition in the __sector

64th

What Event ID is recorded when a service is stopped in Windows?

7035

What Event ID is sent when the service actually stops?

7036

How long is a key cell?

76 bytes

What can an investigator use to recover SIM card data? - SIM Analyzer - simcon - SIM Card Data Recovery software

All of the above: An investigator can use SIM Analyzer, simcon, and SIM Card Data Recovery software to recover SIM card data

What type of wireless attack is a PSK cracking?

Authentication attack using a Dictionary attack to crack the password.

Which of these are NOT one of the four steps that the Blackberry uses to receive email? Blackberry Enterprise Server (BES) - BES monitors user mailbox. When new message arrives, BES picks it up. - Message is compressed and sent over internet to Blackberry server - Message is compressed, encrypted and sent over internet to Blackberry server - Message is decrypted on users Blackberry device. Message is unreadable by any other device, including other Blackberry - Server decrypts, decompresses and places email into Outbox. Copy of message put in Sent Items folder

Blackberry messages are encrypted

The ____ is a collection of Web page copies stored on the system's hard disk or in its volatile memory.

Browser Cache

IMAP - Internet Messaging Access protocol

Bulletin board and email messages on a mail server. Makes them act as if stored locally. Port 143

The ____ provides appropriate remedies for intentional discrimination and unlawful harassment in the workplace.

Civil rights act of 1991

The term ____ espionage is used to describe espionage for commercial purposes.

Corporate

The role of the forensic investigator is to:

Create an image backup of the original evidence without tampering with potential evidence

Types of password attacks.

Dictionary Attack Brute Force attack, Hybrid Attack, Syllable attack, Rule-Based attack.

Initial questioning by the council that calls the witness to testify.

Direct Examination.

Active@ ____ is a DOS-based solution designed for complete backup and restoration of the whole HDD, as well as the particular FAT/NTFS partitions and logical drives.

Disk Image

Netstat Commands: Netstat -r

Displays the routing table

The first step in preparing a computer for forensics investigation is:

Do not turn the computer off or on, run any programs, or attempt to access data on a computer

What is the Recycler file format for OS's older than Vista?

Dxy.ext. x= the drive. Y= Sequence Number (SID)

The report functionality of EnCase allows the report to be exported out in which formats?

Encase allows exporting of the report in ALL formats except PDF.

What are two popular tools used in computer forensic analysis?

Encase and FTK

SD cards usually come preformatted with what file system?

FAT32

Which are true about FAT32?

FAT32 is the 32-bit version of the FAT file system that uses smaller clusters which results in more efficient storage capacity. It supports drives up to 2 TB. It can relocate the root directory and use the backup copy rather than the default copy. It can dynamically resize a partition.

Which hexa-decimal characters define the location of the Start of a JPEG file?

FF D8

Analyzing phone Information

Identify individuals who created, modified or accessed a file. From call logs, determine dates and times and message content. Create timeline. Recover hidden information. Cryptanalysis to decrypt information. Password cracking tools (Hydra). geographical locations.

Entropy Test

If file cannot be compressed easily, it contains lots of random data. Meaning it is encrypted

What is the port for SSL?

Port 443

Steganography Techniques: Substitution Technique

Replaces redundant or unneeded bits of a cover with the bits from the secret message.

Rule 901

Requirement of authentication or identification

____ is a command-line network-debugging tool.

Tcpdump

What are the concentric circles on platters where all the information is stored?

Tracks

True or False: /var is used for system-specific data and configuration files.

True

True or False: Files are renamed with the original drive letter, a number and the original extension

True

When is a search warrant NOT required?

When law enforcement witnesses the crime

What are the file types for Linux?

d, -, c, b, s, p, l

Data Carving

extraction of embedded or deleted files

What format do iPods use to store contact information? - vCard - iCard - eCard

iPods use standard vCard file format to store contact information. This format exchanges electronic business cards.

The primary threat to computer systems has traditionally been the ____ attack.

insider

What is the best way to protect PDAs from wireless attacks?

install a VPN client on the PDA and encrypt the connection

R-Linux uses a unique ____ technology and a flexible parameter setting that gives the investigator control over the data recovery.

intellegentScan

What are two commands to obtain network information?

netstat -ano and netstat - r

Which nmap scan is a slow scan to avoid detection?

nmap -sS -PT -PI -O -T1 122.13.145.15

Hard drive Tracks

"Hard drive tracks are logical rather than a physical structure, and are established when the disk is low-level formatted. Track numbers start at 0, and track 0 is the outermost track of the disk. If the disk geometry is being translated, the highest numbered track would typically be 1023."

Technical Steganography

"In technical steganography, physical or chemical methods are used to hide the existence of a message. It can include two methods: Invisible ink and Microdots."

SQL Injection

"Is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (Web Application). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database."

Forensic Investigator

"Is an Investigator who helps organizations and law enforcement agencies in investigating cybercrimes and prosecuting the perpetrators of those crimes. He is responsible for the acquisition, identification, preservation, documentation and the creation of an image back-up (bit by bit) of the evidence without affecting or changing same."

Bit Depth

"Is either the number of bits used to indicate the color of a single pixel, in a bitmapped image or video frame buffer, or the number of bits used for each color component of a single pixel."

First Responder

"Is responsible for protecting, integrating, and preserving the evidence obtained from the crime scene. The first responder must investigate the crime scene in a lawful matter so that any obtained evidence will be acceptable in a court of law."

Dumpster Diving

"Is the practice of sifting through commercial or residential waste to find items that have been discarded by their owners, but that may prove useful to the garbage picker or hacker. This can include any sensitive information related to computer systems."

Forensic Science

"It's the application of physical sciences to law in search for truth in civil, criminal, and social behavioral matters for the purpose of ensuring injustice shall not be done to any member of society."

Raid Levels: RAID 0

"RAID 0 (also known as a stripe set or striped volume) splits data evenly across two or more disks (striped), without parity information and with speed as the intended goal. RAID 0 was not one of the original RAID levels and provides no data redundancy."

Raster Image

"Raster image dimensions are measured in pixels. Because raster images cannot be enlarged without losing quality, different suppliers have specific size requirements for their processes. The amount of pixels within each inch in the image represents the image pixel resolution which also determines its quality."

Steganography

"Steganography (pronounced STEHG-uh-NAH-gruhf-ee, from Greeksteganos, or ""covered,"" and graphie, or ""writing"") is the hiding of a secret message within an ordinary message and the extraction of it at its destination to maintain the confidentiality of data."

Swap Space

"Swap space is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. The name of this file is the pagefile.sys (Swap file where evidence from RAM can be located) and is located in the root of the C:\."

Frye Standard

"The Frye standard, Frye test, or general acceptance test is a test to determine the admissibility of scientific evidence and examinations. It provides that expert opinion based on a scientific technique is admissible only where the technique is generally accepted as reliable in the relevant scientific community."

SCSI (Small Computer System Interface)

"The Small Computer System Interface (SCSI) is a set of parallel interface standards developed by the American National Standards Institute (ANSI) for attaching printers, disk drives, scanners and other peripherals to computers."

SAM (Security Accounts Manager)

"The System Account Manager (SAM) database stores user's passwords in a hashed format. Since a hash function is one-way, this provides some measure of security for the storage of the passwords. This file is located at C:\windows\system32\config\SAM"

Wireless Passive Scan

"The client radio listens on each channel for beacons sent periodically by an Access Point. A passive scan generally takes more time, since the client must listen and wait for a beacon."

Net Commands: Net Use

"The net use command is used to display information about shared resources on the network that you're currently connected to, as well as open sessions on other systems."

Lost Cluster

"The operating system assigns a unique number to each cluster and then keeps track of files according to which clusters they use. Occasionally, the operating system marks a cluster as being used even though it is not assigned to any file. This is called a lost cluster."

Slack Space

"The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space"

Password cracking methods: Hybrid Attack

"This attack is based on the dictionary attack. In this attack, the program adds numbers and symbols to the words from the dictionary"

Password cracking methods: Brute-Force Attack

"This attack, the attacker tries every possible combination of characters until the correct password is found. It's a very slow method and takes a large amount of time for longer passwords."

Common E-mail Headers: Errors-To

"This header specifies an address for mailer-generated errors such as bounce messages, to go to (instead of the sender's address)."

Common E-mail Headers: Content-Type

"This is another MIME header, telling MIME-complainant mail programs what type of content to expect in the message."

ASCLD (American Society of Crime Laboratory Directors)

"To promote the effectiveness of crime laboratory leaders throughout the world by facilitating communication among members, sharing critical information, providing relevant training, promoting crime laboratory accreditation / certification, and encouraging scientific and managerial excellence in the global forensic community."

INFO2 File

"When a user deletes a file, it's not actually permanently deleted. Instead, the file is copied into the recycle bin's systems folder for further instructions in how to deal with the file. In this case it's the INFO2 file"

WPA

"Wi-Fi Protected Access (WPA) is a security standard for users of computers equipped with Wi-Fi wireless connection. It changes its TKIP (Temporal Key Integrity Protocol) keys every 10,000 packets."

Event Logs

"Windows event log is a record of a computer's alerts and notifications. Microsoft defines an event as ""any significant occurrence in the OS or in a program that requires users to be notified or an entry added to a log."""

Logical block addressing (LBA):

"is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disks. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on in a sequential matter."

DNS Poisoning: DNS spoofing (or DNS cache poisoning)

"is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer)."

When logged on as an administrative user in Linux shell, the command line prior to the prompt will be__.

#

DHCP Service Activity Logs are stored where?

%SystemRoot%\System32\DHCP

When logging is enabled, Windows Firewall logs are stored in ____.

%SystemRoot%\pfirewall.log

Windows Firewall logs are stored where?

%SystemRoot%\pfirewall.log

There are three Windows event log files, SysEvent.evt, SecEvent.evt, and AppEvent.evt. Where are they located?

%SystemRoot%\system32\config folder

Where are IIS Web server logs most often maintained?

%WinDir%\System32\LogFiles directory

Which range of HTTP Status Codes reveals server error status? - 100-101 - 200-206 - 300-307 - 400-416 - 500-505

**HTTP Status Codes 500-505 - Server Error Status Codes ** HTTP Status Codes 100-101 - Informational Status Codes HTTP Status Codes 200-206 - Successful Status Codes HTTP Status Codes 300-307 - Redirection Status Codes HTTP Status Codes 400-416 - Client Error Status Codes

Mac OS X boot process

- BootX initialized Open Firmware - BootX creates a pseudodevice called sl_words (secondary loader) - BootX looks up device options properties (little endian, real mode...) - BootX looks up the chosen device handles - BootX initialized handles to memory, keyboard, display - BootX checks the security mode - BootX finds the kernel and constructs the path to the kernel - BootX draws Apple logo splash screen - BootX decodes the kernel - BootX saves the file system cache data and sets up various boot arguments - Kernel executes - Kernel determines the root device - Kernel initializes BSD data structures, I/O kit - Kernel starts /sbin/mach_init which maintains mappings between service names and Mach ports that provide those services - Mac OS X desktop is loaded with login window by default

Before starting the investigation what are two important things to consider?

- Crime scene technician capable of analyzing and acquiring a variety of evidence should be on the team - A forensic lab should be equipped with forensic tools required for the investigation

What are the steps recommended by EC Council for collecting evidence?

- Find the evidence - Discover the relevant data - Prepare an order of volatility

Email, Instant Messaging password recovery tools

- Mail PassView - email - Messenger Key - instant messaging - MessenPass - Mail Recovery

Network Password Recovery - network passwords

- SniffPass - captures password that pass through the network adapter (POP3, IMAP4, SMTP, FTP, HTTP) - Asterisk Key - reveals asterisks that hide passwords - Asterisk Logger - reveals asterisks that hide passwords - Password Spectator - reveals asterisks that hide passwords

Lossy (ee)

- when copied, you lose part of the message every time it is copied.

EC-Council identified thirteen steps for evaluating a case. The first three are listed below. Choose the next two steps from the list below. 1 - Initially examine the investigator service request 2- Find the legal authority for the forensic examination report 3- Ensure that request for assistance is assigned 5- Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...) 4 - Provide complete chain of custody 4 - Send any preservation orders to ISP or other storage provider 5 - Identify any additional equipment needed

-4 Provide complete chain of custody -5 Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...) EC-Council identified 13 steps for evaluating a Case in order presented below: -1 Initially examine the investigator service request -2 Find the legal authority for the forensic examination report -3 Ensure that request for assistance is assigned -4 Provide complete chain of custody -5 Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...) -6 Send any preservation orders to ISP or other storage provider -7 Identify relevance of peripherals such as credit cards, check paper, scanners, cameras... -8 Establish potential evidence being sought -9 Obtain additional details such as emails addresses, usernames... -10 Assess skill levels of users to determine how they might delete or conceal evidence -11 Set the order of evidence examination -12 Identify any additional expertise needed -13 Identify any additional equipment needed

Best Practices for Foresic Image Analysis.

-Document Current condition of the evidence. -Forensically Sound and Verifiable evidence collection. -Images should be capture using hardware or software capable of capturing a bitstream image of the original. -Integrity of digital evidence should be maintained when submitted for examination. -Properly prepared media should be used when making forensic copies. -Foresic images should be archived and maintained. -Prevent exposure to contamination. -Use Write Blockers to prevent modification.

What are some PDA security countermeasures?

-Install a firewall -Disable HotSync and ActiveSync features not in use -use a strong password -Do not store passwords on the host PC -Install antivirus software -Encrypt critical data -Do not use untrusted WiFi access points

What is the X-mailer header file extension for Outlook Express archives?

.dbx

What regular expression is a way to detect XSS?

/((\%3C)|<)((\%2F)|\/)*(a-z0-9\%]+((\%3E)|>/ix

What directory is used to store critical startup and configuration files

/etc

Which of the following are true about Restore Point Registry settings? 1) HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore 2) Purpose of restore points is to take a snapshot of a system so it can be restored if something goes wrong 3) Restore points cannot be reset and disabled 4)\System Volume Information\ -restore (GUID)\RP## is the location of restore points

1,2,4 - Restore points can be reset and disabled.

What are the six stages of process creation?

1. Launch .exe: File Execution Options registry key is checked for debugger value. If yes, process starts over 2. EProcess object created along with KProcess, PEB, and initial address space 3. Initial thread created 4. Windows subsystem is notified of new process and thread 5. Execution of initial thread starts 6. Initialization of address space is complete for new process and thread

Exceptions to 4th amendment. Conditions required toSeize without a Warrant.

1. NO reasonable expectation of privacy. 2. Falls within an established exception to the warrant requirement.

IMEI - International Mobile Equipment Identifier.

15 digit number Indicates: Manufacturer, Model Type, Country of approval for GSM. First 8 digits- Type Allocation Code (TAC) - model and origin. Can be obtained by keying*#06#

Which law is applicable to fraudulent copyright notice? (Choose one) - 18 U.S.C 1832 - 18 U.S.C 1833 - 17 U.S.C. 506(c-d)

17 U.S.C. 506(c-d) applies to fraudulent copyright notice 18 U.S.C. 1832 applies to theft of trade secrets 18 U.S.C. 1833 - exceptions to prohibitions

Which law is applicable to cyberstalking? - 18 U.S.C 875 - 18 U.S.C. 2261A - 17 U.S.C. 506(c-d)

18 U.S.C 875 - interstate communications applies to transmitting any communication containing any demand for ransom, threat to kidnap or injure a person 18 U.S.C. 2261A - interstate stalking

Which of these statements are true regarding 18 U.S.C. 2319? - Unauthorized distribution of computer programs - Unauthorized distribution of video games - Unauthorized distribution of sound recordings and music videos of live musical performances

18 U.S.C. 2319 involves trafficking in unauthorized sound recordings and music video of live musical performances

Which of these statements are true regarding 18 U.S.C. 2320? - Unauthorized distribution of computer programs - Trafficking in counterfeit goods - Trafficking in counterfeit services

18 U.S.C. 2320 involves trafficking in counterfeit goods or services

Which statutes are used by the FBI to investigate computer-related crimes?

18 U.S.C. 875 18 U.S.C. 1029 and 1030 18 U.S.C. 1343, 1361, 1362 18 U.S.C. 1831 and 1832

Which statutes are used by the FBI to investigate computer-related crimes? - 18 U.S.C. 875 - 18 U.S.C. 1029 and 1030 - 18 U.S.C. 1343, 1361, 1362 - 18 U.S.C. 1831 and 1832 - FISMA - US Patriot Act

18 U.S.C. 875 18 U.S.C. 1029 and 1030 18 U.S.C. 1343, 1361, 1362 18 U.S.C. 1831 and 1832

What law is related to fraud and related activity in connection with computers?

18 USC 1030

How long is a value cell?

18 bytes

Which event was instrumental to the evolution of computer forensics?

1888: Francis Galton made first recorded study of fingerprints to catch potential criminals

Which event was instrumental to the evolution of computer forensics? - 1888: Francis Galton made first recorded study of bullet comparisons - 1993: First international conference on computer evidence was held in Europe - 1888: Francis Galton made first recorded study of fingerprints to catch potential criminals

1888: Francis Galton made first recorded study of fingerprints to catch potential criminals

Which event was instrumental to the evolution of computer forensics? - 1910: Albert Osbron was first to develop methodology for fingerprinting - 1893: Hans Gross was first to apply science to criminal investigation. - 2010: Leone Lattes was first to use blood groupings to connect criminal to crime.

1893: Hans Gross was first to apply science to criminal investigation.

Which event was instrumental to the evolution of computer forensics again?

1910: Albert Osbron was first to develop methodology for documenting evidence during examination process.

Which event was instrumental to the evolution of computer forensics? - 1910: Albert Osbron was first to develop methodology for documenting evidence during examination process. - 1925: FBI set up forensic services laboratory by Presidential order - 1910: Albert Osbron developed a methodology for use of blood groupings to connect criminal to crime

1910: Albert Osbron was first to develop methodology for documenting evidence during examination process.

Which event was instrumental to the evolution of computer forensics? - 1915: Leone Lattes was first to make use of bullet comparisons - 1915: Leone Lattes was first to set up a forensic services laboratory for the FBI - 1915: Leone Lattes was first to use blood groupings to connect criminal to crime.

1915: Leone Lattes was first to use blood groupings to connect criminal to crime.

Which is yet another event that was instrumental to the evolution of computer forensics?

1915: Leone Lattes was first to use blood groupings to connect criminal to crime.

Which (again) event was instrumental to the evolution of computer forensics?

1925: Calvin Goddard was first to make use of bullet comparisons.

Which event was instrumental to the evolution of computer forensics? - 1925: Calvin Goddard was first to use blood groupings to connect criminal to crime - 1925: Calvin Goddard was first to make use of bullet comparisons. - 1925: Calvin Goddard was first to apply science to criminal investigation

1925: Calvin Goddard was first to make use of bullet comparisons.

What year did the FBI establish the first forensic Laboratory?

1932

And again which event was instrumental to the evolution of computer forensics?

1932: FBI set up forensic services laboratory for field agents and law authorities.

Which event was instrumental to the evolution of computer forensics? - 1993: first international conference on computer evidence was held in Europe - 1993: first international conference on computer evidence was held in China - 1993: first international conference on computer evidence was held in USA.

1993: first international conference on computer evidence was held in USA.

EC-Council identified thirteen steps for evaluating a case. The first three are listed below. Choose the next two steps from the list below. 1 - Initially examine the investigator service request 2- Find the legal authority for the forensic examination report 3- Ensure that request for assistance is assigned

4 - Provide complete chain of custody 5- Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...)

Which range of HTTP Status Codes reveals server error status codes?

500 - 505

E-mail Spoofing

: Email spoofing is the creation of email messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses. It can also be forged in the e-mail header.

A ____ is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activities.

??

Steganography Techniques: Cover Generation Technique

A cover generation method actually creates a cover for the sole purpose of hiding information.

What type of virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files. - Boot-sector - Multipartite - Stealth

A multipartite virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files.

When is a search warrant NOT required? - When law enforcement witnesses the crime - If no one gives permission to search - If it is late at night

A search warrent is not required when law enforcement witnesses the crime

Wireless Attacks: Warchalking

A technique involving using a chalk to place a symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access.

The law concerning digital evidence includes: A. Adhere to Chain of Custody B. Know the applicable, governing law C. Present evidence that is authentic, accurate, whole and acceptable - A - B - A,B - A, B, C - A, C - B, C

A, B, C are all correct The law concerning digital evidence includes: A. Adhere to Chain of Custody B. Know the applicable, governing law C. Present evidence that is authentic, accurate, whole and acceptable

Address Resolution Protocol (ARP) Spoofing

ARP spoofing is also known as ARP cache poisoning or ARP poison routing. It is a technique used to attack a local-area network. ARP spoofing can allow an attacker to intercept data and modify or halt network traffic. ARP spoofing can be used to attack an Ethernet wired or wireless network. During normal functioning, ARP sends a broadcast with the IP address asking for the associated MAC address. A host having said IP address replies with its MAC address. Thus the ARP cache gains an entry matching IP address with MAC address. During ARP spoofing or ARP poisoning, ARP sends the same broadcast but an attacker replies with fake MAC address. Now the ARP cache has a false entry and all communication from the host will go to the fake MAC address One defense against ARP spoofing is placing static ARP entries on servers, workstations, and routers using the ARPWALL system.

User Enumeration attack

After finding all the users who are already registered on the Web Application, the attacker uses this flaw to quickly find out the users who use the application. eg. Attacker can rotate the usernames and apply one password for all. And get unauthorized access to the user's account due to weak password.

____ detects wireless devices and calculates their signal strength. It implements a modular n-tier architecture with data collection at the bottom tier and a graphical user interface at the top.

Airfart

What are some PDA security countermeasures? - Install a firewall - Disable HotSync and Active Sync features not in use - Install anti-virus software

All of the above: PDA Security countermeasures include: -Install a firewall -Disable HotSync and ActiveSync features not in use -use a strong password -Do not store passwords on the host PC -Install antivirus software -Encrypt critical data -Do not use untrusted WiFi access points

Blackberry OS 4.7, the newest version, supports which of the following? - AJAX and CSS web standards - 1 GB onboard memory - 128 MB flash memory

All of the above: Blackberry OS 4.7 supports: AJAX and CSS 1 GB on board memory and 128 MB flash memory High-capacity slim 1500 mAh battery Tri-band UMTS: 2011/1900/850 3.6 Mbps HSDPA WiFi (802.11a/b/g) GPS Quad-band GSM/GPRS/EDGE Music synchronization Clock application

The Blackberry Serial Protocol contains what fields? - 3 byte packet header, always D9 AE FB - Command type - Command-dependent packet data - Footer, always BF EA 9D

All of the above: Blackberry Serial Protocol contains: -3 byte Packet header (always D9 AE FB) -Command type 40 - normal 60 - extended 41 - ACK CF - handshake challenge CE - handshake reply - 1 byte Command - 00 is normal and 02 is extended -Command dependent packet data -3 byte Packet footer (always BE EA 9D)

What data can be recovered from the SIM card? - Service-related information including unique identifiers - Phonebook and call information such as ADN and LND - SMS, EMS and multimedia messages - LAI and RAI - All the above

All of the above: SIM cards contain service-related information, phonebook and call information, messaging information, and location information. Service-related Integrated Circuit Card Identification - ICCID International Mobile Subscriber identity - IMSI Phonebook and call related Abbreviated Dialing Numbers - ADN Last Numbers Dialed - LND Location information Location Area Information - LAI - voice Routing Area Information - RAI - data

The architecture of Windows CE has four layers: - Application - OS - Original Equipment Manufacturer (OEM) - Hardware What is the purpose of the OEM? (Choose all that apply) OEM is between the OS and hardware layers OEM contains OAL, drivers and configuration files OEM handles system startup, interrupt handling, power management, profiling, timer and clock functions

All of the above: The OEM is between the OS and the hardware layer. It contains the OEM Adaptation Layer (OAL), drivers, and configuration files. It handles system startup, interrupt handling, power management, profiling, timer and clock.

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the core iPhone OS layer provide? - Kernel environment - Drivers - Basic interfaces of the OS

All of the above: The core layer provides the kernel, drivers and basic interfaces of the operating system.

What does the iPod System Partition contain? - iPod OS - Images - Games and other default applications - All of the above

All of the above: The iPod system partition includes iPod OS, images, and default applications.

What can criminals do with iPhones? - Steal data such as contact numbers, email address and SMS messages - Connect the iPhone to another system and steal data - Send threatening or offensive SMS or MMS messages - Manipulate or clone SIM data - Remove the SP-Lock in order to free the iPhone from its network - Send spam - All of the above

All of the above: iPhones can be used to steal data, send threatening or offensive SMS or MMS messages, change or clone SIM properties, remove the service provide lock (SP-Lock) to free iPhone from its network and send spam.

How does the investigator acquire data from a PDA? - Make an image of the device memory - Bitmap the device memory

An image is a bit-for-bit copy of the original. It is created to protect the original from alteration. Forensic tools such as EnCase can be used to image a PDA.

What does the Blackberry Attack Toolkit contain?

BBProxy and BBScan and Metasploit patches to exploit web site vulnerabilities

How do attackers blackjack a blackberry? - Use the BBProxy tool to attack the host of the network - Crack the Blackberry password - Use social engineering

BBProxy is often used to blackjack a Blackberry

Which copy is analyzed, the original or the bit-stream?

Bit-Stream

Data Acquisition Methods

Bit-Stream disk-to-image file. Bit-Stream disk-to-disk.

The ____ can wirelessly view and update database contents on BlackBerry devices.

Blackberry Database Viewer Plus

Blackberry OS is event-driven and supports multitasking and multithreading. - Yes - No

Blackberry OS is event-driven and supports multitasking and multithreading. When other tasks are not being performed, the Blackberry checks for new messages using the RimGetMessage() function.

Why Prefetch files?

Boot faster

According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the last five in random order. Choose the answer that puts these steps in the proper order. A- Compile list of names, email addresses, etc that may have communicated with the subject B- If computer was accessed before the forensic expert secured a mirror image, note who accessed it, what files and when C- Obtain passwords to encrypted or password-protected files (if possible) D- Create a list of key words relevant to the crime to be used while searching for evidence E- Maintain a chain of custody for each piece of original media

C, A, B, E, D

According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the last five in random order. Choose the answer that puts these steps in the proper order. A- Compile list of names, email addresses, etc that may have communicated with the subject B- If computer was accessed before the forensic expert secured a mirror image, note who accessed it, what files and when C- Obtain passwords to encrypted or password-protected files (if possible) D- Create a list of key words relevant to the crime to be used while searching for evidence E- Maintain a chain of custody for each piece of original media C, A, B, E, D A, C, E, B, D C, E, B, D, A

C, A, B, E, D According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. C- Obtain passwords to encrypted or password-protected files (if possible) A- Compile list of names, email addresses, etc that may have communicated with the subject B- If computer was accessed before the forensic expert secured a mirror image, note who accessed it, what files and when E- Maintain a chain of custody for each piece of original media D- Create a list of key words relevant to the crime to be used while searching for evidence

____ memory holds the system date, time, and setup parameters.

CMOS

____ is a type of function that takes a quantity of data of any size and produces an output of a fixed length, usually a 32-bit integer that is generally used to verify the integrity of the original data.

CRC

A(n) ____ is a record of the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence.

Chain of Custody

The ____ is a written description created by individuals who are responsible for the evidence from the beginning until the end of the case.

Chain of custody

A ____ is a fixed-size integer resulting from the application of a CRC algorithm.

Checksum

Technical Steganography

Chemical or physical methods are used to hide or obscure a covert message. I.E. Invisible Ink, or Microdot.

____ is an obscene visual depiction of any kind involving a minor engaging in, or appearing to engage in, sexually explicit conduct, graphic bestiality, sadistic or masochistic abuse, or sexual intercourse of any kind.

Child pornography

Common Data acquisition mistakes, that can result in loss of critical evidence.

Choosing the wrong resolution for the data. Use the wrong cables and cabling techniques. Insufficient time for system development. Making the wrong connections. Poor Knowledge of the instrument.

There are many types of expert witnesses. Which are commonly used in trials?

Civil Litigation, Criminal Litigation, Computer forensics, Medical, Pyschological, Construction, and Architecture experts

There are many types of expert witnesses. Which are commonly used in trials? - Civil Litigation, Criminal Litigation, Computer forensics, Medical, - Pyschological, Construction, Architecture - Civil and criminal litigation - Tourist

Civil Litigation, Criminal Litigation, Computer forensics, Medical, Pyschological, Construction, and Architecture experts are common expert witnesses

Civil Litigation experts

Collect and analyze evidence. Explain realities of the process. Present DNA evidence.

What is true about file signatures?

Collect information from the first 20 bytes of a file and Look for the magic number.

Mobile Forensic Process

Collect the evidence. Document the scene and Preserve Evidence. Imaging and Profiling. Acquire Information. Generate Report.

Salvaging an image.

Collecting and regenerating the image from pieces of an image file dispersed over a disk.

What is cybercrime investigation?

Collecting clues and forensic evidence about a cybercrime

What is cybercrime investigation? - Collecting clues and forensic evidence about a cybercrime - Securing the crime scene - Disassembling a computer and carefully packaging the hard drive for further investigation

Collecting clues and forensic evidence about a cybercrime

According to the USPTO, a ____ mark is a trademark or service mark used or intended to be used, in commerce, by the members of a cooperative, an association, or other collective group or organization, including a mark, which indicates membership in a union, an association, or other organization.

Collective

Sparse acquisition

Collects fragments of unallocated, deleted data or slack space. Files already deleted.

Internet address

Combination of the Network address and the Node address.

Metafile Graphics

Combine Rastor and Vector graphics (bit-map and vector images). Loses resolution giving a shaded appearance, when enlarged.

NB Stat

Command used to view the NetBIOS name cache.

What are two ways to display Open Firmware?

Command-Option-O-F or telnet

What are two ways to display Open Firmware? - F8 or telnet - Command-Option-O-F or telnet - Apple key or telnet

Command-Option-O-F or telnet

According to the National Institute of Justice (2004), there are several steps to acquiring subject evidence. Which is NOT one of these steps? - Capture electronic serial number of the drive or other user-accessible, host-specific data - Account for all space on storage media - Compare evidence to standard evidence - Use appropriate tools to obtain evidence such as duplication software, forensic analysis software, and dedicated hardware devices - Correlate, sector-by-sector, the values in the evidence and the backup

Compare evidence to standard evidence is not one of the steps to acquiring subject evidence

Hash Analysis

Comparing file hash values with known file hash values

What are the requirements for evidence to be admissible in court?

Competent, Relevant, Material

What is CMOS?

Complementary Metal-Oxide Semiconductor

What is CMOS? - Computer Maintenance On System - Computer Metadata On Start - Complementary Metal-Oxide Semiconductor

Complementary Metal-Oxide Semiconductor (CMOS) is a chip powered by a CMOS battery inside computers that stores information such as the system time and date and system hardware settings.

There are two associations that can help forensics investigators. What are they?

Computer Technology Investigators Network (CTIN) and High Technology Crime Investigators Association (HTCIA)

Computer forensics includes which of the following? - Rules of evidence - Legal processes - Integrity of evidence - Factual reporting of information found - Expert opinion about findings presented in a court of law, or other legal or administrative hearing - All of the above

Computer forensics includes: - Rules of evidence - Legal processes - Integrity of evidence - Factual reporting of information found - Expert opinion about findings presented in a court of law, or other legal or administrative hearing

Computer Forensics or Forensic Computing

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Remote Computing Service (RCS)

Computer storage or processing services provided by electronic communications,

An Evil Twin access point is what kind of wireless attack?

Confidentiality attack.

What is programmed into the NIC during initial installation then becomes static?

Configurable address

What does HKEY_LOCAL_MACHINE hive contain?

Configuration information for the system including hardware and software settings

What does HKEY_CLASSES_ROOT hive contain?

Configuration information relating to which application is used to open various files on the system

Ad-hoc Association

Connecting directly to an unsecured station to bypass security.

According to the USPTO, a ____ is a form of protection provided to the authors of "original works of authorship" including literary, dramatic, musical, artistic, and certain other intellectual works, both published and unpublished.

Copyright

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What comprises the Cocoa Touch layer?

Core Audio and OpenAL, UI Kit

The iPhone OS ____ layer provides the kernel environment, drivers, and basic interfaces of the operating system.

Core OS

The iPhone OS ____ layer provides the fundamental services for applications such as Address Book, Core Location, CFNetwork, Security, and SQLite.

Core Services

____ is all about collecting information such as client lists to perpetrate frauds and scams in order to affect a rival financially.

Corporate espionage

_____ is the medium used to hide the message

Cover Medium

In an echo data hiding technique, the secret message is embedded into a __________as an echo.

Cover audio signal

System Software Password Cracking

Cracking the Operating System and other utilities, that allow the computer to function. -Bypass BIOS password. -Use tools to reset the admin password.

If a USB device does not have a serial number what does the PnP Manager do?

Create a unique instance ID such as 6&26c97b61&0

What else is part of the role of a forensics investigator?

Create images of original evidence, Guides officials in managing investigation, Reconstructs damaged media, Analyzes data and prepares report, Addresses the issues in court, if necessary. May act as expert witness.

iPods can be customized. They can be configured as an external hard drive or used to execute custom scripts. What can criminals do with an iPod?

Criminals can use iPods to spread viruses and Trojans, store and distribute illegal images, keep records of crimes and distribute contact information of other criminals.

Which item is NOT part of forensic readiness planning? - Develop a plan to investigate team members - Develop a plan to make sure investigative team members are properly trained - Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence

Developing a plan to investigate team members is NOT part of forensic readiness planning The following are part of forensic readiness planning: - Develop a plan to make sure investigative team members are properly trained - Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence

This tool examines cell phone and PDA data. It is capable of command-line acquisition, deleted data recovery, full data dumps, logical and physical acquisitions of PDAs, data cable access, and advanced reporting. - DS Lite - Device Seizure - PDA secure

Device Seizure examines cell phone and PDA data. It is capable of command-line acquisition, deleted data recovery, full data dumps, logical and physical acquisitions of PDAs, data cable access, and advanced reporting.

Where can network information be found? Network information includes: network interfaces (VPN, GPRS/EDGE/3G/WiFi), TCP/UDP connections, routing table, running processes, system info, memory and disk usage.

DeviceInfo

Where can network information be found? Network information includes: network interfaces (VPN, GPRS/EDGE/3G/WiFi), TCP/UDP connections, routing table, running processes, system info, memory and disk usage. - DeviceNetwork - DeviceInfo - NetworkInfo

DeviceInfo can be used to recover network information.

What file contains the name given to the iPod, username logged into computer and name of computer?

DeviceInfo file

A forensic investigator, believes key evidence is on a PDA device. He is not sure whether the PDA is communicating with another device. What should he do? - Turn off the PDA device - Take photographs of the current state of the PDA then turn it off for safekeeping - If connected to desktop, remove the connection. If communicating via WiFi, stop communications. Seize device and put it in a antistatic bag and isolation envelop to isolate it from further communication.

Devices can be modified by changing logos or modifying the operating system. Clues to help identify devices are the cradle interface, manufacturer's serial number and power supply.

Devices connect to Blackberry require built-in ___________. Applications developed for Blackberry must be ________________. - RIM wireless modem - Signed digitally in order to identify the developer - WiFi

Devices that connect to Blackberry require built-in RIM wireless modem. Applications developed for Blackberry must be signed digitally in order to identify the developer.

Hybrid Attack

Dictionary attack that substitutes numbers and symbols to the word.

Where should the FTK database be stored in relation to the FTK examination program?

Different machines.

What are some types of digital steganography?

Digital steganography includes injection, Least Significant Bit - LSB, transform-domain techniques, spread-spectrum encoding, perceptual masking, file generation, statistical method and distortion technique.

What would ../ indicate in a web address?

Directory Traversal

Which mode can make the iPod image inaccurate? - Disk mode - Image mode - User mode

Disk Mode: When an iPod is connected using USB interface, it automatically switches to Disk Mode giving the system direct access to the drive. But this can make imaging inaccurate. Stop Disk Mode by toggling the Hold switch on and off. Disk Mode can be acheived by pressing the Select and Menu buttons until the apple logo appears. Then release Menu and Select and hold down Select and Play buttons until the Disk Mode appears.

What is true about X-Ways Forensics?

Disk cloning and imaging Examining complete directory structure and disk space including slack space Viewing and dumping memory including virtual memory Support for FAT, NTFS, ext2/3

Bit-Stream disk-to-disk

Disk geometry is altered, such that the copied data matches to the original drive. Corrects software and hardware incompatibilities.

What are the round, flat, magnetic metal or ceramic disks in a hard disk that hold the actual data?

Disk platters

ARP Table Commands: arp -a

Display the current ARP entries. This includes the IP and MAC addresses

ARP Table Commands: arp -v

Display the information verbosely

Netstat Commands: Netstat -e

Displays Ethernet statistics

Netstat -ano option

Displays TCP and UDP connections.

Netstat Commands: Netstat -n

Displays addresses and port numbers in numerical form

Netstat Commands: Netstat -a

Displays all connections and listening ports.

Netstat Commands: Netstat -o

Displays the owning process ID associated with each connection

____ creates a change in the cover object in order to hide the information. An encoder performs a sequence of modifications to the cover that corresponds to a secret message.

Distortion

What is the best way to deal with powered-on computers connected to a network? - Leave the computer on, unplug network cable and photograph the screen and document the programs - Turn the computer off

Do not change the state of any electronic device. Leave the computer on, unplug the network cable and photograph the screen

What is a DoS? - Device operating system - Means of making a system unavailable to users - Operating system for PC prior to Windows

DoS stands for Denial of Service, a means for making a computer unavailable to users.

In ____ attacks, attackers attempt to prevent legitimate users of a service from using it by flooding the network with traffic or disrupting connections.

Dos

Which command provides a history of commands?

Doskey /history

Which command provides a history of commands? - Doskey /history - Dos - history - Ls - history

Doskey /history prints recent commands

____ is one of the features of most Internet browsers. It shows what files were downloaded and where the downloaded files were saved.

Download History

In Palm OS, ____ RAM is analogous to the RAM installed on desktop computers, and it is used as space for temporary allocation.

Dynamic

What does an E icon designate on the iPhone?

EDGE network

Which statements are true regarding EFS?

EFS can encrypt files stored on Windows 2000, Windows XP Pro, and Windows Server 2003 and EFS uses symmetric and asymmetric cryptography

What is the Electronic Serial Number for a CDMA phone known as?

ESN number.

What are types of search warrants? Select the most comprehensive answer. - Electronic storage device search warrant - Service provider search warrant and electronic storage device search warrant - Service provider search warrant

Electronic storage device search warrant allows for search and seizure of computer components such as hardware, software, storage devices and documentation Service provider search warrant allows the first responder to get information such as service records, billing records and subscriber information if the crime is committed through the internet.

What is generally part of corporate investigation?

Email harassment, Falsification of information, Embezzlement, Fraud, Corporate sabatage

A stegosystem is made up of which components?

Embedded message, Cover medium, Stego-key, Stego-medium

What are the severity levels of syslog?

Emer (gency), Alert, Crit, Err, Warning, Notice, Info, Debug

Which tool can be used for acquiring and imaging evidence? It allows recovery of deleted files and provides hash generation of individual files, data capture and documentation. This tool also has a bookmarking feature that saves bookmarks in case files. - EnCase - Device Seizure - SIM Card Seizure

EnCase can be used for acquiring and imaging evidence. It allows recovery of deleted files and provides hash generation of individual files, data capture and documentation. EnCase also has a bookmarking feature that saves bookmarks in case files.

What are two popular tools used in computer forensic analysis? - Wireshark - Encase - FTK

Encase and FTK are two popular tools used in computer forensic analysis

Dr. Nelson is a technical expert with a PhD in computer science along with several important computer certifications. she has spoken about computer science in many venues around the world and written a book on the subject. Suppose Dr. Nelson has been asked to be a witness, what type of witness is Dr. Nelson? - Lay - Evidentiary - Expert

Evidentiary witness is limited to presenting facts of the case Expert witness can testify as an evidentiary witness and also make opinons based on scientific, technical or other expert knowledge The Rules of Evidence provide a framework of what a witness can and cannot discuss

Computer Forensics Expert Roles

Examine personal computers and email. Find deleted files Examine Case documentation. Help court understand the report. Review all files. Decrypt encrypted files. Open password protected files. Determine author, dates and times of files. Prepare reports.

Each process of Windows is represented as an ____________________.

Executive Process

Each process of Windows is represented as an _______.

Executive process (Each process on a Windows system is represented as an executive process or EProcess. EProcess block is a data structure containing attributes of the process and pointers to threads and process environment blocks.)

Which are true about FAT32? - When formatted, the Master File Table (MFT) is created - Smaller clusters for more efficient storage capacity - 32-bit version of File Allocation Table - Designed for floppy diskettes

FAT32 is the 32-bit version of the FAT file system that uses smaller clusters which results in more efficient storage capacity. It supports drives up to 2 TB. It can relocate the root directory and use the backup copy rather than the default copy. It can dynamically resize a partition.

Which agency of the United States Department of Justice investigates both federal crimes and acts as internal intelligence agency?

FBI

Which hexa-decimal characters define the location of the End of a JPEG file?

FF D9

What type of scan sends FIN flag? - XMAS - FIN - Half-open

FIN scan sends the FIN flag

Which encryption algorithm is streaming?

FISH

Which encryption algorithm is streaming? - FISH - AES - DES

FISH - FISH (FIbonacci SHrinking) stream cipher [http://www.google.com/#hl=en&sclient=psy-ab&q=stream+cipher+fish&oq=stream+cipher+fish&gs_l=serp.3...2118.6551.0.6803.25.16.0.0.0.0.1123.3003.5-2j1j1.4.0.les%3B..0.0...1c.1.2.serp.2leYPHYeYtI&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&fp=785d3bc0fb80a0d7&biw=708&bih=643] AES (Advanced Encryption Standard) is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard] DES predessor of AES

Which protocols generally are allowed in the DMZ?

FTP (TCP ports 20, 21), SMTP (TCP port 25), DNS (TCP port 53, UDP port 53), HTTP (TCP port 80), HTTPS (TCP port 443)

What is the port for SMTP? - 25 - 389 - 443

FTP - Ports 20 and 21 SSH - Port 22 SMTP - Port 25 SFTP - Port 115 (Simple File Transfer Protocol) LDAP - Port 389 SSL - Port 443 SMB - Port 445 (137 - NetBIOS Name Service, 139 - NetBIOS Datagram Service)

Rule 703 includes what?

Facts are disclosed to expert, Court decides whether probative value in assisting jury to evaluate expert opinion outweighs prejudicial nature of facts used by said expert.

The first responder does not need to have complete knowledge of computer forensic investigation procedures.

False

True or False: Only administrators have a subdirectory in the Recycle bin

False

Which pertains to federal information security? (Choose one) - CAN-SPAM - GLB - FISMA

Federal Information Security Management Act requires federal agencies to develop, document and implement an agency-wide program to provide information security Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act) includes provision to protect consumer's personal financial information CAN-SPAM Act of 2003 (controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirments for those sending commerical email and gives consumers the right to ask emailers to stop spamming them

What are the FRE Article VII rules of evidence? - Rule 701 - Opinion Testimony by Lay Witness - Rule 702 - Testimony by Experts - Rule 703 - Basis of Opinion Testimony by Experts - Rule 704 - opinon on Ultimate Issue - Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion - Rule 706 - Court Appointed Experts - Rule 707 - Self Appointed Experts

Federal Rules of Evidence Article VII rules of evidence includes: Rule 701 - Opinion Testimony by Lay Witness Rule 702 - Testimony by Experts Rule 703 - Basis of Opinion Testimony by Experts Rule 704 - Opinon on Ultimate Issue Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion Rule 706 - Court Appointed Experts

What are the FRE Article VII rules of evidence? - Rule 701 - Opinion Testimony by Lay Witness - Rule 702 - Testimony by Experts - Rule 703 - Basis of Opinion Testimony by Experts - Rule 704 - opinon on Ultimate Issue - Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion - Rule 706 - Court Appointed Experts - Rule 707 - Self Appointed Experts

Federal Rules of Evidence Article VII rules of evidence includes: Rule 701 - Opinion Testimony by Lay Witness Rule 702 - Testimony by Experts Rule 703 - Basis of Opinion Testimony by Experts Rule 704 - opinon on Ultimate Issue Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion Rule 706 - Court Appointed Experts

What are the file types for Linux? - 1,4,6,7 - d, -, c, b, s, p, l - r,w,x,s

File types for Linux are: d - directory - - regular file c - character b - block s - Unix domain socket p - named pipe l - symbolic link

Rastor Image

File/ structure representing a generally rectangular grid of pixels (points of color) on a monitor. Quality lost as you enlarge (Determined by the number of Pixels and the amount of information per pixel). Pixel is 8-bits (RGB), and each is individually defined.

Which files go into the Recycle bin?

Files with a system attribute. Files that have an ownership attribute assigned to someone other than the user deleting the file. Files deleted from an attached external firewire hard drive.

Which of the following is NOT part of corporate investigation? - Business must continue during the forensic investigation - Generally address policy violations or legal disputes - May address wrongful termination - Must carefully follow government regulations - May address industrial espionage

Following government regulations is NOT the primary part of corporate investigation although corporations must adhere to appropriate government regulations. Corporate investigation is generally looking into the following: - Business must continue during the forensic investigation - Generally address policy violations or legal disputes - May address wrongful termination - Must carefully follow government regulations - May address industrial espionage

evidence includes the date and time the investigator visited the incident site and with whom the investigator spoke.

General

What does HKEY_CURRENT_CONFIG?

Hardware profile at startup

Extreme cases of ____ include cyber stalking, in which electronic means are used to follow or intimidate the victim.

Harrasment

Fuzzy Hash

Hash values that can be compared, to determine how similar 2 pieces of data are.

Steganography

Hiding messages in other media.

Host-Based intrusion detection

Host based intrusion detection (HIDS) refers to intrusion detection that takes place on a single host system.

An intrusion detection systems that audits events on a single host is

Host-based intrusion detection

____ is the process of synchronizing elements between a Palm handheld device and a desktop PC.

HotSync

What are the two examples of mobile synchronization software? - ActiveSync - FastSync - Hotsync

HotSync Manager for Palm OS and ActiveSync for Windows Mobile devices are two examples of mobile synchronization software

____ is the entity that oversees global IP address allocation, DNS root zone management, media types, and other Internet protocol assignments.

IANA

Choose three places to look for evidence of SQL injection attacks.

IDS log files, Database log files and Web server log files

When an attacker changes their IP address it is called:

IP address spoofing

Role of the First Responder

Identify Crime scene Protect the Crime Scene Preserve evidence Collect complete information about incident. Document findings Package and Transport evidence.

Which item is NOT part of forensic readiness planning? - Define business scenarios that require collection of digital evidence - Identify potential available evidence - Identify crime scene - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence

Identifying a crime scene is NOT part of forensic readiness planning. Forensic readiness planning includes: - Define business scenarios that require collection of digital evidence - Identify potential available evidence - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence

A forensic investigator, believes key evidence is on a PDA device. He is not sure whether the PDA is communicating with another device. What should he do?

If connected to desktop, remove the connection. If communicating via WiFi, stop communications. Seize device and put it in a antistatic bag and isolation envelop to isolate it from further communication.

What are steps to removing the CMOS battery and why remove it? - Locate the battery on the motherboard and carefully lift it from the socket - To remove the battery, leave the computer on - To remove the battery, shut down the computer and disconnect the power plug - If the CMOS battery is removed and replaced after 20-30 minutes, the password will reset itself

If the CMOS battery is removed and replace after about 30 minutes, the password will reset itself. Turn the computer off and unplug the power cord Locate the battery on the motherboard Carefully lift the battery from the socket Wait 30 minutes and replace the battery Reboot the computer and enter BIOS Set the default settings, save the settings and start the computer

This type of DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses - Fraggle - Smurf - Land

In a fraggle DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses

What is a mosaic attack?

In a mosaic attack the image is split into multiple pieces. Then javascript is used to stitch them back together but the watermark is lost.

____________ is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs or audit data

Intrusion detection

What can be used to detect cookie poisoning?

Intrustion prevention tools

Cold Boot

It's turning the computer on from an off state.

____ is a lossless data compression algorithm that combines the string of same byte values into the single code word.

LZW

This type of DoS attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously

Land

This type of DoS attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously - Fraggle - Smurf - Land

Land attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously

With the ___ technique, the righmost bit in the binary notation is substituted with a bit from the embedded message

Least significant bit LSB

What is the best way to deal with powered-on computers connected to a network?

Leave the computer on, unplug network cable and photograph the screen and document the programs

Which answer best describes the legal issues related to computer forensic investigations? - Making sure the evidence is admissible in court - Admissibility in court, meeting relevant evidence laws while dealing with practical aspects of computers - Knowing the relevant evidence laws

Legal issues include the balance between meeting relevant evidence laws (ie. admissability in court) while dealing with practical aspects of computers

FTK KFF (Known File Folder)

Library of hash values for known good and bad files.

Helix 3 Pro

Live forensics tool that operates on Windows, Mac and Linux. Can boot into a customized Linux environment. Dedicated to incident response and forensics.

SYSTEM\CurrentControlSet\W32Time\Parameters is part of the registry key used for _______________

Loading NTP

____ are the primary recorders of a user's activity on a system and of network activities.

Log Files

New Line Injection Attack

Log injection attacks can be used to cover up log entries or insert misleading entries. Common attacks on logs include: -inserting additional entries with fake information, -truncating entries to cause information loss, or -using control characters to hide entries from certain file viewers. 0x0D - Carriage Return. 0x0A - Line feed.

Which acquisition type does NOT collect unallocated areas of the drive?

Logical

Tracking user logon activity via Audit Event ID's: 538

Logoff

Tracking user logon activity via Audit Event ID's: 528

Logon

PNG - Portable Network Graphics

Lossless data compression. Replaces GIF format. Contains: PNG signature, Chunk Layout (image is a series of chunks), CRC redundancy Check.

Where are private encrypted keys stored on the Blackberry?

Mailbox

Precautions to prepare for Mobile Investigation

Maintain fingerprints. Turn off wireless interfaces. Photograph scene. If on, photograph screen and record data. Collect other sources of evidence. Seize cradle or other connected devices. Remove battery if submerged in liquid. Isolate from radio traffic or EM fields. Isolate from other synchronizing devices. Replace alkaline batteries.

What is one best way to crack an EFS password?

Make a duplicate copy of the target hard drive and view the copy

How does the investigator acquire data from a PDA?

Make an image of the device memory

What tools can be used to view metadata?

Metaviewer, Metadata Analyzer and iScrub

In what format can music be stored on an iPod?

Music can be stored on an iPod as MP3, WAV, Apple Lossless, M4A/AAC, protected AAC, or AIFF formats

What are the four PDA generic states?

Nascent, Active, Quiescent, Semiactive

What can be used to detect buffer overflows?

Nebula

What tools can be used to see which files are open?

Net file, PsFile, Openfiles

What tools can be used to see which files are open?

Net file, PsFile, Openfiles (Net file reveals names of all open shared files and the number of file locks, PsFile shows list of files open remotely, openfiles can be used to list or disconnect all open files and folders)

Net Commands: Net Name

Net name is used to add or delete a messaging alias at a computer.

It appears the suspect's computer is connected to a network, what is one thing an investigator should look for?

Network connections (Information about network connections can expire over time so an investigator must collect evidence as soon as possible after an incident.)

The classic iPods use hard drives to store data, but newer versions, such as iPod Nano, iPod Shuffle, and iPod Touch store data differently. How do they store it? - ROM - Flash memory - RAM

Newer versions of the iPod use flash memory to store data.

Does UTC follow daylight savings time?

No

If the evidence is in plain view and a police officer can see it from a reasonable vantage point, is a search warrant necessary before the police officer can seize the evidence?

No

Jane, an IT Helpdesk tech is learning about steganography. She finds a collection of jpeg files on a folder in the file server that have corporate sales information hidden inside them. She contacts her manager. They make a copy of the files and call the police. Do the police need a search warrant to seize these files?

No

Police come to the computer lab of TechCo, Inc. because they received a plausible tip that someone is storing child pornography in the computer lab and selling it over the internet. The owner of TechCo, Inc. is very surprised to hear this and immediately gives permission for the police to search the computers In the lab. Is a search warrant necessary?

No

In the Windows based Recycle bin what is the size limited to?

No size limit, Except OS versions prior to Vista, which is: 4 GB

Police come to the computer lab of TechCo, Inc. because they received a plausible tip that someone is storing child pornography in the computer lab and selling it over the internet. The owner of TechCo, Inc. is very surprised to hear this and immediately gives permission for the police to search the computers In the lab. Is a search warrant necessary? - Yes - No

No, a search warrant is NOT necessary if the responsible person gives permission for the search

If the evidence is in plain view and a police officer can see it from a reasonable vantage point, is a search warrant necessary before the police officer can seize the evidence? - Yes - No

No, if the evidence is in plain view and a police officer can see it from a reasonable vantage point, is a search warrant is NOT necessary before the police officer can seize the evidence.

Jane, an IT Helpdesk tech is learning about steganography. She finds a collection of jpeg files on a folder in the file server that have corporate sales information hidden inside them. She contacts her manager. They make a copy of the files and call the police. Do the police need a search warrant to seize these files? - Yes - No

No, legal differences exist between how a private citizen and law enforcement can gather evidence

____ logging records a set of data fields in an ODBC-compliant database like Microsoft Access or Microsoft SQL Server.

ODBC

In Windows CE, the ____ layer contains the OEM adaptation layer (OAL), drivers, and configuration files.

OEM

____ is a link-state routing protocol used to manage router information based on the state (i.e., speed, bandwidth, congestion, and distance) of the various links between the source and destination.

OSPF

Objects in Windows CE are stored in three types of persistent storage. What are they? - File system, registry and property databases - Folders, registry and object store - File system and folders

Objects in Windows CE are stored in the file system, registry and property databases.

EC-Council identified thirteen steps for evaluating a case. Which of these listed is not one of these steps? - Obtain a network map - Identify relevance of peripherals such as credit cards, check paper, scanners, cameras... - Establish potential evidence being sought - Obtain additional details such as emails addresses, usernames... - Set the order of evidence examination - Identify any additional expertise or equipment needed

Obtain a network map is not one of the steps for evaluating a case

What is the first step to be carried out in an investigation of a computer crime?

Obtain a search warrant

Steps to investigate email

Obtain a warrant and seize computer and account. Bit by bit Image. Examine Complete Email Headers. Trace Origin. Acquire Email Archives. Recover Deleted Emails.

Plain View Policy

Officer or agent has the ability to seize objects without a warrant, when they are somewhere they have legal authority to be, and they immediately recognize the object as illegal.

Name one Windows software write blocker?

PDBLOCK

Name one Windows software write blocker? - WiebeTech Forensic SATADock - PDBLOCK - Mount iPod as a read-only drive

PDBLOCK is a software write blocker used on Windows

What is computer forensics? - Preservation, identification, extraction, interpretation and documentation of computer evidence. - Preservation, identification and interpretation of computer evidence - Extraction and documentation of computer evidence

PIEDI (Pied Eye) Preservation, identification, extraction, interpretation and documentation of computer evidence.

What does POST stand for? - Power On Self Test - Power Off Self Test - Power Only Startup Test

POST - Power On Self Test

What are the main protocols for the Data Link Layer?

PPP, SLIP, ARP

There are three types of records in the PFF. What are they?

Palm Database, Palm Resource and Palm Query Applications

What is a Windows-based tool for Palm OS memory imaging and forensic acquisition? - SIM Card Seizure - Palm dd (pdd) - DS Lite

Palm dd (pdd)is a Windows-based tool for Palm OS memory imaging and forensic acquisition

A(n) ____ attack is a type of attack where an unauthorized user monitors communications to gather information

Passive

Active Online Password attacks

Password Guessing, Trojan / Spyware/ Key logger, Hash Injection.

____ shows passwords hidden behind asterisks in Windows.

Password Spectator

____ is an architecture-independent PowerPC emulator that can run most PowerPC operating systems.

PearPC

Access Control attack

Penetrate a network by evading WLAN access control measures such as AP MAC Filters and Wi-Fi port access. DoS, Spoofing, dictionary, brute force, war-dialing

Pieces of evidence found at the crime scene should be first ____, identified within documents, and then properly gathered.

Photographed

Disks, tapes, and CD-ROMs

Physical media used for data storage

In the memtest.exe file, What does the PS value represent?

Physical sectors, counted from the very first sector of the disc.

The ____ tool uses brute force and dictionary attacks to recover passwords from ZIP files.

PicoZip Recovery

Pixel

Picture element that is a single point in a graphic image.

Null Cipher

Plain text mixed with a large amount of plain text material.

From largest to smallest what is the platter organization? - Platter, track, sector - Sector, track, Platter - Platter, track, cluster

Platter, Track, Sector: Each platter has two read-write heads - one on top and one on bottom. Platters are divided into tracks. Tracks are concentric circles that are divided into sectors. Each sector holds 512 bytes. Clusters are groups of sectors, eg. 128-sector cluster would have about 65536 bytes. Clusters are the smallest logical storage units on a hard disk.

From largest to smallest what is the platter organization?

Platter, track, sector

What files contains pool headers?

Pooltag.txt

What files contain pool headers?

Pooltag.txt (Windows memory manager generally allocates memory in 4KB pages. Sometimes, 4K would be too large and waste memory. So memory manager allocates several pages ahead of time thus keeping an available pool of memory.)

What is the port for SFTP?

Port 115 (Simple File Transfer Protocol)

IMAP Port

Port 143

What is the port for SSH?

Port 22

SMTP Port

Port 25

What is the port for SMTP?

Port 25

What is the port for LDAP?

Port 389

What does POST stand for?

Power On Self Test

Offline Password Attacks

Pre-Computed Hashes, Distributed Network attack, Rainbow Attack.

Daubert Standard

Precedent regarding the admissibility of expert testimony. Determined before or during the trial. Relevant and reliable. Based on facts of the case. Conclusions based on scientific method.

EC-Council identified thirteen steps for evaluating a case. One of these steps involves sending any ______________________ to ISP or other storage provider to make sure evidence is not destroyed.

Preservation Orders

What is computer forensics?

Preservation, identification, extraction, interpretation and documentation of computer evidence.

Construction and Architecture Experts

Pretrial assessment. Accident Investigations, Construction Defects. Estimating and analyzing schedule of construction. Claims

First responders should not

Prosecute a suspect

What is required for computer records to be admissible in court of law?

Prosecution must present appropriate testimony to show logs are accurate, reliable, fully intact and witness must authenticate computer records presented as evidence

Virtual and physical memory

Provide a complete address space for all processes and protect one process from others.

Choose the list of tools and commands used to determine logged-on users:

PsLoggedOn, Net Sessions, LogonSession

List the tools and commands used to determine logged-on users.

PsLoggedOn, Net Sessions, LogonSession

What registry data type indicates 32-bit integer?

REG_DWORD

What registry data type indicates variable length text string?

REG_EXPAND_SZ

What registry data type indicates series of nested arrays storing a resource list used by physical hardware device?

REG_FULL_RESOURCE_DESCRIPTOR

What registry data type indicates Unicode string naming a symbolic link?

REG_LINK

What registry data type indicates multiple strings separated by delimiter?

REG_MULTI_SZ

What registry data type indicates no data type?

REG_NONE

What registry data type indicates 64-bit integer?

REG_QWORD

What registry data type indicates series of nested arrays storing a resource list?

REG_RESOURCE_LIST

What registry data type indicates series of nested arrays storing a device driver's list?

REG_RESOURCE_REQUIREMENTS_LIST

What registry data type indicates fixed length text string?

REG_SZ

Devices connect to Blackberry require built-in ___________. Applications developed for Blackberry must be ________________.

RIM wireless modem Signed digitally in order to identify the developer

____ is a protocol used to manage router information within a self-contained network. It is limited in that it allows only 15 hops in the path from source to destination.

RIP

What kind of memory resides on a PDA?

ROM, RAM and Flash RAM

GIF

Rastorized 8-bit bitmap image. 256 disting colors. Can be animated.

Data Acquisition Formats

Raw, Proprietary, Advanced Forensics Format (AFF)

If the INF02 file is deleted, it is re-created when you___________.

Reboot the windows operating system

Which key is used to send an encrypted message when using asymmetric encryption?

Receiver Public Key

Which key is used to send an encrypted message when using asymmetric encryption? - Receiver Public Key - Receiver Private key - Sender Public Key

Receiver Public Key is used when sending an encrypted message when using asymmetric encryption

POP3 - Post Office Protocol

Receives email, that deletes on the server as soon as downloaded. Port 110

SMTP - Simple Mail Transfer Protocol

Receives outgoing mail and Validates source and destination addresses. Sends and receives email from other servers. Port 25

What is part of the role of a forensics investigator?

Recover data, Determine damage from crime, Gather evidence based on forensic guidelines, Protect evidence

Which one is NOT an objective of computer forensics? - To recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law - To identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identify of the perpetrator - To recover and identify the evidence quickly

Recovering and identifying evidence quickly is not a primary objective of computer forensics. Working too quickly can lead to mistakes that might compromise the evidence. There are two objectives of computer forensics: - Recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law - Identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identify of the perpetrator

Lossy Compression

Refers to data compression techniques in which some amount of data is lost. Lossy compression technologies attempt to eliminate redundant or unnecessary information. Some of the data is lost.

This type of DDoS do the attacks usually spoof the originating IP addresses and send the requests at reflectors.

Reflective DDoS

Header fields to look at.

Return Path. Recipient Email. Type of sending email Service. IP address of sending server. Name of email server. Unique message number. date and Time sent. Attached files.

____ allows parents to quickly evaluate the files on a system for the presence of child pornography.

Reveal

Choose tools used to combat child porn: - Anti-Child Porn.org - Reveal - iProtectYou - Child Exploitation Tracking System

Reveal is not a forensic tool. It was developed by Protect Your Family to identify objectionable material on hard disks so parents and other concerned parties can scan a computer using keywords to determine whether any files are illegal or offensive. iProtectYou is a parental control and filtering software intended to control what users on a computer are allowed to access on the internet Child Exploitation Tracking System (CETS) is a tool for law enforcement to organize, analyze, share and search information related to child exploitation cases.

Name tools used to combat child porn:

Reveal, iProtectYou, Child Exploitation Tracking System

4th Amendment

Right or expectation of Privacy Governs the lawful search of a person, place, or thing.

What does a good investigative report not include? - Description of data collection techniques - Adequate supporting data - Calculations used - Graphs and statistics - References - Risk Assessment

Risk Assessment is not part of the investigative report. A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports

A ____ is a network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network.

Router

____ logs provide information about the router's activities.

Router

What does a good investigative report NOT include? - Methods of investigation - Litigation support reports - References - Error analysis - Router settings

Router settings may be too detailed for an investigative report A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports

What should be in place to ensure compliance with procedures and policies?

Routine audits

A ____ is a database that stores the most efficient routes to particular network destinations.

Routing Table

What are the FRE Article VII rules of evidence?

Rule 701 - Opinion Testimony by Lay Witness Rule 702 - Testimony by Experts Rule 703 - Basis of Opinion Testimony by Experts Rule 704 - Opinon on Ultimate Issue Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion Rule 706 - Court Appointed Experts

Rule 702 includes which of the following? - Testimony based on sufficient facts - Testimony based on facts - Testimony is the product of reliable principles and methods - Testimony is the product of any known principles and methods - Witness has applied reliable principles and methods reliably to the facts of the case - Witness has applied reliable principles and methods to the facts of the case

Rule 702 includes: Testimony based on sufficient facts Testimony is the product of reliable principles and methods Witness has applied reliable principles and methods reliably to the facts of the case

Where is the running-configuration file for a Cisco router? - ROM - RAM - NVRAM

Running-configuration file is in RAM

Which registry key maintains the audit policy?

SECURITY\Policy\PolAdtEv

___ is an Internet protocol for transmitting e-mail over IP networks.

SMTP

Which registry key maintains the wireless SSID?

SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\(GUID)

A ___ attack occurs when an attacker passes malicious SQL code to a web application.

SQL injection

____ occurs when the intruder sends SYN packets (requests) to the host system faster than the system can handle them.

SYN Flooding

Where is the last time the system was shut down?

SYSTEM\ControlSet00x\Control\Windows

Where is the computer name located?

SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

Where is the time zone listed?

SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Which registry key maintains the shares?

SYSTEM\CurrentControlSet\lanmanserver\parameters

Looking for pieces of a file is known as ____, and in some parts of North America it is called carving.

Salvaging

Sam, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered off. What should Sam do?

Sam should make sure the device remains powered off. He should also photograph the device to capture the current state of the device.

Sam, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered off. What should Sam do? - Turn the device on - Photograph the device showing the current state - Leave the device off

Sam should make sure the device remains powered off. He should also photograph the device to capture the current state of the device.

____ is a Linksys router log analyzer. It processes router log files, analyzes them, and then generates a report based on the analysis.

Sawmill

Computer forensics is:

Science of capturing, processing, and investigating computer security incidents and making it acceptable to a court of law.

Which are true about Evidor?

Search text on hard disks and retrieves the context of keyword occurrences on computer media Examines entire allocated space including swap space, hibernate files and unallocated space on hard drives

What is an hdc device?

Secondary master

What is an hdd device

Secondary slave

Non-Volatile data

Secondary storage of data. Long term, persistent data.

What type of cell holds security descriptor information for key cell

Security descriptor cell

Security Software Logs

Security or IDS logs- who, what, where, when. Router logs, Honey Pot log. Logon event, Application event log

Shane, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered on. What should Shane do? - Plug the device into a power supply or charge the battery to keep it on - Photograph the device showing the current state - Turn the device off for safekeeping

Shane should make sure the device remains powered on by plugging it into a power supply or charging the battery. She should also photograph the device to capture the current state of the device.

listdlls command

Shows modules and dlls in use. A tool & its parameters for seeing what DLLs are referenced by an EXE

handle command

Shows open files, ports, registry keys and threads.

doskey /history

Shows previously typed commands.

Network state

Shows the state of the network and contains the IP address and URL.

Obstructed Mobile device.

Shut off and requires authentication.

Tracking user logon activity via Audit Event ID's: 513

Shutdown

Which of the following is NOT generally part of corporate investigation? - Email harassment - Falsification of information - Embezzlement - Fraud - Corporate sabatage - Sick time

Sick time is not typically part of a corporate investigation

____ attacks apply techniques such as compression, filtering, resizing, printing, and scanning to remove the watermark.

Signal Processing attacks

attacks apply techniques such as compression, filtering, resizing, printing, and scanning to remove the watermark.

Signal processing

What is the ELF_LOG_SIGNATURE?

Signature of the Windows event log (The event log header is the first 48 bytes and the magic number appears as eLfL in ASCII.)

____ is a built-in Windows tool that searches for unsigned drivers on a system.

Sigverif

___________ is a built-in windows tool that searches for unsigned drivers on a system.

Sigverif

Which tool recovers deleted SMS/text messages?

Sim Card Seizure

Which tool recovers deleted SMS/text messages? - SIM Card Seizure - Device Seizure - DS Lite

Sim Card Seizure recovers deleted SMS/text messages. It can analyze SIM card data. It takes SIM card acquisition from Paraben's Device Seizure. Sim Card Seizure includes both software and a SIM card reader.

Raw data acquisition format creates ____________of a data set or suspect drive.

Simple sequential flat files

Dest Acquisition Method, factors.

Size of source disk. Whether you can retain the disk. When the drive is very large.

If the partition size Is 4 GB, each cluster will be 32 K. Even If a file needs only 10 K, the entire 32 K will be allocated, resulting In 22 K of___________.

Slack space

What is slack space? - Space left over between the last byte of a file and the first byte of the next cluster - White space used to hide information via steganography - White space in a digital photograph

Slack space is the space left over between the last byte of a file and the first byte of the next cluster

SCSI

Small Computer System Interface. circuit board that handles up to 15 peripheral devices

Cluster

Smallest allocation unit. Set of tracks and sectors from 2 to 32. inimizes fragmentation

Task List Commands: tasklist /p

Specifies the password of the user account that is specified in the /u parameter.

____ is a repeated, unwelcomed activity that involves gazing at, following, or harassing another person.

Stalking

When searching for evidence, what is the manner in which the search should be conducted?

Start from the computer and move outward in a circular manner.

Tracking user logon activity via Audit Event ID's: 512

Start-up

Where is the startup-configuration file for a Cisco router? - ROM - RAM - NVRAM

Startup-configuration file is in NVRAM

What is the 48-bit unique address programmed by the Ethernet board manufacturer?

Static address

What are two types of gathering information from an executable file?

Static analysis and Dynamic analysis Static analysis involves collecting information about and from the executable without launching it. Dynamic analysis involves running the executable in a monitored environment.

What type of virus can redirect the disk head to read another sector?

Stealth

What are steganography detection techniques?

StegDetect, StegBreak, Visible noise, Statistical tests, Appended spaces and invisible characters, Unique color palettes

___ is data hiding and is meant to conceal the true meaning of a message

Steganography

____ is the practice of embedding hidden messages within a carrier medium.

Steganography

What is NOT the difference between steganography and watermarking?

Steganography is not used to hide data so it can be watermarked.

What is the difference between steganography and cryptography?

Steganography is used to hide data within other data. Cryptography is used to scramble a message without hiding it.

What steganography methods are used in audio files? - Frequencies inaudible to human ear - White space - LSB - Substitution

Steganography methods for audio files: Substitution scheme For example, suppose note F = 0 and note C = 1. Using this scheme, music could be composed with a secret message. Low-Bit Encoding Artifacts such as bitmaps and audio files often contain redundant information DigSteg can replace redundant information with a message Phase Coding Original sound sequence is shortened into segments New phases are generated for each segment with the message The new phase is combined with the original magnitude to create the encoded output Echo Data Hiding Echo is introduced into the original signal Properties of echo are manipulated to hide data. Properties include initial amplitude, decay rate, and offset

What steganography methods are used in video files?

Steganography methods for video files includes discrete cosine transform manipulation used to add secret data at the time of transfomration process of the video

A stegosystem is made up of which components? - Embedded message - Cover medium - Stego-key - Stego-space - Stego-medium

Stegosystem is the mechanism used in performing steganography. It is comprised of the embedded message, the cover medium, the stego-key and the stego-medium. The stego-key is the secret key used to encrypt and decrypt the message. Stego-medium is the combined cover medium and embedded message.

In Palm OS, the ____ RAM acts like a hard drive on a desktop computer.

Storage

Temporarily-Accessible Data

Stored on hard disk and are accessible for a certain amount of time.

Which NTP stratum level is most accurate? Stratum-0 Stratum-1 Stratum-2

Stratum-0 Stratum levels reflect the distance from the reference clock. Stratum-0 is the reference clock so it is the most accurate and has little delay. Stratum-0 servers are not directly used on the network. They connect to computers in stratum-1.

What is one step to repairing a corrupt Windows event log?

Synchronize four critical fields in the header and footer

What file contains the model number of the iPod (ModelNumStr), serial number of iPod (pszSerialNumber), and serial number the iPod presents to the computer (FireWireGUID)?

SysInfo file

What file contains the model number of the iPod (ModelNumStr), serial number of iPod (pszSerialNumber), and serial number the iPod presents to the computer (FireWireGUID)? - SysInfo file - DeviceInfo file - IPSW file

SysInfo file contains model and serial numbers. The FireWireGUID identifies the connection of the iPod to a Windows computer while the ModelNumStr identifies which iPod is connected.

____ is a combined audit mechanism used by the Linux operating system

Syslog

____ metadata is stored outside the file and identifies the location of a file. It also includes information about filenames, dates, locations, sizes, and so on.

System

According to the National Industrial Security Program Operating Manual (NISPOM), what is an unclassified short name referring to investigations and studies of compromising emanations?

TEMPEST

Classes of Steganography

Technical Linguistic

Which items are examples of technical steganography? - Special characters - Microdots - Invisible inks

Technical steganography includes invisible inks, microdots, and other such technologies

PATA

Technology that identifies attached devices as Slave or Master.

WPA

Temporal Key (TKIP) 128 bit RC4 Temporal key (Actual value). 48 bit IV. CRC-32 and Michael Algorithm Integrity Check. Protects against forgery and Replay attacks.

Prefetch files

Temporary files containing information about application programs, which helps in quicker loading of programs. Each time you open a program, an associated prefetch file is created. That file is used for quicker loading of program, next time you try to run it.

Daubert Standard

The Daubert standard provides a rule of evidence regarding the admissibility of expert witnesses' testimony during United States federal legal proceedings.

Decipher the results of ls -l. (Choose all that apply) drwxr-xr-x 27 root root 4096 Apr 15 2012 /usr/include - This is a directory - Owner can read, write and execute files - This is a regular file

The file type is "d" meaning directory. The first group of rwx means the owner can read, write and execute files

What is part of the role of a forensics investigator? - Recover data - Determine damage from crime - Gather evidence based on forensic guidelines - Protect evidence - All of the above

The role of a forensics investigator is to: - Recover data - Determine damage from crime - Gather evidence based on forensic guidelines - Protect evidence - Create images of original evidence - Guide officials in managing investigation - Reconstruct damaged media - Analyze data and prepares report - Address the issues in court, if necessary. May act as expert witness.

To obtain a search warrant, police or government agent must provide what (select two)? - Opinion about location being searched - Sworn statement including location to search and type of property being sought - Written documentation about complaint initiating search and any supporting documentation

To obtain a search warrant, police or government agent must provide: Sworn statement including location to search and type of property being sought Written documentation about complaint initiating search and any supporting documentation

What are the two categories of cybercrime? - Tools of the crime - Perpetrator of the crime - Target of the crime

Tools of crime and Target of crime are two categories of cybercrime.

The area that is circumscribed 360 degrees on a platter of a disk, when the read/ write head is in a single fixed position.

Track

____ is the distinctive packaging of a product that differentiates it from other products of the same trade.

Trade Dress

What is true regarding 18 U.S.C. 2318?

Trafficking in counterfeit computer programs Trafficking in counterfeit motion pictures

What true regarding 18 U.S.C. 2320?

Trafficking in counterfeit goods Trafficking in counterfeit services

Descrete Cosine Transformation (DCT)

Tranformation technique used by JPEG images, for image compression.

In Palm OS, all the applications share the same dynamic RAM so that they can use each other's data.

True

Modern steganography works by replacing bits of useless or unused data in regular computer files with bits of different, invisible information.

True

Spread-spectrum encoding encodes a wide-band signal into a small-band cover.

True

IIS logs are recorded in what time format?

UTC

What is true regarding 18 U.S.C. 2319?

Unauthorized distribution of sound recordings and music videos of live musical performances

FRE 702

Under Rule 702, an expert is a person with "scientific, technical, or other specialized knowledge" who can "assist the trier of fact". A qualified expert can testify "in the form of an opinion or otherwise" so long as: The testimony is based upon sufficient facts or data. The testimony is the product of reliable principles and methods. The witness has applied the principles and methods reliably to the facts of the case.

Privacy Protection Act

Under the Privacy Protection Act, 42 U.S.C. 2000aa, law enforcement should take special steps while planning a search that agents have reason to believe may result in the seizure of certain materials that relate to the freedom of expression.

Net Commands: Net Config

Use the net config command to show information about the configuration of the Server or Workstation service.

How to recover a deleted partition.

Use the repair option of the Windows Install CD. Enter 'fixboot' and restart the system. or Remove the hard drive, and install it into another computer as a slave. Then attempt to recover the deleted partition. or Third party software. Copy recovered files to another drive, to prevent corruption.

Masking and Filtering

Used on 24 bit greyscale images.

What are Linux PDA security features?

User authentication, access control, encryption, PPTP, IPSec, SSH

Visual Semagrams

Using everyday objects to convey a message. Doodles. Placement of an item. Linguistic Steganography

Live Data Acquisition

Volatile data: RAM, Connections, Registry information, System Information, Cache, Running Processes, Passwords, Instant Messages, Who is logged on, Unencrypted data, Attached Devices, open ports and listening applications, Trojan Horses running in RAM.

18 U.S.C. 2702

Voluntary disclosure of customer communications or records

What are legal points an investigator should keep in mind? - State statutes and local laws - Federal statutes such as Electronic Communications Privacy Act of 1986 (ECPA), Cable Communications Policy Act (CCPA), Privacy Protection Act of 1980 (PPA) and US Patriot Act of 2001 - Scope of the search

What are legal points an investigator should keep in mind? - State statutes and local laws - Federal statutes such as Electronic Communications Privacy Act of 1986 (ECPA), Cable Communications Policy Act (CCPA), Privacy Protection Act of 1980 (PPA) and US Patriot Act of 2001 - Scope of the search

When do you optimize AccessData FTK?

When it is a 64 bit system.

When do you analyze Image file headers?

When new file extentions are present, that forensic tools cannot recognize. Files are accessed using a hexidecimal editor. Values can be used to determine a file type.

Microsoft handheld OS was first called Windows CE, then PocketPC then Windows Mobile. But Windows CE 5.2 powers Windows Mobile 6. What devices does Windows CE run on? - Devices with XScale processor - Devices with ARM processor - Devices with SHx processor

Windows CE runs on devices with XScale, ARM or SHx processors.

Where does Windows CE store data? - PIM and user data in RAM - PIM, user data, OS and application support in ROM - OS and application support in ROM

Windows CE stores PIM and user data in RAM and operating system and supporting applications in ROM. (PIM - Personal Information Management)

Windows CE has four types of memory. What are they? - RAM, temporary storage, expanded ROM, ROM - Consistent storage, RAM, ROM, extra RAM - RAM, Expansion RAM, ROM, Persistent storage

Windows CE supports RAM, Expansion RAM, ROM, and Persistent storage

What port does native Windows remote logging run on?

Windows does not support remote logging. Third-party utilites like NTsyslog are required to enable remote logging in Windows.

Windows password recovery tools

Windows password recovery tools - Windows XP/2000/NT Key Generator - resets the domain adminstrator password for Active Directory - ERD Commander 2005 - boots systems into a Windows-like repair environment giving complete control over the system - Active@ Password Changer - DOS-based solution for resetting local administrator and user passwords in XP, Vista, 2003, 2000 and NT - Cain & Abel - LCP - SID&USER - ophcrack - uses rainbow tables - RockXP - Magical Jelly Bean Keyfinder

What information is stored in the Windows registry if an iPod is connected to a Windows computer?

Windows registry contains the key created while connecting iPod to Windows, last time when registry keys were changed and serial number of iPod.

What information is stored in the Windows registry if an iPod is connected to a Windows computer? - Key created while connecting to iPod - Serial number of the iPod - Next time registry keys are changed

Windows registry contains the key created while connecting iPod to Windows, last time when registry keys were changed and serial number of iPod.

Are these steps the basic steps in PDA forensics? 1 - Secure and evaluate the crime scene 2 - Seize the evidence 3 - Identify the evidence 4 - Preserve the evidence 5 - Acquire information 6 - Examine and analyze the information 7 - Document 8 - Report

Yes

Is it possible to break the passcode on a locked iPhone?

Yes

Is this the proper order for response to a crime by first responders: 1. Begin investigation the moment a crime is suspected 2. Response to preliminary evidence by photographing the scene and marking evidence 3. Obtain search warrant, if needed 4. Follow first responder procedures 5. Seize evidence seized at crime scene then safely number and secure it 6. Transport evidence to forensic laboratory 7. Make two bit-stream copies of evidence 8. Generate a checksum (generally MD5) on the bit-stream images 9. Prepare chain of custody 10. Store the original disk so that time stamps and evidence remain intact 11. Use image copy to analyze the evidence 12. Prepare a forensic report describing the forensic method and recovery tools 13. Submit the forensic report 14. Testify as expert witness, if needed

Yes

It is critical that the crime scene be secure. Should computers be detached from the network in order to contain the crime scene?

Yes

Is a vault needed in a forensic lab? - Yes - No

Yes, a vault protects against flood, fire, theft...

It is critical that the crime scene be secure. Should computers be detached from the network in order to contain the crime scene? - Yes - No

Yes, computers should be disconnected from networks to thoroughly secure the crime scene

Is it possible to break the passcode on a locked iPhone? - Yes - No - Only with hacking tools

Yes, there is a series of steps to break the passcode on an iPhone. 1. Press Emergency Call button 2. Type *#301#, press green button 3. Delete previous entry 6 times 4. Type 0, press green button 5. Answer call by pressing green button 6. End call by pressing red button 7. Press Decline button 8. In Contacts tab, press + button to create a new contact 9. In the Add new URL, type prefs: and press Save 10. Touch No Name 11. Click on home page prefs: 12. Click on General tab in Settings menu 13. Click on passcode Lock 14. Click Turn Passcode Off 15. Return to General tab by clicking Cancel 16. Click Auto-Lock and reset it to Never

What are two imagers in Helix?

dd and FTK Imager

Which dd command is used to copy a floppy?

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

Which dd command is used to copy a floppy? - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc - dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/mem of=/home/sam/mem.bin bs=1024

dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc Make a copy of a floppy disk

Which statement is used to partition an image on another machine?

dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

Which statement is used to partition an image on another machine? - dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 used to partition an image on another machine. Run on the source machine

Which dd command is used to make a complete physical backup of a hard disk? - dd if=/dev/hda of=/dev/case5img1 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc

dd if=/dev/hda of=/dev/case5img1 make a complete backup of a hard disk

Which statement is used to see the contents of the MBR? - dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 - dd if=/dev/hda of=mbr.bin bs=512 count=1 - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

dd if=/dev/hda of=mbr.bin bs=512 count=1 used to see contents of the master boot record. Must be run as root. Reads the first 512 bytes from /dev/hda (the first IDE drive) and writes them to a file named mbr.bin

Which dd command is used to make an image of a CD?

dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc

Which dd command is used to make an image of a CD? - dd if=/dev/hda of=/dev/case5img1 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc

dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc Make an image of a CD

Which dd command is used to copy RAM memory to a file?

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

Which dd command is used to copy RAM memory to a file? - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc - dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/mem of=/home/sam/mem.bin bs=1024

dd if=/dev/mem of=/home/sam/mem.bin bs=1024 Used to copy RAM memory to a file

Which dd command is used to copy one hard disk partition to another hard disk?

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

Which dd command is used to copy one hard disk partition to another hard disk? - dd if=/dev/hda of=/dev/case5img1 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror Copy one hard disk partition to another hard disk

Which dd command is used to restore a disk partiiton from an image file?

dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror

Which dd command is used to restore a disk partiiton from an image file? - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc - dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/mem of=/home/sam/mem.bin bs=1024

dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror Used to restore a disk partition from an image file

What does the iPod System Partition contain?

iPod OS, images, and games and other default applications.

iPod Touch uses WiFi, Safari Web browser and wireless access to iTunes Store and YouTube. - True - False

iPod Touch is an iPod with Wi-FI, multitouch interface with Safari Web browser and wireless access to iTunes Store and YouTube. It uses the iPhone OS.

Why is it important to know with which type of system the iPod has been synchronized?

iPods sync'd with Mac computers use Apple's HFS+file system. iPods sync'd with Windows use FAT32.

____ is a wireless tool for Mac OS X that provides plug-ins for finding and discovering information about AirPort networks, Bluetooth devices, and Bonjour services.

iStumbler

What is the digital media player application most commonly used to interact with an iPod?

iTunes

What software is used to disable automatic syncing?

iTunes

A(n) ____ is a suitor who desires a physical or intimate relationship with the victim.

incompetent suitor

____ are the primary recorders of a user's activity on a system and of network activities.

log files

The most common way to use this command is with -ano switches or -r switch. - Netcat - Netstat - Nmap

netstat -ano displays TCP and UDP network connections, the listening ports and process identifiers (PID) using those network connections netstat - r displays the routing table

When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port?

netstat -o & fport (* netstat -o shows process to port mappings * netstat -b shows the executable involved in creating each connection (Windows XP) * fport shows process-to-port mappings but must be executed with administrator privileges)

When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port?

netstat -o and fport

What command can be used to display active TCP connections, Ethernet statistics and IP routing table? - netcat - netstat - nmap

netstat command can be used to display active TCp connections, Ethernet statistics and IP routing table

Which nmap scan is a slow scan to avoid detection? - nmap -sS -PT -PI -O -T1 122.13.145.15 - nmap -sP 10.1.2.0/24 - nmap -sS -O www.somewebsite.com/24

nmap -sS -PT -PI -O -T1 122.13.145.15

Computer records fall into what 3 categories?

1. Computer Generated. 2. Computer Stored. 3. Both Generated and Stored They require authentication.

Steps to recover image file.

1. Identify Image file fragments 2. Recover all the fragments from different disk areas. (Salvaging or Carving) 3. Restore the Fragments.

Key steps for Forensic Investigation

1. Identify the Computer Crime. 2. Collect Primary Evidence. 3. Obtain court warrant for seizure (if required). 4. Perform first responder Procedures. 5. Seize evidence at the crime scene. 6. Transport Evidence to the forensic laboratory. 7. Create 2-bit stream copies of the evidence. 8. Generate MD5 checksum on the images. 9. Chain of Custody. 10. Store the original evidence in a secure location. 11. Analyze the image copy for evidence. 12. Prepare a forensics report. 13. Submit the report to the client. 14. Attend Court and testify as an expert witness. (if necessary)

Which range of HTTP Status Codes reveals informational status codes?

100 - 101

802.11n

100+ Mbp,s MIMO - Multiple Input, Multiple Output.

Hashing Algorithm Lengths: MD5

128 Bits

Which law is applicable to fraudulent copyright notice?

17 U.S.C. 506(c-d)

What laws are applicable to cyberstalking?

18 U.S.C 875 18 U.S.C. 2261A

In a computer forensics laboratory, how many computers should be budgeted per examiner?

2

Wireless Standards: 802.11b

2.4 GHz and up to 11 Mbits per second

Wireless Standards: 802.11g

2.4 GHz and up to 54 Mbits per second

Wireless Standards: 802.11n

2.5 / 5 GHz and up to 54 / 600 Mbits per second

A accurate file signature analysis requires at least the first ____bytes of a file to determine type and function.

20

____ is a small, command-line utility for Windows that will break apart any JPEG file and generate the HTML code needed to reconstruct the picture

2Mosaic

On a GSM phone that is obstructed with a pin code, how many incorrect entries will block the SIM card?

3

Which range of HTTP Status Codes reveals client error status?

400 - 416

Which port does SSL typically use?

443

MAC filtering is based upon the ________ bit address

48

Hashing Algorithm Lengths: MD6

512 Bits

Hashing Algorithm Lengths: SHA-512

512 Bits

What Event ID is recorded for modification to the Windows audit policy?

612

An EnCase evidence file saves checksums for every block of ____ sectors of evidence.

64

What is true about the PE Header?

64-byte structure called IMAGE_DOS_HEADER First DWORD value refers to address of the new EXE file Value is defined in ntimage.h header file

In general, copyrights for works that are published after 1977 are valid for the life span of the author plus another ____ years

70 Years

Warm Boot

: Restarting the computer via the Operating System

Incident ____ involves not only responding to incidents but also triggering alerts to prevent potential risks and threats.

??

JPEG 2000 employs ____ technology so images can be better compressed without affecting quality of an image.

??

The ____ is the justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility.

??

What command displays the mappings between different layers of the network architecture?

??

____ evidence is data relevant to an investigation that is transferred by or stored on an electronic device.

??

Decipher the results of ls -l. (Choose all that apply) drwxr-xr-x 27 root root 4096 Apr 15 2012 /usr/include A) This is a directory B) Owner can read, write and execute files C) This is a regular file

A & B

How long can a search warrant be used?

A search warrant be used for the amount of time designated in the search order.

Modern BlackBerry devices have ARM7 or ____ processors

ARM9

What type of wireless attack is a Rogue Access Point?

Access control

____ play an important role in investigating routers and checking log messages. They count packets and log specific events.

Access control lists

Logical acquisition

Acquiring specific types of files or a specific area of the drive. Used to reduce a large amount of data or fit within the confines of a warrant. PDST an OST files. Does NOT collect unallocated areas of the drive.

Frye Standard

Admissibility of scientific examination. accepted by scientific community. Applied to procedures, principles and analysis. Number of experts should be provided.

Choose techniques commonly used to remove watermarks?

Algorithms, Transformations, Masking and filtering, LSB

Identify all required for setting up a forensics lab: - Office space - Storage for evidentiary materials - Interview facility - Operational laboratory - All of the Above

All of the Above: The forensics laboratory must have office space, storage for evidentiary materials, interview facility, and operational laboratory

What phone technology does the BitPim tool target for the recovery of data?

CDMA

____ Centre is a U.K.-based anti-child-pornography organization. It focuses on protecting children from sexual abuse.

CEOP Child exploitation and online protection

In ____ attacks, an attacker forces the victim to submit the attacker's form data to the victim's Web server.

CSRF Web

In ____, attackers illegally use another's credit card for purchasing goods and other services over the Internet.

Credit Crad Fraud

In ____, attackers illegally use another's credit card for purchasing goods and other services over the Internet.

Credit card fraud

____ is a Windows NT/2000/XP file undelete utility that can recover accidentally deleted files.

File Scavenger

Compound Files

Files containing multiple layers of other files.

____ is the willful act of stealing someone's identity for monetary benefits.

Identity Theft

Rule 609

Impeachment by evidence of conviction of crime

Net Commands: Net View

Net view is used to show a list of computers and network devices on the network.

Does Palm restrict access to code and data?

No

Office password recovery tools

Office - Advanced Office XP Password Recovery - Microsoft Office - Word Password Recovery Master - Office Password Recovery Toolbox - Passware Kit - 25 password recovery programs - PstPassword - Outlook - Access PassView - Microsoft Access

POP3 Port

Port 110

Enumeration

Process of extracting User and Group names, Machine names, Network Resources, Shares, and Services, from a system. Conducted in an IntrAnet environment.

Business Records Exception

RULE 803: an Exception to the Hearsay Rule. -The exception allows a business document, to be admitted into evidence, if a proper foundation is laid to show it is reliable.

Which is typically the largest list of password hashes?

Rainbow tables

Least Significant Bit (LSB)

Right-most bit of a pixel. Message is broken up and inserted into the least significant bit of each pixel in a deterministic sequence

Promiscuous Client

Rogue access point that forces user to connect to an unsecured network.

Client Mis-Association

Rogue access point that lures clients to connect, and bypasses network security

Task List Commands: tasklist /u

Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.

Steganogrphic tool used to hide multple applications in an image.

S-Tools

Where are Windows passwords stored?

SAM and Active Directory

Which of the following devices allow a forensic investigator to copy a suspect hard drive to a clean hard drive very quickly?

SATA ports

____ cards are used primarily in digital cameras, particularly those made by Olympus and Fujifilm, developers of the format.

SD

LinkMASSter-2 uses write protection and supports MD5, CRC-32, and ____ hashing to ensure data integrity.

SHA-1

Recycled files on the NTFS system are categorized into directories named as C:\RECYCLER\S-...., based on the user's Windows ____.

SID

Techniques to locate and recover image files

Salvaging. Carving.

HKEY_LOCAL_MACHINE\SAM supports what?

Sam, Sam.log, Sam.sav (SAM stands for Security Accounts Manager. It contains Windows passwords)

Authentication attack

Steal identity of Wi-Fi clients (login credentials, personal info, etc) and Spoofing authentication packets.

Methods to Bypassing BIOS passwords

Use the manufacturers backdoor password. Password cracking Software, Resetting CMOS using jumpers. Remove the CMOS battery for 10 minutes. Use a professional Service. Overload the keyboard buffer.

In what format can video be stored on an iPod? - MPEG-4 and H.264 - unprotected WMA - WAV

Video can be stored as .m4v (H.264), .mp4 (MPEG-4) and unprotected WMA on Windows.

Tracing Back

View Header. Find originating mail server. Obtain server log files. obtain Internet Domain Information.

What are two ways to view running processes on Windows?

View Windows processes in TaskManager or by typing tasklist from the command prompt

A ____ is a software program written to change the behavior of a computer or other device on a network, without the permission or knowledge of the user.

Virus

What does Visual TimeAnalyzer do? - Automatically tracks computer usage - Manually tracks computer usage - Presents detailed reports

VisualAnalyzer automatically tracks all computer usage and presents detailed illustrated reports

____ evidence is evidence that can easily be lost during the course of a normal investigation.

Volatile

What are questions to consider before beginning a forensic investigation involving PDAs?

What kind of investigation needs to be done? How should the PDA be handled? Can critical data on the PDA remain secure during examination?

The Linux ____ command can make a bit-stream disk-to-disk copy or a disk-to-image file.

dd

Which dd command is used to make a complete physical backup of a hard disk?

dd if=/dev/hda of=/dev/case5img1

Which statement is used to see the contents of the MBR?

dd if=/dev/hda of=mbr.bin bs=512 count=1

Which file system runs on FAT32?

iPod sync'd to Windows

What are two commands to obtain network information?

netstat -ano & netstat -r (* netstat -ano shows active connections including protocol, local address, foreign address, state and PID * netstat -r shows the routing table * netstat -b displays the executable involved in creating the connection * netstat -v is used in conjunction with -b to show sequence of components involved)

When acquiring electronic evidence at scene of crime it is best not to:

shut down the computer

Chain of Custody

"Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer between sender and receiver, analysis, and disposition of physical or electronic evidence."

Client mis-association

"Client Mis-association can be accidental, deliberate (for example, done to bypass corporate firewall) or it can result from deliberate attempts on wireless clients to lure them into connecting to attacker's Access Point."

Cross-Site Request Forgery (CSRF) Attack

"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. An end-user may want to log out of the site and clear their browsers cookies at the end of the session."

Cross-Site Scripting (XSS) Attack

"Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user."

DNS Redirection

"DNS redirection is the controversial practice of serving a Web page to a user that is different from either the one requested or one that might reasonably be expected, such as an error page."

Raid Levels: RAID 1

"Disk mirroring, also known as RAID 1, is the replication of data to two or more disks. Disk mirroring is a good choice for applications that require high performance and high availability such as transactional applications, email, and operating systems."

Ext3

"Ext3 or third extended file system, is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions."

Directory Traversal Attack

"Aims to access restricted files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. It can be identified by several forward slashes such as //////////////////."

Computer crimes include what?

- Fraud via manipulation of computer records - Performing vulnerability assessment for a client - Spam - Deliberate avoidance of computer security systems - Unauthorized access - Unauthorized modification of software

What else do computer crimes include?

- Intellectual property theft - Industrial espionage by means of access to the computer - Identify theft - Spreading viruses or worms - Authorized penetration testing - Denial of Service or DDoS

Linux password recovery tools

- John the Ripper - DJohn

LossLess

- no data loss when image is copied.

What directory is used to store commands needed for system operability?

/bin

In Linux, files that are deleted using the command ___ remain on the disk

/bin/rm

Order of Volitility

1. Registers, Cache. 2. Routing and Process tables, Kernel Statistics and memory. 3. Temporary File Systems. 4. Disk or other storage media. 5. Remote logging and monitoring data. 6. Physical configuration and topology. 7. Archival Media and Backups.

Tracks numbering on a hard disk begins at 0, typically reaching a value of ___________.

1023

How many bytes per kilobyte?

1024 bytes/kb

Unix password recovery tools

- Crack

802.11b

11Mbps, 2.4 GHz

What kind of keyboard does the Blackberry have?

QWERTY

What command can be used to examine patches in the computer? - /dev/mem or /dev/kmem - version - show patch

/dev/mem or /dev/kmem command can be used to examine patches

Bad Cluster

"Is a sector on a computer's disk drive or flash memory that is either inacessible or unwriteable due to permanent damage, such as physical damage to the disk surface or failed flash memory transistors."

Denial of Service (DOS) Attack

"A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet."

Chain of Custody

"A method for documenting the history and possession of a sample from the time of collection, though analysis and data reporting, to its final disposition."

Net Commands: Net File

"Displays the names of all open shared files on a server and the number of file locks, if any, on each file."

Steganography Techniques: Spread Spectrum Technique

"There are two types of spread spectrum techniques, direct sequence and frequency hopping. In direct sequence, the stream information to be transmitted is divided in small pieces, each of which is allocated to a frequency channel spread across the spectrum. Frequency hopping is when a broad slice of the bandwidth spectrum is divided into many possible broadcast frequencies."

Where is the startup-configuration file for a Cisco router?

NVRAM

SSID

Name of a wireless network.

How does the SAM file store the password?

Name, UserID, LM Hash, NTLM Hash.

During a Linux boot sequence, the file that controls initialization is ____.

/etc/inittab

What files must be changed for remote logging?

/etc/rc.d/init.d/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" /etc/sysconfig/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" /etc/services files. Syslog 514/udp After the three files have been changed, the administrator must run /sbin/service syslog restart

What directory is used to store libraries?

/lib

What directory is used to store commands for booting, repairing aor recovering the system?

/sbin

Default path for Apache Web Server Logs, on a Linux based machine?

/user/local/apache/logs

If the examiner wants to disable the auto save function in EnCase, what value would they place in the auto save field?

0 Placing a value of "0" in the auto save field in the options dialog will disable the auto save function of EnCase.

Once the scene has been secured, the next step should be:

Photograph the machine.

How many entrances should there be to a computer forensics laboratory?

1

Which of these statements are true regarding 18 U.S.C. 2318? - Trafficking in counterfeit computer programs - Trafficking in counterfeit motion pictures - Trafficking in child porn

1 & 2: 18 U.S.C. 2318 involves trafficking in counterfeit phone records, computer programs, motion pictures, audio visual works or computer program documentation

Which are true about EasyRecovery? - Repairs and restores corrupt or inaccessible Microsoft Office and Zip files - Includes EmailRepair - Disk imaging

1 & 2: EasyRecovery does not do disk imaging

What directory is used to store devices for terminals, disks...

/dev

What command can be used to examine patches in the computer?

/dev/mem or /dev/kmem

What are legal points an investigator should keep in mind?

- State statutes and local laws - Federal statutes such as Electronic Communications Privacy Act of 1986 (ECPA), Cable Communications Policy Act (CCPA), Privacy Protection Act of 1980 (PPA) and US Patriot Act of 2001 - Scope of the search

In order to recover the IMEI number of the device to establish the identity of the device owner. You would key in the following:

*#06#

The IEMI number for a GSM device can be obtained by pressing what key combination?

*#06#

What directory is used to store commands needed for system operability? - /bin - /dev - /etc

** /bin - commands needed for minimal system operability ** /dev - devices for terminals, disks... /etc - critical startup and configuration files /lib - libraries /sbin - commands for booting, repairing aor recovering the system

Which range of HTTP Status Codes reveals client error status? - 100-101 - 200-206 - 300-307 - 400-416 - 500-505

**HTTP Status Codes 400-416 - Client Error Status Codes ** HTTP Status Codes 100-101 - Informational Status Codes HTTP Status Codes 200-206 - Successful Status Codes HTTP Status Codes 300-307 - Redirection Status Codes HTTP Status Codes 500-505 - Server Error Status Codes

HTTP, POP3, FTP, Telnet password recovery tools

- Brutus

Which are true about Evidor? - Search text on hard disks and retrieves the context of keyword occurrences on computer media - Examines entire allocated space including swap space, hibernate files and unallocated space on hard drives - Local and remote hard disks

1 & 2: Evidor cannot access remote networked hard disks

4 reasons for increase of computers in criminal activity?

1. Expense 2. Speed. 3. Anonymity. 4. Fleeting nature of digital evidence.

Steps to Investigating a computer crime

1, Determine an incident has occurred. 2. Find/ Interpret clues. 3. Preliminary assessment and Search for evidence. 4. Search and Seize computer equipment. 5. Collect Evidence.

From this IIS log file, identify the service status code192.168.100.150, -, 03/6/11, 8:45:30, W3SVC2, SERVER, 172.15.10.30, 4210, 125, 3524, 100, 0, GET, /smile.gif,

100

The iPhone has a solid state NAND flash memory configured with two partitions by default. Choose the best description for these two default partitions.

300 MB root partition with OS, preloaded applications. Read-only and stays in the original factory state for the life of the iPhone, User partition mounted as /private/var

There are various types of Memory Sticks, with capacities ranging from 4 MB to ____ GB

32

ESN Number - Electronic Serial Number

32 bit hex identifier number. 8-14 bits Manufacturer. Remaining - Serial Number. CDMA

Resolution

Sharpness of image for printers, monitors and bit-maped images.

Sector

Smallest Physical storage unit. 512 bytes.

What is the proper order of volatility: A. Registers and cache B. Routing tables C. ARP cache D. Process table E. Kernal statistics and modules B, C, A, D, E A, B, C, D, E C, A, D, B, E

A, B, C, D, E The order of volatility is: A. Registers and cache B. Routing tables C. ARP cache D. Process table E. Kernal statistics and modules

According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the first five in random order. Choose the answer that puts these steps in the proper order. A- Do not turn off computer equipment, run programs or access data B- Identify type of data being sought and urgency of examination C- Secure relevant media D- Once machine is secured, obtain information about the machine, any peripherals and the network, if attached E- Suspend automated document destruction and recycling policies

A, C, E, B, D

According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the first five in random order. Choose the answer that puts these steps in the proper order. A- Do not turn off computer equipment, run programs or access data B- Identify type of data being sought and urgency of examination C- Secure relevant media D- Once machine is secured, obtain information about the machine, any peripherals and the network, if attached E- Suspend automated document destruction and recycling policies A, C, E, D, B A, C, E, B, D C, E, B, D, A

A, C, E, B, D According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. A- Do not turn off computer equipment, run programs or access data C- Secure relevant media E- Suspend automated document destruction and recycling policies B- Identify type of data being sought and urgency of examination D- Once machine is secured, obtain information about the machine, any peripherals and the network, if attached

Cellular phones with PDA functionality are called ____.

Smartphones

Blackberry OS 4.7, the newest version, supports which of the following?

AJAX and CSS 1 GB on board memory and 128 MB flash memory High-capacity slim 1500 mAh battery Tri-band UMTS: 2011/1900/850 3.6 Mbps HSDPA WiFi (802.11a/b/g) GPS Quad-band GSM/GPRS/EDGE Music synchronization Clock application

Palm OS is an embedded operating system originally based on the Motorola DragonBall MC68328 family of microprocessors. Newer devices use what?

ARM architecture-based StrongARM and XScale microprocessors

What command can be used to display the mappings between different layers of the network architecture? - RARP - MAC - ARP

ARP command can be used to display the mappings between different layers of network architecture

What kind of attack is a Key Logger?

Active Online Attack

What does HKEY_CURRENT_USER contain?

Active, loaded user profile for currently logged-on user

What are the two examples of mobile synchronization software?

ActiveSnyc and HotSync

A ____ is defined as the average packet rate of data packets with similar packet header information

Activity Profile

A(n) ____ is defined as the average packet rate of data packets with similar packet header information.

Activity Profile

ARP Table Commands: arp -s

Add the host and associates the IP Address with the physical address

Which registry key is NOT accessed and parsed when a user logs into a system? 1) HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Runonce 2) HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\PoliciesExplorer\Run 3) HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run 4) HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\Run 5) HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run 6) HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce 7) All of the above are parsed when a user logs into a system

All of the above are parsed when a user logs into a system. (Run means the values in this key execute at system startup Runonce means the values in this key execute once at system startup then they are deleted)

iPods can be customized. They can be configured as an external hard drive or used to execute custom scripts. What can criminals do with an iPod? - Spread viruses and Trojans - Store and distribute illegal images and videos - Distribute contact information of other criminals - Keep records of crimes including date and time - All of the above

All of the above: Criminals can use iPods to spread viruses and Trojans, store and distribute illegal images, keep records of crimes and distribute contact information of other criminals.

Which of the statements is true about the Mac OS? - Based on BSD Darwin engine - Startup items in /System/Library/StartupItems or /Library/StatupItems - uses .hidden to maintain a list of hidden files - All of the Above

All the above: The MAC OS is based on BSD Darwin engine Startup items in /System/Library/StartupItems or /Library/StatupItems Uses .hidden to maintain a list of hidden files

Which statements are true regarding EnCase? - Evidence can be viewed in table, gallery, timeline or report formats - Cases group information - Evidence data can be view as text, hex or picture

All the above: EnCase organizes evidence into cases. Evidence can be viewed in various formats.

What does HKEY_USERS hive contain?

All users profiles

What does an E icon designate on the iPhone? - third-generation network - WiFi - EDGE network

An E icon shows EDGE network connection. 3G shows third-generation network. Radiating signal bars show WiFi connectivity.

Real-Time Analysis

Analysis that is performed on a continuous basis; with results gained in time to alter the run-time system. Ongoing process.

Choose the volunteer organization focused on issues related to child exploitation, online predators and child pornography. - Innocent Images National Initiative (IINI) - Internet Crimes Against Children (ICAC) - Project Safe Childhood (PSC) - Anti-Child Porn.org (ACPO)

Anti-Child porn.org is a volunteer organization focused on issues related to child porn.

Email Client

Application that allows the user to send and receive email. Outlook (stand alone). Hotmail (Web based).

What are the layers of the OSI model?

Application, Presentation, Session, Transport, Network, Data Link, Physical

The ___ Attempts to eliminate driscrimination involving sexual harassment in the workplace, educational itstitutions and other public places

Australian Sex Discrimination Act of 1984

A(n) ____ is the use of the correct username and password for a particular site.

Authenticated cookie

Vulnerability analysis or ____ is the process of identifying technical vulnerabilities present in computers and networks.

Assesment

Roles of an expert witness in presenting evidence to court

Assist the court in understanding complex evidence. Help the attorney to get the truth. Honestly and fully express his or her expert opinion, without regard to any views.

NTP - Network Time Orotocol

Assures synchronization of clock times, to the millisecond, across a network. Built over TCP/IP.

How many keys does asymmetric encryption have? - 1 - 2 - 3

Asymmetric encryption has a public key and a private key

____ is the first line of defense for verifying and tracking the legitimate use of a Web application.

Authentication

Watermarking is used to facilitate which of the following?

Authentication of the author, Monitoring copyright material, Supporting fingerprint applications, Supporting data augmentation, Automatic audits of radio transmissions

How to maintain Log File authenticity.

Authenticity can be proven if they are Unaltered from the time they were recorded. -Move logs off of compromised server ASAP. -Move logs to Master Server and then to Secondary Secure storage (Archive) backup.

Computer crimes include all but which of the following? - Intellectual property theft - Industrial espionage by means of access to the computer - Identify theft - Spreading viruses or worms - Authorized penetration testing - Denial of Service or DDoS

Authorized penetration testing is NOT a computer crime. Computer crimes include: - Intellectual property theft - Industrial espionage by means of access to the computer - Identify theft - Spreading viruses or worms - Authorized penetration testing - Denial of Service or DDoS

What is the Index.dat file used for?

AutoComplete & Redundant information such as visited URLs, search queries, recently opened files (* Index.dat is used for redundant information such as AutoComplete information. * Index.dat can be found in the History folder for Internet Explorer)

From ECcouncil definitions: Which of the following approaches checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields?

Automated field correlation approach

Residual Data

Data stored on a computer. in unassigned storage space, after it is deleted.

Electronic Communications Privacy act (ECPA) classes of information:

Basic subscriber information, Records or Information pertaining to customer or subscriber. Contents in USC 2510

E-mail is a term derived from the phrase electronic mail.

True

Why must a forensic investigator identify the type of device being investigated?

Because devices can be modified by changing logos or modifying the OS

What are the four steps that the Blackberry uses to receive email? Blackberry Enterprise Server (BES)

BES monitors user mailbox. When new message arrives, BES picks it up. Message is compressed, encrypted and sent over internet to Blackberry server Message is decrypted on users Blackberry device. Message is unreadable by any other device, including other Blackberry Server decrypts, decompresses and places email into Outbox. Copy of message put in Sent Items folder

Which statements are true regarding the BIOS password? - BIOS manufacturers do not provide a backup password in case the password is lost - BIOS will lock the system completely if the password is typed wrong three times - The BIOS password for Dell is Dell - The BIOS password for Compaq is central

BIOS manufacturers do provide backdoor passwords in case the BIOS password is lost. The Dell password is Dell and the Compaq password is Compaq. The Epox password is central. BIOS will lock after three invalid password attempts.

Which statements are true regarding the BIOS password?

BIOS will lock the system completely if the password is typed wrong three times, The BIOS password for Dell is Dell

____ is an application that helps in recovering corrupted or lost data fully from floppy disk, CD, CD-R, CD-RW, digital media, and Zip drives or disks.

BadCopy Pro

What refers to the width of the range of frequencies that an electronic signal uses on a given transmission medium?

Bandwidth

Which files are automatically displayed when a mail file is mounted?

Base 64, and UUE, encoded files

Before starting the investigation what are two important things to consider? - Crime scene technician capable of analyzing and acquiring a variety of evidence should be on the team - Crime scene analyst should be employed by the police or FBI - A forensic lab should be equipped with forensic tools required for the investigation

Before starting the investigation it is important to consider the following: - Crime scene technician capable of analyzing and acquiring a variety of evidence should be on the team - A forensic lab should be equipped with forensic tools required for the investigation

What does the Blackberry Attack Toolkit contain? - BBProxy and BBScan - Nmap port scanner - Metasploit patches to exploit web site vulnerabilities

Blackberry Attack Toolkit includes BBProxy, BBScan and Metasploit patches to exploit web site vulnerabilities. BBPRoxy allows the attacker to use a Blackberry as a proxy between the internet and the internal network. Attacker installs BBPRoxy on Blackberry or sends as email attachment. Once activated, it creates a covert channel between the attacker and the compromised host. BBScan is a port scanner that looks for open ports on the Blackberry.

Where are private encrypted keys stored on the Blackberry? - Object store - File system - Mailbox

Blackberry private encrypted keys are stored in the user's secure mailbox (Microsoft Exchange, IBM, Lotus, Domino, or Novell Groupwise)

What type of security does the Blackberry use? - RSA - 3DES - AES

Blackberry uses 3DES and AES. Blackberry security meets US military requirements.

What is the next-generation optical media patented by Sony?

Blu-ray

Disabling or Active Attacks against steganography.

Blur - Softens transitions and averages pixels, Noise- injects randome color pixels to an image. Noise Reduction-adjusting colors and averaging the pixel values. Sharpen- Increase contrast between adjacent pixels. Rotate- move image around a central point. Resample- raggedness while expanding image is reduced. Soften- uniform blur that softens edges and decreses contrast.

Sending large volumes of email to a single address in an attempt to overflow the mailbox, it is called:

Bombing

What item in a forensic lab holds all the reference books, articles, and magazines that an investigator would need in the course of an investigation?

Bookrack

What is true about BootX?

BootX is the default boot loader for Mac OS X

Which statement is true about BootX? - BootX is the default boot loader for Mac OS X - BootX cannot load kernals from HFS+, HFS, UFS, ext2 or TFTP - BootX is similar to BIOS

BootX is the default boot loader for Mac OS X. BootX can load kernals from HFS+, HFS, UFS, ext2 or TFTP

Windows Event Log will be reported as corrupt when what occurs?

Critical header and footer fields out of sync and file status is not 0x00 or 0x08

Phase of questioning by opposing counsil, following direct questioning.

Cross Examination.

Where are cookies housed in Internet Explorer and Mozilla Firefox?

C:\Documents and Settings\username\Cookies\ , ASCII file named history.dat , \Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\random text

Which folder are EnCase modules stored in?

C:\Program Files\Encase6\certs

On a FAT drive, deleted files are stored in the location

C:\RECYCLED

____ is a software solution that allows different law-enforcement agencies to collaborate. It also provides investigators with a set of software tools they can use when investigating child pornography.

CETS

Reg.exe

CMD tools for accessing and managing the registry

SafeBack ensures data integrity using ____.

CRC-32

Rule 614

Calling and interrogation of witnesses by court

Volatile Data

Can be modified, rapidly.

Laws pertaining to email

Can-Spam Act 18USC 2252A - Sending Child pornography 18USC 2252B - Obscene or offensive with misleading domain name. RCW 19.190.020- Washington state law for email crime.

According to the National Institute of Justice (2004), there are several steps to acquiring subject evidence.

Capture electronic serial number of the drive or other user-accessible, host-specific data, Account for all space on storage media, Use appropriate tools to obtain evidence such as duplication software, forensic analysis software, and dedicated hardware devices, Correlate, sector-by-sector, the values in the evidence and the backup

_________ is a process in which many web sites write binary log data.

Centralized binary logging

How does Lossy Compression work?

Certain amount of data is lost (integrity not maintained). Never used with Business data or Text files. Vector Quantization.

How is memory arranged on the Palm OS? - RAM and ROM are on the same memory module - RAM is on one module and ROM on another - PIM card

Certain applications are stored in ROM and user data and other applications are stored in RAM. There are add-on utilities available on ROM used to back up Personal Information Management (PIM) data. Both RAM and ROM are on the same memory module, known as a card.

What is a first step in repairing a corrupt Windows event log?

Change offset 36 to 0x08

What are two registry settings that could impact a forensic analysis and investigation?

ClearPageFileAtShutdown & DisableLastAccess (* ClearPageFileAtShutdown - tells the OS to clear the page file when the system is shut down. This will clear virtual memory in the swap file. * DisableLastAccess - disables updating of the last access times on files so the timestamp might not be accurate)

What are two registry settings that could impact a forensic analysis and investigation?

ClearPageFileAtShutdown and DisableLastAccess

IIS format

Client IP, Username, date, time, service/ instance, server name, server IP, Time taken, client bytes, Server bytes, SCV code, Windows code, request type, target of operation, parameters passed.

The iPhone OS ____ layer consists of UI Kit and Foundation frameworks, which provide the user with tools for implementing graphical and event-driven applications.

Cocoa Touch

In a(n) ____ attack, when a user sends any application to the server, an attacker hacks the application and adds malicious code.

Code Injection

What are the requirements for evidence to be admissible in court? - Competent - Relevant - Maternal - Material

Competent, Relevant & Material Federal Rules of Evidence Rule 402 states that all relevant evidence is admissible. Evidence must be competent and material. Rule 401 defines relevant as any evidence having a tendency to make the existence of any fact that is of consequence to the determination of the action more or less probable than it would be without the evidence. The Frye standard says that the scientific technique must be generally accepted in the field before the results of said technique can be admitted.

If you unsuccessfully tried three PIN numbers which blocked the SIM card. What can you do to reset the PIN and access SIM data?

Contact the network operator for Personal Unlock Number

Which statements are true about Word documents?

Contain past revisions and last 10 authors and Compound documents based on OLE

HKEY_LOCAL_MACHINE

Contains the majority of the configuration information for the software / hardware you have installed and for the OS itself.

What is true about syslog?

Controlled on per-machine basis with /etc/syslog.conf, Local and remote log collection, Facility, level and action are included, Audit mechanism used by Linux

UTC

Coordinated Universal Time. UTC is the standard used for all timekeeping applications, the reference time used for calculating all other time zones. In the United States, the national standard for time-of-day is UTC (NIST), the coordinated universal time maintained by the National Institute of Standards and Technology (NIST). See also GREENWICH MEAN TIME (GMT), ZULU TIME.

Backup Data

Copy of system data, used for the recovery process.

What issue might you encounter when recovering images?

Copyright laws.

Indications of a Web Based Attack.

Customers denied access to information or Services. Legitimate web page being redirected to an unknown website. Slow Network Performance. Anomalies found in Log Files.

Grill Cipher

Cutting holes in a template and lining them up with text.

____ is any ominous or improper behavior where cyber criminals use the Internet and other communication methods to victimize people.

Cyber STalking

____ is the use of information technology to tease or intimidate individuals, usually minors, causing them harm.

Cyberbullying

What is the definition of cybercrime? - Cybercrime means any illegal act that involves a computer or the systems and applications associated with it - Cybercrime is the same as identity theft - Cybercrime is any illegal act that involves a criminal using a computer

Cybercrime means any illegal act that involves a computer or the systems and applications associated with it

What is the definition of cybercrime?

Cybercrime means any illegal act that involves a computer or the systems and applications associated with it.

What best defines a Portable Executable (PE)?

Data structure for Windows OS loader to manage wrapped executable code Format for executables, object code and DLLs used in 32- and 64-bit versions of Windows

Fragile Data

Data temporarily saved to the hard disk and can be changed. (i.e. time stamps, access times...)

Static data.

Data that remains unchanged after shutting down.

Active Data

Data used for daily operations.

Difference between Frye & Daubert

Daubert provides a set of criteria for determining whether scientific testimony is admissible; Frye is more general

(../) sequences and their variations as an attack are referred to as

Directory traversal

Tracking user logon activity via Audit Event ID's: 531

Disabled Account

What tools can read CSI Stick and Device Seizure acquisition files? - DS Lite - Device Seizure - PDA secure

DS Lite can read CSI Stick and Device Seizure acquisition files. CSI Stick is a portable cell phone forensic and data gathering tool that looks like a USB memory stick.

Steganalysis

Discovering and Rendering covert messages, using steganography.

The ___ feature of the image MASSter Solo- 3 software can be used to hide and protect part of the drive from the operating system and file system

DCO

The ____ feature of the Image MASSter Solo-3 software can be used to hide and protect part of a drive from the operating system and file system.

DCO

A ____ attack is a DoS attack where a large number of compromised systems attack a single target.

DDos

The ____ is a semitrusted network zone that separates the untrusted Internet from the company's trusted internal network.

DMZ

____ is a service that translates domain names (e.g., www.eccouncil.org) into IP addresses (e.g., 208.66.172.56).

DNS Domaine Name Service

Which tools calculate MD5 and SHA1 hash values? - SIM Card Seizure - Hunt - DS Lite

DS Lite and SIM Card Seizure calculate MD5 and SHA1 hash values

ARP Table Commands: arp -d

Delete the host specified by the IP Address

Cybercrime

Deliberate acts, using a computer, to Commit or Facilitate a crime.

What is a DoS?

Denial of Service, a means for making a computer unavailable to users.

How many partitions does the iPod have?

Depends on the operating system used to sync

How many partitions does the iPod have? - 2 - 3 - Depends on the operating system used to sync

Depends: If the iPod syncs with Windows, the iPod file system has two partitions. However, if it syncs with MacIntosh then there will be three partitions. The extra partition in the MacIntosh version is necessary due to the HFS+ file system. This system has a resource fork and data fork.

Medical and Psychological Experts

Describe process of examining the victim. Physicians, PA's and nurses.

3 types of Metadata.

Descriptive. Structural. Administrative.

Which are true about FAT12?

Designed for floppy disks

Where should a forensic investigator look to find steganography?

Determine filenames and websites visited by viewing cookies or internet history. Look in the registry.Inspect the suspect's mailbox, chat or IMS logs. Check softare not normally used such as binary or hex editors, disk-wiping software... Multimedia files

What else is NOT part of forensic readiness planning?

Develop a plan to investigate team members

Choose the true statements about SIMPLE: - Developed by Australian university students using Linux Live CD - Customized kernal and OS so it is impossible to write to the hard disk - Will only launch on Windows

Developed by Aussies, live CD. Customized Kernal: SIMPLE launches from a CD

Choose the true statements about SIMPLE:

Developed by Australian university students using Linux Live CD, Customized kernal and OS so it is impossible to write to the hard disk

This tool examines cell phone and PDA data. It is capable of command-line acquisition, deleted data recovery, full data dumps, logical and physical acquisitions of PDAs, data cable access, and advanced reporting.

Device Seizure

TACC 1441

Device for cracking passwords using multiple GPU's.

UFED

Device for extracting data from mobile phones.

What is obtained when the computer is powered on? There may be a number of systems having the same address.

Dynamic address

What are types of MAC address?

Dynamic, Configurable, Static

The file De5.jpg is in the Recycler. What drive was the file deleted from.

E:\ Dxy.ext. x= the drive. Y= Sequence Number (SID)

EC-Council identified thirteen steps for evaluating a case. One of these steps involves assessing skill levels of users. Why is this important? - Because criminal always try to hide information - To determine how they might delete or conceal evidence - To profile them

EC-Council identified thirteen steps for evaluating a case. One of these steps involves assessing skill levels of users. Assessing skill levels is important to determine how users might delete or conceal evidence

EC-Council identified thirteen steps for evaluating a case. One of these steps involves sending any ______________________ to ISP or other storage provider to make sure evidence is not destroyed. - Chain of custody - Request for assistance - Preservation orders

EC-Council identified thirteen steps for evaluating a case. One of these steps involves sending any preservation orders to ISP or other storage provider to make sure evidence is not destroyed.

What is the key concept of Enterprise Theory of Investigation (ETI)? - Holistic approach used by FBI to look at any criminal activity as a piece of a criminal operation rather than a single criminal act. - Approach used by FBI where each crime is considered unique and isolated - Approach by FBI where criminal activity is investigated

Enterprise Theory of Investigation (ETI) is a holistic approach used by FBI to look at any criminal activity as a piece of a criminal operation rather than a single criminal act.

The process of discovering usernames, machine name, network resources, shares, and services available on a network is?

Enumeration

____ is the process of gathering information about a network that may help an intruder attack the network.

Enumeration

How does a network intruder enter a system?

Enumeration, Vulnerabilities, Viruses, Trojans, Email infection, Router attacks, Password cracking

Choose USA sexual harassment laws: - Equal Protection Clause of the 14th Amendment - Civil Rights Act of 2011 - Civil Rights Act of 1991 - 1964 Civil Rights Act, Title VII

Equal Protection Clause of the 14th Amendment Civil Rights Act of 1991 1964 Civil Rights Act, Title VII

What are the USA sexual harassment laws:

Equal Protection Clause of the 14th Amendment, Civil Rights Act of 1991, 1964 Civil Rights Act, Title VII

Which of the following are iPod and iPhone Forensics tools?

Erica and EnCase

Which of the following are iPod and iPhone Forensics tools? - Erica - EnCase - Wireshark

Erica and EnCase are iPod and iPhone forensics tools. Erica has some useful utilities: abquery - search address book by name appLoad appSearch - searchs App Store from command line using a simple query deviceInfo - queries iPod or iPhone for device attributes findme - returns physical location latitude and longitude in XML EnCase extract deleted information to devices that were restored to factory settings recover deleted files

_____ headers specify an address for mailer-generated errors?

Errors-To header

Operating System Log

Event Logs - operational actions. Audit Logs- Security Events. -used to identify or investigate suspicious activities.

Which statements are true regarding EnCase?

Evidence can be viewed in table, gallery, timeline or report formats, Cases group information, Evidence data can be view as text, hex or picture

Spectrum Analysis

Examination of a WiFi radio transmission to: Measure Amplitude or signals and RF pulses. Air Quality. Identify sources of interference. Wireless attack detection.

Dr. Nelson is a technical expert with a PhD in computer science along with several important computer certifications. She has spoken about computer science in many venues around the world and written a book on the subject. Suppose Dr. Nelson has been asked to be a witness, what type of witness is Dr. Nelson?

Expert

Witness who by virtue of Education, Training, or experience, has special knowledge beyond that of an average person, to the level that others may legally depend on his or her opinion.

Expert

In additional to special tools, what is another means of data acquisition from a PDA?

Exploit vulnerabilities such as weak authentication or buffer overflow (due to misconfigured network services or protocols) Use password cracking tools like Hydra or Cain and Abel Use backdoor's supplied by manufacturer Extract data from memory chips independently of the device Reverse engineer the OS

In additional to special tools, what is NOT another means of data acquisition from a PDA? - Exploit vulnerabilities such as weak authentication or buffer overflow (due to misconfigured network services or protocols) - Use password cracking tools like Hydra or Cain and Abel - Use backdoor's supplied by manufacturer - Extract data from memory chips independently of the device - Use a PDA sniffer - Reverse engineer the OS

Exploiting vulnerabilities or using manufacturer's backdoors may lead to access of a PDA device.

What is the table of functions called that DLLs maintain?

Export

Types of Wireless Networks

Extension, Multiple access points, LAN to LAN, 3G hotspots.

Where are deleted files from a FAT system stored?

FAT - Drive:\Recycled .

What type of scan sends FIN flag?

FIN

What pertains to federal information security?

FISMA (Federal Information Security Management Act)

Spread-spectrum encoding encodes a wide-band signal into a small-band cover

False

Master Boot Record (MBR

First sector of a data storage device. (Location, size, other important data)

The master boot record (MBR) resides at the ____ sector.

Fisrt

The classic iPods use hard drives to store data, but newer versions, such as iPod Nano, iPod Shuffle, and iPod Touch store data differently. How do they store it?

Flash Memory

TIFF - Tagged Imafe File Format

Flexible, Platform independent. Extendable to new image types. Portable. Revisable. If more than one IFD present, There is more than one image.

The goal of a(n) ____ attack is to degrade the performance of the network by directing unnecessary packets of data toward it.

Flooding

Postmortem Analysis

Forensic Analysis of logs, done for something that has already happened. Files have already been captured.

First response to an incident may not be a forensics expert. Of the people listed here which is best capable of collecting, preserving, and packaging electronic evidence?

Forensic staff

18 US Code 1029

Fraud and related activity in connection with access devices

18 USC 1029

Fraud and related activity in connection with access devices

18 US Code 1030

Fraud and related activity in connection with computers

18 USC 1030

Fraud and related activity in connection with computers

Slack Space

Free space on a cluster.

What steganography methods are used in audio files?

Frequencies inaudible to human ear, LSB, Substitution

The EnCase ____ search utility enables the investigator to search for information with a known general format, such as any telephone numbers, credit card numbers, network IDs, logon records, or IP addresses, even when the specific number is not known.

GREP

Windows CE OS contains GWES. What does GWES stand for? - Graphics Windows and Error Systems - Graphics, Windowing and Events Subsystem - Graphics, Windows and Entertainment Systems

GWES stands for Graphics, Windowing and Events Subsystem. it provides the interface between the user, application and OS. It has two components: GDI which draws graphics, text and images and user component for messaging events, keyboard input and mouse

What are some pitfalls of network evidence collection?

Gaps in evidence, Other nations may be involved creating legal and political challenges, Logs change rapidly and some information may be lost before permission is granted to analyze the log, Logs may be housed at ISP which requires special permission (such as a warrant) to view

Will record of failures or security breaches on the machine creating logs impeach the evidence?

Generally, yes

Vector image

Geometrical primitives (points, lines, curves, polygons) based on mathmatical equations, used to represent an image. Indefinitely zoomed without loss in quality. Moving, Scaling and rotating do not affect the quality of the image.

Windows CE OS contains GWES. What does GWES stand for?

Graphics, Windowing and Events Subsystem

For an iPod that was initially set up on a Macintosh based computer, what type of file system will it have?

HFS+

iPods formatted with Mac computers use Apple's ____ file system, while those formatted on Windows use the FAT32 file system.

HFS+

Which registry hive contains information about which applications are associated with various file extensions?

HKEY Classes Root

Which registry key or subkey does NOT identify a USB device?

HKEY_LOCAL_MACHINE\Hardware\USB

You can find the SIDs in Windows registry editor at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion \ProfileList

Some events are recorded by default. Others are recorded based on the audit configuration in the PolAdEvt registry key. Other aspects are maintained in what registry key?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Event Log

What Windows XP (or above) registry key can be changed to hex value 0x00000001 to block write access to any USB storage device?

HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies

What Windows XP (or above) registry key can be changed to hex value 0x00000001 to block write access to any USB storage device? - HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies - HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\USBPolicies - HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\WriteBlock

HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies can be changed to 0x00000001 to write block any USB device. To re-enable write access change this same key to 0x00000000.

When a USB removable storage device is connected to Windows, it is assigned a drive letter. Where does this drive letter show up in the registry?

HKEY_LOCAL_MACHINE\System\MountedDevices

____ is a practice used to obtain illegal access to computer systems owned by private corporations or government agencies in order to modify computer hardware and software.

Hacking

Parts of an email massage.

Header (email origin), Body (Mesage), Signature.

Which tool is a customized distribution of Knoppix Live Linux CD? This tool contains many application dedicated to incident response and forensics.

Helix

Which of the following is true about the swap file?

Hidden file in the root directory called pagefile.sys & Registry path is HKEY_LOCAL_MACHINE_SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management (The swap file can be organized as a contiguous space so fewer I/O operations are required to read and write. It is a hidden file in the root directory called pagefile.sys.)

What is indicated if a TIFF image has more than one IFD (Image File Directory)?

If more than one IFD present, There is more than one image.

Which of the following is true about the swap file?

Hidden file in the root directory called pagefile.sys, Registry path is HKEY_LOCAL_MACHINE_SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Folder Steganography

Hides data in folders. Invisible secrets4

Masking

Hides data using techniques similar to watermarks. Inside visible part of image. NOT hidden in noise of image.

Steganography Techniques: Transform Domain Technique

Hides the message data in the transform space of a signal. Can be commonly used in JPEG's photos.

Spam Steganography

Hiding data in spam or other emails.

____ attacks occur when an attacker injects a small number of bad packets into the router to exploit the network.

Hit and Run

What is the master boot record (MBR) used for?

Holding a Partition table. Bootstrapping an operating system. 32-bit disk signature (optional).

A ____ is a system that is put on a network that has no legitimate function.

Honeypot

What password cracking technique works most like a dictionary attack?

Hybrid attack

What does a good investigative report NOT include? - Adequate supporting data - Acknowledgments - Results and comments - Error analysis - Graphs and statistics - IDS/IPS

IDS/IPS may be too detailed for an investigative report. A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports

Which file contains software update data?

IPSW file

Which file contains software update data? - SysInfo file - DeviceInfo file - IPSW file

IPSW file contains software update data. It is stored in the Library/iTunes/iPhone Software Updates directory

What item is NOT part of forensic readiness planning?

Identifying a crime scene

What occurs immediately after the investigation begins? - Immediate response to preliminary evidence including photographing the scene and marking evidence - Immediately determine the damage from the crime - Immediately call the police

Immediately after the investigation begins, collect preliminary evidence including photographing the scene and marking evidence

GIF uses ____ data compression techniques, which maintain the visual quality of the image.

Lossless

In the USA, the 4th Amendment of the United States Constitution prevents unreasonable search and seizure. What is the basis of a search warrant? - Government regulation - Possible cause - Probable cause

In the USA, the 4th Amendment of the United States Constitution prevents unreasonable search and seizure therefore, probable cause is required to get a search warrant.

This type of DDoS do the attacks usually spoof the originating IP addresses and send the requests at reflectors. - Teardrop - Jolt - Reflective DDoS

In there Reflective DDoS, the attacks usually spoof the originating IP addresses and send the requests at reflectors.

AC Forensics

Inc. provides forensic collection, examination and analysis of electronic evidence as well as email conversion, extraction and document production in various standard review formats

Process register

Includes services, such as calibration inspection and testing, construction management, hardware, and software.

____ contains the colors in RGB, but only the colors used by the image.

Indexed Color

What is FTK's strongest attribute?

Indexing

Enterprise Theory of Investigation (ETI)

Individuals commit crime, to further the Criminal Enterprise (sindicate) itself. Law Enforcement targets and dismantles the entire criminal enterprise.

Jargon code

Information hidden in a special language.

Covered Cipher

Information hidden openly.

Digital Evidence is defined as:

Information of "probative value" that is stored or transmitted in digital form.

Choose one answer naming what the FBI developed as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography. - Innocent Images National Initiative (IINI) - Internet Crimes Against Children (ICAC) - Project Safe Childhood - Anti-Child Porn.org (ACPO)

Innocent Images National Initiative (IINI) was developed by the FBI as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography.

What are the two modes of attack? - Computer attack - Insider attack - External attack

Insider attack and External attack are two modes of attack

Lossless Compression

Is a class of data compression algorithms that allows the original data to be perfectly reconstructed from the compressed data that maintains data integrity.

Cookie Poisoning

Is a process in which an unauthorized person changes the content within a user's cookie file in order to gain access to sensitive information that may be stored in the cookie or on the server for the website that the user is browsing.

Man in the middle Attack

Is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

WPA2

Is more secured then WPA and uses AES-CCMP encryption algorithm

Cluster

Is the smallest logical unit on a hard drive.

A forensics report can be render inadmissible in a court of law if

It is based on logical assumptions about the incident timeline

Vector Quantization

Lossy compression technique. Replaces a block of information with an average value.

Jack, a forensic investigator, believes key evidence is on a PDA device. The PDA has one card in the expansion slot and several more lying on a table. The PDA is in it's cradle. What should Jack do?

Jack should leave the card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags.

This type of DoS attack does the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it.

Jolt

The Linux ____ consists of modular components and subsystems that include device drivers, protocols, scheduler, memory manager, virtual file system, and resource allocator.

Kernal

Which type of cell contains registry key information including offsets to other cells and LastWrite time for the key

Key cell

ActiveSync allows an unlimited number of password attempts. How can an attacker gain access to the password? Choose the easiest method.

Keylogger

____ is completely passive and is capable of detecting traffic from WAPs and wireless clients. It works on both open and closed networks.

Kismet

A ____ is a set of host machines in a relatively contiguous area, allowing for high data transfer rates among hosts on the same IP network.

LAN

Calculate disk capacity, in gigabytes, from LBA.

LBA * Density / 1024/ 1024 / 1024

Audio Steganography methods

LSB coding, Tone insertion, Phase Decoding

___ lossless data compression algorithim that combines the string of same Byte values into a single code word

LZW

What are two boot loaders for Linux?

Lilo and grub (details for each are found using more /etc/lilo.conf, more /etc/grub.conf)

Which file system runs on ext1, ext2, and ext3?

Linux

A ____ is a bootable version of an operating system that is loaded directly into RAM and functions outside and independently of the target computer's operating system.

LiveCD

Which devices can EnCase acquire data?

Local Device and Smartphones

From which devices can EnCase acquire data? - Evidence file (E01), raw image or dd image - Local Device - Smartphones

Local Device, Smartphones: Technically, EnCase would not acquire data from a raw image file or evidence file but these can be viewed in EnCase

In the memtest.exe file, What does the LS value represent?

Local Sector, counted from the start of the partion.

Computer Forensics Expert

Locate and recover information, through electronic discovery, while protecting evidentiary quality.

What are steps to removing the CMOS battery and why remove it?

Locate the battery on the motherboard and carefully lift it from the socket, To remove the battery, shut down the computer and disconnect the power plug, If the CMOS battery is removed and replaced after 20-30 minutes, the password will reset itself

What steps can be taken, to insure that log files accurately describe the activity on a system?

Log Everything. Use Multiple sensors. Synchronize times. Avoid missing logs.

Which are true about MD5?

MD5 produces 128-bit hash value (SHA-1 produces 160-bit has value). MD5 is used to check data integrity. MD5 is typically expressed as a 32-digit hexadecimal number

Which are true about MD5? - Produces 128-bit hash value (SHA-1 produces 160-bit has value) - Used to check data integrity - Typically expressed as a 32-digit hexadecimal number - suitable for SSL certificates and digital signatures

MD5 produces 128-bit hash value (SHA-1 produces 160-bit has value). MD5 is used to check data integrity. MD5 is typically expressed as a 32-digit hexadecimal number

____ is the intentional act of sending multiple copies of identical content to the same recipient.

Mail Bombing

MTA - Mail Transport Authority

Mail Server

When computers start communicating without human intervention they can create a flurry of junk mail, often sent by accident, called a ____.

Mail Storm

An e-mail client, also known as a ____, is a computer program for reading and sending e-mail.

Mail user agant (MUA)

What techniques can be used to detect wireless access points? - Manual detection, active wireless scanning, passive wireless scanning, Nessus vulnerability scanning - Manual detection, Nessus vulnerability scanning - Active and passive wireless scanning

Manual detection - physically visit the area where a WAP is likely to be and use wardriving techniques to attempt to detect the rogue access point Active wireless scanning technique - broadcasting a probe message and waiting for a response from devices in the range Passive wireless scanning technique - identifies the presence of any wireless communication to find identify active WAP connections Nessus vulnerability scanner

Which of these are built-in on many PDAs? - infrared - Bluetooth - WiFi

Many PDAs have built-in infrared, Bluetooth and WiFi

Psychological experts provide specialized assistance in which areas? - Dentistry - Prescription medication or illegal drugs - Mental illness, psychotropic drugs, standards of care, emotional distress

Medical experts provide expertise in dentistry, drugs, prescription medications and malpractise. Psychological experts provide expertise in diagnosis and treatment of mental illness, medications and psychotropic drugs, standards of care, emotional distress and effects of crime or event

Psychological experts provide specialized assistance in which areas?

Mental illness, psychotropic drugs, standards of care, emotional distress

What are some tools in Helix that are used for responding to incidents?

MessenPass, Putty SSH, Rootkit Revealer

____ is data about data, or more simply, embedded electronic data not necessarily seen on a printed document.

Metadata

Compression

Method of making a file smaller, in order to reduce disk space.

What are conceptual ways to write block removable media on the MacIntosh?

Methods for write blocking MacIntosh are preventing the Mac OS from automatically mounting removable media, preventing iTunes from loading when iPod is connected and mounting iPods with read-only access

In mobile device identification, what needs to be identified, for choosing the proper data acquisition tool?

Model. Operating System. Service Provider. Found in: Battery Cavity (Manufacturer Name, Model, IMEI, FCC-ID). Screen (Type of Phone, Service Provider, OS)

Older BlackBerry 950 and 957 had Intel 80386 processors. What type of processors due modern Blackberry devices have? - Intel 80386 - ARM7 of ARM9 - Intel PXA901 312 MHz

Modern Blackberry devices have ARM7 or ARM9. GSM Blackberry models (8100 and 8700) have Intel PXA901 312 MHz with 64 MB flash memory and 16 MG SDRAM. CDMA Blackberry smartphones have Qualcomm MSM6x00 chipsets.

Text Semagrams

Modifying the apprearance of the carrier test. Font size or type, extra spaces, flourashes in letters, handwritten text.

With ____, an administrator gives a piece of data to a person and if that information makes it out to the public domain, the administrator knows the organization has a mole.

Mole Detection

Windows CE has two types of device drivers?

Monolithic and Layered

What type of virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files.

Multipartite

In what format can music be stored on an iPod? - MP3, WAV, Apple Lossless - M4A/AAC, protected AAC, AIFF - MPEG

Music can be stored on an iPod as MP3, WAV, Apple Lossless, M4A/AAC, protected AAC, or AIFF formats

A(n) ____ is a piece of hardware used to provide an interface between a host machine and a computer network.

NIC

____ is the standard protocol for distributing and recovering Usenet messages.

NNTP

Does Palm restrict access to code and data? - Yes - No

NO: The architecture of Palm OS has four layers: - Application - OS - Software API and hardware drivers - Hardware The software API helps execute software on different hardware but developers can easily bypass the API and access the processor directly. Thus, malicious applications can be a security risk because Palm OS does not restrict access to the code and data. Anyone can modify it.

____ is an Internet standard protocol that is used to synchronize the clocks of client computers.

NTP

Where can registry keys be found for the user?

NTUSER.DAT

Code that is derived from mixing a cover message, within a large amount of plain text, to cover the message, is known as?

Null Cipher

Areal Density

Number of bits per square inch on a hard disk platter.

ICCID - Integrated Circuit Card Identification.

On the SIM and can be up to 20 digits long. -Industry Identifier Prefix (89 for telecommunications) -Country Code. -Issuer Identification number. -Account Identification Number. Helps to identify Country and Network Operator name.

dcfldd features

On-the-fly hashing of the transmitted data. Progress bar of how much data has already been sent. Wiping of disks with known patterns. Verification that the image is identical to the original drive, bit-for-bit. Simultaneous output to more than one file/disk is possible. The output can be split into multiple files. Logs and data can be piped into external applications

Where does Windows CE store data?

PIM and user data in RAM and operating system and supporting applications in ROM.

What kind of memory resides on a PDA? - ROM - RAM - Flash ROM

ROM, RAM and Flash RAM can reside on a PDA

What three things does the Mac OS X depend on? - Open firmware, boot loader, typical Mac OS X boot sequence - Proprietary firmware, boot loader, boot sequence - BIOS, boot loader, autoexec.bat

Open Firmware is a nonproprietary platform-independent boot firmware similar to PC BIOS. It is stored in ROM and is the first program executed at power up. Press Command-Option-O-F

Open Codes Steganography

Open codes make use of openly readable text. This text contains words or sentences that can be hidden in a reversed or vertical order. The letters should be in selected locations of the text in a specifically designed pattern. Open codes can be either jargon codes or covered ciphers.

What steganography methods are used in text files?

Open-space, Syntactic, Semantic

Rule 701

Opinion testimony by lay witnesses

Rules for allowing duplicate evidence.

Original evidence is not available, due to: -Evidence destroyed due to an uncontrollable event (Fire/ Flood). -Evidence destroyed in normal course of business. -Original evidence in possession of a third party.

other password recovery tools

Other - Advanced ZIP password recovery - zip file passwords - PicoZip Recovery - zip file passwords - PDF Password Crackers - pdf file passwords - Default Password Databases - Dialupass - dial-up passwords - Database Sleuth

What are two tools used to acquire information from a PDA? - PDA Seizure and Palm dd - Ghost and Hunt - Tripwire and Nmap

PDA Seizure and Palm dd are two tools to acquire information form a PDA.

Which list contains some important PDA security issues? - Password theft, virus attack, data corruption, application vulnerabilities - OS, hardware, battery - Sleep mode, nascent mode, quiescent mode

PDA security issues include the following: -Password theft -Virus attack -Data corruption -Applicaton vulnerabilties -Data theft -Wireless vulnerabilties -Device theft

What is needed to access the SIM

PIN code -3 attempts (if protected). 8-digit PUK (Personal Unlock Number), provided by network operator or Carrier. -10 attempts disables the phone.

What is the advantage of PMDump?

PMDump allows an investigator to dump contents of process memory WITHOUT stopping the process

____ is an Internet protocol used to retrieve e-mail from a mail server.

POP3

How is Palm OS memory organized? - Chunks known as data - Chunks known as records - Chunks known as folders

Palm OS memory is organized in chunks known as records. Records are grouped into a database called the Palm File Format (PFF). PFF has three types of files: Palm Database containing contact lists and application data Palm Resource with application code and user interface objects Palm Query Applications with World Wide Web contents

Which ports does HotSync open during the HotSync process? - TCP 12345, TCP 12346, UDP 12345 - TCP 139, TCP 445 - TCP 14237, TCP 14238, UDP 14237

Palm OS opens TCP 14237, TCP 14238, and UDP 14237 during the HotSync process.

____________________ helps devices interact with GPS receivers, wireless modems, keyboards and other peripheral devices using USB.

Palm Universal Connector System

____________________ helps devices interact with GPS receivers, wireless modems, keyboards and other peripheral devices using USB. - Palm Universal Connector System - Hotsync - Palm Expansion Card Slot

Palm Universal Connector System helps devices interact with GPS receivers, wireless modems, keyboards and other peripheral devices using USB.

Computer crimes include all but which of the following? - Fraud via manipulation of computer records - Performing vulnerability assessment for a client - Spam - Deliberate avoidance of computer security systems - Unauthorized access - Unauthorized modification of software

Performing vulnerability assessment for a client with permission is NOT a computer crime. Computer crimes include: - Fraud via manipulation of computer records - Performing vulnerability assessment for a client - Spam - Deliberate avoidance of computer security systems - Unauthorized access - Unauthorized modification of software

Mobile Switching Center- MSC

Performs switching of user calls, and provides functionality to handle mobile devices.

Technical witness

Person who does field work and only submits the results, without offering a view of their results.

WPA2

Personal - uses Shared Keys (PSK), 256 bit key Enterprise - uses EAP, RADIUS or Kerberos. -Multiple Authentication - Token cards, Certificates. -uses a central authentication server. Both use 128 bit AES-CCMP encryption (Actual value). 48 bit IV AES-CCMP Integrity Check Protects against forgery and Replay attacks.

What is a PDA?

Personal Digital Assistant

Which acts pertain to privacy? - CAN-SPAM - PIPEDA - Data Protection Act 1998 Section 55

Personal Information Protection and Electronic Documents Act Data Protection Act 1998 Section 55: Unlawful obtaining of personal data

____ is overhearing phone conversations while being physically present.

Phone Eavesdropping

____ is a direct form of harassment where an employee is expected to tolerate harassment in order to receive some benefit.

Quid pro quo

Raid Levels: RAID 3

RAID 3 is a RAID configuration that uses a parity disk to store the information generated by a RAID controller instead of striping it with the data.

Where is the running-configuration file for a Cisco router?

RAM

How is memory arranged on the Palm OS?

RAM and ROM are on the same memory module

Windows CE has four types of memory. What are they?

RAM, Expansion RAM, ROM, and Persistent storage

What are the main protocols for the Network Layer?

RARP, ICMP, IGMP, IP

What registry data type indicates raw binary data?

REG_BINARY

Rule 402

Relevant evidence generally admissible; irrelevant evidence inadmissible

In order to meet the Daubert standard, and be admissible in court, the testimony of an expert witness must be both relevant and __.

Reliable

A ____ party is an individual or business who used a particular work when the status of the work was in the public domain, prior to the URAA agreement.

Reliance

SIM - Subscriber Identity Module

Removable component, used to authenticate the user to the network, and contains subscriber information. Volatile and nonvolatile (file system) memory

Which are true about EasyRecovery?

Repairs and restores corrupt or inaccessible Microsoft Office and Zip files, Includes EmailRepair

Rule 703 includes which of the following? - Facts are disclosed to expert - Facts disclosed to the expert must also be disclosed to the jury - Court decides whether probative value in assisting jury to evaluate expert opinion outweighs prejudicial nature of facts used by said expert

Rule 703 allows the Court to determine whether facts disclosed to the expert are revealed to the jury based on whether the probative nature of said facts in assisting the jury to evaluate the expert opinion outweighs the prejudicial effect.

Forensic rule that sets requirements for original evidence.

Rule: 1002

Forensic rule that allows the admissibility of duplicates.

Rule: 1003

BlackBerry ____ Protocol backs up, restores, and synchronizes the data between BlackBerry devices and desktop systems.

Serial

Types of Data Acquisition.

Serial Communication, USB Data, Plug-in boards.

____ analyzes server logs by changing IP addresses into domain names with the help of httpdanalyse.c.

Server log analysis

Sources of data for digital evidence.

Server. Storage devices. Logs. Internal hardware.

According to the USPTO, a ____ mark is any word, name, symbol, device, or any combination, used, or intended to be used, in commerce, to identify and distinguish the services of one provider from services provided by others, and to indicate the source of the services.

Service

According to the USPTO, a ____ mark is any word, name, symbol, device, or any combination, used, or intended to be used, in commerce with the owner's permission by someone other than its owner, to certify regional or other geographic origin, material, mode of manufacture, quality, accuracy, or other characteristics of someone's goods or services, or that the work or labor on the goods or services was performed by members of a union or other organization.

Service Mark

What are types of search warrants?

Service provider search warrant and electronic storage device search warrant.

What data can be recovered from the SIM card?

Service-related information including unique identifiers Phonebook and call information such as ADN and LND SMS, EMS and multimedia messages LAI and RAI

In Linux every file has nine permission bits, choose all that apply.

Setuid, Sticky bit, Setgid (Setuid bits have an octal value of 4000 Setgid bits have an octal value of 2000 Sticky bits have an octal value of 1000 however, Linux silently ignores this type. Sticky bits were important as a modifier for executable files on early UNIX systems)

Shane, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered on. What should Shane do?

Shane should make sure the device remains powered on by plugging it into a power supply or charging the battery. She should also photograph the device to capture the current state of the device.

Non-Electronic Password Attacks

Shoulder Surfing, Social Engineering, Dumpster Diving.

Paper printout

Shows data that have been printed out from a live computer.

Which type of cell holds series of indexes pointing to parent key cells?

Subkey list cell

Steganalysis Challenges

Suspect information may not have encoded hidden data. Efficient and Accurate detection of hidden content withing digital images. Data encrypted before being inserted into file or signal. Suspect files may have irrelevant data or noise inserted.

When collecting evidence from the RAM, where do you look for data?

Swap file

What is a swap file?

Swap file is space on a hard disk (nonvolatile memory) used as a virtual memory extension for RAM.

Jumpers or Dip Switches

Switches on the mother board that clear the BIOS and CMOS settings, allowing them to reset. You can also cross pins 2 and 3.

To obtain a search warrant, police or government agent must provide what

Sworn statement including location to search and type of property being sought, Written documentation about complaint initiating search and any supporting documentation

____ manipulates punctuation to hide messages.

Syntactic Steganography

____ evidence is oral evidence, presented by a competent eyewitness to the incident, that is relevant and material to the case.

Testimonial

Rule 702 includes what?

Testimony based on sufficient facts, Testimony is the product of reliable principles and methods, Witness has applied reliable principles and methods reliably to the facts of the case.

What kind of keyboard does the Blackberry have? - QWERTY - CUTEY - LCD

The Blackberry has a QWERTY keyboard.

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What comprises the Cocoa Touch layer? - Core Audio and OpenAL - UI Kit - Foundation frameworks providing graphical and event-driven applications

The Cocoa touch layer consists of UI Kit and Foundation frameworks which provide the user with tools for graphical and event-driven applications

Which two were created by the Department of Justice to safeguard children? - Innocent Images National Initiative (IINI) - Internet Crimes Against Children (ICAC) - Project Safe Childhood (PSC) - Anti-Child Porn.org (ACPO)

The Department of Justice created ICAC and PSC. Internet Crimes Against Children (ICAC) is a network of regional task forces to provide federal assistance to state and local law enforcement so they could better investigate computer and internet-based crimes that sexually exploit children. Project Safe Childhood (PSC) is an initiative developed to provide a coordinated effort in combating child porn. It strives to help local communities create programs to investigate child exploitation and identify and rescue victims.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer.

Which agency of the United States Department of Justice investigates both federal crimes and acts as internal intelligence agency? - NIST - FBI - OSHA

The Federal Bureau of Investigation (FBI) investigates both federal crimes and acts as internal intelligence agency.

Fourth Amendment

The Fourth Amendment states, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supposed by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

How can you tell if a password dump is from a Windows Vista or Windows 7 based system?

The LM hash field will be blank. -Disabled on Windows 7 sand Vista.

What is true about the Mac OS?

The MAC OS is based on BSD Darwin engine Startup items in /System/Library/StartupItems or /Library/StatupItems Uses .hidden to maintain a list of hidden files

What happens when a file is deleted using Windows 7?

The MFT is marked with a special character that indicates that the file has been deleted

What area of a disk is changed when a primary partition is deleted?

The Master Boot Record (MBR)

The architecture of Windows CE has four layers: - Application - OS - Original Equipment Manufacturer (OEM) - Hardware What is the purpose of the OEM?

The OEM is between the OS and the hardware layer. It contains the OEM Adaptation Layer (OAL), drivers, and configuration files. It handles system startup, interrupt handling, power management, profiling, timer and clock.

There are three types of records in the PFF. Which is NOT one type? - Palm Database - Palm Folder - Palm Resource

The Palm File Format (PFF) has three types of files: Palm Database containing contact lists and application data Palm Resource with application code and user interface objects Palm Query Applications with World Wide Web contents

Event ID 4902

The Per-user audit policy table was created

What type of scan sends a SYN flag, receives an SYN/ACK then sends a RST? - XMAS - FIN - Half-open

The SYN scan creates a half-open TCP/IP connection

Network Forensics

The Sniffing, Recoding, Acquisition, and Analysis, of Network Traffic and Event Logs, in order to Investigate an Incident.

dcfldd

The ______ tool is a modified version of the dd tool that depicts the status as an image is being collected, hashed, and checked for integrity. Linux Defense Crime Forensic Lab dd

What is the best way to protect PDAs from wireless attacks? - Install wireless anti-virus for PDA - Install a VPN client on the PDA and encrypt the connection - Use port security

The best way to protect a PDA from wireless attacks is to install a VPN client on the PDA and encrypt the connection

Which copy is analyzed, the original or the bit-stream? - Original - Bit-stream

The bit-stream copy is analyzed. The original is stored in a safe location so no one can tamper with it. Initially, two copies are made. Then, if the first bit-stream copy is damaged, the second copy can be sued. If the second copy is damaged then another copy can be made from the original.

Wireless Active Scan

The client radio transmits or broadcasts a probe request and listens for a probe response from an Access Point.

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the Core Services Layer provide?

The core services layer provides the basic services for applications such as Address Book, Core Location, CFNetwork, Security and SQLite

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the Core Services Layer provide? - Basic Services for applications - Address Book, Core Location, CFNetwork, Security and SQLite - Graphics

The core services layer provides the basic services for applications such as Address Book, Core Location, CFNetwork, Security and SQLite

What is the "Best Evidence Rule"?

The court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy

Router Cache

The database of addresses and forwarding information of network traffic stored in a router. It can also provide information about attacks.

Why it is important to know with which type of system the iPod has been synchronized? - Need to know how much data has been transferred during sync - Different computers sync differently - iPods sync'd with Mac computers use Apple's HFS+file system. iPods sync'd with Windows use FAT32.

The file system on the iPod will be based on the computer used to sync the iPod. iPods sync'd with Mac will use Apple's HFS+ file system. iPods sync'd with Windows will use FAT32.

What are the four PDA generic states? - New, Active, Quiet, Selective - Configured, Active, Sleep, Semiactive - Nascent, Active, Quiescent, Semiactive

The generic PDA states include: -Nascent: device just received from manufacturer with factory configuration - Active: device powered on and performing tasks - Quiescent: sleep mode which conserves battery power while maintaining user data and background tasks - Semiactive: partway between active and quiescent and usually triggered by a timer to save battery life

Why is iPod useful for information theft? - Large storage capacity - Small size - Rapid data transfer

The iPod is useful for information theft because of its large storage capacity, small size and rapid data transfer

When does the investigation begin? - When the police arrive - When the crime scene technician arrives - When the crime is suspected

The investigation begins when the crime is suspected

Who should the expert witness face, while providing an answer?

The jury.

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the media layer provide?

The media layer provides graphics and media technologies such as Core Audio, OpenAL and video technologies

The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the media layer provide? - Graphics and media technologies such as Core Audit, OpenAL and video technologies - UI Kit and Foundation framework - Fundamental services such as Address Book, CFNetwork, SQLite

The media layer provides graphics and media technologies such as Core Audio, OpenAL and video technologies

The definition of chain of custody is

The movement and location of physical evidence from the time it is obtained until the time it is presented in court.

Net Commands: Net Sessions

The net session command is used to list or disconnect sessions between the computer and others on the network

Net Commands: Net Start

The net start command is used to start a network service or list running network services.

What are the two sections of Windows CE RAM? - Object store - Program Memory - Data Folders

The object store and program memory are two sections of Windows CE RAM. The object store is a permanent virtual RAM disk. Data is retained there by a backup power supply.

Data Acquisition

The process of imaging, or otherwise obtaining information, from a digital device and its peripheral equipment and media.

File Carving

The process of reassembling computer files from fragments in the absence of file system metadata.

What is part of the role of a forensics investigator? - Create images of original evidence - Guides officials in managing investigation - Reconstructs damaged media - Analyzes data and prepares report - Addresses the issues in court, if necessary. May act as expert witness. - All of the above

The role of a forensics investigator is to: - Recover data - Determine damage from crime - Gather evidence based on forensic guidelines - Protect evidence - Create images of original evidence - Guide officials in managing investigation - Reconstruct damaged media - Analyze data and prepares report - Address the issues in court, if necessary. May act as expert witness.

What is the role of digital evidence in forensic investigation? - Provide material for investigative report in lawsuit - Provide clues to identify the criminal - Support expert witness testimony

The role of digital evidence in forensic investigation is to provide clues to identify the criminal

Slack Space

The space that exists between the end of a file and the end of the cluster. Unused storage capacity.

When a file is deleted from a Windows OS on an NTFS filing system, the files will go into a folder in the recycler, with what?

The users SID (y). $Ry.ext The file name and path will be stored in the INFO file.

Voluntary disclosure

The voluntary disclosure provisions of the SCA appear in 18 U.S.C. 2702. These provisions govern when a provider of RCS or ECS can disclose contents and other information voluntarily, both to the government and non-government entities.

There are two associations that can help forensics investigators. Which is NOT one of these helpful associations? - NIST - Computer Technology Investigators Network - Technology Crime Investigators Association

There is much information on the internet to assist forensics investigators. Two helpful associations are: - Computer Technology Investigators Network http://www.ctin.org/ - High Technology Crime Investigators Association http://www.htcia.org/

What are questions to consider before beginning a forensic investigation involving PDAs? (Choose all that apply) - What kind of investigation needs to be done? - How should the PDA be handled? - Can critical data on the PDA remain secure during examination?

These questions should be considered before beginning a forensic investigation involving PDAs: What kind of investigation needs to be done? How should the PDA be handled? Can critical data on the PDA remain secure during examination?

The BlackBerry Enterprise Solution provides AES and ____ encryption techniques

Triple DES

Is this the proper order for response to a crime by first responders: 1. Begin investigation the moment a crime is suspected 2. Response to preliminary evidence by photographing the scene and marking evidence 3. Obtain search warrant, if needed 4. Follow first responder procedures 5. Seize evidence seized at crime scene then safely number and secure it 6. Transport evidence to forensic laboratory 7. Make two bit-stream copies of evidence 8. Generate a checksum (generally MD5) on the bit-stream images 9. Prepare chain of custody 10. Store the original disk so that time stamps and evidence remain intact 11. Use image copy to analyze the evidence 12. Prepare a forensic report describing the forensic method and recovery tools 13. Submit the forensic report 14. Testify as expert witness, if needed Yes No

This is the proper order for response to a crime by first responders: 1. Begin investigation the moment a crime is suspected 2. Response to preliminary evidence by photographing the scene and marking evidence 3. Obtain search warrant, if needed 4. Follow first responder procedures 5. Seize evidence seized at crime scene then safely number and secure it 6. Transport evidence to forensic laboratory 7. Make two bit-stream copies of evidence 8. Generate a checksum (generally MD5) on the bit-stream images 9. Prepare chain of custody 10. Store the original disk so that time stamps and evidence remain intact 11. Use image copy to analyze the evidence 12. Prepare a forensic report describing the forensic method and recovery tools 13. Submit the forensic report 14. Testify as expert witness, if needed

When building a forensic lab health and safety factors are critical because?

This is to protect the staff

EC-Council identified thirteen steps for evaluating a case. One of these steps involves assessing skill levels of users. Why is this important?

To determine how they might delete or conceal evidence.

The goal of forensic science is:

To determine the evidential value of the crime scene and related evidence

What software is used to disable automatic syncing? - iPod desync - iTunes - iPod manager

To disable automatic syncing, open iTunes, select Preferences, click Syncing tab, and check disable automatic syncing for all iPhones and iPods

Rule-Based Attack

This type of attack is when the attacker already has some information about the password. The attacker can then write a rule so that the password-cracking software will only generate passwords that meet that particular rule.

A ____ is a section or instance of an application or program that is being run sequentially.

Thread

What are three classifications of steganography? - Photographic steganography - Technical steganography - Analog steganography - Linguistic steganography - Digital steganography

Three categories of steganography: technical, linguistic and digital.

Stratum 0 device

Time Reference Server, on an Atomic Clock.

To obtain a search warrant, police or government agent must (check all that apply) - Obtain signature by judge or magistrate - Present good reason for search - Verbally tell why the search warrant is needed

To obtain a search warrant, police or government agent must do the following: -Obtain signature by judge or magistrate -Present good reason for search

What are tools necessary for forensic analysis of an iPod or iPhone? - EnCase and Forensic Toolkit - Device Seizure - Recover My iPod and iPod Data Recovery

Tools necessary for forensic analysis of an iPod or iPhone include EnCase, Forensic Toolkit, Recover My iPod and iPod Data Recovery

True or False: When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected.

True (A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to. nbtstat -c can be used to view the cache of NetBIOS names on the host operating system)

How many bit-stream copies are made of the original evidence? 1 2 3 4 5 6

Two copies are made of the original evidence using two different software packages.

Choose all true about the USA PATRIOT Act - Greater authority to track and intercept communications for law enforcement and foreign intelligence gathering - Made wiretapping illegal - Passed in response to 911 terrorist attack

USA PATRIOT Act gave greater authority to track and intercept communications for law enforcement and foreign intelligence gathering. It was passed in response to the 911 terrorist attack in the USA.

What does the SIM card contain?

Unique identifiers for the SIM. -ICCID, Subscriber, IMSI. -Phone book and call information (last numbers dialed, abbreviated Dialing Numbers). -Messages (SMS, EMS, Multimedia). -Location Information

What are two ways to unmount an iPod?

Unmount the iPod by either dragging the iPod icon to the trash (Mac) or clicking the Safely Remove Hardware button (Windows)

Signature Analysis

Verifies file signatures Identifies the difference between file extension and the file header. Make Hash Sets Used to verify accuracy of the resident file extension.

Criminal Litigation Experts

Victim Advocates. address behavior of the defendant. Do not expect to be paid. Reputation may tarnish testimony.

In what format can video be stored on an iPod?

Video can be stored as .m4v (H.264), .mp4 (MPEG-4) and unprotected WMA on Windows.

802.16

WIMAX, Microwave Wireless Metropolitan Area Network, MANs

802.11l

WLANs, and Improved Encryption.

Blackberry Attachment Service has a known vulnerability. What is it?

WMF or EMF (known bug in GDI)

Which wireless security protocol is most secure?

WPA2

Which wireless security protocol is most secure? - WEP - WPA - WPA2

WPA2

The following are examples of what? "Access to this system is restricted." "Systems and networks are subject to monitoring at any time by the owner" "Unauthorized use is prohibited and will be subject to discipline or prosecution"

Warning Banner

The following are examples of what? Access to this system is restricted. Systems and networks are subject to monitoring at any time by the owner Unauthorized use is prohibited and will be subject to discipline or prosecution - Banner grabbing - Warning banners - Warning messages

Warning Banner is designed to state the responsibility a user accepts while using the system.

____ is a parental control tool, developed specially for protecting children from forbidden materials such as pornography, online gambling, and online drug information.

Web control for parents

Mobile Operating Systems

WebOS (Linux Kernal). Symbian (Nokia, Object Oriented, Java). Android (Google, Linux, Virtual Machine, SQLite storage). Apple iOS. Windows Phone 7 (Microsoft. RIM Blackberry OS (Research In Motion).

____ is wireless hacking that is used to capture information passing through a wireless network.

Whacking

When does the investigation begin?

When the crime is suspected

BMP (Bitmap) file

Windows Black and White is 1 bit per pixel. 24 bit color up to 16.7 million colors (RGB).

Windows CE has two types of device drivers? - Monolithic and Layered - Monumental and Layered - Monolithic and Latent

Windows CE has two types of device drivers: monolithic and layered. Monolithic drivers apply their interfaces as an action directly on the device. Layered device drivers divide their implementation between upper and lower layers. The upper layer exposes the driver's native interface. The lower layer interacts with the hardware.

The LinkMASSter-2 ____ option provides a quick non-DoD method of sanitizing a drive of all previously stored data.

WipeOut Fast

Passive Online Password Attacks

Wire Sniffing, Man-in-the-Middle attack. Replay Attack.

How does lossless file compression work?

Words are numbered and repeated words are replaced with a number (thus saving space). Huffman Lemple-Ziv

Most important step of Data Acquisition?

Write Protect everything.

THe driveSpy ____ command is used to regenerate information acquired through the SaveSect command

WriteSect

Which are true about X-Ways Forensics? - Viewing and dumping RAM and virtual memory - Disk cloning and imaging - Advanced work environment

X-Ways Forensics is a work environment including: Disk cloning and imaging Examining complete directory structure and disk space including slack space Viewing and dumping memory including virtual memory Support for FAT, NTFS, ext2/3

What type of scan sends FIN, URG, PSH flags?

XMAS

What type of scan sends FIN, URG, PSH flags? - XMAS - FIN - Half-open

XMAS scan sends FIN, URG, PSH

What format does Vista use for event logs?

XML

____ is a general-purpose specification for markup programming languages that allows the user to define specific elements to aid in sharing structured data among different types of computers with different operating systems and applications.

XML

Microsoft handheld OS was first called Windows CE, then PocketPC then Windows Mobile. But Windows CE 5.2 powers Windows Mobile 6. What devices does Windows CE run on?

XScale, ARM or SHx processors.

Are these steps the basic steps in PDA forensics? 1 - Secure and evaluate the crime scene 2 - Seize the evidence 3 - Identify the evidence 4 - Preserve the evidence 5 - Acquire information 6 - Examine and analyze the information 7 - Document 8 - Report Yes No

YES: These are the basic steps in PDA forensics: 1 - Secure and evaluate the crime scene 2 - Seize the evidence 3 - Identify the evidence 4 - Preserve the evidence 5 - Acquire information 6 - Examine and analyze the information 7 - Document 8 - Report

/var is used for system-specific data and configuration files. - Yes - No

YES: /var is used for system-specific data and configuration files

Are these the six stages of process creation? 1. Launch .exe: File Execution Options registry key is checked for debugger value. If yes, process starts over 2. EProcess object created along with KProcess, PEB, and initial address space 3. Initial thread created 4. Windows subsystem is notified of new process and thread 5. Execution of initial thread starts 6. Initialization of address space is complete for new process and thread

Yes

Blackberry OS is event-driven and supports multitasking and multithreading.

Yes

All evidence collected should be marked as exhibits using this format: ____, where • aaa are the initials of the forensic analyst or law enforcement officer seizing the equipment • zz is the sequence number for parts of the same exhibit. • nnnn is the sequential number of the exhibits seized by the analyst, starting with 001 • ddmmyy is the date of the seizure

aaa/ddmmyy/nnnn/zz

A(n) ____ is defined as the average packet rate of data packets with similar packet header information.

activity profile

What does Visual TimeAnalyzer do?

automatically tracks all computer usage and presents detailed illustrated reports

What is true about the USA PATRIOT Act?

ave greater authority to track and intercept communications for law enforcement and foreign intelligence gathering. It was passed in response to the 911 terrorist attack in the USA.

What term defines an empirically proven set of methods for performing a task in the best and most efficient way?

best pratices

What are some standard /usr sub-directories?

bin and local

Creating a ____ is the most common method forensic investogators use to acquire digital evidence

bit stream disk to image file

The ____ is the set of steps a computer system takes after it has been powered on.

boot sequence

____ is the process of loading an operating system into a computer's main memory.

booting

In a DDoS attack, attackers first infect multiple systems, called ____, which are then used to attack a particular target.

bots

A(n) ____ attack is a type of attack that sends excessive data to an application that either brings down the application or forces the data being sent to the application to be run on the host system.

buffer overflow

A ____ is a set of duplicate data that is stored in a temporary location so that a computer system can rapidly access that data.

cache

A(n) ____ is a type of warning, like a "Beware" sign posted near a dangerous area.

caveat

____ is a procedure that handles or controls all authorized changes to assets such as software and hardware.

change control

PromiscDetect

checks to see if NIC is in promiscuous mode.

What term refers to the smallest logical storage units on a hard disk?

clusters

What occurs immediately after the investigation begins?

collect preliminary evidence including photographing the scene and marking evidence

Choose other techniques commonly used to remove watermarks?

collusion attack, Jitter attack and StirMark

Electronic Communications Privacy act (ECPA) applies to:

communications that include e-mail, text messaging, networking software, blogs, and video conferencing. Requires subpoena, warrant or court order in order to force disclosure.

The first step in cracking a password is:

create a word list

Promqry

determines active network interface status on remote systems.

Openfiles command

displays open files. Queries, Displays, and Disconnects files,

Netstat -r option

displays routing table and persistent routes.

pslist -x option

displays threads and memory used.

Random compliations of data are not admissible. Logs must be kept as a regular business practice. Logs instituted after an incident has commenced ______________ under the business records exception.

do not qualify

What command can be used to view command history?

doskey /history & scroll up in the command window (If a command window is open, the investigator can scroll up to see command history. But the attacker may have typed cls to clear the screen. Then, the investigator can use the doskey /history command to see the history.)

What command is used to view EProcess block?

dt -a -b -v _EPROCESS

Spread Spectrum - Audio steganography

encodes data as a binary sequence, that sounds like noise. -Direct Sequence (Spread by chip rate - constant. -Frequency Hopping.

A(n) ____ investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.

end to end

Something that is ____ is transient or short lived in nature.

ephemeral

A(n) ____ stalker is a stalker who believes that the victim is in love with him or her, even though the victim has not made any such statement.

erotomaniac and morbidly infatuated

What are names of the two Apache logs?

error log and access log

A(n) ____ file is a proprietary file created by EnCase to compress and preserve bit-stream images of acquired media.

evidence

Which file system runs on Linux? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext

ext1, ext2, ext3 - Linux

What represents the space that exists between the end of the file and the end of the last cluster used by that file?

file slack

Objects in Windows CE are stored in three types of persistent storage. What are they?

file system, registry and property databases.

Huffman Coding Algorithm

fixed to variable length code. Takes a fixed length block of input and produces a variable length output. Assigns a codeword to each block with high and low probability. Merges least probable characters together, and reeated until there is only one character. (1110)

What term refers to a small, portable magnetic disk that is used to store and transfer computer data?

floppy disk

How does the OSI layer 'Data link' exchange data?

frames

How does the OSI layer 'Physical' exchange data?

frames

What is Event ID 642

gives information about changes to an account

What type of scan sends a SYN flag, receives an SYN/ACK then sends a RST?

half-open

What does HKEY_CURRENT_CONFIG?

hardware profile at startup

A ____ is an area of the drive where a certain portion of the drive's contents is hidden from the operating system and file system.

host protected area HPA

THe ipod touch uses the ____ OS as it's operating system

iPhone

The iPhone has a solid state NAND flash memory configured with two partitions by default. Choose the best description for these two default partitions. - Root partition is a 300 MB FAT32 drive - Root partition is a 300 MB, read-only partition housing the OS, preloaded applications - User partition mounted as /private/var

iPhone has two default disk partitions: 300 MB root partition with OS, preloaded applications. Read-only and stays in the original factory state for the life of the iPhone User partition mounted as /private/var

What can criminals do with iPhones?

iPhones can be used to steal data, send threatening or offensive SMS or MMS messages, change or clone SIM properties, remove the service provide lock (SP-Lock) to free iPhone from its network and send spam.

Which file system runs on HFS+?

iPod sync'd to MAC

GIF has a web-specific feature known as

interlacing

____ addressing is used in a network where a number of LANs or other networks are connected with the help of routers.

internetwork

Which items are examples of technical steganography?

invisible inks, microdots, and other such technologies

Session Poisoning

is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.

MRU list

list that contains a history of recent activity on a computer. Shows the last four opened registry files

psfile command

lists and closes remotely opened files.

Archival Data

long term storage of data.

What command can be used to display a list of open files?

lsof

What command can be used to display a list of open files? - dir - ls - lsof

lsof command can be used to retrieve a list of open files

What is Event ID 632

member added to global security group

What is Event ID 636

member added to local security group

What is Event ID 633

member removed from global security group

What is Event ID 637

member removed from local security group

How does the OSI layer 'Application' exchange data?

messages

How does the OSI layer 'Presentation' exchange data?

messages

How does the OSI layer 'Session' exchange data?

messages

Which netcat command is an example of port scanning?

nc -l -p port_number > /test/outfile.txt

Which netcat command is an example of port scanning? - nc -l -p port_number > /test/outfile.txt - nc www.targethost.com 80 - nc -v -z target port-range

nc -l -p port_number > /test/outfile.txt slow scan to avoid detection

Which statement is used to partition an image on another machine? - netcat -l -p 1234 | dd of=/dev/hdc bs=16065b - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

netcat -l -p 1234 | dd of=/dev/hdc bs=16065b used to partition an image on another machine. Run on the target machine

___ is a network-enabled espionage, in which an attacker uses the internet to perform corporate espionage.

netspionage

The ____ Linux command displays active TCP connections, Ethernet statistics, and the IP routing table.

netstat

The ____ command allows a user to collect information regarding network connections on a Windows system.

netstat

What command can be used to display active TCP connections, Ethernet statistics and IP routing table?

netstat

What are the two sections of Windows CE RAM?

object store and program memory

Burgess Forensics

offers computer forensic, electronic discovery, and expert witness and testimony since 1985. Burgess Forensics uses various tools, such as EnCase, SMART Forensics, Paraben, FTK, etc., to provide Macintosh Digital Forensics, Windows Digital Forensics, and Cell Phone/Mobile/PDA Forensics.

What are two main techniques of linguistic steganography?

open codes and semagrams

How does the OSI layer 'Network' exchange data?

packets

What is an important consideration for complete memory dump analysis?

pagefile.sys

LDAP injection

passing LDAP filters, used for searching Directory Services, through web application input, to obtain direct access to the database. =, >=, <=, ~=, * And(&), Or (|), NOT (!).

A ____ is a program that is used to identify an unknown or forgotten password to a computer or network resource.

password cracker

The term ____ refers to the process of taking a password hash and attempting to determine the associated password that generated that password hash.

password cracking

A ____ is a property right granted to the inventor by the USPTO to keep others from making, using, or selling the invention without authorization.

patent

A ____ attack consists of sending a malformed or otherwise malicious ping to a computer.

ping of death

____ is the standard for the transport of IP traffic over point-to-point links.

point to point protocaol PPP

A ____ virus is one that produces varied but operational copies of itself.

polomorphic

A ____ is a noninteractive program that helps the operating system and applications perform their tasks.

process

Association

process of connecting a device to a wireless access point.

Authentication

process of identifying prior to allowing access.

____ involves a perpetrator changing existing computer programs by either modifying them or inserting new programs and routines.

program manipulation fraud

____ mode is the mode of a network interface card in which the card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it.

promiscuos

____ mode refers to the state of a network interface card where it will register all network traffic, rather than only the traffic arriving with the card's own MAC address as the destination.

promiscuos mode

What is the role of digital evidence in forensic investigation?

provide clues to identify the criminal

Computer Forensics Services (CFS)

provides a complete suite of computer forensics, electronic evidence, and data recovery services.

Elluma Discovery

provides computer forensics, electronic discovery, forensic data recovery, forensic analysis, and computer expert witness services.

CyberControls

provides litigation consultancy and computer forensic services on a nationwide basis. It maintains a secured forensics lab along with a team of litigation consultants who provide a blending of technical and legal advice about e-discovery specifics.

What command can be used to view the process register? - ps - dir - ls

ps command can be used to view the process register

The ____ state is the sleep mode of the PDA device, which conserves battery power to maintain the user's data and perform other background activities.

quiescent

A ____ table is a table of password hashes created by hashing every possible password and variation thereof to be used in a rainbow attack to recover a plaintext password from a captured ciphertext.

rainbow

What is Event ID 624?

recorded when an account is created

Memory in Palm OS is arranged in chunks known as ____.

records

The term first ____ refers to a person who first arrives at a crime scene and accesses the victim's computer system once the incident has been reported.

responder

What is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location?

search warrent

How does the OSI layer 'Transport' exchange data?

segments

____ hide information through the use of signs or symbols.

semagrams

What does the 'Apparently-To: ' in header, indicate?

sign of a mailing list. One per recipient. Unusual in legitimate emails.

____ is also called pattern analysis because the administrator is looking for a pattern that is indicative of a problem or issue.

signature analysis

____ is a steganography tool that exploits the nature of white space.

snow

Swap file

space on a hard disk, used as the virtual memory extension of a computer's real memory (RAM).

Evidence storage containers or cabinets should be made of what material?

steel

A ____ is the mechanism that is used in performing steganography.

stegosystem

What are two tools used for keyword searching in Linux?

string and grep

The ____ event log records events relating to system behavior, including changes to the operating system, changes to the hardware configuration, device driver installation, the starting and stopping of services, and a host of other items of potential investigative interest.

system

Improper use of resources may create a DoS attack.

tRUE

What are three classifications of steganography?

technical, linguistic and digital

Swap File

the disk space that is set aside for virtual memory.

The process of file ___ involves locating the data on the disk particitions and allowing the OS to access the file

undeletion

The process of file ____ involves locating the data on the disk partitions and allowing the operating system to access the file.

undeletion

What does the term jailbreaking mean?

unlocking the iPhone and iPod Touch to permit the installation of third-party applications

Linguistic Steganography

uses written natural language to hide the message in the carrier in non-obvious ways. Jargon code (special language), Covered Ciphers (hidden openly), Null Ciphers - (Encryption where plaintext is mixed with non-cipher material), Grille Ciphers (cutting holes and lining up text).

What format do iPods use to store contact information?

vCard

____ uses an algorithm to find out if the data can be disregarded based on vectors that are present in the image file.

vector quamtization

Forensic laboratory imaging system will have these qualities

very low image capture rate

____ is the measure of how perishable electronically stored data are.

volatility

____ information is information that is lost the moment a system is powered down or loses power.

volitile

A ____ boot is the restart of a system that is already on.

warm

What does a user usually read before signing on to a system in which the user's responsibilities while using the system are stated?

warning banner

The forensic investigator made a copy of the CopyInstall.log in the root directory and wants to see the contents in hex because he believes this file may not be what it seems. What Linux command line tool could he use?

xxd -l CopyInstall.log and xxd -l CopyInstall.log HexOutput.log


Conjuntos de estudio relacionados

IGCSE: Atomic Structure: protons, neutrons, electrons and electronic structure

View Set

Physics Final: Sounds Waves and Music

View Set

HRTM 450 FINAL- SOMANG plus more

View Set

Advanced Networking, Chapter 4 - Quiz - Study Guide

View Set

BIOL 1408 - Photosynthesis lab review

View Set

Cultural geography: Canada chapter 8

View Set

Marketing Chapter 15 - Supply Chain and Channel Management

View Set

CH 14: Sales and Lease Contracts

View Set

Compucram: MLO - Things I need to study...

View Set