Certified Hacking Forensic Investigator (CHFI) - Exam Prep
____ is when a person or program, acting on behalf of another person, performs an invalid action.
??
Which mode can make the iPod image inaccurate?
Disk Mode
____ is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.
Intrusion detection
Hash Injection Attack
It's when the attacker injects a compromised hash into a local session and use that same hash to validate the network resources of that particular network
The first state of the PDA device when it is received from the manufacturer is the ____ state.
Nascent
What are options using dd in Helix?
Netbios/Local, Netcat, Split image
Which statements are true regarding NTP?
Network Time Protocol - internet standard protocol built on UDP Synchronizes clocks on client computers Fault tolerant and dynamically autoconfiguring Use UTC time
The fraggle attack is a UDP variant of the ____ attack.
Smurf
This type of DoS attack sends ICMP echo packets with spoofed source address.
Smurf
This type of DoS attack sends ICMP echo packets with spoofed source address. - Fraggle - Smurf - Land
Smurf attack sends ICMP packets with spoofed source addresses
Identify all required for setting up a forensics lab:
Office space, Storage for evidentiary materials, Interview facility, Operational laboratory.
What are the four critical fields?
Oldest event, Next event, Next event ID number, Oldest even ID number
____ is the use of influence and the art of manipulation to gain credentials.
Social engineering
Steganography clues
Software, -Steganophy tools, -Website references, -Cookie/ history files, -File names, -message logs, Multimedia files, Type of crime being investigated, Text files, -Text patterns, -unusual amount of blank spaces, Image Files, -Size changes, -file type changes, Statistical Analysis, Audio Files -Inaudible frequencies, -Odd distortions or patterns.
NAND -based flash memory
Solid state memory (flash chips) that retains memory without power
Disk Partition
Space defined on a hard drive, used to: Separate Operating system from the data files. Run Multiple Operating Systems. Logicvally organize Data
What is slack space?
Space left over between the last byte of a file and the first byte of the next cluster
What is a swap file?
Space on a hard disk used as virtual memory expansion for RAM
Unsolicited commercial e-mail (UCE), or junk e-mail, can be defined as ____.
Spam
Task List Commands: tasklist /v
Specifies that verbose task information be displayed in the output. Also list all process id's for application and services.
Task List Commands: tasklist /s
Specifies the name or IP address of a remote computer. The default is the local computer.
Data acquisition rules of thumb.
Produce 2 copies (1 working copy, 1 archive control). Use clean sterilized media. Verify integrity of copies to the original.
Safeboot
Program that encrypts drives and or Partitions
Transient Data
Programs that reside in memory and cache data. (i.e. network connection, user logout, ...)
18 USC 1361-2
Prohibit malicious mischief
FastBloc SE
Provides write protection only for devices attached to specific hard drive controller boards.
What are the three types of watermarks?
Semifragile, Fragile, Robust
Integrity Attack
Sending forged control, management or data frames over a wireless network. Injection attacks, Replay attacks
System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded?
System time, wall time and length of time the system has been running should be recorded.
System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded?
System time, wall time, time system has been running (Date /t and Time /t can be typed in a command prompt in windows to retrieve the system time)
According to the current RFC's syslog uses ___________to transfer log messages in a clear text format.
TCP
Which ports does HotSync open during the HotSync process?
TCP 14237, TCP 14238, and UDP 14237
Task manager lists running processes. Why does Helix have a viewer for running processes?
Task manager may be corrupt. Helix runs from a CD so it cannot be modified; therefore, it should display an accurate list of current processes
What are two ways to view running processes on Windows?
TaskManager & Tasklist command
___ is a powerful tools that extracts network packets and performs statistical analsis on those dumps.
Tcpdump
Espionage is the use of spies to gather information about the activities of an organization.
True
True or False: A subdirectory is created for a user in the Recycle bin
True
True or False: Is a Vault needed in a Forensic lab?
True
True or False: The EProcess object is created along with KProcess, PEB, and initial address space
True
True or False: With a recycle bin, Subdirectory is named with user's SID
True
Network Forensics
"Network Forensics is the capturing, recording, and analysis of network events in order to discover the source, path and Intrusion techniques of security attacks."
Hashing Algorithm Lengths: SHA-1
160 Bits
Which law is applicable to theft of trade secrets?
18 U.S.C. 1832
802.11a
54 Mbps, 5GHz
802.11g
54Mbps, 2.4GHz -Greater Range
What term defines an event that threatens the security of a computer system or network in an organization?
??
What is the difference between big endian and little endian?
A big-endian machine stores the most significant byte first. A little-endian machine stores the least significant byte first.
Choose the volunteer organization focused on issues related to child exploitation, online predators and child pornography.
Anti-Child Porn.org (ACPO)
What causes an IIS log to be suspect?
Any modifications to the log
Electronic Communications Service (ECS)
Any service which provides the ability to send or receive electronic communications.
Rule-Based attack
Attacker has some information about the password.
Rule 608
Evidence of character and conduct of witness
Where are deleted files stored?
FAT - Drive:\Recycled NTFS- Drive:\Recycler\S-... (Prior to Vista C:\Recycle.bin\S... based on user SID.
What is a standard electronic interface used between a computer motherboard's data paths or bus and the computer's disk storage devices?
IDE
Modes of attack.
Internal External
____ forensics is the application of scientific and legally sound methods for the investigation of Internet crimes, whose focus ranges from an individual system to the Internet at large.
Internet
Which two were created by the Department of Justice to safeguard children?
Internet Crimes Against Children (ICAC) Project Safe Childhood (PSC)
What is an important consideration for complete memory dump analysis?
Pagefile.sys (The swap file, called pagefile.sys, is virtual memory. Information in the swapfile must also be considered when analyzing memory.)
What is a Windows-based tool for Palm OS memory imaging and forensic acquisition?
Palm dd (pdd)
Forensic recovery of most deleted partition can be achieved by:
Partition Table Doctor
Which port does SSL typically use? - 80 - 443 - 445
Secure Sockets layer typically runs on port 443 SMB on port 445
Which file system runs on UFS?
Unix
DMZ Protocol attack
Uses DNS or FTP vulnerabilities, to conduct an attack.
When making a forensic image, According to best practices, what should you do when making the second copy?
Utilize a different imaging tool to verify the integrity of the image, by 2 tools generating the same results.
Which type of cell holds a value?
Value cell
Which type of cell holds values of common key cell?
Value list cell
iPods use the standard ____ file format for storing contact information.
Vcard
The RunMRU registry key can be cleared by:
by clearing the Recent documents list in the Start Menu and Taskbar Properties.
What command can be used to view the process register?
ps
Lastcomm command
shows last command utilized, on a Linux system.
fport
shows open TCP and UDP ports
Netstat -o
shows processID of the network connection process.
Define Technical Steganography?
uses physical or chemical means to hide the existence of a message
What happens when a partition is deleted?
All data in the partition is lost. Data can be recovered using a tool to reestablish the partition parameters. Corrupt the disk, by deleting all dynamic volumes.
Application Log
All events logged by programs.
What is true about rule-based attack?
Attacker already has some information about the password and rule can be written so password-cracking software will generate only passwords meeting the rule
Email bombing
Attacker sends the target a flood of email messages, to it doesn't have space to accept emails.
____ is an Internet protocol designed for accessing e-mail on a mail server.
IMAP
____ is the U.K. hotline for reporting illegal content, specifically acting upon child sexual abuse hosted worldwide, and content, hosted in the U.K., that is criminally obscene or incites racial hatred.
IWF Internet watch foundation
What is the process of using natural written language as a carrier to hide a secret message, known as?
Linguistic Steganography.
Anti-Digital Forensic techniques:
Overwriting data (Wiping). Exploitation of bugs in forensic tools. Obfuscation. Hiding Data (Steganography, Cryptography, low-tech...)
What tool secures a PDA from theft, loss or corruption? This tool includes Trusted Mobility server software. If used with PocketPC this tool allows the administrator to set a time and date range to monitor login attempts, infrared transmission and use of applications. - DS Lite - Device Seizure - PDA secure
PDA Secure secures a PDA from theft, loss or corruption. It includes Trusted Mobility server software. If used with PocketPC PDA Secure allows the administrator to set a time and date range to monitor login attempts, infrared transmission and use of applications.
What is the most important element of EProcess?
PEB
What is the most important element of EProcess?
PEB - Process Environment Block
Syllable attack
Password attack. Combination Brute force and Dictionary attack.
Ping of Death and Teardrop are two types of DoS attacks. What is a main difference?
Ping of Death deals with IP fragmentation and Teardrop deals with overlapping fragments
What is the port for SMB?
Port 445 (137 - NetBIOS Name Service, 139 - NetBIOS Datagram Service)
What is the port for FTP?
Ports 20 and 21
In the USA, the 4th Amendment of the United States Constitution prevents unreasonable search and seizure. What is the basis of a search warrant?
Probable Cause
A(n) ____ is a suitor who desires a physical or intimate relationship with the victim.
.Incompetent suitor
Where are deleted files stored by Macintosh OS X?
.Trash off the root of the drive. the "." indicates it is a hidden file.
In 802.11 standards: Temporal Key Integrity Protocol (TKIP) keys are changed every____________.
10,000 packets
Which law is applicable to theft of trade secrets? (Choose one) - 18 U.S.C 1832 - 18 U.S.C 1833 - 18 U.S.C 1834
18 U.S.C. 1832 applies to theft of trade secrets 18 U.S.C. 1833 - exceptions to prohibitions 18 U.S.C. 1834 - criminal forfeiture
How many bit-stream copies are made of the original evidence?
2
How many keys does asymmetric encryption have?
2 a public key and a private key
Which range of HTTP Status Codes reveals successful status codes?
200 - 206
WEP
24 bit Initialization Vector. 64, 128, 256 bit RC4 Encryption (Subtract IV- 40, 104, 232). CRC-32 Integrity Check. Easy to crack IV.
An SMTP server listens on port ____ and handles all outgoing e-mail.
25
The Blackberry Serial Protocol contains what fields?
3 byte packet header, always D9 AE FB Command type Command-dependent packet data Footer, always BF EA 9D
Which range of HTTP Status Codes reveals redirection status codes?
300 - 307
Hashing Algorithm Lengths: CRC-32
32 Bits
On a GSM phone that is obstructed with a pin code, how many incorrect entries for the PUK will disable the phone?
8
dd command
A Linux command, that can be used to write image files to a device such as a USB flash memory drive or hard disk. Captures a bit for bit data from the original device, in a RAW format.
Evil Twin
A Rogue Access Point masquerades as a legitimate access point, using the same SSID and potentially other identical settings..
Password cracking methods: Syllable Attack
A Syllable attack is the combination of both brute-force attack and a dictionary attack. This attack is often used when the password is a nonexistent word.
What is the difference between big endian and little endian? - Big-endian boots faster than little endian - A big-endian machine stores the most significant byte first. A little-endian machine stores the least significant byte first. - Big endian and little endian yield the same hex structure
A big-endian machine stores the most significant byte first. A little-endian machine stores the least significant byte first.
Bit Stream copy
A bit by bit copy of the original storage medium and or evidence
When viewing the timeline tab of the EnCase program, what do each of the dots on the graph represent.
A file in relation to the time it was accessed.
Network-Based intrusion detection
A network-based ID system monitors the traffic on its network segment as a data source.
Raid Levels: RAID 5
A popular disk subsystem that increases safety by computing parity data among all drives and increasing speed by interleaving data across three or more drives (striping).
POP3
A protocol for receiving e-mail by downloading it to your computer from a mailbox on the server of an Internet service provider.
SMTP
A protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another. The messages can then be retrieved with an e-mail client using either POP3 or IMAP. SMTP is also generally used to send messages from a mail client to a mail server.
Syslog
A protocol for transmitting event messages and alerts across an IP network that uses TCP to communicate and log messages are sent in clear text.
How long can a search warrant be used? - 3 days - Amount of time designated in the search order - 1 week
A search warrant be used for the amount of time designated in the search order
What type of virus can redirect the disk head to read another sector? - Boot-sector - Multipartite - Stealth
A stealth virus is a virus that can redirect the disk head to read another sector
Wireless Attacks: Wardriving
A technique hackers use to locate insecure wireless networks while driving around.
Wireless Attacks: Warflying
A technique hackers use to locate insecure wireless networks while flying around
What does the law concerning digital evidence include: A. Adhere to Chain of Custody B. Know the applicable, governing law C. Present evidence that is authentic, accurate, whole and acceptable
A, B, C
What is the proper order of volatility: A. Registers and cache B. Routing tables C. ARP cache D. Process table E. Kernal statistics and modules
A, B, C, D, E
Which class of evidence file, does EnCase not Support?
AD1 images are sparse image files supported by FTK and not EnCase.
By default, Microsoft's IIS log files are in ____ format, meaning that they are easily openable and searchable.
ASCII
What is the size of a hard drive having the following: 16384 cylinders/disk 80 heads/cylinder 63 sectors/track 512 bytes/sector
About 39 GB
What best describes the legal issues related to computer forensic investigations?
Admissibility in court, meeting relevant evidence laws while dealing with practical aspects of computers
Rule 1003
Admissibility of duplicates
What are conceptual ways to write block removable media on the MacIntosh? - Prevent Mac OS from automatically mounting removable media - Prevent iTunes from loading when iPod is connected - All of the above
All of the above: Methods for write blocking MacIntosh are preventing the Mac OS from automatically mounting removable media, preventing iTunes from loading when iPod is connected and mounting iPods with read-only access
What functionality does the code meter software enable in the FTK program?
Allows the FTK program to run.
Bootstrapping
Also called booting up. Describes a computer when it is just turned on and initializes the operating system.
Which of the following is a measurement of electric current?
Amperage
Event ID 4904
An attempt was made to register a security event source
What can an investigator use to recover SIM card data?
An investigator can use SIM Analyzer, simcon, and SIM Card Data Recovery software to recover SIM card data
Integrity attack
Attackers send forged control, management or data frames, over a wireless network , to misdirect the wireless devices in order to perform another form of attack. data frame injection, WEP injection, bit flipping and various replay style attacks.
Confidentiality Attack
Attempt to intercept confidential information sent over wireless associations (ie. Eavesdropping, Man in the Middle, or Sniffing).
Rule 502
Attorney-Client privilege and work product; limitations on waiver
Echo Data Hiding
Audio Staganogrphy Technique, message embeded into a cover audio signal, below audible levels. by: Amplitude, Decay Rate. and Offset.
Types of images.
Bit Stream, Backups
Bit-Stream disk-to-image file
Bit for bit replication of the original drive.
How do you calculate disk capacity?
C x H x S x (Bytes/sector)
BlackBerry software development was originally based on ____, but the latest models support MDS and Java.
C++
How is Palm OS memory organized?
Chunks known as records
Digital evidence tends to be what kind of evidence?
Circumstantial Evidence
Netstat -o
Command to view which processes are responsible for OPEN Network Ports.
Prior to a judge issuing a search and seizure warrant, an investigator must determine the significance of the computer being searched. What are the two roles a computer can play?
Computers can be used as a tool to commit a crime or a repository for criminal content
Prior to a judge issuing a search and seizure warrant, an investigator must determine the significance of the computer being searched. What are the two roles a computer can play? - Research - Tool - Repository
Computers can be used as a tool to commit a crime or a repository for criminal content
What should be documented in an Expert Witness Resume.
Credentials and certifications. Training. Referrals.
How are tracks numbered?
Cylinder, HeadNumber, Sector
____ is the technique to garble a message in such a way that the meaning of the message is changed
Cyrptography
What tools can read CSI Stick and Device Seizure acquisition files?
DS Lite
Which tools calculate MD5 and SHA1 hash values?
DS Lite and SIM Card Seizure
RAW format
Data capture bit for bit from the original device.
Lossy (ee) File Compression
Data is compressed perminantly by removing imformation from the file.
Carving an image.
Data recovery process that uses the database of headers and footers to recover files from a raw disk image. Works even if metadata has been destroyed.
What file contains the name given to the iPod, username logged into computer and name of computer? - SysInfo file - DeviceInfo file - IPSW file
DeviceInfo file is located at \iPod_Control\iTunes\DeviceInfo. It houses the name given to the iPod, username logged into the computer and name of the computer.
Why must a forensic investigator identify the type of device being investigated? - Because devices can be modified by changing logos or modifying the OS - Because devices sync with different operating systems
Devices can be modified by changing logos or modifying the operating system. Clues to help identify devices are the cradle interface, manufacturer's serial number and power supply.
Rule 705
Disclosure of facts or data underlying expert opinion
Legal considerations must be taken into account while investigating computer crime. Who should investigators work with while dealing with computer crime?
District Attorney
Legal considerations must be taken into account while investigating computer crime. Who should investigators work with while dealing with computer crime? - District Attorney - FBI - Local Police
District Attorney
What is the best way to deal with powered-off computers?
Do not change the state of any electronic device. Leave the computer off
What is the best way to deal with powered-off computers? - Do not change the state of any electronic device. Leave the computer off - Turn the computer on
Do not change the state of any electronic device. Leave the computer off
What is the best way to deal with powered-on computers? - Leave the computer on and photograph the screen and document the programs - Turn the computer off
Do not change the state of any electronic device. Leave the computer on and photograph the screen
____ is a data duplication software tool that provides access to remote drives through serial cables or TCP/IP.
DriveLook
What is a disk-forensic DOS tool designed to emulate and extend the capabilities of DOS to meet forensic needs?
DriveSpy
What is the advantage of PMDump?
Dump contents of process memory without stopping the process
Imaging
Duplicate data (bit-stream) to preserve the original data
Audio Staganogrphy Techniques
Echo Data hiding. Spread Spectrum.
Which tool can be used for acquiring and imaging evidence? It allows recovery of deleted files and provides hash generation of individual files, data capture and documentation. This tool also has a bookmarking feature that saves bookmarks in case files.
EnCase
Which tool can process event logs that are reported as corrupt?
EnCase
____ is the method of wrapping data from one layer of the OSI model in a new data structure so that each layer of the OSI model will only see and deal with the information it needs in order to properly handle and deliver the data from one host to another on a computer network
Encapsulation
Which are true about FAT12? - When formatted, the Master File Table (MFT) is created - Has enhanced security and file encryption - Suitable for file servers - Designed for floppy disks
FAT12 was designed for floppy diskettes
Which are true about FAT16?
FAT16 is a 16-bit file system. Filenames are 8 characters long with a 3 character file extension. Uses a 64 KB allocation units that becomes less efficient on partitions larger than 32 MB. Not suitable for file servers.
Which are true about FAT16? - FAT16 - filenames limited to 8 characters with 3 character extension - 64 KB allocation units - Less efficient on partitions larger than 32 MB - Suitable for large file servers
FAT16 is a 16-bit file system. Filenames are 8 characters long with a 3 character file extension. Uses a 64 KB allocation units that becomes less efficient on partitions larger than 32 MB. Not suitable for file servers.
For an iPod that was initially set up on a windows based computer, what type of file system will it have?
FAT32
IsoBuster is a highly specialized, difficult-to-use, CD and DVD data recovery tool.
False
Transformation techniques
Fast fourier transformation, Descrete Cosine Transformation (DCT, JPEG images use for image compresion), Wavelet Transformation.
What are three types of logs that can be used together to provide more compelling evidence.
Firewall logs, IDS logs and TCPDump
BIOS
Firmware run by the system when first powered on (Boot Loader). Identifies and initializes system component hardware.
This type of DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses
Fraggle
What is the basis of a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?
Frye
Which cipher specifies when a covert message can be revealed by overlaying a Template that will reaveal the message from the medium?
Grille cipher
Kidnappers often use chat rooms to turn children into victims. A kidnapper tries to build a relationship with children by showing them cartoons, interesting art clips, and offering them sweets. This is known as ____.
Grooming
What file system was developed by Apple Computer for Mac OS?
HFS
Which file system runs on Mac OS?
HFS
Which file system runs on Mac? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext
HFS - Mac OS
What are the main protocols for the Session, Presentation and Application Layers?
HTTP, SMTP, NNTP, Telnet
What are the types of IIS logging.
IIS standard logs, ODBC logging, Centralized binary logging, IISLogger tool
ARP table
IP address to MAC address
The ____ is the person responsible for the establishment and maintenance of security required for risk management.
ISSM Information system security manager
`____ is the U.K. hotline for reporting illegal content, specifically acting upon child sexual abuse hosted worldwide, and content, hosted in the U.K., that is criminally obscene or incites racial hatred.
IWF
This type of DoS attack does the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it. - Teardrop - Jolt - Reflective DDoS
In a Jolt attack the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it.
What is the Index.dat file used for?
Index.dat is used for redundant information such as AutoComplete information. Index.dat can be found in the History folder for Internet Explorer
How should evince be labeled?
Initials.date.Item#.sub-item# i.e. JSP.031712.001.2
Separator Injection attack.
Injecting a pipe( | ) character into log files toshift data to different columns. -Causes inconsistency. -Damages Integrity. -performed on pipe ( | ) character. -Difficult to find the defender.
Choose one answer naming what the FBI developed as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography.
Innocent Images National Initiative (IINI)
What are the two modes of attack?
Insider attack and External attack
Importance of case assessment
It makes the best use of the time and resources. It helps to clarify whether a person is likely to qualify. It avoids giving false hope to those who do not qualify. It allows people who do not qualify for the resettlement program to begin looking for other solutions.
In the Windows based Recycle bin, What happens to deleted files larger than 4 GB?
It will be stored. The 4GB limitation, only applies to Windows versions prior to Vista. Those larger cannot be stored in the Recycle bin
Jack, a forensic investigator, believes key evidence is on a PDA device. The PDA has one card in the expansion slot and several more lying on a table. The PDA is in it's cradle. What should Jack do? (Each answer is one solution) - Leave card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags. - Remove card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags. - Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags
Jack should leave the card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags.
What does the term jailbreaking mean? - Process of unlocking PC by cracking the SAM database - Process of unlocking the iPhone or iPod Touch to permit installation of third-party applications - Process of unlocking Linux by changing the root password
Jailbreaking is process of unlocking the iPhone and iPod Touch to permit the installation of third-party applications
A language that a special group of people can understand, but is meaningless to others is known as?
Jargon Code.
What is Kerberos?
Kerberos is a secure authentication mechanism available in Windows.
Computer investigation toolkit should contain:
Laptop computer with appropriate software. Operating systems at Patches. Application media. Write protected backup devices. Blank Media. Basic networking equipment and cables.
What is the best way to deal with powered-on computers?
Leave the computer on and photograph the screen
What are Linux PDA security features? - User authentication, access control, encryption, PPTP, IPSec, SSH - User identification, encryption, IPSec - User authentication, access control, encryption, SSL
Linux PDA security features include user authentication, access control, encryption, PPTP, IPSec, SSH. Point-to-Point Tunneling (PPTP) Internet Protocol Security (IPSec) Secure Shell (SSH)
JPEG
Lossy, divides image into separate blocks of 8x8 pixels. DCT transformation compression. Checks for image quality. Segment Marker 2 bytes. Segment size 2 bytes. (D8 start of image, D9 End of Image) Data can be stored between end of image and end of sector.
What tool can parse memory?
Lsproc.pl d:\dumps\test-mem.dmp
A(n) ____ address is a unique 48-bit serial number assigned to each network interface card, providing a physical address to the host machine.
MAC
LAN address
MAC address of a node.
BSSID
MAC address of an access point
What is true about MAC times?
MAC times are time stamps referring to the time at which the file was last modified in some way and MAC stands for modified, accessed and created
EnCase calculates a(n) ____ hash when it acquires a physical drive or logical drive.
MD5
What hashing files are utilized by the FTK program for image file integrity checks?
MD5 and SHA1
File System Intrusion
Malicious programs introduced from outside sources. Indicated by: -new files, -changes in file permissions, -unfamiliar file names, -missing files.
What techniques can be used to detect wireless access points?
Manual detection, active wireless scanning, passive wireless scanning, Nessus vulnerability scanning
What does a good investigative report include?
Methods of investigation, Litigation support reports, References, Error analysis, Adequate supporting data, Acknowledgments, Results and comments, Graphs and statistics, Description of data collection techniques, Calculations used, References
LogParser.exe -o:DATAGRID "select * from system" is what type of command?
Microsoft Log Parsing (Microsoft Log Parser accepts three arguments: i - input o - output query similar to SQL)
Entourage
Microsoft Office - Email client for Macintosh.
Microsoft Outlook / Express
Microsoft Outlook uses .pst and .ost data files. While Microsoft Outlook Express uses .idx and .dbx data files.
____ is a vulnerability-assessment product that scans Web servers to identify security problems and weaknesses.
N-Stealth
Which are true about NTFS? - When formatted, the Master File Table (MFT) is created - Has enhanced security and file encryption - Suitable for file servers - Designed for floppy disks
NTFS provides enhanced security, file-by-file compression, quotas and encryption. Designed for large hard disks. When a volume is formatted, the Master File Table (MFT) is created. MFT is the first file on the NTFS volume and contains information about all the files and folders on the volume.
Which are true about NTFS?
NTFS provides enhanced security, file-by-file compression, quotas and encrytion. Designed for large hard disks. When a volume is formatted, the Master File Table (MFT) is created. MFT is the first file on the NTFS volume and contains information about all the files and folders on the volume.
Where are deleted files from a NTFS system stored?
NTFS- Drive:\Recycler\S-... (Prior to Vista C:\Recycle.bin\S... based on user SID.
The most common way to use this command is with -ano switches or -r switch.
Netstat
____ forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks.
Network
Types of Intrusion Detection systems
Network Based. Host Based. Log File Monitoring. File Integrity Checking.
It appears the suspect's computer is connected to a network, what is one thing an investigator should look for?
Network Connections
What is capturing, recording, and analysis of network events in order to discover the source of security attacks?
Network forensics
Palm OS is an embedded operating system originally based on the Motorola DragonBall MC68328 family of microprocessors. Newer devices use what? - AMR architecture-based BigAMR and YScale microprocessors - ARM architecture-based StrongARM and XScale microprocessors - Intel microprocessors
Newer Palm OS devices use ARM architecture-based StrongARM and XScale microprocessors
Bit Depth
Number of colors available for each pixel.
DNS Cache Poisoning
One way to misdirect a host, is DNS cache poisoning. The DNS cache stores IP addresses of websites recently resolved. It is possible for a hacker to insert fake mappings into DNS server by using buffer overflow or other means. The SOA record tells how long the DNS cache poisoning will last. In order to make the DNS server secure from the DNS cache poisoning attack, enable DNS socket pool on the DNS server. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute the attack. The DNS socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks.
What steganography type hides the secret message in a specifically designed pattern on the document that is unclear to the average reader?
Open code
What three things does the Mac OS X depend on?
Open firmware, boot loader, typical Mac OS X boot sequence
FTK uses what database?
Oracle
What is forensic readiness?
Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation
What is forensic readiness? - Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation - Organization has trained personnel who work together to handle an investigation - Organization has specific incident response procedures
Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation
Which acts pertain to privacy?
PIPEDA and Data Protection Act 1998 Section 55
Which technology identifies attached devices as either Master of Slave devices?
PATA (3 position cable: One side attaches to the logic board the other 2 attach to either the slave device (Center of cable) or the Master Device (End of cable)
What tool secures a PDA from theft, loss or corruption? This tool includes Trusted Mobility server software. If used with PocketPC this tool allows the administrator to set a time and date range to monitor login attempts, infrared transmission and use of applications.
PDA Secure
What are two tools used to acquire information from a PDA?
PDA Seizure and Palm dd
What is a PDA? - Personal Digital Assistant - Professional Digital Assistant - Palm Digital Assistant
PDA stands for Personal Digital Assistant
A ____ is a property right granted to the inventor by the USPTO to keep others from making, using, or selling the invention without authorization.
Patent
____ is an e-mail fraud method in which the perpetrator sends out official-looking e-mail to the possible victims, pretending to be from their ISP, bank, or retail establishment, to collect personal and financial information.
Phishing
What does a good investigative report not include? - Calculations used - Litigation support reports - Methods of investigation - Adequate supporting data - Problem statement
Problem statement is not part of an investigative report. A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports
Running processes
Processes that are currently running on the computer.
Rule 1002
Requirement of original
Computer forensics includes what?
Rules of evidence Legal processes Integrity of evidence Factual reporting of information found Expert opinion about findings presented in a court of law, or other legal or administrative hearing
Common reasons for making multiple partitions.
Running multiple operating systems. Segregate the OS files from user data. Increased performance.
____ allows an investigator to synchronize and backup files from a source folder on one computer to a target folder on a second networked computer or local storage device.
Save N Sync
A ____ is an abusive environment where an employee is subjected to unwelcomed sexual advances from coworkers.
Sexual Harrasment
With a Blackberry device connected to a computer, what can be used to discover information on a phone obstructed by a pin number?
The computer can be used to unlock the phone by examining the .idp backup files, and then utilize tools to examine the backup files.
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the core iPhone OS layer provide?
The core layer provides the kernel, drivers and basic interfaces of the operating system.
What happens when you delete a file in windows?
The system marks the files name in the MFT with a special character that indicates the file has been deleted. The file name and path are stored in the hidden file Info (or Info2). The information only disappears once the space has been overwritten.
What are the steps recommended by EC Council for collecting evidence? - Find the evidence - Discover the relevant data - Prepare an order of volatility
There are three steps recommended by EC Council for collecting evidence including: - Find the evidence - Discover the relevant data - Prepare an order of volatility
Blackberry Attachment Service has a known vulnerability. What is it? - Text attachment can be used to generate a buffer overflow - WMF or EMF (known bug in GDI) - Arbitrary code
There is a known bug in GDI componenet of Windows while processing WMF or EMF (Enhanced Metafile) images
Which one is NOT an objective of computer forensics?
To recover and identify the evidence quickly
X-Ways tool
Tool used to scan virtual memory.
What are tools necessary for forensic analysis of an iPod or iPhone?
Tools necessary for forensic analysis of an iPod or iPhone include EnCase, Forensic Toolkit, Recover My iPod and iPod Data Recovery
What are the two categories of cybercrime?
Tools of crime and Target of crime
EnCase is divided into three panes. What are the names of these panes?
Tree - Case information Table - Timeline, Gallery View - text, hex, picture, fields
EnCase is divided into three panes. What are the names of these panes? - Tree - Table - View - Data
Tree - Case information Table, Timeline, Gallery View - text, hex, picture, fields...
____ are programs that contain or install malicious programs on targeted systems.
Trojan Horse
A forensic lab should have both forensic and non-forensic workstations for investigative purposes.
True
Capturing network traffic over a network is simple in theory, but relatively complex in practice.
True
When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected.
True
iPod Touch uses WiFi, Safari Web browser and wireless access to iTunes Store and YouTube.
True
The first eight digits of an IMEI number is also known as:
Type Allocation Code (TAC)
What are the main protocols for the Transport Layer?
UDP and TCP
Which file system runs on Unix? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext
UFS - Unix
Active@ ____ is a DOS-based solution designed for complete backup and restoration of the whole HDD, as well as the particular FAT/NTFS partitions and logical drives.
UNERASER
A(n) ____ is an identifier string that indicates where a resource is located and the mechanism needed to retrieve it.
URL
What is a NAND-type flash memory data storage device integrated with a USB 1.1 or 2.0 interface?
USB flash drive
What are two ways to unmount an iPod? - Drag to trash (Mac) - Click Safely Remove Hardware (Windows) - Unplug the iPhone
Unmount the iPod by either dragging the iPod icon to the trash (Mac) or clicking the Safely Remove Hardware button (Windows)
How do attackers blackjack a blackberry?
Use the BBProxy tool to attack the host of the network
___ use of geometrical shapes and primitives such as points, lines, curves and poloygons, based upon mathematical equations, in order to represent images in a computer
Vector images
2 categories of image files.
Vector images, Rastor images.
What statements reflect how time stamps are displayed or changed in the NTFS file system?
When a file is moved from one folder to another on the same file system, the file keeps the same modification and creation dates When a file is copied from one folder to another on the same file system, the file keeps the same modification date, but the creation date is updated to the current date and time
When would you conduct searches without a warrant?
When destruction of evidence is imminent
ActiveSync allows an unlimited number of password attempts. How can an attacker gain access to the password? Choose the easiest method. - Password sniffing and brute force/dictionary attack - Keylogger - Guessing
While an attacker can use password sniffing and a brute force or dictionary attack, it may be easier to install a keylogger on the desktop. Then, the attacker can record the password when the user syncs using ActiveSync.
Snow
Whitespace steganography tool. Hides messages in ASCII test by appending whitespace at the end of the lines.
Which file system runs on NTFS?
Windows
Which statements are true regarding EFS? - EFS can encrypt files stored on Windows 2000, Windows XP Pro, and Windows Server 2003 - EFT protects data in transit - EFS uses symmetric and asymmetric cryptography
YES! EFS encyrpts files stored on Windows 2000, XP Pro and Server 2003. It is NOT designed to protect data in transit from one system to another. EFS uses symmetric and asymmetric cryptography. EFS encyryption occurs at the file system level not the application level. It is transparent to the user and to the application. If a folder marked for encryption, then every file created in or moved to said folder will be encrypted. There is no back door. File encryption uses a symmetric key. This symmetric key is then encrypted with an asymmetric public key. EFS keys are protected by the user's password EFS-encrypted files do not remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext and if saved to a folder with encryption, re-encrypted.
Which file system runs on Sun Solaris?
ZFS
Which file system runs on Sun Solaris? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext
ZFS - Sun Solaris
____ is a method of compressing files designed by Phil Katz.
Zip
What registry key contains MRU list?
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
What is a bit-stream copy?
a bit-for-bit copy of the original storage medium
ACR Data Recovery
a full-scale data recovery center. It provides computer forensic software and in-house services to corporations and individuals.
The Center for Computer Forensics (CCF)
a leading provider of services to law firms and corporations. It was established in the year 1997. It is uniquely qualified to offer a solution that is scaled to the requirement of the case, large or small. The CCF provides an inclusive list of data preservation, computer forensics, and e-discovery services to make sure that the case is handled economically. It also fulfills the data recovery requirements by working with the Data Recovery Group.
Metadata
data about a particular document.
What command can be used to view command history?
doskey /history and scroll up in the command window
____ is an attack based on the cryptanalytic time-memory trade-off technique.
hash table attack
What is the key concept of Enterprise Theory of Investigation (ETI)?
holistic approach used by FBI to look at any criminal activity as a piece of a criminal operation rather than a single criminal act.
A ____ works the same way as a honeypot, but instead of an entire system, it is done at the directory or file level.
honey token
What is built-in on many PDAs?
infrared, Bluetooth and WiFi
What is Encase's strongest attribute?
it is an all-in-one tool
What are signatures for the cells in the registry?
kn (key cell), kv (value cell), ks (security descriptor cell)
Why is iPod useful for information theft?
large storage capacity, small size and rapid data transfer
Hidden Partition
logical section of disk space, which is not accessible by the operating system.
DriveSpy
tool used to collect slack space in a partition, into a file.
FTK imager
tools to grab registry files.
LBA number:
total number of sectors on a disk.
On every hard disk, data is stored in thin, concentric bands, called ____.
tracks
The strength of passwords can be calculated mathematically by the length of time it would take for a brute force cracker to discover them.
true
UNIX and Linux use a tree, or hierarchical, structure for storing files and directories.
true
A forensic investigator wants to find some information on a computer running Linux. He wants to find the computer name and version of Linux. Then he wants to list the files in the root directory Finally, he wants to see protocol information. What commands should he use to accomplish these three tasks?
uname -a, ls -l, netstat -s
What command displays a list of the available event logs in Vista?
wevtutil el
When is a checksum performed on the evidence?
while you acquire the data
Older BlackBerry 950 and 957 had Intel 80386 processors. What type of processors do modern Blackberry devices have?
ARM7 of ARM9
What command can be used to display the mappings between different layers of the network architecture?
ARP
A forensic investigator types: file CopyInstall.log What is the response?
ASCII text (if the file is ASCII) and ELF 32-bit LSB executable... (if the file is actually an executable)
US accreditation association for forensic Laboratories.
ASCLD -American Association of Crime Lab Directors
The ____ tool attempts to confuse the connected wireless devices by sending deauthentication packets.
Aireplay
Who makes digital watermarks?
Digimarc
WEP Injection is used in what kind of wireless attack?
Integrity attack
Authentication Flood
Overloading the WAP with authentication requests, causing a DoS.
In today's digital world, reports are generally submitted electronically to the court. The standard format for reports is ____.
____ is a lossless image format intended to replace the GIF and TIFF formats.
PNG
A forensic investigator types sfdisk -l Part of the output lists four devices: /dev/hda1, /dev/hda2, /dev/hda3, and /dev/hda4 What is an hda device?
Primary master
What is an hdb device?
Primary slave
A(n) ____ is a person who wants to physically or sexually attack the victim.
predatory stalker
A(n) ____ attack uses spoofed IP addresses to send broadcast ping messages to a large number of hosts in a network to flood the system.
smurf
Bluetooth
1-3 Mbps, 10 Meters
Password cracking methods: Rainbow Table Attack
"A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters."
Hidden Field Manipulation Attack
"Hidden fields is a poor coding practice that has been known and publicized for some time, although it still continues. It's the practice of using hidden HTML fields as the sole mechanism for assigning price or obscuring a value. These fields can be manipulated by the attacker."
MAC Filtering
"In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network."
IP Spoofing
"Is the creation of Internet Protocol packets with a spoofed source IP address, with the purpose of concealing the identity of the sender or impersonating another person or computer system."
Common E-mail Headers: Content-Transfer-Encoding
"This header relates to MIME, a standard way of enclosing nontext content in e-mail. It has no direct relevance to the delivery of mail, but it affects how MIME-complainant mail programs intercept the content of the message."
Buffer Overflow:
"is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited."
Session Hijacking
"is the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system."
What is part of corporate investigation?
- Business must continue during the forensic investigation - Generally address policy violations or legal disputes - May address wrongful termination - Must carefully follow government regulations - May address industrial espionage
To obtain a search warrant, police or government agent must:
-Obtain signature by judge or magistrate -Present good reason for search
Which list contains some important PDA security issues?
-Password theft -Virus attack -Data corruption -Applicaton vulnerabilties -Data theft -Wireless vulnerabilties -Device theft
What are some standard /usr sub-directories? - bin - local - dev
/bin & /local: Typical /user sub-directories include: bin - support files for programs local - software (stuff you install) sbin - more commands for system adminstration and repair share - items common to multiple systems src - source code for nonlocal software
An e-mail client connects to an IMAP server via port ____.
143
Which law is applicable to exceptions to prohibitions?
18 U.S.C. 1833
Which law is applicable to criminal forfeiture?
18 U.S.C. 1834
Which other event was instrumental to the evolution of computer forensics?
1893: Hans Gross was first to apply science to criminal investigation.
Which event was instrumental to the evolution of computer forensics? - 1932: FBI set up forensic services laboratory for field agents and law authorities. - 2000: Computer Administration and Reconnaissance Team was developed - 1932: FBI set up computer hacking lab for field agents and law authorities
1932: FBI set up forensic services laboratory for field agents and law authorities.
How about another which event was instrumental to the evolution of computer forensics?
1984: Computer Analysis & Response Team (CART) was developed.
Which event was instrumental to the evolution of computer forensics? - 1984: Computer Administration & Response Team (CART) was developed. - 1984: Computer Analysis & Reconnaissance Team (CART) was developed - 1984: Computer Analysis & Response Team (CART) was developed.
1984: Computer Analysis & Response Team (CART) was developed.
Which event was instrumental to the evolution of computer forensics again again?
1993: first international conference on computer evidence was held in USA.
What type of security does the Blackberry use? RSA
3DES and AES
Wireless Standards: 802.11a
5 GHz and up to 54 Mbits per second
Which of the following ar ACMru subkeys?
5001: MRU list for Internet Search Assistant 5603: MRU list for WIndows XP files and folders search 5604: MRU list corresponding to searching for a word or phrase in a file 5647: MRU list corresponding for computers entered when searching for computers or people
What port does syslog run on?
514
What three different event IDs Windows access attempts?
560, 567, 562
If a file is 2575 bytes, what is it's size in sectors?
6
NTFS partioning rules start the first primary partition in the __sector
64th
What Event ID is recorded when a service is stopped in Windows?
7035
What Event ID is sent when the service actually stops?
7036
How long is a key cell?
76 bytes
What can an investigator use to recover SIM card data? - SIM Analyzer - simcon - SIM Card Data Recovery software
All of the above: An investigator can use SIM Analyzer, simcon, and SIM Card Data Recovery software to recover SIM card data
What type of wireless attack is a PSK cracking?
Authentication attack using a Dictionary attack to crack the password.
Which of these are NOT one of the four steps that the Blackberry uses to receive email? Blackberry Enterprise Server (BES) - BES monitors user mailbox. When new message arrives, BES picks it up. - Message is compressed and sent over internet to Blackberry server - Message is compressed, encrypted and sent over internet to Blackberry server - Message is decrypted on users Blackberry device. Message is unreadable by any other device, including other Blackberry - Server decrypts, decompresses and places email into Outbox. Copy of message put in Sent Items folder
Blackberry messages are encrypted
The ____ is a collection of Web page copies stored on the system's hard disk or in its volatile memory.
Browser Cache
IMAP - Internet Messaging Access protocol
Bulletin board and email messages on a mail server. Makes them act as if stored locally. Port 143
The ____ provides appropriate remedies for intentional discrimination and unlawful harassment in the workplace.
Civil rights act of 1991
The term ____ espionage is used to describe espionage for commercial purposes.
Corporate
The role of the forensic investigator is to:
Create an image backup of the original evidence without tampering with potential evidence
Types of password attacks.
Dictionary Attack Brute Force attack, Hybrid Attack, Syllable attack, Rule-Based attack.
Initial questioning by the council that calls the witness to testify.
Direct Examination.
Active@ ____ is a DOS-based solution designed for complete backup and restoration of the whole HDD, as well as the particular FAT/NTFS partitions and logical drives.
Disk Image
Netstat Commands: Netstat -r
Displays the routing table
The first step in preparing a computer for forensics investigation is:
Do not turn the computer off or on, run any programs, or attempt to access data on a computer
What is the Recycler file format for OS's older than Vista?
Dxy.ext. x= the drive. Y= Sequence Number (SID)
The report functionality of EnCase allows the report to be exported out in which formats?
Encase allows exporting of the report in ALL formats except PDF.
What are two popular tools used in computer forensic analysis?
Encase and FTK
SD cards usually come preformatted with what file system?
FAT32
Which are true about FAT32?
FAT32 is the 32-bit version of the FAT file system that uses smaller clusters which results in more efficient storage capacity. It supports drives up to 2 TB. It can relocate the root directory and use the backup copy rather than the default copy. It can dynamically resize a partition.
Which hexa-decimal characters define the location of the Start of a JPEG file?
FF D8
Analyzing phone Information
Identify individuals who created, modified or accessed a file. From call logs, determine dates and times and message content. Create timeline. Recover hidden information. Cryptanalysis to decrypt information. Password cracking tools (Hydra). geographical locations.
Entropy Test
If file cannot be compressed easily, it contains lots of random data. Meaning it is encrypted
What is the port for SSL?
Port 443
Steganography Techniques: Substitution Technique
Replaces redundant or unneeded bits of a cover with the bits from the secret message.
Rule 901
Requirement of authentication or identification
____ is a command-line network-debugging tool.
Tcpdump
What are the concentric circles on platters where all the information is stored?
Tracks
True or False: /var is used for system-specific data and configuration files.
True
True or False: Files are renamed with the original drive letter, a number and the original extension
True
When is a search warrant NOT required?
When law enforcement witnesses the crime
What are the file types for Linux?
d, -, c, b, s, p, l
Data Carving
extraction of embedded or deleted files
What format do iPods use to store contact information? - vCard - iCard - eCard
iPods use standard vCard file format to store contact information. This format exchanges electronic business cards.
The primary threat to computer systems has traditionally been the ____ attack.
insider
What is the best way to protect PDAs from wireless attacks?
install a VPN client on the PDA and encrypt the connection
R-Linux uses a unique ____ technology and a flexible parameter setting that gives the investigator control over the data recovery.
intellegentScan
What are two commands to obtain network information?
netstat -ano and netstat - r
Which nmap scan is a slow scan to avoid detection?
nmap -sS -PT -PI -O -T1 122.13.145.15
Hard drive Tracks
"Hard drive tracks are logical rather than a physical structure, and are established when the disk is low-level formatted. Track numbers start at 0, and track 0 is the outermost track of the disk. If the disk geometry is being translated, the highest numbered track would typically be 1023."
Technical Steganography
"In technical steganography, physical or chemical methods are used to hide the existence of a message. It can include two methods: Invisible ink and Microdots."
SQL Injection
"Is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (Web Application). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database."
Forensic Investigator
"Is an Investigator who helps organizations and law enforcement agencies in investigating cybercrimes and prosecuting the perpetrators of those crimes. He is responsible for the acquisition, identification, preservation, documentation and the creation of an image back-up (bit by bit) of the evidence without affecting or changing same."
Bit Depth
"Is either the number of bits used to indicate the color of a single pixel, in a bitmapped image or video frame buffer, or the number of bits used for each color component of a single pixel."
First Responder
"Is responsible for protecting, integrating, and preserving the evidence obtained from the crime scene. The first responder must investigate the crime scene in a lawful matter so that any obtained evidence will be acceptable in a court of law."
Dumpster Diving
"Is the practice of sifting through commercial or residential waste to find items that have been discarded by their owners, but that may prove useful to the garbage picker or hacker. This can include any sensitive information related to computer systems."
Forensic Science
"It's the application of physical sciences to law in search for truth in civil, criminal, and social behavioral matters for the purpose of ensuring injustice shall not be done to any member of society."
Raid Levels: RAID 0
"RAID 0 (also known as a stripe set or striped volume) splits data evenly across two or more disks (striped), without parity information and with speed as the intended goal. RAID 0 was not one of the original RAID levels and provides no data redundancy."
Raster Image
"Raster image dimensions are measured in pixels. Because raster images cannot be enlarged without losing quality, different suppliers have specific size requirements for their processes. The amount of pixels within each inch in the image represents the image pixel resolution which also determines its quality."
Steganography
"Steganography (pronounced STEHG-uh-NAH-gruhf-ee, from Greeksteganos, or ""covered,"" and graphie, or ""writing"") is the hiding of a secret message within an ordinary message and the extraction of it at its destination to maintain the confidentiality of data."
Swap Space
"Swap space is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. The name of this file is the pagefile.sys (Swap file where evidence from RAM can be located) and is located in the root of the C:\."
Frye Standard
"The Frye standard, Frye test, or general acceptance test is a test to determine the admissibility of scientific evidence and examinations. It provides that expert opinion based on a scientific technique is admissible only where the technique is generally accepted as reliable in the relevant scientific community."
SCSI (Small Computer System Interface)
"The Small Computer System Interface (SCSI) is a set of parallel interface standards developed by the American National Standards Institute (ANSI) for attaching printers, disk drives, scanners and other peripherals to computers."
SAM (Security Accounts Manager)
"The System Account Manager (SAM) database stores user's passwords in a hashed format. Since a hash function is one-way, this provides some measure of security for the storage of the passwords. This file is located at C:\windows\system32\config\SAM"
Wireless Passive Scan
"The client radio listens on each channel for beacons sent periodically by an Access Point. A passive scan generally takes more time, since the client must listen and wait for a beacon."
Net Commands: Net Use
"The net use command is used to display information about shared resources on the network that you're currently connected to, as well as open sessions on other systems."
Lost Cluster
"The operating system assigns a unique number to each cluster and then keeps track of files according to which clusters they use. Occasionally, the operating system marks a cluster as being used even though it is not assigned to any file. This is called a lost cluster."
Slack Space
"The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space"
Password cracking methods: Hybrid Attack
"This attack is based on the dictionary attack. In this attack, the program adds numbers and symbols to the words from the dictionary"
Password cracking methods: Brute-Force Attack
"This attack, the attacker tries every possible combination of characters until the correct password is found. It's a very slow method and takes a large amount of time for longer passwords."
Common E-mail Headers: Errors-To
"This header specifies an address for mailer-generated errors such as bounce messages, to go to (instead of the sender's address)."
Common E-mail Headers: Content-Type
"This is another MIME header, telling MIME-complainant mail programs what type of content to expect in the message."
ASCLD (American Society of Crime Laboratory Directors)
"To promote the effectiveness of crime laboratory leaders throughout the world by facilitating communication among members, sharing critical information, providing relevant training, promoting crime laboratory accreditation / certification, and encouraging scientific and managerial excellence in the global forensic community."
INFO2 File
"When a user deletes a file, it's not actually permanently deleted. Instead, the file is copied into the recycle bin's systems folder for further instructions in how to deal with the file. In this case it's the INFO2 file"
WPA
"Wi-Fi Protected Access (WPA) is a security standard for users of computers equipped with Wi-Fi wireless connection. It changes its TKIP (Temporal Key Integrity Protocol) keys every 10,000 packets."
Event Logs
"Windows event log is a record of a computer's alerts and notifications. Microsoft defines an event as ""any significant occurrence in the OS or in a program that requires users to be notified or an entry added to a log."""
Logical block addressing (LBA):
"is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disks. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on in a sequential matter."
DNS Poisoning: DNS spoofing (or DNS cache poisoning)
"is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer)."
When logged on as an administrative user in Linux shell, the command line prior to the prompt will be__.
#
DHCP Service Activity Logs are stored where?
%SystemRoot%\System32\DHCP
When logging is enabled, Windows Firewall logs are stored in ____.
%SystemRoot%\pfirewall.log
Windows Firewall logs are stored where?
%SystemRoot%\pfirewall.log
There are three Windows event log files, SysEvent.evt, SecEvent.evt, and AppEvent.evt. Where are they located?
%SystemRoot%\system32\config folder
Where are IIS Web server logs most often maintained?
%WinDir%\System32\LogFiles directory
Which range of HTTP Status Codes reveals server error status? - 100-101 - 200-206 - 300-307 - 400-416 - 500-505
**HTTP Status Codes 500-505 - Server Error Status Codes ** HTTP Status Codes 100-101 - Informational Status Codes HTTP Status Codes 200-206 - Successful Status Codes HTTP Status Codes 300-307 - Redirection Status Codes HTTP Status Codes 400-416 - Client Error Status Codes
Mac OS X boot process
- BootX initialized Open Firmware - BootX creates a pseudodevice called sl_words (secondary loader) - BootX looks up device options properties (little endian, real mode...) - BootX looks up the chosen device handles - BootX initialized handles to memory, keyboard, display - BootX checks the security mode - BootX finds the kernel and constructs the path to the kernel - BootX draws Apple logo splash screen - BootX decodes the kernel - BootX saves the file system cache data and sets up various boot arguments - Kernel executes - Kernel determines the root device - Kernel initializes BSD data structures, I/O kit - Kernel starts /sbin/mach_init which maintains mappings between service names and Mach ports that provide those services - Mac OS X desktop is loaded with login window by default
Before starting the investigation what are two important things to consider?
- Crime scene technician capable of analyzing and acquiring a variety of evidence should be on the team - A forensic lab should be equipped with forensic tools required for the investigation
What are the steps recommended by EC Council for collecting evidence?
- Find the evidence - Discover the relevant data - Prepare an order of volatility
Email, Instant Messaging password recovery tools
- Mail PassView - email - Messenger Key - instant messaging - MessenPass - Mail Recovery
Network Password Recovery - network passwords
- SniffPass - captures password that pass through the network adapter (POP3, IMAP4, SMTP, FTP, HTTP) - Asterisk Key - reveals asterisks that hide passwords - Asterisk Logger - reveals asterisks that hide passwords - Password Spectator - reveals asterisks that hide passwords
Lossy (ee)
- when copied, you lose part of the message every time it is copied.
EC-Council identified thirteen steps for evaluating a case. The first three are listed below. Choose the next two steps from the list below. 1 - Initially examine the investigator service request 2- Find the legal authority for the forensic examination report 3- Ensure that request for assistance is assigned 5- Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...) 4 - Provide complete chain of custody 4 - Send any preservation orders to ISP or other storage provider 5 - Identify any additional equipment needed
-4 Provide complete chain of custody -5 Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...) EC-Council identified 13 steps for evaluating a Case in order presented below: -1 Initially examine the investigator service request -2 Find the legal authority for the forensic examination report -3 Ensure that request for assistance is assigned -4 Provide complete chain of custody -5 Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...) -6 Send any preservation orders to ISP or other storage provider -7 Identify relevance of peripherals such as credit cards, check paper, scanners, cameras... -8 Establish potential evidence being sought -9 Obtain additional details such as emails addresses, usernames... -10 Assess skill levels of users to determine how they might delete or conceal evidence -11 Set the order of evidence examination -12 Identify any additional expertise needed -13 Identify any additional equipment needed
Best Practices for Foresic Image Analysis.
-Document Current condition of the evidence. -Forensically Sound and Verifiable evidence collection. -Images should be capture using hardware or software capable of capturing a bitstream image of the original. -Integrity of digital evidence should be maintained when submitted for examination. -Properly prepared media should be used when making forensic copies. -Foresic images should be archived and maintained. -Prevent exposure to contamination. -Use Write Blockers to prevent modification.
What are some PDA security countermeasures?
-Install a firewall -Disable HotSync and ActiveSync features not in use -use a strong password -Do not store passwords on the host PC -Install antivirus software -Encrypt critical data -Do not use untrusted WiFi access points
What is the X-mailer header file extension for Outlook Express archives?
.dbx
What regular expression is a way to detect XSS?
/((\%3C)|<)((\%2F)|\/)*(a-z0-9\%]+((\%3E)|>/ix
What directory is used to store critical startup and configuration files
/etc
Which of the following are true about Restore Point Registry settings? 1) HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore 2) Purpose of restore points is to take a snapshot of a system so it can be restored if something goes wrong 3) Restore points cannot be reset and disabled 4)\System Volume Information\ -restore (GUID)\RP## is the location of restore points
1,2,4 - Restore points can be reset and disabled.
What are the six stages of process creation?
1. Launch .exe: File Execution Options registry key is checked for debugger value. If yes, process starts over 2. EProcess object created along with KProcess, PEB, and initial address space 3. Initial thread created 4. Windows subsystem is notified of new process and thread 5. Execution of initial thread starts 6. Initialization of address space is complete for new process and thread
Exceptions to 4th amendment. Conditions required toSeize without a Warrant.
1. NO reasonable expectation of privacy. 2. Falls within an established exception to the warrant requirement.
IMEI - International Mobile Equipment Identifier.
15 digit number Indicates: Manufacturer, Model Type, Country of approval for GSM. First 8 digits- Type Allocation Code (TAC) - model and origin. Can be obtained by keying*#06#
Which law is applicable to fraudulent copyright notice? (Choose one) - 18 U.S.C 1832 - 18 U.S.C 1833 - 17 U.S.C. 506(c-d)
17 U.S.C. 506(c-d) applies to fraudulent copyright notice 18 U.S.C. 1832 applies to theft of trade secrets 18 U.S.C. 1833 - exceptions to prohibitions
Which law is applicable to cyberstalking? - 18 U.S.C 875 - 18 U.S.C. 2261A - 17 U.S.C. 506(c-d)
18 U.S.C 875 - interstate communications applies to transmitting any communication containing any demand for ransom, threat to kidnap or injure a person 18 U.S.C. 2261A - interstate stalking
Which of these statements are true regarding 18 U.S.C. 2319? - Unauthorized distribution of computer programs - Unauthorized distribution of video games - Unauthorized distribution of sound recordings and music videos of live musical performances
18 U.S.C. 2319 involves trafficking in unauthorized sound recordings and music video of live musical performances
Which of these statements are true regarding 18 U.S.C. 2320? - Unauthorized distribution of computer programs - Trafficking in counterfeit goods - Trafficking in counterfeit services
18 U.S.C. 2320 involves trafficking in counterfeit goods or services
Which statutes are used by the FBI to investigate computer-related crimes?
18 U.S.C. 875 18 U.S.C. 1029 and 1030 18 U.S.C. 1343, 1361, 1362 18 U.S.C. 1831 and 1832
Which statutes are used by the FBI to investigate computer-related crimes? - 18 U.S.C. 875 - 18 U.S.C. 1029 and 1030 - 18 U.S.C. 1343, 1361, 1362 - 18 U.S.C. 1831 and 1832 - FISMA - US Patriot Act
18 U.S.C. 875 18 U.S.C. 1029 and 1030 18 U.S.C. 1343, 1361, 1362 18 U.S.C. 1831 and 1832
What law is related to fraud and related activity in connection with computers?
18 USC 1030
How long is a value cell?
18 bytes
Which event was instrumental to the evolution of computer forensics?
1888: Francis Galton made first recorded study of fingerprints to catch potential criminals
Which event was instrumental to the evolution of computer forensics? - 1888: Francis Galton made first recorded study of bullet comparisons - 1993: First international conference on computer evidence was held in Europe - 1888: Francis Galton made first recorded study of fingerprints to catch potential criminals
1888: Francis Galton made first recorded study of fingerprints to catch potential criminals
Which event was instrumental to the evolution of computer forensics? - 1910: Albert Osbron was first to develop methodology for fingerprinting - 1893: Hans Gross was first to apply science to criminal investigation. - 2010: Leone Lattes was first to use blood groupings to connect criminal to crime.
1893: Hans Gross was first to apply science to criminal investigation.
Which event was instrumental to the evolution of computer forensics again?
1910: Albert Osbron was first to develop methodology for documenting evidence during examination process.
Which event was instrumental to the evolution of computer forensics? - 1910: Albert Osbron was first to develop methodology for documenting evidence during examination process. - 1925: FBI set up forensic services laboratory by Presidential order - 1910: Albert Osbron developed a methodology for use of blood groupings to connect criminal to crime
1910: Albert Osbron was first to develop methodology for documenting evidence during examination process.
Which event was instrumental to the evolution of computer forensics? - 1915: Leone Lattes was first to make use of bullet comparisons - 1915: Leone Lattes was first to set up a forensic services laboratory for the FBI - 1915: Leone Lattes was first to use blood groupings to connect criminal to crime.
1915: Leone Lattes was first to use blood groupings to connect criminal to crime.
Which is yet another event that was instrumental to the evolution of computer forensics?
1915: Leone Lattes was first to use blood groupings to connect criminal to crime.
Which (again) event was instrumental to the evolution of computer forensics?
1925: Calvin Goddard was first to make use of bullet comparisons.
Which event was instrumental to the evolution of computer forensics? - 1925: Calvin Goddard was first to use blood groupings to connect criminal to crime - 1925: Calvin Goddard was first to make use of bullet comparisons. - 1925: Calvin Goddard was first to apply science to criminal investigation
1925: Calvin Goddard was first to make use of bullet comparisons.
What year did the FBI establish the first forensic Laboratory?
1932
And again which event was instrumental to the evolution of computer forensics?
1932: FBI set up forensic services laboratory for field agents and law authorities.
Which event was instrumental to the evolution of computer forensics? - 1993: first international conference on computer evidence was held in Europe - 1993: first international conference on computer evidence was held in China - 1993: first international conference on computer evidence was held in USA.
1993: first international conference on computer evidence was held in USA.
EC-Council identified thirteen steps for evaluating a case. The first three are listed below. Choose the next two steps from the list below. 1 - Initially examine the investigator service request 2- Find the legal authority for the forensic examination report 3- Ensure that request for assistance is assigned
4 - Provide complete chain of custody 5- Check forensic processes needing to be performed (such as analysis of DNA, fingerprint, tool marks, traces, questioned documents...)
Which range of HTTP Status Codes reveals server error status codes?
500 - 505
E-mail Spoofing
: Email spoofing is the creation of email messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses. It can also be forged in the e-mail header.
A ____ is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activities.
??
Steganography Techniques: Cover Generation Technique
A cover generation method actually creates a cover for the sole purpose of hiding information.
What type of virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files. - Boot-sector - Multipartite - Stealth
A multipartite virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files.
When is a search warrant NOT required? - When law enforcement witnesses the crime - If no one gives permission to search - If it is late at night
A search warrent is not required when law enforcement witnesses the crime
Wireless Attacks: Warchalking
A technique involving using a chalk to place a symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access.
The law concerning digital evidence includes: A. Adhere to Chain of Custody B. Know the applicable, governing law C. Present evidence that is authentic, accurate, whole and acceptable - A - B - A,B - A, B, C - A, C - B, C
A, B, C are all correct The law concerning digital evidence includes: A. Adhere to Chain of Custody B. Know the applicable, governing law C. Present evidence that is authentic, accurate, whole and acceptable
Address Resolution Protocol (ARP) Spoofing
ARP spoofing is also known as ARP cache poisoning or ARP poison routing. It is a technique used to attack a local-area network. ARP spoofing can allow an attacker to intercept data and modify or halt network traffic. ARP spoofing can be used to attack an Ethernet wired or wireless network. During normal functioning, ARP sends a broadcast with the IP address asking for the associated MAC address. A host having said IP address replies with its MAC address. Thus the ARP cache gains an entry matching IP address with MAC address. During ARP spoofing or ARP poisoning, ARP sends the same broadcast but an attacker replies with fake MAC address. Now the ARP cache has a false entry and all communication from the host will go to the fake MAC address One defense against ARP spoofing is placing static ARP entries on servers, workstations, and routers using the ARPWALL system.
User Enumeration attack
After finding all the users who are already registered on the Web Application, the attacker uses this flaw to quickly find out the users who use the application. eg. Attacker can rotate the usernames and apply one password for all. And get unauthorized access to the user's account due to weak password.
____ detects wireless devices and calculates their signal strength. It implements a modular n-tier architecture with data collection at the bottom tier and a graphical user interface at the top.
Airfart
What are some PDA security countermeasures? - Install a firewall - Disable HotSync and Active Sync features not in use - Install anti-virus software
All of the above: PDA Security countermeasures include: -Install a firewall -Disable HotSync and ActiveSync features not in use -use a strong password -Do not store passwords on the host PC -Install antivirus software -Encrypt critical data -Do not use untrusted WiFi access points
Blackberry OS 4.7, the newest version, supports which of the following? - AJAX and CSS web standards - 1 GB onboard memory - 128 MB flash memory
All of the above: Blackberry OS 4.7 supports: AJAX and CSS 1 GB on board memory and 128 MB flash memory High-capacity slim 1500 mAh battery Tri-band UMTS: 2011/1900/850 3.6 Mbps HSDPA WiFi (802.11a/b/g) GPS Quad-band GSM/GPRS/EDGE Music synchronization Clock application
The Blackberry Serial Protocol contains what fields? - 3 byte packet header, always D9 AE FB - Command type - Command-dependent packet data - Footer, always BF EA 9D
All of the above: Blackberry Serial Protocol contains: -3 byte Packet header (always D9 AE FB) -Command type 40 - normal 60 - extended 41 - ACK CF - handshake challenge CE - handshake reply - 1 byte Command - 00 is normal and 02 is extended -Command dependent packet data -3 byte Packet footer (always BE EA 9D)
What data can be recovered from the SIM card? - Service-related information including unique identifiers - Phonebook and call information such as ADN and LND - SMS, EMS and multimedia messages - LAI and RAI - All the above
All of the above: SIM cards contain service-related information, phonebook and call information, messaging information, and location information. Service-related Integrated Circuit Card Identification - ICCID International Mobile Subscriber identity - IMSI Phonebook and call related Abbreviated Dialing Numbers - ADN Last Numbers Dialed - LND Location information Location Area Information - LAI - voice Routing Area Information - RAI - data
The architecture of Windows CE has four layers: - Application - OS - Original Equipment Manufacturer (OEM) - Hardware What is the purpose of the OEM? (Choose all that apply) OEM is between the OS and hardware layers OEM contains OAL, drivers and configuration files OEM handles system startup, interrupt handling, power management, profiling, timer and clock functions
All of the above: The OEM is between the OS and the hardware layer. It contains the OEM Adaptation Layer (OAL), drivers, and configuration files. It handles system startup, interrupt handling, power management, profiling, timer and clock.
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the core iPhone OS layer provide? - Kernel environment - Drivers - Basic interfaces of the OS
All of the above: The core layer provides the kernel, drivers and basic interfaces of the operating system.
What does the iPod System Partition contain? - iPod OS - Images - Games and other default applications - All of the above
All of the above: The iPod system partition includes iPod OS, images, and default applications.
What can criminals do with iPhones? - Steal data such as contact numbers, email address and SMS messages - Connect the iPhone to another system and steal data - Send threatening or offensive SMS or MMS messages - Manipulate or clone SIM data - Remove the SP-Lock in order to free the iPhone from its network - Send spam - All of the above
All of the above: iPhones can be used to steal data, send threatening or offensive SMS or MMS messages, change or clone SIM properties, remove the service provide lock (SP-Lock) to free iPhone from its network and send spam.
How does the investigator acquire data from a PDA? - Make an image of the device memory - Bitmap the device memory
An image is a bit-for-bit copy of the original. It is created to protect the original from alteration. Forensic tools such as EnCase can be used to image a PDA.
What does the Blackberry Attack Toolkit contain?
BBProxy and BBScan and Metasploit patches to exploit web site vulnerabilities
How do attackers blackjack a blackberry? - Use the BBProxy tool to attack the host of the network - Crack the Blackberry password - Use social engineering
BBProxy is often used to blackjack a Blackberry
Which copy is analyzed, the original or the bit-stream?
Bit-Stream
Data Acquisition Methods
Bit-Stream disk-to-image file. Bit-Stream disk-to-disk.
The ____ can wirelessly view and update database contents on BlackBerry devices.
Blackberry Database Viewer Plus
Blackberry OS is event-driven and supports multitasking and multithreading. - Yes - No
Blackberry OS is event-driven and supports multitasking and multithreading. When other tasks are not being performed, the Blackberry checks for new messages using the RimGetMessage() function.
Why Prefetch files?
Boot faster
According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the last five in random order. Choose the answer that puts these steps in the proper order. A- Compile list of names, email addresses, etc that may have communicated with the subject B- If computer was accessed before the forensic expert secured a mirror image, note who accessed it, what files and when C- Obtain passwords to encrypted or password-protected files (if possible) D- Create a list of key words relevant to the crime to be used while searching for evidence E- Maintain a chain of custody for each piece of original media
C, A, B, E, D
According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the last five in random order. Choose the answer that puts these steps in the proper order. A- Compile list of names, email addresses, etc that may have communicated with the subject B- If computer was accessed before the forensic expert secured a mirror image, note who accessed it, what files and when C- Obtain passwords to encrypted or password-protected files (if possible) D- Create a list of key words relevant to the crime to be used while searching for evidence E- Maintain a chain of custody for each piece of original media C, A, B, E, D A, C, E, B, D C, E, B, D, A
C, A, B, E, D According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. C- Obtain passwords to encrypted or password-protected files (if possible) A- Compile list of names, email addresses, etc that may have communicated with the subject B- If computer was accessed before the forensic expert secured a mirror image, note who accessed it, what files and when E- Maintain a chain of custody for each piece of original media D- Create a list of key words relevant to the crime to be used while searching for evidence
____ memory holds the system date, time, and setup parameters.
CMOS
____ is a type of function that takes a quantity of data of any size and produces an output of a fixed length, usually a 32-bit integer that is generally used to verify the integrity of the original data.
CRC
A(n) ____ is a record of the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence.
Chain of Custody
The ____ is a written description created by individuals who are responsible for the evidence from the beginning until the end of the case.
Chain of custody
A ____ is a fixed-size integer resulting from the application of a CRC algorithm.
Checksum
Technical Steganography
Chemical or physical methods are used to hide or obscure a covert message. I.E. Invisible Ink, or Microdot.
____ is an obscene visual depiction of any kind involving a minor engaging in, or appearing to engage in, sexually explicit conduct, graphic bestiality, sadistic or masochistic abuse, or sexual intercourse of any kind.
Child pornography
Common Data acquisition mistakes, that can result in loss of critical evidence.
Choosing the wrong resolution for the data. Use the wrong cables and cabling techniques. Insufficient time for system development. Making the wrong connections. Poor Knowledge of the instrument.
There are many types of expert witnesses. Which are commonly used in trials?
Civil Litigation, Criminal Litigation, Computer forensics, Medical, Pyschological, Construction, and Architecture experts
There are many types of expert witnesses. Which are commonly used in trials? - Civil Litigation, Criminal Litigation, Computer forensics, Medical, - Pyschological, Construction, Architecture - Civil and criminal litigation - Tourist
Civil Litigation, Criminal Litigation, Computer forensics, Medical, Pyschological, Construction, and Architecture experts are common expert witnesses
Civil Litigation experts
Collect and analyze evidence. Explain realities of the process. Present DNA evidence.
What is true about file signatures?
Collect information from the first 20 bytes of a file and Look for the magic number.
Mobile Forensic Process
Collect the evidence. Document the scene and Preserve Evidence. Imaging and Profiling. Acquire Information. Generate Report.
Salvaging an image.
Collecting and regenerating the image from pieces of an image file dispersed over a disk.
What is cybercrime investigation?
Collecting clues and forensic evidence about a cybercrime
What is cybercrime investigation? - Collecting clues and forensic evidence about a cybercrime - Securing the crime scene - Disassembling a computer and carefully packaging the hard drive for further investigation
Collecting clues and forensic evidence about a cybercrime
According to the USPTO, a ____ mark is a trademark or service mark used or intended to be used, in commerce, by the members of a cooperative, an association, or other collective group or organization, including a mark, which indicates membership in a union, an association, or other organization.
Collective
Sparse acquisition
Collects fragments of unallocated, deleted data or slack space. Files already deleted.
Internet address
Combination of the Network address and the Node address.
Metafile Graphics
Combine Rastor and Vector graphics (bit-map and vector images). Loses resolution giving a shaded appearance, when enlarged.
NB Stat
Command used to view the NetBIOS name cache.
What are two ways to display Open Firmware?
Command-Option-O-F or telnet
What are two ways to display Open Firmware? - F8 or telnet - Command-Option-O-F or telnet - Apple key or telnet
Command-Option-O-F or telnet
According to the National Institute of Justice (2004), there are several steps to acquiring subject evidence. Which is NOT one of these steps? - Capture electronic serial number of the drive or other user-accessible, host-specific data - Account for all space on storage media - Compare evidence to standard evidence - Use appropriate tools to obtain evidence such as duplication software, forensic analysis software, and dedicated hardware devices - Correlate, sector-by-sector, the values in the evidence and the backup
Compare evidence to standard evidence is not one of the steps to acquiring subject evidence
Hash Analysis
Comparing file hash values with known file hash values
What are the requirements for evidence to be admissible in court?
Competent, Relevant, Material
What is CMOS?
Complementary Metal-Oxide Semiconductor
What is CMOS? - Computer Maintenance On System - Computer Metadata On Start - Complementary Metal-Oxide Semiconductor
Complementary Metal-Oxide Semiconductor (CMOS) is a chip powered by a CMOS battery inside computers that stores information such as the system time and date and system hardware settings.
There are two associations that can help forensics investigators. What are they?
Computer Technology Investigators Network (CTIN) and High Technology Crime Investigators Association (HTCIA)
Computer forensics includes which of the following? - Rules of evidence - Legal processes - Integrity of evidence - Factual reporting of information found - Expert opinion about findings presented in a court of law, or other legal or administrative hearing - All of the above
Computer forensics includes: - Rules of evidence - Legal processes - Integrity of evidence - Factual reporting of information found - Expert opinion about findings presented in a court of law, or other legal or administrative hearing
Computer Forensics or Forensic Computing
Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.
Remote Computing Service (RCS)
Computer storage or processing services provided by electronic communications,
An Evil Twin access point is what kind of wireless attack?
Confidentiality attack.
What is programmed into the NIC during initial installation then becomes static?
Configurable address
What does HKEY_LOCAL_MACHINE hive contain?
Configuration information for the system including hardware and software settings
What does HKEY_CLASSES_ROOT hive contain?
Configuration information relating to which application is used to open various files on the system
Ad-hoc Association
Connecting directly to an unsecured station to bypass security.
According to the USPTO, a ____ is a form of protection provided to the authors of "original works of authorship" including literary, dramatic, musical, artistic, and certain other intellectual works, both published and unpublished.
Copyright
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What comprises the Cocoa Touch layer?
Core Audio and OpenAL, UI Kit
The iPhone OS ____ layer provides the kernel environment, drivers, and basic interfaces of the operating system.
Core OS
The iPhone OS ____ layer provides the fundamental services for applications such as Address Book, Core Location, CFNetwork, Security, and SQLite.
Core Services
____ is all about collecting information such as client lists to perpetrate frauds and scams in order to affect a rival financially.
Corporate espionage
_____ is the medium used to hide the message
Cover Medium
In an echo data hiding technique, the secret message is embedded into a __________as an echo.
Cover audio signal
System Software Password Cracking
Cracking the Operating System and other utilities, that allow the computer to function. -Bypass BIOS password. -Use tools to reset the admin password.
If a USB device does not have a serial number what does the PnP Manager do?
Create a unique instance ID such as 6&26c97b61&0
What else is part of the role of a forensics investigator?
Create images of original evidence, Guides officials in managing investigation, Reconstructs damaged media, Analyzes data and prepares report, Addresses the issues in court, if necessary. May act as expert witness.
iPods can be customized. They can be configured as an external hard drive or used to execute custom scripts. What can criminals do with an iPod?
Criminals can use iPods to spread viruses and Trojans, store and distribute illegal images, keep records of crimes and distribute contact information of other criminals.
Which item is NOT part of forensic readiness planning? - Develop a plan to investigate team members - Develop a plan to make sure investigative team members are properly trained - Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence
Developing a plan to investigate team members is NOT part of forensic readiness planning The following are part of forensic readiness planning: - Develop a plan to make sure investigative team members are properly trained - Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence
This tool examines cell phone and PDA data. It is capable of command-line acquisition, deleted data recovery, full data dumps, logical and physical acquisitions of PDAs, data cable access, and advanced reporting. - DS Lite - Device Seizure - PDA secure
Device Seizure examines cell phone and PDA data. It is capable of command-line acquisition, deleted data recovery, full data dumps, logical and physical acquisitions of PDAs, data cable access, and advanced reporting.
Where can network information be found? Network information includes: network interfaces (VPN, GPRS/EDGE/3G/WiFi), TCP/UDP connections, routing table, running processes, system info, memory and disk usage.
DeviceInfo
Where can network information be found? Network information includes: network interfaces (VPN, GPRS/EDGE/3G/WiFi), TCP/UDP connections, routing table, running processes, system info, memory and disk usage. - DeviceNetwork - DeviceInfo - NetworkInfo
DeviceInfo can be used to recover network information.
What file contains the name given to the iPod, username logged into computer and name of computer?
DeviceInfo file
A forensic investigator, believes key evidence is on a PDA device. He is not sure whether the PDA is communicating with another device. What should he do? - Turn off the PDA device - Take photographs of the current state of the PDA then turn it off for safekeeping - If connected to desktop, remove the connection. If communicating via WiFi, stop communications. Seize device and put it in a antistatic bag and isolation envelop to isolate it from further communication.
Devices can be modified by changing logos or modifying the operating system. Clues to help identify devices are the cradle interface, manufacturer's serial number and power supply.
Devices connect to Blackberry require built-in ___________. Applications developed for Blackberry must be ________________. - RIM wireless modem - Signed digitally in order to identify the developer - WiFi
Devices that connect to Blackberry require built-in RIM wireless modem. Applications developed for Blackberry must be signed digitally in order to identify the developer.
Hybrid Attack
Dictionary attack that substitutes numbers and symbols to the word.
Where should the FTK database be stored in relation to the FTK examination program?
Different machines.
What are some types of digital steganography?
Digital steganography includes injection, Least Significant Bit - LSB, transform-domain techniques, spread-spectrum encoding, perceptual masking, file generation, statistical method and distortion technique.
What would ../ indicate in a web address?
Directory Traversal
Which mode can make the iPod image inaccurate? - Disk mode - Image mode - User mode
Disk Mode: When an iPod is connected using USB interface, it automatically switches to Disk Mode giving the system direct access to the drive. But this can make imaging inaccurate. Stop Disk Mode by toggling the Hold switch on and off. Disk Mode can be acheived by pressing the Select and Menu buttons until the apple logo appears. Then release Menu and Select and hold down Select and Play buttons until the Disk Mode appears.
What is true about X-Ways Forensics?
Disk cloning and imaging Examining complete directory structure and disk space including slack space Viewing and dumping memory including virtual memory Support for FAT, NTFS, ext2/3
Bit-Stream disk-to-disk
Disk geometry is altered, such that the copied data matches to the original drive. Corrects software and hardware incompatibilities.
What are the round, flat, magnetic metal or ceramic disks in a hard disk that hold the actual data?
Disk platters
ARP Table Commands: arp -a
Display the current ARP entries. This includes the IP and MAC addresses
ARP Table Commands: arp -v
Display the information verbosely
Netstat Commands: Netstat -e
Displays Ethernet statistics
Netstat -ano option
Displays TCP and UDP connections.
Netstat Commands: Netstat -n
Displays addresses and port numbers in numerical form
Netstat Commands: Netstat -a
Displays all connections and listening ports.
Netstat Commands: Netstat -o
Displays the owning process ID associated with each connection
____ creates a change in the cover object in order to hide the information. An encoder performs a sequence of modifications to the cover that corresponds to a secret message.
Distortion
What is the best way to deal with powered-on computers connected to a network? - Leave the computer on, unplug network cable and photograph the screen and document the programs - Turn the computer off
Do not change the state of any electronic device. Leave the computer on, unplug the network cable and photograph the screen
What is a DoS? - Device operating system - Means of making a system unavailable to users - Operating system for PC prior to Windows
DoS stands for Denial of Service, a means for making a computer unavailable to users.
In ____ attacks, attackers attempt to prevent legitimate users of a service from using it by flooding the network with traffic or disrupting connections.
Dos
Which command provides a history of commands?
Doskey /history
Which command provides a history of commands? - Doskey /history - Dos - history - Ls - history
Doskey /history prints recent commands
____ is one of the features of most Internet browsers. It shows what files were downloaded and where the downloaded files were saved.
Download History
In Palm OS, ____ RAM is analogous to the RAM installed on desktop computers, and it is used as space for temporary allocation.
Dynamic
What does an E icon designate on the iPhone?
EDGE network
Which statements are true regarding EFS?
EFS can encrypt files stored on Windows 2000, Windows XP Pro, and Windows Server 2003 and EFS uses symmetric and asymmetric cryptography
What is the Electronic Serial Number for a CDMA phone known as?
ESN number.
What are types of search warrants? Select the most comprehensive answer. - Electronic storage device search warrant - Service provider search warrant and electronic storage device search warrant - Service provider search warrant
Electronic storage device search warrant allows for search and seizure of computer components such as hardware, software, storage devices and documentation Service provider search warrant allows the first responder to get information such as service records, billing records and subscriber information if the crime is committed through the internet.
What is generally part of corporate investigation?
Email harassment, Falsification of information, Embezzlement, Fraud, Corporate sabatage
A stegosystem is made up of which components?
Embedded message, Cover medium, Stego-key, Stego-medium
What are the severity levels of syslog?
Emer (gency), Alert, Crit, Err, Warning, Notice, Info, Debug
Which tool can be used for acquiring and imaging evidence? It allows recovery of deleted files and provides hash generation of individual files, data capture and documentation. This tool also has a bookmarking feature that saves bookmarks in case files. - EnCase - Device Seizure - SIM Card Seizure
EnCase can be used for acquiring and imaging evidence. It allows recovery of deleted files and provides hash generation of individual files, data capture and documentation. EnCase also has a bookmarking feature that saves bookmarks in case files.
What are two popular tools used in computer forensic analysis? - Wireshark - Encase - FTK
Encase and FTK are two popular tools used in computer forensic analysis
Dr. Nelson is a technical expert with a PhD in computer science along with several important computer certifications. she has spoken about computer science in many venues around the world and written a book on the subject. Suppose Dr. Nelson has been asked to be a witness, what type of witness is Dr. Nelson? - Lay - Evidentiary - Expert
Evidentiary witness is limited to presenting facts of the case Expert witness can testify as an evidentiary witness and also make opinons based on scientific, technical or other expert knowledge The Rules of Evidence provide a framework of what a witness can and cannot discuss
Computer Forensics Expert Roles
Examine personal computers and email. Find deleted files Examine Case documentation. Help court understand the report. Review all files. Decrypt encrypted files. Open password protected files. Determine author, dates and times of files. Prepare reports.
Each process of Windows is represented as an ____________________.
Executive Process
Each process of Windows is represented as an _______.
Executive process (Each process on a Windows system is represented as an executive process or EProcess. EProcess block is a data structure containing attributes of the process and pointers to threads and process environment blocks.)
Which are true about FAT32? - When formatted, the Master File Table (MFT) is created - Smaller clusters for more efficient storage capacity - 32-bit version of File Allocation Table - Designed for floppy diskettes
FAT32 is the 32-bit version of the FAT file system that uses smaller clusters which results in more efficient storage capacity. It supports drives up to 2 TB. It can relocate the root directory and use the backup copy rather than the default copy. It can dynamically resize a partition.
Which agency of the United States Department of Justice investigates both federal crimes and acts as internal intelligence agency?
FBI
Which hexa-decimal characters define the location of the End of a JPEG file?
FF D9
What type of scan sends FIN flag? - XMAS - FIN - Half-open
FIN scan sends the FIN flag
Which encryption algorithm is streaming?
FISH
Which encryption algorithm is streaming? - FISH - AES - DES
FISH - FISH (FIbonacci SHrinking) stream cipher [http://www.google.com/#hl=en&sclient=psy-ab&q=stream+cipher+fish&oq=stream+cipher+fish&gs_l=serp.3...2118.6551.0.6803.25.16.0.0.0.0.1123.3003.5-2j1j1.4.0.les%3B..0.0...1c.1.2.serp.2leYPHYeYtI&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&fp=785d3bc0fb80a0d7&biw=708&bih=643] AES (Advanced Encryption Standard) is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard] DES predessor of AES
Which protocols generally are allowed in the DMZ?
FTP (TCP ports 20, 21), SMTP (TCP port 25), DNS (TCP port 53, UDP port 53), HTTP (TCP port 80), HTTPS (TCP port 443)
What is the port for SMTP? - 25 - 389 - 443
FTP - Ports 20 and 21 SSH - Port 22 SMTP - Port 25 SFTP - Port 115 (Simple File Transfer Protocol) LDAP - Port 389 SSL - Port 443 SMB - Port 445 (137 - NetBIOS Name Service, 139 - NetBIOS Datagram Service)
Rule 703 includes what?
Facts are disclosed to expert, Court decides whether probative value in assisting jury to evaluate expert opinion outweighs prejudicial nature of facts used by said expert.
The first responder does not need to have complete knowledge of computer forensic investigation procedures.
False
True or False: Only administrators have a subdirectory in the Recycle bin
False
Which pertains to federal information security? (Choose one) - CAN-SPAM - GLB - FISMA
Federal Information Security Management Act requires federal agencies to develop, document and implement an agency-wide program to provide information security Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act) includes provision to protect consumer's personal financial information CAN-SPAM Act of 2003 (controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirments for those sending commerical email and gives consumers the right to ask emailers to stop spamming them
What are the FRE Article VII rules of evidence? - Rule 701 - Opinion Testimony by Lay Witness - Rule 702 - Testimony by Experts - Rule 703 - Basis of Opinion Testimony by Experts - Rule 704 - opinon on Ultimate Issue - Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion - Rule 706 - Court Appointed Experts - Rule 707 - Self Appointed Experts
Federal Rules of Evidence Article VII rules of evidence includes: Rule 701 - Opinion Testimony by Lay Witness Rule 702 - Testimony by Experts Rule 703 - Basis of Opinion Testimony by Experts Rule 704 - Opinon on Ultimate Issue Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion Rule 706 - Court Appointed Experts
What are the FRE Article VII rules of evidence? - Rule 701 - Opinion Testimony by Lay Witness - Rule 702 - Testimony by Experts - Rule 703 - Basis of Opinion Testimony by Experts - Rule 704 - opinon on Ultimate Issue - Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion - Rule 706 - Court Appointed Experts - Rule 707 - Self Appointed Experts
Federal Rules of Evidence Article VII rules of evidence includes: Rule 701 - Opinion Testimony by Lay Witness Rule 702 - Testimony by Experts Rule 703 - Basis of Opinion Testimony by Experts Rule 704 - opinon on Ultimate Issue Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion Rule 706 - Court Appointed Experts
What are the file types for Linux? - 1,4,6,7 - d, -, c, b, s, p, l - r,w,x,s
File types for Linux are: d - directory - - regular file c - character b - block s - Unix domain socket p - named pipe l - symbolic link
Rastor Image
File/ structure representing a generally rectangular grid of pixels (points of color) on a monitor. Quality lost as you enlarge (Determined by the number of Pixels and the amount of information per pixel). Pixel is 8-bits (RGB), and each is individually defined.
Which files go into the Recycle bin?
Files with a system attribute. Files that have an ownership attribute assigned to someone other than the user deleting the file. Files deleted from an attached external firewire hard drive.
Which of the following is NOT part of corporate investigation? - Business must continue during the forensic investigation - Generally address policy violations or legal disputes - May address wrongful termination - Must carefully follow government regulations - May address industrial espionage
Following government regulations is NOT the primary part of corporate investigation although corporations must adhere to appropriate government regulations. Corporate investigation is generally looking into the following: - Business must continue during the forensic investigation - Generally address policy violations or legal disputes - May address wrongful termination - Must carefully follow government regulations - May address industrial espionage
evidence includes the date and time the investigator visited the incident site and with whom the investigator spoke.
General
What does HKEY_CURRENT_CONFIG?
Hardware profile at startup
Extreme cases of ____ include cyber stalking, in which electronic means are used to follow or intimidate the victim.
Harrasment
Fuzzy Hash
Hash values that can be compared, to determine how similar 2 pieces of data are.
Steganography
Hiding messages in other media.
Host-Based intrusion detection
Host based intrusion detection (HIDS) refers to intrusion detection that takes place on a single host system.
An intrusion detection systems that audits events on a single host is
Host-based intrusion detection
____ is the process of synchronizing elements between a Palm handheld device and a desktop PC.
HotSync
What are the two examples of mobile synchronization software? - ActiveSync - FastSync - Hotsync
HotSync Manager for Palm OS and ActiveSync for Windows Mobile devices are two examples of mobile synchronization software
____ is the entity that oversees global IP address allocation, DNS root zone management, media types, and other Internet protocol assignments.
IANA
Choose three places to look for evidence of SQL injection attacks.
IDS log files, Database log files and Web server log files
When an attacker changes their IP address it is called:
IP address spoofing
Role of the First Responder
Identify Crime scene Protect the Crime Scene Preserve evidence Collect complete information about incident. Document findings Package and Transport evidence.
Which item is NOT part of forensic readiness planning? - Define business scenarios that require collection of digital evidence - Identify potential available evidence - Identify crime scene - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence
Identifying a crime scene is NOT part of forensic readiness planning. Forensic readiness planning includes: - Define business scenarios that require collection of digital evidence - Identify potential available evidence - Determine evidence collection requirements - Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice - Establish a policy for securely handling and storing collected evidence
A forensic investigator, believes key evidence is on a PDA device. He is not sure whether the PDA is communicating with another device. What should he do?
If connected to desktop, remove the connection. If communicating via WiFi, stop communications. Seize device and put it in a antistatic bag and isolation envelop to isolate it from further communication.
What are steps to removing the CMOS battery and why remove it? - Locate the battery on the motherboard and carefully lift it from the socket - To remove the battery, leave the computer on - To remove the battery, shut down the computer and disconnect the power plug - If the CMOS battery is removed and replaced after 20-30 minutes, the password will reset itself
If the CMOS battery is removed and replace after about 30 minutes, the password will reset itself. Turn the computer off and unplug the power cord Locate the battery on the motherboard Carefully lift the battery from the socket Wait 30 minutes and replace the battery Reboot the computer and enter BIOS Set the default settings, save the settings and start the computer
This type of DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses - Fraggle - Smurf - Land
In a fraggle DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses
What is a mosaic attack?
In a mosaic attack the image is split into multiple pieces. Then javascript is used to stitch them back together but the watermark is lost.
____________ is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs or audit data
Intrusion detection
What can be used to detect cookie poisoning?
Intrustion prevention tools
Cold Boot
It's turning the computer on from an off state.
____ is a lossless data compression algorithm that combines the string of same byte values into the single code word.
LZW
This type of DoS attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously
Land
This type of DoS attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously - Fraggle - Smurf - Land
Land attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously
With the ___ technique, the righmost bit in the binary notation is substituted with a bit from the embedded message
Least significant bit LSB
What is the best way to deal with powered-on computers connected to a network?
Leave the computer on, unplug network cable and photograph the screen and document the programs
Which answer best describes the legal issues related to computer forensic investigations? - Making sure the evidence is admissible in court - Admissibility in court, meeting relevant evidence laws while dealing with practical aspects of computers - Knowing the relevant evidence laws
Legal issues include the balance between meeting relevant evidence laws (ie. admissability in court) while dealing with practical aspects of computers
FTK KFF (Known File Folder)
Library of hash values for known good and bad files.
Helix 3 Pro
Live forensics tool that operates on Windows, Mac and Linux. Can boot into a customized Linux environment. Dedicated to incident response and forensics.
SYSTEM\CurrentControlSet\W32Time\Parameters is part of the registry key used for _______________
Loading NTP
____ are the primary recorders of a user's activity on a system and of network activities.
Log Files
New Line Injection Attack
Log injection attacks can be used to cover up log entries or insert misleading entries. Common attacks on logs include: -inserting additional entries with fake information, -truncating entries to cause information loss, or -using control characters to hide entries from certain file viewers. 0x0D - Carriage Return. 0x0A - Line feed.
Which acquisition type does NOT collect unallocated areas of the drive?
Logical
Tracking user logon activity via Audit Event ID's: 538
Logoff
Tracking user logon activity via Audit Event ID's: 528
Logon
PNG - Portable Network Graphics
Lossless data compression. Replaces GIF format. Contains: PNG signature, Chunk Layout (image is a series of chunks), CRC redundancy Check.
Where are private encrypted keys stored on the Blackberry?
Mailbox
Precautions to prepare for Mobile Investigation
Maintain fingerprints. Turn off wireless interfaces. Photograph scene. If on, photograph screen and record data. Collect other sources of evidence. Seize cradle or other connected devices. Remove battery if submerged in liquid. Isolate from radio traffic or EM fields. Isolate from other synchronizing devices. Replace alkaline batteries.
What is one best way to crack an EFS password?
Make a duplicate copy of the target hard drive and view the copy
How does the investigator acquire data from a PDA?
Make an image of the device memory
What tools can be used to view metadata?
Metaviewer, Metadata Analyzer and iScrub
In what format can music be stored on an iPod?
Music can be stored on an iPod as MP3, WAV, Apple Lossless, M4A/AAC, protected AAC, or AIFF formats
What are the four PDA generic states?
Nascent, Active, Quiescent, Semiactive
What can be used to detect buffer overflows?
Nebula
What tools can be used to see which files are open?
Net file, PsFile, Openfiles
What tools can be used to see which files are open?
Net file, PsFile, Openfiles (Net file reveals names of all open shared files and the number of file locks, PsFile shows list of files open remotely, openfiles can be used to list or disconnect all open files and folders)
Net Commands: Net Name
Net name is used to add or delete a messaging alias at a computer.
It appears the suspect's computer is connected to a network, what is one thing an investigator should look for?
Network connections (Information about network connections can expire over time so an investigator must collect evidence as soon as possible after an incident.)
The classic iPods use hard drives to store data, but newer versions, such as iPod Nano, iPod Shuffle, and iPod Touch store data differently. How do they store it? - ROM - Flash memory - RAM
Newer versions of the iPod use flash memory to store data.
Does UTC follow daylight savings time?
No
If the evidence is in plain view and a police officer can see it from a reasonable vantage point, is a search warrant necessary before the police officer can seize the evidence?
No
Jane, an IT Helpdesk tech is learning about steganography. She finds a collection of jpeg files on a folder in the file server that have corporate sales information hidden inside them. She contacts her manager. They make a copy of the files and call the police. Do the police need a search warrant to seize these files?
No
Police come to the computer lab of TechCo, Inc. because they received a plausible tip that someone is storing child pornography in the computer lab and selling it over the internet. The owner of TechCo, Inc. is very surprised to hear this and immediately gives permission for the police to search the computers In the lab. Is a search warrant necessary?
No
In the Windows based Recycle bin what is the size limited to?
No size limit, Except OS versions prior to Vista, which is: 4 GB
Police come to the computer lab of TechCo, Inc. because they received a plausible tip that someone is storing child pornography in the computer lab and selling it over the internet. The owner of TechCo, Inc. is very surprised to hear this and immediately gives permission for the police to search the computers In the lab. Is a search warrant necessary? - Yes - No
No, a search warrant is NOT necessary if the responsible person gives permission for the search
If the evidence is in plain view and a police officer can see it from a reasonable vantage point, is a search warrant necessary before the police officer can seize the evidence? - Yes - No
No, if the evidence is in plain view and a police officer can see it from a reasonable vantage point, is a search warrant is NOT necessary before the police officer can seize the evidence.
Jane, an IT Helpdesk tech is learning about steganography. She finds a collection of jpeg files on a folder in the file server that have corporate sales information hidden inside them. She contacts her manager. They make a copy of the files and call the police. Do the police need a search warrant to seize these files? - Yes - No
No, legal differences exist between how a private citizen and law enforcement can gather evidence
____ logging records a set of data fields in an ODBC-compliant database like Microsoft Access or Microsoft SQL Server.
ODBC
In Windows CE, the ____ layer contains the OEM adaptation layer (OAL), drivers, and configuration files.
OEM
____ is a link-state routing protocol used to manage router information based on the state (i.e., speed, bandwidth, congestion, and distance) of the various links between the source and destination.
OSPF
Objects in Windows CE are stored in three types of persistent storage. What are they? - File system, registry and property databases - Folders, registry and object store - File system and folders
Objects in Windows CE are stored in the file system, registry and property databases.
EC-Council identified thirteen steps for evaluating a case. Which of these listed is not one of these steps? - Obtain a network map - Identify relevance of peripherals such as credit cards, check paper, scanners, cameras... - Establish potential evidence being sought - Obtain additional details such as emails addresses, usernames... - Set the order of evidence examination - Identify any additional expertise or equipment needed
Obtain a network map is not one of the steps for evaluating a case
What is the first step to be carried out in an investigation of a computer crime?
Obtain a search warrant
Steps to investigate email
Obtain a warrant and seize computer and account. Bit by bit Image. Examine Complete Email Headers. Trace Origin. Acquire Email Archives. Recover Deleted Emails.
Plain View Policy
Officer or agent has the ability to seize objects without a warrant, when they are somewhere they have legal authority to be, and they immediately recognize the object as illegal.
Name one Windows software write blocker?
PDBLOCK
Name one Windows software write blocker? - WiebeTech Forensic SATADock - PDBLOCK - Mount iPod as a read-only drive
PDBLOCK is a software write blocker used on Windows
What is computer forensics? - Preservation, identification, extraction, interpretation and documentation of computer evidence. - Preservation, identification and interpretation of computer evidence - Extraction and documentation of computer evidence
PIEDI (Pied Eye) Preservation, identification, extraction, interpretation and documentation of computer evidence.
What does POST stand for? - Power On Self Test - Power Off Self Test - Power Only Startup Test
POST - Power On Self Test
What are the main protocols for the Data Link Layer?
PPP, SLIP, ARP
There are three types of records in the PFF. What are they?
Palm Database, Palm Resource and Palm Query Applications
What is a Windows-based tool for Palm OS memory imaging and forensic acquisition? - SIM Card Seizure - Palm dd (pdd) - DS Lite
Palm dd (pdd)is a Windows-based tool for Palm OS memory imaging and forensic acquisition
A(n) ____ attack is a type of attack where an unauthorized user monitors communications to gather information
Passive
Active Online Password attacks
Password Guessing, Trojan / Spyware/ Key logger, Hash Injection.
____ shows passwords hidden behind asterisks in Windows.
Password Spectator
____ is an architecture-independent PowerPC emulator that can run most PowerPC operating systems.
PearPC
Access Control attack
Penetrate a network by evading WLAN access control measures such as AP MAC Filters and Wi-Fi port access. DoS, Spoofing, dictionary, brute force, war-dialing
Pieces of evidence found at the crime scene should be first ____, identified within documents, and then properly gathered.
Photographed
Disks, tapes, and CD-ROMs
Physical media used for data storage
In the memtest.exe file, What does the PS value represent?
Physical sectors, counted from the very first sector of the disc.
The ____ tool uses brute force and dictionary attacks to recover passwords from ZIP files.
PicoZip Recovery
Pixel
Picture element that is a single point in a graphic image.
Null Cipher
Plain text mixed with a large amount of plain text material.
From largest to smallest what is the platter organization? - Platter, track, sector - Sector, track, Platter - Platter, track, cluster
Platter, Track, Sector: Each platter has two read-write heads - one on top and one on bottom. Platters are divided into tracks. Tracks are concentric circles that are divided into sectors. Each sector holds 512 bytes. Clusters are groups of sectors, eg. 128-sector cluster would have about 65536 bytes. Clusters are the smallest logical storage units on a hard disk.
From largest to smallest what is the platter organization?
Platter, track, sector
What files contains pool headers?
Pooltag.txt
What files contain pool headers?
Pooltag.txt (Windows memory manager generally allocates memory in 4KB pages. Sometimes, 4K would be too large and waste memory. So memory manager allocates several pages ahead of time thus keeping an available pool of memory.)
What is the port for SFTP?
Port 115 (Simple File Transfer Protocol)
IMAP Port
Port 143
What is the port for SSH?
Port 22
SMTP Port
Port 25
What is the port for SMTP?
Port 25
What is the port for LDAP?
Port 389
What does POST stand for?
Power On Self Test
Offline Password Attacks
Pre-Computed Hashes, Distributed Network attack, Rainbow Attack.
Daubert Standard
Precedent regarding the admissibility of expert testimony. Determined before or during the trial. Relevant and reliable. Based on facts of the case. Conclusions based on scientific method.
EC-Council identified thirteen steps for evaluating a case. One of these steps involves sending any ______________________ to ISP or other storage provider to make sure evidence is not destroyed.
Preservation Orders
What is computer forensics?
Preservation, identification, extraction, interpretation and documentation of computer evidence.
Construction and Architecture Experts
Pretrial assessment. Accident Investigations, Construction Defects. Estimating and analyzing schedule of construction. Claims
First responders should not
Prosecute a suspect
What is required for computer records to be admissible in court of law?
Prosecution must present appropriate testimony to show logs are accurate, reliable, fully intact and witness must authenticate computer records presented as evidence
Virtual and physical memory
Provide a complete address space for all processes and protect one process from others.
Choose the list of tools and commands used to determine logged-on users:
PsLoggedOn, Net Sessions, LogonSession
List the tools and commands used to determine logged-on users.
PsLoggedOn, Net Sessions, LogonSession
What registry data type indicates 32-bit integer?
REG_DWORD
What registry data type indicates variable length text string?
REG_EXPAND_SZ
What registry data type indicates series of nested arrays storing a resource list used by physical hardware device?
REG_FULL_RESOURCE_DESCRIPTOR
What registry data type indicates Unicode string naming a symbolic link?
REG_LINK
What registry data type indicates multiple strings separated by delimiter?
REG_MULTI_SZ
What registry data type indicates no data type?
REG_NONE
What registry data type indicates 64-bit integer?
REG_QWORD
What registry data type indicates series of nested arrays storing a resource list?
REG_RESOURCE_LIST
What registry data type indicates series of nested arrays storing a device driver's list?
REG_RESOURCE_REQUIREMENTS_LIST
What registry data type indicates fixed length text string?
REG_SZ
Devices connect to Blackberry require built-in ___________. Applications developed for Blackberry must be ________________.
RIM wireless modem Signed digitally in order to identify the developer
____ is a protocol used to manage router information within a self-contained network. It is limited in that it allows only 15 hops in the path from source to destination.
RIP
What kind of memory resides on a PDA?
ROM, RAM and Flash RAM
GIF
Rastorized 8-bit bitmap image. 256 disting colors. Can be animated.
Data Acquisition Formats
Raw, Proprietary, Advanced Forensics Format (AFF)
If the INF02 file is deleted, it is re-created when you___________.
Reboot the windows operating system
Which key is used to send an encrypted message when using asymmetric encryption?
Receiver Public Key
Which key is used to send an encrypted message when using asymmetric encryption? - Receiver Public Key - Receiver Private key - Sender Public Key
Receiver Public Key is used when sending an encrypted message when using asymmetric encryption
POP3 - Post Office Protocol
Receives email, that deletes on the server as soon as downloaded. Port 110
SMTP - Simple Mail Transfer Protocol
Receives outgoing mail and Validates source and destination addresses. Sends and receives email from other servers. Port 25
What is part of the role of a forensics investigator?
Recover data, Determine damage from crime, Gather evidence based on forensic guidelines, Protect evidence
Which one is NOT an objective of computer forensics? - To recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law - To identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identify of the perpetrator - To recover and identify the evidence quickly
Recovering and identifying evidence quickly is not a primary objective of computer forensics. Working too quickly can lead to mistakes that might compromise the evidence. There are two objectives of computer forensics: - Recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law - Identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identify of the perpetrator
Lossy Compression
Refers to data compression techniques in which some amount of data is lost. Lossy compression technologies attempt to eliminate redundant or unnecessary information. Some of the data is lost.
This type of DDoS do the attacks usually spoof the originating IP addresses and send the requests at reflectors.
Reflective DDoS
Header fields to look at.
Return Path. Recipient Email. Type of sending email Service. IP address of sending server. Name of email server. Unique message number. date and Time sent. Attached files.
____ allows parents to quickly evaluate the files on a system for the presence of child pornography.
Reveal
Choose tools used to combat child porn: - Anti-Child Porn.org - Reveal - iProtectYou - Child Exploitation Tracking System
Reveal is not a forensic tool. It was developed by Protect Your Family to identify objectionable material on hard disks so parents and other concerned parties can scan a computer using keywords to determine whether any files are illegal or offensive. iProtectYou is a parental control and filtering software intended to control what users on a computer are allowed to access on the internet Child Exploitation Tracking System (CETS) is a tool for law enforcement to organize, analyze, share and search information related to child exploitation cases.
Name tools used to combat child porn:
Reveal, iProtectYou, Child Exploitation Tracking System
4th Amendment
Right or expectation of Privacy Governs the lawful search of a person, place, or thing.
What does a good investigative report not include? - Description of data collection techniques - Adequate supporting data - Calculations used - Graphs and statistics - References - Risk Assessment
Risk Assessment is not part of the investigative report. A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports
A ____ is a network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network.
Router
____ logs provide information about the router's activities.
Router
What does a good investigative report NOT include? - Methods of investigation - Litigation support reports - References - Error analysis - Router settings
Router settings may be too detailed for an investigative report A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports
What should be in place to ensure compliance with procedures and policies?
Routine audits
A ____ is a database that stores the most efficient routes to particular network destinations.
Routing Table
What are the FRE Article VII rules of evidence?
Rule 701 - Opinion Testimony by Lay Witness Rule 702 - Testimony by Experts Rule 703 - Basis of Opinion Testimony by Experts Rule 704 - Opinon on Ultimate Issue Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion Rule 706 - Court Appointed Experts
Rule 702 includes which of the following? - Testimony based on sufficient facts - Testimony based on facts - Testimony is the product of reliable principles and methods - Testimony is the product of any known principles and methods - Witness has applied reliable principles and methods reliably to the facts of the case - Witness has applied reliable principles and methods to the facts of the case
Rule 702 includes: Testimony based on sufficient facts Testimony is the product of reliable principles and methods Witness has applied reliable principles and methods reliably to the facts of the case
Where is the running-configuration file for a Cisco router? - ROM - RAM - NVRAM
Running-configuration file is in RAM
Which registry key maintains the audit policy?
SECURITY\Policy\PolAdtEv
___ is an Internet protocol for transmitting e-mail over IP networks.
SMTP
Which registry key maintains the wireless SSID?
SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\(GUID)
A ___ attack occurs when an attacker passes malicious SQL code to a web application.
SQL injection
____ occurs when the intruder sends SYN packets (requests) to the host system faster than the system can handle them.
SYN Flooding
Where is the last time the system was shut down?
SYSTEM\ControlSet00x\Control\Windows
Where is the computer name located?
SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
Where is the time zone listed?
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Which registry key maintains the shares?
SYSTEM\CurrentControlSet\lanmanserver\parameters
Looking for pieces of a file is known as ____, and in some parts of North America it is called carving.
Salvaging
Sam, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered off. What should Sam do?
Sam should make sure the device remains powered off. He should also photograph the device to capture the current state of the device.
Sam, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered off. What should Sam do? - Turn the device on - Photograph the device showing the current state - Leave the device off
Sam should make sure the device remains powered off. He should also photograph the device to capture the current state of the device.
____ is a Linksys router log analyzer. It processes router log files, analyzes them, and then generates a report based on the analysis.
Sawmill
Computer forensics is:
Science of capturing, processing, and investigating computer security incidents and making it acceptable to a court of law.
Which are true about Evidor?
Search text on hard disks and retrieves the context of keyword occurrences on computer media Examines entire allocated space including swap space, hibernate files and unallocated space on hard drives
What is an hdc device?
Secondary master
What is an hdd device
Secondary slave
Non-Volatile data
Secondary storage of data. Long term, persistent data.
What type of cell holds security descriptor information for key cell
Security descriptor cell
Security Software Logs
Security or IDS logs- who, what, where, when. Router logs, Honey Pot log. Logon event, Application event log
Shane, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered on. What should Shane do? - Plug the device into a power supply or charge the battery to keep it on - Photograph the device showing the current state - Turn the device off for safekeeping
Shane should make sure the device remains powered on by plugging it into a power supply or charging the battery. She should also photograph the device to capture the current state of the device.
listdlls command
Shows modules and dlls in use. A tool & its parameters for seeing what DLLs are referenced by an EXE
handle command
Shows open files, ports, registry keys and threads.
doskey /history
Shows previously typed commands.
Network state
Shows the state of the network and contains the IP address and URL.
Obstructed Mobile device.
Shut off and requires authentication.
Tracking user logon activity via Audit Event ID's: 513
Shutdown
Which of the following is NOT generally part of corporate investigation? - Email harassment - Falsification of information - Embezzlement - Fraud - Corporate sabatage - Sick time
Sick time is not typically part of a corporate investigation
____ attacks apply techniques such as compression, filtering, resizing, printing, and scanning to remove the watermark.
Signal Processing attacks
attacks apply techniques such as compression, filtering, resizing, printing, and scanning to remove the watermark.
Signal processing
What is the ELF_LOG_SIGNATURE?
Signature of the Windows event log (The event log header is the first 48 bytes and the magic number appears as eLfL in ASCII.)
____ is a built-in Windows tool that searches for unsigned drivers on a system.
Sigverif
___________ is a built-in windows tool that searches for unsigned drivers on a system.
Sigverif
Which tool recovers deleted SMS/text messages?
Sim Card Seizure
Which tool recovers deleted SMS/text messages? - SIM Card Seizure - Device Seizure - DS Lite
Sim Card Seizure recovers deleted SMS/text messages. It can analyze SIM card data. It takes SIM card acquisition from Paraben's Device Seizure. Sim Card Seizure includes both software and a SIM card reader.
Raw data acquisition format creates ____________of a data set or suspect drive.
Simple sequential flat files
Dest Acquisition Method, factors.
Size of source disk. Whether you can retain the disk. When the drive is very large.
If the partition size Is 4 GB, each cluster will be 32 K. Even If a file needs only 10 K, the entire 32 K will be allocated, resulting In 22 K of___________.
Slack space
What is slack space? - Space left over between the last byte of a file and the first byte of the next cluster - White space used to hide information via steganography - White space in a digital photograph
Slack space is the space left over between the last byte of a file and the first byte of the next cluster
SCSI
Small Computer System Interface. circuit board that handles up to 15 peripheral devices
Cluster
Smallest allocation unit. Set of tracks and sectors from 2 to 32. inimizes fragmentation
Task List Commands: tasklist /p
Specifies the password of the user account that is specified in the /u parameter.
____ is a repeated, unwelcomed activity that involves gazing at, following, or harassing another person.
Stalking
When searching for evidence, what is the manner in which the search should be conducted?
Start from the computer and move outward in a circular manner.
Tracking user logon activity via Audit Event ID's: 512
Start-up
Where is the startup-configuration file for a Cisco router? - ROM - RAM - NVRAM
Startup-configuration file is in NVRAM
What is the 48-bit unique address programmed by the Ethernet board manufacturer?
Static address
What are two types of gathering information from an executable file?
Static analysis and Dynamic analysis Static analysis involves collecting information about and from the executable without launching it. Dynamic analysis involves running the executable in a monitored environment.
What type of virus can redirect the disk head to read another sector?
Stealth
What are steganography detection techniques?
StegDetect, StegBreak, Visible noise, Statistical tests, Appended spaces and invisible characters, Unique color palettes
___ is data hiding and is meant to conceal the true meaning of a message
Steganography
____ is the practice of embedding hidden messages within a carrier medium.
Steganography
What is NOT the difference between steganography and watermarking?
Steganography is not used to hide data so it can be watermarked.
What is the difference between steganography and cryptography?
Steganography is used to hide data within other data. Cryptography is used to scramble a message without hiding it.
What steganography methods are used in audio files? - Frequencies inaudible to human ear - White space - LSB - Substitution
Steganography methods for audio files: Substitution scheme For example, suppose note F = 0 and note C = 1. Using this scheme, music could be composed with a secret message. Low-Bit Encoding Artifacts such as bitmaps and audio files often contain redundant information DigSteg can replace redundant information with a message Phase Coding Original sound sequence is shortened into segments New phases are generated for each segment with the message The new phase is combined with the original magnitude to create the encoded output Echo Data Hiding Echo is introduced into the original signal Properties of echo are manipulated to hide data. Properties include initial amplitude, decay rate, and offset
What steganography methods are used in video files?
Steganography methods for video files includes discrete cosine transform manipulation used to add secret data at the time of transfomration process of the video
A stegosystem is made up of which components? - Embedded message - Cover medium - Stego-key - Stego-space - Stego-medium
Stegosystem is the mechanism used in performing steganography. It is comprised of the embedded message, the cover medium, the stego-key and the stego-medium. The stego-key is the secret key used to encrypt and decrypt the message. Stego-medium is the combined cover medium and embedded message.
In Palm OS, the ____ RAM acts like a hard drive on a desktop computer.
Storage
Temporarily-Accessible Data
Stored on hard disk and are accessible for a certain amount of time.
Which NTP stratum level is most accurate? Stratum-0 Stratum-1 Stratum-2
Stratum-0 Stratum levels reflect the distance from the reference clock. Stratum-0 is the reference clock so it is the most accurate and has little delay. Stratum-0 servers are not directly used on the network. They connect to computers in stratum-1.
What is one step to repairing a corrupt Windows event log?
Synchronize four critical fields in the header and footer
What file contains the model number of the iPod (ModelNumStr), serial number of iPod (pszSerialNumber), and serial number the iPod presents to the computer (FireWireGUID)?
SysInfo file
What file contains the model number of the iPod (ModelNumStr), serial number of iPod (pszSerialNumber), and serial number the iPod presents to the computer (FireWireGUID)? - SysInfo file - DeviceInfo file - IPSW file
SysInfo file contains model and serial numbers. The FireWireGUID identifies the connection of the iPod to a Windows computer while the ModelNumStr identifies which iPod is connected.
____ is a combined audit mechanism used by the Linux operating system
Syslog
____ metadata is stored outside the file and identifies the location of a file. It also includes information about filenames, dates, locations, sizes, and so on.
System
According to the National Industrial Security Program Operating Manual (NISPOM), what is an unclassified short name referring to investigations and studies of compromising emanations?
TEMPEST
Classes of Steganography
Technical Linguistic
Which items are examples of technical steganography? - Special characters - Microdots - Invisible inks
Technical steganography includes invisible inks, microdots, and other such technologies
PATA
Technology that identifies attached devices as Slave or Master.
WPA
Temporal Key (TKIP) 128 bit RC4 Temporal key (Actual value). 48 bit IV. CRC-32 and Michael Algorithm Integrity Check. Protects against forgery and Replay attacks.
Prefetch files
Temporary files containing information about application programs, which helps in quicker loading of programs. Each time you open a program, an associated prefetch file is created. That file is used for quicker loading of program, next time you try to run it.
Daubert Standard
The Daubert standard provides a rule of evidence regarding the admissibility of expert witnesses' testimony during United States federal legal proceedings.
Decipher the results of ls -l. (Choose all that apply) drwxr-xr-x 27 root root 4096 Apr 15 2012 /usr/include - This is a directory - Owner can read, write and execute files - This is a regular file
The file type is "d" meaning directory. The first group of rwx means the owner can read, write and execute files
What is part of the role of a forensics investigator? - Recover data - Determine damage from crime - Gather evidence based on forensic guidelines - Protect evidence - All of the above
The role of a forensics investigator is to: - Recover data - Determine damage from crime - Gather evidence based on forensic guidelines - Protect evidence - Create images of original evidence - Guide officials in managing investigation - Reconstruct damaged media - Analyze data and prepares report - Address the issues in court, if necessary. May act as expert witness.
To obtain a search warrant, police or government agent must provide what (select two)? - Opinion about location being searched - Sworn statement including location to search and type of property being sought - Written documentation about complaint initiating search and any supporting documentation
To obtain a search warrant, police or government agent must provide: Sworn statement including location to search and type of property being sought Written documentation about complaint initiating search and any supporting documentation
What are the two categories of cybercrime? - Tools of the crime - Perpetrator of the crime - Target of the crime
Tools of crime and Target of crime are two categories of cybercrime.
The area that is circumscribed 360 degrees on a platter of a disk, when the read/ write head is in a single fixed position.
Track
____ is the distinctive packaging of a product that differentiates it from other products of the same trade.
Trade Dress
What is true regarding 18 U.S.C. 2318?
Trafficking in counterfeit computer programs Trafficking in counterfeit motion pictures
What true regarding 18 U.S.C. 2320?
Trafficking in counterfeit goods Trafficking in counterfeit services
Descrete Cosine Transformation (DCT)
Tranformation technique used by JPEG images, for image compression.
In Palm OS, all the applications share the same dynamic RAM so that they can use each other's data.
True
Modern steganography works by replacing bits of useless or unused data in regular computer files with bits of different, invisible information.
True
Spread-spectrum encoding encodes a wide-band signal into a small-band cover.
True
IIS logs are recorded in what time format?
UTC
What is true regarding 18 U.S.C. 2319?
Unauthorized distribution of sound recordings and music videos of live musical performances
FRE 702
Under Rule 702, an expert is a person with "scientific, technical, or other specialized knowledge" who can "assist the trier of fact". A qualified expert can testify "in the form of an opinion or otherwise" so long as: The testimony is based upon sufficient facts or data. The testimony is the product of reliable principles and methods. The witness has applied the principles and methods reliably to the facts of the case.
Privacy Protection Act
Under the Privacy Protection Act, 42 U.S.C. 2000aa, law enforcement should take special steps while planning a search that agents have reason to believe may result in the seizure of certain materials that relate to the freedom of expression.
Net Commands: Net Config
Use the net config command to show information about the configuration of the Server or Workstation service.
How to recover a deleted partition.
Use the repair option of the Windows Install CD. Enter 'fixboot' and restart the system. or Remove the hard drive, and install it into another computer as a slave. Then attempt to recover the deleted partition. or Third party software. Copy recovered files to another drive, to prevent corruption.
Masking and Filtering
Used on 24 bit greyscale images.
What are Linux PDA security features?
User authentication, access control, encryption, PPTP, IPSec, SSH
Visual Semagrams
Using everyday objects to convey a message. Doodles. Placement of an item. Linguistic Steganography
Live Data Acquisition
Volatile data: RAM, Connections, Registry information, System Information, Cache, Running Processes, Passwords, Instant Messages, Who is logged on, Unencrypted data, Attached Devices, open ports and listening applications, Trojan Horses running in RAM.
18 U.S.C. 2702
Voluntary disclosure of customer communications or records
What are legal points an investigator should keep in mind? - State statutes and local laws - Federal statutes such as Electronic Communications Privacy Act of 1986 (ECPA), Cable Communications Policy Act (CCPA), Privacy Protection Act of 1980 (PPA) and US Patriot Act of 2001 - Scope of the search
What are legal points an investigator should keep in mind? - State statutes and local laws - Federal statutes such as Electronic Communications Privacy Act of 1986 (ECPA), Cable Communications Policy Act (CCPA), Privacy Protection Act of 1980 (PPA) and US Patriot Act of 2001 - Scope of the search
When do you optimize AccessData FTK?
When it is a 64 bit system.
When do you analyze Image file headers?
When new file extentions are present, that forensic tools cannot recognize. Files are accessed using a hexidecimal editor. Values can be used to determine a file type.
Microsoft handheld OS was first called Windows CE, then PocketPC then Windows Mobile. But Windows CE 5.2 powers Windows Mobile 6. What devices does Windows CE run on? - Devices with XScale processor - Devices with ARM processor - Devices with SHx processor
Windows CE runs on devices with XScale, ARM or SHx processors.
Where does Windows CE store data? - PIM and user data in RAM - PIM, user data, OS and application support in ROM - OS and application support in ROM
Windows CE stores PIM and user data in RAM and operating system and supporting applications in ROM. (PIM - Personal Information Management)
Windows CE has four types of memory. What are they? - RAM, temporary storage, expanded ROM, ROM - Consistent storage, RAM, ROM, extra RAM - RAM, Expansion RAM, ROM, Persistent storage
Windows CE supports RAM, Expansion RAM, ROM, and Persistent storage
What port does native Windows remote logging run on?
Windows does not support remote logging. Third-party utilites like NTsyslog are required to enable remote logging in Windows.
Windows password recovery tools
Windows password recovery tools - Windows XP/2000/NT Key Generator - resets the domain adminstrator password for Active Directory - ERD Commander 2005 - boots systems into a Windows-like repair environment giving complete control over the system - Active@ Password Changer - DOS-based solution for resetting local administrator and user passwords in XP, Vista, 2003, 2000 and NT - Cain & Abel - LCP - SID&USER - ophcrack - uses rainbow tables - RockXP - Magical Jelly Bean Keyfinder
What information is stored in the Windows registry if an iPod is connected to a Windows computer?
Windows registry contains the key created while connecting iPod to Windows, last time when registry keys were changed and serial number of iPod.
What information is stored in the Windows registry if an iPod is connected to a Windows computer? - Key created while connecting to iPod - Serial number of the iPod - Next time registry keys are changed
Windows registry contains the key created while connecting iPod to Windows, last time when registry keys were changed and serial number of iPod.
Are these steps the basic steps in PDA forensics? 1 - Secure and evaluate the crime scene 2 - Seize the evidence 3 - Identify the evidence 4 - Preserve the evidence 5 - Acquire information 6 - Examine and analyze the information 7 - Document 8 - Report
Yes
Is it possible to break the passcode on a locked iPhone?
Yes
Is this the proper order for response to a crime by first responders: 1. Begin investigation the moment a crime is suspected 2. Response to preliminary evidence by photographing the scene and marking evidence 3. Obtain search warrant, if needed 4. Follow first responder procedures 5. Seize evidence seized at crime scene then safely number and secure it 6. Transport evidence to forensic laboratory 7. Make two bit-stream copies of evidence 8. Generate a checksum (generally MD5) on the bit-stream images 9. Prepare chain of custody 10. Store the original disk so that time stamps and evidence remain intact 11. Use image copy to analyze the evidence 12. Prepare a forensic report describing the forensic method and recovery tools 13. Submit the forensic report 14. Testify as expert witness, if needed
Yes
It is critical that the crime scene be secure. Should computers be detached from the network in order to contain the crime scene?
Yes
Is a vault needed in a forensic lab? - Yes - No
Yes, a vault protects against flood, fire, theft...
It is critical that the crime scene be secure. Should computers be detached from the network in order to contain the crime scene? - Yes - No
Yes, computers should be disconnected from networks to thoroughly secure the crime scene
Is it possible to break the passcode on a locked iPhone? - Yes - No - Only with hacking tools
Yes, there is a series of steps to break the passcode on an iPhone. 1. Press Emergency Call button 2. Type *#301#, press green button 3. Delete previous entry 6 times 4. Type 0, press green button 5. Answer call by pressing green button 6. End call by pressing red button 7. Press Decline button 8. In Contacts tab, press + button to create a new contact 9. In the Add new URL, type prefs: and press Save 10. Touch No Name 11. Click on home page prefs: 12. Click on General tab in Settings menu 13. Click on passcode Lock 14. Click Turn Passcode Off 15. Return to General tab by clicking Cancel 16. Click Auto-Lock and reset it to Never
What are two imagers in Helix?
dd and FTK Imager
Which dd command is used to copy a floppy?
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
Which dd command is used to copy a floppy? - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc - dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/mem of=/home/sam/mem.bin bs=1024
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc Make a copy of a floppy disk
Which statement is used to partition an image on another machine?
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
Which statement is used to partition an image on another machine? - dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 used to partition an image on another machine. Run on the source machine
Which dd command is used to make a complete physical backup of a hard disk? - dd if=/dev/hda of=/dev/case5img1 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
dd if=/dev/hda of=/dev/case5img1 make a complete backup of a hard disk
Which statement is used to see the contents of the MBR? - dd if=/dev/hda bs=16065b | netcat targethost-IP 1234 - dd if=/dev/hda of=mbr.bin bs=512 count=1 - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
dd if=/dev/hda of=mbr.bin bs=512 count=1 used to see contents of the master boot record. Must be run as root. Reads the first 512 bytes from /dev/hda (the first IDE drive) and writes them to a file named mbr.bin
Which dd command is used to make an image of a CD?
dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
Which dd command is used to make an image of a CD? - dd if=/dev/hda of=/dev/case5img1 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc Make an image of a CD
Which dd command is used to copy RAM memory to a file?
dd if=/dev/mem of=/home/sam/mem.bin bs=1024
Which dd command is used to copy RAM memory to a file? - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc - dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/mem of=/home/sam/mem.bin bs=1024
dd if=/dev/mem of=/home/sam/mem.bin bs=1024 Used to copy RAM memory to a file
Which dd command is used to copy one hard disk partition to another hard disk?
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Which dd command is used to copy one hard disk partition to another hard disk? - dd if=/dev/hda of=/dev/case5img1 - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror Copy one hard disk partition to another hard disk
Which dd command is used to restore a disk partiiton from an image file?
dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Which dd command is used to restore a disk partiiton from an image file? - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc - dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/mem of=/home/sam/mem.bin bs=1024
dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror Used to restore a disk partition from an image file
What does the iPod System Partition contain?
iPod OS, images, and games and other default applications.
iPod Touch uses WiFi, Safari Web browser and wireless access to iTunes Store and YouTube. - True - False
iPod Touch is an iPod with Wi-FI, multitouch interface with Safari Web browser and wireless access to iTunes Store and YouTube. It uses the iPhone OS.
Why is it important to know with which type of system the iPod has been synchronized?
iPods sync'd with Mac computers use Apple's HFS+file system. iPods sync'd with Windows use FAT32.
____ is a wireless tool for Mac OS X that provides plug-ins for finding and discovering information about AirPort networks, Bluetooth devices, and Bonjour services.
iStumbler
What is the digital media player application most commonly used to interact with an iPod?
iTunes
What software is used to disable automatic syncing?
iTunes
A(n) ____ is a suitor who desires a physical or intimate relationship with the victim.
incompetent suitor
____ are the primary recorders of a user's activity on a system and of network activities.
log files
The most common way to use this command is with -ano switches or -r switch. - Netcat - Netstat - Nmap
netstat -ano displays TCP and UDP network connections, the listening ports and process identifiers (PID) using those network connections netstat - r displays the routing table
When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port?
netstat -o & fport (* netstat -o shows process to port mappings * netstat -b shows the executable involved in creating each connection (Windows XP) * fport shows process-to-port mappings but must be executed with administrator privileges)
When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port?
netstat -o and fport
What command can be used to display active TCP connections, Ethernet statistics and IP routing table? - netcat - netstat - nmap
netstat command can be used to display active TCp connections, Ethernet statistics and IP routing table
Which nmap scan is a slow scan to avoid detection? - nmap -sS -PT -PI -O -T1 122.13.145.15 - nmap -sP 10.1.2.0/24 - nmap -sS -O www.somewebsite.com/24
nmap -sS -PT -PI -O -T1 122.13.145.15
Computer records fall into what 3 categories?
1. Computer Generated. 2. Computer Stored. 3. Both Generated and Stored They require authentication.
Steps to recover image file.
1. Identify Image file fragments 2. Recover all the fragments from different disk areas. (Salvaging or Carving) 3. Restore the Fragments.
Key steps for Forensic Investigation
1. Identify the Computer Crime. 2. Collect Primary Evidence. 3. Obtain court warrant for seizure (if required). 4. Perform first responder Procedures. 5. Seize evidence at the crime scene. 6. Transport Evidence to the forensic laboratory. 7. Create 2-bit stream copies of the evidence. 8. Generate MD5 checksum on the images. 9. Chain of Custody. 10. Store the original evidence in a secure location. 11. Analyze the image copy for evidence. 12. Prepare a forensics report. 13. Submit the report to the client. 14. Attend Court and testify as an expert witness. (if necessary)
Which range of HTTP Status Codes reveals informational status codes?
100 - 101
802.11n
100+ Mbp,s MIMO - Multiple Input, Multiple Output.
Hashing Algorithm Lengths: MD5
128 Bits
Which law is applicable to fraudulent copyright notice?
17 U.S.C. 506(c-d)
What laws are applicable to cyberstalking?
18 U.S.C 875 18 U.S.C. 2261A
In a computer forensics laboratory, how many computers should be budgeted per examiner?
2
Wireless Standards: 802.11b
2.4 GHz and up to 11 Mbits per second
Wireless Standards: 802.11g
2.4 GHz and up to 54 Mbits per second
Wireless Standards: 802.11n
2.5 / 5 GHz and up to 54 / 600 Mbits per second
A accurate file signature analysis requires at least the first ____bytes of a file to determine type and function.
20
____ is a small, command-line utility for Windows that will break apart any JPEG file and generate the HTML code needed to reconstruct the picture
2Mosaic
On a GSM phone that is obstructed with a pin code, how many incorrect entries will block the SIM card?
3
Which range of HTTP Status Codes reveals client error status?
400 - 416
Which port does SSL typically use?
443
MAC filtering is based upon the ________ bit address
48
Hashing Algorithm Lengths: MD6
512 Bits
Hashing Algorithm Lengths: SHA-512
512 Bits
What Event ID is recorded for modification to the Windows audit policy?
612
An EnCase evidence file saves checksums for every block of ____ sectors of evidence.
64
What is true about the PE Header?
64-byte structure called IMAGE_DOS_HEADER First DWORD value refers to address of the new EXE file Value is defined in ntimage.h header file
In general, copyrights for works that are published after 1977 are valid for the life span of the author plus another ____ years
70 Years
Warm Boot
: Restarting the computer via the Operating System
Incident ____ involves not only responding to incidents but also triggering alerts to prevent potential risks and threats.
??
JPEG 2000 employs ____ technology so images can be better compressed without affecting quality of an image.
??
The ____ is the justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility.
??
What command displays the mappings between different layers of the network architecture?
??
____ evidence is data relevant to an investigation that is transferred by or stored on an electronic device.
??
Decipher the results of ls -l. (Choose all that apply) drwxr-xr-x 27 root root 4096 Apr 15 2012 /usr/include A) This is a directory B) Owner can read, write and execute files C) This is a regular file
A & B
How long can a search warrant be used?
A search warrant be used for the amount of time designated in the search order.
Modern BlackBerry devices have ARM7 or ____ processors
ARM9
What type of wireless attack is a Rogue Access Point?
Access control
____ play an important role in investigating routers and checking log messages. They count packets and log specific events.
Access control lists
Logical acquisition
Acquiring specific types of files or a specific area of the drive. Used to reduce a large amount of data or fit within the confines of a warrant. PDST an OST files. Does NOT collect unallocated areas of the drive.
Frye Standard
Admissibility of scientific examination. accepted by scientific community. Applied to procedures, principles and analysis. Number of experts should be provided.
Choose techniques commonly used to remove watermarks?
Algorithms, Transformations, Masking and filtering, LSB
Identify all required for setting up a forensics lab: - Office space - Storage for evidentiary materials - Interview facility - Operational laboratory - All of the Above
All of the Above: The forensics laboratory must have office space, storage for evidentiary materials, interview facility, and operational laboratory
What phone technology does the BitPim tool target for the recovery of data?
CDMA
____ Centre is a U.K.-based anti-child-pornography organization. It focuses on protecting children from sexual abuse.
CEOP Child exploitation and online protection
In ____ attacks, an attacker forces the victim to submit the attacker's form data to the victim's Web server.
CSRF Web
In ____, attackers illegally use another's credit card for purchasing goods and other services over the Internet.
Credit Crad Fraud
In ____, attackers illegally use another's credit card for purchasing goods and other services over the Internet.
Credit card fraud
____ is a Windows NT/2000/XP file undelete utility that can recover accidentally deleted files.
File Scavenger
Compound Files
Files containing multiple layers of other files.
____ is the willful act of stealing someone's identity for monetary benefits.
Identity Theft
Rule 609
Impeachment by evidence of conviction of crime
Net Commands: Net View
Net view is used to show a list of computers and network devices on the network.
Does Palm restrict access to code and data?
No
Office password recovery tools
Office - Advanced Office XP Password Recovery - Microsoft Office - Word Password Recovery Master - Office Password Recovery Toolbox - Passware Kit - 25 password recovery programs - PstPassword - Outlook - Access PassView - Microsoft Access
POP3 Port
Port 110
Enumeration
Process of extracting User and Group names, Machine names, Network Resources, Shares, and Services, from a system. Conducted in an IntrAnet environment.
Business Records Exception
RULE 803: an Exception to the Hearsay Rule. -The exception allows a business document, to be admitted into evidence, if a proper foundation is laid to show it is reliable.
Which is typically the largest list of password hashes?
Rainbow tables
Least Significant Bit (LSB)
Right-most bit of a pixel. Message is broken up and inserted into the least significant bit of each pixel in a deterministic sequence
Promiscuous Client
Rogue access point that forces user to connect to an unsecured network.
Client Mis-Association
Rogue access point that lures clients to connect, and bypasses network security
Task List Commands: tasklist /u
Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
Steganogrphic tool used to hide multple applications in an image.
S-Tools
Where are Windows passwords stored?
SAM and Active Directory
Which of the following devices allow a forensic investigator to copy a suspect hard drive to a clean hard drive very quickly?
SATA ports
____ cards are used primarily in digital cameras, particularly those made by Olympus and Fujifilm, developers of the format.
SD
LinkMASSter-2 uses write protection and supports MD5, CRC-32, and ____ hashing to ensure data integrity.
SHA-1
Recycled files on the NTFS system are categorized into directories named as C:\RECYCLER\S-...., based on the user's Windows ____.
SID
Techniques to locate and recover image files
Salvaging. Carving.
HKEY_LOCAL_MACHINE\SAM supports what?
Sam, Sam.log, Sam.sav (SAM stands for Security Accounts Manager. It contains Windows passwords)
Authentication attack
Steal identity of Wi-Fi clients (login credentials, personal info, etc) and Spoofing authentication packets.
Methods to Bypassing BIOS passwords
Use the manufacturers backdoor password. Password cracking Software, Resetting CMOS using jumpers. Remove the CMOS battery for 10 minutes. Use a professional Service. Overload the keyboard buffer.
In what format can video be stored on an iPod? - MPEG-4 and H.264 - unprotected WMA - WAV
Video can be stored as .m4v (H.264), .mp4 (MPEG-4) and unprotected WMA on Windows.
Tracing Back
View Header. Find originating mail server. Obtain server log files. obtain Internet Domain Information.
What are two ways to view running processes on Windows?
View Windows processes in TaskManager or by typing tasklist from the command prompt
A ____ is a software program written to change the behavior of a computer or other device on a network, without the permission or knowledge of the user.
Virus
What does Visual TimeAnalyzer do? - Automatically tracks computer usage - Manually tracks computer usage - Presents detailed reports
VisualAnalyzer automatically tracks all computer usage and presents detailed illustrated reports
____ evidence is evidence that can easily be lost during the course of a normal investigation.
Volatile
What are questions to consider before beginning a forensic investigation involving PDAs?
What kind of investigation needs to be done? How should the PDA be handled? Can critical data on the PDA remain secure during examination?
The Linux ____ command can make a bit-stream disk-to-disk copy or a disk-to-image file.
dd
Which dd command is used to make a complete physical backup of a hard disk?
dd if=/dev/hda of=/dev/case5img1
Which statement is used to see the contents of the MBR?
dd if=/dev/hda of=mbr.bin bs=512 count=1
Which file system runs on FAT32?
iPod sync'd to Windows
What are two commands to obtain network information?
netstat -ano & netstat -r (* netstat -ano shows active connections including protocol, local address, foreign address, state and PID * netstat -r shows the routing table * netstat -b displays the executable involved in creating the connection * netstat -v is used in conjunction with -b to show sequence of components involved)
When acquiring electronic evidence at scene of crime it is best not to:
shut down the computer
Chain of Custody
"Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer between sender and receiver, analysis, and disposition of physical or electronic evidence."
Client mis-association
"Client Mis-association can be accidental, deliberate (for example, done to bypass corporate firewall) or it can result from deliberate attempts on wireless clients to lure them into connecting to attacker's Access Point."
Cross-Site Request Forgery (CSRF) Attack
"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. An end-user may want to log out of the site and clear their browsers cookies at the end of the session."
Cross-Site Scripting (XSS) Attack
"Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user."
DNS Redirection
"DNS redirection is the controversial practice of serving a Web page to a user that is different from either the one requested or one that might reasonably be expected, such as an error page."
Raid Levels: RAID 1
"Disk mirroring, also known as RAID 1, is the replication of data to two or more disks. Disk mirroring is a good choice for applications that require high performance and high availability such as transactional applications, email, and operating systems."
Ext3
"Ext3 or third extended file system, is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions."
Directory Traversal Attack
"Aims to access restricted files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. It can be identified by several forward slashes such as //////////////////."
Computer crimes include what?
- Fraud via manipulation of computer records - Performing vulnerability assessment for a client - Spam - Deliberate avoidance of computer security systems - Unauthorized access - Unauthorized modification of software
What else do computer crimes include?
- Intellectual property theft - Industrial espionage by means of access to the computer - Identify theft - Spreading viruses or worms - Authorized penetration testing - Denial of Service or DDoS
Linux password recovery tools
- John the Ripper - DJohn
LossLess
- no data loss when image is copied.
What directory is used to store commands needed for system operability?
/bin
In Linux, files that are deleted using the command ___ remain on the disk
/bin/rm
Order of Volitility
1. Registers, Cache. 2. Routing and Process tables, Kernel Statistics and memory. 3. Temporary File Systems. 4. Disk or other storage media. 5. Remote logging and monitoring data. 6. Physical configuration and topology. 7. Archival Media and Backups.
Tracks numbering on a hard disk begins at 0, typically reaching a value of ___________.
1023
How many bytes per kilobyte?
1024 bytes/kb
Unix password recovery tools
- Crack
802.11b
11Mbps, 2.4 GHz
What kind of keyboard does the Blackberry have?
QWERTY
What command can be used to examine patches in the computer? - /dev/mem or /dev/kmem - version - show patch
/dev/mem or /dev/kmem command can be used to examine patches
Bad Cluster
"Is a sector on a computer's disk drive or flash memory that is either inacessible or unwriteable due to permanent damage, such as physical damage to the disk surface or failed flash memory transistors."
Denial of Service (DOS) Attack
"A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet."
Chain of Custody
"A method for documenting the history and possession of a sample from the time of collection, though analysis and data reporting, to its final disposition."
Net Commands: Net File
"Displays the names of all open shared files on a server and the number of file locks, if any, on each file."
Steganography Techniques: Spread Spectrum Technique
"There are two types of spread spectrum techniques, direct sequence and frequency hopping. In direct sequence, the stream information to be transmitted is divided in small pieces, each of which is allocated to a frequency channel spread across the spectrum. Frequency hopping is when a broad slice of the bandwidth spectrum is divided into many possible broadcast frequencies."
Where is the startup-configuration file for a Cisco router?
NVRAM
SSID
Name of a wireless network.
How does the SAM file store the password?
Name, UserID, LM Hash, NTLM Hash.
During a Linux boot sequence, the file that controls initialization is ____.
/etc/inittab
What files must be changed for remote logging?
/etc/rc.d/init.d/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" /etc/sysconfig/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r" /etc/services files. Syslog 514/udp After the three files have been changed, the administrator must run /sbin/service syslog restart
What directory is used to store libraries?
/lib
What directory is used to store commands for booting, repairing aor recovering the system?
/sbin
Default path for Apache Web Server Logs, on a Linux based machine?
/user/local/apache/logs
If the examiner wants to disable the auto save function in EnCase, what value would they place in the auto save field?
0 Placing a value of "0" in the auto save field in the options dialog will disable the auto save function of EnCase.
Once the scene has been secured, the next step should be:
Photograph the machine.
How many entrances should there be to a computer forensics laboratory?
1
Which of these statements are true regarding 18 U.S.C. 2318? - Trafficking in counterfeit computer programs - Trafficking in counterfeit motion pictures - Trafficking in child porn
1 & 2: 18 U.S.C. 2318 involves trafficking in counterfeit phone records, computer programs, motion pictures, audio visual works or computer program documentation
Which are true about EasyRecovery? - Repairs and restores corrupt or inaccessible Microsoft Office and Zip files - Includes EmailRepair - Disk imaging
1 & 2: EasyRecovery does not do disk imaging
What directory is used to store devices for terminals, disks...
/dev
What command can be used to examine patches in the computer?
/dev/mem or /dev/kmem
What are legal points an investigator should keep in mind?
- State statutes and local laws - Federal statutes such as Electronic Communications Privacy Act of 1986 (ECPA), Cable Communications Policy Act (CCPA), Privacy Protection Act of 1980 (PPA) and US Patriot Act of 2001 - Scope of the search
In order to recover the IMEI number of the device to establish the identity of the device owner. You would key in the following:
*#06#
The IEMI number for a GSM device can be obtained by pressing what key combination?
*#06#
What directory is used to store commands needed for system operability? - /bin - /dev - /etc
** /bin - commands needed for minimal system operability ** /dev - devices for terminals, disks... /etc - critical startup and configuration files /lib - libraries /sbin - commands for booting, repairing aor recovering the system
Which range of HTTP Status Codes reveals client error status? - 100-101 - 200-206 - 300-307 - 400-416 - 500-505
**HTTP Status Codes 400-416 - Client Error Status Codes ** HTTP Status Codes 100-101 - Informational Status Codes HTTP Status Codes 200-206 - Successful Status Codes HTTP Status Codes 300-307 - Redirection Status Codes HTTP Status Codes 500-505 - Server Error Status Codes
HTTP, POP3, FTP, Telnet password recovery tools
- Brutus
Which are true about Evidor? - Search text on hard disks and retrieves the context of keyword occurrences on computer media - Examines entire allocated space including swap space, hibernate files and unallocated space on hard drives - Local and remote hard disks
1 & 2: Evidor cannot access remote networked hard disks
4 reasons for increase of computers in criminal activity?
1. Expense 2. Speed. 3. Anonymity. 4. Fleeting nature of digital evidence.
Steps to Investigating a computer crime
1, Determine an incident has occurred. 2. Find/ Interpret clues. 3. Preliminary assessment and Search for evidence. 4. Search and Seize computer equipment. 5. Collect Evidence.
From this IIS log file, identify the service status code192.168.100.150, -, 03/6/11, 8:45:30, W3SVC2, SERVER, 172.15.10.30, 4210, 125, 3524, 100, 0, GET, /smile.gif,
100
The iPhone has a solid state NAND flash memory configured with two partitions by default. Choose the best description for these two default partitions.
300 MB root partition with OS, preloaded applications. Read-only and stays in the original factory state for the life of the iPhone, User partition mounted as /private/var
There are various types of Memory Sticks, with capacities ranging from 4 MB to ____ GB
32
ESN Number - Electronic Serial Number
32 bit hex identifier number. 8-14 bits Manufacturer. Remaining - Serial Number. CDMA
Resolution
Sharpness of image for printers, monitors and bit-maped images.
Sector
Smallest Physical storage unit. 512 bytes.
What is the proper order of volatility: A. Registers and cache B. Routing tables C. ARP cache D. Process table E. Kernal statistics and modules B, C, A, D, E A, B, C, D, E C, A, D, B, E
A, B, C, D, E The order of volatility is: A. Registers and cache B. Routing tables C. ARP cache D. Process table E. Kernal statistics and modules
According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the first five in random order. Choose the answer that puts these steps in the proper order. A- Do not turn off computer equipment, run programs or access data B- Identify type of data being sought and urgency of examination C- Secure relevant media D- Once machine is secured, obtain information about the machine, any peripherals and the network, if attached E- Suspend automated document destruction and recycling policies
A, C, E, B, D
According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. Listed below are the first five in random order. Choose the answer that puts these steps in the proper order. A- Do not turn off computer equipment, run programs or access data B- Identify type of data being sought and urgency of examination C- Secure relevant media D- Once machine is secured, obtain information about the machine, any peripherals and the network, if attached E- Suspend automated document destruction and recycling policies A, C, E, D, B A, C, E, B, D C, E, B, D, A
A, C, E, B, D According to the EC-Council, there are 10 steps to prepare for a computer forensic investigation. A- Do not turn off computer equipment, run programs or access data C- Secure relevant media E- Suspend automated document destruction and recycling policies B- Identify type of data being sought and urgency of examination D- Once machine is secured, obtain information about the machine, any peripherals and the network, if attached
Cellular phones with PDA functionality are called ____.
Smartphones
Blackberry OS 4.7, the newest version, supports which of the following?
AJAX and CSS 1 GB on board memory and 128 MB flash memory High-capacity slim 1500 mAh battery Tri-band UMTS: 2011/1900/850 3.6 Mbps HSDPA WiFi (802.11a/b/g) GPS Quad-band GSM/GPRS/EDGE Music synchronization Clock application
Palm OS is an embedded operating system originally based on the Motorola DragonBall MC68328 family of microprocessors. Newer devices use what?
ARM architecture-based StrongARM and XScale microprocessors
What command can be used to display the mappings between different layers of the network architecture? - RARP - MAC - ARP
ARP command can be used to display the mappings between different layers of network architecture
What kind of attack is a Key Logger?
Active Online Attack
What does HKEY_CURRENT_USER contain?
Active, loaded user profile for currently logged-on user
What are the two examples of mobile synchronization software?
ActiveSnyc and HotSync
A ____ is defined as the average packet rate of data packets with similar packet header information
Activity Profile
A(n) ____ is defined as the average packet rate of data packets with similar packet header information.
Activity Profile
ARP Table Commands: arp -s
Add the host and associates the IP Address with the physical address
Which registry key is NOT accessed and parsed when a user logs into a system? 1) HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Runonce 2) HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\PoliciesExplorer\Run 3) HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run 4) HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\Run 5) HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run 6) HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce 7) All of the above are parsed when a user logs into a system
All of the above are parsed when a user logs into a system. (Run means the values in this key execute at system startup Runonce means the values in this key execute once at system startup then they are deleted)
iPods can be customized. They can be configured as an external hard drive or used to execute custom scripts. What can criminals do with an iPod? - Spread viruses and Trojans - Store and distribute illegal images and videos - Distribute contact information of other criminals - Keep records of crimes including date and time - All of the above
All of the above: Criminals can use iPods to spread viruses and Trojans, store and distribute illegal images, keep records of crimes and distribute contact information of other criminals.
Which of the statements is true about the Mac OS? - Based on BSD Darwin engine - Startup items in /System/Library/StartupItems or /Library/StatupItems - uses .hidden to maintain a list of hidden files - All of the Above
All the above: The MAC OS is based on BSD Darwin engine Startup items in /System/Library/StartupItems or /Library/StatupItems Uses .hidden to maintain a list of hidden files
Which statements are true regarding EnCase? - Evidence can be viewed in table, gallery, timeline or report formats - Cases group information - Evidence data can be view as text, hex or picture
All the above: EnCase organizes evidence into cases. Evidence can be viewed in various formats.
What does HKEY_USERS hive contain?
All users profiles
What does an E icon designate on the iPhone? - third-generation network - WiFi - EDGE network
An E icon shows EDGE network connection. 3G shows third-generation network. Radiating signal bars show WiFi connectivity.
Real-Time Analysis
Analysis that is performed on a continuous basis; with results gained in time to alter the run-time system. Ongoing process.
Choose the volunteer organization focused on issues related to child exploitation, online predators and child pornography. - Innocent Images National Initiative (IINI) - Internet Crimes Against Children (ICAC) - Project Safe Childhood (PSC) - Anti-Child Porn.org (ACPO)
Anti-Child porn.org is a volunteer organization focused on issues related to child porn.
Email Client
Application that allows the user to send and receive email. Outlook (stand alone). Hotmail (Web based).
What are the layers of the OSI model?
Application, Presentation, Session, Transport, Network, Data Link, Physical
The ___ Attempts to eliminate driscrimination involving sexual harassment in the workplace, educational itstitutions and other public places
Australian Sex Discrimination Act of 1984
A(n) ____ is the use of the correct username and password for a particular site.
Authenticated cookie
Vulnerability analysis or ____ is the process of identifying technical vulnerabilities present in computers and networks.
Assesment
Roles of an expert witness in presenting evidence to court
Assist the court in understanding complex evidence. Help the attorney to get the truth. Honestly and fully express his or her expert opinion, without regard to any views.
NTP - Network Time Orotocol
Assures synchronization of clock times, to the millisecond, across a network. Built over TCP/IP.
How many keys does asymmetric encryption have? - 1 - 2 - 3
Asymmetric encryption has a public key and a private key
____ is the first line of defense for verifying and tracking the legitimate use of a Web application.
Authentication
Watermarking is used to facilitate which of the following?
Authentication of the author, Monitoring copyright material, Supporting fingerprint applications, Supporting data augmentation, Automatic audits of radio transmissions
How to maintain Log File authenticity.
Authenticity can be proven if they are Unaltered from the time they were recorded. -Move logs off of compromised server ASAP. -Move logs to Master Server and then to Secondary Secure storage (Archive) backup.
Computer crimes include all but which of the following? - Intellectual property theft - Industrial espionage by means of access to the computer - Identify theft - Spreading viruses or worms - Authorized penetration testing - Denial of Service or DDoS
Authorized penetration testing is NOT a computer crime. Computer crimes include: - Intellectual property theft - Industrial espionage by means of access to the computer - Identify theft - Spreading viruses or worms - Authorized penetration testing - Denial of Service or DDoS
What is the Index.dat file used for?
AutoComplete & Redundant information such as visited URLs, search queries, recently opened files (* Index.dat is used for redundant information such as AutoComplete information. * Index.dat can be found in the History folder for Internet Explorer)
From ECcouncil definitions: Which of the following approaches checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields?
Automated field correlation approach
Residual Data
Data stored on a computer. in unassigned storage space, after it is deleted.
Electronic Communications Privacy act (ECPA) classes of information:
Basic subscriber information, Records or Information pertaining to customer or subscriber. Contents in USC 2510
E-mail is a term derived from the phrase electronic mail.
True
Why must a forensic investigator identify the type of device being investigated?
Because devices can be modified by changing logos or modifying the OS
What are the four steps that the Blackberry uses to receive email? Blackberry Enterprise Server (BES)
BES monitors user mailbox. When new message arrives, BES picks it up. Message is compressed, encrypted and sent over internet to Blackberry server Message is decrypted on users Blackberry device. Message is unreadable by any other device, including other Blackberry Server decrypts, decompresses and places email into Outbox. Copy of message put in Sent Items folder
Which statements are true regarding the BIOS password? - BIOS manufacturers do not provide a backup password in case the password is lost - BIOS will lock the system completely if the password is typed wrong three times - The BIOS password for Dell is Dell - The BIOS password for Compaq is central
BIOS manufacturers do provide backdoor passwords in case the BIOS password is lost. The Dell password is Dell and the Compaq password is Compaq. The Epox password is central. BIOS will lock after three invalid password attempts.
Which statements are true regarding the BIOS password?
BIOS will lock the system completely if the password is typed wrong three times, The BIOS password for Dell is Dell
____ is an application that helps in recovering corrupted or lost data fully from floppy disk, CD, CD-R, CD-RW, digital media, and Zip drives or disks.
BadCopy Pro
What refers to the width of the range of frequencies that an electronic signal uses on a given transmission medium?
Bandwidth
Which files are automatically displayed when a mail file is mounted?
Base 64, and UUE, encoded files
Before starting the investigation what are two important things to consider? - Crime scene technician capable of analyzing and acquiring a variety of evidence should be on the team - Crime scene analyst should be employed by the police or FBI - A forensic lab should be equipped with forensic tools required for the investigation
Before starting the investigation it is important to consider the following: - Crime scene technician capable of analyzing and acquiring a variety of evidence should be on the team - A forensic lab should be equipped with forensic tools required for the investigation
What does the Blackberry Attack Toolkit contain? - BBProxy and BBScan - Nmap port scanner - Metasploit patches to exploit web site vulnerabilities
Blackberry Attack Toolkit includes BBProxy, BBScan and Metasploit patches to exploit web site vulnerabilities. BBPRoxy allows the attacker to use a Blackberry as a proxy between the internet and the internal network. Attacker installs BBPRoxy on Blackberry or sends as email attachment. Once activated, it creates a covert channel between the attacker and the compromised host. BBScan is a port scanner that looks for open ports on the Blackberry.
Where are private encrypted keys stored on the Blackberry? - Object store - File system - Mailbox
Blackberry private encrypted keys are stored in the user's secure mailbox (Microsoft Exchange, IBM, Lotus, Domino, or Novell Groupwise)
What type of security does the Blackberry use? - RSA - 3DES - AES
Blackberry uses 3DES and AES. Blackberry security meets US military requirements.
What is the next-generation optical media patented by Sony?
Blu-ray
Disabling or Active Attacks against steganography.
Blur - Softens transitions and averages pixels, Noise- injects randome color pixels to an image. Noise Reduction-adjusting colors and averaging the pixel values. Sharpen- Increase contrast between adjacent pixels. Rotate- move image around a central point. Resample- raggedness while expanding image is reduced. Soften- uniform blur that softens edges and decreses contrast.
Sending large volumes of email to a single address in an attempt to overflow the mailbox, it is called:
Bombing
What item in a forensic lab holds all the reference books, articles, and magazines that an investigator would need in the course of an investigation?
Bookrack
What is true about BootX?
BootX is the default boot loader for Mac OS X
Which statement is true about BootX? - BootX is the default boot loader for Mac OS X - BootX cannot load kernals from HFS+, HFS, UFS, ext2 or TFTP - BootX is similar to BIOS
BootX is the default boot loader for Mac OS X. BootX can load kernals from HFS+, HFS, UFS, ext2 or TFTP
Windows Event Log will be reported as corrupt when what occurs?
Critical header and footer fields out of sync and file status is not 0x00 or 0x08
Phase of questioning by opposing counsil, following direct questioning.
Cross Examination.
Where are cookies housed in Internet Explorer and Mozilla Firefox?
C:\Documents and Settings\username\Cookies\ , ASCII file named history.dat , \Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\random text
Which folder are EnCase modules stored in?
C:\Program Files\Encase6\certs
On a FAT drive, deleted files are stored in the location
C:\RECYCLED
____ is a software solution that allows different law-enforcement agencies to collaborate. It also provides investigators with a set of software tools they can use when investigating child pornography.
CETS
Reg.exe
CMD tools for accessing and managing the registry
SafeBack ensures data integrity using ____.
CRC-32
Rule 614
Calling and interrogation of witnesses by court
Volatile Data
Can be modified, rapidly.
Laws pertaining to email
Can-Spam Act 18USC 2252A - Sending Child pornography 18USC 2252B - Obscene or offensive with misleading domain name. RCW 19.190.020- Washington state law for email crime.
According to the National Institute of Justice (2004), there are several steps to acquiring subject evidence.
Capture electronic serial number of the drive or other user-accessible, host-specific data, Account for all space on storage media, Use appropriate tools to obtain evidence such as duplication software, forensic analysis software, and dedicated hardware devices, Correlate, sector-by-sector, the values in the evidence and the backup
_________ is a process in which many web sites write binary log data.
Centralized binary logging
How does Lossy Compression work?
Certain amount of data is lost (integrity not maintained). Never used with Business data or Text files. Vector Quantization.
How is memory arranged on the Palm OS? - RAM and ROM are on the same memory module - RAM is on one module and ROM on another - PIM card
Certain applications are stored in ROM and user data and other applications are stored in RAM. There are add-on utilities available on ROM used to back up Personal Information Management (PIM) data. Both RAM and ROM are on the same memory module, known as a card.
What is a first step in repairing a corrupt Windows event log?
Change offset 36 to 0x08
What are two registry settings that could impact a forensic analysis and investigation?
ClearPageFileAtShutdown & DisableLastAccess (* ClearPageFileAtShutdown - tells the OS to clear the page file when the system is shut down. This will clear virtual memory in the swap file. * DisableLastAccess - disables updating of the last access times on files so the timestamp might not be accurate)
What are two registry settings that could impact a forensic analysis and investigation?
ClearPageFileAtShutdown and DisableLastAccess
IIS format
Client IP, Username, date, time, service/ instance, server name, server IP, Time taken, client bytes, Server bytes, SCV code, Windows code, request type, target of operation, parameters passed.
The iPhone OS ____ layer consists of UI Kit and Foundation frameworks, which provide the user with tools for implementing graphical and event-driven applications.
Cocoa Touch
In a(n) ____ attack, when a user sends any application to the server, an attacker hacks the application and adds malicious code.
Code Injection
What are the requirements for evidence to be admissible in court? - Competent - Relevant - Maternal - Material
Competent, Relevant & Material Federal Rules of Evidence Rule 402 states that all relevant evidence is admissible. Evidence must be competent and material. Rule 401 defines relevant as any evidence having a tendency to make the existence of any fact that is of consequence to the determination of the action more or less probable than it would be without the evidence. The Frye standard says that the scientific technique must be generally accepted in the field before the results of said technique can be admitted.
If you unsuccessfully tried three PIN numbers which blocked the SIM card. What can you do to reset the PIN and access SIM data?
Contact the network operator for Personal Unlock Number
Which statements are true about Word documents?
Contain past revisions and last 10 authors and Compound documents based on OLE
HKEY_LOCAL_MACHINE
Contains the majority of the configuration information for the software / hardware you have installed and for the OS itself.
What is true about syslog?
Controlled on per-machine basis with /etc/syslog.conf, Local and remote log collection, Facility, level and action are included, Audit mechanism used by Linux
UTC
Coordinated Universal Time. UTC is the standard used for all timekeeping applications, the reference time used for calculating all other time zones. In the United States, the national standard for time-of-day is UTC (NIST), the coordinated universal time maintained by the National Institute of Standards and Technology (NIST). See also GREENWICH MEAN TIME (GMT), ZULU TIME.
Backup Data
Copy of system data, used for the recovery process.
What issue might you encounter when recovering images?
Copyright laws.
Indications of a Web Based Attack.
Customers denied access to information or Services. Legitimate web page being redirected to an unknown website. Slow Network Performance. Anomalies found in Log Files.
Grill Cipher
Cutting holes in a template and lining them up with text.
____ is any ominous or improper behavior where cyber criminals use the Internet and other communication methods to victimize people.
Cyber STalking
____ is the use of information technology to tease or intimidate individuals, usually minors, causing them harm.
Cyberbullying
What is the definition of cybercrime? - Cybercrime means any illegal act that involves a computer or the systems and applications associated with it - Cybercrime is the same as identity theft - Cybercrime is any illegal act that involves a criminal using a computer
Cybercrime means any illegal act that involves a computer or the systems and applications associated with it
What is the definition of cybercrime?
Cybercrime means any illegal act that involves a computer or the systems and applications associated with it.
What best defines a Portable Executable (PE)?
Data structure for Windows OS loader to manage wrapped executable code Format for executables, object code and DLLs used in 32- and 64-bit versions of Windows
Fragile Data
Data temporarily saved to the hard disk and can be changed. (i.e. time stamps, access times...)
Static data.
Data that remains unchanged after shutting down.
Active Data
Data used for daily operations.
Difference between Frye & Daubert
Daubert provides a set of criteria for determining whether scientific testimony is admissible; Frye is more general
(../) sequences and their variations as an attack are referred to as
Directory traversal
Tracking user logon activity via Audit Event ID's: 531
Disabled Account
What tools can read CSI Stick and Device Seizure acquisition files? - DS Lite - Device Seizure - PDA secure
DS Lite can read CSI Stick and Device Seizure acquisition files. CSI Stick is a portable cell phone forensic and data gathering tool that looks like a USB memory stick.
Steganalysis
Discovering and Rendering covert messages, using steganography.
The ___ feature of the image MASSter Solo- 3 software can be used to hide and protect part of the drive from the operating system and file system
DCO
The ____ feature of the Image MASSter Solo-3 software can be used to hide and protect part of a drive from the operating system and file system.
DCO
A ____ attack is a DoS attack where a large number of compromised systems attack a single target.
DDos
The ____ is a semitrusted network zone that separates the untrusted Internet from the company's trusted internal network.
DMZ
____ is a service that translates domain names (e.g., www.eccouncil.org) into IP addresses (e.g., 208.66.172.56).
DNS Domaine Name Service
Which tools calculate MD5 and SHA1 hash values? - SIM Card Seizure - Hunt - DS Lite
DS Lite and SIM Card Seizure calculate MD5 and SHA1 hash values
ARP Table Commands: arp -d
Delete the host specified by the IP Address
Cybercrime
Deliberate acts, using a computer, to Commit or Facilitate a crime.
What is a DoS?
Denial of Service, a means for making a computer unavailable to users.
How many partitions does the iPod have?
Depends on the operating system used to sync
How many partitions does the iPod have? - 2 - 3 - Depends on the operating system used to sync
Depends: If the iPod syncs with Windows, the iPod file system has two partitions. However, if it syncs with MacIntosh then there will be three partitions. The extra partition in the MacIntosh version is necessary due to the HFS+ file system. This system has a resource fork and data fork.
Medical and Psychological Experts
Describe process of examining the victim. Physicians, PA's and nurses.
3 types of Metadata.
Descriptive. Structural. Administrative.
Which are true about FAT12?
Designed for floppy disks
Where should a forensic investigator look to find steganography?
Determine filenames and websites visited by viewing cookies or internet history. Look in the registry.Inspect the suspect's mailbox, chat or IMS logs. Check softare not normally used such as binary or hex editors, disk-wiping software... Multimedia files
What else is NOT part of forensic readiness planning?
Develop a plan to investigate team members
Choose the true statements about SIMPLE: - Developed by Australian university students using Linux Live CD - Customized kernal and OS so it is impossible to write to the hard disk - Will only launch on Windows
Developed by Aussies, live CD. Customized Kernal: SIMPLE launches from a CD
Choose the true statements about SIMPLE:
Developed by Australian university students using Linux Live CD, Customized kernal and OS so it is impossible to write to the hard disk
This tool examines cell phone and PDA data. It is capable of command-line acquisition, deleted data recovery, full data dumps, logical and physical acquisitions of PDAs, data cable access, and advanced reporting.
Device Seizure
TACC 1441
Device for cracking passwords using multiple GPU's.
UFED
Device for extracting data from mobile phones.
What is obtained when the computer is powered on? There may be a number of systems having the same address.
Dynamic address
What are types of MAC address?
Dynamic, Configurable, Static
The file De5.jpg is in the Recycler. What drive was the file deleted from.
E:\ Dxy.ext. x= the drive. Y= Sequence Number (SID)
EC-Council identified thirteen steps for evaluating a case. One of these steps involves assessing skill levels of users. Why is this important? - Because criminal always try to hide information - To determine how they might delete or conceal evidence - To profile them
EC-Council identified thirteen steps for evaluating a case. One of these steps involves assessing skill levels of users. Assessing skill levels is important to determine how users might delete or conceal evidence
EC-Council identified thirteen steps for evaluating a case. One of these steps involves sending any ______________________ to ISP or other storage provider to make sure evidence is not destroyed. - Chain of custody - Request for assistance - Preservation orders
EC-Council identified thirteen steps for evaluating a case. One of these steps involves sending any preservation orders to ISP or other storage provider to make sure evidence is not destroyed.
What is the key concept of Enterprise Theory of Investigation (ETI)? - Holistic approach used by FBI to look at any criminal activity as a piece of a criminal operation rather than a single criminal act. - Approach used by FBI where each crime is considered unique and isolated - Approach by FBI where criminal activity is investigated
Enterprise Theory of Investigation (ETI) is a holistic approach used by FBI to look at any criminal activity as a piece of a criminal operation rather than a single criminal act.
The process of discovering usernames, machine name, network resources, shares, and services available on a network is?
Enumeration
____ is the process of gathering information about a network that may help an intruder attack the network.
Enumeration
How does a network intruder enter a system?
Enumeration, Vulnerabilities, Viruses, Trojans, Email infection, Router attacks, Password cracking
Choose USA sexual harassment laws: - Equal Protection Clause of the 14th Amendment - Civil Rights Act of 2011 - Civil Rights Act of 1991 - 1964 Civil Rights Act, Title VII
Equal Protection Clause of the 14th Amendment Civil Rights Act of 1991 1964 Civil Rights Act, Title VII
What are the USA sexual harassment laws:
Equal Protection Clause of the 14th Amendment, Civil Rights Act of 1991, 1964 Civil Rights Act, Title VII
Which of the following are iPod and iPhone Forensics tools?
Erica and EnCase
Which of the following are iPod and iPhone Forensics tools? - Erica - EnCase - Wireshark
Erica and EnCase are iPod and iPhone forensics tools. Erica has some useful utilities: abquery - search address book by name appLoad appSearch - searchs App Store from command line using a simple query deviceInfo - queries iPod or iPhone for device attributes findme - returns physical location latitude and longitude in XML EnCase extract deleted information to devices that were restored to factory settings recover deleted files
_____ headers specify an address for mailer-generated errors?
Errors-To header
Operating System Log
Event Logs - operational actions. Audit Logs- Security Events. -used to identify or investigate suspicious activities.
Which statements are true regarding EnCase?
Evidence can be viewed in table, gallery, timeline or report formats, Cases group information, Evidence data can be view as text, hex or picture
Spectrum Analysis
Examination of a WiFi radio transmission to: Measure Amplitude or signals and RF pulses. Air Quality. Identify sources of interference. Wireless attack detection.
Dr. Nelson is a technical expert with a PhD in computer science along with several important computer certifications. She has spoken about computer science in many venues around the world and written a book on the subject. Suppose Dr. Nelson has been asked to be a witness, what type of witness is Dr. Nelson?
Expert
Witness who by virtue of Education, Training, or experience, has special knowledge beyond that of an average person, to the level that others may legally depend on his or her opinion.
Expert
In additional to special tools, what is another means of data acquisition from a PDA?
Exploit vulnerabilities such as weak authentication or buffer overflow (due to misconfigured network services or protocols) Use password cracking tools like Hydra or Cain and Abel Use backdoor's supplied by manufacturer Extract data from memory chips independently of the device Reverse engineer the OS
In additional to special tools, what is NOT another means of data acquisition from a PDA? - Exploit vulnerabilities such as weak authentication or buffer overflow (due to misconfigured network services or protocols) - Use password cracking tools like Hydra or Cain and Abel - Use backdoor's supplied by manufacturer - Extract data from memory chips independently of the device - Use a PDA sniffer - Reverse engineer the OS
Exploiting vulnerabilities or using manufacturer's backdoors may lead to access of a PDA device.
What is the table of functions called that DLLs maintain?
Export
Types of Wireless Networks
Extension, Multiple access points, LAN to LAN, 3G hotspots.
Where are deleted files from a FAT system stored?
FAT - Drive:\Recycled .
What type of scan sends FIN flag?
FIN
What pertains to federal information security?
FISMA (Federal Information Security Management Act)
Spread-spectrum encoding encodes a wide-band signal into a small-band cover
False
Master Boot Record (MBR
First sector of a data storage device. (Location, size, other important data)
The master boot record (MBR) resides at the ____ sector.
Fisrt
The classic iPods use hard drives to store data, but newer versions, such as iPod Nano, iPod Shuffle, and iPod Touch store data differently. How do they store it?
Flash Memory
TIFF - Tagged Imafe File Format
Flexible, Platform independent. Extendable to new image types. Portable. Revisable. If more than one IFD present, There is more than one image.
The goal of a(n) ____ attack is to degrade the performance of the network by directing unnecessary packets of data toward it.
Flooding
Postmortem Analysis
Forensic Analysis of logs, done for something that has already happened. Files have already been captured.
First response to an incident may not be a forensics expert. Of the people listed here which is best capable of collecting, preserving, and packaging electronic evidence?
Forensic staff
18 US Code 1029
Fraud and related activity in connection with access devices
18 USC 1029
Fraud and related activity in connection with access devices
18 US Code 1030
Fraud and related activity in connection with computers
18 USC 1030
Fraud and related activity in connection with computers
Slack Space
Free space on a cluster.
What steganography methods are used in audio files?
Frequencies inaudible to human ear, LSB, Substitution
The EnCase ____ search utility enables the investigator to search for information with a known general format, such as any telephone numbers, credit card numbers, network IDs, logon records, or IP addresses, even when the specific number is not known.
GREP
Windows CE OS contains GWES. What does GWES stand for? - Graphics Windows and Error Systems - Graphics, Windowing and Events Subsystem - Graphics, Windows and Entertainment Systems
GWES stands for Graphics, Windowing and Events Subsystem. it provides the interface between the user, application and OS. It has two components: GDI which draws graphics, text and images and user component for messaging events, keyboard input and mouse
What are some pitfalls of network evidence collection?
Gaps in evidence, Other nations may be involved creating legal and political challenges, Logs change rapidly and some information may be lost before permission is granted to analyze the log, Logs may be housed at ISP which requires special permission (such as a warrant) to view
Will record of failures or security breaches on the machine creating logs impeach the evidence?
Generally, yes
Vector image
Geometrical primitives (points, lines, curves, polygons) based on mathmatical equations, used to represent an image. Indefinitely zoomed without loss in quality. Moving, Scaling and rotating do not affect the quality of the image.
Windows CE OS contains GWES. What does GWES stand for?
Graphics, Windowing and Events Subsystem
For an iPod that was initially set up on a Macintosh based computer, what type of file system will it have?
HFS+
iPods formatted with Mac computers use Apple's ____ file system, while those formatted on Windows use the FAT32 file system.
HFS+
Which registry hive contains information about which applications are associated with various file extensions?
HKEY Classes Root
Which registry key or subkey does NOT identify a USB device?
HKEY_LOCAL_MACHINE\Hardware\USB
You can find the SIDs in Windows registry editor at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion \ProfileList
Some events are recorded by default. Others are recorded based on the audit configuration in the PolAdEvt registry key. Other aspects are maintained in what registry key?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Event Log
What Windows XP (or above) registry key can be changed to hex value 0x00000001 to block write access to any USB storage device?
HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies
What Windows XP (or above) registry key can be changed to hex value 0x00000001 to block write access to any USB storage device? - HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies - HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\USBPolicies - HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\WriteBlock
HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\StorageDevicePolicies can be changed to 0x00000001 to write block any USB device. To re-enable write access change this same key to 0x00000000.
When a USB removable storage device is connected to Windows, it is assigned a drive letter. Where does this drive letter show up in the registry?
HKEY_LOCAL_MACHINE\System\MountedDevices
____ is a practice used to obtain illegal access to computer systems owned by private corporations or government agencies in order to modify computer hardware and software.
Hacking
Parts of an email massage.
Header (email origin), Body (Mesage), Signature.
Which tool is a customized distribution of Knoppix Live Linux CD? This tool contains many application dedicated to incident response and forensics.
Helix
Which of the following is true about the swap file?
Hidden file in the root directory called pagefile.sys & Registry path is HKEY_LOCAL_MACHINE_SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management (The swap file can be organized as a contiguous space so fewer I/O operations are required to read and write. It is a hidden file in the root directory called pagefile.sys.)
What is indicated if a TIFF image has more than one IFD (Image File Directory)?
If more than one IFD present, There is more than one image.
Which of the following is true about the swap file?
Hidden file in the root directory called pagefile.sys, Registry path is HKEY_LOCAL_MACHINE_SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Folder Steganography
Hides data in folders. Invisible secrets4
Masking
Hides data using techniques similar to watermarks. Inside visible part of image. NOT hidden in noise of image.
Steganography Techniques: Transform Domain Technique
Hides the message data in the transform space of a signal. Can be commonly used in JPEG's photos.
Spam Steganography
Hiding data in spam or other emails.
____ attacks occur when an attacker injects a small number of bad packets into the router to exploit the network.
Hit and Run
What is the master boot record (MBR) used for?
Holding a Partition table. Bootstrapping an operating system. 32-bit disk signature (optional).
A ____ is a system that is put on a network that has no legitimate function.
Honeypot
What password cracking technique works most like a dictionary attack?
Hybrid attack
What does a good investigative report NOT include? - Adequate supporting data - Acknowledgments - Results and comments - Error analysis - Graphs and statistics - IDS/IPS
IDS/IPS may be too detailed for an investigative report. A good investigative report includes: - Methods of investigation - Adequate supporting data - Description of data collection techniques - Calculations used - Error analysis - Results and comments - Graphs and statistics explaining results - References - Appendices - Acknowledgments - Litigation support reports
Which file contains software update data?
IPSW file
Which file contains software update data? - SysInfo file - DeviceInfo file - IPSW file
IPSW file contains software update data. It is stored in the Library/iTunes/iPhone Software Updates directory
What item is NOT part of forensic readiness planning?
Identifying a crime scene
What occurs immediately after the investigation begins? - Immediate response to preliminary evidence including photographing the scene and marking evidence - Immediately determine the damage from the crime - Immediately call the police
Immediately after the investigation begins, collect preliminary evidence including photographing the scene and marking evidence
GIF uses ____ data compression techniques, which maintain the visual quality of the image.
Lossless
In the USA, the 4th Amendment of the United States Constitution prevents unreasonable search and seizure. What is the basis of a search warrant? - Government regulation - Possible cause - Probable cause
In the USA, the 4th Amendment of the United States Constitution prevents unreasonable search and seizure therefore, probable cause is required to get a search warrant.
This type of DDoS do the attacks usually spoof the originating IP addresses and send the requests at reflectors. - Teardrop - Jolt - Reflective DDoS
In there Reflective DDoS, the attacks usually spoof the originating IP addresses and send the requests at reflectors.
AC Forensics
Inc. provides forensic collection, examination and analysis of electronic evidence as well as email conversion, extraction and document production in various standard review formats
Process register
Includes services, such as calibration inspection and testing, construction management, hardware, and software.
____ contains the colors in RGB, but only the colors used by the image.
Indexed Color
What is FTK's strongest attribute?
Indexing
Enterprise Theory of Investigation (ETI)
Individuals commit crime, to further the Criminal Enterprise (sindicate) itself. Law Enforcement targets and dismantles the entire criminal enterprise.
Jargon code
Information hidden in a special language.
Covered Cipher
Information hidden openly.
Digital Evidence is defined as:
Information of "probative value" that is stored or transmitted in digital form.
Choose one answer naming what the FBI developed as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography. - Innocent Images National Initiative (IINI) - Internet Crimes Against Children (ICAC) - Project Safe Childhood - Anti-Child Porn.org (ACPO)
Innocent Images National Initiative (IINI) was developed by the FBI as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography.
What are the two modes of attack? - Computer attack - Insider attack - External attack
Insider attack and External attack are two modes of attack
Lossless Compression
Is a class of data compression algorithms that allows the original data to be perfectly reconstructed from the compressed data that maintains data integrity.
Cookie Poisoning
Is a process in which an unauthorized person changes the content within a user's cookie file in order to gain access to sensitive information that may be stored in the cookie or on the server for the website that the user is browsing.
Man in the middle Attack
Is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
WPA2
Is more secured then WPA and uses AES-CCMP encryption algorithm
Cluster
Is the smallest logical unit on a hard drive.
A forensics report can be render inadmissible in a court of law if
It is based on logical assumptions about the incident timeline
Vector Quantization
Lossy compression technique. Replaces a block of information with an average value.
Jack, a forensic investigator, believes key evidence is on a PDA device. The PDA has one card in the expansion slot and several more lying on a table. The PDA is in it's cradle. What should Jack do?
Jack should leave the card in expansion slot. Remove connection to desktop computer. Seize cradle, cords, cards lying on the table and PDA and place them in evidence bags.
This type of DoS attack does the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it.
Jolt
The Linux ____ consists of modular components and subsystems that include device drivers, protocols, scheduler, memory manager, virtual file system, and resource allocator.
Kernal
Which type of cell contains registry key information including offsets to other cells and LastWrite time for the key
Key cell
ActiveSync allows an unlimited number of password attempts. How can an attacker gain access to the password? Choose the easiest method.
Keylogger
____ is completely passive and is capable of detecting traffic from WAPs and wireless clients. It works on both open and closed networks.
Kismet
A ____ is a set of host machines in a relatively contiguous area, allowing for high data transfer rates among hosts on the same IP network.
LAN
Calculate disk capacity, in gigabytes, from LBA.
LBA * Density / 1024/ 1024 / 1024
Audio Steganography methods
LSB coding, Tone insertion, Phase Decoding
___ lossless data compression algorithim that combines the string of same Byte values into a single code word
LZW
What are two boot loaders for Linux?
Lilo and grub (details for each are found using more /etc/lilo.conf, more /etc/grub.conf)
Which file system runs on ext1, ext2, and ext3?
Linux
A ____ is a bootable version of an operating system that is loaded directly into RAM and functions outside and independently of the target computer's operating system.
LiveCD
Which devices can EnCase acquire data?
Local Device and Smartphones
From which devices can EnCase acquire data? - Evidence file (E01), raw image or dd image - Local Device - Smartphones
Local Device, Smartphones: Technically, EnCase would not acquire data from a raw image file or evidence file but these can be viewed in EnCase
In the memtest.exe file, What does the LS value represent?
Local Sector, counted from the start of the partion.
Computer Forensics Expert
Locate and recover information, through electronic discovery, while protecting evidentiary quality.
What are steps to removing the CMOS battery and why remove it?
Locate the battery on the motherboard and carefully lift it from the socket, To remove the battery, shut down the computer and disconnect the power plug, If the CMOS battery is removed and replaced after 20-30 minutes, the password will reset itself
What steps can be taken, to insure that log files accurately describe the activity on a system?
Log Everything. Use Multiple sensors. Synchronize times. Avoid missing logs.
Which are true about MD5?
MD5 produces 128-bit hash value (SHA-1 produces 160-bit has value). MD5 is used to check data integrity. MD5 is typically expressed as a 32-digit hexadecimal number
Which are true about MD5? - Produces 128-bit hash value (SHA-1 produces 160-bit has value) - Used to check data integrity - Typically expressed as a 32-digit hexadecimal number - suitable for SSL certificates and digital signatures
MD5 produces 128-bit hash value (SHA-1 produces 160-bit has value). MD5 is used to check data integrity. MD5 is typically expressed as a 32-digit hexadecimal number
____ is the intentional act of sending multiple copies of identical content to the same recipient.
Mail Bombing
MTA - Mail Transport Authority
Mail Server
When computers start communicating without human intervention they can create a flurry of junk mail, often sent by accident, called a ____.
Mail Storm
An e-mail client, also known as a ____, is a computer program for reading and sending e-mail.
Mail user agant (MUA)
What techniques can be used to detect wireless access points? - Manual detection, active wireless scanning, passive wireless scanning, Nessus vulnerability scanning - Manual detection, Nessus vulnerability scanning - Active and passive wireless scanning
Manual detection - physically visit the area where a WAP is likely to be and use wardriving techniques to attempt to detect the rogue access point Active wireless scanning technique - broadcasting a probe message and waiting for a response from devices in the range Passive wireless scanning technique - identifies the presence of any wireless communication to find identify active WAP connections Nessus vulnerability scanner
Which of these are built-in on many PDAs? - infrared - Bluetooth - WiFi
Many PDAs have built-in infrared, Bluetooth and WiFi
Psychological experts provide specialized assistance in which areas? - Dentistry - Prescription medication or illegal drugs - Mental illness, psychotropic drugs, standards of care, emotional distress
Medical experts provide expertise in dentistry, drugs, prescription medications and malpractise. Psychological experts provide expertise in diagnosis and treatment of mental illness, medications and psychotropic drugs, standards of care, emotional distress and effects of crime or event
Psychological experts provide specialized assistance in which areas?
Mental illness, psychotropic drugs, standards of care, emotional distress
What are some tools in Helix that are used for responding to incidents?
MessenPass, Putty SSH, Rootkit Revealer
____ is data about data, or more simply, embedded electronic data not necessarily seen on a printed document.
Metadata
Compression
Method of making a file smaller, in order to reduce disk space.
What are conceptual ways to write block removable media on the MacIntosh?
Methods for write blocking MacIntosh are preventing the Mac OS from automatically mounting removable media, preventing iTunes from loading when iPod is connected and mounting iPods with read-only access
In mobile device identification, what needs to be identified, for choosing the proper data acquisition tool?
Model. Operating System. Service Provider. Found in: Battery Cavity (Manufacturer Name, Model, IMEI, FCC-ID). Screen (Type of Phone, Service Provider, OS)
Older BlackBerry 950 and 957 had Intel 80386 processors. What type of processors due modern Blackberry devices have? - Intel 80386 - ARM7 of ARM9 - Intel PXA901 312 MHz
Modern Blackberry devices have ARM7 or ARM9. GSM Blackberry models (8100 and 8700) have Intel PXA901 312 MHz with 64 MB flash memory and 16 MG SDRAM. CDMA Blackberry smartphones have Qualcomm MSM6x00 chipsets.
Text Semagrams
Modifying the apprearance of the carrier test. Font size or type, extra spaces, flourashes in letters, handwritten text.
With ____, an administrator gives a piece of data to a person and if that information makes it out to the public domain, the administrator knows the organization has a mole.
Mole Detection
Windows CE has two types of device drivers?
Monolithic and Layered
What type of virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files.
Multipartite
In what format can music be stored on an iPod? - MP3, WAV, Apple Lossless - M4A/AAC, protected AAC, AIFF - MPEG
Music can be stored on an iPod as MP3, WAV, Apple Lossless, M4A/AAC, protected AAC, or AIFF formats
A(n) ____ is a piece of hardware used to provide an interface between a host machine and a computer network.
NIC
____ is the standard protocol for distributing and recovering Usenet messages.
NNTP
Does Palm restrict access to code and data? - Yes - No
NO: The architecture of Palm OS has four layers: - Application - OS - Software API and hardware drivers - Hardware The software API helps execute software on different hardware but developers can easily bypass the API and access the processor directly. Thus, malicious applications can be a security risk because Palm OS does not restrict access to the code and data. Anyone can modify it.
____ is an Internet standard protocol that is used to synchronize the clocks of client computers.
NTP
Where can registry keys be found for the user?
NTUSER.DAT
Code that is derived from mixing a cover message, within a large amount of plain text, to cover the message, is known as?
Null Cipher
Areal Density
Number of bits per square inch on a hard disk platter.
ICCID - Integrated Circuit Card Identification.
On the SIM and can be up to 20 digits long. -Industry Identifier Prefix (89 for telecommunications) -Country Code. -Issuer Identification number. -Account Identification Number. Helps to identify Country and Network Operator name.
dcfldd features
On-the-fly hashing of the transmitted data. Progress bar of how much data has already been sent. Wiping of disks with known patterns. Verification that the image is identical to the original drive, bit-for-bit. Simultaneous output to more than one file/disk is possible. The output can be split into multiple files. Logs and data can be piped into external applications
Where does Windows CE store data?
PIM and user data in RAM and operating system and supporting applications in ROM.
What kind of memory resides on a PDA? - ROM - RAM - Flash ROM
ROM, RAM and Flash RAM can reside on a PDA
What three things does the Mac OS X depend on? - Open firmware, boot loader, typical Mac OS X boot sequence - Proprietary firmware, boot loader, boot sequence - BIOS, boot loader, autoexec.bat
Open Firmware is a nonproprietary platform-independent boot firmware similar to PC BIOS. It is stored in ROM and is the first program executed at power up. Press Command-Option-O-F
Open Codes Steganography
Open codes make use of openly readable text. This text contains words or sentences that can be hidden in a reversed or vertical order. The letters should be in selected locations of the text in a specifically designed pattern. Open codes can be either jargon codes or covered ciphers.
What steganography methods are used in text files?
Open-space, Syntactic, Semantic
Rule 701
Opinion testimony by lay witnesses
Rules for allowing duplicate evidence.
Original evidence is not available, due to: -Evidence destroyed due to an uncontrollable event (Fire/ Flood). -Evidence destroyed in normal course of business. -Original evidence in possession of a third party.
other password recovery tools
Other - Advanced ZIP password recovery - zip file passwords - PicoZip Recovery - zip file passwords - PDF Password Crackers - pdf file passwords - Default Password Databases - Dialupass - dial-up passwords - Database Sleuth
What are two tools used to acquire information from a PDA? - PDA Seizure and Palm dd - Ghost and Hunt - Tripwire and Nmap
PDA Seizure and Palm dd are two tools to acquire information form a PDA.
Which list contains some important PDA security issues? - Password theft, virus attack, data corruption, application vulnerabilities - OS, hardware, battery - Sleep mode, nascent mode, quiescent mode
PDA security issues include the following: -Password theft -Virus attack -Data corruption -Applicaton vulnerabilties -Data theft -Wireless vulnerabilties -Device theft
What is needed to access the SIM
PIN code -3 attempts (if protected). 8-digit PUK (Personal Unlock Number), provided by network operator or Carrier. -10 attempts disables the phone.
What is the advantage of PMDump?
PMDump allows an investigator to dump contents of process memory WITHOUT stopping the process
____ is an Internet protocol used to retrieve e-mail from a mail server.
POP3
How is Palm OS memory organized? - Chunks known as data - Chunks known as records - Chunks known as folders
Palm OS memory is organized in chunks known as records. Records are grouped into a database called the Palm File Format (PFF). PFF has three types of files: Palm Database containing contact lists and application data Palm Resource with application code and user interface objects Palm Query Applications with World Wide Web contents
Which ports does HotSync open during the HotSync process? - TCP 12345, TCP 12346, UDP 12345 - TCP 139, TCP 445 - TCP 14237, TCP 14238, UDP 14237
Palm OS opens TCP 14237, TCP 14238, and UDP 14237 during the HotSync process.
____________________ helps devices interact with GPS receivers, wireless modems, keyboards and other peripheral devices using USB.
Palm Universal Connector System
____________________ helps devices interact with GPS receivers, wireless modems, keyboards and other peripheral devices using USB. - Palm Universal Connector System - Hotsync - Palm Expansion Card Slot
Palm Universal Connector System helps devices interact with GPS receivers, wireless modems, keyboards and other peripheral devices using USB.
Computer crimes include all but which of the following? - Fraud via manipulation of computer records - Performing vulnerability assessment for a client - Spam - Deliberate avoidance of computer security systems - Unauthorized access - Unauthorized modification of software
Performing vulnerability assessment for a client with permission is NOT a computer crime. Computer crimes include: - Fraud via manipulation of computer records - Performing vulnerability assessment for a client - Spam - Deliberate avoidance of computer security systems - Unauthorized access - Unauthorized modification of software
Mobile Switching Center- MSC
Performs switching of user calls, and provides functionality to handle mobile devices.
Technical witness
Person who does field work and only submits the results, without offering a view of their results.
WPA2
Personal - uses Shared Keys (PSK), 256 bit key Enterprise - uses EAP, RADIUS or Kerberos. -Multiple Authentication - Token cards, Certificates. -uses a central authentication server. Both use 128 bit AES-CCMP encryption (Actual value). 48 bit IV AES-CCMP Integrity Check Protects against forgery and Replay attacks.
What is a PDA?
Personal Digital Assistant
Which acts pertain to privacy? - CAN-SPAM - PIPEDA - Data Protection Act 1998 Section 55
Personal Information Protection and Electronic Documents Act Data Protection Act 1998 Section 55: Unlawful obtaining of personal data
____ is overhearing phone conversations while being physically present.
Phone Eavesdropping
____ is a direct form of harassment where an employee is expected to tolerate harassment in order to receive some benefit.
Quid pro quo
Raid Levels: RAID 3
RAID 3 is a RAID configuration that uses a parity disk to store the information generated by a RAID controller instead of striping it with the data.
Where is the running-configuration file for a Cisco router?
RAM
How is memory arranged on the Palm OS?
RAM and ROM are on the same memory module
Windows CE has four types of memory. What are they?
RAM, Expansion RAM, ROM, and Persistent storage
What are the main protocols for the Network Layer?
RARP, ICMP, IGMP, IP
What registry data type indicates raw binary data?
REG_BINARY
Rule 402
Relevant evidence generally admissible; irrelevant evidence inadmissible
In order to meet the Daubert standard, and be admissible in court, the testimony of an expert witness must be both relevant and __.
Reliable
A ____ party is an individual or business who used a particular work when the status of the work was in the public domain, prior to the URAA agreement.
Reliance
SIM - Subscriber Identity Module
Removable component, used to authenticate the user to the network, and contains subscriber information. Volatile and nonvolatile (file system) memory
Which are true about EasyRecovery?
Repairs and restores corrupt or inaccessible Microsoft Office and Zip files, Includes EmailRepair
Rule 703 includes which of the following? - Facts are disclosed to expert - Facts disclosed to the expert must also be disclosed to the jury - Court decides whether probative value in assisting jury to evaluate expert opinion outweighs prejudicial nature of facts used by said expert
Rule 703 allows the Court to determine whether facts disclosed to the expert are revealed to the jury based on whether the probative nature of said facts in assisting the jury to evaluate the expert opinion outweighs the prejudicial effect.
Forensic rule that sets requirements for original evidence.
Rule: 1002
Forensic rule that allows the admissibility of duplicates.
Rule: 1003
BlackBerry ____ Protocol backs up, restores, and synchronizes the data between BlackBerry devices and desktop systems.
Serial
Types of Data Acquisition.
Serial Communication, USB Data, Plug-in boards.
____ analyzes server logs by changing IP addresses into domain names with the help of httpdanalyse.c.
Server log analysis
Sources of data for digital evidence.
Server. Storage devices. Logs. Internal hardware.
According to the USPTO, a ____ mark is any word, name, symbol, device, or any combination, used, or intended to be used, in commerce, to identify and distinguish the services of one provider from services provided by others, and to indicate the source of the services.
Service
According to the USPTO, a ____ mark is any word, name, symbol, device, or any combination, used, or intended to be used, in commerce with the owner's permission by someone other than its owner, to certify regional or other geographic origin, material, mode of manufacture, quality, accuracy, or other characteristics of someone's goods or services, or that the work or labor on the goods or services was performed by members of a union or other organization.
Service Mark
What are types of search warrants?
Service provider search warrant and electronic storage device search warrant.
What data can be recovered from the SIM card?
Service-related information including unique identifiers Phonebook and call information such as ADN and LND SMS, EMS and multimedia messages LAI and RAI
In Linux every file has nine permission bits, choose all that apply.
Setuid, Sticky bit, Setgid (Setuid bits have an octal value of 4000 Setgid bits have an octal value of 2000 Sticky bits have an octal value of 1000 however, Linux silently ignores this type. Sticky bits were important as a modifier for executable files on early UNIX systems)
Shane, a forensic investigator, believes key evidence is on a PDA device. The PDA is currently powered on. What should Shane do?
Shane should make sure the device remains powered on by plugging it into a power supply or charging the battery. She should also photograph the device to capture the current state of the device.
Non-Electronic Password Attacks
Shoulder Surfing, Social Engineering, Dumpster Diving.
Paper printout
Shows data that have been printed out from a live computer.
Which type of cell holds series of indexes pointing to parent key cells?
Subkey list cell
Steganalysis Challenges
Suspect information may not have encoded hidden data. Efficient and Accurate detection of hidden content withing digital images. Data encrypted before being inserted into file or signal. Suspect files may have irrelevant data or noise inserted.
When collecting evidence from the RAM, where do you look for data?
Swap file
What is a swap file?
Swap file is space on a hard disk (nonvolatile memory) used as a virtual memory extension for RAM.
Jumpers or Dip Switches
Switches on the mother board that clear the BIOS and CMOS settings, allowing them to reset. You can also cross pins 2 and 3.
To obtain a search warrant, police or government agent must provide what
Sworn statement including location to search and type of property being sought, Written documentation about complaint initiating search and any supporting documentation
____ manipulates punctuation to hide messages.
Syntactic Steganography
____ evidence is oral evidence, presented by a competent eyewitness to the incident, that is relevant and material to the case.
Testimonial
Rule 702 includes what?
Testimony based on sufficient facts, Testimony is the product of reliable principles and methods, Witness has applied reliable principles and methods reliably to the facts of the case.
What kind of keyboard does the Blackberry have? - QWERTY - CUTEY - LCD
The Blackberry has a QWERTY keyboard.
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What comprises the Cocoa Touch layer? - Core Audio and OpenAL - UI Kit - Foundation frameworks providing graphical and event-driven applications
The Cocoa touch layer consists of UI Kit and Foundation frameworks which provide the user with tools for graphical and event-driven applications
Which two were created by the Department of Justice to safeguard children? - Innocent Images National Initiative (IINI) - Internet Crimes Against Children (ICAC) - Project Safe Childhood (PSC) - Anti-Child Porn.org (ACPO)
The Department of Justice created ICAC and PSC. Internet Crimes Against Children (ICAC) is a network of regional task forces to provide federal assistance to state and local law enforcement so they could better investigate computer and internet-based crimes that sexually exploit children. Project Safe Childhood (PSC) is an initiative developed to provide a coordinated effort in combating child porn. It strives to help local communities create programs to investigate child exploitation and identify and rescue victims.
Electronic Communications Privacy Act
The Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer.
Which agency of the United States Department of Justice investigates both federal crimes and acts as internal intelligence agency? - NIST - FBI - OSHA
The Federal Bureau of Investigation (FBI) investigates both federal crimes and acts as internal intelligence agency.
Fourth Amendment
The Fourth Amendment states, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supposed by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
How can you tell if a password dump is from a Windows Vista or Windows 7 based system?
The LM hash field will be blank. -Disabled on Windows 7 sand Vista.
What is true about the Mac OS?
The MAC OS is based on BSD Darwin engine Startup items in /System/Library/StartupItems or /Library/StatupItems Uses .hidden to maintain a list of hidden files
What happens when a file is deleted using Windows 7?
The MFT is marked with a special character that indicates that the file has been deleted
What area of a disk is changed when a primary partition is deleted?
The Master Boot Record (MBR)
The architecture of Windows CE has four layers: - Application - OS - Original Equipment Manufacturer (OEM) - Hardware What is the purpose of the OEM?
The OEM is between the OS and the hardware layer. It contains the OEM Adaptation Layer (OAL), drivers, and configuration files. It handles system startup, interrupt handling, power management, profiling, timer and clock.
There are three types of records in the PFF. Which is NOT one type? - Palm Database - Palm Folder - Palm Resource
The Palm File Format (PFF) has three types of files: Palm Database containing contact lists and application data Palm Resource with application code and user interface objects Palm Query Applications with World Wide Web contents
Event ID 4902
The Per-user audit policy table was created
What type of scan sends a SYN flag, receives an SYN/ACK then sends a RST? - XMAS - FIN - Half-open
The SYN scan creates a half-open TCP/IP connection
Network Forensics
The Sniffing, Recoding, Acquisition, and Analysis, of Network Traffic and Event Logs, in order to Investigate an Incident.
dcfldd
The ______ tool is a modified version of the dd tool that depicts the status as an image is being collected, hashed, and checked for integrity. Linux Defense Crime Forensic Lab dd
What is the best way to protect PDAs from wireless attacks? - Install wireless anti-virus for PDA - Install a VPN client on the PDA and encrypt the connection - Use port security
The best way to protect a PDA from wireless attacks is to install a VPN client on the PDA and encrypt the connection
Which copy is analyzed, the original or the bit-stream? - Original - Bit-stream
The bit-stream copy is analyzed. The original is stored in a safe location so no one can tamper with it. Initially, two copies are made. Then, if the first bit-stream copy is damaged, the second copy can be sued. If the second copy is damaged then another copy can be made from the original.
Wireless Active Scan
The client radio transmits or broadcasts a probe request and listens for a probe response from an Access Point.
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the Core Services Layer provide?
The core services layer provides the basic services for applications such as Address Book, Core Location, CFNetwork, Security and SQLite
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the Core Services Layer provide? - Basic Services for applications - Address Book, Core Location, CFNetwork, Security and SQLite - Graphics
The core services layer provides the basic services for applications such as Address Book, Core Location, CFNetwork, Security and SQLite
What is the "Best Evidence Rule"?
The court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy
Router Cache
The database of addresses and forwarding information of network traffic stored in a router. It can also provide information about attacks.
Why it is important to know with which type of system the iPod has been synchronized? - Need to know how much data has been transferred during sync - Different computers sync differently - iPods sync'd with Mac computers use Apple's HFS+file system. iPods sync'd with Windows use FAT32.
The file system on the iPod will be based on the computer used to sync the iPod. iPods sync'd with Mac will use Apple's HFS+ file system. iPods sync'd with Windows will use FAT32.
What are the four PDA generic states? - New, Active, Quiet, Selective - Configured, Active, Sleep, Semiactive - Nascent, Active, Quiescent, Semiactive
The generic PDA states include: -Nascent: device just received from manufacturer with factory configuration - Active: device powered on and performing tasks - Quiescent: sleep mode which conserves battery power while maintaining user data and background tasks - Semiactive: partway between active and quiescent and usually triggered by a timer to save battery life
Why is iPod useful for information theft? - Large storage capacity - Small size - Rapid data transfer
The iPod is useful for information theft because of its large storage capacity, small size and rapid data transfer
When does the investigation begin? - When the police arrive - When the crime scene technician arrives - When the crime is suspected
The investigation begins when the crime is suspected
Who should the expert witness face, while providing an answer?
The jury.
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the media layer provide?
The media layer provides graphics and media technologies such as Core Audio, OpenAL and video technologies
The iPhone OS has four abstraction layers. -Core OS Layer -Core services Layer -Media Layer -Cocoa Touch Layer What does the media layer provide? - Graphics and media technologies such as Core Audit, OpenAL and video technologies - UI Kit and Foundation framework - Fundamental services such as Address Book, CFNetwork, SQLite
The media layer provides graphics and media technologies such as Core Audio, OpenAL and video technologies
The definition of chain of custody is
The movement and location of physical evidence from the time it is obtained until the time it is presented in court.
Net Commands: Net Sessions
The net session command is used to list or disconnect sessions between the computer and others on the network
Net Commands: Net Start
The net start command is used to start a network service or list running network services.
What are the two sections of Windows CE RAM? - Object store - Program Memory - Data Folders
The object store and program memory are two sections of Windows CE RAM. The object store is a permanent virtual RAM disk. Data is retained there by a backup power supply.
Data Acquisition
The process of imaging, or otherwise obtaining information, from a digital device and its peripheral equipment and media.
File Carving
The process of reassembling computer files from fragments in the absence of file system metadata.
What is part of the role of a forensics investigator? - Create images of original evidence - Guides officials in managing investigation - Reconstructs damaged media - Analyzes data and prepares report - Addresses the issues in court, if necessary. May act as expert witness. - All of the above
The role of a forensics investigator is to: - Recover data - Determine damage from crime - Gather evidence based on forensic guidelines - Protect evidence - Create images of original evidence - Guide officials in managing investigation - Reconstruct damaged media - Analyze data and prepares report - Address the issues in court, if necessary. May act as expert witness.
What is the role of digital evidence in forensic investigation? - Provide material for investigative report in lawsuit - Provide clues to identify the criminal - Support expert witness testimony
The role of digital evidence in forensic investigation is to provide clues to identify the criminal
Slack Space
The space that exists between the end of a file and the end of the cluster. Unused storage capacity.
When a file is deleted from a Windows OS on an NTFS filing system, the files will go into a folder in the recycler, with what?
The users SID (y). $Ry.ext The file name and path will be stored in the INFO file.
Voluntary disclosure
The voluntary disclosure provisions of the SCA appear in 18 U.S.C. 2702. These provisions govern when a provider of RCS or ECS can disclose contents and other information voluntarily, both to the government and non-government entities.
There are two associations that can help forensics investigators. Which is NOT one of these helpful associations? - NIST - Computer Technology Investigators Network - Technology Crime Investigators Association
There is much information on the internet to assist forensics investigators. Two helpful associations are: - Computer Technology Investigators Network http://www.ctin.org/ - High Technology Crime Investigators Association http://www.htcia.org/
What are questions to consider before beginning a forensic investigation involving PDAs? (Choose all that apply) - What kind of investigation needs to be done? - How should the PDA be handled? - Can critical data on the PDA remain secure during examination?
These questions should be considered before beginning a forensic investigation involving PDAs: What kind of investigation needs to be done? How should the PDA be handled? Can critical data on the PDA remain secure during examination?
The BlackBerry Enterprise Solution provides AES and ____ encryption techniques
Triple DES
Is this the proper order for response to a crime by first responders: 1. Begin investigation the moment a crime is suspected 2. Response to preliminary evidence by photographing the scene and marking evidence 3. Obtain search warrant, if needed 4. Follow first responder procedures 5. Seize evidence seized at crime scene then safely number and secure it 6. Transport evidence to forensic laboratory 7. Make two bit-stream copies of evidence 8. Generate a checksum (generally MD5) on the bit-stream images 9. Prepare chain of custody 10. Store the original disk so that time stamps and evidence remain intact 11. Use image copy to analyze the evidence 12. Prepare a forensic report describing the forensic method and recovery tools 13. Submit the forensic report 14. Testify as expert witness, if needed Yes No
This is the proper order for response to a crime by first responders: 1. Begin investigation the moment a crime is suspected 2. Response to preliminary evidence by photographing the scene and marking evidence 3. Obtain search warrant, if needed 4. Follow first responder procedures 5. Seize evidence seized at crime scene then safely number and secure it 6. Transport evidence to forensic laboratory 7. Make two bit-stream copies of evidence 8. Generate a checksum (generally MD5) on the bit-stream images 9. Prepare chain of custody 10. Store the original disk so that time stamps and evidence remain intact 11. Use image copy to analyze the evidence 12. Prepare a forensic report describing the forensic method and recovery tools 13. Submit the forensic report 14. Testify as expert witness, if needed
When building a forensic lab health and safety factors are critical because?
This is to protect the staff
EC-Council identified thirteen steps for evaluating a case. One of these steps involves assessing skill levels of users. Why is this important?
To determine how they might delete or conceal evidence.
The goal of forensic science is:
To determine the evidential value of the crime scene and related evidence
What software is used to disable automatic syncing? - iPod desync - iTunes - iPod manager
To disable automatic syncing, open iTunes, select Preferences, click Syncing tab, and check disable automatic syncing for all iPhones and iPods
Rule-Based Attack
This type of attack is when the attacker already has some information about the password. The attacker can then write a rule so that the password-cracking software will only generate passwords that meet that particular rule.
A ____ is a section or instance of an application or program that is being run sequentially.
Thread
What are three classifications of steganography? - Photographic steganography - Technical steganography - Analog steganography - Linguistic steganography - Digital steganography
Three categories of steganography: technical, linguistic and digital.
Stratum 0 device
Time Reference Server, on an Atomic Clock.
To obtain a search warrant, police or government agent must (check all that apply) - Obtain signature by judge or magistrate - Present good reason for search - Verbally tell why the search warrant is needed
To obtain a search warrant, police or government agent must do the following: -Obtain signature by judge or magistrate -Present good reason for search
What are tools necessary for forensic analysis of an iPod or iPhone? - EnCase and Forensic Toolkit - Device Seizure - Recover My iPod and iPod Data Recovery
Tools necessary for forensic analysis of an iPod or iPhone include EnCase, Forensic Toolkit, Recover My iPod and iPod Data Recovery
True or False: When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected.
True (A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to. nbtstat -c can be used to view the cache of NetBIOS names on the host operating system)
How many bit-stream copies are made of the original evidence? 1 2 3 4 5 6
Two copies are made of the original evidence using two different software packages.
Choose all true about the USA PATRIOT Act - Greater authority to track and intercept communications for law enforcement and foreign intelligence gathering - Made wiretapping illegal - Passed in response to 911 terrorist attack
USA PATRIOT Act gave greater authority to track and intercept communications for law enforcement and foreign intelligence gathering. It was passed in response to the 911 terrorist attack in the USA.
What does the SIM card contain?
Unique identifiers for the SIM. -ICCID, Subscriber, IMSI. -Phone book and call information (last numbers dialed, abbreviated Dialing Numbers). -Messages (SMS, EMS, Multimedia). -Location Information
What are two ways to unmount an iPod?
Unmount the iPod by either dragging the iPod icon to the trash (Mac) or clicking the Safely Remove Hardware button (Windows)
Signature Analysis
Verifies file signatures Identifies the difference between file extension and the file header. Make Hash Sets Used to verify accuracy of the resident file extension.
Criminal Litigation Experts
Victim Advocates. address behavior of the defendant. Do not expect to be paid. Reputation may tarnish testimony.
In what format can video be stored on an iPod?
Video can be stored as .m4v (H.264), .mp4 (MPEG-4) and unprotected WMA on Windows.
802.16
WIMAX, Microwave Wireless Metropolitan Area Network, MANs
802.11l
WLANs, and Improved Encryption.
Blackberry Attachment Service has a known vulnerability. What is it?
WMF or EMF (known bug in GDI)
Which wireless security protocol is most secure?
WPA2
Which wireless security protocol is most secure? - WEP - WPA - WPA2
WPA2
The following are examples of what? "Access to this system is restricted." "Systems and networks are subject to monitoring at any time by the owner" "Unauthorized use is prohibited and will be subject to discipline or prosecution"
Warning Banner
The following are examples of what? Access to this system is restricted. Systems and networks are subject to monitoring at any time by the owner Unauthorized use is prohibited and will be subject to discipline or prosecution - Banner grabbing - Warning banners - Warning messages
Warning Banner is designed to state the responsibility a user accepts while using the system.
____ is a parental control tool, developed specially for protecting children from forbidden materials such as pornography, online gambling, and online drug information.
Web control for parents
Mobile Operating Systems
WebOS (Linux Kernal). Symbian (Nokia, Object Oriented, Java). Android (Google, Linux, Virtual Machine, SQLite storage). Apple iOS. Windows Phone 7 (Microsoft. RIM Blackberry OS (Research In Motion).
____ is wireless hacking that is used to capture information passing through a wireless network.
Whacking
When does the investigation begin?
When the crime is suspected
BMP (Bitmap) file
Windows Black and White is 1 bit per pixel. 24 bit color up to 16.7 million colors (RGB).
Windows CE has two types of device drivers? - Monolithic and Layered - Monumental and Layered - Monolithic and Latent
Windows CE has two types of device drivers: monolithic and layered. Monolithic drivers apply their interfaces as an action directly on the device. Layered device drivers divide their implementation between upper and lower layers. The upper layer exposes the driver's native interface. The lower layer interacts with the hardware.
The LinkMASSter-2 ____ option provides a quick non-DoD method of sanitizing a drive of all previously stored data.
WipeOut Fast
Passive Online Password Attacks
Wire Sniffing, Man-in-the-Middle attack. Replay Attack.
How does lossless file compression work?
Words are numbered and repeated words are replaced with a number (thus saving space). Huffman Lemple-Ziv
Most important step of Data Acquisition?
Write Protect everything.
THe driveSpy ____ command is used to regenerate information acquired through the SaveSect command
WriteSect
Which are true about X-Ways Forensics? - Viewing and dumping RAM and virtual memory - Disk cloning and imaging - Advanced work environment
X-Ways Forensics is a work environment including: Disk cloning and imaging Examining complete directory structure and disk space including slack space Viewing and dumping memory including virtual memory Support for FAT, NTFS, ext2/3
What type of scan sends FIN, URG, PSH flags?
XMAS
What type of scan sends FIN, URG, PSH flags? - XMAS - FIN - Half-open
XMAS scan sends FIN, URG, PSH
What format does Vista use for event logs?
XML
____ is a general-purpose specification for markup programming languages that allows the user to define specific elements to aid in sharing structured data among different types of computers with different operating systems and applications.
XML
Microsoft handheld OS was first called Windows CE, then PocketPC then Windows Mobile. But Windows CE 5.2 powers Windows Mobile 6. What devices does Windows CE run on?
XScale, ARM or SHx processors.
Are these steps the basic steps in PDA forensics? 1 - Secure and evaluate the crime scene 2 - Seize the evidence 3 - Identify the evidence 4 - Preserve the evidence 5 - Acquire information 6 - Examine and analyze the information 7 - Document 8 - Report Yes No
YES: These are the basic steps in PDA forensics: 1 - Secure and evaluate the crime scene 2 - Seize the evidence 3 - Identify the evidence 4 - Preserve the evidence 5 - Acquire information 6 - Examine and analyze the information 7 - Document 8 - Report
/var is used for system-specific data and configuration files. - Yes - No
YES: /var is used for system-specific data and configuration files
Are these the six stages of process creation? 1. Launch .exe: File Execution Options registry key is checked for debugger value. If yes, process starts over 2. EProcess object created along with KProcess, PEB, and initial address space 3. Initial thread created 4. Windows subsystem is notified of new process and thread 5. Execution of initial thread starts 6. Initialization of address space is complete for new process and thread
Yes
Blackberry OS is event-driven and supports multitasking and multithreading.
Yes
All evidence collected should be marked as exhibits using this format: ____, where • aaa are the initials of the forensic analyst or law enforcement officer seizing the equipment • zz is the sequence number for parts of the same exhibit. • nnnn is the sequential number of the exhibits seized by the analyst, starting with 001 • ddmmyy is the date of the seizure
aaa/ddmmyy/nnnn/zz
A(n) ____ is defined as the average packet rate of data packets with similar packet header information.
activity profile
What does Visual TimeAnalyzer do?
automatically tracks all computer usage and presents detailed illustrated reports
What is true about the USA PATRIOT Act?
ave greater authority to track and intercept communications for law enforcement and foreign intelligence gathering. It was passed in response to the 911 terrorist attack in the USA.
What term defines an empirically proven set of methods for performing a task in the best and most efficient way?
best pratices
What are some standard /usr sub-directories?
bin and local
Creating a ____ is the most common method forensic investogators use to acquire digital evidence
bit stream disk to image file
The ____ is the set of steps a computer system takes after it has been powered on.
boot sequence
____ is the process of loading an operating system into a computer's main memory.
booting
In a DDoS attack, attackers first infect multiple systems, called ____, which are then used to attack a particular target.
bots
A(n) ____ attack is a type of attack that sends excessive data to an application that either brings down the application or forces the data being sent to the application to be run on the host system.
buffer overflow
A ____ is a set of duplicate data that is stored in a temporary location so that a computer system can rapidly access that data.
cache
A(n) ____ is a type of warning, like a "Beware" sign posted near a dangerous area.
caveat
____ is a procedure that handles or controls all authorized changes to assets such as software and hardware.
change control
PromiscDetect
checks to see if NIC is in promiscuous mode.
What term refers to the smallest logical storage units on a hard disk?
clusters
What occurs immediately after the investigation begins?
collect preliminary evidence including photographing the scene and marking evidence
Choose other techniques commonly used to remove watermarks?
collusion attack, Jitter attack and StirMark
Electronic Communications Privacy act (ECPA) applies to:
communications that include e-mail, text messaging, networking software, blogs, and video conferencing. Requires subpoena, warrant or court order in order to force disclosure.
The first step in cracking a password is:
create a word list
Promqry
determines active network interface status on remote systems.
Openfiles command
displays open files. Queries, Displays, and Disconnects files,
Netstat -r option
displays routing table and persistent routes.
pslist -x option
displays threads and memory used.
Random compliations of data are not admissible. Logs must be kept as a regular business practice. Logs instituted after an incident has commenced ______________ under the business records exception.
do not qualify
What command can be used to view command history?
doskey /history & scroll up in the command window (If a command window is open, the investigator can scroll up to see command history. But the attacker may have typed cls to clear the screen. Then, the investigator can use the doskey /history command to see the history.)
What command is used to view EProcess block?
dt -a -b -v _EPROCESS
Spread Spectrum - Audio steganography
encodes data as a binary sequence, that sounds like noise. -Direct Sequence (Spread by chip rate - constant. -Frequency Hopping.
A(n) ____ investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.
end to end
Something that is ____ is transient or short lived in nature.
ephemeral
A(n) ____ stalker is a stalker who believes that the victim is in love with him or her, even though the victim has not made any such statement.
erotomaniac and morbidly infatuated
What are names of the two Apache logs?
error log and access log
A(n) ____ file is a proprietary file created by EnCase to compress and preserve bit-stream images of acquired media.
evidence
Which file system runs on Linux? - ZFS - HFS+ - FAT32 - NTFS - HFS - UFS - ext
ext1, ext2, ext3 - Linux
What represents the space that exists between the end of the file and the end of the last cluster used by that file?
file slack
Objects in Windows CE are stored in three types of persistent storage. What are they?
file system, registry and property databases.
Huffman Coding Algorithm
fixed to variable length code. Takes a fixed length block of input and produces a variable length output. Assigns a codeword to each block with high and low probability. Merges least probable characters together, and reeated until there is only one character. (1110)
What term refers to a small, portable magnetic disk that is used to store and transfer computer data?
floppy disk
How does the OSI layer 'Data link' exchange data?
frames
How does the OSI layer 'Physical' exchange data?
frames
What is Event ID 642
gives information about changes to an account
What type of scan sends a SYN flag, receives an SYN/ACK then sends a RST?
half-open
What does HKEY_CURRENT_CONFIG?
hardware profile at startup
A ____ is an area of the drive where a certain portion of the drive's contents is hidden from the operating system and file system.
host protected area HPA
THe ipod touch uses the ____ OS as it's operating system
iPhone
The iPhone has a solid state NAND flash memory configured with two partitions by default. Choose the best description for these two default partitions. - Root partition is a 300 MB FAT32 drive - Root partition is a 300 MB, read-only partition housing the OS, preloaded applications - User partition mounted as /private/var
iPhone has two default disk partitions: 300 MB root partition with OS, preloaded applications. Read-only and stays in the original factory state for the life of the iPhone User partition mounted as /private/var
What can criminals do with iPhones?
iPhones can be used to steal data, send threatening or offensive SMS or MMS messages, change or clone SIM properties, remove the service provide lock (SP-Lock) to free iPhone from its network and send spam.
Which file system runs on HFS+?
iPod sync'd to MAC
GIF has a web-specific feature known as
interlacing
____ addressing is used in a network where a number of LANs or other networks are connected with the help of routers.
internetwork
Which items are examples of technical steganography?
invisible inks, microdots, and other such technologies
Session Poisoning
is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.
MRU list
list that contains a history of recent activity on a computer. Shows the last four opened registry files
psfile command
lists and closes remotely opened files.
Archival Data
long term storage of data.
What command can be used to display a list of open files?
lsof
What command can be used to display a list of open files? - dir - ls - lsof
lsof command can be used to retrieve a list of open files
What is Event ID 632
member added to global security group
What is Event ID 636
member added to local security group
What is Event ID 633
member removed from global security group
What is Event ID 637
member removed from local security group
How does the OSI layer 'Application' exchange data?
messages
How does the OSI layer 'Presentation' exchange data?
messages
How does the OSI layer 'Session' exchange data?
messages
Which netcat command is an example of port scanning?
nc -l -p port_number > /test/outfile.txt
Which netcat command is an example of port scanning? - nc -l -p port_number > /test/outfile.txt - nc www.targethost.com 80 - nc -v -z target port-range
nc -l -p port_number > /test/outfile.txt slow scan to avoid detection
Which statement is used to partition an image on another machine? - netcat -l -p 1234 | dd of=/dev/hdc bs=16065b - dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror - dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b used to partition an image on another machine. Run on the target machine
___ is a network-enabled espionage, in which an attacker uses the internet to perform corporate espionage.
netspionage
The ____ Linux command displays active TCP connections, Ethernet statistics, and the IP routing table.
netstat
The ____ command allows a user to collect information regarding network connections on a Windows system.
netstat
What command can be used to display active TCP connections, Ethernet statistics and IP routing table?
netstat
What are the two sections of Windows CE RAM?
object store and program memory
Burgess Forensics
offers computer forensic, electronic discovery, and expert witness and testimony since 1985. Burgess Forensics uses various tools, such as EnCase, SMART Forensics, Paraben, FTK, etc., to provide Macintosh Digital Forensics, Windows Digital Forensics, and Cell Phone/Mobile/PDA Forensics.
What are two main techniques of linguistic steganography?
open codes and semagrams
How does the OSI layer 'Network' exchange data?
packets
What is an important consideration for complete memory dump analysis?
pagefile.sys
LDAP injection
passing LDAP filters, used for searching Directory Services, through web application input, to obtain direct access to the database. =, >=, <=, ~=, * And(&), Or (|), NOT (!).
A ____ is a program that is used to identify an unknown or forgotten password to a computer or network resource.
password cracker
The term ____ refers to the process of taking a password hash and attempting to determine the associated password that generated that password hash.
password cracking
A ____ is a property right granted to the inventor by the USPTO to keep others from making, using, or selling the invention without authorization.
patent
A ____ attack consists of sending a malformed or otherwise malicious ping to a computer.
ping of death
____ is the standard for the transport of IP traffic over point-to-point links.
point to point protocaol PPP
A ____ virus is one that produces varied but operational copies of itself.
polomorphic
A ____ is a noninteractive program that helps the operating system and applications perform their tasks.
process
Association
process of connecting a device to a wireless access point.
Authentication
process of identifying prior to allowing access.
____ involves a perpetrator changing existing computer programs by either modifying them or inserting new programs and routines.
program manipulation fraud
____ mode is the mode of a network interface card in which the card passes all network traffic it receives to the host computer, rather than only the traffic specifically addressed to it.
promiscuos
____ mode refers to the state of a network interface card where it will register all network traffic, rather than only the traffic arriving with the card's own MAC address as the destination.
promiscuos mode
What is the role of digital evidence in forensic investigation?
provide clues to identify the criminal
Computer Forensics Services (CFS)
provides a complete suite of computer forensics, electronic evidence, and data recovery services.
Elluma Discovery
provides computer forensics, electronic discovery, forensic data recovery, forensic analysis, and computer expert witness services.
CyberControls
provides litigation consultancy and computer forensic services on a nationwide basis. It maintains a secured forensics lab along with a team of litigation consultants who provide a blending of technical and legal advice about e-discovery specifics.
What command can be used to view the process register? - ps - dir - ls
ps command can be used to view the process register
The ____ state is the sleep mode of the PDA device, which conserves battery power to maintain the user's data and perform other background activities.
quiescent
A ____ table is a table of password hashes created by hashing every possible password and variation thereof to be used in a rainbow attack to recover a plaintext password from a captured ciphertext.
rainbow
What is Event ID 624?
recorded when an account is created
Memory in Palm OS is arranged in chunks known as ____.
records
The term first ____ refers to a person who first arrives at a crime scene and accesses the victim's computer system once the incident has been reported.
responder
What is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location?
search warrent
How does the OSI layer 'Transport' exchange data?
segments
____ hide information through the use of signs or symbols.
semagrams
What does the 'Apparently-To: ' in header, indicate?
sign of a mailing list. One per recipient. Unusual in legitimate emails.
____ is also called pattern analysis because the administrator is looking for a pattern that is indicative of a problem or issue.
signature analysis
____ is a steganography tool that exploits the nature of white space.
snow
Swap file
space on a hard disk, used as the virtual memory extension of a computer's real memory (RAM).
Evidence storage containers or cabinets should be made of what material?
steel
A ____ is the mechanism that is used in performing steganography.
stegosystem
What are two tools used for keyword searching in Linux?
string and grep
The ____ event log records events relating to system behavior, including changes to the operating system, changes to the hardware configuration, device driver installation, the starting and stopping of services, and a host of other items of potential investigative interest.
system
Improper use of resources may create a DoS attack.
tRUE
What are three classifications of steganography?
technical, linguistic and digital
Swap File
the disk space that is set aside for virtual memory.
The process of file ___ involves locating the data on the disk particitions and allowing the OS to access the file
undeletion
The process of file ____ involves locating the data on the disk partitions and allowing the operating system to access the file.
undeletion
What does the term jailbreaking mean?
unlocking the iPhone and iPod Touch to permit the installation of third-party applications
Linguistic Steganography
uses written natural language to hide the message in the carrier in non-obvious ways. Jargon code (special language), Covered Ciphers (hidden openly), Null Ciphers - (Encryption where plaintext is mixed with non-cipher material), Grille Ciphers (cutting holes and lining up text).
What format do iPods use to store contact information?
vCard
____ uses an algorithm to find out if the data can be disregarded based on vectors that are present in the image file.
vector quamtization
Forensic laboratory imaging system will have these qualities
very low image capture rate
____ is the measure of how perishable electronically stored data are.
volatility
____ information is information that is lost the moment a system is powered down or loses power.
volitile
A ____ boot is the restart of a system that is already on.
warm
What does a user usually read before signing on to a system in which the user's responsibilities while using the system are stated?
warning banner
The forensic investigator made a copy of the CopyInstall.log in the root directory and wants to see the contents in hex because he believes this file may not be what it seems. What Linux command line tool could he use?
xxd -l CopyInstall.log and xxd -l CopyInstall.log HexOutput.log