CIS 66 Ch. 1-7
The uppercase letter ____ has a hexadecimal value 41.
"A"
Describe some of the problems you may encounter if you decide to build your own forensics workstation.
...
The EMR from a computer monitor can be picked up as far away as ____ mile.
1/2
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
The FOIA was originally enacted in the ____.
1960s
IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics.
3
In general, forensics workstations can be divided into ____ categories.
3
Computing components are designed to last 18 to ____ months in normal business operations.
36
Image files can be reduced by as much as ____% of the original when using lossless compression.
50
Unused space in a cluster between the end of an active file's content and the end of the cluster
Drive slack
covert surveillance product
EnCase Enterprise Edition
A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
End user
Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown.
Event log
Vendor-neutral specialty remote access utility designed to work with any digital forensics program
F-Response
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
A standard indicator for graphics files
FF D8
agencies must comply with these laws and make documents they find and create available as public records
FOIA
A high-end RAID server from Digital Intelligence
FREDC
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
False
T/F? ISPs can investigate computer abuse committed by their customers.
False
Gives an OS a road map to data on a disk
File system
____ often work as part of a team to secure an organization's computers and networks.
Forensics investigators
A disk editor tool
Hex Workshop
By the early 1990s, the ___ introduced training on software for forensics investigations.
IACIS
One of the oldest professional digital forensics organizations
IACIS
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
IBM
States that Digital Evidence First Responders (DEFRs) should use validated tools
ISO 27037
ILookIX acquisition tool
IXImager
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
Graphics file format that uses lossless compression
PNG
System file where passwords may have been written temporarily
Pagefile.sys
The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors
Partition boot sector
Short for "picture elements"
Pixels
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
Steel
____ has been used to protect copyrighted material by inserting digital watermarks into a file.
Steganography
____ is a data-hiding technique that uses host files to cover the contents of a secret message.
Steganography
T/F? A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility.
off-site
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
sniffing
One technique for extracting evidence from large systems is called ____.
sparse acquisition
Steganalysis tools are also called ____.
steg tools
Concentric circles on a disk platter where data is located
tracks
____ involves sorting and searching through investigation findings to separate good data and suspicious data.
validation
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
virtual machine
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
warrant
Explain the difference between repeatable results and reproducible results.
"Repeatable results" means that if you work in the same lab on the same machine, you generate the same results. "Reproducible results" means that if you're in a different lab working on a different machine, the tool still retrieves the same information.
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Computer Analysis and Response Team (CART)
____ records are data the system maintains, such as system log files and proxy server logs.
Computer-generated
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
Configuration Management
A ____ is a column of tracks on two or more disk platters.
Cylinder
A ____ is where you conduct your investigations, store evidence, and do most of your work.
Digital forensics lab
T/F? If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
False
T/F? If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
False
T/F? Maintain credibility means you must form and sustain unbiased opinions of your cases.
False
Gnome graphics editor
GIMP
Sponsors the EnCE certification program
Guidance Software
The first forensics vendor to develop a remote acquisition and analysis tool
Guidance Software
Linux ISO images that can be burned to a CD or DVD are referred to as ____.
Linux Live CDs
Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes
Uniform Crime Report
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
dcfldd
The process of converting raw picture data to another format is referred to as ____.
demosaicing
To complete a forensic disk analysis and examination, you need to create a ____.
report
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
safety
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
sha1sum
Digital forensics tools are divided into ____ major categories.
2
Drawing program that creates vector files
Adobe Illustrator
In a criminal case or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
Affidavit
Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence
Affidavit
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
Allegation
Ways data can be appended to existing files
Alternate Data Streams
____ refers to the number of bits in one square inch of a disk platter.
Areal density
A person who has the power to initiate investigations in a corporate environment
Authorized requester
In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.
Authorized requester
In the Pacific North West, ___ meets to discuss problems that digital forensics examiners encounter.
CTIN
Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist
Case law
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?
Certified Computer Forensic Technician, Basic
Confidential business data included with the criminal evidence are referred to as ____ data.
Commingled
In a ___ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.
Criminal
_____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data recovery
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder.
Device drivers
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data
Digital Forensics
The _____ group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime.
Digital investigations
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Disaster recovery
Addresses how to restore a workstation you reconfigured for a specific investigation
Disaster recovery plan
The most common and flexible data-acquisition method is ____.
Disk-to-image file copy
Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files.
DriveSpace
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
EFS
Most digital photographs are stored in the ____ format.
EXIF
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
Exhibits
T/F? For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
False
T/F? Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.
False
T/F? Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.
False
T/F? Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
T/F? The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
T/F? Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
False
T/F? When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together.
False
T/F? When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers.
False
One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.
Forums and blogs
you should rely on this when dealing with a terrorist attack
HAZMAT
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.
Hearsay
a statement made while testifying at a hearing by someone other than an actual witness to the event
Hearsay
____ was created by police officers who wanted to formalize credentials in digital investigations.
IACIS
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
ISO 5725
PassMark Software acquisition tool for its OSForensics analysis product
ImageUSB
Involves selling sensitive or confidential company information to a competitor
Industrial espionage
information unrelated to a computing investigation case
Innocent information
The process of trying to get a suspect to confess to a specific incident or crime
Interrogation
Graphics file format that uses lossy compression
JPEG
The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes.
JPEG
Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence
Lab manager
Usually a laptop computer built into a carrying case with a small selection of peripheral options
Lightweight workstation
Published company policies provide a(n) ____ for a business to conduct internal investigations.
Line of authority
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Line of authority
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
Live
Most remote acquisitions have to be done as ____ acquisitions.
Live
____ compression compresses data by permanently discarding bits of information in the file.
Lossy
Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed
Lossy compression
what most cases in the private sector environment are considered
Low-level investigations
Autopsy uses ____ to validate an image.
MD5
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
Combinations of bitmap and vector images
Metafile graphics
Most digital investigations in the private sector involve ____.
Misuse of digital assets
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
NIST
Briefly explain the NIST general approach for testing computer forensics tools.
NIST created criteria for forensics tools; the criteria are based on standard testing methods and ISO 17025 criteria for testing when no current standards are available. The lab must meet the following criteria and must keep accurate records for when new software and hardware become available: establish categories for digital forensics tools (grouping software according to categories); identify forensics category requirements; develop test assertions; identify test cases; establish a test method; report test results.
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
NSRL
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NTBootdd.sys
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.
NTDetect.com
Microsoft's move toward a journaling file system
NTFS
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.
NTFS
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.
NTFS
Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with
Network forensics
One of the first MS-DOS tools used for digital investigations
Norton DiskEdit
Tool for directly restoring files
Norton Ghost
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
Notarized
____ contains the Windows XP system service dispatch stubs to executable functions and internal support functions.
Ntdll.dll
____ is the physical address support program for accessing more than 4 GB of physical RAM.
Ntkrnlpa.exe
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
Once
in 2001 redefined how ISPs and large organizations operate and maintain their records
PATRIOT Act
Software-enabled write-blocker
PDBlock
ProDiscover utility for remote access
PDServer
Explain the advantages and disadvantages of GUI forensics tools.
Pros: user-friendly; capabilities to perform multiple tasks; no requirement to learn older OSs. Cons: excessive resource requirements; producing inconsistent results because of the type of OS used; creating investigator dependencies on using only one tool.
A computer configuration involving two or more physical disks
RAID
For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets.
RAID
In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk.
RAID 0
collection of pixels stored in rows to make images easy to print
Raster image
A bit-for-bit copy of a data file, a disk partition, or an entire drive
Raw data
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated.
Reasonable suspicion
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
Registry
What are some of the advantages of using command-line forensics tools?
They require few resources because they're designed to run in minimal configurations. Some command-line tools are created specifically for Windows CLI platforms; others are created for macOS and Linux.
Determines the amount of detail that is displayed
Resolution
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.
Right of privacy
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
Risk management
Stands for supervisory control and data acquisition
SCADA
The primary hash algorithm used by the NSRL project is ____.
SHA-1
____ disks are commonly used with Sun Solaris systems.
SPARC
sets standards for recovering, preserving, and examining digital evidence
SWGDE
Command-line disk acquisition tool from New Technologies, Inc.
SafeBack
European term for carving
Salvaging
To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
Secure facility
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
Silver-platter
Lists each piece of evidence on a separate page
Single-evidence form
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
Sparse
a data-collecting tool
Spector
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
Static
A tower with several bays and many peripheral devices
Stationary workstation
____ steganography replaces bits of the host file with other bits of data.
Substitution
Briefly explain the purpose of the NIST NSRL project.
The goal of the NSRL project is to collect all known hash values for commercial software and OS files. This reduces the number of known files, such as OS or program files, included in a forensics examination of a drive so that only unknown files are left.
Explain the validation of evidence data process.
This process is done by obtaining hash values. Most forensic tools and disk editors have one or more types of data hashing. How this is used depends on the investigation. This method produces a unique hexadecimal value for data, used to make sure the original data hasn't changed.
The space between each track
Track density
T/F? A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
True
T/F? A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
T/F? A judge can exclude evidence obtained from a poorly worded warrant.
True
T/F? After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
True
T/F? By the 1970s, electronic crimes were increasing, especially in the financial sector.
True
T/F? By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
True
T/F? Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
T/F? FTK Imager requires that you use a device such as a USB dongle for licensing.
True
T/F? If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
True
T/F? Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
T/F? Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
True
T/F? The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
T/F? The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.
True
T/F? The lab manager sets up processes for managing cases and reviews them regularly.
True
T/F? The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
T/F? The most common computer-related crime is check fraud.
True
T/F? The police blotter provides a record of clues to crimes that have been committed previously.
True
T/F? There's no simple method for getting an image of a RAID server's disks.
True
T/F? To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
T/F? The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
True
When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.
U.S. DOJ
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0 and 3.0, SATA, PATA, and SCSI controllers.
USB
An international data format
Unicode
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
Uniform crime reports
____ is a core Win32 subsystem DLL file.
User32.sys
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector graphics
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
copyright
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.
data runs
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
dd
In Windows 2000 and later, the ____ command shows you the file owner if you have multiple users on the system or network.
dir
One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex.
disk editor
The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.
disk-to-image
A(n) ____ should include all the tools you can afford to take to the field.
extensive-response field kit
Shows the known drives connected to your computer
fdisk -l
You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
hash
If you can't open a graphics file in an image viewer, the next step is to examine the file's ____.
header data
The simplest way to access a file header is to use a(n) ____ editor.
hexadecimal
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
image file
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
initial-response field kit
Under copyright laws, computer programs may be registered as ____.
literary works
The ____ command displays pages from the online help manual for information on Linux commands and their options.
man
Records in the MFT are called ____.
metadata
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
much easier than
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating.
80
Open source data acquisition format
AFF
fingerprints can be tested with these systems
AFIS
Provides accreditation of crime and forensics labs worldwide
ANAB
Magnet ____ enables you to acquire the forensic image and process it in the same step.
AXIOM
What are the five major function categories of any digital forensics tool?
Acquisition; Validation and Verification; Extraction; Reconstruction; Reporting
Microsoft's utility for protecting drive data
BitLocker
____ images store graphics information as grids of pixels.
Bitmap
____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.
Boot.ini
Generally, digital records are considered admissible if they qualify as a ____ record.
Business
A plan you can use to sell your services to your management or clients
Business case
In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.
Business case
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
Probable cause
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.
Professional Conduct
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
Proprietary
In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
Prosecution
Lab costs can be broken down into monthly, ____, and annual expenses.
Quarterly
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.
TEMPEST
The image format XIF is derived from the more common ____ file format.
TIF
Illustrate how to consider hardware needs when planning your lab budget.
Take into account the amount of time the workstation is expected to be running, expected hardware failures, consultant and vendor fees to support the hardware when it fails, and how often to anticipate replacing the forensic workstation.
T/F? If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
True
T/F? In Autopsy and many other forensics tools raw format image files don't contain metadata.
True
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
Warning banner
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
Whole disk encryption
Example of a lossless compression tool
WinZip
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
Windows
____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.
Write-blockers
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03.
XIF
Recognizes file types and retrieves lost or deleted files
Xtree Gold
Illustrate the use of a write-blocker on a Windows environment.
You are able to access the blocked drive with any capable Windows app. When you copy data to the blocked drive or write updates to a particular file with Word, it shows the copy as successful; however, the write-blocker discards the written data.
____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks.
ZBR
Recovering fragments of a file is called ____.
carving
Process of coding of data from a larger form to a smaller form
data compression
You use ____ to create, modify, and save bitmap, vector, and metafile graphics.
graphics editors
The unused space between partitions
partition gaps
Many password recovery tools have a feature for generating potential lists for a ____ attack.
password dictionary
Courts consider evidence data in a computer as ____ evidence.
physical
A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____.
portable workstation
Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team.
professional curiosity
The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.
recovery certificate