Computer Forensics CTS2381
In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter. FTK FLETC CTIN IACIS
CTIN
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. Computer Analysis and Response Team (CART) Federal Rules of Evidence (FRE) DIBS Department of Defense Computer Forensics Laboratory (DCFL)
Computer Analysis and Response Team (CART)
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. Disaster recovery Data recovery Computer forensics Network forensics
Data recovery
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data
Digital Forensics
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. incident response digital investigations network intrusion detection litigation
Digital Investigations
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. configuration management disaster recovery security risk management
Disaster Recovery
Addresses how to restore a workstation you reconfigured for a specific investigation
Disaster Recovery Plan
A(n) ____ is a person using a computer to perform routine tasks other than systems administration. complainant investigator end user user banner
End user
Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown. Event log Password log Io.sys Word log
Event Log
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. True False
F
For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs. True False
F
ISPs can investigate computer abuse committed by their customers. T F
F
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies. True False
F
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. True False
False
Maintaining credibility means you must form and sustain unbiased opinions of your cases. True False
False
The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD). True False
False
____ was created by police officers who wanted to formalize credentials in digital investigations. NISPOM HTCN IACIS TEMPEST
IACIS
Involves selling sensitive or confidential company information to a competitor
Industrial espionage
The process of trying to get a suspect to confess to a specific incident or crime
Interrogation
Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence
Lab Manager
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Line Of Authority
Linux ISO images that can be burned to a CD or DVD are referred to as ____. Linux Live CDs Forensic Linux Linux in a Box ISO CDs
Linux Live CDs
Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed
Lossy Compression
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. four times three times twice once
Once
ProDiscover utility for remote access
PDServer
____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5. RAID 16 RAID 0 RAID 15 RAID 10
RAID 15
For labs using high-end ____ servers or a private cloud (such as Dell PowerEdger or Digital Intelligence FREDC), you must consider methods for restoring large data sets. RAID TEMPEST WAN ISDN
RAID
____, or mirrored striping, is a combination of RAID 1 and RAID 0. RAID 0 RAID 5 RAID 10 RAID 6
RAID 10
Stands for supervisory control and data acquisition
SCADA
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime. physical legal safety corporate
Safety
Lists each piece of evidence on a separate page
Single-evidence form
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. disk-to-disk lossless sparse disk-to-image
Sparse
Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. True False
T
The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases. True False
T
The lab manager sets up processes for managing cases and reviews them regularly. True False
T
The police blotter provides a record of clues to crimes that have been committed previously. True False
T
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. True False
T
There's no simple method for getting an image of a RAID server's disks. True False
T
To be a successful computer forensics investigator, you must be familiar with more than one computing platform. True False
T
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. line of authority right banner right of privacy warning banner
Warning Banner
Example of a lossless compression tool
WinZip
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. Windows Android Linux MacOS
Windows
Recognizes file types and retrieves lost or deleted files
Xtree Gold
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. as difficult as much easier than as easy as more difficult than
much easier than
When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers. True False
F
Vendor-neutral specialty remote access utility designed to work with any digital forensics program
F-Response
PassMark Software acquisition tool for its OSForensics analysis product
ImageUSB
You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. in-site off-site online storage
Off-site
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. litigation blotter prosecution allegation
allegation
In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. authority of right authority of line line of right authorized requester
authorized requester
Generally, digital records are considered admissible if they qualify as a ____ record. hearsay computer-stored business computer-generated
business
In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. business case upgrade policy configuration plan risk evaluation
business case
A ____ is where you conduct your investigations, store evidence, and do most of your work. forensic workstation digital forensics lab workbench storage room
digital forensics lab
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. reports litigation exhibits prosecution
exhibits
A(n) ____ should include all the tools you can afford to take to the field. forensic lab forensic workstation extensive-response field kit
extensive-response field kit
Shows the known drives connected to your computer
fdisk -l
One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search. AICIS lists forums and blogs Minix uniform reports
forums and blogs
You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. checksum md5sum hashlog hash
hash
Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. conclusive hearsay direct regular
hearsay
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. initial-response field kit bit-stream copy utility seizing order extensive-response field kit
initial-response field kit
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. static live passive local
live
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. Professional policy professional conduct line of authority oath
professional conduct
Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. professional curiosity FOIA laws HAZMAT teams onlookers
professional curiosity
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. AFD AFF raw proprietary
proprietary
Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes
Uniform Crime Report
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. NTFS recovery wizards backup utilities whole disk encryption
whole disk encryption
In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk. RAID 6 RAID 0 RAID 1 RAID 5
RAID 0
In Autopsy and many other forensics tools, raw format image files don't contain metadata. True False
T
Computer investigations and forensics fall into the same category: public investigations. True False
F
The law of search and seizure protects the rights of all people, excluding people suspected of crimes. True False
F
A high-end RAID server from Digital Intelligence
FREDC
Sponsors the EnCE certification program
Guidance Software
The first forensics vendor to develop a remote acquisition and analysis tool
Guidance Software
By the early 1990s, the ____ introduced training on software for forensics investigations. CERT IACIS FLETC DDBIA
IACIS
One of the oldest professional digital forensics organizations
IACIS
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. NTFS FAT24 ext3 ext2
NTFS
Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with
Network Forensics
Tool for directly restoring files
Norton Ghost
A computer configuration involving two or more physical disks
RAID
A forensics analysis of a 6 TB disk, for example, can take several days or weeks. True False
T
A judge can exclude evidence obtained from a poorly worded warrant. True False
T
A separate manual validation is recommended for all raw acquisitions at the time of analysis. True False
T
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. True False
T
By the 1970s, electronic crimes were increasing, especially in the financial sector. True False
T
By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff. True False
T
Computing systems in a forensics lab should be able to process typical cases in a timely manner. True False
T
FTK Imager requires that you use a device such as a USB dongle for licensing. True False
T
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. T F
T
Chapter 5, Section 3, of the NISPOM describes the characteristics of a safe storage container.
True
A plan you can use to sell your services to your management or clients
Business Case
_____ records are data the system maintains, such as system log files and proxy server logs. Computer-generated Business Computer-stored Hearsay
Computer-generated
The most common and flexible data-acquisition method is ____. Disk-to-network copy Disk-to-image file copy Disk-to-disk copy Sparse data copy
Disk-to-image file copy
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately. True False
F
Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. T F
F
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. True False
F
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. True False
F
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together. True False
F
____ often work as part of a team to secure an organization's computers and networks.
Forensics investigators
ILookIX acquisition tool
IXImager
Autopsy uses ____ to validate an image. AFD MD5 AFF RC4
MD5
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. True False
T
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. True False
T
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. TEMPEST NISPOM RAID EMR
TEMPEST
When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. U.S. DOJ U.S. DoD Patriot Act Homeland Security Department
U.S. DOJ
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. Uniform Crime Reports IDE reports ASCLD reports HTCN reports
Uniform Crime Reports
Confidential business data included with the criminal evidence are referred to as ____ data. public revealed exposed commingled
commingled
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. risk assessment change management recovery logging configuration management
configuration management
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. fourth amendment corporate criminal civil
criminal
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions. bitcopy dcfldd raw man
dcfldd
The ____ command displays pages from the online help manual for information on Linux commands and their options. man cmd hlp inst
man
Most digital investigations in the private sector involve ____. VPN abuse e-mail abuse Internet abuse misuse of digital assets
misuse of digital assets
Lab costs can be broken down into monthly, ____, and annual expenses. daily bimonthly quarterly weekly
quarterly
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. shasum rcsum sha1sum hashsum
sha1sum
Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist
Case Law
Open source data acquisition format
AFF
Provides accreditation of crime and forensics labs worldwide
ANAB
The EMR from a computer monitor can be picked up as far away as ____ mile. 1 3/4 1/4 1/2
1/2
The FOIA was originally enacted in the ____. 1970s 1940s 1960s 1950s
1960s
IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics. 4 3 5 2
3
Computing components are designed to last 18 to ____ months in normal business operations. 24 30 36 42
36
Image files can be reduced by as much as ____% of the original when using lossless compression. 15 30 25 50
50%
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating. 90 105 80 95
80
A person who has the power to initiate investigations in a corporate environment
Authorized Requester
Sworn statement in support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence
Affidavit
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. court order stating proof confirmed suspicion reasonable suspicion
reasonable suspicion
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. line of authority right of privacy line of right line of privacy
right of privacy
To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. secure workbench secure workstation protected PC secure facility
secure facility
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. real-time online static live
static