Computer Forensics Exam 2

¡Supera tus tareas y exámenes ahora con Quizwiz!

American Standard Code for Information Interchange (ASCII)

An 8-bit coding scheme that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.

Message Digest 5 (MD5)

An algorithm that produces a hexadecimal value of a file or storage media. Used to determine whether data has been changed.

password dictionary attack

An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.

wear-leveling

An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells.

personal identity information (PII)

Any information that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver's license number.

Pagefile.sys

At startup, data and instruction code are moved in and out of this file to optimize the amount of physical RAM available during startup.

If a suspect computer is running Windows 10, which of the following can you perform safely

Browsing open applications

When validating the results of a forensic analysis, you should do which of the following

Calculate the hash value with two different tools

hazardous materials (HAZMAT)

Chemical, biological, or radiological substances that can cause harm to people.

data runs

Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to store the second and third components' content.

Describe what should be videotaped or sketched at a digital crime scene

Computers, cable connections, overview of scene—anything that might be of interest to the investigation.

tracks

Concentric circles on a disk platter where data is stored.

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following

Coordinate with the HAZMAT team

What does CHS stand for?

Cylinder, Head, Sector

According to ISO standard 27037, which of the following is an important factor in data acquisition

DEFR's competency, the use of validated tools.

computer-generated records

Data generated by a computer, such as system log files or proxy server logs.

innocent information

Data that doesn't contribute to evidence of a crime or violation.

List three subfunctions of the extraction function.

Data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, bookmarking or tagging

sniffing

Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data being transmitted over a network.

computer-stored records

Digital files generated by a person, such as electronic spreadsheets.

virtual machines

Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer. For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller

Enables you to remove and reconnect drives without having to shut down your workstation

digital evidence

Evidence consisting of information stored or transmitted in electronic form.

A live acquisition can be replicated

False

Building a forensic workstation is more expensive than purchasing one

False

Data can't be written to disk with a command-line tool

False

Hardware acquisition tools typically have built-in software for data analysis

False

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results

False

Small companies rarely need investigators

False

The plain view doctrine in computer searches is well-established law

False

You should always answer questions from onlookers at a crime scene

False

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible

False

List three items stored in the FAT database.

File and directory names, starting cluster numbers, file attributes, and date/time stamps.

device drivers

Files containing instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.

EFS can encrypt which of the following?

Files, folders, and volumes

Forensics software tools are grouped into and applications.

GUI and Command Line

The standards for testing forensics tools are based on which criteria

ISO 17025

BootSect.dos

If a machine has multiple booting OSs, NTLDR reads this hidden file to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).

attribute ID

In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.

metadata

In NTFS, this term refers to information stored in the MFT. See also Master File Table (MFT).

Info2 file

In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.

private key

In encryption, the key used to decrypt the file. The file owner keeps the private key.

public key

In encryption, the key used to encrypt a file; it's held by a certificate authority, such as a global registry, network server, or company such as VeriSign.

bootstrap process

Information stored in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you

Initial-response field kit.

How many sectors are typically in a cluster on a disk drive?

1

recovery certificate

A method NTFS uses so that a network administrator can recover encrypted files if the file's user/creator loses the private key encryption code.

head and cylinder skew

A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.

keyword search

A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.

one-time passphrase

A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.

initial-response field kit

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

extensive-response field kit

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware forensics tools, such as extra storage drives.

NT File System (NTFS)

A program in the root folder of the system partition that loads the OS. See also BootSect.dos.

NT Loader (Ntldr)

A program in the root folder of the system partition that loads the OS. See also BootSect.dos.

Computer Forensics Tool Testing (CFTT)

A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.

Encrypting File System (EFS)

A public/ private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.

sector

A section on a track, typically made up of 512 bytes.

nonkeyed hash set

A unique hash number generated by a software tool and used to identify files.

hash value

A unique hexadecimal value that identifies a file or drive.

keyed hash set

A value created by an encryption utility's secret key.

validation

A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

to minimize how much you have to keep track of at the scene

In forensic hashes, when does a collision occur

two files have the same hash value

What are the three rules for a forensic hash

It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.

What's a virtual cluster number?

It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.

List two hashing algorithms commonly used for forensic purposes

MD5 and SHA-1

What does MFT stand for?

Master File Table.

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?

Most companies keep inventory databases of all hardware and software used.

Master File Table (MFT)

NTFS uses this database to store and link to files. It contains information about access rights, date and time stamps, system attributes, and other information about files.

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

No data from RAM is copied to RAM slack on a disk drive.

Which of the following Windows 8 files contains user-specific information?

Ntuser.dat

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

covert surveillance

Observing people or places without being detected, often by using electronic equipment, such as video cameras or keystroke/screen capture programs.

Master Boot Record (MBR)

On Windows and DOS computers, this boot disk file contains information about partitions on a disk and their locations, size, and other important items.

National Institute of Standards and Technology (NIST)

One of the governing bodies responsible for setting standards for some U.S. industries.

UTF-8 (Unicode Transformation Format)

One of three formats Unicode uses to translate languages for digital representation.

unallocated disk space

Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously

low-level investigations

Private-sector cases that require less investigative effort than a major criminal case.

The verification function does which of the following

Proves that two set of data are identical via hash values

The reconstruction function is needed for which of the following purposes?

Re-create a suspect drive to show what happened, create a copy of a drive for other investigators, re-create a drive compromised by malware

A log report in forensics tools does which of the following

Records an investigator's actions in examining a case

Commingling evidence means what in a private-sector setting?

Sensitive corporate information being mixed with data collected as evidence.

List three items that should be in an initial-response field kit

Small computer tool kit, large capacity drive, IDE ribbon cables, Forensic boot media, laptop or portable computer.

person of interest

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.

clusters

Storage allocation units composed of groups of sectors. Clusters are 512, 1024, 2048, or 4096 bytes each.

Hal.dll

The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.

physical addresses

The actual sectors in which files are located. Sectors reside at the hardware and firmware level.

head

The device that reads and writes data to a disk drive.

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?

The file is unencrypted automatically.

High Performance File System (HPFS)

The file system IBM uses for its OS/2 operating system.

Partition Boot Sector

The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can expand up to 16 sectors.

Ntoskrnl.exe

The kernel for the Windows NT family of OSs.

zone bit recording (ZBR)

The method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks. Grouping tracks by zones ensures that all tracks hold the same amount of data.

professional curiosity

The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened.

areal density

The number of bits per square inch of a disk platter.

logical cluster numbers (LCNs)

The numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted. The first cluster on an NTFS partition starts at count 0. LCNs become the addresses that allow the MFT to read and write data to the disk's nonresident attribute area. See also data runs and virtual cluster number (VCN).

File Allocation Table (FAT)

The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variations are FAT12, FAT16, FAT32, VFAT, and FATX.

acquisition

The process of creating a duplicate image of data; one of the required functions of digital forensics tools.

verification

The process of proving that two sets of data are identical by calculating hash values or using another similar method.

extraction

The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.

reconstruction

The process of rebuilding data files; one of the required functions of digital forensics tools.

brute-force attack

The process of trying every combination of characters—letters, numbers, and special characters typically found on a keyboard—to find a matching password or passphrase value for an encrypted file.

track density

The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.

probable cause

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

RAM slack

The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found mainly in older Microsoft OSs.

file slack

The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.

file system

The way files are stored on a disk; gives an OS a road map to data on a disk.

Which of the following is true of most drive-imaging tools

They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive

What does the Ntuser.dat file contain?

This user-protected storage area contains the MRU files list and desktop configuration settings.

Why was EFI boot firmware developed?

To prove better protection against malware then BIOS does.

An encrypted drive is one reason to choose a logical acquisition

True

An image of a suspect drive can be loaded on a virtual machine

True

Computer peripherals or attachments can contain DNA evidence.

True

If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy

True

If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause

True

NTFS, files smaller than 512 bytes are stored in the MFT

True

The primary hashing algorithm the NSRL project uses is SHA-1

True

What is the space on a drive called when a file is deleted?

Unallocated space or Free space.

List two features NTFS has that FAT does not.

Unicode characters, security, journaling

drive slack

Unused space in a cluster between the end of an active file and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.

partition gap

Unused space or void between the primary partition and the first logical partition.

Hash values are used for which of the following purposes?

Validating that original data hasn't changed and Filtering known good files from potentially suspicious data

Hashing, filtering, and file header analysis make up which function of digital forensics tools

Validation and verification?

Virtual machines have which of the following limitations when running on a host computer?

Virtual machines are limited to the host computers peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

alternate data streams

Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, alternate data streams become an additional file attribute.

virtual cluster number (VCN)

When a large file is saved in NTFS, it's assigned a logical cluster number specifying a location on the partition. Large files are referred to as nonresident files. If the disk is highly fragmented, VCNs are assigned and list the additional space needed to store the file. The LCN is a physical location on the NTFS partition; VCNs are the offset from the previous LCN data run. See also data runs and logical cluster numbers (LCNs).

plain view doctrine

When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. Applied to conducting searches of computers, the plain view doctrine's limitations are less clear.

logical addresses

When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.

limiting phrase

Wording in a search warrant that limits the scope of a search for evidence.

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens

You begin to take orders from a police detective without a warrant or subpoena.

partition

A logical drive on a disk. It can be the entire disk or part of the disk.

Cyclic Redundancy Check (CRC)

A mathematical algorithm that translates a file into a unique hexadecimal value.

Clusters in Windows always begin numbering at what number?

2

In FAT32, a 123 KB file uses how many sectors?

246 sectors.

On a Windows system, sectors typically contain how many bytes?

512

NTDetect.com

A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.

National Software Reference Library (NSRL)

A NIST project with the goal of collecting all known hash values for commercial software and OS files.

Registry

A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.

ISO image

A bootable file that can be copied to CD or DVD; typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk.

Unicode

A character code representation that's replacing ASCII. It's capable of representing more than 64,000 characters and non-European-based languages.

cylinder

A column of tracks on two or more disk platters.

Automated Fingerprint Identification System (AFIS)

A computerized system for identifying fingerprints that's connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.

NTBootdd.sys

A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

geometry

A disk drive's internal organization of platters, tracks, and sectors.

virtual hard disk (VHD)

A file representing a system's hard drive that can be booted in a virtualization application and allows running a suspect's computer in a virtual environment.

Resilient File System (ReFS)

A file system developed for Windows Server 2012. It allows increased scalability for disk storage and has improved features for data recovery and error checking.

Boot.ini

A file that specifies the Windows path installation and a variety of other startup options.

Secure Hash Algorithm version 1 (SHA-1)

A forensic hashing algorithm created by NIST to determine whether data in a file or on storage media has been altered. See also National Institute of Standards and Technology (NIST).

Scientific Working Group on Digital Evidence (SWGDE)

A group that sets standards for recovering, preserving, and examining digital evidence.

write-blocker

A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

Device drivers contain what kind of information?

instructions for the OS on how to interface with hardware devices

Which of the following techniques might be used in covert surveillance?

keylogging, data sniffing, network logs


Conjuntos de estudio relacionados

Ch14 - The Federal Reserve System

View Set

PS111: exam 1 (chapters 1-4), PS111 (federal courts, public opinion, the media, political parties and interest groups, and participation, campaigns, and elections), PS111: exam 2 (civil rights, congress, presidency, bureaucracy)

View Set

AOTA practice test for NBCOT. SLCHC class of 17

View Set

Biology: Quiz 5 Sexual Reproduction in Plants

View Set

ch. 4 prep-u: the health history

View Set

Accy 2036 (chapter 5 info) Exam 2

View Set

5.1 - Conviction-related Suspensions and Revocations

View Set

3. Physics Practice Questions - Chapter 3

View Set