Computer Forensics Exam 2
American Standard Code for Information Interchange (ASCII)
An 8-bit coding scheme that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
Message Digest 5 (MD5)
An algorithm that produces a hexadecimal value of a file or storage media. Used to determine whether data has been changed.
password dictionary attack
An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
wear-leveling
An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells.
personal identity information (PII)
Any information that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver's license number.
Pagefile.sys
At startup, data and instruction code are moved in and out of this file to optimize the amount of physical RAM available during startup.
If a suspect computer is running Windows 10, which of the following can you perform safely?
Browsing open applications
When validating the results of a forensic analysis, you should do which of the following?
Calculate the hash value with two different tools
hazardous materials (HAZMAT)
Chemical, biological, or radiological substances that can cause harm to people.
data runs
Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to store the second and third components' content.
Describe what should be videotaped or sketched at a digital crime scene.
Computers, cable connections, overview of scene—anything that might be of interest to the investigation.
tracks
Concentric circles on a disk platter where data is stored.
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following?
Coordinate with the HAZMAT team
What does CHS stand for?
Cylinder, Head, Sector
According to ISO standard 27037, which of the following is an important factor in data acquisition?
DEFR's competency, the use of validated tools.
computer-generated records
Data generated by a computer, such as system log files or proxy server logs.
innocent information
Data that doesn't contribute to evidence of a crime or violation.
List three subfunctions of the extraction function.
Data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, bookmarking or tagging
sniffing
Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data being transmitted over a network.
computer-stored records
Digital files generated by a person, such as electronic spreadsheets.
virtual machines
Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer. For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
Enables you to remove and reconnect drives without having to shut down your workstation
digital evidence
Evidence consisting of information stored or transmitted in electronic form.
A live acquisition can be replicated
False
Building a forensic workstation is more expensive than purchasing one
False
Data can't be written to disk with a command-line tool
False
Hardware acquisition tools typically have built-in software for data analysis
False
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results
False
Small companies rarely need investigators
False
The plain view doctrine in computer searches is well-established law
False
You should always answer questions from onlookers at a crime scene
False
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible
False
List three items stored in the FAT database.
File and directory names, starting cluster numbers, file attributes, and date/time stamps.
device drivers
Files containing instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.
EFS can encrypt which of the following?
Files, folders, and volumes
Forensics software tools are grouped into ____ and ____ applications.
GUI and Command Line
The standards for testing forensics tools are based on which criteria?
ISO 17025
BootSect.dos
If a machine has multiple booting OSs, NTLDR reads this hidden file to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).
attribute ID
In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.
metadata
In NTFS, this term refers to information stored in the MFT. See also Master File Table (MFT).
Info2 file
In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.
private key
In encryption, the key used to decrypt the file. The file owner keeps the private key.
public key
In encryption, the key used to encrypt a file; it's held by a certificate authority, such as a global registry, network server, or company such as VeriSign.
bootstrap process
Information stored in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial-response field kit.
How many sectors are typically in a cluster on a disk drive?
1
recovery certificate
A method NTFS uses so that a network administrator can recover encrypted files if the file's user/creator loses the private key encryption code.
head and cylinder skew
A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.
keyword search
A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
one-time passphrase
A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.
initial-response field kit
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
extensive-response field kit
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware forensics tools, such as extra storage drives.
NT File System (NTFS)
A program in the root folder of the system partition that loads the OS. See also BootSect.dos.
NT Loader (Ntldr)
A program in the root folder of the system partition that loads the OS. See also BootSect.dos.
Computer Forensics Tool Testing (CFTT)
A project sponsored by the National Institute of Standards and Technology to manage research on digital forensics tools.
Encrypting File System (EFS)
A public/private key encryption first used in Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key, and then a public/private key is used to encrypt the symmetric key.
sector
A section on a track, typically made up of 512 bytes.
nonkeyed hash set
A unique hash number generated by a software tool and used to identify files.
hash value
A unique hexadecimal value that identifies a file or drive.
keyed hash set
A value created by an encryption utility's secret key.
validation
A way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools.
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
To minimize how much you have to keep track of at the scene.
In forensic hashes, when does a collision occur?
Two files have the same hash value.
What are the three rules for a forensic hash?
It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.
List two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1
What does MFT stand for?
Master File Table.
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons?
Most companies keep inventory databases of all hardware and software used.
Master File Table (MFT)
NTFS uses this database to store and link to files. It contains information about access rights, date and time stamps, system attributes, and other information about files.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
No data from RAM is copied to RAM slack on a disk drive.
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
covert surveillance
Observing people or places without being detected, often by using electronic equipment, such as video cameras or keystroke/screen capture programs.
Master Boot Record (MBR)
On Windows and DOS computers, this boot disk file contains information about partitions on a disk and their locations, size, and other important items.
National Institute of Standards and Technology (NIST)
One of the governing bodies responsible for setting standards for some U.S. industries.
UTF-8 (Unicode Transformation Format)
One of three formats Unicode uses to translate languages for digital representation.
unallocated disk space
Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.
low-level investigations
Private-sector cases that require less investigative effort than a major criminal case.
The verification function does which of the following?
Proves that two sets of data are identical via hash values.
The reconstruction function is needed for which of the following purposes?
Re-create a suspect drive to show what happened, create a copy of a drive for other investigators, re-create a drive compromised by malware
A log report in forensics tools does which of the following?
Records an investigator's actions in examining a case
Commingling evidence means what in a private-sector setting?
Sensitive corporate information being mixed with data collected as evidence.
List three items that should be in an initial-response field kit.
Small computer tool kit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop or portable computer.
person of interest
Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
clusters
Storage allocation units composed of groups of sectors. Clusters are 512, 1024, 2048, or 4096 bytes each.
Hal.dll
The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.
physical addresses
The actual sectors in which files are located. Sectors reside at the hardware and firmware level.
head
The device that reads and writes data to a disk drive.
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically.
High Performance File System (HPFS)
The file system IBM uses for its OS/2 operating system.
Partition Boot Sector
The first data set of an NTFS disk. It starts at sector [0] of the disk drive and can expand up to 16 sectors.
Ntoskrnl.exe
The kernel for the Windows NT family of OSs.
zone bit recording (ZBR)
The method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks. Grouping tracks by zones ensures that all tracks hold the same amount of data.
professional curiosity
The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened.
areal density
The number of bits per square inch of a disk platter.
logical cluster numbers (LCNs)
The numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted. The first cluster on an NTFS partition starts at count 0. LCNs become the addresses that allow the MFT to read and write data to the disk's nonresident attribute area. See also data runs and virtual cluster number (VCN).
File Allocation Table (FAT)
The original Microsoft file structure database. It's written to the outermost track of a disk and contains information about each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variations are FAT12, FAT16, FAT32, VFAT, and FATX.
acquisition
The process of creating a duplicate image of data; one of the required functions of digital forensics tools.
verification
The process of proving that two sets of data are identical by calculating hash values or using another similar method.
extraction
The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.
reconstruction
The process of rebuilding data files; one of the required functions of digital forensics tools.
brute-force attack
The process of trying every combination of characters—letters, numbers, and special characters typically found on a keyboard—to find a matching password or passphrase value for an encrypted file.
track density
The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.
probable cause
The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
RAM slack
The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found mainly in older Microsoft OSs.
file slack
The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
file system
The way files are stored on a disk; gives an OS a road map to data on a disk.
Which of the following is true of most drive-imaging tools?
They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive.
What does the Ntuser.dat file contain?
This user-protected storage area contains the MRU files list and desktop configuration settings.
Why was EFI boot firmware developed?
To provide better protection against malware than BIOS does.
An encrypted drive is one reason to choose a logical acquisition
True
An image of a suspect drive can be loaded on a virtual machine
True
Computer peripherals or attachments can contain DNA evidence.
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy
True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause
True
In NTFS, files smaller than 512 bytes are stored in the MFT.
True
The primary hashing algorithm the NSRL project uses is SHA-1
True
What is the space on a drive called when a file is deleted?
Unallocated space or free space.
List two features NTFS has that FAT does not.
Unicode characters, security, journaling
drive slack
Unused space in a cluster between the end of an active file and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.
partition gap
Unused space or void between the primary partition and the first logical partition.
Hash values are used for which of the following purposes?
Validating that original data hasn't changed and filtering known good files from potentially suspicious data.
Hashing, filtering, and file header analysis make up which function of digital forensics tools?
Validation and verification.
Virtual machines have which of the following limitations when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
alternate data streams
Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, alternate data streams become an additional file attribute.
virtual cluster number (VCN)
When a large file is saved in NTFS, it's assigned a logical cluster number specifying a location on the partition. Large files are referred to as nonresident files. If the disk is highly fragmented, VCNs are assigned and list the additional space needed to store the file. The LCN is a physical location on the NTFS partition; VCNs are the offset from the previous LCN data run. See also data runs and logical cluster numbers (LCNs).
plain view doctrine
When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. Applied to conducting searches of computers, the plain view doctrine's limitations are less clear.
logical addresses
When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.
limiting phrase
Wording in a search warrant that limits the scope of a search for evidence.
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens?
You begin to take orders from a police detective without a warrant or subpoena.
partition
A logical drive on a disk. It can be the entire disk or part of the disk.
Cyclic Redundancy Check (CRC)
A mathematical algorithm that translates a file into a unique hexadecimal value.
Clusters in Windows always begin numbering at what number?
2
In FAT32, a 123 KB file uses how many sectors?
246 sectors.
On a Windows system, sectors typically contain how many bytes?
512
NTDetect.com
A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
National Software Reference Library (NSRL)
A NIST project with the goal of collecting all known hash values for commercial software and OS files.
Registry
A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.
ISO image
A bootable file that can be copied to CD or DVD; typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk.
Unicode
A character code representation that's replacing ASCII. It's capable of representing more than 64,000 characters and non-European-based languages.
cylinder
A column of tracks on two or more disk platters.
Automated Fingerprint Identification System (AFIS)
A computerized system for identifying fingerprints that's connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
NTBootdd.sys
A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
geometry
A disk drive's internal organization of platters, tracks, and sectors.
virtual hard disk (VHD)
A file representing a system's hard drive that can be booted in a virtualization application and allows running a suspect's computer in a virtual environment.
Resilient File System (ReFS)
A file system developed for Windows Server 2012. It allows increased scalability for disk storage and has improved features for data recovery and error checking.
Boot.ini
A file that specifies the Windows path installation and a variety of other startup options.
Secure Hash Algorithm version 1 (SHA-1)
A forensic hashing algorithm created by NIST to determine whether data in a file or on storage media has been altered. See also National Institute of Standards and Technology (NIST).
Scientific Working Group on Digital Evidence (SWGDE)
A group that sets standards for recovering, preserving, and examining digital evidence.
write-blocker
A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices.
Which of the following techniques might be used in covert surveillance?
Keylogging, data sniffing, network logs.