Computer Forensics Final- Haass


A 1200 megapixel camera used for surveillance creates a file with 4 bytes per pixel. The camera has 100 images. Is there enough room on your 2Gbyte USB to store this data? Will it need a Tbyte drive? What if you were taking images every 2 seconds, how long would it take approximately to fill a 2 Tbyte drive?

1200 megapixels x 4 bytes = 4.8 GB per image; x 100 images = 480 GB. No: a 2 GB USB stick cannot hold even half of one image, so a terabyte-class drive is needed. Capturing one 4.8 GB image every 2 seconds (2.4 GB/s), a 2 TB drive fills after about 2000 / 4.8 = 417 images, roughly 830 seconds, i.e. about 14 minutes (a little over 15 minutes if "TB" is read as 2^40 bytes).

In the hexadecimal system x3E0 is _______________ as the number x3E.

16 times larger (appending a hex digit multiplies by 16, just as appending a decimal digit multiplies by 10).

Marketing descriptions often use powers of 10 like the ISO system. 10^3, 10^6 to describe the number of objects like bits, bytes. In computer science it is typical to instead use powers of

2, such as 2^10 (1024, a kibibyte), 2^20 (a mebibyte), 2^30 (a gibibyte), which is why a "500 GB" marketing figure shows up as about 465 GiB in the OS.

If a hash function has a length of 64 bits how would you express the number of different values available for the hash function. What would happen if you had more than this many files to compare? Extra Credit: Is there a name for this condition?

2^64 possible values. With more than 2^64 distinct files, the pigeonhole principle guarantees that at least two different files produce the same hash value. This is called a collision. (In practice a collision becomes likely long before that, after roughly 2^32 files, because of the birthday paradox.)
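As an added illustration (not part of the course page), the following Python script makes the collision argument concrete. SHA-256 is truncated to a small number of bits to stand in for a short hash: hashing 2^bits + 1 distinct inputs must repeat a value (pigeonhole), and a birthday search finds a repeat after roughly 2^(bits/2) inputs. The `file-N` inputs are constructed for the example; the full-width comparison at the end is how an examiner checks whether two files are copies.

```python
import hashlib
import itertools


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 of `data` truncated to its first `bits` bits.

    Truncation stands in for a short (e.g. 64-bit) hash so a collision can be
    produced in milliseconds; the reasoning is the same for any fixed-length hash.
    """
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def guaranteed_collision(bits: int):
    """Pigeonhole: hashing 2**bits + 1 distinct inputs must repeat a value.

    Returns (input_a, input_b, hash_value) for the first repeat found.
    """
    seen = {}
    for i in range(2 ** bits + 1):
        msg = b"file-%d" % i            # constructed, distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, h
        seen[h] = msg
    raise AssertionError("unreachable: the pigeonhole principle guarantees a repeat")


def birthday_collision(bits: int):
    """Birthday search: a repeat is expected after roughly 2**(bits/2) inputs.

    Returns (input_a, input_b, hash_value, inputs_tried).
    """
    seen = {}
    for i in itertools.count():
        msg = b"file-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, h, i + 1
        seen[h] = msg


def are_copies(file_a: bytes, file_b: bytes) -> bool:
    """Two files are copies iff their full-width SHA-256 digests match;
    at 256 bits a collision cannot be found in practice."""
    return hashlib.sha256(file_a).digest() == hashlib.sha256(file_b).digest()


if __name__ == "__main__":
    a, b, h = guaranteed_collision(8)
    print(f"8-bit hash: {a!r} and {b!r} both hash to {h:#x}")
    a, b, h, tried = birthday_collision(32)
    print(f"32-bit hash: collision after {tried} inputs (about 2^16 expected)")
    print("copies:", are_copies(b"same bytes", b"same bytes"))
```

The 32-bit search usually finishes in well under 100,000 inputs, which is the whole point: the number of files at which collisions appear is governed by the square root of the hash space, not the space itself.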

Short filenames in FAT16 are limited to _________ characters. Vestiges of this still shows up in the directory structure for storing file with NTFS. T or F. How were we able to see files that did not follow this rule or were deleted?

8.3 (an eight-character name plus a three-character extension). True: NTFS still generates a DOS-compatible 8.3 short name alongside the long name. Files with long names, and deleted files, were still visible in the hex editor and forensic tools because their directory entries remain on disk even after the OS stops showing them.

We used quick stego in class and also had a homework (not graded) to try OpenStego with different files sizes. In a short sentence or bullets, why is it difficult use JPG as the filetype for the output file? Recall - Message file, Cover file, output file

JPEG is a lossy format: every time the image is (re)compressed, pixel data is discarded, so the message bits hidden in the pixel values of the cover file are destroyed when the output file is saved as JPEG. Repeated compression also adds noise until details are lost and the image degrades to blocks of colour. Hiding data in a lossless format such as PNG is far simpler and the message survives intact.

Raw format

A data acquisition format that creates simple sequential flat files of a suspect drive or data set.

Live Acquisition

A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition.

What are a few important features of a forensics workstation?

A write blocker device, Disk editor tool, different connectors, A workstation running windows 10

Encryption is the process of scrambling plain text into an unreadable format using a mathematical formula known as a(n) ________.

Algorithm; the algorithm is public and only the key is secret (Kerckhoffs's principle).

(Extra Credit) Approximately how many filetypes are available for a researcher to discover (or a tool to compare)? ( Explain how you discovered.)

Although most applications deal with only a handful of basic file types, a forensic tool knows hundreds. In Autopsy, when adding or removing file-type filters, the tool lists the supported file types and their allowed extensions, e.g. "bag", "docm", "potm", "ppa", etc.

A file stored might have a physical size that is different from its logical size. The physical size is

The space actually allocated on disk. It is always a whole number of clusters, so it is equal to or larger than the logical size (larger unless the file ends exactly on a cluster boundary); the difference is the file slack.

Host Protected Area (HPA)

An area of a disk drive reserved for booting utilities and diagnostic programs. It's not visible to the computer's OS.

Whole Disk Encryption

An encryption technique that performs a sector-by-sector encryption of an entire drive. Every sector is encrypted in its entirety, so a static acquisition of the drive yields only ciphertext and is unreadable without the key; the examiner needs a live acquisition of the mounted volume or the recovery key.

Why should evidence media be write protected prior to an acquisition?

Because it preserves the integrity of the evidence: nothing can be written to the media, so the original is not altered or corrupted, and the hash of the image can later be matched against the original in court.

Business records are handled differently in the courts. Why would this be the case?

Records created automatically by a business's systems in the normal course of business fall under a business-records exception to the hearsay rule, so they are admitted more readily. Records entered by people could have been altered, so they need a stronger foundation.

What are three items that should be on an evidence custody form?

Case number, investigator's name, nature of the case, vendor's name, model/serial number, date and time taken into custody, item number, description of the evidence, signatures, etc.

Name a tool that can help you look at mobile devices?

Cellebrite UFED, SIMmanager

Documentation of each person who has been in contact with evidence, from its seizure, to its investigation, to its submission to court is referred to as: ___________________

Chain of custody; a single-evidence form only describes the object itself, whereas the chain-of-custody record is kept with the evidence and lists every person who handled it.

An undercover investigation is the process used to acquire information without the individual or suspect knowing the true identity of the investigator. T or F. Why would this be legal?

True (a covert operation); it is legal when authorised by a search warrant or subpoena. It is done covertly because suspects who learn of an impending seizure often delete or destroy data.

The decimal number 13 is represented in the hexadecimal system as ________.

D

File slack refers to:

The unused space between the end of a file's data (its logical size, in bytes) and the end of the last cluster allocated to it, which exists because space is handed out in whole clusters. It can contain remnants of earlier files.

If the evidence item at scene is still plugged in and operating you should

Not power it off. Isolate it from the network, then perform a full live acquisition that captures the volatile data (RAM, registry, running processes) before taking a static image.

In the last lab you use the tool FTK Imager. What type of image files can be created with this tool?

E01,S01,L01, AFF, AD1, and RAW/DD

When a file is deleted, the OS in Windows using FAT is notified by placing a character in the first position of the filename stored in the directory. Forensics tools can undelete. What information remains available to the tool like FTK, Sleuthkit etc. to allow this?

The first byte of the directory entry is overwritten with 0xE5; the rest of the 8.3 name, the file size, the starting cluster and the timestamps remain, so the tool can follow the cluster chain as long as the clusters have not been reused. Only the first character of the short name is lost (the tool shows a placeholder); the 0xE5 does not remove the first letter of the long file name, so the full name can usually be recovered from the long-filename entries.

The IP address of a mail or web server can be found by an investigator. What is one way to look it up?

The e-mail's Internet headers (the Received: lines), or nslookup on the server's host name.

_______________________ evidence is used to prove the innocence of a defendant.

Exculpatory

What is a tool that allows us to modify a file without for example word being able to detect the change? How is this done?

FRHED (a free hex editor). Open the file in the hex editor, which shows the hex values beside their ASCII values, and edit the bytes in the ASCII pane; in class we placed the change in the file's slack space, which Word never reads because it only processes the logical file. Sectors are 512 bytes; a cluster is one or more whole sectors (typically several), never smaller than a sector.

Name three of the forensics tools we have used.

FTK Imager, FRHED, Paraben, MD5 Hash Calculator, WinHex

A corporation has a greater need for diversity in its software and hardware when compared with a law enforcement forensics lab. T or F Give short 1 sentence explanation of your answer.

False; a law enforcement lab handles a far wider variety of cases and devices, so it needs more diverse software and hardware than a corporation.

A program like FTK uses the three letter file extension to correctly and rapidly classify files by type. T / F

False; extensions can be renamed, so the tool classifies files by their signature (the header bytes).

The slack space in a storage system refers to a weakened part of the drive when the disk stops spinning T / F

False; slack space is the unused part of the last cluster allocated to a file.

Forensic Toolkit (FTK) is a court approved bit-stream imaging software analysis tool produced by Digital Guardian. T or F

False; FTK is produced by AccessData (now part of Exterro), not Digital Guardian. Also compare FTK Imager with the full FTK suite: Imager is the free imaging component that creates bit-stream images, while FTK adds the analysis tools.

T/F When acquiring data from a hard disk drive found at an investigation site you should first power cycle the system to be sure that nothing is written to the evidence. Explain answer using last question with the question number.

False. If you power cycle the system, Windows automatically begins writing to the disk (timestamps, logs, registry), which destroys evidence: we want the file dates to reflect when the person under investigation edited them, not when we imaged the computer.

PST files stored by Microsoft email retains only sent and inbox information. True or False - How did we examine a PST file?

False; a PST (Personal Storage Table) file holds every folder: Inbox, Sent, Drafts, Outbox, Deleted Items (trash) and Junk (spam).

Certified Specialists in Computer Forensics hold their certificate forever just like a BS or MS degree. True or False

False; certifications require continuing education classes and periodic renewal.

Digital Forensics and Data Recovery are synonymous. T or F. Give short 1 sentence explanation of your answer.

False, data recovery is a field that retrieves files that were deleted accidentally or purposefully. Digital forensics is the process of recovering or finding data on a computer system for use in a criminal investigation.

When acquiring data from a hard disk drive found at an investigation site you should first power cycle the system to be sure that nothing is written to the evidence. T / F

False, if you power cycle it will update the date modified times

T/F A typical corporation needs a greater variety in its software and hardware when compared with a law enforcement forensics lab. Explain your answer in the last question

False. A law enforcement forensics lab works many different kinds of criminal cases that require different forensic tools and hardware. A typical corporation rarely needs the range of tools law enforcement uses (FTK Imager, SleuthKit), simply because its cases seldom involve the capabilities seen in federal criminal cases.

When a file on a personal computer running Windows is permanently deleted, it is physically erased from the volume (disk). True or False. Explain.

False; the data is not physically erased from the disk until it is overwritten by new data. Windows only marks the directory entry (or MFT record) as free and releases the clusters.

When a file on a personal computer is deleted, it is physically erased from the volume (disk) but now becomes available space. T or F (does it get used right away? Y/N)

False, and no. Deletion is a small change to the directory structure: in the short (8-character) name the first byte is replaced with 0xE5, so there is no record of what the first character was. If the file also has a long file name it can be recovered in full, as long as the name is in English (does not use both bytes of a character). The 0xE5 mark removes the file from the file system and frees its clusters, but they are not reused right away because there is usually plenty of other free space.
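As an added example (not part of the course page), here is a small Python parser for FAT short-name directory entries. It shows what the 0xE5 mark leaves behind (start cluster, size, the last seven name characters), why the first character of the short name is lost, and how the physical size and slack discussed above follow from the cluster size. The directory bytes and the 512-byte-sector, 8-sectors-per-cluster geometry are constructed for the example.

```python
import math
import struct

ENTRY_SIZE = 32          # every FAT directory entry is 32 bytes
DELETED_MARK = 0xE5      # first byte of a deleted entry
END_OF_DIR = 0x00        # first byte of an entry that was never used
ATTR_LONG_NAME = 0x0F    # VFAT long-filename entries (skipped here)
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 8  # assumed geometry for the example: 4 KiB clusters
CLUSTER_SIZE = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER

# Short-name entry layout: 0-10 name, 11 attributes, 12-19 timestamps (skipped),
# 20-21 first cluster (high word), 22-25 write time/date (skipped),
# 26-27 first cluster (low word), 28-31 file size.
ENTRY_FMT = "<11sB8xH4xHI"


def make_entry(name83: str, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Build a constructed short-name directory entry (sample data, not from a real disk)."""
    base, _, ext = name83.partition(".")
    raw_name = base.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    return struct.pack(ENTRY_FMT, raw_name, attr,
                       first_cluster >> 16, first_cluster & 0xFFFF, size)


def physical_size(logical_size: int) -> int:
    """Space actually allocated: whole clusters, hence a multiple of CLUSTER_SIZE."""
    return math.ceil(logical_size / CLUSTER_SIZE) * CLUSTER_SIZE


def parse_entry(raw: bytes) -> dict:
    """Decode one 32-byte entry the way an undelete tool would."""
    name, attr, hi, lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED_MARK
    base = name[:8].decode("latin-1").rstrip()
    ext = name[8:].decode("latin-1").rstrip()
    if deleted:
        # 0xE5 overwrote the first character; only the remaining seven survive.
        base = "?" + base[1:]
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "first_cluster": (hi << 16) | lo,
        "logical_size": size,
        "physical_size": physical_size(size),
        "slack": physical_size(size) - size,
    }


def parse_directory(directory: bytes) -> list:
    """Walk a directory region; stop at the first never-used entry."""
    entries = []
    for off in range(0, len(directory), ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        if raw[11] == ATTR_LONG_NAME:
            continue
        entries.append(parse_entry(raw))
    return entries


def delete_file(directory: bytes, index: int) -> bytes:
    """What the OS does on delete: overwrite ONE byte; the data clusters are untouched."""
    off = index * ENTRY_SIZE
    return directory[:off] + bytes([DELETED_MARK]) + directory[off + 1:]


def recoverable_files(directory: bytes) -> list:
    """Deleted entries whose start cluster and size are still present."""
    return [e for e in parse_directory(directory) if e["deleted"]]


# Constructed sample directory: three files followed by an unused entry.
SAMPLE_DIR = b"".join([
    make_entry("REPORT.DOC", first_cluster=5, size=10_000),
    make_entry("SECRET.PDF", first_cluster=12, size=3 * CLUSTER_SIZE),
    make_entry("NOTES.TXT", first_cluster=20, size=100),
    bytes(ENTRY_SIZE),
])

if __name__ == "__main__":
    after_delete = delete_file(SAMPLE_DIR, 1)
    for entry in parse_directory(after_delete):
        print(entry)
```

Running it shows REPORT.DOC occupying three 4 KiB clusters with 2288 bytes of slack, SECRET.PDF reappearing as "?ECRET.PDF" with its start cluster and size intact after deletion, and NOTES.TXT wasting almost a whole cluster.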

A Geotag is digital image metadata containing the latitude and longitude of the geographic location where the picture was captured, it is stored with all EXIF or JPEG images. T or F

False; not in all images. A geotag is present only if the camera or phone recorded GPS data and the EXIF block was not stripped.

The use of FAT or File Allocation Table is now obsolete. T or F. Give short explanation of answer.

False, people still use it with USB, drones, and cameras.

Hex editors like FRHED or WINHEX are obsolete due to tools like FTK that are more integrated. T / F What is your reasoning?

False, sometimes it is convenient to use a simple tool

Chain of custody form is also called a single evidence form. T or F. Give short 1 sentence explanation of your answer.

False; the chain-of-custody form documents the people who have handled the evidence, while the single-evidence form records the details of the evidence item itself.

Only criminal cases go to court so the methods used by computer forensic examiner is quite different from a civil or corporate case. T or F Give short 1 sentence explanation of your answer.

False. Civil cases can develop into criminal case and a criminal case can have implications leading to a civil case.

Under normal circumstances, a corporate investigator is considered an agent of law enforcement. T or F? Give short 1 sentence explanation of your answer.

False. It's not until the private-sector investigator starts working at the direction of law enforcement that they are considered an agent of law enforcement

In Lab 3 you find recovered tags for Documents and Pictures as well as the audio. a) How many files were found and what is the total size? b) Were you able to preview the Picture file? Record its size and date modified. In a case you might take a screen shot of the image "the location where the body was found". c) Under RAW you find JPG images. How would you tell if File20 and File21 are copies? d) The client was concerned about a confidential document being exfiltrated. Any luck?

I found 2,430 files and the total size is 4.47 GB. I was able to preview the picture file using EaseUS Data Recovery Wizard; its size was 44.5 and the last date modified was 12/2/2020 at 9:42:00. You could tell if File20 and File21 are copies by computing their file hash values and comparing them to see if they are identical. After the recovery was completed, there were two PDF files labelled "Confidential." This could bring concern to the client about the document being exfiltrated and then deleted.

A systematic approach to solving a case includes

Identifying the problem, Acquiring evidence, Requesting additional information as needed, Working with experts for specialized analysis

Why do we usually keep careful notes as we examine a system? What might be a consequence of failing to do this?

If needed in court, it would be difficult to prove what happened and how the people got there if there is no

Written client - attorney communication should be:

Marked with labels such as "Confidential" or "Privileged attorney work product".

An audit of a forensics lab might include:

Interview with one of the forensics examiners or manager, Review of the evidence log book and storage shelves, Walkthrough of the procedures compared with the lab policy documents

A hash function is useful to the forensic examiner to:

Verify that an image is an exact copy of the original, and show that a file is identical to another file (for example one with a different name or extension) because the two hash values match.

Why is bit-stream copy the preferred way to image a hard drive?

It gets all data, including deleted files, and slack space

We saw the ability to create a dd file image from a physical device and from an already existing forensic image with format e01. Why is dd sometimes called RAW?

It is called RAW because it is a bit-for-bit representation of the physical device with no container format: no header, no compression and no embedded metadata or hashes, unlike E01.

Why are some systems moving away from ASCII and is this harder for a forensics examiner?

Systems are moving to Unicode (UTF-8, UTF-16) because ASCII cannot represent Mandarin and other non-Latin scripts; ASCII survives as a subset of UTF-8. It is only slightly harder for the examiner: a character may occupy more than one byte, so keyword searches must be run in the right encoding.

A bit stream image of a device differs from a logical image in that:

It is larger in physical size, It can also include deleted data, It can (if done properly) be mounted and viewed as a logical drive

A virtual machine has limitations

It is limited to the peripherals of the host machine - keyboard, usb, network

Our standard operating procedure suggests naming objects in a certain way in an evidence form. Demonstrate this with a laptop that has a solid state drive, a floppy drive and there is also a USB flash drive next to the running computer. How would you label these? What are some of the things you would write down?

Laptop: Q1; its solid state drive: Q1_1; the floppy drive: Q1_2; the USB flash drive found next to the running computer is a separate item with its own number. For each item write down the size/capacity, make and model, serial number, where it was found and whether the machine was running, plus the date, time and your name.

Sparse acquisition

Like logical acquisitions, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.

The _______________ ___ operating system is owned by Google. Name two other operating systems.

Android. Two others: Windows 11, iOS, macOS, Linux (e.g. Ubuntu, whose name roughly means "humanity"), Unix.

An entry in the file system such as FAT32 includes valuable information for the forensic examiner such as

The long file name and the 8.3 short name, file attributes, starting cluster, file size, and the created/modified/accessed timestamps.

Name one concern when performing live forensics that an examiner should consider in report.

Make note of the time, work with additional investigators, disconnect from the network and disable wifi, attempt to make a copy of the drive

The very beginning of a disk (the first sectors) are referred to MBR this is

Master Boot Record: the first sector (512 bytes), containing the boot code and the partition table.

NTFS is considered a journaling file system. This means that a forensic examiner does not have to work as hard because:

NTFS keeps a transaction log ($LogFile) of file-system changes and stores every file's metadata as a record in the Master File Table ($MFT), with a mirror ($MFTMirr) of the first records, so the structure and recent history of the volume can be reconstructed even after damage.

What steps might an examiner take to demonstrate that a particular file or files were not "accidentally" placed on a computer? Consider different tools or aspects of the system.

File-system metadata: created, modified and accessed timestamps; which directory the file was placed in; and hashes of the drive taken before and after it came into custody, to show the file was not added by the examiner.

Summary of book case report for Ms Jones.

Ms. Jones has submitted a request for an investigation on a work machine to find out if a certain employee has been stealing manuscripts. She suspects that the employee is trying to sell or publish them to others for their own personal gain. Ms. Jones also wants to know if an account PIN was discovered and stored on the drive. This investigation will try to uncover if there has been any malicious activity done by the employee and attempt to confirm or disprove any doubts from Ms. Jones by examining an image file of the hard drive. In my investigation, I determined that there were many deleted files on the disk image, some of which included manuscripts of various plays or other documents. Some of the manuscripts include: The Theory of Moral Sentiments, Socrates' Apology, The Odyssey, as well as other unnamed manuscripts. There were a lot of JPEGs that were found as well. Lastly, I found that the account PIN that was in question was on the disk image inside an image file. The PIN was 461562. The name of the file is 'count.gif' (Figure C). Autopsy also found approximately 320 images, 4 videos, 172 documents, and one executable file. In conclusion, my findings showed that Ms. Jones' suspicions were correct about the stolen manuscripts and about the account PIN being on the disk and the employee's access to it. Although there were manuscripts found, there was no evidence that they had ever been sold or given to another entity. There were also many files that had been previously deleted and it was obvious that there was an attempt to hide information. My recommendation to Ms. Jones would be to terminate the employee who did these actions. The employee tried to get away with stealing from the company and they seem well-versed in knowing how to hide files, change the extension for it to appear to be something else, and clutter up information with irrelevant information.
If Ms. Jones ends up finding future evidence that the employee sold the manuscripts then it would be my recommendation to reach out once again to a forensic investigator and be open to the idea of pressing charges.

When someone says their computer has 500Gbytes memory are they referring to RAM?

No, they are referring to hard disk (or SSD) storage. RAM is much smaller and volatile: its contents are lost when the machine is powered off.

Write down 4 or 5 of the steps you would take upon starting a case with a discovered USB drive found in a classroom that is suspected to have malware?

Note its colour and physical description, write down what you need to find out about it, start a log, turn on write protection, set up the ability to image it, make a forensic image and a working copy, put the USB drive away with the evidence log and chain of custody, and then start analysing the copy (never the original).

When working on a corporate case and capturing evidence from a employee's work system you should:

Not obtain a search warrant from the local government agency: a corporate investigation of company-owned equipment under an acceptable-use policy does not require one. Work with corporate HR and Legal to follow the company's protocol instead.

Although dd began as a unix command in our reading and through the lab work it is a basic default image type. Name a benefit and a limitation of this file type and method.

One benefit of dd is that it does exactly what it is told: it converts and copies blocks, which is exactly what a forensic image needs, and its raw output is readable by every tool. Limitations: dd only reads and writes; it has no built-in hashing, compression or case metadata, so those must be added with other commands, the image is as large as the source, and handling large images can be awkward. The class notes also cite a 2 TB limit (the 32-bit sector addressing of MBR-partitioned destinations), so a 4 TB drive would not fit in one raw image on such a destination.

How could packed files help in delivering malware?

A packer compresses or encrypts the executable's code and prepends a small stub that unpacks it in memory at run time. This changes what the executable LOOKS like on disk without changing what it does, so signature-based antivirus no longer recognises it. Packed files are also harder to access and analyse, and an analyst must unpack them first, which slows the investigation.

what is not true about a .dd file?

"ProDiscover, FTK and other forensic tools can't use this antiquated file format." (Not true: raw/dd is the most widely supported image format.)

_______ is a common cause for lost or corrupted evidence.

Professional curiosity

With an online _________ ___, a user utilizes another computer to communicate with a third party, with the result that the third party cannot recognize the IP address of the originating communication.

Proxy; VPN (virtual private network)

Explain the differences between a quick format and "full format".

A quick format writes a new boot sector and empties the file-system tables (directory/FAT or MFT) but leaves the data clusters untouched, so files can still be recovered. A full format also touches every sector of the disk (modern Windows overwrites them with zeros), so carving data back is generally impossible.

Which option below is not a hashing function used for validation checks?

RSA (an asymmetric cipher, not a hash; MD5, SHA-1 and SHA-256 are hash functions).

_____________ is a text message communication service found on mobile devices.

SMS

Disk storage is comprised of sectors and cylinders a typical configuration might be:

512-byte sectors, grouped by the file system into clusters of, for example, 8 sectors (4 KB). (Cylinders, tracks and heads describe the physical geometry of a spinning disk; the file system only sees sectors and clusters.)

Be able to identify characteristics of Fhred.

See photo (not included here). From the course: FRHED is a free hex editor that shows the hex values beside the ASCII values, lets you edit bytes directly (including slack space), and runs on Windows 98 and later.

Antistatic polyethylene evidence bags are primarily designed to protect electronic devices from ________

Static electricity

Summary of book report case for Superior Bicycles.

Superior Bicycles has submitted a request for an investigation on the cell phones of two individuals, an employee, Sebastian Mwangonde and a consultant, Nau Tjeriko. They suspect that the two close friends are dealing drugs. This investigation will try to uncover if there has been any malicious activity or exchange/selling of drugs done by the employee and the consultant. This investigation will attempt to confirm or disprove any doubts from Superior Bicycles by examining the two cell phones' SMS logs. In summary, the suspects Sebastian Mwangonde and Nau Tjeriko's cell phones were seized and forensically examined. After identifying all the evidence found on the mobile devices the content does indicate that the text messages show that Nau attempted to purchase some sort of service or item from Sebastian. The text messages did not explicitly state what Nau asked Sebastian for, but it could be inferred that it is some sort of contraband, drugs, or illegal substance. The timestamps show that the exchanges happened later at night and in a private location. I was able to determine that the cell phone carrier was listed as Namibia Telecommunications Ltd. and the country code '+264' identified in the text messages matches the Namibia country code. In conclusion, the evidence presented from the SIM cards shows text messages between Sebastian and Nau that could imply that Sebastian is selling drugs to Nau, though that information was not directly discovered from the evidence and was only referred to as "stuff" in the texts. The late night texting, interesting location of the mobile provider, and private meeting places could also suggest that there is some sort of malicious activity happening. My recommendation for this company is to have a private conversation with both employees and determine the meaning of "stuff" as well as the reason they are communicating through a voicemail service. 
If there is no believable or reasonable explanation for what the undisclosed item is then my suggestion is to fire both Nau and Sebastian from their staff. It is important that there is no assumption about drugs made toward either employee because there is no detailed evidence that it is drugs and that could tip them off. Another thing that may be relevant is if there is a company policy of no drugs, then they could both be drug tested to see if any results are yielded. After both interviews have been completed then further action can be taken if there is a mismatch or withholding of information from either employee.

A forensics report is created primarily for the purpose of the examiner offering their opinion of the evidence as discovered. The details of how it was done, tools used are secondary.

False; in court the report must document the facts, the methods and the tools used so the findings can be reproduced and challenged. The examiner's opinion rests on those details, not the other way round.

In Lab 4 you will use Disk Management to modify a partition. Much like we did to find the image file after a quick format, we can recover information in the unallocated space of a partition. What was the clue leading you to expand the volume?

The clue that was leading me to expand the volume was that when you looked at the Disk Management tool, there was still 2 GB labelled unallocated. This could mean that the 2 GB was being used as a smaller drive and was then erased and marked as unallocated. Data could also be hidden in the 2 GB of space.

As a general rule, what should be done by forensics experts when a suspect computer is seized in a powered-on state?

The decision should be left to the Digital Evidence First Responder (DEFR).

We know how to calculate the number of possible combinations of 24 bit colors. If I know that someone has used only lower case letters (a-z) how do I calculate the number of tries to brute force 8 character vs 12 character passwords? (e.c.) From the lab can you estimate the speed of trying different length passwords?

Possible combinations = (number of possible characters)^(password length). For lowercase letters only that is 26^8 (about 2.1 x 10^11) for 8 characters and 26^12 (about 9.5 x 10^16) for 12 characters; figures such as 68^8 or 94^12 would apply to larger character sets. At the roughly 2,000 guesses per second observed in the lab, the worst-case time is combinations / 2,000 seconds: about 3.3 years for 8 characters and roughly 1.5 million years for 12.

In Lab 8 a file mismatch is identified by the tool. What are the term(s) we had for the information at the beginning of a file that allows mismatch like these to be discovered?

The information at the beginning of a file is called the file signature or "magic number" (header). It tells you what type of file it really is based on its contents, regardless of the extension; the tool flags a mismatch when the signature disagrees with the extension. Examples: PDF, DOCX, DOC, JPEG, etc.
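As an added example (not part of the course page), the following Python script does the mismatch check a tool like the one in Lab 8 performs: it reads the first bytes of each file, looks them up in a table of documented signatures, and compares the result with what the extension claims. The signature table is a small constructed subset; the sample files are constructed byte strings, not real documents.

```python
# (magic bytes, offset, container type). A small, constructed subset of the
# publicly documented file signatures; extend as needed.
SIGNATURES = [
    (b"%PDF-", 0, "pdf"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"PK\x03\x04", 0, "zip"),                          # also docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "ole"),    # legacy doc/xls/ppt
    (b"MZ", 0, "exe"),                                  # Windows PE executable
]

# Which container each extension is expected to be.
EXPECTED = {
    "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole", "exe": "exe", "dll": "exe",
}


def sniff(data: bytes) -> str:
    """Identify the real type from the header bytes, or 'unknown'."""
    for magic, offset, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_mismatch(filename: str, data: bytes) -> dict:
    """Flag a file whose extension claims a type the header does not support.

    Extensions not in EXPECTED (e.g. .txt, which has no signature) are not judged.
    """
    ext = extension_of(filename)
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    return {
        "file": filename,
        "extension": ext,
        "signature": actual,
        "mismatch": expected is not None and actual != expected,
    }


def scan(files: dict) -> list:
    """Run the check over a mapping of filename -> leading bytes."""
    return [check_mismatch(name, data) for name, data in files.items()]


# Constructed sample "files": only the first bytes matter for the check.
SAMPLES = {
    "photo.gif": b"GIF89a" + bytes(10),                    # honest GIF
    "report.docx": b"PK\x03\x04" + bytes(26),              # honest Office Open XML
    "notes.txt": b"meeting at 9\n",                        # no signature to judge
    "vacation.jpg": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",      # a PDF renamed to .jpg
    "invoice.pdf": b"MZ\x90\x00" + bytes(60),              # an executable renamed to .pdf
}

if __name__ == "__main__":
    for result in scan(SAMPLES):
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f'{result["file"]:14} ext={result["extension"]:5} sig={result["signature"]:8} {flag}')
```

Real tools use a much larger table and check more than the first few bytes (trailers, internal structure), but the principle is the same: the extension is a claim, the header is evidence.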

An excel file was found on a computer with suspicious information about accounts, dollar transactions, dates. The owner of the computer claims they did not create or maintain this file. What kind of information would help build a case to tie the user to the file?

A timeline built from the file's created, modified and accessed timestamps; directory and ownership information; which user account was logged on at those times; and application artifacts such as recent-file lists that show the file being opened.

Why might is be useful to review the case after completion?

To improve, to learn how to be more efficient

A company with a documented process and appropriate use policy can not be sued by an employee over unreasonable search. True or False

True

Attention to detail in chain of custody, professional documentation, written procedure, signatures and times, helps bolster your case for any computer forensic evidence presented in a court. True or False

True

Even with a solid state drive like USB thumb drive, the file system uses the concepts of cluster and sector to locate a file. True or False

True

Following a systematic checklist in your notes is only needed when you are just starting out, once experienced, you can just keep it in your head. True or False

False; a systematic checklist and written notes are needed on every case, however experienced you are, so the work is reproducible and can be defended in court.

Investigating a computer while it is turned on is called live forensics. T or F

True

Simple Mail Transport Protocol (SMTP) server is used to send email for a client; the email is then routed to another SMTP server or other email server. T or F

True

The use of computer forensics is sometimes used as incriminating evidence in criminal cases and is often referred to as inculpatory evidence. T or F

True

The ASCII representation of the English alphabet uses 2 hex characters per printable character including lowercase, uppercase, numbers and special symbols. T / F

True; each character is one byte (8 bits), and each hex digit encodes 4 bits, so two hex digits per character.

A file system is a hierarchy of files and their respective directories. T or F. Can you name two common file systems?

True, FAT, FAT32, NTFS

Digital evidence can be categorized as hearsay (according to Federal Rules of Evidence). T or F. Are there circumstances that change the answer? Give an example.

True. If the records are created automatically by a program, then they are not considered hearsay: phone logs, hashes, timestamps, etc.

Computer forensics is the retrieval, analysis, and use of digital evidence in a civil or criminal investigation. T or F

True, Not data recovery, not the analysis of lost data or recovery

Even with a solid state drive like USB thumb drive, the file system uses the concept of cluster to locate a file. True or False

True, Using prodiscover we could use search to find clusters.

An undercover investigation is a process used to acquire information without the individual or suspect knowing the true identity of the investigator. T / F How might this be relevant to a forensic examiner in a case?

True; it is relevant because the examiner may have to keep the investigation confidential and acquire evidence without the subject knowing, so that data is not destroyed.

Adding salt to a file or digital object prior to performing a hash calculation is useful only if you keep track of the salt. T or F. Explain your answer.

True; a salt is extra data mixed into the object before hashing, so the hash can only be reproduced and verified if the same salt is used again. If you do not record it, the result is just an ordinary hash value that nobody can check.

A company should have a documented process for appropriate computer use and corporate property rights as well as demonstrate that they follow it to avoid litigation over unreasonable search. True or False

True; with a documented and consistently followed policy the company can usually negotiate the outcome rather than face litigation.

Deleting a file results in simply modifying a small part of the drive or storage medium on which it is stored. True or False. Explain

True, when a file is deleted the content is not overwritten until those clusters have been reused by the operating system. This allows files to be restored if they were recently deleted or had not been overwritten.

Smartphones and the use of things like Google voice are a rich source for intelligence agencies like the FBI. The average citizen is protected from FBI snooping by the 4th amendment. True or False

True, you need a warrant

If you suspect an employee of abuse of the system you can (as a corporation), without any previous warning, begin data-logging, keylogging or any other monitoring of corporate systems? True or False Short explanation.

True; the company owns the systems and the employee agreed to abide by the acceptable-use policy, so there is no reasonable expectation of privacy.

Critical information stored in file system about a file does not include

User name

The triad of computing security includes which of the following

Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

What is one way that WINHEX differs from FRHED? Is there a license fee for WINHEX?

WinHex runs on Windows 95 and up, FRHED on Windows 98 and up. FRHED is free to all users and WinHex is not: WinHex's licence reserves rights to use, modify, share modifications of, or share the software, the opposite of open-source or free software. Yes, there is a fee: licences cost $44 (Private, $25 per additional licence), $84 (Professional, $48 per additional licence), and $126 (Specialist, $67 per additional licence).

ASCII uses 8 bits per character and works fine for English except for technical. The regular alphabet, numbers, letters

Were required to fit in only 7 bits (128 codes for letters, digits, punctuation and control characters); stored in an 8-bit byte, the top bit is zero. That leaves no room for accented letters, technical symbols or other scripts.

There are four ACPO (association of Chief Police Officers) principles for digital forensics. Which one of the below is not one of them?

The first law of thermodynamics: "When energy passes, as work, as heat, or with matter, into or out of a system, the system's internal energy changes in accord with the law of conservation of energy. Equivalently, perpetual motion machines of the first kind (machines that produce work with no energy input) are impossible." (Not an ACPO principle.)

Policies can address rules for which of the following?

When you can log on to a company network from home, The Internet sites you can or cannot access , The amount of personal e-mail you can send

In the /etc directory there are a number of files that look like copies of passwd. Are any valid copies? In a Linux system the real data is stored in a file called /etc/shadow. Compare it to /etc/passwd. The cryptic entries are salted hash entries. How could this assist an investigator?

Within the password name files, the second "passwd," "passwd+," and "passwd-" have similar hashes, as do "passwd.lock" and "passwd.3483." When comparing, I noticed that "shadow.lock" and "shadow" have similar hashes to each other and to "passwd.lock" and "passwd.3483." Also, "shadow-" has a similar hash to the first "passwd" file. This can assist an investigator because if the hashes are identical, it means that a perfect copy has been formed and nothing has been altered in any way. If the hashes are different, that means the file was changed by a secondary user and is no longer an exact original copy of the evidence.
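As an added example (not part of the course page or the lab), the following Python script shows what the "cryptic entries" in /etc/shadow are and why they help an investigator: the field is `$id$salt$hash`, the salt is stored in the clear, and anyone holding the line can test candidate passwords against it. It also demonstrates the point made earlier about salts: two users with the same password get different hashes because their salts differ, and a hash can only be checked if the salt is known. Real shadow entries use crypt(3) algorithms (`$6$` sha512crypt, `$y$` yescrypt); to stay within the standard library this example keeps the same field layout but uses PBKDF2-HMAC-SHA256 under a hypothetical `$pbkdf2$` id, and all passwd/shadow lines and the wordlist are constructed.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 10_000  # illustrative work factor for the hypothetical $pbkdf2$ scheme

# Real crypt(3) ids seen in /etc/shadow, plus the stand-in used by this example.
CRYPT_IDS = {
    "1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
    "pbkdf2": "pbkdf2-sha256 (hypothetical id, this example only)",
}


def make_hash(password: str, salt: str) -> str:
    """Salted hash in crypt-style layout: $id$salt$hash (stand-in algorithm)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS)
    return f"$pbkdf2${salt}${dk.hex()}"


def make_shadow_line(user: str, password: str, salt: str) -> str:
    """Constructed shadow line: user:hash:lastchg:min:max:warn:inactive:expire:"""
    return f"{user}:{make_hash(password, salt)}:19700:0:99999:7:::"


def parse_shadow(text: str) -> dict:
    """user -> {'locked', 'id', 'algorithm', 'salt', 'hash'} from shadow-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, field = fields[0], fields[1]
        if field in ("", "*", "!!") or field.startswith("!"):
            # No usable hash: account locked or password-less (e.g. "!" or "!$6$...").
            users[user] = {"locked": True, "id": None, "algorithm": None, "salt": None, "hash": None}
            continue
        parts = field.split("$")            # ['', id, salt(, params...), hash]
        users[user] = {
            "locked": False,
            "id": parts[1],
            "algorithm": CRYPT_IDS.get(parts[1], "unknown"),
            "salt": "$".join(parts[2:-1]),  # yescrypt puts a parameter field before the salt
            "hash": parts[-1],
        }
    return users


def parse_passwd(text: str) -> dict:
    """user -> password field; 'x' means the real hash lives in /etc/shadow."""
    return {ln.split(":")[0]: ln.split(":")[1] for ln in text.splitlines() if ln.strip()}


def verify(entry: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if entry["locked"] or entry["id"] != "pbkdf2":
        return False                        # other ids would need crypt(3); not handled here
    expected = make_hash(candidate, entry["salt"]).split("$")[-1]
    return hmac.compare_digest(expected, entry["hash"])


def dictionary_attack(users: dict, wordlist: list) -> dict:
    """What an investigator (or attacker) can do with a copy of shadow: user -> password found."""
    found = {}
    for user, entry in users.items():
        for word in wordlist:
            if verify(entry, word):
                found[user] = word
                break
    return found


# Constructed sample files. alice and bob share a password but not a salt.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
SHADOW = "\n".join([
    "root:!:19700:0:99999:7:::",
    make_shadow_line("alice", "letmein", "k3Yr8s"),
    make_shadow_line("bob", "letmein", "Qv92Lm"),
    make_shadow_line("carol", "Tr0ub4dor&3", "zP1xWq"),
])
WORDLIST = ["password", "123456", "letmein", "welcome"]  # constructed, deliberately tiny

if __name__ == "__main__":
    users = parse_shadow(SHADOW)
    print("passwd fields:", parse_passwd(PASSWD))
    for user, entry in users.items():
        print(user, entry["algorithm"], entry["salt"], (entry["hash"] or "")[:16])
    print("cracked:", dictionary_attack(users, WORDLIST))
```

Two practical observations follow from running it. Identical shadow entries across backup copies (shadow, shadow-) mean the password was not changed between them, which is the file-hash comparison the lab asked for, applied one line at a time. And a strong password such as carol's survives the wordlist even though her salt is public: the salt prevents precomputed tables and cross-user matching, while the work factor and the password itself provide the actual resistance.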

Working on a corporate case and capturing evidence from an employee's work system, you should:

Work with corporate HR and Legal for protocol

Can social media sites be used for computer forensics purposes? Y or N Can you give an example in use today?

Yes

Can a forensic examiner learn anything from the RAM in a system? Explain

Yes, applications that are currently running on the system, the state of the registry.

Can investigators easily bypass modern encryption methods today?

Yes, but not without a supercomputer

In our iLabs we used a variety of virtual machines to perform actions with files and images. Can a virtual machine execute an application not found on the host machine? Yes or No. Explain in a short statement.

Yes, it has its own image so it can carry its own applications

The command line tools can assist the GUI. The commands have help entries; can you extract files directly via the command line?

Yes, you can extract files directly via the command line, you just need the right executable. In lab 2, we used several command help entries to extract pictures and audio files.

Why might you need to use a write blocking device when capturing the original image from a suspect computer?

You need to use a write blocking device when capturing an original image from a suspicious computer because Windows will immediately start writing to the drive if it is plugged in without one.

The e01 file format is considered proprietary, yet it is now supported by several different companies' products. Why convert e01 to dd? What is one challenge in doing such an operation?

You would convert e01 to dd if you want to use a Linux system rather than a Windows system. I didn't have any challenges in doing it, but one possible challenge noted in the lab is that it is not possible to mount the evidence file from the directory, so you have to copy the file into the Home directory.

logical acquisition

a data acquisition method that captures only specific files of interest to the case or specific types of files, like Outlook

static acquisition

a data acquisition method used when a suspect drive is write protected and can't be altered

An evidence chain of custody form does not usually contain _______.

a witness list

What document is used to justify issuing a search warrant?

an affidavit

Advanced Forensic Format AFF

an open data source acquisition format that stores image data and metadata

The ______________ rule states that to prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required.

best evidence

The first sector on a hard disk (Sector 0) is known as the __________________ _______.

boot

Data the system maintains, such as system log files and proxy server logs

computer generated records

Electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word-processing document

computer stored records

A mathematical algorithm that translates a file into a unique hexadecimal value

cyclic redundancy check

_______ is not one of the functions of the investigations triad.

data recovery

Raw data files that are most compatible with other forensic tools are saved in this format

dd

File ___________ enables the user to scramble data, and the forensic examiner will have to try to solve this problem hoping the user left a clue. We saw examples in hide and seek, name some methods to try to resolve this.

encryption; figure out the password, the method of encryption, but rely on errors by the users, brute force

What are the steps you would take if I hand you evidence ... a flash drive with unknown size and format and say "I think this person was trying to take trade secrets out on this drive. It does not appear to have very much on it from the file browser"? At least 5 items in your list.

evidence form/tag evidence; chain of custody; write blocker; disk image/second image - take hashes and compare; look for stuff; write report - ACPO principles, your process (SOP), evidence discovered, check the hash (not the judge and jury - keep away from opinions).

This USB is sold as a 1 GB drive. Why doesn't the drive state it's 1 GB?

factory formatting takes up some space (e.g. FAT); marketing uses base 10 instead of base 2 (they round off) - e.g. 2^20 = 1048576, which is 1M

Performing a quick format on a disk is sufficient to fully remove the data on that drive. T or F

false

________ is a bag that prevents electronic signals from entering or exiting. It is used to secure evidence such as cell phones.

faraday anti-static

We mostly saw FAT32, where did we find the information (metadata) about the files and directories?

file table

A disk _____ is a file or a group of files that contain bit-for-bit copies of a hard drive but cannot be used for booting a computer.

forensic image/image

You must abide by the _______ while collecting evidence for a criminal case

fourth amendment

_______ is the term for a statement that is made by someone other than an actual witness to the event while testifying at a hearing.

hearsay

Which of the following is a good practice in filling out a paper log?

if you make a mistake, put one line through it and date and initial the lined-out entry; use blue or black ink; use 24 hour time

A value created by an encryption utility's secret key

keyed hash set

_______ does not recover data in free or slack space

logical acquisition

Which of the below is not a way an operating system can identify a file type?

magic number

You are working on collecting evidence on a large hard drive. What would be the best method for you to collect this evidence?

make a bit-stream disk-to-disk image file

What should you do while copying data on a suspect's computer that is still live?

make notes regarding everything you do

The _____ File Table or MFT maintains file and folder metadata in NTFS.

master

The first sector on a FAT32 hard disk (Sector 0) is known as the _________________.

master boot record

An algorithm that produces a hexadecimal value of a file or storage media; used to determine whether data has changed

message digest 5

File ____________ is information about a file and can include the creation, modified, and last access dates.

metadata

What sort of format do you get when you un-check the Quick Format checkbox above? How is this format different from a Quick Format?

modern format (didn't used to be this way): checks for bad sectors, wipes the memory, installs the format tables, and formats. quick format: only does the tables - basically erases the directory and FAT table

Explain briefly the importance of physical security in a forensics lab. Consider evidence storage, custody, handling, access, etc. 3 or 4 bullets are fine.

need to prove material was handled correctly, is the chain of custody true?

Is Google Mail stored on your hard drive?

no, in the cloud

The word ________ means "to bring to court."

none of the above

A unique hash number generated by a software tool and used to identify files

nonkeyed hash set

The ability to obtain a search warrant from a judge that authorizes a search and seizure of specific evidence requires sufficient _______.

probable cause

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest

probable cause

Which of the below are the elements of a typical criminal case? (check all that apply)

prosecution, arrest, investigation

What is RAM?

random access memory

The Windows __________ ____ is a hierarchical database that stores system configuration information. What is a tool that allows for the manipulation of this database?

registry, regedit

What are the elements of a report?

request, results, tool, processes, recommendation, conclusion, appendix

Which option below is not a recommendation for securing storage containers?

rooms with evidence containers should have a secured wireless network

When photographing hardware evidence, each item should be photographed as a whole, and then the _________ should be photographed.

serial number

A directory entry in the file system such as FAT32 includes valuable information for the forensic examiner including

short name file

The File system drop-down menu above includes NTFS. What are some advantages of NTFS over the default FAT choice (imagine a variety of disk sizes)? List at least 2.

size of the files that you're going to be using (e.g. video is much larger than normal Word docs) to minimize the slack space (wasted space); operating system compatibility; size of the drive you're going to format (if it's too big - e.g. greater than 32 GB - then you are more limited in your selection!); journaling file system; handles larger disk sizes; robust to errors in the OS

Detecting data transmissions to and from a suspect's computer and a network server to determine the type of data being transmitted over a network

sniffing

Which of the following are true with regard to a civil case?

the penalty does not usually involve jail time, usually includes fines

The Windows application we used to manipulate and interrogate the Registry is called the Registry Viewer. T or F

true

Connecting a USB drive, or other kinds of flash memory, to a Windows computer leaves a digital footprint. T or F (Where might that footprint reside?)

true, Hashes; difference in algorithms, SHA1 is the first generation, SHA256 is part of the 2nd generation; MD5 and SHA1 are deprecated by the NSA

We modified the Windows system to create write protect capabilities. In doing so there were two states on and off. We changed the Key from 0 to 1 for this. T or F Explain. What did we do before we made the change to prevent making a mistake?

true, restore point

A(n) ____________ ____ is a hardware or software device that enables an individual to read data from a device, such as a hard drive, without writing to that device. What happens in Windows when you try to write to such a device?

write blocker, error message
