digital forensic midterm
List three items that should be on an evidence custody form
Case number name of the investigator assigned to the case nature of the case
Describe what should be videotaped or sketched at a digital crime scene.
Computers, cable connections, overview of scene—anything that might be of interest to the investigation
List two types of digital investigations typically conducted in a business environment.
Email abuse and Internet abuse
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise, FTK, and ProDiscover Incident Response
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase, SafeBack, and SnapCopy
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness
Digital forensics and data recovery refer to the same activities. True or False
False
FTK Imager can acquire data in a drive's host protected area. True or False?
False
Small companies rarely need investigators. True or False?
False
The plain view doctrine in computer searches is well-established law. True or False?
False
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
You should always answer questions from onlookers at a crime scene. True or False?
False
You should always prove the allegations made by the person who hired you. True or False?
False
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial-response field kit
What are two concerns when acquiring data from a RAID server
1) amount of data storage needed. 2) the type of RAID server (0, 1, 5, etc.) 3) whether your acquisition tool can handle RAID acquisitions. 4) whether your analysis tool can handle RAID data 5) whether your analysis tool can split RAID data into separate drives
List three items that should be in your case report.
1. An explanation of basic computer and network processes 2. a narrative of what steps you took 3. a description of your findings, and log files generated from your analysis tools.
What's a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk (Used for validation).
What are two advantages and disadvantages of the raw format?
- Advantages: 1. faster data transfer speeds 2. ignores minor data errors, and most forensic analysis tools can read it. - Disadvantages: 1. requires equal or greater target disk space 2. does not contain hash values in the raw file (metadata), might have to run a separate
List two items that should appear on a warning banner.
Access to this system and network is restricted and use of this system and network is for official business only.
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.) a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. c. Your internal investigation begins. d. None of the above.
a.
With remote acquisitions, what problems should you be aware of? (Choose all that apply.) a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. The password of the remote computer's user
all of the above
Police in the United States must use procedures that adhere to which of the following? a. Third Amendment b. Fourth Amendment c. First Amendment d. None of the above
b
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used. b. The investigator doesn't have to get a warrant. c. The investigator has to get a warrant.
b
The triad of computing security includes which of the following? a. Detection, response, and monitoring b. Vulnerability assessment, detection, and monitoring c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation d. Vulnerability assessment, intrusion response, and monitoring
c
4. What's the purpose of maintaining a network of digital forensics specialists?
to develop a list of colleagues who specialize in areas different from your own specialties in case you need help on an investigation.
In forensic hashes, when does a collision occur?
when two different files have the same hash value.
What are the three rules for a forensic hash?
It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.
List two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence
Newer Linux distributions automatically mount the USB device, which could alter data on it.
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
No, due to having input file as the source and output file as target should be reverse like this: dcfldd if =/dev/hdal of=image_file.
What is professional conduct, and why is it important?
Professional conduct involves ethics, morals, and standards of behavior. Being a professional, it is necessary for the person to maintain his/her ethical behavior and to have good professional conduct.
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures
Why should evidence media be write-protected?
To ensure that data isn't altered
Why should you do a standard risk assessment to prepare for an investigation?
To list problems that might happen when conducting your investigation.
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
To minimize how much you have to keep track of at the scene.
Computer peripherals or attachments can contain DNA evidence. True or False
True
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
For digital evidence, an evidence bag is typically made of anti-static material. True or False?
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?
True
What's the most critical aspect of digital evidence?
Validation
What are the necessary components of a search warrant?
You need an affidavit of the evidence to conduct an investigation
If a suspect computer is running Windows 10, which of the following can you perform safely? a. Browsing open applications b. Disconnecting power c. Either of the above d. None of the above
a
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) a. Coordinate with the HAZMAT team. b. Determine a way to obtain the suspect's computer. c. Assume the suspect's computer is contaminated. d. Do not enter alone
a, c
What's the purpose of an affidavit?
support allegation to justify search warrant
List three items that should be in an initial-response field kit.
1. Small computer tool kit 2. large capacity drive 3. IDE ribbon cables 4. Forensic boot media 5. laptop or portable computer.
List two features common with proprietary format acquisition files.
1. to compress or not to compress, Capability to split an image into smaller segmented files 2. Capability to integrate metadata into the image file ( date and time , hash values).
What's the maximum file size when writing data to a FAT32 drive?
4 GB(32 bits of memory)
Policies can address rules for which of the following? a. When you can log on to a company network from home b. The Internet sites you can or can't access c. The amount of personal e-mail you can send d. Any of the above
d
Which of the following techniques might be used in covert surveillance? (Choose all that apply.) a. Keylogging b. Data sniffing c. Network logs d. None of the above
d
What are some ways to determine the resources needed for an investigation?
determine the OS of the suspects computer
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
determining whether there's sufficient electrical power and weather conditions(thunder, temperature, and humanity)
What does a sparse acquisition collect for an investigation?
fragments of un-allocated (deleted) data
In the Linux dcfldd command, which three options are used for validating data?
hash, hashlog, and vf
What does a logical acquisition collect for an investigation?
only specific files of interest to the case
What's the main goal of a static acquisition?
preserve the digital evidence.
Name the three formats for digital forensics data acquisitions.
raw, proprietary, and AFF.
Commingling evidence means what in a private-sector setting?
sensitive or confidential information being mixed with data collected as evidence
What should you consider when determining which data acquisition method to use?
size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located