Digital Forensics CH 9-16
TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
IS-136
_______ recovery is a fairly easy task in forensic analysis.
Password
When working with image files, computer investigators also need to be aware of ________ laws to guard against copyright violations.
Copyright
Steganography cannot be used with file formats other than image files.
False
The American Bar Association (ABA) is a licensing body.
False
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
GUI
The ABA's ____ contains provisions limiting the fees experts can receive for their services.
Model Code
_____ increases the time and resources needed to extract, analyze, and present evidence.
Scope Creep
_________ has also been used to protect copyrighted material by inserting digital watermarks into a file.
Steganography
An expert's opinion is governed by FRE, Rule _____, and the corresponding rule in many states.
705
_____ are the experts who testify most often.
Medical Professionals
For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
The most important laws applying to attorneys and witness are the ____.
Rules of Evidence
The term _____ comes from the Greek word for "hidden writing."
Steganography
____ is a good tool for extracting information from large Libpcap files.
Tcpslice
As with any research paper, write the report abstract last.
True
For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.
True
PsList from PsTools allows you to list detailed information about processes.
True
When cases go to trial, you as a forensics examiner can play one of ____ roles.
2
The abstract should be one or two paragraphs totaling about 150 to _____ words.
200
If your CV is more than ___ months old, you probably need to update it to reflect new cases and additional training.
3
Most packet sniffers operate on layer 2 or ____ of the OSI model.
3
The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
APA's
_______ images store graphics information as grids of individual pixels.
Bitmap
Helix operates in two modes: Windows Live (GUI or command line) and ____.
Bootable Linux
_______ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
Brute-force
Developed during WWII, this technology, ____, was patented by Qualcomm after the war.
CDMA
When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
CTRL + C
The report's ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
Conclusion
Create a formal checklist of your procedures that's applied to all your cases or include such a checklist in your report.
False
Expert opinions cannot be presented without stating the underlying factual basis.
False
FTK cannot analyze data from image files from other vendors.
False
FTK cannot perform forensics analysis on FAT12 file systems.
False
If you must write a preliminary report, use words such as "preliminary copy," "draft copy," or "working draft."
False
Investigating cell phones and mobile devices is a relatively easy task in digital forensics.
False
Like a job resume, your CV should be geared for a specific trial.
False
Network forensics is a fast, easy process.
False
Operating systems do not have tools for recovering image files.
False
Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.
False
When intruders break into a network, they rarely leave a trail behind.
False
When writing a report, use a formal, technical style.
False
You can always rely on the return path in an e-mail header to show the source account of an e-mail message.
False
A written preliminary report is considered a ___ document because opposing counsel can demand discovery on it.
High-risk
The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
Honeynet
A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.
Honeypot
In the past, the method for expressing an opinion has been to frame a _____ question based on available factual evidence.
Hypothetical
____ questions can give you the factual structure to support and defend your opinion.
Hypothetical
_______ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
You begin any computer forensics case by creating a(an) _______.
Investigation Plan
A(n) ______ file has a hexadecimal header value of FF D8 FF E0 00 10.
JPEG
Generally, the best approach your attorney can take in direct examination is to ask you _____ questions and let you give your testimony.
Open-ended
____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
SIM
In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
SYN Flood
Leading questions such as "Isn't it true that forensics experts always destroy their handwritten notes?" are referred to as _____ questions.
Setup
____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
Snort
______ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
Steganography
________ is the art of hiding information inside image files.
Steganography
The _____ search feature allows you to look for words with extensions such as "ing," "ed," and so forth.
Stemming
Regarding a trial, the term _____ means rejecting potential jurors.
Strikes
The ____ digital network divides a radio frequency into time slots.
TDMA
The file format XIF is derived from the more common ____ file format.
TIFF
A common way of examining network traffic is by running the ____ program.
Tcpdump
When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
Technical/Scientific
In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
Temporary
Many people store more information on their cell phones than they do on their computers.
True
Part of what you have to deliver to the jury is a person they can trust to help them figure out something that's beyond their expertise.
True
Portability of information is what makes SIM cards so versatile.
True
TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.
True
The defense request for full discovery of digital evidence applies to only criminal cases in the United States.
True
With many computer forensics tools, you can open files with external viewers.
True
With the Knoppix STD tools on a portable CD, you can examine almost any network system.
True
People need ethics to help maintain their balance, especially in difficult and contentious situations.
True
Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
Zombies
____ is the text version of Ethereal, a packet sniffer tool.
tethereal
Save broader generalizations and summaries for the report's _____.
Conclusion
All e-mail servers are databases that store multiple users' e-mails.
False
Data ______ involves changing or manipulating a file to conceal information.
Hiding
As an expert witness, you have opinions about what you have found or observed.
True
Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.
True
Typically, UNIX installations are set to store logs such as maillog in the ______ directory.
/var/log
________ steganography replaces bits of the host file with other bits of data.
Substitution
Bitmap images are collections of dots, or pixels, that form an image.
True
In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of _______.
.pst
Jurors typically average just over __ years of education and an eighth-grade reading level.
12
If a microphone is present during your testimony, place it __ to eight inches from you.
6
FRE ____ describes whether the expert is qualified and whether the expert opinion can be helpful.
702
FRE ____ describes whether the basis for the testimony is adequate.
703
In an e-mail address, everything after the __ symbol represents the domain name.
@
The ___ has stated that, unlike attorneys, expert witnesses do not owe a duty of loyalty to their clients.
ABA
_____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
APA's Ethics Code
If a report is long and complex, you should write a(n) _____.
Abstract
A(n) ____ hearing generally addresses the administrative agency's subject matter and seeks evidence in your testimony on a subject for which it's contemplating making a rule.
Administrative
A written report is frequently a(n) _____ or a declaration.
Affidavit
If necessary, you can include _____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
Appendixes
____ provide additional resource material not included in the body of the report.
Appendixes
In the main section of your report, you typically cite references with the _____ enclosed in parentheses.
Author's last name and year of publication
Discuss any potential problems with your attorney ____ a deposition.
Before
For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience.
CV
Recovering pieces of a file is called _______.
Carving
______ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
Circular Logging
E-mail messages are distributed from one central server to many connected client computers, a configuration called _______.
Client/Server Architecture
Sometimes opposing attorneys ask several questions inside one question; this practice is called ____ questions.
Compound
The files that provide helpful information to an e-mail investigation are log files and ______ files.
Configuration
___ is an attempt by opposing attorneys to prevent you from serving on an important case.
Conflicting out
The ____ network is a digital version of the original analog standard for cell phones.
D-AMPS
A report using the ____ numbering system divides material into sections and restarts numbering with each main section.
Decimal
The process of converting raw picture data to another format is referred to as _________.
Demosaicing
A _____ differs from a trial testimony because there is no jury or judge.
Deposition
Attorneys search ____ for information on expert witnesses.
Deposition Banks
Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
Device Seizure
The _____ examination is the most important part of testimony at a trial.
Direct
You provide ____ testimony when you answer questions from the attorney who hired you.
Direct
Remember that anything you write down as part of your examination for a report is subject to _____ from the opposing attorney.
Discovery
There are two types of depositions: ____ and testimony preservation.
Discovery
The ____ digital network, a faster version of GSM, is designed to deliver data.
EDGE
Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
EEPROM
The majority of digital cameras use the _______ format to store digital pictures.
EXIF
A(n) ____ is a document that lets you know what kind of questions to expect when you are testifying.
Examination Plan
You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
Examination Plan
_____ evidence is evidence that exonerates or diminishes the defendant's liability.
Exculpatory
Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
Expert
The marking bad clusters data-hiding technique is more common with _____ file systems.
FAT
A nonsteganographic file has a different size than an identical steganographic graphics file.
False
A verbal report is more structured than a written report.
False
You use _________ to create, modify, and save bitmap, vector, and metafile graphics files.
Graphic Editors
Reports and logs generated by forensics tools are typically in plaintext format, a word processor format, or ___ format.
HTML
Validate your tools and verify your evidence with ___ to ensure its integrity.
Hashing Algorithms
If you can't open an image file in an image viewer, the next step is to examine the file's _________.
Header Data
The file system for a SIM card is a ____ structure.
Hierarchical
____ can be used to create a bootable forensic CD and perform a live acquisition.
Helix
The simplest way to access a file header is to use a(n) ________ editor.
Hexadecimal
Getting a hash value with a ______ is much faster and easier than with a(n) _____.
Hexadecimal Editor, Computer Forensics Tool
Many commercial encryption programs use a technology called _______, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
Key Escrow
____ hide the most valuable data at the innermost part of the network.
Layered Network Defense Strategies
Typically, report writers use one of two numbering systems: decimal numbering or _____ numbering.
Legal-Sequential
Under copyright laws, computer programs may be registered as _______.
Literary works
____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
Live
______ compression compresses data by permanently discarding bits of information in the file.
Lossy
The SIM file structure begins with the root of the system (____).
MF
____ is a forensics software tool containing a built-in write blocker.
MOBILedit!
____ is a written list of objections to certain testimony or exhibits.
Motion in limine
____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
Network
____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
Network Forensics
To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click _____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.
Options
Most packet sniffer tools can read anything captured in ____ format.
PCAP
____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
PDAs
People who want to hide data can also use advanced encryption programs, such as ______.
PGP
____ are devices and/or software placed on a network to monitor traffic.
Packet Sniffers
Attorneys can now submit documents electronically in many courts; the standard format in federal court is ____.
Portable Document Format (PDF)
The PSTools ____ kills processes by name or process ID.
PsKill
____ is a suite of tools created by Sysinternals.
PsTools
____ from both plaintiff and defense is an optional phase of the trial. Generally, it's allowed to cover an issue raised during cross-examination.
Rebuttal
____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
RegMon
______ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation.
Remote Acquisitions
Exchange logs information about changes to its data in a(n) ____ log.
Transaction
As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.
True
Besides representing the facts, reports can communicate expert opinion.
True
E-mail programs either save e-mail messages on the client computer or leave them on the server.
True
Experts should be paid in full for all previous work and for the anticipated time required for testimony.
True
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
True
If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file.
True
In the United States, there's no state or national licensing body for computer forensics examiners.
True
_________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector Graphics
A(n) _____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
Written Report
The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password.
chntpw
____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD.
dcfldd
Some e-mail systems store messages in flat plaintext files, known as a(n) _____ format.
mbox
In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
subpoenas