Digital Forensics Final Exam


Three things to be considered a science...

1. Clearly define the question or purpose of the research.
2. Define a hypothesis.
3. Verification of results. (Many overlook this aspect.)

5 States of a mobile device...

1. Off - Powered off and the battery is removed.
2. Nascent State - No user data (factory fresh).
3. Quiescent State - The device appears to be inactive even though it is actually performing functions.
4. Semi-active State - The device is waiting for a set time to perform a function.
5. Active State - The device is powered on and tasks are being performed on it.

Four deployment models of cloud computing

1. Public - Services are used over the network or internet. All infrastructure except for basic networking components is located at the cloud provider. In addition, the operating system, system software, and applications are deployed and managed within the cloud provider's infrastructure at one or more of the cloud provider's data centers.
2. Private - Infrastructure and applications are hosted internally but offer some of the same benefits of cloud computing, such as the ability to shrink or expand computing power and capacity on demand. Customers who are uncomfortable with placing their data and processes in a public cloud but still like the advantages of a flexible cloud configuration may find this option attractive. Government regulations and laws may also drive a customer to choose this model. Consider a government application with classified information that cannot be deployed to a multi-tenant model due to a customer's policy or law.
3. Hybrid - This model is a combination of public and private clouds. For some of the same reasons stated in the private deployment model, customers may choose or be forced due to policy or regulation to deploy part of their system internally yet still take advantage of a public cloud service for other components of their systems and applications.
4. Community - This model is really a hybrid of the hybrid model. This model may be public, private, or both, but what makes it a little different is that the customers who use the cloud service are part of a "community" with shared interests, goals, missions, and so on.

Social Engineer Techniques

1. Shoulder Surfing - The social engineer looks over the shoulder of mobile device users at public locations such as airports or Wi-Fi centers and captures their usernames and passwords.
2. Vishing - The social engineer sends a mobile voicemail message directing the recipient to contact his or her bank or company.
3. Tailgating - The social engineer pretends to be a company employee and follows one or more employees into a building, bypassing access controls.
4. Rogue Wi-Fi Access Point - The social engineer establishes a rogue wireless access point in a public Wi-Fi facility to capture computer transmissions, including usernames and passwords.
5. Intimidation, Persuasion, Ingratiation, or Assistance - The social engineer uses one or more psychological and cognitive techniques to obtain compliance from the target.

More on pg. 128

Faraday Bag

A container that prevents a cell phone inside from receiving external cell signals

FAT file system

A file system in which one of the basic structures is a table used for allocating space. This table is called the file allocation table (FAT). (10)

Write Blocker

A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter the interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation. Either kind ensures the data is not altered when accessed.

SYSTEM Hive

A hive in the Registry which includes information about the devices and services installed on the computer. It is the first to be loaded at boot.

When was the Virtues of Jihad.pdf created? A. 8/7/2017 2:56:16 PM B. 8/4/2017 2:56:16 PM C. 8/5/2017 2:56:16 PM D. 8/6/2017 2:56:16 PM

A. 8/7/2017 2:56:16 PM

In Digital Forensics, what is an image/imaging? A. A bit for bit copy of information on a device. B. A digital picture reviewed on a device. C. A representation of the external form of a person or thing in art. D. The process of making a visual representation of something by scanning it with a detector.

A. A bit for bit copy of the information on a device.

Which of the following is NOT one of the six main attack vectors used by social engineers to perform their attacks? A. Anti-Forensics. B. Mobile devices. C. Waste management. D. Online. E. Telephone. F. Personal approaches.

A. Anti-Forensics

What are the names of the two types of Jump Lists created within user's profile by Operating System or applications when a user performs certain actions? (Choose 2) A. CustDest B. AutoDest C. CustDest D. DestList E. UserDest

A. CustDest B. AutoDest

Registered Owner information is found under which file? A. SOFTWARE. B. SYSTEM. C. SAM. D. NT.USER.

A. SOFTWARE.

Digital Forensics is... A. The application of scientific principles to the process of discovering information from a digital device. B. Taking pictures of the scene of a crime and analyzing them with special software on a digital device. C. The application of scientific principles to deleting information from a digital device. D. All of the above.

A. The application of scientific principles to the process of discovering information from a digital device.

Estimates have found that ______ of current online terrorist activity occurs on social networking sites. A. 100% B. 90% C. 80% D. 60%

B. 90%

When responding to a scene, what do you need in order to retrieve any evidence? A. Police (for backup.) B. A signed warrant. C. Nothing. You can just walk in and take things. D. Identification (Badge.)

B. A signed warrant

Which of the following is true about traditional cases of digital forensics and social media forensics? A. Social media forensics focuses primarily on a single medium while traditional digital forensics focus is much broader. B. A traditional case of digital forensics focuses primarily on a single medium while social media forensics focus is much broader. C. In social media forensics the focus is often on a single individual or small group of individuals while traditional digital forensics focuses on large groups and organizations of people. D. None of the above.

B. A traditional case of digital forensics focuses primarily on a single medium while social media forensics focus is much broader.

The cluster limit for a FAT16 system is? A. Between 65,526 and 268,435,456 clusters, inclusive. B. Between 4087 and 65,526 clusters, inclusive. C. Fewer than 4087 clusters. D. None of the above.

B. Between 4087 and 65,526 clusters, inclusive.

What is the military's OODA approach? A. Organize, Observe, Determine, Approach B. Observe, Orient, Decide, Act C. Orient, Observe, Decide, Act D. Observe, Organize, Determine, Act

B. Observe, Orient, Decide, Act

Regarding the scientific process and how it relates to Digital Forensics, which of the three steps is most often overlooked? A. Defining a hypothesis. B. Verification of results. C. Clearly defining the question or purpose of the research. D. All of the above.

B. Verification of results.

Tools to bring to a scene

Backpack, screwdrivers, sockets, hex keys, grounding device, suction cups, flashlight, zip ties, string, scissors, Faraday bag, gloves, camera, blanket, various cables, change of clothes, labels, paper/log book, pencil, magnifying glass, razor blades, pliers, extension cords, etc.

Definition of imaging

Bit-for-bit copy of the original source.

What type of social media is run by one or many and consists of posts?

Blog

On _________ drives, FAT mirroring can be disabled and a FAT other than the first one can be the primary (or "active") copy of the FAT? A. FAT12 B. FAT16 C. FAT32 D. All of the above

C. FAT32

Which of the following is NOT one of the four main approaches that have proved to be successful in social engineering? A. Intimidation. B. Persuasion. C. Infatuation. D. Assistance.

C. Infatuation

Account Expiration information can be found under which file? A. SYSTEM. B. SOFTWARE. C. SAM. D. NT.USER.

C. SAM

When responding to an incident, which of the following is the most important? A. Food B. Toolkit C. Safety D. Extra Clothes

C. Safety

What chapter of the book did Professor Otting write?

Chapter 7

What is cloud computing?

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

SOFTWARE Hive

Contains software and Windows settings (in the default hardware profile). It is mostly modified by application and system installers.

What stores information on websites that have been visited?

Cookies

Which of the following does NOT pose challenges to the world of Digital Forensics? A. Internationalization connectivity. B. Anti-Forensics. C. Explosion of data and storage capabilities. D. All of the above pose challenges.

D. All of the above pose challenges.

From the Explorer Recent Documents, which of the following was the Recent Document with a value of 17? A. al-Sadr.jpg B. How to make Disposable Silencers.pdf C. Al Qaeda Training Manual.pdf D. German1pArabicB.jpg

D. German1pArabicB.jpg

Which federal agency has a significant digital forensics presence and is one of the top organizations in the world in digital forensics and associated technologies? A. FBI B. CIA C. ATF D. NSA

D. NSA

What is an attack that uses random words and characters?

Dictionary attack

Through Jump List analysis, forensic investigators can know (choose all that apply): A. Modified files. B. Access count between two time instances. C. Accessed files. D. Created files. E. None of the above. F. All of the above.

F. All of the above

Best file extraction?

Full image of the original drive.

Why can't open source software be used in court?

It is not tested and regulated.

What is active file review?

Low-hanging fruit: the review of the active files on a device. It usually doesn't involve too much digging, since active files can be easily found and accessed.

ACPO 1st rule.

No action should alter the original image.

OODA

Observe, Orient, Decide, Act

Where do you find info about account expiration?

SAM

SAM Hive

The SAM (Security Account Manager) uses cryptographic measures to prevent unauthenticated users from accessing the system. User passwords are stored in hashed form in the registry hive, either as an LM hash or as an NTLM hash.

Where do you find information on chat apps?

SOFTWARE

Where do you find the OS install information?

SOFTWARE

Where do you find the event log?

SYSTEM

Basic FAT File Information

System | Bytes per cluster within allocation table | Cluster limit
FAT12  | 1.5 | Fewer than 4087 clusters
FAT16  | 2   | Between 4087 and 65,526 clusters, inclusive
FAT32  | 4   | Between 65,526 and 268,435,456 clusters, inclusive

peer-to-peer

Software (often free) which allows you to download files directly from a single computer anywhere in the world that also has the same software installed. Sometimes known as P2P, this is a commonly used way of accessing music, software and movies. Downloads usually consist of partial files rather than full files, which makes it harder for analysts to shut sites like this down. They often pop up and disappear in a quick time frame.

Three service models of cloud computing

1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS)

More on the cloud on pg. 72

If live laptop is found on the scene, what is the first thing you should do?

Take a picture of the home screen (if it is not deleting things).

What is the first information on an NTFS volume?

The Partition Boot Sector ($Boot metadata file), which starts at sector 0 and can be up to 16 sectors long. This file describes the basic NTFS volume information and the location of the main metadata file — $MFT.

master file table (MFT)

The database used by the NTFS file system to track the contents of a volume or logical drive.

NT File System (NTFS)

The file system Microsoft created to replace FAT. NTFS uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system. NTFS is used mainly on newer OSs, starting with Windows NT. The Windows NT file system (NTFS) provides a combination of performance, reliability, and compatibility not found in the FAT file system. It is designed to quickly perform standard file operations such as read, write, and search — and even advanced operations such as file-system recovery — on very large hard disks. Formatting a volume with the NTFS file system results in the creation of several system (metadata) files such as $MFT — Master File Table, $Bitmap, $LogFile and others, which contain information about all the files and folders on the NTFS volume.

Main function of a SIM Card?

Ties a cellphone to a network

NTUSER.DAT Hive

What file holds the preferences and settings of the currently signed-in user?
