Final Exam Review (cyber forensics)
Ethics
Help you maintain your self-respect and the respect of your profession.
0x30
If you're examining a forensic NTFS image from a Windows 7 or older system, you'll see two attribute ____: one for the short filename and one for the long filename.
Wang Laboratories, Inc v. Toshiba Corp
In what court case did the court summarize the process of determining whether an expert should be disqualified because of previous contact with an opposing party?
4
The examiner's written report must include a list of all other civil or criminal cases in which he/she has testified for the preceding _____ years.
Conclusion
The report's ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
Frye vs. United States
The rule that states that testimony is inadmissible unless it is "testimony deduced from a well-recognized scientific principle or discovery; the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs", was established in what court case?
Fact witness
This type of testimony reports only the facts (findings of an investigation); no opinion is given in court.
Expert Witness
This type of testimony reports opinions based on experience and facts gathered during an investigation.
Search warrant
To get a ____, a government entity must show that there's probable cause to believe the contents of a wire communication, an electronic communication, or other records are relevant to an ongoing criminal investigation.
Legal-sequential
Typically, report writers use one of two numbering systems: decimal numbering or ____ numbering.
2 to 8 hours of your usual billable rate
Which of the following options would represent a valid retainer?
Snapshot
With cloud systems running in a virtual environment, ____ can give you valuable information before, during, and after an incident.
Infrastructure as a service (IaaS)
With this cloud service level, an organization supplies its own OS, applications, databases, and operations staff, and the cloud provider is responsible only for selling or leasing the hardware.
Software as a service (SaaS)
With this cloud service level, typically a Web hosting service provides applications for subscribers to use.
Service level agreement (Cloud service agreement)
contract between a CSP and a customer that describes what services are being provided and at what level
Testimony Preservation Deposition
deposition held to preserve your testimony in case of schedule conflicts or health problems; usually recorded
Examination Plan
document that serves as a guideline for knowing what questions to expect when you are testifying
Deposition
giving opposing counsel a chance to review your testimony before trial
sync_log.log
Google Drive file that contains a detailed list of a user's cloud transactions
Deposition bank
libraries of examples of expert witnesses' previous testimony
Motion in Limine
motion to exclude certain evidence because of its potential to prejudice
Discovery Deposition
opposing attorney sets the deposition and often conducts the equivalent of both direct and cross-examination
Read_config.py
script that converts Dropbox's config.db into a readable file
Electronic Communications Privacy Act allows:
search warrants, subpoenas, court orders
Closing arguments
statements that organize the evidence and state applicable law
Government Agency Subpoenas
used to get information when it is believed there is danger of death or serious injury or for the National Center of Missing and Exploited Children
FRE 703
whether basis for testimony is adequate
FRE 702
whether expert is qualified and whether the expert opinion can be helpful
Court Orders
written by judges to compel someone to do or not do something, such as a CSP producing user logon activities
Expert
Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
Cloud Service Agreements (CSAs)
Contracts between a cloud service provider and a cloud customer. Any additions or changes to a CSA can be made through an addendum.
Hybrid Cloud
A cloud deployment model that combines public, private, or community cloud services under one cloud. Segregation of data is used to protect private cloud storage and applications.
Platform as a service (PaaS)
A cloud service that provides a platform in the cloud that has only an OS. The customer can use the platform to load their own applications and data. The CSP is responsible only for the OS and the hardware it runs on; the customer is responsible for everything else that they have loaded onto it.
Private Cloud
A cloud service dedicated to a single organization.
Public Cloud
A cloud service that's available to the general public.
Multitenancy
A principle of software architecture in which a single installation of a program runs on a server accessed by multiple entities (tenants). When software is accessed by tenants in multiple jurisdictions, conflicts in copyright and licensing laws might result.
Community Cloud
A shared cloud service that provides access to common or shared data.
Management Plane
A tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly.
Administrative
A(n) ____ hearing generally addresses the administrative agency's subject matter and seeks evidence in your testimony on a subject for which it's contemplating making a rule.
Written Report layout
Abstract, Table of Contents, Body, Conclusion, References, Glossary, Acknowledgements, Appendixes
Provisioning
Allocating cloud resources, such as additional disk space.
HTCIA
An organization that provides a detailed Code of Ethics of Professional Standards Conduct for its members.
ISFCE
An organization that provides guidelines for its members in the form of a Code of Ethics on how they are expected to perform their duties as forensics examiners.
Abstract
As with any research paper, write the ___________________ last.
Deprovisioning
Deallocating cloud resources that were assigned to a user or an organization.
Spoliation
Destroying, altering, hiding, or failing to preserve evidence, whether it's intentional or a result of negligence.
Curriculum Vitae
Extensive outline of professional history with cases worked and trainings listed
MAC
Metadata in a prefetch file contains an application's _____________ times in UTC format and a counter of how many times the application has run since the prefetch file was created.
Voir Dire
Part of testimony where the attorney asks you questions to elicit the qualifications that make you an expert witness
Improper
People who fear having their ____ acts revealed feel as though they must protest the ____ acts of others being revealed.
Federal Rules of Evidence
Prescribe the methods by which experts appear before court
IACIS
Provides a well-defined, simple guide for expected behavior of forensics examiners.
Hashing Algorithms
Validate your tools and verify your evidence with ____ to ensure its integrity.
Cloud Service Providers (CSPs)
Vendors that provide on-demand network access to a shared pool of resources (typically remote data storage or Web applications).
