Forensics Chap 1-13
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
Allegation
____ images store graphics information as grids of pixels.
Bitmap
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
Brute-Force
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.
Criminal
A ____ is a column of tracks on two or more disk platters.
Cylinder
A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Disaster Recovery Plan
You begin a digital forensics case by creating a(n) ____.
Investigation Plan
One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex.
Disk Editor
The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.
Disk-to-disk
The most common and flexible data-acquisition method is ____.
Disk-to-image file copy
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
EFS
A JPEG file is an example of a vector graphic.
False
Graphics files stored on a computer can't be recovered after they are deleted.
False
ISPs can investigate computer abuse committed by their customers.
False
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
The validation function is the most challenging of all tasks for computer investigators to master.
False
Windows OSs do not have a kernel.
False
____ involves sorting and searching through investigation findings to separate good data and suspicious data.
Filtering
The simplest way to access a file header is to use a(n) ____ editor.
Hexadecimal
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
Image File
The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS.
Kernel
To recover a password in macOS, which tool do you use?
Keychain Access
Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.
Much easier
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
NIST
____, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10
____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.
RAID 15
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
Static
____ is a data-hiding technique that uses host files to cover the contents of a secret message.
Steganography
A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
True
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
A judge can exclude evidence obtained from a poorly worded warrant.
True
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
All disks have more storage capacity than the manufacturer states.
True
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.
True
By the 1970s, electronic crimes were increasing, especially in the financial sector.
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
True
If a file contains information, it always occupies at least one allocation block.
True
In Autopsy and many other forensics tools, raw format image files don't contain metadata.
True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
True
The Internet is the best source for learning more about file formats and their extensions.
True
The lab manager sets up processes for managing cases and reviews them regularly.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
The most common computer-related crime is check fraud.
True
The pipe ( | ) character redirects the output of the command preceding it.
True
The type of file system an OS uses determines how data is stored on the disk.
True
There's no simple method for getting an image of a RAID server's disks.
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
Whole disk encryption
____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.
Write-Blockers
E-mail messages are distributed from a central server to many connected client computers, a configuration called ____.
client/server architecture
Most digital investigations in the private sector involve ____.
misuse of digital assets
When the hard link count drops to ____, the file is effectively deleted.
0
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
Computing components are designed to last 18 to ____ months in normal business operations.
36
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
Affidavit
____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
Affidavit
Generally, digital records are considered admissible if they qualify as a ____ record.
Business
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
In macOS, the ____ fork typically contains data the user creates.
Data
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data Recovery
A ____ is where you conduct your investigations, store evidence, and do most of your work.
Digital Forensics Lab
A(n) ____ is a person using a computer to perform routine tasks other than systems administration.
End User
It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.
Exhibits
By the early 1990s, the ____ introduced training on software for forensics investigations.
IACIS
Records in the MFT are called ____.
MetaData
Published company policies provide a(n) ____ for a business to conduct internal investigations.
Line of Authority
Linux ISO images that can be burned to a CD or DVD are referred to as ____.
Linux Live CDs
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
Live
Most remote acquisitions have to be done as ____ acquisitions.
Live
In macOS, volumes have allocation blocks and ____ blocks.
Logical
A JPEG file uses which type of compression?
Lossy
____ compression compresses data by permanently discarding bits of information in the file.
Lossy
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
NSRL
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.
NTFS
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
Notarized
Courts consider evidence data in a computer as ____ evidence.
Physical
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.
Professional Conduct
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
Proprietary
In general, a criminal case follows three stages: the complaint, the investigation, and the ____.
Prosecution
When you carve a graphics file, recovering the image depends on which of the following skills?
Recognizing the pattern of the file header content
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector Graphics
In macOS, when you're working with an application file, the ____ fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls.
Resource
In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
Resource
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.
Right of Privacy
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
Virtual Machine
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
Warning Banner
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.
dd
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
sha1sum