Forensics Chap 1-13


Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.

Allegation

____ images store graphics information as grids of pixels.

Bitmap

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.

Brute-Force

In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.

Criminal

A ____ is a column of tracks on two or more disk platters.

Cylinder

A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.

Disaster Recovery Plan

You begin a digital forensics case by creating a(n) ____.

Investigation Plan

One way to compare results and verify a new tool is by using a ____, such as Hex Workshop or WinHex.

Disk Editor

The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.

Disk-to-disk

The most common and flexible data-acquisition method is ____.

Disk-to-image file copy

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.

EFS

A JPEG file is an example of a vector graphic.

False

Graphics files stored on a computer can't be recovered after they are deleted.

False

ISPs can investigate computer abuse committed by their customers.

False

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.

False (the textbook's answer; in practice current Windows does ship certutil -hashfile and PowerShell's Get-FileHash, which produce the same MD5, SHA-1 and SHA-256 digests as the Linux utilities)

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

The validation function is the most challenging of all tasks for computer investigators to master.

False

Windows OSs do not have a kernel.

False

____ involves sorting and searching through investigation findings to separate good data and suspicious data.

Filtering

The simplest way to access a file header is to use a(n) ____ editor

Hexadecimal

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

Image File

The term ____ is often used when discussing Linux because technically, Linux is only the core of the OS.

Kernel

To recover a password in macOS, which tool do you use?

Keychain Access

Investigating and controlling computer incident scenes in private-sector environments is ____ than in crime scenes.

Much easier

The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.

NIST

____, or mirrored striping, is a combination of RAID 1 and RAID 0.

RAID 10

____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5.

RAID 15

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.

Static

____ is a data-hiding technique that uses host files to cover the contents of a secret message.

Steganography

A forensics analysis of a 6 TB disk, for example, can take several days or weeks.

True

A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

True

A judge can exclude evidence obtained from a poorly worded warrant.

True

A separate manual validation is recommended for all raw acquisitions at the time of analysis.

True

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

True

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

True

All disks have more storage capacity than the manufacturer states.

True

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic.

True

By the 1970s, electronic crimes were increasing, especially in the financial sector.

True

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.

True

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.

True

If a file contains information, it always occupies at least one allocation block.

True

In Autopsy and many other forensics tools, raw format image files don't contain metadata.

True

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

True

One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop.

True

Software forensic tools are grouped into command-line applications and GUI applications.

True

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.

True

The Internet is the best source for learning more about file formats and their extensions.

True

The lab manager sets up processes for managing cases and reviews them regularly.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

The most common computer-related crime is check fraud.

True

The pipe ( | ) character redirects the output of the command preceding it.

True

The type of file system an OS uses determines how data is stored on the disk.

True

There's no simple method for getting an image of a RAID server's disks.

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.

True

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.

True

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

Whole disk encryption

____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.

Write-Blockers

E-mail messages are distributed from a central server to many connected client computers, a configuration called ____.

client/server architecture

Most digital investigations in the private sector involve ____.

misuse of digital assets

When the hard link count drops to ____, the file is effectively deleted.

0
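
The link-count behaviour in the card above, as an added example that is not from the textbook. It creates a file, adds a second hard link, removes the first name, and shows the data is still readable through the surviving link; only when the count reaches 0 is the inode released. The scratch directory and the file names are the example's own; the link count is read from the second column of ls -l, which is the same on every POSIX system.

```shell
#!/bin/sh
# Added example (not the textbook's code): watch a file's hard link count and
# show that the data stays reachable until the last link is gone.

# Hard link count of a path (second column of ls -l).
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Run the demonstration in scratch directory $1 and print
# "<count before link> <count after link> <count after first rm> <content>".
demo_hard_links() {
    printf 'evidence' > "$1/original.txt"
    c1=$(link_count "$1/original.txt")      # 1: one name for the inode
    ln "$1/original.txt" "$1/alias.txt"     # second name, same inode
    c2=$(link_count "$1/original.txt")      # 2
    rm "$1/original.txt"                    # drops the count to 1; data untouched
    c3=$(link_count "$1/alias.txt")         # 1
    content=$(cat "$1/alias.txt")           # still "evidence"
    rm "$1/alias.txt"                       # count 0: now the blocks are freed
    echo "$c1 $c2 $c3 $content"
}

# Demonstration run (prints: 1 2 1 evidence).
WORK=$(mktemp -d)
demo_hard_links "$WORK"
rm -rf "$WORK"
```

On Linux, `stat -c %h` gives the same number; `ls -l` was used because it works unchanged on macOS and BSD as well.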

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

Computing components are designed to last 18 to ____ months in normal business operations.

36

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____

Affidavit

____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Probable cause

Generally, digital records are considered admissible if they qualify as a ____ record.

Business

____ is the file structure database that Microsoft originally designed for floppy disks.

FAT

In macOS, the ____ fork typically contains data the user creates.

Data

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data Recovery

A ____ is where you conduct your investigations, store evidence, and do most of your work.

Digital Forensics Lab

A(n) ____ is a person using a computer to perform routine tasks other than systems administration.

End User

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.

Exhibits

By the early 1990s, the ____ introduced training on software for forensics investigations.

IACIS

Records in the MFT are called ____.

MetaData

Published company policies provide a(n) ____ for a business to conduct internal investigations.

Line of Authority

Linux ISO images that can be burned to a CD or DVD are referred to as ____.

Linux Live CDs

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.

Live

Most remote acquisitions have to be done as ____ acquisitions.

Live

In macOS, volumes have allocation blocks and ____ blocks.

Logical

A JPEG file uses which type of compression?

Lossy

____ compression compresses data by permanently discarding bits of information in the file.

Lossy

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.

NSRL
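
How a hash set such as the NSRL's is actually used, as an added example that is not from the textbook: compute a SHA-1 per file, look it up in a list of known-good hashes, and keep only the files that are not on the list for the examiner (the "filtering" step from the earlier card). The two "OS files" and the "suspect" file are constructed stand-ins written inline; a real NSRL import would supply the SHA-1 values, and the lookup below would be unchanged.

```shell
#!/bin/sh
# Added example (not the textbook's code): known-file filtering with a hash set.

# Build the hash set: one lowercase SHA-1 per line, sorted and de-duplicated.
build_hash_set() {      # $1 = directory of known-good files, $2 = output list
    for f in "$1"/*; do
        sha1sum "$f" | awk '{print $1}'
    done | sort -u > "$2"
}

# Print the evidence files whose SHA-1 is NOT in the hash set; these are the
# ones that still need a human look. A renamed copy of a known file is
# filtered just the same, because only content is hashed, never the name.
filter_unknown() {      # $1 = evidence directory, $2 = hash set
    for f in "$1"/*; do
        h=$(sha1sum "$f" | awk '{print $1}')
        if ! grep -qxF "$h" "$2"; then
            echo "$f"
        fi
    done
}

# Demonstration run with constructed files.
WORK=$(mktemp -d)
mkdir "$WORK/known" "$WORK/evidence"
printf 'stand-in for kernel32.dll' > "$WORK/known/kernel32.dll"
printf 'stand-in for ntdll.dll'    > "$WORK/known/ntdll.dll"
build_hash_set "$WORK/known" "$WORK/known.sha1"
cp "$WORK/known/kernel32.dll" "$WORK/evidence/kernel32.dll"   # known, same name
cp "$WORK/known/ntdll.dll"    "$WORK/evidence/renamed.bin"    # known, renamed
printf 'MZ not an OS file'  > "$WORK/evidence/suspect.exe"     # unknown
filter_unknown "$WORK/evidence" "$WORK/known.sha1"             # prints only .../suspect.exe
rm -rf "$WORK"
```

For a hash set of millions of entries, replace the per-file grep with a single `sort`/`comm` pass over both lists; the per-file form is shown because it reads most directly.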

____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.

NTFS

The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.

Notarized

Courts consider evidence data in a computer as ____ evidence.

Physical

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.

Professional Conduct

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

Proprietary

In general, a criminal case follows three stages: the complaint, the investigation, and the

Prosecution

When you carve a graphics file, recovering the image depends on which of the following skills?

Recognizing the pattern of the file header content
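
The header recognition that the two cards above (the hex-editor card and this carving card) describe, as an added example that is not from the textbook. It identifies a file from its first bytes regardless of extension, then carves a JPEG out of a raw image by finding the SOI header (FF D8 FF) and the EOI footer (FF D9), which is the same pattern matching a carver does across unallocated space. The "disk image" is constructed inline (junk bytes, a minimal 24-byte JPEG shell, more junk), so the expected offset and length are known.

```shell
#!/bin/sh
# Added example (not the textbook's code): header-based identification and
# header/footer carving over a constructed raw image.

# Whole file as one continuous hex string (what a disk editor shows you).
hex_of() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Identify a file from its leading bytes, ignoring whatever extension it has.
identify_by_header() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$sig" in
        ffd8ff*)           echo JPEG ;;
        89504e470d0a1a0a*) echo PNG ;;
        47494638*)         echo GIF ;;
        424d*)             echo BMP ;;
        *)                 echo unknown ;;
    esac
}

# Byte offset of the first byte-aligned occurrence of hex pattern $2 in hex
# string $1, searching from 1-based hex-character position $3; -1 if absent.
# A match that starts between two bytes (odd position) is skipped.
find_hex() {
    awk -v h="$1" -v s="$2" -v st="$3" 'BEGIN {
        pos = st
        while (1) {
            p = index(substr(h, pos), s)
            if (p == 0) { print "-1"; exit }
            abs = pos + p - 1
            if ((abs - 1) % 2 == 0) { print (abs - 1) / 2; exit }
            pos = abs + 1
        }
    }'
}

# Carve the first JPEG in $1 into $2; print "offset length" on success.
carve_jpeg() {
    h=$(hex_of "$1")
    start=$(find_hex "$h" ffd8ff 1)
    [ "$start" -ge 0 ] || { echo "no JPEG header found" >&2; return 1; }
    # Search for EOI after the 3-byte header: hex position = start*2 + 1 + 6.
    end=$(find_hex "$h" ffd9 $((start * 2 + 7)))
    [ "$end" -ge 0 ] || { echo "header found but no EOI footer" >&2; return 1; }
    len=$((end + 2 - start))
    dd if="$1" of="$2" bs=1 skip="$start" count="$len" 2>/dev/null
    echo "$start $len"
}

# Constructed image: 16 junk bytes, then SOI + APP0 marker + length 0x0010 +
# "JFIF\0" + version 1.1 (13 bytes), 9 filler bytes, EOI, 7 trailing bytes.
make_disk_image() {
    {
        printf 'JUNKJUNKJUNKJUNK'
        printf '\377\330\377\340\000\020JFIF\000\001\001'
        printf 'IMAGEDATA'
        printf '\377\331'
        printf 'TRAILER'
    } > "$1"
}

# Demonstration run.
WORK=$(mktemp -d)
make_disk_image "$WORK/disk.raw"
carve_jpeg "$WORK/disk.raw" "$WORK/carved.jpg"   # 16 24
identify_by_header "$WORK/carved.jpg"            # JPEG
printf 'BM\000\000' > "$WORK/photo.jpg"          # BMP bytes wearing a .jpg name
identify_by_header "$WORK/photo.jpg"             # BMP, not JPEG
rm -rf "$WORK"
```

Stopping at the first FF D9 is the textbook simplification: an EXIF thumbnail embedded in a real JPEG carries its own EOI, so a production carver walks the marker segments by their length fields instead of trusting the first footer it sees.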

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Vector Graphics

In macOS, when you're working with an application file, the ____ fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls.

Resource

In older versions of macOS, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.

Resource

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.

Right of Privacy

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.

Virtual Machine

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

Warning Banner

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd

The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.

dd

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.

sha1sum (coreutils also ships sha256sum and sha512sum; MD5 and SHA-1 are fine for catching accidental corruption, but both have known collision attacks, so also record a SHA-256 when the hash must resist deliberate tampering)
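
The dd, md5sum and sha1sum cards above, together with the earlier validation cards (verify every raw acquisition, verify with a second tool), as one added example that is not from the textbook: make a raw copy of a "suspect drive", hash source and image with both utilities, record the hash for later re-validation, and show what a post-acquisition change does to the check. The suspect drive is a constructed 60 KiB file (exactly 120 sectors of 512 bytes) so the script runs without root; on a real case the source would be a device such as /dev/sdb behind a write-blocker, and the hash log would go into the case notes.

```shell
#!/bin/sh
# Added example (not the textbook's code): raw acquisition with dd and
# two-algorithm hash validation.

# Deterministic stand-in for the suspect drive: 2048 lines of 30 bytes,
# 61440 bytes in all, a whole number of 512-byte sectors.
make_suspect_disk() {
    : > "$1"
    i=0
    while [ "$i" -lt 2048 ]; do
        printf 'sector %04d: evidence payload\n' "$i" >> "$1"
        i=$((i + 1))
    done
}

# Bit-for-bit raw copy, sector-sized blocks. conv=noerror,sync keeps going
# past unreadable sectors and zero-fills them instead of aborting, which is
# what you want on a failing drive (note it in the case log when it happens).
acquire_raw() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Digest of a file under the named utility; the pipe hands the utility's
# output to awk, which keeps only the hash column.
hash_file() {           # $1 = md5sum | sha1sum, $2 = path
    "$1" "$2" | awk '{print $1}'
}

# Compare source and image under both algorithms. Prints "match" and returns
# 0, or prints the first differing digest pair and returns 1.
validate_image() {      # $1 = source, $2 = image
    for alg in md5sum sha1sum; do
        src=$(hash_file "$alg" "$1")
        img=$(hash_file "$alg" "$2")
        if [ "$src" != "$img" ]; then
            echo "MISMATCH ($alg): $src != $img"
            return 1
        fi
    done
    echo "match"
}

# Demonstration run.
WORK=$(mktemp -d)
make_suspect_disk "$WORK/suspect.raw"
acquire_raw "$WORK/suspect.raw" "$WORK/suspect.dd"
validate_image "$WORK/suspect.raw" "$WORK/suspect.dd"           # match
sha1sum "$WORK/suspect.dd" > "$WORK/suspect.dd.sha1"              # record for later re-validation
printf 'x' >> "$WORK/suspect.dd"                                   # simulate a change after acquisition
validate_image "$WORK/suspect.raw" "$WORK/suspect.dd" || :        # MISMATCH (md5sum): ...
sha1sum -c "$WORK/suspect.dd.sha1" 2>/dev/null || echo "stored hash no longer matches"
rm -rf "$WORK"
```

Re-running `sha1sum -c` against the stored digest at analysis time is the "separate manual validation" the earlier card calls for; keep the digest file outside the image directory so a change to one cannot quietly take the other with it.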

