Module 9 Digital Forensics Analysis and Validation


block-wise hashing

The process of hashing each sector (or fixed-size block) of a known file and comparing those hashes with the hashes of the sectors on a suspect's drive, to find remnants of the file even when it can no longer be recovered as a whole.

scope creep

The result of an investigation expanding beyond its original description because the discovery of unexpected evidence increases the amount of work required.

Which forensic image file formats create or incorporate a validation hash value in the image file?

- AFF
- SMART
- Expert Witness

The Known File Filter (KFF) can be used for which of the following purposes?

- a: Filter known program files from view.
- c: Compare hash values of known files with evidence files.

stego-media

In steganalysis, the file containing the hidden message. See also cover-media.

cover-media

In steganalysis, the original file with no hidden message. See also stego-media.

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?

Internal corporate investigation because corporate investigators typically have ready access to company records

True or False: The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length.

True

True or False: Commercial encryption programs often rely on key escrow technology to recover files if a password or passphrase is lost.

True

True or False: Scope creep happens when an investigation goes beyond the bounds of its original description.

True

Steganography is used for which of the following purposes?

Hiding data

For which of the following reasons should you wipe a target drive?

- a: To ensure the quality of digital evidence you acquire
- b: To make sure unwanted data isn't retained on the drive

steganography

A technique for embedding information in another file (the cover-media) for the purpose of hiding that information from casual observers. Unlike encryption, which conceals a message's content, steganography conceals the message's existence; the two are often combined. See also cover-media, stego-media.

rainbow table

A precomputed table of password hashes, stored as hash chains to trade storage for computation, that covers every password of a given length and character set. A captured hash is looked up in the table to recover the plaintext without hashing every candidate at crack time. See also salting passwords.

The National Software Reference Library provides what type of resource for digital forensics examiners?

A list of hash values (MD5 and SHA-1; newer releases also carry SHA-256) for the files of known operating systems and applications, distributed as the Reference Data Set (RDS)

key escrow

A technology designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.

salting passwords

Adding random bits (the salt) to a password before it's hashed, so that a precomputed table such as a rainbow table can't be used to look up the hash: every salt value would need its own table. See also rainbow table.

Known File Filter (KFF)

An AccessData database containing the hash values of known legitimate and suspicious files. It's used to identify files that are possible evidence or eliminate files from an investigation if they're legitimate.

In a forensics investigation, you must follow certain procedures. Which of the following is NOT something you should do?

Carry out the investigation on the original evidence only

In OSForensics, how do you attach to a drive to examine evidence?

Choose Mount Drive Image

True or False: After you shift a file's bits, the hash value remains the same.

False

True or False: Password recovery is included in all forensics tools.

False

Which of the following represents known files you can eliminate from an investigation?

Files associated with an application

Which of the following can be used to determine if the contents of a file have changed?

Hash

What is a good resource for known OSs and applications?

National Software Reference Library (NSRL)
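The Known File Filter and NSRL entries above describe the same workflow: hash every file on the evidence drive and match the hashes against a known-file set, eliminating known-good files and flagging known-bad ones. The following is an added example, not part of the original page or of any AccessData or NIST tool. The hash-set text is constructed in the column layout of the legacy NSRL RDS NSRLFile.txt; its file names, codes and hashes are illustrative placeholders (the hashes are those of the short sample contents written by `demo()`), and the alert list is a hypothetical KFF-style set.

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed sample in the column layout of the legacy NSRL RDS file
# (NSRLFile.txt). File names and codes are placeholders; the hashes are
# MD5/SHA-1 of the sample contents written by demo(), not of real binaries.
NSRL_SAMPLE = '''\
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d","5d41402abc4b2a76b9719d911017c592","","calc.exe","5","0","0",""
"a9993e364706816aba3e25717850c26c9cd0d89d","900150983cd24fb0d6963f7d28e17f72","","readme.txt","3","0","0",""
'''

# Hypothetical KFF-style alert list: hashes the examiner wants flagged.
# Here just the hash of the string "malware" (constructed).
ALERT_SAMPLE = {hashlib.md5(b"malware").hexdigest(): "known contraband sample"}


def load_nsrl(text: str) -> dict:
    """Parse RDS-formatted CSV into {md5 -> file name}."""
    return {row["MD5"].lower(): row["FileName"]
            for row in csv.DictReader(io.StringIO(text))}


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large evidence files don't need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root: str, ignore: dict, alert: dict) -> dict:
    """Walk `root`, hash every file, and bucket it as alert / ignore / review.

    Matching is by hash only, so a known file that has been renamed is
    still recognised.  Alert matches take precedence over ignore matches."""
    result = {"alert": [], "ignore": [], "review": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = md5_file(path)
            rel = os.path.relpath(path, root)
            if digest in alert:
                result["alert"].append((rel, alert[digest]))
            elif digest in ignore:
                result["ignore"].append((rel, ignore[digest]))
            else:
                result["review"].append(rel)
    return result


def demo() -> dict:
    """Write four constructed files to a temp dir and triage them.
    'photo.jpg' has the content of the known 'calc.exe', showing that
    the match is on the hash, not the name."""
    samples = {
        "photo.jpg": b"hello",            # known-good content, renamed
        "readme.txt": b"abc",             # known-good content
        "notes.doc": b"malware",          # on the alert list
        "diary.txt": b"my private notes", # unknown: needs review
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return triage(root, load_nsrl(NSRL_SAMPLE), ALERT_SAMPLE)
```

MD5 is used here because it is the column the legacy RDS and the quiz question refer to; since MD5 collisions can be manufactured, a production filter should match on the SHA-1 or SHA-256 column so that a crafted file cannot be made to hash like a known-good one and drop out of view.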

Block-wise hashing has which of the following benefits for forensics examiners?

Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
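The glossary entry and the question above both describe block-wise hashing. The following added example (not code from the original page) implements it: it hashes each 512-byte sector of a known file, then scans a suspect image sector by sector for matching hashes. Both the "known file" and the "drive image" are constructed in memory from a seeded PRNG so the block runs offline; the planted remnants are marked in the code.

```python
import hashlib
import random

SECTOR = 512


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Map sha256(sector) -> index of that sector within the known file.

    The final partial sector is zero-padded so it hashes like a sector
    whose slack space is zero-filled; on a real drive the slack may hold
    old data, so a partial last sector often won't match.  All-zero blocks
    are skipped: they occur everywhere on a disk and would only produce
    false positives."""
    hashes = {}
    for i in range(0, len(data), sector):
        block = data[i:i + sector].ljust(sector, b"\x00")
        if block.count(0) == sector:
            continue
        hashes[hashlib.sha256(block).hexdigest()] = i // sector
    return hashes


def scan_image(image: bytes, known: dict, sector: int = SECTOR) -> list:
    """Return (image_sector, file_sector) pairs where a sector of the image
    is byte-for-byte identical to a sector of the known file."""
    hits = []
    for j in range(0, len(image) - sector + 1, sector):
        digest = hashlib.sha256(image[j:j + sector]).hexdigest()
        if digest in known:
            hits.append((j // sector, known[digest]))
    return hits


def build_demo():
    """Constructed data: a file of 4 sectors plus 100 bytes, and a 20-sector
    'drive' holding two aligned remnants of it and one misaligned fragment."""
    rng = random.Random(1)
    known_file = rng.randbytes(4 * SECTOR + 100)
    image = bytearray(rng.randbytes(20 * SECTOR))
    # File sectors 1 and 2 survive intact at image sectors 7 and 8.
    image[7 * SECTOR:9 * SECTOR] = known_file[1 * SECTOR:3 * SECTOR]
    # File sector 3 also survives, but shifted 100 bytes off a sector
    # boundary; sector-aligned scanning will not find it.
    off = 15 * SECTOR + 100
    image[off:off + SECTOR] = known_file[3 * SECTOR:4 * SECTOR]
    return known_file, bytes(image)


def demo() -> list:
    known_file, image = build_demo()
    return scan_image(image, sector_hashes(known_file))
```

The misaligned fragment is the practical caveat: block-wise hashing only finds remnants that still sit on the same block boundaries as the original file. A file that was copied into a container, compressed, or written to a file system with a different cluster alignment needs a sliding-window scan (hash at every byte offset, roughly 512 times the work) or a smaller block size.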

Which of the following contains a set of hashes for known passwords?

Rainbow Tables

Rainbow tables serve what purpose for digital forensics examinations?

Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?

Salting can make password recovery extremely difficult and time consuming.
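The rainbow-table and salting entries above are best seen side by side. The following added example (not from the original page or any password-recovery product) builds a small rainbow table over a toy password space of three lowercase letters hashed with MD5, recovers an unsalted hash from it, and then shows that the same table finds nothing for the same password once a per-user salt is prepended. The chain length, table size, reduction function and the salt value are all constructed for the demonstration.

```python
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                          # toy space: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 100                     # constructed; real tables use thousands
NUM_CHAINS = 800                    # constructed


def index_to_password(n: int) -> str:
    """Bijection from [0, SPACE) onto the password space."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def unsalted_hash(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + password.encode()).digest()


def reduce_hash(digest: bytes, position: int) -> str:
    """Map a digest back into the password space.  Mixing in the column
    position gives each column its own reduction function, which is what
    distinguishes a rainbow table from plain hash chains (fewer merges)."""
    return index_to_password((int.from_bytes(digest, "big") + position) % SPACE)


def build_table(seed: int = 0) -> dict:
    """Precompute chains; store only endpoint -> [start passwords]."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = index_to_password(rng.randrange(SPACE))
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_hash(unsalted_hash(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return the password whose unsalted hash is `target`, or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in column `pos`; walk the chain to its end.
        pw = reduce_hash(target, pos)
        for later in range(pos + 1, CHAIN_LEN):
            pw = reduce_hash(unsalted_hash(pw), later)
        for start in table.get(pw, ()):
            # Regenerate that chain up to column `pos` and verify the hash,
            # which rules out false alarms from merged chains.
            cand = start
            for p in range(pos):
                cand = reduce_hash(unsalted_hash(cand), p)
            if unsalted_hash(cand) == target:
                return cand
    return None


def demo() -> dict:
    table = build_table()
    # A chain start point is guaranteed to be covered by the table, so use
    # the first one as the "victim" password for a deterministic result.
    victim = next(iter(table.values()))[0]
    salt = bytes.fromhex("a1b2c3d4")        # constructed per-user salt
    return {
        "victim": victim,
        "unsalted_recovered": lookup(table, unsalted_hash(victim)),
        "salted_recovered": lookup(table, salted_hash(victim, salt)),
    }
```

The salted lookup fails because the table was built over `md5(password)`, while the stored value is `md5(salt || password)`; an attacker would need a separate table for every salt value. For an examiner this is exactly the concern in the question above: once an application salts its hashes, precomputation buys nothing and recovery falls back to brute force or dictionary attacks per account.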

In steganalysis, cover-media is which of the following?

The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?

There's a hidden partition.
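The Disk Management question above can be checked directly against the partition tables rather than through a GUI. The following added example (not from the original page or any forensic tool) parses a DOS/MBR partition table and the chain of extended boot records (EBRs) inside an extended partition, then compares the extended partition's size with the sum of the logical volumes it actually contains. The disk image is constructed in memory: only the three sectors that hold partition tables are populated, and the partition sizes and offsets are made up for the demonstration.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}       # DOS extended, Windows LBA extended
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(ptype: int, start_lba: int, sectors: int, status: int = 0x00) -> bytes:
    """Build a 16-byte partition entry; CHS fields are left zero (tools use LBA)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def make_sector(entries: list) -> bytes:
    """Build an MBR/EBR sector: 446 bytes of code area, 4 entries, 0x55AA."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * 446 + table + b"\x55\xAA"


def parse_entries(sector: bytes) -> list:
    """Return all four (type, lba_start, sector_count) entries of a table sector."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR/EBR signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append((ptype, start, count))
    return entries


def walk_extended(read_sector, ext_start: int) -> list:
    """Follow the EBR chain and return the logical volumes as absolute LBAs.

    In each EBR, entry 0 describes the logical volume relative to that EBR's
    own sector, and entry 1 points to the next EBR relative to the start of
    the extended partition.  A `seen` set stops loops in corrupted or
    deliberately malformed chains."""
    logicals, seen, ebr_lba = [], set(), ext_start
    while ebr_lba not in seen:
        seen.add(ebr_lba)
        first, second = parse_entries(read_sector(ebr_lba))[:2]
        if first[0] != 0:
            logicals.append((first[0], ebr_lba + first[1], first[2]))
        if second[0] == 0:
            break
        ebr_lba = ext_start + second[1]
    return logicals


def audit_disk(read_sector) -> list:
    """For every extended partition, compare its size with its logical volumes."""
    report = []
    for ptype, start, count in parse_entries(read_sector(0)):
        if ptype in EXTENDED_TYPES:
            logicals = walk_extended(read_sector, start)
            used = sum(c for _, _, c in logicals)
            report.append({"extended_sectors": count, "logical_sectors": used,
                           "unaccounted_sectors": count - used, "logicals": logicals})
    return report


def demo() -> list:
    """Constructed disk: one primary partition and an extended partition of
    60,000 sectors that holds only two logical volumes totalling 30,000."""
    ext_start, ext_size = 102048, 60000
    mbr = make_sector([make_entry(0x07, 2048, 100000, status=0x80),
                       make_entry(0x05, ext_start, ext_size)])
    ebr1 = make_sector([make_entry(0x07, 2048, 20000),      # logical 1
                        make_entry(0x05, 22048, 12048)])    # -> next EBR
    ebr2 = make_sector([make_entry(0x07, 2048, 10000)])     # logical 2, end of chain
    disk = {0: mbr, ext_start: ebr1, ext_start + 22048: ebr2}
    # Any sector not holding a table reads as zeros; a real image would be
    # read with f.seek(lba * SECTOR); f.read(SECTOR) in place of this lambda.
    return audit_disk(lambda lba: disk.get(lba, b"\x00" * SECTOR))
```

A few thousand unaccounted sectors are normal (each EBR sits at the start of an alignment gap before its logical volume, 2,048 sectors here), but 30,000 sectors against 30,000 used is the discrepancy the question describes: space inside the extended partition that no EBR entry claims, which may be a partition with its table entry removed or type-hidden, and should be carved and examined.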

