C840 Cyber Forensic (Test Question v2)

Advanced Forensic Format (AFF); three variants: AFF, AFM, AFD

AFF is an open file format with three variations. AFF stores the data and the metadata in a single file. AFM stores the metadata and the raw data in separate files. AFD stores the image as a directory of multiple files. The format is part of the ____ library and tools, a set of open-source computer forensics programs. The Sleuth Kit and Autopsy both support this format.

Carrier

Signal, stream, or file in which the payload is hidden

priv.stm

Exchange streaming database file (paired with Priv.edb); holds native Internet-format (MIME) content for the private store

Legal process required to obtain Basic Subscriber Information

Subpoena, court order, or search warrant

Legal process required to obtain Content Information

Search warrant

Purpose of a swap file

Augment RAM: disk-backed virtual memory. Pages swapped out to disk can persist there, so the swap file (or Windows pagefile) may retain passwords, keys, and other memory contents of forensic interest.

Information Contained in an email header

From/Date/Message-ID/In-Reply-To/To/Subject/Cc/Bcc/Content-Type/Precedence/Received/References/Reply-To/Sender
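As an added example (not part of the original question set), the script below parses a constructed message and walks its Received chain in transit order, which is how an examiner works back toward the originating host. The message, hosts and addresses are made up and use documentation-range names and IPs; the "forgery tells" it reports (Reply-To on a different domain than From, non-monotonic hop timestamps) are heuristics, not proof of spoofing.

```python
"""Reconstruct the Received chain and flag common header inconsistencies.

Added example; not from the course material. The message below is
constructed for illustration and uses documentation-range hosts/IPs.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: three relay hops, a Reply-To on a different domain.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby mail.example.com with ESMTP id abc123
\tfor <bob@example.com>; Mon, 11 Mar 2024 14:03:10 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
\tby mx.example.org with ESMTP id def456;
\tMon, 11 Mar 2024 14:03:05 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby relay.example.net with ESMTPA id ghi789;
\tMon, 11 Mar 2024 14:02:58 +0000
From: "Alice" <alice@example.net>
To: bob@example.com
Subject: Quarterly numbers
Date: Mon, 11 Mar 2024 14:02:55 +0000
Message-ID: <20240311140255.1234@relay.example.net>
Reply-To: alice.backup@mail.example.test
Content-Type: text/plain; charset="utf-8"

See attached.
"""

# "from <helo-name> (<receiver's comment>) by <receiving host>"
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the claimed sending host, its IP (as recorded by the receiver),
    the receiving host and the timestamp out of one Received header."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, comment, by = m.groups()
    ip = IP_RE.search(comment or helo)
    when = None
    if ";" in value:
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    return {"helo": helo, "ip": ip.group(1) if ip else None, "by": by, "time": when}


def received_chain(raw):
    """Each hop prepends its own Received header, so the last one in the
    header block is the first hop; return hops in transit order."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def header_summary(raw):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]

    def domain(addr):
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    chain = received_chain(raw)
    times = [h["time"] for h in chain if h["time"]]
    return {
        "from": from_addr,
        "reply_to": reply_to,
        # Reply-To pointing somewhere other than From is a classic phishing tell
        "reply_to_mismatch": bool(reply_to) and domain(reply_to) != domain(from_addr),
        "message_id": msg.get("Message-ID"),
        # earliest hop = closest thing to the true origin; only the headers
        # written by servers you control are trustworthy, the sender can forge
        # anything below them
        "origin_ip": chain[0]["ip"] if chain else None,
        "hops": len(chain),
        # forged Received lines often break the time ordering
        "timeline_monotonic": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop["time"], hop["helo"], hop["ip"], "->", hop["by"])
    print(header_summary(SAMPLE_MESSAGE))
```

Run it against a saved `.eml` by reading the file into a string and passing it to `header_summary`; the `email` module is part of the Python standard library, so nothing else is needed.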

.db

GroupWise

Userxxx.db

GroupWise User Databases

Wphost.db

GroupWise post office database

Real-time access

Obtain a wiretap order

.OST

Offline Outlook Storage

.PST

Outlook Email File Type

.mbx or .dbx

Outlook Express

Pwnage

This utility allows you to unlock a locked iPod Touch

Wolf

This utility is a full-featured iPhone forensic tool

Types of Legal Spyware Software

1. MySpy 2. Webwatcher 3. ICU 4. WorkTime

4 States of Mobile Devices

1. Nascent 2. Quiescent 3. Active 4. Semi-Active

Forensic Toolkit (FTK) and EnCase

Both check for steganography, and FTK has an entire image-detection engine devoted to this task.

.eml

Message file format common to several e-mail clients

ESN

Electronic Serial Number. A number used to uniquely identify (CDMA) mobile devices; GSM devices carry an IMEI instead.

.mbx

Eudora Email File Type

Priv.edb

Exchange Private Folders

Pub.edb

Exchange Public Folders

.edb

Exchange Server

Snow

Hides data in the trailing whitespace of text files (spaces and tabs appended to line ends), so the visible text is unchanged.
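As an added example (not from the question set and not Snow's own code), the block below implements a simplified trailing-whitespace scheme of my own devising (8 bits per line, space = 0, tab = 1, 16-bit length prefix; Snow's real encoding differs) together with the check an examiner would run to notice it. It ties the carrier/payload/channel terms from this set to concrete code: the carrier is the text, the payload is the bytes hidden in line endings.

```python
"""Trailing-whitespace steganography in the spirit of Snow, plus the
check an examiner would run to spot it.

Added example; this is a simplified scheme of my own (8 bits per line,
space = 0, tab = 1, 16-bit length prefix), not Snow's actual encoding.
"""

BITS_PER_LINE = 8
LENGTH_BITS = 16


def hide(carrier: str, payload: bytes) -> str:
    """Return the carrier text with the payload encoded as trailing whitespace.
    The visible text is unchanged; only the line endings gain spaces/tabs."""
    lines = carrier.split("\n")
    bits = f"{len(payload):0{LENGTH_BITS}b}" + "".join(f"{b:08b}" for b in payload)
    if len(bits) > len(lines) * BITS_PER_LINE:
        raise ValueError("carrier too short for this payload")
    out = []
    for i, line in enumerate(lines):
        chunk = bits[i * BITS_PER_LINE:(i + 1) * BITS_PER_LINE]
        tail = "".join("\t" if b == "1" else " " for b in chunk)
        out.append(line.rstrip(" \t") + tail)
    return "\n".join(out)


def extract(text: str) -> bytes:
    """Read the trailing whitespace of every line back into bytes.
    Returns b'' when there is no length prefix (i.e. nothing hidden)."""
    bits = ""
    for line in text.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        bits += "".join("1" if c == "\t" else "0" for c in tail)
    if len(bits) < LENGTH_BITS:
        return b""
    n = int(bits[:LENGTH_BITS], 2)
    body = bits[LENGTH_BITS:LENGTH_BITS + 8 * n]
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))


def whitespace_report(text: str) -> dict:
    """Examiner's check: ordinary documents rarely carry trailing whitespace
    on most lines, and almost never a mix of spaces and tabs there."""
    lines = text.split("\n")
    tails = [l[len(l.rstrip(" \t")):] for l in lines]
    flagged = [i + 1 for i, t in enumerate(tails) if t]
    mixed = any(" " in t and "\t" in t for t in tails)
    return {
        "lines": len(lines),
        "trailing_ws_lines": len(flagged),
        "line_numbers": flagged,
        "mixed_space_tab": mixed,
        "suspicious": mixed or len(flagged) > len(lines) // 2,
    }


if __name__ == "__main__":
    # Constructed carrier text for the demonstration.
    carrier = "\n".join(f"Line {i}: nothing to see here." for i in range(12))
    stego = hide(carrier, b"meet at 5")
    print(repr(stego.split("\n")[1]))      # visible text plus a tab/space tail
    print(extract(stego))
    print(whitespace_report(stego))
```

The report is deliberately crude: editors that leave trailing spaces will produce false positives, so treat a high ratio of whitespace-tailed lines, especially mixed tabs and spaces, as a reason to run a dedicated tool rather than as a finding on its own.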

Index.dat File

Index.dat is a file used by Microsoft Internet Explorer to store Web addresses, search queries, and recently opened files.

/etc Directory

Just as in Linux, this is where configuration files are located. Configuration files can be quite interesting in a forensic investigation: cybercriminals often adjust the system's configuration, sometimes in order to facilitate their return to the system later.

USA Patriot Act

Law that led to the creation of the Electronic Crimes Task Force and Regional Laboratories

Linux Email Server

Logs: /var/log/mail.*
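As an added example (not from the question set), the script below reads a constructed excerpt in Postfix's mail.log format and traces one message from the Message-ID logged by cleanup to its queue ID, the authenticated client, the sender, and the delivery status per recipient. The queue ID, hosts, users and addresses are invented; the field names (client=, sasl_username=, from=, to=, relay=, status=) are the ones Postfix really logs.

```python
"""Trace one message through Postfix logs (/var/log/mail.log or mail.*).

Added example; the log excerpt is constructed in Postfix's syslog format,
not taken from a real server. Queue ID, hosts and addresses are made up.
"""
import re

SAMPLE_LOG = """\
Mar 11 14:02:58 relay postfix/smtpd[2211]: connect from unknown[192.0.2.25]
Mar 11 14:02:59 relay postfix/smtpd[2211]: 7A1B2C3D4E: client=unknown[192.0.2.25], sasl_method=PLAIN, sasl_username=alice
Mar 11 14:02:59 relay postfix/cleanup[2215]: 7A1B2C3D4E: message-id=<20240311140255.1234@relay.example.net>
Mar 11 14:02:59 relay postfix/qmgr[1190]: 7A1B2C3D4E: from=<alice@example.net>, size=1834, nrcpt=2 (queue active)
Mar 11 14:03:05 relay postfix/smtp[2220]: 7A1B2C3D4E: to=<bob@example.com>, relay=mx.example.org[203.0.113.9]:25, delay=6.1, delays=0.3/0.01/2.4/3.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as def456)
Mar 11 14:03:07 relay postfix/smtp[2220]: 7A1B2C3D4E: to=<carol@example.test>, relay=none, delay=8.2, delays=0.3/0.01/7.9/0, dsn=4.4.1, status=deferred (connect to mx.example.test[198.51.100.40]:25: Connection timed out)
Mar 11 14:03:08 relay postfix/smtpd[2211]: disconnect from unknown[192.0.2.25]
"""

# syslog prefix, then "postfix/<daemon>[pid]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<rest>.*)$"
)
# most per-message lines start with the (uppercase hex) queue ID
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<body>.*)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    q = QID_RE.match(rec["rest"])
    rec["qid"] = q["qid"] if q else None
    rec["body"] = q["body"] if q else rec["rest"]
    return rec


def _field(body, name):
    """Value of a 'name=value' field; addresses are logged in angle brackets."""
    m = re.search(rf"{name}=(<[^>]*>|\S+?)(?:,|\s|$)", body)
    return m.group(1).strip("<>") if m else None


def trace_by_message_id(log, message_id):
    """Find the queue ID that the cleanup daemon logged for message_id and
    collect everything Postfix said about that queue entry."""
    records = [r for r in (parse_line(l) for l in log.splitlines()) if r]
    qid = next((r["qid"] for r in records
                if r["proc"] == "cleanup" and r["body"] == f"message-id={message_id}"),
               None)
    if qid is None:
        return None
    trace = {"queue_id": qid, "client": None, "sasl_username": None,
             "from": None, "recipients": {}, "events": []}
    for r in records:
        if r["qid"] != qid:
            continue
        trace["events"].append(f'{r["ts"]} {r["proc"]}: {r["body"]}')
        b = r["body"]
        if b.startswith("client="):
            # who connected and, if SASL was used, which account authenticated
            trace["client"] = _field(b, "client")
            trace["sasl_username"] = _field(b, "sasl_username")
        elif b.startswith("from="):
            trace["from"] = _field(b, "from")
        elif b.startswith("to="):
            trace["recipients"][_field(b, "to")] = {
                "relay": _field(b, "relay"),
                "status": _field(b, "status"),
            }
    return trace


if __name__ == "__main__":
    t = trace_by_message_id(SAMPLE_LOG, "<20240311140255.1234@relay.example.net>")
    for ev in t["events"]:
        print(ev)
    print(t["client"], t["sasl_username"], t["from"], t["recipients"])
```

On a real system the same queue ID can appear in several rotated files (mail.log, mail.log.1, mail.log.2.gz), and queue IDs are reused over time, so concatenate the relevant rotations in date order and keep the cleanup message-id line as the anchor rather than searching by queue ID alone.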

.nsf

Lotus Notes

Legal process required to obtain Transactional Information

Requires court order or search warrant

Forward Events Log

The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.

System Log

The System log contains events logged by Windows system components. This includes events like driver failures. This particular log is not as interesting from a forensic perspective as the other logs are.

Quiescent

The quiescent state is a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.

Semi-Active

The semi-active state is a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.

RFC 2822

The standard for e-mail message format, including headers (since obsoleted by RFC 5322)

/Users Directory

This directory contains all the user accounts and associated files. This is clearly critical to your investigation of a Macintosh machine.

/Volumes Directory

This directory contains information about mounted devices. You will find data here regarding hard disks, external disks, CDs, digital video discs (DVDs), and even virtual machines. This is a very important directory in your forensic examination.

/Network Directory

This directory contains information about servers, network libraries, and network properties.

/Applications Directory

This directory is where all applications are stored. Particularly in cases of malware, this is a critical directory to check.

Data Doctor

/Library/Preferences/SystemConfiguration/com.apple.preferences.plist File

This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.

Security Log

This is probably the most important log from a forensic point of view. It has both successful and unsuccessful logon events.

Application Log

This log contains various events logged by applications or programs. Many applications record their errors here in the Application log.

Applications and Services logs

These logs store events from a single application or component rather than events that might have systemwide impact

Channel

This may be a passive channel, such as photo, video, or sound files, or an active channel, such as a voice over IP (VoIP) call or a streaming video connection

POP3/IMAP

Used to retrieve emails (POP3: port 110 / IMAP: port 143)

SMTP

Used to send emails / port 25

Payload

What you want to hide; e.g., safe combinations would be the payload

Stealth Files 4

Works with sound files, video files, and image files
