certified computer forensic study set
A ________ is any security event that warrants activation of an incident response team to manage the event.
security incident
_____; Contains data concerning print jobs.
spl
The method of cryptography that hides a message in another file, such as a WAV file or BMP is called:
steganography
Recording the CMOS information, especially the __________, will be helpful in correlating similar temporal data during the analysis phase of the investigation.
time and date
What is the Safe Harbor Rule?
A provision that prohibits sanctions for loss of electronic information if it was lost due to routine, good faith operation of the system.
FAT is defined as
A table created during the format that the operating system reads to locate data on a drive
Section 1029 of Title 18 of the United States Code focuses on access devices. An access device is each of the following except:
A teletype machine
What is the extension that is used to apply a covert methodology to a file or executable?
ADS
What is the name of the function that can be used to attach or hide text or other executable in an existing file such that Windows or DOS related commands cannot see this file?
ADS
____ data is information readily available and accessible to the end-user.
Active data
Which of the following was not a reason to upgrade from the FAT16 file system to the FAT32 file system?
Added security benefits
When it comes to physical evidence, you should collect
All of the answers listed: items removed from the trash; all computer equipment, including peripherals; cables
Which operating systems support the FAT32 file system? (Choose two)
All versions of Windows ME; all versions of Windows XP
When it comes to actual rules of evidence, electronic records are handled the same as paper records with the exception that electronic records are recognized as being more susceptible to _____.
Alteration
NTFS Alternate Data Streams is the ability to append data to existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Which of the following is true about Alternate Data Streams?
Alternate Data Streams were not detectable with the built-in Windows tools of the Windows 2000/XP era. Caveat: on Windows Vista and later, dir /R lists them and PowerShell's Get-Item -Stream * enumerates them, so the statement no longer holds for current systems.
Courts have also ruled that under any circumstances, a copy (or duplicate) of digital evidence is admissible as an original as long as someone can what?
Authenticate it
If evidence cannot be _____, then it cannot be admissible in court
Authenticated
Creating 'digital fingerprints' or cryptographic checksums is part of which phase of the Alpha 5
Authentication
_____: It is essential to preserve the authentication of the acquisition of the digital evidence.
Authentication
What is the BIOS?
BIOS stands for Basic Input Output System, and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system.
____ should include a concise history, full identification of the authorizing entity, legal caption and all involved parties, relevant dates and times, full identification of the examiners, and account for the examiner's qualifications.
Background
When duplicating media, authentication (hashing) procedures should take place:
Before and after duplication
Case Management is vital to your lab protocol. Which one of the following does NOT define the elements of 'Case Management?'
Begin your analysis on the evidence collected.
What is the deductive method of analysis in which the convergence of the evidence is the basis of fact finding rather than an inductive method?
Behavioral Evidence Analysis
_____ concerns matching specific outcomes with stated scenarios.
Validation Review
The study of why certain people are victims of crime and how lifestyles affect the chances that a certain person will fall victim to a crime is called
Victimology
What settings must you change with Windows Explorer to be able to view the thumbs.db file?
View All Files
What setting must you make with Windows Explorer to be able to view the thumbs.db file?
View Hidden Files
Residual data may also be found in 'swap file space' on a disk. Swap file space is based on the concept of what?
Virtual Memory
Every employer should keep up-to-date, documented policies and procedures regarding their electronic data. If they don't follow this protocol, which one of the following is true?
Vital trade secrets can be leaked out of your company via email; employees have an expectation of privacy
What is the first sector on a volume called?
Volume boot record or sector
What are the contents of the Temporary Internet files?
Web mail artifacts; web page files; index.dat files that are used to manage cached files
The concept of reconstructing an incident is fairly simple and the most crucial point of an event to all aspects of an investigation is?
When did it happen?
The ______ tool allows users to view and manipulate data on CDMA phones from LG, Samsung, Sanyo and others.
BitPim
There are several known cryptographic attacks. Which one of the following is used to crack passwords?
Brute Force
This type of password cracking uses a trial and error method that uses all possible combinations of legal characters in sequence.
Brute Force
How is the chain of custody maintained?
By bagging evidence and sealing it to protect it from contamination or tampering; by documenting what, when, where, how, and by whom evidence was seized; by documenting in a log the circumstances under which evidence was removed from the evidence control room; by documenting the circumstances under which evidence was subjected to analysis
How would you verify that the evidence file contains an exact copy of the source device?
By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file.
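Hashing the source before and after duplication, then verifying the evidence file against the recorded digest, as an added example that is not part of the study set. The "device" is a constructed in-memory byte string standing in for a block device and the "image" for an evidence file; MD5 is computed because the card names it, with SHA-256 alongside because MD5 collisions are practical and many labs now record both.

```python
"""Hash before and after duplication, then verify the image (added example)."""
import hashlib


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Return {algorithm: hex digest} for the given bytes."""
    digests = {}
    for name in algorithms:
        h = hashlib.new(name)
        h.update(data)
        digests[name] = h.hexdigest()
    return digests


def acquire(device: bytes):
    """Hash the source, duplicate it bit-for-bit, hash the source again.

    Returns (image, pre_hash, post_hash). If pre and post differ, the source
    changed during acquisition (for example, no write blocker was in place).
    """
    pre = hash_bytes(device)
    image = bytes(device)            # bit-stream copy of every byte
    post = hash_bytes(device)
    return image, pre, post


def verify(image: bytes, source_hashes: dict) -> bool:
    """True only if every recorded digest matches the image contents."""
    return hash_bytes(image, tuple(source_hashes)) == source_hashes


def flip_bit(data: bytes, offset: int, bit: int) -> bytes:
    """Return a copy of data with one bit flipped (simulates alteration)."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


# Constructed sample "device": 8 sectors of 512 bytes with a recognisable pattern.
DEVICE = b"".join(bytes([i]) * 512 for i in range(8))

if __name__ == "__main__":
    image, pre, post = acquire(DEVICE)
    assert pre == post, "source changed during acquisition"
    print("image verifies:", verify(image, pre))
    print("altered image verifies:", verify(flip_bit(image, 700, 0), pre))
```

A single flipped bit anywhere in the image fails verification, which is why the digest recorded at acquisition time must be preserved with the chain-of-custody paperwork rather than recomputed later.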
Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn?
Format the volume with the FAT file system; give the volume a unique label to identify it; create a directory to contain the evidence file; wipe the volume before formatting to conform to best practices and avoid claims of cross-contamination.
Comparison is crucial when examining digital evidence. Which statement correctly defines comparison?
Comparing a piece of digital evidence with a control specimen to highlight unique aspects of the artifact
What is the process of comparing a piece of digital evidence with a control specimen, highlighting unique aspects of the artifact?
Comparison
What is the application of science to law?
Forensic science (computer forensics is that application to digital evidence)
Conduct which involves the manipulation of a computer or computer data, by whatever method, in order to dishonestly obtain money, property, or some other advantage of value, or to 'cause loss' is known as _______________.
Computer Fraud
What is the study of computers and how they relate to crimes?
Computer forensics
Which section of the report might include expert opinions if requested?
Conclusions
Concerns things like keeping the same message throughout the report and/or case, adhering to any given standards or policies, smoothing collaboration into a coherent, whole, continuous styles throughout, etc. These checks ensure the body of the work is coherent and meets all writing requirements, if any are imposed.
Content review
Subsequent to a search warrant where evidence is seized, what items should be left behind?
Copy of the search warrant; list of items seized
Which criteria is not going to affect "data loss" when considering long term storage of magnetic media?
Cost
After the digital forensic investigator creates a bit-stream forensic image of the original evidence, what is the next step in processing the evidence?
Create an exact copy of the original evidence and store away the pristine copy.
Referring to types of crimes: _______ generally refers to any type of crime involving finances, whereas _______ crimes have to do with the rights of the people.
Criminal Civil
As part of good forensic practice, wiping a forensic drive before reusing it prevents ___________?
Cross-contamination
___________ is the discipline of making and breaking code.
Cryptology
An extension of an incident scene in the real world and the digital incident scene in itself is referred to as
Cybertrail
When a text file is sent to the Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted filename.
D=deleted, C=drive letter, 0=index number, file extension remains the same
The LanMan (LM) hash used by Windows-based operating systems to store passwords does not use MD4 (that is the NTLM hash); it splits the upper-cased, 14-character password into two 7-byte halves and uses each half as a key for what block cipher?
DES (each half encrypts the constant KGS!@#$%)
Once the breadth of data to be collected has been agreed on to all parties' satisfaction, the next question is how to store it all. That process is called the _____.
Data Retention Policy
What is Meta Data?
Data about the data and its data elements or attributes
Rule 26 (f) has provisions requiring that the initial disclosures and the initial 'meet-and-confer' sessions include a discussion of any issues relating to preserving discoverable information. All would apply with the exception of:
Data contained within the unallocated portion of the drive
When shutting down a computer, what information is typically lost?
Data in RAM; running processes; current network connections; currently logged-in users
Under the Windows OS, files have 3 dates attached to them. Pick the 3 timestamps that you'll find.
Date last accessed; date modified; date created
When were the Amendments to the Federal Rules of Civil Procedure announced?
December of 2006
When investigating computer crimes, the computer forensics practitioner should do all of the following EXCEPT:
Destroy evidence once the case goes to court
What is spoliation?
Destruction or failure to preserve electronic evidence during litigation or when litigation is evident
During reconstruction, digital evidence can be expected to provide all except:
Determine conclusions
The forensics process for mobile devices starts with _____.
Device seizure
Any information of probative value that is either stored or transmitted in binary form is referred to as?
Digital Evidence
_____ are agreements between parties that govern the scope and procedures necessary to testing and inspection of a digital device.
Digital Evidence Protocols
The _____ process is the entire efforts of a party to a lawsuit and their attorneys to obtain information before a trial through demands for production.
Discovery
What is eDiscovery?
Discovery in legal proceedings where the information sought is in an electronic format
The fourth "Cardinal Rule" of digital forensics:
Document Everything
Prior to your analysis there are some questions you should ask: Which of the following questions would be appropriate to ask?
Does the client want a single forensics report for each piece of media examined or a report of the investigation that encompasses all media analyzed? How often does the client want a status report of your forensic examination? Which examiner should be assigned as the provider or author of the forensic report? Should the interim status reports be verbal or written?
EnCase is also the forensic tool of choice because it has passed the Daubert standards that are necessary for the admissibility of scientific evidence within the federal and State court systems. Which one of the following is NOT a factor when determining the reliability of the scientific techniques that are followed by the court system?
Does the expert sufficiently explain important empirical data?
A ________ is a counterpart produced by the same impression as the original, or by mechanical or electronic re-recording, or by other equivalent techniques that accurately reproduce the original. [Federal Rule of Evidence 1001(4)]
Duplicate
What is Paraben's mobile forensic software called?
E3:DS
What is ESI?
Electronically Stored Information: information that is stored in a medium from which it can be retrieved and examined.
When dealing with the legal implications of digital forensic evidence there is a standard or 'Best Evidence Rule'. Which one of these is considered 'The Best Evidence Rule'?
EnCase evidence files are considered 'original' and therefore satisfy the Best Evidence Rule
The first and foremost goal of Operational Security is
Ensuring the physical safety of the team
What is the minimum number of cryptographic keys required for secure two-way communications in asymmetric key cryptography?
Four (one public/private key pair for each of the two parties)
In an NTFS file system, and in the Registry, the date and time stamps are stored in:
UTC (GMT), as 64-bit FILETIME values, and are converted for display based on the system's time zone settings
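Decoding the 64-bit FILETIME values that NTFS and the Registry store (100-nanosecond ticks since 1601-01-01 UTC) and rendering them in a chosen zone, as an added example that is not from the study set. The sample FILETIME value and the fixed UTC-5 display zone are constructed for the demonstration. Two caveats the cards above do not mention: NTFS actually keeps four timestamps per file (created, modified, accessed, and MFT-entry modified), and FAT volumes store their timestamps in local time with no zone information, so this conversion does not apply to them.

```python
"""Windows FILETIME <-> UTC, and display in a system's local zone (added example)."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100-nanosecond intervals
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000   # well-known value for 1970-01-01 UTC


def filetime_to_utc(ft: int) -> datetime:
    """Unsigned 64-bit FILETIME -> timezone-aware UTC datetime (microsecond precision)."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; refuses naive datetimes rather than guess a zone."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: zone unknown, conversion would be ambiguous")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_from_bytes(raw: bytes) -> int:
    """FILETIME as it sits on disk in the MFT or a registry hive: 8 bytes, little-endian."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def display_local(ft: int, zone: timezone) -> str:
    """How the same stored value is shown on a system whose zone setting is `zone`."""
    return filetime_to_utc(ft).astimezone(zone).strftime("%Y-%m-%d %H:%M:%S %Z")


# Constructed sample: 2009-01-01 00:00:00 UTC as a FILETIME, and its on-disk bytes.
SAMPLE_FILETIME = 128_752_416_000_000_000
SAMPLE_RAW = SAMPLE_FILETIME.to_bytes(8, "little")
# Assumption for the demonstration: the examined system is set to UTC-5 with no DST.
DISPLAY_ZONE = timezone(timedelta(hours=-5))

if __name__ == "__main__":
    print(filetime_to_utc(filetime_from_bytes(SAMPLE_RAW)).isoformat())
    print(display_local(SAMPLE_FILETIME, DISPLAY_ZONE))
```

The same stored value prints as 2009-01-01 00:00:00 on a UTC system and as 2008-12-31 19:00:00 on a UTC-5 system, which is why examination notes should record the raw UTC value and the zone setting of the evidence machine, not just what a file browser displayed.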
Once notified of litigation, parties must consider their obligation to take reasonable and _____ steps to preserve potentially relevant electronically stored information.
Good Faith
Can information stored in the BIOS ever change?
Yes
What is the first consideration when responding to a scene?
Your safety
A review of the entire body of physical evidence in a given case that questions all related assumptions and conclusions is referred to as
Equivocal Forensic Analysis
What is the process of familiarizing oneself with the digital evidence without leaping to conclusions?
Equivocal Forensic Analysis
What are some common security events of interest?
Espionage; malicious code; denial of service attacks
Which subsection is where you give an unambiguous listing of all submitted evidence and any derivatives thereof?
Evidence
Of the three major categories of evidence, which is considered evidence that neither supports nor contradicts any theory?
Evidence of tampering
The value that equals one billion gigabytes is
Exabyte
Step 12 in the 20 basic steps of forensics is:
Examine unallocated and file slack space for digital evidence
Evidence that contradicts a given theory.
Exculpatory
What type of evidence contradicts a theory?
Exculpatory
Evidence that contradicts a given theory is called:
Exculpatory evidence
What is required for a duplicate of digital evidence to be admissible?
Expert authentication
What does "EXIF" stand for?
Exchangeable Image File Format
A computer forensic report should contain a "________" interpretation of the results from the various procedures applied to the evidence.
Factual
A file that is deleted from the command prompt or emptied out of the Recycle Bin is unrecoverable with forensic tools.
False
A standard DOS 6.22 boot disk does not make calls to the C:\volume of a hard drive when the diskette is booted.
False
An accurate printout of computer data always satisfies the best evidence rule.
False
Any digital evidence that is obtained without a search warrant is inadmissible in court.
False
Assigning a different file extension to a file changes the file to an unstable state.
False
Assigning a different file extension to a file changes the file to an unusable state.
False
Criminal evidence is "a preponderance of the evidence" and Civil evidence is "beyond a reasonable doubt."
False
Each examiner should have one's own unique computer numbering scheme for documenting evidence.
False
In password recovery, a complex file would be classified as having a recovery time of 24 to 48 hours.
False
It is the responsibility of the client to take affirmative steps to preserve the electronic evidence when there is a request to produce any designated documents or electronically stored information to the court.
False
The Fat32 file system is not supported on any version of DOS
False
The rules for digital evidence are different than those of paper files.
False
When documenting a crime scene, digital cameras should not be used because they can be altered with readily available programs.
False
When preparing a forensic report in anticipation of litigation, your report is protected under the 'work-product' doctrine.
False
When the MFT (Master File Table) or FAT (File Allocation Table) is deleted or damaged, the files on the partition are unrecoverable
False
When the Master File Table or File Allocation Table is deleted or damaged, the files on the partition are unrecoverable.
False
When using your incident response tools from the forensic toolkit that you have created, you should use the GUI interface that is associated with these tools instead of the console user interface
False
Without question, you should always pull the plug on a system instead of shutting it down normally.
False
This section is the bulk of the report as it details all the tools, forensic methods, and procedures undertaken.
Forensic Examination
What is the name of Access Data's software tool?
Forensic Tool Kit (FTK)
A Linux variant specifically crafted for forensic examination of live Mac systems that have the PowerPC processor.
Forensically sound, bootable CD for PowerPC Mac hardware
Having inadequate documentation of digital evidence can lead to what dire consequence?
Having the evidence found inadmissible
_____ evidence is any statement offered in evidence to "prove the truth of the matter asserted," unless made by the declarant while testifying at the trial or hearing.
Hearsay
An 'objection' is a lawyer's protests about the legal propriety of a question which has been asked of a witness by the opposing attorney, with the purpose of making the trial judge decide if the question can be asked. A proper objection must be based on specific reasons for not allowing a question. Which one of the following is not part of an objection basis?
Hearsay (the answer would be what someone told the witness rather than what he/she knew first-hand); calls for a conclusion (asking for opinion, not facts); irrelevant, immaterial, incompetent (often stated together, which may mean the question is not about the issues in the trial or the witness is not qualified to answer); leading (putting words in the mouth of one's own witness)
Disks and other media that are copies of the original evidence are considered what?
Hearsay evidence
What is WinHex and what is it used for?
WinHex is a hex editor. Hex editors let us view areas of the hard disk that are inaccessible through the OS (MBR, VBR, etc.); they allow us to recover deleted files using the legacy information in directories; and they allow us to view and search for deleted files in unallocated space.
When a hacker compromises a system which one of the actions below will they attempt to perform?
Hide data in NTFS alternate data streams; shred files that may give clues to the hacker's actions; clear the event log; disable auditing
When creating your forensic 'ToolKit' which two of the following items are essential to your kit?
High-end processor; forensic write blocker
____; A group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of the data in the hive.
Hive
What are some elements that we can use to assist us in attempting to hold a suspect accountable for a crime committed?
Hobby-related events; work-related events; gambling habits; use of peripheral devices
__; Should be implemented primarily on hosts, where network-based IDS falls short.
Host-based IDS
When handling computers for legal purposes, investigators increasingly are faced with four main types of problems, except:
How to keep your data and information safe from theft or accidental loss
What is located on a SIM card and can be up to twenty digits long and consist of an industry identifier prefix (usually 89 for telecommunications), country code, issuer identifier number, and individual account identification number?
ICCID
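Validating the structure of an ICCID (industry prefix 89, 19 to 20 digits, trailing Luhn check digit) and splitting it into its fields, as an added example that is not from the study set. The ICCID digits are constructed so that the check digit validates; the widths used for the country code and issuer identifier are parameters with assumed defaults, because ITU-T E.118 lets them vary and this code does not consult a real issuer table.

```python
"""ICCID prefix, length and Luhn check; field split with assumed widths (added example)."""


def luhn_valid(digits: str) -> bool:
    """True if the final digit is a correct Luhn (mod 10) check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:               # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_iccid(iccid: str, country_len: int = 2, issuer_len: int = 3) -> dict:
    """Validate an ICCID and split it into fields.

    Layout: industry identifier (89 = telecommunications), country code,
    issuer identifier, individual account number, Luhn check digit.
    country_len / issuer_len are assumptions; real widths vary by issuer.
    """
    if not iccid.isdigit() or not 18 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 18 to 20 digits")
    if iccid[:2] != "89":
        raise ValueError("ICCID does not carry the telecom industry prefix 89")
    if not luhn_valid(iccid):
        raise ValueError("ICCID fails Luhn check; suspect a transcription error")
    pos = 2
    country = iccid[pos:pos + country_len]
    pos += country_len
    issuer = iccid[pos:pos + issuer_len]
    pos += issuer_len
    return {
        "industry": "89",
        "country_code": country,
        "issuer_id": issuer,
        "account": iccid[pos:-1],
        "check_digit": iccid[-1],
    }


# Constructed 18-digit body; the check digit is computed so the sample validates.
SAMPLE_BODY = "890141032111185107"
SAMPLE_ICCID = SAMPLE_BODY + luhn_check_digit(SAMPLE_BODY)

if __name__ == "__main__":
    print(SAMPLE_ICCID, parse_iccid(SAMPLE_ICCID))
```

The Luhn check catches single-digit transcription errors when an ICCID is copied from a SIM label into case notes; it does not authenticate the card, and a failing check should prompt re-reading the card, not a conclusion that it is counterfeit.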
An example of academic style for computer sciences can be found within _____ papers.
IEEE
____; Should receive technical training, receive training on their responsibilities according to the response plan and associated policies, procedures, and understand the goals of incident response and how to report an incident.
IRT members
A good forensic investigator follows a defined process which involves the 6 A's: Assessment, Acquisition, Authentication, Analysis, Articulation, Archival. Which of the following is not part of the Assessment model?
Identify repositories; establish chain of custody; protect and preserve the data; determine scope and quantity of the data
The introduction of digital evidence can be difficult because of the avenues open for challenging its relevance and reliability. Which of the following would be grounds to exclude the relevant evidence?
If its probative value is substantially outweighed by the danger of unfair
Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?
In unallocated clusters; in the pagefile.sys file (not a folder); in the hiberfil.sys file (not a folder); in Temporary Internet Files under Local Settings in the user's profile
A _____ is a model taken from the military.
Standard Operating Procedures or "SOPs"
What qualities should your forensics report have if you are not going to be considered an expert in the case?
State your findings
What is Steganography?
Steganography is the process of hiding data within another file, such as a WAV or image file; more generally, it is the process of taking one piece of information and hiding it within another.
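Least-significant-bit steganography, the technique most often meant when a WAV or BMP carrier is mentioned, as an added example that is not from the study set. The carrier is a constructed buffer of 8-bit samples standing in for audio samples or pixel bytes, and the 4-byte big-endian length prefix is this example's own framing convention, not a standard.

```python
"""LSB embed/extract in a sample buffer, plus a simple detection statistic (added example)."""


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, message: bytes) -> bytes:
    """Hide message in the LSB of successive carrier bytes, prefixed by its length."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small: need %d samples" % (len(payload) * 8))
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit       # only the lowest bit changes
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the LSBs."""
    def read(n_bytes: int, start: int) -> bytes:
        value = bytearray()
        for b in range(n_bytes):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (stego[start + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; not this framing")
    return read(length, 32)


def max_sample_change(carrier: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


def lsb_ones_ratio(data: bytes) -> float:
    """Fraction of samples with LSB set; a flat smooth carrier drifts toward 0.5 after embedding."""
    return sum(b & 1 for b in data) / len(data)


# Constructed carrier: a slow ramp of even values, like a quiet tone or a smooth gradient.
CARRIER = bytes(((i // 8) * 2) % 256 for i in range(4096))

if __name__ == "__main__":
    hidden = embed(CARRIER, b"meet at 0900")   # constructed message
    print(extract(hidden), max_sample_change(CARRIER, hidden))
    print(lsb_ones_ratio(CARRIER), lsb_ones_ratio(hidden))
```

The per-sample change of at most 1 is why the carrier looks and sounds unchanged; the shift in the LSB-ones ratio over the embedded region is the simplest statistical hint an examiner has that a file carries a payload, though real detection needs the original or a model of natural LSB statistics.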
Which of the following are typical examples of "fruits of a crime"?
Stolen software; stolen hardware
Symmetric ciphers that encrypt one character at a time are called:
Stream ciphers
If the number of sectors reported does not match the number reported by the manufacturer for the drive, what should you do?
Suspect a DCO; suspect an HPA; boot with EnCase for DOS and switch to Direct ATA access; boot with LinEn in Linux
What file on a drive has the most evidentiary value?
Swap File
Sometimes referred to as "page files", these are based on the process where memory storage is augmented by writing some of its contents to disk.
Swap Files
Which event log contains events logged by the Windows NT/2k/XP system components? For example, the failure of a driver or other system component to load during startup is recorded in ___________
System Log
All of the following are part of the report EXCEPT:
Technical Jargon
_____ is a legal principle that holds an original document as superior evidence, and a copy or facsimile as secondary evidence.
The Best Evidence Rule
All hearsay exemptions for digital evidence are detailed in which document?
The Federal Rules of Evidence
What is another resource besides Microsoft's Computer Dictionary that can be used to find standardized terminology for technology devices.
The Sedona Conference Glossary
What problems do you foresee if you draw a conclusion in your report but do not reference the file that led you to that conclusion?
The evidence could be found inadmissible
Why is it challenging to collect and identify computer evidence to be used in a court of law?
The evidence is mostly intangible.
When presenting digital evidence, you should consider using Charts, maps and models. Which of the following is not true about this statement?
The information is vital to your presentation and is all you need to present a compelling case.
A file's physical size is?
The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster
Which of the following is incorrect?
The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so. (This is the incorrect statement: the table is 64 bytes at offset 446, four entries of 16 bytes each, followed by the 2-byte 0x55AA signature.)
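Parsing the MBR partition table, as an added example that is not from the study set, which also shows the real sizes: four 16-byte entries at offset 446 (64 bytes in total) followed by the 0x55AA signature at bytes 510-511. The 512-byte MBR below is constructed with a single NTFS-type (0x07) entry and a zeroed boot-code area.

```python
"""Parse the four 16-byte partition entries of a 512-byte MBR (added example)."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # 0x1BE: the table follows the 446-byte boot code
ENTRY_SIZE = 16
ENTRY_COUNT = 4
SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts; reject malformed sectors."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(ENTRY_COUNT):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue                          # unused slot
        entries.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "size_bytes": count * 512,        # assumes 512-byte logical sectors
        })
    return entries


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte entry; CHS fields are zeroed (LBA-only, as on modern disks)."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


# Constructed MBR: zeroed boot code, one bootable NTFS partition at LBA 2048, three empty slots.
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + build_entry(True, 0x07, 2048, 204800)
              + bytes(ENTRY_SIZE * 3)
              + SIGNATURE)

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
```

Checking the sector count of each entry against the drive's reported capacity is how unpartitioned space, and by extension a hidden HPA or DCO, is first noticed during examination.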
If a phone is found submerged in liquid during a seizure, you should remove the battery and seal it in an appropriate container along with what else?
The same liquid
What is the number one reason why external threats are difficult to investigate?
The significant variety of network topologies and access to same
Which statement is correct regarding Criminal Law?
The victim is "society" or the State
Dictionary attacks are limited by:
The words in the wordlist
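The two password-cracking strategies from the cards above (brute force, which tries every combination of legal characters in sequence, and a dictionary attack, which is limited to the words in its list), as an added example that is not from the study set. The captured digests are computed here with unsalted SHA-256 so the script runs offline; real password stores use salted, slow hashes, which change the cost per guess but not the comparison.

```python
"""Dictionary attack versus exhaustive search against a captured hash (added example)."""
import hashlib
import itertools
from typing import Iterable, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # 36 legal characters for the demo


def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate once; succeeds only if the password is in the list."""
    for word in wordlist:
        if digest(word) == target:
            return word
    return None


def brute_force(target: str, alphabet: str = ALPHABET,
                max_len: int = 3) -> Optional[str]:
    """Try every combination of alphabet up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if digest(candidate) == target:
                return candidate
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates brute_force() may have to try before giving up."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


# Constructed wordlist and two captured digests.
WORDLIST = ["password", "letmein", "qwerty", "summer2019"]
TARGET_IN_LIST = digest("letmein")
TARGET_NOT_IN_LIST = digest("zq7")   # short enough to brute-force, absent from the list

if __name__ == "__main__":
    print(dictionary_attack(TARGET_IN_LIST, WORDLIST))       # found
    print(dictionary_attack(TARGET_NOT_IN_LIST, WORDLIST))   # None: not in the wordlist
    print(brute_force(TARGET_NOT_IN_LIST))                   # recovered by exhaustion
    print(keyspace(len(ALPHABET), 3), "candidates at most")
```

The keyspace grows as alphabet_size ** length, so exhaustive search is only practical for short passwords or weak hashes, which is why biographical data (see the card on suspects' passwords) is used to build targeted wordlists first.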
Computer forensic practitioners investigate incidents which involve end-users who can be best described as 'insiders'. These people are usually in the position of trust. Which of the following are examples of internal theft? (Choose all that apply)
Theft of proprietary data; using company servers to distribute contraband
If an examiner were asked for "Curriculum Vitae," what should he/she be expected to produce?
Their resume of qualifications and experience in forensics
Why is it preferred that the acquisition be conducted in the forensic laboratory? (Choose all that apply)
There is less risk of "cross-contamination" in a controlled laboratory setting; the lab is a "controlled" environment, usually void of distractions; the lab maintains additional resources not usually available "on-scene"
What are some of the reasons eDocuments are such a problem when litigation arises?
They often continue to exist despite the user's intention to destroy them; the metadata associated with them leaves a trail of evidence
What does TDMA stand for?
Time Division Multiple Access
Culpability means
To deserve the blame for a crime
Why is it important for a lab to have established and documented SOP, QA, and Separation of Duties?
To ensure the believability of the collected data
It is important for a forensic lab to establish well documented Policies and Procedures. Which is the most appropriate reason why this would be important?
To establish well documented rules that are used to collect and process data
What is the purpose of an eDiscovery Liaison?
To facilitate a list by content and location of ESI you expect to use in your case
What is the primary objective of data classification schemes?
To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
Federal Rule of Evidence 702 provides that in order for a witness to be qualified as an expert, the expert must meet the following criteria
To have "knowledge, skill, experience, training, or education" regarding the subject matter involved.
When acquiring digital evidence, the evidence should not be left unattended in an unsecured location for what reason?
To maintain chain-of-custody
When would it be acceptable to navigate through a live system?
To observe the operating system to determine the proper shutdown process; to document currently opened files; to observe an encryption program running; to access a virtual storage facility (if the search warrant permits; some are very specific about physical location)
The Computer Fraud and Abuse Act of 1986 made it a misdemeanor to
Traffic in passwords
A computer forensic report allows for the highly technical information to be introduced in a concise and non-biased format.
True
A text file created with Microsoft Notepad has no file header
True
All forensic software must be licensed to the practitioner or the organization.
True
Although the Windows operating system removes the EMF spool file upon a successful print job, the examiner may still recover the file by searching for its unique header information in areas such as unallocated clusters or the swap file.
True
Any deviation of a lab's standard operating procedures, whether documented or undocumented, makes the digital evidence inadmissible in court
True
Before the actual examination begins, all media should be scanned for viruses.
True
Computer savvy attorneys with a technical background could present significant technical challenges in the courtroom.
True
Digital evidence is a type of physical evidence.
True
Digital evidence is information processed by a computer and stored on some form of media.
True
Forensic science involves "the application of science to law"
True
If the chain of custody is broken, the digital evidence will not stand up to scrutiny in court.
True
Individualization is finding characteristics of evidence that are sometimes created at random that give a unique quality.
True
Is the information contained on a computer's RAM chip accessible after a proper shutdown?
True
It is generally recognized that no hard and fast methodology for digital forensic examinations can be established since no two cases are exactly the same
True
Live memory capture requires administrative privileges.
True
Mac OSX Keychain is a password management application that stores passwords, certificates, encryption keys, and secure notes. Passwords are stored in a separate database by the user.
True
MacBook Airs may contain a hard drive, a solid-state drive, or NAND flash.
True
Magnetic hotel keys, vehicle computers, and Internet cookies are also included within the legal definition of discoverable ESI.
True
Mobile device acquisition and analysis can both be hindered by security settings within software or even the device itself.
True
Most digital forensics labs only take in removable media and items that are expected to contain digital evidence.
True
Only one file can occupy a cluster at one time and no two files can occupy the same cluster
True
Passwords can be found in memory.
True
Security controls for a forensic lab vary on your organizational needs. If you own a small business, all you need to secure your lab is an office behind a locked door with an inexpensive, fireproof safe.
True
The Electronic Communications Privacy Act, Fourth Amendment and numerous other federal and state statutes will apply where there are no written directives to govern your organization's computer use.
True
The NTFS file system is not supported on any version of DOS.
True
The SWGDE standards state the agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
True
The court can decide whether inaccessible data should be produced once it is proven by the client that the cost to access the data can produce an undue burden.
True
The definition of digital evidence is any information of probative value that is either stored or transmitted in binary form.
True
The final goal of Quality Control is to demonstrate that, by meeting its objectives, a laboratory provides confidence in the quality of its products.
True
The purpose of setting up new amendments to the Federal Rules of Civil Procedure were to design a framework for the parties and the court to give early attention to issues relating to electronic discovery.
True
Using alternate data streams in an NTFS system, you have the ability to hide data; however, in a Linux file system there is no such thing as alternate data streams.
True (Linux file systems do offer extended attributes, but these are size-limited metadata, not a second data fork)
You cannot format a 3.5-inch floppy disk with the NTFS file system.
True
/etc/fstab is the configuration file listing the partitions and storage devices to be mounted, with their mount points and options.
True
Why is biographical data on a suspect important when investigating digital evidence?
Users often use biographical data for passwords
To gather digital evidence based upon 'levels of proof', Criminal proof is defined as ____________ and Civil is _____________________. (Choose two)
beyond a reasonable doubt (criminal); a preponderance of the evidence (civil)
The Host Protected Area (HPA) is:
a reserved area for data storage outside the normal operating file system
During the examination phase, the digital forensic practitioner should remove the hard drive from the case ________ photographs have been taken
after
Known file filtering (KFF) is the process of: (choose two)
alerting you to known illicit or dangerous files; eliminating files known to be unimportant such as system and application files
The two classes of key-based encryption algorithms are: (Choose two)
asymmetric; symmetric
The recovery process of binary data from file slack and unallocated space on media is referred to as:
carving
Name two of the three aspects to digital evidence reconstruction:
classification of the digital evidence; recovery of active, backup, hidden, encrypted, deleted, or damaged artifacts
A forensically sound examination is one conducted under such controlled conditions that it is
completely documented; verifiable; repeatable
__________ and __________ form the basis for many modern cryptosystems because they tend to increase the workload of cryptanalysis.
confusion; diffusion
Forensic Notes or a Forensic Log should: (Choose two)
contain sufficient detail to make it possible for another computer forensic practitioner to duplicate the original investigator's efforts; be submitted to the forensic supervisor at the completion of the examination for review
After response to the incident site, the forensic practitioner must decide when and where to conduct the acquisition of potential digital evidence. Two of the main considerations during this event are
controllability, time
Forensically sterilizing (wiping) a drive prior to duplication ensures:
cross contamination will not take place
The goal of the digital evidence acquisition process is to duplicate the original evidence in a manner that protects and preserves the evidence in order to prevent (choose three answers)
damage; destruction; alteration
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS is a collection of:
digital signatures of known, traceable software applications
A _________ is an accurate digital reproduction of all data contained on an electronic storage device that maintains ALL contents and attributes and all slack space is transferred.
duplicate
____ is identified as a person (who could be internal counsel, external counsel, an employee, or a consultant) who is knowledgeable about and responsible for all facets of ESI as it relates to the party.
eDiscovery Liaison
What is eDiscovery?
eDiscovery refers to discovery in civil litigation: the entire efforts of a party to a lawsuit and their attorneys to obtain information before trial through demands for production of documents
Encryption containers, network storage, databases, unsaved files, etc. must be acquired before shutdown as they will become:
inaccessible afterwards
Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
index.dat file
Command to find unusual processes in Linux/Unix.
ps -eaf
What does unallocated space refer to?
Space on a drive that has not yet been written to
As the first person on the scene of an incident, you should
Collect and preserve as much evidence as possible
What would be an example of a function within an Operating System?
A malicious software program
What kind of files normally contain information about who accessed the system and when, where, and how long a user was on the system?
Audit Files
Mac OS X: This subfolder contains the swap file and sleepimage. A sleepimage is much like a hibernation file on a Windows computer and is located in /private/var/vm/sleepimage.
/var/vm
Mac OS X: The software installation history of installed applications and updates is located in _________.
/Library/Receipts/InstallHistory.plist
Mac OS X: This subfolder contains temporary files. Programs store temporary data at /var/tmp.
/Temp
Linux: The kernel version can be found in:
/etc/issue, /etc/*-release*, /etc/version
Linux: Default application binaries are located in:
/usr/bin/<application name>
Linux: The authorization log full path is:
/var/log/auth.log
A directory entry in a FAT file system has a logical size of
0 bytes
The MD5 hash algorithm produces a ____ value.
128-bit
There are _____ basic steps offered as best practices offered in the field of digital forensics.
20
What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?
56
How many sector(s) on a hard drive are reserved for the master boot record (MBR)?
63
The Cuckoo's Egg is
A book written by Cliff Stoll about international hackers
Section 1030 of Title 18 of the United States Code deals with fraud and related activity in connection with computer systems. A computer system is each of the following except:
A calculator
A misdemeanor is best described as
A criminal charge where the maximum penalty is less than one year incarceration
A felony is best described as
A criminal charge where the minimum penalty is greater than one year incarceration
A digital file produced or shaped by human craft, which retains investigative or historical interest is called
A digital artifact
To offer opinion testimony at trial, you must be qualified as what?
An Expert witness
Salami slicing is
An attack consisting of a series of small thefts spread over a large number of victims
What step is NOT part of the Alpha 5 method?
Application
_____; It contains events logged by applications or programs.
Application Log
Windows: These logs contain errors related to individual software and applications installed by the user of the machine, but they can be useful when doing forensics because, for example, you can see if the antivirus software was disabled during a specific period of time.
Application Logs
Data files of information that are no longer in active use, but stored separately to free space on a hard drive are referred to as?
Archival Data
_____: Identify which digital media may contain evidence, regardless of whether that evidence is incriminating or exculpatory in nature.
Assessment
At minimum, peer-review should occur after which of these phases:
At the completion of the analysis process; After all documentation has been completed
Which of the following is NOT one of the Alpha 5 protocols?
Attack
Which of the following is not a class of 'attack' defined by the NSA for the recovery of digital data?
Attacks that utilize DNA evidence from the victim to recover data
In Windows 2000/XP, information about a specific user's preference is stored in the NTUSER.DAT file. This compound file can be found in________.
C:\Documents and Settings\username
A forensically sound software acquisition tool usually meets the following criteria
Can be used with 'write blocking' imaging equipment; Is generally recognized in the digital forensic community as a 'standard' tool; Provides an authentication feature
Protecting evidence and providing accountability for who handled it during the different steps during an investigation is referred to as what?
Chain of Custody
____ require a preponderance of evidence to meet their requirements.
Civil evidence rules
The process of finding characteristics that can be used to describe an item in general terms and distinguish it from similar specimens is known as
Classification
What does CDMA stand for?
Code Division Multiple Access
Electronic discovery is governed by common and case law, as well as statutes, but primary governance comes from the ________.
Federal Rules of Civil Procedure
When data is written to a disk or media, it is written in 512-byte blocks. This means that if the end-user saves a 12-byte file to the media, the OS would actually save the 12 bytes and potentially 500 bytes of whatever happens to be in RAM (memory) at the time. The area left over is called?
File Slack
Which selection keeps track of a fragmented file in a FAT file system?
File allocation table
The FAT tracks the _______ while the directory entry tracks the _________.
File's last cluster (EOF) and file's starting cluster
Allows a Mac computer to act as if it is an external hard drive connected to another system. This mode operates at the firmware level, which means the OS is not engaged or booted. It is accessed by pressing "T" when starting the computer.
Firewire Target Disk Mode
Which device does not alter any data and allows reading of the ICCID, IMSI, fixed dialing numbers, hidden entries, MSISDN, deleted SMS, temporary mobile subscriber identity, and LAI information?
Forensic Card Readers
What is the preparation, detection, management, and resolution of incidents or events that occur in the information system?
Incident Handling
Evidence that supports a given theory.
Inculpatory Evidence
What file does Internet Explorer use to keep track of the history of web browsing?
Index.dat
What two processes carry out classification?
Individualization Comparison
During the early stages of a computer fraud investigation, the computer forensic practitioner may want to consider which of the following?
Interview with the system administrator to determine any internal security controls; Logical review of the media's file structure to develop the subject's 'level of expertise'; Conduct interviews with all complainants and witnesses
Which describes a DCO?
Is not normally seen by the BIOS; Stands for Dynamic Configuration Overlay; It may contain hidden data, which can be seen by switching to the Direct ATA mode in LinEn; Was introduced in the ATA-6 specification
When performing a 'dir' using DOS, what does hdb2 refer to?
It is syntax used when reviewing a Linux-based system.
The forensic practitioner should employ what practice when examining unknown executable files?
Isolate the executable for analysis
What does UTC have to do with digital evidence?
It is a standard of time as a quantified value that is used to bind validity, grant access and reconstruct the order of events
Why is recording the time/date information from the CMOS crucial to the investigation?
It is helpful in correlating temporal data during the analysis phase
Why is computer-generated documentation usually considered unreliable evidence?
It is too difficult to detect prior modifications.
Which of the following is a necessary characteristic of evidence for it to be admissible?
It must be reliable
What is another term for an incident response kit?
Jump Kit
When creating your forensic Tool Kit, which two of the following items are essential to your kit?
Laptop with relevant software tools; Forensic write blocker
____ refers to potentially existing, but not presently evident or realized evidence.
Latent evidence
According to the 'Theory of Transference' anyone entering or leaving a crime/incident scene _______. (Choose two)
Leaves something behind; Takes something with them
The final section in your report is the _____.
Listing of Exhibits
What is the name of the principle that says: Anyone or anything entering a crime/incident scene takes something with them and leaves something of them behind when they depart?
Locard's Principle
Windows: _____ is covered by event ID 104.
Logs were cleared
What is the term for when an established procedure is unable to be applied?
Major Deviation
___; Should have a basic understanding of the IR plan, be informed on how to report suspicious events, and be informed to provide support by allowing their employees to attend any training
Managers
What is found at Cylinder 0, Head 0, and Sector 1 on a hard drive?
Master Boot Record
Destroying or failing to preserve electronic evidence during litigation or when litigation is evident is called ______.
Spoliation
Password recovery software uses different classifications for password recovery time. One of these classifications is:
Medium
Data or information about a file or data is called _____.
Metadata
What is defined as "data that provides information about other data"?
Metadata
_____ is information about other information. An example would be GPS location data embedded into a digital photo file, or authorship information embedded into a document.
Metadata
The size of a physical hard drive can be determined by which of the following?
Multiplying cylinders x heads x sectors x 512 bytes; Multiplying the total LBA sectors by 512 bytes
Windows: _____ is covered by event log ID 5142.
Network Share Object was added
__; Should be implemented especially with non-trusted networks, such as the Internet and extranets.
Network-based IDS
Which of the following is not one of the four 'Cardinal Rules' of Computer Forensics:
Never document until all evidence is evaluated
Is the information contained on a computer's RAM chip accessible after a proper shutdown?
No
Prior to the investigation, what should a computer forensic practitioner do? (Choose all that apply)
Notify decision makers; Build your team of investigators; Have a workstation and data recovery lab
What does OLE stand for?
Object Linking and Embedding
Policy and Practices are good organizational elements to have in place. Which element below does not apply to Data Retention Architecture policy?
On/Off site Frequently, other ESI, PDAs etc. Laptops and Home computers Desktops and Servers
When correctly implemented, what is the only cryptosystem known to be unbreakable?
One-time pad
Federal Rules of Civil Procedure (FRCP) rule 26(f) ________.
Outlines what must be discussed during the eDiscovery Conference
Once notified of litigation, the obligation to protect information is on the _____.
Owner
Which items would potentially contain digital evidence?
PDA; Cell phones; MP3 players; Tablet PC
An applied procedure that results in an "impartial and objective" analysis of the original digital evidence.
Peer review
The '___________' process is designed to provide insight to the computer forensic practitioner.
Peer review
Which statement is correct regarding Civil Law?
Penalties consist of financial restitution to the victim
Which is the most logical order for these events in regards to securing evidence?
Photograph, label, transport, present in court, return to owner
Which of the following items would be considered contraband?
Photos involving child exploitation
What can be used by the forensic practitioner to build a relationship between the incident scene, the victim, and the suspect? (Choose two)
Physical evidence; Forensic science
After creating a duplicate from the original evidence, what should the digital forensic practitioner do with the original evidence?
Place original evidence in evidence locker or safe
All of the below are acceptable for 'bagging' a computer workstation except:
Plastic garbage bag
____ is the goal to prepare people, processes, and technologies for the prevention and detection of security incidents and to limit damage and downtime should such an incident occur.
Preparation
What is the first thing you should instruct your client to do once they have been presented with a litigation lawsuit?
Prepare and send a sample of a litigation hold to the attorney in the case
Step 1 in the 20 Basic Steps of Forensics is ________.
Prepare forensic lab environment
Which of the following is not considered an example of data hiding?
Preventing an authorized reader of an object from deleting that object
The goal of the digital evidence acquisition process is to duplicate the original evidence in a manner that: (Choose two)
Protects; Preserves
This device's main function is to authenticate the user (subscriber) of the device to the network and provide access to the services to which they have subscribed.
SIM Card
If portions of relevant data are recovered in unallocated or slack space areas of a drive, how would you present that evidence?
Provide a Screen shot of the evidence, which will provide full contextual presentation of the data.
The criteria that must be met to qualify as forensically sound software is which one of the following?
Provides an authentication feature; Is generally accepted by the digital forensic community; Has the ability to create a forensic bit-stream image while implementing a 'write blocking' device
What criteria has to be met to identify a software acquisition tool as "forensically sound?" (Choose two)
Provides an authentication feature (MD5); Recognized in the digital forensic community as a "standard tool"
What is to be included in an Expert Forensic Report?
Providing facts of your analysis as well as your opinion; A complete statement of all opinions to be expressed and the basis and reasons therefor
_____, which refers to the measures that are taken by a laboratory to monitor, verify, and document its performance.
Quality Assurance (QA)
Similar to the File slack, this occurs when an operating system allocates the minimum 512-byte block and the information does not fill that space fully.
RAM Slack
Order of volatility:
RAM, Running processes, Network connections, System settings, Storage
This basic step in the identification of an incident includes implementing a system to watch, monitor, and collect information.
Receive
The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.
Recycle Bin
In an NTFS file system, the date and time stamps offset are stored in:
Registry
When Forensic Laboratories receive intake from external sources, there are several documents and procedures that need to be followed to ensure compliance with custodial duties. The overarching document is usually called a __________.
Request for Service
What type of data is information that appears to be gone or non-existent to the end-user, but is still recoverable from the digital media?
Residual Data
When a file is deleted, the data in that file is not erased. Rather the file system marks the file space as 'free'. This is a type of what kind of data?
Residual Data
Which one of the FRCP addresses to 'Prepare a List, by content and location' of ESI you expect to use in your case?
Rule 26(a)(1)(B)
What are the three most widely used hashing authentication methods? (Choose three)
SHA1; MD5; CRC32
The smallest area on a drive that data can be written to is a _______while the smallest area on a drive that a file can be written to is a _______.
Sector and cluster
Which of the following is a document that defines the scope of security needed by an organization, lists the assets that need protection, and discusses the extent to which security solutions should go to provide the necessary protection?
Security policy
The concept of including a peer review and submittal of all documentation to a lab supervisor for administrative review is called
Separation of duties
When documenting the physical aspects of a hardware device, you should include:
Serial Numbers; Make; Configuration details; Model; All of the answers listed
Generally speaking, if you encounter an Apple Macintosh computer, how should you take down the machine?
Shut down by pulling the plug from the computer box
Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine?
Shut down by pulling the plug from the computer box.
Which of the following is typically not a characteristic considered when classifying data?
Size of object
The unused space in a disk cluster is referred to as
Slack space
What is the area between the end of a file's logical size and the file's physical size called?
Slack space
During the analysis phase of your investigation, classification and comparison are essential components. Which one of the following best describes this process:
Sorting through the best of two findings and relying on its significance to compare the rest of the findings in relation to it
All items below must be accepted to meet the Daubert Test except:
Whether the theory or technique enjoys 'general acceptance' within the 'relevant scientific community'; Whether it 'has been subjected to peer review and publication'; Whether a 'theory or technique can be (and has been) tested'
___; Windows default for a print spool job.
emf
_____ is/are considered to be all types of legally-presented proof that is allowed by the judge, which is intended to convince the judge or jury of alleged facts material to the case.
evidence
A unique identifying pattern found within a file which indicates the data type of the file is called a:
file signature
The goal of digital evidence processing is to ____________ and examine the data.
gain access to the data
Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
hiberfil.sys
Which Registry key are the user's recent documents stored in?
hkey_currentuser
Which windows registry hive contains the information on all user profiles?
hkey_users
As a digital forensic practitioner, you are limited by time, tools, and ________ during the analysis phase of the investigation.
imagination
Can be used to find a file that is still open but has been deleted.
lsof
Generally speaking, setting jumpers on the hard drive to a _________ setting will allow for a proper acquisition.
master
Class 3 attacks are very costly techniques used to recover the complete ________ of an __________ multi-gigabyte disk, as opposed to a few specifically targeted bytes.
overwritten copy
Which Windows 98 registry file records everything that is installed on the computer?
system.dat
The preferred location for digital evidence acquisition is:
the forensic laboratory because it is a 'controlled' environment
All persons involved in conducting examination of digital evidence should be:
trained for this purpose