Combined 1-8 Everything
What term refers to Linux ISO images that can be burned to a CD or DVD?
Linux Live CDs
Explain the difference between repeatable results and reproducible results.
"Repeatable results" means that if you work in the same lab on the same machine, you generate the same results. "Reproducible results" means that if you're in a different lab and working on a different machine, the tool still retrieves the same information.
What are two advantages and disadvantages of the raw format?
Advantages: + Fast transfers + Most tools can read it + Ignores minor data read errors. Disadvantages: - Requires as much space as the original suspect drive - Some tools (mostly freeware) might skip bad sectors
innocent information
- Unrelated information - Often included with the evidence you're trying to recover
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? 1. You begin to take orders from a police detective without a warrant or subpoena. 2. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. 3. Your internal investigation begins. 4. None of the above.
1
If a suspect computer is running Windows 10, which of the following can you safely perform? 1. Browsing open applications 2. Disconnecting power 3. Either of the above 4. None of the above
1
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? 1. Most companies keep inventory databases of all hardware and software used. 2. The investigator doesn't have to get a warrant. 3. The investigator has to get a warrant. 4. Users can load whatever they want on their machines.
1, 2
Which of the following is true of most drive-imaging tools? (Choose all that apply.) 1. They perform the same function as a backup 2. They ensure that the original drive doesn't become corrupt and damage the digital evidence. 3. They create a copy of the original drive. 4. They must be run from the command line.
1, 2, 3
Which of the following techniques might be used in covert surveillance? 1. Keylogging 2. Data sniffing 3. Network logs 4. None of the above
1, 2, 3
When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply) 1. Calculate the hash value with two different tools. 2. Use a different tool to compare the results of evidence you find. 3. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. 4. Use a command-line tool and then a GUI tool.
1, 2, 3 (?)
The reconstruction function is needed for which of the following purposes? (Choose all that apply.) 1. Re-create a suspect drive to show what happened. 2. Create a copy of a drive for other investigators. 3. Recover file headers. 4. Re-create a drive compromised by malware.
1, 2, 4
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? 1. Coordinate with the HAZMAT team. 2. Determine a way to obtain the suspect's computer. 3. Assume the suspect's computer is contaminated. 4. Do not enter alone.
1, 3
The verification function does which of the following? 1. Proves that a tool performs as intended 2. Creates segmented files 3. Proves that two sets of data are identical via hash values 4. Verifies hex editors
1.
List two popular certification programs for digital forensics.
1. CFCE - Certified Forensic Computer Examiner 2. CCFP - Certified Cyber Forensic Professional
List three items that should be on an evidence custody form.
1. Case number 2. Investigating organization 3. Investigator's name 4. Nature of the case 5. Location where the evidence was obtained 6. Description of the evidence 7. Vendor's name 8. Model number or serial number 9. Who the evidence was recovered by 10. Date and time evidence was taken into custody 11. Evidence placed in which locker and when it was placed there 12. Item #/Evidence processed by/Disposition of evidence/Date/Time 13. Page #
List three subfunctions of the extraction function.
1. Data viewing 2. Keyword searching 3. Decompressing or uncompressing 4. Carving 5. Decrypting 6. Bookmarking or tagging
List two types of digital investigations typically conducted in a business environment.
1. Employee termination cases 2. Internet abuse investigations 3. E-mail abuse investigations 4. Attorney-Client privilege investigations 5. Industrial espionage investigations
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive
1. EnCase 2. X-Ways Forensics
In the Linux dcfldd command, which three options are used for validating data?
1. Hashing via MD5, SHA-1, SHA-256, SHA-384, SHA-512 2. Verifying with the original disk or media data 3. Logging of errors to an output file for analysis and review 4. Referring to a status display indicating acquisition's progress in bytes
What are the three rules for a forensic hash?
1. It can't be predicted. 2. No two files can have the same hash value. 3. If the file changes, the hash value changes.
What items should your business plan include?
1. Justification 2. Budget - including facility costs, hardware and software requirements, as well as misc. 3. Approval/Acquisition Methods - w/ risk analysis and the number of investigations you plan on pursuing and their average length 4. Implementation - how to incorporate and install all approved items and a timeline for delivery/installation/and inspection of the facility 5. Acceptance Testing - making sure everything works 6. Correction for Acceptance 7. Production
List three items that should be in an initial-response field kit.
1. Laptop 2. Camera 3. Flashlight 4. Digital forensics kit Note - The list given here is not extensive. Ref Loc 5293 for a full list
List two features common with proprietary format acquisition files
1. Option to compress 2. Ability to split images for archival purposes 3. Ability to integrate metadata into the image
Name the three formats for computer forensics data acquisitions.
1. Raw 2. Proprietary 3. AFF (Advanced Forensics Format)
What three items should you research before enlisting in a certification program?
1. Requirements 2. Cost 3. Acceptability in your area of employment
What are the two main concerns when acquiring data from a RAID server?
1. Size 2. Configuration
List two items that should appear on a warning banner.
1. That the connection is restricted to authorized users 2. That the organization has a right to inspect and monitor computer and network usage
To determine the types of operating systems needed in your lab, list two sources of information you could use.
1. The Uniform Crime Report (UCR) 2. A list of crimes in your area or company
When you perform an acquisition at a remote location, what should you consider to prepare for the task?
1. The advanced privileges that are required to push the agent application to the remote system 2. The antivirus, antispyware, or firewall applications that can be programmed to ignore remote access programs 3. That the suspect could have security tools that trigger an alarm on remote access intrusions
Hashing, filtering, and file header analysis make up which function of computer forensics tools? 1. Validation and verification 2. Acquisition 3. Extraction 4. Reconstruction
1. Validation and verification
List three items that should be in your case report.
1. What you did 2. What you found 3. Answer: Who, What, When, Where, How 4. Know your target reader and write for them 5. Provide an explanation for processes and how systems and their components work
At what distance can the EMR from a computer monitor be picked up?
1/2 mile
In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?
1024
When was the Freedom of Information Act originally enacted?
1960s
Large digital forensics labs should have at least ______ exits.
2
What is the maximum file size when writing to FAT32 drives?
2 GB
Hash values are used for which of the following purposes? (Choose all that apply.) 1. Determining file size 2. Filtering known good files from potentially suspicious data 3. Reconstructing file fragments 4. Validating that the original data hasn't changed.
2, 4
A log report in forensics tools does which of the following? 1. Tracks file types 2. Monitors network intrusion attempts 3. Records an investigator's actions in examining a case 4. Lists known good files
3. Records an investigator's actions in examining a case
The standards for testing forensics tools are based on which criteria? 1. U.S. Title 18 2. ASTD 1975 3. ISO 17025 4. All of the above
3. ISO 17025
According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply) 1. The DEFR's competency 2. The DEFR's skills in using the command line 3. Use of validated tools 4. Conditions at the acquisition setting
3. Use validated tools
The triad of computing security includes which of the following? 1. Detection, response, and monitoring 2. Vulnerability assessment, detection, and monitoring 3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation 4. vulnerability assessment, intrusion response, and monitoring
3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
What is the maximum amount of time computing components are designed to last in normal business operations?
36 months
Policies can address rules for which of the following? 1. When you can log on to a company network from home 2. The Internet sites you can or can't access 3. The amount of personal e-mail you can send 4. Any of the above
4. Any of the above
By what percentage can lossless compression reduce image file size?
50%
When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?
80 degrees or higher
map node
A B*-tree node that stores a node descriptor and map record.
keychains
A Mac feature used to track a user's passwords for applications, Web sites, and other system files.
ISO image
A bootable file that can be copied to CD or DVD; typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk
Unicode
A character code that enables most of the languages of the world to be symbolized with a special character identification.
UTF-8
A coding system for storing characters in bits, extending the 8-bit ASCII coding system to include international characters by sometimes using more than 8 bits.
Raster Images
A collection of pixels, but stored in rows to make images easy to print.
Registry
A database that Windows uses to store hardware and software configuration information, user preferences, and setup information.
NTBOOTDD.SYS
A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
Which type of tool can be used to compare results and verify a new tool by viewing data in its raw format?
A disk editor
Write Blocker
A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.
hash value
A hexadecimal code based on the contents of a file, folder, or entire drive.
tarball
A highly compressed data file containing one or more files or directories and their contents. Similar to a Windows zip
recovery certificate
A method NTFS uses so that a network administrator can recover encrypted files if the file's user/creator loses the private key encryption code.
head and cylinder skew
A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.
file system
A method used by operating systems to store, retrieve, and organize files.
one-time passphrase
A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.
business case
A plan you can use to sell your services to management or clients
Initial-response field kit
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
extensive-response field kit
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
What do you call a forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation?
A portable workstation
Evidence custody form
A printed form indicating who has signed out and been in physical possession of evidence.
configuration management
A process of recording all the updates made to your workstation
What must be created to complete a forensic disk analysis and examination?
A report
Explain the differences in resource and data forks used in macOS.
A resource fork is where file metadata and application information is stored, such as menus, dialog boxes, icons, executable code, and controls. The data fork is where the data itself is stored, such as user-created text or spreadsheets.
What kind of forensic investigation lab best preserves the integrity of evidence?
A secure facility
device drivers
A software program that provides the instructions your computer needs to communicate with a device
nonkeyed hash set
A unique hash number generated by a software tool and used to identify files.
keyed hash set
A value created by an encryption utility's secret key.
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment?
A virtual machine
What usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will?
A warning banner
What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?
A warrant
What's a hashing algorithm?
A way of creating a binary or hexadecimal number that represents the uniqueness of the drive or data set; its "digital fingerprint"
Validation
A way to confirm that a tool is functioning as intended.
Open source data acquisition format
AFF
fingerprints can be tested with these systems
AFIS
Provides accreditation of crime and forensics labs worldwide
ANAB
Which organization has guidelines on how to operate a digital forensics lab?
ANAB (ANSI-ASQ National Accreditation Board)
ANAB
ANSI-ASQ National Accreditation Board
Illustrate with an example the problems caused by commingled data.
ANSWER: Suppose that during an examination, you find adult and child pornography. Further examination of the subject's hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation's hard drive. In the United States, possessing child pornography is a crime under federal and state criminal statutes. These situations aren't uncommon and make life difficult for investigators who don't want to be guilty of possession of this contraband on their forensic workstations. You survey the remaining content of the subject's drive and find that he's a lead engineer for the team developing your company's latest high-tech bicycle. He has placed the child pornography images in a subfolder where the bicycle plans are stored. By doing so, he has commingled contraband with the company's confidential design plans for the bicycle. Your discovery poses two problems in dealing with this contraband evidence. First, you must report the crime to the police; all U.S. states and most countries have legal and moral codes when evidence of sexual exploitation of children is found. Second, you must also protect sensitive company information. Letting the high-tech bicycle information become part of the criminal evidence might make it public record, and the design work will then be available to competitors. Your first step is to ask your organization's attorney how to deal with the commingled contraband data and sensitive design plans.
AFF
Advanced Forensics Format. Open-source acquisitions file format created by Dr. Simson Garfinkel.
Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence?
Affidavit
What are the five major function categories of any digital forensics tool?
All digital forensic tools, both hardware and software, perform specific functions. These functions are grouped into five major categories, each with subfunctions for refining data analysis and recovery and ensuring data quality: 1. Acquisition 2. Validation and discrimination 3. Extraction 4. Reconstruction 5. Reporting
Which term refers to an accusation or supposition of a fact that a crime has been committed and is made by the complainant, based on the incident?
Allegation
Ways data can be appended to existing files
Alternate data streams
ASCII
American Standard Code for Information Interchange
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
An affidavit
brute force attack
An attack on passwords or encryption that tries every possible password or encryption key.
password dictionary attack
An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
secure facility
An enclosed room with a lock with true floor-to-ceiling walls, no windows, with a secure container, and a visitor's log with legible entries.
Whole Disk Encryption
An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.
Which type of kit should include all the tools the investigator can afford to take to the field?
An extensive-response field kit
Where do software forensics tools copy data from a suspect's disk drive?
An image file
What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?
An initial-response field kit
wear leveling
An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells
Where should your computer backups be kept?
An off-site facility
Power should not be cut during an investigation involving a live computer, unless it is what type of system?
An older Windows or MS-DOS system
APFS
Apple File System. Differs from many file systems in that when data is written to a device, the metadata is also copied to help with crash protection.
What term refers to the number of bits in one square inch of a disk platter?
Areal density
How frequently should floors and carpets in the computer forensic lab be cleaned to help minimize dust that can cause static electricity?
At least once a week
ACP
Attorney-client privilege
A person who has the power to initiate investigations in a corporate environment?
Authorized requester
What term refers to the individual who has the power to conduct digital forensic investigations?
Authorized requester
AFIS
Automated Fingerprint Identification System. Scans fingerprints electronically and plots the positions of their ridge characteristics, comparing them with prints in a database.
Vector Graphics
Based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
What are some ways to determine the resources needed for an investigation?
Based on the OS of the computer you're investigating, list the software you plan to use for the investigation, noting other software, tools, or expert assistance you might need.
Why should evidence media be write-protected?
Because it maintains the quality and integrity of the evidence you're trying to preserve.
Why should you critique your case after it's finished?
Because self-evaluation and peer review are essential parts of professional growth. When a case is complete, review it to identify successful decisions and actions and determine how you could have improved your performance.
Describe the process of preparing an investigation team.
Before you initiate the search and seizure of digital evidence at incident or crime scenes, you must review all the available facts, plans, and objectives with the investigation team you have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data. Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene. In some digital investigations, responding slowly might result in the loss of important evidence for the case.
Microsoft's utility for protecting drive data
BitLocker
What are BitLocker's current hardware and software requirements?
BitLocker's current hardware and software requirements are as follows: * A computer capable of running Windows Vista or later (non-home editions) * The Trusted Platform Module (TPM) microchip, version 1.2 or newer * A computer BIOS compliant with Trusted Computing Group (TCG) * Two NTFS partitions for the OS and an active system volume with available space * The BIOS configured so that the hard drive boots first before checking the CD/DVD drive or other bootable peripherals
What specifies the Windows XP path installation and contains options for selecting the Windows version?
Boot.ini
In what process is the acquisition of newer and better resources for investigation justified?
Building a business case
A plan you can use to sell your services to your management or clients
Business case
When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?
Business-records exception
How does macOS reduce file fragmentation?
By using clumps, which are groups of contiguous allocation blocks. As a file increases in size, it occupies more of the clump. Volume fragmentation is kept to a minimum by adding more clumps to larger files.
Which NIST project manages research on forensics tools?
CFTT
Which Pacific Northwest agency meets to discuss problems that digital forensics examiners encounter?
CTIN
Allows legal counsel to use previous cases similar to the current one because laws don't yet exist?
Case law
CCE
Certified Computer Examiner
What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?
Certified Computer Forensic Technician, Basic
CCFP
Certified Cyber Forensics Professional
CFCE
Certified Forensic Computer Examiner
tracks
Circles on a magnetic storage device where data is stored or retrieved.
data runs
Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to store the second and third components' content.
How are disk clusters numbered by Microsoft file structures?
Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT. The first sector of all disks contains a system area, the boot record, and a file structure database. The OS assigns these cluster numbers, which are referred to as logical addresses. They point to relative cluster positions; for example, cluster address 100 is 98 clusters from cluster address 2. Sector numbers, however, are referred to as physical addresses because they reside at the hardware or firmware level and go from address 0 (the first sector on the disk) to the last sector on the disk. Clusters and their addresses are specific to a logical disk drive, which is a disk partition.
Bitmap images
Collections of dots, or pixels, in a grid format that form a graphic.
Forensics software tools are grouped into ____ and ____ applications.
Command line and GUI
When confidential business data are included with the criminal evidence, what are they referred to as?
Commingled data
Standard Graphics File Formats
Common graphics file formats that most graphics programs and image viewers can open. These include png, gif, jpg/jpeg, tif/tiff, bmp
Which entity was formed by the FBI in 1984 to handle the increasing number of cases involving digital evidence?
Computer Analysis and Response Team
CFTT
Computer Forensics Tool Testing. NIST's established guidelines for testing, evaluating, and validating tools.
What type of records are considered data that the system maintains, such as system log files and proxy server logs?
Computer-generated
Describe what should be videotaped or sketched at a computer crime scene
Computers, cable connections, overview of the scene—anything that might be of interest to the investigation.
What process refers to recording all the updates made to a workstation?
Configuration management
low-level investigations
Corporate cases that require less investigative effort than a major criminal case.
Which type of case involves charges such as burglary, murder, or molestation?
Criminal
What are some of the features offered by current whole disk encryption tools?
Current whole disk encryption tools offer the following features that computer forensics examiners should be aware of: * Preboot authentication, such as a single sign-on password, fingerprint scan, or token (USB device) * Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver * Advanced encryption algorithms, such as AES and IDEA * Key management function that uses a challenge-and-response method to reset passwords or passphrases
CRC
Cyclic Redundancy Check. A mathematical algorithm that determines whether a file's contents have changed. It is not considered to be a forensic hashing algorithm.
What term refers to a column of tracks on two or more disk platters?
Cylinder
What does CHS stand for?
Cylinders, Heads, Sectors
With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above
D. All of them
A technician is trying to recover information on a computer that has been hidden or deleted on purpose in order to hide evidence of a crime. Which type of task is the technician performing?
Data Recovery
RAM slack
Data from RAM that is used to fill up the last sector on a disk
Computer-generated records
Data generated by a computer, such as system log files or proxy server logs.
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?
Data runs
What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?
Device drivers
DEFR
Digital Evidence First Responder
DES
Digital Evidence Specialist
Which group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime?
Digital Investigators
The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data?
Digital forensics
What type of plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing?
Disaster recovery
Addresses how to restore a workstation you reconfigured for a specific investigation
Disaster recovery plan
Which type of copy from the suspect disk to the target location does the simplest method of duplicating a disk drive make?
Disk-to-image
What is the most common and flexible data-acquisition method?
Disk-to-image file copy
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
Doing so protects your equipment and minimizes how many items you have to keep track of at the scene.
Unused space in a cluster between the end of an active file's content and the end of the cluster
Drive slack
What older Microsoft disk compression tool eliminates only slack disk space between files?
DriveSpace
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
EFS
covert surveillance product
EnCase Enterprise Edition
Which forensic tools can connect to a suspect's computer and run surreptitiously?
EnCase, ProDiscover
EFS
Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.
What term refers to a person using a computer to perform routine tasks other than systems administration?
End user
What type of files might lose essential network activity records if power is terminated without a proper shutdown?
Event logs
How frequently does IACIS require recertification to demonstrate continuing work in the field of computer forensics?
Every 3 years
Digital Evidence
Evidence consisting of information stored or transmitted in electronic form.
Exculpatory evidence
Evidence indicating that a defendant did not commit the crime.
Exif
Exchangeable Image File Format. Created by the Japan Electronics and Information Technology Industries Association (JEITA) as a standard for storing metadata in JPEG and TIF files.
When an investigator seeks a search warrant, what must be included in an affidavit to support the allegation of a crime?
Exhibits
Of all of the proprietary formats, which is the unofficial standard?
Expert Witness Compression format
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.
HFS+
Extended Format File System. Difference between HFS, HFS+: HFS - 65536 blocks. HFS+ - 4 billion.
Vendor-neutral specialty remote access utility designed to work with any digital forensics program
F-Response
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
FAT
A standard indicator for graphics files
FF D8
agencies must comply with these laws and make documents they find and create available as public records
FOIA
A high-end RAID server from Digital Intelligence
FREDC
A JPEG file is an example of a vector graphic. True or False?
False
As data is added, the MFT can expand to take up 75% of the NTFS disk.
False
Because there are a number of different versions of UNIX and Linux, these OSs are referred to as CLI platforms.
False
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Computer investigations and forensics fall into the same category: public investigations.
False
Copyright laws don't apply to Web sites. True or False?
False
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
False
Data can't be written to the disk with a command-line tool. True or False?
False
FTK Imager can acquire data in a drive's host protected area. True or False?
False
For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.
False
From a network forensics standpoint, there are no potential issues related to using virtual machines.
False
Graphics files stored on a computer can't be recovered after they are deleted. True or false?
False
Hardware manufacturers have designed most computer components to last about 36 months between failures.
False
ISPs can investigate computer abuse committed by their customers.
False
If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.
False
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.
False
In software acquisition, there are three types of data-copying methods.
False
Linux is the only OS that has a kernel. True or False?
False
Only one file format can compress graphics files. True or False?
False
Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.
False
Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.
False
Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.
False (the textbook's answer; note that current Windows does ship certutil -hashfile and PowerShell's Get-FileHash, so hashes can be computed without third-party tools)
Small companies rarely need investigators. True or False?
False
The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD).
False
The first 5 bytes (characters) for all MFT records are FILE.
False. The signature is the 4 bytes FILE (46 49 4C 45).
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
The plain view doctrine in computer searches is well-established law. True or False?
False
The validation function is the most challenging of all tasks for computer investigators to master.
False
Typically, a virtual machine consists of just one file.
False
When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together.
False
When investigating graphics files, you should convert them into one standard format. True or False?
False
When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers.
False
You should always answer questions from onlookers at a crime scene. True or False?
False
False positives
False hits that require examining each search hit to verify whether it's what you are looking for.
The ANAB mandates the procedures established for a digital forensics lab. True or False?
False
A live acquisition can be replicated. True or False?
False, due to volatile memory.
Digital forensics and data recovery refer to the same activities. True or False?
False.
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?
False. All visitors must sign the log in order to ensure accountability and security.
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product work. True or False?
False. Any information discovered before the memo is issued can be used in discovery by the opposition; the attorney work product rule covers only material created after the attorney's memo.
A forensic workstation should always have a direct broadband connection to the Internet. True or False?
False. If Internet access is needed, a second, nonforensic workstation should be used to access the Internet.
Evidence storage containers should have several master keys. True or False?
False. To maintain security, the fewer keys in circulation, the better.
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False. It's not until the private-sector investigator starts working at the direction of law enforcement that they are considered an agent of law enforcement.
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?
False. That is "repeatable results".
Digital forensics facilities always have windows. True or False?
False. They do not have windows in order to protect the privacy and integrity of the investigation.
You should always prove the allegations made by the person who hired you. True or False?
False. You must always maintain an unbiased perspective and be objective in your fact-finding.
FAT
File Allocation Table
List three items stored in the FAT database.
File and directory names, starting cluster numbers, file attributes, date and time stamps.
Gives an OS a road map to data on a disk
File system
B*-tree
A file-system structure used in earlier versions of Mac OS to organize the directory hierarchy and file block mapping. In this structure, nodes (records or objects) contain file data; each node is 512 bytes. The nodes containing actual file data are called leaf nodes; they're the bottom level of the B*-tree.
Which activity involves sorting and searching through investigation findings to separate good data and suspicious data?
Filtering
What are some of the components of a disk drive?
Following is a list of disk drive components: * Geometry—Geometry refers to a disk's logical structure of platters, tracks, and sectors. * Head—The head is the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides. * Tracks—Tracks are concentric circles on a disk platter where data is located. * Cylinders—A cylinder is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom. * Sectors—A sector is a section on a track, usually made up of 512 bytes.
Which group often works as part of a team to secure an organization's computers and networks?
Forensics Investigators
Which resource can be helpful when investigating older and unusual computing systems?
Forums and blogs
Police in the United States must use procedures that adhere to which of the following? 1. Third Amendment 2. Fourth Amendment 3. First Amendment 4. None of the above
Fourth Amendment
Ext4
Fourth Extended File System (Linux). Supports volumes up to 1 EB and files up to 16 TB; backward-compatible with ext3 and ext2. (The ability to read and write NTFS, FAT32, exFAT, HFS+, ext2, ext3, and ext4 volumes belongs to the Linux kernel and its file system drivers, not to ext4 itself.)
Explain the advantages and disadvantages of GUI forensics tools.
GUI tools have several advantages, such as ease of use, the capability to perform multiple tasks, and no requirement to learn older OSs. Their disadvantages range from excessive resource requirements (such as needing large amounts of RAM) and producing inconsistent results because of the type of OS used. Another concern with using GUI tools is that they create investigators' dependence on using only one tool. In some situations, GUI tools don't work and a command-line tool is required.
Metafile Graphics
Graphics files that are combinations of bitmap and vector images.
Sponsors the EnCE certification program
Guidance Software
The first forensics vendor to develop a remote acquisition and analysis tool
Guidance Software
you should rely on this when dealing with a terrorist attack
HAZMAT
HAZMAT
Hazardous Materials
a statement made while testifying at a hearing by someone other than an actual witness to the event
Hearsay
HFS
Hierarchical File System. Files are stored in directories that can be nested in other directories.
HPFS
High Performance File System - A file system created specifically for the OS/2 operating system to improve upon the limitations of the FAT file system. Among its improvements are: support for mixed case file names, support for long file names (255 characters), more efficient use of disk space, less fragmentation of data
HTCN
High Tech Crime Network
HPA
Host Protected Area. The area of the drive that's not normally visible to the OS.
One of the oldest professional digital forensics organizations
IACIS
What organization was created by police officers in order to formalize credentials for digital investigators?
IACIS
Which agency introduced training on software for forensics investigations by the early 1990s?
IACIS
The first MS-DOS tools that analyzed and extracted data from floppy disks and hard disks were used with which type of PC file systems?
IBM
States that Digital Evidence First Responders (DEFRs) should use validated tools
ISO 27037
Which standards document demands accuracy for all aspects of the testing process?
ISO 5725
ILookIX acquisition tool
IXImager
Why should you do a standard risk assessment to prepare for an investigation?
Identifying the risks can help mitigate or minimize any foreseeable issues with the investigation.
Why should companies publish a policy stating their right to inspect computing assets at will?
If a company doesn't display a warning banner or publish a policy stating that it reserves the right to inspect computing assets at will, employees have an expectation of privacy. When an employee is being investigated, this expected privacy prevents the employer from legally conducting an intrusive investigation. A well-defined company policy, therefore, should state that an employer has the right to examine, inspect, or access any company-owned computing assets. If a company issues a policy statement to all employees, the employer can investigate digital assets at will without any privacy right restrictions; this practice might violate the privacy laws of countries in the EU, for example. As a standard practice, companies should use both warning banners and policy statements. For example, if an incident is escalated to a criminal complaint, prosecutors prefer showing juries warning banners instead of policy manuals. A warning banner leaves a much stronger impression on a jury.
BootSect.dos
If a machine has multiple booting OSs, NTLDR reads BootSect.dos, which is a hidden file, to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).
What should you do when working on an Internet investigation and the suspect's computer is on?
If you're working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions. Don't examine folders or network connections or press any keys unless it's necessary. For systems that are powered on and running, photograph the screens. If windows are open but minimized, expanding them so that you can photograph them is safe. As a precaution, write down the contents of each window.
PassMark Software acquisition tool for its OSForensics analysis product
ImageUSB
plist files
In Mac, preference files for installed applications on a system, usually stored in /Library/Preferences.
attribute id
In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.
Carving
In North America, the process of recovering any type of file fragments. See also Salvaging
Info2 file
In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.
bad block inode
In the Linux file system, the inode that tracks bad sectors on a drive.
logical block
In the Mac file system, a collection of data that can't exceed 512 bytes. Logical blocks are assembled in allocation blocks to store files in a volume.
Allocation block
In the Mac file system, a group of consecutive logical blocks assembled in a volume when a file is saved.
logical EOF
In the Mac file system, the actual ending of a file's data.
Illustrate the use of a write-blocker on a Windows environment.
In the Windows environment, when a write-blocker is installed on an attached disk drive, the drive appears as any other attached disk. You can navigate to the blocked drive with any Windows application, such as File Explorer, to view files or use Word to read files. When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data—in other words, data is written to null. When you restart the workstation and examine the blocked disk, you won't see the data or files you copied to it previously.
Involves selling sensitive or confidential company information to a competitor?
Industrial espionage
bootstrap process
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial-response field kit
information unrelated to a computing investigation case
Innocent information
What are records in the MFT called?
Inodedata
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices.
IACIS
International Association of Computer Investigative Specialists
The process of trying to get a suspect to confess to a specific incident or crime?
Interrogation
Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?
Investigating and controlling the scene is much easier in private sector environments.
How can you secure a computer incident or crime scene?
Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could jeopardize the investigation. If you're in charge of securing a digital incident or crime scene, use barrier tape to prevent bystanders from entering the scene accidentally, and ask police officers or security guards to prevent others from entering the scene or taking photos and videos with smartphones and other digital devices. Legal authority for an incident scene includes trespassing violations; for a crime scene, it includes obstructing justice or failing to comply with a police officer. Access to the scene should be restricted to only those people who have a specific reason to be there. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. In this way, you avoid overlooking an area that might be part of the scene. Shrinking the scene's perimeter is easier than expanding it.
What must be done, under oath, to verify the information in the affidavit is true?
It must be notarized
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.
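The MFT cards above (the FILE signature, attribute IDs, and virtual cluster numbers) describe structures that are easier to understand when decoded. The following is an added example and not code from the textbook or this card set. It parses one NTFS MFT record: it checks the FILE signature, applies the update-sequence fixups (which an examiner must undo before the record bytes are trustworthy), walks the attribute headers, extracts the name from a resident $FILE_NAME attribute, and decodes the data runs of a non-resident $DATA attribute into VCN-to-LCN mappings. The record it parses is constructed in build_sample_record(); its layout (USA at 0x30, first attribute at 0x38, 1 KiB records, 4 KiB clusters in the size fields) is an assumption chosen for the example.

```python
import struct

FILE_NAME, DATA, END_MARKER = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(record: bytes, sector: int = 512) -> bytes:
    """Undo NTFS fixups: each sector ends with the USN, originals live in the USA."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or corrupt record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def decode_runs(data: bytes, start_vcn: int = 0) -> list:
    """Data runs -> [(first VCN, first LCN or None if sparse, cluster count)].
    Header byte = (offset field size << 4) | length field size; offsets are signed
    and relative to the previous run's LCN, which is how fragmentation is encoded."""
    runs, pos, vcn, lcn = [], 0, start_vcn, 0
    while pos < len(data) and data[pos] != 0:
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:                                   # off_sz == 0 marks a sparse run
            lcn += int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append((vcn, lcn if off_sz else None, length))
        vcn += length
    return runs

def vcn_to_lcn(runs: list, vcn: int):
    """Map a virtual cluster of the file to the logical cluster on the volume."""
    for first_vcn, first_lcn, count in runs:
        if first_vcn <= vcn < first_vcn + count:
            return None if first_lcn is None else first_lcn + (vcn - first_vcn)
    raise ValueError(f"VCN {vcn} is beyond the attribute's last VCN")

def parse_record(raw: bytes) -> dict:
    if raw[:4] != b"FILE":
        raise ValueError(f"not an MFT record: signature {raw[:4]!r}")
    rec = apply_fixups(raw)
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    info = {"sequence": seq, "links": links, "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "used": used, "allocated": alloc, "attributes": []}
    off = attr_off
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        nonres, _nlen, _noff, _aflags, attr_id = struct.unpack_from("<BBHHH", rec, off + 8)
        attr = {"type": atype, "id": attr_id, "non_resident": bool(nonres)}
        if nonres:
            start_vcn, _last_vcn, run_off = struct.unpack_from("<QQH", rec, off + 0x10)
            attr["real_size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
            attr["runs"] = decode_runs(rec[off + run_off:off + alen], start_vcn)
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == FILE_NAME:       # name length at +64, UTF-16LE name at +66
                attr["filename"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        info["attributes"].append(attr)
        off += alen
    return info

def build_sample_record() -> bytes:
    """Constructed 1 KiB record for 'evidence.txt' with a fragmented $DATA."""
    name = "evidence.txt".encode("utf-16-le")
    body = bytearray(66 + len(name))
    struct.pack_into("<Q", body, 0, 5)            # parent: MFT record 5 (root dir)
    body[64], body[65], body[66:] = len(name) // 2, 3, name
    fn = bytearray((0x18 + len(body) + 7) & ~7)
    struct.pack_into("<IIBBHHHIH", fn, 0, FILE_NAME, len(fn), 0, 0, 0x18, 0, 1, len(body), 0x18)
    fn[0x18:0x18 + len(body)] = body
    runs = bytes([0x31, 0x20, 0x00, 0x10, 0x00,   # 32 clusters at LCN 4096
                  0x21, 0x10, 0x00, 0xFE, 0x00])  # 16 clusters at LCN 4096-512, end
    da = bytearray((0x40 + len(runs) + 7) & ~7)
    struct.pack_into("<IIBBHHH", da, 0, DATA, len(da), 1, 0, 0x40, 0, 2)
    struct.pack_into("<QQHH", da, 0x10, 0, 47, 0x40, 0)   # start VCN, last VCN, run offset
    struct.pack_into("<QQQ", da, 0x28, 48 * 4096, 196000, 196000)
    da[0x40:0x40 + len(runs)] = runs
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0, 1024)
    off = 0x38
    for attr in (fn, da):
        rec[off:off + len(attr)] = attr
        off += len(attr)
    rec[off:off + 4] = b"\xFF\xFF\xFF\xFF"
    struct.pack_into("<I", rec, 0x18, off + 8)   # used size of the record
    usn = b"\x07\x00"                             # apply fixups as NTFS would
    rec[0x30:0x32] = usn
    for i, end in ((1, 512), (2, 1024)):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)
```

In the sample, VCN 0 to 31 map to LCN 4096 onward and VCN 32 to 47 to LCN 3584 onward, so the second fragment physically precedes the first; a fixup mismatch (for example, a record torn by a power loss mid-write) raises instead of silently yielding wrong cluster numbers.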
Why is it good practice to make two images of a suspect drive in a critical investigation?
It's helpful in making sure that data has been copied correctly. It also protects against loss and minimizes the risk of failure in the investigation.
Describe how to use a journal when processing a major incident or crime scene.
Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene. With mobile devices, you can easily record a log of what you're doing; just be sure to check who has access to your mobile device.
Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence
Lab manager
LSB
Least Significant Bit, the right-most bit in a binary whole number or code
Nonstandard Graphics File Formats
Less common graphics file formats, including proprietary formats, newer formats, formats that most image viewers don't recognize, and old or obsolete formats. These include tga, rtl, psd, ai, fh11, svg, pcx.
Usually a laptop computer built into a carrying case with a small selection of peripheral options
Lightweight workstation
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence?
Line of authority
What do published company policies provide for a business that enables them to conduct internal investigations?
Line of authority
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
Live
What type of acquisition is used for most remote acquisitions?
Live
Keyword search
Looks for words anywhere in the data.
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
Lossless
Used with .jpeg files to reduce file size; it permanently discards some image data, so the restored image isn't bit-identical to the original even though the difference is usually not visible when the file is viewed
Lossy compression
what most cases in the private sector environment are considered
Low-level investigations
What does Autopsy use to validate an image?
MD5
What is on an NTFS disk immediately after the Partition Boot Sector?
MFT
Which tool enables the investigator to acquire the forensic image and process it in the same step?
Magnet AXIOM
MBR
Master Boot Record. An area on a hard disk in its first sector. When the BIOS boots a system, it looks at the MBR for instructions and information on how to boot the disk and load the operating system. Some malware tries to hide here.
MFT
Master File Table
What does MFT stand for?
Master File Table
MD5
Message Digest 5. A 128-bit hashing function used to provide integrity (to show that an image and its source are identical). Collisions can be produced deliberately, so MD5 alone no longer proves authenticity; pair it with a SHA-2 digest.
What is most often the focus of digital investigations in the private sector?
Misuse of digital assets
At what levels should lab costs be broken down?
Monthly, quarterly, and annually
MSB
Most Significant Bit, the left-most bit in a binary whole number or code
Which organization provides good information on safe storage containers?
NISPOM (National Industrial Security Program Operating Manual) - Chapter 5, Section 3
Which entity publishes articles, provides tools, and creates procedures for testing and validating computer forensics software?
NIST
Briefly explain the NIST general approach for testing computer forensics tools.
NIST has created criteria for testing computer forensics tools, which are included in the article "General Test Methodology for Computer Forensic Tools" (version 1.9, November 7, 2001), available at www.cftt.nist.gov/testdocs.html. This article addresses the lack of specifications for what forensics tools should do and the importance of tools meeting judicial scrutiny. The criteria are based on standard testing methods and ISO 17025 criteria for testing when no current standards are available.
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?
NTBootdd.sys
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?
NTDetect.com
In addition to FAT16, FAT32, and Resilient File System, which file system can Windows hard disks also use?
NTFS
Microsoft's move toward a journaling file system
NTFS
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
NIST
National Institute of Standards and Technology
NSRL
National Software Reference Library. A compiled list of known file hashes for a variety of OSs, applications, and images. Currently adding hash values for iOS and Android applications.
Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with?
Network forensics
NTFS
New Technology File System
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
No. if= is the input file and of= the output file, so this command would write the image onto the suspect drive and destroy the evidence. It should be: dcfldd if=/dev/hda1 of=image_file.img (with a write blocker on the suspect drive).
Evidence bags
Nonstatic bags used to transport removable media, hard drives, and other computer components.
Static Acquisitions
Normally done on a system or drive that has been seized, often with a write-blocking device to prevent writing to the suspect disk.
One of the first MS-DOS tools used for digital investigations
Norton DiskEdit
Tool for directly restoring files
Norton Ghost
Which filename refers to the Windows XP system service dispatch stubs to executables functions and internal support functions?
Ntdll.dll
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
Ntkrnlpa.exe
areal density
Number of bits per square inch of a disk platter
covert surveillance
Observing people or places without being detected, often using electronic equipment, such as video cameras or keystroke/screen-capture programs.
What are some of the advantages of using command-line forensics tools?
One advantage of using command-line tools for an investigation is that they require few system resources because they're designed to run in minimal configurations. In fact, most tools fit on bootable media (USB drives, CDs, and DVDs). Conducting an initial inquiry or a complete investigation with bootable media can save time and effort. Most tools also produce a text report that fits on a USB drive or other removable media.
Virtual Machine
One or more logical machines created within one physical machine.
Salvaging
Outside North America, the process of recovering any type of file fragments. See also Carving.
in 2001 redefined how ISPs and large organizations operate and maintain their records
PATRIOT Act
Software-enabled write-blocker
PDBlock
ProDiscover utility for remote access
PDServer
System file where passwords may have been written temporarily
Pagefile.sys
The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors
Partition Boot Sector
unallocated disk space
Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.
The unused space between partitions
Partition gap
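The MBR and partition gap cards above describe where the partition table lives and the unused space between partitions that an examiner should check. The following is an added example, not code from the textbook or this card set: it parses the four primary partition entries of a constructed MBR and computes every sector range that belongs to no partition, which is where carving for hidden data would start. The sample MBR (an NTFS partition at sector 2048 and a Linux partition at 208896 on a 409600-sector drive) is constructed for the example.

```python
import struct

# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector0: bytes) -> list:
    """Return the primary partition entries of a 512-byte MBR (sector 0)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 55 AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:          # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, f"type 0x{ptype:02X}"),
                      "start": start, "sectors": count, "end": start + count - 1})
    return parts

def partition_gaps(parts: list, total_sectors: int) -> list:
    """Sectors that belong to no partition: [(first sector, length)], including the
    space between the MBR and the first partition and any tail after the last one."""
    gaps, cursor = [], 1                      # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["end"] + 1)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed MBR: NTFS at 2048 (204800 sectors) and Linux at 208896 (102400),
    leaving a 2048-sector gap between them."""
    mbr = bytearray(512)
    for i, entry in enumerate([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 208896, 102400)]):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, *entry)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p['slot']}: {p['name']:<14} sectors {p['start']}-{p['end']}")
    for start, length in partition_gaps(parts, 409600):   # drive size from the image
        print(f"gap at sector {start}: {length} sectors ({length * 512 // 1024} KiB)")
```

total_sectors is the image size divided by the sector size. A type 0x05 or 0x0F entry is an extended partition whose logical partitions are found by following the EBR chain, and a single type 0xEE entry means the drive is GPT, so the real table is read from LBA 1 onward; both would otherwise be reported here as large "gaps".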
Many password recovery tools have a feature for generating potential password lists for which type of attack?
Password dictionary
PII
Personally Identifiable Information. Information about individuals that can be used to trace a person's identity, such as a full name, birthdate, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.
What type of evidence do courts consider evidence data in a computer to be?
Physical
symbolic links
Pointers to other files; they can point to items on other drives or other parts of the network and don't affect the link count. They store a path to their target (given as an absolute path), so they break if the target moves.
Live Acquisition
Powered-on device, logged on by the user
What's the main goal of static acquisition?
Preservation of digital evidence
Without a warning banner, what right might employees assume they have when using a company's computer systems and network access?
Privacy
How can you determine who is in charge of an investigation?
Private-sector investigations usually require only one person to respond to an incident or crime scene. Processing evidence usually involves acquiring an image of a suspect's drive. In law enforcement, however, many investigations need additional staff to collect all evidence quickly. For large-scale investigations, a crime or incident scene leader should be designated. Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to ensure that the team addresses all details when collecting evidence.
What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?
Probable cause
What investigator characteristic, which includes ethics,morals, and standards of behavior, determines the investigator's credibility?
Professional conduct
What is professional conduct, and why is it important?
Professional conduct is the ethics, morals, and standards by which you conduct yourself and your business. It is important because it determines your credibility.
The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?
Professional curiosity
Which type of format acquisition leaves the investigator unable to share an image between different vendors' computer forensics analysis tools?
Proprietary
What is the third stage of a criminal case, after the complaint and the investigation?
Prosecution
Verification
Proves that two sets of data are identical by calculating hash values or using another similar method.
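The dcfldd card (if= versus of=) and the verification card above describe the core of a raw acquisition: copy the suspect drive bit for bit, hash the stream, and later prove the image still matches. The following is an added example and not code from the textbook, dcfldd, or this card set. It does in Python what dcfldd's hash= option does in one pass: image a source while computing MD5 and SHA-256, then verify an image against the recorded digests. The source is opened read-only, so the if=/of= mistake from the card cannot destroy it; in practice the source would be a device path such as /dev/sdb behind a write blocker (an assumption for illustration). demo() builds a 1 MiB constructed "suspect drive" in a temporary directory, images it twice as the card on making two images recommends, then alters one bit in the second image.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read and write in 1 MiB blocks

def acquire(src_path: str, dest_path: str, algorithms=("md5", "sha256"), chunk: int = CHUNK) -> dict:
    """Bit-for-bit copy of src_path to dest_path (raw format) while hashing the
    stream once. src_path (e.g. /dev/sdb behind a write blocker, assumed here)
    is only ever opened read-only; returns {algorithm: hexdigest} of the source."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(src_path, "rb") as src, open(dest_path, "wb") as dst:
        while block := src.read(chunk):
            dst.write(block)
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def hash_file(path: str, algorithms=("md5", "sha256"), chunk: int = CHUNK) -> dict:
    """Hash an existing file with the same algorithms, without rewriting it."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        while block := f.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def verify(image_path: str, expected: dict) -> bool:
    """An image is valid only if every recorded digest matches."""
    return hash_file(image_path, tuple(expected)) == expected

def demo() -> tuple:
    """Image a constructed 1 MiB 'suspect drive' twice, then corrupt one copy.
    Returns (both images verified, corrupted image verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "suspect.dd")
        with open(suspect, "wb") as f:
            f.write(bytes(range(256)) * 4096)          # constructed sample content
        img1, img2 = os.path.join(tmp, "image1.raw"), os.path.join(tmp, "image2.raw")
        digests = acquire(suspect, img1)
        digests2 = acquire(suspect, img2)
        both_ok = verify(img1, digests) and digests == digests2
        with open(img2, "r+b") as f:                   # flip one bit in the second image
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0x01]))
        return both_ok, verify(img2, digests)

if __name__ == "__main__":
    print(demo())
```

Record the digests in the acquisition notes at the time of imaging, not later from the image: the point of verification is to compare the image against what the source produced, and a digest computed afterwards from the image alone proves nothing about the source.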
A computer configuration involving two or more physical disks
RAID
Methods for restoring large data sets are important for labs using which type of servers?
RAID
In which RAID configuration do two or more disk drives become one large volume, so the computer views the disks as a single disk?
RAID 0
In addition to RAID 0, what type of RAID configuration is available for Windows XP, 2000, and NT servers and workstations?
RAID 1
Which RAID configuration, also called mirrored striping, is a combination of RAID 1 and RAID 0?
RAID 10
Which RAID configuration offers the greatest access speed and most robust data recovery capability?
RAID 15
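The RAID cards above describe RAID 0 striping, where consecutive stripes of the volume are dealt round-robin to the member disks. An examiner who images each member separately has to interleave them again, and the controller's member order is not always known. The following is an added example, not code from the textbook or this card set: it reassembles a RAID 0 volume from member images for a given stripe size, and when the order is unknown it tries every permutation until the reassembled sector 0 shows the MBR's 55 AA signature. The 4 KiB sample volume and its two members are constructed for the example; real arrays use much larger stripes (often 64 KiB), and the stripe size is found the same way, by trying the common values.

```python
from itertools import permutations

def split_raid0(volume: bytes, members: int, stripe: int) -> list:
    """Inverse of reassembly: deal consecutive stripes round-robin to members.
    Used here only to construct the sample member images."""
    if len(volume) % (stripe * members):
        raise ValueError("volume must be a whole number of full stripe rows")
    out = [bytearray() for _ in range(members)]
    for i in range(len(volume) // stripe):
        out[i % members] += volume[i * stripe:(i + 1) * stripe]
    return [bytes(m) for m in out]

def reassemble_raid0(members: list, stripe: int) -> bytes:
    """Interleave member images: stripe k of the volume is stripe k // n of member k % n."""
    if len({len(m) for m in members}) != 1:
        raise ValueError("RAID 0 members must be the same size")
    out = bytearray()
    for row in range(len(members[0]) // stripe):
        for m in members:
            out += m[row * stripe:(row + 1) * stripe]
    return bytes(out)

def find_member_order(members: list, stripe: int,
                      signature: bytes = b"\x55\xAA", sig_offset: int = 510):
    """When the controller order is unknown, try every permutation and keep the
    one whose reassembled volume shows the expected signature (here the MBR's)."""
    for order in permutations(range(len(members))):
        vol = reassemble_raid0([members[i] for i in order], stripe)
        if vol[sig_offset:sig_offset + len(signature)] == signature:
            return order
    return None

def build_sample_volume() -> bytes:
    vol = bytearray(bytes(range(256)) * 16)    # 4 KiB constructed volume
    vol[510:512] = b"\x55\xAA"                  # MBR boot signature in sector 0
    return bytes(vol)

def demo(stripe: int = 512) -> dict:
    volume = build_sample_volume()
    members = split_raid0(volume, 2, stripe)   # the two member images an examiner would have
    order = find_member_order(members, stripe)
    return {"order": order,
            "correct": reassemble_raid0([members[i] for i in order], stripe) == volume,
            "swapped": reassemble_raid0(members[::-1], stripe) == volume}

if __name__ == "__main__":
    print(demo())
```

A signature in sector 0 confirms only the first stripe; after reassembly, mount the result read-only or run a file system consistency check to confirm the whole interleave before relying on it.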
A bit-for-bit copy of a data file, a disk partition, or an entire drive
Raw data
At a minimum, what do most company policies require that employers have in order to initiate an investigation?
Reasonable suspicion that a law or policy is being violated.
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?
Recovery certificate
RAID
Redundant Array of Independent Disks. A computer configuration of two or more disks, originally developed as a data-redundancy measure. RAID 0, 1, 2, 3, 5, 10, 15
Raw File Format
Referred to as a digital negative. Typically found on many higher-end digital cameras. Defined as simply recording pixels directly to the memory card without enhancement.
Typically, a(n) ______ lab has a separate storage area or room for evidence
Regional
ReFS
Resilient File System
Which activity involves determining how much risk is acceptable for any process or operation?
Risk management
Stands for supervisory control and data acquisition
SCADA
What is the primary hash algorithm used by the NIST project created to collect all known hash values for commercial software and OS files?
SHA-1
List two hashing algorithms commonly used for forensic purposes.
SHA-1 (and its variants), MD5
What type of disk is commonly used with Sun Solaris systems?
SPARC
sets standards for recovering, preserving, and examining digital evidence
SWGDE
Command-line disk acquisition tool from New Technologies, Inc.
SafeBack
In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?
Safety
European term for carving
Salvaging
SWGDE
Scientific Working Group on Digital Evidence
Commingling evidence means what in a private-sector setting?
Sensitive business information is mixed with the data that is collected as evidence.
Which doctrine, found to be unconstitutional, was used to allow a civilian or private-sector investigative agent to deliver evidence obtained in a manner that violated the Fourth Amendment to law enforcement agency?
Silver-platter
Sparse Acquisition
Similar to logical acquisition in that it gathers files and file types, but also gathers fragments of deleted data from unallocated space
Raw forensic file format
Simple, sequential flat files of a suspected drive or data set, readable by almost all forensic acquisition tools
Lists each piece of evidence on a separate page?
Single-evidence form
What is required for real-time surveillance of a suspect's computer activity?
Sniffing data transmissions between a suspect's computer and a network server.
person of interest
Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
If your time is limited, what type of acquisition data copy method should you consider?
Sparse
Which technique can be used for extracting evidence from large systems?
Sparse acquisition
What does a logical acquisition collect for an investigation?
Specific files or file types
What does a sparse acquisition collect for an investigation?
Specific files or file types, as well as fragments from unallocated areas
a data-collecting tool
Spector
What type of acquisition is typically done on a computer seized during a police raid?
Static
A tower with several bays and many peripheral devices
Stationary workstation
What material is recommended for secure storage containers and cabinets?
Steel
Partition Boot Sector
Stores info important to its partition, such as the location of OS boot files.
What are the major improvements in the Linux Ext4 file system?
Support for partitions larger than 16TB, improved management of large files, offers a more flexible approach to adding file system features.
During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. What did the U.S. Department of Defense call this special computer-emission shielding?
TEMPEST
What term refers to labs constructed to shield EMR (electromagnetic radiation) emissions?
TEMPEST
Which digital forensics tool is categorized as a single-purpose hardware component?
Tableau T35es-R2 SATA/IDE eSATA bridge
Give some guidelines on how to video record a computer incident or crime scene.
Take video and still recordings of the area around the computer or digital device. Start by recording the overall scene, and then record details with close-up shots, including the back of all computers. Before recording the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which plug, in case you need to reassemble components at the lab. Make sure you take close-ups of all cable connections, including keyloggers (devices used to log keystrokes) and dongle devices used with software as part of the licensing agreement. Record the area around the computer, including the floor and ceiling, and all access points to the computer, such as doors and windows. Be sure to look under any tables or desks for anything taped to the underside of a table or desk drawer or on the floor out of view. If the area has ceiling panels—false ceiling tiles—remove them and record that area, too. Slowly pan or zoom the camera to prevent blurring in the video image, and maintain a camera log for all shots you take.
What do you call a list of people who have had physical possession of the evidence?
The Chain of Custody
Hal.dll
The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.
Ext2
The Second Extended File System. Supports Access Control Lists to control individual permissions, but it does not support journaling.
Ntoskrnl.exe
The Windows OS kernel.
Pagefile.sys
The Windows swap file that is used to hold the virtual memory that is used to enhance physical memory installed in a system.
Reconstruction
The ability to recreate a suspect drive to show what happened during a crime or an incident.
Fair Use
The ability to use a small amount of copyrighted work without permission, but only in certain ways and in specific situations (schoolwork and education, news reporting, criticizing or commenting on something, and comedy/parody).
Logical Acquisition
The acquisition of specific files or file types
What should you consider when determining which data acquisition method to use?
The circumstances of the investigation, namely the scope and the length of possession.
Resolution
The density of pixels on screen; it depends on a combination of hardware and software.
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
The device is automatically mounted and accessed. This likely alters the metadata.
At what location does the forensics investigator conduct investigations, store evidence, and do most of his or her work?
The digital forensics lab
indirect pointers
The first 10 inode pointers in the layer or group of an OS.
Acquisition
The first task in digital forensics investigations; making a copy of the original drive.
SHA-1
The first version of Secure Hash Algorithm, developed by NIST and slowly replacing CRC and MD5.
Describe some third-party disk encryption tools.
The following list describes some available third-party WDE utilities: • Endpoint Encryption (www.symantec.com/products/endpoint-encryption) can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows Server 2008 and later and Windows 7 and later. • Voltage SecureFile (www.voltage.com/products/data-security/hpe-securefile/) is designed for an enterprise computing environment. • Jetico BestCrypt Volume Encryption (www.jetico.com/products/personal-privacy/bestcrypt-volume-encryption) provides WDE for older MS-DOS and current Windows systems.
Summarize the evolution of FAT versions.
The following list summarizes the evolution of FAT versions: * FAT12—This version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB. * FAT16—To handle large disks, Microsoft developed FAT16, which is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 4 GB. * FAT32—When disk technology improved and disks larger than 2 GB were created, Microsoft released FAT32, which can access larger drives. * exFAT—Developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks. The exFAT file system can store very large files, such as digital images, video, and audio files. * VFAT—Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95. VFAT is an extension of other FAT file systems.
risk management
The forecasting and evaluation of risks, together with the identification of procedures to avoid or minimize their impact.
double-indirect pointers
The inode pointers in the second layer or group of an OS. Originates in pointer #12, and points to blocks 139 to 128^2.
triple-indirect pointers
The inode pointers in the third layer or group of an OS. Originates at pointer #13 and covers blocks 128^2+1 to 128^3.
Plain View Doctrine
The legal principle that objects in plain view of a law enforcement agent who has the right to be in a position to have that view may be seized without a warrant and introduced as evidence.
digital forensics lab
The locations where you conduct investigations, store evidence, and do most of your work.
professional curiosity
The presence of police officers and other professionals who are not part of the crime scene-processing team. Their presence can contaminate the scene, either directly or indirectly.
Data Compression
The process of coding data from a larger form to a smaller form
Demosaicing
The process of converting raw picture data to another format
Briefly explain the purpose of the NIST NSRL project.
The purpose of the NSRL project is to reduce the number of known files, such as OS or program files, included in a forensics examination of a drive, so that only unknown files are left. You can also use the RDS to locate and identify known bad files, such as illegal images and malware, on a suspect drive.
Extraction
The recovery task in a digital investigation and the most challenging of all tasks to master.
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
The registry
TEMPEST
The required shielding of sensitive computing systems and the prevention of electronic eavesdropping of computer emissions
resource fork
The resource fork is a companion file that stores information about the data in the data fork, such as the file type and the application that created it
track density
The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.
What are the necessary components of a search warrant?
The suspect's computer and its components. 1. It must be filed in good faith by a law enforcement officer 2. It must be based on reliable information showing probable cause to search 3. It must be issued by a neutral and detached magistrate 4. It must state specifically the place to be searched and the items to be seized
file slack
The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
Under what circumstances are digital records considered admissible?
They are business records
Ext3
Third Extended File System. The first to support journaling, which is a technique that tracks and stores changes to the hard drive and helps prevent file system corruption.
Describe some of the problems you may encounter if you decide to build your own forensics workstation.
To decide whether you want to build your own workstation, first ask "How much do I have to spend?" Building a forensic workstation isn't as difficult as it sounds but can quickly become expensive if you aren't careful. If you have the time and skill to build your own forensic workstation, you can customize it to your needs and save money, although you might have trouble finding support for problems that develop. For example, peripheral devices might conflict with one another, or components might fail. If you build your own forensic workstation, you should be able to support the hardware. You also need to identify what you intend to analyze. If you're analyzing SPARC disks from workstations in a company network, for example, you need to include a SPARC drive with a write-protector on your forensic workstation.
Briefly explain NTFS compressed files.
To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility. With NTFS, you can compress files, folders, or entire volumes. With FAT16, you can compress only a volume. On a Windows NT or later system, compressed data is displayed normally when you view it in Windows Explorer or applications such as Microsoft Word. During an investigation, typically you work from an image of a compressed disk, folder, or file. Most forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. However, forensics tools might have difficulty with third-party compression utilities, such as the .rar format. If you identify third-party compressed data, you need to uncompress it with the utility that created it.
Why is physical security so critical for digital forensics labs?
To maintain chain of custody and prevent data from being lost, corrupted, or stolen
What's the purpose of maintaining a network of digital forensics specialists?
To supplement your knowledge and be able to get referrals and information when needed
What's the purpose of an affidavit?
To support facts about or evidence of a crime, in order to secure a warrant for seizure
What are logical cluster numbers (LCNs)?
To understand how data runs are assigned for nonresident MFT records, you should know that when a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition. These assigned clusters, called logical cluster numbers (LCNs), are sequentially numbered from the beginning of the disk partition, starting with the value 0. LCNs become the addresses that allow the MFT to link to nonresident files (files outside the MFT) on the disk's partition.
The space between each track
Track density
Concentric circles on a disk platter where data is located
Tracks
A forensics analysis of a 6 TB disk, for example, can take several days or weeks.
True
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.
True
A judge can exclude evidence obtained from a poorly worded warrant.
True
A separate manual validation is recommended for all raw acquisitions at the time of analysis.
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized.
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.
True
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
True
Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file's contents.
True
An encrypted drive is one reason to choose a logical acquisition. True or False?
True
An image of a suspect drive can be loaded on a virtual machine. True or False?
True
By the 1970s, electronic crimes were increasing, especially in the financial sector.
True
By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
True
Chapter 5, Section 3, of the NISPOM describes the characteristics of a safe storage container.
True
Computer peripherals or attachments can contain DNA evidence. True or False?
True
Computers used several OSs before Windows and MS-DOS dominated the market.
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
Data blocks contain actual files and directories and are linked directly to inodes. True or False?
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or false?
True
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
FTK Imager requires that you use a device such as a USB dongle for licensing.
True
Hardware acquisition tools typically have built-in software for data analysis. True or False?
True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.
True
If a company doesn't distribute a computing use policy stating an employer's rights to inspect employee's computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?
True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
True
If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
True
In Autopsy and many other forensics tools raw format image files don't contain metadata.
True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
Maintaining credibility means you must form and sustain unbiased opinions of your cases.
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop.
True
Software forensic tools are grouped into command-line applications and GUI applications.
True
Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's right to be secure in their person, residence, and property from search and seizure.
True
The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.
True
The lab manager sets up processes for managing cases and reviews them regularly.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.
True
The most common computer-related crime is check fraud.
True
The police blotter provides a record of clues to crimes that have been committed previously.
True
The primary hashing algorithm the NSRL project uses is SHA-1. True or False?
True
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
True
The type of file system an OS uses determines how data is stored on the disk.
True
There's no simple method for getting an image of a RAID server's disks.
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or false?
True
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support.
True
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
True
Hard Links work in only one partition or volume. True or False?
True (?)
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True.
An employer can be held liable for e-mail harassment. True or False?
True. An employer is responsible for preventing and investigating harassment of employees and nonemployees associated with the workplace.
When seizing computer evidence in criminal investigations, which organization's standards should be followed?
U.S. DOJ
Devices used to prevent data from being written to a disk can connect to a computer through FireWire, SATA, PATA, and SCSI controllers as well as which other type of controller?
USB 2.0 and 3.0
An international data format
Unicode
List two features NTFS has that FAT does not.
Unicode characters, security, journaling.
Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes
Uniform Crime Report
UCR
Uniform Crime Report
What reports are generated at the local, state, and federal levels to show the types and frequency of crimes committed?
Uniform crime reports
Partition gap
Unused space between partitions
drive slack
Unused space in a cluster between the end of an active file and the end of the cluster
Which filename refers to a core Win32 subsystem DLL file?
User32.sys
What's the most critical aspect of digital evidence?
Validating
Explain the validation of evidence data process.
Validation and verification functions work hand in hand. Validation is a way to confirm that a tool is functioning as intended, and verification proves that two sets of data are identical by calculating hash values or using another similar method. How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a standard practice. This method produces a unique hexadecimal value for ensuring that the original data hasn't changed and copies are of the same unchanged data or image.
VQ
Vector Quantization. Uses complex algorithms to determine what data to discard based on vectors in the graphics file.
VCN
Virtual Cluster Number
VHD
Virtual Hard Disk
VCB
Volume Control Block, where some information from the MDB is written when the OS mounts a volume. It is removed when a user no longer needs the volume and unmounts it.
Alternate Data Streams
Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, these become an additional file attribute.
Briefly describe how to delete FAT files.
When a file is deleted in Windows Explorer or with the MS-DOS delete command, the OS inserts a HEX E5 (0xE5) in the filename's first letter position in the associated directory entry. This value tells the OS that the file is no longer available and a new file can be written to the same cluster location. In the FAT file system, when a file is deleted, the only modifications made are that the directory entry is marked as a deleted file, with the HEX E5 character replacing the first letter of the filename, and the FAT chain for that file is set to 0. The data in the file remains on the disk drive. The area of the disk where the deleted file resides becomes unallocated disk space (also called "free disk space"). The unallocated disk space is now available to receive new data from newly created files or other files needing more space as they grow. Most forensics tools can recover data still residing in this area.
How can you make sure a subject's computer boots to a forensic floppy disk or CD?
When a subject's computer starts, you must make sure it boots to a forensically configured CD, DVD, or USB drive, because booting to the hard disk overwrites and changes evidentiary data. To do this, you access the CMOS setup by monitoring the computer during the bootstrap process to identify the correct key or keys to use. The bootstrap process, which is contained in ROM, tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. You can also try unhooking the keyboard to force the system to tell you what keys to use. The key you press to access CMOS depends on the computer's BIOS. If necessary, you can change the boot sequence so that the OS accesses the CD/DVD drive, for example, before any other boot device. Each BIOS vendor's screen is different, but you can refer to the vendor's documentation or Web site for instructions on changing the boot sequence.
What is the plain view doctrine?
When approaching or investigating a crime scene, you might find evidence related to the crime but not in the location the warrant specifies. You might also find evidence of another unrelated crime. In these situations, this evidence is subject to the plain view doctrine. The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be met: • The officer is where he or she has a legal right to be. • Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars. • Any discovery must be by chance.
logical addresses
When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.
Partition
When referring to a computer hard drive, a disk partition or partition is a section of the hard drive that is separated from other segments. Partitions help enable users to divide a computer hard drive into different drives or different portions for a number of reasons.
In forensic hashes, when does a collision occur?
When the hash value is equivalent to another hash value generated from a different data set. These collisions are rare and have really only been detected on supercomputers.
What did Microsoft add to its newer operating systems that makes performing static acquisitions more difficult?
Whole disk encryption
Example of a lossless compression tool
WinZip
Ntldr (NT Loader)
Windows NT/2000/XP boot file. Launched by the MBR or MFT, ntldr looks at the boot.ini configuration file for any installed operating systems.
Briefly describe the process of obtaining a search warrant.
With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and seizure of specific evidence related to the criminal complaint. The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued.
What is the general term for software or hardware that is used to protect evidence disks by preventing data from being written to them?
Write-blockers
Recognizes file types and retrieves lost or deleted files.
Xtree Gold
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
You can remove and reconnect drives without having to restart the workstation.
Illustrate how to consider hardware needs when planning your lab budget.
You should plan your hardware needs carefully, especially if you have budget limitations. Include in your planning the amount of time you expect the forensic workstation to be running, how often you expect hardware failures, consultant and vendor fees to support the hardware, and how often to anticipate replacing forensic workstations. The longer you expect the forensic workstation to be running, the more you need to anticipate physical equipment failure and the expense of replacement equipment.
How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?
ZBR
ZBR
Zone bit recording, how most manufacturers deal with a platter's inner tracks having a smaller circumference and therefore less space to store data than in the outer tracks.
link count
a field in each inode that specifies the number of hard links
limiting phrase
a judge will often issue this in a warrant, which allows police to separate innocent info from evidence when commingled evidence is found
NTDETECT.COM
a required boot file for Windows operating systems through XP, responsible for detecting hardware necessary for a successful boot into Windows
public key
a value that can be used to encrypt a message. However, the message can be decrypted only with the mathematically related private key.
What methods do steganography programs use to hide data in graphics files? (Choose all that apply) a. Insertion b. Substitution c. Masking d. Carving
a, b
The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply) a. Making necessary changes in lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives d. None of the above
a, b, c
Digital pictures use data compression to accomplish which of the following goals? (choose all that apply.) a. Save space on a hard drive b. Provide a crisp and clear image c. Eliminate redundant data d. Produce a file that can be emailed or posted on the internet.
a, c
Which of the following describes plist files? (Choose all that apply.) a. You must have a special editor to view them. b. They're found only in Linux file systems c. They're preference files for applications d. They require special installers
a, c
Which of the following is the main challenge in acquiring an image of a system running macOs? (Choose all that apply) a. Most commercial software doesn't support macOs. b. Vendor training is needed. c. The macOS is incompatible with most write-blockers. d. You need special tools to remove drives from a system running macOS or open its case.
a, d (?)
EFS can encrypt which of the following? a. Files, folders, and volumes b. Certificates and private keys c. The global registry d. Network servers
a.
A JPEG file uses which type of compression? a. WinZip b. Lossy c. Lzip d. Lossless
b
Hard links are associated with which of the following? a. Dot notation b. A specific inode c. An absolute path to a file d. Hidden files
b
In Linux, which of the following is the home directory for the superuser? a. home b. root c. super d. /home/superuser
b
When you carve a graphics file, recovering the image depends on which of the following skills? a. Recovering the image from a tape backup b. Recognizing the pattern of the data content c. Recognizing the pattern of the file header content d. Recognizing the pattern of a corrupt file
b
Which of the following is true about JPEG and TIF files? a. They have identical values for the first 2 bytes of their file headers b. They have different values for the first 2 bytes of their file headers. c. They differ from other graphics files because their file headers contain more bits. d. They differ from other graphics files because their file headers contain fewer bits.
b
Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply) a. Multiple copies of a graphics file b. Graphics files with the same name but different file sizes c. Steganography programs in the suspect's All Programs list d. Graphics files with different timestamps
b, c
What methods are used for digital watermarking? (Choose all that apply) a. Implanted subroutines that link to a central Web server automatically when the watermarked file is accessed b. Invisible modification of the LSBs in the file c. Layering visible symbols on top of the image d. Use a hex editor to alter the image data
b, c
Which of the following describes the superblock's function in the Linux file system? (Choose all that apply.) a. Stores bootstrap code b. Specifies the disk geometry c. Manages the file system, including configuration information d. Contains links between inodes
b, c
In JPEG files, what's the starting offset position for the JFIF label? a. Offset 0 b. Offset 2 c. Offset 6 d. Offset 4
c
To recover a password in macOS, which tool do you use? a. Finder b. PRTK c. Keychain Access d. Password Access
c
Which of the following certifies when an OS meets UNIX requirements? a. IEEE b. UNIX Users Group c. The Open Group d. SUSE Group
c
Which of the following is a new file added in macOS? (Choose all that apply.) a. /private/var/db b. /private/db c. /var/db/diagnostics d. /var/db/uuid.text
c, d
Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual websites b. Applications can be run on the virtual machines only if they're resident on the physical machine. c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. d. Virtual machines can run only OSs that are older than the physical machine's OS.
c.
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? a. The file can no longer be encrypted b. EFS protection is maintained on the file c. The file is unencrypted automatically d. Only the owner of the file can continue to access it
c.
Areal density refers to which of the following? a. Number of bits per disk, b. Number of bits per partition, c. Number of bits per square inch of a disk platter, d. Number of bits per platter
c. Number of bits per square inch of a disk platter
Sniffing
capturing and recording network traffic
inodes
contain file and directory metadata and provide a mechanism for linking data stored in data blocks. Contains: mode and type of the file or directory; number of links to a file or directory; UID and GID of the file's or directory's owners; number of bytes in the file or directory; file's or directory's last access time and last modified time; inode's last file status change time; block address for the file data; indirect, double-indirect, and triple-indirect block addresses for the file data; current usage status of the node; the number of actual blocks assigned to a file; file generation number and version number; the continuation inode's link.
inode blocks
contain the first data after the superblock. An inode is assigned to every file allocation unit. As files or directories are created or deleted, inodes are also created or deleted. The link between inodes associated with files and directories controls access to those files or directories.
boot block
contains the bootstrap code for startup. A UNIX/Linux computer has only one boot block, on the main hard disk.
superblock
contains vital information about the system and is considered part of the metadata. Specifies disk geometry and available space and keeps track of all inodes. Also manages the file system, including configuration information, such as block size for the drive, file system names, blocks reserved for inodes, and volume name.
Bitmap (.bmp) Files use which of the following types of compression? a. WinZip b. Lossy c. Lzip d. Lossless
d
On most Linux systems, current user login information is in which of the following locations? a. /var/log/dmesg b. /var/log/wmtp c. /var/log/usr d. /var/log/utmp
d
The process of converting raw images to another format is called which of the following? a. Data conversion b. Transmogrification c. Transfiguring d. Demosaicing
d
Which of the following Linux system files contains hashed passwords for the local system? a. /var/log/dmesg b. /etc/passwd c. /var/log/syslog d. /etc/shadow
d
Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above
d. All of the above
Lossless Compression
data compression techniques in which no data is lost.
Lossy Compression
data compression techniques in which some amount of data is lost. This technique attempts to eliminate redundant information.
metadata
data that describes other data
What command works similarly to the dd command but has many features designed for computer forensics acquisitions?
dcfldd
What Linux command is used to create the raw data format?
dd
What command creates a raw format file that most computer forensics analysis tools can read?
dd
In Windows 2000 and later, which command shows you the file owner if you have multiple users on the system or network?
dir
computer-stored records
electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word document
Shows the known drives connected to your computer
fdisk -l
clumps
groups of contiguous allocation blocks. Volume fragmentation is kept to a minimum by adding more clumps to larger files.
What option is used with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512?
hash (for example hash=sha256; the digest is written to the file named by hashlog=)
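The dd and dcfldd cards above describe raw acquisition and hashing in one line each. The following is an added example (not part of the study set) that performs the acquisition with dd, uses dcfldd with hash= and hashlog= only when that tool is installed, and then verifies the image hash against the source. It assumes a POSIX shell with dd, awk and sha256sum (or shasum); the function names, the .sha256 file name and the constructed sample source are illustrative.

```shell
#!/bin/sh
# Added example, not part of the study set: raw acquisition of a source
# (file or block device) with dd, with the dcfldd form used when that tool
# is installed, followed by a hash check of image against source.
# Assumes a POSIX shell with dd, awk and sha256sum (or shasum); paths and
# function names are illustrative.

# sha256_of PATH : print only the hex digest of PATH
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_raw SRC DEST [BS] : copy SRC into the raw image DEST.
# conv=noerror,sync keeps reading after a bad sector and zero-fills the
# unreadable block so later offsets still line up with the source.
# The same sync padding applies to the final block: if BS does not divide
# the source size, the tail is padded with zeros, the image grows, and the
# hashes no longer match. BS defaults to 512, the one size that always
# divides a sector-addressed device.
# Returns 0 only when the image hash equals the source hash.
acquire_raw() {
    src=$1; dest=$2; bs=${3:-512}
    if command -v dcfldd >/dev/null 2>&1; then
        # hash= selects the algorithm, hashlog= receives dcfldd's digest log
        dcfldd if="$src" of="$dest" bs="$bs" conv=noerror,sync \
               hash=sha256 hashlog="$dest.sha256" status=off
    else
        dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>/dev/null
        sha256_of "$src" > "$dest.sha256"
    fi
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dest")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# image_size PATH : size in bytes, stripped of the spaces BSD wc prints
image_size() {
    wc -c < "$1" | tr -d ' '
}

# make_sample_source PATH : write a constructed 1024-byte "evidence" file
# (32 records of 32 bytes) so the demo runs without a real device
make_sample_source() {
    i=0
    : > "$1"
    while [ "$i" -lt 32 ]; do
        printf '%-32s' "constructed record $i" >> "$1"
        i=$((i + 1))
    done
}
```

Usage: `make_sample_source src.raw; acquire_raw src.raw image.dd` copies with bs=512 and reports matching hashes; `acquire_raw src.raw padded.dd 4096` on the same 1024-byte source returns non-zero because conv=sync pads the last block to 4096 bytes. On a real device the block size should divide the device size exactly, or the tail of the image will not match the source.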
catalog
is the listing of all files and directories on the volume and is used to maintain relationships between files and directories on a volume.
physical EOF
is the number of bytes allotted on the volume for a file
data block
is where directories and files are stored on a disk drive. This location is linked directly to inodes. The block size is fixed when the file system is created (commonly 1024, 2048 or 4096 bytes on ext file systems; 512 bytes is the size of a sector, not the usual block). A data block is equivalent to a cluster of disk sectors on a FAT or NTFS volume.
unified logging
located in /var/db/diagnostics and /var/db/uuidtext. It comes with the log utility, whose log collect and log show subcommands a forensics examiner uses to gather and read the entries.
LCNs
logical cluster numbers
What's the Disk Arbitration feature used for in macOS?
macOS feature for disabling and enabling automatic mounting when a drive is connected via USB or FireWire. Disabling it before attaching an evidence drive keeps macOS from auto-mounting (and so potentially writing to) the drive; it is a software control, not a substitute for a hardware write blocker.
What command displays pages from the online help manual for information on Linux commands and their options?
man
Pixels
picture elements. Grids of stored graphics information.
Hard link
pointer that allows accessing the same file by different filenames. The filenames refer to the same inode and physical location on a drive. Originally used so that people with different logins could access the same physical file.
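The hard link card states that two names refer to one inode. The following is an added example (not part of the study set) that creates a file, a hard link and a symbolic link, compares inode numbers and link counts, then deletes the original name to show which name still reaches the data. It assumes a POSIX shell with ls, ln, awk and a writable directory; the file names and the constructed content are illustrative.

```shell
#!/bin/sh
# Added example, not part of the study set: a hard link is a second name
# for the same inode; a symbolic link is a separate small file holding a
# path. Assumes a POSIX shell with ls, ln, awk and a writable directory;
# file names are illustrative.

# inode_of PATH : inode number from ls -i (portable across GNU and BSD);
# -d lists the name itself, so a symlink reports its own inode
inode_of() {
    ls -id "$1" | awk '{print $1}'
}

# links_of PATH : hard-link count, the second column of ls -l
links_of() {
    ls -ld "$1" | awk '{print $2}'
}

# make_links DIR : create original.txt, a hard link hard.txt and a symlink soft.txt
make_links() {
    printf 'constructed evidence content\n' > "$1/original.txt"
    ln "$1/original.txt" "$1/hard.txt"
    ln -s "$1/original.txt" "$1/soft.txt"
}

# survives_unlink DIR : delete the original name and print what remains:
# "hard:ok" if the data is still readable through hard.txt and
# "soft:dangling" if the symlink now points at a name that no longer exists
survives_unlink() {
    rm "$1/original.txt"
    if [ "$(cat "$1/hard.txt")" = "constructed evidence content" ]; then
        printf 'hard:ok '
    else
        printf 'hard:lost '
    fi
    if [ -L "$1/soft.txt" ] && [ ! -e "$1/soft.txt" ]; then
        printf 'soft:dangling\n'
    else
        printf 'soft:ok\n'
    fi
}
```

Usage: `d=$(mktemp -d); make_links "$d"; inode_of "$d/original.txt"; inode_of "$d/hard.txt"; links_of "$d/original.txt"; survives_unlink "$d"`. The link count of 2 on the original is the clue, during an examination, that another name for the same data exists somewhere on the volume; after the original name is removed the count drops to 1 and the data remains reachable through the hard link only.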
Building your own forensics workstation:
requires the time and skills necessary to support the chosen hardware.
In addition to md5sum, which hashing algorithm utility is included with current distributions of Linux?
sha1sum
Hard drive geometry
specifications of hard drives listing the number of cylinders, heads and sectors
Header node
stores information about the B*-tree file
Index node
stores link information to previous and next nodes.
private key
the complementary key to a public key; kept secret by its owner and used to decrypt messages that were encrypted with the public key.
probable cause
the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
extents overflow file
stores any file information (additional extent records) that is not held in the MDB or a VCB
data fork
where data is stored. Typically contains data the user creates.
