Computer & Network Forensics (SCIA 470) Chapters 1-13
Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
key escrow
Computing components are designed to last 18 to ____ months in normal business operations.
36
Ext2fs can support disks as large as ____ TB and files as large as 2 GB.
4
___ components define the file system on UNIX.
4
When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____.
EFS
The majority of digital cameras use the ____ format to store digital pictures.
EXIF
The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
EnCase
Use ____ to secure and catalog the evidence contained in large computer components.
Evidence Bags
TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.
IS-136
The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.
ISO 5725
Data streams can obscure valuable evidentiary data, intentionally or by coincidence.
True
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
True
Steganography cannot be used with file formats other than image files.
False
The Windows platforms have long been the primary command-line interface OSs.
False
Most computer investigations in the private sector involve ____.
Misuse of computing assets
In a Windows environment, BitPim stores files in ____ by default.
My Documents\BitPim
The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
NSRL
____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.
NTBootdd.sys
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
Safety
____ increases the time and resources needed to extract,analyze,and present evidence.
Scope creep
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
Sniffing
____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
Steganography
The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.
XIF
____ is how most manufacturers deal with a platter's inner tracks being shorter than its outer tracks.
ZBR
Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
password dictionary
Under copyright laws, maps and architectural plans may be registered as ____.
pictorial, graphic, and sculptural works
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
Repeatable findings
To complete a forensic disk analysis and examination, you need to create a ____.
Report
In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.
Resource
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
Risk Management
EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation
SAFE
____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
Snort
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
Sparse
One technique for extracting evidence from large systems is called ____.
Sparse Acquisition
____ is the art of hiding information inside image files.
Steganography
By the 1970s, electronic crimes were increasing, especially in the financial sector.
True
Chain of custody is also known as chain of evidence.
True
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
True
FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.
True
If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
True
In software acquisition, there are three types of data-copying methods.
True
Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.
testing, compressed
Computer forensics tools are divided into ____ major categories.
2
There are ____ searching options for keywords which FTK offers.
2
In general, forensics workstations can be divided into ____ categories.
3
Most packet sniffers operate on layer 2 or ____ of the OSI model.
3
All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
40-pin
A ____ is a bit-by-bit copy of the original storage medium.
Bit-stream Copy
____ images store graphics information as grids of individual pixels.
Bitmap
FTK and other computer forensics programs use ____ to tag and document digital evidence.
Bookmarks
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
Brute-force
Generally, computer records are considered admissible if they qualify as a ____ record.
Business
In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
Business Case
Developed during WWII, this technology,____, was patented by Qualcomm after the war.
CDMA
____ is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration.
Config.sys
Computer investigations and forensics fall into the same category: public investigations.
False
FTK cannot analyze data from image files from other vendors.
False
If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.
False
One advantage with live acquisitions is that you are able to perform repeatable processes.
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
False
You cannot use both multi-evidence and single-evidence forms in your investigation.
False
A bit-stream image is also known as a(n) ____.
Forensic Copy
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
Forensic Workstation
The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.
Honeynet
By the early 1990s, the ____ introduced training on software for forensics investigations.
IACIS
____ was created by police officers who wanted to formalize credentials in computing investigations.
IACIS
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.
IBM
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
Initial-response field kit
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
Marketing
A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.
JPEG
AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
KFF
Floors and carpets on your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
Once
The primary hash algorithm used by the NSRL project is ____.
SHA-1
SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity
SHA-256
One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
SIGs
____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.
SIM
To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
Secure facility
The list of problems you normally expect in the type of case you are handling is known as the ____.
Standard Risk Assessment
When preparing a case, you can apply ____ to problem solving.
Standard Systems Analysis Steps
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
Static
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
Steel
The ____ search feature allows you to look for words with extensions such as "ing,""ed," and so forth.
Stemming
In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
Subpoenas
____ steganography replaces bits of the host file with other bits of data.
Substitution
The ____ digital network divides a radio frequency into time slots.
TDMA
The image format XIF is derived from the more common ____ file format.
TIFF
A common way of examining network traffic is by running the ____ program.
Tcpdump
____ is the text version of Ethereal, a packet sniffer tool.
Tethereal
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
True
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
True
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
True
To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
True
With many computer forensics tools, you can open files with external viewers.
True
Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0,and SCSI controllers.
USB
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
Uniform Crime Reports
Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.
Zombies
A ____ allows you to create a representation of another computer on an existing physical computer.
virtual machine
Records in the MFT are referred to as ____.
metadata
Image files can be reduced by as much as ____% of the original.
50
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
False
Most federal courts have interpreted computer records as ____ evidence.
Hearsay
Linux ISO images are referred to as ____.
Live CDs
The file system for a SIM card is a ____ structure.
hierarchical
Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.
1995
____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
www.freeality.com
The uppercase letter ____ has a hexadecimal value of 41.
"A"
In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
.pst
On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
/dev/hda1
____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.
/etc/sendmail.cf
Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
/var/log
To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.
0
The EMR from a computer monitor can be picked up as far away as ____ mile.
1/2
ATA-66,ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
100
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.
65,535
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.
80
There are ____ tracks available for the program area on a CD.
99
You can use ____ to boot to Windows without writing any data to the evidence disk.
A Write-Blocker
The ____ provides several software drivers that allow communication between the OS and the SCSI component.
Advanced SCSI Programming Interface (ASPI)
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
Affidavit
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
Allegation
____ is a batch file containing customized settings for MS-DOS that runs automatically.
Autoexec.bat
People who want to hide data can also use advanced encryption programs, such as PGP or ____.
BestCrypt
What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations?
Certified Computer Forensic Technician, Basic
The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
Chain of Custody
The most common computer-related crime is ____.
Check Fraud
he ____ file provides a command prompt when booting to MS-DOS mode (DPMI).
Command.com
Confidential business data included with the criminal evidence are referred to as ____ data.
Commingled
A ____ is where you conduct your investigations, store evidence, and do most of your work.
Computer Forensics Lab
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
Computer Investigations
____ records are data the system maintains, such as system log files and proxy server logs.
Computer-generated
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
Configuration Management
To begin conducting an investigation, you start by ____ the evidence using a variety of methods
Copying
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
Critique the case
When working on a Windows environment you can press ____ to copy the selected text to the clipboard.
Ctrl+C
____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
DIBS USA
Macintosh OS X is built on a core called ____.
Darwin
For computer forensics, ____ is the task of collecting digital evidence from electronic media.
Data Aquisition
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data Recovery
The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
Data block
____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder.
Device drivers
Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.
Device seizure
In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.
Dir
A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
Disaster Recovery
____ of data involves sorting and searching through all investigation data.
Discrimination
One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
Disk editor
The most common and flexible data-acquisition method is ____.
Disk-to-Image File Copy
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
EEPROM
A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
Evidence Custody Form
The standard Linux file system is ____.
Ext2fs
A(n) ____ should include all the tools you can afford to take to the field.
Extensive-response field kit
Marking bad clusters data-hiding technique is more common with ____ file systems.
FAT
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
____ is a simple drive-imaging station.
FIRE IDE
A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
False
A nonsteganographic graphics file has a different size than an identical steganographic graphics file.
False
IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 ____.
GB
Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
GPL
With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
GUI
The Novell e-mail server software is called ____.
GroupWise
____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system.
HDHOST
LILO uses a configuration file named ____ located in the /Etc directory.
Lilo.conf
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
Live
____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
Live
____ compression compresses data by permanently discarding bits of information in the file.
Lossy
The SIM file structure begins with the root of the system (____).
MF
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
SafeBack and SnapCopy must run from a(n) ____ system.
MS-DOS
SnapBack DatArrest runs from a true ____ boot floppy.
MS-DOS
To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.
MS-DOS
On older Macintosh OSs all information about the volume is stored in the ____.
Master Directory Block (MDB)
____ is a hidden text file containing startup options for Windows 9x.
Msdos.sys
Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.
Much easier than
The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.
NIST
____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR.
NTDetect.com
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
NTFS
____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista.
NTFS
____ forensics is the systematic tracking of incoming and outgoing traffic on your network.
Network
____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
Network Forensics
One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.
Norton DiskEdit
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
Notarized
You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
Off-site
In the following list, ____ is the only steg tool.
Outguess
____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
PDAs
____ are devices and/or software placed on a network to monitor traffic.
Packet sniffers
____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
Padding
____ recovery is a fairly easy task in computer forensic analysis.
Password
Courts consider evidence data in a computer as ____ evidence.
Physical
A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
Portable workstation
____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
Probable Cause
Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team.
Professional curiosity
To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.
Properties
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
Proprietary
For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
RAID
Every business or organization must have a well defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
Reasonable suspicion
When analyzing digital evidence, your job is to ____.
Recover the data
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
Registry
____ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation.
Remote acquisitions
SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
Three
After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.
True
Employees surfing the Internet can cost companies millions of dollars.
True
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector Graphics
With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
Volume Bitmap
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
Warrant
Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
Whole Disk Encryption
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
Windows 9x
____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
Write-blockers
Recovering pieces of a file is called ____.
carving
In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
checkpoint
E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
client/server architecture
When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.
copyright
A ____ is a column of tracks on two or more disk platters.
cylinder
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____.
data runs
The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.
dcfldd
____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD.
dcfldd
Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
dd
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
The process of converting raw picture data to another format is referred to as ____.
demosaicing
The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.
disk-to-disk
On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
extents overflow file
When you write your final report, state what you did and what you ____.
found
You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
graphic editors
If you can't open an image file in an image viewer, the next step is to examine the file's ____.
header data
The simplest way to access a file header is to use a(n) ____ editor
hexadecimal
Getting a hash value with a ____ is much faster and easier than with a(n) ____.
hexadecimal editor, computer forensics tool
Data ____ involves changing or manipulating a file to conceal information.
hiding
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
image file
In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
indexed
Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.
inodes
You begin any computer forensics case by creating a(n) ____.
investigation plan
Under copyright laws, computer programs may be registered as ____.
literary works
The ____ command displays pages from the online help manual for information on Linux commands and their options.
man
The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key.
recovery certificate
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
sha1sum
The term ____ comes from the Greek word for "hidden writing."
steganography
____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.
steganography
