CSC 410 Fall 2019 Final/Quiz Guide
The MD5 algorithm takes as input a message of ___________ and produces as output a ___________ bit "fingerprint" of the data.
Arbitrary length, 128-bit
Where can you change the Boot Order?
BIOS
Which of the following is NOT a Safety Net procedure?
Do analysis on original piece of evidence
All file types have a footer.
False
The letters in the acronym PPAD stand for Preserve, Protect, Analyze and Decide.
False
Write blocking should always be performed with a "live forensics" case.
False
Which of the following is not true about a password-protected file?
File data is converted to unreadable data.
A VM can be used as a "safe" testing environment to run unknown applications or virus infected files.
True
The MD5 algorithm was designed so that it is computationally unfeasible to produce two inputs having the same hash output, or to produce any input having a given pre-specified target hash output.
True
What is SAFE Block To Go?
A software writeblocker
According to the lecture, which of the following scenarios would result in a digital forensic examiner wanting to do a restore?
All of the above (jury presentation, The native environment or device is needed in order for the data to be interpreted, When you need a clone of the original drive to put the computer back in its original state)
What can both the Application Administrator and Case Administrators do?
Assign Rights to cases, Create Cases
A computer forensic examiner is never allowed to do analysis on-site.
False
According to the lecture, what is the most common reason for bad images during the imaging process?
I/O errors
Which is NOT correct about the Safety Net?
It is a specific list of items an examiner must follow at every crime scene.
What is the name of the test that analyzes whether or not the person's expectation of privacy was reasonable?
Katz Test
Which of the following scenarios would cause a search of a jpeg header to fail in locating the jpeg image?
None (user changes file extension to .dat, user changes file name, user embeds jpeg in another file)
Which native feature(s) of Windows To Go provides disk write blocking?
None of the Above (not read-only disk attributes or san policy 4-offline internal)
List the Order of Volatility of the following data types from most volatile to least volatile: Network state, RAM contents, Disk Contents, Running Processes
Order of Volatility: RAM contents, Network State, Running Processes, Disk Contents
What two levels are forensic analysis conducted on?
Physical and Logical
Which of the following image types is not compressed?
Raw (dd)
Disk Cloning in WinHex copies a defined number of _______ from a source drive to a destination disk.
Sectors
What is the name of the location where you place imaged data from a suspect's storage device?
Target media
A search is constitutional if it does not violate a person's reasonable expectation of privacy.
True
After the acquisition phase, hashing should be used to ensure the data (or copies of the original) have not changed.
True
As long as the forensic examiner is attempting to find data that is responsive to the warrant, the Fourth Amendment does not limit the techniques an examiner may use to examine a device.
True
Checksums and CRCs are not used to verify data in digital forensics because two different sets of data can have the same values.
True
Exceptions to having a warrant include consent, exigent circumstances, search during a lawful arrest, plain view, border searches, and a person is on parole.
True
File signatures do not always start at the first byte.
True
If the text is compressed, a standard string search will not find any matching hits.
True
Image verification is used to ensure that copies of the original image are identical to the original media.
True
In LiveView, you may boot from a disk image that is split or chunked as long as you select all of the pieces.
True
In a private sector business, employers or co-employees of common authority may provide consent to law enforcement for a search of an employee's area.
True
Installing a keylogger program is a covert method of obtaining a password.
True
Which of the following describes NAT Networking in VMWare?
Uses host NIC and shares IP address with host
Of the following operating systems, which needs files to have a file extension?
Windows 7
Which of the following is the correct order to prepare a target drive for an acquisition?
Wipe Drive, Partition Drive, Format Drive
According to the lecture, which type of file results in several repeated finds of the same data?
Zip files
What is the Helix (Linux) command to wipe a target drive?
dd
What is the difference between a physical and logical image?
A physical image is of an entire drive, while a logical image is of a single partition or set of files. Physical images are bootable when restored because it captures the MBR, unallocated space, slack space, etc. Logical images may or may not include deleted data.
Which of the following cannot be bookmarked in FTK?
All (data carved files, email attachments, text file with highlighted text)
What information cannot be used to conduct a search?
All can be used (file sizes, string search, file extensions, file creation dates)
In LiveView, you may boot from which of the following locations?
All of the above (physical disk, disk image file on encrypted network share, disk image file on local machine)
Which of the following should a Control Boot Disk NOT utilize?
An OS that allows writing to attached disks
Data in an E01 image is broken into blocks that have a default size of 512 sectors.
False
Even if a file is fragmented, you can use the defined space between the header and footer to carve the entire file.
False
Even if a ribbon cable is worn and bent, they are so reliable that they rarely cause errors when creating an image.
False
In which cases should agents obtain multiple warrants?
If agents are doing a network search that may obtain data in different locations.
To use the Index Search feature, you must first process the case but this is not necessary for Live Search.
True
The SHA1 algorithm takes as input a(n) __________ and produces an output of length __________.
length < 2^64 bits, 160 bit
Most forensic software has the ability to go to the exact physical sector marked as corrupted and identify which file(s) are located in those sectors.
True
Which of the following is not considered by agents in determining if exigent circumstances exist?
The total "value" of the evidence in the case is worth enough to save
For Windows XP machines, the local administrator is no longer the default Data Recovery Agent but there is still a requirement that one exists.
False
High heat does not damage electronic media.
False
If a computer requires a BIOS password, if you connect the hard drive to a forensic workstation it will still require the BIOS password to see the drive.
False
When using FTK Imager, it is not necessary to use a write-blocker because there is one built into this tool that automatically starts when you launch the program.
False
With SAFE Block To Go enabled and a target disk is blocked, you can still clean, partition, and format the drive using Diskpart.
False
What is the quick picks symbol?
Green pentagon
Which of the following is FALSE about verifying a RBS image?
Hashing tools can tell the user how many changes have been made on an image.
Which tab in FTK would show how many Microsoft Word 2000 documents were in a case?
Overview tab
Briefly discuss the importance of Trusted Binaries in terms of forensic acquisition.
The use of known good applications (also referred to as trusted binaries) to investigate or acquire a suspect host is important for a couple of reasons. Since many OS component tools (e.g. netstat, nbtstat, ipconfig etc.) are OS version dependent, it's important to have a toolkit with trusted versions of any such tools for all the OS versions you will encounter, because the tools on the suspect machine may be corrupt, missing, or maliciously tampered with.
One can view graphic files that are partially carved, but cannot view Microsoft application files that are partially carved.
True
One may adjust the carving size parameters up OR down and re-perform the data carve.
True
Orphaned objects are files/folders recovered, but the original parent folder is unknown.
True
The probable cause standard needed for warrants requires only a reasonable chance that contraband or evidence will be found.
True
To crack local account logon passwords you need the SAM and System file and for a domain account logon password you need the System and Security hives.
True
To ensure a tool is forensically sound, a computer forensic examiner should test and validate their own tools before using it on evidence.
True
While giving an expert testimony in court as a computer forensic analyst, one should only report their findings and not hypothesize on possible scenarios related to the case.
True
With Windows To Go, protected by SAFE Block To Go, you can use your favorite forensic tools, such as X-Ways, EnCase and FTK Imager.
True
Your actions in everything you do as a computer forensic examiner will impact the credibility of your testimony.
True
Which file type can FTK's Data Carving not find?
WPD (Word Perfect Documents)
All file types have a header.
False
In a live acquisition, your pre-acquisition hash value of your disk or partition should ALWAYS match against the hash of the capture data.
False
In a live acquisition, your process and results of your capture should always be reproducible.
False
In computer forensics, RBS stands for reliable bit stream.
False
In the Overview tab, the File Category categorizes files based on the header, not extension.
False
KFF stands for Known File Footer.
False
Linux Live CDs utilize software-write blocking.
False
LiveView will work with e01 and RBS images.
False
Once assigned to a case everyone has full access, regardless of user type.
False
Once consent is given to a person of authority to search, it cannot be withdrawn at any time during an investigation.
False
Regardless of a child's age, parents are always able to provide consent to searches on their children's computer.
False
String search hits will never be found on a fragmented file because search tools cannot interpret the file system information.
False
The Fifth Amendment limits the ability of government agents to search for and seize evidence without a warrant.
False
The Fifth and Tenth Circuits view the computer as a single container as opposed to treating individual files as separate containers.
False
The disadvantage of asymmetric-key algorithms is that they require a shared secret key. Whereas symmetric-key algorithms use separate public and private keys.
False
The logical image hash value and the physical image hash value will always be the same.
False
The only use of hash values is for data authentication, which means to prove two things are the same.
False
Unicode is 1 byte per character and ASCII is 2 bytes per character.
False
When at a crime scene, the computer forensic examiner is not required to follow proper Chain of Custody procedures because that is only for police officers.
False
When searching with the operating system, you can always find items such as system files and data in unallocated space.
False
Which of the following is not one of the write-blocking requirements?
The tool should be a hardware device as opposed to a software device.
Briefly identify two (2) situations in which a live acquisition would be considered over a "dead" or "cold" forensic acquisition. (Include examples of potential evidence that you may acquire in these situations)
1) We would consider a live acquisition if there was a risk of losing integral data if we were to proceed with a regular shutdown. For example, an evidence eliminator application may be installed to remove data at shutdown, or a pagefile may be set in the registry to wipe at shutdown. If we perform a regular shutdown we also run the risk of losing data not stored on the disk, such as RAM contents (which may contain important passwords or user information etc.), open ports, running processes, and logged on users. 2) Live acquisition should also be considered when dealing with Full Disk Encryption or open encrypted drives, since we would not be able to obtain cached passwords or passphrases in RAM if we were to perform a "cold" acquisition in this case.
How many binary files make up the DOS Controlled Boot Disk?
3
Which of the following is NOT true about E01 images?
A mismatch of one CRC will not affect the verification as long as the MD5 or SHA1 matches.
What operating system tool enables full disk or volume encryption?
Bitlocker
Which of the following is not true about Windows EFS?
Both (Exists on the FAT and NTFS partition, A new feature released with Windows XP is one can force a password change to log on to a system as a user and view the EFS encrypted files.)
Which of the following is NOT listed as a Pre-Processing Option in FTK?
Concatenate DriveFreeSpace
What does CRC stand for? How long is a CRC?
Cyclic redundancy check, 32 bits
A forensic examiner can only look at raw data at the logical level.
False
A logical image is bootable when restored in a program, such as VMWare, because it includes the MBR and partition tables.
False
A person still has Fourth Amendment Protections if their computer is at a repair shop.
False
As long as a warrant particularly describes the person or things to be seized, then it fulfills the Fourth Amendment.
False
Because of privacy laws, a police officer is not allowed to ask others for passwords used on their computer.
False
Bridge-networking should always be selected when restoring a seized hard drive image.
False
What does the Matlock approach imply?
If two people have equal joint access and control to a computer, only one person needs to give consent to a search even if the other is not present or objects.
Which of the following types of data is most volatile?
Registers, cache