ITP 375 Quizlet
In EnCase, if you have a file with a JPEG extension that is really a rich text file (RTF), what will be shown in the file signature column?
* Rich Text
Digital Evidence
Any information of probative value stored or transmitted in digital form.
Internal Investigation
Any type of investigation handled internally to an organization, prior to filing a formal report with law enforcement or court systems
Forensic Process: 6 A's
Assessment, acquisition, authentication, analysis, articulation, archival
How do we handle evidence?
Authentication of evidence, chain of custody, evidence validation
Computer: Contraband
Digital equipment, media, or data illegally obtained
Computer: Incidental to the Crime
Digital media is a storage repository of evidence of a crime
Recycle Bin
Every time a file is deleted into the recycle bin, two files are created, both with the same characters but preceded with either $R or $I. $R is the actual deleted file, $I is the metadata.
RAW Duplicate
Exact binary copy from one disk onto another disk --> fastest way to make a copy. The drawback is that you must use a write blocker on the copy at all times. You must verify that the copy has not been altered and must treat the entire disk as evidence.
Master Boot Record
Limited to 4 physical partitions, info at the beginning of the disk at the first physical sector (sector 0)
Metadata vs Data
Metadata is "data about data," otherwise info that is useful or necessary for the file system to organize the data. Completely independent of the stored data for the file, and dependent on the type of file system used. Data is the actual file contents in binary/hex form.
Cluster
Minimum file size for allocating data --> always 4KB
Forensic Process: Archival
Storage of the forensic media, notes, and report
Best Evidence
The most complete copy of evidence that was obtained and that is most closely linked to the original evidence. If the original drive is in your possession, then that is the best evidence along with the original evidence.
Full Format
Theoretically wipes the partition --> doesn't always though
True or false: A volume must have a configured file system
True
FTK Imager computes which hashes for a forensic image?
MD5 and SHA1
Forensic Process: Acquisition
Making your forensic duplicate of all digital media and making sure the tools used are designed/approved for forensics
Linux File Systems
Many different file systems, will talk about Ext2, Ext3, and Ext4. They implement Inodes
Which registry key contains an entry for the drive letter recently assigned to a flash drive?
MountedDevices
Which of the following is an invalid regular expression for finding USC email addresses? @usc.edu [a-zA-Z][a-zA-Z\-\.\_]+@usc\.edu [a-zA-Z\-\.\_]+@usc\.edu +@usc\.edu
@usc.edu
Working Copy of Evidence
A copy to work on that is not tracked by evidence custodians, especially in case anything goes wrong and you alter the data on the working copy
Write-Blockers
A device that stops the host system from sending a write signal to any connected drive
FAT Directory Entries
A file which contains a listing of the contents of a directory (file name, extension, attribute flags, creation date/time, last accessed, last written/modified, starting cluster)
File Systems
A way of organizing the data on a disk, containing some abstract structure to map files to allocation units on a disk
A non-unique serial number will have which character as the second character of the number?
An ampersand (&)
Evidence Image Files (Bit-Stream Image)
Bit-for-bit duplicate otherwise known as a RAW duplicate (exact binary copy from one disk onto another). Can be stored as a RAW binary on a duplicate disk, or as a file on a destination disk (DD image, EnCase Image File E01).
Encase Image File
Bitstream separated into 32K of data (64 sectors) called chunks. Every 32K chunk has a 4-byte CRC checksum which is verified against the data every time the file is opened. Allows for compression and encryption of data. Pros are that single-bit changes can be isolated to a 32K set of data, allowing the rest of the data to be pseudo-verified. Cons are that it is slower to create.
FAT Directory Table
Keeps track of all files contained in the directory. When a file is deleted, that entry is simply marked as "deleted" in the table. Undeleting a file in FAT means going through the directory table, following the cluster chain, and seeing if clusters have appropriate data
Inode
Like a pointer in programming which points to a block on the disk, pointing to the actual stored data or to a new table of inodes which point to indirect blocks. Files in Unix and Linux are pointers to inodes.
Windows 7 AppData
Local: Application data specific to a computer. LocalLow: Supposed to be for internet browsers, but no one really uses it. Roaming: Application data that can move with a user account across a domain.
Internet History
A chronology of sites visited by a user.
Quick Format
Only writes the new file system information onto the partition
Volume
Partition with a single file system configured
Digital Media
Physical object(s) on which digital data can be stored
Hard Drive - Sectors
Pie-shaped wedges of tracks, 512 bytes for magnetic media (new hard drives have 4096 byte sectors). Smallest unit of data that can be read or written from magnetic storage media
Forensic Process: Analysis
Processing of the forensic duplicate, looking for evidence to support the case
Cookies
Saved information on a user's system for internet servers to track user information, such as shopping carts and session tokens
All USB Devices have registry entries in the USB Registry Key
True
File Extensions
Used by humans and operating system to identify the file type and program to open the file
Optical Media
Usually CD-ROM, DVD, Blu-ray. Uses a reflective surface as the digital storage medium. Writing data must be done to the entire disc at once, and thus it is inherently read-only and does not need a write blocker.
Magnetic Media
Usually floppy disks and hard disks. A magnetized medium holds a series of charges, either positive or negative. Pros: Very large storage capabilities, data can be overwritten infinitely without being reset, fast sequential reads. Cons: Very slow access times, very slow random read/write, data must be reorganized to be sequential (defragmentation)
Flash Media
Usually solid state drives.
Bookmarks
Webpages marked as favorite for quick navigation
Unallocated Space
When a file is deleted in Windows, the clusters that contain the file do not get wiped. They get grouped into space available for file allocation, called "unallocated space". Undeleting files is going through unallocated space and trying to find actual files or file fragments.
Windows Pagefile
When your computer does not have enough memory to store all of the data from the applications you have open, it uses a swap file, i.e. a file on the computer for storing temporary memory --> pagefile.sys. Hit or miss, great for finding emails!
Which of the following descriptor fields is not required for a USB flash drive? iSerialNumber idProduct bcdDevice idVendor
iSerialNumber
Little Endian
Data held in primary memory are arranged in two bits that put the rightmost bit in the earliest memory positions.
Golden Rules of Digital Forensics
1. Protect and preserve the evidence. 2. Always assume the case is going to court.
Acquisition methodology
Demonstrating that your actions had as little impact on the evidence as possible
Which of the following file types does not have a file header?
Text (TXT)
In NTFS, where is the file metadata located?
The MFT
In FAT, where is the file metadata stored?
The directory entry
How is evidence admissible and relevant?
The judge determines what evidence is or is not admissible based on rules of evidence. Evidence is relevant if it has any tendency to make a fact more or less probable than it would be without the evidence and the fact is of consequence in determining the action.
Which of the following is not a registry hive in Windows 7? CONFIG SAM SOFTWARE
CONFIG
Recovering Partitions
Can recover a deleted partition by looking for the volume boot record, i.e. the first sector of the partition, containing the boot instructions for loading the partition
Printer Spool Files
Contains information about printing items, such as the shadow file that contains info about the print job or the spool file that contains the actual file to print
How are computers used in crimes?
Contraband, tool for the crime, incidental to the crime
Volume Boot Record
Created at the first sector of the partition containing the partition and volume information, including file system type and other metadata about volume. When you format a disk, you are writing a file system onto a partition, turning it into a volume
Big Endian
Data held in primary memory are arranged in two bits that put the leftmost bit in the earliest memory positions.
Forensic Process: Articulation
Drafting and submitting your report
What evidence file contains CRC checksum of every 32 KB of data to identify which 32 KB of data has become corrupted in the event of a hash verification failure?
E01 File
If I had the following Hex number -- 85 13 3F EE -- how would it be written in memory in little-endian?
EE 5F 13 85
Forensic Process: Authentication
Ensure that any duplicates made during the acquisition phase are verified to be perfect duplicates --> using hashes to ensure the original media and the duplicate are the same
FAT File System
FAT: File Allocation Table. Uses a construct called file allocation table which keeps track of clusters that are free for use, occupied, and linked to another cluster. Stores information in directory entries.
Which of the following is not a tool in Kali Linux to create a forensic image file?
FTK Imager
True or False: By default, EnCase's built-in GREP expressions for credit cards eliminate most false positives.
False
True or false: A flash drive without a unique serial number will not have an entry in the USBSTOR registry hive
False
True or false: A partition must have a configured file system.
False
True or false: An email header's server list is read from top to bottom, sender to receiver.
False
Forensic Process: Assessment
Gathering information about the case. 1. Determine your scope 2. Identify digital media 3. Mark and protect the media 4. Establish chain of custody
Which of the following is not a root registry key? HKEY_SYSTEM HKEY_LOCAL_MACHINE HKEY_CURRENT_CONFIG HKEY_CURRENT_USER
HKEY_SYSTEM
Computer: Tool(s) of the crime
Hacking cases
NTFS (New Technology File System)
Has a master file table (MFT) that is used for metadata and file allocation. Stores filename, attribute, date/times, as well as clusters allocated to that particular file. Uses a file called bitmap to store available cluster information. Just like FAT, when a file is deleted, it is marked deleted and can be unmarked.
Evidence Disposal
Initial disposal: working copies are returned to evidence custodian, who wipes them clean. Final disposal: all backups and best evidence can be wiped after a period of time
Civil Investigation
Investigation of a civil case: lawsuit between private entities, usually involving private property rights
Criminal Investigation
Investigation of a criminal case: lawsuit brought by a prosecutor employed by the government that charges a person with the commission of a crime
Partition
Set of consecutive sectors on a disk
LNK Files
Shortcuts, found everywhere but especially in the Recent folder.
File Signatures or Headers
Some form of unique identifier in the beginning of the data identifying to a program the way that the data is encoded --> part of the data, not the metadata
Slack Space
Space between logical end of the file and actual end of the file. Hard disk is broken down into clusters (8 sectors, 4KB)
Daubert Standard
Standard used by a trial judge to make a preliminary assessment of whether the expert's scientific testimony is based on reasoning or methodology that is scientifically valid
DD Image File
Takes binary information from the source and writes it into a file on the destination. Contains the exact binary of the evidence disk, but can be encapsulated in a file. Pros are that everything can read a DD file, it's fairly fast to create, and it can be segmented. Cons are that there is no way to detect changes without reverification, metadata is not stored, and any change to the DD file will result in a verification failure.
Internet Cache
The saved HTML webpages and image assets to allow for quick webpage loading by the browser