MIDTERM STUDY SET ITSY 2343
Which of the following Linux system files contains hashed passwords for the local system?
/etc/shadow
On most Linux systems, current user login information is in which of the following locations?
/var/log/utmp
Clusters in Windows always begin numbering at what number?
2
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
In FAT32, a 123 KB file uses how many sectors?
246 sectors. 123 x 1024 bytes per KB = 125,952 total bytes in the file. 125,952 bytes / 512 sectors per cluster = 246 sectors
How many sectors are typically in a cluster on a disk drive?
4 or more
Sectors typically contain how many bytes?
512
What is a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
Hard links are associated with which of the following?
A specific inode
Which organization has guidelines on how to operate a digital forensics lab?
ASCLD
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed, type of RAID server (0, 1, 5, and so on), whether the acquisition tool can handle RAID acquisitions, whether the analysis tool can handle RAID data, and whether the analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets
In a private-sector environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer
Authorized Requester
The file where the bit-stream copy is stored
Bit stream image
Explain the differences in resource and data forks used in the Mac OS.
Both contain a file's resource map and header information, window locations, and icons. The data fork stores a file's actual data, however, and the resource fork contains file metadata and application information.
If a suspect computer is running Windows 7, which of the following can you perform safely?
Browsing open applications
How does the Mac OS reduce file fragmentation?
By using clumps, which are groups of contiguous allocation blocks
When validating the results of a forensics analysis, you should do which of the following?
Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find.
List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
20. What do you call a list of people who have had physical possession of the evidence?
Chain of custody
Describe what should be videotaped or sketched at a digital crime scene.
Computers, mobile devices, cable connections, overview of scene—anything that might be of interest to the investigation
If a suspect computer is found in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.)
Coordinate with the HAZMAT team. . Assume the suspect computer is contaminated.
An expert who analyzes digital evidence and determines whether additional specialists are needed
DES Digital Evidence Specialist
What are the functions of a data run's field components in an MFT record?
Data runs have three components; the first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value (the LCN or the VCN).
With remote acquisitions, what problems should you be aware of? (Choose all that apply.)
Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs
The process of converting raw images to another format is called which of the following?
Demosaicing
12. What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer and list the software needed for the examination.
A professional who secures digital evidence at the scene and ensures its viability while transporting it to the lab
Digital Evidence First Responder
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise and ProDiscover Incident Response
Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive.
EnCase, SafeBack, and SnapCopy
Of all the proprietary formats, which one is the unofficial standard?
Expert Witness, used by Guidance Software EnCase
15. You should always prove the allegations made by the person who hired you. True or False?
False
7. Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
A JPEG file is an example of a vector graphic. True or False?
False
A forensic workstation should always have a direct broadband connection to the Internet. True or False?
False
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Copyright laws don't apply to Web sites. True or False?
False
Data can't be written to disk with a command-line tool. True or False?
False
Digital forensics and data recovery refer to the same activities. True or False?
False
Digital forensics facilities always have windows. True or False?
False
Evidence storage containers should have several master keys. True or False?
False
FTK Imager can acquire data in a drive's host protected area. True or False?
False
Graphics files stored on a computer can't be recovered after they are deleted. True or False?
False
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?
False
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?
False
Linux is the only OS that has a kernel. True or False?
False
Only one file format can compress graphics files. True or False?
False
Small companies rarely need investigators. True or False?
False
The ASCLD mandates the procedures established for a digital forensics lab. True or False?
False
The plain view doctrine in computer searches is well-established law. True or False?
False
When investigating graphics files, you should convert them into one standard format. True or False?
False
You should always answer questions from onlookers at a crime scene. True or False?
False
Zone bit recording is how manufacturers ensure that the outer tracks store as much data as possible. True or False?
False
21. Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
False. All data collected before an attorney issues notice of attorney-client privilege is subject to discovery by opposing counsel.
EFS can encrypt which of the following?
Files, folders, and volumes
Hash values are used for which of the following purposes?
Filtering known good files from potentially suspicious data. Validating that the original data hasn't changed
2. Police in the United States must use procedures that adhere to which of the following?
Fourth Amendment
8. List two types of digital investigations typically conducted in a business environment.
Fraud, embezzlement, insider trading, espionage, and e-mail harassment
Forensic software tools are grouped into _________ and _______________ applications.
GUI, command line (or CLI)
List two popular certification systems for digital forensics.
IACIS, HTCN, EnCE, ISFCE
The standards for testing forensics tools are based on which criteria?
ISO 17025
Evidence that indicates a suspect is guilty of the crime with which he or she is charged
Inculpatory Evidence
What methods do steganography programs use to hide data in graphics files?
Insertion. Substitution
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices
What methods are used for digital watermarking?
Invisible modification of the LSBs in the file. Layering visible symbols on top of the image
What are the major improvements in the Linux Ext4 file system?
It added support for partitions larger than 16 TB, improved management of large files, and offered a more flexible approach to adding file system features.
What are the three rules for a forensic hash?
It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
It enables you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive.
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.
What's the Disk Arbitration feature used for in Mac OS X?
It's used to disable and enable automatic mounting when a drive is connected via a USB or FireWire device.
To recover a password on a Mac system, which tool do you use?
Keychain Access
Which of the following techniques might be used in covert surveillance? (Choose all that apply.)
Keylogging. Data sniffing
The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence, and have access to evidence
Line of Authrity
Bitmap (.bmp) files use which of the following types of compression?
Lossless
A JPEG file uses which type of compression?
Lossy
List two hashing algorithms commonly used for forensics purposes.
MD5 and SHA-1
The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply.)
Making necessary changes in lab procedures and software, Ensuring that staff members have enough training to do the job, Knowing the lab objectives
What does MFT stand for?
Master File Table
Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?
Most companies keep inventory databases of all hardware and software used.
Some clues left on a drive that might indicate steganography include which of the following?
Multiple copies of a graphics file. Graphics files with the same name but different file sizes. Steganography programs in the suspect's All Programs list
Which organization provides good information on safe storage containers?
NISPOM
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB thumb drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
No data from RAM is copied to RAM slack on a disk drive.
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
Areal density refers to which of the following?
Number of bits per square inch of a disk platter
In JPEG files, what's the starting offset position for the JFIF label?
Offset 6
What's the ProDiscover remote access utility?
PDServer
What items should your business plan include?
Physical security items, such as evidence lockers; how many machines are needed; what OSs your lab commonly examines; why you need certain software; and how your lab will benefit the company (such as being able to quickly exonerate employees or discover whether they're guilty).
How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?
ProDiscover provides 256-bit AES or Twofish encryption with GUIDs and encrypts the password on the suspect's workstation.
9. What is professional conduct, and why is it important?
Professional conduct includes ethics, morals, and standards of behavior. It affects your credibility.
The verification function does which of the following?
Proves that two sets of data are identical via hash values
The reconstruction function is needed for which of the following purposes?
Re-create a suspect drive to show what happened. Create a copy of a drive for other investigators. Re-create a drive compromised by malware.
When you carve a graphics file, recovering the image depends on which of the following skills?
Recognizing the pattern of the file header content
A log report in forensics tools does which of the following?
Records an investigator's actions in examining a case
What three items should you research before enlisting in a certification program?
Requirements, cost, and acceptability in your chosen area of employment
Digital pictures use data compression to accomplish which of the following goals?
Save space on a hard drive. : Produce a file that can be e-mailed or posted on the Internet.
The legal act of acquiring evidence for an investigation
Search and Seizure
A form that dedicates a page for each item retrieved for a case; it allows investigators to add more detail about exactly what was done to the evidence each time it was taken from the storage locker
Single Evidence Form
Which of the following describes the superblock's function in the Linux file system?
Specifies the disk geometry and available space. Manages the file system, including configuration information
6. List two items that should appear on a warning banner.
Statements that the organization has the right to monitor what users do, that their e-mail is not personal, and so on
What name refers to labs constructed to shield EMR emissions?
TEMPEST
According to ISO standard 27037, which of the following is an important factor in data acquisition?
The DEFR's competency. Use of validated tools
Which of the following certifies when an OS meets UNIX requirements?
The Open Group
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
The file is unencrypted automatically.
Which of the following is true of most drive-imaging tools?
They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive.
Which of the following is true about JPEG and TIF files?
They have different values for the first 2 bytes of their file headers.
What does the Ntuser.dat file contain?
This user-protected storage area contains the MRU files list and desktop configuration settings.
4. What's the purpose of maintaining a network of digital forensics specialists?
To develop a list of colleagues who specialize in areas different from your own specialties in case youneed help on an investigation.
19. Why should you critique your case after it's finished?
To improve your work
14. Why should you do a standard risk assessment to prepare for an investigation?
To list problems that might happen when conducting an investigation, which can help in planning your case
Why is physical security so critical for digital forensics labs?
To maintain the chain of custody and prevent data from being lost, corrupted, or stolen
17. Why should evidence media be write-protected?
To make sure data isn't altered
Why was EFI boot firmware developed?
To provide better protection against malware than BIOS does
10. What's the purpose of an affidavit?
To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant
16. For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
A live acquisition is considered an accepted practice in digital forensics. True or False?
True
An employer can be held liable for e-mail harassment. True or False?
True
An image of a suspect drive can be loaded on a virtual machine. True or False?
True
Computer peripherals or attachments can contain DNA evidence. True or False?
True
Data blocks contain actual files and directories and are linked directly to inodes. True or False?
True
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
True
EnCase, FTK, SMART, and iLookIX treat the image file as though it were the original disk. True or False?
True
Hard links work in only one partition or volume. True or False?
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
True
If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
True
In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
True
One reason to choose a logical acquisition is an encrypted drive. True or False?
True
The primary hash the NSRL project uses is SHA-1. True or False?
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or False?
True
What is the space on a drive called when a file is deleted? (Choose all that apply.)
Unallocated space. Free space
List two features NTFS has that FAT does not.
Unicode characters, security, and journaling.
To determine the types of operating systems needed in your lab, list two sources of information you could use.
Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company
Hashing, filtering, and file header analysis make up which function of computer forensics tools?
Validation and verification
Which of the following is the main challenge in acquiring an image of a Mac system?
Vendor training is needed. You need special tools to remove drives from a Mac system or open its case.
The decision returned by a jury
Verdict
Virtual machines have which of the following limitations when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
3. The triad of computing security includes which of the following?
Vulnerability/threat assessment, intrusion detection and incident response, and digital investigation
Text displayed on computer screens when people log on to a company computer; this text states ownership of the computer and specifies appropriate use of the machine or Internet access
Warning Banner
As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.)
You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
Which of the following describes plist files?
You must have a special editor to view them. They're preference files for applications.
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.
You need to examine a copy of the unknown file with a hexadecimal editor to find the hex code for the first several bytes of the file. Then you need to examine other known file types with similar or identical header values to see whether you can confirm its file type.
13. List three items that should be on an evidence custody form.
case number, name of the investigator assigned to the case, nature of the case, location where evidence was obtained, description of the evidence, and so on.
What does CHS stand for?
cylinders, heads, sectors
List three subfunctions of the extraction function.
data viewing, keyword searching, decompressing, carving, decrypting, and bookmarking.
In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct?
dcfldd if=image_file.img of=/dev/hda1
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
determine whether there's enough electrical power and lighting and check the temperature and humidity at the location
18. List three items that should be in your case report.
explanation of basic computer and network processes, a narrative of what steps you took, a description of your findings, and log files generated from your analysis tools.
What are two advantages of the raw format?
faster data transfer speeds, ignores minor data errors, and most forensics analysis tools can read it.
List three items stored in the FAT database.
file and directory names, starting cluster numbers, file attributes, and date and time stamps.
What does a sparse acquisition collect for an investigation?
fragments of unallocated data in addition to the logical allocated data
In the Linux dcfldd command, which three options are used for validating data?
hash, hashlog, and vf
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
initial-response field kit
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
lossless
Hardware acquisition tools typically have built-in software for data analysis. True or False?
most are used only for acquisition.
11. What are the necessary components of a search warrant?
must specify who, what, when, and where—that is, specifics on place, time, items being searched for, and so forth—and include any supporting materials (affidavits and exhibits, for example). In addition,it must be signed by an impartial judicial officer. In many cases, it can also limit the scope of what can be seized.
What does a logical acquisition collect for an investigation?
only specific files of interest to the case
What's the main goal of a static acquisition?
preservation of digital evidence
Name the three formats for digital forensics data acquisitions.
raw format, proprietary formats, and Advanced Forensic Format (AFF)
Typically, a(n) ____________ lab has a separate storage area or room for evidence.
regional
What are two and disadvantages of the raw format?
requires equal or greater target disk space, doesn't contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.
In Linux, which of the following is the home directory for the superuser?
root
Commingling evidence means what in a corporate setting?
sensitive corporate information being mixed with data collected as evidence
What should you consider when determining which data acquisition method to use?
size of the source drive, whether the source drive is retained as evidence, how long the acquisition will take, and where the disk evidence is located
List three items that should be in an initial-response field kit.
small computer toolkit, large-capacity drive, IDE ribbon cables, forensic boot media, laptop IDE 40-to-44 pin adapter, laptop or portable computer, FireWire or USB dual write-protect external bay, flashlight, digital camera or 35mm camera, evidence log forms, notebook or dictation recorder, evidence bags (antistatic bags for digital devices), evidence labels, tape, tags, permanent ink marker, USB drives, or large portable hard drive
Why is it a good practice to make two images of a suspect drive in a critical investigation?
to ensure at least one good copy of the forensically collected data in case of any failures
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
to minimize how much you have to keep track of at the scene
Large digital forensics labs should have at least ______ exits.
two
In forensic hashes, a collision occurs when ____________________.
two different files have the same hash value
What's the most critical aspect of digital evidence?
validation