WGU C840
Deleted Files
When a file is deleted on the iPhone/iPad/iPod, it is actually moved to the .Trashes\501 folder
The /etc Directory
Where configuration files are located
EnCase
Widely used forensic toolkit -From Guidance Software -The evidence files is an exact copy of the hard drive. EnCase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alterations or errors
How to unlock an iPhone
XRY
FTK
-From AccessData -Particularly useful at cracking passwords -Also provides tools to search and analyze the Windows Registry
Eudora
.mbx
Where do deleted Apple iphone/ipad files go?
/.Trashes/501
Mac OS Command Prompt
A BASH shell so you can execute Linux commands
SQL Injection
An attack that targets SQL servers by injecting commands to be manipulated by the database.
What uses AFF file format?
Autopsy and Sleuth Kit -Stands for Advance Forensic File Format
Which tool makes a bit-by-bit copy of a windows 8 phone?
Cellebrite's UFED
CALEA
Comms Assistance for Law Enforcement Act- can tap lines if suspected of criminal activity. Includes other forms of electronic communication, including signaling traffic and metadata
Sarbanes-Oxley Act of 2002
Contains many provisions about record keeping and destruction of electronic records relating to the management and operation of publicly held companies
Secure the Evidence
Critical in maintaining the chain of custody.
oracle database format
DD-MON-YY
4th Amendment
Freedom from unreasonable searches and seizures
How does windows store pw?
Hash
Types of Drive Connections
Integrated Drive Electronics *(IDE)* Extended Integrated Drive Electronics *(EIDE)* Parallel Advanced Technology Attachment *(PATA)* Serial Advanced Technology Attachment *(SATA)* Serial SCSI
Consent to access property
Only the actual property owner can grand consent, or someone who has legal guardianship of the owner
.odt format
Open Office File, often created with Apache OpenOffice Writer and LibreOffice Writer
Which tool can do a workflow check of steganography?
Quickstego or Invincible Secrets?
Where does windows store pw?
SAM
Exchange File Format
SEF?
Which storage tech uses NAND?
SSD
HKEY_LOCAL_MACHINE\SAM
Sam, Sam.log, Sam.sav
Can you undelete in Mac OS?
Similar thing occurs as in Windows where the file is removed and the file system marks those clusters available, the space is temporarily available -Even if the data is overwritten, data may still exist in unallocated space and in index nodes
COPPA
The Children's Online Privacy Protection Act of 1998 (COPPA) protects children 13 years of age and under from the collection and use of their personal information by websites. It is noteworthy that COPPA replaces the Child Online Protection Act of 1988 (COPA), which was determined to be unconstitutional.
CSA
The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
ECPA
The Electronic Communications Privacy Act- establishes the guidelines for e-mail monitoring by employers and employees.
GUID Partition Table
The GUID Partition Table is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Mac OS machines can boot only from drives that use the GUID Partition Table
Law for being able to collect GPS location?
The Wireless Communications and Public Safety Act of 1999. Broadly, it allows for collection and use of "empty" communications (nonverbal and nontext communications)
Payload
The information to be covertly communicated through steganography -Message you want to hide
Security log
The most important log from a forensics point of view. It has both successful and unsuccessful login events
Steganalysis
The process of analyzing a file or files for hidden content -Both FTK and EnCase both check for steganography
Internet Forensics
The process of piecing together where and when a user has been on the internet. For example, you can use internet forensics to determine whether inappropriate internet content access and downloading were accidental.
Carrier
The signal, stream, or file in which the payload is hidden in Steganography
Channel
The type of medium used. This may be a passive channel, such as phones/videos/sound files or an active channel like VoIP/video streaming
Data Doctor
This product recovers all Inbox and Outbox data and all contacts data, and has an easy-to-use interface. Most important, it has a free trial version, but there is a cost for the full version. It is available from http://www.simrestore.com/.
Pwnage
This utility allows you to unlock iPod Touch and is available from pwnage.com
Ophcrack
Uses rainbow tables to crack Windows local machine passwords
18 US 2252B
Law prohibiting misleading domain names
LSB
Least Significant Bit -One of the most common methods of performing steganography -Changes the last bit in a byte so changes 11111111 to 11111110
Whats /var/log/lpr?
Linux printer log
Email Files
Local storage archives are any archives that have an independent archive format from a mail server -.pst (outlook) -.ost (Offline Outlook Storage) -.mbox or .dbx (Outlook Express) -.mbox (Eudora)
The /Users/<user>/.bash_history log
Look for terminal history like when someone used a command like rm
Choosing a tool for disk investigation
Make certain that it has widespread acceptance and that there are no known issues with its use
Warrants
NOT needed when evidence is in plain sight
Which type of data are the authorities allowed to get from service providers?
subscriber information, metadata, and transactional data