certified computer forensic study set

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

A ________ is any security event that warrants activation of an incident response team to manage the event.

security incident

_____; Contains data concerning print jobs.

spl

The method of cryptography that hides a message in another file, such as a WAV file or BMP is called:

steganography

Recording the CMOS information, especially the __________, will be helpful in correlating similar temporal data during the analysis phase of the investigation.

time and date

What is the Safe Harbor Rule?

A provision that prohibits sanctions for loss of electronic information if it was lost due to routine, good faith operation of the system.

FAT is defined as

A table created during the format that the operating system reads to locate data on a drive

Section 1029 of Title 18 of the United States Code focuses on access devices. An access device is each of the following except:

A teletype machine

What is the extension that is used to apply a covert methodology to a file orexecutable?

ADS

What is the name of the function that can be used to attach or hide text or other executable in an existing file such that Windows or DOS related commands cannot see this file?

ADS

What is the name of the function that can be used to attach or hide text or other executable in an existing file such that windows or DOS related commands can't see this file?

ADS

____ data is information readily available and accessible to the end-user.

Active data

Which of the following was not a reason to upgrade from the FAT16 file system to the FAT32 file system?

Added security benefits

When is comes to physical evidence, you should collect

All the answers listed Items removed from the trash All computer equipment, including peripherals Cables

Which operating systems support the FAT32 file system? (Choose two)

All versions of Windows ME All versions of Windows XP

Which operating systems support the Fat32 file system? (Choose two)

All versions of Windows XP All versions of Windows ME

When it comes to actual rules of evidence, electric records are handled the same as paper records with the exception that electronic records are recognized as being more susceptible to _____.

Alteration

NTFS Alternate Data Streams is the ability to append data to existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Which of the following is true about Alternate Data Streams?

Alternate Data Streams are not detectable using built-in Windows tools.

Courts have also ruled that under any circumstances, a copy (or duplicate) of digital evidence is admissible as an original as long as someone can what?

Authenticate it

Courts have ruled that under any circumstances, a copy (or duplicate) of digital evidence is admissible as an original as long as someone can what?

Authenticate it

If evidence cannot be _____, then it cannot be admissible in court

Authenticated

Creating 'digital fingerprints' or cryptographic checksums is part of which phase of the Alpha 5

Authentication

_____: It is essential to preserve the authentication of the acquisition of the digital evidence.

Authentication

What is the BIOS?

BIOS stands for Basic Input Output System, and is a combination of low-level software and drives that function as the interface, intermediary, or layer between a computer's hardware and its operating system.

____ should include a concise history, full identification of the authorizing entity, legal caption and all involved parties, relevant dates and times, full identification of the examiners, and account for the examiner's qualifications.

Background

When duplicating media, authentication (hashing) procedures should take place:

Before and after duplication

Case Management is vital to your lab protocol. Which one of the following does NOT define the elements of 'Case Management?'

Begin your analysis on the evidence collected.

What is the deductive method of analysis in which the convergence of the evidence is the basis of fact finding rather than an inductive method?

Behavioral Evidence Analysis

_____ concerns matching specific outcomes with stated scenarios.

Validation Review

The study of why certain people are victims of crime and how lifestyles affect the chances that a certain person will fall victim to a crime is called

Victimology

What settings must you change with Windows Explorer to be able to view the thumbs.db file?

View All Files

What setting must you make with Windows Explorer to be able to view the thumbs.db file?

View Hidden Files

Residual data may also be found in 'swap file space' on a disk. Swap file space is based on the concept of what?

Virtual Memory

Every employer should keep up to date documented policy and procedures regarding their electronic data. If they don't follow this protocol which one of the following is true?

Vital trade secrets can be leaked out of your company via email. Employees have an expectation of privacy

What is the first sector on a volume called?

Volume boot record or sector

What are the contents of the Temporary Internet files?

Web mail artifacts Web pages files Index.dat files that are used to manage cached files

The concept of reconstructing an incident is fairly simple and the most crucial point of an event to all aspects of an investigation is?

When did it happen?

The ______ tool allows users to view and manipulate data on CDMA from LG, Samsung, Sanyo and others.

BitPim

There are several known Cryptographic Attacks, which one of the following is used to crack passwords.

Brute Force

This type of password cracking uses a trial and error method that uses all possible combinations of legal characters in sequence.

Brute Force

How is the chain of custody maintained?

By bagging evidence and sealing it to protect it from contamination or tampering By documenting what, when, where, how, and by whom evidence was seized By documenting in a log the circumstances under which evidence was removed from the evidence control room By documenting the circumstances under which evidence was subjected to analysis

How would you verify that the evidence file contains an exact copy of the source device?

By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file.

How is the chain of custody maintained?

By documenting the circumstances under which evidence was subjected to analysis By bagging evidence and sealing it to protect it from contamination or tampering By documenting, in a log, the circumstances under which evidence was removed from the evidence control room By documenting what, when, where, how, and by whom evidence was seized

Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn

Format the volume with the FAT file system. Give the volume a unique label to identify it. Create a directory to contain the evidence file. Wipe the volume before formatting to conform to best practices and avoid claims of cross-contamination.

Comparison is crucial when examining digital evidence. Which statement correctly defines comparison?

Comparing a piece of digital evidence with a control specimen to highlight unique aspects of the artifact

What is the process of comparing a piece of digital evidence with a control specimen, highlighting unique aspects of the artifact?

Comparison

What is the application of science to law?

Computer Forensics

Conduct which involves the manipulation of a computer or computer data, by whatever method, in order to dishonestly obtain money, property, or some other advantage of value, or to 'cause loss' is known as _______________.

Computer Fraud

What is the study of computers and how they relate to crimes?

Computer forensics

Which section of the report might include expert opinions if requested?

Conclusions

Concerns things like keeping the same message throughout the report and/or case, adhering to any given standards or policies, smoothing collaboration into a coherent, whole, continuous styles throughout, etc. These checks ensure the body of the work is coherent and meets all writing requirements, if any are imposed.

Content review

Subsequent to a search warrant where evidence is seized, what items should be left behind?

Copy of the search warrant List of items seized

Subsequent to a search warrant where evidence is seized, what items should be left behind (Select two that apply)

Copy of the search warrant List of items seized

Which criteria is not going to affect "data loss" when considering long term storage of magnetic media?

Cost

After the digital forensic investigator creates a bit-stream forensic image of the original evidence, what is the next step in processing the evidence?

Create an exact copy of the original evidence and store away the pristine copy.

Referring to types of crimes: _______ generally referred to any type of crime involving finances whereas _______crimes has to do with the right of the people.

Criminal Civil

As part of good forensic practice, a good idea to wipe a forensic drive before reusing it prevents ___________?

Cross-contamination

___________ is the discipline of making and breaking code.

Cryptology

An extension of an incident scene in the real world and the digital incident scene in itself is referred to as

Cybertrail

When a text file is sent to the Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted filename.

D=deleted, C=drive letter, 0=index number, file extension remains the same

The LanMan or Lan Manager used in Windows based operating systems to store passwords uses a hashing function of MD4. What is the encrypted hash output?

DES

Once the breadth of data to be collected has been agreed on to all parties' satisfaction, the next question is how to store it all. That process is called the _____.

Data Retention Policy

What is Meta Data?

Data about the data and it's data elements or attributes

Rule 26 (f) has provisions requiring that the initial disclosures and the initial 'meet-and-confer' sessions include a discussion of any issues relating to preserving discoverable information. All would apply with the exception of:

Data contained within the unallocated portion of the drive

When shutting down a computer, what information is typically lost?

Data in RAM memory Running processes Current network connections Current logged in users

Under the Windows OS, files have 3 dates attached to them. Pick the 3 timestamps that you'll find.

Date Last Accessed Date Modified Date Created

When were the Amendments to the Federal Rules of Civil Procedure announced?

December of 2006

When investigating computer crimes, the computer forensics practitioner should do all of the following EXCEPT:

Destroy evidence once the case goes to court

What is spoliation?

Destruction or failure to preserve electronic evidence during litigation or when litigation is evident

During reconstruction, digital evidence can be expected to provide all except:

Determine conclusions

During reconstruction, digital evidence can be used to provide all except:

Determine conclusions

The forensics process for mobile devices starts with _____.

Device seizure

Any information of probative value that is either stored or transmitted in binary form is referred to as?

Digital Evidence

_____ are agreements between parties that govern the scope and procedures necessary to testing and inspection of a digital device.

Digital Evidence Protocols

The _____ process is the entire efforts of a party to a lawsuit and their attorneys to obtain information before a trial through demands for production

Discovery

What is eDiscovery?

Discovery in legal proceedings where the information sought is in an electronic format

The fourth "Cardinal Rule" of digital forensics:

Document Everything

Prior to your analysis there are some questions you should ask: Which of the following questions would be appropriate to ask?

Does the client want a single forensics report for each piece of media examined or a report of the investigation that encompasses all media analyzed? How often does the client want a status report of your forensic examination? Which examiner should be assigned as the provider or author of the forensic report? Should the interim status reports be verbal or written?

EnCase is also the forensic tool of choice because it has passed the Daubert standards that are necessary for the admissibility of scientific evidence within the federal and State court systems. Which one of the following is NOT a factor when determining the reliability of the scientific techniques that are followed by the court system?

Does the expert sufficiently explain important empirical data?

A ________ is a counterpart produced by the same impression as the original, or by mechanical or electronic re-recording, or by other equivalent techniques that accurately reproduce the original. [Federal Rule of Evidence 1001(4)]

Duplicate

What is Paraben's mobile forensic software called?

E3:DS

What is ESI?

ESI is referred to as Electronically Stored Information Information that is stored in a medium from which it can be retrieved and examined.

When dealing with the legal implications of digital forensic evidence there is a standard or 'Best Evidence Rule. Which one of these is considered 'The Best Evidence Rule'?

EnCase evidence files are considered 'original' and therefore, suffices the Best Evidence Rule

The first and foremost goal of Operational Security is

Ensuring the physical safety of the team

What is the minimum number of cryptographic keys required for secure two-way communications in asymmetric key cryptography?

Four

In an NTFS file system, the date and time stamps recorded in the Registry are stored in:

GMT and converted based on the system's time zone settings

Once notified of litigation, parties must consider their obligation to take reasonable and _____ steps to preserve potentially relevant electronically stored information.

Good Faith

Can information stored in the BIOS ever change?

Yes

What is the first consideration when responding to a scene?

Your safety

A review of the entire body of physical evidence in a given case that questions all related assumptions and conclusions is referred to as

Equivocal Forensic Analysis

What is the process of familiarizing oneself with the digital evidence without leaping to conclusions?

Equivocal Forensic Analysis

What are some common security events of interest?

Espionage Malicious Code Denial of Service attacks

Which subsection is where you give an unambiguous listing of all submitted evidence and any derivatives thereof?

Evidence

Of the three major categories of evidence, which is considered evidence that neither supports not contradicts any theory?

Evidence of tampering

The value that equals one billion gigabytes is

Exabyte

Step 12 in the 20 basic steps of forensics is:

Examine unallocated and file slack space for digital evidence

Evidence that contradicts a given theory.

Exculpatory

What type of evidence contradicts a theory?

Exculpatory

Evidence that contradicts a given theory is called:

Exculpatory evidence

What is required for a duplicate of digital evidence to be admissible?

Expert authentication

What does "EXIF" stand for?

Extended Image Format

A computer forensic report should contain a "________" interpretation of the results from the various procedures applied to the evidence.

Factual

A file that is deleted from the command prompt or emptied out of the Recycle Bin is unrecoverable with forensic tools.

False

A standard DOS 6.22 boot disk does not make calls to the C:\volume of a hard drive when the diskette is booted.

False

An accurate printout of computer data always satisfies the best evidence rule.'

False

Any digital evidence that is obtained without a search warrant is inadmissible in court.

False

Assigning a different file extension to a file changes the file to an unstable state.

False

Assigning a different file extension to a file changes the file to an unusable state.

False

Criminal evidence is "a preponderance of the evidence" and Civil evidence is "beyond a reasonable doubt."

False

Each examiner should have one's own unique computer numbering scheme for documenting evidence.

False

In password recovery, a complex file would be classified as having a recovery time of 24 to 48 hours.

False

It is the responsibility of the client to take affirmative steps to preserve the electronic evidence when a request to produce any designated documents or electronically stored information to the courts.

False

The Fat32 file system is not supported on any version of DOS

False

The rules for digital evidence are different than those of paper files.

False

When documenting a crime scene, digital cameras should not be used because they can be altered with readily available programs.

False

When preparing a forensic report in anticipation of litigation, your report is protected under the 'work-product' doctrine.

False

When the MFT (Master File Table) or FAT (File Allocation Table) is deleted or damaged, the files on the partition are unrecoverable

False

When the Master File Table or File Allocation Table is deleted or damaged, the files on the partition are unrecoverable.

False

When using your incident response tools from the forensic toolkit that you have created, you should use the GUI interface that is associated with these tools instead of the console user interface

False

Without question, you should always pull the plug on a system instead of shutting it down normally.

False

This section is the bulk of the report as it details all the tools, forensic methods, and procedures undertaken.

Forensic Examination

What is the name of Access Data's software tool?

Forensic Tool Kit (FTK)

A Linux variant specifically crafted for forensic examination of live Mac system that have the Power PC processor chip.

Forensically sound, bootable CD for Power PC Mac Hardware

Having inadequate documentation of digital evidence can lead to what dire consequence?

Having the evidence found inadmissible

_____ evidence is any statement offered in evidence to "prove the truth of the matter asserted," unless made by the declarant while testifyng at the trial or hearing.

Hearsay

An 'objection' is a lawyer's protests about the legal propriety of a question which has been asked of a witness by the opposing attorney, with the purpose of making the trial judge decide if the question can be asked. A proper objection must be based on specific reasons for not allowing a question. Which one of the following is not part of an objection basis?

Hearsay (the answer would be what someone told the witness rather than what he/she knew first-hand) Calls for a conclusion (asking for opinion, not facts) Irrelevant, immaterial, incompetent (often stated together, which may mean the question is not about the issues in the trial or the witness is not qualified to answer) Leading (putting words in the mouth of one's own witness)

Disks and other media that are copies of the original evidence are considered what?

Hearsay evidence

What is WinHEx and what is it used for?

Hex editors let us view areas of the hard disk that are inaccessible using the OS (MBR, VBR, etc). WinHEx is a hex editor. Hex editors allow us recover deleted files using the legacy information in directories. Hex editors allow us to view and search for deleted files in unallocated space.

When a hacker compromises a system which one of the actions below will they attempt to perform?

Hide data in NTFS alternate data streams Shred files that may give clues to the hacker's actions Clear the event log Disable auditing

When creating your forensic 'ToolKit' which two of the following items are essential to your kit?

High-end processor Correct! Forensic Write blocker

____; A group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of the data in the hive.

Hive

What are some elements that we can use to assist us in attempting to hold asuspect accountable for a crime committed?

Hobby-related events Work-related events Gambling habits Use of peripheral devices

__; Should be implemented primarily on hosts for network-based IDS fails.

Host-base IDS

When handling computers for legal purposes, investigators increasingly are faced with four main types of problems, except:

How to keep your data and information safe from theft or accidental loss

What is located on a SIM card and can be up to twenty digits long and consist of an industry identifier prefix (usually 89 for telecommunications), country code, issuer identifier number, and individual account identification number?

ICCID

An example of academic style for computer sciences can be found within _____ papers.

IEEE

____; Should receive technical training, receive training on their responsibilities according to the response plan and associated policies, procedures, and understand the goals of incident response and how to report an incident.

IRT members

A good forensic investigator follows a defined process which involves the 6 A's: Assessment, Acquisition, Authentication, Analysis, Articulation, Archival. Which of the following is not part of the Assessment model?

Identify Repositories Establish Chain of Custody Protect and Preserve the data Determine Scope and quantity of the data

The introduction of digital evidence can be difficult because of the avenues open for challenging its relevance and reliability. Which of the following would be grounds to exclude the relevant evidence?

If its probative value is substantially out-weighed by the danger of unfair

Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?

In Unallocated Clusters In the pagefile.sys folder In the hiberfil.sys folder In Temporary Internet Files under Local Settings in the user's profile

A _____ is a model taken from the military.

Standard Operating Procedures or "SOPs"

What qualities should your forensics report have if you are not going to be considered an expert in the case?

State your findings

What is Steganography?

Steganography is the process of hiding data within a wav or image file. Steganography is the process of taking one piece of information and hiding it within another.

Which of the following are typical examples of "fruits of a crime"?

Stolen software Stolen Hardware

Symmetric ciphers that encrypt one character at a time are called:

Stream ciphers

If the number of sectors reported does not match the number reported by the manufacturer for the drive, what should you do?

Suspect DCO Suspect HPA Boot with Linen for DOS and switch to Direct ATA access Boot with LinEn in Linux

What file on a drive has the most evidentiary value?

Swap File

Sometimes referred to as "page files" are based on the process where memory storage is augmented by writing some contents to the disk.

Swap Files

Which event log contains events logged by the Windows NT/2k/XP system components? For example, the failure of a driver or other system component to load during startup is recorded in ___________

System Log

All of the following are part of the report EXCEPT:

Technical Jargon

_____ is a legal principle that holds an original document as superior evidence, and a copy or facisimile as secondary evidence.

The Best Evidence Rule

All hearsay exemptions for digital evidence are detailed in which document?

The Federal Rule of Evidence

What is another resource besides Microsoft's Computer Dictionary that can be used to find standardized terminology for technology devices.

The Sedona Conference Glossary

What problems do you foresee if you draw a conclusion in your report but do not reference the file that led you to that conclusion?

The evidence could be found in-admissible

Why is it challenging to collect and identify computer evidence to be used in a court of law?

The evidence is mostly intangible.

When presenting digital evidence, you should consider using Charts, maps and models. Which of the following is not true about this statement?

The information is vital to your presentation and is all you need to present a compelling case.

A file's physical size is?

The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster

Which of the following is incorrect?

The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.

If a phone is found submerged in liquid during a seizure, you should remove the battery and seal it in an appropriate container along with what else?

The same liquid

What is the number one reason why external threats are difficult to investigate?

The significant variety of network topologies and access to same

Which statement is correct regarding Criminal Law?

The victim is "society" or the State

Dictionary attacks are limited by:

The words in the wordlist

Computer forensic practitioners investigate incidents which involve end-users who can be best described as 'insiders'. These people are usually in the position of trust. Which of the following are examples of internal theft? (Choose all that apply)

Theft of proprietary data Using company servers to distribute contraband

If an examiner were asked for "Curriculum Vitae," what should he/she be expected to produce?

Their resume of qualifications and experience in forensics

Why is it preferred that the acquisition be conducted in the forensic laboratory? (Choose all that apply)

There is less risk of "cross-contamination" in a controlled laboratory setting The lab is a "controlled" environment, usually void of distractions The lab maintains additional resources not usually available "on-scene"

What are some of the reasons eDocuments are such a problem when litigation arises?

They often continue to exist despite the user's intention to destroy them The metadata associated with them leaves a trail of evidence

What does TDMA stand for?

Time Division Multiple Access

Culpability means

To deserve the blame for a crime

Why is it important for a lab to have established and documented SOP, QA, and Separation of Duties?

To ensure the believability of the collected data

It is important for a forensic lab to establish well documented Policies and Procedures. Which is the most appropriate reason why this would be important?

To establish well documented rules that are used to collect and process data

What is the purpose of an eDiscovery Liaison?

To facilitate a list by content and location of ESI you expect to use in your case

What is the primary objective of data classification schemes?

To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

Federal Rule of Evidence 702 provides that in order for a witness to be qualified as an expert, the expert must meet the following criteria

To have knowledge, skill, experience, training, or education' regarding the subject matter involved.

When acquiring digital evidence, the evidence should not be left unattended in an unsecured location for what reason?

To maintain chain-of-custody

When would it be acceptable to navigate through a live system?

To observe the operating system to determine the proper shutdown process To document currently opened files To observe an encryption program running To access virtual storage facility (if search warrant permits; some are very specific about physical location)

The Fraud and Abuse Act of 1986 made it a misdemeanor to

Traffic in passwords

A computer forensic report allows for the highly technical information to be introduced in a concise and non-biased format.

True

A text file created with Microsoft Notepad has no file header

True

All forensic software must be licensed to the practitioner of the organization.

True

Although the Windows operating system removed the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or swap file.

True

Any deviation of a lab's standard operating procedures, whether documented or undocumented, makes the digital evidence inadmissible in court

True

Before the actual examination begins, all media should be scanned for viruses.

True

Computer savvy attorneys with a technical background could present significant technical challenges in the courtroom.

True

Digital evidence is a type of physical evidence?

True

Digital evidence is information process by a computer and stored on some form of media.

True

Forensic science involves "the application of science to law"

True

If the chain of custody is broken, the digital evidence will not stand up to scrutiny in court.

True

Individualization is finding characteristics of evidence that are sometimes created at random that give a unique quality.

True

Is the information contained on a computer's RAM chip accessible after a proper shutdown?

True

It is generally recognized that no hard and fast methodology for digital forensic examinations can be established since no two cases are exactly the same

True

Live memory capture requires administrative privileges.

True

Mac OSX Keychain is a password management application that stores passwords, certificates, encryption keys, and secure notes. Passwords are stored in a separate database by the user.

True

MacBook Airs may contain a hard drive, a solid-state drive, or NAND flash.

True

Magnetic hotel keys, vehicle computers, and Internet cookies are also included within the legal definition of discoverable ESI.

True

Mobile device acquisition and analysis can both be hindered by security settings within software or even the device itself.

True

Most digital forensics labs only take in removable media and items that are expected to contain digital evidence.

True

Only one file can occupy a cluster at one time and no two files can occupy the same cluster

True

Passwords can be found in memory.

True

Security controls for a forensic lab vary on your organizational needs. If you own a small business, all you need to secure your lab is an office behind a locked door with an inexpensive, fireproof safe.

True

The Electronic Communications Privacy Act, Fourth Amendment and numerous other federal and state statues will apply where there are no written directives to govern your organization's computer use.

True

The NTFS file system is not supported on any version of DOS.

True

The SWDGE standards state the agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.

True

The court can decide whether inaccessible data should be produced once it is proven by the client that the cost to access the data can produce an undue burden.

True

The definition of digital evidence is any information of probative value that is either stored or transmitted in binary form.

True

The final goal of Quality Control is to demonstrate that, by meeting the objectives, a laboratory provides confidence in its quality of its products.

True

The purpose of setting up new amendments to the Federal Rules of Civil Procedure were to design a framework for the parties and the court to give early attention to issues relating to electronic discovery.

True

Using alternative data streams in a NTFS system, you have the ability to hide data, however, in a Linux file system there is no such thing as alternative data streams.

True

You cannot format a 3.5 floppy disk with the NTFS file system.

True

You cannot format a 3.5' floppy disk with the NTFS file system.

True

fstab is the configuration file containing all information about partitions and storage devices.

True

Why is biographical data on a suspect important when investigating digital evidence?

Users often use biographical data for passwords

To gather digital evidence based upon 'levels of proof', Criminal proof is defined as ____________ and Civil is _____________________. (Choose two)

a preponderance of the evidence beyond a reasonable doubt

The Host Protected Area (HPA) is:

a reserved area for data storage outside the normal operating file system

During the examination phase, the digital forensic practitioner should remove the hard drive from the case ________ photographs have been taken

after

Known file filtering (KFF) is the process of: (choose two)

alerting you to known illicit or dangerous files eliminating files known to be unimportant such as system and application files

The two classes of key-based encryption algorithms are: (Choose two)

asymmetric symmetric

The recovery process of binary data from file slack and unallocated space on media is referred to as:

carving

Name two of the three aspects to digital evidence reconstruction:

classification of the digital evidence recovery of active, backup, hidden, encrypted, deleted, or damaged artifacts

A forensically sound examination is one conducted under such controlled conditions that it is

completely documented verifiable repeatable

__________ and __________ form the basis for many modern cryptosystems because they tend to increase the workload of cryptanalysis.

confusion diffusion

Forensic Notes or a Forensic Log should: (Choose two)

contain sufficient detail to make it possible for another computer forensic practitioner to duplicate the original investigator's efforts be submitted to the forensic supervisor at the completion of the examination for review

After response to the incident site, the forensic practitioner must decide when and where to conduct the acquisition of potential digital evidence. Two of the main considerations during this event are

controllability, time

Forensically sterilizing (wiping) a drive prior to duplication ensures:

cross contamination will not take place

The goal of the digital evidence acquisition process is to duplicate the original evidence in a manner the protects and preserves the evidence in order to prevent (choose three answers)

damage destruction alteration

The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS is a collection of:

digital signatures of known, traceable software applications

A _________ is an accurate digital reproduction of all data contained on an electronic storage device that maintains ALL contents and attributes and all slack space is transferred.

duplicate

____ is identified as an (which could be internal counsel, external counsel, employee, or consultant) who is knowledgeable about and responsible for all facets of ESI as it relates to the party.

eDiscovery Liaison

What is eDiscovery?

eDiscovery refers to discovery in civil litigation entire efforts of a party to a lawsuit and their attorneys to obtain information before trial through demands for production of documents

Encryption containers, network storages, databases, unsaved files..... must be acquired before shutdown as they will become:

inaccessible afterwards

Data about Internet cookies such as URL names, data and time stamps, and pointers to the actual location of the cookie is stored in:

index.dat file

Command to find unusual processes in Linux/Unix.

ps -eaf

What does unallocated space refer to?

Space on a drive that has not yet been written to

As the first person on the scene of an incident, you should

Collect and preserve as much evidence as possible

What would be an example of a function within an Operating System?

A malicious software program

What kind of files normally contain information about who accessed the system and when, where, and how long a user was on the system?

Audit Files

Mac OSX This subfolder contains the swap file and sleepimage. A sleepimage is much like a hibernation file on a Windows computer and is located in: /private/var/vm/sleepimage

/var/vm

MAC OSX The Software Installation history of installed applications and updates is located in _________.

/Library/Receipts/InstallHistory.plist

Mac OSX This subfolder contains temporary files. Programs store temporary data at /var/tmp.

/Temp

Linux The kernel version can be found in:

/etc/issue - /etc/*-release* /etc/version

Linux Default Application binaries are located in:

/user/bin/<application name>

Linux The authorization log full path is:

/var/log/auth.log

A directory entry in a FAT file system has a logical size of

0 bytes

The MD5 has algorithm produces a ________ value.

128-bit

The MD5 hash algorithm produces a ____ value.

128-bit

There are _____ basic steps offered as best practices offered in the field of digital forensics.

20

What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?

56

How many sector(s) on a hard drive are reserved for the master boot record (MBR)?

63

The Cuckoo's Egg is

A book written by Cliff Stoll about international hackers

Section 1030 of Title 18 of the United States Code deals with fraud and related activity in connection with computer systems. A computer system is each of the following except:

A calculator

A misdemeanor is best described as

A criminal charge where the maximum penalty is less than one year incarceration

A felony is best described as

A criminal charge where the minimum penalty is greater than one year incarceration

A digital file produced or shaped by human craft, which retains investigative or historical interest is called

A digital artifact

To offer opinion testimony at trial, you must be qualified as what?

An Expert witness

Salami slicing is

An attack consisting of a series of small thefts spread over a large number of victims

What step is NOT part of the Alpha 5 method?

Application

_____; It contains events logged by applications or programs.

Application Log

Windows These logs contains errors related to individual software and applications installed by the user of the machine, but it can be useful when doing forensics because, for example, you can see if the Antivirus software was disabled during a specific period of time.

Application Logs

Data files of information that are no longer in active use, but stored separately to free space on a hard drive are referred to as?

Archival Data

_____: Identify which digital media may contain evidence, regardless of whether that evidence is incriminating or exculpatory in nature.

Assessment

At minimum, peer-review should occur after which of these phases:

At the completion of the analysis process At the completion of the analysis process After all documentation has been completed

Which of the following is NOT one of the Alpha 5 protocols?

Attack

Which of the following is not a class of 'attack' defined by the NSA for the recovery of digital data?

Attacks that utilize DNA evidence from the victim to recover data

In Windows 2000/XP, information about a specific user's preference is stored in the NTUSER.DAT file. This compound file can be found in________.

C:\Documents and Settings\username

A forensically sound software acquisition tool usually meets the following criteria

Can be used with 'write blocking' imaging equipment Is generally recognized in the digital forensic community as a 'standard' tool Provides an authentication feature

Protecting evidence and providing accountability for who handled it during the different steps during an investigation is referred to as what?

Chain of Custody

____ require a preponderance of evidence to meet its requirements.

Civil evidence rules

The process of finding characteristics that can be used to describe it in general terms and distinguish it from similar specimens is known as

Classification

What does CDMA stand for?

Code Division Multiple Access

Electronic discovery is governed by command and case law, as well as statutes, but primary governance comes from the ________.

Federal Rules of Civil Procedure

When data is written to a disk or media, it is written in 512-byte blocks. This means that if the end-user saves a 12-byte file to the media, the OS would actually save the 12 bytes and potentially 500 bytes of whatever happens to be in RAM (memory) at the time. The area left over is called?

File Slack

Which selection keeps track of a fragmented file in a FAT file system?

File allocation table

The FAT tracks the _______ while the directory entry tracks the _________.

File's last cluster (EOF) and file's starting cluster

Allows a Mac computer to act as if it is an external hard drive connected to another system. This mode operates at the firmware level, which means the OS is not engaged or booted. It is accessed by pressing "T" when starting the computer.

Firewire Target Disk Mode

Which device does not alter any data and allows reading of the ICCID, IMSI, fixed dialing numbers, hidden entries, MSISDN, deleted SMS, temporary mobile subscriber identity, and LAI information.

Forensic Card Readers

What is the preparation, detection, management, and resolution of incidents or events that occur in the information system?

Incident Handling

Evidence that supports a given theory.

Inculpatory Evidence

What file does Internet Explorer use to keep track of the history of web browsing?

Index.dat

What two processes carry out classification?

Individualization Comparison

During the early stages of a computer fraud investigation, the computer forensic practitioner may want to consider which of the following?

Interview with the system administrator to determine any internal security controls. Logical review of the media's file structure to develop the subject's 'level of expertise Conduct interviews with all complainants and witnesses

Which describes a DCO?

Is not normally seen by the BIOS Stands for Dynamic Configuration Overlay It may contain hidden data, which can be seen by switching to the Direct ATA mode in Linen. Was introduced in the ATA-6 specification

When using the performing a 'dir' using dos what does hdb2 refer to?

Is syntax used when reviewing Linux based system?

The forensic practitioner should employ what practice when examining unknown executable files?

Isolate the executable for analysis

What does UTC have to with digital evidence?

It is a standard of time as a quantified value that is used to bind validity, grant access and reconstruct the order of events

Why is recording the time/date information from the CMOS crucial to the investigation?

It is helpful in correlating temporal data during the analysis phase

Why is computer-generated documentation usually considered unreliable evidence?

It is too difficult to detect prior modifications.

Which of the following is a necessary characteristic of evidence for it to be admissible?

It must be reliable

What is another term for an incident response kit?

Jump Kit

When creating your forensic Tool Kit, which two of the following items are essential to your kit?

Laptop with relevant software tools Forensic Write blocker

____ refers to potentially existing, but not presently evident or realized evidence.

Latent evidence

According to the 'Theory of Transference' anyone entering or leaving a crime/incident scene _______. (Choose two)

Leaves something behind Takes something with them

The final section in your report is the _____.

Listing of Exhibits

What is the name of the principle that says: Anyone or anything entering a crime/incident scene takes something with them and leaves something of them behind when they depart?

Lockard's Principle

Windows _____ is covered by event id 104.

Logs were cleared

What is the term for when an established procedure is unable to be applied?

Major Deviation

___; Should have a basic understanding of the IR plan, be informed on how to report suspicious events, and be informed to provide support by allowing their employees to attend any training

Managers

What is found at Cylinder 0, Head 0, and Sector 1 on a hard drive?

Master Boot Record

Destroying or failing to preserve electronic evidence during litigation or when litigation is evident is called ______.

Spoilation

Password recovery software use different classifications for password recovery time. One of these classifications is:

Medium

Data or information about a file or data is called _____.

Metadata

What is defined as "data that provides information about other data"?

Metadata

_____ is information about other information. An example would be GPS location data embedded into a digital photo file, or authorship information embedded into a document.

Metadata

The size of a physical hard drive can be determined by which of the following?

Multiplying the cylinder x head x sector x 512 bytes Multiplying the total LBA sectors times 512 bytes

Windows _____ is covered by event log ID 5142.

Network Share Object was added

__; Should be implemented especially with non-trusted networks, such as the Internet extranets.

Network-based IDS

Which of the following is not one of the four 'Cardinal Rules' of Computer Forensics:

Never document until all evidence is evaluated

Is the information contained on a computer's RAM chip accessible after a proper shutdown?

No

Prior to the investigation, what should a computer forensic practitioner do? (Choose all that apply)

Notify decision makers Build your team of investigators Have a workstation and data recovery lab

What does OLE stand for?

Object Linking and Embedding

Policy and Practices are good organizational elements to have in place. Which element below does not apply to Data Retention Architecture policy?

On/Off site Frequently, other ESI, PDAs etc. Laptops and Home computers Desktops and Servers

When correctly implemented, what is the only cryptosystem known to be unbreakable?

One-time pad

Federal Rules of Civil Procedure (FRCP) rule 26(f) ........

Outlines what must be discussed during the eDiscovery Conference

Once notified of litigation, the obligation to protect information is on the _____.

Owner

Which items would potentially contain digital evidence?

PDA Cell phones MP3 players Tablet PC

An applied procedure that results in an "impartial and objective" analysis of the original digital evidence.

Peer review

The '___________' process is designed to provide insight to the computer forensic practitioner.

Peer review

Which statement is correct regarding Civil Law?

Penalties consist of financial restitution to the victim

Which is the most logical order for these events in regards to securing evidence?

Photograph, label, transport, present in court, return to owner

Which of the following items would be considered contraband?

Photos involving child exploitation

What can be used by the forensic practitioner to build a relationship between the incident scene, the victim, and the suspect? (Choose two)

Physical evidence Forensic science

After creating a duplicate from the original evidence, what should the digital forensic practitioner do with the original evidence?

Place original evidence in evidence locker or safe

All of the below are acceptable for 'bagging' a computer workstation except:

Plastic garbage bag

____ is the goal to prepare people, processes, and technologies for the prevention and detection of security incidents and to limit damage and downtime should such an incident occur.

Preparation

What is the first thing you should instruct your client to do once they have beenpresented with a litigation law suit?

Prepare and send a sample of a litigation hold to the attorney in the case

Step 1 in the 20 Basic Steps of Forensics is ________,

Prepare forensic lab environment

Which of the following is not considered an example of data hiding?

Preventing an authorized reader of an object from deleting that object

The goal of the digital evidence acquisition process is to duplicate the original evidence in a matter that: (Choose two)

Protects Preserves

This devices main function is to authenticate the user (subscriber) of the device to the network and provide access to the services they have subscribed in.

SIM Card

If portions of relevant data are recovered in unallocated or slack space areas of a drive, how would you present that evidence?

Provide a Screen shot of the evidence, which will provide full contextual presentation of the data.

The criteria that must be met to qualify as a forensically sound software is which one of the following

Provides an authentication feature Is generally accepted by the digital forensic community Has the ability to create a forensic bit-stream image while implementing 'write blocking' device

What criteria has to be met to identify a software acquisition tool as "forensically sound?" (Choose two)

Provides an authentication feature (MD5) Recognized in the digital forensic community as a "standard tool"

What is to be included in an Expert Forensic Report?

Providing facts of your analysis as well as, your opinion. A complete statement of all opinions to be expressed and the basis and reasons therefore

_____, which refers to the measures that are taken by a laboratory to monitor, verify, and document is performance.

Quality Assurance (QA)

Similar to the File slack, this occurs when an operating system allocates the minimum 512-byte block and the information does not fill that space fully.

RAM Slack

Order of volatility:

RAM, Running processes, Network connections, System settings, Storage

This basic step in the identification of an incident includes implementing a system to watch, monitor, and collect information.

Receive

The index.dat files are system files that store information about other files. They track data and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.

Recycle Bin

In an NTFS file system, the date and time stamps offset are stored in:

Registry

When Forensic Laboratories receive intake from external sources, there are several documents and procedures that need to be followed to ensure compliance with custodial duties. The overarching document is usually called a __________.

Request for Service

What type of data is information that appears to be gone or non-existent to the end-user, but is still recoverable from the digital media?

Residual Data

When a file is deleted, the data in that file is not erased. Rather the file system marks the file space as 'free'. This is a type of what kind of data?

Residual Data

Which one of the FRCP addresses to 'Prepare a List, by content and location' of ESI you expect to use in your case?

Rule 26(a)(1)(B)

What are the three most widely used hashing authentication methods? (Choose three)

SHA1 MD5 CRC32

The smallest area on a drive that data can be written to is a _______while the smallest area on a drive that a file can be written to is a _______.

Sector and cluster

Which of the following is a document that defines the scope of security needed by an organization, lists the assets that need protection, and discusses the extent to which security solutions should go to provide the necessary protection?

Security policy

The concept of including a peer review and submittal of all documentation to a lab supervisor for administrative review is called

Separation of duties

When documenting the physical aspects of a hardware device, you should include:

Serial Numbers Make Configuration details Model All of the answers listed

Generally speaking, if you encounter an Apple Macintosh computer, how should you take down the machine?

Shut down by pulling the plug from the computer box

Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine?

Shut down by pulling the plug from the computer box.

Which of the following is typically not a characteristic considered when classifying data?

Size of object

The unused space in a disk cluster is referred to as

Slack space

What is the area between the end of a file's logical size and the file's physical size called?

Slack space

During the analysis phase of your investigation, classification and comparison are essential components, which one of the following best describes this process:

Sorting through the best of two findings and relying on its significance to compare the rest of the findings in relation to it

All items below must be accepted to meet the Daubert Test except:

Whether the theory or technique enjoys 'general acceptance' within the 'relevant scientific community' Whether it 'has been subjected to peer review and publication;' Whether a 'theory or technique can be (and has been) tested;'

___; Windows default for a print spool job.

emf

_____ is/are considered to be all types of legally-presented proof that is allowed by the judge, which is intended to convince the judge or jury of alleged facts material to the case.

evidence

A unique identifying pattern found within a file which indicates the data type of the file is called a:

file signature

The goal of digital evidence processing is to ____________ and examine the data.

gain access to the data

Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.

hiberfil.sys

Which Registry key are the user's recent documents stored in?

hkey_currentuser

Which windows registry hive contains the information on all user profiles?

hkey_users

As a digital forensic practitioner, you are limited by time, tools, and ________ during the analysis phase of the investigation.

imagination

Can be used to find an opened file yet deleted.

lsof

Generally speaking, setting jumpers on the hard drive to a _________ setting will allow for a proper acquisition.

master

Class 3 attacks are very costly techniques used to recover the complete ________ of an __________ multi-gigabyte disk, as opposed to a few specifically targeted bytes.

overwritten copy

Which windows 98 registry file records everything that is installed on the computer?

system.dat

The preferred location for digital evidence acquisition is:

the forensic laboratory because it is a 'controlled' environment

All persons involved in conducting examination of digital evidence should be:

trained for this purpose


Ensembles d'études connexes

oncologic management: chapter 12

View Set

Fundamentals of Nursing: Fluid and Electrolyte Imbalance

View Set

Chapter 19: History of Floral Design

View Set