Computer & Network Forensics (SCIA 470) Chapters 1-13


Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.

key escrow

Computing components are designed to last 18 to ____ months in normal business operations.

36

Ext2fs can support disks as large as ____ TB and files as large as 2 GB.

4

___ components define the file system on UNIX.

4

When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called ____.

EFS

The majority of digital cameras use the ____ format to store digital pictures.

EXIF

The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.

EnCase

Use ____ to secure and catalog the evidence contained in large computer components.

Evidence Bags

TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.

IS-136

The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.

ISO 5725

Data streams can obscure valuable evidentiary data, intentionally or by coincidence.

True

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.

True

Steganography cannot be used with file formats other than image files.

False

The Windows platforms have long been the primary command-line interface OSs.

False

Most computer investigations in the private sector involve ____.

Misuse of computing assets

In a Windows environment, BitPim stores files in ____ by default.

My Documents\BitPim

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.

NSRL

____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

NTBootdd.sys

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.

Safety

____ increases the time and resources needed to extract, analyze, and present evidence.

Scope creep

Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.

Sniffing

____ has also been used to protect copyrighted material by inserting digital watermarks into a file.

Steganography

The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03.

XIF

____ is how most manufacturers deal with a platter's inner tracks being shorter than its outer tracks.

ZBR

Many password recovery tools have a feature that allows generating potential lists for a ____ attack.

password dictionary

Under copyright laws, maps and architectural plans may be registered as ____.

pictorial, graphic, and sculptural works

In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.

Repeatable findings

To complete a forensic disk analysis and examination, you need to create a ____.

Report

In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a ____ fork, where file metadata and application information are stored.

Resource

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.

Risk Management

EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation.

SAFE

____ is a popular network intrusion detection system that performs packet capture and analysis in real time.

Snort

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.

Sparse

One technique for extracting evidence from large systems is called ____.

Sparse Acquisition

____ is the art of hiding information inside image files.

Steganography

By the 1970s, electronic crimes were increasing, especially in the financial sector.

True

Chain of custody is also known as chain of evidence.

True

Computing systems in a forensics lab should be able to process typical cases in a timely manner.

True

FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.

True

If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.

True

In software acquisition, there are three types of data-copying methods.

True

Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.

testing, compressed

Computer forensics tools are divided into ____ major categories.

2

There are ____ searching options for keywords which FTK offers.

2

In general, forensics workstations can be divided into ____ categories.

3

Most packet sniffers operate on layer 2 or ____ of the OSI model.

3

All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.

40-pin

A ____ is a bit-by-bit copy of the original storage medium.

Bit-stream Copy

____ images store graphics information as grids of individual pixels.

Bitmap

FTK and other computer forensics programs use ____ to tag and document digital evidence.

Bookmarks

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.

Brute-force

Generally, computer records are considered admissible if they qualify as a ____ record.

Business

In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.

Business Case

Developed during WWII, this technology,____, was patented by Qualcomm after the war.

CDMA

____ is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration.

Config.sys

Computer investigations and forensics fall into the same category: public investigations.

False

FTK cannot analyze data from image files from other vendors.

False

If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.

False

One advantage with live acquisitions is that you are able to perform repeatable processes.

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

You cannot use both multi-evidence and single-evidence forms in your investigation.

False

A bit-stream image is also known as a(n) ____.

Forensic Copy

To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.

Forensic Workstation

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.

Honeynet

By the early 1990s, the ____ introduced training on software for forensics investigations.

IACIS

____ was created by police officers who wanted to formalize credentials in computing investigations.

IACIS

The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.

IBM

With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.

Initial-response field kit

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.

Insertion

By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff.

Marketing

A(n) ____ file has a hexadecimal header value of FF D8 FF E0 00 10.

JPEG

AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.

KFF

Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.

Once

The primary hash algorithm used by the NSRL project is ____.

SHA-1

SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity.

SHA-256

One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.

SIGs

____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.

SIM

To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.

Secure facility

The list of problems you normally expect in the type of case you are handling is known as the ____.

Standard Risk Assessment

When preparing a case, you can apply ____ to problem solving.

Standard Systems Analysis Steps

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.

Static

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.

Steel

The ____ search feature allows you to look for words with extensions such as "ing,""ed," and so forth.

Stemming

In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.

Subpoenas

____ steganography replaces bits of the host file with other bits of data.

Substitution
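
As an added example (not part of this study set), here is what substitution steganography looks like in code: the low bit of each host byte in a constructed 8-bit grayscale pixel buffer is replaced with one bit of a length-prefixed secret. The host keeps its exact size and no pixel value moves by more than 1, which is why a file-size comparison alone will not reveal it. The function names and the sample buffer are this example's own.

```python
# Added example (not from the study set): least-significant-bit substitution,
# the textbook's "substitution steganography", on a constructed 8-bit grayscale
# pixel buffer. Names (embed_lsb, extract_lsb, max_pixel_delta) are this
# example's own, not from any tool the study set mentions.

def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_lsb(host: bytes, secret: bytes) -> bytes:
    """Replace the low bit of successive host bytes with the bits of a 4-byte
    big-endian length prefix followed by the secret. The host's length never
    changes; only bit 0 of the first 8 * (4 + len(secret)) bytes may change."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(host):
        raise ValueError("host too small for payload")
    out = bytearray(host)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Read the LSB plane back: first the length prefix, then that many bytes."""
    bits = [b & 1 for b in stego]

    def read(n_bytes: int, start: int) -> int:
        val = 0
        for b in bits[start:start + n_bytes * 8]:
            val = (val << 1) | b
        return val

    length = read(4, 0)
    if (4 + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds host; not an LSB payload")
    return read(length, 32).to_bytes(length, "big")

def max_pixel_delta(host: bytes, stego: bytes) -> int:
    """Largest per-byte change between host and stego buffer (1 for pure LSB)."""
    return max(abs(a - b) for a, b in zip(host, stego))

if __name__ == "__main__":
    host = bytes(range(256)) * 4          # constructed 1024-pixel gradient
    stego = embed_lsb(host, b"meet at dawn")
    print(len(host) == len(stego), max_pixel_delta(host, stego), extract_lsb(stego))
```

Because the carrier's size and visible appearance are unchanged, detection has to look at the LSB plane itself (statistical tests or comparison against a known-clean original), not at file metadata.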

The ____ digital network divides a radio frequency into time slots.

TDMA

The image format XIF is derived from the more common ____ file format.

TIFF

A common way of examining network traffic is by running the ____ program.

Tcpdump

____ is the text version of Ethereal, a packet sniffer tool.

Tethereal

Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.

True

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

To help determine what computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.

True

With many computer forensics tools, you can open files with external viewers.

True

Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.

USB

____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.

Uniform Crime Reports

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.

Zombies

A ____ allows you to create a representation of another computer on an existing physical computer.

virtual machine

Records in the MFT are referred to as ____.

metadata

Image files can be reduced by as much as ____% of the original.

50

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.

False

Most federal courts have interpreted computer records as ____ evidence.

Hearsay

Linux ISO images are referred to as ____.

Live CDs

The file system for a SIM card is a ____ structure.

hierarchical

Erich Boleyn created GRUB in ____ to deal with multiboot processes and a variety of OSs.

1995

____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.

www.freeality.com

The uppercase letter ____ has a hexadecimal value of 41.

"A"

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.

.pst

On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.

/dev/hda1

____ contains configuration information for Sendmail, allowing the investigator to determine where the log files reside.

/etc/sendmail.cf

Typically, UNIX installations are set to store logs such as maillog in the ____ directory.

/var/log

To find deleted files during a forensic investigation on a Linux computer, you search for inodes that contain some data and have a link count of ____.

0

The EMR from a computer monitor can be picked up as far away as ____ mile.

1/2

ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.

100

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

The maximum number of allocation blocks per volume that File Manager can access on a Mac OS system is ____.

65,535

When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.

80

There are ____ tracks available for the program area on a CD.

99

You can use ____ to boot to Windows without writing any data to the evidence disk.

A Write-Blocker

The ____ provides several software drivers that allow communication between the OS and the SCSI component.

Advanced SCSI Programming Interface (ASPI)

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.

Affidavit

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.

Allegation

____ is a batch file containing customized settings for MS-DOS that runs automatically.

Autoexec.bat

People who want to hide data can also use advanced encryption programs, such as PGP or ____.

BestCrypt

What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations?

Certified Computer Forensic Technician, Basic

The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.

Chain of Custody

The most common computer-related crime is ____.

Check Fraud

The ____ file provides a command prompt when booting to MS-DOS mode (DPMI).

Command.com

Confidential business data included with the criminal evidence are referred to as ____ data.

Commingled

A ____ is where you conduct your investigations, store evidence, and do most of your work.

Computer Forensics Lab

The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.

Computer Investigations

____ records are data the system maintains, such as system log files and proxy server logs.

Computer-generated

In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.

Configuration Management

To begin conducting an investigation, you start by ____ the evidence using a variety of methods.

Copying

After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.

Critique the case

When working on a Windows environment you can press ____ to copy the selected text to the clipboard.

Ctrl+C

____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.

DIBS USA

Macintosh OS X is built on a core called ____.

Darwin

For computer forensics, ____ is the task of collecting digital evidence from electronic media.

Data Acquisition

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data Recovery

The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.

Data block

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %SystemRoot%\System32\Drivers folder.

Device drivers

Paraben Software is a leader in mobile forensics software and offers several tools, including ____, which can be used to acquire data from a variety of phone models.

Device seizure

In Windows 2000 and XP, the ____ command shows you the owner of a file if you have multiple users on the system or network.

Dir

A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.

Disaster Recovery

____ of data involves sorting and searching through all investigation data.

Discrimination

One way to compare your results and verify your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.

Disk editor

The most common and flexible data-acquisition method is ____.

Disk-to-Image File Copy

____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.

E-mail

Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.

EEPROM

A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.

Evidence Custody Form

The standard Linux file system is ____.

Ext2fs

A(n) ____ should include all the tools you can afford to take to the field.

Extensive-response field kit

The data-hiding technique of marking good clusters as bad is more common with ____ file systems.

FAT

____ is the file structure database that Microsoft originally designed for floppy disks.

FAT

____ is a simple drive-imaging station.

FIRE IDE

A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.

False

A nonsteganographic graphics file has a different size than an identical steganographic graphics file.

False

IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 ____.

GB

Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.

GPL

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.

GUI

The Novell e-mail server software is called ____.

GroupWise

____ is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system.

HDHOST

LILO uses a configuration file named ____ located in the /etc directory.

lilo.conf

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.

Live

____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.

Live

____ compression compresses data by permanently discarding bits of information in the file.

Lossy

The SIM file structure begins with the root of the system (____).

MF

On an NTFS disk, immediately after the Partition Boot Sector is the ____.

MFT

SafeBack and SnapCopy must run from a(n) ____ system.

MS-DOS

SnapBack DatArrest runs from a true ____ boot floppy.

MS-DOS

To make a disk acquisition with En.exe requires only a PC running ____ with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.

MS-DOS

On older Macintosh OSs all information about the volume is stored in the ____.

Master Directory Block (MDB)

____ is a hidden text file containing startup options for Windows 9x.

Msdos.sys

Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.

Much easier than

The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.

NIST

____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR.

NTDetect.com

Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.

NTFS

____ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista.

NTFS

____ forensics is the systematic tracking of incoming and outgoing traffic on your network.

Network

____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.

Network Forensics

One way to hide partitions is to create a partition on a disk, and then use a disk editor such as ____ to manually delete any reference to it.

Norton DiskEdit

The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.

Notarized

You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.

Off-site

In the following list, ____ is the only steg tool.

Outguess

____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.

PDAs

____ are devices and/or software placed on a network to monitor traffic.

Packet sniffers

____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.

Padding

____ recovery is a fairly easy task in computer forensic analysis.

Password

Courts consider evidence data in a computer as ____ evidence.

Physical

A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.

Portable workstation

____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.

Probable Cause

Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team.

Professional curiosity

To retrieve an Outlook Express e-mail header right-click the message, and then click ____ to open a dialog box showing general information about the message.

Properties

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

Proprietary

For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.

RAID

Every business or organization must have a well defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.

Reasonable suspicion

When analyzing digital evidence, your job is to ____.

Recover the data

When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.

Registry

____ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation.

Remote acquisitions

SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.

Three

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools.

True

Employees surfing the Internet can cost companies millions of dollars.

True

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Vector Graphics

With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.

Volume Bitmap

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.

Warrant

Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.

Whole Disk Encryption

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.

Windows 9x

____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.

Write-blockers

Recovering pieces of a file is called ____.

carving

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.

checkpoint

E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.

client/server architecture

When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.

copyright

A ____ is a column of tracks on two or more disk platters.

cylinder

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____.

data runs
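
As an added example (not part of this study set), here is a decoder for the data-run list an NTFS MFT record stores for a non-resident $DATA attribute. Each run is a header byte (low nibble = size of the cluster-count field, high nibble = size of the offset field), followed by those two little-endian fields; offsets are signed and relative to the previous run's start cluster, and a run with no offset field is sparse. The byte string is constructed for this example (its first two runs are the standard illustration from the NTFS documentation); it is not from a real disk.

```python
# Added example (not from the study set): decoder for the data-run list in a
# non-resident NTFS attribute. The sample run list below is constructed for
# this example; function names are this example's own.

def parse_data_runs(raw: bytes):
    """Return [(lcn, cluster_count), ...]; lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw):
        header = raw[pos]
        pos += 1
        if header == 0:                    # 0x00 terminates the list
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header 0x{header:02x} at byte {pos - 1}")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                  # no offset field: sparse (unallocated) run
            runs.append((None, count))
            continue
        # Offsets are signed deltas from the previous allocated run's LCN, so a
        # fragment stored earlier on disk than its predecessor has a negative delta.
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((lcn, count))
    return runs

def runs_to_byte_ranges(runs, cluster_size=4096):
    """Translate cluster runs into (byte_offset, byte_length) within the
    partition; a sparse run maps to offset None and reads back as zeros."""
    return [(None if lcn is None else lcn * cluster_size, count * cluster_size)
            for lcn, count in runs]

# Constructed sample: four runs, then the 0x00 terminator.
SAMPLE_RUN_LIST = bytes.fromhex(
    "31 38 73 25 34"       # run 1: 0x38 clusters starting at LCN 0x342573
    "32 14 01 E5 11 02"    # run 2: 0x114 clusters, +0x0211E5 clusters from run 1
    "01 10"                # run 3: 0x10 sparse clusters (no offset field)
    "11 30 F0"             # run 4: 0x30 clusters, delta 0xF0 = -16 (signed byte)
    "00"
)

if __name__ == "__main__":
    for lcn, count in parse_data_runs(SAMPLE_RUN_LIST):
        print("sparse" if lcn is None else f"LCN {lcn}", f"{count} clusters")
```

Multiply each LCN by the cluster size from the boot sector to get the byte offset in the partition image; the sparse run and the backward-pointing fourth run are the two cases that a naive "offset = unsigned, always forward" reader gets wrong.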

The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.

dcfldd

____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD.

dcfldd

Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.

dd

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd
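
As an added example (not part of this study set), the block below models in Python what a raw dd/dcfldd acquisition does: read the source block by block, and on a read error write a zero-filled block of the same size so the image stays the same length and offset-aligned as the source (dd's conv=noerror,sync), while hashing every window of bytes and the whole image (dcfldd's hash= and hashwindow= options). The source device is a constructed in-memory object that fails on one block; the function and class names are this example's own, not dd's.

```python
# Added example (not from the study set): a model of a raw (bit-stream)
# acquisition with conv=noerror,sync semantics and dcfldd-style window hashes.
# FlakyDevice is a constructed stand-in for a drive with one unreadable sector.

import hashlib

class FlakyDevice:
    """Constructed block device: block `bad_block` raises an I/O error."""
    def __init__(self, data: bytes, bad_block: int, block_size: int):
        self.data, self.bad_block, self.bs = data, bad_block, block_size

    def read_block(self, n: int) -> bytes:
        if n == self.bad_block:
            raise OSError("Input/output error")
        return self.data[n * self.bs:(n + 1) * self.bs]

    def size(self) -> int:
        return len(self.data)

def acquire(dev, block_size=512, hash_window=2048, algo="sha256"):
    """Copy every block. On a read error, record the block number and write
    block_size zero bytes in its place (noerror,sync) so later data keeps its
    original offsets. Returns (image, image_hash, window_hashes, bad_blocks)."""
    image = bytearray()
    window_hashes, bad_blocks = [], []
    total, window = hashlib.new(algo), hashlib.new(algo)
    n_blocks = -(-dev.size() // block_size)        # ceiling division
    for n in range(n_blocks):
        try:
            chunk = dev.read_block(n)
        except OSError:
            bad_blocks.append(n)
            chunk = b""
        chunk = chunk.ljust(block_size, b"\x00")    # sync: pad short or failed reads
        image += chunk
        total.update(chunk)
        window.update(chunk)
        if len(image) % hash_window == 0:          # hashwindow= boundary reached
            window_hashes.append(window.hexdigest())
            window = hashlib.new(algo)
    return bytes(image), total.hexdigest(), window_hashes, bad_blocks

def verify(data: bytes, expected_hash: str, algo="sha256") -> bool:
    """Re-hash an image (or one window of it) and compare with the recorded value."""
    return hashlib.new(algo, data).hexdigest() == expected_hash

if __name__ == "__main__":
    dev = FlakyDevice(bytes(range(256)) * 16, bad_block=3, block_size=512)
    image, digest, windows, bad = acquire(dev)
    print(len(image), digest, len(windows), "bad blocks:", bad)
```

Two practitioner points fall out of this model: the image hash is reproducible across runs only if the same sectors fail the same way, and the image will never hash equal to a pristine copy of the source, so the bad-block list belongs in the acquisition notes next to the hash. Window hashes let you localize a later mismatch to one region instead of re-imaging everything.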

The process of converting raw picture data to another format is referred to as ____.

demosaicing

The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.

disk-to-disk

On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).

extents overflow file

When you write your final report, state what you did and what you ____.

found

You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.

graphic editors

If you can't open an image file in an image viewer, the next step is to examine the file's ____.

header data

The simplest way to access a file header is to use a(n) ____ editor.

hexadecimal
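
As an added example (not part of this study set), the block below does the header check the text describes: read the first bytes of a file, compare them against known signatures, flag a mismatch between header and file extension, and print the bytes the way a hex editor shows them. Note that the set's JPEG signature FF D8 FF E0 00 10 is specifically a JFIF JPEG; an Exif JPEG starts FF D8 FF E1 and would be missed by a check on the full six bytes. The sample file contents and the function names are constructed for this example.

```python
# Added example (not from the study set): header (magic-byte) identification
# of image files, plus a hex-editor style dump. Sample files are constructed.

SIGNATURES = [
    # (description, offset in file, magic bytes)
    ("JPEG (JFIF)",        0, bytes.fromhex("FFD8FFE0")),
    ("JPEG (Exif)",        0, bytes.fromhex("FFD8FFE1")),
    ("TIFF little-endian", 0, bytes.fromhex("49492A00")),
    ("TIFF big-endian",    0, bytes.fromhex("4D4D002A")),
    ("PNG",                0, bytes.fromhex("89504E470D0A1A0A")),
    ("GIF",                0, b"GIF8"),
    ("BMP",                0, b"BM"),
]

EXTENSION_OF = {
    "JPEG (JFIF)": {"jpg", "jpeg"}, "JPEG (Exif)": {"jpg", "jpeg"},
    "TIFF little-endian": {"tif", "tiff"}, "TIFF big-endian": {"tif", "tiff"},
    "PNG": {"png"}, "GIF": {"gif"}, "BMP": {"bmp"},
}

def identify(data: bytes) -> str:
    """Return the first signature that matches at its offset, else 'unknown'."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header identifies a known format but the file name's
    extension does not belong to it: a cheap indicator of a renamed file."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return kind != "unknown" and ext not in EXTENSION_OF[kind]

def hexdump(data: bytes, width: int = 16, limit: int = 32) -> str:
    """First `limit` bytes as a hex editor shows them: offset, hex, ASCII."""
    lines = []
    for off in range(0, min(len(data), limit), width):
        row = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in row)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)

# Constructed samples: a minimal JFIF header and a little-endian TIFF header.
JFIF_SAMPLE = bytes.fromhex("FFD8FFE00010") + b"JFIF\x00" + bytes(16)
TIFF_SAMPLE = bytes.fromhex("49492A0008000000") + bytes(16)

if __name__ == "__main__":
    for name, blob in {"report.txt": JFIF_SAMPLE, "scan.tif": TIFF_SAMPLE}.items():
        print(name, "->", identify(blob), "mismatch" if extension_mismatch(name, blob) else "ok")
        print(hexdump(blob))
```

Offsets matter: some formats (ISO 9660 volume descriptors, for example) carry their signature well past byte 0, which is why each table entry records where to look rather than assuming the first bytes.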

Getting a hash value with a ____ is much faster and easier than with a(n) ____.

hexadecimal editor, computer forensics tool

Data ____ involves changing or manipulating a file to conceal information.

hiding

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

image file

In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.

indexed

Linux is unique in that it uses ____, or information nodes, that contain descriptive information about each file or directory.

inodes

You begin any computer forensics case by creating a(n) ____.

investigation plan

Under copyright laws, computer programs may be registered as ____.

literary works

The ____ command displays pages from the online help manual for information on Linux commands and their options.

man

The purpose of the ____ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key.

recovery certificate

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.

sha1sum
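
As an added example (not part of this study set), the block below ties the md5sum/sha1sum item to the AccessData KFF and NSRL items earlier in the set: compute the same digests those utilities produce, then use the SHA-1 (the NSRL's primary key) to sort files into known-good (ignore), known-bad (alert) and unknown (review). The reference hash sets and the sample files are constructed for this example; a real run would load NSRL reference data and a case-specific alert list instead.

```python
# Added example (not from the study set): known-file filtering in the style of
# KFF/NSRL, built on the digests md5sum and sha1sum produce. The KNOWN_GOOD and
# ALERT sets and SAMPLE_FILES are constructed for this example.

import hashlib

def file_hashes(data: bytes) -> dict:
    """Digests as md5sum / sha1sum / sha256sum would print them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

# Constructed reference sets, keyed by SHA-1 as NSRL reference data is.
KNOWN_GOOD = {hashlib.sha1(b"MZ\x90\x00 stock os binary").hexdigest()}
ALERT = {hashlib.sha1(b"contraband payload").hexdigest()}

def triage(files: dict) -> dict:
    """Bucket {path: bytes} into 'ignore' (known good), 'alert' (known bad)
    and 'review' (unknown). Alert wins over ignore if a hash is in both."""
    result = {"ignore": [], "alert": [], "review": []}
    for path, data in files.items():
        sha1 = file_hashes(data)["sha1"]
        if sha1 in ALERT:
            result["alert"].append(path)
        elif sha1 in KNOWN_GOOD:
            result["ignore"].append(path)
        else:
            result["review"].append(path)
    return result

# Constructed evidence set: a stock binary, a flagged file, the same file
# renamed (hash unchanged), and a one-byte edit of it (hash changed).
SAMPLE_FILES = {
    "C:/Windows/System32/stock.exe": b"MZ\x90\x00 stock os binary",
    "C:/Users/x/notes.txt": b"contraband payload",
    "C:/Users/x/notes_renamed.jpg": b"contraband payload",
    "C:/Users/x/notes_edited.txt": b"contraband payload!",
}

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_FILES).items():
        print(bucket, paths)
```

The renamed copy lands in the alert bucket because hashing ignores file names, and the edited copy drops out of it because a single changed byte changes the whole digest; that second case is why hash filtering reduces the review set but never replaces keyword or header-based searching.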

The term ____ comes from the Greek word for "hidden writing."

steganography

____ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.

steganography
