Computer Forensics Ch. 1-5
How many sectors are typically in a cluster on a disk drive?
(ITS ONE TO ONE) SO IF 4KB CLUSTER WITH 512 BYTE PER SECTOR MEANS 8 SECTORS
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
In FAT32, a 123 KB file uses how many sectors?
246 Sectors. 123 x 1024 bytes per KB = 125,925 total bytes in the file. 125,952 bytes / 512 sectors per cluster = 246 sectors
How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computers?
256-bit AES of Twofish encryption and encrypts the password on the suspect's computer
Police in the United States must use procedures that adhere to which amendment?
4th amendment
On a Windows system, sectors typically contain how many bytes?
512
What is a hashing algorithm?
A utility designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or entire disk.
Which organization has guidelines on how to operate a digital forensics lab?
ASCLD
What are two concerns when acquiring data from a RAID server?
Amount of data storage needed the type of RAID
List three items that should be in your case report.
An explanation of basic computer and network processes, a narrative of what steps you took, a description of your findings, and log files generated from your analysis tools
List two items that should appear on a warning banner.
An organization has the right to monitor what end users do, and their e-mail is not personal and can be monitored
If a suspect computer is running Windows 2000, which of the following can you perform safely?
Browsing open applications
List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data; Can segment acquisition output files into smaller volumes, allowing them to be achieved to CD or DVD; Case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
List three items that should be on an evidence custody form.
Case number, name of the investigator assigned to the case, nature of the case, location where evidence was obtained, description of the evidence and so on.
What do you call a list of people who have had physical possession of the evidence?
Chain of Custody
Describe what should be videotaped or sketched at a digital crime scene.
Computers, cable connections, overview of scene—anything that might be of interest to the investigation
If a suspect computer is found in an area that might have toxic chemicals, what must you do?
Coordinate with the HAZMAT team. Assume the suspect computer is contaminated.
What does CHS stand for?
Cylinders, Heads, Sectors
What are the functions of a data run's field components in an MFT record?
Data runs have three components: first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value the LCN or the VC
With remote acquisitions, what problems should you be aware of?
Data transfer speeds Access permissions over the network Antivirus, antispyware, and firewall programs The password of the remote computer's user
What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer. List the necessary software to use for the examination.
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determining whether there's sufficient electrical power and lighting and checking the temperature and humidity at location.
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
EnCase, SafeHack, and SnapCopy
Which forensics tools can connect to a suspect's remote computer and run surreptitiously?
Encase Enterprise, ProDiscover Investigator , and ProDiscover Incident Response
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
Encrypted files remain encrypted if they are moved or copied to another NTFS folder, but if they are moved or copied to a FAT or FAT32 volume or a floppy disk they are decrypted. Only the user who originally encrypted a file or folder, or another user who has been granted shared access, can move that file or folder to a FAT or FAT32 volume or another NTFS volume. However, any user can move an encrypted file to a different folder on the same NTFS volume.
List two types of digital investigations typically conducted in a business environment.
Espionage, and e-mail harassment
Of all the proprietary formats, which one is the unofficial standard?
Expert witness used by Guidance software EnCase
A forensic workstation should always have a direct broadband connection to the Internet. TRUE OR FALSE?
FALSE
Digital forensics facilities always have windows. True or False?
FALSE
Evidence storage containers should have several master keys. True or False?
FALSE
Small companies rarely need investigators. True or False
FALSE
The ASCLD mandates the procedures established for a digital forensics lab. True or False?
FALSE
The plain view doctrine in computer searches is well-established law. True or False?
FALSE
You should always answer questions from onlookers at a crime scene. True or False?
FALSE
You should always prove the allegations made by the person who hired you. True or False?
FALSE
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
FALSE
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. TRUE OR FALSE?
FASLE
Digital forensics and data recovery refer to the same activities. True or False?
False
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
List three items stored in the FAT database.
File and directory names, starting cluster numbers, file attributes, date and time stamps.
What can EFS encrypt?
Files, folders, and volumes
In the Linux dcfldd command, which three options are used for validating data?
Hash=, hashlog= and vf=
List two popular certification systems for digital forensics.
IACIS, HTCN, EnCE.
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial Response Field Kit
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices
What are the three rules for a forensic hash?
It can't be predicted No two files can have the same hash value If the file changes, the hash value changes.
What techniques might be used in covert surveillance?
Keylogging Data sniffing
List two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1
What is the manager of a digital forensics lab is responsible for?
Making necessary changes in lab procedures and software Ensuring that staff members have enough training to do the job Knowing the lab objectives
What does MFT stand for?
Master File Table
Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?
Most companies keep inventory databases of all hardware and software used.
Which organization provides good information on safe storage containers?
NISPOM
With newer Linux kernel distributions, what happens if you connect a hot swappable device, such a USB drive, containing evidence?
Newer Linux distribution mount the USB drive automatically, which could alter data on it.
Which of the following Windows 8 files contains user-specific information?
Ntuser.dat
What does areal density refers to?
Number of bits per square inch of a disk platter
What does a logical acquisition collect for an investigation?
Only specific files of interest to the case.
What's the ProDiscover remote access utility?
PDServer
What items should your business plan include?
Physical security items, such as evidence lockers; how many machines are needed; what OS your lab commonly examines; why you need certain software; how your lab will benefit the company (such as being able to quickly exonerate employees or discover whether they're guilty)
What's the main goal of a static acquisition?
Preservation of digital evidence
What can building a business case can involve?
Procedures for gathering evidence Testing software Protecting trade secrets
What is professional conduct, and why is it important?
Professional conduct includes ethics, morals, and standards of behavior. It can affect your credibility.
Typically, a(n)______________ lab has a separate storage area or room for evidence.
REGIONAL
Name the three formats for digital forensics data acquisitions.
Raw format, proprietary formats, and Advanced Forensic Format(AFF)
What three items should you research before enlisting in a certification program?
Requirements, cost and acceptability in your chosen area of employment.
Compiling evidence means what in a corporate setting?
Sensitive corporate information being mixed with data collected as evidence.
What should you consider when determining which data acquisition method to use?
Size of the source drive Where the source drive be retained as evidence How long the acquisition will take Where the disk evidence is located.
List three items that should be in an initial-response field kit.
Small computer tool kit Large capacity drive IDE ribbon cables Forensic boot media laptop or portable computer.
What does a sparse acquisition collect for an investigation?
Specific files of interest to the case as well as arrangements of unallocated(deleted) data.
What term refers to labs constructed to shield EMR emissions?
TEMPEST
An employer can be held liable for e-mail harassment. True or False?
TRUE
An image of a suspect drive can be loaded on a virtual machine. True or False?
TRUE
Computer peripherals or attachments can contain DNA evidence. True or False?
TRUE
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
TRUE
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
TRUE
FTK Imager can acquire data in a drive's host protected area. True or False?
TRUE
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
TRUE
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
TRUE
If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
TRUE
In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?
TRUE
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
TRUE
Clusters in Windows always begin numbering at what number?
TWO
Large digital forensics labs should have at least ______ exits.
TWO
What are the necessary components of a search warrant?
The affidavit is a sworn statement of support of facts about or evidence of a crime which is submitted to a judge with the request for a search warrant before seizing evidence. This includes evidence that support the allegation to justify the warrant. The affidavit is then notarized under sworn oath to verify that the information in the affidavit is true. The affidavit, the warrant, and return of service are basically the order of the procedure
What's the purpose of maintaining a network of digital forensics specialists?
To allow you the ability to cultivate professional relationships with people who specialize in technical area different from your own specialty
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the data in case of any failures.
Why should evidence media be write-protected?
To ensure that data isn't altered.
Why should you critique your case after it's finished?
To improve your work
Why should you do a standard risk assessment to prepare for an investigation?
To list problems that might happen when conducting your investigation.
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
To minimize how much you have to keep track of at the scene.
What's the purpose of an affidavit?
To provide a sworn statement of support of facts about evidence of a crime. this is submitted to a judge with the request for a search warrant before seizing evidence
What is the space on a drive called when a file is deleted?
Unallocated Space Free Space
List two features NTFS has that FAT does not.
Unicode characters, security, journaling.
To determine the types of operating systems needed in your lab, list two sources of information you could use.
Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company.
What does the Ntuser.dat file contain?
User specific info. Registry file
What's the most critical aspect of digital evidence?
Validation of digital evidence
What limitations do virtual machines have when running on a host computer?
Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
The triad of computing security includes which of the following?
Vulnerability assessment and risk management, intrusion detection and response, and investigation
What rules can policies address?
When you can log on to a company network from home The Internet sites you can or can't access. The amount of personal e-mail you can send
In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if1 =image_file.img of=/dev/hda1
Wrong. This command read the imagine_file and writes it to the evidence drives /dev/hdal/ partition. The correct command is dcfldd if =/dev/hdal of=image_file.img.
As a corporate investigator, you can become an agent of law enforcement when which of the following happens?
You begin to take orders from a police detective without a warrant or subpoena. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
Why is physical security so critical for digital forensics labs?
to maintain the chain of custody and prevent data from being lost corrupted or stolen
In forensic hashes, a collision occurs when _______________________.
two files have the same hash value.
What are two advantages and disadvantages of the raw format?
• Advantages: Faster data transfer speeds, ignore minor data errors, and most forensics tools can read • Disadvantages: requires equal or greater target disk space, does not contain had values in the raw file(metadata), might have to run a separate hash program to validate raw formatted data and might not collect marginal (bad) blocks.