CSF 410 final study guide
mouse jiggler
A _____ is a device that keeps a computer from entering sleep mode or logging the user out
MBR (the boot-sector signature stored in the last two bytes of the sector, offsets 510-511)
Identify the following hexadecimal signature: "55 AA"
booting in safe mode
If an image restored from a physical Windows system fails to boot, a good first step to try is
true
In order to create a forensic copy of source media, the target media must be of equal or greater capacity than the source
forensic copy
In which of the following acquisition methods is it most important to sterilize your target media
The NTUSER.dat registry hive
Internet Explorer stored typed URLs in
True
Text files (txt) do not have a file signature
fingerprint
a user's internet viewing habits can be almost as distinctive as a
state their opinion
an expert witness can
true
an illicit image is an image whose subject matter is offensive or illegal, depending on your cultural or legal landscape
true
many of the tools used to extract NTLM password hashes from registry hives get flagged as malware by Windows
CHS - MBR; LBA - GPT (an MBR partition entry carries both a CHS and an LBA field; GPT is LBA-only)
match the addressing scheme with the partitioning scheme
false
most modern high-capacity hard drives use CHS addressing
false
once specified, a file's metadata cannot be modified
true
password-to-open protection on Word documents is secure because it relies on encryption (modern Office formats encrypt the file with AES, so the protection is only as strong as the password chosen)
true
peer-to-peer (P2P) file-sharing is a decentralized method of file-sharing
false
law enforcement has MDM (mobile device management) control over private citizens' cell phones
false
proofreading is not a necessity when writing reports; the court expects examiners to make mistakes since they are busy people
true
VirusTotal has an API that can be used to identify known malware signatures
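How a hash lookup against that API is actually done, as an added example (not part of the study guide): hash the sample locally, query the documented v3 endpoint GET https://www.virustotal.com/api/v3/files/<hash> with the x-apikey header, and reduce the returned file object to the engine counts an examiner cites. The network call is isolated in fetch_report() so the parsing runs offline against the constructed report at the bottom; the hash, counts and label in that report are made up.

```python
"""Look up a sample's hash in VirusTotal and reduce the report to a verdict.

Added example, not from the study guide. Uses the documented v3 endpoint
GET https://www.virustotal.com/api/v3/files/<hash> with the x-apikey header.
Only fetch_report() touches the network; everything else runs offline.
"""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_bytes(data: bytes) -> str:
    """VT indexes reports by MD5/SHA-1/SHA-256; hash locally, never upload evidence blindly."""
    return hashlib.sha256(data).hexdigest()


def build_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """Authenticated GET for the file object (built here, not sent)."""
    return urllib.request.Request(
        VT_FILES_URL + file_hash,
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )


def fetch_report(file_hash: str, api_key: str) -> dict:
    """Send the lookup; HTTP 404 means VT has never seen this hash."""
    try:
        with urllib.request.urlopen(build_request(file_hash, api_key), timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def summarise(report: dict, min_engines: int = 2) -> dict:
    """Pull the fields worth writing up: engine counts and the suggested label.

    One engine hit is often a false positive, so the sample is only 'flagged'
    once at least min_engines agree.
    """
    if not report:
        return {"known": False}
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {
        "known": True,
        "sha256": attrs.get("sha256"),
        "malicious": malicious,
        "suspicious": suspicious,
        "engines": sum(stats.values()),
        "label": label,
        "flagged": malicious + suspicious >= min_engines,
    }


# Constructed report in the shape of a v3 file object; hash, counts and label are made up.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "sha256": "0" * 64,
            "last_analysis_stats": {"malicious": 57, "suspicious": 1, "undetected": 10,
                                    "harmless": 0, "timeout": 0, "type-unsupported": 4},
            "popular_threat_classification": {"suggested_threat_label": "trojan.agent/generic"},
        },
    }
}

if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
    # Live use: summarise(fetch_report(sha256_of_bytes(open(path, "rb").read()), api_key))
```

Submitting the hash rather than the file keeps case material off third-party infrastructure; only upload a sample when the hash is unknown and the case allows it.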
false
VMware supports E01 images as a virtual CD/DVD drive
true
VMware's vSphere migration tool can be used to convert a physical machine to a virtual machine (P2V)
Filesystem
what is used within the boundaries of a volume and tracks file allocation and cluster use?
did not validate tools
what mistake did the investigators make in the Casey Anthony investigation
true
when a file is deleted from a FAT filesystem, the file's contents/data are not changed: only the first byte of the directory entry is set to 0xE5 and the file's FAT chain entries are cleared
CHS
FAT-formatted filesystems use ______ addressing
true
Expert witnesses must be able to explain the technical aspects of a case to a non-technical audience
slack space
The unused space between the end of a file's data and the end of its last allocated cluster is called ______
four
MBR has a limit of ____ primary partitions
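The three MBR items above (the 55 AA signature, the CHS versus LBA fields, and the four-entry partition table) in one parser, as an added example that is not from the study guide. It builds a 512-byte sector in memory with made-up partition values, checks the signature at bytes 510-511, and unpacks each 16-byte entry, including the packed 3-byte CHS fields that modern tools simply pin at 1023/254/63 because the disk is beyond CHS reach.

```python
"""Parse a classic MBR: 446 bytes of boot code, four 16-byte partition entries
at offset 446, and the 55 AA signature at bytes 510-511.

Added example, not from the study guide. The sector is constructed in memory
(partition values made up) so the parser runs offline.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
MAX_PRIMARY = 4                   # the four-entry table is why extended partitions exist
SIGNATURE = b"\x55\xAA"           # bytes 510-511; reads as 0xAA55 if unpacked little-endian
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count


def decode_chs(raw: bytes) -> tuple:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                        # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]    # 10 bits: top 2 of byte 1, all of byte 2
    return cylinder, head, sector


def encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_mbr(sector: bytes) -> list:
    """Return the populated partition entries; raise if the sector is not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(MAX_PRIMARY):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:                            # empty slot
            continue
        entries.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),       # pinned at 1023/254/63 on large disks
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return entries


def make_entry(bootable: bool, ptype: int, lba_start: int, count: int) -> bytes:
    """Pack one entry the way partitioning tools do for disks beyond CHS reach."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, encode_chs(0, 32, 33),
                       ptype, encode_chs(1023, 254, 63), lba_start, count)


def build_sample_mbr() -> bytes:
    """Constructed sector: a bootable NTFS (0x07) partition followed by a FAT32-LBA (0x0C) one."""
    sec = bytearray(SECTOR_SIZE)
    sec[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = make_entry(True, 0x07, 2048, 1_048_576)
    sec[TABLE_OFFSET + ENTRY_SIZE:TABLE_OFFSET + 2 * ENTRY_SIZE] = make_entry(
        False, 0x0C, 1_050_624, 204_800)
    sec[510:512] = SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part)
```

On a real image, read the first 512 bytes of the physical device (not of a partition) and pass them to parse_mbr(); a GPT disk still carries a protective MBR here with a single 0xEE entry, which is the cue to go parse the GPT header at LBA 1 instead.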
true
Peer-to-peer filesharing uses a decentralized network of computers
false
Peer-to-peer technology is illegal and has no legitimate use cases
false
Reading a file's basic metadata requires an external application like ExifTool due to OS limitations in Windows 10/11
false
RAM contents must be captured in the field at the time of device seizure
true
SSDs have several features (wear leveling, TRIM and garbage collection) that make it less likely an examiner can acquire deleted files from the filesystem
Publications; prior testimony; educational history
Select all of the following types of information that you should include on a CV for expert witness evaluation
EnCase; X-Ways; FTK suite
Select all of the following which are considered commercial forensic suites
Administrator permissions; a capturing device/disk
Select all of the following which you NEED to capture RAM off a running system
pagefile.sys (not memory.dmp, which is the crash dump the kernel writes when the system crashes)
The _____ file stores overflow memory when the system runs out of physical memory
true
The latest version of Microsoft's web browser (Edge) is based on Chromium
false
The thumbcache is sufficient to prove a user had knowledge of a file's existence
Chain of Custody
Upon leaving a crime scene where the suspect had been accused of assisting in online auctions of illicit material, the police fail to document the person transporting a number of machines to the location used for evidence collection. This violates which of the following principles?
False
You should always pull the plug or power down running computers when arriving on the scene so as not to modify any data on the disk
false
VMware will not recognize disks mounted to the host using third-party software like FTK Imager or Mount Image Pro
True
Vendor-neutral training focuses on methodology instead of using a particular vendor's software
FFFF FFF8 (end-of-chain marker: any value from 0x?FFFFFF8 to 0x?FFFFFFF ends the chain, FAT32 ignores the top four bits, and the entry is stored little-endian on disk, e.g. FF FF FF 0F)
Which byte pattern is used to denote the last cluster in a file data stream in the FAT filesystem?
AppData\Roaming (the folder %APPDATA% points to)
Which folder(s) are uploaded to the server to sync user settings for an Active Directory roaming profile?
Chain of custody
Which of the following are used to ensure that evidence is accounted for at all times?
emails can route through relays when in transit
Which of the following best explains why there may be multiple SMTP servers listed in an email's headers
64-bit chekcsum
Which of the following is the best method for verifying that target media has been successfully sterilized
network adapter
Which of the following may you want to disable when booting from a restored suspect image
Password-protected files; BIOS password; Windows login password
Which of the following security measures can typically be bypassed without decryption
Paladin; FTK Imager
Which of the following tools can be used to take a forensic image
sample image
Which of the following would be the best choice to perform tool validation of a write blocker
SAM; SYSTEM
Which registry hives are needed to extract a user's NTLM password hash?
Digital Forensics
Which term best fits the definition: examination and analysis of digital evidence
Remote Desktop (RDP, mstsc.exe)
_____ is the built-in Windows utility to access a computer remotely via the network
gmail
_____ was one of the first client-side rendering web applications, meaning reconstructing page contents from the cache was unlikely
image_export (Plaso's image_export.py)
_____ will export file content from a device, media image, or forensic image
interactive (logon type 2 in a 4624 event)
______ is a logon where the user is physically located in front of the system, per the Windows event log
pre-investigation considerations
_______ is used to determine your capabilities and equipment specifications to conduct a forensic exam, regardless of whether it is in the field or a lab environment
white hat
a _____ hacker is a positive or non-malicious actor
false
all forensic analysis on a mobile device must be performed internally by your agency
two-party consent
as a private citizen or company in a ______ state you must acquire permission to record a telephone conversation
pelican-type
as mentioned in the lecture video, a ___ case is watertight and crush-proof to protect equipment
false
chain of custody is only used in corporate investigations
false
changing an image's EXIF metadata does not change the file's hash
JSON
Chrome stores bookmarks in the following format
false (Chrome uses WebKit time: microseconds since 1601-01-01 00:00 UTC, not seconds since 1970)
Chrome stores timestamps in the Unix timestamp format
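The two Chrome items above worked through in code, as an added example that is not from the study guide: walk a Bookmarks file (JSON, with bookmark_bar, other and synced roots) and convert the date_added values, which Chrome writes as decimal strings of microseconds since 1601-01-01 UTC, into datetimes and Unix seconds. The bookmark fragment is constructed in the shape Chrome writes; the URLs and timestamps are made up.

```python
"""Decode Chrome's Bookmarks file (JSON) and the WebKit timestamps inside it.

Added example, not from the study guide. Chrome stores times as microseconds
since 1601-01-01 00:00:00 UTC (the same epoch as Windows FILETIME, which counts
100 ns ticks instead), not Unix seconds since 1970. The fragment below is
constructed in the layout Chrome writes.
"""
import json
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_US = int((UNIX_EPOCH - WEBKIT_EPOCH).total_seconds()) * 1_000_000  # 11644473600 s


def webkit_to_datetime(value):
    """Chrome writes the value as a decimal string; 0 means 'never set'."""
    us = int(value)
    if us == 0:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def webkit_to_unix(value) -> float:
    """Seconds since 1970, the form most timeline tools expect."""
    return (int(value) - EPOCH_DELTA_US) / 1_000_000


def walk_bookmarks(node: dict, path=()):
    """Yield every URL node with its folder path and decoded timestamp."""
    if node.get("type") == "url":
        yield {"path": "/".join(path), "name": node["name"], "url": node["url"],
               "date_added": webkit_to_datetime(node.get("date_added", "0"))}
    for child in node.get("children", []):
        yield from walk_bookmarks(child, path + (node.get("name", ""),))


def parse_bookmarks(text: str) -> list:
    """Flatten all roots (bookmark_bar, other, synced), oldest bookmark first."""
    doc = json.loads(text)
    out = []
    for root in doc["roots"].values():
        if isinstance(root, dict):          # skip non-folder keys some versions put under roots
            out.extend(walk_bookmarks(root))
    return sorted(out, key=lambda b: b["date_added"] or WEBKIT_EPOCH)


# Constructed Bookmarks fragment (not real data); timestamps are WebKit microseconds.
SAMPLE_BOOKMARKS = json.dumps({
    "checksum": "0000",
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar", "date_added": "13300000000000000",
            "children": [
                {"type": "url", "name": "Example", "url": "https://www.example.org/",
                 "date_added": "13300000000000000"},
                {"type": "folder", "name": "Work", "date_added": "13300000100000000",
                 "children": [{"type": "url", "name": "Notes", "url": "https://example.com/notes",
                               "date_added": "13300000100000000"}]},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
        "synced": {"type": "folder", "name": "Mobile bookmarks", "children": []},
    },
    "version": 1,
})

if __name__ == "__main__":
    for item in parse_bookmarks(SAMPLE_BOOKMARKS):
        print(item["date_added"], item["path"], item["url"])
```

The same 1601 epoch applies to the History and Cookies SQLite databases; only the Bookmarks file is JSON.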
resident data
data streams contained within the MFT are referred to as
false
emails cannot be routed over IPv4 private addressing space
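The relay-path question and the private-address question above, worked through together as an added example that is not from the study guide. Each SMTP relay prepends its own Received header, so the headers read newest-first; reversing them gives the hop order from sender to recipient, and checking each hop's address literal against the RFC 1918 ranges shows internal relays that sit on private IPv4 space. The message is constructed; its public hop uses an RFC 5737 documentation address, and the timestamp and from/by hand-off checks are my own consistency checks, not anything the guide describes.

```python
"""Reconstruct an email's relay path from its Received headers.

Added example, not from the study guide. Every relay prepends its own Received
line, so reversing the header order yields sender-to-recipient hops. The
message below is constructed with RFC 1918 and RFC 5737 addresses.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")   # RFC 5321 address literal
FROM_HOST = re.compile(r"^from\s+(\S+)", re.I)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """Private IPv4 space only; ipaddress.is_private is broader (documentation ranges too)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_received(value: str) -> dict:
    """Split one Received header into from-host, source IP, receiving host and timestamp."""
    value = " ".join(value.split())                  # undo header folding
    clause, _, date = value.rpartition(";")
    ip = ADDR_LITERAL.search(clause)
    frm = FROM_HOST.search(clause)
    by = BY_HOST.search(clause)
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "private": bool(ip and is_rfc1918(ip.group(1))),
        "by": by.group(1) if by else None,
        "time": parsedate_to_datetime(date.strip()) if date.strip() else None,
    }


def relay_path(raw: str) -> list:
    """Hops in transit order, sender side first."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    hops.reverse()
    return hops


def anomalies(hops: list) -> list:
    """Each hop's 'from' should name the previous hop's 'by', and time should not run backwards."""
    out = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            out.append(f"{cur['by']} stamped earlier than {prev['by']} (skew or forged header)")
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower().strip("[]"):
            out.append(f"{cur['from']} does not match the previous relay {prev['by']}")
    return out


# Constructed message: two private-space relays inside the sender's network, then a public MX.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.9])
    by mail.recipient.example with ESMTP id 3; Tue, 4 Jun 2024 10:12:05 +0000
Received: from relay01.corp.local (relay01.corp.local [10.20.30.40])
    by mx.example.net with ESMTP id 2; Tue, 4 Jun 2024 10:12:03 +0000
Received: from [192.168.1.25] (unknown [192.168.1.25])
    by relay01.corp.local (Postfix) with ESMTPA id 1; Tue, 4 Jun 2024 10:12:01 +0000
From: alice@example.net
To: bob@recipient.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    path = relay_path(SAMPLE_MESSAGE)
    for hop in path:
        print(hop)
    print(anomalies(path))
```

Only the Received lines added by servers you trust (typically your own MX and those behind it) are reliable; anything the sender's side stamped could have been written by the sender.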
true
file signatures are the first few bytes of a file that can be used to determine its format
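The signature idea above, together with the earlier item that text files have no signature, as an added example that is not from the study guide: a small magic-number table (most entries at offset 0, the ISO 9660 descriptor 32 KiB in to show that not all are), an extension-versus-signature mismatch check for renamed files, and a content heuristic for text, which can only ever be inferred. The byte strings are constructed inputs, and the table is a subset chosen for illustration.

```python
"""Identify a file's format from its leading bytes and spot extension
mismatches; plain text has no signature and is only ever inferred.

Added example, not from the study guide. The signature table is a small
subset of well-known values; the inputs are constructed byte strings.
"""
from typing import Optional

# (offset, magic bytes, label). Most signatures sit at offset 0, but not all.
SIGNATURES = [
    (0, b"\xFF\xD8\xFF", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),                             # also docx/xlsx/pptx, jar, apk
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),      # legacy .doc/.xls/.msg
    (0, b"MZ", "pe"),
    (0, b"\x7fELF", "elf"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"SQLite format 3\x00", "sqlite"),
    (0, b"EVF\x09\x0d\x0a\xff\x00", "e01"),                # Expert Witness (EnCase) image
    (0x8001, b"CD001", "iso9660"),                         # after the 32 KiB system area
]

EXPECTED_BY_EXTENSION = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "doc": "ole2",
    "xls": "ole2", "exe": "pe", "dll": "pe", "gz": "gzip", "rar": "rar",
    "sqlite": "sqlite", "db": "sqlite", "e01": "e01", "iso": "iso9660",
}


def identify(data: bytes) -> Optional[str]:
    """First matching signature wins; None means no known signature."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def looks_like_text(data: bytes, sample: int = 512) -> bool:
    """Text has no signature: infer it from decodable, NUL-free content.

    UTF-16 text contains NUL bytes and is missed here; check for an
    FF FE / FE FF byte-order mark separately if that matters.
    """
    head = data[:sample]
    if b"\x00" in head:
        return False
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify(filename: str, data: bytes) -> dict:
    """Combine signature, extension and the text heuristic into one verdict."""
    label = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXTENSION.get(ext)
    return {
        "signature": label,
        "text": label is None and looks_like_text(data),
        "extension": ext,
        # A renamed file: the extension claims a signed format the bytes do not carry.
        "mismatch": expected is not None and label != expected,
    }


if __name__ == "__main__":
    print(classify("invoice.pdf", b"MZ\x90\x00\x03\x00"))   # constructed: an EXE renamed to .pdf
    print(classify("notes.txt", b"hello, world\n"))
```

Signature checks are cheap but not proof: a file may legitimately carry a generic container signature (a .docx is a zip), and anything with no signature, text included, can only be inferred from its content.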
true
FTK suite supports multiple users working on a single case
false
if a user opens a webmail message on their computer, that action is untraceable to examiners
true
if a user's profile is corrupted, Windows will create a temporary user profile
the sender's iOS device; the receiver's iOS device
iMessages can be read by the following parties
true
in order to conduct an online investigation, a law enforcement agency is required to obtain a warrant
false (regular expressions are pattern-matching tools for searching text, e.g. carving for email addresses or card numbers)
regular expressions are used for decrypting files such as zip archives
BIOS password reset; hardware clock reset; boot order reset to factory default
select the likely effects of removing the CMOS battery from a motherboard
the end of the last cluster where a file resides
slack space is located at __
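Three of the FAT items above (the end-of-chain marker, slack space at the end of a file's last cluster, and deletion leaving the data region untouched) in one runnable model, as an added example that is not from the study guide. The volume, FAT and directory entries are constructed in memory with a 1 KiB cluster; the FAT entry values and the 32-byte directory entry layout follow FAT32, but the allocation logic is my own simplification (first free clusters, in order). It writes a file, deletes it the way FAT does (0xE5 on the entry, chain zeroed), carves it back, then writes a smaller file over the same clusters so the old data survives in the new file's slack.

```python
"""Walk a FAT32 cluster chain, read a file's slack space, and show what
deleting a file actually changes on disk.

Added example, not from the study guide. The volume is built in memory with
a 1 KiB cluster; FAT entry values and directory entry layout follow FAT32.
"""
import struct

CLUSTER_SIZE = 1024
FIRST_DATA_CLUSTER = 2            # FAT entries 0 and 1 are reserved
FAT32_MASK = 0x0FFFFFFF           # FAT32 entries use 28 bits; the top nibble is ignored
EOC_MIN = 0x0FFFFFF8              # any masked value >= this ends the chain
EOC = 0x0FFFFFFF                  # the end-of-chain value Windows writes
DELETED_MARK = 0xE5               # first name byte of a freed directory entry
DIRENT_FMT = "<11sBBBHHHHHHHI"    # name attr ntres ctime10 ctime cdate adate clusHI wtime wdate clusLO size


def fat_entry_on_disk(value: int) -> bytes:
    """FAT entries are little-endian: EOC 0x0FFFFFFF is stored as FF FF FF 0F."""
    return struct.pack("<I", value)


def follow_chain(fat: list, first: int) -> list:
    """Clusters of a file in order, stopping at the end-of-chain marker."""
    chain = [first]
    while True:
        cur = chain[-1]
        if not FIRST_DATA_CLUSTER <= cur < len(fat):
            raise ValueError(f"cluster {cur:#x} outside the FAT")
        nxt = fat[cur] & FAT32_MASK
        if nxt >= EOC_MIN:
            return chain
        if nxt < FIRST_DATA_CLUSTER or nxt in chain:   # freed entry or loop: chain is broken
            raise ValueError(f"broken chain at cluster {cur}: next={nxt:#x}")
        chain.append(nxt)


def new_volume(n_clusters: int) -> dict:
    fat = [0] * (FIRST_DATA_CLUSTER + n_clusters)
    fat[0], fat[1] = 0x0FFFFFF8, EOC                    # media descriptor and reserved entry
    return {"fat": fat, "data": bytearray(n_clusters * CLUSTER_SIZE), "dir": []}


def cluster_bytes(vol: dict, cluster: int) -> bytes:
    off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return bytes(vol["data"][off:off + CLUSTER_SIZE])


def make_dirent(name83: str, first: int, size: int) -> bytes:
    return struct.pack(DIRENT_FMT, name83.encode("ascii").ljust(11), 0x20, 0, 0, 0, 0, 0,
                       first >> 16, 0, 0, first & 0xFFFF, size)


def read_dirent(entry: bytes) -> dict:
    name, _a, _r, _c10, _ct, _cd, _ad, hi, _wt, _wd, lo, size = struct.unpack(DIRENT_FMT, entry)
    return {"deleted": name[0] == DELETED_MARK, "name": name.decode("latin-1"),
            "first": (hi << 16) | lo, "size": size}


def write_file(vol: dict, name83: str, content: bytes) -> bytes:
    """Take the first free clusters, write the data, link the chain, add the entry."""
    fat, data = vol["fat"], vol["data"]
    needed = max(1, -(-len(content) // CLUSTER_SIZE))
    free = [c for c in range(FIRST_DATA_CLUSTER, len(fat)) if fat[c] == 0][:needed]
    if len(free) < needed:
        raise ValueError("volume full")
    for i, c in enumerate(free):
        chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        off = (c - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
        data[off:off + len(chunk)] = chunk              # the rest of the last cluster is left as-is
        fat[c] = free[i + 1] if i + 1 < needed else EOC
    entry = make_dirent(name83, free[0], len(content))
    vol["dir"].append(entry)
    return entry


def read_file(vol: dict, entry: bytes) -> bytes:
    e = read_dirent(entry)
    return b"".join(cluster_bytes(vol, c) for c in follow_chain(vol["fat"], e["first"]))[:e["size"]]


def slack_space(vol: dict, entry: bytes) -> bytes:
    """Bytes after end-of-file up to the end of the file's last cluster."""
    e = read_dirent(entry)
    chain = follow_chain(vol["fat"], e["first"])
    used_in_last = e["size"] - (len(chain) - 1) * CLUSTER_SIZE
    return cluster_bytes(vol, chain[-1])[used_in_last:]


def delete_file(vol: dict, entry: bytes) -> bytes:
    """FAT deletion: mark the entry 0xE5 and zero its chain. The data region is untouched."""
    for c in follow_chain(vol["fat"], read_dirent(entry)["first"]):
        vol["fat"][c] = 0
    deleted = bytes([DELETED_MARK]) + entry[1:]
    vol["dir"][vol["dir"].index(entry)] = deleted
    return deleted


def recover_deleted(vol: dict, deleted: bytes) -> bytes:
    """Carve from the entry's start cluster and size; right only while the file was contiguous and not reused."""
    e = read_dirent(deleted)
    off = (e["first"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return bytes(vol["data"][off:off + e["size"]])
```

Because the chain is gone after deletion, carving relies on the entry's surviving start cluster and size and assumes contiguity; once another file reuses those clusters, only the tail past the new file's end-of-file remains, which is exactly what turns up in slack.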
false
social media cannot be a source of digital evidence for showing a conspiracy
false (E01 wraps the bit-for-bit data with case metadata, per-chunk CRCs, an overall hash and optional compression)
the dd command produces a direct bit-for-bit copy; the E01 format is also a bit-for-bit copy but does not include additional data within the forensic image
false (FAT32 caps a single file at 4 GiB minus one byte; NTFS supports far larger files)
the FAT filesystem allows for larger maximum file sizes compared to NTFS
narrative
the ___ section of the report is the most detailed
investigator
the ____ takes charge of the scene and directs all activity
false
the examiner should only use commercially available write blockers for real investigations. Open source / free write blockers are not considered forensically sound
true
the executive summary portion of your report should be written for a non-technical audience
iOS (and macOS)
the plist format is used by
false
to present your findings in court you must only use commercial forensic software, since open-source software is not accepted by the court
false (deleted content sits in unallocated space and slack, which you reach at the physical level)
to recover deleted files, media must be examined at the logical level
true
when collecting open-source intelligence from the internet, you must collect metadata about the source of that evidence
true
when conducting an undercover investigation you must preserve all communication involved, even communications that are not evidentially relevant to your side of the case
true
when we look at the subkeys under USBSTOR, their names include the commercial name of the device (vendor, product and revision strings, e.g. Disk&Ven_...&Prod_...&Rev_...)
OST; MDB; PST
which file extensions are used by Outlook
Temp Mail; Guerrilla Mail
which of the following are examples of services that provide disposable email accounts
acquire a RAM image from the device running the software; capture a disk/drive image
which of the following are functions that can be performed with the FTK Imager freeware application
SAS; IDE; SATA; SCSI
which of the following are interfaces used to attach a physical drive to a motherboard
tool validation should be performed regularly; the examiner should keep a log/record of each time they perform tool validation
which of the following statements are true about tool validation
write blocking
which of the following would you use to protect digital evidence, given its fragility
mandatory
which profile type is created by network administrators to lock users down to a specific set of settings
PDF with a digital signature
which report format lets a reader detect any modification that was not re-signed with the author's private key
executive staff; directors; employees with access to data
who will identify subjects that may be involved in an insider threat