Digital Forensics CH 9-16


True

For computer investigators, tracking intranet e-mail is relatively easy because the accounts use standard names established by the network or e-mail administrator.

print

For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.

True

For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

Hexadecimal Editor, Computer Forensics Tool

Getting a hash value with a ______ is much faster and easier than with a(n) _____.

Bootable Linux

Helix operates in two modes: Windows Live (GUI or command line) and ____.

True

If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file.

Header Data

If you can't open an image file in an image viewer, the next step is to examine the file's _________.

Temporary

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.

.pst

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of _______.

SYN Flood

In a(n) ____ attack, the attacker keeps asking your server to establish a connection.

@

In an e-mail address, everything after the __ symbol represents the domain name.

subpoenas

In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.

False

Investigating cell phones and mobile devices is a relatively easy task in digital forensics.

True

Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

Zombies

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.

Key Escrow

Many commercial encryption programs use a technology called _______, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.

True

Many people store more information on their cell phones than they do on their computers.

FAT

The marking-bad-clusters data-hiding technique is more common with _____ file systems.

PGP

People who want to hide data can also use advanced encryption programs, such as ______.

True

Portability of information is what makes SIM cards so versatile.

True

PsList from PsTools allows you to list detailed information about processes.

Carving

Recovering pieces of a file is called _______.

mbox

Some e-mail systems store messages in flat plaintext files, known as a(n) _____ format.

False

Steganography cannot be used with file formats other than image files.

True

TDMA can operate in the cell phone (800 to 1000 MHz) or PCS (1900 MHz) frequency.

IS-136

TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life.

chntpw

The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password.

PsKill

The PSTools ____ kills processes by name or process ID.

MF

The SIM file structure begins with the root of the system (____).

Honeynet

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.

TDMA

The ____ digital network divides a radio frequency into time slots.

EDGE

The ____ digital network, a faster version of GSM, is designed to deliver data.

D-AMPS

The ____ network is a digital version of the original analog standard for cell phones.

Stemming

The _____ search feature allows you to look for words with extensions such as "ing," "ed," and so forth.

True

The defense request for full discovery of digital evidence applies to only criminal cases in the United States.

TIFF

The file format XIF is derived from the more common ____ file format.

Hierarchical

The file system for a SIM card is a ____ structure.

Configuration

The files that provide helpful information to an e-mail investigation are log files and ______ files.

EXIF

The majority of digital cameras use the _______ format to store digital pictures.

Demosaicing

The process of converting raw picture data to another format is referred to as _________.

Hexadecimal

The simplest way to access a file header is to use a(n) ________ editor.

Steganography

The term _____ comes from the Greek word for "hidden writing."

Options

To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click _____ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialog box contains the message header.

/var/log

Typically, UNIX installations are set to store logs such as maillog in the ______ directory.

False

Typically, phones developed for use on a GSM network are compatible with phones designed for a CDMA network.

EEPROM

Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.

Literary works

Under copyright laws, computer programs may be registered as _______.

False

When intruders break into a network, they rarely leave a trail behind.

CTRL + C

When working in a Windows environment, you can press ____ to copy the selected text to the clipboard.

Copyright

When working with image files, computer investigators also need to be aware of ________ laws to guard against copyright violations.

GUI

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.

True

With many computer forensics tools, you can open files with external viewers.

True

With the Knoppix STD tools on a portable CD, you can examine almost any network system.

Investigation Plan

You begin any computer forensics case by creating a(an) _______.

False

You can always rely on the return path in an e-mail header to show the source account of an e-mail message.

Graphic Editors

You use _________ to create, modify, and save bitmap, vector, and metafile graphics files.

Packet Sniffers

____ are devices and/or software placed on a network to monitor traffic.

Helix

____ can be used to create a bootable forensic CD and perform a live acquisition.

Network Forensics

____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.

PDAs

____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.

SIM

____ cards are found most commonly in GSM devices and consist of a microprocessor and from 16 KB to 4 MB of EEPROM.

Network

____ forensics is the systematic tracking of incoming and outgoing traffic on your network.

Layered Network Defense Strategies

____ hide the most valuable data at the innermost part of the network.

RegMon

____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.

Tcpslice

____ is a good tool for extracting information from large Libpcap files.

Snort

____ is a popular network intrusion detection system that performs packet capture and analysis in real time.

PsTools

____ is a suite of tools created by Sysinternals.

dcfldd

____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD.

tethereal

____ is the text version of Ethereal, a packet sniffer tool.

Live

____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.

Scope Creep

_____ increases the time and resources needed to extract, analyze, and present evidence.

Circular Logging

______ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.

Remote Acquisitions

______ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation.

Lossy

______ compression compresses data by permanently discarding bits of information in the file.

Steganography

______ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there.

Brute-force

_______ attacks use every possible letter, number, and character found on a keyboard when cracking a password.

Bitmap

_______ images store graphics information as grids of individual pixels.

Password

_______ recovery is a fairly easy task in forensic analysis.

Insertion

_______ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.

Steganography

________ is the art of hiding information inside image files.

Substitution

________ steganography replaces bits of the host file with other bits of data.

Vector Graphics

_________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Steganography

_________ has also been used to protect copyrighted material by inserting digital watermarks into a file.

Transaction

Exchange logs information about changes to its data in a(n) ____ log.

False

FTK cannot analyze data from image files from other vendors.

False

FTK cannot perform forensics analysis on FAT12 file systems.

Honeypot

A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.

Tcpdump

A common way of examining network traffic is by running the ____ program.

False

A nonsteganographic file has a different size than an identical steganographic graphics file.

JPEG

A(n) ______ file has a hexadecimal header value of FF D8 FF E0 00 10.

False

All e-mail servers are databases that store multiple users' e-mails.

True

Bitmap images are collections of dots, or pixels, that form an image.

Hiding

Data ______ involves changing or manipulating a file to conceal information.

CDMA

Developed during WWII, this technology, ____, was patented by Qualcomm after the war.

Client/Server Architecture

E-mail messages are distributed from one central server to many connected client computers, a configuration called _______.

True

E-mail programs either save e-mail messages on the client computer or leave them on the server.

PCAP

Most packet sniffer tools can read anything captured in ____ format.

3

Most packet sniffers operate on layer 2 or ____ of the OSI model.

False

Network forensics is a fast, easy process.

False

Operating systems do not have tools for recovering image files.
