Digital Forensics Final


Mac OS X inherits much from Unix, including the syslog daemon used as a way to handle log requests. While there is a syslog daemon running on a Mac OS X system, its sole job is to forward any log messages to the _________________ manager.

Apple System Log

While Windows event logs are used extensively by the operating system, they can also be used by any application. With Windows 2000 and up through Windows Server 2003, including Windows XP, there were typically three event log files on every system, ________________________________.

Application, System and Security

When examining a mobile device, if there is a _________ left behind on the desktop, it could be used to view the data from the mobile device without needing to use the mobile device itself.

Backup

The registry is organized as a series of hives, which is a way the operating system separates out the type of content. These hives, for the information that remains persistent across reboots, are stored in ____________________________.

C:\Windows\System32\config

In browsing the Internet the _________ is the storage of files that have been retrieved from the Web.

Cache

A _________________is the documentation of everywhere a piece of evidence has been as well as who the evidence has been handed off to. When someone hands the evidence off to someone else, both parties need to be documented.

Chain of Custody

When dealing with digital evidence, your _________________demonstrates that the evidence has always been in the control of someone known for purposes that are known.

Chain of Custody

Every time you visit a Web page, there are small pieces of data called a ____________ that are exchanged between your system and the Web server. This is a way of tracking you and making sure you get the experience you want related to that Web site.

Cookie

Time zones are really important because time is not fixed across the world. There are a number of terms that you may see when it comes to the first time zone. Historically, it was Greenwich Mean Time because it was the time zone where the Royal Observatory in Greenwich, England was located. The time zone has remained the same, but you may see it referred to as UTC, which is a compromise acronym for ___________________________.

Coordinated Universal Time

A _______________ is a piece of malware that infests a system and encrypts the contents of the file system. This encryption could be whole disk, or it could just be important parts of the filesystem, like the user's documents folder. The malware encrypts the folder, then issues a warning to the user that the files on the system have been encrypted and that they should pay a ransom in order to get the key that could be used to decrypt the files.

Crypto Locker

The main registry files that you will find in C:\Windows\System32\config are

DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM

The __________ case states that expert testimony can be introduced if the expert's evidence can help the trier of fact come to the truth of a matter and if the testimony is based on sufficient facts. Also, the testimony must be based on reliable methods and procedures. This is different from the previous Frye test in that Frye expected there to be a consensus within the professional community regarding the method or procedure.

Daubert

Debugging is a process that every programmer will do at some point. When you run a program and it does not work the way you expect it to, you have to discover the problem using this process.

Debugging

Unix has a long history of a variety of executable formats and Linux has generally inherited the ability to support these different formats. The current standard executable format, though, is the ___________________________.

Executable and Linkable Format (ELF)

When referring to Windows files systems FAT is the acronym for ______________________.

File Allocation Table

______________is commonly used to refer to things that relate to a court or legal proceeding.

Forensics

The _____________ ruling created a standard test for the admissibility of evidence that ensured that the methods used were reliable and considered to be standard procedure. However, the ruling is more than 90 years old and most states have moved away from using it as the standard.

Frye

This key stores all of the information about the operating system parameters including the operating system product name, the build number, the version information that includes whether there is a service pack installed, the owner, the organization, and the location of the system root directory among other pieces of information. ______________________________.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

This registry key shows the USB devices that have been connected to the operating system. Just as in the information available before, you will see the list of devices, including the vendor and product information.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

HTML, which stands for _______________________, is used to generate Web pages.

Hypertext Markup Language

Check one or more correct answers. Identify the correct types of cloud services:

Infrastructure as a Service (IaaS), Software as a Service (SaaS)

It is useful to know that there are different types of executables or programs. The reason for that is based on the CPU architecture (_____, Motorola, 32-bit, 64-bit, etc.) and the operating system in use.

Intel

The ________________ will generate a value that can be used to compare any subsequent copy against to ensure that it is identical. If we get the same value back from two different sets of evidence, we can be sure with a high degree of confidence that the evidence is identical.

MD5 or SHA1

The _____ at offset 0x30 within the BPB on NTFS is the location of the information for all of the files and directories in the entire file system.

MFT

____________ can strike anywhere and on any operating system.

Malware

Which of the following are operating systems?

Microsoft Windows, Linux, Mac OS X, Unix

One advantage from the Morris worm was that it spawned the creation of the Computer Emergency Response Team (CERT), which remains in place in the United States today.

Morris Worm

MRU is a set of initials you will see regularly in the Windows registry. It means ________________________ and is a list of values the user has used. This may be files or directories. Any MRU list will give you an indication of what the user has made use of or gained access to.

Most Recently Used

The _______________________ (NTFS) was developed by Microsoft to be part of the NT operating system, which Microsoft was intending to be a head-to-head competitor of OS/2, the operating system Microsoft was developing with IBM.

New Technology File System

The _________________, in technical terms, is the software that interfaces with the hardware and controls the pieces of your computer system such as the processor, memory, hard disk, and other components.

Operating System

When memory gets full, the operating system will swap pages of physical memory out to disk in order to make room for memory allocations from other programs. On Windows, the operating system allocates a file to write those pages out into. This file is commonly called ___________ and it is generally located in the root of the C: drive.

Pagefile.sys

The ________________________ is the first sector in the partition, and it describes the location of all the important data structures on disk, such as where the table resides physically as well as where the backup table is.

Partition Boot Sector

The ______________________ was a feature that was introduced in Windows XP and was designed, in part, to speed up the boot process.

Prefetcher

Mac OS X systems use files called __________________, commonly called plists, to store configuration settings.

Property Lists

There are a large number of artifacts that can be extracted from the Windows registry that would be of significance for a forensic investigation. You can track the actions of a user, discover software and its configuration, and get a lot of additional information, as we have already seen through the use of tools like _______________.

RegRipper

Big-endian versus little-endian is an important concept. You are used to big-endian because of the way we usually write numbers. Keep in mind that if you are working with data from an Intel-based system, as all personal computers today are, you are working with little-endian and the byte order needs to be ____________, but only within the values.

Reversed

Disk geometry. Match the correct name to the area shown in the diagram. The letter A points to several yellow areas which represent ________________.

Sectors

Many browsers have moved to using databases to store a lot of information. As a result, in order to perform forensic analysis of browsing activity, it is helpful to understand a little about how databases work. The most common type of database in use at the moment is relational. We need a programmatic way of getting data into the tables as well as getting it out again. One way of doing that is to use the ____________________.

Structured Query Language (SQL)

Disk geometry. Match the correct name to the area shown in the diagram. The letter B points to a blue line that indicates a ________________.

Track

A memory capture must be captured from a running system because once the system is powered off the memory is cleared. Dynamic random access memory (DRAM) requires an electrical signal to keep the bits in place. Once the power has been removed, the capacitors used to store the bits will quickly discharge, meaning there are no bits.

True

A program is a file on your disk that includes executable code but the program has to be put together in such a way that the operating system knows where all of the individual components of the program are.

True

Each file in the Prefetch folder includes information about the application the file refers to. This information, or metadata, will include the number of times the program has been executed, the last time the program was run, and a list of files that are associated with the program starting up. Using the Prefetch data, you can determine whether programs have been executed, how often and the last time they were run.

True

If you want to perform malware analysis, you should think about how you are going to do it safely. First, it probably goes without saying that you should never, ever play around with malware on your own system, but it may not be as obvious that even if you have a separate system, you should restrict its network access.

True

One of the challenges with service providers is that they are generally located in a different jurisdiction from the suspect. The location of the data may be in an entirely different jurisdiction. This means that you may run into jurisdictional issues that you should be aware of. When you obtain the data from the provider, you need to be aware of both the chain of custody and also how you can verify what you get.

True

Shortcut properties give you the location that the shortcut points to. When you delete a source file that has a shortcut, the shortcut does not look any different. You will still have the properties indicating the location where the original file was located. This may be one way to indicate that a file was once on a system.

True

When a forensic investigator gets handed a system that has been involved in a crime, it is helpful for the investigator to know more than just how to run an application that is going to generate a report.

True

When writing your report, you should always be unbiased. You are not investigating to prove a theory. You are investigating to gather evidence related to the case.

True

While Windows systems are most commonly infected for a number of reasons that have very little to do with the operating system itself, other operating systems such as Mac OS X and Linux are not invulnerable to malware attacks and outbreaks.

True

Windows has configuration details stored in the Windows registry. Over time, the registry has grown to include all of the system configuration details, as well as configuration storage for applications.

True

In the case of Windows systems, time and date is stored as a 64-bit value that is the number of 100 ns intervals since January 1, 1601, __________________. Times are stored as UTC, and the system is then responsible for adjusting based on local time when the time and date are displayed.

Universal Coordinated Time

Linux OS inherits the bulk of its configuration specifics from _________.

Unix

If you want to perform malware analysis, you should think about how you are going to do it safely. One way of doing that is to make use of virtual machines.

Virtual Machines

A ____________ is a malicious piece of software that requires some sort of intervention to get from one system to another.

Virus

Since SSDs use storage technology that can wear out, the drive uses something called _________________. This means that logical addresses may not always refer to the same spot on the disk over time, as the drive firmware moves some physical addresses out of current use to give them a break and maintain the overall longevity of the drive.

Wear Leveling

Drive-by attacks and watering holes use one of the most common attack methods today, which is the _________________. This is because it may be the most commonly used application on your entire system. You may use it to read news, purchase goods, read e-mail, look up information, or for any of countless other reasons.

Web Browser

A ___________ is either a hardware device or a piece of software that prevents any write requests from going to a disk under investigation.

Write Blocker

While viruses can be used to infect systems, modern viruses will often download and install other software. Sometimes, the software that gets installed will turn the computer system into a slave of a larger network, controlled by malicious users. Once all of the compromised systems are collected together under a unified control infrastructure, the result is called a _________.

botnet

Microsoft Office documents moved to an ____________________________ (XML)-based document format with Office 2007. The file formats use Open XML to store most of the document data.

eXtensible Markup Language

Image files often store extensive information about where they were created, the program that created them, and the date and time they were created. In the mid-1990s, the Japan Electronics Industry Development Association specified formats for digital media storage. As part of that effort, they specified the _____________________________ to define metadata that would be stored in these media files, as well as the format for the data files themselves.

exchangeable image file format (Exif)

__________ has become a standard log format on Unix-like operating systems over the last 30 years.

syslog
