Forensics
Only one file format can compress graphics files. True or False?
False
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True
FTK's Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply) A - Filter known program files from view B - Calculate hash values of known files to evidence files. C - Filter out evidence that doesn't relate to your investigation.
A - Filter known program files from view C - Filter out evidence that doesn't relate to your investigation.
What methods do steganography's programs use to hide data in grpahics files? (Choose all that apply.) A - Insertion B - Substitution C - Masking D - Carving
A - Insertion B - Substitution
Which of the following tools is most helpful in accessing cluster marked as "bad" on a disk? A - Norton DiskEdit B - FTK C - ProDiscover D - HDHOST E - None of the above
A - Norton DiskEdit
Digital pictures use data compression to accomplish which of the following goals? (choose all that apply.) A - Save space on a hard drive B - Provide a crisp and clear image C - Eliminate redundant data D - Produce a file that can be emailed or posted on the internet.
A - Save space on a hard drive D - Produce a file that can be emailed or posted on the internet.
Which of the following statements about HDHOST is true? (Choose all that apply.) A -It can be used to access a suspect's computer remotely. B -It requires installing the diskExplorer program corresponding to the suspects file system. C - It can run surreptitiously to avoid detection. D - It works over both serial and TCP/Ip interfaces.
A -It can be used to access a suspect's computer remotely. B -It requires installing the diskExplorer program corresponding to the suspects file system. D - It works over both serial and TCP/Ip interfaces.
Graphics files stored on a computer can't be recovered after they are deleted. True or false?
False
Password recovery is included in all computer forensics tools. True or False?
False
When investigating graphics files, you should convert them into one standard format. True or False?
False
Name three types of log files you should examine after a network intrusion.
Firewall, router, network.
A JPEG file uses which type of compression?
Lossy
Why are live acquisitions becoming more common?
Network attacks are increasing and the OOV of vertain digital evidence dictates it.
In JPEG files, what's the starting offset position for the JFiF label?
Offset 6
What are the three modes of protection in the DiD strategy
People, technology, operations.
When you carve a graphics file, recovering the image depends on what skill?
Recognizing the pattern of the file header content
Ethereal can send automated alerts when it encounters anomalies in capture packets. True False?
False
Some clues left on a drive that might indicate steganography inclued which of the following?
All of the above
Which of the following represents known files you can eliminate from an investigation? A - Any graphics B - Files associated with an application C - System files the OS uses D - Any files pertaining to the company
B - Files associated with an application C - System files the OS uses
What methods are used for digital watermarking? (choose all that apply) A - Implanted subroutines that link to a central Webserver Automatically when the watermarked file is accessed B - Invisible modification of the LSBs in the file C - Layering visible symbols on top of the image D - Using a hex editor to alter the image data
B - Invisible modification of the LSBs in the file C - Layering visible symbols on top of the image
When do zero day attacks occur?
Before a patch is available Before the vendor is aware of the vulnerability
Which of the following tools from sysinternals monitors Registry data in real time? A - PsList B - Handle C - Regmon D - PsUpTime
C - Regmon
Salvaging a file is also known in North America by?
Carving
For which of the following reason should you wipe a target drive? A - To ensure the quality of digital evidence you acquire B - To make sure unwanted data isn't retained on the drive C - Neither of the above D - Both A and B
D - Both A and B
A JPEG file is an example of a vector graphic. True or False?
False
After you shift a files bits, the hash value remains the same. True or False?
False
Copyright laws don't apply to Websites True or False?
False
Data gathered from a honeypot is considered evidence that can be used in court. True or False?
False
What are the potential problems when you discover that another company's machines are being used as part of the same attack your company is dealing with?
For both companies, proprietary information is at stake. Calling in the authorities could expose both companies to unwanted scrutiny.
List the general procedure for making a live acquisition.
Have a bootable forensics CD handy, have a network drive you can download information to, if possible; keep a log, of all steps and information, copy RAM and running processes, look for rootkits.
JPEG and Tif files:
Have different values for the first 2 bytes of their file headers
Steganography is used for ?
Hiding data
A layered network defense strategy puts the most valuable data where?
In the innermost layer
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
Internal corporate investigation because corporate investigators typically have ready access to company records.
Commercial encryption programs often rely a technology known as _______ to recover files if a password or passphrase is lost.
Key escrow
Packet sniffers examine what layers of the OSI model?
Layers 2 and 3
What are the Pcap versions for UNIX/Linux and Windows
Libcap and Winpcap
Which FTK search option is more likely to find text hidden in unallocated space: live search or indexed search?
Live Search
Bitmap (.bmp) Files use which of the following types of compression?
Lossless
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
Lossless
_________ happens when an investigation foes beyond the bounds of its original description.
Scope Creep
You're using Disk Manager to view primary and extended partitions on a subjects drive. The program reports the extended partitions total size as larger than the sum of the sizes of logical partitions in the extended partition. What might you infer from this information?
Theres a hidden partition
In what way do live acquisitions violate standard forensics procedures?
They change the data and are not repeatable.
For what legal and illegal purposes can you use steganography?
To protect ownership of online artwork or to hide messages related to illegal activity
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or false?
True
Having the Hash values of standard installation files on a system can help you determine whether an attacker altered the OS. True or False.
True
Tcpsloce can be used to retrieve specfice timeframes of packet captures. True or False?
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or false?
True
Explain how to identify an unknown graphics file format that your computer forensics tool doesn't recognize.
You need to examine a copy of the unknown file with a hexadecimal editor to find the hex code for the first several bytes of the file. Then you need to examine other known file types with similar or identical header values to see whether you can confirm its file types.