ISCS Final Exam

In a prefetch file, the application's last access date and time are at offset _______________.

0x90

Define cloud, based off the NIST definition.

Computing storage that provides on-demand network access for multiple users and can allocate storage to users to keep up with changes in their needs.

What is issued when information on the cloud is needed?

A subpoena for civil and criminal cases

What is issued when evidence on the cloud needs to be seized?

A warrant in a criminal case, issued by law enforcement

Define community cloud

A way to bring people together for a specific purpose.

Define lay witness

A witness testifying to personally observed facts

Define public cloud

Accessible to anyone, and typically the only identification required is an e-mail address.

Which of the following is an example of a written report?

Affidavit

An expert witness can give an opinion in which of the following situations?

All of the above

sync_config.db

An SQL database file with Google Drive upgrade number, highest application version number, and local synchronization root path

Define cloud forensics

Applying digital forensics to cloud computing; it is considered a subset of network forensics.

Define private cloud

Can be accessed only by people who have the necessary credentials, such as a logon name/password.

When are cloud investigations necessary?

Cases involving cyber attacks, policy violations, data recovery, and fraud complaints.

Technical challenges in cloud forensics:

Cloud architecture, data collection, legal issues, standards, and training.

What does CSP stand for?

Cloud service providers

When writing a report, what's the most important aspect of formatting?

Consistency

snapshot.db

Contains information about each file accessed, the URL pathname, the modified and created dates and times in UNIX timestamp format, and the file's MD5 value and size

What is a SLA?

Contract between a CSP and the customer that describes what services are being provided and at what level.

A ________________ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities.

Court order

_________ are written by judges to compel someone to do or not do something, such as a CSP producing user logon activities.

Court orders

Two types of encrypted data in the cloud:

Data at rest and data in motion

What are the two states of encrypted data in a secure cloud?

Data in motion and data at rest

Define data in motion

Data that has been transmitted over a network

Define data at rest

Data that has been written to disk

Where are you most likely to find evidence on a PaaS service level?

Desktop of the server, or on a company network, or the remote service provider's infrastructure.

Where are you most likely to find evidence on an IaaS service level?

Desktop of the server.

Where are you most likely to find evidence on a SaaS service level?

Desktop, laptop, tablet, or smartphone.

What is anti-forensics?

Destroying ESI that's potential evidence (used by hackers)

Define examination plan

A document that serves as a guideline for knowing what questions to expect when you're testifying.

Three widely used public cloud storage:

Dropbox, Google Drive, OneDrive

Define hybrid cloud

Enables a company to keep some information private and designate other files as public or community information.

Automated tools help you collect and report evidence, but you're responsible for doing which of the following?

Explaining the significance of the evidence

Which of the following rules or laws requires an expert to prepare and submit a report?

FRCP 26

Define spoliation

Failing to preserve evidence

(t/f) A feature of FROST is that it requires a virtual machine's hypervisor to run.

False

(t/f) A preliminary written report is not a high-risk document.

False

(t/f) A search warrant can be used in any kind of case, either civil or criminal.

False

(t/f) A text editor can be used to read Dropbox files.

False

(t/f) Clarity of writing is not critical to a report's success.

False

(t/f) One of the missions or goals of the investigation is to reformat certain important documents.

False

(t/f) Commingled data isn't a concern when acquiring cloud data.

False

What information below is not something recorded in Google Drive's snapshot.db file?

File SHA values and sizes

The _________ is used to identify, label, record, and acquire data from the cloud.

Forensic data collection tool

Three types of reports

Formal report, preliminary written or verbal report to your attorney, and an examination plan.

_______________ is used to get information when it is believed there is a danger of death or serious physical injury or for the National Center for Missing and Exploited Children.

Government agency subpoena

Types of subpoenas (3)

Government agency, non-government, and civil litigation

__________________ uses an "ideal lattice" mathematical formula to encrypt data.

Homomorphic encryption

What capabilities should a forensics tool have to acquire data from a cloud? (choose all that apply.)

Identify and acquire data from the cloud, expand and contract data storage capabilities as needed for service changes, examine virtual systems.

In which cloud service level can customers rent hardware and install whatever OSs and applications they need?

Infrastructure as a service

With the _____________ cloud service, the cloud provider is responsible only for selling or leasing the hardware.

Infrastructure as a service

IaaS

Infrastructure as a service. Customers can rent hardware such as servers and workstations and install whatever OSs, applications, settings, and tools they need in the cloud environment.

Which of the following statements about the legal-sequential numbering system in report writing is true?

It doesn't indicate the relative importance of information

Define deposition bank

Libraries that store examples of expert witnesses' previous testimony

A _________________ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface.

Management plane

Define multi-tenancy

Many different unrelated businesses and users share the same applications and storage space.

____________ are used to produce information from private parties for litigation.

Non-government and civil litigation subpoenas

When can a search warrant be used?

Only in criminal cases, requested by a law enforcement officer

What are the three dimensions of cloud forensics?

Organizational, legal, technical

Which of the following is the standard format for reports filed electronically in federal courts?

PDF

PaaS

Platform as a service. Means an OS, such as Linux or Windows, has been installed on a cloud server.

To reduce the time it takes to start applications, Microsoft has created __________ files, which contain the DLL pathnames and metadata used by applications.

Prefetch

What does the technical dimension deal with?

Procedures and specialized applications designed to perform forensic recovery and analysis of the cloud

Which of the following cloud deployment methods typically offers no security?

Public cloud

What does Rule 26 of the FRCP in the U.S. require?

Requires expert witnesses who anticipate testifying to submit a written report including the expert's opinion along with the basis for it.

_________ in the cloud covers data owners, identity protection, users, access controls, and so forth.

Role management

What are the three levels of cloud services defined by NIST?

SaaS, PaaS, IaaS

The law requires __________ to contain a specific description of what is to be seized.

Search warrants

Five mechanisms used to collect digital evidence under the U.S. Electronic Communications Privacy Act (ECPA):

Search warrants, subpoenas, subpoenas with prior notice to the subscriber or customer, court orders, and court orders with prior notice to the subscriber or customer.

Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?

Seizure order

What does the legal dimension cover?

Service agreements and other jurisdictional matters

A(n) _______________________________________________ is a contract between a CSP and the customer that describes what services are being provided and at what level.

Service level agreement

What does SLA stand for?

Service level agreement

Evidence of cloud access found on a smartphone usually means which cloud service level was in use?

Software as a Service

SaaS

Software as a service. Applications delivered via the internet.

What is a government agency subpoena?

States that customer communications and records can't be knowingly divulged to any person or entity, although it allows specific exceptions for government agencies.

Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (choose all that apply)

Subpoenas with prior notice, Search warrants, Court Orders

A CSP's incident response team typically consists of which staff?

System and Network Administrators

What is a major advantage of automated forensics tools in report writing?

The reports and log files generated by the software

What does the organizational dimension address?

The structure of the cloud, such as location of data storage and administration of services

What is a court order?

They are written by judges to compel someone to do or not do something

For what purpose have hypothetical questions traditionally been used in litigation?

To frame the factual context of rendering an expert witness's opinion.

Why do attorneys use depositions banks?

To research expert witnesses' previous testimony and to learn more about them.

(t/f) A written report/affidavit/declaration is sworn to under oath.

True

(t/f) All U.S. district courts and many states require expert witnesses to submit written reports.

True

(t/f) Amazon was an early provider of Web-based services that eventually developed into the cloud concept.

True

(t/f) Anything you write down as part of your examination is subject to discovery.

True

(t/f) Cloud forensics typically involves litigation of criminal or civil matters.

True

(t/f) Digital forensics examiners could be held liable when conducting an investigation involving cloud data.

True

(t/f) Hypothetical questions can be abused and made so complex that the finder of fact (the expert) might not be able to remember enough of the question to evaluate the answer.

True

(t/f) If you were a lay witness at a previous trial, you shouldn't list that case in your written report.

True

(t/f) The multi-tenancy nature of cloud environments means conflicts in privacy laws can occur.

True

(t/f) To see Google Drive synchronization files, you need a SQL viewer.

True

(t/f) The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).

True

What is a non-government subpoena?

Used to produce information from private parties for litigation.

What does the CSP do?

Uses servers on distributed networks or mainframes that allow elasticity of resources for customers.

When should a temporary restraining order be requested for cloud environments?

When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.

What type of report must be submitted in a US district court?

Written report

sync_log.log

Has a detailed list of the user's cloud transactions

Select the folder below that is most likely to contain Dropbox files for a specific user:

C:\Users\username\Dropbox

Where is the snapshot database created by Google Drive located in Windows?

C:\Users\username\AppData\Local\Google\Drive
