Mid-Term Exam

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

What are two advantages and disadvantages of the raw format?

+ Fast transfers + Most tools can read it + Ignores minor data read errors - Requires as much space as the original, suspect drive - Some tools (mostly freeware) might skip bad sectors

AFF

Advanced Forensics Format. Open-source acquisitions file format created by Dr. Simson Garfinkel.

ASCII

American Standard Code for Information Interchange

Allegation

An accusation of fact that a crime has been committed

brute force attack

An attack on passwords or encryption that tries every possible password or encryption key.

password dictionary attack

An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.

secure facility

An enclosed room with a lock with true floor-to-ceiling walls, no windows, with a secure container, and a visitor's log with legible entries.

Whole Disk Encryption

An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

wear leveling

An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells

warning banner

Asserts the right to conduct an investigation and notifies the user, often when the computer starts or connects to company intranet.

ACP

Attorney-client privlege

AFIS

Automated Fingerprint Identification System. Scans fingerprints electronically and plots the positions of their ridge characteristics, comparing them with prints in a database.

On a Windows system, sectors typically contain how many bytes? 1. 256 2. 512 3. 1024 4. 2048

B. 512

What are some ways to determine the resources needed for an investigation?

Bases on the OS of the computer you're investigating, list the software you plan to use for the investigation, noting other software, tools, or expert assistance you might need.

Why should evidence media be write-protected?

Because it maintains the quality and integrity of the evidence you're trying to preserve.

Why should you critique your case after it's finished?

Because self-evaluation and peer review are essential parts of professional growth. When a case is complete, review it to identify successful decisions and actions and determine how you could have improved your performance.

CCE

Certified Computer Examiner

CCFP

Certified Cyber Forensics Professional

CFCE

Certified Forensic Computer Examiner

tracks

Circles on a magnetic storage device where data is stored or retrieved.

data runs

Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to store the second and third components' content.

Forensics software tools are grouped into ____ and ____ applications.

Command line and GUI

CFTT

Computer Forensics Tool Testing. NIST's established guidelines for testing, evaluating, and validating tools.

CTIN

Computer Technology Investigators Network

Describe what should be videotaped or sketched at a computer crime scene

Computers, cable connections, overview of the scene—anything that might be of interest to the investigation.

low-level investigations

Corporate cases that require less investigative effort than a major criminal case.

CRC

Cyclic Redundancy Check. A mathematical algorithm that determines whether a file's contents have changed. It is not considered to be a forensic hashing algorithm.

What does CHS stand for?

Cylinders, Heads, Sectors

With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above

D. All of them

RAM slack

Data from RAM that is used to fill up the last sector on a disk

Computer-generated records

Data generated by a computer, such as system log files or proxy server logs.

How many sectors are typically in a cluster on a disk drive? 1. 1 2. 2 or more 3. 4 or more 4. 8 or more

Depending on the size of the drive, but 8 or more.

network intrusion detection and incident response

Detects intruded attacks by using automated tools and monitoring network firewall logs

DEFR

Digital Evidence First Responder

DES

Digital Evidence Specialist

When you arrive at the scene, why should you extract only those items you need to acquire evidence?

Doing so protects your equipment and minimizes how many items you have to keep track of at the scene.

Which forensic tools can connect to a suspect's computer and run surreptitiously?

Encase ProDiscover

EFS

Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.

Digital Evidence

Evidence consisting of information stored or transmitted in electronic form.

Exculpatory evidence

Evidence indicating that a defendant did not commit the crime.

Of all of the proprietary formats, which is the unofficial standard?

Expert Witness Compression format

Building a forensic workstation is more expensive than purchasing one. True or False?

False

Data can't be written to the disk with a command-line tool. True or False?

False

FTK Imager can acquire data in a drive's host protected area. True or False?

False

Small companies rarely need investigators. True or False?

False

The plain view doctrine in computer searches is well-established law. True or False?

False

You should always answer questions from onlookers at a crime scene. True or False?

False

A live acquisition can be replicated. True or False?

False, due to volatile memory.

Digital forensics and data recovery refer to the activities. True or False?

False.

If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?

False. All visitors must sign the log in order to ensure accountability and security.

Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product work. True or False?

False. Any information discovered before the memo is issued can be used in discovery by the opposition.

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False. If Internet access is needed, a second, non-Forensic workstation should be used to access the Internet.

Evidence storage containers should have several master keys. True or False?

False. In order to maintain security, the less number of keys available, the better.

Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?

False. It's not until the private-sector investigator starts working at the direction of law enforcement that they are considered an agent of law enforcement.

In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?

False. That is "repeatable results".

Digital forensics facilities always have windows. True or False?

False. They do not have windows in order to protect the privacy and integrity of the investigation.

You should always prove the allegations made by the person who hired you. True or False?

False. You must always maintain an unbiased perspective and be objective in your fact-finding.

FAT

File Allocation Table

List three items stored in the FAT database.

File and directory names, starting cluster numbers, file attributes, date and time stamps.

Police in the United States must use procedures that adhere to which of the following? 1. Third Amendment 2. Fourth Amendment 3. First Amendment 4. None of the above

Fourth Amendment

HAZMAT

Hazardous Materials

HPFS

High Performance File System - A file system created specifically for the OS/2 operating system to improve upon the limitations of the FAT file system. Among its improvements are: support for mixed case file names, support for long file names (255 characters), more efficient use of disk space, less fragmentation of data

HTCN

High Tech Crime Network

HPA

Host Protected Area. The area of the drive that's not normally visible to the OS.

Why should you do a standard risk assessment to prepare for an investigation?

Identifying the risks can help mitigate or minimize any foreseeable issues with the investigation.

BootSect.dos

If a machine has multiple booting OSs, NTLDR reads BootSect.dos, which is a hidden file, to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).

attribute id

In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.

Info2 file

In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.

professional conduct

Includes ethics, morals, and standards of behavior

Inculpatory evidence

Incriminating evidence

bootstrap process

Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response field kit

Device drivers contain what kind of information?

Instructions for the OS on how to interface with hardware devices.

IACIS

International Association of Computer Investigative Specialists

As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? 1. You begin to take orders from a police detective without a warrant or subpoena. 2. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. 3. Your internal investigation begins. 4. None of the above.

1

If a suspect computer is running Windows 10, which of the following can you safely perform? 1. Browsing open applications 2. Disconnecting power 3. Either of the above 4. None of the above

1

Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? 1. Most companies keep inventory databases of all hardware and software used. 2. The investigator doesn't have to get a warrant. 3. The investigator has to get a warrant. 4. Users can load whatever they want on their machines.

1, 2

Which of the following is true of most drive-imaging tools? (Choose all that apply.) 1. They perform the same function as a backup 2. They ensure that the original drive doesn't become corrupt and damage the digital evidence. 3. They create a copy of the original drive. 4. They must be run from the command line.

1, 2, 3

Which of the following techniques might be used in covert surveillance? 1. Keylogging 2. Data sniffing 3. Network logs 4. None of the above

1, 2, 3

When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply) 1. Calculate the hash value with two different tools. 2. Use a different tool to compare the results of evidence you find. 3. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. 4. Use a command-line tool and then a GUI tool.

1, 2, 3 (?)

The reconstruction function is needed for which of the following purposes? (Choose all that apply.) 1. Re-create a suspect drive to show what happened. 2. Create a copy of a drive for other investigators. 3. Recover file headers. 4. Re-create a drive compromised by malware.

1, 2, 4

If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? 1. Coordinate with the HAZMAT team. 2. Determine a way to obtain the suspect's computer. 3. Assume the suspect's computer is contaminated. 4. Do not enter alone.

1, 3

The verification function does which of the following? 1. Proves that a tool performs as intended 2. Creates segmented files 3. Proves that two sets of data are identical via hash values 4. Verifies hex editors

1.

List two popular certification programs for digital forensics.

1. CFCE - Certified Forensic Computer Examiner 2. CCFP - Certified Cyber Forensic Professional

A log report in forensics tools does which of the following? 1. Tracks file types 2. Monitors network intrusion attempts 3. Records an investigator's actions in examining a case 4. Lists known good files

3. Records an investigator's actions in examining a case

The standards for testing forensics tools are based on which criteria? 1. U.S. Title 18 2. ASTD 1975 3. ISO 17025 4. All of the above

3. USI 17025

According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply) 1. The DEFR's competency 2. The DEFR's skills in using the command line 3. Use of validated tools 4. Conditions at the acquisition setting

3. Use validated tools

recovery certificate

A method NTFS uses so that a network administrator can recover encrypted files if the file's user/creator loses the private key encryption code.

head and cylinder skew

A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.

file system

A method used by operating systems to store, retrieve, and organize files.

one-time passphrase

A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.

business case

A plan you can use to sell your services to management or clients

Initial-response field kit

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

extensive-response field kit

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.

Evidence custody form

A printed form indicating who has signed out and been in physical possession of evidence.

configuration management

A process of recording all the updates made to your workstation

Sector

A section on a track, usually made up of 512 bytes

device drivers

A software program that provides the instructions your computer needs to communicate with a device

Forensic Workstation

A specially configured PC loaded with additional bays and forensics software

Boot.ini

A startup file for Windows XP that specifies the path installation and contains options for selecting the Windows version.

Affidavit

A sworn statement of support of facts about or evidence of a crime

nonkeyed hash set

A unique hash number generated by a software tool and used to identify files.

keyed hash set

A value created by an encryption utility's secret key.

What's a hashing algorithm?

A way of creating a binary or hexadecimal number that represents the uniqueness of the drive or data set; it's "digital fingerprint"

Validation

A way to confirm that a tool is function as intended.

innocent information

- Unrelated information - Often included with the evidence you're trying to recover

Clusters in Windows always begin numbering at what number?

0 in NTFS. 2 in FAT.

hostile work environment

A work environment that can result in an employee's civil lawsuit against the company that does nothing to prevent or respond to it.

Which organization has guidelines on how to operate a digital forensics lab?

ANAB (ANSI-ASQ National Accreditation Board)

ANAB

ANSI-ASQ National Accreditation Board

EFS can encrypt which of the following? a. Files, folders, and volumes b. Certificates and private keys c. The global registry d. Network servers

a.

probable cause

the standard specifying whether a police officer has the right to make an arrest, conduct a personnel or property search or obtain a warrant for arrest

In FAT32, a 123 KB files uses how many sectors?

It depends on how the OS determined the cluster size.

What's a virtual cluster number?

It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.

Why was EFI boot firmware developed?

It was designed to provide better protection against malware than BIOS does.

Why is it good practice to make two images of a suspect drive in a critical investigation?

It's helpful in making sure that data has been copied correctly. It also protects against loss and minimizes the risk of failure in the investigation.

search warrants

Legal documents that authorize a police officer or other officials to enter and search a premise

single-evidence form

Lists each piece of evidence on a separate page

Keyword search

Looks for words anywhere in the data.

Digital Investigations

Manages investigations and conducts forensics analysis of systems suspected of containing evidence. Fall into two categories: 1. Public sector 2. Private sector

MBR

Master Boot Record. An area on a hard disk in its first sector. When the BIOS boots a system, it looks at the MBR for instructions and information on how to boot the disk and load the operating system. Some malware tries to hide here.

MFT

Master File Table

What does MFT stand for?

Master File Table

MD5

Message Digest 5. A hashing function used to provide integrity.

Which organization provides good information on safe storage containers?

NISPOM (National Industrial Security Program Operating Manual) - Chapter 5, Section 3

NIST

National Institute of Standards and Technology

NSRL

National Software Reference Library. A compiled list of known file hashes for a variety of OSs, applications, and images. Currently adding hash values for iOS and Android applications.

NTFS

New Technology File System

In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

No! if is "input file". This process is reversed of what is should be.

Evidence bags

Nonstatic bags used to transport removable media, hard drives, and other computer components.

Static Acquisitions

Normally done on a system or drive that has been seized, often with a write-blocking device to prevent writing to the suspect disk.

areal density

Number of bits per square inch of a disk platter

covert surveillance

Observing people or places without being detected, often using electronic equipment, such as video cameras or key stroke/screen capture programs.

In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?

On newer OSs, none.

Virtual Machine

One or more logical machines created within one physical machine.

unallocated disk space

Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.

PII

Personally Identifiable Information. Information about individuals that can be used to trace a person's identity, such as a full name, birthdate, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.

Live Acquisition

Powered-on device, logged on by the user

What's the main goal of static acquisition?

Preservation of digital evidence

What is professional conduct, and why is it important?

Professional conduct is the ethics, morals, and standards by which you conduct yourself and you business. It is important because it determines your credibility.

Fourth Amendment

Protection from unlawful search and seizure.

Verification

Proves that two sets of data are identical by calculating has values or using another similar method.

RAID

Redundant Array of Independent Disks. A computer configuration of two or more disks, originally developed as a data-redundancy measure. RAID 0, 1, 2, 3, 5, 10, 15

Typically, a(n) ______ lab has a separate storage area or room for evidence

Regional

repeatable findings

Repeat the steps and produce the same result

ReFS

Resilient File System

Chain of custody

Route the evidence takes from the time you find it until the case is closed or goes to court.

List two hashing algorithms commonly used for forensic purposes.

SHA-1 (and its variants), MD5

SWGDE

Scientific Working Group on Digital Evidence

Physical address

Sector numbers that reside at the hardware or firmware level and go from address 0 to last on disk.

Commingling evidence means what in a private-sector setting?

Sensitive business information is mixed with the data that is collected as evidence.

Sparse Acquisition

Similar to logical acquisition in that it gathers files and file types, bu also gathers fragments of deleted data

Raw forensic file format

Simple, sequential flat files of a suspected drive or data set, readable by almost all forensic acquisition tools

Authorized requester

Someone who has the power to initiate investigations

person of interest

Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.

What does a logical acquisition collect for an investigation?

Specific files or file types

What does a sparse acquisition collect for an investigation?

Specific files or file types, as well as fragments from unallocated areas

line of authority

States who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.

Partition Boot Sector

Stores info important to its partition, such as the location of OS boot files.

What term refers to labs constructed to shield EMR (electromagnetic radiation) emissions?

TEMPEST

Exhibits

Tangible material that either supports or refutes the allegation

vulnerability/threat assessment and risk management

Tests and verifies the integrity of stand-alone workstations and network servers

What do you call a list of people who have had physical possession of the evidence?

The Chain of Custody

search and seizure

The Fourth Amendment gives protection against unlawful search and seizure

Hal.dll

The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.

Ntoskrnl.exe

The Windows OS kernel.

Pagefile.sys

The Windows swap file that is used to hold the virtual memory that is used to enhance physical memory installed in a system.

Reconstruction

The ability to recreate a suspect drive to show what happened during a crime or an incident.

Logical Acquisition

The acquisition of specific files or file types

What should you consider when determining which data acquisition method to use?

The circumstance of the investigation. Namely, the scope and length of possession.

Data recovery

The customer or company just wants the data back. Don't care about legal matters.

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

The device is automatically mounted and access. This likely alters the metadata.

head

The device that reads and writes data to a drive.

Acquisition

The first task in digital forensics investigations; making a copy of the original drive.

SHA-1

The first version of Secure Hash Algorithm, developed by NIST and slowly replacing CRC and MD5.

risk management

The forecasting and evaluation of risks, together with the identification of procedures to avoid or minimize their impact.

Plain View Doctrine

The legal principle that objects in plain view of a law enforcement agent who has the right to be in a position to have that view may be seized without a warrant and introduced as evidence.

digital forensics lab

The locations where you conduct investigations, store evidence, and do most of your work.

professional curiosity

The presence of police officers and other professionals who are not part of the crime scene-processing team. Their presence can contaminate the scene, either directly or indirectly.

Digital Forensics

The process of systematically accumulating and analyzing digital information for use as evidence in a civil, criminal, or administrative case

interrogation

The process of trying to get a suspect to confess

Extraction

The recovery task in a digital investigation and the most challenging of all tasks to master.

TEMPEST

The required shielding of sensitive computing systems and the prevention of electronic eavesdropping of computer emissions

industrial espionage

The selling of sensitive or confidential company information to a competitor.

track density

The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.

What are the necessary components of a search warrant?

The suspect's computer and its components. 1. It must be filled in good faith by a law enforcement officer 2. It must be based on reliable information showing probable cause to search 3. It must be issued by a neutral and detached magistrate 4. It must state specifically the place to be searched and the items to be seized

file slack

The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.

white-collar crimes

These crimes are characterized by deceit, concealment, or violation of trust and are not dependent on the application or threat of physical force or violence. The motivation behind these crimes is financial—to obtain or avoid losing money, property, or services or to secure a personal or business advantage.

Why is physical security so critical for digital forensics labs?

To maintain chain of custody and prevent data from being lost, corrupted, or stolen

What's the purpose of maintaining a network of digital forensics specialists?

To supplement your knowledge and be able to get referrals and information when needed

What's the purpose of an affidavit?

To support facts about or evidence of a crime, in order to secure a warrant for seizure

An encrypted drive is one reason to choose a logical acquisition. True or False?

True

An image of a suspect drive can be loaded on a virtual machine. True or False?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True

EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?

True

Hardware acquisition tools typically have built-in software for data analysis. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's rights to inspect employee's computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?

True

If you discover a criminal act while investigating a company police abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?

True

In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?

True

In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?

True

The primary hashing algorithm the NSRL project uses is SHA-1. True or False?

True

Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?

True

The ANAB mandates the procedures established for a digital forensics lab. True or False?

True (?)

For digital evidence, an evidence bag is typically made of antistatic material. True or False?

True.

An employer can be held liable for e-mail harassment. True or False?

True. An employer is responsible for preventing and investigating harassment of employees and nonemployees associated with the workplace.

List two features NTFS has that FAT does not.

Unicode characters, security, journaling.

UCR

Uniform Crime Report

Partition gap

Unused space between partitions

drive slack

Unused space in a cluster between the end of an active file and the end of the cluster

What does the Ntuser.dat file contain?

User-protected storage area; contains the list of the most recently used files and desktop configuration settings

interview

Usually conducted to collect information from a witness or suspect about specific facts related to an investigation.

What's the most critical aspect of digital evidence?

Validating

VCN

Virtual Cluster Number

VHD

Virtual Hard Disk

Alternate Data Streams

Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, these become an additional file attribute.

logical addresses

When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.

Partition

When referring to a computer hard drive, a disk partition or partition is a section of the hard drive that is separated from other segments. Partitions help enable users to divide a computer hard drive into different drives or different portions for a number of reasons.

In forensic hashes, when does a collision occur?

When the hash value is equivalent to another hash value generated from a different data set. These collisions are rare and have really only been detected on supercomputers.

Ntldr (NT Loader)

Windows NT/2000/XP boot file. Launched by the MBR or MFT, ntldr looks at the boot.ini configuration file for any installed operating systems.

What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

You can remove and reconnect drives without having to restart the workstation.

ZBR

Zone bit recording, how most manufacturers deal with a platter's inner tracks having a smaller circumference and therefore less space to store data than in the outer tracks.

limiting phrase

a judge will often issue this in a warrant, which allows police to separate innocent info from evidence when commingled evidence is found

NTDETECT.COM

a required boot file for Windows operating systems through XP, responsible for detecting hardware necessary for a successful boot into Windows

public key

a value that can be used to encrypt a message. However, only when combined with a mathematically-related private key, can the message be decrypted.

The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply) a. Making necessary changes in lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives d. None of the above

a, b, c

Hard drive geometry

specifications of hard drives listing the number cylinders, heads and sectors

private key

the complementary key to a public key that is used to decrypt a message.

List three items that should be on an evidence custody form.

1. Case number 2. Investigating organization 3. Investigator's name 4. Nature of the case 5. Location where the evidence was obtained 6. Description of the evidence 7. Vendor's name 8. Model number or serial number 9. Who the evidence was recovered by 10. Date and time evidence was taken into custody 11. Evidence placed in which locker and when it was placed there 12. Item #/Evidence processed by/Disposition of evidence/Data/Time 13. Page #

List three subfunctions of the extraction function.

1. Data viewing 2. Keyword searching 3. Decompressing or uncompressing 4. Carving 5. Decrypting 6. Bookmarking or tagging

List two types of digital investigations typically conducted in a business environment.

1. Employee termination cases 2. Internet abuse investigations 3. E-mail abuse investigations 4. Attorney-Client privilege investigations 5. Industrial espionage investigations

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive

1. EnCase 2. X-Way Forensics

In the Linux dcfldd command, which three options are used for validating data?

1. Hashing via MD5, SHA-1, SHA-256, SHA-384, SHA-512 2. Verifying with the original disk or media data 3. Logging of errors to an output file for analysis and review 4. Referring to a status display indicating acquisition's progress in bytes

What are the three rules for a forensic hash?

1. It can't be predicted. 2. No two files can have the same hash value 3. If the file changes, the hash value changes.

What items should your business plan include?

1. Justification 2. Budget - including facility costs, hardware and software requirements, as well as misc. 3. Approval/Acquisition Methods - w/ risk analysis and the number of investigations you plan on pursuing and their average length 4. Implementation - how to incorporate and install all approved items and a timeline for delivery/installation/and inspection of the facility 5. Acceptance Testing - making sure everything works 6. Correction for Acceptance 7. Production

List three items that should be in an initial-response field kit.

1. Laptop 2. Camera 3. Flash light 4. Digital forensics kit Note - The list given here is not extensive. Ref Loc 5293 for a full list

List two features common with proprietary format acquisition files

1. Option to compress 2. Ability to split images for archival purposes 3. Ability to integrate metadata into the image

Name the three formats for computer forensics data acquisitions.

1. Raw 2. Proprietary 3. AFF (Advanced Forensics Format)

What three items should you research before enlisting in a certification program?

1. Requirements 2. Cost 3. Acceptability in your area of employment

What are the two main concerns when acquiring data from a RAID server?

1. Size 2. Configuration

List two items that should appear on a warning banner.

1. That the connection is restricted to authorized users 2. That the organization has a right to inspect and monitor computer and network usage

To determine the types of operating systems needed in your lab, list two sources of information you could use.

1. The Uniform Crime Report (UCR) 2. A list of crimes in your area or company

When you preform an acquisition at a remote location, what should you consider to prepare for the task?

1. The advanced privileges that are requires to push the agent application to the remote system 2. The antivirus, antispyware, or firewall applications that can be programmed to ignore remote access programs 3. That the suspect could have security tools that trigger an alarm on remote access intrusions

Hashing, filtering, and file header analysis make up which function of computer forensics tools? 1. Validation and verification 2. Acquisition 3. Extraction 4. Reconstruction

1. Validation and verification

List three items that should be in your case report.

1. What you did 2. What you found 3. Answer: Who, What, When, Where, How 4. Know your target reader and write for them 5. Provide an explanation for processes and how systems and their components work

Large digital forensics labs should have at least ______ exits.

2

What is the maximum file size when writing to FAT32 drives?

2 GB

Hash values are used for which of the following purposes? (Choose all that apply.) 1. Determining file size 2. Filtering known good files from potentially suspicious data 3. Reconstructing file fragments 4. Validating that the original data hasn't changed.

2, 4

What is the space on a drive called when a file is deleted? (Choose all that apply.) 1. Disk space 2. Unallocated space 3. Drive space 4. Free space

2, 4

The triad of computing security includes which of the following? 1. Detection, response, and monitoring 2. Vulnerability assessment, detection, and monitoring 3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation 4. vulnerability assessment, intrusion response, and monitoring

3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation

Policies can address rules for which of the following? 1. When you can log on to a company network from home 2. The Internet sites you can or can't access 3. The amount of personal e-mail you can send 4. Any of the above

4. Any of the above

Bit-stream copy

A bit-by-bit copy of the original storage medium. An exact copy of the original disk.

ISO image

A bootable file that can be copied to CD or DVD; typically used for installing operating systems. It can also be read by virtualization software when creating a virtual boot disk

Unicode

A character code that enables most of the languages of the world to be symbolized with a special character identification.

UTF-8

A coding system for storing characters in bits, extending the 8-bit ASCII coding system to include international characters by sometimes using more than 8 bits.

cylinder

A column of tracks on two or more disk platters.

Registry

A database that Windows uses to store hardware and software configuration information, user preferences, and setup information.

verdict

A decision on a disputed issue in a civil or criminal case

NTBOOTDD.SYS

A device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

Bit-stream image

A file containing the bit-stream copy of all data on a disk or partition

multi-evidence form

A form that allows you to list multiple pieces of evidence on a single page

clusters

A grouping of sectors

Write Blocker

A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

hash value

A hexadecimal code based on the contents of a file, folder, or entire drive.

Approved Secure Container

A lccked, fireproof locker or cabinet that has limited access.

Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual websites b. Applications can be run on the virtual machines only if they're resident on the physical machine. c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. d. Virtual machines can run only OSs that are older than the physical machine's OS.

c.

What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? a. The file can no longer be encrypted b. EFS protection is maintained on the file c. The file is unencrypted automatically d. Only the owner of the file can continue to access it

c.

Areal density refers to which of the following? a. Number of bits per disk, b. Number of bits per partition, c. Number of bits per square inch of a disk platter, d. Number of bits per platter

c. Number of bits per square inch of a disk platter

Sniffing

capturing and recording network traffic

Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above

d. All of the above

Which of the following Windows 8 files contains user-specific information? a. User.dat b. Ntuser.dat c. System.dat d. SAM.dat

d. SAM.dat

metadata

data that describes other data

computer-stored records

electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word document

LCNs

logical cluster numbers


Ensembles d'études connexes

Vietnam worksheet section 2 fighting the war describing the war and the difficulties faced by American soldiers

View Set

A_Chapter 13: Social Psyc - PSYC 1105

View Set

Chap 34: Assessment and Management of Patients with Inflammatory Rheumatic Disorders

View Set

Labor and Birth, Care of Women with Complications during Labor and Delivery

View Set

High School Placement Test Vocabulary

View Set

Physical science Chapter 12 study guide

View Set

History Alive Flash Cards- 6th Grade Chapter 25

View Set