Mid-Term Exam
What are two advantages and disadvantages of the raw format?
Advantages: fast transfers; most tools can read it; ignores minor data read errors. Disadvantages: requires as much space as the original suspect drive; some tools (mostly freeware) might skip bad sectors.
AFF
Advanced Forensics Format. Open-source acquisitions file format created by Dr. Simson Garfinkel.
ASCII
American Standard Code for Information Interchange
Allegation
An accusation of fact that a crime has been committed
brute force attack
An attack on passwords or encryption that tries every possible password or encryption key.
password dictionary attack
An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file's password or passphrase hash values.
secure facility
An enclosed room with a lock with true floor-to-ceiling walls, no windows, with a secure container, and a visitor's log with legible entries.
Whole Disk Encryption
An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.
wear leveling
An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells
warning banner
Asserts the right to conduct an investigation and notifies the user, often when the computer starts or connects to company intranet.
ACP
Attorney-client privilege
AFIS
Automated Fingerprint Identification System. Scans fingerprints electronically and plots the positions of their ridge characteristics, comparing them with prints in a database.
On a Windows system, sectors typically contain how many bytes? 1. 256 2. 512 3. 1024 4. 2048
B. 512
What are some ways to determine the resources needed for an investigation?
Based on the OS of the computer you're investigating, list the software you plan to use for the investigation, noting other software, tools, or expert assistance you might need.
Why should evidence media be write-protected?
Because it maintains the quality and integrity of the evidence you're trying to preserve.
Why should you critique your case after it's finished?
Because self-evaluation and peer review are essential parts of professional growth. When a case is complete, review it to identify successful decisions and actions and determine how you could have improved your performance.
CCE
Certified Computer Examiner
CCFP
Certified Cyber Forensics Professional
CFCE
Certified Forensic Computer Examiner
tracks
Circles on a magnetic storage device where data is stored or retrieved.
data runs
Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components; the first component defines the size in bytes needed to store the second and third components' content.
Forensics software tools are grouped into ____ and ____ applications.
Command line and GUI
CFTT
Computer Forensics Tool Testing. NIST's established guidelines for testing, evaluating, and validating tools.
CTIN
Computer Technology Investigators Network
Describe what should be videotaped or sketched at a computer crime scene
Computers, cable connections, overview of the scene—anything that might be of interest to the investigation.
low-level investigations
Corporate cases that require less investigative effort than a major criminal case.
CRC
Cyclic Redundancy Check. A mathematical algorithm that determines whether a file's contents have changed. It is not considered to be a forensic hashing algorithm.
What does CHS stand for?
Cylinders, Heads, Sectors
With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above
D. All of them
RAM slack
Data from RAM that is used to fill up the last sector on a disk
Computer-generated records
Data generated by a computer, such as system log files or proxy server logs.
How many sectors are typically in a cluster on a disk drive? 1. 1 2. 2 or more 3. 4 or more 4. 8 or more
It depends on the size of the drive, but 8 or more.
network intrusion detection and incident response
Detects intrusion attacks by using automated tools and monitoring network firewall logs
DEFR
Digital Evidence First Responder
DES
Digital Evidence Specialist
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
Doing so protects your equipment and minimizes how many items you have to keep track of at the scene.
Which forensic tools can connect to a suspect's computer and run surreptitiously?
EnCase, ProDiscover
EFS
Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.
Digital Evidence
Evidence consisting of information stored or transmitted in electronic form.
Exculpatory evidence
Evidence indicating that a defendant did not commit the crime.
Of all of the proprietary formats, which is the unofficial standard?
Expert Witness Compression format
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Data can't be written to the disk with a command-line tool. True or False?
False
FTK Imager can acquire data in a drive's host protected area. True or False?
False
Small companies rarely need investigators. True or False?
False
The plain view doctrine in computer searches is well-established law. True or False?
False
You should always answer questions from onlookers at a crime scene. True or False?
False
A live acquisition can be replicated. True or False?
False, due to volatile memory.
Digital forensics and data recovery refer to the same activities. True or False?
False.
If a visitor to your digital forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?
False. All visitors must sign the log in order to ensure accountability and security.
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
False. Any information discovered before the memo is issued can be used in discovery by the opposition.
A forensic workstation should always have a direct broadband connection to the Internet. True or False?
False. If Internet access is needed, a second, non-forensic workstation should be used to access the Internet.
Evidence storage containers should have several master keys. True or False?
False. In order to maintain security, the fewer keys available, the better.
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False. It's not until the private-sector investigator starts working at the direction of law enforcement that they are considered an agent of law enforcement.
In testing tools, the term "reproducible results" means that if you work in the same lab on the same machine, you generate the same results. True or False?
False. That is "repeatable results".
Digital forensics facilities always have windows. True or False?
False. They do not have windows in order to protect the privacy and integrity of the investigation.
You should always prove the allegations made by the person who hired you. True or False?
False. You must always maintain an unbiased perspective and be objective in your fact-finding.
FAT
File Allocation Table
List three items stored in the FAT database.
File and directory names, starting cluster numbers, file attributes, date and time stamps.
Police in the United States must use procedures that adhere to which of the following? 1. Third Amendment 2. Fourth Amendment 3. First Amendment 4. None of the above
Fourth Amendment
HAZMAT
Hazardous Materials
HPFS
High Performance File System - A file system created specifically for the OS/2 operating system to improve upon the limitations of the FAT file system. Among its improvements are: support for mixed case file names, support for long file names (255 characters), more efficient use of disk space, less fragmentation of data
HTCN
High Tech Crime Network
HPA
Host Protected Area. The area of the drive that's not normally visible to the OS.
Why should you do a standard risk assessment to prepare for an investigation?
Identifying the risks can help mitigate or minimize any foreseeable issues with the investigation.
BootSect.dos
If a machine has multiple booting OSs, NTLDR reads BootSect.dos, which is a hidden file, to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).
attribute id
In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.
Info2 file
In Windows NT through Vista, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and date and time of deletion.
professional conduct
Includes ethics, morals, and standards of behavior
Inculpatory evidence
Incriminating evidence
bootstrap process
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
Initial-response field kit
Device drivers contain what kind of information?
Instructions for the OS on how to interface with hardware devices.
IACIS
International Association of Computer Investigative Specialists
As a private-sector investigator, you can become an agent of law enforcement when which of the following happens? 1. You begin to take orders from a police detective without a warrant or subpoena. 2. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. 3. Your internal investigation begins. 4. None of the above.
1
If a suspect computer is running Windows 10, which of the following can you safely perform? 1. Browsing open applications 2. Disconnecting power 3. Either of the above 4. None of the above
1
Private-sector investigations are typically easier than law enforcement investigations for which of the following reasons? 1. Most companies keep inventory databases of all hardware and software used. 2. The investigator doesn't have to get a warrant. 3. The investigator has to get a warrant. 4. Users can load whatever they want on their machines.
1, 2
Which of the following is true of most drive-imaging tools? (Choose all that apply.) 1. They perform the same function as a backup 2. They ensure that the original drive doesn't become corrupt and damage the digital evidence. 3. They create a copy of the original drive. 4. They must be run from the command line.
1, 2, 3
Which of the following techniques might be used in covert surveillance? 1. Keylogging 2. Data sniffing 3. Network logs 4. None of the above
1, 2, 3
When validating the results of a forensic analysis, you should do which of the following? (Choose all that apply) 1. Calculate the hash value with two different tools. 2. Use a different tool to compare the results of evidence you find. 3. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. 4. Use a command-line tool and then a GUI tool.
1, 2, 3 (?)
The reconstruction function is needed for which of the following purposes? (Choose all that apply.) 1. Re-create a suspect drive to show what happened. 2. Create a copy of a drive for other investigators. 3. Recover file headers. 4. Re-create a drive compromised by malware.
1, 2, 4
If a suspect's computer is found in an area that might have toxic chemicals, you must do which of the following? 1. Coordinate with the HAZMAT team. 2. Determine a way to obtain the suspect's computer. 3. Assume the suspect's computer is contaminated. 4. Do not enter alone.
1, 3
The verification function does which of the following? 1. Proves that a tool performs as intended 2. Creates segmented files 3. Proves that two sets of data are identical via hash values 4. Verifies hex editors
1.
List two popular certification programs for digital forensics.
1. CFCE - Certified Forensic Computer Examiner 2. CCFP - Certified Cyber Forensic Professional
A log report in forensics tools does which of the following? 1. Tracks file types 2. Monitors network intrusion attempts 3. Records an investigator's actions in examining a case 4. Lists known good files
3. Records an investigator's actions in examining a case
The standards for testing forensics tools are based on which criteria? 1. U.S. Title 18 2. ASTD 1975 3. ISO 17025 4. All of the above
3. ISO 17025
According to ISO standard 27037, which of the following is an important factor in data acquisition? (Choose all that apply) 1. The DEFR's competency 2. The DEFR's skills in using the command line 3. Use of validated tools 4. Conditions at the acquisition setting
3. Use validated tools
recovery certificate
A method NTFS uses so that a network administrator can recover encrypted files if the file's user/creator loses the private key encryption code.
head and cylinder skew
A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.
file system
A method used by operating systems to store, retrieve, and organize files.
one-time passphrase
A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.
business case
A plan you can use to sell your services to management or clients
Initial-response field kit
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
extensive-response field kit
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
Evidence custody form
A printed form indicating who has signed out and been in physical possession of evidence.
configuration management
A process of recording all the updates made to your workstation
Sector
A section on a track, usually made up of 512 bytes
device drivers
A software program that provides the instructions your computer needs to communicate with a device
Forensic Workstation
A specially configured PC loaded with additional bays and forensics software
Boot.ini
A startup file for Windows XP that specifies the installation path and contains options for selecting the Windows version.
Affidavit
A sworn statement in support of facts about or evidence of a crime
nonkeyed hash set
A unique hash number generated by a software tool and used to identify files.
keyed hash set
A value created by an encryption utility's secret key.
What's a hashing algorithm?
A way of creating a binary or hexadecimal number that represents the uniqueness of the drive or data set; its "digital fingerprint"
Validation
A way to confirm that a tool is functioning as intended.
innocent information
- Unrelated information - Often included with the evidence you're trying to recover
Clusters in Windows always begin numbering at what number?
0 in NTFS. 2 in FAT.
hostile work environment
A work environment that can result in an employee's civil lawsuit against the company that does nothing to prevent or respond to it.
Which organization has guidelines on how to operate a digital forensics lab?
ANAB (ANSI-ASQ National Accreditation Board)
ANAB
ANSI-ASQ National Accreditation Board
EFS can encrypt which of the following? a. Files, folders, and volumes b. Certificates and private keys c. The global registry d. Network servers
a.
probable cause
The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
In FAT32, a 123 KB file uses how many sectors?
It depends on how the OS determined the cluster size.
What's a virtual cluster number?
It represents the assigned clusters of files that are nonresident in the MFT. If a file has become fragmented, it can have two or more VCNs. The first VCN for a nonresident file is listed as 0.
Why was EFI boot firmware developed?
It was designed to provide better protection against malware than BIOS does.
Why is it good practice to make two images of a suspect drive in a critical investigation?
It's helpful in making sure that data has been copied correctly. It also protects against loss and minimizes the risk of failure in the investigation.
search warrants
Legal documents that authorize a police officer or other officials to enter and search a premise
single-evidence form
Lists each piece of evidence on a separate page
Keyword search
Looks for words anywhere in the data.
Digital Investigations
Manages investigations and conducts forensics analysis of systems suspected of containing evidence. Fall into two categories: 1. Public sector 2. Private sector
MBR
Master Boot Record. An area on a hard disk in its first sector. When the BIOS boots a system, it looks at the MBR for instructions and information on how to boot the disk and load the operating system. Some malware tries to hide here.
MFT
Master File Table
What does MFT stand for?
Master File Table
MD5
Message Digest 5. A hashing function used to provide integrity.
Which organization provides good information on safe storage containers?
NISPOM (National Industrial Security Program Operating Manual) - Chapter 5, Section 3
NIST
National Institute of Standards and Technology
NSRL
National Software Reference Library. A compiled list of known file hashes for a variety of OSs, applications, and images. Currently adding hash values for iOS and Android applications.
NTFS
New Technology File System
In Linux, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
No! if is "input file". This command is the reverse of what it should be.
Evidence bags
Nonstatic bags used to transport removable media, hard drives, and other computer components.
Static Acquisitions
Normally done on a system or drive that has been seized, often with a write-blocking device to prevent writing to the suspect disk.
areal density
Number of bits per square inch of a disk platter
covert surveillance
Observing people or places without being detected, often using electronic equipment, such as video cameras or keystroke/screen capture programs.
In Windows 7 and later, how much data from RAM is loaded into RAM slack on a disk drive?
On newer OSs, none.
Virtual Machine
One or more logical machines created within one physical machine.
unallocated disk space
Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.
PII
Personally Identifiable Information. Information about individuals that can be used to trace a person's identity, such as a full name, birthdate, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.
Live Acquisition
Powered-on device, logged on by the user
What's the main goal of static acquisition?
Preservation of digital evidence
What is professional conduct, and why is it important?
Professional conduct is the ethics, morals, and standards by which you conduct yourself and your business. It is important because it determines your credibility.
Fourth Amendment
Protection from unlawful search and seizure.
Verification
Proves that two sets of data are identical by calculating hash values or using another similar method.
RAID
Redundant Array of Independent Disks. A computer configuration of two or more disks, originally developed as a data-redundancy measure. RAID 0, 1, 2, 3, 5, 10, 15
Typically, a(n) ______ lab has a separate storage area or room for evidence
Regional
repeatable findings
Repeat the steps and produce the same result
ReFS
Resilient File System
Chain of custody
Route the evidence takes from the time you find it until the case is closed or goes to court.
List two hashing algorithms commonly used for forensic purposes.
SHA-1 (and its variants), MD5
SWGDE
Scientific Working Group on Digital Evidence
Physical address
Sector numbers that reside at the hardware or firmware level and go from address 0 to last on disk.
Commingling evidence means what in a private-sector setting?
Sensitive business information is mixed with the data that is collected as evidence.
Sparse Acquisition
Similar to logical acquisition in that it gathers files and file types, but also gathers fragments of deleted data
Raw forensic file format
Simple, sequential flat files of a suspected drive or data set, readable by almost all forensic acquisition tools
Authorized requester
Someone who has the power to initiate investigations
person of interest
Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
What does a logical acquisition collect for an investigation?
Specific files or file types
What does a sparse acquisition collect for an investigation?
Specific files or file types, as well as fragments from unallocated areas
line of authority
States who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
Partition Boot Sector
Stores info important to its partition, such as the location of OS boot files.
What term refers to labs constructed to shield EMR (electromagnetic radiation) emissions?
TEMPEST
Exhibits
Tangible material that either supports or refutes the allegation
vulnerability/threat assessment and risk management
Tests and verifies the integrity of stand-alone workstations and network servers
What do you call a list of people who have had physical possession of the evidence?
The Chain of Custody
search and seizure
The Fourth Amendment gives protection against unlawful search and seizure
Hal.dll
The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.
Ntoskrnl.exe
The Windows OS kernel.
Pagefile.sys
The Windows swap file that is used to hold the virtual memory that is used to enhance physical memory installed in a system.
Reconstruction
The ability to recreate a suspect drive to show what happened during a crime or an incident.
Logical Acquisition
The acquisition of specific files or file types
What should you consider when determining which data acquisition method to use?
The circumstance of the investigation. Namely, the scope and length of possession.
Data recovery
The customer or company just wants the data back; they don't care about legal matters.
With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
The device is automatically mounted and accessed. This likely alters the metadata.
head
The device that reads and writes data to a drive.
Acquisition
The first task in digital forensics investigations; making a copy of the original drive.
SHA-1
The first version of Secure Hash Algorithm, developed by NIST and slowly replacing CRC and MD5.
risk management
The forecasting and evaluation of risks, together with the identification of procedures to avoid or minimize their impact.
Plain View Doctrine
The legal principle that objects in plain view of a law enforcement agent who has the right to be in a position to have that view may be seized without a warrant and introduced as evidence.
digital forensics lab
The locations where you conduct investigations, store evidence, and do most of your work.
professional curiosity
The presence of police officers and other professionals who are not part of the crime scene-processing team. Their presence can contaminate the scene, either directly or indirectly.
Digital Forensics
The process of systematically accumulating and analyzing digital information for use as evidence in a civil, criminal, or administrative case
interrogation
The process of trying to get a suspect to confess
Extraction
The recovery task in a digital investigation and the most challenging of all tasks to master.
TEMPEST
The required shielding of sensitive computing systems and the prevention of electronic eavesdropping of computer emissions
industrial espionage
The selling of sensitive or confidential company information to a competitor.
track density
The space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.
What are the necessary components of a search warrant?
The suspect's computer and its components. 1. It must be filed in good faith by a law enforcement officer 2. It must be based on reliable information showing probable cause to search 3. It must be issued by a neutral and detached magistrate 4. It must state specifically the place to be searched and the items to be seized
file slack
The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
white-collar crimes
These crimes are characterized by deceit, concealment, or violation of trust and are not dependent on the application or threat of physical force or violence. The motivation behind these crimes is financial—to obtain or avoid losing money, property, or services or to secure a personal or business advantage.
Why is physical security so critical for digital forensics labs?
To maintain chain of custody and prevent data from being lost, corrupted, or stolen
What's the purpose of maintaining a network of digital forensics specialists?
To supplement your knowledge and be able to get referrals and information when needed
What's the purpose of an affidavit?
To support facts about or evidence of a crime, in order to secure a warrant for seizure
An encrypted drive is one reason to choose a logical acquisition. True or False?
True
An image of a suspect drive can be loaded on a virtual machine. True or False?
True
Computer peripherals or attachments can contain DNA evidence. True or False?
True
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
Hardware acquisition tools typically have built-in software for data analysis. True or False?
True
If a company doesn't distribute a computing use policy stating an employer's rights to inspect employee's computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?
True
If you discover a criminal act while investigating a company policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
True
In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?
True
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a private-sector investigator can conduct covert surveillance on an employee with little cause. True or False?
True
The primary hashing algorithm the NSRL project uses is SHA-1. True or False?
True
Zone bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
True
The ANAB mandates the procedures established for a digital forensics lab. True or False?
True (?)
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True.
An employer can be held liable for e-mail harassment. True or False?
True. An employer is responsible for preventing and investigating harassment of employees and nonemployees associated with the workplace.
List two features NTFS has that FAT does not.
Unicode characters, security, journaling.
UCR
Uniform Crime Report
Partition gap
Unused space between partitions
drive slack
Unused space in a cluster between the end of an active file and the end of the cluster
What does the Ntuser.dat file contain?
User-protected storage area; contains the list of the most recently used files and desktop configuration settings
interview
Usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
What's the most critical aspect of digital evidence?
Validating
VCN
Virtual Cluster Number
VHD
Virtual Hard Disk
Alternate Data Streams
Ways in which data can be appended to a file (intentionally or not) and potentially obscure evidentiary data. In NTFS, these become an additional file attribute.
logical addresses
When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.
Partition
When referring to a computer hard drive, a disk partition or partition is a section of the hard drive that is separated from other segments. Partitions help enable users to divide a computer hard drive into different drives or different portions for a number of reasons.
In forensic hashes, when does a collision occur?
When the hash value is equivalent to another hash value generated from a different data set. These collisions are rare and have really only been detected on supercomputers.
Ntldr (NT Loader)
Windows NT/2000/XP boot file. Launched by the MBR or MFT, ntldr looks at the boot.ini configuration file for any installed operating systems.
What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?
You can remove and reconnect drives without having to restart the workstation.
ZBR
Zone bit recording, how most manufacturers deal with a platter's inner tracks having a smaller circumference and therefore less space to store data than in the outer tracks.
limiting phrase
A judge will often issue this in a warrant, which allows police to separate innocent information from evidence when commingled evidence is found
NTDETECT.COM
A required boot file for Windows operating systems through XP, responsible for detecting hardware necessary for a successful boot into Windows
public key
A value that can be used to encrypt a message. However, only when combined with a mathematically related private key can the message be decrypted.
The manager of a digital forensics lab is responsible for which of the following? (Choose all that apply) a. Making necessary changes in lab procedures and software b. Ensuring that staff members have enough training to do the job c. Knowing the lab objectives d. None of the above
a, b, c
Hard drive geometry
Specifications of hard drives listing the number of cylinders, heads, and sectors
private key
The complementary key to a public key that is used to decrypt a message.
List three items that should be on an evidence custody form.
1. Case number 2. Investigating organization 3. Investigator's name 4. Nature of the case 5. Location where the evidence was obtained 6. Description of the evidence 7. Vendor's name 8. Model number or serial number 9. Who the evidence was recovered by 10. Date and time evidence was taken into custody 11. Evidence placed in which locker and when it was placed there 12. Item #/Evidence processed by/Disposition of evidence/Data/Time 13. Page #
List three subfunctions of the extraction function.
1. Data viewing 2. Keyword searching 3. Decompressing or uncompressing 4. Carving 5. Decrypting 6. Bookmarking or tagging
List two types of digital investigations typically conducted in a business environment.
1. Employee termination cases 2. Internet abuse investigations 3. E-mail abuse investigations 4. Attorney-Client privilege investigations 5. Industrial espionage investigations
Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive
1. EnCase 2. X-Ways Forensics
In the Linux dcfldd command, which three options are used for validating data?
1. Hashing via MD5, SHA-1, SHA-256, SHA-384, SHA-512 2. Verifying with the original disk or media data 3. Logging of errors to an output file for analysis and review 4. Referring to a status display indicating acquisition's progress in bytes
What are the three rules for a forensic hash?
1. It can't be predicted (there is no way to know the value without computing it over the data). 2. No two different files should produce the same hash value; finding two that do (a collision) must be computationally infeasible. 3. If the file changes, even by one bit, the hash value changes.
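The dcfldd validation options above and these three rules both come down to the same workflow: hash the source as it is read, hash the image after it is written, and compare. The following is an added example, not from the textbook or dcfldd itself; it copies a constructed four-sector "suspect drive" sector by sector, verifies the image the way dcfldd's hash= and vf= options do, and then shows that flipping one bit in a copy changes the hash completely.

```python
"""Hash-based validation of a bit-stream acquisition (added example, not from the textbook).

The "suspect drive" is a constructed 2048-byte file (four 512-byte sectors); the algorithm
(SHA-256) and chunk sizes are my choices.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path, image_path, algorithm="sha256"):
    """Copy source -> image sector by sector, hashing the source as it is read.

    Returns the source hash (computed during the read), the hash of the written
    image (an independent re-read of the output) and whether the two agree.
    """
    src_hash = hashlib.new(algorithm)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR_SIZE), b""):
            src_hash.update(sector)
            dst.write(sector)
            copied += len(sector)
    image_digest = hash_file(image_path, algorithm)
    return {
        "bytes": copied,
        "source": src_hash.hexdigest(),
        "image": image_digest,
        "verified": src_hash.hexdigest() == image_digest,
    }


def demo():
    """Acquire a constructed drive, verify it, then show that one flipped bit breaks the match."""
    drive = bytes(range(256)) * 8  # constructed: 2048 bytes = four 512-byte sectors
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect.bin")
        image = os.path.join(tmp, "suspect.dd")
        with open(source, "wb") as f:
            f.write(drive)
        result = acquire(source, image)

        # Corrupt a single bit in a copy of the image (as a bad sector or a stray
        # write would) and re-hash: rule 3 says the value must change.
        tampered = bytearray(drive)
        tampered[1000] ^= 0x01
        tampered_path = os.path.join(tmp, "tampered.dd")
        with open(tampered_path, "wb") as f:
            f.write(tampered)
        result["tampered"] = hash_file(tampered_path)
        result["tamper_detected"] = result["tampered"] != result["image"]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record both digests on the evidence custody form; the verification step is only meaningful if the image hash is recomputed from the written file rather than copied from the value computed during the read.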
What items should your business plan include?
1. Justification 2. Budget - including facility costs, hardware and software requirements, as well as misc. 3. Approval/Acquisition Methods - w/ risk analysis and the number of investigations you plan on pursuing and their average length 4. Implementation - how to incorporate and install all approved items and a timeline for delivery/installation/and inspection of the facility 5. Acceptance Testing - making sure everything works 6. Correction for Acceptance 7. Production
List three items that should be in an initial-response field kit.
1. Laptop 2. Camera 3. Flashlight 4. Digital forensics kit Note - The list given here is not extensive. Ref Loc 5293 for a full list
List two features common with proprietary format acquisition files
1. Option to compress 2. Ability to split images for archival purposes 3. Ability to integrate metadata into the image
Name the three formats for computer forensics data acquisitions.
1. Raw 2. Proprietary 3. AFF (Advanced Forensics Format)
What three items should you research before enlisting in a certification program?
1. Requirements 2. Cost 3. Acceptability in your area of employment
What are the two main concerns when acquiring data from a RAID server?
1. Size 2. Configuration
List two items that should appear on a warning banner.
1. That the connection is restricted to authorized users 2. That the organization has a right to inspect and monitor computer and network usage
To determine the types of operating systems needed in your lab, list two sources of information you could use.
1. The Uniform Crime Report (UCR) 2. A list of crimes in your area or company
When you preform an acquisition at a remote location, what should you consider to prepare for the task?
1. The advanced privileges that are required to push the agent application to the remote system 2. The antivirus, antispyware, or firewall applications that must be configured to ignore the remote access program 3. That the suspect could have security tools that trigger an alarm on remote access intrusions
Hashing, filtering, and file header analysis make up which function of computer forensics tools? 1. Validation and verification 2. Acquisition 3. Extraction 4. Reconstruction
1. Validation and verification
List three items that should be in your case report.
1. What you did 2. What you found 3. Answer: Who, What, When, Where, How 4. Know your target reader and write for them 5. Provide an explanation for processes and how systems and their components work
Large digital forensics labs should have at least ______ exits.
2
What is the maximum file size when writing to FAT32 drives?
4 GB (precisely 4,294,967,295 bytes, one byte under 4 GiB), because FAT32 stores file sizes in a 32-bit field. Acquisition tools writing to FAT32 are therefore commonly set to split the image into segments of 2 GB or less.
Hash values are used for which of the following purposes? (Choose all that apply.) 1. Determining file size 2. Filtering known good files from potentially suspicious data 3. Reconstructing file fragments 4. Validating that the original data hasn't changed.
2, 4
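Purpose 2 above (filtering known good files) is worth seeing in code, because it also shows why hash matching ignores file names and why a one-byte difference defeats it. This is an added example, not from the textbook; the evidence files and the "known good" and "known bad" hash sets are all constructed here, standing in for a hash library such as an OS/application reference set.

```python
"""Filtering evidence against known-hash sets (added example, not from the textbook).

Files, the known-good set and the known-bad set are constructed so the example runs offline.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed evidence: path -> contents.
EVIDENCE = {
    "Windows/notepad.exe": b"stock notepad binary",
    "Users/jdoe/Downloads/np.exe": b"stock notepad binary",        # same content, renamed
    "Users/jdoe/Downloads/invoice.pdf.exe": b"dropper stage one",
    "Users/jdoe/Documents/notes.txt": b"meet at 9, bring the drive",
    "Windows/calc.exe": b"stock calc binary" + b"\x00",              # one byte off the known file
}

# Constructed reference sets (a real one would be loaded from a hash library).
KNOWN_GOOD = {sha256_hex(b"stock notepad binary"), sha256_hex(b"stock calc binary")}
KNOWN_BAD = {sha256_hex(b"dropper stage one")}


def triage(files, known_good, known_bad):
    """Bucket files by content hash.

    known bad -> alert, known good -> filtered out, anything else -> analyst review.
    Matching is purely on content, so a renamed copy of a known file is still
    filtered and a modified copy of a known file is not.
    """
    buckets = {"filtered": [], "alert": [], "review": []}
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in known_bad:     # check bad first: a hash in both sets is a list error, not safe
            buckets["alert"].append(name)
        elif digest in known_good:
            buckets["filtered"].append(name)
        else:
            buckets["review"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(EVIDENCE, KNOWN_GOOD, KNOWN_BAD).items():
        print(bucket, names)
```

Note that the patched calc.exe lands in the review bucket rather than being filtered: that is the desirable outcome, since a trojanized system binary is exactly what a known-good filter must not hide.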
What is the space on a drive called when a file is deleted? (Choose all that apply.) 1. Disk space 2. Unallocated space 3. Drive space 4. Free space
2, 4
The triad of computing security includes which of the following? 1. Detection, response, and monitoring 2. Vulnerability assessment, detection, and monitoring 3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation 4. vulnerability assessment, intrusion response, and monitoring
3. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
Policies can address rules for which of the following? 1. When you can log on to a company network from home 2. The Internet sites you can or can't access 3. The amount of personal e-mail you can send 4. Any of the above
4. Any of the above
Bit-stream copy
A bit-by-bit copy of the original storage medium. An exact copy of the original disk.
ISO image
A file containing the complete contents of an optical disc (CD or DVD) that can be burned to a disc; often bootable and typically used for installing operating systems. Virtualization software can also attach it directly as a virtual optical drive or boot disk.
Unicode
A character set that assigns a unique code point to the characters of most of the world's writing systems, so that they can all be represented in one scheme.
UTF-8
A variable-length encoding of Unicode code points: ASCII characters keep their single-byte codes, and other characters use two to four bytes each.
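The one-to-four-byte scheme in the UTF-8 definition is short enough to write out, and doing so shows a detail that matters when keyword-searching or filtering evidence: a lax decoder can be tricked with "overlong" encodings (for example C0 AF, a two-byte spelling of "/") that a strict decoder must reject. The code below is an added example, not from the textbook; the sample code points are my choices, and the encoder is checked against Python's own codec.

```python
"""Hand-rolled UTF-8 encoder and strict decoder (added example, not from the textbook)."""


def utf8_encode(cp):
    """Encode one Unicode code point as UTF-8 bytes."""
    if cp < 0:
        raise ValueError("negative code point")
    if cp < 0x80:                                   # 1 byte: plain ASCII, unchanged
        return bytes([cp])
    if cp < 0x800:                                  # 2 bytes: 110xxxxx 10xxxxxx
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:                                # 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx
        if 0xD800 <= cp <= 0xDFFF:
            raise ValueError("surrogate code points are not encodable")
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    if cp <= 0x10FFFF:                              # 4 bytes: 11110xxx + three continuation bytes
        return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                      0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    raise ValueError("code point above U+10FFFF")


def utf8_decode(data):
    """Strict decoder: rejects bad lead/continuation bytes, truncation, overlongs and surrogates."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            cp, need, minimum = b0, 0, 0
        elif 0xC0 <= b0 <= 0xDF:
            cp, need, minimum = b0 & 0x1F, 1, 0x80
        elif 0xE0 <= b0 <= 0xEF:
            cp, need, minimum = b0 & 0x0F, 2, 0x800
        elif 0xF0 <= b0 <= 0xF7:
            cp, need, minimum = b0 & 0x07, 3, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b0:02X} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02X} at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        # 'minimum' is the smallest code point that legitimately needs this many bytes;
        # anything below it is an overlong form and must be rejected, not normalised.
        if cp < minimum:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def decode_error(data):
    """Return the decoder's complaint for data, or None if it decodes cleanly."""
    try:
        utf8_decode(data)
    except ValueError as exc:
        return str(exc)
    return None


def matches_stdlib(code_points):
    """True if utf8_encode agrees with Python's codec for every code point given."""
    return all(utf8_encode(cp) == chr(cp).encode("utf-8") for cp in code_points)


if __name__ == "__main__":
    for cp in (0x41, 0xE9, 0x20AC, 0x1F600):
        print(f"U+{cp:04X} -> {utf8_encode(cp).hex(' ')}")
    print("C0 AF ->", decode_error(b"\xc0\xaf"))
```

A keyword search that decodes evidence leniently would turn C0 AF into "/" and miss nothing, but a filter that rejects "/" before decoding would be bypassed by the same bytes; strict decoding at the boundary avoids both problems.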
cylinder
A column of tracks on two or more disk platters.
Registry
A database that Windows uses to store hardware and software configuration information, user preferences, and setup information.
verdict
A decision on a disputed issue in a civil or criminal case
NTBOOTDD.SYS
A device driver that allows the OS to communicate with SCSI or ATA drives that aren't accessible through the BIOS.
Bit-stream image
A file containing the bit-stream copy of all data on a disk or partition
multi-evidence form
A form that allows you to list multiple pieces of evidence on a single page
clusters
A group of consecutive sectors that the file system allocates to a file as one unit; the smallest unit of allocation on a volume.
Write Blocker
A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.
hash value
A fixed-length value, usually displayed in hexadecimal, computed from the contents of a file, folder, or entire drive.
Approved Secure Container
A locked, fireproof locker or cabinet with limited access.
Virtual machines have which of the following limitations when running on a host computer? a. Internet connectivity is restricted to virtual websites b. Applications can be run on the virtual machines only if they're resident on the physical machine. c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices. d. Virtual machines can run only OSs that are older than the physical machine's OS.
c.
What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder? a. The file can no longer be encrypted b. EFS protection is maintained on the file c. The file is unencrypted automatically d. Only the owner of the file can continue to access it
c.
Areal density refers to which of the following? a. Number of bits per disk, b. Number of bits per partition, c. Number of bits per square inch of a disk platter, d. Number of bits per platter
c. Number of bits per square inch of a disk platter
Sniffing
capturing and recording network traffic
Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above
d. All of the above
Which of the following Windows 8 files contains user-specific information? a. User.dat b. Ntuser.dat c. System.dat d. SAM.dat
b. Ntuser.dat
metadata
data that describes other data
computer-stored records
electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word-processing document
LCNs
logical cluster numbers
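The geometry terms scattered through these cards (hard drive geometry, 512-byte sectors, cylinders, clusters, LCNs) are all used for the same practical job: turning an address from a file system structure into a byte offset you can seek to in an image. The following is an added example, not from the textbook; the 1024/16/63 geometry, the partition starting at LBA 2048 and the 8-sector cluster are constructed values chosen to be typical.

```python
"""Drive-geometry arithmetic for locating data on disk (added example, not from the textbook).

Sample geometry, partition offset and cluster size are constructed values.
"""

SECTOR_SIZE = 512  # bytes; the usual sector size on Windows drives


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """Convert a CHS address to a logical block address.

    In CHS, sectors are numbered from 1 while heads and cylinders start at 0.
    """
    if not 1 <= sector <= sectors_per_track or not 0 <= head < heads_per_cylinder:
        raise ValueError("CHS address outside the stated geometry")
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba, heads_per_cylinder, sectors_per_track):
    """Inverse of chs_to_lba."""
    sectors_per_cylinder = heads_per_cylinder * sectors_per_track
    cylinder, rem = divmod(lba, sectors_per_cylinder)
    head, sector0 = divmod(rem, sectors_per_track)
    return cylinder, head, sector0 + 1


def chs_capacity_bytes(cylinders, heads, sectors_per_track, sector_size=SECTOR_SIZE):
    """Capacity implied by a CHS geometry (the figure a drive label or BIOS reports)."""
    return cylinders * heads * sectors_per_track * sector_size


def lcn_to_byte_offset(lcn, partition_start_lba, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Absolute byte offset on the physical drive of cluster `lcn` inside a partition.

    LCNs count from the start of the partition, so the partition's own starting LBA
    must be added before multiplying out to bytes; forgetting it is a classic way to
    carve the wrong data from a full-disk image.
    """
    return (partition_start_lba + lcn * sectors_per_cluster) * sector_size


def byte_offset_to_lcn(offset, partition_start_lba, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Reverse lookup: which cluster (and how far into it) a hex-editor offset falls."""
    partition_offset = offset - partition_start_lba * sector_size
    if partition_offset < 0:
        raise ValueError("offset lies before the partition")
    cluster_size = sectors_per_cluster * sector_size
    return divmod(partition_offset, cluster_size)


if __name__ == "__main__":
    # Constructed legacy geometry: 1024 cylinders, 16 heads, 63 sectors per track.
    print("capacity:", chs_capacity_bytes(1024, 16, 63), "bytes")
    print("CHS (0,1,1) -> LBA", chs_to_lba(0, 1, 1, 16, 63))
    # Constructed NTFS volume: starts at LBA 2048, 8 sectors (4 KiB) per cluster.
    print("LCN 5 -> byte offset", lcn_to_byte_offset(5, 2048, 8))
    print("offset 1069156 -> (LCN, bytes into cluster)", byte_offset_to_lcn(1069156, 2048, 8))
```

Because of zone bit recording, the sectors-per-track figure in a CHS geometry is a fiction the drive presents for compatibility; modern drives are addressed by LBA, and the CHS functions are mostly useful for reading older partition tables and boot sectors.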