C840 Cyber Forensic (Test Question v2)
Advanced Forensic File System (AFF); three variants: AFF, AFM, AFD
AFF is an open file standard with three variations. One variation stores all data and metadata in a single file; another stores the data and the metadata in separate files. This file format is part of the ____ library and tools, which is a set of open-source computer forensics programs. The Sleuth Kit and Autopsy both support this file format.
Carrier
Signal, stream, or file in which the payload is hidden
priv.stm
Streaming Data
Legal process required to obtain Basic Subscriber Information
Subpoena, court order, or search warrant
Legal process required to obtain Content Information
Search warrant
Augment RAM
Purpose of swap file
Information Contained in an email header
From/Date/Message-ID/In-Reply-To/To/Subject/Cc/Bcc/Content-Type/Precedence/Received/References/Reply-To/Sender
.db
GroupWise
Userxxx.db
GroupWise User Databases
Wphost.db
GroupWise User Databases
Real-time access
Obtain a wiretap order
.OST
Offline Outlook Storage
.PST
Outlook Email File Type
.mbx or .dbx
Outlook Express
Pwnage
This utility allows you to unlock a locked iPod Touch
Wolf
This utility is a full-featured iPhone forensic tool
Types of Legal Spyware Software
1. MySpy 2. WebWatcher 3. ICU 4. WorkTime
4 States of Mobile Devices
1. Nascent 2. Quiescent 3. Active 4. Semi-Active
Forensic Toolkit (FTK) and EnCase
Both check for steganography, and FTK has an entire image detection engine devoted to this task.
.emi
Common to several e-mail clients
ESN
Electronic Serial Number. Numbers used to uniquely identify mobile devices.
.mbx
Eudora Email File Type
Priv.edb
Exchange Private Folders
Pub.edb
Exchange Public Folders
.edb
Exchange Server
Snow
Hides images in white space
Index.dat File
Index.dat is a file used by Microsoft Internet Explorer to store Web addresses, search queries, and recently opened files.
/etc Directory
Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system's configuration. Sometimes this is done in order to facilitate the criminal's return to the system later.
USA Patriot Act
Law that led to the creation of the Electronic Crimes Task Force and Regional Laboratories
Linux Email Server
Logs: /var/log/mail.*
.nsf
Lotus Notes
Legal process required to obtain Transactional Information
Requires court order or search warrant
Forwarded Events Log
The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.
System Log
The System log contains events logged by Windows system components. This includes events like driver failures. This particular log is not as interesting from a forensic perspective as the other logs are.
Quiescent
The quiescent state is a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.
Semi-Active
The semi-active state is a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.
RFC 2282
The standard for e-mail format, including headers
/Users Directory
This directory contains all the user accounts and associated files. This is clearly critical to your investigation of a Macintosh machine.
/Volumes Directory
This directory contains information about mounted devices. You will find data here regarding hard disks, external disks, CDs, digital video discs (DVDs), and even virtual machines. This is a very important directory in your forensic examination.
/Network Directory
This directory contains information about servers, network libraries, and network properties.
/Applications Directory
This directory is where all applications are stored. Particularly in cases of malware, this is a critical directory to check.
Data Doctor
This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist File
This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.
Security Log
This is probably the most important log from a forensic point of view. It has both successful and unsuccessful logon events.
Application Log
This log contains various events logged by applications or programs. Many applications record their errors here in the Application log.
Applications and Services logs
This log is used to store events from a single application or component rather than events that might have system-wide impact.
Channel
This may be a passive channel, such as photos, video, or sound files, or even an active channel such as a voice over IP (VoIP) voice call or a streaming video connection.
POP3/IMAP
Used to retrieve emails (Port 25/Port 143)
SMTP
Used to send emails (port 25)
Payload
What you want to hide; e.g., safe combinations would be the payload
Stealth Files 4
Works with sound files, video files, and image files