Computer Forensics
6-step Casey model
1. identification/assessment 2. collection/acquisition 3. preservation 4. examination 5. analysis 6. reporting
An affidavit
A written report is often submitted as what type of document?
inode
A(n) ________ is the smallest disk allocation unit in a UNIX filesystem.
logical
Acquiring iCloud backups is considered a(n) _________________ method of acquisition.
Phishing
An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Discovery
Anything an investigator writes down as part of examination for a report in a civil litigation case is subject to which action from the opposing attorney?
MAC address
Every network device has a uniquely identifiable address across networks supplied by the manufacturer called a(n) ______________.
Google Apps
Examples of software as a service (SaaS) might be:
Clusters
In Microsoft file structures, sectors are grouped to form ________, which are storage allocation units of one or more sectors.
volume
In a Macintosh file system, a _________ is any storage medium used to store files.
True
In a UNIX or Linux operating system, if a file contains information, it always occupies at least one allocation block.
Software as a service
In which cloud service level are applications delivered via the Internet?
True
Network logs record traffic in and out of a network.
CCFE
One of the most popular certification exams for the computer forensic profession is _________.
capture and analyze network communication
Packet analyzer tools, like Wireshark, tcpdump and snoop, can be used to accomplish which network forensic tasks?
dictionary file
Password cracking utilities generally use a(n) ______________ as a major source of passwords.
carving
Recovering file fragments is called ___________, also known as salvaging outside North America.
Pharming
Reroutes requests for legitimate websites to false websites
True
The CLOUD Act creates a modern legal framework for how law enforcement agencies can access data across borders.
fragments
The TCP/IP protocol breaks up large packets of data into ____________ in order to transmit them more reliably.
registry
The _____ is a database in Windows that stores hardware and software configuration information, network connections, user preferences (including usernames and passwords), and setup information.
encryption
The encoding of data into another form requiring unique information to read is called ________.
recovery certificate
The purpose of the __________ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key.
False
Type 1 hypervisors are usually the ones you find loaded on a suspect machine.
True
Unlike a computer with platter-based storage, images and artifacts deleted by a cell phone user are usually permanently deleted over time.
Devices or software placed on a network to monitor traffic
What are packet analyzers?
An affidavit
What does the investigator in a criminal or public-sector case submit, at the request of the prosecuting attorney, if he or she has enough information to support a search warrant?
Live
What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?
A hypothetical question based on available factual evidence
What type of question should an attorney ask to allow an investigator to offer an opinion?
Ext2
What was the early standard Linux file system?
Layered network defense
Which type of strategy hides the most valuable data at the innermost part of the network?
Snapshots
With cloud systems running in a virtual environment, what can be used to give the investigator valuable information before, during, and after an incident?
bad block inode
________ is where Linux stores information on bad sectors on a hard drive.
Geometry
________ refers to a disk's structure of platters, tracks, and sectors.
Patriot Act
allows interception of voice communications in computer hacking cases
plain view exception
apparent evidence in plain view can be seized without a warrant during a lawful arrest
3 c's of evidence
case, control, and chain of custody
active data
data intentionally remaining on the computer; hidden in plain sight
latent data
data unintentionally remaining on the computer; recoverable by forensic methods
chain of custody
full record of how the evidence was handled and who had access
computer forensics
involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
acquisition
making a copy of a hard drive (two types: physical and logical)
Spoofing
misrepresenting oneself online
5th amendment
prevents self-incrimination and being deprived of life, liberty, or property without due process of the law
4th amendment
protection against search & seizure
14th amendment
reinforces due process of the law
affidavit
sworn statement that explains the basis for the affiant's belief that the search is justified by probable cause
types of evidence
testimony of a witness, physical evidence, & electronic evidence
probable cause
the reasonable belief that a crime has been, is being, or is about to be committed; information written in an affidavit
Forensic Linguistics
where language and law intersect