ctc328 chapter solutions 8-11
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
True
Internet e-mail accessed with a Web browser leaves files in temporary folders. True or False?
True
When viewing a file header, you need to include hexadecimal information to view the image. True or False?
True
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
Internal corporate investigation because corporate investigators typically have ready access to company records
Tcpslice can be used to retrieve specific timeframes of packet captures. True or False?
True
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations. True or False?
True
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
Which of the following is a clue that a virtual machine has been installed on a host system?
Virtual network adapter
In VirtualBox, a(n) ____________________ file contains settings for virtual hard drives.
.vbox
Which of the following file extensions are associated with VMware virtual machines?
.vmx, .log, and .nvram
Graphics files stored on a computer can't be recovered after they are deleted. True or False?
False
A JPEG file uses which type of compression?
Lossy
After you shift a file's bits, the hash value remains the same. True or False?
False
Steganography is used for which of the following purposes?
Hiding data
A forensic image of a VM includes all snapshots. True or False?
False
What methods do steganography programs use to hide data in graphics files? (Choose all that apply.)
Insertion Substitution
Virtual Machine Extensions (VMX) are part of which of the following?
Intel Virtualized Technology
In steganalysis, cover-media is which of the following?
The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
A layered network defense strategy puts the most valuable data where?
In the innermost layer
Packet analyzers examine what layers of the OSI model?
Layers 2 and 3
To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply.)
A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net Any Web search engine
12. The National Software Reference Library provides what type of resource for digital forensics examiners?
A list of MD5 and SHA1 hash values for all known OSs and applications
When do zero day attacks occur? (Choose all that apply.)
Before a patch is available Before the vendor is aware of the vulnerability
What information is not in an e-mail header? (Choose all that apply.)
Blind copy (bcc) addresses Contents of the message
When you access your e-mail, what type of computer architecture are you using?
Client/server
The process of converting raw images to another format is called which of the following?
Demosaicing
You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply.)
Desktop Smartphone Tablet
When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator? (Choose all that apply.)
E-mail header Firewall log
6. Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply.)
Expert Witness SMART AFF
A JPEG file is an example of a vector graphic. True or False?
False
Copyright laws don't apply to Web sites. True or False?
False
Only one file format can compress graphics files. True or False?
False
Password recovery is included in all forensics tools. True or False?
False
When investigating graphics files, you should convert them into one standard format. True or False?
False
You can view e-mail headers in Notepad with all popular e-mail clients. True or False?
False
Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
Files associated with an application System files the OS uses
The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)
Filter known program files from view. Compare hash values of known files to evidence files.
Which Registry key contains associations for file extensions?
HKEY_CLASSES_ROOT
What methods are used for digital watermarking?
Invisible modification of the LSBs in the file Layering visible symbols on top of the image
Bitmap (.bmp) files use which of the following types of compression?
Lossless
Phishing does which of the following?
Lures users with false promises
Which of the following is a current formatting standard for e-mail?
MIME
The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following?
Microsoft Exchange Server
In JPEG files, what's the starting offset position for the JFIF label
Offset 6
What's the main piece of information you look for in an e-mail message you're investigating?
Originating e-mail domain or IP address
What are the three modes of protection in the DiD strategy?
People, technology, operations
Block-wise hashing has which of the following benefits for forensics examiners?
Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of __________ and ______________.
RAM, storage
Rainbow tables serve what purpose for digital forensics examinations?
Rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords.
When you carve a graphics file, recovering the image depends on which of the following skills?
Recognizing the pattern of the file header content
When confronted with an e-mail server that no longer contains a log with the date information you require for your investigation, and the client has deleted the e-mail, what should you do?
Restore the e-mail server from a backup
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
Salting can make password recovery extremely difficult and time consuming.
Digital pictures use data compression to accomplish which of the following goals? (Choose all that apply.)
Save space on a hard drive. Produce a file that can be e-mailed or posted on the Internet.
___________________ happens when an investigation goes beyond the bounds of its original description
Scope creep
Sendmail uses which file for instructions on processing an e-mail message?
Sendmail.cf
E-mail headers contain which of the following information? (Choose all that apply.)
The sender and receiver e-mail addresses An ESMTP number or reference number The e-mail servers the message traveled through to reach its destination
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
There's a hidden partition.
Which of the following is true about JPEG and TIF files?
They have different values for the first 2 bytes of their file headers
Router logs can be use for validating what types of e-mail data?
Tracking flows through e-mail server ports
All e-mail headers contain the same types of information. True or False?
True
Explain how to identify an unknown graphics file format that your digital forensics tool doesn't recognize.
You need to examine a copy of the unknown file with a hexadecimal editor to find the hex code for the first several bytes of the file. Then you need to examine other known file types with similar or identical header values to see whether you can confirm its file type.
Some clues left on a drive that might indicate steganography include which of the following? (Choose all that apply.)
a. Multiple copies of a graphics file b. Graphics files with the same name but different file sizes c. Steganography programs in the suspect's All Programs list
To find network adapters, you use the ________ command in Windows and the _______________ command in Linux.
ipconfig, ifconfig
Commercial encryption programs often rely on _____________________ technology to recover files if a password or passphrase is lost.
key escrow
Which of the following types of files can provide useful information when you're examining an e-mail server?
log files
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
lossless
In Microsoft Outlook, what are the e-mail storage files typically found on a client computer?
pst and .ost
On a UNIX-like system, which file specifies where to save different types of e-mail log files?
syslog.conf