Digital forensics Midterm (1,3,4,6)
What's the maximum file size when writing data to a FAT32 drive?
2 GB (a limitation of FAT file systems)
What does a logical acquisition collect for an investigation?
A logical acquisition captures only specific files of interest to the case or specific types of files
What is a hashing algorithm?
A program designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file, or entire disk
What does a sparse acquisition collect for an investigation?
A sparse acquisition collects fragments of unallocated (detected) data.
If a suspect computer is running Windows 2000, which of the following can you perform safely? A) Browsing open applications B) Disconnecting power C) Either of the above D) None of the above
A) Browsing open applications refer to review sheets
List two items that should appear on a warning banner.
Access to this system and network is restricted and use of this system and network is for official business only.
What are two advantages and disadvantages of the raw format?
Advances for raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. Disadvantages of raw format is that some raw format tools might not collect marginal (bad) sectors on the source drive.
What's the purpose of an affidavit?
Affidavit is often used to justify issuing a warrant or to deal with abuse in a corporation.
What is professional conduct, and why is it important?
Behavior expected of an employee in the workplace or other professional setting. It is important because it determines your credibility.
List three items that should be on an evidence custody form.
Case number, Investigating organization, Investigator
What do you call a list of people who have had physical possession of the evidence?
Chain of Custody
Describe what should be videotaped or sketched at a computer crime scene.
Computers, cable connections, overview of scene—anything that might be of interest to the investigation
What should you consider when determining which data acquisition method to use?
Consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner.
What are the subfunctions of the extraction function?
Data viewing, Keyword searching, Decompressing, Carving, Decrypting, and Bookmarking
What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer & list the software to use for the examination.
When you perform an acquisition at a remote location, what should you consider to prepare for this task?
Determining whether there's sufficient electrical power and lighting and checking the temperature and humidity at the location.
List two types of digital investigations typically conducted in a business environment.
Email Abuse, and Internet Abuse
Which forensics tool can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
Name two commercial tools that can make a forensics sector-by-sector copy of a drive to a larger drive.
EnCase, and ProDiscover
List three items that should be in your case report.
Explanation of basic computer and network processes, a narrative of what steps you took, and a description of findings.
A disk partition can be copied only with a command-line acquisition tool. True or False?
False
A live acquisition is considered an accepted forensics practice. True or False?
False
Building a forensic workstation is more expensive than purchasing one. True or False?
False
Data can' t be written to the disk with a command-line tool. True or False?
False
Digital Forensics and data recovery refer to the same activities. True or False?
False
During a remote acquisition of a suspect drive, RAM data is lost. True or False?
False
NIST testing procedures are valid only for government agencies. True or False?
False
Small companies rarely need investigators. True or false?
False
The plain view doctrine in computer searches is well-established law. True or False?
False
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
You should always answer questions from onlookers at a crime scene. True or false?
False
You should always prove the allegations made by the person who hired you. True or False?
False
In a Linux shell, the f-disk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of =/dev/hda1
False The correct command is dcfldd if=/dev/hda1 of=image_file.img.
Sleuth Kit is used to access Autopsy' s tools. True or False?
False (Autopsy is the front end to Sleuth Kit.)
What are the three rules for a forensic hash?
It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.
Identify two hashing algorithms commonly used for forensic purposes.
MD5 and SHA-1
What' s the name of the NIST project established to collect all known hash values for commercial software and OS files?
National Software Reference Library (NSRL)
With newer Linux kernel distributions, what happens if you connect a hot swappable device, such a USB drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it.
What's the ProDiscover remote access utility?
PDServer
How does ProDiscover Incident Response encrypt the connection between the examiner's and suspect's computer?
ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
Name the three formats for digital forensics data acquisitions.
Raw format, proprietary format, and advanced forensic format
List three items that should be in an initial-response field kit.
Small computer toolkit, large-capacity drive, IDE ribbon cables
Of all the proprietary formats, which one is the unofficial standard?
The expert witness format is the unofficial standard.
List two features common with proprietary format acquisition files.
The option to compress or not compress image files of a suspect drive, thus saving target space. The capability to split an image into smaller segmented files for archiving purposes such as to CDs or DVDs, with data integrity checks integrated into each segment
Why should you critique your case after it's finished?
To determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases.
Why is it a good practice to make two images of a suspect drive in a critical investigation?
To ensure at least one good copy of the forensically collected data in case of any failures.
What's the purpose of maintaining a network of digital forensics specialists?
To have the option of calling on a specialist to help with a case you cannot solve
Why should evidence media be write-protected?
To make sure data can not be altered.
What's the main goal of a static acquisition?
To preserve digital evidence.
Computer peripherals or attachments can contain DNA evidence. True or false?
True
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
True
EnCase, FTK, SMART, and ILookIX treat an image file as though it were the original disk. True or False?
True
FTK Imager can acquire data in a drive's host protected area. True or False?
True
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or false?
True
Many of the newer GUI tools use a lot of system resources. True or False?
True
Why should you do a standard risk assessment to prepare for an investigation?
You do a standard risk assessment to understand the risks that could halt to investigation.
What are the necessary components of a search warrant?
You need an affidavit of the evidence to conduct an investigation
If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.) A) Coordinate with a HAZMAT team B) Determine a way to obtain the suspect computer C) Assume the suspect computer is contaminated D) Do not enter alone
a. Coordinate with the HAZMAT team. c. Assume the suspect computer is contaminated.
With remote acquisitions, what problems should you be aware of? (Choose all that apply) a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. The password of the remote computer's user
a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs
Which of the following tools can examine files created by WinZip? a. FTK, b. Hex Workshop, c. Registry Viewer, d. SMART
a. FTK
Which of the following techniques might be used in covert surveillance? (Choose all that apply) A) Keylogging B) Data Sniffing C) Network logs
a. Keylogging b. Data sniffing refer to review sheets
Corporate investigations are typically easier than law enforcement investigations for which of the following reasons? a. Most companies keep inventory databases of all hardware and software used b. The investigator doesn't have to gets a warrant c. The investigator has to get a warrant d. Users can load whatever they want on their machines
a. Most companies keep inventory databases of all hardware and software used.
Hashing, filtering, and file header analysis make up which function of computer forensics tools? a. Validation and discrimination, b. Acquisition, c. Extraction, d. Reporting
a. Validation and discrimination
As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.) A) You begin to take orders from a police detective without a warrant or subpoena. B) Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement. C) Your internal investigation begins D) None of the above
a. You begin to take orders from a police detective without a warrant or subpoena. b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
What are the five required functions for computer forensics tools?
acquisition, validation and discrimination, extraction, reconstruction, and reporting
What are two concerns when acquiring data from a RAID server?
amount of data storage needed, and the type of RAID server (0, 1, 5, etc.)
Hash values are used for which of the following purposes? (Choose all that apply.) a. Determining file size, b. Filtering known good files from potentially suspicious data, c. Reconstructing file fragments, d. Validating that the original data hasn' t changed
b. Filtering known good files from potentially suspicious data d. Validating that the original data hasn't changed
Police in the United States must use procedures that adhere to which of the following? a. Third Amendment b. Fourth Amendment c. First Amendment d. None of the above
b. Fourth Amendment
Which of the following is true of most drive-imaging tools? (Choose all that apply.) a. They perform the same function as a backup. b. They ensure that the original drive doesn' t become corrupt and damage the digital evidence. c. They create a copy of the original drive. d. They must be run from the command line.
b. They ensure that the original drive doesn't become corrupt and damage the digital evidence. c. They create a copy of the original drive.
The standards for testing forensics tools are based on which criteria? a. U.S. Title 18, b. ISO 5725, c. ISO 17025, d. All of the above
c. ISO 17025
What two data-copying methods are used in software data acquisitions? a. Remote and local, b. Local and logical, c. Logical and physical, d. Physical and compact
c. Logical and physical,
When considering new forensics software, you should do which of the following? a. Uninstall other forensics software. b. Reinstall the OS. c. Test and validate the software. d. None of the above.
c. Test and validate the software.
The triad of computing security includes which of the following? a. Detection, response, and monitoring b. Vulnerability assessment, detection, and monitoring c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation d. Vulnerability assessment, intrusion response, and monitoring
c. Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation
Policies can address rules for which of the following? a. When you can log on to a company network from home b. The Internet sites you can or can't access c. The amount of personal e-mail you can send d. Any of the above
d. Any of the above
When validating the results of a forensics analysis, you should do which of the following? a. Calculate the hash value with two different tools. b. Use a different tool to compare the results of evidence you find. c. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results. d. Do both a and b. e. Do both b and c. f. Do both a and c. g. Do none of the above.
d. Do both a and b.
List four subfunctions of reconstructing drives.
disk-to-disk copy, image-to-disk copy, partition-to-partition copy, mage-to-partition copy
In the Linux dcfldd command, which three options are used for validating data?
hash=, hashlog=, and vf=
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
initial-response field kit
Commingling evidence means what in a corporate setting?
sensitive corporate information being mixed with data collected as evidence
When you arrive at the scene, why should you extract only those items you need to acquire evidence?
to minimize how much you have to keep track of at the scene
If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or false?
true
In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
true
In forensic hashes, a collision occurs when ________.
two files have the same hash value
What's the most critical aspect of digital evidence?
validation