CIS 66 Ch. 1-7

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

The uppercase letter ____ has a hexadecimal value 41.

"A"

Describe some of the problems you may encounter if you decide to build your own forensics workstation.

...

The EMR from a computer monitor can be picked up as far away as ____ mile.

1/2

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

The FOIA was originally enacted in the ____.

1960s

IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics.

3

In general, forensics workstations can be divided into ____ categories.

3

Computing components are designed to last 18 to ____ months in normal business operations.

36

Image files can be reduced by as much as ____% of the original when using lossless compression.

50

Unused space in a cluster between the end of an active file's content and the end of the cluster

Drive slack

covert surveillance product

EnCase Enterprise Edition

A(n) ____ is a person using a computer to perform routine tasks other than systems administration.

End user

Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown.

Event log

Vendor-neutral specialty remote access utility designed to work with any digital forensics program

F-Response

____ is the file structure database that Microsoft originally designed for floppy disks.

FAT

A standard indicator for graphics files

FF D8

agencies must comply with these laws and make documents they find and create available as public records

FOIA

A high-end RAID server from Digital Intelligence

FREDC

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.

False

T/F? ISPs can investigate computer abuse committed by their customers.

False

Gives an OS a road map to data on a disk

File system

_____ often work as park of a team to secure an organization's computers and networks.

Forensics investigators

A disk editor tool

Hex Workshop

By the early 1990s, the ___ introduced training on software for forensics investigations.

IACIS

One of the oldest professional digital forensics organizations

IACIS

The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for ____ PC file systems.

IBM

States that Digital Evidence First Responders (DEFRs) should use validated tools

ISO 27037

ILookIX acquisition tool

IXImager

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.

Insertion

Graphics file format that uses lossless compression

PNG

System file where passwords may have been written temporarily

Pagefile.sys

The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors

Partition boot sector

Short for "picture elements"

Pixels

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.

Steel

____ has been used to protect copyrighted material by inserting digital watermarks into a file.

Steganography

____ is a data-hiding technique that uses host files to cover the contents of a secret message.

Steganography

T/F? A separate manual validation is recommended for all raw acquisitions at the time of analysis.

True

You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility.

off-site

Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.

sniffing

One technique for extracting evidence from large systems is called ____.

sparse acquisition

Steganalysis tools are also called ____.

steg tools

Concentric circles on a disk platter where data is located

tracks

____ involves sorting and searching through investigation findings to separate good data and suspicious data.

validation

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.

virtual machine

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.

warrant

Explain the difference between repeatable results and reproducible results.

"Repeatable results" means that if you work in the same lab on the same machine, you generate the same results. "Reproducible results" means that if you're in a different lab working on a different machine, the tool still retrieves the same information.

The FBI _____ was formed in 1984 to handle the increasing number of cases involving digital evidence.

Computer Analysis and Response Team (CART)

____ records are data the system maintains, such as system log files and proxy server logs.

Computer-generated

In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.

Configuration Management

A ____ is a column of tracks on two or more disk platters.

Cylinder

A ____ is where you conduct your investigations, store evidence, and do most of your work.

Digital forensics lab

T/F? If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately.

False

T/F? If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available.

False

T/F? Maintain credibility means you must form and sustain unbiased opinions of your cases.

False

Gnome graphics editor

GIMP

Sponsors the EnCE certification program

Guidance Software

The first forensics vendor to develop a remote acquisition and analysis tool

Guidance Software

Linux ISO images that can be burned to a CD or DVD are referred to as ____.

Linux Live CDs

Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes

Uniform Crime Report

The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.

dcfldd

The process of converting raw picture data to another format is referred to as ____.

demosaicing

To complete a forensic disk analysis and examination, you need to create a ____.

report

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.

safety

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.

sha1sum

Digital forensics tools are divided into ____ major categories.

2

Drawing program that creates vector files

Adobe Illustrator

In a criminal case or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ___.

Affidavit

Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence

Affidavit

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.

Allegation

Ways data can be appended to existing files

Alternate Data Streams

____ refers to the number of bits in one square inch of a disk platter.

Areal density

A person who has the power to initiate investigations in a corporate environment

Authorized requester

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations.

Authorized requester

In the Pacific North West, ___ meets to discuss problems that digital forensics examiners encounter.

CTIN

Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist

Case law

What HTCN certification level requires candidates have three years of experience in computing investigations for law enforcement or corporate cases?

Certified Computer Forensic Technician, Basic

Confidential business data included with the criminal evidence are referred to as ____ data.

Commingled

In a ___ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.

Criminal

_____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data recovery

____ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\Drivers folder.

Device drivers

The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data

Digital Forensics

The _____ group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime.

Digital investigations

A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.

Disaster recovery

Addresses how to restore a workstation you reconfigured for a specific investigation

Disaster recovery plan

The most common and flexible data-acquisition method is ____.

Disk-to-image file copy

Older Microsoft disk compression tools, such as DoubleSpace or ____, eliminate only slack disk space between files.

DriveSpace

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.

EFS

Most digital photographs are stored in the ____ format.

EXIF

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant.

Exhibits

T/F? For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs.

False

T/F? Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.

False

T/F? Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses.

False

T/F? Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics.

False

T/F? The law of search and seizure protects the rights of all people, excluding people suspected of crimes.

False

T/F? Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.

False

T/F? When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police present all evidence together.

False

T/F? When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers.

False

One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search.

Forums and blogs

you should rely on this when dealing with a terrorist attack

HAZMAT

Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____.

Hearsay

a statement made while testifying at a hearing by someone other than an actual witness to the event

Hearsay

____ was created by police officers who wanted to formalize credentials in digital investigations.

IACIS

The standards document, ____, demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.

ISO 5725

PassMark Software acquisition tool for its OSForensics analysis product

ImageUSB

Involves selling sensitive or confidential company information to a competitor

Industrial espionage

information unrelated to a computing investigation case

Innocent information

The process of trying to get a suspect to confess to a specific incident or crime

Interrogation

Graphics file format that uses lossy compression

JPEG

The JFIF ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes.

JPEG

Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence

Lab manager

Usually a laptop computer built into a carrying case with a small selection of peripheral options

Lightweight workstation

Published company policies provide a(n) ____ for a business to conduct internal investigations.

Line of authority

Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

Line of authority

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.

Live

Most remote acquisitions have to be done as ____ acquisitions.

Live

____ compression compresses data by permanently discarding bits of information in the file.

Lossy

Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed

Lossy compression

what most cases in the private sector environment are considered

Low-level investigations

Autopsy uses ____ to validate an image.

MD5

On an NTFS disk, immediately after the Partition Boot Sector is the ____.

MFT

Combinations of bitmap and vector images

Metafile graphics

Most digital investigations in the private sector involve ____.

Misuse of digital assets

The ____ publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.

NIST

Briefly explain the NIST general approach for testing computer forensics tools.

NIST created criteria for forensics tools; the criteria is based on standard testing methods and ISO 17025 criteria for testing when no current standards are available. The lab must meet the following criteria and must keep accurate records for when new software and hardware become available: Establish categories for digital forensics tools; grouping software according to categories Identify forensics category requirements Develop test assertions Identify test cases Establish a test method Report test results

The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.

NSRL

____, located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS.

NTBootdd.sys

____ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.

NTDetect.com

Microsoft's move toward a journaling file system

NTFS

Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.

NTFS

____ was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.

NTFS

Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with

Network forensics

One of the first MS-DOS tools used for digital investigations

Norton DiskEdit

Tool for directly restoring files

Norton Ghost

The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.

Notarized

____ is Windows XP system service dispatch stubs to executables functions and internal support functions.

Ntdll.dll

____ is the physical address support program for accessing more than 4 GB of physical RAM.

Ntkrnlpa.exe

Floors and carpets on your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.

Once

in 2001 redefined how ISPs and large organizations operate and maintain their records

PATRIOT Act

Software-enabled write-blocker

PDBlock

ProDiscover utility for remote access

PDServer

Explain the advantages and disadvantages of GUI forensics tools.

Pros:User-friendly; capabilities to perform multiple tasks; no requirement to learn older OSs. Cons: Excessive resource requirements; producing inconsistent results because of the type of OS used; creates investigator dependencies on using only one tool.

A computer configuration involving two or more physical disks

RAID

For labs using high-end ____ servers or a private cloud (such as Dell PowerEdger or Digital Intelligence FREDC), you must consider methods for restoring large data sets.

RAID

In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk.

RAID 0

collection of pixels stored in rows to make images easy to print

Raster image

A bit-for-bit copy of a data file, a disk partition, or an entire drive

Raw data

Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated.

Reasonable suspicion

When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.

Registry

What are some of the advantages of using command-line forensics tools?

Requires few resources because they're designed to run in minimal configurations. Some command-line tools are created specifically for Windows CLI platforms; others are created for macOS and Linux.

Determines the amount of detail that is displayed

Resolution

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.

Right of privacy

____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.

Risk management

Stands for supervisory control and data acquisition

SCADA

The primary hash algorithm used by the NSRL project is ____.

SHA-1

____ disks are commonly used with Sun Solaris systems.

SPARC

sets standards for recovering, preserving, and examining digital evidence

SWGDE

Command-line disk acquisition tool from New Technologies, Inc.

SafeBack

European term for carving

Salvaging

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.

Secure facility

Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.

Silver-platter

Lists each piece of evidence on a separate page

Single-evidence form

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.

Sparse

a data-collecting tool

Spector

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.

Static

A tower with several bays and many peripheral devices

Stationary workstation

____ steganography replaces bits of the host file with other bits of data.

Substitution

Briefly explain the purpose of the NIST NSRL project.

The goal of the NSRL project is the purpose of collecting all known hash values for commercial software and OS files. This is to reduce the number of known files, such as OS or program files, included in a forensics examination of a drive so that only unknown files are left.

Explain the validation of evidence data process.

This process is done by obtaining hash values. Most forensic tools and disk editors have one or more types of data hashing. How this is used depends on the investigation. This method produces a unique hexadecimal value for data, use to make sure the original data hasn't changed.

The space between each track

Track density

T/F? A forensics analysis of a 6 TB disk, for example, can take several days or weeks.

True

T/F? A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks.

True

T/F? A judge can exclude evidence obtained from a poorly worded warrant.

True

T/F? After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

True

T/F? By the 1970s, electronic crimes were increasing, especially in the financial sector.

True

T/F? By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff.

True

T/F? Computing systems in a forensics lab should be able to process typical cases in a timely manner.

True

T/F? FTK Imager requires that you use a device such as a USB dongle for licensing.

True

T/F? If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.

True

T/F? Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive.

True

T/F? Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.

True

T/F? The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.

True

T/F? The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases.

True

T/F? The lab manager sets up processes for managing cases and reviews them regularly.

True

T/F? The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your disk-to-image file.

True

T/F? The most common computer-related crime is check fraud.

True

T/F? The police blotter provides a record of clues to crimes that have been committed previously.

True

T/F? There's no simple method for getting an image of a RAID server's disks.

True

T/F? To be a successful computer forensics investigator, you must be familiar with more than one computing platform.

True

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.

True

When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data.

U.S. DOJ

Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0 and 3.0, SATA, PATA, and SCSI controllers.

USB

An international data format

Unicode

____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.

Uniform crime reports

____ is a core Win32 subsystem DLL file.

User32.sys

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Vector graphics

When working with image files, computer investigators also need to be aware of ____ laws to guard against copyright violations.

copyright

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.

data runs

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd

The raw data format, typically created with the Linux ____ command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive.

dd

In Windows 2000 and later, the ____ command shows you the file owner if you have multiple users on the system or network.

dir

One way to compare results and verify your a new tool is by using a ____, such as HexWorkshop, or WinHex.

disk editor

The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.

disk-to-image

A(n) ____ should include all the tools you can afford to take to the field.

extensive-response field kit

Shows the known drives connected to your computer

fdisk -l

You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.

hash

If you can't open a graphics file in an image viewer, the next step is to examine the file's ____.

header data

The simplest way to access a file header is to use a(n) ____ editor

hexadecimal

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

image file

With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.

initial-response field kit

Under copyright laws, computer programs may be registered as ____.

literary works

The ____ command displays pages from the online help manual for information on Linux commands and their options.

man

Records in the MFT are called ____.

metadata

Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes.

much easier than

When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating.

80

Open source data acquisition format

AFF

fingerprints can be tested with these systems

AFIS

Provides accreditation of crime and forensics labs worldwide

ANAB

Magnet ____ enables you to acquire the forensic image and process it in the same step.

AXIOM

What are the five major function categories of any digital forensics tool?

Acquisition; Validation and Verification; Extraction; Reconstruction; Reporting

Microsoft's utility for protecting drive data

BitLocker

____ images store graphics information as grids of pixels.

Bitmap

____, located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version.

Boot.ini

Generally, digital records are considered admissible if they qualify as a ____ record.

Business

A plan you can use to sell your services to your management or clients

Business case

In the ____, you justify acquiring newer and better resources to investigate digital forensics cases.

Business case

____ is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.

Probable cause

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.

Professional Conduct

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

Proprietary

In general, a criminal case follows three stages: the complaint, the investigation, and the ____.

Prosecution

Lab costs can be broken down into monthly, ____, and annual expenses.

Quarterly

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____.

TEMPEST

The image format XIF is derived from the more common ____ file format.

TIF

Illustrate how to consider hardware needs when planning your lab budget.

Take into account the amount of time expected for the workstation to be running, expecting hardware failures, consultant and vendor fees to support the hardware when it fails; how often to anticipate replacing the forensic workstation.

T/F? If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy.

True

T/F? In Autopsy and many other forensics tools raw format image files don't contain metadata.

True

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

Warning banner

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

Whole disk encryption

Example of a lossless compression tool

WinZip

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.

Windows

____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.

Write-blockers

The ____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03.

XIF

Recognizes file types and retrieves lost or deleted files

Xtree Gold

Illustrate the use of a write-blocker on a Windows environment.

You are able to direct the blocked drive with any capable Windows app. When you copy the data to the blocked drive or write updates to a particular file with Word, it shows the copy is successful however the write-blocker discards the written data.

____ is how most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks.

ZBR

Recovering fragments of a file is called ____.

carving

Process of coding of data from a larger form to a smaller form

data compression

You use ____ to create, modify, and save bitmap, vector, and metafile graphics.

graphics editors

The unused space between partitions

partition gaps

Many password recovery tools have a feature for generating potential lists for a ____ attack.

password dictionary

Courts consider evidence data in a computer as ____ evidence.

physical

A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____.

portable workstation

Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team.

professional curiousity

The purpose of the ____ is to provide a mechanism for recovering files encrypted with EFS if there's a problem with the user's original private key.

recovery certificate


Set pelajaran terkait

Ch. 28 - Assessment of Hematologic Function and Treatment Modalities Questions

View Set

CompTIA Core 1 A+ Certmaster 3.4 Given a scenario install and configure motherboards, central processing units, and add-on cards

View Set

BIO 101 (Chapter 4 Energy & Metabolism) 9/12/17 TEST 2

View Set

chapter 18-the cardiovascular system: the heart

View Set

Map Reading and Land Navigation TC 3-25.26

View Set

Construction Principles II Final

View Set