CompForensics

Which of the following email repository files is not used by Outlook or Outlook Express?

.mbx

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.

.pst

If left unpowered for more than ___ a flash memory device can begin to lose data.

1 Year

Each MFT entry takes up ___ bytes.

1024

In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.

1024

In general, forensics workstations can be divided into ____ categories.

3

The average life span of a standard hard drive is?

3-5 year

The MFT mirror file stores the first ___ records.

4

Image files can be reduced by as much as ____% of the original when using lossless compression.

50%

Normally a hard drive sector is how many bytes in size?

512 Bytes

Normally how many bytes are in a sector?

512 Bytes

In an e-mail address, everything after the ____ symbol represents the domain name.

@

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.

Allegation

If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.

Appendixes

____ provide additional resource material not included in the body of the report.

Appendixes

____ images store graphics information as grids of pixels.

Bitmap

A ___ refers to a specific location in the registry.

Branch

Recovering files from raw data is called ____.

Carving

In Microsoft file systems, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.

Clusters

The report's ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.

Conclusion

In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.

Criminal

For a ____ acquisition to be possible, client software needs to be pre-installed on the suspect's computer.

Data

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.

Data Recovery

The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.

Data runs

Remember that anything you write down as part of your examination for a report in a civil litigation case is subject to ____ from the opposing attorney.

Discovery

The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.

Disk-to-Image

The most common and flexible data-acquisition method is ____.

Disk-to-Image copy

When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.

Encrypting File System (EFS)

____ is the file structure database that Microsoft originally designed for floppy disks.

FAT

A file stored on a NTFS file system can have only one alternative data stream. (T/F)

False

A verbal report is more structured than a written report. (T/F)

False

At the beginning of a FAT filesystem is the header which takes up 2 sectors (1024 bytes). (T/F)

False

Big Endian is when the byte with the least significance is stored in memory first (T/F)

False

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. (T/F)

False

Digital forensic investigators must submit evidence custody forms when requesting for a warrant. (T/F)

False

Digital forensic investigators need to maintain chain of custody only when dealing with public sector investigations. (T/F)

False

Exposing a Floppy disk to a magnetic field will not impact the data stored on the Floppy disk. (T/F)

False

Floppy disk use lasers to store and read data. (T/F)

False

In Linux a hard link is the same thing as a shortcut in Windows. (T/F)

False

Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes. (T/F)

False

Linux forensic bootable media automatically mounts all drives as read only. (T/F)

False

MFT attributes have a set size that is universal across all MFT entries. (T/F)

False

Master Boot Record can support up to 6 partitions per storage drive. (T/F)

False

Standard hard drives are very resilient and can withstand physical bumps without running into errors. (T/F)

False

Steganography cannot be used with file formats other than image files. (T/F)

False

The law of search and seizure protects the rights of all people, excluding people suspected of crimes. (T/F)

False

The most common and time-consuming technique for preserving evidence is creating the disk-to-image file. (T/F)

False

The registry files default, SAM, Security, Software, and Ntuser are stored in the same location. "Windows\system32\config\" (T/F)

False

When a file is deleted from a FAT file system the cluster runs in the FAT table are maintained until they are used to store a new file. (T/F)

False

When conducting a live acquisition, you should install the acquisition tool on the suspect computer. (T/F)

False

____ refers to sectors in a cluster that are not being used to store file data.

File Slack

A ____ is where you conduct your investigations, store evidence, and do most of your work.

Forensics lab

___ refers to the categories the registry is broken up into.

HKEY or Hive Key

You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.

Hash

If you can't open a graphics file in an image viewer, the next step is to examine the file's ____.

Header Data

The simplest way to access a file header is to use a(n) ____ editor

Hex

Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.

Image File

____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.

Insertion

___ is a protocol used to retrieve emails from a server while maintaining the information on the server.

Internet Map Access Protocol (IMAP)

The ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes.

JPEG

____ is a single entry in the registry that can contain values or other ___s.

Key, keys

If the computer has an encrypted drive, a ____ acquisition is done.

Live

____ compression compresses data by permanently discarding bits of information in the file.

Lossy

Autopsy uses ____ to validate an image.

MD5

On an NTFS disk, immediately after the Partition Boot Sector is the ____.

MTF

Which one of the following is not a component of an MBR?

Master File Table

____ is the field in the email header that stores the email's unique ID.

Message-ID

Records in the MFT are called ____.

Metadata

Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.

NTFS

____ was introduced when Microsoft created Windows NT and is still the main file system in Windows

NTFS

The ___ registry file stores user settings.

NTUSER.dat

What Windows command displays statistics about current TCP/IP connections?

Netstat

If the data for a given file is too large to store in the MFT entry it is considered a ___ file.

Non-resident

A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____.

Portable Workstation

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.

Proprietary

____, or mirrored striping, is a combination of RAID 1 and RAID 0.

RAID 10 or RAID 1+0

___ is the field in the email header that stores the IP address of the sender along with the host name of the computer used.

Received Form

___ is a registry value type used to store binary values.

Reg_Binary

___ is a registry value type used to store 32-bit unsigned integer values.

Reg_Dword

___ is a registry value type used to store string values.

Reg_SZ

___ is the default program for editing the registry built into Windows.

Regedit

When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.

Registry

MFT attributes stored in the MFT entry are considered ___ attributes.

Resident

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.

Right of privacy

The ___ registry file stores user security settings.

SAM

Which of the following registry files is not associated to the HKEY_LOCAL_MACHINE registry entry?

SAM, Security, System, Software

Chrome and FireFox use what kind of database file to store user history?

SQLite

Most web browsers use ___ database files to store user history.

SQLite

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.

Safety

The ___ registry file stores security settings.

Security

Current distributions of Linux include hashing algorithm utilities such as ____.

Shalsum

___ are a registry key used to store users preferences while browsing folders.

Shellbag

___ is the protocol used to transfer email from one server to another.

Simple Mail Transfer Protocol (SMTP)

The ___ registry file stores software settings.

Software

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.

Sparse

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.

Static

A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.

Steel

____ has been used to protect copyrighted material by inserting digital watermarks into a file.

Steganography

____ is a data-hiding technique that uses host files to cover the contents of a secret message.

Steganography

___ is a key that is contained within another key.

Subkey

____ steganography replaces bits of the host file with other bits of data.

Substitution

The ___ registry file stores system settings.

System

What Windows command displays information about the suspect computer?

Systeminfo

A bit-stream copy should always be used when creating an image of a suspect's hard drive. (T/F)

True

A forensics analysis of a 6 TB disk, for example, can take several days or weeks. (T/F)

True

A judge can exclude evidence obtained from a poorly worded warrant. (T/F)

True

A separate manual validation is recommended for all raw acquisitions at the time of analysis. (T/F)

True

Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. (T/F)

True

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. (T/F)

True

Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. (T/F)

True

Always try to give preliminary reports verbally over creating a write up. (T/F)

True

As with any research paper, write the report abstract/executive summary last. (T/F)

True

Besides presenting facts, reports can communicate expert opinion. (T/F)

True

Bitmap images are collections of dots, or pixels, in a grid format that form a graphic (T/F)

True

By analyzing an entry in a MBR partition table you can determine the starting location of that partition. (T/F)

True

Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. (T/F)

True

E-mail programs either save e-mail messages on the client computer or leave them on the server. (T/F)

True

Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a reasonable suspicion that a law or policy is being violated. (T/F)

True

Every file in Linux has an inode value associated with it. (T/F)

True

FAT uses single linked lists for specify cluster runs. (T/F)

True

GPT can support an unlimited number of partitions but is normally capped at 128 partitions per storage drive. (T/F)

True

GUID Partition Table (GPT) starts at offset 00 at the very beginning of the storage drive. (T/F)

True

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. (T/F)

True

If a graphics file is fragmented across areas on a disk, you must recover all the fragments before recreating the file. (T/F)

True

If configured properly mail servers will maintain logs to track e-mail communications. (T/F)

True

If the computer has an encrypted drive, a live logical acquisition is done. (T/F)

True

In Linux all user directories excluding root are stored in the home directory. (T/F)

True

In Linux the files associated to the hardware are stored in the dev directory. (T/F)

True

In Linux the password hash values are stored in the shadow file. (T/F)

True

In Linux the password hashes are salted to prevent Rainbow table attacks. (T/F)

True

It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. (T/F)

True

Lawyers use services called deposition banks (libraries), which store examples of expert witnesses' previous testimony. (T/F)

True

Little Endian is when the byte with the least significance is stored in memory first (T/F)

True

Master Boot Record (MBR) and GUID Partition Table (GPT) are the two primary boot sectors used. (T/F)

True

Modifying the registry can potentially cause a system not to boot correctly. (T/F)

True

One way to examine a partition's physical level is to use a disk editor, such as WinHex, or Hex Workshop. (T/F)

True

Optical media uses lasers to store and read data. (T/F)

True

Preservation of collected data must be maintained throughout the digital forensic investigation. (T/F)

True

Probable cause is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. (T/F)

True

Registry Values consist of 3 parts name, data, and type. (T/F)

True

Software forensic tools are grouped into command-line applications and GUI applications. (T/F)

True

Solid State Drive (SSD) is a type of hard drive interface. (T/F)

True

Solid State Drives have automatic garbage collection built into the hardware controller. (T/F)

True

Solid State Drives store data as pages but can only erase data on the block level. (T/F)

True

Standard Hard drives use magnetic platters to store data. (T/F)

True

Technical writing encompasses the communication of complex processes to a non-technical audience. (T/F)

True

The Daubert Standard is used by a judge to determine if evidence is admissible. (T/F)

True

The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure. (T/F)

True

The Internet is the best source for learning more about file formats and their extensions. (T/F)

True

The MBR is located at offset 512 right after the first sector. (T/F)

True

The Master File Table (MFT) stores entries for each file in the file system, including itself which is the first entry. (T/F)

True

The data for small files are stored directly in the MFT entry to improve performance when retrieving the data. (T/F)

True

The raw image format does not contain metadata and requires additional documentation for storing hash values. (T/F)

True

The two major forms of steganography are insertion and substitution. (T/F)

True

The type of file system an OS uses determines how data is stored on the disk. (T/F)

True

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. (T/F)

True

To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. (T/F)

True

Unlike RAID 0, RAID 1 alternates data writes (stripes) across all disks that make up one volume. (T/F)

True

When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. (T/F)

True

Many vendors have developed write-blocking devices that connect to a computer through FireWire,____ 2.0 and 3.0, SATA, PATA, and SCSI controllers.

USB

Keys contain ___ which store the data for the specific entry.

Value

____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Vector graphics

A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.

Virtual Machine

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.

Warning banner

Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.

Warrant

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.

Whole Disk Encryption

____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.

Write Blockers

A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).

Written Report

The ____ command, works similarly to the dd command but has many features designed for computer forensics acquisitions.

dcfldd

The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

dd

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.

professional conduct

What are examples of anti-forensics?

• Data destruction (erasing) • Alternate data stream (NTFS) • Hiding data in file slack or other unlikely places • Renaming file extensions • File system alteration/corruption

What are examples of types of file systems?

• FAT (File Allocation Table) aka FAT32 • ExFAT (Extended File Allocation Table) • NTFS (New Technology File System) • HFS+ (Hierarchical File System) • APFS (Apple File System) • EXT2, EXT3, EXT4 (extended file system) • Reiser (Linux) • The Berkley Fast (Unix)