CompForensics
Which of the following email repository files is not used by Outlook or Outlook Express?
.mbx
In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
.pst
If left unpowered for more than ___ a flash memory device can begin to lose data.
1 Year
Each MFT entry takes up ___ bytes.
1024
In the NTFS MFT, all files and folders are stored in separate records of ____ bytes each.
1024
In general, forensics workstations can be divided into ____ categories.
3
The average life span of a standard hard drive is?
3-5 years
The MFT mirror file stores the first ___ records.
4
Image files can be reduced by as much as ____% of the original when using lossless compression.
50%
Normally a hard drive sector is how many bytes in size?
512 Bytes
Normally how many bytes are in a sector?
512 Bytes
In an e-mail address, everything after the ____ symbol represents the domain name.
@
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
Allegation
If necessary, you can include ____ containing material such as raw data, figures not used in the body of the report, and anticipated exhibits.
Appendixes
____ provide additional resource material not included in the body of the report.
Appendixes
____ images store graphics information as grids of pixels.
Bitmap
A ___ refers to a specific location in the registry.
Branch
Recovering files from raw data is called ____.
Carving
In Microsoft file systems, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
Clusters
The report's ____ should restate the objectives, aims, and key questions and summarize your findings with clear, concise statements.
Conclusion
In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation.
Criminal
For a ____ acquisition to be possible, client software needs to be pre-installed on the suspect's computer.
Data
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data Recovery
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are called ____.
Data runs
Remember that anything you write down as part of your examination for a report in a civil litigation case is subject to ____ from the opposing attorney.
Discovery
The simplest method of duplicating a disk drive is using a tool that makes a direct ____ copy from the suspect disk to the target location.
Disk-to-Image
The most common and flexible data-acquisition method is ____.
Disk-to-Image copy
When Microsoft introduced Windows 2000, it added optional built-in encryption to NTFS called ____.
Encrypting File System (EFS)
____ is the file structure database that Microsoft originally designed for floppy disks.
FAT
A file stored on an NTFS file system can have only one alternative data stream. (T/F)
False
A verbal report is more structured than a written report. (T/F)
False
At the beginning of a FAT filesystem is the header, which takes up 2 sectors (1024 bytes). (T/F)
False
Big Endian is when the byte with the least significance is stored in memory first. (T/F)
False
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. (T/F)
False
Digital forensic investigators must submit evidence custody forms when requesting a warrant. (T/F)
False
Digital forensic investigators need to maintain chain of custody only when dealing with public sector investigations. (T/F)
False
Exposing a floppy disk to a magnetic field will not impact the data stored on the floppy disk. (T/F)
False
Floppy disks use lasers to store and read data. (T/F)
False
In Linux a hard link is the same thing as a shortcut in Windows. (T/F)
False
Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes. (T/F)
False
Linux forensic bootable media automatically mounts all drives as read only. (T/F)
False
MFT attributes have a set size that is universal across all MFT entries. (T/F)
False
The Master Boot Record can support up to 6 partitions per storage drive. (T/F)
False
Standard hard drives are very resilient and can withstand physical bumps without running into errors. (T/F)
False
Steganography cannot be used with file formats other than image files. (T/F)
False
The law of search and seizure protects the rights of all people, excluding people suspected of crimes. (T/F)
False
The most common and time-consuming technique for preserving evidence is creating the disk-to-image file. (T/F)
False
The registry files default, SAM, Security, Software, and Ntuser are stored in the same location, "Windows\system32\config\". (T/F)
False
When a file is deleted from a FAT file system, the cluster runs in the FAT table are maintained until they are used to store a new file. (T/F)
False
When conducting a live acquisition, you should install the acquisition tool on the suspect computer. (T/F)
False
____ refers to sectors in a cluster that are not being used to store file data.
File Slack
A ____ is where you conduct your investigations, store evidence, and do most of your work.
Forensics lab
___ refers to the categories the registry is broken up into.
HKEY or Hive Key
You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512.
Hash
If you can't open a graphics file in an image viewer, the next step is to examine the file's ____.
Header Data
The simplest way to access a file header is to use a(n) ____ editor.
Hex
Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) ____.
Image File
____ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
___ is a protocol used to retrieve emails from a server while maintaining the information on the server.
Internet Message Access Protocol (IMAP)
The ____ format has a hexadecimal value of FFD8 FFE0 in the first four bytes.
JPEG
____ is a single entry in the registry that can contain values or other ___s.
Key, keys
If the computer has an encrypted drive, a ____ acquisition is done.
Live
____ compression compresses data by permanently discarding bits of information in the file.
Lossy
Autopsy uses ____ to validate an image.
MD5
On an NTFS disk, immediately after the Partition Boot Sector is the ____.
MFT
Which one of the following is not a component of an MBR?
Master File Table
____ is the field in the email header that stores the email's unique ID.
Message-ID
Records in the MFT are called ____.
Metadata
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System.
NTFS
____ was introduced when Microsoft created Windows NT and is still the main file system in Windows.
NTFS
The ___ registry file stores user settings.
NTUSER.dat
What Windows command displays statistics about current TCP/IP connections?
Netstat
If the data for a given file is too large to store in the MFT entry, it is considered a ___ file.
Non-resident
A forensics workstation consisting of a laptop computer with almost as many bays and peripherals as a stationary workstation is also known as a ____.
Portable Workstation
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
Proprietary
____, or mirrored striping, is a combination of RAID 1 and RAID 0.
RAID 10 or RAID 1+0
___ is the field in the email header that stores the IP address of the sender along with the host name of the computer used.
Received From
___ is a registry value type used to store binary values.
Reg_Binary
___ is a registry value type used to store 32-bit unsigned integer values.
Reg_Dword
___ is a registry value type used to store string values.
Reg_SZ
___ is the default program for editing the registry built into Windows.
Regedit
When Microsoft created Windows 95, it consolidated initialization (.ini) files into the ____.
Registry
MFT attributes stored in the MFT entry are considered ___ attributes.
Resident
Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses.
Right of privacy
The ___ registry file stores user security settings.
SAM
Which of the following registry files is not associated with the HKEY_LOCAL_MACHINE registry entry?
SAM, Security, System, Software
Chrome and Firefox use what kind of database file to store user history?
SQLite
Most web browsers use ___ database files to store user history.
SQLite
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
Safety
The ___ registry file stores security settings.
Security
Current distributions of Linux include hashing algorithm utilities such as ____.
sha1sum
___ is a registry key used to store users' preferences while browsing folders.
Shellbag
___ is the protocol used to transfer email from one server to another.
Simple Mail Transfer Protocol (SMTP)
The ___ registry file stores software settings.
Software
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
Sparse
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
Static
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
Steel
____ has been used to protect copyrighted material by inserting digital watermarks into a file.
Steganography
____ is a data-hiding technique that uses host files to cover the contents of a secret message.
Steganography
___ is a key that is contained within another key.
Subkey
____ steganography replaces bits of the host file with other bits of data.
Substitution
The ___ registry file stores system settings.
System
What Windows command displays information about the suspect computer?
Systeminfo
A bit-stream copy should always be used when creating an image of a suspect's hard drive. (T/F)
True
A forensics analysis of a 6 TB disk, for example, can take several days or weeks. (T/F)
True
A judge can exclude evidence obtained from a poorly worded warrant. (T/F)
True
A separate manual validation is recommended for all raw acquisitions at the time of analysis. (T/F)
True
Acquisitions of RAID drives can be challenging and frustrating for digital forensics examiners because of how RAID systems are designed, configured, and sized. (T/F)
True
After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. (T/F)
True
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. (T/F)
True
Always try to give preliminary reports verbally rather than creating a write-up. (T/F)
True
As with any research paper, write the report abstract/executive summary last. (T/F)
True
Besides presenting facts, reports can communicate expert opinion. (T/F)
True
Bitmap images are collections of dots, or pixels, in a grid format that form a graphic. (T/F)
True
By analyzing an entry in an MBR partition table you can determine the starting location of that partition. (T/F)
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack. (T/F)
True
E-mail programs either save e-mail messages on the client computer or leave them on the server. (T/F)
True
Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a reasonable suspicion that a law or policy is being violated. (T/F)
True
Every file in Linux has an inode value associated with it. (T/F)
True
FAT uses singly linked lists to specify cluster runs. (T/F)
True
GPT can support an unlimited number of partitions but is normally capped at 128 partitions per storage drive. (T/F)
True
GUID Partition Table (GPT) starts at offset 00 at the very beginning of the storage drive. (T/F)
True
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. (T/F)
True
If a graphics file is fragmented across areas on a disk, you must recover all the fragments before recreating the file. (T/F)
True
If configured properly, mail servers will maintain logs to track e-mail communications. (T/F)
True
If the computer has an encrypted drive, a live logical acquisition is done. (T/F)
True
In Linux, all user directories, excluding root, are stored in the home directory. (T/F)
True
In Linux, the files associated with hardware are stored in the dev directory. (T/F)
True
In Linux, the password hash values are stored in the shadow file. (T/F)
True
In Linux, the password hashes are salted to prevent rainbow table attacks. (T/F)
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows. (T/F)
True
Lawyers use services called deposition banks (libraries), which store examples of expert witnesses' previous testimony. (T/F)
True
Little Endian is when the byte with the least significance is stored in memory first. (T/F)
True
Master Boot Record (MBR) and GUID Partition Table (GPT) are the two primary boot sectors used. (T/F)
True
Modifying the registry can potentially cause a system not to boot correctly. (T/F)
True
One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop. (T/F)
True
Optical media uses lasers to store and read data. (T/F)
True
Preservation of collected data must be maintained throughout the digital forensic investigation. (T/F)
True
Probable cause is the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. (T/F)
True
Registry values consist of 3 parts: name, data, and type. (T/F)
True
Software forensic tools are grouped into command-line applications and GUI applications. (T/F)
True
Solid State Drive (SSD) is a type of hard drive interface. (T/F)
True
Solid State Drives have automatic garbage collection built into the hardware controller. (T/F)
True
Solid State Drives store data as pages but can only erase data at the block level. (T/F)
True
Standard hard drives use magnetic platters to store data. (T/F)
True
Technical writing encompasses the communication of complex processes to a non-technical audience. (T/F)
True
The Daubert Standard is used by a judge to determine if evidence is admissible. (T/F)
True
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure. (T/F)
True
The Internet is the best source for learning more about file formats and their extensions. (T/F)
True
The MBR is located at offset 512 right after the first sector. (T/F)
True
The Master File Table (MFT) stores entries for each file in the file system, including itself, which is the first entry. (T/F)
True
The data for small files are stored directly in the MFT entry to improve performance when retrieving the data. (T/F)
True
The raw image format does not contain metadata and requires additional documentation for storing hash values. (T/F)
True
The two major forms of steganography are insertion and substitution. (T/F)
True
The type of file system an OS uses determines how data is stored on the disk. (T/F)
True
To be a successful computer forensics investigator, you must be familiar with more than one computing platform. (T/F)
True
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful. (T/F)
True
Unlike RAID 0, RAID 1 alternates data writes (stripes) across all disks that make up one volume. (T/F)
True
When you research for computer forensics tools, strive for versatile, flexible, and robust tools that provide technical support. (T/F)
True
Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0 and 3.0, SATA, PATA, and SCSI controllers.
USB
Keys contain ___ which store the data for the specific entry.
Value
____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Vector graphics
A ____ enables you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment.
Virtual Machine
A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
Warning banner
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
Warrant
Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult.
Whole Disk Encryption
____ can be software or hardware and are used to protect evidence disks by preventing data from being written to them.
Write Blockers
A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).
Written Report
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
dcfldd
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
dd
Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility.
professional conduct
What are examples of anti-forensics?
• Data destruction (erasing)
• Alternate data streams (NTFS)
• Hiding data in file slack or other unlikely places
• Renaming file extensions
• File system alteration/corruption
What are examples of types of file systems?
• FAT (File Allocation Table), aka FAT32
• exFAT (Extended File Allocation Table)
• NTFS (New Technology File System)
• HFS+ (Hierarchical File System)
• APFS (Apple File System)
• ext2, ext3, ext4 (extended file system)
• Reiser (Linux)
• The Berkeley Fast File System (Unix)