Computer Forensics Ch. 9

After you shift a file's bits, the hash value remains the same. True or False?

False

Password recovery is included in all forensics tools. True or False?

False

What forensics image file format creates or incorporates a validation hash value in the image file?

SMART and Expert Witness

(blank) happens when an investigation goes beyond the bounds of its original description.

Scope Creep

You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?

There's a hidden partition

The National Software Reference Library provides what type of resource for digital forensics examiners?

a list of MD5 and SHA1 hash values for all known OSs and applications

Block-wise hashing has what benefits for forensics examiners?

allows validating sector comparisons between known files

Rainbow tables serve what purpose for digital forensics examinations?

file containing the hash values for every possible password that can be generated

What represents known files you can eliminate from an investigation?

files associated with applications and system files the OS uses

What is steganography used for?

hiding data

The Known File Filter can be used for what purpose?

identify files for evidence or eliminate them from the investigation if they are legit

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?

internal corporate investigations because corporate investigators tend to have access to company records

Commercial encryption programs often rely on (blank) technology to recover files if a password or passphrase is lost.

key escrow

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?

recovering passwords can take longer

What is cover-media (steganalysis)?

the content of a file used for a steganography message

Why should you wipe a target drive?

to ensure the quality of digital evidence and to make sure unwanted data isn't retained on the drive

The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?

true