Computer Forensics Ch. 9
After you shift a file's bits, the hash value remains the same. True or False?
False
Password recovery is included in all forensics tools. True or False?
False
What forensics image file format creates or incorporates a validation hash value in the image file?
SMART and Expert Witness
(blank) happens when an investigation goes beyond the bounds of its original description.
Scope Creep
You're using Disk Management to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
There's a hidden partition
The National Software Reference Library provides what type of resource for digital forensics examiners?
a list of MD5 and SHA1 hash values for all known OSs and applications
Block-wise hashing has what benefits for forensics examiners?
allows validating sector comparisons between known files
Rainbow tables serve what purpose for digital forensics examinations?
file containing the hash values for every possible password that can be generated
What represents known files you can eliminate from an investigation?
files associated with applications and system files the OS uses
What is steganography used for?
hiding data
The Known File Filter can be used for what purpose?
identify files for evidence or eliminate them from the investigation if they are legit
Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
internal corporate investigations because corporate investigators tend to have access to company records
Commercial encryption programs often rely on (blank) technology to recover files if a password or passphrase is lost.
key escrow
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
recovering passwords can take longer
What is cover-media (steganalysis)?
the content of a file used for a steganography message
Why should you wipe a target drive?
to ensure the quality of digital evidence and to make sure unwanted data isn't retained on the drive
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True