Digital Forensics II Final Exam
Anti-forensics is an effort to alter log records as well as date and time values of important system files and install malware to hide hackers' activities. Some anti-forensics tactics are inserting malware programs in other files, manipulating file metadata by changing the "last accessed" and "last modified" times, using encryption to obfuscate malware programs activated through other malware programs, and using data-hiding utilities that append malware to existing files.
Explain what "anti-forensics" is, and provide detail on some anti-forensics tactics.
PDAs
For personal use, ________ have been replaced by smartphones, iPads, and other mobile devices.
Time Division Multiple Access (TDMA)
Global System for Mobile Communications (GSM) uses the ___ technique, so multiple phones take turns sharing a channel.
You can prevent a phone from being remotely wiped by placing the device in airplane mode, placing the device in a paint can, using a Faraday bag, and turning the device off.
How can you prevent a phone from being remotely wiped?
header data
If you can't open a graphics file in an image viewer, the next step is to examine the file's _______.
.pst/.ost
In Outlook, you can save sent, draft, deleted, and received e-mails in a(n) ___ file, or you can save offline files in a(n) ___ file.
@
In an e-mail address, everything after the _______ symbol represents the domain name.
data
In macOS, the _______ fork typically contains data the user creates.
logical
In macOS, volumes have allocation blocks and ________ blocks.
Brute-force attacks use every possible letter, number, and character found on a keyboard. These can require a lot of time and processing power. Dictionary attacks use common words found in the dictionary and try them as passwords. Most use a variety of languages.
Briefly describe the differences between brute-force attacks and dictionary attacks to crack passwords.
3G
By the end of 2008, mobile phones had gone through three generations: analog, digital personal communications service (PCS), and ____.
UFED Reader
Cellebrite includes ____, a mobile forensics tool that's often used by law enforcement and the military.
zombies
Machines used on a DDoS are known as _________ simply because they have unwittingly become part of the attack.
Telecommunications Industry Association
Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ____.
Pcap
Most packet analyzer tools can read anything captured in ______ format.
ROM
Nonvolatile memory
diskpart
One way to hide partitions is with the Windows disk partition utility, _______.
warrant
Criminal investigations are limited to finding data defined in the search __________.
hiding
Data ________ involves changing or manipulating a file to conceal information.
A type 1 hypervisor loads on physical hardware and doesn't require a separate OS. These are typically loaded on servers or workstations with a lot of RAM and storage. A type 2 hypervisor rests on top of an existing OS usually in the form of a virtual machine. These are usually the ones you find loaded on a suspect machine.
Describe type 1 and type 2 hypervisors.
The approach you take for a forensics case depends largely on the specific type of case you're investigating because the type of case determines how you conduct your investigation. For example, if you are investigating a criminal case, you would need to obtain a search warrant to retrieve evidence. If you are investigating a civil case, you would need to obtain a court order to retrieve evidence. If you're investigating a suspect for child pornography, you may look for steganography tactics used by the suspect in video, image, and mp3 files. You would not look for steganography if you are viewing text messages or emails in a forensics case.
Describe with examples why the approach you take for a forensics case depends largely on the specific type of case you're investigating.
spoliation
Destroying, altering, hiding, or failing to preserve evidence is known as _____.
client/server architecture
E-mail messages are distributed from a central server to many connected client computers, a configuration called _______.
E3:DS
Paraben Software, a vendor of mobile forensics software, offers several tools, such as ____, for mobile device investigations.
carving
Recovering fragments of a file is called _______.
GSM
SIM cards are usually found in _______ devices and consist of a microprocessor and internal memory.
mbox
Some e-mail systems store messages using flat plaintext files, known as a(n) ____ format.
EDGE
Standard developed specifically for 3G
International Telecommunications Union
The 3G standard was developed by the ____ under the United Nations.
chip-off
The ____ mobile forensics method requires physically removing the flash memory chip and gathering information at the binary level.
hierarchical
The file system for a SIM card is a _______ structure.
configuration
The files that provide helpful information to an e-mail investigation are log files and _______ files.
prefetch
To reduce the time it takes to start applications, Microsoft has created _______ files, which contain the DLL pathnames and metadata used by applications.
Properties
To retrieve e-mail headers in Microsoft Outlook, double-click the e-mail message, and then click File, ____. The "Internet headers" text box at the bottom of the dialog box contains the message header.
Show original
To view Gmail Web e-mail headers, open the e-mail, click the down arrow next to the Reply circular arrow, and click ________.
More
To view e-mail headers on Yahoo! click the ____ list arrow, and click View Raw Message.
True
True or False? A challenge with using social media data in court is authenticating the author and the information.
True
True or False? A honeypot is a computer set up to look like any other machine on your network, but it lures the attacker to it.
False
True or False? A honeywall is a computer set up to look like any other machine on your network, but it lures the attacker to it.
True
True or False? A search warrant can be used in a criminal case but not a civil case.
False
True or False? A search warrant can be used in any kind of case, either civil or criminal.
False
True or False? Because bring your own device (BYOD) has become a business standard, investigators do not need to consider how to keep employees' personal data separate from case evidence.
True
True or False? Because bring your own device (BYOD) has become a business standard, investigators must consider how to keep employees' personal data separate from case evidence.
True
True or False? Evidence artifacts vary depending on the social media channel and the device.
True
True or False? For static acquisitions, remove the original drive from the computer, if practical, and then check the date and time values in the system's BIOS/CMOS.
True
True or False? For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
False
True or False? Gaming consoles such as the Sony PlayStation and Xbox are safe because they don't contain information hackers might try to intercept and collect.
True
True or False? Gaming consoles such as the Sony PlayStation and Xbox might contain information hackers might try to intercept and collect.
True
True or False? If a file contains information, it always occupies at least one allocation block.
True
True or False? If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
False
True or False? Investigating smartphones and other mobile devices is a relatively easy task in digital forensics.
True
True or False? Investigating smartphones and other mobile devices is not a relatively easy task in digital forensics.
True
True or False? Many people store more information on smartphones and tablets than on computers.
False
True or False? Most people do not store more information on smartphones and tablets than on their computers.
False
True or False? Network forensics is a fast, easy process.
True
True or False? Network logs record traffic in and out of a network.
True
True or False? Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data.
False
True or False? Remote acquisitions are often easier because you're usually dealing with large volumes of data.
True
True or False? Remote acquisitions are often more difficult because you're usually dealing with large volumes of data.
True
True or False? Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.
False
True or False? Specially trained system and network administrators are not usually a CSP's first responders.
True
True or False? Specially trained system and network administrators are often a CSP's first responders.
False
True or False? Steganography cannot be used with file formats other than image files.
True
True or False? The internet is the best source for learning more about file formats and their extensions.
True
True or False? The law requires search warrants to contain specific descriptions of what is to be seized. For cloud environments, the property to be seized usually describes data rather than physical hardware, unless the CSP is a suspect.
False
True or False? The law requires search warrants to contain specific descriptions of what is to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect.
False
True or False? Type 2 hypervisors cannot be used on laptops.
False
True or False? Windows OSs do not have a kernel.
True
True or False? With many computer forensics tools, you can open files with external viewers.
True
True or False? You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network).
False
True or False? macOS is built with the new Apple File System (APFS). The current version offers better security, encryption, and performance speeds, but users can't mount HFS+ drives.
syslog.conf
Typically, a UNIX system has a variety of e-mail servers available, so the ____ file specifies where to save different types of e-mail log files.
erasable programmable read-only memory (EEPROM)
Typically, phones store system data in electronically ____, which enables service providers to reprogram phones without having to physically access memory chips.
Multipurpose Internet Mail Extensions (MIME)
Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____ formatting.
You can read the data of files on an NTFS hard drive on an Apple computer, but you cannot write to the NTFS hard drive on an Apple computer. When connecting an HFS+ formatted drive to a Windows computer, Windows will not even let you view the files on the hard drive formatted with an Apple file system.
What compatibility issues exist when connecting an NTFS formatted drive to an Apple computer? What compatibility issues exist when connecting an HFS+ formatted drive to a Windows computer?
EXIF data is metadata from a digital picture. This metadata could be the Date/Time the picture was taken, the Location/GPS of where the picture was taken, the Serial Number of the camera, and the Camera Model used to take the picture. This might be useful to an investigation because it can prove where a suspect was at a certain time or used to disprove a suspect's alibi.
What is Exchangeable Image File (EXIF) data and how might it be useful to an investigation?
Lossy
_______ compression compresses data by permanently discarding bits of information in the file.
Forensic linguistics
_______ trains people to listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question.
Scope creep
________ increases the time and resources needed to extract, analyze, and present evidence.
Vector graphics
_________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
Inodes
_________ contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
Salting passwords
______ alters hash values, which makes cracking passwords more difficult.
Order of volatility
______ determines how long a piece of information lasts on a system.
Network forensics
_______ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
service level agreement (SLA)
A contract between a CSP and the customer that describes what services are being provided and at what level is known as a ____.
Notepad+
After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor, such as Windows ________.
Cloud computing is a computing storage system that provides on-demand network access for multiple users and can allocate storage to users to keep up with changes in their needs. Some challenges you may face when conducting a forensic examination of cloud evidence are architecture, data collection, analysis of cloud forensic data, anti-forensics, incident first responders, role management, legal issues, and standards and training.
What is cloud computing? What are some of the challenges you may face when conducting a forensic examination of cloud evidence?
Steganography is a technique that hides information inside image, video, and mp3 files. The information is hidden in such a way that only the intended recipient knows the information is there. This can affect your investigation because you will have to look through every photo, video, and mp3 file on a suspect hard drive, which can extend the length and time spent on the investigation by a great amount.
What is steganography? How might it affect your investigation?
It is important to look at the email message header because it can reveal important information about the message. The types of information you can find in an email message header are the originating e-mail's IP address, the date and time the message was sent, the filenames of any attachments, and the unique message number (if supplied).
When investigating an email message, why is it important to look at the email message header? What type of information might you find there?
Type 1 hypervisor
Which hypervisor type can be installed directly on hardware and is limited only by the amount of available RAM, storage, and throughput?
Computing as a service
Which of the following is NOT a service level for the cloud?
Virtualization as a service
Which of the following is NOT a service level for the cloud?
D. Seizure Order
Which of the following is NOT one of the five mechanisms the government can use to get electronic information from a provider? A. Search Warrants B. Subpoenas C. Court Orders D. Seizure Order
Infrastructure as a Service (IaaS)
Which of the three cloud service levels allows customers to rent hardware and install whatever OSs and applications they need?
It is useful to conduct a live acquisition because volatile items, such as RAM and running processes, can be retrieved from the suspect computer. When performing a type 1 hypervisor live acquisition, create or download a bootable forensic CD or USB drive; make sure you keep a log of all your actions; send the information you collect to a network drive; copy the physical memory (RAM); and finally, be sure to get a forensic digital hash value of all files you recover during these steps. When performing a type 2 hypervisor live acquisition, you will be dealing with a virtual machine; therefore, make sure snapshots are incorporated.
Why is it useful to conduct a live acquisition? Describe the process of conducting a live acquisition.
snapshots
With cloud systems running in a virtual environment, _________ can give you valuable information before, during, and after an incident.
investigation plan
You begin a digital forensics case by creating a(n) _______.
graphics editors
You use _______ to create, modify, and save bitmap, vector, and metafile graphics.
Social media
___ can contain evidence of cyberbullying and witness tampering.
MOBILedit
____ is a forensics software tool containing a built-in write blocker.
