EXAMS #2 (ch#5-7)


What are the odds of two files having the same CRC (Cyclic Redundancy Check) value?

1 in 4,294,967,296 (4 billion & some change!)

What are the odds of two files having the same MD5 (Message Digest 5) hash value?

1 in approximately 340 billion billion billion billion (2^128, about 3.4 x 10^38).

Why does EnCase use a CRC per block rather than an MD5 per block? Or, when would you use CRC rather than MD5?

1) MD5 involves many more calculations, so computing it for every block would consume far more system resources. 2) CRC is a 32-bit value (8 hex digits), which is much more manageable to store for each block; the MD5 is computed once over all the data.

Each block in the data area is verified with the same CRC. True/False?

1. False (note: each block has its own CRC value)

What are the three categories of Crimes Against the Corporation?

1) Input scams, 2) Output scams and 3) Throughput scams.

Unlike a raw image made under Linux, how is the "bag & tag" information integrated in EnCase?

1. With EnCase, the "bag-and-tag" information is created automatically and integrated into the evidence file while it is created.

What are considered the corporate forms of misconduct?

1. a) Corporate policy violations b) Labor violations c) Concerns about potential liability claims d) Suspected criminal activity e) Employee misconduct relating to computer-use policy violations, including internet and email usage.

How is the evidence file created?

1. a) The header is written first: it is CRC'd and then compressed. b) The data is then read in blocks of 64 sectors (the default block size); a CRC is computed for each block, and an MD5 hash is computed over all of the data as it is read. c) Once all the data has been CRC'd, the acquisition hash is complete and is written at the end of the evidence file. d) After the image is created, the file is added to an open case.

In what cases will you need to "span" another drive to stay consistent?

1. a) If there is no MD5 hash at the end of a file segment (the data continues in the next segment). b) Some drives have the same nominal capacity but not the same number of sectors (note: a larger drive is preferred).

If an attack happens in the company and the attacker turns out to be internal, who are the first and second suspects in this case?

The first are internal employees and the second are temporary employees or contractors.

What is the size of the value produced by the CRC algorithm?

A 32-bit value, displayed as 8 hexadecimal digits.

What is the basic block size or default block size?

64 sectors.

An MD5 hash is displayed as a 32-character hexadecimal string. How many bits does each hexadecimal character represent, and how long is the hash?

4 bits per hexadecimal character, 32 characters (so 4 x 32 = 128 bits). Each hex character is a nibble, not a byte: two hex characters make one byte, so the 128-bit hash is 16 bytes.

A bit can have a binary value of which of the following?

A. 0 or 1 B. 0-9 C. 0-9 and A-F D. On or Off Ans: A) 0 or 1

Which of the following would be a search hit for the following GREP expression? [\x00-\x07]\x00\x00\x00...

A. 00 00 00 01 A0 EE F1 B. 06 00 00 00 A0 EE F1 C. 0A 00 00 00 A0 EE F1 D. 08 00 00 00 A0 EE F1 Ans: B) 06 00 00 00 A0 EE F1

Select all of the following that depict a Dword value.

A. 0000 0001 B. 0001 C. FF 00 10 AF D. 0000 0000 0000 0000 0000 0000 0000 0001 Ans: C) FF 00 10 AF D) 0000 0000 0000 0000 0000 0000 0000 0001

If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?

A. 16 B. 64 C. 128 D. 256 Ans: 256 ( because 2^8 is 2x2x2x2x2x2x2x2 which is equal to 256)

A byte consists of ___ bits.

A. 2 B. 4 C. 8 D. 16 Ans: 8 bits

The MD5 hash algorithm produces a _____ value.

A. 32-bit B. 64-bit C. 128-bit D. 256-bit Ans: C) 128-bit

How many characters can be addressed by the 7-bit ASCII character table?16-bit Unicode?

A. 64 and 256 B. 128 and 256 C. 64 and 65,536 D. 128 and 65,536 Ans: D) 128 and 65,536

What is the smallest file size that an EnCase evidence file can be saved as?

A. 64 sectors B. 512 sectors C. 1 MB D. 30 MB E. 640 MB Ans: D) 30 MB

What is the largest file segment size that an EnCase evidence file can be saved as?

A. 640 MB B. 1 GB C. 2 GB D. 8,796,093,018,112 MB E. No maximum limit Ans: D) 8,796,093,018,112 MB

What is the decimal integer value for the binary code 0000-1001?

A. 7 B. 9 C. 11 D. 1001 Ans: b) 9

Which of the following are untrue with regard to the EnCase Evidence Processor?

A. A device must be acquired first before processing or be acquired as a requisite first step within the EnCase Evidence Processor. B. A live device can be subjected to normal processing by the EnCase Evidence Processor and does not have to be acquired first. C. Items marked with red flags denote items that are not applicable to the file system being processed. D. Items marked with red flags denote items that must be run during the first or initial run of the EnCase Evidence Processor and can't be run in any subsequent run thereafter. E. A raw keyword search can be conducted during processing by the EnCase Evidence Processor. Ans: B and C. B contradicts A: a device must be acquired before it can be fully processed. C is wrong because red flags mark items that must be run in the first pass of the Evidence Processor (as D states), not items inapplicable to the file system.

The EnCase evidence file is best described as follows:

A. A mirror image of the source device written to a hard drive B. A sector-by-sector image of the source device written to corresponding sectors of a secondary hard drive C. A bitstream image of a source device written to the corresponding sectors of a secondary hard drive D. A bitstream image of a source device written to a file or several file segments Ans: D) A bitstream image of a source device written to a file or several file segments. (Option C describes restoring an image onto a drive, not the evidence file; the evidence file is a container made of one or more file segments, as the segment-size cards show.)

Which of the following will not be a search hit for the following GREP expression? [^#]123[ \-]45[ \-]6789[^#]

A. A1234567890 B. A123 45-6789 C. A123-45-6789 D. A123 45 6789 Ans: A) A1234567890

Which of the following is not correct regarding EnCase 7 index searches?

A. Before searching, the index must first be created using the Create Index EnScript. B. Before searching, the index must first be created using the EnCase Evidence Processor. C. All queries are case insensitive regardless of any switches or settings, because that is the nature of all indexed searches. D. By default, queries are case insensitive but can be configured to be case sensitive. E. A query for any word in the noise file will not return any items as all words in the noise file are ignored and excluded from the index. Ans: A) Before searching, the index must first be created using the Create Index EnScript. (note: an index is required before searching, but in EnCase 7 it is created by the EnCase Evidence Processor.)

During reacquisition, you can change which of the following? (Choose all that apply.)

A. Block size and error granularity B. Add or remove a password C. Investigator's name D. Compression E. File segment size Ans: A, B, D and E. The investigator's name, like the evidence number and notes, is part of the case information in the header and cannot be changed by reacquiring (see the card on which aspects of the evidence file can be changed during reacquisition).

How does EnCase verify that the evidence file contains an exact copy of the source device?

A. By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the data stored in the evidence file B. By comparing the CRC value of the source device to the CRC of the data stored in the evidence file C. By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the entire evidence D. By comparing the CRC value of the source device to the CRC value of the entire evidence file Ans: A) By comparing the MD5 hash value (alternatively SHA-1 or both) of the source device to the MD5 hash value (alternatively SHA-1 or both) of the data stored in the evidence file.

How is the Disk view launched?

A. By simply switching to the Disk view tab on the Table pane B. By launching it from the Device menu C. By right-clicking the device and choosing Open With Disk Viewer D. None of the above Ans: B) By launching it from the Device menu

Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z]

A. Elizabeth B. Lizzy C. Liz1 D. None of the above Ans: C) Liz1
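The three GREP cards above can be checked mechanically. The following is an added example, not code from the page or from EnCase: EnCase GREP uses \xNN byte escapes, [...] and [^...] classes and "." for any byte, with the same meaning as Python's re module applied to bytes, which is all the script relies on. Two assumptions are built in: a raw-search hit is found inside a data stream, so each candidate is wrapped in one padding byte on either side to stand in for its neighbours (the hex candidates are padded with 0xFF so the padding itself can never hit); and the keyword is evaluated case-sensitively, which EnCase treats as a per-keyword option. The trailing "..." on the hex card is read as three any-byte wildcards, which makes the expression 7 bytes long, the same length as the candidates.

```python
"""Evaluate EnCase-style GREP keyword expressions against candidate byte strings.

Added illustration, not EnCase code. Relies only on Python's `re` over bytes,
whose \\xNN escapes, [...] / [^...] classes and '.' match EnCase GREP semantics.
Assumptions: hits are found inside a data stream (so candidates are padded on
both sides) and matching is case-sensitive.
"""
import re


def grep_hits(pattern: bytes, candidates: dict, pad: bytes = b" ") -> list:
    """Labels of the candidates that the GREP expression hits, in dict order."""
    rx = re.compile(pattern, re.DOTALL)   # DOTALL: '.' matches any byte, 0x0A too
    return [label for label, data in candidates.items()
            if rx.search(pad + data + pad)]


# Exam card: [\x00-\x07]\x00\x00\x00... (a 4-byte little-endian value 0..7
# followed by any three bytes). Candidates constructed from the card.
HEX_PATTERN = rb"[\x00-\x07]\x00\x00\x00..."
HEX_CANDIDATES = {
    "A": bytes.fromhex("00 00 00 01 A0 EE F1"),
    "B": bytes.fromhex("06 00 00 00 A0 EE F1"),
    "C": bytes.fromhex("0A 00 00 00 A0 EE F1"),
    "D": bytes.fromhex("08 00 00 00 A0 EE F1"),
}

# Exam card: [^#]123[ \-]45[ \-]6789[^#] (an SSN-like number whose groups are
# separated by a space or a hyphen, and not bounded by '#').
SSN_PATTERN = rb"[^#]123[ \-]45[ \-]6789[^#]"
SSN_CANDIDATES = {
    "A": b"A1234567890",
    "B": b"A123 45-6789",
    "C": b"A123-45-6789",
    "D": b"A123 45 6789",
}

# Exam card: [^a-z]Liz[^a-z] ("Liz" not embedded in a longer lower-case word).
LIZ_PATTERN = rb"[^a-z]Liz[^a-z]"
LIZ_CANDIDATES = {"A": b"Elizabeth", "B": b"Lizzy", "C": b"Liz1"}


if __name__ == "__main__":
    print("hex hits:", grep_hits(HEX_PATTERN, HEX_CANDIDATES, pad=b"\xff"))
    print("ssn hits:", grep_hits(SSN_PATTERN, SSN_CANDIDATES))
    print("Liz hits:", grep_hits(LIZ_PATTERN, LIZ_CANDIDATES))
```

Running it reproduces the three answer keys (B; B, C and D; C). The padding matters: "Liz1" on its own has no byte before the L, and the expression needs one, which is why a GREP keyword of this shape only makes sense as a raw search over a stream rather than a match against an isolated string.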

What happens when EnCase attempts to reopen a case once the evidence file has been moved?

A. EnCase reports that the file's integrity has been compromised and renders the file useless. B. EnCase reports a different hash value for the evidence file. C. EnCase prompts for the location of the evidence file. D. EnCase opens the case, excluding the moved evidence file. Ans: C) EnCase prompts for the location of the evidence file.

If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered?

A. EnCase will detect the error when that area of the evidence file is accessed by the user. B. EnCase will detect the error only if the evidence file is manually reverified. C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed, but will not allow access to the corrupted or changed block. D. All of the above. Ans: B) EnCase will detect the error only if the evidence file is manually reverified (note: in lab 6, we had to manually reverify the evidence file to find the error)

How does EnCase verify the contents of an evidence file, using the default settings?

A. EnCase writes an MD5 and/or SHA-1 hash value for every 32 sectors copied. B. EnCase writes an MD5 and/or SHA-1 value for every 64 sectors copied. C. EnCase writes a CRC value for every 32 sectors copied. D. EnCase writes a CRC value for every 64 sectors copied. Ans: D) EnCase writes a CRC value for every 64 sectors copied.

When EnCase 7 is used to create a new case, which files are created automatically in the case folder under the folder bearing the name of the case?

A. Evidence, Export, Temp, and Index folders B. Export, Temp, and Index folders C. Email, Export, Tags, and Temp D. Evidence, Email, Tags, and Temp Ans: C) Email, Export, Tags, and Temp

Which of the following is true about the Gallery view?

A. Files that are determined to be images by their file extension will be displayed. B. Files that are determined to be images based on file signature analysis will be displayed after the EnCase evidence processor has been run. C. Files displayed in the Gallery view are determined by where you place the focus in the Tree pane or where you activate the Set-Included Folders feature. D. All of the above. Ans: B) Files that are determined to be images based on file signature analysis will be displayed after the EnCase evidence processor has been run.

What does the Gallery view tab use to determine graphics files?

A. Header or file signature B. File extension C. Filename D. File size Ans: B) File extension, until a file signature analysis has been run; after that the File Category is set from the file header, so a picture renamed to .txt still appears in the Gallery.

When the letter A is represented as 41h, it is displayed in which of the following?

A. Hexadecimal B. ASCII C. Binary D. Decimal Ans: A) Hexadecimal

Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?

A. Hexadecimal B. ASCII C. Binary D. FAT Ans: C) Binary

How would a user reverse-sort on a column in the Table view?

A. Hold down the Ctrl key, and double-click the selected column header. B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending. C. Both A and B. Ans: C) Both A and B.

In the EnCase environment, the term external viewers is best described as which of the following?

A. Internal programs that are copied out of an evidence file B. External programs loaded in the evidence file to open specific file types C. External programs that are associated with EnCase to open specific file types D. External viewers used to open a file that has been copied out of an evidence file Ans: C) External programs that are associated with EnCase to open specific file types. (Nothing is ever loaded into the evidence file; an external viewer is launched on a copy of the file that EnCase writes to its Temp folder.)

Which of the following aspects of the EnCase evidence file can be changed during a reacquisition of the evidence file?

A. Investigator's name B. Evidence number C. Notes D. Evidence file size E. All of the above Ans: D) Evidence file size. The case information in the header (investigator's name, evidence number, notes) is preserved; reacquisition only changes how the same data is stored, which is why it is well suited to making a duplicate.

When creating a new case, the Case Options dialog box prompts for which of the following?

A. Name (case name) B. Examiner name C. Base case folder path D. Primary evidence cache path E. All of the above Ans: E) All of the above.

An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?

A. Navigation Data on status bar B. Dixon box C. Disk view D. Hex view Ans: A) Navigation Data on status bar.

Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt?

A. No, because EnCase will treat it as a text file B. Yes, because the Gallery view looks at a file's header information and not the file extension C. Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its file header information D. Yes, but only after a hash analysis is performed to determine the file's true identity Ans: C) Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its File Header Information.

With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans in non-contiguous clusters?

A. No, because the letters are located in non-contiguous clusters. B. No, EnCase performs a physical search only. C. No, unless the File Slack option is deselected in the dialog box before the search. D. Yes, EnCase performs both physical and logical searches. Ans: D) Yes, EnCase performs both physical and logical searches.

An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM?

A. No. All evidence file segments must be put back together. B. Yes. Any evidence file segment can be verified independently by comparing the CRC values. Ans: B) Yes. Any evidence file segment can be verified independently by comparing the CRC values.

From the EnCase 7 Home screen, which of the following cannot be carried out?

A. Opening a case B. Creating a new case C. Opening options D. Generating an encryption key E. None of the above Ans: E) None of the above

How can you hide a column in the Table view?

A. Place the cursor on the selected column, and press Ctrl+H. B. Place cursor on the selected column, open Columns menu on the toolbar, and select Hide. C. Place cursor on the selected column, open the right-side menu, open the Columns sub-menu, and select Hide. D. Open the right-side menu, open the Columns E. All of the above Ans: E) All of the above

Which of the following would be a search hit for the following index search expression? <c>Saddam npre/3 Hussein.

A. Saddam Alfonso Adolph Cano Hitler Hussein B. saddam alfonso adolph cano hitler hussein C. Saddam Alfonso Hussein Adolph Cano Hitler D. saddam alfonso hussein adolph cano hitler E. Hussein Hitler Cano Adolph Alfonso Saddam F. None of the above Ans: B) saddam alfonso adolph cano hitler hussein

When EnCase sends a file to an external viewer, to which folder does it send the file?

A. Scratch B. Export C. Temp D. None of the above Ans: c) Temp

How do you access the setting to adjust how often a backup file (.cbak) is saved?

A. Select Tools > Options > Case Options. B. Select View > Options > Case Options. C. Select Tools > Options > Global. D. Select View > Options > Global. Ans: C) Select Tools > Options > Global.

A sweep or highlight of a specific range of text is referred to as which of the following?

A. Table view bookmark B. Single item bookmark C. Highlighted data bookmark D. Notable file bookmark E. Notes bookmark Ans: C) Highlighted data bookmark (specific means highlighted)

For an EnCase evidence file to successfully pass the file verification process, which of the following must be true?

A. The MD5 hash value (alternatively SHA-1 or both) must verify. B. The CRC values and the MD5 hash value (alternatively SHA-1 or both) both must verify. C. Either the CRC or MD5 hash values (alternatively SHA-1 or both) must verify. D. The CRC values must verify. Ans: B) The CRC values and the MD5 hash value (alternatively SHA-1 or both) both must verify.

Regarding the EnCase backup process (EnCase 7.04 and newer), which of the following are true?

A. The case file backup is stored with a .cbak extension. B. By default, the backup frequency is every 30 minutes after completion of the previous backup. C. The evidence cache and the case folder are backed up, except for EnCase evidence files and the Temp and Export folders. D. All of the above are correct E. Only B and C are correct. Ans: E) Only B & C are correct.

How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in an evidence file has not been damaged or altered after the evidence file has been written?

A. The case file writes a CRC value for the case information and verifies it when the case is opened. B. EnCase does not verify the case information, because it can be changed at any time. C. EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case. D. EnCase writes an MD5 value of the case information and verifies the MD5 value when the evidence is added to a case. Ans: C) EnCase writes a CRC value for the case information & verifies the CRC value when the evidence is added to a case.

When performing a keyword search in Windows, EnCase searches which of the following?

A. The logical files B. The physical disk in unallocated clusters and other unused disk areas C. Both A and B D. None of the above Ans: C) Both A & B

Where is the list of external viewers kept within EnCase?

A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the EXTERNALVIEWERS.CFG file D. The settings in the VIEWERS.INI file Ans: D) The settings in the VIEWERS.INI file (note: the list of installed external viewers lives in VIEWERS.INI; FILETYPES.INI is what associates a file type with the action taken on double-click, see the next card).

What determines the action that will result when a user double-clicks a file within EnCase?

A. The settings in the TEXTSTYLES.INI file B. The settings in the FILETYPES.INI file C. The settings in the FILESIGNATURES.INI file D. The settings in the VIEWERS.INI file Ans: B) The settings in the FILETYPES.INI file

How would a user change the default colors and text fonts within EnCase?

A. The user cannot change the default colors and fonts settings. B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling down to Change Colors and Fonts. C. The user can change the default colors and fonts settings by clicking the View tab on the menu bar and selecting the Colors tab or Fonts tab. D. The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab. Ans: D) The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab.

All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following?

A. To further the investigator's understanding of the evidence file B. To give more weight to the investigator's testimony in court C. To verify that all hardware and software is functioning properly D. All of the above Ans: D) all of the above.

What is the maximum number of columns that can be sorted simultaneously in the Table view tab?

A. Two B. Three C. Six D. 28 (maximum number of tabs) Ans: C) Six

Will EnCase allow a user to write data into an acquired evidence file?

A. Yes, when adding notes or comments to bookmarks. B. Yes, when adding search results. C. A and B. D. No, data cannot be added to the evidence file after the acquisition is made. Ans: D) No, data cannot be added to the evidence file after the acquisition is made.

Which of the following would be a raw search hit for the His keyword?

A. this B. His C. history D. [email protected] E. All of the above Ans: E) All of the above.

Give some examples of cyberslacking!

All the forms of misuse, such as sending personal email, using social networking sites, reading online newspapers, trading stocks online, shopping online, online chatrooms, watching TV, job searches, pornography, etc.

What does encryption provide if hashing provides integrity?

Confidentiality

By default, search terms are case sensitive. TRUE/FALSE

FALSE (note: search terms are not case sensitive unless you select that option; EnCase does not make search terms case sensitive automatically)

The Ex01 evidence file format consists of three parts, which are the Ev2 Header, Data, and CRC record block. TRUE/FALSE?

FALSE (reason: the three components are the Ev2 header, the data blocks and the link record. There is no separate "CRC record block": each data block carries its own CRC, and the acquisition hash sits in the metadata of the final segment. Only the first segment has a header; subsequent segments do not.)

A CRC value is written for every 64 sectors. True or false?

True by default: 64 sectors is the default block size, and one CRC is written per block. The block size can be changed at acquisition or reacquisition, so an evidence file may carry CRCs at a different interval (for example every 128 sectors). That's a warning to investigators: check the block size of the file you are examining rather than assuming 64!

Where is the OS under which the acquisition took place recorded?

In the header.

What are the 3 components of evidence file?

Header / Data Blocks / Link Record

Where is the date/time of acquisition, notes, evidence name & number located?

Header.

In order to speed up the acquisition, is it a good idea to increase the block size or decrease it?

Increase the block size to speed up the acquisition (fewer CRCs to compute and store). The trade-off is coarser verification: a single CRC failure then flags a larger block of data as unverified.

What happens in output scams? What kind of data is used?

An individual uses company-owned data for personal gain.

What are throughput scams?

An individual commits crimes against business computers (for example, as in the film Office Space, small amounts of money are siphoned off electronically).

Embezzlement and money laundering are what type of crime against the corporation?

Input scams (note: data entered into a computer database is altered, deleted or fabricated) {note: Embezzlement is the act of withholding assets for the purpose of conversion (theft) of those assets, by one or more persons to whom the assets were entrusted, either to be held or to be used for specific purposes.}

Which algorithm is the industry standard in the computer forensics field for verifying the integrity of files and data streams?

MD5 (because if two files have different hash values their contents are different, and, given the odds above, two files with the same hash value are treated as having identical contents). Caveat: MD5 collisions can now be constructed deliberately, which is one reason EnCase also lets you compute SHA-1 alongside or instead of MD5.

What is part of the metadata contained in the final segment?

The MD5 hash (note: once you see the MD5 value, you know it is the end of the evidence file).

Do all subsequent evidence file segments require a header?

NO! Only one header is required, in the first segment.

How would you determine that the acquisition hash has been completed?

Once all the data has been CRC'd and no more data remains to process.

Other than the bit-for-bit copy, what other information does the evidence file contain?

Other information that serves to "bag & tag" the evidence and preserve the chain of custody.

Does EnCase support SHA-1?

SHA-1 produces a 160-bit value and is supported by EnCase like MD5 (you may calculate both, or either one).

What is the purpose of compressing the header after it is CRC'd?

It saves space and removes the ability to alter the clear-text data. (The header is placed at the front of the evidence file.)

An evidence file can be moved to another directory without changing the file verification. TRUE/FALSE

TRUE

By selecting the Unicode box for a raw search, EnCase searches for both ASCII and Unicode formats. TRUE/FALSE

TRUE

The EnCase evidence file's logical filename can be changed without affecting the verification of the acquired evidence. TRUE/ FALSE?

TRUE

True or false? The right-side menu is a collection of the menus and tools found on its toolbar.

TRUE

True or false? The results of conditions and filters are seen immediately in the Table pane of the Evidence tab Entries view.

TRUE ( click the results tab)

When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files. TRUE/FALSE

TRUE (reason: the acquisition and verification hashes are computed over the data only, not over the evidence file container, so compressing the stored data does not change them; compression only saves space.)
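The cards on how the evidence file is built, the CRC per block, the MD5 over the data, the effect of block size, and the compression card just above all describe one verification model. The script below is an added example, not EnCase code and not the Ex01 format: it does not reproduce the header, link record or error granularity, only the block-CRC plus stream-hash checking the cards describe. The 1000-sector "device" is constructed filler; block size and sector size are parameters so the 64-sector default and a 128-sector alternative can be compared.

```python
"""Model of how an EnCase evidence file is checked: a CRC-32 for every block of
sectors plus one MD5 (and optionally SHA-1) over the whole data stream.

Added illustration, not EnCase code. The Ex01 container (header, link record,
compression, error granularity) is not reproduced; only the block-CRC +
stream-hash verification model from the flashcards is.
"""
import hashlib
import zlib

SECTOR = 512            # bytes per sector
DEFAULT_BLOCK = 64      # EnCase default block size, in sectors


def acquire(device: bytes, block_sectors: int = DEFAULT_BLOCK) -> dict:
    """Emulate acquisition: CRC each block of `block_sectors` sectors as it is
    read, and hash the whole data stream once (the acquisition hash)."""
    block_len = block_sectors * SECTOR
    blocks = [device[i:i + block_len] for i in range(0, len(device), block_len)]
    return {
        "block_sectors": block_sectors,
        "data": device,                                   # the data area
        "crcs": [zlib.crc32(b) & 0xFFFFFFFF for b in blocks],
        "md5": hashlib.md5(device).hexdigest(),           # over the data only
        "sha1": hashlib.sha1(device).hexdigest(),
    }


def verify(ev: dict) -> dict:
    """Re-run both checks. A CRC mismatch localises damage to one block; the
    stream hash covers the whole data area. Both must pass to verify."""
    block_len = ev["block_sectors"] * SECTOR
    data = ev["data"]
    bad_blocks = [
        n for n, crc in enumerate(ev["crcs"])
        if (zlib.crc32(data[n * block_len:(n + 1) * block_len]) & 0xFFFFFFFF) != crc
    ]
    md5_ok = hashlib.md5(data).hexdigest() == ev["md5"]
    sha1_ok = hashlib.sha1(data).hexdigest() == ev["sha1"]
    return {
        "bad_blocks": bad_blocks,
        "md5_ok": md5_ok,
        "sha1_ok": sha1_ok,
        "verified": not bad_blocks and md5_ok and sha1_ok,
    }


def tamper(ev: dict, offset: int) -> dict:
    """Copy of the evidence with one byte of the data area flipped, standing in
    for an edit or media error that happens after acquisition."""
    data = bytearray(ev["data"])
    data[offset] ^= 0xFF
    altered = dict(ev)
    altered["data"] = bytes(data)
    return altered


def recompressed_hash(ev: dict) -> str:
    """MD5 after a round trip through compression: unchanged, because the
    acquisition hash covers the data, not the container it is stored in."""
    return hashlib.md5(zlib.decompress(zlib.compress(ev["data"]))).hexdigest()


if __name__ == "__main__":
    # Constructed sample "device": 1000 sectors of deterministic filler bytes.
    device = bytes((i * 31 + 7) & 0xFF for i in range(1000 * SECTOR))
    ev = acquire(device)
    print("blocks:", len(ev["crcs"]), "verified:", verify(ev)["verified"])
    # Flip one byte in sector 200: block 3 with 64-sector blocks, block 1 with 128.
    print("after tamper:", verify(tamper(ev, 200 * SECTOR + 5)))
    print("after tamper, 128-sector blocks:",
          verify(tamper(acquire(device, 128), 200 * SECTOR + 5))["bad_blocks"])
    print("hash survives compression:", recompressed_hash(ev) == ev["md5"])
```

The run shows the three points the cards make: a single flipped byte fails exactly one CRC (block 3 of 16 at the default size, block 1 of 8 at 128 sectors, so a larger block speeds acquisition at the cost of coarser localisation), the MD5 and SHA-1 over the data fail too, so the file does not verify until it matches on both, and compressing the stored data leaves the hash untouched.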

What is the meaning of CYBERSLACKING?

The misuse of computer privileges by employees that results in financial loss, reduction of productivity, wasted resources and unnecessary business interruptions.

Who can report misconduct in the company that could initiate a corporate investigation of the allegations?

Whistleblowers, Senior Management, Board members, Employees, Vendors, Contractors, Suppliers, Media, Auditors, Compliance Officers, Police, Government agencies & competitors.

In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine? YES or NO?

YES!! (open case, add evidence)

Does the verification of the file occur automatically?

Yes, verification runs automatically when the evidence file is added to a case. If the file is altered afterwards you must manually reverify it, as in lab 6, where clicking the data integrity section to reverify the duplicate file showed that the acquisition MD5 and the verification MD5 differed; a mismatch is how you know the copy is not identical to the original.

What is the process of investigation preparation?

a) Identify the purpose of the investigation. b) Identify the resources to conduct the investigation. c) Decide whether to use internal or external forensic examiners, or law enforcement.

What comes after the completion of the acquisition hash?

The acquisition hash is written to the end of the evidence file.

After the case file is created, what do you choose?

file name & the storage path

Give examples of crimes for the corporation.

inflating sales, underestimating expenses, over stating assets, investment fraud such as Ponzi schemes, price fixing etc...

Over what is the MD5 calculated?

only on the DATA

Where is the evidence placed in EnCase?

self-authenticating evidence container (note: this helps preserve the integrity of the evidence)

When is an error reported during verification process?

when the block is not verified.

