Final Forensics Study
On a Macintosh, the __________ directory is where configuration files are located.
/etc
The total number of possible keys for Data Encryption Standard (DES) is _________, which a modern computer system can break in a reasonable amount of time.
56
Describe how magic files/databases are used in Forensics?
A Magic file/database contains signatures for files. One method of determining the files is to look for standard signatures, normally using standard sequences at the start of the file. The magic database was used by the FileD program that was used to identify the type of file in the homework exercise.
__________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site.
A denial of service (DoS) attack
What is the definition of hash?
A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions
What is meant by symmetric cryptography?
A method in which the same key is used to encrypt and decrypt plaintext
What is Internet Message Access Protocol (IMAP)?
A protocol used to receive email that works on port 143
What is meant by distributed denial of service (DDoS) attack?
An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service
__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it.
Asymmetric cryptography
__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.
Bit-level information
Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?
Boot the test system from its own internal drive
Linux offers many different shells. Each shell is designed for a different purpose. __________ is the most commonly used shell in Linux.
Bourne-again shell
John the ripper
Command line password cracker
The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications.
Communications Assistance for Law Enforcement Act of 1994
The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
Computer Security Act of 1987
RFC 3864 describes message header field names. Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type, refers to which header field?
Content-Type
Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway?
Cross-site scripting (XSS)
The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.
Crss.exe
What term describes a method of using techniques other than brute force to derive a cryptographic key?
Cryptanalysis
A suspect stores data where an investigator is unlikely to find it. What is this technique called?
Data hiding
The distribution of illegally copied materials via the Internet is known as __________.
Data piracy
Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________.
Digital Forensic Research Workshop (DFRWS) framework
The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files.
EnCase
The __________ is used primarily with computers that have an Intel-based processor. It requires Mac OS X v10.4 or later.
GUID Partition Table
__________ is a Windows file that is an interface for hardware.
Hal.dll
What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?
Host protected area (HPA)
What is NOT true of random access memory (RAM)?
It cannot be changed.
__________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.
Journaling
__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget.
Kali Linux
What name is given to a method of attacking polyalphabetic substitution ciphers? This method can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher.
Kasiski examination
What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse?
Live system forensics
What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system?
Logical analysis
What is the definition of stack (S)?
Memory that is allocated based on the last-in, first-out (LIFO) principle
What term describes data about information, such as disk partition structures and file tables?
Metadata
ADS is the ability to fork file data into existing files without affecting their functionality, size or display to traditional file browsing utilities. It is found in which of the following file systems.
NTFS
What common email header field is commonly used with the values "bulk," "junk," or "list"; or used to indicate that automated "vacation" or "out of office" responses should not be returned for the mail?
Precedence
Priyanka is a forensic investigator. She is at an office where a Macintosh computer was used in a suspected crime. The computer is still running. Priyanka wants to image the disk before transporting the computer to the forensic lab. She also wants to avoid accidentally altering information on the computer's hard disk. What should she do first?
Put the computer in Target Disk Mode.
The __________ cipher is a single-alphabet substitution cipher that is a permutation of the Caesar cipher. All characters are rotated 13 characters through the alphabet.
ROT13
__________ is perhaps the most widely used public key cryptography algorithm in existence today.
RSA
What common email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order?
Received
__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.
Rules of evidence
Which of the following BEST defines rules of evidence?
Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury
The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.
Sarbanes-Oxley Act of 2002
The Windows __________ log contains successful and unsuccessful logon events.
Security
What name is given to a protocol used to send email that works on port 25?
Simple Mail Transfer Protocol (SMTP)
What is a type of targeted phishing attack in which the criminal targets a specific group; forexample, IT staff at a bank?
Spear phishing
In the Mark Sievers trial, the forensics examiner from the sheriffs office identified several specific pieces of evidence and what she did with the evidence. Identify at least four pieces of evidence that were discussed.
Specific evidence would identify additional details (e.g. samsung phone, use of gps, toshiba laptop, to and from, type of message-sms, description of recording- where obtained, etc.
__________ involves making an email message appear to come from someone or someplace other than the real sender or location.
Spoofing
OpenPuff
Steganography and watermarking tool
__________ is a term that refers to hiding messages in sound files.
Steganophony
What term describes data that an operating system creates and overwrites without the computer user directly saving this data?
Temporary data
Marty is investigating the computer of a cyberstalking suspect. He wanted to check the suspect's browsing history in Microsoft Internet Explorer but it had already been erased. Where else can he look on the computer for browsing history information?
The index.dat file
Identify the most recent and widely used file systems for Linux, Mac, and Windows environments.
The most widely used/current file systems include: NTFS -Windows, APFS for Mac, and Ext4 for Linux
Identify the two of the four components of the of the organizational structures on the NFTS volume.
The organization of a NFTS volume includes: NFTS Boot structure Master File Table File System Data Master File Table Copy
SANS suggests that Memory Analysis can generally be accomplished in six steps. Identify four of the six steps identified by SANs.
The six steps identified by SANS from the pocket reference guide in Canvas include: 1. Identify rogue processes 2. Analyze Process DLLs and Handles 3. Review Network Artifacts 4. Look for evidence of code injection 5. Check for signs of a rootkit 6. Extract processes, drivers, and objects.
Identify the steps in the Autopsy process/workflow.
The steps in the Autopsy workflow (in sequence) include: 1. Create a case 2. Add a data source 3. Analyze with ingest modules 4. Manual analysis and tagging 5. Report generation
Early in the examination of the forensics examiner from the Sheriffs office, the examiner was asked questions that were designed to establish her credibility. Describe how her credibility was established ( at least two examples).
They could also use the daubert standard.
The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called:
Three-way handshake
When gathering systems evidence, what is NOT a common principle?
Trust only virtual evidence.
What kind of data changes rapidly and may be lost when the machine that holds it is powered down?
Volatile data
__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.
Volatile memory analysis
Ophcrack
Windows based password cracker using rainbow tables
When attempting to recover a failed drive, which of the following is NOT true?
You should connect the failed drive to a test system and make the failed drive bootable.
How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.
a forensic analysis plan
A system that monitors network traffic looking for suspicious activity is __________.
an IDS
A(n) __________ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address.
anonymizer
Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.
bit-level tools
Linux is often used on embedded systems. In such cases, when the system is first powered on, the first step is to load the __________.
bootstrap environment
The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.
chain of custody
The file allocation table is a list of entries that map to each __________ on the disk partition.
cluster
The two NTFS files of most interest to forensics are the Master File Table (MFT) and the __________.
cluster bitmap
Sleuthkit
command line tools to analyze disk images
Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.
data consistency
The term ______ refers to testimony taken from a witness or party to a case before a trial.
deposition
Any attempt to gain financial reward through deception is called ______.
fraud
Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.
life span
Malware that executes damage when a specific condition is met is the definition of __________.
logic bomb
In Mac OS X, the __________ shell command lists the current device files that are in use.
ls /dev/disk?
The Windows program that handles security and logon policies is __________.
lsass.exe
Which of the following is not an ingest module from the Autopsy software ?
metadata parser
Which of the following tools does not detect or allow for the identification of a steganized file?
openstego
An MD5 hash taken when a computer drive is acquired is used to check for all of the following except:
ownership
Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.
physical analysis
PSIclone provides a number of functions useful in digital forensics. Which of the following is not a function provided by the device?
recording
Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code?
scalpel
All of the following statements are true about ADS except:
streams can be attached to only to files
If you type the __________ command at the Linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges.
su
In Mac OS X, the __________ shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.
system_profiler SPHardwareDataType
The type of medium used to hide data in steganography is referred to as __________. This may be a photo, video, sound file, or Voice over IP, for example.
the channel