Final Forensics Study

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

On a Macintosh, the __________ directory is where configuration files are located.

/etc

The total number of possible keys for Data Encryption Standard (DES) is _________, which a modern computer system can break in a reasonable amount of time.

56

Describe how magic files/databases are used in Forensics?

A Magic file/database contains signatures for files. One method of determining the files is to look for standard signatures, normally using standard sequences at the start of the file. The magic database was used by the FileD program that was used to identify the type of file in the homework exercise.

__________ is designed to render a target unreachable by legitimate users, not to provide the attacker access to the site.

A denial of service (DoS) attack

What is the definition of hash?

A function that is nonreversible, takes variable-length input, produces fixed-length output, and has few or no collisions

What is meant by symmetric cryptography?

A method in which the same key is used to encrypt and decrypt plaintext

What is Internet Message Access Protocol (IMAP)?

A protocol used to receive email that works on port 143

What is meant by distributed denial of service (DDoS) attack?

An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service

__________ is cryptography wherein two keys are used: one to encrypt the message and another to decrypt it.

Asymmetric cryptography

__________ is information at the level of 1s and 0s stored in computer memory or on a storage device.

Bit-level information

Paige is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next?

Boot the test system from its own internal drive

Linux offers many different shells. Each shell is designed for a different purpose. __________ is the most commonly used shell in Linux.

Bourne-again shell

John the ripper

Command line password cracker

The __________ is a federal wiretap law for traditional wired telephony that was expanded to include wireless, voice over internet protocol (VoIP), and other forms of electronic communications.

Communications Assistance for Law Enforcement Act of 1994

The __________ was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

Computer Security Act of 1987

RFC 3864 describes message header field names. Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type, refers to which header field?

Content-Type

Ben was browsing reviews on a sporting goods website from which he purchased items in the past. He saw a comment that read "Great price on camping gear! Read my review." When he clicked the associated link, a new window appeared and prompted him to log in again. What type of attack is most likely underway?

Cross-site scripting (XSS)

The program that handles tasks like creating threads, console windows, and so forth in Windows is __________.

Crss.exe

What term describes a method of using techniques other than brute force to derive a cryptographic key?

Cryptanalysis

A suspect stores data where an investigator is unlikely to find it. What is this technique called?

Data hiding

The distribution of illegally copied materials via the Internet is known as __________.

Data piracy

Identification, preservation, collection, examination, analysis, and presentation are six classes in the matrix of the __________.

Digital Forensic Research Workshop (DFRWS) framework

The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files.

EnCase

The __________ is used primarily with computers that have an Intel-based processor. It requires Mac OS X v10.4 or later.

GUID Partition Table

__________ is a Windows file that is an interface for hardware.

Hal.dll

What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format?

Host protected area (HPA)

What is NOT true of random access memory (RAM)?

It cannot be changed.

__________ is the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered.

Journaling

__________ is a Linux Live CD that you use to boot a system and then use the tools. It is a free Linux distribution, making it attractive to schools teaching forensics or laboratories on a strict budget.

Kali Linux

What name is given to a method of attacking polyalphabetic substitution ciphers? This method can be used to deduce the length of the keyword used in a polyalphabetic substitution cipher.

Kasiski examination

What is the process of searching memory in real time, typically for working with compromised hosts or to identify system abuse?

Live system forensics

What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system?

Logical analysis

What is the definition of stack (S)?

Memory that is allocated based on the last-in, first-out (LIFO) principle

What term describes data about information, such as disk partition structures and file tables?

Metadata

ADS is the ability to fork file data into existing files without affecting their functionality, size or display to traditional file browsing utilities. It is found in which of the following file systems.

NTFS

What common email header field is commonly used with the values "bulk," "junk," or "list"; or used to indicate that automated "vacation" or "out of office" responses should not be returned for the mail?

Precedence

Priyanka is a forensic investigator. She is at an office where a Macintosh computer was used in a suspected crime. The computer is still running. Priyanka wants to image the disk before transporting the computer to the forensic lab. She also wants to avoid accidentally altering information on the computer's hard disk. What should she do first?

Put the computer in Target Disk Mode.

The __________ cipher is a single-alphabet substitution cipher that is a permutation of the Caesar cipher. All characters are rotated 13 characters through the alphabet.

ROT13

__________ is perhaps the most widely used public key cryptography algorithm in existence today.

RSA

What common email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order?

Received

__________ govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

Rules of evidence

Which of the following BEST defines rules of evidence?

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury

The __________ contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

Sarbanes-Oxley Act of 2002

The Windows __________ log contains successful and unsuccessful logon events.

Security

What name is given to a protocol used to send email that works on port 25?

Simple Mail Transfer Protocol (SMTP)

What is a type of targeted phishing attack in which the criminal targets a specific group; forexample, IT staff at a bank?

Spear phishing

In the Mark Sievers trial, the forensics examiner from the sheriffs office identified several specific pieces of evidence and what she did with the evidence. Identify at least four pieces of evidence that were discussed.

Specific evidence would identify additional details (e.g. samsung phone, use of gps, toshiba laptop, to and from, type of message-sms, description of recording- where obtained, etc.

__________ involves making an email message appear to come from someone or someplace other than the real sender or location.

Spoofing

OpenPuff

Steganography and watermarking tool

__________ is a term that refers to hiding messages in sound files.

Steganophony

What term describes data that an operating system creates and overwrites without the computer user directly saving this data?

Temporary data

Marty is investigating the computer of a cyberstalking suspect. He wanted to check the suspect's browsing history in Microsoft Internet Explorer but it had already been erased. Where else can he look on the computer for browsing history information?

The index.dat file

Identify the most recent and widely used file systems for Linux, Mac, and Windows environments.

The most widely used/current file systems include: NTFS -Windows, APFS for Mac, and Ext4 for Linux

Identify the two of the four components of the of the organizational structures on the NFTS volume.

The organization of a NFTS volume includes: NFTS Boot structure Master File Table File System Data Master File Table Copy

SANS suggests that Memory Analysis can generally be accomplished in six steps. Identify four of the six steps identified by SANs.

The six steps identified by SANS from the pocket reference guide in Canvas include: 1. Identify rogue processes 2. Analyze Process DLLs and Handles 3. Review Network Artifacts 4. Look for evidence of code injection 5. Check for signs of a rootkit 6. Extract processes, drivers, and objects.

Identify the steps in the Autopsy process/workflow.

The steps in the Autopsy workflow (in sequence) include: 1. Create a case 2. Add a data source 3. Analyze with ingest modules 4. Manual analysis and tagging 5. Report generation

Early in the examination of the forensics examiner from the Sheriffs office, the examiner was asked questions that were designed to establish her credibility. Describe how her credibility was established ( at least two examples).

They could also use the daubert standard.

The process of connecting to a server and exchanging packets containing acknowledgment (ACK) and synchronize (SYN) flags is called:

Three-way handshake

When gathering systems evidence, what is NOT a common principle?

Trust only virtual evidence.

What kind of data changes rapidly and may be lost when the machine that holds it is powered down?

Volatile data

__________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

Volatile memory analysis

Ophcrack

Windows based password cracker using rainbow tables

When attempting to recover a failed drive, which of the following is NOT true?

You should connect the failed drive to a test system and make the failed drive bootable.

How you will gather evidence and which tools are most appropriate for a specific investigation are part of ___________.

a forensic analysis plan

A system that monitors network traffic looking for suspicious activity is __________.

an IDS

A(n) __________ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address.

anonymizer

Use of __________ enables an investigator to reconstruct file fragments if files have been deleted or overwritten.

bit-level tools

Linux is often used on embedded systems. In such cases, when the system is first powered on, the first step is to load the __________.

bootstrap environment

The __________ is the continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

chain of custody

The file allocation table is a list of entries that map to each __________ on the disk partition.

cluster

The two NTFS files of most interest to forensics are the Master File Table (MFT) and the __________.

cluster bitmap

Sleuthkit

command line tools to analyze disk images

Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment.

data consistency

The term ______ refers to testimony taken from a witness or party to a case before a trial.

deposition

Any attempt to gain financial reward through deception is called ______.

fraud

Forensic investigators who collect data as evidence must understand the __________ of information, which refers to how long it is valid.

life span

Malware that executes damage when a specific condition is met is the definition of __________.

logic bomb

In Mac OS X, the __________ shell command lists the current device files that are in use.

ls /dev/disk?

The Windows program that handles security and logon policies is __________.

lsass.exe

Which of the following is not an ingest module from the Autopsy software ?

metadata parser

Which of the following tools does not detect or allow for the identification of a steganized file?

openstego

An MD5 hash taken when a computer drive is acquired is used to check for all of the following except:

ownership

Two of the easiest things to extract during __________ are a list of all website uniform resource locators (URLs) and a list of all email addresses on the computer.

physical analysis

PSIclone provides a number of functions useful in digital forensics. Which of the following is not a function provided by the device?

recording

Which file recovery tool works in Linux and Mac OS, and in Windows if you compile the source code?

scalpel

All of the following statements are true about ADS except:

streams can be attached to only to files

If you type the __________ command at the Linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges.

su

In Mac OS X, the __________ shell command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination.

system_profiler SPHardwareDataType

The type of medium used to hide data in steganography is referred to as __________. This may be a photo, video, sound file, or Voice over IP, for example.

the channel


Set pelajaran terkait

Forensics Study Guide (Glass & Ballistics)

View Set

Biology 100: Exam 2 Study Guide for Finals

View Set

English XI Fall Final: Rhetoric and Writing

View Set

The French Revolution Begin:Pre-Test

View Set

chapter 11 management, mgmt FINAL, Management Chapter 12, chapter 13 management, MGMT 300E Final Chapter 14, Manage chapter 15

View Set

ENA Renal and Genitourinary Emergencies

View Set

Accounting Chapter 14 LearnSmart

View Set

Chapter 42: Management of Patients w/ musculoskeletal trauma

View Set