Forensics Final Chapters 1-8

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

As a corporate investigator, you can become an agent of law enforcement when which of the following happens

A. you begin to take orders from a police detective without a warrant or subpoena. B. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the criminal evidence to law enforcement.

What is the most important point to remember when assigned to work on an attorney- client privilege case?

All information is to be kept confidential.

Computer forensics facilities always have windows. True or False?

False

Data can't be written to the disk with a command-line tool. True or False?

False

What two tasks is an acquisitions officer responsible for at a crime scene

Giving the forensics investigator documentation of items the investigation officers collected with the computer, notes the computer specifications, if the machine was running when discovered. Before shutting the machine down, photographs the open windows that were running.

For employee termination cases, what types of investigations do you typically encounter?

Hostile work environment caused by inappropriate Internet use. Sending harassing e-mail messages.

List two popular certification systems for computer forensics.

IAVIS, HTCN, EnCE

What are three rules for a forensic hash?

It can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes.

What is the purpose of maintaining a professional journal?

It helps you remember what procedures were followed if the case ever goes to court. It can also be used as a reference if you need to remember how you solved a previous problem

What are the basic guidelines when working on an attorney-client privilege case?

Minimize all written communications with the attorney, use the telephone when you need to ask questions or provide information related to the case. Any documentation written to the attorney must contain a header stating that it's Privileged Legal Communication-Confidential Work Product, as defined under the attorney-work-product rule. Assist the attorney and paralegal in analyzing the data.

What's the name of the NIST project established to collect all known hash values for commercial software and OS files?

National Software Reference Library (NSRL)

Areal density refers to which of the following?

Number of bits per square inch of a disk platter

HPFS is used on which OS?

OS/2

What is the EnCase Enterprise remote access program?

Servlet

What should you consider when determining which data acquisition method to use?

Size of the source drive, where the source drive be retained as evidence, how long the acquisition will take, and where the disk evidence is located.

List three items that should be in an initial-response field kit.

Small computer tool kit, large capacity drive, IDE ribbon cables, Forensic boot media, laptop or portable computer.

What does a sparse acquisition collect for an investigation?

Specific files of interest to the case as well as arrangements of unallocated(deleted) data.

The Windows Registry in Windows 9x consists of what two files?

System.dat and User.dat

List two types of connections in HDHOST.

TCP/IP and serial RS232 port.

What term refers to labs constructed to shield EMR emissions?

TEMPEST

What are some reasons that an employee might leak information to the press?

To embarrass management, conducting a power struggle between other internal organizations. Pre-mature release of information about new products.

Why is it a good practice to make two images of a suspect drive in a critical investigation?

To ensure at least one good copy of the data in case of any failures.

Why should your evidence media be write-protected?

To ensure that data isn't altered.

Why should you critique your case after it's finished?

To improve your work

The National Cybercrime Training Partnership is available only to law enforcement. True or False?

To maintain the chain of custody and prevent data from being lost, corrupted, or stolen.

32. EnCase, FTK, SMART, and ILook treat an image file as though it were the original disk. True or False?

True

33. When possible, you should make two copies of evidence. True or False?

True

34. FTK Imager can acquire data in a drive's host protected area. True or False?

True

What is the space on a drive called when a file is deleted?

a. Unallocated space b. Free space

Virtual machines have what when following limitations when running on a host computer?

a. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.

Who should have access to a secure container? a) Only the primary investigator b) Only the investigators in the group c) Everyone on the floor d) Only senior-level management

d) Only senior-level management

The standards for testing forensics tools are based on which criteria?

. ISO 17025

What are two concerns when acquiring data from a RAID server?

1) Amount of data storage needed 2) the type of RAID

What is the ratio of sectors per cluster in a floppy disk?

1:1

Clusters in Windows always begin numbering at what number?

2

What's the maximum file size when writing data to a FAT32 drive?

2 GB (a limitation of FAT file systems)

In FAT32, a 123 KB file uses how many sectors?

246 Sectors. 123 x 1024 bytes per KB = 125,925 total bytes in the file. 125,952 bytes / 512 sectors per cluster = 246 sectors

How does ProDiscover Investigator encrypt the connection between the examiner's and suspect's computers?

256-bit AES of Twofish encryption and encrypts the password on the suspect's computer

On a Windows system, sectors typically contain how many bytes?

512

What is a hashing algorithm?

A utility designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or entire disk.

If a suspect computer is located in an area that might have toxic chemicals, you much do which of the following?

A. coordinate with the HAZMAT team C. Assume the suspect computer is contaminated.

Which organization has guidelines on how to operate a computer forensics lab?

ASCLD

When might an interview turn into an interrogation?

After the person being interviewed has been read their Miranda Rights.

Building a business case can involve which of the following? a. Procedures for gathering evidence b. Testing software c. Protecting trade secrets d. All of the above

All of the Above

List three items that should be in your case report.

An explanation of basic computer and network processes, a narrative of what steps you took, a description of your findings, and log files generated from your analysis tools.

. Putting out fires in a computer lab usually requires a _____ rated fire extinguisher

B

If a suspect computer is running Windows 2000, which of the following can you perform safely?

Browsing open applications.

When validating the results of a forensic analysis, you should do what?

Calculate the hash value with two different tools. Use a different tool to compare the results of evidence you find.

List two features common with proprietary format acquisition files

Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be achieved to CD or DVD; case metadata can be added to the acquisition file. Eliminating the need to keep track of any additional validation documentation or files.

List three items that should be on an evidence custody form.

Case number, name of the investigator assigned to the case, nature of the case, location where evidence was obtained, description of the evidence and so on.

What do you call a list of people who have had physical possession of the evidence?

Chain of custody

A virtual cluster consists of what kind of clusters?

Chained

Describe what should be videotaped or sketched at a computer crime scene

Computers, cable connections, overview of scene—anything that might be of interest to the investigation.

What does CHS stand for?

Cylinders, Heads, Sectors

What are the functions of a data run's field components in an MFT record?

Data runs have three components; first declares how many bytes are required in the attribute field to store the number of bytes needed for the second and third components. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value the LCN or the VCN.

Of the six functions of computer forensics tools, what are the subfunctions of the Extraction function?

Data viewing, Keyword searching, Decompressing, Carving, Decrypting, and Bookmarking

When you perform an acquisition at a remote location, what should you consider to prepare for this task?

Determing whether there's sufficient electrical power and lighting and checking the temperature and humidity at location.

What is the Runtime Software utility used to acquire data over a network connection?

DiskExplorer for NTFS or DiskExplorer for FAT

Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive

EnCase, SafeHack, and SnapCopy

Which computer forensics tools can connect to a suspect's remote computer and run surreptitiously?

Encase Enterprise, ProDiscover Investigator , and ProDiscover Incident Response

List two types of computer investigations typically conducted in the corporate environment.

Espionage, and e-mail harassment

Of all the proprietary formats, which one is the unofficial standard?

Expert witness used by Guidance software EnCase

Which of the following tools can examine files created by WinZip?

FTK

A corporate investigator must follow Fourth Amendment standards when conducting an investigation. True or False?

False

A disk partition can be copied only with a command-line acquisition tool. True or False?

False

A forensic workstation should always have a direct broadband connection to the Internet. True or False?

False

A live acquisition is considered an accepted forensics practice. True or False?

False

Building a forensic workstation is more expensive than purchasing one. True or False?

False

Computer forensics and data recovery refer to the same activities. True or False?

False

During a remote acquisition of a suspect drive, RAM data is lost. True or False?

False

HDHost is automatically encrypted when connected to another computer. True or False?

False

If a visitor to your computer forensics lab is a personal friend, it's not necessary to have him or her sign the visitor's log. True or False?

False

NIST testing procedures are valid only for government agencies. True or False?

False

Probable cause is not needed for a criminal investigation. True or False?

False

R-Studio and DiskExplorer are used primarily for computer forensics. True or False?

False

Sleuth Kit is used to access Autopsy's tools. True or False?

False

Small companies rarely need investigators. True or False?

False

The ASCLD mandates the procedures established for a computer forensics lab. True or False?

False

The chief custodian of evidence storage containers should keep several master keys. True or False?

False

Under normal circumstances, a corporate investigator is considered an agent of law enforcement. True or False?

False

You should always answer questions from onlookers at the crime scene? True or False?

False

You should always prove the allegations made by the person who hired you. T or F?

False

Zoned bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?

False5.

List three items stored in the FAT database

File and directory names, starting cluster numbers, file attributes, date and time stamps.

EFS can encrypt what?

Files, folders, and volumes

Hash values are used for

Filtering known good files from potentially suspicious data Validating that the original data hasn't changed

Police in the United States must use procedures that adhere to which of the following? a. Third Amendment b. Fourth Amendment c. First Amendment d. None of the above

Fourth Amendment

In the Linux dcfldd command, which three options are used for validating data?

Hash=, hashlog= and vf=

Determing whether there's sufficient electrical power and lighting and checking the temperature and humidity at location.

If the target drive is an external USB drive, the write-proctect feature prevents data from being written to it.

You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?

Initial-response field kit.

Device drivers contain what kind of information?

Instructions for the OS on how to interface with hardware devices.

Which of the following techniques might be used in covert surveillance?

Keylogging, data sniffing.

What two data-copying methods are used in software data acquisitions?

Logical and physical

Two hashing algorithms commonly used for forensic purposes are_____

MD5 and SHA-1

What does MFT stand for?

Master File Table

Which hashing algorithm utilities can be run from a Linux shell prompt?

Md5sum and sha1sum

Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?

Most companies keep inventory databases of all hardware and software used.

Which organization provides good information on safe storage containers?

NISPOM

With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB drive, containing evidence?

Newer Linux distribution mount the USB drive automatically, which could alter data on it.

Which of the following Windows XP files contains user-specific information?

Ntuser.dat

What does a logical acquisition collect for an investigation?

Only specific files of interest to the case.

What is the ProDiscover remote access program?

PDServer

To encrypt a FAT volume, what utilities can you use?

PGP Whole Disk Encryption

What items should your business plan include?

Physical security items, such as evidence lockers; how many machines are needed; what Oss your lab commonly examines; why you need certain software; and how your lab will benefit the company (such as being able to quickly exmerate emplyees or discover whether they're guilty)

What is the primary goal of a static acquisition?

Preservation of digital evidence

What is professional conduct and why is it important?

Professional conduct includes ethics, morals, and standards of behavior. It can affect your credibility.

Name the three formats for computer forensics data acquisitions.

Raw format, proprietary formats, and Advanced Forensic Format(AFF)

Typically, a(n) ______ lab has a separate storage area or room for evidence

Regional

What three items should you research before enlisting in a certification program?

Requirements, cost and acceptability in your chosen area of employment.

Commingling evidence means what in a corporate setting?

Sensitive corporate information being mixed with data collected as evidence.

When considering new forensics software tools, you should do which of the following?

Test and validate the software.

What are the necessary components of a search warrant?

The affidavit is a sworn statement of support of facts about or evidence of a crime which is submitted to a judge with the request for a search warrant before seizing evidence. This includes exhibits (evidence) that support the allegation to justify the warrant. The affidavit is then notarized under sworn oath to verify that the information in the affidavit is true. The affidavit, the warrant, and return of service are basically the order of the procedure

What is the advantage of using a tape backup system for forensic acquisitions of large data sets?

There's no limit to the size of data you can write to magnetic tape.

What is true of most drive-imaging tools?

They ensure that the original drive doesn't become corrupt and damage the digital evidence. They create a copy of the original drive.

What is the purpose of maintaining a network of computer forensics specialists?

To allow you the ability to cultivate professional relationships with people who specialize in technical area different from your own specialty

When you arrive at the scene, why should you extract only those items that you need to acquire evidence?

To minimize how much you have to keep track of at the scene.

What is the purpose of an affidavit?

To provide a sworn statement of support of facts about evidence of a crime this is submitted to a judge with the request for a search warrant before seizing evidence

Why should companies appoint an authorized requester for computer investigations?

To reduce conflicts from competing interests among organizations or departments and to avoid starting investigations based on organizational/ departmental gains or jealousy

3. If you discover a criminal act, such as a murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False

True

An employer can be held liable for e-mail harassment. True or False?

True

An image of a suspect drive can be loaded on a virtual machine.

True

Data collected before an attorney issues a memorandum for an attorney-client privilege case is protected under the confidential work product rule. True or False?

True

For digital evidence, an evidence bag is typically made of anti static material. True or False?

True

If a company doesn't distribute a computing use policy stating an employer's rights to inspect employee's computers freely, including e-mail and web use, employees have an expectation of privacy. True or False?

True

In DOS and Windows 9.x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or false?

True

Many of the newer GUI tools use a lot of system resources. True or False?

True

Most companies keep inventory databases of all hardware and software used.True or False?

True

NTFS, files smaller than 512 bytes are stored in the MFT.

True

RAM slack can contain passwords. True or False?

True

The National Cybercrime Training Partnership is available only to law enforcement. True or False?

True

Warning banners are often easier to present in court than policy manuals are. True or False?

True

Computer peripherals or attachments can contain DNA evidence. True or False?

True.

. Large computer forensics labs should have at least ____ exits?

Two

List two features NTFS has that FAT does not.

Unicode characters, security, journaling.

Hashing, filtering, and file header analysis make up which function of computer forensics tools?

Validation and discrimination

What is the most critical aspect of computer evidence?

Validation of digital evidence

What are the five required functions for computer forensics tools?

What are the five required functions for computer forensics tools?

When is a standard data backup tool, such as Norton Ghost, used for a computing investigation?

When the suspect computer can't be taken offline for several hours but can be shut down long enough to switch disk, allowing the investigator to take the original disk and preserve as a digital evidence.

In a Linux shell, the fdisk -1 command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1

Wrong. This command read the imagine_file and writes it to the evidence drives /dev/hdal/ partition. The correct command is dcfldd if =/dev/hdal of=image_file.img.

What are some ways to determine the resources needed for an investigation?

a. Determine the OS of the suspect computer. b. List the necessary software to use for the examination.

Windows 2000 can be configured to access which of these file formats?

a. FAT12 b. FAT16 c. FAT32 d. NTFS

The manager of a computer forensics lab is responsible for which of the following? (Choose all that apply.) a. Necessary changes in lab procedures and software b. Ensuring that staff members have sufficient training to do the job c. Knowing the lab objectives d. None of the above

a. Necessary changes in lab procedures and software b. Ensuring that staff members have sufficient training to do the job c. Knowing the lab objectives

What are some initial assessments you should make for a computing investigation?

a. Talk to others involved in the case and ask about the incident. b. Determine whether law enforcement or company security officers already seized the computer evidence. c. Determine whether the computer was used to commit a crime or contains evidence about the crime.

Laws and procedures for PDAs are which of the following? a. Well established b. Still being debated c. On the law books d. None of the above

b. Still being debated

The triad of computing security includes which of the following? a. Detection, response, and monitoring b. Vulnerability assessment, detection, and monitoring c. Vulnerability assessment, intrusion response, and investigation d. Vulnerability assessment, intrusion response, and monitoring

c. Vulnerability assessment, intrusion response, and investigation

With remote acquisitions, what problems should you be aware of? a. Data transfer speeds b. Access permissions over the network c. Antivirus, antispyware, and firewall programs d. All of the above

d. All of the above

Policies can address rules for which of the following? a. When you can log on to a company network from home b. The Internet sites you can or cannot access c. The amount of personal e-mail you can send d. Any of the above

d. Any of the above

List four subfunctions of reconstructing drives.

disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy

In forensic hashes, a collision occurs when ____

two files have the same hash value.

What are two advantages and disadvantages of the raw format?

• Advantages: Faster data transfer speeds, ignore minor data errors, and most forensics tools can read • Disadvantages: requires equal or greater target disk space, does not contain had values in the raw file(metadata), might have to run a separate hash program to validate raw formatted data and might not collect marginal (bad) blocks.

List two items that should appear on an internal warning banner.

• An organization has the right to monitor what end users do, and their e-mail is not personal and can be monitored

List two organizations mentioned in the chapter that provide computer forensics training.

• CTIN: Computer Technology Investigators Network and • HTCIA: High Technology Crime Investigation Association

List three common types of digital crime.

• E-mail harassment, cyber stalking, and embezzlement.

To determine the types of operating systems needed in your lab, list two sources of information you could use.

• Uniform Crime Report statistics for your area and a list of cases handled in your area or at your company.


Set pelajaran terkait

Health Career Exploration Module- Health Care Career Pathways

View Set

chapter 13 learn smarts (with answers)

View Set

Practice Problems for Fractions, Decimals, & Percents

View Set

MAR4802-Lesson 15: Advertising and Public Relations

View Set

Optics of the Eye Quiz #1 Material (Lectures 1-9)

View Set