ISCS Final Exam
In a prefetch file, the application's last access date and time are at offset _______________.
0x90
Define cloud, based off the NIST definition.
A model for on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or provider interaction, so capacity scales with changes in users' needs.
What is issued when information on the cloud is needed?
A subpoena for civil and criminal cases
What is issued when evidence on the cloud needs to be seized?
A search warrant; used only in criminal cases and requested by law enforcement.
Define community cloud
A way to bring people together for a specific purpose.
Define lay witness
A witness testifying to personally observed facts
Define public cloud
Accessible to anyone, and typically the only identification required is an e-mail address.
Which of the following is an example of a written report?
Affidavit
An expert witness can give an opinion in which of the following situations?
All of the above
sync_config.db
A SQLite database file holding the Google Drive upgrade number, the highest application version number, and the local synchronization root path.
Define cloud forensics
Applying digital forensics to cloud computing and is considered a subset of network forensics.
Define private cloud
Can be accessed only by people who have the necessary credentials, such as a logon name/password.
When are cloud investigations necessary?
Cases involving cyber attacks, policy violations, data recovery, and fraud complaints.
Technical challenges in cloud forensics:
Cloud architecture, data collection, legal issues, standards, and training.
What does CSP stand for?
Cloud service providers
When writing a report, what's the most important aspect of formatting?
Consistency
snapshot.db
Contains information about each file accessed, the URL pathname, the modified and created dates and times in UNIX timestamp format, and the file's MD5 value and size
What is a SLA?
Contract between a CSP and the customer that describes what services are being provided and at what level.
A ________________ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities.
Court order
_________ are written by judges to compel someone to do or not do something, such as a CSP producing user logon activities.
Court orders
Two types of encrypted data in the cloud:
Data at rest and data in motion
What are the two states of encrypted data in a secure cloud?
Data in motion and data at rest
Define data in motion
Data being transmitted over a network (also called data in transit).
Define data at rest
Data that has been written to disk
Where are you most likely to find evidence on a PaaS service level?
On the server's desktop, on the company network, or in the remote service provider's infrastructure.
Where are you most likely to find evidence on a IaaS service level?
Desktop of the server.
Where are you most likely to find evidence on a SaaS service level?
Desktop, laptop, tablet, or smartphone.
What is anti-forensics?
Hiding or destroying ESI that is potential evidence (used by hackers).
Define examination plan
A document that serves as a guideline for knowing what questions to expect when you're testifying.
Three widely used public cloud storage:
Dropbox, Google Drive, OneDrive
Define hybrid cloud
Enables a company to keep some information private and designate other files as public or community information.
Automated tools help you collect and report evidence, but you're responsible for doing which of the following?
Explaining the significance of the evidence
Which of the following rules or laws requires an expert to prepare and submit a report?
FRCP 26
Define spoliation
Failing to preserve evidence
(t/f) A feature of FROST is that it requires a virtual machine's hypervisor to run.
False
(t/f) A preliminary written report is not a high-risk document.
False
(t/f) A search warrant can be used in any kind of case, either civil or criminal.
False
(t/f) A text editor can be used to read Dropbox files.
False
(t/f) Clarity of writing is not critical to a report's success.
False
(t/f) One of the mission or goals of the investigation is to reformat certain important documents.
False
(t/f) Commingled data isn't a concern when acquiring cloud data.
False
What information below is not something recorded in Google Drive's snapshot.db file?
File SHA values and sizes
The _________ is used to identify, label, record, and acquire data from the cloud.
Forensic data collection tool
Three types of reports
Formal report, preliminary written or verbal report to your attorney, and an examination plan.
_______________ is used to get information when it is believed there is a danger of death or serious physical injury or for the National Center for Missing and Exploited Children.
Government agency subpoena
Types of subpoenas (3)
Government agency, non-government, and civil litigation
__________________ uses an "ideal lattice" mathematical formula to encrypt data.
Homomorphic encryption
What capabilities should a forensics tool have to acquire data from a cloud? (choose all that apply.)
Identify and acquire data from the cloud, expand and contract data storage capabilities as needed for service changes, examine virtual systems.
In which cloud service level can customers rent hardware and install whatever OSs and applications they need?
Infrastructure as a service
With the _____________ cloud service, the cloud provider is responsible only for selling or leasing the hardware.
Infrastructure as a service
IaaS
Infrastructure as a service. Customers rent hardware such as servers and workstations and install whatever OSs, applications, settings, and tools they need in the cloud environment.
Which of the following statements about the legal-sequential numbering system in report writing is true?
It doesn't indicate the relative importance of information
Define deposition bank
Libraries that store transcripts and examples of expert witnesses' previous testimony.
A _________________ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface.
Management plane
Define multitenancy
Many different unrelated businesses and users share the same applications and storage space.
____________ are used to produce information from private parties for litigation.
Non-government and civil litigation subpoenas
When can a search warrant be used?
Only in criminal cases, requested by a law enforcement officer
What are the three dimensions of cloud forensics?
Organizational, legal, technical
Which of the following is the standard format for reports filed electronically in federal courts?
PDF
PaaS
Platform as a service. An OS, such as Linux or Windows, has been installed on a cloud server, and the customer deploys applications on it.
To reduce the time it takes to start applications, Microsoft has created __________ files, which contain the DLL pathnames and metadata used by applications.
Prefetch
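Added example (not from the exam or the course textbook) showing how the last-run timestamp is pulled out of a prefetch file: it reads a 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) at the offset quoted on the card and converts it to a UTC datetime. The offset is taken as a parameter defaulting to 0x90 as the card states; in practice it depends on the format version stored in the first DWORD, so check the version before trusting the value. The header layout assumed here (version at 0x00, "SCCA" signature at 0x04, 60-byte UTF-16LE executable name at 0x10) and the sample blob are constructed for the example. Windows 10 and later store prefetch files compressed (they begin with "MAM"), which this code rejects rather than decompresses.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offset quoted on the flashcard for the last-run FILETIME. Treat it as a
# default to verify against the format version, not as a fixed constant.
LAST_RUN_OFFSET = 0x90
EXE_NAME_OFFSET = 0x10   # UTF-16LE executable name (assumed header layout)
EXE_NAME_LEN = 60        # bytes reserved for the name (assumed)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used to build the sample blob)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(blob: bytes, last_run_offset: int = LAST_RUN_OFFSET) -> dict:
    """Return version, executable name and last-run time from an uncompressed .pf."""
    if blob[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch file: decompress before parsing")
    if len(blob) < last_run_offset + 8 or blob[4:8] != b"SCCA":
        raise ValueError("not an uncompressed prefetch file or blob too short")
    version = struct.unpack_from("<I", blob, 0)[0]
    raw_name = blob[EXE_NAME_OFFSET:EXE_NAME_OFFSET + EXE_NAME_LEN]
    exe_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    ft = struct.unpack_from("<Q", blob, last_run_offset)[0]
    return {"version": version, "exe_name": exe_name, "last_run": filetime_to_datetime(ft)}


def build_sample_prefetch(last_run: datetime, exe_name: str = "NOTEPAD.EXE",
                          version: int = 23) -> bytes:
    """Constructed test blob (not a real prefetch file) using the assumed layout."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    name = exe_name.encode("utf-16-le")
    buf[EXE_NAME_OFFSET:EXE_NAME_OFFSET + len(name)] = name
    struct.pack_into("<Q", buf, LAST_RUN_OFFSET, datetime_to_filetime(last_run))
    return bytes(buf)


# Constructed sample: an application last run on 2024-03-05 14:30:15 UTC.
SAMPLE_LAST_RUN = datetime(2024, 3, 5, 14, 30, 15, tzinfo=timezone.utc)
SAMPLE_BLOB = build_sample_prefetch(SAMPLE_LAST_RUN)

if __name__ == "__main__":
    print(parse_prefetch(SAMPLE_BLOB))
```

On a real image, read the .pf file from C:\Windows\Prefetch in binary mode and pass the bytes to parse_prefetch; the returned datetime is UTC, so convert to the machine's time zone only when reporting.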
What does the technical dimension deal with?
Procedures and specialized applications designed to perform forensic recovery and analysis of the cloud.
Which of the following cloud deployment methods typically offers no security?
Public cloud
What does Rule 26 of the FRCP in the U.S. require?
Requires expert witnesses who are expected to testify to submit a written report that includes the expert's opinion along with the basis for it.
_________ in the cloud covers data owners, identity protection, users, access controls, and so forth.
Role management
What are the three levels of cloud services defined by NIST?
SaaS, PaaS, IaaS
The law requires that __________ contain a specific description of what is to be seized.
Search warrants
Five mechanisms used to collect digital evidence under the U.S. Electronic Communications Privacy Act (ECPA):
Search warrants, subpoenas, subpoenas with prior notice to the subscriber or customer, court orders, and court orders with prior notice to the subscriber or customer.
Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?
Seizure order
What does the legal dimension cover?
Service agreements and other jurisdictional matters
A(n) _______________________________________________ is a contract between a CSP and the customer that describes what services are being provided and at what level.
Service level agreement
What does SLA stand for?
Service level agreement
Evidence of cloud access found on a smartphone usually means which cloud service level was in use?
Software as a Service
SaaS
Software as a service. Applications delivered via the internet.
What is a government agency subpoena?
Under the ECPA, customer communications and records can't be knowingly divulged to any person or entity, although the law allows specific exceptions for government agencies, which can compel production with a subpoena.
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (choose all that apply)
Subpoenas with prior notice, Search warrants, Court Orders
A CSP's incident response team typically consists of which staff?
System and Network Administrators
What is a major advantage of automated forensics tools in report writing?
The reports and log files generated by the software
What does the organizational dimension address?
The structure of the cloud, such as the location of data storage and the administration of services.
What is a court order?
They are written by judges to compel someone to do or not do something
For what purpose have hypothetical questions traditionally been used in litigation?
To frame the factual context of rendering an expert witness's opinion.
Why do attorneys use deposition banks?
To research expert witnesses' previous testimony and to learn more about them.
(t/f) A written report/affidavit/declaration is sworn to under oath.
True
(t/f) All U.S. district courts and many states require expert witnesses to submit written reports.
True
(t/f) Amazon was an early provider of Web-based services that eventually developed into the cloud concept.
True
(t/f) Anything you write down as part of your examination is subject to discovery.
True
(t/f) Cloud forensics typically involves litigation of criminal or civil matters.
True
(t/f) Digital forensics examiners could be held liable when conducting an investigation involving cloud data.
True
(t/f) Hypothetical questions can be abused and made so complex that the finder of fact (the judge or jury) might not be able to remember enough of the question to evaluate the answer.
True
(t/f) If you were a lay witness at a previous trial, you shouldn't list that case in your written report.
True
(t/f) The multi-tenancy nature of cloud environments means conflicts in privacy laws can occur.
True
(t/f) To see Google Drive synchronization files, you need a SQL viewer.
True
(t/f) The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).
True
What is a non-government subpoena?
Used to produce information from private parties for litigation.
What does the CSP do?
Uses servers on distributed networks or mainframes that allow elasticity of resources for customers.
When should a temporary restraining order be requested for cloud environments?
When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case.
What type of report must be submitted in a US district court?
Written report
sync_log.log
Has a detailed list of the user's cloud transactions.
Select the folder below that is most likely to contain Dropbox files for a specific user:
C:\Users\username\Dropbox
Where is the snapshot database created by Google Drive located in Windows?
C:\Users\username\AppData\Local\Google\Drive
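Added example (not from the exam or the course textbook) tying together the snapshot.db cards: the file is a SQLite database, so it is read with a SQL tool rather than a text editor, its timestamps are UNIX epoch seconds that must be converted, and its MD5 and size fields let you check whether a file recovered from the local sync folder is the same object the cloud record describes. The table and column names below are a constructed approximation of the fields the cards list, not the real Google Drive schema, and the rows are constructed sample data; open_snapshot shows the read-only URI form you would use against an actual copy of the database.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example: it carries the fields the cards list
# (file name, URL path, created/modified UNIX timestamps, MD5, size) but is
# NOT the real Google Drive snapshot.db layout.
SCHEMA = """
CREATE TABLE cloud_entry (
    doc_id   TEXT PRIMARY KEY,
    filename TEXT NOT NULL,
    url      TEXT,
    modified INTEGER NOT NULL,   -- seconds since 1970-01-01 UTC
    created  INTEGER NOT NULL,   -- seconds since 1970-01-01 UTC
    checksum TEXT,               -- MD5 hex digest
    size     INTEGER
);
"""

# Constructed sample file contents (not real user data).
SAMPLE_FILES = {
    "budget.xlsx": b"constructed spreadsheet bytes",
    "notes.txt": b"meeting notes\n",
}


def open_snapshot(path: str) -> sqlite3.Connection:
    """Open a copied snapshot.db read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    base = 1_700_000_000  # 2023-11-14 22:13:20 UTC
    rows = []
    for i, (name, data) in enumerate(sorted(SAMPLE_FILES.items())):
        rows.append((f"doc{i}", name, f"https://drive.google.com/file/d/doc{i}",
                     base + i * 3600, base - 86400,
                     hashlib.md5(data).hexdigest(), len(data)))
    conn.executemany("INSERT INTO cloud_entry VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def unix_to_iso(ts: int) -> str:
    """UNIX epoch seconds -> ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def load_entries(conn: sqlite3.Connection) -> list:
    """Read every cloud_entry row, oldest modification first, with readable times."""
    cur = conn.execute(
        "SELECT doc_id, filename, url, modified, created, checksum, size "
        "FROM cloud_entry ORDER BY modified"
    )
    return [
        {"doc_id": r[0], "filename": r[1], "url": r[2],
         "modified": unix_to_iso(r[3]), "created": unix_to_iso(r[4]),
         "checksum": r[5], "size": r[6]}
        for r in cur
    ]


def verify_local_copy(entry: dict, data: bytes) -> dict:
    """Does a file from the local sync folder match the snapshot record's MD5 and size?"""
    return {
        "md5_match": hashlib.md5(data).hexdigest() == entry["checksum"],
        "size_match": len(data) == entry["size"],
    }


if __name__ == "__main__":
    db = build_sample_db()
    for e in load_entries(db):
        print(e["filename"], e["modified"], e["checksum"], e["size"],
              verify_local_copy(e, SAMPLE_FILES[e["filename"]]))
```

Run against a real copy, replace build_sample_db with open_snapshot on the path from the card and adapt the SELECT to the actual table and column names you see in the SQLite viewer; keep the MD5 comparison as the cross-check between what the cloud recorded and what was found on the device.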