ISM4324 Final Exam

The uppercase letter _____ has a hexadecimal value of 41.

"A"

Describe type 1 and type 2 hypervisors. (written response)

- A Type 1 hypervisor (also known as a bare-metal hypervisor) is a layer of software installed directly on top of a physical server and its underlying hardware.
- A Type 2 hypervisor (also known as a hosted hypervisor) is typically installed on top of an existing OS. It relies on the host machine's preexisting OS to manage calls to CPU, memory, storage, and network resources.

Provide some guidelines for writing an introduction section for a report. (written response)

- Give background information about the topic
- Refer to the important findings of other researchers
- Identify the need for further investigation
- Indicate your plans for further investigation
- State your hypothesis/research questions
- State your aim
- State your objectives
- Indicate the scope of your study

Describe how the Forensic Open-Stack Tools (FROST) bypasses a virtual machine's hypervisor. (written response)

- Modifying existing forensic software to extend its capabilities
- Presenting the memory of a guest virtual machine in a format that FMA tools can understand

How can you isolate a mobile device from incoming signals? (written response)

- Place the device into airplane mode
- Place the device into a paint can that contains radio-wave-blocking paint, or into multiple antistatic bags

What is the general procedure to access the content on a mobile phone SIM card? (written response)

- Seizing: The device that has to go through the forensic process may contain fingerprints that could help solve the case, so it should be kept safe in an airtight packet and handled only while wearing gloves, without touching it directly.
- Phone jammers and airplane mode: The device may be connected to a network, so we must make sure it is not connected to any network or device. A jammer and airplane mode are applied.
- Data acquisition: The data or contacts on the SIM card can be retrieved or accessed using the SIM card imaging technique. This creates a replica of the SIM card from which all the SIM card data can be retrieved. The original SIM card is kept undisturbed by this technique, and its contents can be easily accessed.

What are the four conditions required for an expert witness to testify to an opinion or conclusion? (written response)

- The expert witness's knowledge will help the trier of fact to understand the evidence or to determine a fact in issue
- The testimony is based on sufficient facts or data
- The testimony is the product of reliable principles and methods
- The expert has reliably applied the principles and methods to the facts of the case

____ contains configuration information for Sendmail, helping the investigator to determine where the log files reside.

/etc/sendmail.cf

Typically, UNIX installations are set to store logs such as maillog in the ____ directory.

/var/log

In a prefetch file, the application's last access date and time are at an offset of _____.

0x90

By the end of 2008, mobile phones had gone through three generations: analog, digital personal communications service (PCS), and ____.

3G

In an e-mail address, everything after the ____ symbol represents the domain name.

@

Briefly describe known cover attack and known message attack. (written response)

A known cover attack compares the original image with the object, and pattern differences are detected. A known message attack is the analysis of known patterns that correspond to hidden information, which may help against attacks in the future.

Explain what "anti-forensics" is, and provide detail on some anti-forensics tactics. (written response)

Anti-forensics is an approach used by cybercriminals to challenge evidence gathering and analysis processes.
- Encryption: data converted into an unreadable format using a pair of keys
- Steganography: the act of concealing data in plain sight
- Tunneling: uses encapsulation to allow private communications to be exchanged over a public network
- Onion routing: the process of sending messages that are encrypted in layers, like the layers of an onion
- Obfuscation: a technique that makes a message difficult to understand because of its ambiguous language
- Spoofing: the act of disguising communication to gain access to unauthorized systems or data

People who want to hide data can also use advanced encryption programs, such as PGP or _____.

BestCrypt

_____ images store graphics information as grids of pixels.

Bitmap

Where is the snapshot database created by Google Drive located in Windows?

C:\Users\<username>\AppData\Local\Google\Drive

Select the folder below that is most likely to contain Dropbox files for a specific user:

C:\Users\username\Dropbox

Developed during WWII, this technology,____, was patented by Qualcomm after the war.

CDMA

_____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.

Circular logging

The ____ is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more.

Cloud Security Alliance

What are the steps for copying an e-mail message in Outlook or Outlook Express? (written response)

Copy the entire Outlook Express folder to a network location to which both computers have access. Then, on the computer where Outlook is installed, copy the folder from the network location to that computer.

The ____ network is a digital version of the original analog standard for cell phones.

D-AMPS

____ is a layered network defense strategy developed by the National Security Agency (NSA).

Defense in Depth

The marking bad clusters data-hiding technique is more common with ____ file systems.

FAT

The _____ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack.

FROST

T/F A verbal report is more structured than a written report

False

T/F Investigating smartphones and other mobile devices is a relatively easy task in digital forensics

False

T/F Magnet AXIOM Cloud can retrieve information from Skype, Instagram, Twitter, iCloud, but not from Facebook Messenger

False

T/F Network forensics is a fast, easy process

False

T/F When intruders break into a network, they rarely leave a trail behind

False

____ trains people to listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question.

Forensic linguistics

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.

Honeynet

AccessData _____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.

KFF

_____ hide the most valuable data at the innermost part of the network.

Layered Network Defense Strategies

Explain how lossless compression relates to image file formats. (written response)

Lossless compression algorithms relate to image file formats by reducing the file size while preserving a perfect copy of the original uncompressed image.

____ compression compresses data by permanently discarding bits of information in the file.

Lossy

Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created.

MAC

A lesser known tool used widely by government agencies is _____, which retrieves data from smartphones, GPS devices, tablets, music players, and drones.

Micro Systemation XRY

In a Windows environment, BitPim stores files in _____ by default.

MyDocuments/BitPim

To enhance searching for and eliminating known OS and application files, Autopsy has an indexed version of the NIST ____ of MD5 hashes.

NSRL

_____ was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files.

Netdude

_____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.

Network forensics

After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor, such as Windows ____.

Notepad+

_____ are devices or software placed on a network to monitor traffic.

Packet sniffers

WinHex provides several hashing algorithms, such as MD5 and _____.

SHA-1

What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing?

Salesforce

_____ alters hash values, which makes cracking passwords more difficult.

Salting passwords

Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider?

Seizure order

To view Gmail Web e-mail headers open the e-mail, click the down arrow next to the Reply circular arrow, and click _____.

Show Original

Explain how to use steganalysis tools. (written response)

Steganalysis tools are used to defeat steganography by detecting hidden information then extracting or destroying it.

_____ is a data-hiding technique that uses host files to cover the contents of a secret message.

Steganography

A common way of examining network traffic is by running the _____ program.

Tcpdump

____ can be programmed to examine TCP headers to find the SYN flag.

Tethereal

How should you explain examination and data collection methods? (written response)

They are systematic processes of gathering observations or measurements.

T/F E-mail programs either save e-mail messages on the client computer or leave them on the server.

True

T/F Evidence artifacts vary depending on the social media channel and the device.

True

T/F For static acquisitions, remove the original drive from the computer, if practical, and then check the date and time values in the system's CMOS.

True

T/F Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data.

True

T/F Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.

True

T/F Specially trained system and network administrators are often a CSP's first responders.

True

T/F The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET).

True

T/F Virtual machines (VMs) help offset hardware costs for companies.

True

T/F You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network).

True

Cellebrite includes _____, a mobile forensics tool that's often used by law enforcement and the military.

UFED Reader

Intel _____ has responded to the need for security and performance by producing different CPU designs.

Virtualization Technology (VT)

Which of the following is NOT a service level for the cloud?

Virtualization as a service

The _____ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03.

XIF

What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds?

XenServer and XenCenter Windows Management Console

If a report is long and complex, you should provide a(n) ____.

abstract

In Facebook, the _____ info simply tells you the last time a person logged on.

basic subscriber

The data-hiding technique _____ changes data from readable code to data that looks like binary executable code.

bit-shifting

In Exchange, to prevent loss of data since the last backup, a _____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.

checkpoint

E-mail messages are distributed from a central server to many connected client computers, a configuration called _____.

client/server architecture

Save broader generalizations and summaries for the report's ____.

conclusion

When working with image files, computer investigators also need to be aware of _____ laws to guard against copyright violations.

copyright

The process of converting raw picture data to another format is referred to as _____.

demosaicing

Remember that anything you write down as part of your examination for a report in a civil litigation case is subject to ____ from the opposing attorney.

discovery

One way to hide partitions is with the Windows disk partitions utility, _____.

diskpart

You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.

graphics editors

The simplest way to access a file header is to use a(n) _____ editor.

hexadecimal

The file system for a SIM card is a ____ structure.

hierarchical

You begin a digital forensics case by creating a(n) _____.

investigation plan

Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.

key escrow

Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.

mbox

To reduce the time it takes to start applications, Microsoft has created _____ files, which contain the DLL pathnames and metadata used by applications.

prefetch

Mobile devices can range from simple phones to _____.

smartphones

The term _____ comes from the Greek word for "hidden writing."

steganography

In civil and criminal cases, the scope is often defined by search warrants or _____, which specify what data you can recover.

subpoenas

_____ is a good tool for extracting information from large Libpcap files.

tcpslice

A(n) ____ is sworn to under oath (and penalty of perjury or comparable false swearing statute).

written report
