ITN 277
The ___________ directory holds compiled files, that is, executable programs, so some malware may be found there as well
/bin
The _________ directory is different from any other directory in that it is not really stored on the hard disk. It is a virtual file system created in memory by the kernel and keeps information about currently running processes
/proc
Post Office Protocol (POP)
A protocol used to retrieve email from a mail server. POP3 is a later iteration of the POP protocol; it uses TCP port 110
Simple Mail Transfer Protocol (SMTP)
An Internet-standard protocol for sending email messages between servers on IP networks. SMTP is also generally used to send messages from a mail client to a mail server. TCP port 25
In Linux, as with Windows, the first sector on any disk is called the
Boot sector
Maintaining __________ is a problem with live-system forensics in which data is not acquired at a single unified moment
Data consistency
The majority of digital cameras use the __________ format to store digital pictures.
EXIF (Exchangeable Image File Format: JPEG or TIFF image data with embedded camera metadata)
Many devices, such as floppy and CD-ROM drives, are mounted in the /var directory.
False (removable media are conventionally mounted under /mnt or /media; /var holds variable data such as logs and spool files)
The Windows Registry is organized into five sections (root keys). The ________________ section is very critical to a forensic investigation. It has profiles for all the users, including their settings
HKEY_USERS (HKU)
If you can't open an image file in an image viewer, the next step is to examine the file's ____.
Header data
The simplest way to access a file header is to use a __________ editor
Hexadecimal
______________ steganography places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.
Insertion
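As an added example (not part of the course flashcards), the following Python shows insertion steganography on a JPEG host together with the forensic check for it. A JPEG decoder stops at the End-Of-Image marker FF D9, so anything appended after it travels with the file but is never displayed. The host bytes and the secret text are constructed for the example; the host is a bare JFIF header plus filler, not a real picture.

```python
# Added example, not from the course flashcards: insertion steganography on a
# JPEG host.  A JPEG decoder stops at the End-Of-Image marker FF D9, so bytes
# appended after it are never rendered, yet they travel with the file.
# HOST is a constructed stand-in (a valid JFIF header and filler, no picture),
# and the secret text is made up.

JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # FF D8 FF E0 00 10 "JFIF\0"
JPEG_EOI = b"\xff\xd9"

# Constructed host: JFIF header, APP0 payload, 64 bytes of filler, then EOI.
HOST = JFIF_HEADER + b"\x01\x01\x00\x48\x00\x48\x00\x00" + b"\x00" * 64 + JPEG_EOI


def insert(host: bytes, secret: bytes) -> bytes:
    """Insertion steganography: append the secret after the host's EOI marker.

    The viewer still shows the original picture because it never reads past
    FF D9; only the file size changes.
    """
    if not host.startswith(b"\xff\xd8") or not host.endswith(JPEG_EOI):
        raise ValueError("host is not a complete JPEG ending in FF D9")
    return host + secret


def trailing_data(candidate: bytes) -> bytes:
    """Return the bytes after the first EOI marker (empty for a clean file).

    Caveat: an EXIF thumbnail embedded in an APP1 segment carries its own
    FF D9, so on real photos walk the JPEG segment structure instead of taking
    the first FF D9; this constructed host has no such segment.
    """
    eoi = candidate.find(JPEG_EOI)
    if eoi == -1:
        raise ValueError("no EOI marker found; not a complete JPEG")
    return candidate[eoi + len(JPEG_EOI):]


def is_suspicious(candidate: bytes) -> bool:
    """A JPEG with anything after FF D9 deserves a closer look."""
    return len(trailing_data(candidate)) > 0


if __name__ == "__main__":
    stego = insert(HOST, b"meet at 0900")
    print(len(HOST), "->", len(stego))
    print("host suspicious:", is_suspicious(HOST))
    print("stego suspicious:", is_suspicious(stego), trailing_data(stego))
```

The size difference between the original and the carrier is the giveaway when a known-good copy exists; without one, the trailing-data check above is the quickest triage, with a full segment walk as the reliable version.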
A(n) ___________ file has a hexadecimal header value of FF D8 FF E0 00 10.
JPEG
POST
Power-On Self-Test: the BIOS routine that checks the hardware at power-up before the boot sector is loaded
A number of tools, and even some Windows utilities, are available to help you analyze live data on a Windows system. Use _____________ to view process and thread statistics on a system
PsList (Sysinternals PsTools)
__________ has also been used to protect copyrighted material by inserting digital watermarks.
Steganography
The image format XIF is derived from the more common ____________ file format.
TIFF
Which of the following statements is true regarding the categories into which P2 Commander has presorted files?
They make it easy to search for files on the evidence drive
Patriot Act
This law, passed after 9/11, expanded the tools used to fight terrorism and improved communication between law enforcement and intelligence agencies
GTK+, on which GNOME is built, is a cross-platform toolkit for creating graphical user interfaces
True
Like Windows, Linux has a number of logs that can be very interesting for a forensic investigation. The /var/log/ log is the printer log; it gives you a record of any items that have been printed from this machine
True
Snort is an open-source intrusion detection system (IDS)
True
_________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes
Vector graphics
The ________ header starts with a hexadecimal value of 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03
XIF
_____ images store graphics information as grids of individual pixels
bitmap
In the Linux boot process, the MBR loads a ___________ program, such as LILO or GRUB
boot loader
How can forensic investigators prove the evidence was not altered during the course of an investigation?
By showing that the hash code computed before the data was reviewed is identical to the hash code computed after the investigation
Recovering pieces of a file is called ____.
carving
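Added example, not from the course flashcards: the file-signature and carving ideas from the cards above (JPEG FF D8 FF E0 00 10, TIFF/XIF 49 49 2A, examining a header with a hex editor, carving) in working Python. The evidence blob is constructed inline; its embedded "pictures" are signature bytes plus filler, not real images, and the PNG and big-endian TIFF signatures are included only for contrast.

```python
# Added example, not from the course flashcards: identify a file type from its
# header bytes, show the header the way a hex editor does, and carve JPEGs out
# of a raw byte blob by header/footer.  BLOB is constructed inline as a
# stand-in for an evidence image; its "pictures" are header + filler + EOI,
# not real images.

# Magic bytes from the flashcards (JPEG/JFIF FF D8 FF E0 00 10, TIFF
# little-endian 49 49 2A 00, which XIF shares), plus the JPEG/Exif, big-endian
# TIFF and PNG signatures for contrast.
SIGNATURES = {
    "JPEG/JFIF": b"\xff\xd8\xff\xe0\x00\x10",
    "JPEG/Exif": b"\xff\xd8\xff\xe1",
    "TIFF little-endian (also XIF)": b"\x49\x49\x2a\x00",
    "TIFF big-endian": b"\x4d\x4d\x00\x2a",
    "PNG": b"\x89PNG\r\n\x1a\n",
}
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image followed by a marker byte
JPEG_EOI = b"\xff\xd9"       # End Of Image


def identify(data: bytes) -> str:
    """Classify by header bytes, ignoring the file name or extension."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset, hex bytes and ASCII column, like a hex editor's view."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


def carve_jpegs(blob: bytes, max_size: int = 10_000_000) -> list:
    """Header/footer carving: every FF D8 FF ... FF D9 span, with its offset.

    A header with no footer anywhere after it is treated as truncated and not
    returned; production carvers usually save such fragments up to max_size.
    """
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break                          # no footer anywhere after this header
        if end + len(JPEG_EOI) - start > max_size:
            pos = start + 1                # too far apart: treat header as a false hit
            continue
        found.append((start, blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


# Constructed evidence blob: slack, a JFIF file, text, a TIFF header, an Exif
# JPEG, and a truncated JPEG header with no footer.
JPEG_A = SIGNATURES["JPEG/JFIF"] + b"JFIF\x00" + b"\x11" * 40 + JPEG_EOI
JPEG_B = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"\x22" * 40 + JPEG_EOI
TIFF_HDR = b"\x49\x49\x2a\x00\x08\x00\x00\x00"
BLOB = (b"\x00" * 13 + JPEG_A + b"unallocated slack" + TIFF_HDR
        + b"\x33" * 9 + JPEG_B + b"\xff\xd8\xff\xe0truncated")

if __name__ == "__main__":
    for offset, data in carve_jpegs(BLOB):
        print(f"offset {offset}: {identify(data)}, {len(data)} bytes")
        print(hexdump(data[:16]))
    print(identify(TIFF_HDR), identify(b"not an image"))
```

Note that carving by header and footer alone cannot tell a JPEG that was fragmented on disk from a contiguous one, which is why the max_size guard exists and why carved output should itself be opened in a viewer and hashed rather than trusted blindly.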
As you drill down within the file structure, the drives, directories, sub-directories, and folders of the evidence drive are added to the P2 Commander:
case file
When working with image files, computer investigators also need to be aware of ________ laws to guard against copyright violations
copyright
Electronic Communications Privacy Act (ECPA)
Creates statutory restrictions on government access to electronic communications evidence held by ISPs or other electronic communications service providers
You can use the ________ command to make a physical image of what is live in memory.
dd
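Added example, not from the course flashcards: a dd-style acquisition in Python, with the before-and-after hash check from the card on proving that evidence was not altered. Source is a constructed stand-in for a block device (its contents and the failing block are made up); the equivalent commands for a real device are in the comments. The example also shows why dd's conv=noerror,sync options matter and why, after a read error, the image hash cannot equal a hash of the device itself, so the image's own hash is what gets recorded. The same copy-and-hash discipline applies to a memory image, though modern Linux kernels restrict raw /dev/mem access and a kernel module such as LiME is normally used for RAM capture.

```python
# Added example, not from the course flashcards: a dd-style block copy of an
# evidence source with conv=noerror,sync semantics, and hashing before and
# after so the image can later be shown unaltered.  Source is a constructed
# stand-in for a block device (the data and the "bad block" are made up); with
# a real device the equivalent is roughly
#   dd if=/dev/sdb of=evidence.dd bs=512 conv=noerror,sync
#   sha256sum /dev/sdb evidence.dd
import hashlib

BLOCK = 512
DATA = bytes(range(256)) * 8               # constructed 2048-byte "device" contents


class Source:
    """Constructed stand-in for a disk or memory device read in fixed blocks."""

    def __init__(self, data: bytes, bad_blocks=()):
        self.data = data
        self.bad = set(bad_blocks)          # block indexes that fail to read

    def read_block(self, idx: int, block: int) -> bytes:
        if idx in self.bad:
            raise OSError(f"I/O error reading block {idx}")
        return self.data[idx * block:(idx + 1) * block]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(src: Source, block: int = BLOCK):
    """Copy every block of src into an image.

    noerror: an unreadable block is logged instead of aborting the copy.
    sync:    unreadable or short blocks are zero-padded to a full block so
             later offsets in the image still line up with the device.
    Returns (image_bytes, list_of_bad_block_indexes).
    """
    image, bad, idx = bytearray(), [], 0
    while True:
        try:
            buf = src.read_block(idx, block)
        except OSError:
            bad.append(idx)
            buf = b"\x00" * block
        if not buf:
            break                           # past the end of the device
        image += buf.ljust(block, b"\x00")
        idx += 1
    return bytes(image), bad


def verify(image: bytes, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256(image) == recorded_hash


if __name__ == "__main__":
    img, bad = acquire(Source(DATA))
    h = sha256(img)
    print("clean image matches device:", sha256(DATA) == h, "bad blocks:", bad)
    img2, bad2 = acquire(Source(DATA, bad_blocks=[2]))
    print("damaged image matches device:", sha256(DATA) == sha256(img2), "bad blocks:", bad2)
    print("image unaltered later:", verify(img, h))
    print("one flipped bit detected:", not verify(bytes([img[0] ^ 1]) + img[1:], h))
```

Record the image hash and the bad-block list together at acquisition time: a single flipped bit anywhere in the image changes the digest, which is exactly what makes the before/after comparison on the card a usable proof.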
The process of converting raw picture data to another format is referred to as
demosaicing
Which of the following is the definition of heap?
Dynamic memory for a program comes from the heap segment; a process may use a memory allocator such as malloc to request dynamic memory
How is an audit trail of every machine through which an e-mail message has passed created?
Each server along the way adds its own information to the message header
P2 Commander includes a(n) ___________ that enables the investigator to sort, search, scan, and otherwise work with the e-mail data to find the data most relevant to the case.
email analyzer
The ____________ keeps a record of the message's journey as it travels through the communications network
email message header
______________ compression compresses data by permanently discarding bits of information in the file
lossy
What term is used to describe one of the five sections of the Windows Registry?
registry key
______________ is the art of hiding information inside image files
steganography
What is meant by a slurred image?
The result of acquiring a file as it is being updated
At a minimum, an e-mail message header must include
the sender's account and the date
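Added example, not from the course flashcards: parsing a message's Received: chain to rebuild the audit trail described in the cards above, and checking that the minimum header fields (the sender's account and the date) are present. The message RAW is constructed for the example; every hostname, IP address, mailbox and queue id in it is made up.

```python
# Added example, not from the course flashcards: reconstruct the path an e-mail
# took from its Received: headers and check the minimum header fields.  RAW is
# a constructed message; every hostname, address, IP and queue id in it is
# made up.
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

RAW = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.victim.example (Postfix) with ESMTPS id 4A1B2C3
\tfor <alice@victim.example>; Tue, 05 Mar 2024 09:14:02 +0000
Received: from relay.example.org (relay.example.org [203.0.113.20])
\tby mx2.example.net with ESMTP; Tue, 05 Mar 2024 09:13:58 +0000
Received: from [192.0.2.33] (unknown [192.0.2.33])
\tby relay.example.org with SMTP; Tue, 05 Mar 2024 09:13:55 +0000
From: "Bob" <bob@example.org>
To: alice@victim.example
Date: Tue, 05 Mar 2024 09:13:50 +0000
Subject: invoice

see attached
"""

RECEIVED_RE = re.compile(r"from\s+(?P<frm>\S+).*?\s+by\s+(?P<by>\S+)", re.S)


def hops(raw: str) -> list:
    """Return (from_host, by_host, timestamp) per hop, oldest hop first.

    Each server prepends its own Received: line, so the header nearest the
    body is the first hop and the top one is the last server before delivery.
    """
    msg = email.message_from_string(raw)
    path = []
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(hdr)
        stamp = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else ""
        path.append((m.group("frm") if m else "?", m.group("by") if m else "?", stamp))
    return path


def timeline_consistent(path: list) -> bool:
    """Timestamps should not go backwards along the path; a hop that does
    points to clock skew or a forged Received: line."""
    times = [parsedate_to_datetime(ts) for _, _, ts in path if ts]
    return all(a <= b for a, b in zip(times, times[1:]))


def minimum_headers(raw: str):
    """The sender's account and the date, the minimum a header must carry."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1] or None, msg.get("Date")


if __name__ == "__main__":
    for frm, by, stamp in hops(RAW):
        print(f"{frm:>20} -> {by:<22} {stamp}")
    print("timeline consistent:", timeline_consistent(hops(RAW)))
    print("sender, date:", minimum_headers(RAW))
```

Only the Received: lines added by servers you control (the ones at the top of the chain) can be trusted; a sender can forge any number of lines below them, which is why the path is read from the receiving end and checked for timestamp order rather than taken at face value.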
All versions of Windows support logging. The Applications and Services log is used to store events from a single application or component rather than events that might have system-wide impact
true
The swap file is also referred to as virtual memory
true
The Windows Registry is a central repository of configuration information for the operating system, applications, and users on a Windows system
true
A mail server is like an electronic post office: it sends and receives electronic mail
true
Simple Mail Transfer Protocol (SMTP) is a protocol used to send e-mail that works on port 25
true
_____________________ is a live-system forensics technique in which you collect a memory dump and perform analysis in an isolated environment.
volatile memory analysis
Internet Message Access Protocol (IMAP)
Operates on TCP port 143. The main advantage of IMAP over POP3 is that it allows the client to download only the email headers, so the user can choose which messages to download completely.
P2 Commander includes the option to calculate hash codes for drives and partitions. When this option is selected:
P2 Commander automatically creates hash codes for the data on the evidence drive
Which Linux shell command lists all currently running processes that the user has started ( any program or daemon is a process)
PS
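Added example, not from the course flashcards: a ps-like process listing built by reading the in-memory /proc file system from the earlier card, with a parser for /proc/<pid>/status. SAMPLE_STATUS is a constructed excerpt (the process name, pid and uid are made up) so the parser can be checked on any host; list_processes() reads the live /proc on a Linux host and returns an empty list elsewhere.

```python
# Added example, not from the course flashcards: build a process list the way
# ps does, by reading the kernel's in-memory /proc file system rather than a
# file on disk.  parse_status() is shown on a constructed /proc/<pid>/status
# excerpt (the process name, pid and uid are made up) so it can be checked on
# any host; list_processes() reads the live /proc where one exists.
import os

SAMPLE_STATUS = """\
Name:\tsshd
State:\tS (sleeping)
Pid:\t4242
PPid:\t1
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Threads:\t1
"""


def parse_status(text: str) -> dict:
    """Pull name, state, pid, ppid and real uid out of a status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return {
        "name": fields.get("Name", "?"),
        "state": fields.get("State", "?").split()[0],
        "pid": int(fields["Pid"]),
        "ppid": int(fields["PPid"]),
        "uid": int(fields["Uid"].split()[0]),     # real uid is the first column
    }


def list_processes(proc: str = "/proc") -> list:
    """Walk /proc/<pid>/ like `ps -e`; returns [] on a host without /proc."""
    procs = []
    if not os.path.isdir(proc):
        return procs
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue                               # not a pid directory
        try:
            with open(os.path.join(proc, entry, "status")) as f:
                info = parse_status(f.read())
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                argv = f.read().split(b"\0")
            info["cmdline"] = " ".join(a.decode(errors="replace") for a in argv if a)
        except (OSError, KeyError, ValueError):
            continue     # process exited between listdir and open, or unreadable
        procs.append(info)
    return procs


def by_user(procs: list, uid: int) -> list:
    """`ps -u <uid>` equivalent: processes owned by one real uid."""
    return [p for p in procs if p["uid"] == uid]


def self_visible():
    """True if this interpreter shows up in its own /proc walk; None without /proc."""
    procs = list_processes()
    if not procs:
        return None
    return any(p["pid"] == os.getpid() for p in procs)


if __name__ == "__main__":
    for p in sorted(list_processes(), key=lambda p: p["pid"])[:10]:
        print(f"{p['pid']:>6} {p['ppid']:>6} {p['uid']:>5} {p['state']} {p['name']:<16} {p['cmdline']}")
```

Because /proc is a view of kernel memory, a listing taken this way is only as honest as the kernel serving it: a rootkit that hooks the directory listing hides from ps and from this script alike, which is one reason a memory image is examined offline with separate tooling.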
