C840/D431 - Digital Forensics Practice Questions
Where do deleted Apple iPhone/iPad files go?
/.Trashes/501
What's inside an email header?
An email header is a section of an email message that contains metadata about the message, such as the sender and recipient information, date and time of sending, and information about the email server that handled the message.
What programs uses AFF file format?
Autopsy and Sleuth Kit use the AFF format because it offers flexibility, scalability, compression, and encryption, which are important features for digital forensic investigations.
Which law requires a free opt-out option?
CAN-SPAM Act. The CAN-SPAM Act is a U.S. law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.
What is the legal requirement for granting consent for a property, according to court rulings?
Courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner.
What is Forensic Toolkit particularly useful for?
Cracking passwords. FTK also provides tools to search and analyze the Windows Registry.
What is .db?
DB stands for Database. It is a generic file format used to store structured data in a database. The format may vary depending on the database management system (DBMS) being used.
What's Data Doctor?
Data Doctor Forensic Software is a powerful tool used in digital forensics investigations this product recovers all Inbox and Outbox data and all contact data.
What is .edb?
EDB stands for Exchange Database. It is a file format used by Microsoft Exchange Server to store mailbox data such as emails, calendar entries, contacts, and tasks
What is .emi?
EMI stands for "Exchange Message Interface". It is a proprietary file format used by Microsoft Exchange Server to store email messages and attachments.
What is FTK (The Forensic Toolkit)?
FTK (Forensic Toolkit) is a computer forensics software made by AccessData. It scans a hard drive looking for various information and can potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption1. It is intended to be a complete computer forensics solution.
What would be used to make a bit-by-bit copy of a windows 8 computer?
FTK Imager can create a forensic disk image of a Windows 8 computer by creating a bit-by-bit copy of the entire hard drive or storage media, including any deleted or hidden data.
What would be used to detect files leaving the network using steganography?
FTK is likely to be most effective in detecting steganographically hidden files leaving the network.
What is .mbx or .dbx?
File formats used by older versions of Microsoft Outlook Express to store email messages. They have largely been replaced by newer file formats like .pst and .ost
What are the two modern forensics tools to check steganography?
Forensic Toolkit (FTK) and EnCase both check for steganography.
What programs can image a phone for you?
Forensic Toolkit and EnCase
Which type of data are the authorities allowed to get from service providers?
In general, authorities may be allowed to obtain basic subscriber information such as the name, address, and phone number of an account holder. This information may be obtained without a warrant in some cases, depending on the specific circumstances and applicable laws.
What are the five types of drive connections?
Integrated Drive Electronics (IDE) [spoiler answer], Extended Integrated Drive Electronics (EIDE), Parallel Advanced Technology Attachment (PATA), Serial Advanced Technology Attachment (SATA), Serial SCSI.
What is Internet Forensics?
Internet forensics is the process of piecing together where and when a user has been on the internet. For example, you can use internet forensics to determine whether inappropriate internet content access and downloading were accidental
What is in the /etc directory?
Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system's configuration. Sometimes this is done in order to facilitate the criminal's return to the system later. The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File. This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.
What does the command /var/log/lpr do?
Linux Printer Log. /var/log/lpr is a directory on Linux/Unix systems where log files related to the Line Printer (lpr) service are stored, containing information about printing jobs submitted to the system via the lpr service.
What is mbx?
MBX is a file format used by Eudora email client to store email messages.
What command prompt does MAC use?
Mac OS is a bash shell so you can execute Linux commands.
What does the /Users/<user>/.bash_history log do?
Mac OS is based on FreeBSD, a Unix variant. When you launch the terminal window, what you actually get is a BASH shell. So this particular log can be very interesting. It will show you a variety of commands. You might look for commands such as rm, which would be removing or deleting something, or commands like dd, indicating the user might have tried to make an image of the drive.
What are cryptographic hashes?
Many systems store passwords in hash format. Windows will then store that hash in the SAM (Security Accounts Manager) file in the Windows System directory.
How does NAND work?
Most SSDs use Negated AND (NAND) gate-based flash memory, which retains memory even without power.
What type of memory technology is commonly used in SSDs, and what unique feature does it possess that allows it to retain memory even without power?
Most SSDs use Negated AND (NAND) gate-based flash memory, which retains memory even without power.
Which storage tech uses NAND?
NAND is a type of flash memory technology commonly used in SSDs, USB drives, and memory cards.
What is .ost?
Offline Outlook Storage. OST stands for "Offline Storage Table". It is a file format used by Microsoft Outlook to store a synchronized copy of a user's mailbox on their local computer. The OST file allows users to access their mailbox even when they are not connected to the Exchange Server.
What is one of the first steps in any forensic examination and why are logs important when examining a Windows, Linux or Apple computer?
One of the first steps in any forensic examination should be to check the logs. Remember that logs are very important when examining a Windows or a Linux computer. They are just as important when examining an Apple computer. This section examines the Mac OS logs and what is contained in them.
What is a common method of Steganography?
One of the most common methods of performing this technique is the least significant bit (LSB) method (when the last bit or least significant bit is used to store data).
What is Ophcrack?
Ophcrack is a popular hacking tool that depends on rainbows tables. Ophcrack is usually very successful at cracking Windows local machine passwords.
What is .pst? ( Outlook )
PST stands for "Personal Storage Table". It is a file format used by Microsoft Outlook to store email, calendar, and contact information. It can be exported from Exchange Server for backup or archiving purposes.
A forensic specialist is getting ready to collect digital evidence. What should they do first?
Review the Chain of Custody. The first step in collecting digital evidence is to carefully review and document the chain of custody. This involves documenting who has had access to the device or data, when it was accessed, and any changes made to it since the incident occurred. By carefully documenting the chain of custody, the specialist can ensure that the evidence is admissible in court and has not been tampered with.
What are the supporting files of HKEY_LOCAL_MACHINE\SAM?
Sam, Sam.log, Sam.sav
Which tool can do a workflow check of steganography?
StegExpose is an open-source steganalysis tool that can detect hidden information in image files. It can detect a wide range of steganographic techniques, including JSteg, F5, and OutGuess.
What is Steganalysis?
Steganalysis is the process of analyzing a file or files for hidden content
What is steganography used for?
Steganography is the practice of concealing a message, image, or file within another message, image, or file in such a way that it is difficult to detect or decipher the hidden content.
What is AFF?
The Advanced Forensic Format (AFF) is a file format used in digital forensics to store disk images, file systems, and other digital evidence used by Sleuth Kit and Autopsy.
What is AFF?
The Advanced Forensic Format (AFF) is a file format used in digital forensics to store disk images, file systems, and other digital evidence.
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a US law that requires website operators to obtain parental consent before collecting personal information from children under the age of 13.
What is CALEA?
The Communications Assistance for Law Enforcement Act (CALEA) is a US law that requires telecommunications companies to make their networks and services accessible to law enforcement agencies for lawful interception and surveillance of electronic. (Wiretap)
What is CSA?
The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
What is ECPA?
The Electronic Communications Privacy Act (ECPA) is a US law that governs the interception of electronic communications, including email, voicemail, and other forms of digital communication.
What is the role The ForwardedEvents log?
The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.
Where would they find logs about connections to remote computers?
The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.
What is 4th Amendment?
The Fourth Amendment to the US Constitution protects citizens from unreasonable searches and seizures by the government. In the context of digital forensics, this means that law enforcement must obtain a warrant before conducting a search of digital devices or networks.
What are GUID Partition Tables?
The GUID Partition Table is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Mac OS machines can boot only from drives that use the GUID Partition Table.
What is .odt?
The OpenDocument Text (ODT) format is an open standard file format used for storing text documents. It is used by many word processing applications, including LibreOffice and OpenOffice.
What is The Sarbanes-Oxley Act of 2002?
The Sarbanes-Oxley Act of 2002 contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.
What is the role of System Log?
The System log contains events logged by Windows system components. This includes events like driver failures. This particular log is not as interesting from a forensics perspective as the other logs are.
What is the role of Windows Swap File?
The Windows swap file is used to augment the RAM. Essentially, it is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.
What is the Wireless Communications and Public Safety Act of 1999?
The Wireless Communications and Public Safety Act of 1999 allows for collection and use of "empty" communications, which means nonverbal and nontext communications, such as GPS information.
Law for being able to collect GPS location?
The Wireless Communications and Public Safety Act of 1999.
What is does the term "carrier" mean in stegangraphy?
The carrier (or carrier file) is the signal, stream, or file in which the payload is hidden.
What is does the term "channel" mean in Stegangraphy?
The channel is the type of medium used. This may be a passive channel, such as photos, video, or sound files, or even an active channel, such as a Voice over IP (VoIP) voice call or streaming video connection.
What is the significance of EnCase's MD5 hash in relation to the evidence file and how is it used to ensure the integrity of the data on the hard drive?
The evidence file is an exact copy of the hard drive. EnCase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alterations, or errors.
What is SCA?
The focus of Chapter 31 is the Stored Communications Act, 18 U.S.C. §§ 2701-12 ("SCA"). The SCA governs how investigators can obtain stored account records and contents from network service providers, including Internet service providers ("ISPs"), telephone companies, and cell phone service providers. SCA issues arise often in cases involving the Internet: when investigators seek stored information concerning Internet accounts from providers of Internet service [source: DOJ-Manual.pdf (clarkcunningham.org)]
What does the term "payload" mean in stegangraphy?
The term "payload" refers to the information covertly communicated (basically the message you want to hide).
What is 8 US 2252B?
This is a section of US law that deals with the production, distribution, and possession of child pornography, and imposes criminal penalties for these activities.
What is the role of Application log?
This log contains various events logged by applications or programs. Many applications record their errors here in the Application log.
What is Data Doctor?
This product recovers all Inbox and Outbox data and all contacts data, and has an easy-to-use interface. Available from simrestore.com.
What is Encase?
This tool allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine.
What does Pwnage do?
This utility allows you to unlock a locked iPod Touch and is available from https://pwnage.com/.
What is Transactional Data and does it require a warrant?
Transactional data such as call logs, text messages, and internet usage records may also be obtained by authorities in some cases, but typically require a warrant or court order. The specific requirements for obtaining this type of data will depend on the laws and regulations of the jurisdiction in question.
Which law suggests setting up forensic laboratories?
US Patriot Act. The USA Patriot Act is a law passed by the US Congress in response to the 9/11 terrorist attacks. It includes provisions for the establishment and funding of forensic laboratories to assist law enforcement agencies in the investigation and prosecution of terrorism and other crimes. The Act also provides for the training and certification of forensic specialists and the development of standards and protocols for the collection and analysis of evidence.
Which law led to the creation of the Electronic Crimes Task Force?
USA PATRIOT Act. The USA PATRIOT Act included provisions for the establishment of the ECTF to combat electronic crimes, including cyberterrorism and other computer-related offenses.
Are warrants needed when evidence in plain sight?
Warrants are not needed when evidence is in plain sight.
Where do deleted files go on Apple mobile products?
When a file is deleted from an iPhone, iPad, or iPod, it is actually moved to the .Trashes\501 folder. Essentially, the data is still there until it is overwritten, so recently deleted files can be retrieved.
Where does windows store pw?
Windows stores hashed passwords in the SAM (Security Accounts Manager).
What can be used to unlock an iPhone?
XRY can be used to bruteforce iPhone devices it tries multiple pins to gain access to device.
What is a tool used to breaking an iPhone passcode?
XRY is a tool that can break iPhone passcodes.
