Chapter 09: Digital Forensics Analysis and Validation
____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
Brute-force
One way to hide partitions is with the Windows disk partition utility, ____.
diskpart
You begin a digital forensics case by creating a(n) ____.
investigation plan
The term ____ comes from the Greek word for "hidden writing."
steganography
In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
subpoenas
Private-sector cases, such as employee abuse investigations, might not specify limitations in recovering data.
True
Several password-cracking tools are available for handling password-protected data or systems.
True
Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades.
True
The defense request for full discovery of digital evidence applies only to criminal cases in the United States.
True
People who want to hide data can also use advanced encryption programs, such as PGP or ____.
BestCrypt
Progressing to make any current encryption schemes obsolete
Quantum computing
A file containing the hash values for every possible password that can be generated from a computer's keyboard
Rainbow table
WinHex provides several hashing algorithms, such as MD5 and ____.
SHA-1
Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
Salting password
____ alters hash values, which makes cracking passwords more difficult.
Salting passwords
Limit a civil investigation
Court orders for discovery
The original file with no hidden message
Cover-media
Program used to clean all data from the target drive you plan to use
Digital Intelligence PDWipe
____ have some limitations in performing hashing, however, so using advanced ____ is necessary to ensure data integrity.
Digital forensics tools, hexadecimal editors
____ increases the time and resources needed to extract, analyze, and present evidence.
Scope creep
The data-hiding technique of marking bad clusters is more common with ____ file systems.
FAT
Autopsy for Windows cannot analyze data from image files from other vendors.
False
Autopsy for Windows cannot perform forensics analysis on FAT file systems.
False
Most organizations keep e-mail for longer than 90 days.
False
When viewing two files that look the same, but one has an invisible digital watermark, they appear to be the same file, except for their sizes.
False
Defines the investigation's goal and scope, the materials needed, and the tasks to perform
Investigation plan
AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.
KFF
Many password-protected OSs and applications store passwords in the form of ____ or SHA hash values.
MD5
To enhance searching for and eliminating known OS and application files, Autopsy has an indexed version of the NIST ____ of MD5 hashes.
NSRL
A password recovery program available from AccessData
PRTK
____ recovery is becoming more common in digital forensic analysis.
Password
____ is defined as hiding messages in such a way that only the intended recipient knows the message is there.
Steganography
The converted cover-media file that stores the hidden message
Stego-media
For static acquisitions, remove the original drive from the computer, if practical, and then check the date and time values in the system's CMOS.
True
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.
True
One of the most critical aspects of computer forensics
Validating digital evidence
The data-hiding technique ____ changes data from readable code to data that looks like binary executable code.
bit-shifting
Data ____ involves changing or manipulating a file to conceal information.
hiding
Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
key escrow
Criminal investigations are limited to finding data defined in the search ____.
warrant