CJE 1682 Tracking and Profiling Hackers and Pedophiles
Which of the following are valid metafiles used by the Windows NFTS file system and can be used by hackers to hide data?
$BADCLUS
Which of the following entities hosts the Home Location Register database?
*Mobile Switching Center Base Transceiver Station Base Station Controller Visiter Location Register
After seizing a telephone, it occurs to you that cohorts of the suspect may hack into the phone and wipe it clean before you can examine it back at the lab. You don't have anything in which to store the phone which would block incoming signals, and because the phone is password-encoded, you need to keep it running. What else might you do to prevent this from happening?
*Put the phone in Airline Mode Pull the SIM card Enable call-waiting Pray
The mobile switching center provides which of the following services?
*Transfer land line calls to a cellular tower Manage tranceiver equipment and assign channels Communicate with mobile devices Hand off signals from one tower to another as the subscriber moves between areas of coverage
On a Windows XP machine, memory is treated as a physical device. The internal address for memory in XP is ________.
//physicalmemory
A 100Mb Ethernet connection would require approximately ________ of storage space to archive an hour's worth of network capture.
45MB
The average area of coverage for most cell towers is ________ square miles.
5 *10 14 22
Many modern computer systems have a function called the Device Configuration Overlay (DCO). Which of the following best describes the DCO?
A hidden partition not accessible to the file system that can be used to store configuration data and also user data if the user has the appropriate utilities
The incidence of multiple sites appearing in a web browser in just a few seconds as the result of clicking on a single link is a phenomenon called ________.
A popup bomb
In the Windows registry, what is a user's profile identified by?
A security identifer generated by Windows
Wiles and Reyes identified four critical characteristics that an evidence storage facility must possess. Which of the following helps describe a good lockup?
Access to the storage facility is limited to authorized storage custodians.
Which of the following statements best describes the concept of resource pooling?
All available resources of the service provider are readily available to all clients in a multitenant environment.
The NTFS file system holds a substantial amount of metadata in the $MFT file. Which of the following is not stored in this metafile?
Author's name
Most operating systems create a significant number of temporary files in the course of operation. Which one of the following might leave behind "footprints" if the computer is not shut down gracefully?
Autosave files Print spooler files Undo files *All of these
Why is it that most conventional applications are incapable of copying live memory from a computer system?
Because direct access to system memory requires a kernel-mode procedure call. Most applications only have user-mode access.
What does the term forensics actually mean?
Belonging to or usable in a a court of judicature or a public debate
Which of the following is the correct term for the smallest data unit that can be read by an operating system?
Bit
Which of the following features of Windows allows a user to dynamically encrypt selected files and folders?
Bitlocker
In the image below, identify which of the rectangles identifies the actual domain of the email user. billybob(a)@(b)mailbox.com(c)
C
By default, Internet Explorer stores cached files in the ________ directory.
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\
Which of the following is part of the process of initial response when beginning a forensic investigation that involves a network examination?
Capture traffic between the suspect's computer and the rest of the network.
You are investigating a case in which the suspect is thought to have been transmitting classified information by hiding the data in MP3 files of popular songs and posting them in the Internet. The MP3 file in this scenario would be known as a ________.
Carrier file
Which of the following actions will affect how a file behaves when you double-click on the file name in Windows Explorer?
Changing the file extension
A coalition of libraries across the state pool their funds and build a cloud exclusively for the use of any library patron who wishes to use their services. One of the larger libraries which has the luxury of an experienced IT support staff has taken on the responsibility of maintaining and administering the cloud. This is an example of a ________ cloud.
Community
Which Linux utility is often used to make forensic disk images?
DD
Which of the following command-line utilities is capable of making a forensic image of a hard disk, assuming that a valid form of write-protection is in place?
DD
Foremost is a form of ________ utility.
Data carving
Which of the following is the best definition of the term metadata?
Data that describes data
The Web Historian application allows the investigator to create files that can be viewed in other applications by saving the output as a CSV file. Such a file is best opened in ________.
Excel
Which of the following file systems uses magic numbers to identify files to the operating system?
Ext3
A DoD approved disk wiping utility works by instructing the hard disk controller to apply a strong magnetic field to the disk surface, thereby electronically erasing the information from the disk.
False
Emptying the Recycle Bin in Windows permanently deletes the data from the surface of the medium.
False
If a user selects the option of deleting all cached files each time Internet Explorer closes, all cookies will be deleted as well.
False
In a cloud based document management system, the file metadata that indicates when it was created, last accessed, and last edited is all embedded within each file.
False
It is not possible to image a telephone the way one does a hard disk.
False
Knowledge of possession is not critical in proving culpability in a case involving possession of contraband data on a computer system.
False
Prior to becoming a qualified digital forensic investigator, a person must prove their ability as a computer scientist.
False
The fact that the files specific to a particular web page were all deleted on the same day is proof that the user had "knowledge of possession."
False
There are three primary forms of service that is typically available from a cloud service provider. One of these services is called Security as a Service.
False
You are working on a criminal case in which a spreadsheet found on the computer system indicates that the victim transferred money to the suspect just days before the crime was committed. You provide a hard copy of the spreadsheet, printed in landscape format, along with the digital file. The judge is most likely going to reject one or the other as evidence because they represent duplicate items.
False
You work for a large organization that has established its own digital investigation department for handling internal problems and electronic discovery motions. All employees of the organization are required to sign a notice stating that they have read the company policy, which includes a statement that says the company maintains the right to monitor all computer use by employees. Acting on the basis of that policy, you place keyloggers onto the computers of several employees suspected of selling proprietary information to the competition. Their lawyers sue, saying that in spite of the signed statement, since the statement did not specifically mention the use of keyloggers, the action was covered under the wiretap provisions. The employees are most likely going to win that case.
False
When transporting a cellular telephone as evidence you want to prevent anyone from making contact with the device. In order to do that, you store the phone in a ________.
Faraday bag
In addition to collecting actual keystrokes of a user, what else can advanced keylogger applications such as Watchdog collect?
File system resources Applications that were launched What files were downloaded *All of the above
You are examining a Linux box with multiple email accounts configured. You know which of the accounts holds the message you seek and you even have a few key words that you know are contained in the message. Which of the following utilities will you use to find those messages?
GREP
Individual user profiles are store in the ________ hive of the Windows registry.
HKEY_USERS
An email message that is intended to include complex formatting or graphics needs to have the ________ protocol enabled.
HTML
You are investigating a case of illegal piracy and distribution of copyrighted music. The local court has issued you a warrant to search all computer resources owned, operated, or managed by the suspect. In the course of your search, you find that the files in question are all stored on a cloud drive leased by this person. The suspect refuses to reveal the password. Which of the following solutions would work best for your situation?
In order to access servers controlled by the cloud provider, you are going to have to get a new court order issued. Your current warrant does not allow you to go onto the provider's systems.
After concluding an extensive cost analysis, executive management from your company has decided to outsource their servers, operating systems, applications, and support services to a cloud provider. Which service are they obtaining?
Infrastructure as Service
In order to make a forensically sound copy of a hard disk for analysis, it is critical that you employ a write-blocker. What does this device do that makes for a sound copy?
It prevents the OS from making any changes to the metadata of files as they are being copied.
Where does an application look when figuring out whether or not it can open a file, and how to manage the file, when asked by a user to open it?
It reads the file header
You have been called to the scene of a crime. One of the rooms on the premises has been set up as a small home office. The computer is running, You have a warrant to seize the computer, so your team gets ready to pack it up and haul it away. What is the proper approach?
Leave the device running until a determination is made whether or not to capture live memory.
Many years ago a scientist pointed out that everything a person or object touches is affected by that contact. And when departing the scene, the object will take a part of the scene with it. This idea was accepted a fact and became known as the ________.
Locard's Exchange Principle
The defined standard for the structure of an email is ________.
MIME
Which of the following agents is called upon when moving a message from one user to another?
Mail transport agent
Which of the following agents is called upon when linking the email client to a specific Windows profile?
Mail user agent
Leave the device running until a determination is made whether or not to capture live memory.
Master file table
The INFO2 file was a place for storing deleted files in which file system?
NTFS
Which of the following file systems supports alternate data streams?
NTFS 4.0
A router's operating system files are typically loaded in ________.
NVRAM
You are one of the first to arrive on a scene and you are asked to perform live memory capture on a machine reporting 4GB of RAM. Upon completion, the size of your actual image file is closer to 5GB. What happened? Did you mess up the memory capture?
No. The 4GB reported is RAM. The utility you used to capture system memory also was able to capture some of the device cache memory on the system.
In the Windows operating systems, deleting a file performs which of the following actions on the data stored on the surface of the medium?
Nothing happens to the data at this point. It is simply moved from the original folder to a hidden folder in the Recycle Bin.
In the Windows operating systems, deleting a file from the Recycle Bin performs which of the following actions on the data stored on the surface of the medium?
Nothing happens to the data at this point. The allocation marker for the file is simply reset.
Which of the following best defines the concept of spoofing?
Obfuscating truth with false information
Two forms of network data capture are PCAP and PCAP-NG. What are the differences between the two? (Select all that apply.)
PCAP-NG collected extended time-stamp information.
When evaluating the efficiency of a search operation, you take a look at the ratio of true positives to false positives. The correct term for this statistic is ________.
Precision
Before you can collect live network data for analysis, you must first place your network interface into ________ mode.
Promiscuous
A local Internet service provider upgrades their infrastructure and begins providing cloud services to all of its subscribers. This is an example of a ________ cloud.
Public
Which of the following statements best describes the concept of measured service?
Resource consumption is monitored and reported accurately, assuring that the client does not pay for more services than are actually consumed.
Arriving on the scene of a potential crime, you are asked to examine a computer. Before taking it down for transport you decide to do a live memory analysis. In the process you discover that a particularly malevolent piece of malware has been installed that will irreparably damage the file system if anyone but the original user logs on. What is the proper name for such a program?
Rootkit
The cell phone's operating system is stored on the ________ of the phone.
SIM RAM SSD *ROM
Which of the following utilities was native to the Windows operating system and can be used to do string searches across multiple directories?
STRINGS
Examine the following image and identify which of the following services it best defines.
Software as a service
Which of the following terms is used to describe data hidden inside of another seemingly innocent file?
Steganography
When a USB device is inserted into a computer, a device driver is loaded. In which of the following logs is this event recorded?
System
Many people in modern society have the notion that hard disks can be searched in a hour and files can be recovered from incinerated hard disks just by hooking them up to a computer. Experts have a term for this delusion. It is called ________.
The CSI effect
Every change that is made to a hard disk leaves behind artifacts of that change. Erased data leaves behind file system artifacts even if the data is overwritten on the disk. Electrical charges are altered...metadata is changed. All of these examples are evidence of ________ at work.
The Locard's Exchange Principle
A person is trying to hide her tracks after doing some things she shouldn't have on a computer system. She changes all of the file extensions for a bunch of document files from DOC to AVI. What does that do to the actual file?
The alteration changes how the file interacts with the OS and with the applications that should be able to open it.
When capturing live memory from a computer system what is meant by the term footprint?
The amount of memory on the target system required by the software tools being used to capture memory.
Which of the following definitions most appropriately describes a partition slack on a hard disk?
The area between the end of any logical partition and the end of the block of sectors assigned to the partition
When analyzing a file created in Microsoft Word you see that the file was printed four days earlier than it was supposedly created. Which of the following circumstances could cause this, yet be perfectly innocent in nature?
The file was created on one machine, copied to a flash drive, then copied to this machine and finally printed.
Why can most cell phones be accurately traced to a specific location?
Their SIM card constantly transmits a signal that towers relay to the base stations. *Phones are equipped with chips configured to connect to the Global Positioning System, which pinpoints their latitude and longitude with high precision. When two towers can lock onto the phone at the same time, the spot where the distance coordinates intersect is the phone's location. A navigation system built into the phone is linked to a specific user in the company's customer database. Three or more towers that can pick up the phone's signal can use distance coordinates to pinpoint the location of the phone.
When is Live collection of data necessary?
There is an on-going exfiltration of data
The base transceiver station provides which of the following services?
Transfer land line calls to a cellular tower Manage tranceiver equipment and assign channels *Communicate with mobile devices Hand off signals from one tower to another as the subscriber moves between areas of coverage
After the conclusion of any criminal trial, if it becomes evident that an appeal is not possible, all contraband must be destroyed.
True
Even after a file is emptied from the Recycle Bin, there remains an entry for that file in the MFT.
True
In the web address www.mwgraves.com, the ".com" indicates the top level domain, while the mwgraves identifies the user domain.
True
The contents of memory on a running system will change for no apparent reason while the system is sitting there doing nothing.
True
There are three primary forms of service that are typically available from a cloud service provider. One of these services is called Infrastructure as a Service.
True
Whenever a user physically types a web address into the browser's address bar, that URL is saved in the registry.
True
In the NTFS file system, how many versions of a file name are maintained?
Two. The file name given by the user along with an MS-DOS compatible version of that name.
The technical name for a user-friendly web address is ________.
Uniform Resource Locator, previously known as Universal Resource Locator
Why is MAC data considered unreliable as primary forensic evidence?
Users can easily modify that information.
Which of the following web services provides detailed information about servers residing at a specific IP address?
WHOIS
The $Recycle.Bin file was a place for storing deleted files in which file system?
Windows 7
Which of the following utilities allows you to capture live network traffic and analyze it at your leisure?
Wireshark
A Windows utility that is useful in connecting to a router interface is ________.
a Telnet
A cellular phone customer's personal phonebook is typically stored on the ________ inside the telephone.
flash drive *SIM PUK SSD
Which if the following is not a valid example of a web schema?
http ftp gopher *was
As an investigator looking into possible employee misconduct, you decide to look into what this person was doing on the Internet. The first place you look is ________.
the browser cache for temporary Internet files
As an arresting officer, you confiscate a telephone from a person suspected of trafficking in drugs. You are concerned that his partners might hack into the phone and wipe it clean before you can examine it back at the lab. Fortunately, you have a ________ in your equipment case, so you can stop that from happening.
write blocker *faraday bag signal scrambler call blocker
