Computer Forensics CTS2381

In the Pacific Northwest, ____ meets to discuss problems that digital forensics examiners encounter. FTK FLETC CTIN IACIS

CTIN

The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence. Computer Analysis and Response Team (CART) Federal Rules of Evidence (FRE) DIBS Department of Defense Computer Forensics Laboratory (DCFL)

Computer Analysis and Response Team (CART)

____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. Disaster recovery Data recovery Computer forensics Network forensics

Data recovery

The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data

Digital Forensics

The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime. incident response digital investigations network intrusion detection litigation

Digital Investigations

A ____ plan specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing. configuration management disaster recovery security risk management

Disaster Recovery

Addresses how to restore a workstation you reconfigured for a specific investigation

Disaster Recovery Plan

A(n) ____ is a person using a computer to perform routine tasks other than systems administration. complainant investigator end user user banner

End user

Certain files, such as the ____ and Security log in Windows, might lose essential network activity records if power is terminated without a proper shutdown. Event log Password log Io.sys Word log

Event Log

Corporate investigators always have the authority to seize all computer equipment during a corporate investigation. True False

F

For daily work production, several examiners can work together in a large open area, as long as they all have different levels of authority and access needs. True False

F

ISPs can investigate computer abuse committed by their customers. T F

F

Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies. True False

F

If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is not available. True False

False

Maintaining credibility means you must form and sustain unbiased opinions of your cases. True False

False

The ANSI-ASQ National Accreditation Board (ANAB) is a wholly owned subsidiary of the American Society of Crime Laboratory Directors (ASCLD). True False

False

____ was created by police officers who wanted to formalize credentials in digital investigations. NISPOM HTCN IACIS TEMPEST

IACIS

Involves selling sensitive or confidential company information to a competitor

Industrial espionage

The process of trying to get a suspect to confess to a specific incident or crime

Interrogation

Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence

Lab Manager

Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

Line Of Authority

Linux ISO images that can be burned to a CD or DVD are referred to as ____. Linux Live CDS Forensic Linux Linux in a Box ISO CDs

Linux Live CDS

Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed

Lossy Compression

Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity. four times three times twice once

Once

ProDiscover utility for remote access

PDServer

____, or mirrored striping with parity, is a combination of RAID 1 and RAID 5. RAID 16 RAID 0 RAID 15 RAID 10

RAID 15

For labs using high-end ____ servers or a private cloud (such as Dell PowerEdge or Digital Intelligence FREDC), you must consider methods for restoring large data sets. RAID TEMPEST WAN ISDN

Raid

____, or mirrored striping, is a combination of RAID 1 and RAID 0. RAID 0 RAID 5 RAID 10 RAID 6

Raid 10

Stands for supervisory control and data acquisition

SCADA

Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime. physical legal safety corporate

Safety

Lists each piece of evidence on a separate page

Single-evidence form

If your time is limited, consider using a logical acquisition or ____ acquisition data copy method. disk-to-disk lossless sparse disk-to-image

Sparse

Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. True False

T

The definition of digital forensics has evolved over the years from simply involving securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases. True False

T

The lab manager sets up processes for managing cases and reviews them regularly. True False

T

The police blotter provides a record of clues to crimes that have been committed previously. True False

T

The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. True False

T

There's no simple method for getting an image of a RAID server's disks. True False

T

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. True False

T

A ____ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. line of authority right banner right of privacy warning banner

Warning Banner

Example of a lossless compression tool

WinZip

During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system. Windows Android Linux MacOS

Windows

Recognizes file types and retrieves lost or deleted files

Xtree Gold

Investigating and controlling computer incident scenes in private-sector environments is ____ in crime scenes. as difficult as much easier than as easy as more difficult than

much easier than

When you work in the enterprise digital group, you test and verify the integrity of standalone workstations and network servers. True False

F

Vendor-neutral specialty remote access utility designed to work with any digital forensics program

F-Response

PassMark Software acquisition tool for its OSForensics analysis product

ImageUSB

You should have at least one copy of your backups on site and a duplicate or a previous copy of your backups stored in a safe ____ facility. in-site off-site online storage

Off-site

Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed. litigation blotter prosecution allegation

allegation

In addition to warning banners that state a company's rights of computer ownership, businesses should specify a(n) ____ who has the power to conduct investigations. authority of right authority of line line of right authorized requester

authorized requester

Generally, digital records are considered admissible if they qualify as a ____ record. hearsay computer-stored business computer-generated

business

In the ____, you justify acquiring newer and better resources to investigate digital forensics cases. business case upgrade policy configuration plan risk evaluation

business case

A ____ is where you conduct your investigations, store evidence, and do most of your work. forensic workstation digital forensics lab workbench storage room

digital forensics lab

It's the investigator's responsibility to write the affidavit, which must include ____ (evidence) that support the allegation to justify the warrant. reports litigation exhibits prosecution

exhibits

A(n) ____ should include all the tools you can afford to take to the field. forensic lab forensic workstation extensive-response field kit

extensive-response field kit

Shows the known drives connected to your computer

fdisk -l

One way to investigate older and unusual computing systems is to keep track of ____ that you can find through an online search. AICIS lists forums and blogs Minix uniform reports

forums and blogs

You use the ____ option with the dcfldd command to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. checksum md5sum hashlog hash

hash

Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain ____. conclusive hearsay direct regular

hearsay

With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. initial-response field kit bit-stream copy utility seizing order extensive-response field kit

initial-response field kit

If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available. static live passive local

live

Your ____ as a digital investigation and forensics analyst is critical because it determines your credibility. Professional policy professional conduct line of authority oath

professional conduct

Evidence is commonly lost or corrupted through ____, which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. professional curiosity FOIA laws HAZMAT teams onlookers

professional curiosity

One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools. AFD AFF raw proprietary

proprietary

Identifies the number of hard disk types, such as SATA or SCSI, and the OS used to commit crimes

Uniform Crime Report

Microsoft has added ____ with BitLocker to its newer operating systems, which makes performing static acquisitions more difficult. NTFS recovery wizards backup utilities whole disk encryption

whole disk encryption

In ____, two or more disk drives become one large volume, so the computer views the disks as a single disk. RAID 6 RAID 0 RAID 1 RAID 5

Raid 0

In Autopsy and many other forensics tools raw format image files don't contain metadata. True False

T

Computer investigations and forensics fall into the same category: public investigations. True False

F

The law of search and seizure protects the rights of all people, excluding people suspected of crimes. True False

F

A high-end RAID server from Digital Intelligence

FREDC

Sponsors the EnCE certification program

Guidance Software

The first forensics vendor to develop a remote acquisition and analysis tool

Guidance Software

By the early 1990s, the ____ introduced training on software for forensics investigations. CERT IACIS FLETC DDBIA

IACIS

One of the oldest professional digital forensics organizations

IACIS

Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Resilient File System. NTFS FAT24 ext3 ext2

NTFS

Yields information about how attackers gain access to a network along with files they might have copied, examined, or tampered with

Network Forensics

Tool for directly restoring files

Norton Ghost

A computer configuration involving two or more physical disks

RAID

A forensics analysis of a 6 TB disk, for example, can take several days or weeks. True False

T

A judge can exclude evidence obtained from a poorly worded warrant. True False

T

A separate manual validation is recommended for all raw acquisitions at the time of analysis. True False

T

After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. True False

T

By the 1970s, electronic crimes were increasing, especially in the financial sector. True False

T

By using marketing to attract new customers or clients, you can justify future budgets for the lab's operation and staff. True False

T

Computing systems in a forensics lab should be able to process typical cases in a timely manner. True False

T

FTK Imager requires that you use a device such as a USB dongle for licensing. True False

T

If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have an expectation of privacy. T F

T

Chapter 5, Section 3, of the NISPOM describes the characteristics of a safe storage container.

True

A plan you can use to sell your services to your management or clients

Business Case

_____ records are data the system maintains, such as system log files and proxy server logs. Computer-generated Business Computer-stored Hearsay

Computer-generated

The most common and flexible data-acquisition method is ____. Disk-to-network copy Disk-to-image file copy Disk-to-disk copy Sparse data copy

Disk to image file copy

If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately. True False

F

Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. T F

F

Similar to Linux, Windows also has built-in hashing algorithm tools for digital forensics. True False

F

Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume. True False

F

When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together. True False

F

____ often work as part of a team to secure an organization's computers and networks.

Forensics investigators

ILookIX acquisition tool

IXImager

Autopsy uses ____ to validate an image. AFD MD5 AFF RC4

MD5

If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. True False

T

Some acquisition tools don't copy data in the host protected area (HPA) of a disk drive. True False

T

During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding ____. TEMPEST NISPOM RAID EMR

TEMPEST

When seizing computer evidence in criminal investigations, follow the ____ standards for seizing digital data. U.S. DOJ U.S. DoD Patriot Act Homeland Security Department

U.S. DOJ

____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. Uniform Crime Reports IDE reports ASCLD reports HTCN reports

Uniform Crime Reports

Confidential business data included with the criminal evidence are referred to as ____ data. public revealed exposed commingled

commingled

In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery. risk assessment change management recovery logging configuration management

configuration management

In a ____ case, a suspect is charged for a criminal offense, such as burglary, murder, or molestation. fourth amendment corporate criminal civil

criminal

The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions. bitcopy dcfldd raw man

dcfldd

The ____ command displays pages from the online help manual for information on Linux commands and their options. man cmd hlp inst

man

Most digital investigations in the private sector involve ____. VPN abuse e-mail abuse Internet abuse misuse of digital assets

misuse of digital assets

Lab costs can be broken down into monthly, ____, and annual expenses. daily bimonthly quarterly weekly

quarterly

Current distributions of Linux include two hashing algorithm utilities: md5sum and ____. shasum rcsum sha1sum hashsum

sha1sum

Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist

Case Law

Open source data acquisition format

AFF

Provides accreditation of crime and forensics labs worldwide

ANAB

The EMR from a computer monitor can be picked up as far away as ____ mile. 1 3/4 1/4 1/2

1/2

The FOIA was originally enacted in the ____. 1970s 1940s 1960s 1950s

1960s

IACIS requires recertification every ____ years to demonstrate continuing work in the field of computer forensics. 4 3 5 2

3

Computing components are designed to last 18 to ____ months in normal business operations. 24 30 36 42

36

Image files can be reduced by as much as ____% of the original when using lossless compression. 15 30 25 50

50%

When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to avoid damage to the drive from overheating. 90 105 80 95

80

A person who has the power to initiate investigations in a corporate environment

Authorized Requester

Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence

Affidavit

Every business or organization must have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a ____ that a law or policy is being violated. court order stating proof confirmed suspicion reasonable suspicion

reasonable suspicion

Without a warning banner, employees might have an assumed ____ when using a company's computer systems and network accesses. line of authority right of privacy line of right line of privacy

right of privacy

To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe. secure workbench secure workstation protected PC secure facility

secure facility

Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example. real-time online static live

static
