Digital Forensics Revised Study Guide


Where do iPad/iPhone deleted files go?

/.Trashes/501

Which of the following directories should be looked in to find the web server logs?

/var

Linux Printer log location

/var/log/lpr

18 U.S.C. 2252B

18 U.S.C. 2252B law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors. This is a very serious concern and one that sometimes arises in child predator cases.

Foreign Intelligence Surveillance Act (FISA)

A U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents suspected of espionage or terrorism.

expert report

A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report.

test system

A functional system compatible with the hard drive from which someone is trying to recover data.

Global System for Mobile (GSM) communications

A standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.

Enhanced Data Rates for GSM Evolution (EDGE)

A technology that does not fit neatly into the 2G/3G/4G spectrum. It is technically considered pre-3G but was an improvement on GSM (2G).

Electronic serial numbers (ESNs)

A unique identification number developed by the U.S. Federal Communications Commission (FCC) to identify cell phones.

International Mobile Equipment Identity (IMEI) number

A unique number identifying GSM, LTE, and other types of phones. The first 8 bits of the ESN identify the manufacturer, and the subsequent 24 bits uniquely identify the phone.

What file system is used in most modern Macintosh systems?

APFS

This forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows forensic courses.

AccessData Certified Examiner. AccessData is the creator of Forensic Toolkit (FTK) software.

AccessData Certified Examiner

AccessData is the creator of Forensic Toolkit (FTK) software. The company sponsors the AccessData Certified Examiner (ACE) certification program. ACE certification is open to the public and private sectors. This certification is specific to the use and mastery of FTK. Requirements for taking the ACE exam include completing the AccessData boot camp and Windows forensic courses.

personal identification number (PIN)

An ID number for a cell phone user.

Host protected area (HPA)

An area of a disk drive reserved for booting vendor utilities and diagnostic programs. It's not visible to the computer's OS.

What uses AFF file format?

Autopsy and Sleuth Kit

Which type of data are the authorities allowed to get from service providers?

Basic subscriber information, transactional information, content information, and real-time access

Section 816 of the USA Patriot Act, titled the "Development and Support of Cybersecurity Forensic Capabilities," does what?

Calls for the establishment of regional computer forensic laboratories

OSForensics

Cheaper forensic toolkit

Where do deleted Windows files go?

Deleted from MFT or FAT

Which software forensic tool offers Blade, HstEx, and NetAnalysis?

Digital Detective offers Blade, HstEx, and NetAnalysis. Blade is a Windows-based data recovery solution. It supports plug-ins that give it advanced data recovery and analysis capabilities.

Digital Intelligence, Inc

Digital Intelligence, Inc., offers a wide range of training with several partners including EnCase, FTK, Nuix, Cellebrite, IEF, and Forensic Explorer. The company also offers forensic hardware and software. Its software products include DRIVESPY, IMAGE, PART, PDBlock, and PDWipe.

Digital evidence

Digital evidence is information processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.

Which types of mass emails are not covered by the CAN-SPAM Act?

Emails advertising a church event

Expert testimony

Expert testimony involves the authentication of evidence based upon scientific or technical knowledge relevant to cases. Forensic examiners are often called upon to authenticate evidence between given specimens and other items. Forensic specialists should not undertake an examination that is beyond their knowledge and skill.

EnCase

Forensic toolkit that connects via Ethernet or modem cable and prevents the examiner from making any accidental changes.

The Forensic Toolkit (FTK)

Forensic toolkit that is good at cracking passwords and uses distributed processing.

Guidance Software

Guidance Software offers a number of EnCase products, including Enterprise, eDiscovery, Forensic, and Portable.

Where do deleted Mac files go?

Hidden folder /.Trash

Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine?

In the logs of the server; look for the reboot of the system

/var/vm folder

In the /var/vm folder, one will find a subfolder named app profile. This file contains lists of recently opened applications as well as temporary data used by applications. These can be very interesting in a forensic examination.

Testimonial evidence

Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual.

/etc directory

Just as in Linux, the /etc directory is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system's configuration. Sometimes this is done in order to facilitate the criminal's return to the system later.

The most common way steganography is accomplished is via

LSB

OS X v10.5

Mac OS X v10.5, called Leopard, was released in 2007. It had over 300 new features, support for Intel x86 chips, and support for the new G3 processor.

Stack (S)

Memory is allocated based on the last-in, first-out (LIFO) principle.

What is the file format .edb used with?

Microsoft Exchange

What is the .ost file format used for?

Microsoft Outlook offline storage

Why can you undelete files in Windows 7?

Nothing is deleted; it is just removed from MFT.

Physical analysis

Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Data Doctor

Recovers all inbox and outbox data and contacts data

How does Windows store passwords?

SAM File

Which storage tech uses NAND?

SSD

If the computer is turned on when you arrive, what does the Secret Service recommend you do?

Shut down according to the recommended Secret Service procedure.

Power Spy, Verity, ICU, and WorkTime

Spyware

Stealth Files 4

Steganography tool which works with sound files, video files, and image files.

Invisible Secrets

Steganography tool, much more robust with both free and commercial versions

QuickStego

Steganography tool, very easy to use but very limited.

Swap files

Swap files are the most important type of ambient data. Windows uses swap files on each system as a "scratch pad" to write data when additional RAM is needed. A swap file is a virtual memory extension of RAM. Most computer users are unaware of the existence of swap files. The size of these files is usually about 1.5 times the size of the physical RAM in the machine. Swap files contain remnants of word processing documents, e-mails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. Swap files can be temporary or permanent.

/Library/Receipts folder

The /Library/Receipts folder contains information about system and software updates. It is less useful for a forensic investigation than some of the other folders; however, it can be useful to know if a given patch was applied and when it was applied. This might be of some interest in investigating malware crimes.

Advanced Forensic Format (AFF)

The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format.

Communications Assistance to Law Enforcement Act of 1994

The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.

EnCase Certified Examiner (EnCE) certification

The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits the third party from intercepting or disclosing communications without authorization. The ECPA requires different legal processes to obtain specific types o

Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits the third party from intercepting or disclosing communications without authorization. The ECPA requires different legal processes to obtain specific types of information:

1. Basic subscriber information: This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber's telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant.
2. Transactional information: This information includes Web sites visited, e-mail addresses of others with whom the subscriber exchanged e-mail, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.
3. Content information: An investigator who has a search warrant can obtain content information from retrieved e-mail messages and also acquire un-retrieved stored e-mails.
4. Real-time access: To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

EnCase Format

The EnCase format is a proprietary format that is defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source.

Federal Privacy Act of 1974

The Federal Privacy Act of 1974 is a United States federal law that establishes a code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.

The Sleuth Kit

The Sleuth Kit is a Unix- and Windows-based tool that helps in the forensic analysis of computers.

Sleuth Kit

The Sleuth Kit is a free suite of command-line tools. The Sleuth Kit includes a number of search utilities and can search for fragments of deleted tools. Many users find the command-line interface to be cumbersome; fortunately, a graphical user interface (GUI) called Autopsy has been created for Sleuth Kit and is available.

payload

The data to be covertly communicated. In other words, it is the message you want to hide.

file allocation table (FAT)

The file allocation table (FAT) is a list of entries that map to each cluster on the disk partition. Each entry records one of five things:

1. The cluster number of the next cluster for this file.
2. A special end of cluster chain (EOC) entry, if the cluster is the end of a chain.
3. A special entry marking a bad cluster.
4. A special entry marking a reserved cluster.
5. A mark showing the cluster is open, or available.

When files are deleted, data is not actually removed from the drive. Rather, the FAT is updated to reflect that those clusters are no longer in use. If new information is saved to the drive, it may be saved to those clusters, overwriting the old information. This means, from a forensic point of view, that the more recently a file was deleted, the more likely you will be able to recover the file.

least significant bit (LSB)

The last bit or least significant bit is used to store data.

carrier

The signal, stream, or data file into which the payload is hidden.

Slack Space

The space between the end of a file and the end of the cluster (if there is any such space) is called what?

Daubert standard

The standard holding that only methods and tools widely accepted in the scientific community can be used in court.

channel

The type of medium used to hide data in steganography. This may be photos, video, sound files, or Voice over IP.

file slack

The unused space between the logical end of the file and the physical end of the file. It is also called slack space.

Steganophony

The use of steganography with sound files.

Disk Investigator

This tool runs on Windows and has a graphical user interface. It is not as full featured as EnCase or FTK, but it is free and very easy to use.

What is the starting point for investigating denial of service attacks?

Tracing the packets

Which law is most relevant to a case where a suspect is using a fake domain name to appear to be someone he or she is not?

USA Patriot Act

volume slack

Volume slack is the unused space between the end of the file system and the end of the partition where the file system resides. For example, suppose that two partitions are filled with data. When you delete one of them, the data is not actually deleted. Instead, it is hidden.

Where does Windows store passwords?

Windows\System32

In steganography, the ________ is the stream or file into which the data is hidden.

carrier

__________ is a commonly used name for a command-line utility that provides disk partitioning functions in an operating system. It can list the partitions on a Linux system.

fdisk

Does Windows encrypt or hash the passwords?

hash

MP3Stego

Hides a payload in MP3 files.

StegVideo

Hides data in a video sequence.

Deep Sound

Hides data in sound files.

What file holds browser information after it's been deleted?

index.dat

APowerSoft and iMyPhone

Recover deleted files from an iPhone.

Recovery my iPod

Recovers deleted files from an iPod.

Slack space

Space between the end of the file and the end of the cluster.

Which of the following file systems cannot be mounted by using the mount command?

swap

Forensic SIM cloner

Tool used to clone SIM cards.

Pwnage

Unlocks iPad touch.
