Digital Forensics Revised Study Guide
Where do iPad/iPhone deleted files go?
/.Trashes/501
Which directory should be looked in to find the web server logs?
/var
Linux Printer log location
/var/log/lpr
18 U.S.C. 2252B
18 U.S.C. 2252B (misleading domain names on the Internet) covers perpetrators who use a deceptive domain name to hide the pornographic nature of their website, often so that minors will reach it. This is a serious concern and one that sometimes arises in child predator cases.
Foreign Intelligence Surveillance Act (FISA)
A U.S. law that prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents suspected of espionage or terrorism.
expert report
A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report.
test system
A functional system compatible with the hard drive from which someone is trying to recover data.
Global System for Mobile (GSM) communications
A standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.
Enhanced Data Rates for GSM Evolution (EDGE)
A technology that does not fit neatly into the 2G/3G/4G spectrum. It is technically considered pre-3G but was an improvement on GSM (2G).
Electronic serial numbers (ESNs)
A unique 32-bit identification number, created by the U.S. Federal Communications Commission (FCC), that identifies a cell phone. The first 8 bits identify the manufacturer, and the remaining 24 bits uniquely identify the handset.
International Mobile Equipment Identity (IMEI) number
A unique 15-digit number identifying GSM, LTE, and other types of phones. The first 8 digits (the Type Allocation Code) identify the manufacturer and model, the next 6 digits are the handset's serial number, and the last digit is a Luhn check digit.
What file system is used in most modern Macintosh systems?
APFS
This forensic certification is open to both the public and private sectors and is specific to the use and mastery of FTK. Requirements for taking the exam include completing the boot camp and Windows forensic courses.
AccessData Certified Examiner. AccessData is the creator of Forensic Toolkit (FTK) software.
AccessData Certified Examiner
AccessData is the creator of Forensic Toolkit (FTK) software. The company sponsors the AccessData Certified Examiner (ACE) certification program. ACE certification is open to the public and private sectors. This certification is specific to the use and mastery of FTK. Requirements for taking the ACE exam include completing the AccessData boot camp and Windows forensic courses.
personal identification number (PIN)
A numeric code chosen by the cell phone user that must be entered to unlock the SIM card (and, on many handsets, the phone itself).
Host protected area (HPA)
An area of a disk drive reserved for booting vendor utilities and diagnostic programs. It's not visible to the computer's OS.
What uses AFF file format?
Autopsy and Sleuth Kit
Which type of data are the authorities allowed to get from service providers?
Basic subscriber information, Transactional information, Content information, real-time access
Section 816 of the USA Patriot Act, titled the "Development and Support of Cybersecurity Forensic Capabilities," does what?
Calls for the establishment of regional computer forensic laboratories
OSForensics
A lower-cost forensic toolkit (from PassMark Software)
Where do deleted windows files go?
Nowhere: the data stays on the disk. The file's entry in the MFT (NTFS) or the FAT is marked unused (files deleted through Explorer are first moved to the Recycle Bin).
Which software forensic tool offers Blade, HstEx, and NetAnalysis?
Digital Detective offers Blade, HstEx, and NetAnalysis. Blade is a Windows-based data recovery solution. It supports plug-ins that give it advanced data recovery and analysis capabilities.
Digital Intelligence, Inc
Digital Intelligence, Inc., offers a wide range of training with several partners including EnCase, FTK, Nuix, Cellebrite, IEF, and Forensic Explorer. The company also offers forensic hardware and software. Its software products include DRIVESPY, IMAGE, PART, PDBlock, and PDWipe.
Digital evidence
Digital evidence is information processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.
Which types of mass emails are not covered by the CAN-SPAM Act?
Emails advertising a church event
Expert testimony
Expert testimony involves the authentication of evidence based upon scientific or technical knowledge relevant to cases. Forensic examiners are often called upon to authenticate evidence by comparing given specimens with other items. Forensic specialists should not undertake an examination that is beyond their knowledge and skill.
EnCase
Guidance Software's forensic toolkit. It can acquire a suspect machine connected via an Ethernet or modem cable while preventing the examiner from making any accidental changes to the evidence.
The Forensic Toolkit (FTK)
Forensic toolkit good at cracking passwords and uses distributed processing.
Guidance Software
Guidance Software offers a number of EnCase products, including Enterprise, eDiscovery, Forensic, and Portable.
Where do deleted Mac files go?
The user's hidden .Trash folder (~/.Trash)
Where would you seek evidence that ophcrack had been used on a Windows Server 2008 machine?
In the server's logs: ophcrack is usually run from a live CD, so look for an unexplained shutdown and reboot of the system.
/var/vm folder
In the /var/vm folder (which also holds the system's swap files), one will find a subfolder named app profile. This folder contains lists of recently opened applications as well as temporary data used by applications. These can be very interesting in a forensic examination.
Testimonial evidence
Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual.
/etc directory
Just as in Linux, the /etc directory is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system's configuration. Sometimes this is done in order to facilitate the criminal's return to the system later.
The most common way steganography is accomplished is via
LSB
OS X v10.5
Mac OS X v10.5, called Leopard, was released in 2007. It had over 300 new features and ran on both Intel x86 and PowerPC (G4 and G5) Macs; it dropped support for the older G3 processor and was the last OS X release to support PowerPC.
Stack (S)
Memory is allocated based on the last-in, first-out (LIFO) principle.
What is the file format .edb used with?
Microsoft Exchange
What is the .ost file format used for?
Microsoft Outlook offline storage
Why can you undelete files in Windows 7?
Nothing is erased; the file's MFT record is marked unused and its clusters stay on disk until they are overwritten.
Physical analysis
Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.
Data Doctor
Recovers all inbox and outbox data and contacts data
How does Windows store passwords?
SAM File
Which storage tech uses NAND?
SSD
If the computer is turned on when you arrive, what does the Secret Service recommend you do?
Shut down according to the recommended Secret Service procedure.
Power Spy, Verity, ICU, and WorkTime
Spyware
Stealth Files 4
Steganography tool which works with sound files, video files, and image files.
Invisible Secrets
Steganography tool, much more robust with both free and commercial versions
QuickStego
Steganography tool, very easy to use but very limited.
Swap files
Swap files are the most important type of ambient data. Windows uses swap files on each system as a "scratch pad" to write data when additional RAM is needed. A swap file is a virtual memory extension of RAM. Most computer users are unaware of the existence of swap files. The size of these files is usually about 1.5 times the size of the physical RAM in the machine. Swap files contain remnants of word processing documents, e-mails, Internet browsing activity, database entries, and almost any other work that has occurred during past Windows sessions. Swap files can be temporary or permanent.
/Library/Receipts folder
The /Library/Receipts folder contains information about system and software updates. It is less useful for a forensic investigation than some of the other folders; however, it can be useful to know if a given patch was applied and when it was applied. This might be of some interest in investigating malware crimes.
Advanced Forensic Format (AFF)
The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. Sleuth Kit and Autopsy both support this file format.
Communications Assistance to Law Enforcement Act of 1994
The Communications Assistance to Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, voice over packet, and other forms of electronic communications, including signaling traffic and metadata.
EnCase Certified Examiner (EnCE) certification
The EnCase Certified Examiner (EnCE) certification is sponsored by Guidance Software, the maker of EnCase. It tests mastery of the EnCase tool and of general forensic methodology through a written exam followed by a practical exam.
Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits third parties from intercepting or disclosing communications without authorization. The ECPA requires different legal processes to obtain specific types of information: 1. Basic subscriber information—This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber's telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant. 2. Transactional information—This information includes Web sites visited, e-mail addresses of others with whom the subscriber exchanged e-mail, and buddy lists. An investigator can obtain this type of information with a court order or search warrant. 3. Content information—An investigator who has a search warrant can obtain content information from retrieved e-mail messages and also acquire un-retrieved stored e-mails. 4. Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.
EnCase Format
The EnCase format is a proprietary format that is defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source.
Federal Privacy Act of 1974
The Federal Privacy Act of 1974 is a United States federal law that establishes a code of Fair Information Practice governing the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies.
The Sleuth Kit
The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers.
Sleuth Kit
The Sleuth Kit is a free suite of command-line tools. The Sleuth Kit includes a number of search utilities and can search for fragments of deleted files. Many users find the command-line interface to be cumbersome; fortunately, a graphical user interface (GUI) called Autopsy has been created for Sleuth Kit and is available.
payload
The data to be covertly communicated. In other words, it is the message you want to hide.
file allocation table (FAT)
The file allocation table (FAT) is a list of entries that map to each cluster on the disk partition. Each entry records one of five things: The cluster number of the next cluster for this file is recorded; if the cluster is the end of a chain, then it has a special end of cluster chain (EOC) entry; bad clusters have a special entry in the file allocation table; reserved clusters have a special entry in the file allocation table; open, or available, clusters are also marked in the file allocation table. When files are deleted, data is not actually removed from the drive. Rather, the FAT is updated to reflect that those clusters are no longer in use. If new information is saved to the drive, it may be saved to those clusters overwriting the old information. Meaning, from a forensic point of view, that the more recently a file is deleted, the more likely you will be able to recover the file.
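The cluster-chain bookkeeping described above, as an added example that is not part of the study guide: a miniature FAT16-style volume in Python with a tiny 8-byte cluster so chains are easy to read. The volume, file names and file contents are constructed sample data. It shows a chain being followed to the end-of-chain marker, a delete that only frees the FAT entries, the undelete heuristic tools use once the chain is gone (assume the file was contiguous from its first cluster), and how reusing the clusters corrupts a later recovery.

```python
# Added example, not from the study guide: a miniature FAT volume. Entry values
# follow FAT16 conventions: 0x0000 free, 0xFFF7 bad, 0xFFF8-0xFFFF end of chain.
# All names and contents below are constructed sample data.

FREE, BAD, EOC = 0x0000, 0xFFF7, 0xFFFF
CLUSTER_SIZE = 8  # bytes per cluster, tiny on purpose


class MiniFat:
    def __init__(self, clusters: int):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = EOC             # clusters 0 and 1 are reserved on a real FAT
        self.data = [bytearray(CLUSTER_SIZE) for _ in range(clusters)]
        self.dir = {}                                # name -> {"first", "size", "deleted"}

    def write(self, name: str, content: bytes) -> list:
        needed = max(1, -(-len(content) // CLUSTER_SIZE))           # ceil division
        chain = [i for i, e in enumerate(self.fat) if e == FREE][:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for n, cl in enumerate(chain):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.data[cl][:len(chunk)] = chunk       # bytes past the chunk are left alone: file slack
            self.fat[cl] = chain[n + 1] if n + 1 < needed else EOC
        self.dir[name] = {"first": chain[0], "size": len(content), "deleted": False}
        return chain

    def chain(self, first: int) -> list:
        """Follow FAT entries from `first` until an end-of-chain marker."""
        seen, cl = [], first
        while True:
            if cl in seen:
                raise ValueError("cluster chain loops at %d" % cl)
            seen.append(cl)
            nxt = self.fat[cl]
            if nxt == BAD:
                raise ValueError("chain runs into bad cluster %d" % cl)
            if nxt == FREE:
                raise ValueError("chain broken: cluster %d is marked free" % cl)
            if nxt >= 0xFFF8:
                return seen
            cl = nxt

    def _raw(self, first: int) -> bytes:
        return b"".join(bytes(self.data[cl]) for cl in self.chain(first))

    def read(self, name: str) -> bytes:
        entry = self.dir[name]
        if entry["deleted"]:
            raise FileNotFoundError(name)
        return self._raw(entry["first"])[:entry["size"]]   # logical EOF; the rest is slack

    def file_slack(self, name: str) -> bytes:
        entry = self.dir[name]
        return self._raw(entry["first"])[entry["size"]:]

    def delete(self, name: str) -> None:
        """Mimic a DOS/Windows delete: free the FAT entries, keep the directory
        entry (marked deleted) with its first cluster and size; data is untouched."""
        entry = self.dir[name]
        for cl in self.chain(entry["first"]):
            self.fat[cl] = FREE
        entry["deleted"] = True

    def undelete(self, name: str) -> bytes:
        """What an undelete tool does: the chain is gone, so assume the file was
        contiguous from its first cluster and read ceil(size/cluster) clusters."""
        entry = self.dir[name]
        needed = max(1, -(-entry["size"] // CLUSTER_SIZE))
        raw = b"".join(bytes(self.data[entry["first"] + n]) for n in range(needed))
        return raw[:entry["size"]]


def demo():
    """Recover a deleted file before and after its clusters are reused."""
    disk = MiniFat(16)
    original = b"meeting moved to 0900, bring the ledger"   # constructed, 39 bytes -> 5 clusters
    disk.write("memo.txt", original)
    disk.delete("memo.txt")
    fresh = disk.undelete("memo.txt")      # nothing reused yet: full recovery
    disk.write("new.bin", b"X" * 10)        # takes the first free clusters, which were memo.txt's
    stale = disk.undelete("memo.txt")      # partially overwritten
    return original, fresh, stale


if __name__ == "__main__":
    for label, value in zip(("original", "fresh", "stale"), demo()):
        print(label, value)
```

The undelete heuristic is exactly why recovery gets worse with time: the directory entry still says where the file started and how long it was, but every later write is free to land on those clusters.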
least significant bit (LSB)
The last bit or least significant bit is used to store data.
carrier
The signal, stream, or data file into which the payload is hidden.
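The LSB technique named in the steganography cards above (LSB, payload, carrier), as an added example that is not part of the study guide: a Python embed/extract pair that hides a payload in the least significant bit of each carrier byte. The carrier is constructed sample data standing in for 8-bit image samples; the 4-byte length header is this example's own framing, not a standard.

```python
# Added example, not from the study guide: least-significant-bit (LSB)
# steganography over a byte carrier. The carrier below is constructed sample
# data standing in for 8-bit image samples; a real tool reads them from a file.

HEADER = 4  # bytes of big-endian payload length written first so the extractor knows where to stop


def capacity(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per carrier byte, minus the length header."""
    return len(carrier) // 8 - HEADER


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the lowest bit of successive carrier bytes with the payload bits."""
    if len(payload) > capacity(carrier):
        raise ValueError("carrier too small: holds %d payload bytes, got %d"
                         % (capacity(carrier), len(payload)))
    message = len(payload).to_bytes(HEADER, "big") + payload
    out = bytearray(carrier)
    i = 0
    for byte in message:
        for shift in range(7, -1, -1):            # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of stego[start:]."""
    result = bytearray()
    for b in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[start + b * 8 + bit] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many payload bytes."""
    length = int.from_bytes(_read(stego, 0, HEADER), "big")
    if (HEADER + length) * 8 > len(stego):
        raise ValueError("length header claims more payload than the carrier holds")
    return _read(stego, HEADER * 8, length)


def max_sample_change(carrier: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never moves a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    carrier = bytes((i * 7) % 256 for i in range(4096))   # constructed "pixels"
    payload = b"meet at 0900"
    stego = embed(carrier, payload)
    print(extract(stego), max_sample_change(carrier, stego))
```

Because each sample changes by at most one level, the stego file is visually and audibly identical to the carrier, which is why detection relies on statistics of the LSB plane rather than on looking at the image.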
Slack Space
The space between the end of a file and the end of the cluster (if there is any such space) is called what?
Daubert standard
The standard (from Daubert v. Merrell Dow Pharmaceuticals, 1993) under which the trial judge acts as gatekeeper for expert testimony: a method or tool is admissible only if it is scientifically reliable, judged by whether it has been tested, peer reviewed and published, has a known error rate and controlling standards, and is generally accepted in the relevant scientific community.
channel
The type of medium used to hide data in steganography. This may be photos, video, sound files, or Voice over IP.
file slack
The unused space between the logical end of the file and the physical end of the file. It is also called slack space.
Steganophony
The use of steganography with sound files.
Disk Investigator
This tool runs on Windows and has a graphical user interface. It is not as full featured as EnCase or FTK, but it is free and very easy to use.
What is the starting point for investigating the denial of service attacks?
Tracing the packets
Which law is most relevant to a case where a suspect is using a fake domain name to appear to be someone he or she is not?
USA Patriot Act
volume slack
Volume slack is the unused space between the end of the file system and the end of the partition where the file system resides. For example, suppose two partitions are filled with data and you delete one of them: only the partition-table entry is removed, so the data is not actually deleted but remains in space the operating system no longer shows.
Where does Windows store passwords?
In the SAM file under \Windows\System32\config
In steganography, the ________ is the stream or file into which the data is hidden.
carrier
__________ is a commonly used name for a command-line utility that provides disk partitioning functions in an operating system. It can list the partitions on a Linux system.
fdisk
Does Windows encrypt or hash the passwords?
hash (the SAM stores unsalted NT hashes rather than the passwords themselves)
MP3Stego
hides a payload in MP3 files.
StegVideo
hides data in a video sequence
Deep Sound
hides data in sound files.
What file holds browser information after it's been deleted?
index.dat (Internet Explorer's history and cache index)
APowerSoft and iMyPhone
Recover deleted files from an iPhone
Recovery my ipod
Recover deleted files from an iPod
Slack space
space between end of the file and the end of the cluster
Which of the following file systems cannot be mounted by using the mount command?
swap
Forensic Sim cloner
tool used to clone sim cards
Pwnage
Unlocks (jailbreaks) the iPod touch