JCCC Computer Forensics Mid-Term Exam - Part 1
An image of an optical disk is stored in a file with the extension ________.
.iso
If trying to find the last time a USB device was connected to a computer, which key would you look for?
0066 (the device property value under SYSTEM\CurrentControlSet\Enum\USBSTOR\<device>\<serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066, which stores the last-arrival time as a 64-bit FILETIME; 0064 is the install date, 0065 the first install, 0067 the last removal)
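Added example, not part of the original flashcard set: the 0066 value is a raw 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, stored little-endian), so the practical skill is decoding it. The script below converts the eight bytes to a UTC timestamp and labels the four property numbers; the sample bytes are constructed (they encode the Unix epoch), and on a live system the raw values would come from winreg or an exported SYSTEM hive rather than the literal used here.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property numbers beneath the {83da6326-97a6-4088-9453-a1923f573b29} set
# stored under Enum\USBSTOR\<device>\<serial>\Properties.
USB_PROPERTIES = {
    "0064": "install_date",
    "0065": "first_install_date",
    "0066": "last_connected",   # "last arrival": the value the question asks about
    "0067": "last_removed",
}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME integer to an aware UTC datetime."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    # Integer division drops the sub-microsecond ticks timedelta cannot hold.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """Decode the 8 little-endian bytes exactly as the REG_BINARY value stores them."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes, got %d" % len(raw))
    return filetime_to_datetime(int.from_bytes(raw, "little"))


def summarize_usb_properties(props: Dict[str, bytes]) -> Dict[str, str]:
    """Map raw property values (property number -> 8 bytes) to ISO-8601 UTC strings.

    Unknown property numbers are skipped; a malformed value is reported in the
    result instead of raised, so one bad entry does not abort a device listing.
    """
    out = {}
    for code, raw in props.items():
        name = USB_PROPERTIES.get(code)
        if name is None:
            continue
        try:
            out[name] = filetime_from_bytes(raw).isoformat()
        except ValueError as exc:
            out[name] = "invalid (%s)" % exc
    return out


if __name__ == "__main__":
    # Constructed sample: the FILETIME for 1970-01-01 00:00:00 UTC, little-endian.
    sample = {"0066": bytes.fromhex("00803ed5deb19d01")}
    print(summarize_usb_properties(sample))
```

The hive timestamps are UTC; convert to the suspect's local zone only at reporting time, and record which zone you used.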
If a program is set to run at system boot, what will the start key be listed as?
0x02 (Automatic: the service is started by the Service Control Manager at boot; 0x00 is Boot, 0x01 System, 0x03 Manual, 0x04 Disabled)
Which Network Nametype indicates the network is wireless?
0x47 (wireless; 0x06 is wired and 0x17 is broadband/WWAN, under SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList)
Which of the following are true of Current Control Set? (Select all that apply)
1. Is typically ControlSet001 2. Its location is recorded in SYSTEM\Select (the Current value names which numbered ControlSet is in use) 3. Contains the system configuration settings needed to control system boot
What are two hashing algorithms that EnCase Imager supports?
1. SHA1 2. MD5
What are the advantages of creating a custom content image? (Select all that apply)
1. They are much smaller than a full image 2. They are much faster to create than a full image
Under the Sarbanes-Oxley Act, publicly traded companies must maintain all electronic information, including emails, for a minimum of ________ years.
5
SWGDE (Scientific Working Group on Digital Evidence)
A committee dedicated to sharing research and setting standards for investigators working with digital and multimedia evidence
Parasite
A point-of-sale skimmer
EnScript
A programming language developed by Guidance Software that enables users to create their own customized functions
When a volume is quick formatted, what exactly is erased?
Only the file system's bookkeeping structures, such as the File Allocation Table (or the NTFS MFT), are rewritten; the file contents stay on disk until overwritten
Encryption is the process of scrambling plain text into an unreadable format using a mathematical formula known as a(n) ________.
Algorithm
What does the HashCalc tool do?
Allows you to calculate hash values of data sets
Compare Proxy vs TOR vs VPN
An opinion: https://www.cloudwards.net/vpn-vs-proxy-vs-tor/
Cryptanalysis
An attempt to exploit weaknesses in protocols and cryptographic algorithms in order to break a system or gain access to data
The ________, produced by BlackBag Technologies, is available to the general public and is used to image Apple Macintosh computers, iPhones, and iPads.
BlackLight
A(n) ________ is composed of 8 bits and is the smallest addressable unit in memory.
Byte
Where is the Startup folder on newer Windows operating systems?
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (all users); the per-user folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
What directory is the Prefetch folder located in?
C:\Windows\Prefetch (Windows 10)
Where is the location of the Event Viewer EVT files on a Microsoft Windows XP System?
C:\windows\system32\config (AppEvent.Evt, SecEvent.Evt, SysEvent.Evt)
Where is the location of the Event Viewer EVTX files on a Windows 7 system?
C:\windows\system32\winevt\logs
The ________ tool is a lightweight application that runs on Microsoft Windows and enables the investigator to take notes. Sensitive notes can also be encrypted; the vendor advertises this as "AES 512-bit" encryption, although AES is only standardized for 128-, 192- and 256-bit keys. MD5 hashes of all data entered are created.
CaseNotes
A disk ________ is an exact copy of a hard drive
Clone
What does the following Linux command do? fdisk -l /dev/sda
Displays all partitions on the sda disk
What is file signature analysis?
Every file has a signature, also known as a file header, which identifies the file type so that a program can recognize and open it. There are several thousand file types, many of them standardized by the International Organization for Standardization (ISO) and the International Telecommunication Union, Telecommunication Standardization Sector (ITU-T). Some users deliberately change file extensions to hide data. When a file extension is changed the file signature does not change, but most programs will no longer recognize the file: if a JPEG is renamed from .JPG to .DLL, most programs will not open it as an image. To make sure no data is being surreptitiously stored this way, it is important to perform signature analysis. EnCase contains a table of known file signatures, which can be modified or extended as the need arises. With one click, EnCase compares each file's signature against its internal table and then labels the file in one of four ways: 1. !Bad Signature (the extension is in the table but the header does not match it) 2. *[Alias] (the header matches a known type but the extension is different, i.e. a renamed file) 3. Match 4. Unknown (neither the header nor the extension is in the table)
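Added example, not part of the original flashcards and not EnCase's own code: a small signature analyzer that applies the four labels described above. The signature table is a constructed subset (EnCase ships a much larger one) and the sample files are constructed in-line; the renamed JPEG shows why the header, not the extension, decides.

```python
import os
from typing import Dict, Optional, Set

# Constructed subset of a signature table: (magic bytes at offset 0, the
# extensions that legitimately carry that header).
SIGNATURES = [
    (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"MZ", {"exe", "dll", "sys", "scr"}),
    (b"Rar!\x1a\x07", {"rar"}),
    (b"\x7fELF", {"elf", "so"}),
]
HEADER_LEN = max(len(magic) for magic, _ in SIGNATURES)
KNOWN_EXTENSIONS: Set[str] = set().union(*(exts for _, exts in SIGNATURES))


def extension_of(name: str) -> str:
    """Lower-cased extension of a path, or '' when there is none."""
    base = os.path.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def match_header(header: bytes) -> Optional[Set[str]]:
    """Extensions belonging to the first signature the header starts with."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def classify(name: str, header: bytes) -> str:
    """Return one of the four EnCase-style labels for a name/header pair."""
    ext = extension_of(name)
    exts = match_header(header)
    if exts is None:
        # Header matches nothing: bad if the extension claims a known type,
        # otherwise we simply have no opinion.
        return "!Bad Signature" if ext in KNOWN_EXTENSIONS else "Unknown"
    if ext in exts:
        return "Match"
    # Header is a known type but the extension says otherwise: a renamed file.
    return "*[Alias]"


def classify_file(path: str) -> str:
    """Read only the header bytes from disk and classify the file."""
    with open(path, "rb") as f:
        return classify(path, f.read(HEADER_LEN))


def analyze(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify an in-memory {name: contents} mapping (handy for tests)."""
    return {name: classify(name, data[:HEADER_LEN]) for name, data in samples.items()}


if __name__ == "__main__":
    constructed = {
        "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,
        "photo.DLL": b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,  # JPEG renamed to hide it
        "report.pdf": b"hello world",   # .pdf extension but no PDF header
        "notes.txt": b"hello world",    # no known header, no known extension
        "tool.exe": b"MZ\x90\x00",
    }
    for name, label in analyze(constructed).items():
        print("%-12s %s" % (name, label))
```

Signatures at offset 0 cover the common cases; container formats whose magic sits deeper in the file (for example some media formats) need an offset field in the table, which is exactly the kind of entry an analyst adds to EnCase's table.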
A(n) ________ locker is a metal cabinet with individual compartments that can be locked individually.
Evidence
________ evidence is used to prove the innocence of a defendant.
Exculpatory
What can be used to create a Custom Content Image?
FTK Imager
________ is a free online service that enables users to generate an ad hoc identity.
Fake Name Generator
Disks cannot be mounted as read-only in Linux - true or false?
False: a device can be mounted read-only with the ro mount option (a software safeguard that complements, but does not replace, a hardware write blocker)
The reliability achieved from a RAID array is known as ________.
Fault tolerance
Which USB information can be located by using the Setupapi.log?
First time a device was connected (setupapi.log on Windows XP; setupapi.dev.log under C:\Windows\inf on Vista and later)
Flash Cookies
Flash cookies, also known as 'super cookies', are independent from the web browser. They are designed to be permanently stored on a user's computer. These types of cookies remain on a user's device even after all cookies have been deleted from their web browser.
SMART files
Forensic disk image files (compressed or uncompressed) originally developed by ASRData's Expert Witness
The word ________ means "to bring to court."
Forensics
GMT (Greenwich Mean Time)
Greenwich Mean Time (GMT), the name for mean solar time of the longitude (0°) of the Royal Greenwich Observatory in England. The meridian at this longitude is called the prime meridian or Greenwich meridian. Greenwich Mean Time (GMT) has been used to clearly designate epoch by avoiding confusing references to local time systems (zones).
Spoliation of evidence
Hiding, altering, or destroying evidence related to an investigation
Which of the following does MD5 confirm?
Integrity (a matching hash shows the image is still identical to the source; because MD5 collisions are practical today, record a SHA-256 alongside it)
The ________ is a tool available for secure communications and anonymous web surfing. This network uses public-private key encryption, and, like Tor, websites are hosted anonymously. On the suspect's computer, the router.config file contains some information about I2P connectivity by the user.
Invisible Internet Project (I2P)
What is the chain of custody form? Why is it important?
It documents everyone who has handled the evidence in a case, when, and why. It is important because it proves who has had access to the evidence and where it has been, which is what makes the evidence admissible.
What is the Thumbs.db file?
A thumbnail cache created per folder by Windows XP and earlier (Vista and later use the thumbcache_*.db files under the user's AppData); it is useful in digital forensics because thumbnails can survive after the original images are deleted
The most popular picture file format is ________.
JPEG
File ________ is information about a file and can include the creation, modified, and last access dates.
Metadata
In Linux, what is the command to view all of the mounted file systems?
mount (run with no arguments)
NCIC (National Crime Information Center)
NCIC is a computerized index of criminal justice information (i.e.- criminal record history information, fugitives, stolen properties, missing persons). It is available to Federal, state, and local law enforcement and other criminal justice agencies and is operational 24 hours a day, 365 days a year. PURPOSE: The purpose for maintaining the NCIC system is to provide a computerized database for ready access by a criminal justice agency making an inquiry and for prompt disclosure of information in the system from other criminal justice agencies about crimes and criminals. This information assists authorized agencies in criminal justice and related law enforcement objectives, such as apprehending fugitives, locating missing persons, locating and returning stolen property, as well as in the protection of the law enforcement officers encountering the individuals described in the system.
Does a quick format really erase all of the data on the disk?
No
A ________ is a logical storage unit on a disk.
Partition
Permanent Cookies (persistent)
Permanent cookies, also known as 'persistent cookies', remain in operation even after the web browser has closed. For example, they can remember login details so web users do not need to re-enter them every time they use a site. Under EU cookie-law guidance, persistent cookies must expire within 12 months.
The primary instant messenger ________ are IRC, ICQ, and XMPP.
Protocols
RAM vs ROM memory
RAM is Random Access Memory; ROM is Read Only Memory. RAM is the memory available for the operating system, programs, and processes to use while the computer is running. ROM is the memory that comes with the computer, pre-written to hold the instructions for booting it up. RAM requires a flow of electricity to retain data (i.e. the computer must be powered on); ROM retains data without power (i.e. when the computer is powered off). RAM is volatile memory: data in RAM is not permanently written, and when you power off the computer the data stored in RAM is lost. ROM is non-volatile memory: data in ROM is permanently written and is not erased when you power off the computer.
Raster-based graphics
Rectangular pictures that are based on pixels
Issuer Identification Number (IIN)
Refers to the first six digits of a credit card number (extended to eight digits by the 2017 revision of ISO/IEC 7812, with issuers migrating from 2022).
What is eSATA used for? When?
SATA also supports external drives through External SATA, more commonly known as eSATA. eSATA offers several advantages over other external interfaces of its era: it is hot-swappable, it runs at full SATA speed without the bottleneck of USB 2.0 or FireWire, and it passes through drive technologies such as S.M.A.R.T. It also has disadvantages: unlike USB it does not carry power over the cable, so drives need an external power source, and the cable is limited to 2 meters. Because of these disadvantages eSATA never became the sole external interface for computers; USB 3.x and Thunderbolt have since displaced it.
Which hash value does HashCalc not calculate?
SHA1024 (no such algorithm exists; the SHA-2 family tops out at SHA-512)
Cellular telephones that operate on the Global System for Mobile Communications (GSM) network contain a _________ card.
SIM
Which Registry key allows you to determine the Microsoft OS Version of a computer?
SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName, CurrentVersion/CurrentBuild and InstallDate values)
Which Registry Key can be used to identify the USB serial number?
SYSTEM\CurrentControlSet\Enum\USBSTOR (the serial number is the subkey name beneath each device entry; if its second character is '&', Windows generated the ID because the device reported no serial)
Which Registry Key can be used to find the Last Drive Letter for a USB device?
SYSTEM\MountedDevices
When photographing hardware evidence, each item should be photographed as a whole, and then the _________ should be photographed.
Serial Number
Session Cookie
Session cookies, also known as 'temporary cookies', help websites recognize users and the information provided when they navigate through a website. Session cookies only retain information about a user's activities for as long as they are on the website. Once the web browser is closed, the cookies are deleted. These are commonly used on shopping websites or e-commerce websites.
IDE (Integrated Drive Electronics)
Short for Integrated Drive Electronics, IDE is more commonly known as ATA or PATA (parallel ATA). It is a standard interface for IBM-compatible PCs, first developed by Western Digital and Compaq in 1986 for hard drives and CD or DVD drives. IDE differs from SCSI and ESDI (Enhanced Small Disk Interface) in that the controller is on each drive, so the drive connects directly to the motherboard or a host adapter. IDE and its updated successor, EIDE (Enhanced IDE), were the common drive interfaces in IBM-compatible computers before SATA.
SCSI (Small Computer System Interface)
Short for Small Computer System Interface, SCSI is pronounced "scuzzy" and was one of the most widely used disk-drive interfaces; the first version was completed in 1982. Unlike competing standards of the time, a SCSI bus supports eight device IDs (sixteen with Wide SCSI); one ID is taken by the host adapter, so SCSI-2 and above supports up to seven peripherals, such as hard drives, CD-ROMs and scanners, on a single SCSI port. It is a parallel interface that transfers eight bits at a time (sixteen with Wide SCSI), faster than the average parallel port. SCSI ports were designed for Apple Macintosh and Unix computers but can also be used with PCs. Although popular in the past, SCSI has largely been superseded by faster connection types such as SATA (and its own serial successor, SAS).
SATA (Serial Advanced Technology Attachment)
Short for Serial AT Attachment, SATA 1.0 was first released in August 2001 as a replacement for the parallel ATA interface used in IBM-compatible computers. SATA 1.0 runs at a 1.5 Gb/s line rate, which after 8b/10b encoding delivers about 150 MB/s to each drive (later revisions doubled this to 3 Gb/s and 6 Gb/s). It is backward-compatible with ATA and ATAPI devices and uses a thin, small cable, which makes cable routing much easier and improves airflow in the case compared with the earlier ribbon cables used with ATA drives. SATA also supports external drives through External SATA, more commonly known as eSATA, which is hot-swappable, runs at full SATA speed without the bottleneck of USB 2.0 or FireWire, and passes through drive technologies such as S.M.A.R.T.
SSD (solid state drive)
Short for solid-state drive, an SSD is a storage medium that uses non-volatile flash memory to hold and access data. Unlike a hard drive, an SSD has no moving parts, which gives it faster access times, silent operation, higher shock resistance, and lower power consumption. SSDs traditionally used the SATA connection, whose 6 Gb/s (SATA III) line rate tops out at about 600 MB/s of usable throughput. Newer SSDs connect to the motherboard's PCIe lanes (NVMe); early PCIe drives offered around 1.5 GB/s, and an M.2 slot with four PCIe 3.0 lanes offers roughly 4 GB/s theoretical, with real-world throughput of about 3.5 GB/s.
UPS (uninterruptible power supply)
Short for uninterruptible power supply, UPS is a hardware device that provides a backup power source in case of a power outage (blackout), brownout, or a surge in power. A UPS provides enough power for a computer(s) to shut down properly or remain functional during the outage. There are three versions of the UPS: standby, on-line and line interactive.
A ________ is a device used to illegally capture the data stored on the magnetic stripe of an ATM card, credit card, or debit card.
Skimmer
Blogs, Twitter, and Facebook are examples of ________ networking sites.
Social (None of the above on chpt 5 test)
________ is a free online service that enables a user to contact a cell phone number to hear who answers the telephone without identifying the number of the caller.
Spy Dialer
Antistatic polyethylene evidence bags are primarily designed to protect electronic devices from ________
Static Electricity
CART (Computer Analysis and Response Team)
The Computer Analysis and Response Team provides assistance to FBI field offices in the search and seizure of computer evidence as well as forensic examinations and technical support for FBI investigations. This Unit includes a state-of-the-art forensic laboratory comprised of computer specialists and a network of trained and equipped forensic examiners assigned to more than 50 field offices.
FLETC (Federal Law Enforcement Training Center)
The Federal Law Enforcement Training Centers, through strategic partnerships, prepares the federal law enforcement community to safeguard the American people, our homeland, and our values. The Federal Law Enforcement Training Centers is America's enterprise resource for federal law enforcement training. FLETC's core values - collaborative, comprehensive, responsible - are the guiding principles that influence decisions and actions we take in the name of FLETC.
Windows Registry
The Windows Registry is a database of settings used by Microsoft Windows. It stores configurations for hardware devices, installed applications, and the Windows operating system. The Registry provides a centralized method of storing custom preferences for each Windows user, rather than storing them as individual
What is the MBR? Which sector is it?
The master boot record is located on the first sector of a disk. The specific address on the disk is Cylinder: 0, Head: 0, Sector: 1. The master boot record is commonly abbreviated as MBR. You might also see it called the master boot sector, sector zero, master boot block, or master partition boot sector.
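Added example, not part of the original flashcards: a parser for sector 0 that checks the 0x55AA boot signature, reads the four 16-byte partition entries that start at byte 446, turns each LBA start into a byte offset an analyst can seek to in an image, and lists the sector ranges no primary partition claims (where data can be hidden). The 512-byte sector is constructed in build_sample_mbr; the partition type names are the standard MBR type IDs.

```python
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"       # bytes 510-511 of sector 0
DISK_SIGNATURE_OFFSET = 440        # 4-byte NT disk signature
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
    0xEE: "GPT protective",
}


def is_mbr(sector0: bytes) -> bool:
    """True when the sector carries the 0x55AA signature in its last two bytes."""
    return len(sector0) >= SECTOR_SIZE and sector0[510:512] == BOOT_SIGNATURE


def parse_mbr(sector0: bytes) -> Dict:
    """Decode the disk signature and the non-empty primary partition entries."""
    if not is_mbr(sector0):
        raise ValueError("missing 0x55AA boot signature: not an MBR, or sector 0 was wiped")
    disk_sig = struct.unpack_from("<I", sector0, DISK_SIGNATURE_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector0, off)
        if ptype == 0x00 and count == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR_SIZE,   # seek here in the image for this volume
            "byte_size": count * SECTOR_SIZE,
        })
    return {
        "disk_signature": disk_sig,
        "gpt_protective": any(p["type"] == 0xEE for p in partitions),
        "partitions": partitions,
    }


def unallocated_ranges(partitions: List[Dict], total_sectors: int) -> List[Tuple[int, int]]:
    """Inclusive sector ranges claimed by no primary partition.

    Sector 0 is the MBR itself; the gap before the first partition (commonly
    sectors 1-2047 on modern disks) and any tail space are classic hiding spots.
    """
    gaps = []
    cursor = 1
    for p in sorted(partitions, key=lambda e: e["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector 0: a bootable NTFS partition at LBA 2048 followed by a Linux one."""
    sec = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sec, DISK_SIGNATURE_OFFSET, 0xDEADBEEF)
    struct.pack_into(ENTRY_FORMAT, sec, PARTITION_TABLE_OFFSET,
                     0x80, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    struct.pack_into(ENTRY_FORMAT, sec, PARTITION_TABLE_OFFSET + 16,
                     0x00, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", 206848, 409600)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("disk signature 0x%08X" % info["disk_signature"])
    for p in info["partitions"]:
        print(p)
    print("unallocated:", unallocated_ranges(info["partitions"], 1000000))
```

On a real image, read the first 512 bytes of the .dd file (or of the device behind a write blocker) and pass them in; a 0xEE entry means the real layout lives in the GPT at LBA 1, and a missing 0x55AA on a drive that should be bootable is itself evidence worth noting.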
Discovery
The period leading up to trial during which each party involved in civil litigation can request evidence from the other party.
File Carving
The process of reassembling computer files from fragments in the absence of file system metadata.
Admendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
What is the Prefetch folder?
The system keeps track of which programs are commonly opened on a system and saves information about them in the Prefetch folder
What happens when you execute files that are not in the Windows PATH?
They won't run from a bare name: the interpreter only searches the directories listed in PATH (cmd.exe also checks the current directory, PowerShell does not), so you must supply the full or relative path to the file
third-party cookies
Third-party cookies are installed by third-parties with the aim of collecting certain information from web users to carry out research into, for example, behavior, demographics or spending habits. They are commonly used by advertisers who want to ensure that products and services are marketed towards the right target audience.
Certain open source tools are available to image a hard drive, but one of the reasons for using a licensed product, such as BlackLight, is ___________.
To use the comprehensive reporting tools that come with it
VMware is well-known virtual machine software that an investigator can use to reverse-engineer malware - True or False?
True
dictionary attack
Uses a predetermined list of words in an attempt to decrypt data or authenticate a user
A(n) ________ is a hardware device that enables an individual to read data from a device, such as a hard drive, without writing to that device.
Write Blocker
Do SSD drives wear out? What process occurs to help them last longer?
Yes: flash cells survive only a finite number of program/erase cycles, so the drive controller spreads writes across all cells (wear leveling) and, with TRIM, erases freed blocks in the background. To reduce the write volume: 1. Turn off hibernation 2. Disable the page file 3. Disable defragmentation. (Forensic caveat: TRIM and garbage collection run inside the drive, so deleted data can disappear even while the SSD sits behind a write blocker; image and hash it promptly.)
Zombie Cookies
Zombie cookies are a type of flash cookie that are automatically re-created after a user has deleted them. This means they are difficult to detect or manage. They are often used in online games to prevent users from cheating, but have also been used to install malicious software onto a user's device.
The decimal number 12 is represented in the hexadecimal system as ________.
C (0xC)
Which of the below commands can be used to create an image on Kali Linux and provides status updates?
dcfldd (an enhanced dd that shows progress and can hash the data as it is copied)
What sort of tools can be used to wipe a disk?
dd or dcfldd on Linux (overwriting the whole device with zeros); on Windows, a full (non-quick) format, which since Vista writes zeros to every sector
Which Linux command allows users to display the available disk space on the systems drive?
df
EGREP
egrep is an acronym for "Extended Global Regular Expressions Print". It scans a file line by line and prints the lines that match an extended regular expression. The usual form is: egrep <flags> '<regular expression>' <filename>. It is equivalent to grep -E, so operators such as +, ? and | work without backslashes, which is why it is considered more powerful than plain grep.
Which Linux command allows users to view disk and partitions?
fdisk
CTIN (computer technology investigators network)
https://ctin.org/objectives-and-purposes/
What command can be used in Kali to hash files?
md5sum (likewise sha1sum and sha256sum for the SHA family)
Which Linux command allows users to format partitions with various file system including FAT, NTFS, and EXT4?
mkfs
Which Linux command allows users to view which disks are currently mounted?
mount
What is the syntax of the command to dump the security log to a file named security.txt?
psloglist -r "security" > security.txt
To unmount the sdd1 partition, what command could you use?
umount /dev/sdd1
Which Linux command can attempt to download a webpage for local storage?
wget
What Linux command allows you to verify a disk has been zeroed out?
xxd (hex-dump the device and confirm nothing but zero bytes appear; with -a, xxd collapses runs of zero lines into a single '*', so a zeroed disk shows almost no output)
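Added example, not part of the original flashcards, covering the acquisition questions above (dcfldd-style imaging with on-the-fly hashing, md5sum verification, dd-style zero wiping, and the xxd check that a device really is all zeros) in one runnable script. It is illustrative code, not the tools themselves: it operates on an ordinary file standing in for /dev/sdb, the "EVIDENCE" payload is constructed, and a real acquisition would read the block device through a write blocker.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

CHUNK = 1 << 20   # 1 MiB, the equivalent of bs=1M for dd/dcfldd


def hash_file(path: str, algorithms: Iterable[str] = ("md5", "sha1")) -> Dict[str, str]:
    """Stream the file once and return hex digests for every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image(source: str, destination: str) -> Tuple[int, Dict[str, str]]:
    """Block-copy source to destination, hashing bytes as they are read
    (what dcfldd does with its hash options).  Returns (bytes copied, digests)."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    copied = 0
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            copied += len(chunk)
            for h in hashers.values():
                h.update(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return copied, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source: str, destination: str) -> bool:
    """Independently re-hash both sides, as md5sum would; they must agree."""
    return hash_file(source) == hash_file(destination)


def wipe(path: str) -> int:
    """Overwrite the file in place with zeros (dd from /dev/zero), keeping its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def is_zeroed(path: str) -> bool:
    """The xxd check in code: True only if every byte on the device is 0x00."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.strip(b"\x00"):   # strip leaves something if any byte is non-zero
                return False
    return True


def demo() -> Dict:
    """Run the full cycle on a constructed 'device' file inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb")       # stands in for /dev/sdb
        img = os.path.join(tmp, "sdb.dd")
        payload = b"EVIDENCE " * 100000         # constructed 900,000-byte payload
        with open(device, "wb") as f:
            f.write(payload)
        copied, acquisition = image(device, img)
        result = {
            "bytes": copied,
            "acquisition_md5": acquisition["md5"],
            "expected_md5": hashlib.md5(payload).hexdigest(),
            "image_verified": verify_image(device, img),
            "zeroed_before_wipe": is_zeroed(device),
        }
        wipe(device)
        result["zeroed_after_wipe"] = is_zeroed(device)
        result["size_after_wipe"] = os.path.getsize(device)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

The acquisition hash (computed while reading) and the verification hash (computed afterwards from the image) are two different measurements; record both in the case notes, and add a SHA-256 when the tool allows it.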