Chapter 5 Flashcards

1
Q

Sanitization Methods

A

Clear: overwrite storage space on the media with non-sensitive data

Destroy: disintegrate, pulverize, melt, shred, shoot

2
Q

Aftermath of an Incident

A

Identify shortcomings in risk assessment, policy, or implementation. Repair the problems caused by the incident. Hold the person accountable if it was caused by a malicious act, and collect evidence that clearly ties them to the event.

3
Q

Digital Forensics

A

What data should we collect before an incident occurs? What data are we allowed to collect from an individual's personal computer? What data can we retrieve from persistent storage such as USB drives and hard drives?

4
Q

Fault and due diligence

A

In the US, parties involved in an incident may be blamed for what they do or don't do, e.g., if a party should have prevented the incident but failed to do so. There are customary acts to take for safety and security; parties are less at fault if they show due diligence.

5
Q

Types of legal disputes

A

Private action: one party acts against another based on a shared relationship

Mediation: Two parties rely on a third party to negotiate a settlement

Civil complaint: a party files a lawsuit against another. Settled in court unless settled informally ahead of time.

Criminal complaint: a person is charged with breaking specific laws.

6
Q

Admissible evidence

A

In private actions and mediation we can use informal evidence, but mediators might demand admissible evidence. In civil and criminal cases we can only use admissible evidence.

7
Q

Collecting digital evidence

A

Must yield admissible evidence. There must be no modifications since collection.

8
Q

Process of collecting digital evidence

A

1) Securing the scene
2) Documenting the scene
3) Collecting the evidence

9
Q

Digital evidence procedures

A

Take pictures of powered-on devices. For most devices, simply remove the power source; if we reboot the OS we may modify or destroy evidence. Using chain-of-custody (CoC) documentation, record all serial numbers, cords, and connections before removal, then seal each item in an evidence bag.

10
Q

Forensic Hard Drive Analysis

A

Do not use the native OS to analyze the contents.
1) Do an integrity check (MD5, SHA).
2) Copy the hard drive and do the integrity check again.
3) Analyze the copy, not the original. After you collect the evidence, recalculate the integrity check.

11
Q

Sectors and Clusters

A

Sectors are independent data blocks on the hard drive; each can be read or written individually. Clusters are a series of sectors treated as a single block by the file system.

12
Q

Partitions

A

Breaking up the overall drive into smaller, individual drives.

13
Q

FAT File System

A

Introduced in MS-DOS and widely used; found in cameras, flash drives, and many other digital devices. Supports modern features like long, mixed-case filenames, hierarchical directories, and individual file sizes up to 4 GB.

14
Q

FAT Volume Layout

A

Boot blocks, file allocation table, root directory, clusters

15
Q

Boot Blocks

A

Contain the bootstrap program on a bootable drive, plus details of the volume format such as how large the clusters, the FAT, and the root directory are.

16
Q

FAT file deletion

A

Locate the file's directory entry and mark it as empty; if the file has a long name, mark those entries empty as well. For each cluster in the file, retrieve the FAT entry and change it to show the cluster is free. You can undelete files because deletion doesn't erase data, it just modifies the FAT and the directory.

17
Q

Shortcomings of FAT

A

File sizes are limited to 4 GB; small FAT systems can't recover if errors strike the root directory; searches are slow on very large directories; FAT files can't identify an owner; FAT files can't support access restrictions beyond very simple ones.

18
Q

Modern File systems

A

HFS+ (Apple), NTFS (Microsoft), UFS (Unix)

19
Q

API

A

Application Programming Interface: a simple and standard way for programs to use I/O devices and files.

20
Q

Device Independence

A

Converts API operations into specific commands to individual devices. The file system converts file operations into API operations performed on the hard drive.