COIS 2750 Flashcards

Question 1

Q

What will directly impact your ability to write effective report

Answer

A

Your ability to take notes

Question 2

Q

What will be your foundation for reporting

Answer

A

Your notes

Question 3

Q

4 fundamental elements of note taking

Answer

A

what you did
what you saw
when you did something
why did you do it

Question 4

Q

General template for your notes

Answer

A

Administrative info
Executive summary
Narrative
Exhibits/technical details
Glossary

Question 5

Q

What are the keys to the change in browser history

Answer

A

user experience, security

Question 6

Q

what does the history database contain on chrome

Answer

A

Downloads, history

Question 7

Q

What do cookies do

Answer

A

Cookies are designed to track the user’s activity, such as adding an item to a shopping cart or recording the pages the user has visited.

Question 8

Q

True or False: A cookie is conclusive evidence that the user has accessed a website

Question 9

Q

What format are internet explorer bookmarks in

Answer

A

URL format

Question 10

Q

What are internet explorer bookmarks found in

Answer

A

Favourites

Question 11

Q

5 types of subscriber information

Answer

A

name, address, age, usage dates/times, and IP addresses

Question 12

Q

How does P2P filesharing work

Answer

A

When the user searches the P2P network and finds a file they wish to download, the application will identify all the nodes possessing that file. The application will then connect to the nodes and start downloading pieces of the file from all the available nodes

Question 13

Q

3 types of cloud based computing

Answer

A

Iaas - Infrastructure as a service
Saas - software as a service
Paas - Platform as a service

Question 14

Q

Saas

Answer

A

Applications are provided to the customer via the network

Question 15

Q

Iaas

Answer

A

The remote infrastructure is offered to the customer for use, while the provider maintains ownership and control of the hardware.

Question 16

Q

Paas

Answer

A

The operating system of the client is provided to the customer via a cloud server.

Question 17

Q

2 files found in dropbox

Answer

A

filecahce
config

Question 18

Q

what does config.dbx contain

Answer

A

Contains the user ID, account email address, account username, and path for the dropbox folder

Question 19

Q

what does filecache.dbx contain

Answer

A

consist of the filename, file path, and file size in the local host ID

Question 20

Q

3 files in google drive

Answer

A

sync_config.db
snapshot.db
device_db.db

Question 21

Q

what does sync_config.db contain

Answer

A

Contains the path, show if USB devices are being synced, and the email account associated

Question 22

Q

what does snapshot.db contian

Answer

A

include the serial number of the volume, filename, modified date/time stamps, file size, and show if it is a file or a folder

Question 23

Q

what does device_db.db contain

Answer

A

will contain the device ID of the USB device, the file name of the synced file, the file path, and the date/time stamp of when the file was synchronized to cloud-based storage.

Question 24

Q

What is an email protocol

Answer

A

An email protocol is a standard that is used to allow two computer hosts to exchange email communication

Question 25

Q

Where does an email go once it is sent

Answer

A

When an email is sent it travels from the senders host to an email server

Question 26

Q

What is the standardized protocol that allows users to access their inbox and download emails

Question 27

Q

What is IMAP

Answer

A

Internet message access protocol

Standard protocol used by an email client to access emails on an email server

Question 28

Q

What is the most significant difference between IMAP and POP3

Answer

A

The most significant difference between IMAP and POP is that POP retrieves the contents of the mailbox and IMAP was designed as a remote access mailbox protocol

Question 29

Q

Webmail providers

Answer

A

Gmail, Yahoo, Outlook, Hotmail

Question 30

Q

What do emails do on web based email

Answer

A

User deleted emails stored on a web-based email server typically remain on the server until the system deletes them

Question 31

Q

2 unique factors of emails

Answer

A

domain name, along with the message ID

Question 32

Q

What does it mean when you come across emails with the same message id

Answer

A

The email server is not compliant with the standard
The user has altered the email

Question 33

Q

What does this message ID mean 20080719233957

Answer

A

2008/july 19th/ at 11:39:57pm

Question 34

Q

What is the first thing an email touches

Answer

A

The received line is the first server the email touched

Question 35

Q

Where do undeliverable emails go

Answer

A

The return-path-field

Question 36

Q

What is MIME

Answer

A

Multipurpose Internet Mail Extensions

the internet standard for allowing emails to accept text other than ASCII, binary attachments, multi-part message bodies and non-ASCII base header information

Question 37

Q

PART is the file starter for what

Answer

A

MIME extensions

Question 38

Q

Outlook stores files in what types

Answer

A

pst, mbd, or ost

Question 39

Q

Thunderbird or Mozilla stores files in what format

Answer

A

.MBOX file

Question 40

Q

what are MSF files

Answer

A

Mail summary files

Question 41

Q

What is RAM

Answer

A

Random access memory

contain info about the current running state of the system before you shut it down

snapshot of a live running system, whereas a hard drive examination is static.

RAM is much more transient

Question 42

Q

What is the downfall to collecting RAM

Answer

A

Capturing the data in RAM will lead to the loss of potential evidence. You are changing evidence when you collect RAM.

Question 43

Q

True or false: Data can be written on RAM at extremely fast speeds

Question 44

Q

What tactic is no longer recommended in digital investigations

Answer

A

“pull the plug tactic”

Question 45

Q

What are the two types of RAM

Answer

A

Dynamic ram (Dram) and Static ram (Sram)

Question 46

Q

What is the difference between Dram and Sram

Answer

A

SRAm is faster and more efficient than DRAM
DRAM is cheaper to produce
You will typically find SRAM being used as cache memory for the CPU
DRAM chips being used for memory chips for the computer system.

Question 47

Q

What size is data stored in RAM

Answer

A

4KB pages

Question 48

Q

What is privilege seperation

Answer

A

Privilege determines what a user, user account, and the process is allowed to access. It is a form of access control and when used by the operating system, it helps provide system stability by isolating users and the CPU kernel’s actions

Question 49

Q

What is a system call

Answer

A

It is a bridge between the application and the operating system to allow the untrusted mode to become trusted for a specific instance

Question 50

Q

What is a thread

Answer

A

It is the basic unit of using the system’s resources, such as CPU

Question 51

Q

What contents can you find on RAM

Answer

A

artifacts of what is or has occurred on the system

Configuration information, Typed commands, Passwords, Encryption keys, Unencrypted data, IP addresses, Internet history, Chat conversations, Emails, Malware

Question 52

Q

What is hiberfill.sys

Answer

A

Hibernation file

Hibernation is the process of powering down the computer while still maintaining the current state of the system.

Question 53

Q

What is pagefile.sys

Answer

A

Pagefile

Paging is a method of storing/retrieving data being used in the RAM chips with a virtual memory file stored on a traditional storage device

Question 54

Q

What is swapfile.sys

Answer

A

Swapfile

When the application is suspended, the system will write the application data in its entirety into the swap file.

Question 55

Q

what is memory.dmp

Answer

A

Crash Dump

Happens when the system crashes
When that occurs, it may create a dump of memory to store information about the state of the system at the time of the crash

Question 56

Q

3 types of crash dumps

Answer

A

complete memory dump
kernel memory dump
small dump files

Question 57

Q

what is a complete memory dump

Answer

A

The data contained within the physical memory.

Question 58

Q

what is a kernel memory dump

Answer

A

Will only contain pages of data that were in kernel mode

Question 59

Q

what are small dump files

Answer

A

Contains information about running processes/loaded drivers at the time of the crash

Question 60

Q

What is SWGDE

Answer

A

The Scientific Workgroup on Digital Evidence

Question 61

Q

5 considerations when collecting volatile data

Answer

A

The application used to collect the data in memory will overwrite some contents of the memory.

The larger the tool and associated files are, the more data it overwrites.

The system may load the USB device driver into memory.

The system may load the USB device driver into the registry.

The application that’s used to collect the data in memory will show up in some Most Recently Used (MRUs).

Question 62

Q

3 things needed to capture RAM

Answer

A

A capturing device (such as a USB device)
Access to the system
Administrator privileges

Question 63

Q

What should your external device be formatted as when removing RAM

Answer

A

Your device should be formatted as an NTFS partition

Question 64

Q

What happens when a user first logs into a system

Answer

A

When the user first logs into the system, it will create a user profile

Answer 62

A

a registry hive

Answer 63

A

users preferences and configuration settings

Answer 64

A

Local
roaming
mandatory
temporary

Answer 65

A

This profile is created when the user logs on to a computer for the first time

Answer 66

A

This profile is an administrator-created, network-based profile.

Answer 67

A

This profile is a profile created by the network administrators to lock users down to a specific set of settings when they use a host on the network.

Answer 68

A

This profile is created when an error occurs when the system is loading the user’s profile

Answer 69

A

SAM
SECURITY
SOFTWARE
SYSTEM

Answer 70

A

The SAM hive is the Security Accounts Manager and contains login information about the users.

Answer 71

A

The SECURITY hive contains security information and, potentially, password information.

Answer 72

A

The SOFTWARE hive contains information about application information and the default Windows settings.

Answer 73

A

The SYSTEM hive includes information on the hardware and system configuration

Answer 74

A

An additional hive file which is stored in the root of the user profile
This contains information about the user behavior and their settings

Answer 75

A

Graphical user interface

Answer 76

A

Security identifier

Answer 77

A

Relative identifier

Answer 78

A

System: Information generated by the windows operating system
Application: Information generated by applications on the local machine
Security: Information related to login attempts

Answer 79

A

Th euser account had a successful login
The user account failed to log in
The user account successfully logged off from the local host
The user account had a successful login using explicit credentials; for example the command was run as
The user account had a successful login with elevated permissions
The user successfully created a user account

Answer 80

A

is a database of thumbnail images cereated when the user is using windows explorer in a thumbnail view

Answer 81

A

Most recently used
a list of recently used files that are stored in the users NTUSER.DAT hive

Answer 82

A

effort to protect the user form their own actions

Answer 83

A

It allows the user to access frequently used/recently used files from the windows taskbar

Answer 84

A

Automatic - system created. Records information about file usage
Custom - application-created. Records task-specific information about the application

Answer 85

A

a set of registry keys that remember the size and location of the folders and libraries that the user has accessed via the GUI

Answer 86

A

a feature microsoft introduced to enhance the user experience with the windows operating system by making faster response times to preloading data

stored in %WINDOWS%\PREFETCH

Answer 87

A

Whether there is a wireless network association
Whether there is a connection to a wireless network
Whether there is a failed connection to a wireless network
When the system is disconnected from a wireless network

Answer 88

A

is used to track compatibility issues with executed programs

File Path
$Standard information attribute modify time
The update time of the shimcache

Answer 89

A

can be used to exfiltrate data from one organization

they can be used to deliver malware to an organization to compromise its security protocols

Answer 90

A

%SystemRoot%\System32\Config

Answer 91

A

False

We cannot construe the mere presence of the artifact as a sign of a suspect’s guilt or innocence
The artifact needs to be placed within the context of the user and system activity

Answer 92

A

These may not be accurate
A third party user can use a third-party tool to change the timestamps
Moving files from one volume to another alters timestamps

Answer 93

A

FALSE
Hard drive capacity is not getting smaller, in fact it is increasing at a phenomenal rate

Answer 94

A

X Ways
Belkasoft
Autopsy
Recon Lab
Paladin

Answer 95

A

Is a python backend and framework for the logtimeline forensic tool that pulls out timestamps from a system and creates a database of all events known as a super timeline

Answer 96

A

Image export will export file content from a device, media image, or forensic image

Answer 97

A

CLI tool that is designed to extract chronological-based events from files, directories, forensic images or devices
It will create a database file that can then be analyzed by a variety of tools

Answer 98

A

Command line that is used to display information about the plaso database file

Answer 99

A

CLI tool that allows you to filter, sort, and conduct analysis on the contents of the plaso database file

Answer 100

A

This process also allows for filtering tagging and analysis.

Answer 101

A

Elasticsearch is the search and analytical engine. Logstash is the data processor and ingest engine, while Kibana is the visualizer

Answer 102

A

It is a commercial product specifically designed for creating timeline charts.

Answer 103

A

It is a commercial product specifically designed for creating visual timelines.

Answer 104

A

Timeline Explorer is an open source platform created by Eric Zimmerman, who wanted a tool to read MAC time and plaso-generated CSV files without the need to use Microsoft Excel

Answer 105

A

This is the space on the storage device that a file occupies. The filesystem recognizes the storage space as being used.

Answer 106

A

This is the space on the storage device that is not occupied by a file

Answer 107

A

When the data is stored in a cluster; if the file does not completely fill a cluster, the remaining space not used by the file is referred to as slack space

The space between the end of a logical file and the cluster boundary is called the file slack

Answer 108

A

This is the space on the disk that has been marked bad by the filesystem because of a defect. It can also be used by a user to hide data from a casual inspection

Answer 109

A

Disk, volume, filesystem, data unit, metadata

Answer 110

A

was developed to overcome the limitations of ASCII

Answer 111

A

read-only memory

Answer 112

A

It is a widespread practice to remove the hard drive from the system to create a forensic image

Answer 113

A

C drive belongs ot the logical partition of the hard drive

Answer 114

A

One or more platters stacked together with a spindle in the center to read and write data
Platters which are made of metal alloy or glass, are coated with a magnetic substance in which the heads magnetically encode information on the platters
The heads can write data on both sides of the platter
Actuators that control the heads

Answer 115

A

are storage devices that contain no moving parts. Instead, they are made up of memory chips.

Answer 116

A

Wear leveling
Trim
Garbage collection

Answer 117

A

This spreads the writes across the different chips so that it uses the chips at the same rate.

Answer 118

A

This will wipe the unallocated space of the device.

Answer 119

A

As the firmware scans the memory modules, it may identify pages within the data blocks that have been deleted. The firmware will move the allocated pages to a new block and will wipe the data block so that it can reuse the blocks. The firmware can only delete data in blocks.

Answer 120

A

defines the number of heads, the number of tracks, cylinders, and the sectors per track

Answer 121

A

A sector (B)

Answer 122

A

occurs when we divide the physical device into logical segments called “volumes”

Answer 123

A

Extended partition

Answer 124

A

File Allocation Table
The purpose of the file allocation table is to track the clusters and to track which files will occupy the clusters

Answer 125

A

NTFS filesystem

New technology filesystem

Answer 126

A

trier of fact

Answer 127

A

Digital forensic examiner controls the working environment of the digital forensic examination

No actions will occur unless the digital forensic examiner intends the action to occur

When the action has been completed, the examiner will reasonably know what the expected outcome is

Answer 128

A

the testifying will be unsuccessful

Answer 129

A

Understand their functionality
Document your training
Take notes during the exam
Validate the tools

Answer 130

A

We must use a write blocker.

Answer 131

A

hard ware writeblocker
software writeblocker

Answer 132

A

a device that intercepts and prevents any modification to the source device.

Answer 133

A

where a change is made to the operating system to stop it from making writes to the device.

Answer 134

A

Read-only
Read/write

Answer 135

A

FALSE you should always make a copy

Answer 136

A

This is a straight bit-for-bit copy of the source to the destination.
We will recover deleted files, file slack, and partition slack.

Answer 137

A

We are creating a bit-for-bit copy of the source device, but we store that data in a forensic image format.
We will recover deleted files, file slack, and partition slack.

Answer 138

A

Due to this, we can make logical copies of the files and folders pertinent to the investigation. We will NOT be able to recover deleted files, file slack, and partition slack.

Answer 139

A

Pre-investigation considerations
Understanding case information and legal issues
Understanding data acquisition
Understanding the analysis process
Reporting your findings

Answer 140

A

gloves, computer, notepad, paperwork, toolkit, camera

Answer 141

A

free for anyone to use
Use for educational, profit, or testing purposes
often CLI or GUI

Answer 142

A

paid for
more technical support

Answer 143

A

Whether the theory or technique can be or has been tested
Whether it has been subjected to peer review and publication
The known or potential error rate
The existence and maintenance of standards
Its acceptance within the scientific community

Answer 144

A

CAINE
SIFT
Autopsy
Paladin

Answer 145

A

X-Ways Forensics
EnCase
Forensic Toolkit (FTK)
Forensic Explorer (FEX)
Belkasoft Evidence Center
Axinom

Answer 146

A

International Association of Computer INvestigative Specialists(IACIS)
EnCase Certified Examiner (EnCE)
Accessdata Certified Examiner (ACE)
Computer Hacking Forensic INvestigator (CHFI)
Global Information Assurance Certification (GIAC)

Answer 147

A

Live system
Running
Network
Virtual
Physical

Answer 148

A

means leaving the smallest possible footprint during collection to minimize the amount of data being changed within collection

Answer 149

A

encryption is encoding information to protect the confidentiality of the information and allow only the person with the decryption key to access it.

Answer 150

A

Description of evidence
item number
quantity
description of item

Answer 151

A

Universal time (UTC) as a standard frame reference helps solve this problem.

Answer 152

A

A hash is a digital fingerprint for a file or piece of digital media.

Answer 153

A

MD5 and SHA-1

Answer 154

A

You can use it to verify the evidence has not changed
It can be used to exclude files
It can be used to identify files of interest

Answer 155

A

occurs when two different variable inputs result in the same fixed-length output

Answer 156

A

Ensures the file extension matches the file type

Answer 157

A

It is a division of forensics involving the recovery and analysis of data that has been recovered from digital devices.

Answer 158

A

First responder
Scene technician
Investigator

Answer 159

A

sworn unsworn

Answer 160

A

May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms.

Answer 161

A

May take an oath but do not have powers to arrest. These positions are typically crime scene analyst or law enforcement support technicians

Answer 162

A

Potential victims
Witnesses
Potential suspects
How best to maintain control

Answer 163

A

Take control of the scene

Answer 164

A

A search warrant obtained
Or the consent of the owner

Answer 165

A

probable cause

Answer 166

A

Stalking
p2p filesharing
Illicit images
Email based communications
newsgroups USEnet

Answer 167

A

a file type-digital images, videos, audio software or any other file type

USEnet file

Answer 168

A

A conspiracy occurs when two or more people agree to commit an illegal act
Just an agreement is not enough, there must be actions that carry out the plan

Answer 169

A

Statement from the organization addressing a specific issue

Answer 170

A

Specific instructions regarding how to accomplish the goals of the policy

Answer 171

A

Treat every investigation as if you will go to court for it

Answer 172

A

One organization spying on another organization to achieve commercial or financial gain

Answer 173

A

A hacker is a malicious user gaining access to information systems that belong to another

Answer 174

A

Someone who attacks a system with malicious intent
Goal is to violate and exploit the user information

Answer 175

A

Positive hacker, no malicious intent
Intent is to identify vulnerabilities in the system so the owner can help to fix them

Answer 176

A

Attacker attempts to trick user into gaining access to confidential information such as username or passwords

Answer 177

A

Insider threats are more dangerous than outsider threats
They take up 1/3 of digital forensic investigations

Answer 178

A

A subpoena

Brainscape's Knowledge GenomeTM

COIS 2750 Flashcards

Brainscape's Knowledge Genome^TM