COIS 2750 Flashcards

Question

Where does an email go once it is sent

Answer 1

When an email is sent it travels from the senders host to an email server

Answer 2

Internet message access protocol Standard protocol used by an email client to access emails on an email server

Answer 3

The most significant difference between IMAP and POP is that POP retrieves the contents of the mailbox and IMAP was designed as a remote access mailbox protocol

Answer 4

Gmail, Yahoo, Outlook, Hotmail

Answer 5

User deleted emails stored on a web-based email server typically remain on the server until the system deletes them

Answer 6

domain name, along with the message ID

Answer 7

The email server is not compliant with the standard The user has altered the email

Answer 8

2008/july 19th/ at 11:39:57pm

Answer 9

The received line is the first server the email touched

Answer 10

The return-path-field

Answer 11

Multipurpose Internet Mail Extensions the internet standard for allowing emails to accept text other than ASCII, binary attachments, multi-part message bodies and non-ASCII base header information

Answer 12

MIME extensions

Answer 13

pst, mbd, or ost

Answer 14

.MBOX file

Answer 15

Mail summary files

Answer 16

Random access memory contain info about the current running state of the system before you shut it down snapshot of a live running system, whereas a hard drive examination is static. RAM is much more transient

Answer 17

Capturing the data in RAM will lead to the loss of potential evidence. You are changing evidence when you collect RAM.

Answer 18

"pull the plug tactic"

Answer 19

Dynamic ram (Dram) and Static ram (Sram)

Answer 20

SRAm is faster and more efficient than DRAM DRAM is cheaper to produce You will typically find SRAM being used as cache memory for the CPU DRAM chips being used for memory chips for the computer system.

Answer 21

Privilege determines what a user, user account, and the process is allowed to access. It is a form of access control and when used by the operating system, it helps provide system stability by isolating users and the CPU kernel's actions

Answer 22

It is a bridge between the application and the operating system to allow the untrusted mode to become trusted for a specific instance

Answer 23

It is the basic unit of using the system's resources, such as CPU

Answer 24

artifacts of what is or has occurred on the system Configuration information, Typed commands, Passwords, Encryption keys, Unencrypted data, IP addresses, Internet history, Chat conversations, Emails, Malware

Answer 25

Hibernation file Hibernation is the process of powering down the computer while still maintaining the current state of the system.

Answer 26

Pagefile Paging is a method of storing/retrieving data being used in the RAM chips with a virtual memory file stored on a traditional storage device

Answer 27

Swapfile When the application is suspended, the system will write the application data in its entirety into the swap file.

Answer 28

Crash Dump Happens when the system crashes When that occurs, it may create a dump of memory to store information about the state of the system at the time of the crash

Answer 29

complete memory dump kernel memory dump small dump files

Answer 30

The data contained within the physical memory.

Answer 31

Will only contain pages of data that were in kernel mode

Answer 32

Contains information about running processes/loaded drivers at the time of the crash

Answer 33

The Scientific Workgroup on Digital Evidence

Answer 34

The application used to collect the data in memory will overwrite some contents of the memory. The larger the tool and associated files are, the more data it overwrites. The system may load the USB device driver into memory. The system may load the USB device driver into the registry. The application that's used to collect the data in memory will show up in some Most Recently Used (MRUs).

Answer 35

A capturing device (such as a USB device) Access to the system Administrator privileges

Answer 36

Your device should be formatted as an NTFS partition

Answer 37

When the user first logs into the system, it will create a user profile

Answer 38

a registry hive

Answer 39

users preferences and configuration settings

Answer 40

Local roaming mandatory temporary

Answer 41

This profile is created when the user logs on to a computer for the first time

Answer 42

This profile is an administrator-created, network-based profile.

Answer 43

This profile is a profile created by the network administrators to lock users down to a specific set of settings when they use a host on the network.

Answer 44

This profile is created when an error occurs when the system is loading the user's profile

Answer 45

SAM SECURITY SOFTWARE SYSTEM

Answer 46

The SAM hive is the Security Accounts Manager and contains login information about the users.

Answer 47

The SECURITY hive contains security information and, potentially, password information.

Answer 48

The SOFTWARE hive contains information about application information and the default Windows settings.

Answer 49

The SYSTEM hive includes information on the hardware and system configuration

Answer 50

An additional hive file which is stored in the root of the user profile This contains information about the user behavior and their settings

Answer 51

Graphical user interface

Answer 52

Security identifier

Answer 53

Relative identifier

Answer 54

System: Information generated by the windows operating system Application: Information generated by applications on the local machine Security: Information related to login attempts

Answer 55

Th euser account had a successful login The user account failed to log in The user account successfully logged off from the local host The user account had a successful login using explicit credentials; for example the command was run as The user account had a successful login with elevated permissions The user successfully created a user account

Answer 56

is a database of thumbnail images cereated when the user is using windows explorer in a thumbnail view

Answer 57

Most recently used a list of recently used files that are stored in the users NTUSER.DAT hive

Answer 58

effort to protect the user form their own actions

Answer 59

It allows the user to access frequently used/recently used files from the windows taskbar

Answer 60

Automatic - system created. Records information about file usage Custom - application-created. Records task-specific information about the application

Answer 61

a set of registry keys that remember the size and location of the folders and libraries that the user has accessed via the GUI

Answer 62

a feature microsoft introduced to enhance the user experience with the windows operating system by making faster response times to preloading data stored in %WINDOWS%\PREFETCH

Answer 63

Whether there is a wireless network association Whether there is a connection to a wireless network Whether there is a failed connection to a wireless network When the system is disconnected from a wireless network

Answer 64

is used to track compatibility issues with executed programs File Path $Standard information attribute modify time The update time of the shimcache

Answer 65

can be used to exfiltrate data from one organization they can be used to deliver malware to an organization to compromise its security protocols

Answer 66

%SystemRoot%\System32\Config

Answer 67

False We cannot construe the mere presence of the artifact as a sign of a suspect's guilt or innocence The artifact needs to be placed within the context of the user and system activity

Answer 68

These may not be accurate A third party user can use a third-party tool to change the timestamps Moving files from one volume to another alters timestamps

Answer 69

FALSE Hard drive capacity is not getting smaller, in fact it is increasing at a phenomenal rate

Answer 70

X Ways Belkasoft Autopsy Recon Lab Paladin

Answer 71

Is a python backend and framework for the logtimeline forensic tool that pulls out timestamps from a system and creates a database of all events known as a super timeline

Answer 72

Image export will export file content from a device, media image, or forensic image

Answer 73

CLI tool that is designed to extract chronological-based events from files, directories, forensic images or devices It will create a database file that can then be analyzed by a variety of tools

Answer 74

Command line that is used to display information about the plaso database file

Answer 75

CLI tool that allows you to filter, sort, and conduct analysis on the contents of the plaso database file

Answer 76

This process also allows for filtering tagging and analysis.

Answer 77

Elasticsearch is the search and analytical engine. Logstash is the data processor and ingest engine, while Kibana is the visualizer

Answer 78

It is a commercial product specifically designed for creating timeline charts.

Answer 79

It is a commercial product specifically designed for creating visual timelines.

Answer 80

Timeline Explorer is an open source platform created by Eric Zimmerman, who wanted a tool to read MAC time and plaso-generated CSV files without the need to use Microsoft Excel

Answer 81

This is the space on the storage device that a file occupies. The filesystem recognizes the storage space as being used.

Answer 82

This is the space on the storage device that is not occupied by a file

Answer 83

When the data is stored in a cluster; if the file does not completely fill a cluster, the remaining space not used by the file is referred to as slack space The space between the end of a logical file and the cluster boundary is called the file slack

Answer 84

This is the space on the disk that has been marked bad by the filesystem because of a defect. It can also be used by a user to hide data from a casual inspection

Answer 85

Disk, volume, filesystem, data unit, metadata

Answer 86

was developed to overcome the limitations of ASCII

Answer 87

read-only memory

Answer 88

It is a widespread practice to remove the hard drive from the system to create a forensic image

Answer 89

C drive belongs ot the logical partition of the hard drive

Answer 90

One or more platters stacked together with a spindle in the center to read and write data Platters which are made of metal alloy or glass, are coated with a magnetic substance in which the heads magnetically encode information on the platters The heads can write data on both sides of the platter Actuators that control the heads

Answer 91

are storage devices that contain no moving parts. Instead, they are made up of memory chips.

Answer 92

Wear leveling Trim Garbage collection

Answer 93

This spreads the writes across the different chips so that it uses the chips at the same rate.

Answer 94

This will wipe the unallocated space of the device.

Answer 95

As the firmware scans the memory modules, it may identify pages within the data blocks that have been deleted. The firmware will move the allocated pages to a new block and will wipe the data block so that it can reuse the blocks. The firmware can only delete data in blocks.

Answer 96

defines the number of heads, the number of tracks, cylinders, and the sectors per track

Answer 97

A sector (B)

Answer 98

occurs when we divide the physical device into logical segments called “volumes”

Answer 99

Extended partition

Answer 100

File Allocation Table The purpose of the file allocation table is to track the clusters and to track which files will occupy the clusters

Answer 101

NTFS filesystem New technology filesystem

Answer 102

trier of fact

Answer 103

Digital forensic examiner controls the working environment of the digital forensic examination No actions will occur unless the digital forensic examiner intends the action to occur When the action has been completed, the examiner will reasonably know what the expected outcome is

Answer 104

the testifying will be unsuccessful

Answer 105

Understand their functionality Document your training Take notes during the exam Validate the tools

Answer 106

We must use a write blocker.

Answer 107

hard ware writeblocker software writeblocker

Answer 108

a device that intercepts and prevents any modification to the source device.

Answer 109

where a change is made to the operating system to stop it from making writes to the device.

Answer 110

Read-only Read/write

Answer 111

FALSE you should always make a copy

Answer 112

This is a straight bit-for-bit copy of the source to the destination. We will recover deleted files, file slack, and partition slack.

Answer 113

We are creating a bit-for-bit copy of the source device, but we store that data in a forensic image format. We will recover deleted files, file slack, and partition slack.

Answer 114

Due to this, we can make logical copies of the files and folders pertinent to the investigation. We will NOT be able to recover deleted files, file slack, and partition slack.

Answer 115

Pre-investigation considerations Understanding case information and legal issues Understanding data acquisition Understanding the analysis process Reporting your findings

Answer 116

gloves, computer, notepad, paperwork, toolkit, camera

Answer 117

free for anyone to use Use for educational, profit, or testing purposes often CLI or GUI

Answer 118

paid for more technical support

Answer 119

Whether the theory or technique can be or has been tested Whether it has been subjected to peer review and publication The known or potential error rate The existence and maintenance of standards Its acceptance within the scientific community

Answer 120

CAINE SIFT Autopsy Paladin

Answer 121

X-Ways Forensics EnCase Forensic Toolkit (FTK) Forensic Explorer (FEX) Belkasoft Evidence Center Axinom

Answer 122

International Association of Computer INvestigative Specialists(IACIS) EnCase Certified Examiner (EnCE) Accessdata Certified Examiner (ACE) Computer Hacking Forensic INvestigator (CHFI) Global Information Assurance Certification (GIAC)

Answer 123

Live system Running Network Virtual Physical

Answer 124

means leaving the smallest possible footprint during collection to minimize the amount of data being changed within collection

Answer 125

encryption is encoding information to protect the confidentiality of the information and allow only the person with the decryption key to access it.

Answer 126

Description of evidence item number quantity description of item

Answer 127

Universal time (UTC) as a standard frame reference helps solve this problem.

Answer 128

A hash is a digital fingerprint for a file or piece of digital media.

Answer 129

MD5 and SHA-1

Answer 130

You can use it to verify the evidence has not changed It can be used to exclude files It can be used to identify files of interest

Answer 131

occurs when two different variable inputs result in the same fixed-length output

Answer 132

Ensures the file extension matches the file type

Answer 133

It is a division of forensics involving the recovery and analysis of data that has been recovered from digital devices.

Answer 134

First responder Scene technician Investigator

Answer 135

sworn unsworn

Answer 136

May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms.

Answer 137

May take an oath but do not have powers to arrest. These positions are typically crime scene analyst or law enforcement support technicians

Answer 138

Potential victims Witnesses Potential suspects How best to maintain control

Answer 139

Take control of the scene

Answer 140

A search warrant obtained Or the consent of the owner

Answer 141

probable cause

Answer 142

Stalking p2p filesharing Illicit images Email based communications newsgroups USEnet

Answer 143

a file type-digital images, videos, audio software or any other file type USEnet file

Answer 144

A conspiracy occurs when two or more people agree to commit an illegal act Just an agreement is not enough, there must be actions that carry out the plan

Answer 145

Statement from the organization addressing a specific issue

Answer 146

Specific instructions regarding how to accomplish the goals of the policy

Answer 147

Treat every investigation as if you will go to court for it

Answer 148

One organization spying on another organization to achieve commercial or financial gain

Answer 149

A hacker is a malicious user gaining access to information systems that belong to another

Answer 150

Someone who attacks a system with malicious intent Goal is to violate and exploit the user information

Answer 151

Positive hacker, no malicious intent Intent is to identify vulnerabilities in the system so the owner can help to fix them

Answer 152

Attacker attempts to trick user into gaining access to confidential information such as username or passwords

Answer 153

Insider threats are more dangerous than outsider threats They take up 1/3 of digital forensic investigations

Answer 154

A subpoena