computer forensics Flashcards

1
Q

List examples of input devices?

A
  1. Keyboard
  2. Mouse
  3. JoyStick
  4. Scanner
2
Q

List examples of output devices?

A
  1. Monitor
  2. Printer
  3. Speakers
3
Q

What is true of data storage and retrieval?

A

A. Examiners must be familiar with the file system they are examining
B. Evidence may be found in various computer locations and formats
C. There are two categories for data-related evidence:
   1. Visible data
   2. Latent data
D. The formatting process initializes portions of the hard drive so that it can store data, and it creates the structure of the file system

4
Q

Compare and contrast ROM and RAM.

A

Read Only Memory (ROM) – chips that store programs called firmware and are used to start the boot process and configure a computer’s components
Random Access Memory (RAM) – the location in a computer where the operating system that is in use can be stored and retrieved for quick reference by the CPU

5
Q

What are the initial steps in crime scene documentation for cyber crimes?

A
  1. The scene should be initially documented in as much detail as possible before any evidence is moved and examined
  2. Crime scene documentation is accomplished through two actions:
    a) Sketching – the crime scene must be thoroughly diagramed and sketched in a floor plan format
    b) Photographing – from all locations and all possible angles, and include wide and close-up images
6
Q

What is the correct way to process a computerized crime scene?

A

- Similar to processing a traditional crime scene (i.e. warrants, documentation, investigation techniques)
- Documentation is a significant component in the computerized crime scene

7
Q

How is data obtained from a system so that a forensic image can be created?

A

Because booting a HDD to its operating system changes many files and could destroy evidentiary data, the data is generally obtained by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created.
Occasionally, in cases with specialized or unique equipment/systems, the image of the HDD must be obtained by using the seized computer.

8
Q

Identify examples of user-created data.

A

Visible data is data from a computer that is openly visible and easily available to users. From an evidentiary standpoint it can encompass any type of user-created data, such as:
1. Word processing documents
2. Spreadsheets
3. Accounting records
4. Databases
5. Pictures

9
Q

What is meant by temporary files?

A

Files temporarily written by an application to perform a function
1. Most programs automatically save a temporary copy of the file in progress
2. Can be valuable as evidence
3. Can sometimes be recovered during a forensic examination, including some of the data that may have been altered from a previous version
Another type of temporary file valuable to the computer investigator is the printer spool

10
Q

Why can data be recovered from a printer spool?

A
  1. When a print job is sent to the printer, a spooling process delays the sending of the data so the application can continue to work while the printing takes place in the background
  2. When the print job occurs, a temporary print spool file is created
  3. This file contains a copy of all of the data from the printer
11
Q

Define forensic image acquisition.

A

The process of creating a bit-for-bit copy of data on a storage device in a forensically sound manner.
Because booting a HDD to its operating system changes many files and could destroy evidentiary data, the data is generally obtained by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created.

12
Q

What is the difference between visible data and latent data?

A

Visible data is data from a computer that is openly visible and easily available to users
1. Word processing documents
2. Spreadsheets
3. Accounting records
4. Databases
5. Pictures

Latent data is the areas of files and disks that are typically not apparent to the computer user
Includes data in
1. Swap space (used to conserve the valuable RAM within the computer system)
2. RAM slack – the area from the end of the logical file to the end of the sector
3. File slack – the remaining area from the end of the final sector containing data to the end of the cluster
4. Unallocated space – the space on a hard drive that contains available space; the space may also contain temporary and deleted files

13
Q

Compare and contrast a sector and a cluster.

A

Sector – the smallest unit of data addressable by a hard disk drive, generally consisting of 512 bytes
Cluster – a group of sectors in multiples of two, typically the minimum space allocated to a file; commonly, a cluster will have four or eight sectors

14
Q

What is meant by defragmenting a Hard Disk Drive?

A

Defragmenting a HDD involves reconnecting noncontiguous data, a method of storing data in sectors of memory that are not adjoining

15
Q

What can degrade the performance of a HDD, causing the read/write heads to have to traverse the platters to locate the data?

A

Fragmentation of numerous files can degrade the performance of a HDD, causing the read/write heads to have to traverse the platters to locate the data

16
Q

When a user deletes files, what happens to the data that remains behind?

A
  1. The first character in the file's directory entry (its name) is replaced with the Greek letter sigma
  2. When the sigma replaces the first character, the file is no longer viewable through conventional methods, and the operating system views the space previously occupied by the file as available
17
Q

Differentiate between modems, DSL lines, and WiFi.

A

An aspect of the internet includes various methods of connection that include
1. Wire
   a) Modem – a device that allows computers to exchange and transmit information through telephone lines
   b) Cable lines or DSL telephone lines – provide higher speed broadband connections
2. Wireless (Wi-Fi)
Each computer that connects to the Internet has a unique numerical Internet Provider (IP) address and usually a name

18
Q

Define search engines and web browsers.

A

A browser is a piece of software that retrieves and displays web pages; a search engine is a website that helps people find web pages from other websites

19
Q

Law enforcement faces new challenges with Internet crimes. What are these challenges?

A
  1. Most law enforcement officers are not trained in the technologies
  2. Internet crimes span multiple jurisdictions
  3. There is a need to retrofit new crimes to existing laws

Computers are used to commit a variety of crimes
1. Identity Theft
2. Fraud
3. Industrial espionage
4. Child pornography
5. Harassment
6. Gambling
7. Piracy
8. Computer viruses and spam

20
Q

What are the tasks of forensic investigators?

A

The task of forensic investigators includes
1. Restoring deleted files and emails
2. Finding the hidden files through complex password encryption programs and searching techniques
3. Tracking criminals through the digital trail — IP addresses, to ISPs, to the offender

21
Q

What is the difference between hardware and software?

A
  • Hardware is the physical material that makes up a computer
  • Software consists of the programs and applications that carry out a set of instructions on the hardware
22
Q

Why do forensic examiners remove the HDD from the system and place it in a laboratory forensic computer?

A

Because booting a HDD to its operating system changes many files and could destroy evidentiary data, the data is generally obtained by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created.