Exam 1

Question 1

Bit

Answer 1

The smallest unit of measurement that a computer can interpret.
Also called a binary digit.

Question 2

Binary

Answer 2

Being binary implies only implies only two possible states: 0 or 1
+5v or -5v
Yes or No

Question 3

ASCII

Answer 3

American Standard Codes for Information Interchange.
7 bits per character.
Allows for 128 character possibilities.
1968.

Question 4

Extended ASCII

Answer 4

8 bits (1 byte) per character.
Added another 128 for a total of 256 characters.

Question 5

Byte

Answer 5

Collection of 8 bits representing a single character.

Question 6

Digital Forensics

Answer 6

The science of locating, extracting, and analyzing digital evidence in legal matters.

Question 7

FBI CART

Answer 7

FBI Computer Analysis and Response Team.
Circa 1984.
No personal computers yet, started with larger main-frame type computers.

Question 8

Fourth Amendment

Answer 8

Search warrants needed for digital devices.
Probable cause that crime has occurred and evidence is still there.
Can no longer search phone incident to arrest.
Warrants only apply to government, not corporate or private.

Question 9

Sub-Disciplines

Answer 9

Growing in number.
Computer Forensics.
Network Forensics.
Data Recovery.
Disaster Recovery.

Question 10

Network Forensics

Answer 10

Enterprise network environment.

Vulnerability assessment and risk management group.

Question 11

IACIS

Answer 11

International Association of Computer Investigative Specialists.
Formed by police officers who wanted to formalize credentials in computing investigations.
Formed in early 1990’s.

Question 12

Understanding Case Law

Answer 12

Technology evolves at an exponential rate.
Case law used when statutes or regulations don’t exist.
Laws developed in the 70’s.

Question 13

Computer Investigation Types

Answer 13

Public investigations.

Private or corporate investigations.

Question 14

Public Investigations

Answer 14

Law enforcement.
Performed by commissioned (armed) officers.
Moving toward more civilian investigators.

Question 15

Private Investigations

Answer 15

No fourth amendment restrictions.
Mostly internal with corporations.
Often have tools for own needs.
Can still involve legal-type aspects.
Everything from harassment to falsifying data.
Can lead to criminal charges.
Handles evidence similar to law enforcement so that if it becomes criminal it can be handed over to police or court.

Question 16

Professional Conduct in Corporate Investigations

Answer 16

Maintain objectivity by forming and sustaining unbiased opinions of case.
Keep cases confidential.
Case may become criminal if murder is involved (rare).
Professional conduct to maintain credibility.

Question 17

Digital Forensics Examiner

Answer 17

Must know more than one computing platform.

Question 18

Corporate Investigation Guidelines

Answer 18

Display warning banners to remind visitors and employees of policies.
Establish company policies.
Define and limit number of authorized requesters who can start investigation.

Question 19

Silver-platter Doctrine

Answer 19

When private investigations hand evidence over to law enforcement because of indications of criminal activity.

Question 20

Computer Forensics Lab

Answer 20

Conduct investigations.
Store evidence.
House equipment, hardware, and software.

Question 21

ASCLD

Answer 21

American Society of Crime Laboratory Directors.
Gives guidelines for:
Managing a lab.
Acquiring an official certification.
Auditing lab functions and procedures.

Question 22

Lab Manager Duties: Administrative

Answer 22

Enforce ethical standards among lab staff members.
Create and monitor lab policies for staff.
Promote group consensus in decision making.
Set reasonable production schedules.

Question 23

Lab Manager Duties: Lab

Answer 23

Plan updates for lab.
Maintain fiscal responsibility for lab needs.
Provide safe and secure workplace for staff and evidence.

Question 24

Lab Manager Duties: Processes

Answer 24

Set up processes for managing cases.
Establish and promote quality-assurance processes.
Estimate when to respect preliminary and final results.
Estimate how many cases an investigator can handle.

Question 25

Lab Staff Member Duties

Answer 25

Hardware and software.
OS and file types.
Technical training.
Deductive reasoning.
Investigative skills.

Question 26

Lab Budget Training

Answer 26

Break costs down into daily/quarterly/annual expenses.

Use past investigation expenses to extrapolate expected future costs.

Question 27

Lab Expenses

Answer 27

Hardware.
Software.
Facility space.
Trained personnel.

Question 28

Lab Budget Planning

Answer 28

Estimate number of cases lab expects to examine.
Identify types of computers you’re likely to examine.
Account for changes in technology.
Use statistics to determine which computer crimes are most likely to occur.

Question 29

Acquiring Certification and Training

Answer 29

Update skills through appropriate training.

Question 30

CEECS

Answer 30

Certified Electronic Evidence Collection Specialist.

Question 31

CFCE

Answer 31

Certified Forensic Computer Examiner.

Question 32

HTCN

Answer 32

High-Tech Crime Network.
Certified Computer Crime Investigator, basic and advanced level.
Certified Computer Forensic Technician, basic and advanced level.

Question 33

EnCE

Answer 33

EnCase Certified Examiner Certification.

Question 34

ACE

Answer 34

AccessData Certified Examiner Certification.

Question 35

HTCIA

Answer 35

High Technology Crime Investigation Association.

Question 36

SANS

Answer 36

SysAdmin, Audit, Network, Security Institute

Question 37

NTI

Answer 37

NewTechnologies, Inc.

Question 38

FLETC

Answer 38

Federal Law Enforcement Training Center

Question 39

NW3C

Answer 39

National White Collar Crime Center

Question 40

Physical Requirements for a Computer Forensics Lab

Answer 40

Secure so that evidence is not lost, corrupted, or destroyed.
Safe and secure physical environment.
Keep inventory control of assets.
Know when to reorder supplies.

Question 41

Lab Security Needs: General

Answer 41

Secure to preserve integrity of evidence data.
People working together should have same access level.
Staff briefed about security policy.

Question 42

Lab Security Needs: General Minimum Requirements

Answer 42

Small room with true floor-to-ceiling walls.
Door access with locking mechanism.
Secure containers.
Visitor’s log.

Question 43

Conducting High-Risk Investigations

Answer 43

These demand more security than min. requirements.
TEMPEST facilities, very expensive.
Electromagnetic Radiation (EMR) proof.
Can use low-emanation workstations instead.

Question 44

Using Evidence Containers

Answer 44

slide 6.2-7.1

Question 45

Overseeing Facility Maintenance

Answer 45

slide 7.2

Question 46

Physical Security Needs

Answer 46

slide 7.3

Question 47

Auditing a Computer Forensics Lab

Answer 47

slide 8.1

Question 48

Computer Forensic Lab Floorplans

Answer 48

slide 8.2-9.1

Question 49

Selecting a Basic Forensic Workstation

Answer 49

slide 9.2

Question 50

Workstations for Police Labs

Answer 50

slide 9.3

Question 51

Workstations for Private/Corporate Labs

Answer 51

slide 10.1

Question 52

Stocking Hardware Peripherals

Answer 52

slide 10.2

Question 53

Maintaining Operating Systems and Software Inventories

Answer 53

slide 10.3

Question 54

Using a Disaster Recovery Plan

Answer 54

slide 11.1

Question 55

Planning Equipment Upgrades

Answer 55

slide 11.2

Question 56

Using Laptop Forensic Workstations

Answer 56

slide 11.3

Question 57

Lab Summary Points

Answer 57

slide 12.1-2

Question 58

Expanded Bits

Answer 58

Every time you add a bit, you expand the possibilities by a factor of 2.

Question 59

1 Byte Conversion Table

Answer 59

128 - 64 - 32 - 16 - 8 - 4 - 2 - 1

Question 60

Byte to Decimal Conversion

Answer 60

Add the corresponding bit values (128, 64…2,1).

Question 61

Hexadecimal

Answer 61

Base-16 counting system.
1 byte (8 bits) per hex value (4F).

Question 62

Decimal

Answer 62

Base-10 counting system.

Question 63

Nibble

Answer 63

Half a byte (4 bits).

Question 64

Hexadecimal to Decimal

Answer 64

16^1, etc. Do we need to know this??

Question 65

Unicode

Answer 65

2 bytes (16 bits) per character.
Allows for 2^16 character possibilities.
Can accommodate multiple languages.
~ 68,000 human languages.
Sometimes uses 4 bytes per character.
Currently used in Windows, Macintosh, Office

Question 66

Reading Multiple Bytes

Answer 66

Some values require multiple bytes for a given value.

Windows date and time requires 8 bytes.

Question 67

Big Endian

Answer 67

Left to right.
Most significant byte is read first.
Motorola systems, old Macintosh.

Question 68

Little Endian

Answer 68

Right to left.
Least significant byte is read first.
Intel-based systems.

Question 69

Byte Groups: Words

Answer 69

1 byte: BYTE.
2 bytes: WORD.
4 bytes: DWORD (double word).
8 bytes: QWORD (quad word).

Question 70

Byte Groups: Numbers

Answer 70

1 byte: BYTE.
2 bytes: SHORT.
3 bytes: INT.
4 bytes: LONG.

Question 71

Byte Groups: Integers

Answer 71

Numbers can be expressed as positive or negative (signed integers).
Numbers with only positive values (unsigned integers).
Pos/neg values determined by left-most bit.
0 indicates positive integer, 1 indicates a negative.

Question 72

Encryption

Answer 72

The process of obfuscating data through some encoding methodology or mathematical formula.
This can be a the bit, nibble, or byte level.

Question 73

Bit Shifting

Answer 73

The process of shifting bits in a byte left or right.

Question 74

Nibble Swapping

Answer 74

Switches two nibbles within a byte.

Question 75

Bit Xoring

Answer 75

Using a key.
Adding bits together.
0 + 0 = 0.
1 + 1  = 0.
1 + 0 = 1.

Question 76

Hex Editors

Answer 76

HxD.
Winhex.
Diskedit.

Question 77

Offset

Answer 77

Number of bytes from a designated point.

Beginning of file, sector, drive, record, attribute.

Question 78

File Extensions

Answer 78

Use three letter extensions to help identify them.
(doc, exe, jpg, pdf,txt,etc.)
Changing extensions prevent files for opening.

Question 79

File Headers

Answer 79

In many file types, the first few bytes of data contain specific values that indicate file type.
If changed, file cannot be viewed properly.
Also known as Signatures or Magic Numbers.

Question 80

File Type Viewers

Answer 80

Instead of using native application to view files, it’s often easier to use a file viewer.
Quickview Plus, Keyview Pro, Diskjockey 2000.

Question 81

Graphic Viewers

Answer 81

slide 15.1

Question 82

Hash Value

Answer 82

Value is expressed in hexadecimal and is calculated based on the content of the item examined.
Digital fingerprint of a particular file at a particular time.
Any content changes changes value.

Question 83

Hashing Algorithms

Answer 83

MD5.
SHA-1.
CRC.

Question 84

MD5

Answer 84

Hashing algorithm.
Commonly used in forensics.
Typically expressed as a hex number.
128 (16 bytes, 32-digit hex number) long.
1 to 2^128 chance in two being the same.

Question 85

SHA-1

Answer 85

Hashing algorithm.
Commonly used in forensics.
160 bits (20 bytes) long.
Weaknesses make it unfit for cryptographic use.

Question 86

Hashable Data

Answer 86

Text string (group of words).
Files, data region, sectors.
Volumes and physical drives.

Question 87

Authentication and Verification of Files

Answer 87

Use hash values to see if they are in fact the same file or not.

Question 88

Hashing

Answer 88

One way process.
Cannot create file from hash.
Get hash from input.

Question 89

Hash Values in Forensics

Answer 89

Identification.
Verification.
Authentication/Validation.
Value matching for file exclusion.
Value matching for file flagging.

Question 90

Hash Input

Answer 90

Arbitrary block of data.
Any given data object (file, sector, cluster, volume, media device, application, text block, etc.)
Individual bytes, hex values, or also text.

Question 91

Hash Output

Answer 91

Regardless of the size of the input object, the result is a fixed-length hexadecimal value.
Hexadecimal digest is mapped to its input object.

Question 92

CRC

Answer 92

Hashing algorithm.
Cyclic Redundancy Check.
Developed to ensure data integrity.
Used especially during transmission.
Used for sector checking: bad or good.
Make sure programs are not corrupted.

Question 93

Checksum vs. CRC

Answer 93

16,32,64-bit variations.
Commonly used to ensure data integrity.
Detection of unwanted change in programs or data strings.
Verification of sterilization.

Question 94

CRC in Forensics

Answer 94

Old and weak.

Not used anymore except as a wipe verification using Checksum64 (similar in concept to CRC).

Question 95

Forensic Hash Verification

Answer 95

Show data has not been altered.
Renaming file (without altering contents) does not change hash value of file.
Verify no changes made during imaging.
Verify zero-wipe (Checksum64).

Question 96

Forensic Hash Authentication/Validation

Answer 96

Validate data received from opposing expert was not corrupted.
Validate copied image file.
Under proper circumstances can authenticate that restored image to another HD is exact copy of original HD.

Question 97

Hash File Exclusion

Answer 97

Exclude authentic system files from exam.
Exclude known software files from exam.
Greatly reduces number of files being examined.
Increases speed of exam.
Also called “negative hashing” or “De-NISTing”.

Question 98

Hash File Flagging

Answer 98

Hash list of known files can be compiled and matched against files found on image.
Watermarking files

Question 99

Hash Set

Answer 99

List or database of common hash values.
Files you seek to eliminate from exam.
Files of interest to identify.
Investigators sometimes share hash values to link subjects to crimes in other jurisdictions.

Question 100

Hash “Collisions”

Answer 100

Chinese researcher “broke” MD5 hash by producing 2 files with same hash value.
Manipulated bit by bit until it matched.
May be questioned about this in court.
Enough to make community move to SHA-1.

Question 101

Hash Value Mismatches: Software

Answer 101

Same data, different results.
Some programs that create image files add data to files.
Bad memory.
Carving functions of different programs may differ (logical file size vs. physical size).

Question 102

Hash Value Mismatches: Hardware

Answer 102

Same data, different results.
Read errors on data media, bad sectors.
Different utilities may read bad sectors differently.
First hash done on device, second on volume level.

Question 103

SSD

Answer 103

Solid State Drives (2007).
Contains no moveable parts.
Speeds up access to data.
Uses less battery power.
Built-in storage efficiency and intelligence.

Question 104

SSD Garbage Collection

Answer 104

Relocation of data on the drive so that space for deleted files can be erased for re-use.
Broken into “blocks”.

Question 105

SSD Garbage Collection: Blocks

Answer 105

Each block contains smaller “pages”.
Data written to pages but only an entire block can be deleted.
If block has 1 page unused, it will relocate it to be able to delete that block.

Question 106

SSD Wear-Leveling

Answer 106

SSD blocks have a life-cycle for write/erase.
3,000-10,000 cycles.
Controller moves data from a more used block to lesser used block.
Done to ensure uniform “wearing” of the drive.

Question 107

SSD Feature Problems

Answer 107

Garbage collection and wear-leveling.
Independent of the OS drive is used on.
Known to activate when SSD is in use, idle or a few minutes after power on.

Question 108

SSD Forensic Problems

Answer 108

Features resident on controller so connecting it to write-blocker does NOTHING.
Very possible to get hash mismatches even after properly blocking them.
Need to be aware of issues and be able to explain them.

Question 109

Hardware

Answer 109

The physical parts of a computer system.

Question 110

Software

Answer 110

Instructions for the computer.

Question 111

Electro Static Discharge

Answer 111

Human body can build up charge in the range of 25,00 volts.

Data stored as pos/neg .05 volts, as 1’s and 0’s on the drive.

Question 112

System Ports

Answer 112

SCSI: Small Computer System Interface.
NTSC video.
Firewire.

Question 113

Motherboard

Answer 113

Main printed circuit board.
Securely mounted inside case.
Embedded with some laptops.
Contains several buses, ports, and sockets.

Question 114

CPU

Answer 114

Central Processing Unit.
Located in socket on motherboard, usually covered by a heat sync device.
ZIF (Zero Insertion Force) pins.

Question 115

CMOS

Answer 115

Complimentary Metal Oxide Semiconductor.
Battery on motherboard.
Maintains system date, time, boot sequence, diagnostic information.
Most susceptible component to Electro Static Discharge.

Question 116

BIOS

Answer 116

Basic Input Output System.
POST (Power On Self Test).
Instructions held in ROM.
May be password protected.

Question 117

Memory

Answer 117

ROM.

RAM.

Question 118

ROM

Answer 118

Read-Only Memory.

Permanently stored instructions.

Question 119

RAM

Answer 119

Random Access Memory.
Group of memory chips.
Dynamic RAM (DRAM).

Question 120

Bus

Answer 120

slide 13.2-3

Question 121

Expansion Board

Answer 121

slide 14.1-3

Question 122

Hard Disk Drives

Answer 122

HHD.
Store operating system (OS), programs, files.
Controllers are part of drive (IDE, SATA, etc).

Question 123

IDE

Answer 123

Integrated Drive Electronics.
Each IDE bus is a channel in which two devices can be installed on (Master and Slave).
Primary and Secondary.
40-pin ribbon cable.
Officially know as the ATA (AT Attachment specification).

Question 124

SATA

Answer 124

Serial Advances Technology Attachment.

Serial ATA cable.

Question 125

HHD Encoding Methods and Interfaces.

Answer 125

IDE.
EIDE.
SATA.
SSD.

Question 126

EIDE

Answer 126

Enhanced Integrated Drive Electronics.

Question 127

HDD Interfaces

Answer 127

Normally today’s motherboards have at least two IDE/EIDE buses.

Question 128

Platter

Answer 128

Drives usually have more than one.
Each is referenced by top and bottom sides or heads.
Each side is broken into concentric circles called tracks.
Usually numbered starting with 0.

Question 129

Tracks

Answer 129

The concentric circles on a platter.
Numbered starting with 0.
Broken into sectors.

Question 130

Cylinder

Answer 130

The group of identically number tracks across multiple platters.
Numbered starting with 0.

Question 131

Sectors

Answer 131

Section of a track.
Numbered starting with 1.
Each sector always 512 bytes of data in DOS/Windows system.
Lots of wasted space.

Question 132

Hard Drive Structure

Answer 132

Number of tracks or head may vary depending on size of drive.

Question 133

CHS

Answer 133

Cylinder Head Sector.
3D coordinate for data.
First identify Head, then cylinder, then sector (although not written that way!).
Can be used to calculate drive capacity.

Question 134

Calculating Drive Size

Answer 134

Cylinders * Heads * Sectors per Track * 512 bytes per sector.
Usually assume that number of sectors per track is constant.
Current drives usually have 63.

Question 135

Formatting

Answer 135

Current drives use zone recording.

Question 136

LBA

Answer 136

Logical Block Addressing.

Treats sectors linearly then translated CHS value to operating system.

Question 137

MBR

Answer 137

Master Boot Record.
First track is reserved for it, only uses 1 sector.
First 446 bytes of MBR contain Boot Code.
Remainder is made up of the Partition Table (64 bytes).
Gives info about itself (location, size, structure, etc).

Question 138

Boot Code

Answer 138

First 446 bytes of MBR.
Code varies depending on OS.
At offset 440 there is a 32-bit value called the Disk Signature.

Question 139

Partition Table

Answer 139

Allows for 4 16-byte entries.

Last two bytes of the sector are hex values 55 AA.

Question 140

MBR Partition Table Entries

Answer 140

slide 15.1

Question 141

Boot Indicator

Answer 141

Only one partition can be marked as bootable.
00 non -bootable.
80 bootable.

Question 142

MBR in Forensics

Answer 142

First track reserved for MBR, but it only uses one sector, so there are lots of space to hide things.

Question 143

Primary vs. Extended Partitions

Answer 143

Primary partitions can be bootable.

Extended partitions cannot.

Question 144

Extended Partitions

Answer 144

There can only be one extended partition.
Extended partitions can be split into multiple logical drives/volumes.
A partition table exists in the first sector of each logical volume.
No boot code will be present and at most only two entries will be used.