Final

Question 1

prove user did what was accused

Answer 1

user path, link files, cross examination, windows password

Question 2

in encase, the search hit result and boomarks are stored in the evidence file: t/f

Answer 2

f

Question 3

explain locards principal

Answer 3

perp goes into crime scene they bring something in and leave it and grab something else when they leave (taking something from it)

Question 4

list users created account the system: under users and screen cap

Answer 4

norm peterson + zerobit

Question 5

printed version of a document as well as a digital doc, what does two things the digital/ paper has over the other

Answer 5

digital: metadata, hex
paper: possible dna, original signature or any extraious notes

Question 6

slackspace (end of file to the end of the cluster) the same as unallocated and how are they different

Answer 6

slackspace (end of file to the end of the cluster) the same as unallocated by having empty space at the end allocated space, different is marked for deletion, they are the same where data can be eventually be written to
unallocated is deleted files while slackspace is a gap of space

Question 7

explain how the file system in use on the computer is significant
what makes a search approach different between file systems

Answer 7

different hierarchy, and system structured different

Question 8

what are two sets of circumstances that result in temp files:

Answer 8

videos file, zoom files, word document

Question 9

email header: to from date return path, envelope to , devilery date, message Id, mime version, content type, xspam status and xspam level

explain each part

Answer 9

email header: to from date return path, envelope to(email user will never see) , devilery date, message Id(unique string to the message was created), mime version(internet standard which extends the format of email), content type(format of message html plain text, xspam status ( a spam score) and xspam level

Question 10

explain why a cookie can show a user has visited a specific site even if deleted

Answer 10

metadata from website it keeps track of, stored separately

Question 11

the first sector of a partion is referred to as

Answer 11

master boot record

Question 12

example of compound file

Answer 12

all of the above

Question 13

what is smallest file size in encase can be save a file as the (e01)

Answer 13

1 megabyte

Question 14

in extraction is there an sus of user trying to access a fake passport: t/f

Answer 14

t

Question 15

prove user look at image recently

Answer 15

link file

Question 16

owatt

Answer 16

is yes

Question 17

jolly is jpg?

Answer 17

ffd8 missing

Question 18

alfredo

Answer 18

no evidence of communication

Question 19

what is a wall file and what’s a journal file:

Answer 19

wal file is a write ahead log, information that gonna get stored within a database, journal file hold information that has been already committed to the database , temp holding stops for the db

Question 20

what is the first consideration when going to a scene

Answer 20

safety

Question 21

encase is best described as a :

Answer 21

a bit stream image of source device written to a file

Question 22

how does encase verify contents of data:

Answer 22

crc for every 64 sector

Question 23

sqlite database in hex viewer how may bites consist of header:
bites 16 and 17 tell us what:
at offset 28 for 4 bites give you
multiply total x pages size is

Answer 23

16 bytes
page size
total number of pages
number of bytes

Question 24

how does ensace source device:

Answer 24

md5 of source and copy by comparing the md of source and md of copy of edivce file

Question 25

for a encase file to pass the verification process

Answer 25

both crc + md5

Question 26

md5 hash algorithm is ____ in length

Answer 26

128

Question 27

will encase allow user to write in file: t/f

Answer 27

f

Question 28

when’s non compressed file is .and telling it to make new copy compressed is it the same?: t/f

Answer 28

t

Question 29

what happens when encase tries to open evidence file that has been moved?:

Answer 29

encase prompts for the location of the file

Question 30

during reaqiscition you may change on of the following?:

Answer 30

file segment size