Final Flashcards
prove user did what was accused
user path, link files, cross examination, windows password
in EnCase, the search hit results and bookmarks are stored in the evidence file: t/f
f
explain Locard's principle
when a perp goes into a crime scene, they bring something in and leave it, and grab something else when they leave (taking something from it)
list the user-created accounts on the system: under Users and screen cap
norm peterson + zerobit
given a printed version of a document as well as a digital doc, what are two things the digital/paper version has over the other
digital: metadata, hex
paper: possible DNA, original signature or any extraneous notes
is slack space (end of file to the end of the cluster) the same as unallocated space, and how are they different
slack space (end of file to the end of the cluster) is the same as unallocated in having empty space at the end of allocated space; the difference is being marked for deletion; they are the same in that data can eventually be written to them
unallocated is deleted files while slack space is a gap of space
explain how the file system in use on the computer is significant
what makes a search approach different between file systems
different hierarchy, and the system is structured differently
what are two sets of circumstances that result in temp files:
video files, Zoom files, Word documents
email header: to, from, date, return path, envelope to, delivery date, message ID, MIME version, content type, X-Spam status and X-Spam level
explain each part
email header: to, from, date, return path, envelope to (email user will never see), delivery date, message ID (unique string from when the message was created), MIME version (internet standard which extends the format of email), content type (format of message: HTML, plain text), X-Spam status (a spam score) and X-Spam level
explain why a cookie can show a user has visited a specific site even if deleted
metadata from the website that it keeps track of, stored separately
the first sector of a partition is referred to as
master boot record
example of compound file
all of the above
what is the smallest file size in EnCase that a file (E01) can be saved as
1 megabyte
in the extraction, is there any suspicion of the user trying to access a fake passport: t/f
t
prove user looked at image recently
link file
owatt
is yes
jolly is jpg?
ffd8 missing
alfredo
no evidence of communication
what is a WAL file and what’s a journal file:
a WAL file is a write-ahead log, information that is going to get stored within a database; a journal file holds information that has already been committed to the database; temp holding stops for the db
what is the first consideration when going to a scene
safety
EnCase is best described as a:
a bit stream image of source device written to a file
how does EnCase verify contents of data:
CRC for every 64 sectors
SQLite database in hex viewer, how many bytes make up the header:
bytes 16 and 17 tell us what:
offset 28 for 4 bytes gives you
multiply total x page size is
16 bytes
page size
total number of pages
number of bytes
how does EnCase source device:
MD5 of source and copy, by comparing the MD5 of the source and the MD5 of the copy of the device file