FINAL

Question 1

What are Hardware Forensic Tools

Answer 1

single-purpose components to computer systems and servers

Question 2

What are software forensic tools used for

Answer 2

create copy of data from suspect’s disk drive to an image file

Question 3

Types of Software forensic tools

Answer 3

Command-line applications, GUI applications

Question 4

What are the categories of validated tools

Answer 4

Acquisition, Validation & Verification, Extraction, Reconstruction, Reporting

Question 5

ISO Standard 27037

Answer 5

Digital evidence first responders should use validated tools

Question 6

Acquisition definition

Answer 6

Making a copy of the original drive

Question 7

Acquisition subfunctions

Answer 7

Physical data copy, logical data copy, data acquisition format, command-line acquisition, gui acquisition, remote & live & memory acquisition

Question 8

Acquisition methods

Answer 8

Physically copying entire drive, logically copying disk partition

Question 9

Format for Disk Acquisition

Answer 9

vary from raw data to vendor-specific proprietary

Question 10

Acquisition Common feature

Answer 10

Creating smaller segmented files

Question 11

What do larger organizations use for acquisition

Answer 11

Remote acquisition

Question 12

Validation Definition

Answer 12

Way to confirm that a tool is functioning as intended

Question 13

Verification Definition

Answer 13

Proves that two sets of data are identical by calculating hash values or using another similar method, also separating good and suspicious data (filtering)

Question 14

Validation: common file header value purpose

Answer 14

see whether a file extension is incorrect for the file type, identifiable by most forensic tools

Question 15

Extraction Definition

Answer 15

Recovery task in digital investigation, most challenging

Question 16

Extraction Subfunctions

Answer 16

Data viewing, keyword searching, decompressing, carving, decrypting, bookmarking

Question 17

What can be used to speed up analysis (extraction)

Answer 17

Keyword search

Question 18

What can you do when things are password protected (2 options)

Answer 18

Brute force or dictionary attack

Question 19

Reconstruction definition

Answer 19

Re-create a suspect drive to show what happened during a crime or an incident

Question 20

Reconstruction methods

Answer 20

Disk-to-disk copy, partition-to-partition copy, image-to-disk copy, image-to-partition copy, disk-to-image copy, rebuilding files from data runs and carving

Question 21

How to recreate an image of a suspect drive

Answer 21

Copy an image to another location, such as a partition, physical disk, or a virtual machine, easiest: direct disk to image copy

Question 22

Disk to image copy tools

Answer 22

Linux dd command, ProDiscover, Voom technologies shadow drive

Question 23

Reporting purpose

Answer 23

to perform a forensics disk analysis and examination, you need to create a report

Question 24

Report subfunctions

Answer 24

Bookmarks or tagging, log reports, timelines, report generator

Question 25

First tools for analysis

Answer 25

MS-DOS, Norton DiskEdit, Command-line tools

Question 26

What has mostly replaced Unix

Answer 26

Linux

Question 27

SMART features

Answer 27

Multiple linux versions, several file systems, many plug-in utilities, hex viewer

Question 28

Helix 3 features

Answer 28

One of easiest, can load on Windows, loads bootable Linux OS from cold boot, not necessarily valid in international court

Question 29

Kali Linux features

Answer 29

Includes variety of tools and has an easy-to-use K Desktop Environment interface

Question 30

Autopsy and SleuthKit features

Answer 30

Sleuthkit is linux forensics tool, autopsy was the browser interface to access SleuthKit

Question 31

Forcepoint Threat Protection features

Answer 31

Linux memory analysis tool, both onsite and remote memory acquisitions

Question 32

GUI Forensic tools purpose

Answer 32

Simplify digital forensics investigations

Question 33

Structure of GUI tools

Answer 33

Suites of tools with simplified training

Question 34

Advantages of GUI tools

Answer 34

ease of use, multitasking, no need for learning old OS’s

Question 35

Disadvantages of GUI tools

Answer 35

Excessive resource requirements, inconsistent results, tool dependencies

Question 36

Budget Considerations

Answer 36

time of workstation, failures, consultant and vendor fees, anticipate equipment restrictions

Question 37

Categories of Forensic Tools

Answer 37

Stationary, portable, lightweight

Question 38

Advantages of Forensic Workstations

Answer 38

Customized to needs, save money

Question 39

Disadvantages of Forensic Workstations

Answer 39

Hard to find support, can become expensive

Question 40

Vendor Workstations

Answer 40

F.R.E.D, mounts from ForensicsPC

Question 41

Advantages of Vendor Workstations

Answer 41

Support, mix and match components

Question 42

Write blocker definition

Answer 42

Prevents data writes to hard disk

Question 43

Software Blocker Feature

Answer 43

run in shell mode

Question 44

Hardware blocker features

Answer 44

ideal for GUI tools, bridge between suspect drive and workstation

Question 45

Write blocker connecting technologies

Answer 45

Firewire, USb 2.0 & 3.0, Sata & Pata & scsi controllers

Question 46

Recommendations for forensic lightweight workstation

Answer 46

full tower to allow expansion, memory and processor power as budget allows, different size hard drives, 400-watt or better power supply with backup battery, external fireWire and USB ports, assortment of drive adapter bridges, good video card, high-end video card and dual monitors

Question 47

CFTT

Answer 47

Computer forensics tool testing, manages research on forensics tools

Question 48

Lab must meet these criteria

Answer 48

Establish categories for tools, identify forensics category requirements, test assertions, identify test cases, establish a test method, report test results

Question 49

ISO 5725

Answer 49

Specifies results must be repeatable and reproducible

Question 50

National Software Reference Library Project

Answer 50

Collects all known hash values for commercial software applications and OS files, filtering known information, use RDS to locate and identify known bad files

Question 51

Validation Protocols

Answer 51

Verify results, use at least two tools, understand how tools work, compare results

Question 52

Disk editor features

Answer 52

reliable tools, access raw data

Question 53

Digital Forensics Examination Protocol

Answer 53

Perform investigation with GUI tool, verify your results with disk editor, compare hash values obtained with both tools

Question 54

Digital Forensics tool upgrade protocol

Answer 54

Test, report problems with tools, use test hard disk for validation, check for any updates

Question 55

Types of Images

Answer 55

Bitmap images, vector graphics, metafile graphics

Question 56

Bitmap Images

Answer 56

Collection of dots, grid of individual pixels

Question 57

Vector Graphics

Answer 57

Based on mathematical instructions

Question 58

Metafile Graphics

Answer 58

Combination of bitmap and vector

Question 59

Types of Graphic file programs

Answer 59

Graphics editors, image viewers

Question 60

Raster Images

Answer 60

Pixels are stored in rows, better for printing

Question 61

Image Quality is based on…

Answer 61

Screen resolution, software, number of color bits per pixel

Question 61

Characteristics of Vector Graphics

Answer 61

Use lines instead of dots, store calculations for drawing lines and shapes, smaller than bitmap files, preserve quality when scaled up

Question 61

Vector Graphic Softwares

Answer 61

CoreIDRAW, Adobe illustrator

Question 61

Metafile advantages and disadvantages

Answer 61

Share with both types, when enlarged bitmap part loses quality

Question 62

PNG

Answer 62

Portable Network Graphic

Question 63

GIF

Answer 63

Graphic Interchange Form

Question 64

JPEG

Answer 64

Joint Photographic Experts Group

Question 65

TIFF

Answer 65

Tagged Image File Format

Question 66

BMP

Answer 66

Window Bitmap

Question 67

Standard Vector File Formats

Answer 67

Hewlett Packard Graphics Language (hpgl), Autocad (dxf)

Question 68

TGA

Answer 68

Targa

Question 69

RTL

Answer 69

Raster Transfer Language

Question 70

.psd and .ai

Answer 70

Adobe Photoshop and Illustrator

Question 71

Freehand

Answer 71

.fh11

Question 72

SVG

Answer 72

Scalable Vector Graphics

Question 73

PCX

Answer 73

Paintbrush

Question 74

Raw file format properties

Answer 74

‘digital negative’, typically found on many higher-end digital cameras, maintains best picture quality

Question 75

Raw file format disadvantage

Answer 75

Not all image viewers can display proprietary images

Question 76

Demosaicing

Answer 76

Process of converting raw picture data to another format

Question 77

EXIF

Answer 77

Exchangeable image file, used to store digital pictures

Question 78

How to view EXIF metadata

Answer 78

Exif reader, IrfanView, Magnet Forensics AXIOM, Autopsy metadata at beginning of file

Question 79

What type of files compress their data

Answer 79

Graphics (GIF and JPEG)

Question 80

Types of data compression

Answer 80

Lossy and Lossless

Question 81

Properties of Lossless compression

Answer 81

Reduces size without removing data, based on Huffman or Lempel-Ziv Welch coding

Question 82

Properties of Lossy Conversion

Answer 82

Permanently discards bits of information using Vector Quantization

Question 83

Vector Quantization

Answer 83

Determines what data to discard based on vectors in graphics file

Question 84

Properties of OS Tools for Locating and Recovering Graphics Files

Answer 84

Time consuming, results are difficult to verify

Question 85

Properties of Forensic tools for locating and recovering graphics files

Answer 85

Use image headers to create a baseline analysis, reconstruct fragmented files by identifying data patterns and modified headers

Question 86

Carving or Salvaging

Answer 86

Recovering ay type of file fragments

Question 87

How to reconstruct image header

Answer 87

compare hex values of known graphics file formats with the pattern of found header

Question 88

Steps to Reconstruct File Fragments

Answer 88

Locate and export all clusters of file, determine starting and ending cluster number for each fragmented group of sectors, copy each fragmented group of sectors in their correct sequence to a recovery file, rebuild file header, add .txt extension on all copied sectors

Question 89

Analyzing Graphics File Headers

Answer 89

Necessary on unrecognized tools, use hex editor such as winhex to record hex values in header and use them to define file type

Question 90

Properties of tools for viewing images

Answer 90

no one tool works for all types, most GUI forensics tools include image viewers that display common image formats

Question 91

Steganography

Answer 91

hides information inside image files

Question 92

Steganography major forms

Answer 92

insertion and substitution

Question 93

Insertion Steganography

Answer 93

Hidden data is not displayed when viewing host file in its associated program

Question 94

Substitution Steganography

Answer 94

Replaces bits of the host file with other bits of data, usually change last two least significant bits

Question 95

Clues for Steganography

Answer 95

Duplicate files with different hashes, steganography programs on suspect’s drive

Question 96

Steganalysis Tools Purpose

Answer 96

detect, decode, and record hidden data

Question 97

Scope Creep

Answer 97

When investigation expands beyond original description, due to unexpected evidence, increases time and resources needed to extract, analyze, and present evidence

Question 98

What to include in investigation plan

Answer 98

goal/scope of investigation, materials needed, tasks to perform

Question 99

What should you investigation plan rely on

Answer 99

Type of case, i.e. corporate, criminal, civil

Question 100

Steps for digital forensic investigations

Answer 100

1. Use wiped media reformatted and inspected for viruses for target drive
2. Inventory the hardware on the suspect’s computer, note condition of seized computer
3. For static acquisitions, remove original drive
4. Record how you acquired
5. Process contents
6. List folders and files
7. Examine contents
8. Recover file contents for password-protected
9. Identify function of executable files that don’t match hash values
10. maintain control of all evidence and findings

Question 101

Autopsy File Systems Microsoft

Answer 101

FAT, NTFS, ExFAT, UFS1, and UFS2

Question 102

Autopsy File Systems ISO

Answer 102

9660, YAFFS2

Question 103

Autopsy File Systems MAC

Answer 103

HFS+, HFSX

Question 104

Autopsy File Systems Linux

Answer 104

Ext2fs, ext3fs, Ext4fs

Question 105

Autopsy file formats

Answer 105

Raw, Expert Witness, and vm image files

Question 106

Validating Forensic Data Process

Answer 106

Ensure integrity of data, hash image files, advanced hex editors to ensure integrity

Question 107

What do Hex editors offer that forensics tools do not

Answer 107

hashing specific files or sectors

Question 108

Advantage of recording hash values

Answer 108

Determine whether data has changed

Question 109

Block-wise hashing

Answer 109

process that builds a data set of hashes of sectors from the original file, examines sectors on suspect drive to find sector match, confirmation of file stored on suspect drive

Question 110

AccessData’s own hashing database

Answer 110

Known File Filter, filters known program files from view and contains hash values of known illegal files, compares known file hash values with files on your evidence drive to see whether they contain suspicious data, others import NSRL db

Question 111

Validate with Expert witness or SMART format

Answer 111

additional options for hashing all the data are available, validation report lists MD5 and SHA-1 hash values

Question 112

Data-Hiding

Answer 112

Changing or manipulating a file to conceal information

Question 113

Techniques for Data-Hiding

Answer 113

Hide entire partition, change file extensions, set file attributes to hidden, bit-shifting, encryption, password protection

Question 114

what command hides by unassigning the partition

Answer 114

diskpart remove letter

Question 115

How to detect if partition is hidden

Answer 115

Account for all the disk space when examining an evidence drive, analyze space you can’t account for

Question 116

Can forensics tools detect and view hidden partitions

Answer 116

Most can

Question 117

FAT file systems data-hiding technique

Answer 117

placing data in free or slack space on partition clusters

Question 118

How does the FAT system trick other OS’s into thinking good clusters are unusable

Answer 118

Mark them as bad clusters

Question 119

What is bit-shifting

Answer 119

Low level encryption program that changes the order of binary data, changes data from readable code to data that looks like a binary executable

Question 120

What softwares provide ability to bit-shift

Answer 120

winHex and Hex workshop

Question 121

Digital Watermarking Definition

Answer 121

Way to protect file ownership, usually not visible when used for steganography

Question 122

Way to make cracking message really difficult (steganalysis)

Answer 122

Encrypt plaintext file with PGP and insert encrypted text into steganography file

Question 123

Steganalysis Methods

Answer 123

stego-only, known cover, known message, chosen stego, chosen message

Question 124

What is key escrow

Answer 124

Technology designed to recover encrypted data if users forget passwords or use key is corrupted

Question 125

Key escrow key sizes

Answer 125

128 bits to 4096 bits

Question 126

Password cracking tools

Answer 126

Last bit, AccessData PRTK, ophcrack, John the Ripper, Passware

Question 127

Rainbow Table

Answer 127

File containing the hash values for every possible password that can be generated from a computer’s keyboard

Question 128

Salting Passwords

Answer 128

Alters hash values and makes cracking passwords more difficult

Question 129

Ways to recover passwords

Answer 129

Dictionary attacks, brute-force attacks, rainbow tables

Question 130

Software that runs virtual machines

Answer 130

hypervisor

Question 131

Types of hypervisor

Answer 131

Type 1: Loads on physical hardware and doesn’t require separate OS, Type 2: rests on top of existing OS

Question 132

Which type of hypervisor is typically found on suspect machine

Answer 132

Type 2

Question 133

What type of hypervisor is typically on servers or workstations with a lot of RAM and storage

Answer 133

Type 1

Question 134

Virtualization Technology

Answer 134

Intel’s CPU design for security and performance enhancements that enable the BIOS to support virtualization

Question 135

Virtualization Machine Extensions

Answer 135

Instruction sets created for intel processors to handle virtualization

Question 136

Popular type 2 hypervisors

Answer 136

Parallels Desktop, Kernel-Based Virtual Machine, Microsoft Hyper-V, VMware Workstation and Player, VirtualBox

Question 137

How to detect if VM is on a host computer

Answer 137

Look in Users or Documents folder, check hosts registry for clues that VMs have been installed or uninstalled, existence of virtual network adapter or USB drives

Question 138

Process for Investigation with Type 3 Hypervisors

Answer 138

1. Image the host machine
2. Locate Virtualization software and VMs
3. Export from ost machine all VM files
4. Record hash of all files
5. Open VM as image file in forensics software and create a forensic image or mount as drive

Question 139

Why are live acquisitions of VMs importabt

Answer 139

Make sure snapshots are incorporated

Question 140

Mounting VM as external drive features

Answer 140

Make it behave more like physical computer, use same standard examination procedures for static drive

Question 141

Other VM Examination Methods

Answer 141

Mount VMs as external drive, make copy of VM forensic image and open the copy while it is running

Question 142

Where are type 1 hypervisors installed

Answer 142

Directly on hardware

Question 143

Type 1 Hypervisors

Answer 143

VMware vSphere, Microsoft Hyper-V 2016, XenProject XenServer, IBM PowerVM, Parallels Desktop for MAC

Question 144

Order of Volatility

Answer 144

How long a piece of information lasts on a system

Question 145

When are live acquisitions especially useful?

Answer 145

When dealing with active network intrusions of attacks (must be before taking system offline)

Question 146

Steps of Live Acquisition

Answer 146

1. Create bootable forensic CD or USB
2. Log all actions
3. Send info to network drive
4. Copy RAM
5. Varies based on incident
6. Get hash value of all files recovered

Question 147

Tools to Capture RAM

Answer 147

Mandiant Memoryze, Belkasoft RamCapturer, Kali Linux

Question 148

Network Forensics

Answer 148

Process of collecting and analyzing raw network data and tracking network traffic

Question 149

What is an important part in spotting variations in network traffic

Answer 149

Knowing network’s typical traffic patterns

Question 150

Need for Established Procedures

Answer 150

Necessary for ensuring all compromised systems have been found, must be based on needs and complement network infrastructure

Question 151

Layered Network Defense Strategy

Answer 151

Sets up layers of protection to hide the most valuable data at the innermost part of the network

Question 152

Defense in Depth (DiD)

Answer 152

Modes of protection: people, technology, operations

Question 153

Are security precautions against internal threats necessary for companies with less than ten people

Answer 153

Yes

Question 154

Testing ____ is as important as testing servers

Answer 154

Networks

Question 155

Networks forensics standard procedures

Answer 155

1. Use standard installation image for systems on network
2. Fix any vulnerability after attack
3. Attempt to retrieve all volatile data
4. Acquire all compromised drives
5. Compare files on forensic image to original installation image

Question 156

Where can you work from to find most of the deleted or hidden files and partitions

Answer 156

The image

Question 157

What do you have to do in order to understand attack

Answer 157

Restore drives

Question 158

Tools for examining network traffic

Answer 158

Tcpdump and wireshark

Question 159

Network logs record ingoing and outgoing traffic of what

Answer 159

Network servers, routers, firewalls

Question 160

Network tools

Answer 160

Splunk, spiceworks, Nagios, Cacti

Question 161

Packet analyzers

Answer 161

Devices or software that monitor network traffic

Question 162

What level of OSI do packet analyzers work at

Answer 162

2 or 3

Question 163

most tools for packet analysis use this format

Answer 163

Packet Capture (Pcap)

Question 164

How to identify packets in packet analysis

Answer 164

TCP headers (tcpdump or tethereal)

Question 165

packet Analysis Tools

Answer 165

Tcpslice, Tcpreplay, Etherape, Netdude, Argus, Wireshark

Question 166

How is virtual switch different than physical switch

Answer 166

No spanning tree between virtual switches

Question 167

Complications of Investigating Virtual Networks

Answer 167

Hypervisors can assign MAC addresses to virtual devices, devices can have same MAC address on different Virtual Networks, Cloud service providers host networks for several to hundreds of companies

Question 168

Tools for investigating virtual networks

Answer 168

Wireshark, network miner

Question 169

DDoS attack

Answer 169

Major threat that may go through other organizations’ networks, hundreds or thousands of zombie machines can be used

Question 170

Honeynet Project

Answer 170

Make information widely available in attempt to thwart internet and network attackers

Question 171

Zero Day Attacks

Answer 171

Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available

Question 172

Honeypot

Answer 172

Normal looking computer that lures attackers to it

Question 173

Honeywalls

Answer 173

Monitor what’s happening to honeypots on your network and record what attackers are doing

Question 174

When are live acquisitions necessary

Answer 174

To retrieve volatile items (RAM, running processes)

Question 175

Items stored on cell phones

Answer 175

Calls, Text/Sms, email, IM, web pages, pictures, videos, music, Calendars, social media info, gps data, voice recordings, back account, access to home

Question 176

Are warrants required for mobile devices

Answer 176

Yes

Question 177

Is there a standard for how and where phones store messages

Answer 177

No, makes investigating them difficult

Question 178

Generations of Phones

Answer 178

Analog, Digital personal communication service, Third generation (3G)

Question 179

When was fourth generation introduced

Answer 179

2009

Question 180

when was fifth generation finalized

Answer 180

2020

Question 181

Code Division Multiple Access

Answer 181

Conform to IS-95, referred to as CDMA1, when 3G became CDMA2000

Question 182

What technique for Global System for Mobile Communications

Answer 182

Time division Multiple access, multiple phones take turns sharing a channel

Question 183

International Telecommunications Union

Answer 183

Developed 3G under UN

Question 184

What standard was developed specifically for 3G

Answer 184

Enhanced Data GSM Environment

Question 185

4G Network Technologies

Answer 185

Orthogonal Frequency Division Multiplexing, Mobile WiMAX, Ultra Mobile Broadband, Multiple input multiple output, long term evolution

Question 186

Main Components for Mobile Communication

Answer 186

Base transceiver station, Base station controller, mobile switching center

Question 187

Hardware components of mobile devices

Answer 187

Microprocessor, ROM, RAM, digital signal processor, radio module, microphone and speaker, hardware interfaces, LCD display

Question 188

Do smartphones use same OSs and PCs

Answer 188

Yes, but it is proprietary

Question 189

Where do phones store data

Answer 189

Electronically erasable programmable read-only memory (EEPROM)

Question 190

Why do phones store data in EEPROM

Answer 190

Enables service providers to reprogram phones without having to physically access memory chips

Question 191

Where is OS stored

Answer 191

ROM

Question 192

PDA

Answer 192

Personal digital assistants, mostly irrelevant

Question 193

Peripheral memory cards used with PDAs

Answer 193

Compact Flash, Multimedia Card, Secure Digital

Question 194

SIM

Answer 194

Subscriber identity module

Question 195

Where are sim cards found

Answer 195

GSM devices

Question 196

What do SIM cards consist of

Answer 196

Microprocessor and internal memory

Question 197

How many sizes do SIM cards come in

Answer 197

3

Question 198

What makes SIM cards versatile

Answer 198

Portability

Question 199

ME

Answer 199

Mobile equipment, need SIM card

Question 200

Additional purposes of SIM card

Answer 200

Identifies subscriber, stores service related information, can be used to backup device

Question 201

What do phones include for external storage

Answer 201

SD cards

Question 202

3 main concerns of mobile devices

Answer 202

Loss of power, syncing with cloud, remote wiping

Question 203

What type of memory do mobile devices have

Answer 203

Volatile

Question 204

If mobile device attached to PC what should be done and why

Answer 204

Disconnect to prevent syncing that might occur automatically and overwrite data

Question 205

How can you isolate device from incoming signals

Answer 205

Airplane mode, pain can, faraday bag, turn off

Question 206

Downside of isolating device

Answer 206

Drains battery

Question 207

SANS DFIR Forensics Recommendation if device on and unlocked

Answer 207

Isolate from network, disable lock screen, remove passcode

Question 208

SANS DFIR Forensics recommendation if on and locked

Answer 208

Depends on type of device

Question 209

SANS DFIR Forensics Recommendation if off

Answer 209

Physical static acquisition and turn device on

Question 210

What areas to check in forensics lab

Answer 210

Internal memory, SIM, removable or external memory cards, network provider

Question 211

Complication of warrant or subpeona

Answer 211

Backup might be stored in cloud or with third party

Question 212

Structure of SIM file system

Answer 212

Hierarchial

Question 213

Categories of information retrieved

Answer 213

Service data, call data, message information, location information

Question 214

What might be required if power to device is lost

Answer 214

PINs or other access codes

Question 215

Biggest challenge of mobile forensics

Answer 215

Constantly changing phone models

Question 216

Procedure for working with mobile device

Answer 216

1. Identify device
2. Make sure you have installed mobile device forensic software
3. Attach phone to power and connect cables
   Start forensics software and download information

Question 217

What is used to access SIM card

Answer 217

Combination of hardware and software devices

Question 218

Are all SIM card readers forensically sound

Answer 218

No

Question 219

Should you document messages that haven’t been read yet

Answer 219

Yes

Question 220

Mobile phone forensics tools

Answer 220

AccessData FTK Imager, MacLockPick 3.0

Question 221

Types of mobile forensics methods

Answer 221

Manual, logical, physical, hex dumping and joint test action group, chip-off, micro read

Question 222

Datapilot

Answer 222

Collection of cables that can interface with phones from different manufacturers

Question 223

BitPam

Answer 223

Used to view data on many CDMA phones

Question 223

Cellbrite UFED Forensic System

Answer 223

works with smartphones, PDAs, Tablets, and GPS devices, often used by law enforcement

Question 224

MOBILedit Forensic

Answer 224

Contains built in write blocker

Question 225

Are tools used to edit information forensically sound

Answer 225

Not typically

Question 226

Options for data extraction

Answer 226

Logical, file system, physical

Question 227

What is required if you connect a mobile device to a computer to browse file system and examine and retrieve files

Answer 227

USB write-blocker

Question 228

Projected number of IoT devices in next few decades

Answer 228

50 billion

Question 229

What is IoE

Answer 229

Internet of everything, includes non-tangible but widespread technology

Question 230

What is IoA

Answer 230

Includes cars, homes, pets, livestock, and applications for making all these things work together, eventually 5G devices

Question 231

5G Devices Categories

Answer 231

Enhanced mobile broadband, ultra-reliable and low latency communications, massive machine type communications

Question 231

New forensic challenges of 5G devices

Answer 231

People to device, device to device, device to cloud

Question 231

What service led the way to cloud

Answer 231

Salesforce.com

Question 233

Who came up with cloud computing

Answer 233

John McCarthy and DR. J.C.R. Licklider

Question 234

Amazon Mechanical Turk

Answer 234

2002, storage, computations, and human intelligence

Question 235

What year and after which web version did providers start their own cloud services

Answer 235

2009, 2.0

Question 236

What is cloud computing

Answer 236

Computing storage system that provides on-demand network access for multiple users and can allocate storage to users to keep up with changes in their needs

Question 237

Service levels of Cloud

Answer 237

Software as a Service, Platform as a Service, Infrastructure as a Service

Question 238

Software as a Service

Answer 238

Applications are delivered via the internet

Question 239

Platform as a service

Answer 239

An OS has been installed on a cloud server

Question 240

Infrastructure as a Service

Answer 240

Customers can rent hardware and install whatever OSs and applications they need

Question 241

Deployment methods for a cloud

Answer 241

Public, private, community, hybrid

Question 242

Some cloud service providers (CSP)

Answer 242

Salesforce, Cisco cloud computing, IBM cloud, Amazon EC2, AT&T Synaptic, Google Cloud Storage, HP Helion, Microsoft Azure, XenServer and XenCenter Windows Management Console, Rackspace, Oracle cloud

Question 243

What is cloud forensics a subset of

Answer 243

Digital forensics

Question 244

Dimensions of Cloud Forensics

Answer 244

Organizational, legal, technical

Question 245

Organizational Dimension

Answer 245

address structure of cloud

Question 246

Legal Dimension

Answer 246

Covers service agreements and other jurisdictional matters

Question 247

Technical Dimension

Answer 247

Deals with procedures and specialized applications designed to perform forensics recovery and analysis in the cloud

Question 248

Forensic Data Collection for cloud

Answer 248

Must be able to identify, label, record, and acquire data from the cloud

Question 249

Elastic, static, and live forensics for cloud

Answer 249

Must be able to expand and contract their storage

Question 250

Evidence segregation for cloud

Answer 250

Different businesses and users share the same applications and storage space

Question 251

Investigations in virtualized environments for cloud

Answer 251

Should have capability to examine virtual systems

Question 252

Cloud Service agreements

Answer 252

Contract between CSP and the customer that describes what services are being provided and at what level

Question 253

CSAs also specify

Answer 253

Support options, penalties for services not provided, system performance, fees, provided software or hardware

Question 254

What do CSAs define

Answer 254

Scope of services the CSP provide (service hours, restrictions to the customer, response time for data transfers, throughput limitations, contingency plan for incident response, business continuity and disaster recovery plan, fees, security measures, terminology)

Question 255

What must CSP components state

Answer 255

Who is authorized to access data and what the limitations are in conducting acquisitions for an investigation

Question 256

Policies for CSPs

Answer 256

detailed rules for CSPs internal operation

Question 257

Standards for CSPs

Answer 257

Give guidance to staff for unique operations, hardware, and software and describe the staff’s obligations regarding security of CSP env

Question 258

Guidelines for CSPs

Answer 258

Describe best practices for cloud processes and give staff an example of what they should strive to achieve in their work

Question 259

What are CSP processes and procedures

Answer 259

Detailed documents that define workflow and step-by-step instructions for CSP staff (often with hardware config, network maps, application flow charts)

Question 260

What are CSP Processes and Procedures used for by digital forensics examiners

Answer 260

Understand how data is stored, manipulated, secured, backed up, restored, and accessed by CSP staff and customers

Question 261

What is an example of a document of interest

Answer 261

CSP Business continuity and disaster recovery plans

Question 262

Is there a law that ensures uniform access or required handling procedures for the cloud

Answer 262

No

Question 263

What should investigators be concerned about

Answer 263

Cases involving data commingled with other customers’ data

Question 264

What is a factor in problems with right to access data

Answer 264

How privacy rights are defined in different jurisdictions

Question 265

EU Directive 95/46/EC

Answer 265

Protects private information for all EU citizens, more restrictive than rules in other countries

Question 266

Can digital forensics investigators be held liable when conducting an investigation involving cloud data

Answer 266

Yes

Question 267

ECPA

Answer 267

Electriconic Communications Privacy Act

Question 268

ECPA mechanisms (5)

Answer 268

Search warrants, subpoenas, subpoenas with prior notice to customer, court orders, court orders with prior notice to customer

Question 269

Search Warrants

Answer 269

Only issued in criminal cases, requires probable cause, specific descriptions of what is to be seized, typically data in the case of cloud, must include location, how carried out

Question 270

Government Agency Subpoenas

Answer 270

Customer communications and records. can’t be knowingly divulged to any person or entity

Question 271

non-government and civil litigation subpoenas

Answer 271

Used to produce information from private parties for litigation

Question 272

Court Orders

Answer 272

Written by judges to compel someone to do or not so something

Question 273

Challenges in conducting cloud forensics

Answer 273

Architecture, data collection, analysis of cloud forensic data, anti-forensics, incident first responders, role managements, legal issues, standards and training

Question 274

Are CSPs configured the same way as any othe CSP

Answer 274

No

Question 275

Where do CSPs keep data

Answer 275

Often kept secret for security reasons

Question 276

What can complicate the chain of evidence of an investigation

Answer 276

Differences in recording procedures or log keeping

Question 277

What does analyzing digital evidence from a cloud require

Answer 277

verifying data with other data and other log records

Question 278

What might need to happen to data so that investigators can determine what actually occured

Answer 278

Reconstruction

Question 279

What can be compared using logs

Answer 279

modifications, las access, create dates and times

Question 280

Anti-forensics

Answer 280

Destroying electronically stored information (ESI) that may be potential evidence

Question 281

Methods for anti-forensics

Answer 281

Malware, encryption of malware, data-hiding

Question 282

How do anti-forensic methods affect file metadata

Answer 282

Changing modify and last access date

Question 283

How can you determine what files may have been altered

Answer 283

Compare hash values of files to those of known good files

Question 284

factors in incident first response, if not already part of CSP

Answer 284

CSPs staff cooperation, brief about security options, train staff in evidence collection

Question 285

Functions of Role management in cloud covers

Answer 285

Data owners, identity protection, users, access controls

Question 286

CSA

Answer 286

Cloud Security Alliance, develops resource documentation for CSPs and their staff

Question 287

What is there an effort to standardize cloud architecture for

Answer 287

Operating procedures, interoperability, testing, validation

Question 288

Sources for cloud forensics training

Answer 288

(ISC)^2’s Certified Forensics Professional, INFOSEC Institute, SANS Cloud Forensics with F-Response, National Institute of Justice Digital Forensics Training, University College Dublin Centre for Cybersecurity and Cybercrime Investigation

Question 289

What do methods to collect evidence count on

Answer 289

The nature of the case

Question 290

Why might recovering deleted data be limited

Answer 290

The type of file the CSP uses

Question 291

States of data in the cloud

Answer 291

reset and motion

Question 292

Data at rest

Answer 292

Data that has been written to disk

Question 293

Data in motion

Answer 293

Data being transmitted over a network

Question 294

Vendors for cloud data encryption

Answer 294

Atalla, SecureCloud, Safeguard

Question 295

Homomorphic Encryption

Answer 295

Use an ‘ideal lattice’ mathematical formula to encrypt data

Question 296

Where can you find cloud data if the application is not installed

Answer 296

Web Cache

Question 297

Prefetch file

Answer 297

contain the DLL pathnames and metadata of an application

Question 298

Where is the prefetch file loaded once OS reads it

Answer 298

Computer’s memory

Question 299

Widely used cloud services

Answer 299

Dropbox, Google Drive, One Drive