Final

Question 1

Forensics

Answer 1

The use of science and technology to investigate and establish facts in criminal or civil courts of law.

Question 2

Relevant evidence

Answer 2

1. tendency to make a fact more or less probable then it would be without evidence. 2. the fact is of consequence in determining the action.

Question 3

digital evidence

Answer 3

information of probative value stored or transmitted in digital form

Question 4

digital media

Answer 4

physical objects where data is stored

Question 5

computer use in crime

Answer 5

contraband, tool for the crime, incidental to the Crime

Question 6

contraband

Answer 6

digital equipment etc was illegally obtained

Question 7

tool of crime

Answer 7

hacking

Question 8

incidental to the crime

Answer 8

digital media has evidence of the crime(phone contacts etc)

Question 9

types of investigations

Answer 9

internal, civil, criminal

Question 10

daubert standard

Answer 10

judge makes a call on if the scientific expert is basing their reason on proven scientific methodology. Daubert challenge is if you use anything thats not accepted by a majority of professionals

Question 11

Locard’s principle of Transference

Answer 11

you can’t interact with an environment without leaving something behind

Question 12

Inman-Rudin Paradigm

Answer 12

transfer, identification, individualization (narrowing evidence to certain classification), association (linking to a person or system), reconstruction (what happened), sixth principle (evidence must divide before transfer)

Question 13

cross validation

Answer 13

any forensic artifact must be discoverable with multiple tools and techniques

Question 14

6 As

Answer 14

Assessment (gathering information, chain of custody, determine scope, protect media), acquisition (make the copy of the data), authentication (verify copies), analysis (looking for the artifacts), articulation (drafting and submitting the report), archival (Storage of media, notes, and report).

Question 15

What are hashes used for

Answer 15

1. determining if data is unique. 2. determine if data is the same. 3. determine if any changes have been made to the data

Question 16

Floppy disk life span

Answer 16

2 years

Question 17

CD-RW life span

Answer 17

3 years or up to 50 with proper storage

Question 18

USB drive life span

Answer 18

up to 10 if not heavily used

Question 19

hard drive life span

Answer 19

up to 34 years

Question 20

evidence

Answer 20

ANY INFORMATION OF PROBATIVE VALUE

Question 21

Best Evidence

Answer 21

most complete copy of evidence that was obtained that is most closely linked to the original evidence

Question 22

Computer components that hold evidence

Answer 22

hard drives, removable media, RAM (has to be collected through live analysis), motherboard BIOS, scanners, printers

Question 23

Network devices that hold evidence

Answer 23

clients, servers, routers, gateways, firewalls, network printers, NAS (network attached storage)

Question 24

magnetized media

Answer 24

holds a series of charges. Pro: very large storage capacity, data can be overwritten without being reset. Cons: slow access time, slow random read and write

Question 25

Hard Drive Physical components

Answer 25

platters (magnetized surface containing charge), Read/Write heads (electromagnets used for reading or changing charges), Arm (moves read/write head towards the inside of the disk)

Question 26

Hard Drive Logical Components

Answer 26

Tracks-rings that go completely around the center of the platter. Cylanders- tracks that line up on parallel platters

Question 27

Hard Drive Sectors

Answer 27

Pie-Shaped wedge tracks (a sector is the smallest unit of data that can be read or written from magnetic storage media

Question 28

Two Hard Drive Interfaces

Answer 28

IDE and SATA

Question 29

Floppy disk forensics

Answer 29

treat like a single platter hard drive

Question 30

magnetic media forensics

Answer 30

never truly wiped, data isn’t erased before overwritten

Question 31

optical media forensics

Answer 31

cd-rom, blue ray disk, DVD-rom. (inherently read only), writing data must be done to the entire disk at once

Question 32

RAID

Answer 32

Redundant array of independent disks - used to prevent hardware failure

Question 33

RAID Levels

Answer 33

0 - block stripping (data distributed among multiple drives) one drive fails all fail. 1 - disk mirroring data written to two disks simultaneously. onE disk fails the other comes online. 2- disk mirroring with ECC (NOT USED). 3- Byte stripping with parity. 4- block stripping with parity drive.

Question 34

Three RAID implementations

Answer 34

Internal Hardware (RAID controller card), external hardware (enclosure in a separate cabinet), software, cannot boot off a software RAID volume

Question 35

How to acquire RAID data?

Answer 35

boot the suspect computer into a forensically sound environment and acquire raid volume. In encase: device view, select drives, edit disk config, specify RAID

Question 36

SSDs

Answer 36

uses modified transistors for non-volatile storage, very fast data access, issues with recovering deleted data.

Question 37

Assembly

Answer 37

low level language for microprocessors

Question 38

order of memory speed

Answer 38

registers, caches, main memory, disk storage

Question 39

4 kinds of memory

Answer 39

Internal (registers and CPU cache), main memory (RAM), on-line mass storage (Hard drive, ssd, usb), offline bulk storage (tape arrays)

Question 40

Computer Busses

Answer 40

single copper wire can transfer electrons, a bunch of wires doing this is a bus. Motherboards contain busses to communicate.

Question 41

Power On

Answer 41

1. self test 2. microprocessor does ROM BIOS, microprocessor begins executing attached bios code, 4. POST, 5. BIOS locates CMOS (stores boot order etc), loads the OS

Question 42

BIOS vs EFI

Answer 42

BIOS was the original way to interface with motherboard, EFI is the new replacement it has better GUI, multi language support, full networking, fully modular

Question 43

Two Forensics systems’ roles

Answer 43

Aquisition/duplication (make the copy), Analysis (parse it)

Question 44

write blocker

Answer 44

device that stops the host system from sending a write signal to any connected device

Question 45

Forensic Drive duplicator

Answer 45

device that makes a forensic image

Question 46

Forensic Software

Answer 46

encase, SMART (asr data), FTK (windows), paraben, GetData, Blackbag

Question 47

How to collect BIOS information

Answer 47

1. start computer with no drives. 2. hit a function key to load bios or ufi, record system date and time, record the boot order.

Question 48

things that can ruin a forensic image

Answer 48

1. Booting drive into Windows without write protection.. 2. using an unmodified boot disk. 3. mounting the drive as read/write in linux, choosing the wrong drive as source or destination.

Question 49

How are files stored on a disk?

Answer 49

files store bytes at a low level. bytes are displayed as hexadecimal. 2 hex digits for each byte.

Question 50

Standard file metadata

Answer 50

FAT, file name, extension, attributes, creation date and time, access date, modification date and time

Question 51

partition

Answer 51

set of consecutive sectors on a disk

Question 52

Volume

Answer 52

partition with a single file system

Question 53

initializing a disk

Answer 53

writes information in the beginning of the disk at the first physical sector

Question 54

formatting a disk

Answer 54

writing a file system onto a partition. Turning a partition into a volume.

Question 55

file system

Answer 55

organizes data on a disk. FAT & NTFS are cluster. EXT2,3,4 are Block. Keeps track of file allocation and file metadata.

Question 56

FAT

Answer 56

File Allocation Table. For floppy disks, uses a file allocation table which keeps track of clusters.

Question 57

FAT Directory

Answer 57

A file that contains a listing of the contents of the directory (directory table)

Question 58

Where is the root directory stored?

Answer 58

FAT VBR

Question 59

How to undelete a FAT file

Answer 59

go through the directory table, follow the cluster chain in FAT, and see if the clusters have the appropriate data. (When the file is deleted the entry is marked deleted)

Question 60

How to undelete NTFS file

Answer 60

MFT contains a master record of every file on the drive, when a file is deleted it is marked as deleted, undeleting is changing the mark from deleted to not-deleted on the master record.

Question 61

Linux File Systems

Answer 61

Ext2 (disk broke into partitions and groups) Inode table and bitmap. Ext3 same as before but with journaling - read and writes are done all at once or not at all. Ext4- large file size, better performance.

Question 62

Inode

Answer 62

pointer. It points to a block on the disk.

Question 63

Raw duplicate

Answer 63

exact binary copy from one disk to another. Fastest way to make a copy. Drawbacks: must use write blocker on copy at all times, must verify copy has not been altered, must treat entire disk as evidence

Question 64

DD image file

Answer 64

contains the exact binary of the evidence disk. Ad: everything can read it, fast to create, can be segmented. Dis: no way to detect changes without re verification, metadata not stored.

Question 65

Encase Image File

Answer 65

allows for compression and encryption of data, ad: single bit changes can be isolated. Dis: slower to create then dd file.

Question 66

What are operating systems responsible for?

Answer 66

input/output, data management through file systems, Networking, memory, peripheral device management

Question 67

multiuser

Answer 67

simultaneous users can run programs

Question 68

multiprocessing

Answer 68

OS can run multiple processes on multiple processors

Question 69

multitasking

Answer 69

OS can run concurrent programs on single processor

Question 70

multi-threading

Answer 70

OS allows programs to be broken down into threads and run independently and dependently

Question 71

OS kernal

Answer 71

low level input and output, handware interfaces, memory management, allows for program execution.

Question 72

Interrupts

Answer 72

signal sent by hardware device to the kernal indicating that it needs attention

Question 73

API

Answer 73

Application program interface. Allows programs to interact with the OS

Question 74

How to recover a partition

Answer 74

look for the volume boot sector, for FAT and NTFS 55 AA

Question 75

Master boot record location

Answer 75

On the first sector of the drive

Question 76

Windows 7 App Data

Answer 76

Local (app data specific to computer) Local Low (internet browsers), Roaming (application data from a user account accross domain)

Question 77

Windows swapfile

Answer 77

for when many things are open. Part of virtual memory, pagefile.sys

Question 78

printer spool file

Answer 78

windows/system32/spool/printers

Question 79

unallocated space

Answer 79

when a file is deleted in windows the clusters get grouped into the space available for file allocation

Question 80

slack space

Answer 80

space between the logical end of the file and the actual end of the file

Question 81

Recycle Bin

Answer 81

Everytime a file is deleted into the recycle bin two files are created $R (deleted file) and $I (metadata) preceding.

Question 82

What times does windows track?

Answer 82

Created, Modified, accessed

Question 83

FAT time stamps

Answer 83

stored in directory entries, stored in local time according to bios. If file is MOVED all times stay same. If file is copied all stay the same but the created.

Question 84

NTFS

Answer 84

times stored UTC, registry settings for which the timezone is located, displayed times are based on stored times. If copied the created time changes and the accessed time, if moved the accessed time changes.

Question 85

What if a FAT file has a created time after the modified and accessed time stamps?

Answer 85

file is a copy of another file

Question 86

What if a FAT file is moved to NTFS? (time stamps)

Answer 86

accessed date changes. If copied then both the access date and the created date would change. (follows the rule of NTFS)

Question 87

What if an NTFS file is moved to FAT? (Time stamps)

Answer 87

moved changes the accessed date. Copied would change the created and access date.

Question 88

Registry

Answer 88

stores configuration settings and options for the systems and users. all windows specific settings are stored here. Key: container for either another key or value. Value: name and data (discriptors, bits, strings)

Question 89

7 registry root keys

Answer 89

HKLM(local machine), HKCC(current config), HKCR(classes root), HKCU(current user), HKU (users),HKEY_performace_data, HKEY_dynamic_data.

Question 90

Windows NT based registry locations

Answer 90

systemroot/system32/config - SAM, SECURITY, SOFTWARE, SYSTEM. also userprofile\ntuserdat

Question 91

Windows USB device installation (registry)

Answer 91

windows\inf\usbstor.inf

Question 92

DeviceInstanceID gives access to this registry key:

Answer 92

SYSTEM\CurrentControlSet\Enum\USB

Question 93

How to find first time a USB was attached?

Answer 93

setupapi log (under inf)

Question 94

How to find each time USB was attached?

Answer 94

enum/USB or enum/USBSTOR keep a permanent record of each USB attached. The last written time stamp is the last attachment

Question 95

Internet Cache

Answer 95

allows a user to return to a website quickly if there is no new content

Question 96

cookies

Answer 96

tracks user activity, stores session ID

Question 97

where is internet data in directory?

Answer 97

documents and settings\username\appdata. Local (has history, cache, cookies), Local Low, roaming

Question 98

email header

Answer 98

tells you the servers or routers the email took to get to you

Question 99

User assist registry

Answer 99

ntuserdat - \Software\Microsoft\Windows\currentversion\explorer\userassist. Gives what programs or shortcuts a user has executed, time stamps, frequency of running a particular program (but not how many times it has been run).