ITN276 - Computer Forensics - Midterm Exam - Review Flashcards
Study Guide Definitions
Computer Forensics
The American Heritage Dictionary defines __________ as "the use of science and technology to investigate and establish facts in criminal or civil courts of law."
Roles of the first responder to a crime scene
Prepare evidence
Preserve evidence
Chain of Custody
The continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.
One must be able to show the whereabouts and custody of the evidence, how it was handled and stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court.
Daubert standard
The Daubert Standard dictates that only methods and tools widely accepted in the scientific community can be used in court.
Anti-forensics
The actions that perpetrators take to conceal their locations, activities, or identities.
Rainbow table
A type of password cracker that works with pre-calculated hashes of all passwords available within a certain character space.
Physical analysis
Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.
Bit-level information
Information at the level of the actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system's interpretation.
Volatile Data
Data that changes rapidly and may be lost when the machine that holds it is powered down.
Temporary Data
Data that an operating system creates and overwrites without the computer user taking a direct action to save it.
Types of cyber crime
Identity theft
Hacking systems for data
Cyberstalking / harassment
Internet fraud
Non-access computer crimes
Cyber terrorism
Techniques that cybercriminals use
Phishing - attempt to trick a victim into giving up personal information
Spyware - any software that can monitor your activity on a computer
Hacking - breaking into a system
SQL Injection - May be the most common Web application attack and is based on inserting Structured Language Query (SQL) commands into text boxes such as the username and password fields on a login screen.
XSS (Cross Site Scripting) - The perpetrator seeks out a site that allows end users to post content and posts JavaScript that will execute.
Sarbanes-Oxley Act of 2002
Contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.
SQL attack
May be the most common Web application attack and is based on inserting Structured Language Query (SQL) commands into text boxes such as the username and password fields on a login screen.
Ophcrack
One of the most basic tools for physically accessing a Windows machine.
A tool to crack Windows passwords.
A ________ is malware that is designed to do harm to the system when some logical condition is reached.
logic bomb
Virus
Any software that self-replicates.
A customized Linux Live CD used for computer forensics.
Helix
Denial of Service (DoS)
An attack designed to render the target unreachable by legitimate users, not to provide the attacker access to the site.
Basis Technology invented an open file standard format with three variations, all supported by Sleuth Kit and Autopsy. The name of this file format is what?
The Advanced Forensic Format
Slack space
The unused space between the logical end of a file and the physical end of the file (also known as file slack).
Unallocated space
Also known as free space - the area of the hard drive that has never been allocated for file storage, or the leftover area that the computer regards as unallocated after file deletion.
A computer can't access any unallocated space in a partition.
Raw format
The RAW image format is a bit-for-bit copy of the raw data of either the disk or the volume, without any additions or deletions. No metadata is stored in RAW image files. … The RAW image format was originally used by dd, but is supported by most computer forensics applications.
Disk imaging
Imaging creates a large compressed file of your drive. You can then restore this file to bring your drive back to life. Because the image file itself is large, people often save it to external drives or file shares.
Tools for forensic imaging
People try to thwart investigators by using encryption to scramble information or _________ to hide information, or both together.
antiforensics, steganography, running processes
Data acquisition methods
Static and live
Static and live data acquisition
LIVE - A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it's not write-protected. Live acquisitions aren't repeatable because data is continually being altered by the suspect computer's OS.
STATIC - A data acquisition method used when a suspect drive is write-protected and can't be altered. If disk evidence is preserved correctly, static acquisitions are repeatable.
Net sessions command
Shows even meaningless connections such as the computer opening a web browser.
Shows only established network communication sessions.
MD5
The MD5 hash function was originally designed for use as a secure cryptographic hash algorithm for authenticating digital signatures.
dd and dcfldd commands
Used to make copies of a suspect drive.
WinAudit
WinAudit is an inventory utility for Windows computers. It creates a comprehensive report on a machine’s configuration, hardware and software. WinAudit is free, open source and can be used or distributed by anyone.
Swap file
The most important type of ambient data that Windows uses to write data when additional RAM is needed.
A virtual extension of RAM
Volume slack
The space that remains on the hard drive if the partitions do not use all the available space.
Steganalysis
The process of analyzing a file or files for hidden content.
A difficult task that at best shows a likelihood that a given file has additional information hidden in it.
Steganography
The art and science of writing hidden messages. The goal is to hide information so that even if it is intercepted, it is not clear what information is hidden there.
Metadata
Data about information (data about data) such as disk partition structures and file tables. Also includes file creation and modification times.
Gigabyte
1000 bytes
Search warrant
Needed to search a computer.
Plain view
No warrant is needed if the evidence is in plain sight.
Netstat
netstat (network statistics) is a command-line network utility that displays network connections for Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol …