ITN276 - Computer Forensics - Midterm Exam - Review Flashcards

Study Guide Definitions

1
Q

Computer Forensics

A

The American Heritage Dictionary defines __________ as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.”

2
Q

Roles of the first responder to a crime scene

A

Prepare evidence

Preserve Evidence

3
Q

Chain of Custody

A

The continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

One must be able to show the whereabouts and custody of the evidence, how it was handled and stored and by whom, from the time the evidence is first seized by a law enforcement officer or civilian investigator until the moment it is shown in court.

4
Q

Daubert standard

A

The Daubert Standard dictates that only methods and tools widely accepted in the scientific community can be used in court.

5
Q

Anti-forensics

A

The actions that perpetrators take to conceal their locations, activities, or identities.

6
Q

Rainbow table

A

A rainbow table is a type of password cracker that works with pre-calculated hashes of all passwords available within a certain character space.

7
Q

Physical analysis

A

Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

8
Q

Bit-level information

A

Information at the level of the actual 1s and 0s stored in memory or on the storage device, as opposed to going through the file system’s interpretation.

9
Q

Volatile Data

A

Data that changes rapidly and may be lost when the machine that holds it is powered down.

10
Q

Temporary Data

A

Data that an operating system creates and overwrites without the computer user taking a direct action to save it.

11
Q

Types of cyber crime

A

Identity theft

Hacking systems for data

Cyberstalking / harassment

Internet fraud

Non-access computer crimes

Cyber terrorism

12
Q

Techniques that cybercriminals use

A

Phishing - an attempt to trick a victim into giving up personal information

Spyware - any software that can monitor your activity on a computer

Hacking - breaking into a system

SQL Injection - may be the most common Web application attack; it is based on inserting Structured Language Query (SQL) commands into text boxes such as the username and password fields on a login screen.

XSS (Cross Site Scripting) - the perpetrator seeks out a site that allows end users to post content and posts JavaScript that will execute.

13
Q

Sarbanes-Oxley Act of 2002

A

Contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

14
Q

SQL attack

A

May be the most common Web application attack and is based on inserting Structured Language Query (SQL) commands into text boxes such as the username and password fields on a login screen.

15
Q

Ophcrack

A

One of the most basic tools for physically accessing a Windows machine.

Tool to crack Windows passwords

16
Q

A ________ is malware that is designed to do harm to the system when some logical condition is reached.

A

logic bomb

17
Q

Virus

A

Any software that self-replicates.

18
Q

A customized Linux Live CD used for computer forensics.

A

Helix

19
Q

Denial of Service (DoS)

A

An attack designed to render the target unreachable by legitimate users, not to provide the attacker access to the site.

20
Q

Basis Technology invented an open file standard format with three variations, all supported by Sleuth Kit and Autopsy. The name of this file format is what?

A

the Advanced Forensic Format

21
Q

Slack space

A

The unused space between the logical end of a file and the physical end of the file (also known as file slack).

22
Q

Unallocated space

A

Also known as free space - the area of the hard drive that has never been allocated for file storage, or the leftover area that the computer regards as unallocated after file deletion.

A computer can't access any unallocated space in a partition.

23
Q

Raw format

A

The RAW Image Format is basically a bit-for-bit copy of the raw data of either the disk or the volume, without any additions or deletions. There is no metadata stored in RAW Image Format files. … The RAW Image Format was originally used by dd, but is supported by most computer forensics applications.

24
Q

Disk imaging

A

Imaging creates a large compressed file of your drive. You can then restore this file to bring your drive back to life. Because the image file itself is large, people often save it to external drives or file shares.

25
Q

Tools for forensic imaging

A

s

26
Q

People try to thwart investigators by using encryption to scramble information or_________ to hide information, or both together.

A

antiforensics, steganography, running processes

27
Q

Data acquisition methods

A

Static and live

28
Q

Static and live data acquisition

A

LIVE - a data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it’s not write-protected. Live acquisitions aren’t repeatable because data is continually being altered by the suspect computer’s OS.

STATIC - a data acquisition method used when a suspect drive is write-protected and can’t be altered. If disk evidence is preserved correctly, static acquisitions are repeatable.

29
Q

Net sessions command

A

Shows even meaningless connections such as the computer opening a web browser.

Shows only established network communication sessions.

30
Q

MD5

A

The MD5 hash function was originally designed for use as a secure cryptographic hash algorithm for authenticating digital signatures.

31
Q

dd and dcfldd commands

A

Used to make copies of a suspect drive.

32
Q

WinAudit

A

WinAudit is an inventory utility for Windows computers. It creates a comprehensive report on a machine’s configuration, hardware and software. WinAudit is free, open source and can be used or distributed by anyone.

33
Q

Swap file

A

The most important type of ambient data that Windows uses to write data when additional RAM is needed.

A virtual extension of RAM

35
Q

Volume slack

A

The space that remains on the hard drive if the partitions do not use all the available space.

36
Q

Steganalysis

A

The process of analyzing a file or files for hidden content.

A difficult task that at best shows a likelihood that a given file has additional information hidden in it.

37
Q

Steganography

A

The art and science of writing hidden messages. The goal is to hide information so that even if it is intercepted, it is not clear what information is hidden there.

38
Q

Metadata

A

Data about information (data about data) such as disk partition structures and file tables. Also includes file creation and modification times.

39
Q

Gigabyte

A

1000 bytes

40
Q

Search warrant

A

Needed to search a computer.

41
Q

Plain view

A

No warrant is needed if the evidence is in plain sight.

43
Q

Netstat

A

netstat (network statistics) is a command-line network utility that displays network connections for Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol …