lec 10 computing

Question 1

hardware

Answer 1

The physical components of a computer
-case, keyboard, monitor, motherboard, RAM, HDD, mouse, etc

Question 2

software

Answer 2

A set of instructions compiled
into a program that performs a
particular task; software consists
of programs and applications that
carry out a set of instructions on
the hardware.

Question 3

motherboard

Answer 3

main system board of a computer
-delivers power, data, and instructions
-every component in the computer connects to the motherboard directly or indirectly

Question 4

central processing unit (CPU)

Answer 4

-main chip within the computer/ processor
-aka the brain of the computer
-handles most of the operations of the computer

Question 5

random-access memory (RAM)

Answer 5

serves to take the burden off of the computer’s processor and Hard Disk Drive (HDD)
-A computer stores data in RAM for quick access
-RAM is referred to as volatile memory (not permanent)
-Its contents undergo constant change and are forever lost once power is taken away from the computer

Question 6

hard disk drive (HDD)

Answer 6

-main storage location within the computer
-generally permanent storage
-HDDs are mapped/formatted and have a defined layout
-operating system, applications, and user data are stored

Question 7

operating system (OS)

Answer 7

-software that provides the bridge between the system hardware and the user
-lets the user interact with the hardware, manages the file system and applications
-examples are Windows (XP, Vista, and Windows 7 and 8), Linux, and Mac OS

Question 8

partition

Answer 8

A contiguous set of blocks that are
defined and treated as an independent disk.

Question 9

sector

Answer 9

The smallest addressable unit of
data by a hard disk drive; generally
consists of 512 bytes.

Question 10

byte

Answer 10

A group of eight bits.

Question 11

bit

Answer 11

Short for binary digit; taking the
form of either a one or a zero, it is
the smallest unit of information on
a machine.

Question 12

cluster

Answer 12

-Groups of sectors and their size is defined by the OS
-group of sectors in multiples of two (therefore consist of 2, 4, 6, 8 sectors etc)
-cluster size varies from file
system to file system
-typically, the minimum space allocated to a file

Question 13

Message Digest 5 (MD5)/Secure Hash Algorithm (SHA)

Answer 13

-A software algorithm used to “fingerprint” a file or contents of a disk
-used to verify the integrity of data

Question 14

visible data

Answer 14

All data that the operating system
is presently aware of and thus is
readily accessible to the user.

Question 15

swap file

Answer 15

A file or defined space on the HDD
used to conserve RAM; data is
swapped, or paged, to this file or
space to free RAM for applications
that are in use

Question 16

temporary files

Answer 16

Files temporarily written by an
application to perform a function
or to provide a “backup” copy of a
work product should the computer
experience a catastrophic failure.

Question 17

latent data

Answer 17

Areas of files and disks that are typically not apparent to the computer user (and often not to the
operating system) but contain data
nonetheless.

Question 18

file slack

Answer 18

The area that begins at the end of
the last sector that contains logical
data and terminates at the end of
the cluster.

Question 19

unallocated space

Answer 19

unused area of the HDD that the operating system file system
table sees as empty (i.e., containing no logical files) but that may
contain old data (latent)

Question 20

Internet cache

Answer 20

Portions of visited web pages
placed on the local hard disk drive
to facilitate quicker retrieval when a
web page is revisited.

Question 21

cookies

Answer 21

Files placed on a computer from
a visited website that are used to
track visits to and usage of that
site.

Question 22

Internet history

Answer 22

An accounting of websites visited;
different browsers store this information in different ways.

Question 23

bookmark

Answer 23

A feature that enables the user to
designate favorite sites for fast and
easy access.

Question 24

hacking

Answer 24

A slang term frequently used to
refer to performing an unauthorized computer or network intrusion.

Question 25

firewall

Answer 25

Hardware or software designed to protect intrusions into an Internet network.

Question 26

a cluster is a group of ___ in multiples of ___ a. partitions, two b. disks, four c. cylinders, three d. sectors, two

Answer 26

d. sectors, two

Question 27

which of the following is NOT classified as software? a. operating systems b. word processors c. web browsers d. flash drives

Answer 27

d. flash drives

Question 28

which of the following places would a computer forensic investigator look for latent data? a. RAM slack b. file slack c. unallocated space d. all of the above

Answer 28

d. all of the above

Question 29

which of the following is NOT considered a hardware device? a. monitor b. hard disk drive c. mouse d. operating system

Answer 29

d. operating system

Question 30

the first thing a crime scene investigator should do when encountering computer forensic evidence is a. unplug every device from the CPU to preserve the hard disk drive b. procure a warrant to search c. remove the system to the laboratory for processing d. document the scene

Answer 30

b. procure a warrant to search

Question 31

when is it necessary to make a "fingerprint" of an HDD

Answer 31

before and after imaging its contents

Question 32

a software algorithm used to create a "fingerprint" of a file or an entire HDD is called

Answer 32

MD5

Question 33

which of the following actions taken at the crime scene involving a computer is incorrect? a. upon arrival, sketching the overall layout as well as photographing it b. photographing any running monitors c. removing the plug from the back of the computer, not from the wall d. none of these

Answer 33

d. none of these

Question 34

the term 'bit' is short for

Answer 34

binary digit

Question 35

if a file system defines a cluster as six sectors, how many bytes of info can be stored on each cluster? a. 24,576 b. 512 c. 3,072 d. 307.2

Answer 35

c. 3,072

Question 36

a motherboard a. is the main circutboard within a computer b. has a socket to accept RAM c. connects to every device used by the system d. all of these

Answer 36

d. all of these

Question 37

the ___ is a complex network of wires that carry data from one hardware device to another

Answer 37

motherboard

Question 38

the ultimate goal of obtaining an image of a hard disk drive is to..?

Answer 38

obtain information without altering the drive in any way

Question 39

hard drive partitions are typically divided into a. sectors b. clusters c. tracks d. all of these

Answer 39

d. all of these

Question 40

Digital evidence

Answer 40

any stored or transmitted data in binary format that may be useful in a criminal or civil investigation

Question 41

Binary Format

Answer 41

how computers store information -Rendered in bits (either 0s or 1s)

Question 42

Meta-data

Answer 42

‘data about data’ – When file is saved, also records info ABOUT the file – not just the file itself (Location, time, author, etc.)

Question 43

4 common forms that digital evidence can take

Answer 43

-Hard drives -Cell phones -Mobile storage media -Networks

Question 44

Computer Case/Chassis

Answer 44

physical box holding the fixed internal components in place

Question 45

Power supply

Answer 45

converts the power it gets from the wall outlet to a useable format for the computer and its components

Question 46

System Bus

Answer 46

Contained on the motherboard, the system bus is a vast, complex network of wires that serves to carry data from one hardware device to another

Question 47

Read-Only Memory (ROM)

Answer 47

-store programs called firmware, used to start the boot process and configure a computer's components -CMOS – complementary metal-oxide semiconductor – allows user to exercise set-up control over several components -Both ROM and CMOS can be referred to as the BIOS (basic input output system)

Question 48

Input Devices

Answer 48

-devices are used to get data into the computer -example: keyboard, mouse, scanner

Question 49

output devices

Answer 49

-Equipment through which data is obtained from the computer -examples: monitor, printer, speakers

Question 50

what are the three steps required to prepare an HDD?

Answer 50

1. Low-level formatting -Done by the manufacturer -divides the platters into tracks and sectors 2.Partitioning -Accomplished through a utility such as fdisk or Disk Manager to define a contiguous set of blocks 3. High-level formatting -Initializing portions of the disk and creating the file system structure The end result: drive is logically defined

Question 51

Tracks

Answer 51

-Concentric circles that are defined around the platter

Question 52

Cylinders

Answer 52

-Groups of tracks that reside directly above and below each other

Question 53

two types of HDD maps

Answer 53

-File Allocation Tables “FAT” -Master File Tables “MFT”

Question 54

what is a metaphor for envisioning a partition and file system?

Answer 54

bank safes, as each safe has a number and defined safe for the number, which only the person with the key can open

Question 55

the analysis of electronic data is bound only by...?

Answer 55

the level of skill of the examiner, as it is virtually limitless

Question 56

three common types of visible data

Answer 56

1. Data/Work Product Files 2. Swap File Data 3. Temporary Files

Question 57

Data/Work Product Files

Answer 57

-any type of user created data, such as: – Word processing documents – Spread sheets – Accounting records – Databases – Pictures

Question 58

Swap File Data

Answer 58

-Swap file: A file or defined space on the HDD used to conserve RAM -Data is swapped, or paged, to this file or space to free RAM for applications that are in use

Question 59

Temporary Files

Answer 59

-created by programs as a sort of "backup on the fly" -also prove valuable as evidence

Question 60

reason that a forensic image of an HDD is created

Answer 60

latent data, imaging picks up info that would be lost with a traditional image

Question 61

how do we actually view latent data?

Answer 61

Use programs that allow us to view HDD on a binary level – WinHex – allows all data to be read on the binary level independent of the OS

Question 62

slack space

Answer 62

Empty space on a hard disk drive created because of the way the HDD stores files -Evidentiary latent data can exist in both RAM and file slack

Question 63

RAM slack

Answer 63

the area from the end of the logical file to the end of the sector

Question 64

how is data orphaned in latent areas?

Answer 64

-constant shuffling of data through deletion, defragmentation, swapping, etc. -when a user deletes files the data typically remains behind

Question 65

like a traditional crime scene, an electronic crime scene involves

Answer 65

-warrants -documentation -good investigation techniques -follow proper legal procedures when collecting evidence -pictures: closeups of running monitors, pics of layout, connections and wires (back of pc)

Question 66

after documentation what are the 3 options investigators have for processing electronic CS

Answer 66

-Perform a live acquisition of the data -Perform a system shut down -Pull the plug from the back of the computer

Question 67

what factors influence the decision of shutting down the computer or pulling the plug?

Answer 67

-Do I think encryption is being used? -Do I think some crucial evidence exists in the RAM that has not been saved to the HDD?

Question 68

what does live acquisition of data entail?

Answer 68

-The investigator needs to work with the computer system which means there will be changes made to the data, (we want to minimize the changes) -Investigator must consider an “order of volatility” (most important data to save first ) -Allows the investigator to develop a sequence of steps that will limit the effects of each change on the subsequent steps and collection methods -Allows you to collect the greatest amount of unaltered evidentiary data

Question 69

what are the steps of live acquisition of data?

Answer 69

1. Photograph all sections of the conversation screen to document the conversation in the same form the user sees 2. Acquire the contents of RAM – Accomplished by running a controlled application designed for this purpose – Resulting content is written on a clean piece of media (NOT written to the hard drive of the computer under investigation) 3. Copy and paste text of conversation and save in text format 4. If encryption is being used, may image entire hard drive – Encryption renders data unreadable without a password

Question 70

the goal of obtaining data from an HDD is

Answer 70

to do so without altering even one bit (0/1)

Question 71

briefly explain how a computer 'fingerprint' is obtained

Answer 71

-algorithm is run and a 32-character alphanumeric string is produced based on the drive's contents -then run against the resulting forensic image, and if nothing changed, the same alphanumeric string will be produced

Question 72

what is the purpose of a computer 'fingerprint'

Answer 72

to prove that original contents of the computer were not altered in the imaging process

Question 73

what is the difference between normal imaging of a computer and forensic imaging of a computer?

Answer 73

normal imaging- what the computer can see forensic imaging- total data from HDD, visible and invisble

Question 74

3 Places where a forensic computer examiner might look to determine what websites a computer user has visited recently?

Answer 74

1. Internet cache -Portions of visited web pages placed on the local HDD to facilitate quicker retrieval when a web page is revisited 2. Cookies -Used by websites to track certain information about their visitors -History of visits, purchasing habits, passwords, etc. -Valuable information 3. Internet history -accounting of websites visited -Collects URL, date and time of access

Question 75

role of IP addresses

Answer 75

-provide the means by which data can be routed to the appropriate location -Can lead to the identity of a real person

Question 76

investigators concentrate their effort in three important locations

Answer 76

-Log files -Volatile memory (RAM) -Network traffic

Question 77

what is the significance of mobile forensics

Answer 77

-texts and phonecalls discoverable -triangulate location based on cell towers

Question 78

Preferred method of preserving data from a mobile device

Answer 78

-Leaving a mobile device running but placing it in something that will block its communication

Question 79

what makes preservation of mobile data so difficult?

Answer 79

- remote capabilities and constant connection with service providers -clear and remote kill capabilities -battery, if phone dies it can alter data