lec 10 computing Flashcards

1
Q

hardware

A

The physical components of a computer
-case, keyboard, monitor, motherboard, RAM, HDD, mouse, etc

2
Q

software

A

A set of instructions compiled into a program that performs a particular task; software consists of programs and applications that carry out a set of instructions on the hardware.

3
Q

motherboard

A

main system board of a computer
-delivers power, data, and instructions
-every component in the computer connects to the motherboard directly or indirectly

4
Q

central processing unit (CPU)

A

-main chip within the computer (the processor)
-aka the brain of the computer
-handles most of the operations of the computer

5
Q

random-access memory (RAM)

A

serves to take the burden off of the computer’s processor and Hard Disk Drive (HDD)
-A computer stores data in RAM for quick access
-RAM is referred to as volatile memory (not permanent)
-Its contents undergo constant change and are forever lost once power is taken away from the computer

6
Q

hard disk drive (HDD)

A

-main storage location within the computer
-generally permanent storage
-HDDs are mapped/formatted and have a defined layout
-operating system, applications, and user data are stored

7
Q

operating system (OS)

A

-software that provides the bridge between the system hardware and the user
-lets the user interact with the hardware, manages the file system and applications
-examples are Windows (XP, Vista, and Windows 7 and 8), Linux, and Mac OS

8
Q

partition

A

A contiguous set of blocks that are defined and treated as an independent disk.

9
Q

sector

A

The smallest addressable unit of data by a hard disk drive; generally consists of 512 bytes.

10
Q

byte

A

A group of eight bits.

11
Q

bit

A

Short for binary digit; taking the form of either a one or a zero, it is the smallest unit of information on a machine.

12
Q

cluster

A

-groups of sectors; their size is defined by the OS
-group of sectors in multiples of two (therefore consist of 2, 4, 6, 8 sectors etc)
-cluster size varies from file system to file system
-typically, the minimum space allocated to a file

13
Q

Message Digest 5 (MD5)/Secure Hash Algorithm (SHA)

A

-A software algorithm used to “fingerprint” a file or contents of a disk
-used to verify the integrity of data

14
Q

visible data

A

All data that the operating system is presently aware of and thus is readily accessible to the user.

15
Q

swap file

A

A file or defined space on the HDD used to conserve RAM; data is swapped, or paged, to this file or space to free RAM for applications that are in use.

16
Q

temporary files

A

Files temporarily written by an application to perform a function or to provide a “backup” copy of a work product should the computer experience a catastrophic failure.

17
Q

latent data

A

Areas of files and disks that are typically not apparent to the computer user (and often not to the operating system) but contain data nonetheless.

18
Q

file slack

A

The area that begins at the end of the last sector that contains logical data and terminates at the end of the cluster.

19
Q

unallocated space

A

Unused area of the HDD that the operating system's file system table sees as empty (i.e., containing no logical files) but that may contain old (latent) data.

20
Q

Internet cache

A

Portions of visited web pages placed on the local hard disk drive to facilitate quicker retrieval when a web page is revisited.

21
Q

cookies

A

Files placed on a computer from a visited website that are used to track visits to and usage of that site.

22
Q

Internet history

A

An accounting of websites visited; different browsers store this information in different ways.

23
Q

bookmark

A

A feature that enables the user to designate favorite sites for fast and easy access.

24
Q

hacking

A

A slang term frequently used to refer to performing an unauthorized computer or network intrusion.

25
firewall
Hardware or software designed to protect against intrusions into an Internet network.
26
a cluster is a group of ___ in multiples of ___ a. partitions, two b. disks, four c. cylinders, three d. sectors, two
d. sectors, two
27
which of the following is NOT classified as software? a. operating systems b. word processors c. web browsers d. flash drives
d. flash drives
28
which of the following places would a computer forensic investigator look for latent data? a. RAM slack b. file slack c. unallocated space d. all of the above
d. all of the above
29
which of the following is NOT considered a hardware device? a. monitor b. hard disk drive c. mouse d. operating system
d. operating system
30
the first thing a crime scene investigator should do when encountering computer forensic evidence is a. unplug every device from the CPU to preserve the hard disk drive b. procure a warrant to search c. remove the system to the laboratory for processing d. document the scene
b. procure a warrant to search
31
when is it necessary to make a "fingerprint" of an HDD
before and after imaging its contents
32
a software algorithm used to create a "fingerprint" of a file or an entire HDD is called
MD5
33
which of the following actions taken at the crime scene involving a computer is incorrect? a. upon arrival, sketching the overall layout as well as photographing it b. photographing any running monitors c. removing the plug from the back of the computer, not from the wall d. none of these
d. none of these
34
the term 'bit' is short for
binary digit
35
if a file system defines a cluster as six sectors, how many bytes of info can be stored on each cluster? a. 24,576 b. 512 c. 3,072 d. 307.2
c. 3,072
36
a motherboard a. is the main circuit board within a computer b. has a socket to accept RAM c. connects to every device used by the system d. all of these
d. all of these
37
the ___ is a complex network of wires that carry data from one hardware device to another
motherboard
38
the ultimate goal of obtaining an image of a hard disk drive is to..?
obtain information without altering the drive in any way
39
hard drive partitions are typically divided into a. sectors b. clusters c. tracks d. all of these
d. all of these
40
Digital evidence
any stored or transmitted data in binary format that may be useful in a criminal or civil investigation
41
Binary Format
how computers store information
-rendered in bits (either 0s or 1s)
42
Meta-data
‘data about data’ – When file is saved, also records info ABOUT the file – not just the file itself (Location, time, author, etc.)
43
4 common forms that digital evidence can take
-Hard drives
-Cell phones
-Mobile storage media
-Networks
44
Computer Case/Chassis
physical box holding the fixed internal components in place
45
Power supply
converts the power it gets from the wall outlet to a usable format for the computer and its components
46
System Bus
Contained on the motherboard, the system bus is a vast, complex network of wires that serves to carry data from one hardware device to another
47
Read-Only Memory (ROM)
-stores programs called firmware, used to start the boot process and configure a computer's components
-CMOS (complementary metal-oxide semiconductor) allows the user to exercise set-up control over several components
-both ROM and CMOS can be referred to as the BIOS (basic input output system)
48
Input Devices
-devices used to get data into the computer
-examples: keyboard, mouse, scanner
49
output devices
-equipment through which data is obtained from the computer
-examples: monitor, printer, speakers
50
what are the three steps required to prepare an HDD?
1. Low-level formatting
-done by the manufacturer
-divides the platters into tracks and sectors
2. Partitioning
-accomplished through a utility such as fdisk or Disk Manager to define a contiguous set of blocks
3. High-level formatting
-initializing portions of the disk and creating the file system structure
The end result: the drive is logically defined
51
Tracks
-Concentric circles that are defined around the platter
52
Cylinders
-Groups of tracks that reside directly above and below each other
53
two types of HDD maps
-File Allocation Tables (FAT)
-Master File Tables (MFT)
54
what is a metaphor for envisioning a partition and file system?
bank safes, as each safe has a number and defined safe for the number, which only the person with the key can open
55
the analysis of electronic data is bound only by...?
the level of skill of the examiner, as it is virtually limitless
56
three common types of visible data
1. Data/Work Product Files
2. Swap File Data
3. Temporary Files
57
Data/Work Product Files
-any type of user-created data, such as:
-word processing documents
-spreadsheets
-accounting records
-databases
-pictures
58
Swap File Data
-swap file: a file or defined space on the HDD used to conserve RAM
-data is swapped, or paged, to this file or space to free RAM for applications that are in use
59
Temporary Files
-created by programs as a sort of "backup on the fly"
-also prove valuable as evidence
60
reason that a forensic image of an HDD is created
latent data, imaging picks up info that would be lost with a traditional image
61
how do we actually view latent data?
Use programs that allow us to view the HDD on a binary level
-WinHex: allows all data to be read on the binary level independent of the OS
62
slack space
Empty space on a hard disk drive created because of the way the HDD stores files
-evidentiary latent data can exist in both RAM slack and file slack
63
RAM slack
the area from the end of the logical file to the end of the sector
64
how is data orphaned in latent areas?
-constant shuffling of data through deletion, defragmentation, swapping, etc.
-when a user deletes files, the data typically remains behind
65
like a traditional crime scene, an electronic crime scene involves
-warrants
-documentation
-good investigation techniques
-following proper legal procedures when collecting evidence
-pictures: close-ups of running monitors, pictures of the layout, connections and wires (back of the PC)
66
after documentation what are the 3 options investigators have for processing electronic CS
-perform a live acquisition of the data
-perform a system shutdown
-pull the plug from the back of the computer
67
what factors influence the decision of shutting down the computer or pulling the plug?
-Do I think encryption is being used?
-Do I think some crucial evidence exists in RAM that has not been saved to the HDD?
68
what does live acquisition of data entail?
-the investigator needs to work with the computer system, which means there will be changes made to the data (we want to minimize the changes)
-the investigator must consider an “order of volatility” (most important data to save first)
-allows the investigator to develop a sequence of steps that will limit the effects of each change on the subsequent steps and collection methods
-allows you to collect the greatest amount of unaltered evidentiary data
69
what are the steps of live acquisition of data?
1. Photograph all sections of the conversation screen to document the conversation in the same form the user sees
2. Acquire the contents of RAM
-accomplished by running a controlled application designed for this purpose
-resulting content is written to a clean piece of media (NOT written to the hard drive of the computer under investigation)
3. Copy and paste the text of the conversation and save it in text format
4. If encryption is being used, may image the entire hard drive
-encryption renders data unreadable without a password
70
the goal of obtaining data from an HDD is
to do so without altering even one bit (0/1)
71
briefly explain how a computer 'fingerprint' is obtained
-the algorithm is run and a 32-character alphanumeric string is produced based on the drive's contents
-it is then run against the resulting forensic image, and if nothing changed, the same alphanumeric string will be produced
72
what is the purpose of a computer 'fingerprint'
to prove that original contents of the computer were not altered in the imaging process
73
what is the difference between normal imaging of a computer and forensic imaging of a computer?
normal imaging: what the computer can see
forensic imaging: total data from the HDD, visible and invisible
74
3 Places where a forensic computer examiner might look to determine what websites a computer user has visited recently?
1. Internet cache
-portions of visited web pages placed on the local HDD to facilitate quicker retrieval when a web page is revisited
2. Cookies
-used by websites to track certain information about their visitors
-history of visits, purchasing habits, passwords, etc.
-valuable information
3. Internet history
-accounting of websites visited
-collects URL, date and time of access
75
role of IP addresses
-provide the means by which data can be routed to the appropriate location
-can lead to the identity of a real person
76
investigators concentrate their effort in three important locations
-log files
-volatile memory (RAM)
-network traffic
77
what is the significance of mobile forensics
-texts and phone calls are discoverable
-location can be triangulated based on cell towers
78
Preferred method of preserving data from a mobile device
leaving a mobile device running but placing it in something that will block its communication
79
what makes preservation of mobile data so difficult?
-remote capabilities and constant connection with service providers
-clear and remote kill capabilities
-battery: if the phone dies it can alter data