Miscellaneous Flashcards

1
Q

Where is the file signature located for a digital file?

A

the first 20 bytes of the file

2
Q

In File Carving, file identification and extraction is based on certain characteristics such as ______ ______ ______ ______ rather than the file extension or metadata.

A

file header or footer

In this technique, file identification and extraction is based on certain characteristics such as file header or footer rather than the file extension or metadata.

3
Q

A file header as a signature is also known as?

A

a magic number

4
Q

File carving refers to a technique that is used to recover deleted/lost files and fragments of files from the hard disk when?

A

file system metadata is missing

5
Q

File carving in SSDs is different from HDDs because?

A

files deleted from TRIM-enabled SSDs (TRIM is enabled by default) cannot be recovered

6
Q

In TRIM _______ SSDs, the forensic investigator can perform file carving to recover lost data from the drive.

A

disabled

In TRIM disabled SSDs, the forensic investigator can perform file carving to recover lost data from the drive.

7
Q

When a file is deleted from Linux using the command ______, the _____ pointing to the file gets removed but the file remains on the disk until it is ______ with new data

A

/bin/rm/
inode
overwritten

When a file is deleted from Linux using the command /bin/rm/, the inode pointing to the file gets removed but the file remains on the disk until it is overwritten with new data

8
Q

In Linux, if an executable erases itself, its contents can be retrieved from a ______ memory image.

A

/proc

In Linux, if an executable erases itself, its contents can be retrieved from a /proc memory image.

9
Q

What does the HTTP GET method do?

A

GET is used to request data from a specified resource.

10
Q

What does the HTTP POST method do?

A

POST is used to send data to a server to create/update a resource.

11
Q

What does the HTTP Connect method do?

A

The CONNECT method is used to start two-way communications (a tunnel) with the requested resource.

12
Q

What is a CFL?

A

Computer Forensics Lab

13
Q

What are the 2 main accreditations for forensic lab licensing?

A

ASCLD/LAB Accreditation
ISO/IEC 17025

14
Q

What does ASCLD/LAB stand for?

A

The American Society of Crime Laboratory Directors/Laboratory Accreditation Board

15
Q

What does ASCLD/LAB do?

A

They assess and certify the competence of forensic laboratories

16
Q

What does ASCLD/LAB accreditation enhance for a digital forensics lab?

A

ASCLD/LAB accreditation enhances the credibility of a digital forensics lab, making its findings more likely to be accepted in court.

17
Q

ASCLD/LAB accreditation ensures that the lab follows standardized procedures, which is crucial for what?

A

The reliability and repeatability of forensic investigations.

18
Q

What is the ISO/IEC 17025 standard?

A

ISO/IEC 17025 is an international standard that specifies the general requirements for the competence of testing and calibration laboratories. This standard is used by laboratories to develop their quality management systems and ensure they can consistently produce valid results.

19
Q

Who launched the Computer Forensics Tool Testing Project (CFTT)?

A

National Institute of Standards and Technology (NIST)

20
Q

What are the two main types of search warrants for a digital forensics investigation?

A

Electronic Storage Device Search Warrant, Search Provider Search Warrant

21
Q

What is the equivalent in Linux of the dir command in Windows?

A

ls

22
Q

Where are the recently created files located in Windows and a place to look for malware?

A

startup or system32 folder

23
Q

Where are recently created documents in Linux and a place to look for malware?

A

rc.local file

24
Q

What does ACPO mean?

A

Association of Chief Police Officers

25
Q

Which ACPO principles do they refer to (Principle 1 - Principle 4)?

A. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

B. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

C. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

D. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court

A

A. Principle 3
B. Principle 1
C. Principle 4
D. Principle 2

26
Q

What does SWGDE stand for?

A

Scientific Working Group on Digital Evidence

28
Q

Which SWGDE principles do these refer to?
(Principle 1
Standards and Criteria 1.1
Standards and Criteria 1.2
Standards and Criteria 1.3
Standards and Criteria 1.4
Standards and Criteria 1.5
Standards and Criteria 1.6
Standards and Criteria 1.7)

A. Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.

B. All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.

C. All activity relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony.

D. In order to ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.

E. Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.

F. The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.

G. Any action that has potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner.

H. The agency must maintain written copies of appropriate technical procedures.

A

A. Standards and Criteria 1.3

B. Standards and Criteria 1.1

C. Standards and Criteria 1.6

D. Principle 1

E. Standards and Criteria 1.2

F. Standards and Criteria 1.5

G. Standards and Criteria 1.7

H. Standards and Criteria 1.4

29
Q

What does CIRT stand for?

A

Computer Incident Response Team

30
Q

What does SOC stand for?

A

Security Operations Center

31
Q

What is the SOC?

A

Security Operations Center (SOC) is a centralized unit that continuously monitors and analyzes ongoing activities on an organization’s information systems such as networks, servers, endpoints, databases, applications, websites, etc. to look for anomalies

32
Q

In incident response, what is the role of the SOC?

A

The SOC team acts as the initial point for incident detection and validation

33
Q

Upon incident validation, the incident response team gathers the evidence and provides it to the _______ ______, which then starts the ______ investigation

A

forensics team

Upon incident validation, the incident response team gathers the evidence and provides it to the forensics team, which then starts the __________ investigation

34
Q

What are tracks on a hard drive?

A

concentric circles on platters

35
Q

How does track numbering begin on a hard drive?

A

from 0

36
Q

How much data does a sector hold on a hard drive?

A

512 bytes

37
Q

How is track density defined?

A

space between tracks on a disk

38
Q

How is areal density defined?

A

number of bits per square inch on a platter

39
Q

How is bit density defined?

A

bits per unit length of track

40
Q

Formula of total size on a disk?

A

cylinders * heads * sectors * 512 bytes

41
Q

What is the smallest logical storage unit on a hard disk?

A

a cluster

42
Q

A _______ is a set of sectors on a disk ranging from ____ to _____

A

cluster

2 to 32

43
Q

clusters are also known as?

A

allocation units

44
Q

In the File Allocation Table (FAT) file system, the clusters linked with a file keep track of _____ _____ on the hard disk’s file allocation

A

file data

45
Q

What is a File Allocation Table (FAT) error that occurs when the OS marks clusters as used but does not allocate any file to them called?

A

a lost cluster

46
Q

What are the two types of file slack?

A

Ram slack and drive slack

47
Q

In practice, the Master Boot Record (MBR) almost always refers to the _____ ______ boot sector (or partition sector) of a disk

A

512-byte

48
Q

What are the 3 main functions of the Master Boot Record?

A

–holding a partition table which refers to the partitions of a hard disk

–bootstrapping an OS

–distinctively recognizing individual hard disk media with a 32-bit signature

49
Q

Disk partitioning is the creation of _______ divisions on a storage device (HDD/SSD) to allow the user to perform OS-specific logical formatting

A

logical

50
Q

What is a Globally Unique Identifier (GUID)?

A

A GUID is a 128-bit number used to uniquely identify information in computer systems.

51
Q

What does Logon Event 4624 mean?

A

A user successfully logged on to a computer.

52
Q

What does Logon Type 2 mean?

A

Interactive

A user logged on to this computer.

53
Q

What does Logon Type 3 mean?

A

Network

A user or computer logged on to this computer from the network

54
Q

What does Logon Event 4625 mean?

A

Logon failure. A logon attempt was made with an unknown username or a known username with a bad password.
