Miscellaneous Flashcards
Where is the file signature located for a digital file?
the first 20 bytes of the file
In File Carving, file identification and extraction is based on certain characteristics such as ______ ______ ______ ______ rather than the file extension or metadata.
file header or footer
In this technique, file identification and extraction is based on certain characteristics such as file header or footer rather than the file extension or metadata.
A file header as a signature is also known as?
a magic number
File carving refers to a technique that is used to recover deleted/lost files and fragments of files from the hard disk when?
file system metadata is missing
File carving in SSDs is different from HDDs because?
files deleted from TRIM-enabled SSDs (TRIM is enabled by default) cannot be recovered
In TRIM _______ SSDs, the forensic investigator can perform file carving to recover lost data from the drive.
disabled
In TRIM disabled SSDs, the forensic investigator can perform file carving to recover lost data from the drive.
When a file is deleted from Linux using the command ______, the _____ pointing to the file gets removed, but the file remains on the disk until it is ______ with new data.
/bin/rm/
inode
overwritten
When a file is deleted from Linux using the command /bin/rm, the inode pointing to the file gets removed, but the file remains on the disk until it is overwritten with new data.
In Linux, if an executable erases itself, its contents can be retrieved from a ______ memory image.
/proc
In Linux, if an executable erases itself, its contents can be retrieved from a /proc memory image.
What does the HTTP GET method do?
GET is used to request data from a specified resource.
What does the HTTP POST method do?
POST is used to send data to a server to create/update a resource.
What does the HTTP CONNECT method do?
The CONNECT method is used to start two-way communication (a tunnel) with the requested resource.
What is a CFL?
Computer Forensics Lab
What are the 2 main accreditations for forensic lab licensing?
ASCLD/LAB Accreditation
ISO/IEC 17025
What does ASCLD/LAB stand for?
The American Society of Crime Laboratory Directors/Laboratory Accreditation Board
What does ASCLD/LAB do?
They assess and certify the competence of forensic laboratories
What does ASCLD/LAB accreditation enhance for a digital forensics lab?
ASCLD/LAB accreditation enhances the credibility of a digital forensics lab, making its findings more likely to be accepted in court.
ASCLD/LAB accreditation ensures that the lab follows standardized procedures, which is crucial for what?
The reliability and repeatability of forensic investigations.
What is the ISO/IEC 17025 standard?
ISO/IEC 17025 is an international standard that specifies the general requirements for the competence of testing and calibration laboratories. This standard is used by laboratories to develop their quality management systems and ensure they can consistently produce valid results.
Who launched the Computer Forensics Tool Testing Project (CFTT)?
National Institute of Standards and Technology (NIST)
What are the two main types of search warrants for a digital forensics investigation?
Electronic Storage Device Search Warrant, Search Provider Search Warrant
What is the equivalent in Linux of the dir command in Windows?
ls
Where are the recently created files located in Windows and a place to look for malware?
startup or system32 folder
Where are recently created documents in Linux and a place to look for malware?
rc.local file
What does ACPO mean?
Association of Chief Police Officers
Which ACPO principle (Principle 1 to Principle 4) does each of the following statements refer to?
A. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
B. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
C. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
D. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in court.
A. Principle 3
B. Principle 1
C. Principle 4
D. Principle 2
What does SWGDE stand for?
Scientific Working Group on Digital Evidence
Which SWGDE principle or standard (Principle 1, or Standards and Criteria 1.1 through 1.7) does each of the following statements refer to?
A. Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
B. All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
C. All activity relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony.
D. In order to ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.
E. Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
F. The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.
G. Any action that has potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner.
H. The agency must maintain written copies of appropriate technical procedures.
A. Standards and Criteria 1.3
B. Standards and Criteria 1.1
C. Standards and Criteria 1.6
D. Principle 1
E. Standards and Criteria 1.2
F. Standards and Criteria 1.5
G. Standards and Criteria 1.7
H. Standards and Criteria 1.4
What does CIRT stand for?
Computer Incident Response Team
What does SOC stand for?
Security Operations Center
What is the SOC?
A Security Operations Center (SOC) is a centralized unit that continuously monitors and analyzes ongoing activities on an organization’s information systems, such as networks, servers, endpoints, databases, applications and websites, to look for anomalies.
In incident response, what is the role of the SOC?
The SOC team acts as the initial point for incident detection and validation.
Upon incident validation, the incident response team gathers the evidence and provides it to the _______ ______, which then starts the ______ investigation.
forensics team
Upon incident validation, the incident response team gathers the evidence and provides it to the forensics team, which then starts the __________ investigation.
What are tracks on a hard drive?
concentric circles on platters
How does track numbering begin on a hard drive?
from 0
How much data does a sector hold on a hard drive?
512 bytes
How is track density defined?
space between tracks on a disk
How is areal density defined?
number of bits per square inch on a platter
How is bit density defined?
bits per unit length of track
Formula of total size on a disk?
cylinders * heads * sectors * 512 bytes
What is the smallest logical storage unit on a hard disk?
a cluster
A _______ is a set of sectors on a disk, ranging from ____ to _____
cluster
2 to 32
Clusters are also known as?
allocation units
In the File Allocation Table (FAT) file system, the clusters linked with a file keep track of _____ _____ on the hard disk’s file allocation
file data
What is a File Allocation Table (FAT) error that occurs when the OS marks clusters as used but does not allocate any file to them called?
a lost cluster
What are the two types of file slack?
Ram slack and drive slack
In practice, the Master Boot Record (MBR) almost always refers to the _____ ______ boot sector (or partition sector) of a disk
512-byte
What are the 3 main functions of the Master Boot Record?
–holding a partition table which refers to the partitions of a hard disk
–bootstrapping an OS
–distinctively recognizing individual hard disk media with a 32-bit signature
Disk partitioning is the creation of _______ divisions on a storage device (HDD/SSD) to allow the user to apply OS-specific logical formatting.
logical
What is a Globally Unique Identifier (GUID)?
A GUID is a 128-bit number used to uniquely identify information in computer systems.
What does Logon Event 4624 mean?
A user successfully logged on to a computer.
What does Logon Type 2 mean?
Interactive
A user logged on to this computer.
What does Logon Type 3 mean?
Network
A user or computer logged on to this computer from the network.
What does Logon Event 4625 mean?
Logon failure. A logon attempt was made with an unknown username or a known username with a bad password.