Targeted Flashcards
What allows for a lawful search to be conducted without a warrant or probable cause?
Consent of person with authority
When is warrantless seizure of evidence justified?
When destruction of evidence is imminent and there is probable cause that the seized item is evidence of criminal activity.
When can an investigator collect evidence without formal consent?
When properly worded banners are displayed on a computer screen.
What is a web app threat in which the application unintentionally reveals sensitive information to an unauthorized user?
Information Leakage
What type of information can be found in a common metadata field for a file?
Network name
Which registry key can be analyzed to retrieve folder information?
BagMRU
Which registry key tracks files that have been opened or saved within a Windows shell dialog box?
OpenSaveMRU
Which registry key may shed light on a user’s activity in a system and can indicate execution of a program or script on a device?
RunMRU
Which file format is being viewed if the first hex characters are 42 4D?
BMP
Which file format is being viewed if the first hex characters are 47 49 46 38?
GIF
Which file format is being viewed if the first hex characters are 89 50 4e 47?
PNG
Which file format is being viewed if the first hex characters are ff d8 ff?
JPEG
Which file format is being viewed if the first hex characters are 25 50 44 46?
Which file format is being viewed if the first hex characters are d0 cf 11 e0 a1 b1 1a e1?
XLS, DOC, or PPT
Which file format is being viewed if the first hex characters are 50 4b 03 04 14 00 06 00?
XLSX, DOCX, or PPTX
Which file format is being viewed if the first hex characters are 4e 42 2a 00?
JNT
Which file format is being viewed if the first hex characters are 50 4b 03 04?
ZIP
Which file format is being viewed if the first hex characters are 52 61 72 21 1a 07?
RAR
Which file format is being viewed if the first hex characters are 30 26 b2 75 8e 66 cf 11?
WMV
Which file format is being viewed if the first hex characters are 52 49 46 46?
AVI
Which file format is being viewed if the first hex characters are 49 44 33 03?
MP3
Which file format is being viewed if the first hex characters are 49 20 49?
TIF
Which software tool is designed strictly for maintaining the integrity of evidence during data acquisition?
SAFE Block
What is the difference between the NIST SP 800-88 recommended types of sanitization, clear, purge, and destroy?
Clear: sanitizes media but does not guarantee infeasible recovery; allows media reuse.
Purge: sanitizes media and guarantees infeasible recovery; allows media reuse.
Destroy: destroys the media and guarantees infeasible recovery; media is not reusable.
What are the 3 types of files in which MSSQL Server stores data and logs?
Primary data files (MDF)
Secondary data files (NDF)
Transaction log files (LDF)
Which MySQL utility program is used to dump single or multiple databases for backup purposes?
mysqldump
Which MySQL utility program is used to check the access privileges defined for a hostname or username?
mysqlaccess
Which MySQL utility program is used to process the MyISAM log file and perform recovery operations, display version information, etc.?
myisamlog
Which MySQL utility program is used to obtain the status of the MyISAM table, identify the corrupted tables, repair the corrupted tables, etc.?
myisamchk
Which MySQL utility program is used to display the content of bin logs (mysql-bin.nnnnnn) in text format?
mysqlbinlog
Which MySQL utility program is used to export metadata, data, or both from one or more databases?
mysqldbexport
What Python-based tool can be used to analyze suspect MS Office documents?
oleid
What are the different Windows logon types?
2: Interactive (user logged on locally)
3: Network (logged on from the network)
4: Batch
5: Service (service started by the Service Control Manager)
7: Unlock
8: NetworkCleartext (logged on from the network, password passed in cleartext)
9: NewCredentials (cloned current token and specified new credentials for outbound connections)
10: RemoteInteractive (user logged on remotely)
11: CachedInteractive (user logged on with cached network credentials)
What are the two components of an Apache Web Server?
Apache Core: basic functionalities such as allocation of requests and connection maintenance
Apache Modules: Add-ons used for extending core functionality
What are the elements of the Apache core component?
http_protocol: responsible for managing routines
http_main: handles server startup and timeouts as well as main server loop
http_request: controls stepwise procedure followed among modules to complete client request as well as error handling
http_core: includes a header file that is not required by the app module
alloc.c: handles allocation of resource pools
http_config: reads and handles configuration files and arranges the modules
What are the two types of Apache Web Server logs?
Access log: records all requests processed by the server
Error log: diagnostic information and errors the server faced during requests
Which program may be used to convert a dd image into a bootable VM?
QEMU disk image utility
What TSK command is used to display general details of a file system?
fsstat
What TSK command is used to display the details of a metadata structure?
istat
What TSK command is used to display the file and directory names in a disk?
fls
What TSK command is used to display the details of an image file?
img_stat
What is Windows Event ID 4688?
A new process has been created
What is Windows Event ID 5156?
Windows Filtering Platform has allowed connection (outbound network connection)
What is Windows Event ID 7045?
Service was installed in the system
What is Windows Event ID 4657?
Registry value was modified
What is Windows Event ID 4660?
Object was deleted (such as account name, domain, process ID, etc.)
What is Windows Event ID 4663?
An attempt was made to access an object
What is Windows Event ID 7036?
Windows Protection Service has entered the stopped state
What is Windows Event ID 7040?
The start of Windows Protection Service was changed from autostart to demand start/auto start disabled
Which utility may be used to acquire Mozilla Thunderbird data?
SysTools MailPro+
What is the minimum Linux kernel version to support ext4?
2.6.19
What is file carving?
Technique to recover files and fragments of files from a hard disk in the absence of file system metadata
What application should be used for file carving in Windows?
R-Studio, Autopsy, Recover My Files, EaseUS Data Recovery Wizard, WinUndelete, R-Undelete
What application should be used for file carving in Linux?
R-Studio, Mondo Rescue, Scalpel, Autopsy, Foremost, PhotoRec
What application should be used for file carving in macOS?
AppleXsoft File Recovery, 321Soft Data Recovery, Disk Doctors, Disk Drill, R-Studio, Data Rescue 4, Mac Data Recovery Guru
What is RAID 0?
Striping only, no redundancy. Min 2 drives
What is RAID 1?
Mirroring only. Requires an even number of drives
What is RAID 2?
Bit-level striping. Better data-integrity, but slower than RAID 0
What is RAID 3?
Byte-level striping and dedicated parity disk. Requires at least 3 drives
What is RAID 5?
Byte-level striping and distributed parity among drives. Data writing is slow. Min 3 drives
What is RAID 6?
Double parity RAID. Data striped across multiple drives and uses dual parity for better redundancy than RAID 5. Min 4 drives.
What is RAID 10?
Combination of RAID 0 and RAID 1. Min 4 drives. Provides the fault tolerance of RAID 1 through mirroring with the striping of RAID 0