Tech Terms Flashcards

1
Q

Active File vs. File Fragment

A
  1. Active File - a file the file system currently tracks as allocated; it can be opened and is available for use.
  2. File Fragment - a piece of a file's data that remains on disk with no complete file system record describing it, usually left over from a previously deleted file. (Related but distinct: a fragmented file is an active file whose clusters are stored in non-contiguous runs.)
    Forensic Importance: Fragments have no directory entry, name, or metadata and must be carved out of unallocated space. A fragment of a deleted file can still contain useful evidence, and fragmentation is the main reason a carved file comes back incomplete or mixed with another file's data.
2
Q

App vs. Program

A
  1. Application - a program or group of programs
    - designed for the end user; normally has a user interface (graphical on desktops and phones, though a command-line tool is still an application)
    - directly helps the end user perform a task
    - depends on system software (the OS) to execute
    - the short form "app" became common with mobile devices
    - Examples: Windows Media Player, Firefox
  2. Program - a set of instructions telling a computer what to do
    - All applications are programs, but a program is not necessarily an application
    - Can run silently in the background (system services, scheduled tasks)

Forensic Importance: An application runs because a user (or something acting as the user) started it, so its artifacts (prefetch files, jump lists, registry MRU keys) point to user activity. A program such as a service or scheduled task can run without any user interaction, so its artifacts do not by themselves prove a person was at the keyboard.

3
Q

ASCII vs. UNICODE

A
  1. ASCII - American Standard Code for Information Interchange maps characters to numeric codes
    - 128 characters, 7-bit encoding
    - "Extended ASCII" code pages use the 8th bit for 256 values
  2. Unicode - assigns a unique code point to every character in every writing system
    - Stored on disk with an encoding such as UTF-8 (variable length, 1 to 4 bytes; identical to ASCII for the first 128 code points) or UTF-16 (2 or 4 bytes; Windows stores most internal strings as UTF-16LE)
    - Adopted as the standard character set and can represent all languages
    Forensic Importance: These standards turn bytes into human-readable text and back, and the encoding determines what bytes a keyword produces on disk. The word "evidence" is 65 76 69 64 ... in ASCII/UTF-8 but 65 00 76 00 69 00 64 00 ... in UTF-16LE, so a live search (for example in AD Lab) must be run in both forms or it will miss one of them.
4
Q

Backup Software vs. Volume Shadow Copy

A
  1. Backup Software - programs that copy files, folders, or entire computers to another location so the original content can be restored
    a. Full backup - exact duplicate of everything selected
    b. Incremental backup - only what changed since the previous backup (full or incremental); differential backup - everything changed since the last full backup. Both save time and space over repeated full backups, but the two terms are not interchangeable.
    c. Examples: Time Machine, Carbonite
    d. Backup software usually compresses (and may encrypt) the data it stores
  2. VSC - Volume Shadow Copy, a Windows service (VSS) that captures point-in-time snapshots called shadow copies
    - Read-only snapshot of an entire NTFS volume: user data, program files, registry hives, everything on the volume at that instant
    - Stored in the System Volume Information folder of the volume
    - Created either as a complete copy (split mirror) or, far more commonly, as a differential copy-on-write snapshot that saves only blocks changed after the snapshot was taken
    - Either way there are two views of the data: the original volume (read/write) and the shadow copy (read-only)
    - A differential shadow copy is meaningless without the original volume, so both must be present to restore from it
    Forensic Importance: A backup may hold data that was later deleted from the local machine. Shadow copies inside a Windows image can be mounted and examined to recover earlier versions of files, registry hives, and files that have since been deleted. On a live system, `vssadmin list shadows` enumerates the copies that exist.
5
Q

Carved File vs. Recovered Deleted File

A
  1. Carved File - a file recovered from raw disk data with no file system record pointing to it
    - No name, timestamps, or attributes associated with it
    - No reference in the file table (MFT or FAT)
    - "Carving" scans unallocated space, the pagefile, or memory for known file signatures (headers) and extracts the data that follows into a new file
    (A file header is a sequence of bytes at the start of a file that identifies its type: "who am I and how do you treat me?")
    - The carver reads a predictable length, or until a known footer is found; if the original file was fragmented, the carved result may be incomplete or contain another file's data
  2. Recovered Deleted File - the user deleted the file, but its MFT record (or directory entry) has not yet been reused or overwritten
    - May still be in the Recycle Bin
    - On deletion the content stays where it was; only the file system's pointer to it is removed and its clusters are marked free
    - Because the metadata survives, the name, path, timestamps, and cluster runs can be read back and the file restored intact, unless its clusters were reused in the meantime

Forensic Importance: Carving recovers content with no metadata and depends on signatures, so it can find files that no file system record describes. A recovered deleted file keeps its metadata, so you can tie it to a name, path, and time, and keyword or signature searches over it behave as for any active file.

6
Q

Cloud Storage v. Network Drive

A
  1. Cloud Storage - online storage space
    - Data is uploaded to and stored on servers run by a third party
    - Examples: iCloud, Google Drive, Dropbox
    - Pay as you go (usually a free tier plus a subscription)
    - The provider manages the infrastructure
    - Efficient way to share data across devices and with other people
  2. Network Drive - storage on a local area network that the device maps or mounts
    - Usually located on a file server or a NAS; appears as a drive letter or mount point
    Forensic Importance: If data is not stored on the device itself, an additional search warrant (or a request to the provider) may be required. The device usually shows that it connected to cloud or network storage, and under which account: sync client folders and databases, mapped-drive registry keys (HKCU\Network and MountPoints2), LNK files pointing at UNC paths, and browser history. Relay that information to the case agent for the additional legal process.
7
Q

Cluster vs. Sector

A
  1. Sector - each track on a hard drive platter is divided into sectors
    a. Smallest unit the storage device itself can read or write (HDD or SSD)
    b. Traditionally 512 bytes of user data plus roughly 50 to 60 bytes of ECC that the drive uses for error correction; newer "Advanced Format" drives use 4096-byte physical sectors
    c. Smallest addressable unit (LBA numbers count sectors)
  2. Cluster - a group of contiguous sectors that is the smallest unit of disk allocation within a file system
    a. The file system's cluster size is the smallest amount of space a file can occupy (the NTFS default is 4 KB, i.e. eight 512-byte sectors)
    b. Specified in the Volume Boot Record
    c. Also called the allocation unit; a file always consumes whole clusters, so a 1-byte file still takes one cluster
    Forensic Importance: Understanding how the file system maps files onto clusters and sectors is the basis for slack space, unallocated space, and carving.
    Analogy: Filing cabinets in records storage. The cabinet is the cluster; the drawers are the sectors.
8
Q

Container Email vs. Web Email

A
  1. Container Email
    a. Accessed through an email client (Outlook, Thunderbird, Apple Mail)
    b. Messages are downloaded into a container file on the local computer or a server: Outlook PST/OST, MBOX, individual EML files
    c. Example: Outlook with a .pst file
  2. Webmail
    a. Accessed through a web browser
    b. Data is stored on the provider's servers, not the device; the browser cache and history may hold fragments of viewed messages
    c. Examples: Gmail, Yahoo Mail

Forensic Importance: Advise the case agent that if webmail content is not stored on the device, accessing it requires an additional search warrant served on the provider. A container file on the device is within the scope of the device examination and can be parsed directly.

Analogy: reading the news in a physical paper you took home versus reading it online.

9
Q

DCO vs HPA

A
  1. DCO - Device Configuration Overlay
    - An ATA feature that lets a vendor change how the drive reports its capabilities and capacity
    - Lets vendors buy drives of slightly different sizes from different manufacturers and configure them all to report the same number of sectors
    - Sectors hidden by a DCO are invisible to the BIOS/UEFI and the OS, so the drive appears smaller than it actually is
    - Can hold hidden data
  2. HPA - Host Protected Area
    - Reserved area at the end of the drive, originally intended for vendor boot, recovery, and diagnostic code
    - Not normally visible to the operating system (the drive reports a maximum address below its true native maximum)
    - Stores data in a way that cannot easily be modified or read by the user, BIOS, or OS

Both are areas at the end of ATA (SATA and IDE) hard drives that are reachable only through ATA commands issued by special utilities, not through the operating system, the BIOS, or a normal user session. When both exist on one drive the HPA sits immediately before the DCO, and either can hide small to large amounts of data.

Forensic Importance: Data may be hidden in these areas, and some imaging tools cannot see or acquire them, so the image would silently omit that region. The practical check is to compare the sector count the drive currently reports with its native maximum: on Linux, `hdparm -N /dev/sdX` prints the current and native max sector counts and whether an HPA is enabled, and `hdparm --dco-identify /dev/sdX` reads the DCO; many hardware imagers and write blockers also report (and can optionally remove) an HPA or DCO. Deliberately storing data in these areas indicates a high level of computer knowledge.

10
Q

DD vs. E01 Image

A
  1. DD / RAW image - a bit-for-bit copy of the source disk
    - Contains only the data from the source disk, sector by sector
    - No header, no embedded hashes or metadata; some tools (dcfldd, FTK Imager) write a separate log or .txt file with the acquisition hash and details
    - Can be split into segments (.001, .002, ...) and is readable by almost any tool
  2. E01 Image (EnCase evidence file, the Expert Witness format)
    - Disk image wrapped in a container whose header and footer carry metadata about the acquisition:
      - Acquisition date/time and examiner/case notes
      - Cryptographic hash of the source (MD5 and/or SHA-1, the "fingerprint")
      - Drive type and geometry
      - Version of the software that created the image
      - Operating system used for the acquisition
      - A CRC (cyclic redundancy check) after each block of data (by default every 64 sectors), which verifies that block on its own and so localizes any corruption
    - Data blocks are optionally compressed (the level is chosen at acquisition)
    - Can also be split into segments (.E01, .E02, ...)
    Forensic Importance: A compressed E01 takes less space than a raw image but costs CPU time during acquisition. The E01 carries its own hashes and per-block CRCs, so its integrity is self-documenting; with a raw image you must keep the acquisition hash and log separately and re-hash the whole image to verify it.
11
Q

Deleted Files vs. Recycle Bin Files

A
  1. Deleted File (bypassing the Recycle Bin: Shift+Delete, deletion from the command line, or deletion from removable media)
    - FAT: the OS writes 0xE5 in the first byte of the directory entry and clears the file's cluster chain in the FAT, so those clusters are available again
    - NTFS: the MFT record is flagged as not in use, the file's entry in the parent directory index ($I30) is removed, and its clusters are cleared in $Bitmap
    - The space is marked available (unallocated), but the file's content and, for a while, its metadata record remain on disk
    - Most can be recovered until the record or the clusters are reused
  2. Recycle Bin
    - Contents are not actually deleted; the file is moved within the directory structure
    - $Recycle.Bin at the root of the volume, with a subfolder per user SID
    - For each deleted file two files are created in the user's subfolder:
      - $I<random>.<ext> - an info file holding the original path and name, the original file size, and the deletion date/time
      - $R<random>.<ext> - the actual file content, renamed
    Forensic Importance: A deleted file may not have been overwritten yet and can often be recovered along with its metadata. Items in the Recycle Bin are not deleted at all: the $I file records when the user deleted the file and where it lived, and the $R file is the content.
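The $I record described above is small enough to parse by hand. The following is an added example (not part of the original flashcards, and not code from any forensic tool) that builds constructed $I records in both layouts Windows has used and parses them back, including the FILETIME conversion. The sample paths, sizes, and timestamp are invented test data.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample deletion time (not from a real system).
SAMPLE_DELETED_AT = datetime(2021, 3, 4, 15, 6, 7, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\plan.docx"


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_i_file(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Build a $I record in the layout Windows uses: version 1 (Vista to 8.1)
    has a fixed 520-byte path field; version 2 (Windows 10+) has a length-prefixed path."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        # 260 UTF-16LE characters, null padded.
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    if version == 2:
        name = (path + "\x00").encode("utf-16-le")
        # Length is in characters and includes the terminating null.
        return header + struct.pack("<I", len(path) + 1) + name
    raise ValueError("unknown $I version")


def parse_i_file(data: bytes) -> dict:
    """Parse a $I record into the fields an examiner reports."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520].decode("utf-16-le", errors="replace")
        path = raw.split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2].decode("utf-16-le", errors="replace")
        path = raw.rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {
        "version": version,
        "original_path": path,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ticks),
    }


def matching_r_name(i_name: str) -> str:
    """$IXXXXXX.ext pairs with $RXXXXXX.ext in the same SID subfolder."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def demo(version: int = 2) -> dict:
    return parse_i_file(build_i_file(version, SAMPLE_PATH, 24576, SAMPLE_DELETED_AT))


if __name__ == "__main__":
    for v in (1, 2):
        print(v, demo(v))
    print(matching_r_name("$I3K2J9F.docx"))
```

The same FILETIME conversion applies to MFT timestamps, LNK files, and the USN journal; the only thing that changes between artifacts is where the 8-byte value sits.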
12
Q

DHCP vs. Static IP address:

A
  1. DHCP - Dynamic Host Configuration Protocol
    - An IP address is a numerical label assigned to each device on a network that uses the Internet Protocol. IPv4 addresses are 32 bits, written as four octets (e.g. 192.168.1.20); with IPv4 addresses depleted, IPv6 uses 128-bit addresses.
    - A DHCP server leases an address from a pool to a device that requests one
    - The lease expires after a set time; a device may get the same or a different address when it reconnects or renews (the address does not change simply because a user logs off)
  2. Static - an address configured permanently on the device (or reserved for its MAC address on the DHCP server)
    - Does not change between sessions
    - Often used for printers, servers, and other devices that must be reachable at a known address
    Forensic Importance: Know which kind of address you are looking at. A dynamic address identifies a device only for the period of the lease, so DHCP server logs (or the client's own lease records, e.g. the DhcpIPAddress and LeaseObtainedTime values under the Windows registry key Tcpip\Parameters\Interfaces) are needed to tie an address in a log to a specific device at a specific time. Analogy: a classroom with assigned seats versus one without, or buying a book versus borrowing it from the library.
13
Q

Digital Forensics vs. General Forensics

A
  1. Digital Forensics - application of scientific and investigative techniques to digital evidence
    - Identification, preservation, collection, examination, and analysis of data
    - Digital devices: hard drives, removable drives, optical media, mobile devices, cloud accounts
    - Uses scientifically accepted and validated processes so the evidence can be presented in a court of law
    - Purpose: reconstructing past events
  2. General Forensics - application of scientific methods and techniques in a legally sound manner to investigate a crime
    - The process of collecting, examining, and analyzing physical evidence
    Forensic Importance: Following a sound, repeatable process (documented chain of custody, verified images, validated tools) ensures the integrity of the work, the evidence, and the case.
14
Q

Encryption vs Password Protection

A
  1. Encryption - transforms the data itself so that it is unreadable without the key
    - Needs the key (or the password that unlocks the key) to decrypt; the ciphertext on disk yields nothing to a keyword search
  2. Password Protection - an access control enforced by an application, which may or may not encrypt the data
    - When the application only checks a password and stores the content in the clear (for example Excel's sheet/workbook protection or a Word "password to modify"), the content is still readable by opening the file in a hex editor or by bypassing the check. Like a safe: once you get past the door, the contents are plain.
    Forensic Importance: Determine which case you have. Truly encrypted data needs the key or password (from the subject, key files, memory, or password recovery); "password-protected" but unencrypted data can be read directly and still hits on keyword searches.
15
Q

ESE vs. SQLite Database

A
  1. ESE - Extensible Storage Engine (JET Blue)
    - Microsoft's embedded database engine; the "heart of Active Directory" (ntds.dit)
    - Also backs Exchange mailbox databases, the Windows Search index (Windows.edb), and the IE10+/legacy Edge browser cache WebCacheV*.dat
    - Designed for very large numbers of reads and writes. Uses a write-ahead log: new data goes first to transaction log files (.log) and is cached in memory, and the engine commits the cached changes into the database file when convenient. Expect a lot of recent data to exist only in the logs and the memory cache and not yet in the .edb/.dat file, so collect the log files with the database and note whether it is in a "dirty shutdown" state.
    - Looks like a single file to Windows, but is a collection of fixed-size pages (2, 4, 8, 16, or 32 KB, chosen when the database is created)
    - May contain up to 16 TB of data
  2. SQLite - a self-contained, serverless SQL database library
    - Open source (public domain), widely supported, cross-platform
    - Used by most mobile apps on iOS and Android, and by many desktop apps and browsers (Chrome and Firefox history and cookies, messaging apps)
    - Relational and transactional (every change is a transaction, recorded in a rollback journal or write-ahead log next to the main file)
    - Runs inside the application's own process; small footprint, no installation or server
    - The whole database is contained in a single file (plus a -journal or -wal file while changes are in flight)
    Forensic Importance: With so many applications storing data in SQLite, forensic suites cannot parse every schema, and some artifacts are found only by the examiner querying the database directly. Deleted rows can also linger in the file's free pages and freeblocks until the database is vacuumed (SQLite's secure_delete option is off by default), so the raw file may still hold records the live tables no longer return. "A widely used data storage format that forensic tools can't always analyze."
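The claim that deleted SQLite rows survive in the file deserves a demonstration. The following is an added example (written for this card, not taken from any forensic tool) that creates a small constructed chat database, deletes one message the way an app would, and compares what a SQL query returns with what a raw byte search over the file finds, before and after a VACUUM and with secure_delete on and off. The table name, messages, and file name are invented.

```python
import os
import sqlite3
import tempfile

# Constructed sample chat data; message 2 is the one we hope to recover.
SAMPLE_MESSAGES = [
    (1, "alice", "see you at lunch"),
    (2, "bob", "meet at the warehouse at 9pm, bring the drive"),
    (3, "alice", "ok"),
]
DELETED_ID = 2
NEEDLE = b"meet at the warehouse"


def make_db(path: str, secure_delete: bool) -> None:
    """Create a messages table, then delete one row as an app would."""
    conn = sqlite3.connect(path)
    # secure_delete decides whether freed cell bytes are zeroed on DELETE.
    # Most applications never change it, so deleted content stays in the page.
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    conn.commit()
    conn.close()


def live_rows(path: str) -> int:
    """What a tool that only runs SQL against the database sees."""
    conn = sqlite3.connect(path)
    (n,) = conn.execute("SELECT COUNT(*) FROM messages").fetchone()
    conn.close()
    return n


def raw_file_contains(path: str, needle: bytes) -> bool:
    """What a hex viewer or keyword search over the file sees, bypassing SQL."""
    with open(path, "rb") as f:
        return needle in f.read()


def vacuum(path: str) -> None:
    """VACUUM rebuilds the file from live rows only, discarding freeblocks."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo(secure_delete: bool = False) -> dict:
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "chat.db")
        make_db(db, secure_delete)
        result = {
            "live_rows": live_rows(db),
            "found_after_delete": raw_file_contains(db, NEEDLE),
        }
        vacuum(db)
        result["found_after_vacuum"] = raw_file_contains(db, NEEDLE)
        return result


if __name__ == "__main__":
    print("secure_delete off:", demo(False))
    print("secure_delete on: ", demo(True))
```

Real extractions also need the -wal and -journal files copied alongside the main database, since recent inserts and deletes may exist only there; the same raw search applies to those files.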
16
Q

Event Log vs. USN Journal

A
  1. Event Log - the primary record of OS, application, and security activity (what gets logged depends on the audit policy, so it is not "every" activity)
    - Three main logs (plus many application-specific logs under Applications and Services Logs on Vista and later):
    - Application - events written by installed applications
    - System - events from the OS and drivers (service starts, time changes, shutdowns)
    - Security - logon/logoff activity (event IDs 4624/4625 on Vista and later), privilege use, policy changes, and object access when auditing is enabled
    - May find:
    - A timeline of activity from timestamped entries
    - Failed logon attempts
    - Evidence of intrusion, breaches, and system setting changes
    - Application and system failures
    - Stored as .evtx files under C:\Windows\System32\winevt\Logs on Vista and later (.evt files under System32\config on XP)
  2. USN Journal - Update Sequence Number journal, $UsnJrnl (the records live in its $J data stream)
    - An NTFS feature that, when enabled, keeps a record of every change made to files and directories on the volume
    - Has existed since Windows 2000; enabled by default on the system volume since Vista
    - Stored in the $Extend directory
    - One journal per NTFS volume
    - Each record is identified by a 64-bit Update Sequence Number and holds the USN, a timestamp, the file's name and MFT reference, and reason flags describing the change (create, delete, rename, data overwrite/extend, close)
    - May find:
      - File creations, deletions, and renames (with both the old and the new name)
      - Activity of peer-to-peer and cloud sync clients
      - Files written when email attachments are opened
    Forensic Importance: Both are rich timelines. Event logs show who logged on and what the OS and applications reported; the USN journal shows what happened to files, including files that no longer exist. The journal is circular, so older records are overwritten and may survive only in unallocated space.
17
Q

FAT vs. MFT

A
  1. FAT - File Allocation Table family of file systems (FAT12/16/32 and the related exFAT)
    - Used on flash drives, SD cards, and other removable media; FAT32 is also the standard format for the EFI system partition
    - Holds little metadata per file: 8.3 or long name, attributes, size, starting cluster, and created/modified/accessed dates (accessed is a date only, and all timestamps are local time rather than UTC)
    - Size limitations: FAT32 files cannot exceed 4 GB and volumes are practically limited in size (exFAT removes those limits)
    - The table itself is a chain of cluster numbers recording which clusters each file occupies
  2. MFT - Master File Table, the core of NTFS (the warehouse manager in a warehouse analogy)
    - Stores metadata for every file and directory on the volume, and for NTFS's own system files ($MFT, $Bitmap, $LogFile, $UsnJrnl, ...)
    - Works like a database: every file has a corresponding MFT record
    - Each record is 1024 bytes by default and contains a header, a sequence of attributes, and unused space
    - Records hold, per file:
      - Timestamps in $STANDARD_INFORMATION and $FILE_NAME: created, modified, MFT entry modified, and accessed (stored in UTC)
      - Logical size (actual bytes) and physical size (bytes allocated on disk)
      - Cluster runs (where the data lives) or, for small files, the data itself, resident inside the record
      - Whether the record is in use or has been marked deleted (unallocated)
    Forensic Importance: The file system determines what metadata exists and which tools and techniques apply. FAT gives fewer timestamps in local time; NTFS gives UTC timestamps, journals, alternate data streams, and resident data inside the MFT, all of which can be parsed and cross-checked.
18
Q

File Date vs. Metadata Date

A
  1. File System Dates (file date)
    a. Maintained by the file system (MFT record or FAT directory entry): the date and time a file or folder was created, modified, accessed, and, on NTFS, when its MFT entry changed
    b. A copy, or a move to another volume, gets a new creation date on the destination (the modified date is usually carried over); a move within the same NTFS volume keeps its dates
  2. Metadata Dates (application/embedded)
    a. Information embedded inside the file by the application that created it (Office document properties, EXIF in photos, the PDF info dictionary)
    b. Includes created, last modified, and sometimes last printed or viewed information
    c. "Information about information": data about the file, stored in the file itself
    d. Travels with the file, so it retains the original creation date after the file is copied or emailed
    e. Can be edited by the user or stripped by tools
    f. Also tracks application-specific attributes: author name, company or organization, computer name, total editing time, camera make/model and GPS coordinates for photos
    Forensic Importance: File system dates change when a file is moved or copied; embedded metadata dates usually do not, so the two together indicate whether a file originated on this machine or arrived from elsewhere. Embedded metadata can be altered by hand, so corroborate it with file system dates, journals, and logs when building a timeline.
19
Q

File Extension vs. File Signature

A
  1. File Extension - the characters after the last period in a file's name (.jpg, .docx)
    - Gives a quick indication of the file type
    - Can be changed simply by renaming the file (like switching the labels on the salt and sugar jars)
    - Tells the operating system which program to open the file with
  2. File Signature - a fixed byte sequence at the start (and sometimes the end) of the file's content that identifies its format
    - JPG pictures (FF D8 FF), PNG images (89 50 4E 47 0D 0A 1A 0A), PDF documents (%PDF), ZIP archives and the Office formats built on them such as DOCX (PK 03 04), and many others have identifiable signatures
    - Also called the header or "magic number"
    - Cannot be changed by renaming; changing it requires editing the file's bytes, which usually breaks the file
    Forensic Importance: Renaming changes the extension but not the content, so a file can be made to look like something it is not. Forensic tools run signature analysis to flag mismatches (a JPEG signature inside a file named .dll, for example); the mismatches are themselves of interest because they suggest an attempt to hide the file.
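The signature table is the same thing that drives both the mismatch check on this card and the header/footer carving described on the "Carved File vs. Recovered Deleted File" card, so one added example covers both. It is not code from the original flashcards or from any forensic product; the signature table is a small constructed subset, the maximum lengths are arbitrary, and the "unallocated space" blob is built inline from invented sample files.

```python
# Constructed signature table: header bytes, footer bytes (None if the format has no
# fixed footer), and a maximum carve length used when no footer is found.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82", 20 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3B", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
    "zip": (b"PK\x03\x04", None, 100 * 1024 * 1024),
}
# Extensions that legitimately share a signature with another name.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip"}


def identify(data: bytes):
    """Return the signature type the content starts with, or None if unknown."""
    for kind, (header, _, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed_extension, actual_type) when name and content disagree, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    if actual is None or actual == claimed:
        return None
    return (ext, actual)


def carve(blob: bytes):
    """Scan a blob of unallocated space for headers and cut each file out up to its
    footer, or up to the type's maximum length if it has no footer.
    Returns a list of (type, offset, bytes). A fragmented original yields a truncated
    or contaminated result, which is exactly the carving caveat on the flashcard."""
    found = []
    pos = 0
    while pos < len(blob):
        hits = [(blob.find(h, pos), k) for k, (h, _, _) in SIGNATURES.items()]
        hits = [(i, k) for i, k in hits if i != -1]
        if not hits:
            break
        start, kind = min(hits)                     # earliest header wins
        header, footer, max_len = SIGNATURES[kind]
        limit = min(len(blob), start + max_len)
        end = limit
        if footer:
            f = blob.find(footer, start + len(header), limit)
            if f != -1:
                end = f + len(footer)
        found.append((kind, start, blob[start:end]))
        pos = end
    return found


# Constructed sample files (minimal bodies; only the signatures matter here).
SAMPLE_JPG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 16 + b"jpeg-body" + b"\xFF\xD9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"png-body" + b"IEND\xAE\x42\x60\x82"
SAMPLE_PDF = b"%PDF-1.4\n" + b"pdf-body\n" + b"%%EOF"
# Constructed "unallocated space": filler, then the three files, then more filler.
SAMPLE_UNALLOCATED = (b"\x00" * 40 + SAMPLE_JPG + b"garbage" * 5 + SAMPLE_PNG
                      + b"\x00" * 9 + SAMPLE_PDF + b"\xFF" * 12)


if __name__ == "__main__":
    print(extension_mismatch("notes.txt", SAMPLE_JPG))
    for kind, offset, data in carve(SAMPLE_UNALLOCATED):
        print(kind, offset, len(data))
```

Real carvers validate more than the header (a JPEG's JFIF/Exif markers, a PNG's chunk CRCs, a ZIP's central directory) precisely because a bare signature match on a ZIP with no footer, as above, would otherwise swallow everything up to the maximum length.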
20
Q

File Path vs. File Name

A
  1. File Path - the location of a file: the drive and the chain of folders you follow to reach it (like a card catalog entry in a library)
  2. File Name - the title the file was saved under (the name of the book)
    Forensic Importance: File names can be searched for and compared against known lists. The path shows where the file was located, including which user's profile it sat in (C:\Users\<name>\...), which is often the basis for att­ributing it to an account. You also need to explain the location clearly to a case agent or a jury.
21
Q

Formatting vs. Partitioning

A
  1. Formatting - creates a file system on a partition (a volume)
    - Lays the file system's structures on the partition: boot sector, allocation tables or MFT, root directory
    - Sets up the directory structure and makes the space usable
    - A quick format writes only these structures and leaves old file content in place; a full format on Vista and later also zeroes every sector
  2. Partitioning - defines boundaries on a disk
    - Divides the storage area into one or more partitions, each of which is then formatted
    - The layout is recorded in the MBR (up to four primary partitions, or three primary and one extended partition holding logical partitions) or in the GPT (128 entries by default, with no extended/logical distinction)
    Forensic Importance: Forensically prepared media must be partitioned and formatted before it can receive an image. In an exam, account for every partition and for the gaps between them: unpartitioned space can hide data or hold remnants of earlier partitions. Conversely, formatting can destroy evidence: a quick format leaves most data recoverable, a full format on modern Windows does not.
22
Q

Formatting vs. Wiping a Drive

A
  1. Formatting - the process by which a piece of storage is structured to accept data
    - Lays a file system on a partition
    - Creates the volume boot record, sets up the root directory structure, records the number of sectors, and groups sectors into clusters
    - A quick format leaves the old contents of the data area in place
  2. Wiping a Drive - writes a known pattern (usually zeros) to every addressable sector on the drive
    - Leaves no file system behind
    - A wiped drive must be formatted before it can be used
    - Analogy: emptying every drawer of a file cabinet, as opposed to formatting, which only replaces the drawer labels
    - Caveat: on SSDs and on drives with an HPA/DCO, "every addressable sector" may not be every sector, so verify the wipe by reading the drive back and confirming it is all zeros

Forensic Importance: Policy dictates that target media be forensically prepared, that is, ready to receive a forensic image for processing with no chance of cross-contamination from a previous case. The target drive is wiped, verified, and then formatted.

23
Q

Free/Unallocated Space vs. Slack Space

A
  1. Free/Unallocated Space - space within a formatted partition that no allocated file currently occupies
    - Not holding a valid, allocated file
    - May contain remnants of, or entire, deleted files
    - Available to be written to by the OS at any time
    - Analogy: empty drawers in the file cabinet that may still hold papers left behind
  2. Slack Space - the unused area between the end of a file's logical data and the end of the last cluster allocated to it (the VHS analogy: recording a 20-minute show over a 2-hour tape leaves the old recording after the 20-minute mark)
    - Two types: RAM slack (from the end of the data to the end of that sector; on Windows 95/98 it was filled with whatever was in memory, on modern systems it is zeroed) and file slack (the remaining whole sectors of the cluster, which are not written at all and keep whatever the previous occupant left there)
    - Ignored by the operating system and by a logical copy
    - May contain residual content from a file that no longer exists
    Forensic Importance: Deleted and residual data can survive in both unallocated space and slack space, but only a physical (bit-for-bit) image captures them; a logical copy captures neither.
24
Q

GIF v. JPG v. PNG

A
  1. GIF - Graphics Interchange Format
    - 256-colour palette, lossless, supports simple animation; primarily used for banners, advertisements, and short animations on websites
  2. JPG - Joint Photographic Experts Group
    - Picture format for photographs on the Internet and from cameras; lossy compression trades a little quality for much smaller files (each re-save degrades the image further)
    - Usually carries EXIF metadata from the camera or phone
  3. PNG - Portable Network Graphics
    - Supports lossless compression (the original image is reconstructed exactly from the compressed data) and transparency
    - Created as a patent-free replacement for GIF
    - Default format for screenshots on most systems
    Forensic Importance: All are common ways pictures are stored. Each has a distinct signature to carve for (GIF8, FF D8 FF, 89 PNG), and a JPEG's EXIF block can carry the device model, timestamp, and GPS position.
25
Q

Hardware v. Software Write Protection

A
  1. Hardware Write Protection
    a. All digital media evidence must be write protected whenever possible
    b. Hardware write blocking is the preferred method
    c. Connect the evidence media to the write blocker before powering the blocker and host on
    d. A write blocker sits between the media and the computer and physically intercepts write commands, so nothing the host does can reach the evidence
  2. Software Write Protection
    a. The same requirement: protect the evidence whenever possible
    b. Initiate it during the boot process (forensic boot media do this by default)
    c. If it was not initiated at boot, enable it before attaching the media
    d. Some media (optical discs) are effectively read-only by nature
    e. Uses code within the forensic computer (registry settings, kernel drivers) to tell the system to read from, but never write to, the device
    f. Use only when hardware write blocking is not available, and verify that it works (hash a test drive before and after connecting it), because it depends on the OS honouring the setting

Forensic Importance: A critical procedure that ensures the integrity of the original media. Attaching media without protection lets the OS write to it (updating last-access times, creating System Volume Information, Recycle Bin, or indexer files) and changes its hash.

26
Q

Indexed Search v. Live/GREP Search

A
  1. Indexed Search - the tool builds a catalog of every word found on the media during pre-processing
    - Indexing takes time up front, but each search against the index returns instantly
    - The index is interpreted: it holds only the tokens the indexer chose to keep, so very short words, noise words, and text in encodings the indexer did not decode are missing from the results
  2. Live Search - the tool reads the media and looks for exactly the term the examiner typed
    - Slower, because every search scans the data again rather than consulting an index
    - Terms can be entered as ASCII, Unicode (UTF-16LE), hex, or GREP regular expressions, so patterns (credit card numbers, e-mail addresses) and short or unusual strings can be found
    Forensic Importance: A live search takes longer but finds exactly what you ask for, including in slack and unallocated space. An indexed search is fast but may miss relevant data because of how the text was tokenized, and it will not find a Unicode string the indexer never decoded. When an indexed search comes up empty, confirm with a live search before concluding that the term is absent.
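To make the difference concrete for both this card and the "ASCII vs. UNICODE" card, the following added example (not from the original deck or from AD Lab) runs a live search in ASCII and UTF-16LE, a GREP-style pattern search, and a crude word index over one constructed slice of "unallocated space" that mixes an ASCII e-mail fragment with a UTF-16LE Windows path. The data, regexes, and the indexer's three-character minimum are all assumptions made for the demonstration.

```python
import re

# Constructed slice of unallocated space: ASCII text, a UTF-16LE Windows string,
# and a card-number-looking string, separated by filler bytes.
SAMPLE_DATA = (b"\x00" * 8
               + b"Contact: j.doe@example.com re: shipment"
               + b"\x00" * 5
               + "C:\\Users\\jdoe\\Documents\\shipment.xlsx".encode("utf-16-le")
               + b"\xff" * 6
               + b"card 4111 1111 1111 1111 exp 09/26"
               + b"\x00" * 8)

# GREP-style patterns an examiner might type into a live search.
EMAIL_RE = rb"[\w.+-]+@[\w-]+\.[\w.]+"
CARD_RE = rb"\b(?:\d{4}[ -]?){3}\d{4}\b"


def encodings_of(term: str) -> dict:
    """The byte patterns a live search generates for one term."""
    return {"ascii": term.encode("latin-1"), "utf16le": term.encode("utf-16-le")}


def live_search(data: bytes, term: str):
    """Every occurrence of term in either encoding, as (offset, encoding)."""
    hits = []
    for enc, pattern in encodings_of(term).items():
        for m in re.finditer(re.escape(pattern), data, flags=re.IGNORECASE):
            hits.append((m.start(), enc))
    return sorted(hits)


def grep_search(data: bytes, regex: bytes):
    """Pattern search over the raw bytes, as (offset, matched bytes)."""
    return [(m.start(), m.group()) for m in re.finditer(regex, data)]


def build_index(data: bytes, min_len: int = 3) -> set:
    """Crude index in the style of a processing engine: tokenize the ASCII
    interpretation of the bytes and drop short tokens. UTF-16LE text falls apart
    into single letters separated by NULs and never makes it into the index."""
    words = re.findall(rb"[A-Za-z0-9]+", data)
    return {w.lower() for w in words if len(w) >= min_len}


def indexed_search(index: set, term: str) -> bool:
    return term.lower().encode("latin-1") in index


if __name__ == "__main__":
    idx = build_index(SAMPLE_DATA)
    for term in ("shipment", "jdoe", "re"):
        print(term, "live:", live_search(SAMPLE_DATA, term), "indexed:", indexed_search(idx, term))
    print(grep_search(SAMPLE_DATA, EMAIL_RE), grep_search(SAMPLE_DATA, CARD_RE))
```

"shipment" is found twice by the live search (once in each encoding) and once by the index; "jdoe" exists only inside the UTF-16LE path, so the live search finds it and the index does not; the two-letter "re" is below the indexer's minimum and only a live search sees it.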
27
Q

Internet Cache vs. Internet History

A
  1. Internet Cache - copies of the components the browser downloaded for each page (HTML, images, scripts, stylesheets)
    - Modern browsers track it in a database or index (WebCacheV01.dat for Internet Explorer and legacy Edge, Chrome's cache index and data_ files) alongside the cached content
    - Used to rebuild a page quickly and reduce server load
    - The cache has the content itself
  2. Internet History - catalog of the websites a user visited
    - Most browsers record history (URL, title, visit time, visit count) so the user can recall and revisit sites; Chrome and Firefox keep it in SQLite databases (History, places.sqlite)
    Forensic Importance: The cache contains files (images, documents) that can be carved, rebuilt, and viewed, showing what was actually displayed. History shows which sites were visited and when, though the timestamps must be interpreted in the right format and time zone. Both can be cleared by the user, and private/incognito browsing writes neither to disk, so their absence is not proof of non-use.
28
Q

iOS vs. macOS

A
  1. iOS - operating system on Apple mobile devices
    - iPhone, iPad (iPadOS since version 13), iPod touch
  2. macOS - operating system that runs on Apple's Macintosh computers
    Forensic Importance: Recognize which operating system the subject is using; it determines how the device is imaged or extracted (mobile extraction tools for iOS versus disk imaging, with FileVault and Apple silicon considerations, for macOS) and how the resulting data (APFS, plists, SQLite databases, keychain) is processed and analyzed.
29
Q

Jump Lists vs. LNK Files

A
  1. Jump Lists - Windows 7+ taskbar and Start menu feature
    - Lists recently and frequently opened files and tasks per application (the menu shows about ten entries; the underlying files keep more)
    - Includes recent documents, media files, and pinned items
    - Created automatically by Windows, but can be turned off by the user
    - Two variations are created in the user's profile:
    - AutomaticDestinations-ms - created by the OS for applications that use the Recent Items API; an OLE compound file whose DestList stream records the order of accesses and the access count per entry (the MRU/MFU list), with each numbered stream holding an embedded LNK structure
    - CustomDestinations-ms - created by the application itself (web browsers, Windows Media Player, etc.) with entries of its choosing, such as a browser's frequently visited sites
    - Stored in C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and ...\CustomDestinations, named by an AppID hash that identifies the application
  2. LNK Files - shortcuts that let users launch programs, open specific files or folders, or connect to other computers or websites
    - Point to a target located elsewhere on the PC, a USB drive, or a network share
    - Some are user-created (desktop shortcuts); most are generated by Windows whenever a file is opened
    - Stored in the user's Recent folder (C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent)
    - .url files are the equivalent for web pages
    - Contain the target's original path, the target's created/modified/accessed timestamps, its size, the volume serial number and drive type it lived on, and often the NetBIOS name and MAC address of the machine where the link was made
    Forensic Importance: Both prove that a particular file was opened under a particular user account, with the created, modified, and accessed dates and times of the target and the device it lived on. LNK files and jump list entries persist after the target file is deleted or the USB drive is removed, so they can show that a file existed even when it is gone.
30
Q

Legacy BIOS vs. UEFI Booting

A
  1. Legacy BIOS - Basic Input Output System
    - Firmware that initializes the hardware and lets the motherboard communicate with the keyboard, mouse, monitor, and disks before an operating system loads
    - Stored in a non-volatile ROM/flash chip on the motherboard
    - Controls the power-on self test (POST) and the boot process
    - Two most important settings for an examiner: 1. Boot Order; 2. Date/Time
    - Found on older computers
  2. UEFI - Unified Extensible Firmware Interface
    - Newer firmware that replaces the BIOS on modern computers
    - Provides the same functions (boot order, date/time settings) through a richer interface
    - Supports GPT disks larger than 2 TB and Secure Boot, which may refuse to boot unsigned forensic boot media until it is disabled
    - Many systems offer a legacy/CSM mode so older operating systems and boot tools can still run
    Forensic Importance: Enter the BIOS/UEFI settings to record the system date and time and, if you must boot the machine from forensic media, to change the boot order. The system clock is the reference for every timestamp on the machine, so note any offset from actual time before building a timeline.
31
Q

Logical Copy vs. Physical Image

A
  1. Logical Copy
    a. Copy of files and folders as the native operating system presents them
    b. Can be made with ordinary copy tools or with a forensic tool in logical mode (FTK Imager's logical image produces an AD1 container)
    c. Loses file slack, unallocated space, and deleted files
    d. Most often used on a running machine with full-disk encryption, where the data is readable only while it is powered on and unlocked
  2. Physical Image
    a. Captures all data on the disk
    i. Includes the file system structures and every partition
    ii. Includes slack space and unallocated space
    b. Bit-for-bit copy, from sector 0 to the last sector

Forensic Importance: A logical copy is made when you encounter a running machine that may be encrypted: it captures the readable data before the machine is powered off and the disk becomes inaccessible. A physical image is the normal acquisition in digital forensics. Every image is verified by hashing (MD5 and usually SHA-1 as well) against the source so its integrity can be shown. Both kinds are examined as copies so the original evidence is never altered.

32
Q

Logical Drive vs. Physical Drive

A
  1. Logical Drive - a partition or volume: an area on the physical drive that has been formatted to store data
    - May contain clusters not currently assigned to any file (unallocated space)
    - A virtual division of the physical disk
    - Used to organize the storage on one physical disk (C:, D:, ...)
  2. Physical Drive - the actual drive itself and all of its sectors, from 0 to the last
    - The storage device that holds the digital information
    - Can be internal or external
    - Divided into one or more logical drives
    Forensic Importance: In most cases, image the physical drive. That image includes everything outside any logical drive: the partition table, the gaps between partitions, and unpartitioned space at the end of the disk. An image of a logical drive includes that volume's unallocated space but not the unpartitioned areas of the disk.
33
Q

MAC address vs. IP address

A
  1. MAC address - Media Access Control address
    - Unique identifier of a network interface, assigned by the manufacturer and burned into the hardware
    - The "physical" address, used on the local network segment only (it does not travel past the router)
    - 48 bits, written as six hex pairs (e.g. 00:1A:2B:3C:4D:5E); the first three pairs are the manufacturer's OUI
    - Analogy: the VIN of a car
  2. IP Address - Internet Protocol address
    - Logical address of a device on a network that uses TCP/IP
    - Static or dynamic; public or private (RFC 1918 ranges such as 192.168.x.x are private)
    - IPv4 or IPv6
    - Analogy: a phone number

Forensic Importance: Both can show that a device connected to a network: MAC addresses appear in DHCP leases, router and switch tables, and Wi-Fi association logs, and IP addresses appear in server and application logs. Networks can also block devices by MAC. Caveat: a MAC can be changed in software, and modern iOS and Android devices use randomized per-network Wi-Fi MACs by default (Windows can too); a locally administered address has 2, 6, A, or E as the second hex digit of the first pair. So a MAC in a log does not always identify a physical device the way a VIN does.

34
Q

MD5 Hash vs. SHA1 Hash

A

A one-way hash function takes an input of any size and produces a fixed-size output; the same input always gives the same hash, and any change to the input changes the hash. Every image must be hashed. MD5 has long been the accepted standard in law enforcement labs, including the FBI, and tools now commonly record SHA-1 or SHA-256 alongside it.

1. MD5 - Message Digest 5
	- Produces a 128-bit value (32 hex characters) that is, in practice, unique to a particular file
	- Faster than SHA-1
	- A cryptographic hash that is now broken: collisions (two different inputs with the same MD5) can be constructed deliberately, so on its own it should not be relied on to prove a file was not tampered with by a capable adversary; it remains adequate for detecting accidental corruption and, alongside a second hash, for image verification

2. SHA-1 - Secure Hash Algorithm 1
	- Produces a 160-bit value (40 hex characters)
	- Designed by the NSA and published by NIST
	- Slower than MD5; it also has a practical collision attack (SHAttered, 2017), which is why labs increasingly add SHA-256

Forensic Importance: Courts have accepted forensic images because matching hash values show the image is identical to the original evidence. Record both MD5 and SHA-1 (or SHA-256) at acquisition and re-verify before analysis; two independent hashes make a constructed collision impractical and demonstrate integrity to a jury.
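Hashing and the E01 format's per-block CRCs (from the "DD vs. E01 Image" card) are two layers of the same integrity check, so one added example covers both. It is written for these cards and is not code from EnCase, FTK Imager, or the original deck; the 1 MiB "disk", the 64-sector chunk size (the E01 default), and the corruption are all constructed for the demonstration.

```python
import hashlib
import zlib

SECTOR = 512
CHUNK_SECTORS = 64                  # E01 default: one CRC per 64 sectors
CHUNK = SECTOR * CHUNK_SECTORS


def hash_both(data: bytes) -> tuple:
    """MD5 and SHA-1 hex digests of a buffer, as recorded in an acquisition log."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def acquisition_record(image: bytes) -> dict:
    """What the imager records at acquisition: whole-image MD5 and SHA-1 (a dd log
    or the E01 header) plus a CRC32 per data chunk (stored after each chunk in an
    E01). Hashing is streamed chunk by chunk so the same code scales to real images."""
    md5, sha1, crcs = hashlib.md5(), hashlib.sha1(), []
    for off in range(0, len(image), CHUNK):
        block = image[off:off + CHUNK]
        md5.update(block)
        sha1.update(block)
        crcs.append(zlib.crc32(block) & 0xFFFFFFFF)
    return {"size": len(image), "md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "crcs": crcs}


def verify_image(image: bytes, record: dict) -> dict:
    """Re-verify an image against its acquisition record. The hashes answer
    'is it intact?'; the per-chunk CRCs answer 'if not, where is the damage?'."""
    now = acquisition_record(image)
    bad_chunks = [i for i, (a, b) in enumerate(zip(now["crcs"], record["crcs"])) if a != b]
    if now["size"] != record["size"]:
        bad_chunks.append("size mismatch")
    return {
        "md5_ok": now["md5"] == record["md5"],
        "sha1_ok": now["sha1"] == record["sha1"],
        "bad_chunks": bad_chunks,
    }


def sample_image() -> bytes:
    """Constructed 1 MiB 'disk': a boot-sector-like first sector, zero filler,
    and a text fragment in sector 100."""
    data = bytearray(2048 * SECTOR)
    data[0:2] = b"\xEB\x52"                       # looks like an NTFS jump instruction
    data[510:512] = b"\x55\xAA"                   # boot sector signature
    data[100 * SECTOR:100 * SECTOR + 11] = b"hello world"
    return bytes(data)


def corrupt(image: bytes, offset: int) -> bytes:
    """Flip one bit, as a bad sector or a careless write would."""
    data = bytearray(image)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    img = sample_image()
    rec = acquisition_record(img)
    print("clean:", verify_image(img, rec))
    print("one bit flipped in sector 100:", verify_image(corrupt(img, 100 * SECTOR), rec))
    print("truncated by one sector:", verify_image(img[:-SECTOR], rec))
```

A single flipped bit fails both hashes, which is all a raw image's log can tell you; the chunk CRCs additionally point at chunk 1 (sectors 64 to 127), so you know that the boot sector and everything else is still good and exactly which region to re-acquire.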
35
Q

Mechanical Hard Drive vs. SSD

A
  1. Mechanical Hard Drive (HDD)
    - Data stored magnetically on spinning platters
    - Has moving parts, including an actuator arm that positions the read/write heads
    - Data is addressed in tracks and sectors, grouped into clusters by the file system
  2. SSD - Solid State Drive
    - No moving parts
    - Uses NAND flash memory
    - Data stored in pages grouped into blocks; a block must be erased before its pages can be rewritten
    - Generally faster, lighter, and more energy efficient

Forensic Importance: Mechanical failures are more likely on an HDD, so handle it gently; SSDs are a good choice as target media for on-scene imaging because of their portability and speed. SSD internals matter for evidence: TRIM lets the OS tell the drive which blocks are no longer in use, and the drive's own garbage collection can erase them without any further command, even while the drive is behind a write blocker, so deleted data may be unrecoverable and two images of the same SSD taken at different times may not hash the same. Document the acquisition time and hashes, and do not expect a later re-image to match. Analogy: mechanical = copying notes by hand; SSD = using a Xerox to copy.

36
Q

Mobile: Android vs. iOS

A
  1. Android
    a. Mobile OS developed by Google
    b. Open source core (AOSP), with vendor customizations on top
    c. Based on the Linux kernel, highly customizable
    d. Most widely used mobile OS (Google reported over 2.5 billion active devices in 2019)
    e. More exposed to malware, largely because apps can be installed from outside the official store
    f. File systems: ext4 or F2FS for internal storage (ext3 on older devices), exFAT/FAT32 on SD cards; file-based encryption on modern versions
    g. Apps: Google Play Store and sideloading (APK files)
  2. iOS
    a. Apple mobile devices only
    b. Newer versions require specialized tools (GrayKey, Cellebrite) and often an exploit to get beyond a logical/backup extraction
    c. Full file system encryption tied to the hardware and the passcode
    d. Second most widely installed mobile OS
    e. Proprietary
    f. File system: APFS (HFS+ before iOS 10.3)
    g. Apps: Apple App Store only (absent jailbreaking or enterprise profiles)

Forensic Importance: The newer the OS version, the harder it is to get into the device, so obtain the passcode, pattern, PIN, or biometric from the subject whenever possible, and keep the device powered on: it stays in the weaker "after first unlock" state until it reboots. Android comes in many versions from many vendors, updates are not forced, and the malware exposure is higher, so check what is actually installed rather than assuming.

37
Q

Mobile: Bluetooth vs. WiFi

A

Bluetooth and Wi-Fi are different standards for wireless connections.

  1. Bluetooth - connects devices to each other over short range for sharing data
    a. Device-to-device (phone to headset, car, smartwatch, keyboard)
    b. Limited number of simultaneous connections
    c. Short range (roughly 30 ft / 10 m for typical Class 2 devices)
    d. Often used to pair mobile devices with accessories; pairing keys are stored on the device
  2. Wi-Fi - connects a device to a local network and, through it, the Internet at high speed
    a. Device to access point/router
    b. Radio broadcast with a much longer range than Bluetooth
    c. Traffic is encrypted with WPA2/WPA3 on a properly configured network; either technology can be misconfigured, so "more secure" depends on the setup
    d. 2.4 GHz and 5 GHz bands (6 GHz with Wi-Fi 6E)

Forensic Importance: A device keeps records of what it paired or connected with. Bluetooth pairing records identify accessories and other phones, and saved Wi-Fi profiles hold SSIDs (and BSSIDs, the access points' MAC addresses) with connection times. Because access point locations are mapped in geolocation databases, the list of networks a device joined can corroborate where the device has been.

38
Q

Mobile: CDMA vs. GSM vs. LTE

A

1. CDMA - Code Division Multiple Access
	- US carriers historically: Verizon, Sprint, US Cellular (and Cricket before its acquisition by AT&T)
	- Subscriber information is held on the device and in the provider's network; no SIM was required for 2G/3G CDMA
	- Every call is spread across the entire channel with a unique code, so all calls are transmitted at once and separated by code rather than by time slot
	- The CDMA equivalent of an IMEI is the MEID (Mobile Equipment Identifier), and before that the ESN
	- US CDMA networks were shut down in 2022, but seized older devices still carry these identifiers
2. GSM - Global System for Mobile Communications
	- Designed in Europe (Ericsson and Nokia were major contributors); dominant worldwide. US carriers: AT&T, T-Mobile, Metro by T-Mobile
	- The subscriber identity (IMSI) is stored on a removable SIM card; the handset has its own IMEI, so the same SIM can be moved between handsets
	- Uses Time Division Multiple Access: voice is digitized and each call is assigned a time slot on a frequency (calls take turns)
3. LTE - Long Term Evolution
	- Uses Orthogonal Frequency Division Multiplexing on the air interface
	- Requires a USIM, so even the former CDMA carriers (Verizon, Sprint) used SIM cards for LTE
	- Originally used mainly for data, with voice falling back to CDMA or GSM; voice over LTE (VoLTE) now carries calls on most networks
	- Marketed as "4G LTE" before it met the full 4G (LTE-Advanced) specification, so early "4G LTE" was better than 3G but short of true 4G

Forensic Importance: Each technology identifies a device and subscriber differently (MEID/ESN versus IMEI plus the IMSI on the SIM), and the records a carrier can produce (call detail records, cell site data) differ accordingly. Profiling the device and network correctly helps in choosing the extraction method and in requesting the right records.
39
Q

Mobile: Chat vs. SMS/MMS

A
  1. Chat
    a. Communication over internet
    b. Real time
    c. “Messaging” requires an app (3rd party)
    d. Usually used with customer support
  2. SMS/MMS
    a. Short Messaging Service
    i. Sends only text characters
    ii. 160 character limit
    b. Multimedia Messaging Service
    i. Extension of SMS protocol
    ii. Can send photos, images, gifs, etc
    c. Require cellular network connection
    d. Native to the operating system
    e. Data stored on device or in the cloud

Forensic Importance: Communication between two individuals can exist natively on a mobile device, or within an application (like Facebook Messenger).

40
Q

Mobile: File System vs. Logical vs. Physical Extraction

A
  1. File System
    - Gets more information than a logical extraction
    - Useful for obtaining file structure
    - Extracts all files present, including:
      - Database files
      - System files
      - System logs
      - 3rd party applications
    - Can see deleted files (not their content, only that a file was deleted)
    - Can get part of the user data partition
    - No deleted file content
    - Android or iOS
  2. Logical - Quickest and most widely supported
    - Most limited
    - Forensic tools use the Application Programming Interface (API) for syncing and data backup
    - Won't get deleted items or unallocated space
    - Most third party apps are not supported in a logical extraction
    - Very specific (such as pictures)
  3. Physical
    - Most extensive data acquisition
    - Least supported
    - Gets everything in storage - same concept as physical imaging of a hard drive
    - Bit for bit copy of entire flash memory
    - Acquires active files, hidden files, and system files
    - No live memory
    - Full disk encryption
    - Android devices only
    - Being phased out

Forensic Importance: Know what type of extraction to use depending on the case needs and time.

41
Q

Mobile: IMEI vs. IMSI

A
  1. IMEI - International Mobile Equipment Identity
    - 15 or 16 digit unique number identifying a device on a GSM network
    - Serial number for the device - stays with it
    - GSM networks can use the IMEI to block the device from the network if stolen
  2. IMSI - International Mobile Subscriber Identity
    - 15 digit number
    - Identifies the subscriber (user) to the GSM network
    - Regardless of the device used
    - NOT the serial number for the SIM
    - First 3 digits: country code
    - Next 3 digits: service provider

Forensic Importance: IMSI and IMEI can both be used to identify a device, and/or determine if a device has connected to a network.

42
Q

Mobile MicroSD Card vs. SIM card

A
  1. MicroSD Card (secure digital)
    a. Used in mobile devices
    b. Stores data
    c. Smallest memory card (physically)
    d. 64 MB to 128 / 256 GB
  2. SIM Card
    a. Subscriber Identification Module
    b. Stores IMSI - unique to the subscriber
    c. Used to identify and authenticate subscribers
    d. May store contact information
    e. GSM phones

Forensic Importance: Data can be retrieved from a MicroSD card. A SIM card can identify a subscriber.

43
Q

Non-volatile vs. Volatile memory

A
  1. Volatile - Data in RAM
    - exists only as long as power is supplied
  2. Non-volatile - data saved on hard drive, SD card, USB
    - exists even after power has been removed

Forensic Importance: If an examiner comes upon a running machine, then volatile memory can still be captured. Don't pull the plug. Can find passwords and program data from currently running programs. Analogy: grocery list written down vs. in your head.

44
Q

P2P vs. Torrent File Sharing

A

1. P2P - Peer to Peer

	- file sharing over the internet
	- No centralized server containing the entire file
	- Users have listings of which other users are hosting
	- Utilizes swarming downloads
2. Torrent File Sharing
	- files being hosted are called torrents
	- .torrent
	- Fast
	- A method of distributing files over the BitTorrent protocol to facilitate P2P
	- Expensive server equipment isn't necessary; low-bandwidth (slow) networks can just as easily download large sets of data
	- Works through a special file that uses the .TORRENT file extension; requires BitTorrent software
	- Computers in a BitTorrent "swarm" (a group of computers downloading and uploading the same torrent) transfer data between each other without the need for a central server
	- Within the file are directions for how to share specific data with other people
	- Can be accessed from more than one server at once. Anyone downloading the torrent gets it in bits and pieces from the other servers. The other servers are really other home PCs.

Forensic Importance: Torrent protocols are often used in the distribution of child pornography. If a case agent knows that a subject was utilizing a P2P program or application, the forensic exam can confirm that the program existed on a device.

Analogy: P2P like trading cards. Torrent -.

45
Q

Page File vs. RAM

A
  1. Page File - reserved portion of a hard disk
    - used as an extension of RAM
    - AKA swap file
    - Temporary data storage if RAM becomes too busy
    - Found at the root of C:
  2. RAM - Random Access Memory
    - Temporary storage for applications to read and write data on a short-term basis

Forensic Importance: RAM capture can obtain immediate data on scene. The page file can help determine if certain applications or programs are being run. Analogy: meal prep and cutting board.

46
Q

Physical Machine vs. Virtual Machine

A
  1. Physical machine
    - Computer tower, laptop, etc.
    - Actual computer with storage space
  2. Virtual machine
    - a computer that runs within another computer
    - runs in that computer's RAM

Forensic Importance: A VM can contain evidence, just as a physical machine can. It can be processed like a physical machine.

47
Q

pLists vs. Registry

A

1. pLists - property lists

	- file on a Mac
	- Contains user settings and metadata
2. Registry 
	- Specific to Windows
	- Specifies how the computer operates and interacts with software
	- Five parts:
		1. System
		2. SAM
		3. Software
		4. Security
		5. NTUser
	- Tracks user activity, software history, externally attached devices

Forensic Importance: Both contain artifacts that can help determine if an action occurred.

48
Q

RAID vs. Single Drive

A
  1. RAID - Redundant Array of Independent Disks
    - 2 or more hard drives
    - Used to increase size, speed, or redundancy. Multiple physical or software disks that the computer thinks are one.
    - RAID 0 - striping, 2 drive minimum, tolerates no failures
    - RAID 1 - mirroring
    - RAID 5 - striping with parity; requires 3 hard drives; tolerates 1 failure; usable space is the number of drives minus one
    - RAID 10 - striped and mirrored, 4 drive minimum, can lose one
  2. Single Drive - all data is contained in one location
    - Can be partitioned as a RAID in Disk Management
    - Limited by the size and speed of that particular disk

Forensic Importance: Know how data is stored in order to image a device.

49
Q

Wired vs. Wireless Network Connection

A
  1. Wired – “a wired network uses cables to connect devices, such as laptop or desktop computers, to the Internet or another network.”
    a. Most use Ethernet cables
    b. Other types: dial-up, DSL, cable, fiber optic
    c. Connect computers to routers
    d. Generally faster than wireless
    e. Less interference
    f. More secure
  2. Wireless
    a. Uses radio waves to connect
    b. Access point is needed
    c. More mobility
    d. Some devices can only connect wirelessly

Forensic Importance: Windows artifacts can tell you if a subject was connected to the internet and whether or not it was wireless.