"What you need to know for the C840" Flashcards

1
Q

is the process of acquiring and analyzing information stored on physical storage
media, such as computer hard drives, smartphones, GPS systems, and removable media. Disk
forensics includes both the recovery of hidden and deleted information and the process of
identifying who created a file or message.

A

Disk Forensics

2
Q

is the study of the source and content of email as evidence. Email forensics
includes the process of identifying the sender, recipient, date, time, and origination location of
an email message. You can use email forensics to identify harassment, discrimination, or
unauthorized activities. There is also a body of laws that deal with retention and storage of
emails that are specific to certain fields, such as financial and medical.

A

Email Forensics

3
Q

is the process of examining network traffic, including transaction logs and
real-time monitoring using sniffers and tracing.

A

Network Forensics

4
Q

is the process of piecing together where and when a user has been on the
internet. For example, you can use internet forensics to determine whether inappropriate
internet content access and downloading were accidental.

A

Internet Forensics

5
Q

also known as malware forensics, is the process of examining malicious
computer code.

A

Software Forensics

6
Q

is the process of searching memory in real time, typically for working
with compromised hosts or to identify system abuse. Each of these types of forensic analysis
requires specialized skills and training.

A

Live System Forensics

7
Q

is the process of searching the contents of cell phones. A few years ago,
this was just not a big issue, but with the ubiquitous nature of cell phones today, cell-phone
forensics is a very important topic. A cell phone can be a treasure trove of evidence. Modern
cell phones are essentially computers with processors, memory, even hard drives and operating
systems, and they operate on networks. Phone forensics also includes VoIP and traditional
phones and may overlap the Foreign Intelligence Surveillance Act of 1978 (FISA), the USA
PATRIOT Act, and the Communications Assistance for Law Enforcement Act (CALEA) in the
United States.

A

Cell-Phone Forensics

8
Q

___________ establishes a code of information-handling practices that governs the
collection, maintenance, use, and dissemination of information about individuals that is
maintained in systems of records by U.S. federal agencies. A system of records is a group of
records under the control of an agency from which information is retrieved by the name of the
individual or by some identifier assigned to the individual.

A

The Federal Privacy Act of 1974

9
Q

________ protects journalists from being required to turn over to
law enforcement any work product and documentary materials, including sources, before it is
disseminated to the public. Journalists who most need the protection of the PPA are those who
are working on stories that are highly controversial or that describe criminal acts, because the
information gathered may also be useful to law enforcement.

A

The Privacy Protection Act of 1980

10
Q

A federal wiretap law for
traditional wired telephony. It was expanded in 2004 to include wireless, voice over packets, and
other forms of electronic communications, including signaling traffic and metadata.

A

The Communications Assistance to Law Enforcement Act of 1994 (CALEA)

11
Q

governs the privacy and disclosure,
access, and interception of content and traffic data related to electronic communications.

A

The Electronic Communications Privacy Act of 1986

12
Q

passed to improve the security and privacy of sensitive
information in federal computer systems. The law requires the establishment of minimum
acceptable security practices, creation of computer security plans, and training of system users
or owners of facilities that house sensitive information.

A

The Computer Security Act of 1987 (CSA)

13
Q

is a law that allows for collection of
“foreign intelligence information” between foreign powers and agents of foreign powers using
physical and electronic surveillance. A warrant is issued by the FISA court for actions under
FISA.

A

The Foreign Intelligence Surveillance Act of 1978

14
Q

requires service providers
that become aware of the storage or transmission of child pornography to report it to law
enforcement.

A

The Child Protection and Sexual Predator Punishment Act of 1998

15
Q

protects children 13 years of age and under from the collection and use of their personal information by websites. It is noteworthy
that COPPA replaces the Child Online Protection Act of 1988 (COPA), which was determined to
be unconstitutional.
The Communications

A

The Children’s Online Privacy Protection Act of 1998 (COPPA)

16
Q

designed to protect persons 18 years of age
and under from downloading or viewing material considered indecent. This act has been subject
to court cases that subsequently changed some definitions and penalties.

A

The Communications Decency Act of 1996

17
Q

Includes many provisions relative to the privacy and
disclosure of information in motion through and across telephony and computer networks.

A

The Telecommunications Act of 1996

18
Q

allows for collection and use of
“empty” communications, which means nonverbal and nontext communications, such as GPS
information.

A

The Wireless Communications and Public Safety Act of 1999

19
Q

primary law under which a wide variety of internet and
communications information content and metadata is currently collected. Provisions exist within
the PATRIOT Act to protect the identity and privacy of U.S. citizens.

A

The USA PATRIOT Act

20
Q

contains many provisions about recordkeeping and destruction
of electronic records relating to the management and operation of publicly held companies.

A

The Sarbanes-Oxley Act of 2002

21
Q

This is one of the most widely used laws in hacking cases. It covers a wide range of crimes
involving illicit access of any computer.

A

18 USC 1030 Fraud and Related Activity in Connection with Computers

22
Q

This is closely related to 1030 but covers access devices (such as routers).

A

18 USC 1020 Fraud and Related Activity in Connection with Access Devices

23
Q

This controversial law was enacted in 1998. It makes it a crime to publish methods or techniques to circumvent copyright protection. It is controversial because it has been used against legitimate researchers publishing research papers.

A

The Digital Millennium Copyright Act (DMCA)

24
Q

As the name suggests, this law targets any crime related to identity theft. It is often applied in
stolen credit card cases.

A

18 USC § 1028A Identity Theft and Aggravated Identity Theft

25
Q

This law covers a range of child exploitation crimes and is often seen in child pornography
cases. Related to this rather broad law are several others, such as:

A

18 USC § 2251 Sexual Exploitation of Children

26
Q

Production of sexually explicit depictions of a minor for importation into the
United States

A

18 U.S.C. § 2260:

27
Q

Certain activities relating to material involving the sexual exploitation of
minors (possession, distribution, and receipt of child pornography)

A

18 U.S.C. § 2252:

28
Q

Certain activities relating to material constituting or containing child
pornography

A

18 U.S.C. § 2252A:

29
Q

This was designed as an area where computer vendors could
store data that is protected from user activities and operating system utilities, such as delete
and format. To hide data in the ____ a person would need to write a program to access the ____ and write the data.

A

(HPA) Host Protected Area

30
Q

This requires only a single sector, leaving 62 empty sectors of
___ space for hiding data.

A

Master Boot Record

31
Q

This is the space that remains on a hard drive if the partitions do not use all the available space. For example, suppose that two partitions are filled with data. When you delete one of them, its data is not actually deleted. Instead, it is hidden.

A

Volume slack

32
Q

An operating system can’t access any unallocated space in a partition.
That space may contain hidden data.

A

Unallocated space

33
Q
A