Computer and Cyber Forensics – Flashcards

question
By the 1970s, electronic crimes were increasing, especially in the financial sector.
answer
True
question
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
answer
True
question
Computer investigations and forensics fall into the same category: public investigations.
answer
False
question
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
answer
False
question
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
answer
Data recovery
question
The ____ group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
answer
computer investigations
question
By the early 1990s, the ____ introduced training on software for forensics investigations.
answer
IACIS
question
Based on the incident or crime, the complainant makes a(n) ____, an accusation or supposition of fact that a crime has been committed.
answer
allegation
question
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit a(n) ____.
answer
affidavit
question
The affidavit must be ____ under sworn oath to verify that the information in the affidavit is true.
answer
notarized
question
Most computer investigations in the private sector involve ____.
answer
misuse of computing assets
question
Chain of custody is also known as chain of evidence.
answer
True
question
Employees surfing the Internet can cost companies millions of dollars.
answer
True
question
You cannot use both multi-evidence and single-evidence forms in your investigation.
answer
False
question
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
answer
True
question
A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible.
answer
False
question
The ____ is the route the evidence takes from the time you find it until the case is closed or goes to court.
answer
chain of custody
question
When preparing a case, you can apply ____ to problem solving.
answer
standard systems analysis steps
question
The list of problems you normally expect in the type of case you are handling is known as the ____.
answer
standard risk assessment
question
A(n) ____ helps you document what has and has not been done with both the original evidence and forensic copies of the evidence.
answer
evidence custody form
question
Use ____ to secure and catalog the evidence contained in large computer components.
answer
evidence bags
question
____ prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab.
answer
Padding
question
____ investigations typically include spam, inappropriate and offensive message content, and harassment or threats.
answer
E-mail
question
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a ____.
answer
forensic workstation
question
You can use ____ to boot to Windows without writing any data to the evidence disk.
answer
a write-blocker
question
To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
answer
copying
question
A ____ is a bit-by-bit copy of the original storage medium.
answer
bit-stream copy
question
A bit-stream image is also known as a(n) ____.
answer
forensic copy
question
When analyzing digital evidence, your job is to ____.
answer
recover the data
question
When you write your final report, state what you did and what you ____.
answer
found
question
In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as ____.
answer
repeatable findings
question
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and ____.
answer
critique the case
question
If damage occurs to the floor, walls, ceilings, or furniture in your computer forensics lab, it does not need to be repaired immediately.
answer
False
question
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
answer
True
question
A ____ is where you conduct your investigations, store evidence, and do most of your work.
answer
computer forensics lab
question
____ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
answer
Uniform crime reports
question
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ____, and Windows File System.
answer
NTFS
question
____ was created by police officers who wanted to formalize credentials in computing investigations.
answer
IACIS
question
What HTCN certification level requires candidates have three years of investigative experience in any discipline from law enforcement or corporate or have a college degree with one year of experience in investigations?
answer
Certified Computer Forensic Technician, Basic
question
To preserve the integrity of evidence data, your lab should function as an evidence locker or safe, making it a ____ or a secure storage safe.
answer
secure facility
question
The EMR from a computer monitor can be picked up as far away as ____ mile.
answer
1/2
question
A secure storage container or cabinet should be made of ____ and include an internal cabinet lock or external padlock.
answer
steel
question
Floors and carpets in your computer forensics lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
answer
once
question
One way to investigate older and unusual computing systems is to keep track of ____ that still use these systems.
answer
SIGs
question
A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
answer
disaster recovery
question
You should have at least one copy of your backups on site and a duplicate copy or a previous copy of your backups stored in a safe ____ facility.
answer
off-site
question
In addition to performing routine backups, record all the updates you make to your workstation by using a process called ____ when planning for disaster recovery.
answer
configuration management
question
For labs using high-end ____ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets.
answer
RAID
question
____ involves determining how much risk is acceptable for any process or operation, such as replacing equipment.
answer
Risk management
question
Computing components are designed to last 18 to ____ months in normal business operations.
answer
36
question
In the ____, you justify acquiring newer and better resources to investigate computer forensics cases.
answer
business case
question
By using ____ to attract new customers or clients, you can justify future budgets for the lab's operation and staff.
answer
marketing
question
One advantage with live acquisitions is that you are able to perform repeatable processes.
answer
False
question
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
answer
True
question
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
answer
True
question
FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing.
answer
True
question
Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume.
answer
False
question
For computer forensics, ____ is the task of collecting digital evidence from electronic media.
answer
data acquisition
question
One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
answer
proprietary
question
Typically, a(n) ____ acquisition is done on a computer seized during a police raid, for example.
answer
static
question
If the computer has an encrypted drive, a ____ acquisition is done if the password or passphrase is available.
answer
live
question
The most common and flexible data-acquisition method is ____.
answer
Disk-to-image file copy
question
SafeBack and SnapCopy must run from a(n) ____ system.
answer
MS-DOS
question
If your time is limited, consider using a logical acquisition or ____ acquisition data copy method.
answer
sparse
question
Image files can be reduced by as much as ____% of the original.
answer
50
question
Microsoft has recently added ____ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
answer
whole disk encryption
question
Linux ISO images are referred to as ____.
answer
Live CDs
question
The ____ command displays pages from the online help manual for information on Linux commands and their options.
answer
man
question
The ____ command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.
answer
dd
question
The ____ command works similarly to the dd command but has many features designed for computer forensics acquisitions.
answer
dcfldd
question
Current distributions of Linux include two hashing algorithm utilities: md5sum and ____.
answer
sha1sum
question
The ____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable.
answer
EnCase
question
EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (____) workstation.
answer
SAFE
question
SnapBack DatArrest runs from a true ____ boot floppy.
answer
MS-DOS
question
SnapBack DatArrest can perform a data copy of an evidence drive in ____ ways.
answer
three
question
SafeBack performs a(n) ____ calculation for each sector copied to ensure data integrity.
answer
SHA-256
question
____ has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies.
answer
DIBS USA
question
If a corporate investigator follows police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.
answer
True
question
The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.
answer
True
question
Most federal courts have interpreted computer records as ____ evidence.
answer
hearsay
question
Generally, computer records are considered admissible if they qualify as a ____ record.
answer
business
question
____ records are data the system maintains, such as system log files and proxy server logs.
answer
Computer-generated
question
Investigating and controlling computer incident scenes in the corporate environment is ____ in the criminal environment.
answer
much easier than
question
Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
answer
reasonable suspicion
question
Confidential business data included with the criminal evidence are referred to as ____ data.
answer
commingled
question
____ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
answer
Probable cause
question
Law enforcement investigators need a(n) ____ to remove computers from a crime scene and transport them to a lab.
answer
warrant
question
Environmental and ____ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
answer
safety
question
When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ____ degrees, you should take measures to prevent a hard disk from overheating to prevent damage.
answer
80
question
With a(n) ____ you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
answer
initial-response field kit
question
A(n) ____ should include all the tools you can afford to take to the field.
answer
extensive-response field kit
question
Courts consider evidence data in a computer as ____ evidence.
answer
physical
question
Evidence is commonly lost or corrupted through ____, which involves police officers and other professionals who aren't part of the crime scene processing team.
answer
professional curiosity
question
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ____ or MS-DOS system.
answer
Windows 9x
question
One technique for extracting evidence from large systems is called ____.
answer
sparse acquisition
question
Real-time surveillance requires ____ data transmissions between a suspect's computer and a network server.
answer
sniffing
question
The most common computer-related crime is ____.
answer
check fraud
question
Computer forensics is obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases.
answer
Obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases.
question
Please explain what the Fourth Amendment is.
answer
The Fourth Amendment requires a search warrant for obtaining evidence and protects everyone's right to be secure in their person, residence, and property from search and seizure.
question
Please explain what a public investigation and a private investigation are.
answer
A public investigation involves government agencies responsible for criminal investigation and prosecution. Organizations must observe legal guidelines and are governed by criminal law and the Fourth Amendment. A private investigation deals with private companies, non-law-enforcement government agencies, and lawyers, and is not governed directly by criminal law or the Fourth Amendment; it is governed by internal policies.
question
Please list the main commercial forensics tools, Linux forensics tools, and other tools.
answer
The main commercial forensics tools are EnCase, FTK, and ProDiscover. The Linux-based forensics tools are BackTrack, Helix, and Knoppix Live CDs. The other tools are hash calculators and Metasploit.
question
Please list the five main cases for employee termination.
answer
1. Employee Termination Case 2. Email Abuse Investigation 3. Media Leak Investigation 4. Industrial Espionage Investigation 5. Attorney-Client Privilege Investigation
question
Please explain what a bit-stream copy and a bit-stream image are.
answer
1. Bit-stream copy - bit-by-bit copy of the original storage medium, an exact copy of the original disk, different from a simple backup copy 2. Bit-stream image - forensic copy, a file containing the bit-stream copy of all the data on a disk or partition
question
The American Society of Crime Laboratory Directors (ASCLD) offers what guidelines?
answer
1. managing a lab 2. acquiring an official certification 3. auditing lab functions and procedures
question
Please list the general rules for a police lab.
answer
1. one computer investigator for every 250,000 people in the region 2. one multipurpose forensic workstation, one general-purpose workstation
question
Please list the two main types of data acquisition. Explain how the two types differ in whether the data is changed or not. What are the two good aspects of live acquisition?
answer
1. Static Acquisition - the computer is off during capture of the data, so the data is not changed. 2. Live Acquisition - the computer is on during capture of the data, so the data is altered. Two advantages of live acquisition are that it collects RAM data and that it is preferred because it bypasses hard disk encryption.
question
Please list the three main formats for data storage. Suppose there is an evidence disk of about 100 GB. I only have two disks to store the evidence image, one of about 20 GB and one of about 30 GB. I also need to put the investigator's name and hash value onto the two disks. Also, I need to use different tools later to work on these evidence images. What kind of format are you going to use?
answer
1. Raw format - bit to bit 2. Proprietary format - certain forensic tools 3. Advanced Forensic Format - multiple forensics tools. In the case stated above we would use Advanced Forensic Format to capture the data because it will compress the data size and allow us to analyze the data with a number of forensic tools.
question
What are the three disk acquisition methods?
answer
1. Disk to disk - bit to bit 2. Disk to image - bit to image 3. Logical - only acquiring needed information
question
Can computer evidence be directly adopted in law? Is there any exception? How do you prove this kind of exception?
answer
Digital evidence cannot be directly adopted in law because it is actually considered hearsay evidence, meaning second-hand or indirect evidence. There are two exceptions: the business record exception and the computer sorted exception. The business record exception can be proved by assuring that the program creating the output is functioning correctly. The computer sorted exception can be proved by confirming that a specific person created the records.
question
If you are a corporate investigator and a law enforcement officer asks you to find more information, what should you do?
answer
Don't do any further investigation until you receive a subpoena or court order.
question
What is innocent information?
answer
Innocent information is unrelated information.
question
How do you handle a running computer when you seize it?
answer
1. Live acquisition 2. Normal shutdown 3. Save the data 4. Record activity 5. Photograph the screen