Computer Forensics – Flashcards
question
What makes up the physical hardware components of a computer?
answer
Monitor - keyboard - mouse - RAM - CPU - disk and CD drives - computer chassis
question
What is a computer chassis?
answer
1) Physical box holding the components in place 2) Desktop, tower, all-in-one monitor/computer 3) Aka system unit
question
What is the Power Supply?
answer
Component that converts power from the wall outlet into a usable format
question
What is the Motherboard also called?
answer
The Main Circuit Board
question
What is the Chassis also called?
answer
System Unit
question
What does the Motherboard contain?
answer
1) Chip Sockets or RAM & CPU 2) Slots for connecting to networks, sound cards, video cards
question
Where do the peripheral components connect to?
answer
The Motherboard (Main Circuit Board)
question
What does the System Bus do?
answer
A network of wires that carry data from one hardware device to another, which is sent using binary codes
question
What is ROM?
answer
Read-only memory: chips on the motherboard that run firmware programs which boot the computer and configure components
question
What is the CPU also called?
answer
Central processing unit is also called The Brain of the computer
question
What is the largest chip in the Motherboard?
answer
CPU
question
What carries out the program steps to complete a task like opening up MS Word?
answer
CPU
question
Where are the Intel Pentium chips located?
answer
CPU
question
Volatile Memory is ???
answer
Memory stored in RAM that stays while computer is on, but removed when power is taken away
question
What component takes the burden off the processor?
answer
RAM
question
RAM stands for?
answer
Random Access Memory
question
Where is data stored to increase the computer speed & efficiency?
answer
RAM
question
Function of Input Devices?
answer
1) Gets data into computer 2) Gives computer instructions
question
Used computer components
answer
Input Devices
question
What shows results of the instructions or tasks?
answer
Output Devices
question
Name some Hardware Components
answer
HDD NIC
question
HDD stands for?
answer
Hard Disk Drive
question
What is the primary storage component of a computer?
answer
Hard Disk Drive - HDD
question
What holds the operating system, programs, and data files?
answer
Hard Disk Drive - HDD
question
What component serves as Permanent Storage?
answer
Hard Disk Drive - HDD
question
What component is used to communicate to a network?
answer
Network Interface Card - NIC
question
What component can be built-in, wireless, or a plug-in?
answer
Network Interface Card - NIC
question
Name some Storage Devices:
answer
1) Compact Disk Record/Rewrite - CD-R/RW 2) DVD-Record/Rewrite - DVD-R/RW 3) Floppy Disk 4) USB Thumbdrive 5) Tapes
question
What storage devices can be encoded in different ways?
answer
1) Compact Disk Record/Rewrite - CD-R/RW 2) DVD-Record/Rewrite - DVD-R/RW
question
What storage device stores data in similar way to HDD?
answer
Floppy Disk
question
What storage device contains no moving parts?
answer
USB Thumbdrive
question
What storage device is used to backup data?
answer
USB Thumbdrive & Tapes
question
What are the 3 main steps to collecting a computer at a crime scene?
answer
1) Live Data Acquisition 2) System Shutdown 3) Pull The Plug
question
What is it called when you collect computer data on-scene?
answer
LIVE DATA ACQUISITION
question
If you shutdown a system, you have to collect what on-scene?
answer
The Server Equipment
question
Why do you remove plug from computer and not the wall?
answer
1) Data on RAM not saved to HDD will be lost 2) Can cause data to be encrypted and unreadable w/out password or key 3) Battery back-up may be initiated, keeping system on
question
Battery back-up has been initiated - what did you do?
answer
I pulled the plug from the computer
question
What is the least intrusive method used in computer forensics?
answer
Forensic Image Acquisition of HDD
question
What is the goal of FIA of HDD?
answer
To obtain data without altering it
question
Name 4 steps of FIA of HDD:
answer
1) Remove HDD from suspect computer and place inside forensic computer 2) Analyze drive as "write-blocked", read-only 3) Fingerprint drive before & after to ensure all data was recovered 4) Create an image of the HDD
question
What is write-blocked?
answer
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands, hence their name.
question
An image of the HDD is what?
answer
An exact duplicate of the contents
question
How is an exact image of HDD different than a backup?
answer
FIA Takes all contents, not just pieces
question
What is Visible Data Analysis?
answer
All information the OS is aware of and readily accessible by the user
question
Name Some VD - Visible Data
answer
1) Data/Work Product Files 2) Swap File Data 3) Temp Files
question
What Visible Data are word processing documents?
answer
DATA/WORK PRODUCT FILES
question
What Visible Data are only what is currently in use is used in RAM?
answer
SWAP FILE DATA
question
What Visible Data is graphics & photo edited applications?
answer
DATA/WORK PRODUCT FILES
question
What Visible Data is finance software and bank acct records?
answer
DATA/WORK PRODUCT FILES
question
What Visible Data are used to recover docs that have been typed & printed, but never saved?
answer
TEMP FILES
question
What Visible Data are files that are being worked on and is saved periodically in a file?
answer
TEMP FILES
question
What Visible Data most OS are programmed to conserve RAM because it is limited?
answer
SWAP FILE DATA
question
What Visible Data results in limited data loss when computer loses power?
answer
TEMP FILES
question
What Visible Data continues as you switch between programs?
answer
SWAP FILE DATA
question
What Visible Data program & data are loaded into RAM while in use?
answer
SWAP FILE DATA
question
What Visible Data works on open & unused docs that are kicked out of RAM and written to another space on HDD?
answer
SWAP FILE DATA
question
What Visible Data type will convert temp file to actual file when changes are saved?
answer
TEMP FILES
question
Print spool file is what file for printer?
answer
TEMP FILE FOR PRINTER
question
What allows printer to work w/o slowing computer?
answer
The Print Spool File
question
What data includes all data hidden from any user's view?
answer
LATENT DATA
question
What data must be read at the binary level using special applications?
answer
LATENT DATA
question
Standard copy would not include what type of data?
answer
LATENT DATA
question
What do you use in Latent Data Analysis to prevent change to data?
answer
WRITE-BLOCKER
question
Name examples of Latent Data:
answer
1) Slack Space 2) Unallocated Space 3) Swap File/Swap Space 4) Defragmenting 5) Deleted Files
question
Which type of Latent Data HDD allocates space in defined byte increments called clusters?
answer
SLACK SPACE
question
What are clusters?
answer
HDD allocates space in defined byte increments
question
What is the empty space on HDD created due to the way HDD stores files?
answer
SLACK SPACE
question
Latent Data type files that are below the increment have...?
answer
SLACK SPACE
question
Files that are above the increment need...?
answer
A Second Space
question
What is the portion of the hard drive that does not contain user-saved data?
answer
UNALLOCATED SPACE
question
Some docs come here when file is rewritten to other places
answer
UNALLOCATED SPACE
question
What Latent Data type puts orphan files in unallocated space?
answer
SWAP FILE/SWAP SPACE
question
What Latent Data type can slow HDD performance?
answer
Defragmenting
question
What Latent Data type moves non-contiguous data back together, creating contiguous clusters?
answer
DEFRAGMENTING
question
What Latent Data type can leave data in unallocated space?
answer
DELETED FILES
question
What Latent Data type is not viewable through regular methods?
answer
DELETED FILES
question
What Latent Data type writes a new file to the location of the orig file which will remove the orig data?
answer
DELETED FILES
question
What Latent Data type the OS views the space as being available but the data remains?
answer
DELETED FILES
question
When a file is deleted the first character in the file's name is replaced with sigma
answer
DELETED FILES
question
What is the caching system that speeds up web browsing?
answer
INTERNET CACHE
question
Can deleted cache files still be recovered?
answer
YES
question
What allows portions of the page to be reconstructed faster from saved data?
answer
INTERNET CACHE
question
What is Internet Cache?
answer
When web browsers store portions of their pages on the hard drive
question
What information is retrieved when the site is revisited?
answer
INTERNET COOKIES
question
What are saved on the hard drive by visited websites?
answer
INTERNET COOKIES
question
What tracks information about visitors?
answer
INTERNET COOKIES
question
What tracks the history of web page visits?
answer
INTERNET IP ADDRESS
question
Files accessed on external drives may appear in history
answer
INTERNET IP ADDRESS
question
Displays the uniform resource locator (URL), date & time accessed?
answer
INTERNET IP ADDRESS
question
What is used to investigate internet communications?
answer
1) IP Address 2) Email, Chat, IM 3) Hacking
question
IP?
answer
Internet Protocol
question
What does IP address consist of?
answer
4 grps of numbers ranging from 0-255 which can lead to the identity of a person
question
What Internet Communications may be housed at the network and not on the computer?
answer
Emails
question
What Internet Communications are stored in RAM?
answer
Chat & IM
question
What Internet Communications can be found on HDD usually fragmented, disconnected, and incomplete?
answer
CHAT & IM
question
What Internet Communications are found in the Internet Cache?
answer
Web-based emails