Test 1 Computer Forensics – Flashcards

Unlock all answers in this set

Unlock answers
question
Fourth Amendment
answer
The _________ to the U.S. Constitution (and each state's constitution) protects everyone's rights to be secure in their person, residence, and property from search and seizure.
question
Police Blotter
answer
The _________ provides a record of clues to crimes that have been committed previously.
question
Litigation
answer
The legal process of proving guilt or innocence in court
question
Computer Forensics
answer
Investigates data that can be retrieved from a computer's hard disk or other storage media.
question
Affidavit
answer
Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.
question
Case Law
answer
Allows legal counsel to use previous cases similar to the current one because the laws don't yet exist.
question
Line of Authority
answer
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
question
HTCIA
answer
Organization that exchanges information about techniques related to computer investigations and security.
question
Network Forensics
answer
Yields information about how a perpetrator or an attacker gained access to a network.
question
Industrial espionage
answer
Involves selling sensitive or confidential company information to a competitor.
question
Single-Evidence Form
answer
A(n) ________ lists each piece of evidence on a separate page.
question
Interview
answer
A(n) ____________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
question
Self-Evaluation
answer
An essential part of professional growth.
question
FTK's Internet Keyword Search
answer
Extracts all related e-mail address information for web-based e-mail investigations.
question
Interrogation
answer
Process of trying to get a suspect to confess to a specific incident or crime.
question
Multi-evidence form
answer
A type of evidence custody form
question
Data recovery
answer
Is the more well known and lucrative side of the computer forensics business.
question
Free Space
answer
Can be used for new files that are saved or files that expand as data is added to them.
question
MS-Dos 6.22
answer
The least intrusive (in terms of changing data) Microsoft operating system.
question
Norton DiskEdit
answer
An older computer forensics tool.
question
ASCLD (American Society of Crime Laboratory Directors)
answer
The __________ provides guidelines for managing a forensics lab and for acquiring official crime-lab certification.
question
the same
answer
For daily work production, several examiners can work together in a large open area, as long as they all have ________ level of authority and access need.
question
Guidance Software
answer
Sponsors the EnCe certification program
question
Business Case
answer
A plan you can use to sell your services to your management or clients
question
MAN
answer
Stands for Metropolitan Area network
question
Norton Ghost
answer
Tool for directly restoring files
question
Disaster Recovery Plan
answer
Addresses how to restore a workstation you reconfigured for a specific investigation.
question
FireWire
answer
Ruled by the IEEE 1394B standard
question
SIG
answer
Can be a valuable source of support for recovering and analyzing uncommon systems.
question
ASCLD/LAB
answer
Certification program that regulates how crime labs are organized and managed.
question
raw
answer
Bit-stream data to files copy techniques creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n) ______ format.
question
lossless
answer
Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ________ compression.
question
live
answer
There are two types of acquisitions: Static acquisitions and _________ acquisitions.
question
EnCase
answer
Forensic tool developed by Guidance Software
question
SafeBack
answer
Example of a disk-to-disk copy maker tool.
question
AFF
answer
Open source data acquisition format.
question
Lossy Compression
answer
Used with .jpeg files to reduce file size and doesn't affect image quality when the file is restored and viewed.
question
IXimager
answer
ILook imaging tool
question
Data Acquisition
answer
Process of copying data
question
WinZip
answer
Example of a lossless compression tool.
question
Data Recovery
answer
Involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash.
question
Computer Forensics
answer
The task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data that users have hidden or deleted, with the goal of ensuring that thee recovered data is valid so that it can be used as evidence.
question
Inculpatory
answer
In criminal cases, the expression is "incriminating".
question
Exculpatory
answer
Evidence that might clear the suspect.
question
data recovery
answer
Use computer forensics techniques to retrieve information their clients have lost.
question
CART (The FBI Computer Analysis and Response Team)
answer
This group was formed in 1984 to handle the increasing number of cases involving digital evidence.
question
Fourth Amendment
answer
This protects everyone's rights to be secure in their person, residence, and property from search and seizure.
question
Affidavit
answer
A sworn statement of support of facts about or evidence of a crime, submitted to a judge with the request for a search warrant before seizing evidence.
question
notarized
answer
You must have an affidavit ________ under sworn oath to verify that the information in the affidavit is true.
question
Line of authority
answer
This states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
question
Line of Authority
answer
The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence and have access to evidence.
question
Search Warrant
answer
Legal documents that allow law enforcement to search an office, a place of business, or other locale for evidence related to an alleged crime.
question
Silver-Platter Doctrine
answer
A policy no longer in effect that allowed a state law enforcement officer to pass illegally obtained evidence to the federal government and allowed federal prosecution to use that evidence.
question
Private Sector
answer
During this kind of investigation, you search for evidence to support allegations of abuse of a company's assets and, in some cases, criminal complaints.
question
Computing Assets
answer
Most computer investigations in the private sector involve misuse of ___________.
question
Industrial Espionage, Embezzlement, and Murder
answer
Criminal acts in private sectors involve acts such as:
question
Chain of Custody
answer
The route the evidence takes from the time you find it until the case is closed or goes to court.
question
Preserve the evidence
answer
The first rule for all investigations.
question
Evidence Custody Form
answer
Helps to document what has and has not been done with the original evidence and forensic copies of the evidence.
question
Who recovered the Evidence When the evidence was recovered Who possessed the evidence at the time it was recovered
answer
What information should be documented about evidence?
question
Single-Evidence Form
answer
Lists each piece of evidence on a separate page
question
Multi-Evidence form
answer
An evidence custody form used to list all items associated with a case.
question
anti-static bags
answer
Which type of bag should be used when collecting computer evidence?
question
Single-Evidence Form
answer
This form gives you more flexibility in tracking separate pieces of evidence for your chain-of-custody log.
question
Attorney-Client Privilege
answer
When conducting a computer forensic analysis under ______ rules for an attorney, you must keep all findings confidential.
question
Interview
answer
Usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
question
Interrogation
answer
The process of trying to get a suspect to confess to a specific incident or crime.
question
Forensic Workstation
answer
To conduct an investigation and analysis, you must have a specifically configured PC known as?
question
Forensic Workstation
answer
A computer loaded with additional bays and forensic software.
question
MS-DOS 6.22
answer
The least intrusive OS to disks in terms of changing data.
question
Hardware Write-Blockers
answer
Some of these are inserted between the disk controller and the hard disk, and others are connected to USB or FireWire ports.
question
Things required for a Forensics Workstation
answer
A workstation A write-blocker device Computer Forensic Acquisition tool Computer Forensic Analysis tool Target Drive Spare PATA or SATA ports USB Ports
question
Bit-Stream Copy
answer
a bit-by-bit copy (also known as a sector copy) of the original drive or storage medium and is an exact duplicate.
question
Backup Software
answer
This type of software can only copy or compress files that are stored in a folder or are a known file type.
question
Bit-Stream Image
answer
The file containing the bit-stream copy of all data on a disk or disk partition.
question
Forensic Copy
answer
Another name for Bit-Stream Image
question
Preserve the original evidence
answer
The first rule of computer forensics
question
Case Critique
answer
In order to improve your work, you need to do a __________ after the case is closed.
question
low-emanating Workstation
answer
A workstation that is more expensive than the average workstation, but less expensive than a TEMPEST lab.
question
2, 1
answer
The ideal configuration for multiple work stations is to have ____ forensic workstations plus ____ non-forensic workstation with Internet Access.
question
2, 0
answer
Large or regional computer forensic labs should have at least ___ controlled exits and ____ windows.
question
Uniform Crime Report
answer
Annual ___________ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
question
IACIS (International Association of Computer Investigative Specialists)
answer
One of the oldest professional computer forensic organizations created by police officers who wanted to formalize credentials in computing investigations.
question
NTFS
answer
New Technology File System
question
FAT16, FAT32, NTFS
answer
Windows File Systems:
question
SIGs (Special Interest Groups)
answer
These can be a valuable source of support for recovering and analyzing uncommon systems.
question
Disaster recovery Plan
answer
This ensures that you can restore your workstation and file servers to their original condition if a catastrophic failure occurs.
question
Backup System
answer
Central to a disaster recovery plan is:
question
RAID
answer
For labs using high-end ______ severs, you must consider methods for restoring large data sets.
question
Electromagnetic Radiation (EMR)
answer
Most electronic devices emit this
question
intercept
answer
Certain kinds of equipment can _________ EMR, which can be used to determine the data the device is transmitting or displaying.
question
TEMPEST
answer
A ________ lab requires lining the walls, ceiling, floor, and doors with specially grounded conductive metal sheets.
question
TEMPEST
answer
A shield which shields sensitive computing systems and prevent electronic eavesdropping of any computer emission.
question
Configuration Management
answer
A process which records all updates you make to your workstation.
question
Risk Management
answer
Determining how much risk is acceptable for any process or operation.
question
image file
answer
The data a computer forensics tool collects is stored as a __________
question
raw format
answer
This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these files is referred to as?
question
Proprietary format
answer
This type of format typically offers several features that complement the vendor's analysis tool.
question
Advanced Forensic Format (AFF)
answer
A new open-source acquisition format developed by Dr. Simson L. Garfinkel
question
Static Acquisition
answer
This type of acquisition is typically done on a computer seized during a police raid.
question
Live Acquistion
answer
If a computer has an encrypted drive, this type of acquisition is done.
question
Static Acquisitions
answer
This is the preferred way to collect digital evidence.
question
Logical Acquisition
answer
Captures only specific files of interest to a case or specific file types
question
Sparse Acquisition
answer
Collects that of the Logical Acquisition, but also collects fragments of unallocated data.
question
Sparse Acquisition
answer
Use this acquisition method only when you don't need to examine the entire drive.
question
Hardware Acquisition
answer
This type of acquisition tool can access the drive at the BIOS level
question
2
answer
As standard practice, make at least ____ images of digital evidence you collect.
question
Write-blocking hardware device
answer
Because windows can easily contaminate your evidence drive, you must protect it with a well tested ___________________.
question
Live CDs
answer
Linux ISO Images are referred to as
question
Computer Forensics
answer
Linux ISO images are specifically designed for?
question
fdisk -l
answer
This Linux command lists all IDE drives as hda, hdb, and so on.
question
Government Agencies
answer
Private-sector organizations include business and ________ that aren't involved in law enforcement.
question
Expectation of Privacy
answer
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have a(n) ___________
question
Limiting Phrase
answer
When an investigator finds a mix of information, judges often issue a(n) ______ to the warrant, which allows the police to separate innocent information from evidence.
question
bit-stream
answer
If decontamination of a crime scene might destroy electronic evidence, a HAZMAT specialist or an investigator in HAZMAT gear should make a(n) _________ image copy of a suspect's hard disk.
question
HAZMAT
answer
You should rely on this when dealing with terrorist attacks
question
Konkeror
answer
Web browser
question
Low-Level investigations
answer
What most cases in the corporate environment are considered
question
FOIA
answer
Agencies must comply with these laws and make documents they find and create available as public records
question
AFIS
answer
Fingerprints can be tested with these systems
question
innocent information
answer
Information unrelated to a computing investigation case.
question
commingled data
answer
Confidential business data that might be included with the criminal evidence.
question
Commingled
answer
Placing child pornography images in a subfolder where bicycle plans are stored is doing what to the data?
question
ISPs
answer
Can investigate computer abuse committed by their employees, but not customers.
question
CTIN (Computer Technology Investigators Network)
answer
List one organization mentioned in the chapter that provides computer forensics training.
question
false
answer
Computer forensics and data recovery refer to the same thing, true or false
question
Fourth Amendment
answer
Police in the United States must use procedures that adhere to which of the following?
question
c
answer
The triad of computing security includes which of the following? Answer a b c or d a. Detection, response, and monitoring b. vulnerability assessment, detection, and monitoring c. vulnerability assessment, intrusion response, and investigation d. vulnerability assessment, intrusion response, and monitoring
question
embezzlement, e-mail harassment, cyberstalking,
answer
List the three common types of digital crime
question
false
answer
A corporate investigator must follow Fourth Amendment standards when conducting an investigation
question
d
answer
Policies can address rules for which of the following? Answer a b c or d a. when you can log on to a company network from home b. the internet sites you can or cannot access c. the amount of personal email you can send d. any of the above
question
right to monitor
answer
List an item that should appear on an internal warning banner.
question
True
answer
Warning banners are often easier to present in court than policy manuals are
question
false
answer
under normal circumstances a corporate investigator is considered an agent of law enforcement
question
Corporate environment
answer
fraud, embezzlement, insider trading, espionage, and email harassment are all types of computer investigations typically conducted in the __________________.
question
professional conduct
answer
_________ is ethics, morals and stands of behavior. It is important because it determines your credibility.
question
Professional Journal
answer
This helps you remember what procedures were followed if the case ever goes to court.
question
Still being debated
answer
Laws and procedures for PDAs are which of the following? a. well established b. still being debated c. on the law books d. none of the above
question
Requester
answer
__________ should be appointed to avoid conflicts from competing interests between organizations or departments.
question
affidavit
answer
The purpose of an __________ is to provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant.
question
who, what, when and where
answer
What are the necessary components of a search warrant?
question
evidence custody form
answer
Case number, investigator and location evidence was obtained are all items that should be on a ___________.
question
Risk assessment
answer
________ should be done to list problems that might happen when conducting your investigation as an aid in planning a case.
question
false
answer
You should always prove the allegations made by the person who hired you.
question
True
answer
For digital evidence, an evidence bag is typically made of antistatic material
question
b
answer
Who should have access to a secure container? answer a b c or d a. only the primary investigator b. only the investigators in the group c. everyone on the floor d. only senior-level management
question
write-protected
answer
Evidence media should be _________ to ensure that is is not altered
question
case report
answer
An explanation of basic computer and network processes, a narrative of what steps you took, and a description of your findings should all be included in your __________.
question
Chain of custody
answer
What do you call a list of people who have had physical possession of the evidence?
question
acquisitions officer
answer
providing a list of all components that were seized, noting whether the computer was running at the time it was taken into evidence, making notes of the state of the computer at the time it was acquired, noting the operating system if the computer is running, and photographing any open windows to document currently running programs are all jobs that a ________ is responsible for at a crime scene.
question
confidentiality
answer
The most important point to remember when assigned to work on an attorney-client privilege case is?
question
Attorney-Client
answer
You should minimize written correspondence, make sure all written documentation and communication includes a label stating that it is privileged communications and confidential work product, and assisting the attorney and paralegal in analyzing data when working in an ___________ case.
question
False
answer
Data collected before an attorney issues a memorandum for an attorney client privilege case is protected under the confidential work product rule.
question
True
answer
An employer can be held liable for email harassment true or false
question
d
answer
Building a business case can involve which of the following? answer a b c or d a. Procedures for gathering evidence b. testing software c. protecting trade secrets d. all of the above
question
False
answer
The ASCLD mandates the procedures established for a computer forensic lab, true or false?
question
d
answer
The manager of a computer forensic lab is responsible for which of the following? Answer a b c or d a. necessary changes in lab procedures and software b. ensuring that staff members have sufficient training to do the job. c. knowing the lab objectives d. All of the above
question
OS
answer
Uniform Crime report statistics for your area and a list of cases handled in your area or at your company are sources that can help you determine the _________ needed in your lab.
question
business plan
answer
Physical Security Items, How many machines are needed, what os's the lab commonly examines, why certain software is needed, and how the lab will benefit the company are all things that should be included in a _______________.
question
certification
answer
IACI, HTCN, EnCE, ACE are all popular ________ systems for computer forensics
question
True
answer
The national cybercrime training partnership is available only to law enforcement true or false
question
Physical Security
answer
________ is critical for computer forensics lab to maintain the chain of custody and prevent data from being lost, corrupted, or stolen.
question
False
answer
If a visitor to your computer forensics lab is a personal friend, it is not necessary to have him or her sign the visitor's log, true or false?
question
Requirements, Cost, Acceptability
answer
What three items should you research before enlisting in a certification program?
question
2
answer
Large computer forensic labs should have at least _______ exits
question
Regional
answer
Typically a(n) _________ lab has a separate storage are or room for evidence.
question
False
answer
Computer forensic facilities always have windows, true or false.
question
False
answer
The chief custodian of evidence storage containers should keep several master keys, true or false?
question
B
answer
Putting out fires in a computer lab typically requires a ______ rated fire extinguisher
question
False
answer
A forensic workstation should always have a direct broadband connection to the internet, true or false?
question
NISPOM
answer
Which organization provides good information on safe storage containers?
question
ASCLD
answer
Which organization has guidelines on how to operate a computer forensics lab?
question
TEMPEST
answer
What name refers to labs constructed to shield EMR emissions?
question
Static Acquisition
answer
The primary goal of __________ is to preserve digital evidence.
question
proprietary format
answer
This type of file format gives options to compress or not compress files, and has the capability to split an image into smaller segments.
question
Expert Witness Format
answer
Which propriety format is the unofficial standard?
question
magnetic tape
answer
The advantage of using this type of backup system for forensic acquisitions if that there is no limit to the size of data that can be acquired.
question
standard data backup tool
answer
When a suspects computer can't be taken offline for several hours, but can be shut down long enough to switch disks, you should use a ____________ such as Norton Ghost
question
Validation
answer
What is the most critical aspect of computer evidence?
question
hashing algorithm
answer
A utility designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file or entire disk.
question
md5sum and sha1sum
answer
Which hashing algorithm utilities can be run from a linux shell prompt?
question
hash= , hashlog= , vf=
answer
In the linux dcfldd command, which three options are used for validating data?
question
2 GB
answer
What is the maximum file size when writing data to a FAT32 drive?
question
False
answer
R-Studio and DiskExplorer are used primarily for computer forensics. True or false?
question
d
answer
With remote acquisitions, what problem should you be aware of? answer a b c or d a. data transfer speeds b. access permissions over the network c. antivirus, antispyware, and firewall programs, d all of the above
question
ProDiscover
answer
The program _______ provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
question
ServLet
answer
What is the EnCase Enterprise remove program?
question
PDServer
answer
What is the ProDiscover remote access program?
question
DiskExplorer
answer
What is the Runtime Software utility used to acquire data over a network connection?
question
False
answer
HDHost is automatically encrypted when connected to another computer, true or false?
question
TCP/IP, Serial RS232 Port
answer
List the two types of connections in HDHost.
question
False
answer
EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk, true or false?
question
True
answer
When possible, you should make two copies of evidence, true or false?
question
False
answer
FTK imager can acquire data in a drive's host protected area, true or false?
question
a
answer
Corporate investigations are typically easier than law enforcement for which of the following reasons? a. most companies keep inventory databases of all hardware and software used. b. the investigator does not have to get a warrant c. the investigator has to get a warrant. d. users can load whatever they want on their machines.
question
True
answer
In the united states, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause, true or false?
question
True
answer
If you discover a criminal act, such as murder or child pornography, while investigation a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or false?
question
agent of law enforcement
answer
As a corporate investigator, you can become an _______ __ ____ __________ when you begin to take orders from a police detective without a warrant or subpoena and/or your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
question
False
answer
The plain view doctrine in computer searches is well-established law. True or false.
question
a and c
answer
If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following (choose all that apply answer a b c and/or d) a. Coordinate with the HAZMAT team b. Determine a way to obtain the suspect computer c. Assume the suspect computer is contaminated. d. Do not enter alone.
question
forensic hash
answer
A _______ can't be predicted, no two files can have the same hash value, and if the file changes, the hash value changes are all rules for a?
question
collision
answer
In forensic hashes, a ___________ occurs when two files have the same hash value.
question
True
answer
Computer peripherals or attachments can contain DNA evidence, true or false?
question
Browsing open applications
answer
If a suspect computer is running windows 2000, which of the following can you perform safely? a. browsing open applications b. disconnecting power c. Either of the above d. none of the above
question
anything that might be of interest
answer
Describe what should be videotaped or sketched at a computer crime scene.
question
Data Sniffing, Keylogging
answer
Which of the following techniques might be used in covert surveillance? (choose all that apply) a. keylogging b. data sniffing c. network logs d. none of the above
question
commingling
answer
This means confidential business data that might be included with the criminal evidence.
question
SHA-1, MD5
answer
List two hashing algorithms commonly used for forensic purposes.
question
False
answer
Small companies rarely need investigators true or false
question
True
answer
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
question
Initial response field kit
answer
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
question
False
answer
You should always answer questions from onlookers at a crime scene. True or False?
question
Affidavit
answer
The document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation.
question
allegations
answer
A charge made against someone or something before proof has been found.
question
authorized requester
answer
In a corporate environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer.
question
Computer Forensics
answer
The process of applying scientific methods to collect and analyze data and information that can be used as evidence.
question
Computer Investigations
answer
Conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime.
question
CTIN (Computer Technology Investigations Network)
answer
A nonprofit group based in Seattle-Tacoma, WA, composed of law enforcement members, private corporation security professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest.
question
Criminal Case
answer
A case in which criminal law must be applied.
question
Criminal Law
answer
Statutes applicable to a jurisdiction that state offenses against the peace and dignity of the jurisdiction and the elements that define these offenses.
question
data recovery
answer
A specialty field in which companies retrieve files that were deleted accidentally or purposefully.
question
disaster recovery
answer
A specialty field in which companies perform real-time backups, monitoring, data recovery, and hot site operations.
question
enterprise network environment
answer
A large corporate computing system that can include formerly independent systems.
question
approved secure container
answer
A fireproof container locked by a key or combination.
question
attorney-client priviledge
answer
Communication between an attorney and client about legal matters is protected as confidential communications. The purpose of having confidential communications is to promote honest and open dialogue between an attorney and client. This confidential information must not be shared with unauthorized people.
question
bit-stream copy
answer
A bit-by-bit duplicate of data on the original storage medium. This process is usually called "acquiring an image" or "making an image.
question
bit-stream image
answer
The file where the bit-stream copy is stored; usually referred to as an "image," "image save," or "image file."
question
chain of custody
answer
The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.
question
evidence bags
answer
Nonstatic bags used to transport removable media, hard drives, and other computer components.
question
evidence custody form
answer
A printed form indicating who has signed out and been in physical possession of evidence.
question
forensic copy
answer
Another name for a bit-stream image.
question
forensic workstation
answer
A workstation set up to allow copying forensic evidence, whether on a hard drive, USB drive, CD, or Zip disk. It usually has software preloaded and ready to use.
question
password-cracking software
answer
Software used to match the hash patterns of passwords or to simply guess passwords by using common combinations or standard algorithms.
question
password protected
answer
The method of requiring a password to limit access to certain files and areas of storage media; this method prevents unintentional or unauthorized use.
question
repeatable findings
answer
Being able to obtain the same results every time from a computer forensics examination.
question
ASCLD (American Society of Crime Laboratory Directors)
answer
A national society that sets the standards, management, and audit procedures for labs used in crime analysis, including computer forensics labs used by the police, FBI, and similar organizations.
question
business case
answer
A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility. In many instances, a business case shows how upgrades will benefit the company.
question
CEECS (Certified Electronic Evidence Collection Specialists)
answer
A certificate awarded by IACIS at completion of the written exam.
question
CFCE (Certified Forensic Computer Examiner)
answer
A certificate awarded by IACIS at completion of all portions of the exam.
question
configuration management
answer
The process of keeping track of all upgrades and patches you apply to your computer's OS and applications.
question
HTCN (High Tech Crime Network)
answer
A national organization that provides certification for computer crime investigators and computer forensics technicians.
question
risk management
answer
The process of determining how much risk is acceptable for any process or operation, such as replacing equipment.
question
Secure Facility
answer
A facility that can be locked and allows limited access to the room's contents.
question
SIGs (Special Interest Groups)
answer
Associated with various operating systems, these groups maintain electronic mailing lists and might hold meetings to exchange information about current and legacy operating systems.
question
TEMPEST
answer
A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility.
question
Uniform Crime Report
answer
Information collected at the federal, state, and local levels to determine the types and frequencies of crimes committed.
question
AFF (Advanced Forensic Format)
answer
A new data acquisition format developed by Simson L. Garfinkel and Basis Technology. This open and extensible format stores image data and metadata. File extensions include .afd for segmented image files and .afm for ______ metadata.
question
live acquisition
answer
A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it's not write-protected. ___________ aren't repeatable because data is continually being altered by the suspect computer's OS.
question
logical acquisition
answer
This data acquisition method captures only specific files of interest to the case or specific types of files, such as Outlook PST files.
question
raw format
answer
A data acquisition format that creates simple sequential flat files of a suspect drive or data set.
question
RAID (Redundant Array of Independent Disks)
answer
Two or more disks combined into one large drive in several configurations for special needs. Some_______ systems are designed for redundancy to ensure continuous operations if one disk fails. Another configuration spreads data across several disks to improve access speeds for reads and writes.
question
Sparse Acquisitions
answer
Like logical acquisitions, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.
question
Static Acquisitions
answer
A data acquisition method used when a suspect drive is write-protected and can't be altered. If disk evidence is preserved correctly, _____________ are repeatable.
question
whole disk encryption
answer
An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.
question
4-mm dat
answer
Magnetic tapes that store about 4 GB of data, but like CD-Rs, are slow to read and write data.
question
AFIS (Automated Fingerprint Identification System)
answer
A computerized system for identifying fingerprints that's connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
question
computer-generated records
answer
Data generated by a computer, such as system log files or proxy server logs.
question
computer-stored records
answer
Digital files generated by a person, such as electronic spreadsheets.
question
Covert Surveillance
answer
Observing people or places without being detected, often using electronic equipment, such as video cameras or key stroke/screen capture programs.
question
CRC (Cyclic Redundancy Check)
answer
A mathematical algorithm that translates a file into a unique hexadecimal value.
question
digital evidence
answer
Evidence consisting of information stored or transmitted in electronic form
question
extensive response field kit
answer
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
question
Hazardous Materials (HAZMAT)
answer
Chemical, biological, or radiological substances that can cause harm to people.
question
initial response field kit
answer
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
question
innocent information
answer
Data that doesn't contribute to evidence of a crime or violation.
question
IOCE (International Organization on Computer Evidence)
answer
A group that sets standards for recovering, preserving, and examining digital evidence.
question
keyed hash set
answer
A value created by an encryption utility's secret key.
question
limiting phrase
answer
Wording in a search warrant that limits the scope of a search for evidence.
question
low-level investigations
answer
Corporate cases that require less effort than a major criminal case.
question
MD5 (message Digest 5)
answer
An algorithm that produces a hexadecimal value of a file or storage media. Used to determine whether data has been changed.
question
NIST (National Institute of Standards and Technology)
answer
One of the governing bodies responsible for setting standards for various U.S. industries.
question
nonkeyed hash set
answer
A unique hash number generated by a software tool
question
Person of interest
answer
Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
question
Plain View Doctrine
answer
When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. As applied to executing searches of computers, the plain view doctrine's limitations are less clear.
question
ServLet
answer
a small, server-resident program that typically runs automatically in response to user input.
question
Nonkeyed Hash Set
answer
Most computer forensic hashing needs can be satisfied with a _____________________.
question
MD5
answer
You can use the ____ function in FTK Imager to obtain the digital signature of a file or an entire drive.
Get an explanation on any task
Get unstuck with the help of our AI assistant in seconds
New