Test 1 Computer Forensics – Flashcards
277 test answers
question
Affidavit
answer
Sworn statement of support of facts about or evidence of a crime that is submitted to a judge to request a search warrant before seizing evidence.
question
Case Law
answer
Allows legal counsel to argue from previous cases similar to the current one when no statute yet addresses the situation.
question
Line of Authority
answer
Specifies who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
question
HTCIA (High Technology Crime Investigation Association)
answer
Organization that exchanges information about techniques related to computer investigations and security.
question
Network Forensics
answer
Yields information about how a perpetrator or an attacker gained access to a network.
question
Industrial espionage
answer
Involves selling sensitive or confidential company information to a competitor.
question
Single-Evidence Form
answer
A(n) ________ lists each piece of evidence on a separate page.
question
Interview
answer
A(n) ____________ is usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
question
Self-Evaluation
answer
An essential part of professional growth.
question
FTK's Internet Keyword Search
answer
Extracts all related e-mail address information for web-based e-mail investigations.
question
Interrogation
answer
Process of trying to get a suspect to confess to a specific incident or crime.
question
Multi-evidence form
answer
A type of evidence custody form
question
Data recovery
answer
The better-known and more lucrative side of the computer forensics business.
question
Free Space
answer
Can be used for new files that are saved or files that expand as data is added to them.
question
MS-DOS 6.22
answer
The least intrusive Microsoft operating system in terms of changing data on a disk.
question
Norton DiskEdit
answer
An older computer forensics tool.
question
ASCLD (American Society of Crime Laboratory Directors)
answer
The __________ provides guidelines for managing a forensics lab and for acquiring official crime-lab certification.
question
the same
answer
For daily work production, several examiners can work together in a large open area, as long as they all have ________ level of authority and access need.
question
Guidance Software
answer
Sponsors the EnCE (EnCase Certified Examiner) certification program.
question
Business Case
answer
A plan you can use to sell your services to your management or clients
question
MAN
answer
Stands for Metropolitan Area Network.
question
Norton Ghost
answer
Standard data backup (disk-cloning) tool that can directly restore files or an entire drive.
question
Disaster Recovery Plan
answer
Addresses how to restore a workstation you reconfigured for a specific investigation.
question
FireWire
answer
Governed by the IEEE 1394 standard (IEEE 1394b is the 800 Mb/s revision).
question
SIG
answer
Can be a valuable source of support for recovering and analyzing uncommon systems.
question
ASCLD/LAB
answer
Certification program that regulates how crime labs are organized and managed.
question
raw
answer
The bit-stream disk-to-image-file copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n) ______ format.
question
lossless
answer
Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ________ compression.
question
live
answer
There are two types of acquisitions: Static acquisitions and _________ acquisitions.
question
EnCase
answer
Forensic tool developed by Guidance Software
question
SafeBack
answer
Example of a disk-to-disk copy maker tool.
question
AFF
answer
Open source data acquisition format.
question
Lossy Compression
answer
Used with .jpeg files to reduce file size by permanently discarding some data; the loss is usually not noticeable when the image is viewed, but the original bits cannot be restored, so it is unsuitable for forensic images.
question
IXimager
answer
ILook imaging tool
question
Data Acquisition
answer
Process of copying data from a suspect drive or other medium so that it can be examined.
question
WinZip
answer
Example of a lossless compression tool.
question
Data Recovery
answer
Involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash.
question
Computer Forensics
answer
The task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.
question
Inculpatory
answer
Evidence that tends to establish guilt; in criminal cases the expression is "incriminating".
question
Exculpatory
answer
Evidence that might clear the suspect.
question
data recovery
answer
Data recovery specialists use computer forensics techniques to retrieve information their clients have lost.
question
CART (The FBI Computer Analysis and Response Team)
answer
This group was formed in 1984 to handle the increasing number of cases involving digital evidence.
question
Fourth Amendment
answer
Protects everyone's right to be secure in their persons, residences, and property from unreasonable search and seizure.
question
Affidavit
answer
A sworn statement of support of facts about or evidence of a crime, submitted to a judge with the request for a search warrant before seizing evidence.
question
notarized
answer
You must have an affidavit ________ under sworn oath to verify that the information in the affidavit is true.
question
Line of authority
answer
This states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
question
Line of Authority
answer
The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence and have access to evidence.
question
Search Warrant
answer
Legal documents that allow law enforcement to search an office, a place of business, or other locale for evidence related to an alleged crime.
question
Silver-Platter Doctrine
answer
A policy no longer in effect that allowed a state law enforcement officer to pass illegally obtained evidence to the federal government and allowed federal prosecution to use that evidence.
question
Private Sector
answer
During this kind of investigation, you search for evidence to support allegations of abuse of a company's assets and, in some cases, criminal complaints.
question
Computing Assets
answer
Most computer investigations in the private sector involve misuse of ___________.
question
Industrial Espionage, Embezzlement, and Murder
answer
Criminal acts in the private sector include acts such as:
question
Chain of Custody
answer
The route the evidence takes from the time you find it until the case is closed or goes to court.
question
Preserve the evidence
answer
The first rule for all investigations.
question
Evidence Custody Form
answer
Helps to document what has and has not been done with the original evidence and forensic copies of the evidence.
question
Who recovered the evidence; when the evidence was recovered; who possessed the evidence at the time it was recovered
answer
What information should be documented about evidence?
question
Single-Evidence Form
answer
Lists each piece of evidence on a separate page
question
Multi-Evidence form
answer
An evidence custody form used to list all items associated with a case.
question
anti-static bags
answer
Which type of bag should be used when collecting computer evidence?
question
Single-Evidence Form
answer
This form gives you more flexibility in tracking separate pieces of evidence for your chain-of-custody log.
question
Attorney-Client Privilege
answer
When conducting a computer forensic analysis under ______ rules for an attorney, you must keep all findings confidential.
question
Interview
answer
Usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
question
Interrogation
answer
The process of trying to get a suspect to confess to a specific incident or crime.
question
Forensic Workstation
answer
To conduct an investigation and analysis, you must have a specifically configured PC known as?
question
Forensic Workstation
answer
A computer loaded with additional bays and forensic software.
question
MS-DOS 6.22
answer
The least intrusive OS to disks in terms of changing data.
question
Hardware Write-Blockers
answer
Some of these are inserted between the disk controller and the hard disk, and others are connected to USB or FireWire ports.
question
Things required for a Forensics Workstation
answer
A workstation; a write-blocker device; a computer forensic acquisition tool; a computer forensic analysis tool; a target drive; spare PATA or SATA ports; USB ports
question
Bit-Stream Copy
answer
A bit-by-bit copy (also known as a sector copy) of the original drive or storage medium; an exact duplicate that includes unallocated space and file slack, not just the files a backup tool would see.
question
Backup Software
answer
This type of software can only copy or compress files that are stored in a folder or are a known file type.
question
Bit-Stream Image
answer
The file containing the bit-stream copy of all data on a disk or disk partition.
question
Forensic Copy
answer
Another name for Bit-Stream Image
question
Preserve the original evidence
answer
The first rule of computer forensics
question
Case Critique
answer
In order to improve your work, you need to do a __________ after the case is closed.
question
low-emanating Workstation
answer
A workstation that is more expensive than the average workstation, but less expensive than a TEMPEST lab.
question
2, 1
answer
The ideal configuration for multiple work stations is to have ____ forensic workstations plus ____ non-forensic workstation with Internet Access.
question
2, 0
answer
Large or regional computer forensic labs should have at least ___ controlled exits and ____ windows.
question
Uniform Crime Report
answer
Annual ___________ are generated at the federal, state, and local levels to show the types and frequency of crimes committed.
question
IACIS (International Association of Computer Investigative Specialists)
answer
One of the oldest professional computer forensic organizations created by police officers who wanted to formalize credentials in computing investigations.
question
NTFS
answer
New Technology File System
question
FAT16, FAT32, NTFS
answer
Windows File Systems:
question
SIGs (Special Interest Groups)
answer
These can be a valuable source of support for recovering and analyzing uncommon systems.
question
Disaster recovery Plan
answer
This ensures that you can restore your workstation and file servers to their original condition if a catastrophic failure occurs.
question
Backup System
answer
Central to a disaster recovery plan is:
question
RAID
answer
For labs using high-end ______ servers, you must consider methods for restoring large data sets.
question
Electromagnetic Radiation (EMR)
answer
Most electronic devices emit this
question
intercept
answer
Certain kinds of equipment can _________ EMR, which can be used to determine the data the device is transmitting or displaying.
question
TEMPEST
answer
A ________ lab requires lining the walls, ceiling, floor, and doors with specially grounded conductive metal sheets.
question
TEMPEST
answer
Shielding that protects sensitive computing systems and prevents electronic eavesdropping on computer emissions.
question
Configuration Management
answer
A process which records all updates you make to your workstation.
question
Risk Management
answer
Determining how much risk is acceptable for any process or operation.
question
image file
answer
The data a computer forensics tool collects is stored as a __________
question
raw format
answer
This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these files is referred to as?
question
Proprietary format
answer
This type of format typically offers several features that complement the vendor's analysis tool.
question
Advanced Forensic Format (AFF)
answer
A new open-source acquisition format developed by Dr. Simson L. Garfinkel
question
Static Acquisition
answer
This type of acquisition is typically done on a computer seized during a police raid.
question
Live Acquisition
answer
If a computer has an encrypted drive, this type of acquisition is done (the data is captured while the system is still running and the volume is unlocked).
question
Static Acquisitions
answer
This is the preferred way to collect digital evidence.
question
Logical Acquisition
answer
Captures only specific files of interest to a case or specific file types
question
Sparse Acquisition
answer
Collects what a logical acquisition collects, plus fragments of unallocated (deleted) data.
question
Sparse Acquisition
answer
Use this acquisition method only when you don't need to examine the entire drive.
question
Hardware Acquisition
answer
This type of acquisition tool can access the drive at the BIOS level
question
2
answer
As standard practice, make at least ____ images of digital evidence you collect.
question
Write-blocking hardware device
answer
Because Windows can easily contaminate your evidence drive (it mounts attached volumes and writes to them automatically), you must protect it with a well-tested ___________________.
question
Live CDs
answer
Bootable Linux ISO images are referred to as
question
Computer Forensics
answer
Several Linux Live CD ISO images are designed specifically for
question
fdisk -l
answer
This Linux command lists all attached drives and their partitions; on older kernels IDE drives appear as hda, hdb, and so on (current kernels present every drive as sda, sdb, and so on).
question
Government Agencies
answer
Private-sector organizations include business and ________ that aren't involved in law enforcement.
question
Expectation of Privacy
answer
If a company does not publish a policy stating that it reserves the right to inspect computing assets at will or display a warning banner, employees have a(n) ___________
question
Limiting Phrase
answer
When an investigator finds a mix of information, judges often issue a(n) ______ to the warrant, which allows the police to separate innocent information from evidence.
question
bit-stream
answer
If decontamination of a crime scene might destroy electronic evidence, a HAZMAT specialist or an investigator in HAZMAT gear should make a(n) _________ image copy of a suspect's hard disk.
question
HAZMAT
answer
You should rely on this when dealing with terrorist attacks
question
Konqueror
answer
Web browser (part of the KDE desktop, included on some Linux Live CDs).
question
Low-Level investigations
answer
What most cases in the corporate environment are considered
question
FOIA (Freedom of Information Act)
answer
Agencies must comply with these laws and make documents they find and create available as public records.
question
AFIS (Automated Fingerprint Identification System)
answer
Fingerprints can be checked against these systems.
question
innocent information
answer
Information unrelated to a computing investigation case.
question
commingled data
answer
Confidential business data that might be included with the criminal evidence.
question
Commingled
answer
Placing child pornography images in a subfolder where bicycle plans are stored is doing what to the data?
question
ISPs
answer
Can investigate computer abuse committed by their employees, but not customers.
question
CTIN (Computer Technology Investigators Network)
answer
List one organization mentioned in the chapter that provides computer forensics training.
question
false
answer
Computer forensics and data recovery refer to the same thing, true or false
question
Fourth Amendment
answer
Police in the United States must use procedures that adhere to which of the following?
question
c
answer
The triad of computing security includes which of the following? Answer a b c or d a. Detection, response, and monitoring b. vulnerability assessment, detection, and monitoring c. vulnerability assessment, intrusion response, and investigation d. vulnerability assessment, intrusion response, and monitoring
question
embezzlement, e-mail harassment, cyberstalking
answer
List three common types of digital crime.
question
false
answer
A corporate investigator must follow Fourth Amendment standards when conducting an investigation
question
d
answer
Policies can address rules for which of the following? Answer a b c or d a. when you can log on to a company network from home b. the internet sites you can or cannot access c. the amount of personal email you can send d. any of the above
question
right to monitor
answer
List an item that should appear on an internal warning banner.
question
True
answer
Warning banners are often easier to present in court than policy manuals are
question
false
answer
under normal circumstances a corporate investigator is considered an agent of law enforcement
question
Corporate environment
answer
fraud, embezzlement, insider trading, espionage, and email harassment are all types of computer investigations typically conducted in the __________________.
question
professional conduct
answer
_________ is ethics, morals, and standards of behavior. It is important because it determines your credibility.
question
Professional Journal
answer
This helps you remember what procedures were followed if the case ever goes to court.
question
Still being debated
answer
Laws and procedures for PDAs are which of the following? a. well established b. still being debated c. on the law books d. none of the above
question
Authorized requester
answer
A(n) __________ should be appointed to avoid conflicts from competing interests between organizations or departments.
question
affidavit
answer
The purpose of an __________ is to provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant.
question
who, what, when and where
answer
What are the necessary components of a search warrant?
question
evidence custody form
answer
Case number, investigator and location evidence was obtained are all items that should be on a ___________.
question
Risk assessment
answer
________ should be done to list problems that might happen when conducting your investigation as an aid in planning a case.
question
false
answer
You should always prove the allegations made by the person who hired you.
question
True
answer
For digital evidence, an evidence bag is typically made of antistatic material
question
b
answer
Who should have access to a secure container? answer a b c or d a. only the primary investigator b. only the investigators in the group c. everyone on the floor d. only senior-level management
question
write-protected
answer
Evidence media should be _________ to ensure that it is not altered.
question
case report
answer
An explanation of basic computer and network processes, a narrative of what steps you took, and a description of your findings should all be included in your __________.
question
Chain of custody
answer
What do you call a list of people who have had physical possession of the evidence?
question
acquisitions officer
answer
providing a list of all components that were seized, noting whether the computer was running at the time it was taken into evidence, making notes of the state of the computer at the time it was acquired, noting the operating system if the computer is running, and photographing any open windows to document currently running programs are all jobs that a ________ is responsible for at a crime scene.
question
confidentiality
answer
The most important point to remember when assigned to work on an attorney-client privilege case is?
question
Attorney-Client
answer
You should minimize written correspondence, make sure all written documentation and communication includes a label stating that it is privileged communication and confidential work product, and assist the attorney and paralegal in analyzing data when working on a(n) ___________ case.
question
False
answer
Data collected before an attorney issues a memorandum for an attorney client privilege case is protected under the confidential work product rule.
question
True
answer
An employer can be held liable for email harassment true or false
question
d
answer
Building a business case can involve which of the following? answer a b c or d a. Procedures for gathering evidence b. testing software c. protecting trade secrets d. all of the above
question
False
answer
The ASCLD mandates the procedures established for a computer forensic lab, true or false?
question
d
answer
The manager of a computer forensic lab is responsible for which of the following? Answer a b c or d a. necessary changes in lab procedures and software b. ensuring that staff members have sufficient training to do the job. c. knowing the lab objectives d. All of the above
question
OS
answer
Uniform Crime report statistics for your area and a list of cases handled in your area or at your company are sources that can help you determine the _________ needed in your lab.
question
business plan
answer
Physical security items, how many machines are needed, which OSs the lab commonly examines, why certain software is needed, and how the lab will benefit the company are all things that should be included in a _______________.
question
certification
answer
IACIS, HTCN, EnCE, and ACE are all popular ________ programs for computer forensics.
question
True
answer
The national cybercrime training partnership is available only to law enforcement true or false
question
Physical Security
answer
________ is critical for computer forensics lab to maintain the chain of custody and prevent data from being lost, corrupted, or stolen.
question
False
answer
If a visitor to your computer forensics lab is a personal friend, it is not necessary to have him or her sign the visitor's log, true or false?
question
Requirements, Cost, Acceptability
answer
What three items should you research before enlisting in a certification program?
question
2
answer
Large computer forensic labs should have at least _______ exits
question
Regional
answer
Typically a(n) _________ lab has a separate storage area or room for evidence.
question
False
answer
Computer forensic facilities always have windows, true or false.
question
False
answer
The chief custodian of evidence storage containers should keep several master keys, true or false?
question
C
answer
Putting out fires in a computer lab typically requires a Class ______ rated fire extinguisher (the US class for fires involving energized electrical equipment).
question
False
answer
A forensic workstation should always have a direct broadband connection to the internet, true or false?
question
NISPOM (National Industrial Security Program Operating Manual)
answer
Which publication provides good information on safe storage containers?
question
ASCLD
answer
Which organization has guidelines on how to operate a computer forensics lab?
question
TEMPEST
answer
What name refers to labs constructed to shield EMR emissions?
question
Static Acquisition
answer
The primary goal of __________ is to preserve digital evidence.
question
proprietary format
answer
This type of file format gives options to compress or not compress files, and has the capability to split an image into smaller segments.
question
Expert Witness Format (EnCase .E01)
answer
Which proprietary format is the unofficial standard?
question
magnetic tape
answer
The advantage of using this type of backup system for forensic acquisitions is that there is no practical limit to the size of data that can be acquired.
question
standard data backup tool
answer
When a suspect's computer can't be taken offline for several hours but can be shut down long enough to switch disks, you should use a ____________ such as Norton Ghost.
question
Validation
answer
What is the most critical aspect of computer evidence?
question
hashing algorithm
answer
A utility designed to create a binary or hexadecimal number that represents the uniqueness of a data set, file or entire disk.
question
md5sum and sha1sum
answer
Which hashing algorithm utilities can be run from a linux shell prompt?
question
hash= , hashlog= , vf=
answer
In the Linux dcfldd command, which three options are used for validating data? (hash= selects the algorithm(s) to compute while copying, hashlog= writes the computed hashes to a file, and vf= verifies the output against a file.)
question
4 GB minus 1 byte (2^32 - 1 bytes)
answer
What is the maximum file size when writing data to a FAT32 drive? (The textbook quotes 2 GB; either way, imaging tools split images into segments, typically 2 GB or smaller, to stay under the limit.)
question
False
answer
R-Studio and DiskExplorer are used primarily for computer forensics. True or false?
question
d
answer
With remote acquisitions, what problem should you be aware of? answer a b c or d a. data transfer speeds b. access permissions over the network c. antivirus, antispyware, and firewall programs, d all of the above
question
ProDiscover
answer
The program _______ provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect's workstation.
question
Servlet
answer
What is the EnCase Enterprise remote program?
question
PDServer
answer
What is the ProDiscover remote access program?
question
DiskExplorer (used with Runtime's HDHost remote-access program)
answer
What is the Runtime Software utility used to acquire data over a network connection?
question
False
answer
HDHost is automatically encrypted when connected to another computer, true or false?
question
TCP/IP, Serial RS232 Port
answer
List the two types of connections in HDHost.
question
True
answer
EnCase, FTK, SMART, and ILook treat the image file as though it were the original disk, true or false?
question
True
answer
When possible, you should make two copies of evidence, true or false?
question
False
answer
FTK imager can acquire data in a drive's host protected area, true or false?
question
a
answer
Corporate investigations are typically easier than law enforcement for which of the following reasons? a. most companies keep inventory databases of all hardware and software used. b. the investigator does not have to get a warrant c. the investigator has to get a warrant. d. users can load whatever they want on their machines.
question
True
answer
In the united states, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause, true or false?
question
True
answer
If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or false?
question
agent of law enforcement
answer
As a corporate investigator, you can become an _______ __ ____ __________ when you begin to take orders from a police detective without a warrant or subpoena and/or your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
question
False
answer
The plain view doctrine in computer searches is well-established law. True or false.
question
a and c
answer
If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following (choose all that apply answer a b c and/or d) a. Coordinate with the HAZMAT team b. Determine a way to obtain the suspect computer c. Assume the suspect computer is contaminated. d. Do not enter alone.
question
forensic hash
answer
Rules for a _______: it can't be predicted, no two files should have the same hash value, and if the file changes, the hash value changes. (Caveat: practical collisions have been demonstrated for both MD5 and SHA-1, so validate with SHA-256 or record more than one algorithm.)
question
collision
answer
In forensic hashes, a ___________ occurs when two files have the same hash value.
question
True
answer
Computer peripherals or attachments can contain DNA evidence, true or false?
question
Browsing open applications
answer
If a suspect computer is running windows 2000, which of the following can you perform safely? a. browsing open applications b. disconnecting power c. Either of the above d. none of the above
question
anything that might be of interest
answer
Describe what should be videotaped or sketched at a computer crime scene.
question
Data Sniffing, Keylogging
answer
Which of the following techniques might be used in covert surveillance? (choose all that apply) a. keylogging b. data sniffing c. network logs d. none of the above
question
commingling
answer
This means confidential business data that might be included with the criminal evidence.
question
SHA-1, MD5
answer
List two hashing algorithms commonly used for forensic purposes.
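Worked example (added here; it is not from the flashcard set or the textbook behind it): the cards on bit-stream copies versus backup software, lossless compression and segmented proprietary image formats, the dcfldd hash=/hashlog=/vf= options, the forensic-hash rules, and MD5/SHA-1 all describe one workflow: image a drive sector by sector while hashing the stream, store the image in compressed segments, then rehash the restored image to prove it still matches. The Python below simulates that on a constructed in-memory "drive" (no real device and no real evidence); the fake drive layout, the allocated-extent list, and the function names are assumptions for illustration only. It also contrasts the bit-stream copy with a logical copy, which misses the deleted remnant in unallocated space, and shows that flipping a single bit makes verification fail.

```python
"""Bit-stream acquisition with on-the-fly hashing, a segmented lossless image,
and later verification. Added example; the "drive" below is constructed in
memory and every name here is illustrative, not a real tool's API."""
import hashlib
import zlib

SECTOR = 512
# MD5 and SHA-1 as on the flashcards; SHA-256 because both have known collisions.
ALGORITHMS = ("md5", "sha1", "sha256")


def make_suspect_drive() -> bytes:
    """Constructed 64 KiB stand-in for a suspect drive (not a real device)."""
    drive = bytearray(128 * SECTOR)
    drive[0:3] = b"MBR"
    drive[8 * SECTOR:8 * SECTOR + 22] = b"allocated:invoice.xlsx"
    # Remnant of a deleted file that still sits in unallocated space.
    drive[60 * SECTOR:60 * SECTOR + 26] = b"deleted:plans_for_acme.doc"
    return bytes(drive)


# Allocated extents as (offset, length): the file-system view a backup tool sees.
ALLOCATED = [(0, SECTOR), (8 * SECTOR, SECTOR)]


def digest_stream(chunks, algorithms=ALGORITHMS) -> dict:
    """Hash an iterable of chunks with several algorithms in a single pass."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def logical_copy(source: bytes, extents=ALLOCATED) -> bytes:
    """What backup software or a logical acquisition captures: allocated data only."""
    return b"".join(source[off:off + length] for off, length in extents)


def bitstream_acquire(source: bytes, segment_size: int = 16 * SECTOR, compress: bool = True):
    """Bit-stream (sector-by-sector) acquisition.

    Every sector is copied in order, allocated or not. The output is split
    into segments, as proprietary formats allow, and optionally compressed
    losslessly. Hashes are computed from the stream as it is read, which is
    what dcfldd's hash= and hashlog= options do; the hash log is returned
    alongside the segments.
    """
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    segments = []
    for offset in range(0, len(source), segment_size):
        seg = source[offset:offset + segment_size]
        for h in hashers.values():
            h.update(seg)
        segments.append(zlib.compress(seg, 9) if compress else seg)
    hashlog = {a: h.hexdigest() for a, h in hashers.items()}
    return segments, hashlog


def bitstream_restore(segments, compressed: bool = True) -> bytes:
    """Reassemble the image from its segments; lossless, so bytes are identical."""
    return b"".join(zlib.decompress(s) if compressed else s for s in segments)


def verify_image(image: bytes, hashlog: dict) -> bool:
    """Equivalent of dcfldd vf=: rehash the image and compare with the log."""
    return digest_stream([image], tuple(hashlog)) == hashlog


def demo() -> dict:
    source = make_suspect_drive()
    segments, hashlog = bitstream_acquire(source)
    image = bitstream_restore(segments)
    tampered = bytearray(image)
    tampered[60 * SECTOR] ^= 0x01  # flip one bit inside the unallocated remnant
    return {
        "image_matches_source": image == source,
        "verify_ok": verify_image(image, hashlog),
        "verify_tampered": verify_image(bytes(tampered), hashlog),
        "compressed_size": sum(len(s) for s in segments),
        "logical_has_deleted": b"deleted:" in logical_copy(source),
        "bitstream_has_deleted": b"deleted:" in image,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the demo results. The point of hashing inside the acquisition loop, as dcfldd does, is that the recorded value describes the bytes exactly as they were read from the source; `verify_image` is the later vf= step run against the stored image. Compression is applied only after hashing and is lossless, so the restored image hashes identically, which is why proprietary formats can compress without weakening validation.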
question
False
answer
Small companies rarely need investigators true or false
question
True
answer
If a company doesn't distribute a computing use policy stating an employer's right to inspect employees' computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
question
Initial response field kit
answer
You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
question
False
answer
You should always answer questions from onlookers at a crime scene. True or False?
question
Affidavit
answer
The document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation.
Unlock the answer
question
allegations
answer
A charge made against someone or something before proof has been found.
question
allegations
answer
A charge made against someone or something before proof has been found.
question
authorized requester
answer
In a corporate environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer.
question
Computer Forensics
answer
The process of applying scientific methods to collect and analyze data and information that can be used as evidence.
question
Computer Investigations
answer
Conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime.
question
CTIN (Computer Technology Investigations Network)
answer
A nonprofit group based in Seattle-Tacoma, WA, composed of law enforcement members, private corporation security professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest.
question
Criminal Case
answer
A case in which criminal law must be applied.
question
Criminal Law
answer
Statutes applicable to a jurisdiction that state offenses against the peace and dignity of the jurisdiction and the elements that define these offenses.
question
data recovery
answer
A specialty field in which companies retrieve files that were deleted accidentally or purposefully.
question
disaster recovery
answer
A specialty field in which companies perform real-time backups, monitoring, data recovery, and hot site operations.
question
enterprise network environment
answer
A large corporate computing system that can include formerly independent systems.
question
approved secure container
answer
A fireproof container locked by a key or combination.
question
attorney-client privilege
answer
Communication between an attorney and client about legal matters is protected as confidential communication. The purpose of having confidential communications is to promote honest and open dialogue between an attorney and client. This confidential information must not be shared with unauthorized people.
question
bit-stream copy
answer
A bit-by-bit duplicate of data on the original storage medium. This process is usually called "acquiring an image" or "making an image."
question
bit-stream image
answer
The file where the bit-stream copy is stored; usually referred to as an "image," "image save," or "image file."
question
bit-stream image
answer
The file where the bit-stream copy is stored; usually referred to as an "image," "image save," or "image file."
question
chain of custody
answer
The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.
question
evidence bags
answer
Antistatic bags used to transport removable media, hard drives, and other computer components.
question
evidence custody form
answer
A printed form indicating who has signed out and been in physical possession of evidence.
question
forensic copy
answer
Another name for a bit-stream image.
question
forensic workstation
answer
A workstation set up to allow copying forensic evidence, whether on a hard drive, USB drive, CD, or Zip disk. It usually has software preloaded and ready to use.
question
password-cracking software
answer
Software used to recover passwords, either by hashing candidate passwords and matching the results against stored password hashes, or by guessing passwords directly from common combinations, word lists, or brute-force enumeration.
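The hash-matching technique the password-cracking card describes, as an added example that is not from the page or from any cracking tool: guesses from a small wordlist are passed through simple mangling rules, hashed once per algorithm, and looked up against stored unsalted MD5/SHA-1 hashes; a second routine shows why a per-user salt forces the whole guess loop to be repeated for every account. The wordlist, usernames, salt and "stored" hashes are all constructed here (the hashes are built from plaintexts in the block only so it runs offline; a real case starts from the hashes alone).

```python
import hashlib

# Constructed wordlist; a real run would read a large dictionary file.
WORDLIST = ["password", "letmein", "summer", "forensics", "qwerty"]

ALGOS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def digest(algo, data):
    """Hex digest of `data` (bytes) under the named algorithm."""
    return ALGOS[algo](data).hexdigest()


def candidates(words, max_suffix=999):
    """Simple mangling rules: case variants, a trailing '!', a numeric suffix."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            yield base + "!"
            for n in range(max_suffix + 1):
                yield f"{base}{n}"


def crack_unsalted(stored, words):
    """stored: {user: (algo, hex_hash)} with no salt.
    Each guess is hashed once per algorithm and looked up against every
    user's hash, so the cost is per guess, not per guess per user."""
    by_algo = {}
    for user, (algo, h) in stored.items():
        by_algo.setdefault(algo, {}).setdefault(h, []).append(user)
    found = {}
    for guess in candidates(words):
        for algo, table in by_algo.items():
            users = table.get(digest(algo, guess.encode()))
            for u in users or ():
                found.setdefault(u, guess)
        if len(found) == len(stored):
            break
    return found


def crack_salted(stored, words):
    """stored: {user: (algo, salt_hex, hex_hash)} where hash = H(salt || password).
    The salt defeats shared lookup tables: every user needs a fresh loop."""
    found = {}
    for user, (algo, salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for guess in candidates(words):
            if digest(algo, salt + guess.encode()) == h:
                found[user] = guess
                break
    return found


# Constructed "recovered" hashes (hypothetical accounts).
UNSALTED = {
    "alice": ("md5", digest("md5", b"Summer42")),
    "bob": ("sha1", digest("sha1", b"letmein!")),
    "carol": ("md5", digest("md5", b"Zq9#mv-unknown")),  # not reachable from WORDLIST
}
SALTED = {
    "dave": ("sha1", "a1b2c3d4",
             digest("sha1", bytes.fromhex("a1b2c3d4") + b"forensics7")),
}

if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED, WORDLIST))
    print("salted:  ", crack_salted(SALTED, WORDLIST))
```

Carol's hash stays uncracked because no mangling rule produces her password; that is the normal outcome for a strong password and the point at which a tool moves to brute force or gives up.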
question
password protected
answer
The method of requiring a password to limit access to certain files and areas of storage media; this method prevents unintentional or unauthorized use.
question
password protected
answer
The method of requiring a password to limit access to certain files and areas of storage media; this method prevents unintentional or unauthorized use.
question
repeatable findings
answer
Being able to obtain the same results every time from a computer forensics examination.
question
ASCLD (American Society of Crime Laboratory Directors)
answer
A national society that sets the standards, management, and audit procedures for labs used in crime analysis, including computer forensics labs used by the police, FBI, and similar organizations.
question
business case
answer
A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility. In many instances, a business case shows how upgrades will benefit the company.
question
CEECS (Certified Electronic Evidence Collection Specialist)
answer
A certificate awarded by IACIS at completion of the written exam.
question
CFCE (Certified Forensic Computer Examiner)
answer
A certificate awarded by IACIS at completion of all portions of the exam.
question
configuration management
answer
The process of keeping track of all upgrades and patches you apply to your computer's OS and applications.
question
HTCN (High Tech Crime Network)
answer
A national organization that provides certification for computer crime investigators and computer forensics technicians.
question
risk management
answer
The process of determining how much risk is acceptable for any process or operation, such as replacing equipment.
question
Secure Facility
answer
A facility that can be locked and allows limited access to the room's contents.
question
SIGs (Special Interest Groups)
answer
Associated with various operating systems, these groups maintain electronic mailing lists and might hold meetings to exchange information about current and legacy operating systems.
question
TEMPEST
answer
A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can't be monitored or accessed easily by someone outside the facility.
question
Uniform Crime Report
answer
Information collected at the federal, state, and local levels to determine the types and frequencies of crimes committed.
question
AFF (Advanced Forensic Format)
answer
A data acquisition format developed by Simson L. Garfinkel and Basis Technology. This open and extensible format stores image data and metadata. File extensions include .afd for segmented image files and .afm for ______ metadata.
question
live acquisition
answer
A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it's not write-protected. ___________ aren't repeatable because data is continually being altered by the suspect computer's OS.
question
live acquisition
answer
A data acquisition method used when a suspect computer can't be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it's not write-protected. ___________ aren't repeatable because data is continually being altered by the suspect computer's OS.
question
logical acquisition
answer
This data acquisition method captures only specific files of interest to the case or specific types of files, such as Outlook PST files.
question
raw format
answer
A data acquisition format that creates simple sequential flat files of a suspect drive or data set.
question
RAID (Redundant Array of Independent Disks)
answer
Two or more disks combined into one large drive in several configurations for special needs. Some _______ systems are designed for redundancy to ensure continuous operations if one disk fails. Another configuration spreads data across several disks to improve access speeds for reads and writes.
question
Sparse Acquisitions
answer
Like logical acquisitions, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.
question
Static Acquisitions
answer
A data acquisition method used when a suspect drive is write-protected and can't be altered. If disk evidence is preserved correctly, _____________ are repeatable.
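The bit-stream copy, raw format and static acquisition cards describe one procedure: read every block of a write-protected source into a flat image file and prove the copy is exact. As an added example, not code from the page or from any acquisition tool it names, the Python below does that against a constructed in-memory "drive" written to a temporary file: it hashes the data with MD5 and SHA-1 as it streams through, acquires a second time to show the hashes repeat, and re-verifies after a one-byte change to the image to show the check fails. The sample bytes, file names and 512-byte block size are assumptions for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample "drive": not a real image, just bytes, deliberately
# not a multiple of the block size so the tail block is exercised.
SAMPLE_DRIVE = bytes(range(256)) * 64 + b"\x00" * 300   # 16,684 bytes

BLOCK_SIZE = 512  # sector-sized reads, like dd bs=512 (assumed)


def acquire_raw(src_path, img_path, block_size=BLOCK_SIZE):
    """Bit-stream copy src_path into a raw (flat) image file, hashing every
    byte as it passes through. Returns (md5_hex, sha1_hex, bytes_copied)."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    copied = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            block = src.read(block_size)
            if not block:
                break
            img.write(block)
            md5.update(block)
            sha1.update(block)
            copied += len(block)
    return md5.hexdigest(), sha1.hexdigest(), copied


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent re-hash of a file; used to verify source and image."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(src_path, img_path, expected):
    """Both the original and the image must match the acquisition hashes."""
    return hash_file(src_path) == expected and hash_file(img_path) == expected


def demo():
    """Run a full acquire / verify / re-acquire / tamper cycle in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.bin")
        img = os.path.join(d, "suspect.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_DRIVE)
        md5_1, sha1_1, n = acquire_raw(src, img)
        # Static acquisition of unchanged, write-protected media is repeatable.
        md5_2, sha1_2, _ = acquire_raw(src, os.path.join(d, "second.dd"))
        repeatable = (md5_1, sha1_1) == (md5_2, sha1_2)
        verified = verify_image(src, img, (md5_1, sha1_1))
        # Flip one byte in the image; verification must now fail.
        with open(img, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        tampered_ok = verify_image(src, img, (md5_1, sha1_1))
        return {
            "bytes": n,
            "size_ok": n == len(SAMPLE_DRIVE),
            "md5": md5_1,
            "sha1": sha1_1,
            "repeatable": repeatable,
            "verified": verified,
            "tampered_detected": not tampered_ok,
        }


if __name__ == "__main__":
    print(demo())
```

Hashing on the fly during the copy, then re-hashing both sides afterwards, is the part that makes the finding repeatable: the acquisition hash, the source hash and the image hash all have to agree before the image is treated as evidence.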
question
whole disk encryption
answer
An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.
question
whole disk encryption
answer
An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.
question
4-mm DAT
answer
Magnetic tapes that store about 4 GB of data, but like CD-Rs, are slow to read and write data.
question
AFIS (Automated Fingerprint Identification System)
answer
A computerized system for identifying fingerprints that's connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
question
computer-generated records
answer
Data generated by a computer, such as system log files or proxy server logs.
question
computer-stored records
answer
Digital files generated by a person, such as electronic spreadsheets.
question
Covert Surveillance
answer
Observing people or places without being detected, often using electronic equipment, such as video cameras or keystroke/screen capture programs.
question
CRC (Cyclic Redundancy Check)
answer
A checksum algorithm (for example CRC-32) that reduces a file to a short fixed-size value, shown in hexadecimal, for detecting accidental corruption. The value is not unique: with only 32 bits, different files readily share one, so a CRC is a quick integrity check, not a substitute for a cryptographic hash such as SHA-256 when verifying evidence.
question
digital evidence
answer
Evidence consisting of information stored or transmitted in electronic form
question
digital evidence
answer
Evidence consisting of information stored or transmitted in electronic form.
question
extensive response field kit
answer
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
question
Hazardous Materials (HAZMAT)
answer
Chemical, biological, or radiological substances that can cause harm to people.
question
initial response field kit
answer
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
question
innocent information
answer
Data that doesn't contribute to evidence of a crime or violation.
question
IOCE (International Organization on Computer Evidence)
answer
A group that sets standards for recovering, preserving, and examining digital evidence.
question
keyed hash set
answer
A hash value computed over the data together with a secret key (for example an HMAC), so that only someone holding the key can produce or verify it.
question
limiting phrase
answer
Wording in a search warrant that limits the scope of a search for evidence.
question
limiting phrase
answer
Wording in a search warrant that limits the scope of a search for evidence.
question
low-level investigations
answer
Corporate cases that require less effort than a major criminal case.
question
MD5 (Message Digest 5)
answer
A hash algorithm that produces a 128-bit value (32 hexadecimal characters) for a file or storage medium. Used to determine whether data has been changed. Collisions can now be constructed deliberately, so it verifies an image against its source but shouldn't be relied on alone against an adversary.
question
NIST (National Institute of Standards and Technology)
answer
One of the governing bodies responsible for setting standards for various U.S. industries.
question
nonkeyed hash set
answer
A hash value computed by a software tool from the data alone, with no secret key; anyone can recompute it to check that the data is unchanged.
question
Person of interest
answer
Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
question
Plain View Doctrine
answer
When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. As applied to executing searches of computers, the plain view doctrine's limitations are less clear.
question
Servlet
answer
A small, server-resident program that typically runs automatically in response to user input.
question
Nonkeyed Hash Set
answer
Most computer forensic hashing needs can be satisfied with a _____________________.
question
MD5
answer
You can use the ____ function in FTK Imager to obtain the digital signature (hash value) of a file or an entire drive.