Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
158 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
What are the 3 main elements of digital forensics? |
- Securely collecting computer data - Examining suspect data to discover content - Presenting computer based inormation in courts |
|
|
|
What is the difference between computer forensics and digital forensics? |
- Computer forensics: Obtaining analysed digital information from a computer - Digital forensics: A branch of computer forensics, recover investigation material found in digital devices, including GPS data for example |
|
|
|
What are the first 5 steps to digital forensics according to Nelson et al (the recommended textbook for this half of the module)? |
1) Initial assessment of case 2) Determine approach 3) Design an approach 4) Obtain evidence copy 5) Identify risk assessment |
|
|
|
What are steps 6 - 10 of digital forensics according to Nelson et al (the recommended textbook for this half of the module)? |
6) Test your designed approach 7) Analyse/recover digital evidence 8) Apply evidence to the case 9) Write up case report 10) Critique your investigation |
|
|
|
What are the 3 key principles to a systematic approach to digital forensics? |
- Acquire evidence without altering or damaging the original copy - Authenticate the acquired record against the original (hash) - Analyse data without modifying it |
|
|
|
What are the 7 principles of a systematic approach to digital forensics? |
1) Documentation 2) Reason/justification for actions taken 3) Do not harm any evidence 4) Computer and data are treated as crime scene 5) Chain of custody 6) Use of standard practice 7) FIT toolkits |
|
|
|
Regrarding software of the suspect computer, what must be used/untouched during evidence capture? |
- Do not use software on the suspect computer - Use your own forensic tools on a dedicated forensic investigation computer. |
Encase or FTK imager |
|
|
What is the first principle of the ACPO police guidelines for capturing digital evidence? |
No action taken by law enforcement agencies should change data held on a computer or storage media which may be subsequently relied upon in court |
|
|
|
What is the second principle of the ACPO police guidelines for capturing digital evidence? |
When an agent needs to access original data held on a suspect drive, this agent must be competent to do so, and give evidence explaining the relevance and impact of their actions. |
|
|
|
What is the third principle of the ACPO police guidelines for capturing digital evidence? |
There must be an audit trail of all processes applied to computer evidence. This audit trail must be examined by an independant third party, and be followed to achieve the same result. |
|
|
|
What is the fourth principle of the ACPO police guidelines for capturing digital evidence? |
There should be a superior officer in charge of the investigation, ensuring that all other principles in the ACPO guidelines are adhered to. |
|
|
|
What describes a computer-as-a-target computer crime? |
A computers data or hardware is targeted |
|
|
|
Describe identity theft as a computer crime. |
Gaining relevant information to pose as a different person for mailcious or fraudulent purposes. |
|
|
|
Describe hacking as a computer crime |
Obtaining access to a computer or network without authorisation |
|
|
|
Describe the use of viruses and worms as a computer crime. |
- Virus: Malicious software designed to attack and eventually break a system - Worm: Networking a victim machine with another computer |
|
|
|
Describe cyber-stalking as a computer crime. |
Blackmailing through use of private media acquired maliciously or without the owners permission. |
|
|
|
Describe spamming as a computer crime. |
Sending large amounts of emails to a particular address, ussually to crash or DDoS a mail server |
Criminal to server: "Spam, Spam Eggs and Spam, Spam Ham and Spam or Spam Spam and more Spam" Server: " TOO MUCH SPAM ARGGHH!!" |
|
|
Describe theft of intellectual property as a computer crime. |
- Gaining un-authorised access to patents - Acquiring trade secrets - Assets that belong to a particular organisation - Corporate espionage |
|
|
|
Describe software piracy as a computer crime |
- Uploading and hosting software without authorisation of the software vendor - Similar to the hosting of music, movies and tv shows without the creators authorisation |
Yarr, ill swindle yer software me hearty.... |
|
|
What is the first principle of the principles of digital evidence? |
No action taken should change data |
|
|
|
What is the second principle of the principles of digital evidence? |
If changes to data must be made, the consequences must be understood |
|
|
|
What is the third principle of the principles of digital evidence? |
An audit trail must be created, and a third party should be able to follow this audit trail and achieve the same result. |
|
|
|
What is the fourth principle of the principles of digital evidence? |
There must always be a person who assumes full overall responsibility in an investigation |
|
|
|
How should software be used in a systematic approach to digital forensics ? |
- Do not use software on the suspect machine - Use specialist software to obtain evidence |
EnCase, FTK Imager etc... |
|
|
How should hardware be used in a systematic approach to digital forensics? |
Forensics hardware that blocks writes to the suspect drive |
Tableau |
|
|
What defines a 'computer as a target' crime? |
Where a computers assets (hardware/data) is targetted |
|
|
|
What defines a 'computer as an instrument' crime? |
Use of a computer or group of computers for illegal malicious purposes |
Botnet |
|
|
What five assurances should a forensic expert provide about digital evidence? |
- Preservation - Prevention of contamination - Correct extraction - Accountability - Ethics of investigation |
|
|
|
What are the main objectives of computer forensics? |
To recover, analyse and preserve computer related materials, for presentation in court |
|
|
|
What is a chain of custody? |
A complete and traceable audit trail of evidence from acquisition to presentation in court |
|
|
|
What is the definition of digital evidence? |
Any information of probative value which is stored or transmitted in a digital form |
|
|
|
What are the 5 classes of hardware that digital evidence could be obtained from? |
- Peripherals - Storage devices - Mobile devices - Cameras - Networking hardware |
|
|
|
When is a search warrant issued? |
When law enforcement provide sufficient proof that there is probable cause that a crime has been committed. |
|
|
|
What must a law officer specify when searching under a warrant? |
- Premises to be searched - Items being looked for - Persons to be searched and interviewed |
|
|
|
What is volatile data? |
Data that is easily changed - For example RAM data or Temporary file systems |
|
|
|
What are the rules of evidence? |
- Allowable - Authentic - Complete - Reliable - Believable |
There are 5 |
|
|
What is Locard's Principle? |
- Physical evidence cannot be wrong - Physical evidence is silent and immutable. |
|
|
|
What should suspect drives be stored in to avoid damage? |
Anti-static bag |
|
|
|
What should be used to read data of a suspect SIM card without compromising its integrity as evidence? |
Forensic SIM card reader |
|
|
|
What should be used to read data from a suspect drive without compromising its integrity as evidence? |
A write blocker |
|
|
|
What are the two types of write blocker? |
- Software - Hardware |
|
|
|
What does a hash function do? |
Takes a string of varying length, and produces a fixed length static string |
|
|
|
What are hash strings used for in digital forensics? What do they support in the chain of custody? |
They are generated from the hard disk image of a suspect drive - They support the audit trail for the chain of custody |
|
|
|
How do hash values support the audit trail in the chain of custody? |
It validates that the investigator has no altered the integrity of the acquired data. |
Validation... |
|
|
During incident response where the suspect machine is off, what should be photographed/sketched? |
The scene and all components - Label the ports and cables going into the suspect machine on the photograph |
|
|
|
During incident response where the suspect machine is off, should the machine be switched on for any reason? |
No |
|
|
|
During incident response, where the suspect machine is off, what should be done with laptop batteries? |
Remove the battery and power source |
|
|
|
What can give clues to accessing a suspect machine when investigating a scene in incident response? |
Diaries, notebooks or other documents with passwords or password hints written on them |
|
|
|
Can an investigator ask the user of the suspect machine about their computer? |
Yes - But only if the circumstances dictate so. |
|
|
|
In addition to photography taken in a machine on incident, what should be photographed/filmed? |
The display and what is on it when investigation begins and any video playback occurring at the time of investigation |
|
|
|
What data can only be collected when the suspect machine is powered on? |
- Running processes - Network traffic info |
|
|
|
In incident response, if a printer is printing what should the investigator do? |
Allow the printer to finish its jobs |
It might run out of ink... |
|
|
When removing the power cable from a suspect machine, which end should be unplugged? |
The end attached to the computer, not the socket |
|
|
|
What are the requirements of a write blocker? |
- Does not allow a protected drive to be changed - Does not prevent obtaining information about any drive - Does not prevent any operations to an unprotected drive |
|
|
|
How does a write blocker work? |
Either: -Denies all write attempts to the selected disk - Caches the writes during session |
One-way data flow, instead of multidirectional like normal. |
|
|
What system software built in to windows can be used as a software write blocker? |
RegEdit |
|
|
|
Where is the write protection registry entry stored in the registry? |
StorageDevicePolicies |
|
|
|
What are the limitations of write blocking? |
- Does not block internal drive operations on suspect drive - Does not work on RAID configs - Does not prevent all changes |
|
|
|
In what type of forensics is write blocking impossible? |
Live forensics |
Its...aLIVE!! |
|
|
What is an imaging tool? |
- A tool that takes a complete bit-by-bit image of a suspect drive |
VM snapshots are similar to this |
|
|
What can imaging tools be used for? |
- Viewing evidence disks and disk-to-image files - Making disk-to-image evidence files |
|
|
|
All remaining bytes between the end of sector and end of cluster are known as _____? |
File slack |
Quit slacking... |
|
|
What is a drive sector? |
It is a segment of a cluster, on a track of a platter of a drive |
Tiniest bit
|
|
|
What is a drive cluster? |
It is a fixed size group of sectors that is allocated by the OS for storing bytes of data. |
|
|
|
What is a drive platter?
|
It is a single flat disk in a hard drive, usually there are 3 or 4 of these stacked together in a commercial hard drive |
Looks like a frisbee (a bit...) |
|
|
What is a drive cylinder? |
It is a combination of all tracks in the same position on each platter from top to bottom of a drive |
|
|
|
What does FAT stand for in the Windows File System?
|
File Allocation Table
|
|
|
|
What is FAT used for in Windows? |
Organise files on the disk so that they are easily accessible by the OS |
|
|
|
What are the main variations of the FAT file system? |
- FAT12 - FAT16 - FAT32 |
|
|
|
How many bytes can be stored on a FAT16 formatted drive between 8 and 32 MB in size? |
512 bytes |
Half a kilobyte |
|
|
How does the amount of bytes on a drive increase with the number of clusters on a FAT16 drive? |
They both double respectively: - 1 cluster = 512 bytes - 2 clusters = 1 KB - 4 clusters = 2 KB |
Times 2 |
|
|
What is the main difference in cluster size between NTFS and FAT16?
|
NTFS allocates the same 4KB cluster with 8 sectors to all drive sizes unless the drive is larger than 16TB. |
Big clusters |
|
|
Is hidden data always user generated? |
No |
|
|
|
What are the most common types of password hiding?
|
- Password protected files - Disk encryption - File encryption - Steganography |
There are 4 |
|
|
What are the main password breaking techniques used in forensics? |
- Brute force - Brute force w/ mask - Dictionary attack - Rainbow tables |
There are 4 |
|
|
What is a brute force/brute force with mask password breaking technique? |
Brute force: Uses all characters, in all configs and combos until it finds a match Brute force with mask: Same as regular brute force, but there is a known part |
One is clueless, the other knows a little |
|
|
What is a dictionary attack?
|
The use of a library of known common passwords, and effectively brute forcing with those preset strings until there is a match, or there is no match. |
Password Password123 etc.. |
|
|
What are rainbow tables and how are they used in password breaking forensics? |
They are databases containing common passwords and their hashed equivalents in MD5, SHA-1 etc. They are then checked against the hash obtained from the suspect system to find a match. |
Match the hash |
|
|
How does Pretty Good Privacy (PGP) encrypt data? |
- Takes plain data - Generates random key - Encrypt data using key - Encrypt the key using a public key - Send file and encrypted key. |
|
|
|
How does Pretty Good Privacy (PGP) decrypt data? |
- Decrypt senders key using receivers private key - Decrypt the encypted data using the decrypted key |
|
|
|
How does TrueCrypt work? |
It mounts a virtual encrypted disk within a file as a real disk. |
|
|
|
Explain data hiding in files and directories. |
- Change name to something misleading
- Change file extension |
|
|
|
Explain the bit shifting data hiding technique. |
Turning data into data that looks like binary executable code |
|
|
|
Explain the partition hiding technique. |
- Create a partition with data in it - Then use a tool to delete all references to that partition |
Digital equivalent of a secret stash |
|
|
Explain steganography. |
The hiding of plain text in an image or sound file - Sometimes that data will be encrypted when it is hidden in a file |
|
|
|
What is an index.dat file in Windows? |
A file used by internet explorer as an active database of web URL's, search queries and opened files |
|
|
|
Where is the index.dat file located in Windows XP? |
- C:\Documents and Settings\\Cookies\ - C:\Documents and Settings\\Local Settings - C:\Documents and Settings\\Temporary Internet Files |
There are 3 locations |
|
|
Where are the index.dat files located in Windows 7/8? |
- C:\users\ \AppData\Roaming\Microsoft\Windows\Cookies - " "\Windows\History - " "\Windows\Temporary Internet Files |
There are 3 locations |
|
|
Where are the index.dat files located in Windows 10? |
- C:\Users\AppData\ Local\Packages\ - C:\Users\AppData\ Local\Microsoft |
There are 2 locations |
|
|
What are the 5 forensically significant mail protocols? |
- SMTP - POP3 - IMAP - EMTP - MIME |
|
|
|
What are the 2 main forensically significant email environments? |
- LAN - WAN |
Local and Wide |
|
|
What are the 4 main email acronyms and what do they stand for? |
- MUA - Mail User Agent - MSA - Mail Submission Agent - MTA - Mail Transfer Agent - MDA - Mail Delivery Agent |
|
|
|
What are the characteristics of a LAN based email system? |
- Private, Local network - Localised admin - Cannot create own accounts - Universal naming convention |
|
|
|
What are the characteristics of an Internet based email system? |
- Public facility - Anyone can sign-up to it - Domain names vary - Global access |
|
|
|
What is forensically significant about an email header? |
It contains useful information: - Receiver/sender - Date/time stamps - IP addresses - Domain names - Traceroute |
Where its going, Where its from, Everything inbetween |
|
|
What does the Microsoft Computer Dictionary define the registry as? |
A central hierarchical database used in Microsoft Windows to store information that is necessary to configure the system |
|
|
|
What is the main weakness of the windows registry? |
It is a single point of failure in the Windows operating system. |
|
|
|
What is the danger associated with editing the Windows registry? |
If editing the registry deletes or corrupts the registry, then Windows will not function. |
|
|
|
What is the difference between a restore point and and backup? |
- Restore point rolls back the system to a particular point in time using previous registry entries - Backup is an image of the system stored separately |
One is a copy, the other reverses |
|
|
What were the 2 key files in the registry of MS-DOS? |
- config.sys - Autoexec.bat |
|
|
|
Windows 3 had the first GUI, what files did it use to configure displays for the GUI? |
.ini files |
|
|
|
What was significant about Windows 3.1? |
It was the first implementation of a rudimentary registry, which was used as a repository for config data |
|
|
|
What is the structure of a modern windows registry? |
5 HKEYS: - 2 primary keys - 3 derived/alias keys |
|
|
|
What do the 3 derived/alias keys in the windows registry do? |
They are shortcuts to branches within the 2 primary hives |
They are a bit like pointers
|
|
|
What are the names of the 2 primary keys in the windows registry? |
- HKEY_CLASS_ROOT (HKCR) - HKEY_LOCAL_MACHINE (HKLM) |
|
|
|
What are the names of the 3 secondary keys in the windows registry? |
- HKEY_CURRENT_USER (HKCU) - HKEY_USERS (HKU) - HKEY_CURRENT_CONFIG (HKCC) |
|
|
|
What are the characteristics of HKEY_CLASS_ROOT in the Windows registry? |
- Largest key in windows - Main function is to associate each extension with a program - Shortcut to 2 keys, HKCU and HKLM |
HKCU - HLEY_CURRENT_USER
HKLM - HKEY_LOCAL_MACHINE |
|
|
What are the characteristics of HKEY_CURRENT_USER in the Windows registry?
|
Establishes environment with 'per-user' settings |
|
|
|
What are the characteristics of HKEY_LOCAL_MACHINE in the Windows registry? |
Establishes environment with 'per-machine' settings |
|
|
|
What are the characteristics of HKEY_USERS in the Windows registry? |
- Contain user environment settings for all users on system - Storage of usernames and passwords as well as other data |
|
|
|
What are the main characteristics of HKEY_CURRENT_CONFIG in the Windows registry?
|
- Establish the current hardware configuration profile - Connects to hardware profiles stored in other keys |
|
|
|
Where is the registry located in Windows XP, Vista and 7? |
C:\windows\system32\config |
|
|
|
Where is the registry located in a windows network environment? |
\documents and settings\ NTUSER.DAT |
|
|
|
What is forensically significant about 'HKCU\ Software\ Microsoft\Protected storage system provider'? |
- This contains references to protected storage, where users may want to hide data. - It also contains encrypted passwords |
HKCU - HKEY_CURRENT_USER
|
|
|
What is forensically significant about 'HKCU\software \microsoft\internetExplorer\ main\TypedURLs'? |
Most recently typed and searched URLs from the user |
HKCU - HKEY_CURRENT_USER |
|
|
What is forensically significant about 'HKCU\software\ microsoft\internetExplorer\ Download Directory'? |
It is a pointer to the last directory used to download files |
HKCU - HKEY_CURRENT_USER |
|
|
What is forensically significant about 'HKCU\software\ microsoft\windows\currentversion\unreadmail\'? |
View Outlook Express entries |
HKCU - HKEY_CURRENT_USER |
|
|
When performing a forensics acquisition, what device is used to prevent the system from recording data on an evidence disk? |
A write-blocker |
Tableau |
|
|
In a computer forensics investigation, what records the route that evidence takes from the time you find it until the case is closed or goes to court? |
Chain of custody |
|
|
|
A __________ _________ is a precomputed table of hash values , usually for cracking passwords. |
Rainbow table |
What pink fluffy unicorns dance on |
|
|
Which file stores graphics, movie, and some document files then generates a preview of the folder contents using a thumbnail cache? |
Thumbs.db |
|
|
|
On a Windows system, how many bytes does a sector typically contain? |
512 |
Half a kilobyte |
|
|
The smallest addressable part of a disk is … |
A sector |
|
|
|
A disk image is best described as ... |
A bit-by-bit copy of a disk |
|
|
|
In the context of passwords, what is a brute force attack? |
You try every single possibility |
|
|
|
A standard EnCase evidence file format is ... |
.E01 |
|
|
|
An expert witness serves ... |
The court |
|
|
|
A password of substantial length is considered secure when it can only be cracked by what sort of password-cracking attack? |
Brute force attack |
Sometimes this attack uses a mask
|
|
|
Kruse and Heiser describe the computer forensics process as consisting of five steps. What are these steps? |
1) Preservation 2) Identification 3) Extraction 4) Interpretation 5) Documentation |
There are 5 answers in total, they have a particular order |
|
|
In EnCase, do both letters and numbers represent physical drives? |
No |
|
|
|
In EnCase, are Numbers reserved for logical drives only? |
No |
|
|
|
In EnCase, will there always be more drives labelled with letters that drives labelled with numbers? |
No |
|
|
|
In EnCase, is there any meaning as to whether a drive is labeled with a number vs. a letter? |
Yes
|
|
|
|
All the remaining bytes within a cluster, between the end of a file and the end of the sector, are termed ____ _____ |
RAM slack |
|
|
|
According to Nelson, when validating the results of a forensic analysis, you should do what? |
1) Calculate the hash using two different tools 2) Use a different tool to compare the results of the evidence you find. |
There are 2 answers |
|
|
What are MD5 and SHA-1 and how do the relate to Digital Forensics? |
They are hash algorithms, they are used to validate that a drive image is un-touched |
Hashy Smashy |
|
|
What is the new name for ACPO? |
NPCC - National Police Chiefs Council |
The Jedi Council of Police |
|
|
What is metadata? |
Data generated from the creation of editing of files and directories |
|
|
|
What are the 3 types of metadata? |
1) Descriptive 2) Standard 3) Administrative |
|
|
|
What is a UPS? |
Uninterruptible Power Supply |
|
|
|
What is the difference between logical and physical drives? |
- Logical drives are addressable by the OS - Physical drives are removable drives that you can hold in your hand |
|
|
|
What is a DD file? |
A raw file produced from a forensic copy of a dive |
|
|
|
What is PKI? |
Management of public/private key encryption |
|
|
|
What is phishing? |
Email marketing |
Apart from annoying... |
|
|
What is an intranet? |
A private network |
|
|
|
What is an extranet? |
An intranet with external access by authorised users |
|
|
|
According to Nelson, why is it easier to track emails on an Intranet?
|
Accounts are created with a standard naming policy |
Everyone has similar names... |
|
|
What is WHOIS? |
A lookup tool for domain names and their owners |
|
|
|
What is the difference between a preview and an image on EnCase? |
- Preview: Browsing through a drive as it is connected through a write blocker - Image: A bit-by-bit image of the suspect drive, acquired through EnCase |
|
|
|
What is the role of the forensic expert in a report? |
- To give their opinion or conclusion as a true expert |
|
|
|
What are the 2 types of forensic report?
|
1) Factual 2) Expert |
|
|
|
According to Nelson, what are the main sections of a forensic report? |
1) Abstract 2) Table of contents 3) Introduction 4) Body of report 5) Conclusion 6) References 7) Glossary 8) Acknowledgements 9) Appenixes |
There are 9 |
|
|
According to CF 4 dummies, what are the main sections of a forensic report? |
1) Introduction 2) Materials for review 3) Background 4) Analysis 5) Findings 6) Attachments |
There are 6 |
|
|
In the US, what are the 2 tests that any forensic expert must pass to be qualified as an expert witness? |
- Frye test 1923 - Daubert test 1993 |
|
|
|
What should be avoided in a forensic report? |
- Jargon - Slang - Colloquial terms |
|
|
|
Do technical terms need to be explicitly defined in a forensic report?
|
Yes, in as simple way as possible |
|
|
|
What are the advantages of a decimal numbering structure in a forensic report? |
- Divides material into sections - Readers can scan the headings - Readers can see how different sections relate to each other - Reduces confusion |
|
|
|
What should be justified and explained in a forensic report? |
- Provide supporting material for conclusion or opinion - Explanation of examination process and data collection methods |
|
