Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key


Play button


Play button




Click to flip

47 Cards in this Set

  • Front
  • Back
What is a collection and analysis of data from computer systems, networks, communications streams (wireless) and storage media in a manner admissable in a court of law?
Computer Forensics
What are the three major phases of digital forensics?
System Presentation, Evidence Searching, and Event Reconstruction
What stage attempts to acquire, or copy, the data from device without modifying the original?
System Preservation
What should be used to prevent inadvertent writing to the source device?
Write blocking device
What stage do you view the copied data and find data that is significant to your requirements?
Evidence searching
What stage leads to prosecution in a court of law and is more for the intrusion analyst?
Event Intrusion
What are the steps of the standard practices?
Isolate systems, create hash and logging
Why should you isolate a system from outside connectivity?
Prevent virus's and tojan horses from connecting and prevent data deletion or corruption.
Where will info ultimately be logged with the image?
National media exploitation Center Database; NMEC
Where will documents and media files resulting from the forensics process be stored?
National ground Intelligence Center National Harmony database
What is the first 512 bytes (sector) of the disk reserved for?
Partitiion table and initial boot code
What are the two ways to acquire a disk drive?
By volume or physical device
What is the space left at the end of a file and end of a sector or cluster?
Slack space
What is the area of the drive that has not been used by the system but is allocated via the partition table?
Free space
What two ways is data stored on a disk drive?
Big Endian and Little Endian
What data storage does Microsoft typically use?
Little Endian
How do Sun Sparc, Motorola and POwer PC store data?
Big Endian
Byte order is read from left to right, most to least significant.
Big Endian
Byte order is read left to right with least to most significant.
Little Endian
What are Encases four major window panes?
Tree, Table, View and Filters
What are the methods that Encase can utilize to acquire info?
Parallel Port Cable, Network Cable, Drive to Drive and FastBlock
What is utilized when no other method is possible and is a direct connection from the examiners system to the other system?
Parallel Port Cable Acquisition
What utilizes the NIC of the examiners system and the subjects computer?
Network Cable Acquisition
What takes the subjects hard drive and places it in the examiners platform acting as a secondary hard drive?
Drive to Drive Acquisition
What involves plugging the hard drive into an external device?
FastBlock Acquisition
What are the two types of FastBlock Acquisition?
FastBlock Lab edition and FastBlock Field edition
Why would you use Parallel Port Cable Acquisition?
Hard drive can not be accessed, hard drive has no write blocking or hard drive does not have DOS supported network interface
This allows the user to view types of e-mail such as Outlook, Outlook express and other web based e-mail.
Sub Tabs Email
What additional tabs appear under the Email Sub Tab?
Home and Attachments
What is the function of the Home tab under the Email Sub Tab?
Displays all e-mail entries
What is the function of the attachments tab under Sub Tab Email?
Displays the associated attachments
Which tab displays info about the media such as acquisition notes, examiners name, hash values and disk configuration parameters?
Sub Tabs Devices
What verifies the header of a file ensuring someone does not hide something by changing the extension of a file?
Verify file signatures
What symbolizes that the header and the extension do not match the file signature?
!Bad Signature
What symbolizes that the header is in the file signature but the extension does not match?
What symbolizes the header is correct for the extension being utilized?
What symbolizes the header and extension are not in the file signature table?
The create hash sets "category" field is case sensitive. T/F
How must the words unknown and notable appear in the create hash sets "category" field?
Unknown and Notable
What is maintained by Heather Strong of the National Drug Intelligence Center and is available to law enforcement only?
What is similar to Hashkeeper but available to everyone?
National Software Reference Library (NSRL)
What is the final phase of Encase?
Producing the report
How is the report built?
Builds itself by book marking items of interest during analysis
What are the two options within the bookmark folder structure?
Include device info and columns
What reports on the physical media?
Include Device info
What determins how to display the directory structure of the file system?
In what process does Encase search through the unallocated clusters looking for the signature of the "dot space double dot" indicating a deleted directory?
Recovering folders