• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/203

Click to flip

203 Cards in this Set

  • Front
  • Back
What is Computer Forensics?
The procedural preservation, identification, extraction, documentation, and interpretation of computer media for evidence and/or root cause analysis.
What does Computer Forensics involve?
Involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court.
What is Computer Forensics?
The preservation, identification, extraction, documentation and interpretation of digital data.
What methods of Investigation do Computer Forensics and Network Forensics use, Differentiate them!
?
Where the partition table is located and how is it represented using EnCase?
?
What type of information is in the partition table?
?
What does a security incident comprises of?
An unexpected, unplanned event that could have a negative impact on IT resources, requires immediate action to prevent further negative impacts, and violates security policies of circumvents security mechanisms.
How can you tell if a partition is active?
byte offset 446 will have a hex value 80 denoting it is active
How can you tell if a partition is not active?
byte offset 446 will have a hex value of 0
What are the two types of incidents?
1.Examine computers used in committing a crime. (Computer provide a location for data relative to their criminal activities.)

2. Examine computers targeted in a crime.
(Victims)
How does an individual become EnCE certified?
-Possess licensed EnCase software with an order number.
-18 months total investigative experience with at least 6 months experience in computer forensic examinations.
-Experience must be verified via signed application and endorsement
-All application and supporting documents
-Complete Phase I and Phase II of Exam
or
80 hours of authorized classroom training with 18 months total investigative experience including 6 months of computer forensics examinations OR 3 hours of authorized classroom with 2years total investigative experience.
What are the 5 rules of evidence?
1.Admissible
2.Authentic
3.Complete
4.Reliable
5.Believable
Allocation unit
Same as a cluster
Cluster
1.Storage allocation units of 512, 1024, 2048, 4096, or more bytes
2. Assigned logical addresses as they are assigned by the OS vs. Sectors that are physical addresses.
Block
Data Storage Unit, AKA allocation unit or cluster.
Metadata
Data within Data describing Data
Volume
A collection of addressable sectors that are used by an OS or application to store data.
Partition
A collection of consecutive sectors within a VOLUME, and those sectors are addressable by a single file system specific to and contained within that partition!
BCD
Boot Configuration Data
MBR
Master Boot Record
VBR
Volume Boot Record
FAT12
Supports 2^12 clusters theoretically or 4,084 in reality
FAT16
Supports 2^16 clusters theoretically or 65,524 in reality
FAT32
Supports 2^32 clusters theoretically or 67,092,481 in reality
NTFS
New Technology File System
Who needs computer forensics and the general uses of computer forensics?
?
What is evidence and where it may be
?
Obfuscation
To obscure, or attempt to hide something
The different hardware components?
Basically all hardware that makes up a complete computer, IE Motherboard, CPU, Case, Heat sink, HDD, etc.
What is a file system?
A system or method of storing and retrieving data on a computer system that allows a hierarchy of directories, sub-directories, and files.
Power-up sequence
1. Power Button
2. BIOS
3. POST
4. BIOS From Add-in Cards
5. Load RAM with BIOS data
6 Check for boot sequence from either A drive or C drive
7. MBR (IF C)
8. Boot partition (If C)
9. Boot Record (If C)
10. IO.sys
11. Msdos.sys
12. Config.sys
13. Command.Com
14. Autoexec.bat
4th Amendment
Part of the Bill of Rights which guards against unreasonable searches and seizures, along with requiring any warrant to be judicially sanctioned and supported by probable cause.
What is Slack Space?
Data between the end of the logical file to the end of the cluster containing the data
What happens to deleted files?
Pointer to file is deleted and space is freed up as available by the OS
End of File
EOF or hex value of 0xFFFF
What does FAT consist of?
Consists of 2 major components:
1. Directory Entries
2. File Allocation Tables
What are the major components of FAT
1.Reserved area for Volume Boot Sector
2.File Allocation Table area
3.Data Storage Area
Advantages of using FAT?
?
Advantages of using NTFS?
?
ISO 9660
Revision of High Sierra, first standard of CDs
uses 8 dot 3 file naming (only 8 character names, no file extensions allowed)
Sub-directories only 8 deep
files had to be contiguous
Joilete
Microsoft extension to ISO 9660
Files can be 64 characters long
8 layer deep subdirectories
UDF
Universal Disk Format
Fairly new
Uses technique called packet writing
Allows for 255 character file names
What is Reserved area on a disk?
Consists of the volume boot sector, often abbreviated as simply boot sector.
What is reserved area on a disk used for?
?
Boot sectors 4 distinct segments?
1.Jump Instructions to the boot code
2.BIOS parameter block
3.Boot Code and Error Messages
4.Signatures such as the all important 55AA
What is FAT1?
File Allocation Table
Located at the beginning of a FAT volume, immediately following the volume boot record. File allocation table track the allocation status of all clusters and also track fragmentation.
What is FAT2?
Exact copy of Fat1
What are directory entries?
Critical for the FAT system
For every file and directory within a partition, a directory entry exists.
32 bytes long
What does Bookmarking do?
References to specific files or data
critical skill
File Directory Structure
Organization of files into a hierarchy of folders
Basics of NTFS
?
Maximum number of clusters supported by FAT
?
What is the #1 safety concern to all 1st responders?
Personal Safety
What is needed prior to an investigation?
?
What are you looking for in an investigation?
?
What items need to be brought along for an investigation?
?
Securing the scene?
?
Assessment Questions
?
What are the different search authorities?
Recorder
Photographer
Search and seizure specialist
Digital evidence search and seizure specialist
What teams are used in an investigation?
Security Team
Search Team
How do you create a bootdisk or boot CD in EnCase?
Tools>Create Boot Disk and choose to either create a floppy, or choose ISO image to create a CD
What files do we need to change to create a forensic boot disk?
?
What 3 options do we have for boot disks?
Floppy
CD
LinEn
What is HPA?
Host Protected Area
Purpose is to create a place at the end of the drive for vendors to store information (recovery, security, registration, and so on) that will not be seen by the BIOS and hence protected from user access or erasure
What is DCO?
Dynamic Configuration Overlay
Intended as a means of limiting the apparent capacity of a drive. DCO space will appear at the end of the drive and is not seen by the BIOS
DOS Boot Process?
?
Network Cable Acquisition?
?
What is error granularity?
?
What are the different types of FastBloc?
Fastbloc classic-SCSI interface with host
Fastbloc LE- Lab Edition IDE interface, better suited for permanent install
Fastbloc FE - Field Edition allows for USB2 or 1394a (Firewire) host interfaces
What is LinEn?
Linux EnCase
What is EE?
EnCase Enterprise (Civilian Version)
What is FIM?
Field Intelligence Model (Law Enforcement and Government)
What is the differences between EE and FIM?
EE can be purchased and used by anyone.
FIM is only for Law Enforcement and Government
SAFE
Secure Authentication For EnCase
What do drive acquisitions require?
?
What is Network Forensics?
The capture,recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
An Oath- A declaration in writing made upon oath before a person authorized to administer oaths. Especially used as evidence in court.
Affidavit
The act or process of bringing or contesting a legal action in court. Also known as a judicial proceeding or contest.
Litigation
VBR
Volume Boot Record (Volume Boot Sector) AKA "Boot Sector". It is the first sector of a logical volume.
Involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.
Computer Forensics
Yields information about how a perpetrator or hacker gained access to a network.
Network Forensics
Involves recovering information from a computer that was deleted by mistake or lost during a power surge.
Data Recovery
Popular Computer Forensics Tool
EnCase
In this type of case, a suspect is tried for a criminal offense, such as burglary, murder or molestation.
Criminal
Provides a record of clues to crimes that have been committed previously and is an aid for all current and future investigations.
Police blotter
Groups of sectors that hold content data.
Allocation units
The Master Boot Record on a hard drive.
MBR partition
Usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs the end user that the organization reserves the right to inspect computer systems and network traffic at will.
Warning banner
What is the difference between computer forensics and network forensics?
Computer forensics focus on end user systems and devices. Network forensics focus on information systems and communications in a networked environment.
How is computer forensics different than data recovery?
Data recovery is reconstruction and/ or retrieval of information lost by a user, software or mechanical failure. Forensics is a legally accepted practice of preserving and analysis of digital information.
What are 5 hardware components of a computer?
Chassis
Motherboard
RAM
Power Supply
Hard Drive
1.Admissible
2.Authentic
3.Complete
4.Reliable
5.Believable
The 5 rules of evidence
Formats that divide a disk drive into partitions. Examples include GUID partition table, NTFS MAster Boot Record, Apple Partition Table.
Partition Table
AKA "Allocation Unit". Unit of disk space allocation for files and directories. Smallest logical amount of disk space that can be allocated to hold a file.
Cluster
Can be used in place of the term "drive. A single accessible storage area with a single file system.
Volume
Any space left over between the last byte of the file and the first byte of the next cluster.
Slack Space
MFT
Master File Table
In NTFS, all file data are stored as metadata in the Master File Table.
First sector of the logical volume.
VBR
A volume that can store up to 4, 084 clusters.
FAT12
Overcame the limitation of 512 entries
FAT32
A revised High Sierra standard by the International Organization for Standardization.
ISO 9660
Signifying the end of a file.
EOF or FFFF
The most secure file system of all we have studied.
NTFS
The exact size of a file in bytes.
Files logical size
Boot Sector
55AA
16 bit FAT entry
FAT16
A system that has been around for a very long time that is used in floppy drives, flash media and CD's.
FAT
What is the reserved area on a hard drive?
This is the HPA (Host Protected Area or Hidden Protected Area) Not normally visible to the OS where booting, diagnosis, and recovery resides.
What is DOS 8 dot 3?
Short File Name/SFN. Used by old versions of DOS and Windows prior to Windows 95.
What happens when a file is deleted without going to the recycle bin?
Pointer to the file is deleted and space is marked as available by the OS. The data remains until overwriting.
What steps are taken when a file is read?
The OS calls for the files directory path and reads the information that constitutes the file.
What is the directory entry status byte?
First byte of the 32-byte directory entry. First character of a valid file or directory. Name may contain 0xE5, 0x05. 0x00 means not used.
Documentation showing the seizure, custody and control, and analysis of evidence.
Chain of Custody
The process of placing evidence into containers for transport and labeling said containers with contents and tracking.
Bagging and Tagging
Allows one to take snapshots of a system. Available only to Law Enforcement and Government.
Field Intelligence Model (FIM)
Evidence stored in RAM or otherwise lost when device loses power.
Volatile Digital Device
AKA "Search Warrant". Court order issued by a judge authorizing search for evidence.
Search Authorization
What is the most important consideration when responding to a forensic call?
Planning
What items would you take to a forensics call?
"Everything" Make a checklist including things such as toolkits,gloves, cameras.
What items are considered evidence?
Physical evidence = skin, hair, fingerprints, etc.
Digital evidence = Computer files, Computer logs and screen shots.
How do you prepare for a call to examine digital evidence?
Know as much information as possible before arriving to minimize unknowns.
Who are typically involved in a search and seizure process?
Security Team
Search Team
Who typically makes up a search team?
Recorder
Photographer
Search and seizure specialist
Digital evidence search and seizure specialist
What is the definition of a CPU?
A. The physical computer case that contains all its internal components
B.The computer's internal hard drive
C.A part of the computer whose function is to perform data processing
D. A part of the computer that stores and manages memory.
C. A CPU is the central processing unit, which means it's a microprocessor that performs data processing, in other words, interprets ans executes instructions.
What is the BIOS?
A. BIOS stands for Basic Input Output system and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system.
B. BIOS stands for Bootstrap Initialization Operating System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system.
C. BIOS stands for Boot-level Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system.
D. BIOS stands for Boot Initialization Operating System ans is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and it's operating system.
A. BIOS stands for Basic Input Output System ans consists of all the low-level software that is the interface between the system hardware and its operating system. It loads, typically, from three sources: The ROM/BIOS on the motherboard; the various BIOS ROMs on video cards, SCSI cards, and so forth; and finally. the device drivers.
What is the definition of POST?
A. A set of computer sequences the operating system executes upon a proper shutdown.
B. A diagnostic test of the computer's hardware and software for presence and operability during the boot sequence prior to running the operating system.
C. A diagnostic test of the computer's software for presence and operability during the boot sequence prior to running the operating system.
D. A diagnostic test of the computer's hardware for presence and operability during the boot sequence prior to running the operating system.
D. Power On Self-Test is a diagnostic test of the computer's hardware, such as the motherboard, memory, CD-ROM drive, and so forth. POST does not test the computer's software.
Is the information stored on a computer's ROM chip lost during a proper shutdown?
No, Information contained on a ROM chip, read-only memory, is not lost after the computer has been shutdown.
Is the information contained on a computer's RAM chip accessible after a proper shutdown?
No. Unlike a ROM chip, information contained on a computer's RAM chip is not readily accessible after proper shutdown.
Can information in the BIOS ever change?
Yes. Although not very common, information stored in the BIOS can change, such as when the BIOS needs to be upgraded to support new hardware.
What is the purpose or function of a computer's ROM chip?
A. Long-term or permanent storage of information and instructions.
B. Temporary storage area to run applications.
C. Permanent storage area for programs and files.
D. A portable storage device.
A. ROM (read-only memory) contains information about the computer, such as hardware configuration. Unlike RAM, the information is not lost once power is disconnected.
Information contained in RAM memory (system's main memory), which is located on the motherboard, is _____.
A. volatile
B. nonvolatile
A. Information contained in RAM memory is considered volatile, which means the data is lost after the computer has been disconnected.
What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?
A. 4
B. 16
C. 24
D. Infinity
C. The answer is 24 drive letter (C-Z), with drive letters A and B reserved for floppy driaves.
The smallest area on a drive that data can be written to is a _____, while the smallest area on a drive that a file can be written to is a _____.

A. bit and byte
B. sector and cluster
C. volume and drive
D. memory and disk
B. Data is written to sectors, and files are written to clusters.
The size of a physical hard drive can be determined by which of the following?

A. The cylinder x header x sector
B.The cylinder x head x sector x 512 bytes
C. The total LBA sectors x 512 bytes
D. Adding the total size of partitions
E. Both B and C
E. Multiplying C/H/S gives total amount of sectors in older systems if the number of sectors per track is constant. When it is not, total LBA sectors give total sectors. Multiplying the total number of sectors from the appropriate method by 512 bytes per sector gives the total number of bytes for the physical drive. Adding up the total size of partitions does not include areas outside the partitions, such as unused disk area.
Which is not considered an ouput device?
A. Monitor
B. Printer
C. CD-RW drive
D. Speaker
C. A CD-RW (rewritable) drive is both an input and output device, as opposed to a CD drive, which only reads and inputs data to the computer system.
The electrical pathway used to transport data from one computer component to another is called what?

A. Bus
B. RAM
C. CMOS
D. BIOS
A. A Bus performs two functions: it transports data from one place to another and directs the information where to go.
What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?

A. BIOS
B. Motherboard
C. Expansion card
D. Processor
B. The motherboard is the main circuit board used to attach internal hardware devices to it's connectors.
IDE, SCSI, and SATA are different types of interfaces describing what device?

A. RAM chips
B. Flash memory
C. CPUs
D. Hard drives
D. IDE (Intergrated Drive Electronics), SCSI (Small Computer System Interface), and SATA (Serial ATA, or Serial Advanced Technology Attachment) describe different hard drive interfaces.
What do the terms master, slave, and cable select refer to?

A. External SCSI devices
B. Cable types for external hardware
C. Jumper settings for internal hardware such as IDE hard drives and CD drives.
D. Jumper settings for internal expansion cards.
C. Master, slave, and Cable Select are settings for internal devices such as IDE hard drives and CD drives to identify and differentiate the devices on the same channel.
What can you assume about a hard drive the is pinned as CS?

A. It's an IDE drive
B. It's a SATA drive
C. It's a SCSI drive
D. All of the above.
A. SATA and SCSI hard drives do not require jumper setting configurations.
What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?

A. Master boot record
B. Master file table
C. Volume boot record
D. Volume boot sector
A. The master boot record is always located at the first physical sector on a hard drive. This record stores key information about the drive itself, such as the master partition table and master boot code.
What is the first sector on a volume called?

A. File allocation table
B. Volume boot record or sector
C. Master boot record
D. Volume boot device
B. The first sector on a volume is called the volume boot record or volume boot sector. This sector contains the disk parameter block and volume boot code.
Which of the following is incorrect?

A. The MBR is typically written when the drive is partitioned with FDISK or DISKPART.
B. A file system is a system or method of storing and retrieving data on a computer system that allows for a hierarchy of directories, subdirectories, and files.
C. The VBR is typically written when the drive is high-level formatted with a utility such as format.
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so.
D. All are true statements, except for a portions of D. The partition table is contained within the MBR and consists of a total of 64 bytes, not 16 bytes, which describes up to four partitions using 16 bytes each to do so, not 4 bytes each.
FAT is defined as which of the following?

A. A table consisting of master boot record and logical partitions
B. A table created during the format that the operating system reads to locate data on a drive.
C. A table consisting of file names and file attributes
D. A table consisting of a file names, deleted file names, and their attributes.
B. The FAT (file allocation table) is created by the file system during format and contains pointers to clusters located on a drive.
How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table?

A. It does not affect the corresponding cluster number on a FAT table; therefore, the rest of the sectors associated with the assigned cluster can still be written to.
B. It does not affect the corresponding cluster number on a FAT table; only the corrupted portion of the sector is prevented from being written to.
C. It does affect the FAT table. The corresponding cluster number is marked as bad; however, only the corrupted sector within the cluster is prevented from being written to.
D. It does not affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.
D. When the FAT table marks a cluster as being bad, the entire cluster is prevented from being written to.
Which of the following describes a partition table?

A. It is located at cylinder 0, head 0, sector 1.
B. Is located in the master boot record.
C. It keeps track of the partitions on a hard drive.
D. All of the above.
D. A partition table is located in the master boot record and is always located in the very first sector of a physical drive. The partition table keeps track of the partitions located on the physical drive
Which selection keeps track of a fragmented file in a FAT file system?

A. File allocation table
B. Directory structure
C. Volume boot record
D. Master file table
A. The FAT table assigns numbers to each cluster entry pointing to the next cluster in the cluster run until the last cluster is reached, which is marked as EOF.
If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?

A. It is blank and contains no data.
B. It is marked as bad and cannot be written to.
C. It is allocated to a file.
D. It is unallocated and is available to store data.
D. When the FAT table marks a cluster as 0, it is unallocated clusters, which means it is freely available to store data.
Which of the following is true about a volume boot record?

A. It is always located at the first sector of its logical partition.
B. It immediately follows the master boot record
C. It contains BIOS parameter block and volume boot code.
D. A and C.
D. The Volume Boot Record is always located at the first sector of its logical partition and contains the BIOS parameter block and volume boot code.
The NTFS file system does which of the following?

A. Supports long file names.
B. Compresses individual files and directories.
C. Supports large file sizes in excess of 4GB
D. All of the above.
D. The NTFS file system supports long file names, compresses files and directories, and supports file sizes in excess of 4 GB.
How many clusters can a FAT32 file system manage?

A. 2 x 32 = 64 clusters
B. 2^32 = 4,294,967,296 clusters
C. 2 x 28 = 56 clusters
D. 2^28 = 268, 435, 456 clusters
D. A FAT32 file system theoretically allows up to 228 = 268,435,456 clusters. The extra 4 bits are reserved by the file system, however, and there is an MBR-imposed limit of 67,092,481 clusters, which means FAT32 is capable of supporting a partition size of 2 terabytes.
The FAT tracks the _____ while the directory entry tracks the _____.

A. file name and file size.
B.file's starting cluster and file's last cluster (EOF)
C. file's last cluster (EOF) and file's starting cluster
D.file size and file fragmentation.
C. The FAT tracks the location of the last cluster for a file (EOF), while the directory entry maintains the file's starting cluster number.
How many copies of the FAT does each FAT32 volume maintain in its default configuration?

A. One
B. Two
C. Three
D. Four
B. EAch volume maintains two copies (one for backup):FAT1 and FAT2.
A file's logical size is displayed as?

A. The number of sectors needed that the logical file contains
B. The number of clusters that the logical file contains
C. The number of bytes that a logical file contains
D. The number of bits that the logical file contains.
C. A file's logical size is displayed as the actual number of bytes that the file contains.
A file's physical size is?

A. Always greater than the file's logical size
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster.
C. Both A and B
D. None of the above
B. A file's physical size is the number of bytes to the end of the last cluster, and a file's logical size is the amount of bytes that the actual file contains. A file's physical size can be the same as its logical size.
A directory entry in a FAT file system has a logical size of which of the following?

A. 0 bytes
B. 8 bytes
C 16 bytes
D. One sector
A. A directory entry in a FAT file system has no logical size.
Each directory entry in a FAT file system is _____ bytes in length.

A. 0
B. 8
C. 16
D. 32
D. In a FAT file system each directory entry is 32 bytes in length.
By default, what color does EnCase use to display directory entries within a directory structure?

A. Black
B. Red
C. Gray
D. Yellow
B. Because directory entries are just names with no logical size and because they do not contain any actual data, EnCase displays the information in red.
What is the area between the end of a file's logical size and the file's physical size called?

A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack Space
D. The area between a file's logical size and its physical size is commonly referred to as slack space.
What three things occur when a file is created in a FAT32 file system?
A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.
B. The file name is entered in to the FAT, the directory structure assigns the number of clusters, and the file's data is filled in to the assigned clusters.
C. The directory entry for the file is created, the number of clusters is assigned by the directory structure, and the file's data is filled in to the FAT
D. The directory structure maintains the amount of clusters needed, the file name is recorded in the FAT, and the file's data is filled in to the assigned clusters.
A. The directory structure records the file's information, the FAT tracks the number of clusters allocated to the file, and the file's data is filled in to the assigned clusters.
How does EnCase recover a deleted file?

A. It reads the deleted file name in the FAT and searches for the file by its starting cluster number and logical size.
B. It reads the deleted file name in the directory entry and searches for the corresponding file name in unallocated clusters.
C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.
D. It obtains the deleted file's starting cluster number and size from the FAT to locate the starting location and amount of clusters needed.
C. EnCase recovers deleted files by first obtaining the file's starting cluster number and its size from the directory entry. EnCase determines the number of clusters needed based on the file's size and then attempts to recover the data from the starting extent through the amount of clusters needed.
What does EnCase do when a deleted file's starting number is assigned to another file?

A. EnCase reads the entire existing data as belonging to the deleted file
B. EnCase only reads the amount of data from the existing file that is associated with the deleted file.
C. EnCase marks the deleted file as being overwritten
D. EnCase does not display deleted file name when the data has been overwritten.
C. When EnCase determines that the starting cluster listed in the FAT has been reassigned to an existing file, it reports the previously deleted file as being overwritten.
What information does a file's directory entry in a FAT file system store about itself?

A. File name
B. Date/time
C. File extension
D. Starting cluster (extent)
D. All of the above
E. A file's directory entry stores almost everything about the file with the exception of the actual data itself.
What is the first consideration when responding to a scene?

A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation
A. Without consideration for your own personal safety, none of the other considerations can be accomplished.
What are some variables regarding a facility that you should consider prior to responding to a scene?

A. what types of structure is it?
B. How large is the structure?
C. What are the hours of operation?
D. Is there a helpful person present to aid in your task?
E. All of the above
E. When responding to a facility, your most helpful ally is prior knowledge of the location, its hours of activity, and the people who occupy it.
What are some of the variables regarding items to be siezed that you should consider prior to responding to a scene?

A. Location(s) of computers
B. Type of operating system
C. Workstations or mainframes
D. System-critical or auxiliary machine
E. All of the above
E. When responding to a facility, having prior knowledge of the types and functions of the computers and their locations will help reduce any unforeseen complications, thus easing the task.
Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine.

A. Shut down using Windows XP
B. Shut down by pulling the power cord from the outlet
C. Shut down by pulling the plug from the computer box
D. All of the above
C. Pulling the plug on a workstation, unlike doing so on server, will not lose any critical information.
Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine?

A. Shut down using its operating system
B. Shut down by pulling the power cord from the outlet.
C. Shut down by pulling the plug from the computer box.
D. All of the above
A. Unlike with Windows desktop computer, certain information may not be recovered if a server is not properly shut down. It is best to properly shut down a Windows server and document your actions.
Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?

A. Shut down using its operating system
B. Shut down by pulling the power cord from the outlet.
C. shut down by pulling the plug from the computer box.
D. All of the above.
A. Unix/Linux machines can store critical information that may be lost if the machine is improperly shut down.
When unplugging a desktop computer, from where is it best to pull the plug?

A. Unplug from the back of the computer
B. Unplug from the wall
C. Remove battery
D. Both A and C
A. When unplugging a desktop computer, it is best to unplug a power cord from the back of the computer at the power supply. Unplugging a cord from the outlet connected to an uninterrupted power supply (UPS) will not shut down the computer.
What is the best method to shut down a notebook computer?

A. Unplug from the back of the computer
B. Unplug from the wall
C. Remove the battery
D. Both A and C
D. Removing both the power cord (AC) and the battery (DC) will ensure that no electricity is being fed to the computer.
Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?

A. Shut down using the operating system
B. Shut down by pulling the power cord from the outlet.
C.Shut down by pulling the plug from the computer box
D. All of the above.
C. A MAC should generally be shut down by pulling the power plug from the back of the computer.
Which selection displays the incorrect method for shutting down a computer?

A. DOS: Pull the plug
B. Windows 2000: Pull the plug
C. Windows XP: Pull the plug
D. Linux: Pull the plug
D. The best way to shut down a Linux/Unix system is to perform a proper shutdown using the operating system.
When shutting down a computer, what information is typically lost?

A. Data in RAM memory
B. Running processes
C. Current network connections
D. Current logged-in users
E. All of the above
E. When the system is shut down normally or the plug is pulled, all the other live system-state data mentioned is lost.
Which of the following is not acceptable for "bagging" a computer workstation?

A. Large paper bag
B. Brown wrapping paper
C. Plastic garbage bag
D. Large antistatic plastic bag
E. All of the above are acceptable for bagging a workstation
C. A plastic garbage bag has properties that are conducive to static electricity discharge, which could damage sensitive computer components, including media
In which cicumstance is pulling the plug to shut down a computer system considered the best practice?

A. When OS is Linux/UNIX
B. When the OS is Windows 2000 and known to be running a large business database application
C. When the OS is Windows (NT/2K/2003) Server
D. When Mac OS X Server is running as a web server
E. None of the above
E. In all circumstances described, the best course of action would be a normal shutdown, and thus pulling the plug is considered best practice for any of these.
How is the chain of custody maintained?

A. By bagging evidence and sealing it to protect it from contamination or tampering
B. by documenting what,when, where, why, how, and by whom the evidence was removed from the evidence room
C.By documenting in a log the circumstances under which evidence was removed from the evidence control room.
D. By documenting the circumstances under which evidence was subjected to analysis
E. All of the above
E. The evidence steps described here are an important component in maintaining the chain of custody and hence the integrity of the evidence
It is always safe to pull the plug on a Windows 2000 Professional operating system.

A. True
B. False
B. In a business setting, anything is possible. A large business database could be hosted on a Windows 2000 operating system, as could a number of other critical applications, which include access control systems, critical process software, life-support systems, life-safety alarm monitoring , and so forth.
On a production Linux/Unix server, you must generally be which user to shut down the system?

A. sysadmin
B. administrator
C. root
D. system
C. Generally, unless configured otherwise, you must be root to shut down a Linux/Unix system in a production environment. This prevents a typical user from stopping the system and halting mission-critical computing processes.
When would it be acceptable to navigate through a live system.

A. To observe the operating system to determine the proper shutdown process
B. To document currently opened files (if Enterprise/FIM edition is not available)
C. To observe an encryption program running
D. To access virtual storage facility (if search warrant permits; some are very specific about physical location)
E. All of the above
E. Certain information may not be retrievable after the system has been shut down. Given that, it is acceptable to access a system to retrieve information of evidentiary value as long as the actions are justified, documented, and explained
A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?

A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS
D. Microsoft PC operating systems use backslashes for the directory path structure, whereas Linux/Unix uses forward slashes (/) for the same purpose.
When called to a large office complex with numerous networked machines, is it always a good idea to request the assistance of the network administrator?

A. True
B. False
B. Although most of the time the network administrator knows much more about the computers than the responding examiner and may be of great help, requesting that person's assistance may be detrimental to the investigation if the network administrator is the target of the investigation. As part of your preplanning. you must determine whether the administrator is part of the problem or part of the solution before you make such an approach.
Subsequent to a search warrant where evidence is seized, what items should be left behind?

A. Copy of the affidavit
B. Copy of the search warrant
C. List of items seized
D. A and B
E. B and C
E. Upon leaving the scene of a search, you should leave behind a copy of the signed search warrant and a list of items seized.
When acquiring a hard drive in DOS mode, what would be the cause of EnCase not detecting partition information?

A. The drive has been FDisked and the partition(s) removed.
B. The partition(s) are not recognized by DOS
C. Both A and B
D. None of the above
C. When partitions have been removed or the partitions are not recognized by DOS, EnCase still recognizes the physical drive and acquires it as such.
A standard DOS 6.22 boot disk does not make calls to the C: volume of a hard drive when the diskette is booted.

A. True
B. False
B. A standard DOS 6.22 boot disk accesses the C: volume of a Hard drive, thus causing changes to date/time stamps to certain files.
As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?

A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. Chain of evidence
E. No need to wipe
B. Although EnCase only examines the contents within the evidence files, it is still good forensic practice to wipe/sterilize each hard drive prior to reusing it to eliminate the argument of possible cross-contamination.
If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do?

A. Suspect HPA
B. Suspect DCO
C. Boot with EnCase for DOS and switch to Direct ATA access
D. Boot with LinEn in Linux
E. All of the above
E. You should suspect an HPA or a DCO, Booting with LinEn or booting with EnCase for DOS with Direct ATA access should enable you to see all sectors.
When acquiring digital evidence, why shouldn't the evidence be left unattended in an unsecured location?

A. Cross-contamination
B. Storage
C. Chain-of-custody
D. Not an issue
C. Digital evidence must be treated like any other evidence, whereas a chain of custody must be established to account for everyone who has access to the property.
Which describes an HPA? (Choose all that apply)

A. Stands for Host Protected Area
B. Is not normally seen by the BIOS
C. Is not normally seen through Direct ATA access
D. Was introduced in the ATA-6 specification
A and B. HPA stands for Host Protected Area and is not normally seen by the BIOS. It was introduced in the ATA-4 specification. not ATA-6, and is seen when directly accessed via the Direct ATA mode.
Which describes a DCO?

A. Was introduced in the ATA-6 specification
B. Stands for Device Configuration Overlay.
C. Is not normally seen by the BIOS
D. It may contain hidden data, which can be seen by switching to the Direct ATA mose in EnCase for DOS.
E. All of the above
E. All are correct statements with regard to DCO.
What system files are changed or in any way modified by EnCase when creating an EnCase boot disk?

A. IO.SYS
B. COMMAND.COM
C. DRVSPACE.BIN
D. All of the above
E. None of the above
D. EnCase will modify IO.SYS and COMMAND.COM to redirect any calls from the C: to A: drive. If DRVSPACE.BIN is present, it will be deleted.
Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.

A. True
B. False
B. When reacquiring an image, the MD5 of the original data stream remains the same despite the compression applied.
When reacquiring an image, you can change the name of the evidence.

A. True
B. False
B. When reacquiring, you can change the compresssion, you can add or remove a password, you can change the file segment size, you can change the block and error granularity sizes, or you can change the start and stop sectors. Other properties can't be changed.
Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn? (Choose all that apply)

A. Format the volume with the FAT file system.
B. Give the volume a unique label to identify it.
C. Wipe the volume before formatting to conform to best practices, and avoid claims of cross-contamination.
D. Create a directory to contain the evidence file.
E. Format the volume with the NTFS file system.
F. All of the above.
A, B, C, D. This is a case where you have to chose several correct answers, and there will be questions like this on the examination! All are correct except for E, therefore making F also Incorrect. DOS can't read or write to NTFS. Linux can read to NTFS but can't reliably write to it (translated as forensically sound), although that could change soon.
In Linux, what describes hdb2? ( choose all that apply.)

A. Refers to the primary master
B. Refers to the primary slave
C. Refers to hard drive number 2
D. Refers to the second partition
E. Refers to the secondary master
B and D. Here, hdb2 refers to the second partition on the primary slave.
In Linux, what describes sdb? (Choose all that apply.)

A. Refers to an IDE device
B. Refers to a SCSI device
C. Refers to a USB device
D. Refers to a FireWire device
B, C, and D. Linux will name an IDE device , normally with hda, hdb, hdc, or hdd, to denote their position on the ATA controller (primary master, primary slave, secondary master, secondary slave, respectively). sdb is the second SCSI device, and since LINUX calls USB or FireWire devices SCSI devices, any of the three (B,C, or D) could be represented by sdb
When acquiring USB flash memory, you should write-protect it by doing what?

A. Engaging the write-protect switch, if equipped.
B. Modifying the registry in Windows XP SP2 (or higher) to make USB read-only
C. Using ENBD/ENBCD USB DOS drivers and having EnCase for DOS "lock" the Flash media
D. Using LinEn in Linux with automount of file system disabled.
E. Using FastBloc SE to write-blcok USB, FireWire, SCSI drives
F. All of the above
F. All are methods of write-protecting USB devices, some arguably better than others, but methods nevertheless.
Which type or types of cables can be used in a network cable acquisition?

A. Standard network patch cable
B. CAT-6 network cable
C. Network crossover cable
D. Standard network patch cable used with a crossover adaptor
C and D. A and B are references to standard network cables with no crossover capability. To connect directly between two computers, a network crossover cable must be used, or you can use a regular cable with a crossover adapter, which achieves the same effect.
Should Zip/Jaz disks be acquired with EnCase in DOS or Windows?

A. DOS
B. Windows
A. Zip and Jaz disks should be acquired by EnCase in the DOS mode using the GUEST,EXE command.
When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what?

A. The drivers built into LinEn
B. The drivers provided with the ENBCD
C. The distribution of Linux being used
D. A and B
E. None of the above
C. The level of support for USB, FireWire, SCSI, and other devices is totally dependent on the Linux distribution being used to run LinEn. For the most support, try to use the latest Linux distribution available.
How should CDs be acquired using EnCase?

A. DOS
B. Windows
B. CDs can be safely acquired in the Windows enviroment
Select all that are true about EE and FIM.

A. They can acquire or preview a system live without shutting it down.
B. They can capture live system-state volatile data using the Snapshot feature.
C. With EE, the SAFE is on a seperate PC, administered by the keymaster.
D.With FIM, the SAFE is on the examiner's PC and the keymaster and the examiner are the same person.
E. FIM can be licensed to private individuals.
A, B, C, D. A FIM can be licensed only to law enforcement or military customers. All other statements are correct.
How does an EnCase boot disk differ from DOS 6.22 disk?
A. EnCase boot disk adds the EnCse executable, EN.EXE
B.EnCase boot disk switches all calls from C: to A:
C. Both A and B.
D. None of the above
C. An EnCase boot disk changes all calls to the C: volume to the A: volume and removes unnecessary files. It also adds the EN.EXE file so EnCase can run in the DOS version.