80 Cards in this Set

  • Front
  • Back
affidavit
a document, given under penalty of perjury, that investigators create to detail their findings. It is often used to justify issuing a warrant or to deal with abuse in a corporation
allegation
a charge made against someone or something before proof has been found
authorized requester
person who has the right to request an investigation, such as the chief security officer or chief intelligence officer
computer forensics
the process of applying scientific methods to collect and analyze data and information that can be used as evidence
computer investigations
conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime
Computer Technology Investigators Network
(CTIN)
a nonprofit group based in Seattle, composed of law enforcement members and private-sector security professionals, whose aim is to improve the quality of high-tech investigations in the Pacific Northwest
criminal case
a case in which criminal law must be applied
criminal law
statutes applicable to a jurisdiction that state offenses against the peace and dignity of the jurisdiction and the elements that define these offenses
data recovery
a specialty field in which companies retrieve files that were deleted accidentally or purposefully
disaster recovery
specialty field in which companies perform real-time backups, monitoring, data recovery, and hot-site operations
enterprise network environment
large corporate computing system that can include formerly independent systems
two organizations that provide computer forensics training
CTIN (Computer Technology Investigators Network) and HTCIA (High Technology Crime Investigation Association)
True or False? Computer forensics and data recovery refer to the same activity.
False
The triad of computing security includes...
vulnerability assessment and risk management, network intrusion detection and incident response, and computer investigations
List three common types of digital crime.
fraud, e-mail harassment, cyberstalking, and embezzlement.
6. A corporate investigator must follow Fourth Amendment standards when conducting an investigation. True or False
False
7. What is the purpose of maintaining a network of other computer forensics specialists?
As you move ahead in the field, you need to develop a list of colleagues who specialize in different areas than you in the event you need help on a case
8. Policies can address rules for which of the following?
amount of personal email you can send
when you can log into company network from home
internet sites you can or cannot access
9. List two items that should appear on an internal warning banner.
Answers can include statements that the organization has the right to monitor what users do, that their e-mail is not personal, and so on.
10. Warning banners are often easier to present in court than policy manuals are. True or False?
True
11. Under normal circumstances, a corporate investigator is considered an agent of law enforcement. True or False?
False
12. List two types of computer investigations typically conducted in the corporate environment.
Fraud, embezzlement, insider trading, espionage, and e-mail harassment
13. What is professional conduct and why is it important?
Professional conduct includes ethics, morals, and standards of behavior. It affects your credibility.
14. What is the purpose of maintaining a professional journal?
It helps you remember what procedures were followed if the case ever goes to court. It can also be a useful reference if you need to remember how you solved a challenging problem.
15. Laws and procedures for PDAs are which of the following?
b. Still being debated
16. Why should companies appoint an authorized requester for computer investigations?
to reduce conflicts from competing interests among other organizations or departments, and to avoid starting investigations based on innuendo or jealousy
17. What is the purpose of an affidavit?
To provide facts in support of evidence of a crime to submit to a judge when requesting a search warrant.
18. What are the necessary components of a search warrant?
Who, what, when, and where. In many cases, a search warrant limits the scope of what can be seized.
1. What are some initial assessments you should make for a computing investigation?
Talk to others involved in the case and ask about the incident.
Determine whether law enforcement or company security officers already seized the computer evidence.
Determine whether the computer was used to commit a crime or contains evidence about the crime.
2. What are some ways to determine the resources needed for an investigation?
Determine the OS of the suspect computer.
List the necessary software to use for the examination
3. List three items that should be on an evidence custody form.
Possible answers include case number, name of the investigator assigned to the case, nature of the case, location where evidence was obtained, description of the evidence, and so on.
4. Why should you do a standard risk assessment to prepare for an investigation?
to list problems that might happen when conducting your investigation as an aid in planning your case
5. You should always prove the allegations made by the person who hired you. True or False?
False
6. For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
7. Who should have access to a secure container?
b. Only the investigators in the group
8. For employee termination cases, what types of investigations do you typically encounter?
hostile work environment caused by inappropriate Internet use
sending harassing e-mail messages
9. Why should your evidence media be write-protected?
to ensure that data isn’t altered
10. List three items that should be in your case report.
Answers can include an explanation of basic computer and network processes, a narrative of what steps you took, a description of your findings, and log files generated from your analysis tools.
11. Why should you critique your case after it’s finished?
to improve your work
12. What do you call a list of people who have had physical possession of the evidence?
chain of custody
13. What two tasks is an acquisitions officer responsible for at a crime scene?
Answers can include providing a list of all components that were seized, noting whether the computer was running at the time it was taken into evidence, making notes of the computer's state at the time it was acquired, noting the operating system if the computer is running, and photographing any open windows to document currently running programs.
14. What are some reasons that an employee might leak information to the press?
Reasons range from disgruntled employees wanting to embarrass the company to rival organizations competing against each other.
15. When might an interview turn into an interrogation?
Interviews are intended to collect facts about an investigation. An investigator might find that these facts warrant considering the witness to be a suspect, at which point the interview becomes an interrogation.
16. What is the most important point to remember when assigned to work on an attorney-client privilege case?
Keeping all your findings confidential.
17. What are the basic guidelines when working on an attorney-client privilege case?
Minimize written correspondence; make sure all written documentation and communication carries a label stating that it is privileged communication and confidential work product; and assist the attorney and paralegal in analyzing data.
18. Data collected before an attorney issues a memorandum for an attorney-client privilege case is protected under the confidential work product rule. True or False?
False. All data collected before an attorney issues notice of attorney-client privilege is subject to discovery by opposing counsel.
1. What is the primary goal of a static acquisition?
preservation of digital evidence
2. Name the three formats for computer forensics data acquisitions.
raw format, proprietary formats, and Advanced Forensic Format (AFF)
3. What are two advantages and disadvantages of the raw format?
Advantages: faster data transfer speeds, ignores minor data errors, and most forensic analysis tools can read it. Disadvantages: requires equal or greater target disk space, does not contain hash values in the raw file (metadata), might have to run a separate hash program to validate raw format data, and might not collect marginal (bad) blocks.
4. List two features common with proprietary format acquisition files.
Can compress or not compress the acquisition data; can segment acquisition output files into smaller volumes, allowing them to be archived to CD or DVD; case metadata can be added to the acquisition file, eliminating the need to keep track of any additional validation documentation or files.
5. Of all the proprietary formats, which one is the unofficial standard?
Expert Witness, used by Guidance Software EnCase
6. Name two commercial tools that can make a forensic sector-by-sector duplicate of a drive to a larger drive.
EnCase, SafeBack, and SnapCopy.
7. What does a logical acquisition collect for an investigation?
only specific files of interest to the case
8. What does a sparse acquisition collect for an investigation?
fragments of unallocated data in addition to the logical allocated data
9. What should you consider when determining which data acquisition method to use?
size of the source drive, whether the source drive can be retained as evidence, how long the acquisition will take, and where the disk evidence is located
10. What is the advantage of using a tape backup system for forensic acquisitions of large data sets?
Capacity: an acquisition can span as many tapes as needed, so there is no practical upper limit on the amount of data you can write (the trade-off is slow, sequential access when the data has to be read back).
11. When is a standard data backup tool, such as Norton Ghost, used for a computing investigation?
when the suspect computer can't be taken offline for several hours but can be shut down long enough to switch disks with a Ghost backup, allowing the investigator to take the original disk and preserve it as digital evidence
12. Why is it a good practice to make two images of a suspect drive in a critical investigation?
to ensure at least one good copy of the forensically collected data in case of any failures
13. When you perform an acquisition at a remote location, what should you consider to prepare for this task?
determining whether there's sufficient electrical power and lighting, and checking the temperature and humidity at the location
14. What is the disadvantage of using the Windows XP/Vista USB write-protection Registry method?
The setting (the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies) blocks writes to every USB storage device, so if the target drive is an external USB drive, the image cannot be written to it either.
15. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such a USB thumb drive, containing evidence?
Newer Linux distributions automatically mount the USB device, which could alter data on it (a read-write mount can update file system metadata such as mount counts and journal state). Disable automounting or use a hardware write blocker before connecting evidence media.
16. In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
Wrong. This command reads the image_file.img file and writes it to the evidence drive's /dev/hda1 partition, overwriting the evidence. The correct command is dcfldd if=/dev/hda1 of=image_file.img (if= is the input, of= is the output).
17. What is the most critical aspect of computer evidence?
validation
18. What is a hashing algorithm?
An algorithm that produces a fixed-length binary value (usually displayed in hexadecimal), the digest, that represents a data set, file, or entire disk; any change to the input produces a different digest, which is how an image is validated against the original.
19. Which hashing algorithm utilities can be run from a Linux shell prompt?
md5sum and sha1sum (sha256sum is also available; because MD5 and SHA-1 have known collision attacks, record a SHA-2 digest alongside them)
20. In the Linux dcfldd command, which three options are used for validating data?
hash=, hashlog=, and vf=
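The three dcfldd options above (hash on the fly, write a hash log, re-read the image to verify) are easy to name but worth seeing in action, including what happens when the drive has a marginal sector, as the raw-format card warns. The following is an added example written for this page, not code from the textbook or from dcfldd itself: a pure-Python, dd-style imager that zero-fills unreadable blocks (the conv=noerror,sync behaviour), segments the output, hashes the bytes it writes, records a hash log, and verifies the stored image independently. FlakySource is a constructed stand-in for /dev/hda1 that fails on one sector; any real file object opened read-only on a block device would work in its place. Note that the hashes describe the image, not the drive: when a block has to be zero-filled the two no longer agree, which is exactly why bad blocks must be logged.

```python
"""dd-style raw acquisition with dcfldd-like validation: hash= (hash while
copying), hashlog= (write the digests out) and vf= (re-hash the written image).
Added example for this page; FlakySource is a constructed test source."""
import hashlib
import os
import tempfile

BLOCK = 512  # read granularity; one failed read costs one zero-filled block


class FlakySource:
    """Constructed stand-in for a suspect partition; blocks in `bad_blocks` raise EIO."""

    def __init__(self, data, bad_blocks):
        self._data, self._bad, self._pos = data, set(bad_blocks), 0

    def seek(self, offset):
        self._pos = offset

    def read(self, n):
        if self._pos >= len(self._data):
            return b""                          # end of device
        if self._pos // BLOCK in self._bad:
            raise OSError(5, "Input/output error")  # like a marginal sector
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def acquire(src, out_prefix, seg_size=None, algos=("md5", "sha1")):
    """Copy src block by block to out_prefix, or to out_prefix.001, .002 ... when
    seg_size is set (segmenting keeps each piece under a FAT32 file-size limit).
    Unreadable blocks are zero-filled and recorded, like dd conv=noerror,sync.
    Returns (digests of the bytes written, bad block list, segment paths)."""
    hashes = {a: hashlib.new(a) for a in algos}
    bad, segments = [], []
    out, seg_written, blk = None, 0, 0
    while True:
        src.seek(blk * BLOCK)
        try:
            chunk = src.read(BLOCK)
        except OSError:
            chunk = b"\x00" * BLOCK
            bad.append(blk)
        if not chunk:
            break
        if out is None or (seg_size and seg_written >= seg_size):
            if out:
                out.close()
            path = f"{out_prefix}.{len(segments) + 1:03d}" if seg_size else out_prefix
            out = open(path, "wb")
            segments.append(path)
            seg_written = 0
        out.write(chunk)
        seg_written += len(chunk)
        for h in hashes.values():
            h.update(chunk)
        blk += 1
    if out:
        out.close()
    return {a: h.hexdigest() for a, h in hashes.items()}, bad, segments


def write_hashlog(path, digests, bad_blocks, blocks_read):
    """hashlog= equivalent: digests plus every block that had to be zero-filled."""
    with open(path, "w") as log:
        for algo, digest in digests.items():
            log.write(f"{algo}: {digest}\n")
        log.write(f"blocks read: {blocks_read}\n")
        log.write(f"bad blocks (zero-filled): {', '.join(map(str, bad_blocks)) or 'none'}\n")


def verify(segments, algos):
    """vf= equivalent: re-hash the image as stored (segments in order), independently
    of the acquisition pass, so the result can be checked against the hash log."""
    hashes = {a: hashlib.new(a) for a in algos}
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                for h in hashes.values():
                    h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def demo(workdir=None):
    """Constructed run: a 16-sector 'partition' with sector 5 unreadable, imaged in 4 KiB segments."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq_")
    data = bytes(range(256)) * 32               # 8 KiB of constructed content
    src = FlakySource(data, bad_blocks={5})
    prefix = os.path.join(workdir, "hda1.raw")
    digests, bad, segments = acquire(src, prefix, seg_size=4096)
    write_hashlog(prefix + ".hashlog", digests, bad, len(data) // BLOCK)
    expected = bytearray(data)                  # the image must equal the source ...
    expected[5 * BLOCK:6 * BLOCK] = b"\x00" * BLOCK  # ... with sector 5 zero-filled
    return {
        "digests": digests,
        "verified": verify(segments, digests.keys()),
        "bad_blocks": bad,
        "segments": len(segments),
        "image_matches_expected": digests["sha1"] == hashlib.sha1(expected).hexdigest(),
        "source_sha1": hashlib.sha1(data).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints identical digests from the acquisition pass and the verify pass (the vf= check succeeds), two segment files, bad block 5 in the log, and a source SHA-1 that differs from the image SHA-1 because of the zero-filled sector. On a real case the source would be opened read-only behind a write blocker, and the hash log kept with the evidence custody form.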
21. What’s the maximum file size when writing data to a FAT32 drive?
Just under 4 GB for a single file (4 GB minus 1 byte, a limitation of FAT32; many forensic tools default to 2 GB segments to stay safely within it)
22. What are two concerns when acquiring data from a RAID server?
1) amount of data storage needed; 2) the type of RAID server (0, 1, 5, etc.); 3) whether your acquisition tool can handle RAID acquisitions; 4) whether your analysis tool can handle RAID data; 5) whether your analysis tool can split RAID data into separate disk drives, making it easier to distribute large data sets
23. R-Studio and DiskExplorer are used primarily for computer forensics. True or False?
False. They are designed as data recovery tools but are useful in rebuilding corrupt data when forensics tools fail.
24. With remote acquisitions, what problems should you be aware of?
data transfer speeds
access permissions over the network
antivirus, antispyware, firewall programs
25. How does ProDiscover Investigator encrypt the connection between the examiner’s and suspect’s computers?
ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the password on the suspect’s workstation.
26. What is the EnCase Enterprise remote access program?
ServLet
27. What is the ProDiscover remote access program?
PDServer
28. What is the Runtime Software utility used to acquire data over a network connection?
DiskExplorer for NTFS or DiskExplorer for FAT
29. HDHost is automatically encrypted when connected to another computer. True or False?
False
30. List the two types of connections in HDHost
TCP/IP and serial RS232 port
31. Which computer forensics tools can connect to a suspect's remote computer and run surreptitiously?
EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response
32. EnCase, FTK, SMART, and iLook treat the image file as though it were the original disk. True or False?
True
33. When possible, you should make two copies of evidence. True or False?
True
34. FTK Imager can acquire data in a drive’s host protected area. True or False?
False