31 Cards in this Set
- Front
- Back
Rules of Evidence
|
Believable
Admissible
Authentic
Reliable
Complete |
|
4 parts to Daubert Criteria
|
1. Must be Tested
2. Peer Reviewed
3. Error Rate Established
4. Accepted by Prof. Community |
|
What does the Daubert Criteria provide:
|
Sets a standard for expert testimony.
Ensures methods have been tested.
Allows evidence into court. |
|
Name three ways to write info to a CD
|
1. Track at Once
2. Disc at Once
3. Packet Writing |
|
Can all info on a CD be read by all OSs?
|
No, it depends on how the file was written.
|
|
How do you verify the integrity of copied data?
|
Compare hash values of the original to the copy.
|
|
Why is it important to hash both the original and the copy?
|
This is important for ensuring you have an identical copy of the data to make it admissible in court.
|
|
Tell me about Raw Image Files
|
The image contains only the data from the source. Extra info (tags, details, etc.) is not attached to the image itself.
|
|
Tell me about Embedded Image Files
|
The image contains both the data from the source and information about the acquisition, like hash values, date, time, etc. There is compression so some data might be lost.
|
|
Do Floppy disks formatted for FAT12 have a partition table?
|
YES
|
|
Does the USB storage token have partitions?
|
YES
|
|
Does the Iomega zip disk have partitions?
|
Yes 1
|
|
Does RAID use multiple disks to provide redundancy and performance?
|
Yes
|
|
Disk spanning uses multiple disks to form a larger single volume but not for redundancy or performance
|
Yes
|
|
What happens when disks are formatted quickly?
|
The file table on the disk is cleared; however, the data remains behind.
|
|
How many partitions can be stored on a drive?
|
Up to 4 different partitions
|
|
Why is it beneficial to know how a suspect has partitioned his/her drive?
|
It allows you to get all the files on the system. It ensures you have copied the drive entirely.
|
|
How can a suspect hide a partition? (2 ways)
|
1. Change the partition type
2. Move the pointer of one partition and have it point to another. |
|
Why do we need to image memory?
|
To get a copy of the exact state of the system. Includes things like running processes, encryption keys, decrypted data, network settings/sockets, user input, screen captures, copy/paste etc.
|
|
Describe the direct access method of acquiring a disk image.
|
Accessing and copying the data while the system is still running/on.
|
|
Describe the method of using the BIOS to access data and perform a disk image.
|
Accessing the data through the BIOS in order to avoid the host OS (typically used at boot up).
|
|
What was Mathieu Orfila famous for?
|
Poison detection and its effect on animals
|
|
What was Francis Galton famous for?
|
Fingerprints
|
|
What was Leone Lattes famous for?
|
Blood groupings/types
A, AB, O, etc. |
|
What was Calvin Goddard famous for?
|
Ballistics, Firearms
|
|
What was Edmond Locard famous for?
|
Locard's Principle of Exchange - someone always leaves something at a crime scene.
|
|
What was Hans Gross famous for?
|
He was the father of Criminalistics. He applied science to criminal investigations.
|
|
Who was Robert Morris Sr?
|
Worked for NSA
|
|
Who was Robert Morris Jr?
|
Invented 1st internet worm, 1st person to be tried for computer crime.
|
|
What was Sir Alec Jeffreys famous for?
|
Fingerprinting and DNA
|
|
What are core dump files useful for?
What can be extracted from them? |
They are basically a recorded state of the computer. They can be useful in that they can provide evidence like encrypted passwords to files.
|