Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/21

Click to flip

21 Cards in this Set

  • Front
  • Back

What is the Chain of Custody?

Documentation that shows where evidence has been.

Collecting digital steps are?

  1. Seize the Evidence
  2. Acquire Evidence
  3. Verify the Evidence
  4. Analyze the Evidence
  5. File filtering
  6. RAID array
  7. Network traffic logs
  8. Witness
  9. Big data analysis
  10. Report on Findings

Creating a bit-level copy of drive ensures?

That the entire disk is captured.

The investigation is performed on the ___________ and not the _____________?

The Image, Original.

Performing a live acquisition allows for?

  1. Capturing the contents of memory
  2. Capture the contents of an encrypted drive.

It is a best practice to when acquiring evidence is to?

Create multiple copies of the forensic image using different imaging tools..

Where can evidence be found on a computer?

  1. Memory
  2. Swap file
  3. Hard drive
  4. DVD
  5. Mobile device

Where should you collect evidence from first?

From volatile memory areas then nonvolatile areas.


  1. RAM
  2. Swap file
  3. Hard disk
  4. CD/DVD-rom

The first step of the first responder is?

Assess the situation and contain the incident and determine what systems are affected.

What are the steps when responding to a Common Incident.

  1. Prepare for security incident
  2. Incident Identification
  3. Escalation and notification
  4. Mitigate

What are the steps when reviewing a Common Incident.

  1. Look at lessons learned
  2. Create a report
  3. Recovery/restoration procedures
  4. Incident isolation
  5. Quarantine
  6. Data breach
  7. Damage and loss control

What is a Hex editor?

Allows you to view the low-level content of a file or disk.

On mobile devices where you search for evidence?

  1. ROM
  2. EEPROM
  3. SIM card
  4. Memory

The three things to consider when performing mobile forensics?

  1. Maintaining power
  2. Prevent synchronization
  3. Prevent remote wipe

What is a Faraday bag used for?

To block any signal to a mobile device.

What is CIRT stand for?

Computer Incident Response Team

Who are the members of the CIRT

  1. Team Leader: organizes the team
  2. Technical Specialist: assess damage and fix
  3. Documentation Specialist: controls documentation
  4. Legal advisor: Knows the law and regulations

Name two password cracking tools?

  1. Cain and Abel
  2. Snadboy's Revelation

Name a Live Analysis tools?

Helix has tools that can monitor processes locate graphic files, view PST files, mail passwords and internet files.

What is ProDiscover?

A computer forensic analysis tool that includes methods of securely wiping a disk acquiring a bit-level copy of the disk and analyzing the evidence form the image file or disk directly.

A KFF is a what?

a Known File Filter that will block out operating system and other files using their hash values.