final Flashcards

chapter 6,8,9,10,12,13 review questions (188 cards)

1
Q

What are the functions required for digital forensics tools?

A

Acquisition, validation and verification, extraction, reconstruction, and reporting

2
Q

acquisition

A

the process of creating a duplicate image of data; one of the required functions of digital tools

3
Q

brute-force attack

A

the process of trying every combination of characters to find a matching password or passphrase value for an encrypted file

4
Q

Computer Forensics Tool Testing (CFTT)

A

a project sponsored by the National Institute of Standards and Technology (NIST) to manage research on digital forensics tools

5
Q

extraction

A

the process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools

6
Q

keyword search

A

a method of finding files or other information by entering relevant characters, words, or phrases in a search tool

7
Q

National Software Reference Library (NSRL)

A

a NIST project with the goal of collecting all known hash values for commercial software and OS files

8
Q

password dictionary attack

A

an attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use this list to compare potential passwords against an encrypted file's password or passphrase hash values

9
Q

validation

A

a way to confirm that a tool is functioning as intended; one of the functions of digital forensics tools

9
Q

reconstruction

A

the process of rebuilding data files; one of the required functions of digital forensics tools

10
Q

verification

A

the process of proving that two sets of data are identical by calculating hash values or using another similar method

11
Q

write-blocker

A

a hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt-13 write functions to a drive in a PC's BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation

12
Q

Forensics software tools are grouped into ____ and ___ applications.

A

command-line and GUI

13
Q

According to ISO standard 27037, which of the following is an important factor in data acquisition?

A

Digital Evidence First Responder (DEFR)’s competency and use of validated tools

14
Q

An encrypted drive is one reason to choose a logical acquisition. True or False?

A

True

15
Q

Hashing, filtering, and file header analysis make up which function of digital forensics tools?

A

Validation and verification

16
Q

Hardware acquisition tools typically have built-in software for data analysis. True or False?

A

False

17
Q

The reconstruction function is needed for which of the following purposes?

A

recreate a suspect drive to show what happened, create a copy of a drive for other investigators, recreate a drive compromised by malware

18
Q

List three subfunctions of the extraction function.

A

data viewing, keyword searching, decompressing/uncompressing, carving, decrypting, bookmarking/tagging

19
Q

Hash values are used for which of the following purposes?

A

filtering known good files from potentially suspicious data, reconstructing file fragments, validating that the original data hasn't changed

20
Q

In testing tools, the term “reproducible results” means that if you work in the same lab on the same machine, you generate the same results. True or false?

A

False

21
Q

The verification function does which of the following?

A

Proves that two sets of data are identical hash values

22
Q

What’s the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

A

Not having to shut down your workstation when drives are disconnected

23
Q

Building a forensic workstation is more expensive than purchasing one. True or False?

A

True

24
A live acquisition can be replicated. True or false?
False
25
Which of the following is true about most drive-imaging tools?
They ensure that the original drive doesn't become corrupt and damage the digital evidence, they create a copy of the original drive
26
The standards for testing forensics tools are based on which criteria?
ISO 17025
27
A log report in forensics tools does which of the following?
Records an investigator's actions in examining a case
28
When validating the results of a forensic analysis, you should do which of the following?
Calculate the hash value with two different tools
29
The primary hashing algorithm the NSRL uses is SHA-1. True or False?
True
30
bitmap images
collections of dots, or pixels, in a grid format that forms a graphic
31
carving
the process of recovering file fragments that are scattered across a disk
32
data compression
the process of coding data from a larger form to a smaller form
33
demosaicing
the process of converting raw picture data to another format, such as JPEG or TIF
34
Exchangeable Image File (Exif)
a file format the Japan Electronics and Information Technology Industries Association (JEITA) developed as a standard for storing metadata in JPEG and TIF files
35
fair use
a guideline that describes the free use of copyrighted material for news reports, critiques, noncommercial use, and educational purposes
36
false positives
the result of keyword searches that contain the correct match but aren't relevant to the investigation
37
least significant bit (LSB)
the lowest bit value in a byte. In Microsoft OSs, bits are displayed from right to left, so the rightmost bit is the LSB
38
lossless compression
a compression method in which no data is lost. With this type of compression, a large file can be compressed to take up less space and then uncompressed without any loss of information
39
lossy compression
a compression method that permanently discards bits of information in a file. The removed bits of information reduce image quality
40
metafile graphics
graphics files that are combinations of bitmap and vector images
41
most significant bit (MSB)
the highest bit value in a byte
42
nonstandard graphics file formats
less common graphics file formats, including proprietary formats, newer formats, formats that most image viewers don't recognize, and old or obsolete formats
43
pixels
small dots used to create images; the term comes from "picture element"
44
raster images
collections of pixels stored in rows rather than a grid, as with bitmap images, to make graphics easier to print; usually created when a vector graphic is converted to a bitmap image
45
raw file format
a file format typically found on higher-end digital cameras; the camera performs no enhancement processing—hence the term “raw.” this format maintains the best picture quality, but because it’s a proprietary format, not all image viewers can display it
46
resolution
the density of pixels displayed onscreen, which governs image quality
47
salvaging
another term for carving
48
standard graphics file formats
common graphics file formats that most graphics programs and image viewers can open
49
vector graphics
graphics based on mathematical instructions to form lines, curves, text, and other geometric shapes
50
vector quantization (VQ)
a form of compression that uses an algorithm similar to rounding off decimal values to eliminate unnecessary bits of data
51
Graphics files stored on a computer can’t be recovered after they are deleted. True or False?
False
52
When you carve a graphics file, recovering the image depends on which of the following skills?
Recognizing the pattern of the file header content
53
Explain how to identify an unknown graphics file format that your digital forensics tool doesn’t recognize.
Find the hexadecimal for the first several bytes of the file from a hex editor. Compare other file formats with similar hex code in their headers
54
What type of compression uses an algorithm that allows viewing the graphics file without losing any portion of the data?
lossless
55
When investigating graphics files, you should convert them into one standard format. True or False?
False
56
Digital pictures use data compression to accomplish which of the following goals?
Save space on hard drive, provide a crisp and clear image, eliminate redundant data
57
The process of converting raw images to another format is called which of the following?
Demosaicing
58
In JPEG files, what’s the starting offset position for the JFIF label?
Offset 6
59
Each type of graphics file has a unique header containing information that distinguishes it from other types of graphics files. True or False?
True
60
Copyright laws don’t apply to Web sites. True or False?
False
61
When viewing a file header, you need to include hexadecimal information to view the image. True or False?
True
62
When recovering a file with ProDiscover, your first objective is to recover cluster values. True or False?
True
63
Bitmap (.bmp) files use which of the following types of compression?
Lossless
64
A JPEG file uses which type of compression?
Lossy
65
Only one file format can compress graphics files. True or False?
False
66
A JPEG file is an example of a vector graphic. True or False?
False
67
Which of the following is true about JPEG and TIF files?
They have different values for the first 2 bytes of their file headers
68
What methods do steganography programs use to hide data in graphics files?
Carving
69
Some clues left on a drive that might indicate steganography include which of the following?
Multiple copies of a graphics file, graphics files with the same name but different file sizes, steganography programs in the suspect’s All Programs list, graphics files with different timestamps
70
What methods are used for digital watermarking?
Invisible modification of the LSBs in the file, layering visible symbols on top of the image, using a hex editor to alter the image data
71
bit-shifting
the process of shifting one or more digits in a binary number to the left or right to produce a different value
72
block-wise hashing
the process of hashing all sectors of a file and then comparing them with sectors on a suspect’s drive to determine whether there are any remnants of the original file that couldn’t be recovered
73
cover-media
in steganalysis, the original file with no hidden message
74
key escrow
a technology designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
75
Known File Filter (KFF)
an AccessData database containing the hash values of known legitimate and suspicious files. It’s used to identify files that are possible evidence or eliminate files from an investigation if they’re legitimate
76
rainbow table
a file containing the hash values for every possible password that can be generated from a computer’s keyboard
77
salting tables
adding bits to a password before it’s hashed so that a rainbow table can’t find a matching hash value to decipher the password
78
scope creep
the result of an investigation expanding beyond its original description because the discovery of unexpected evidence increases the amount of work required
79
steganography
a cryptographic technique for embedding information in another file for the purpose of hiding that information from casual observers
80
stego-media
in steganalysis, the file containing the hidden message
81
Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
Files associated with an application; system files the OS uses
82
For which of the following reasons should you wipe a target drive?
To ensure the quality of digital evidence you acquire; to make sure unwanted data isn't retained on the drive
83
The Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)
Filter known program files from view. Compare hash values of known files with evidence files.
84
Password recovery is included in all forensics tools. True or False?
False
85
After you shift a file’s bits, the hash value remains the same. True or False?
False
86
Which forensic image file format creates or incorporates a validation hash value in the image file? (Choose all that apply.)
Expert Witness, SMART
87
____ happens when an investigation goes beyond the bounds of its original description.
scope creep
88
Suppose you’re investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
Internal corporate investigation because corporate investigators typically have ready access to company records
89
You’re using Disk Management to view primary and extended partitions on a suspect’s drive. The program reports the extended partition’s total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
There’s a hidden partition.
90
Steganography is used for which of the following purposes?
Hiding data
91
The National Software Reference Library provides what type of resource for digital forensics examiners?
B
92
In steganalysis, cover-media is which of the following?
The file a steganography tool uses to host a hidden message, such as a JPEG or an MP3 file
93
Rainbow tables serve what purpose for digital forensics examinations?
rainbow tables contain computed hashes of possible passwords that some password-recovery programs can use to crack passwords
94
The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?
True
95
If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords?
Salting can make password recovery extremely difficult and time consuming.
96
Block-wise hashing has which of the following benefits for forensics examiners?
Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect’s drive
97
defense in depth (DiD)
The NSA’s approach to implementing a layered network defense strategy. It focuses on three modes of protection: people, technology, and operations.
98
distributed denial-of-service (DDoS)
A type of DoS attack in which other online machines are used, without the owners’ knowledge, to launch an attack.
99
honeypot
A computer or network set up to lure an attacker.
100
honeywalls
Intrusion prevention and monitoring systems that track what attackers do on honeypots.
101
layered network defense strategy
An approach to network hardening that sets up several network layers to place the most valuable data at the innermost part of the network.
102
network forensics
The process of collecting and analyzing raw network data and systematically tracking network traffic to determine how security incidents occur.
103
order of volatility (OOV)
A term indicating how long an item on a network lasts. RAM and running processes might last only milliseconds; data stored on hard drives can last for years.
104
packet analyzers
Devices and software used to examine network traffic. On TCP/IP networks, they examine packets (hence the name).
105
type 1 hypervisor
A virtual machine interface that loads on physical hardware and contains its own OS.
106
type 2 hypervisor
A virtual machine interface that’s loaded on top of an existing OS.
107
Virtualization Technology (VT)
Intel’s CPU design for security and performance enhancements that enable the BIOS to support virtualization.
108
Virtual Machine Extensions (VMX)
Instruction sets created for Intel processors to handle virtualization.
109
zero day attacks
Attacks launched before vendors or network administrators have discovered vulnerabilities and patches for them have been released.
110
zombies
Computers used without the owners’ knowledge in a DDoS attack.
111
Virtual Machine Extensions (VMX) are part of which of the following?
Intel Virtualized Technology
112
You can expect to find a type 2 hypervisor on what type of device? (Choose all that apply.)
Tablet, Desktop, Smartphone
113
Which of the following file extensions are associated with VMware virtual machines?
.vmx, .log, .nvram
114
In VirtualBox, a(n) ____ file contains settings for virtual hard drives.
.vbox
115
The number of VMs that can be supported per host by a type 1 hypervisor is generally determined by the amount of ____ and ____.
RAM and storage
116
A forensic image of a VM includes all snapshots. True or False?
False
117
Which Registry key contains associations for file extensions?
HKEY_CLASSES_ROOT
118
Which of the following is a clue that a virtual machine has been installed on a host system?
Virtual network adapter
119
To find network adapters, you use the ____ command in Windows and the ____ command in Linux.
ipconfig and ifconfig
120
What are the three modes of protection in the DiD strategy?
People, operations, technology
121
A layered network defense strategy puts the most valuable data where?
Innermost layer
122
Tcpslice can be used to retrieve specific timeframes of packet captures. True or False?
True
123
Packet analyzers examine what layers of the OSI model?
2 and 3
124
When do zero day attacks occur? (Choose all that apply.)
Before the vendor is aware of the vulnerability; before it's patched
125
Code Division Multiple Access
A widely used digital cell phone technology that makes use of spread-spectrum modulation to spread the signal across a wide range of frequencies.
126
electronically erasable programmable read-only memory (EEPROM)
A type of nonvolatile memory that can be reprogrammed electrically, without having to physically access or remove the chip.
127
Enhanced Data GSM Environment (EDGE)
An improvement to GSM technology that enables it to deliver higher data rates. See also Global System for Mobile Communications (GSM).
128
fifth-generation (5G)
The coming generation of mobile device standards, expected to be finalized in 2020.
129
fourth-generation (4G)
The current generation of mobile phone standards, with technologies that improved speed and accuracy.
130
Global System for Mobile Communications (GSM)
A second-generation cellular network standard; currently the most used cellular network in the world.
131
International Telecommunication Union (ITU)
An international organization dedicated to creating telecommunications standards.
132
Orthogonal Frequency Division Multiplexing (OFDM)
A 4G technology that uses numerous parallel carriers instead of a single broad carrier and is less susceptible to interference.
133
smartphones
Mobile telephones with more features than a traditional phone has, including a camera, an e-mail client, a Web browser, a calendar, contact management software, an instant-messaging program, and more.
134
subscriber identity module (SIM) cards
Removable cards in GSM phones that contain information for identifying subscribers. They can also store other information, such as messages and call history.
135
Telecommunications Industry Association (TIA)
A U.S. trade association representing hundreds of telecommunications companies that works to establish and maintain telecommunications standards.
136
third-generation (3G)
The preceding generation of mobile phone standards and technology; had more advanced features and faster data rates than the older analog and personal communications service (PCS) technologies.
137
Time Division Multiple Access (TDMA)
The technique of dividing a radio frequency into time slots, used by GSM networks; also refers to a cellular network standard covered by Interim Standard (IS) 136. See also Global System for Mobile Communications (GSM).
138
List four places where mobile device information might be stored.
Internal memory, SIM card, removable storage, servers
139
Typically, you need a search warrant to retrieve information from a service provider. True or False?
True
140
The term TDMA refers to which of the following? (Choose all that apply.)
A technique of dividing a radio frequency so that multiple users share the same channel
141
What’s the most commonly used cellular network worldwide?
GSM
142
Which of the following relies on a central database that tracks account data, location data, and subscriber information?
MSC
143
GSM divides a mobile station into ____ and ____.
SIM and Mobile Equipment
144
SD cards have a capacity up to which of the following?
64 GB
145
Describe two ways you can isolate a mobile device from incoming signals.
Airplane mode or turn it off
146
Which of the following categories of information is stored on a SIM card? (Choose all that apply.)
Call data and service related data
147
Most SIM cards allow ____ access attempts before locking you out.
3
148
SIM card readers can alter evidence by showing that a message has been read when you view it. True or False?
True
149
The uRLLC 5G category focuses on communications in smart cities. True or False?
False
150
When acquiring a mobile device at an investigation scene, you should leave it connected to a laptop or tablet so that you can observe synchronization as it takes place. True or False?
False
151
Remote wiping of a mobile device can result in which of the following? (Choose all that apply.)
(A) Removing account information; (C) Returning the phone to the original factory settings; (D) Deleting contacts
152
In which of the following cases did the U.S. Supreme Court require using a search warrant to examine the contents of mobile devices?
Riley v. California
153
The Internet of Things includes ____ as well as wired, wireless, and mobile devices.
Radio Frequency Identification (RFID) sensors
154
Which of the following is a mobile forensics method listed in NIST guidelines? (Choose all that apply.)
Logical extraction; physical extraction; hex dumping
155
According to SANS DFIR Forensics, which of the following tasks should you perform if a mobile device is on and unlocked? (Choose all that apply.)
(A) Isolate the device from the network; (B) Disable the screen lock; (C) Remove the passcode
156
Which organization is setting standards for 5G devices?
3GPP (3rd Generation Partnership Project)
157
cloud service agreements (CSAs)
Contracts between a cloud service provider and a cloud customer. Any additions or changes to a CSA can be made through an addendum. See also cloud service providers (CSPs).
158
cloud service providers (CSPs)
Vendors that provide on-demand network access to a shared pool of resources (typically remote data storage or Web applications).
159
community cloud
A shared cloud service that provides access to common or shared data.
160
deprovisioning
Deallocating cloud resources that were assigned to a user or an organization. See also provisioning.
161
hybrid cloud
A cloud deployment model that combines public, private, or community cloud services under one cloud. Segregation of data is used to protect private cloud storage and applications.
162
infrastructure as a service (IaaS)
With this cloud service level, an organization supplies its own OS, applications, databases, and operations staff, and the cloud provider is responsible only for selling or leasing the hardware.
163
management plane
A tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly.
164
multitenancy
A principle of software architecture in which a single installation of a program runs on a server accessed by multiple entities (tenants). When software is accessed by tenants in multiple jurisdictions, conflicts in copyright and licensing laws might result.
165
platform as a service (PaaS)
A cloud service level that provides a platform in the cloud with only an OS. The customer can use the platform to load their own applications and data. The CSP is responsible only for the OS and the hardware it runs on; the customer is responsible for everything else they have loaded onto it.
166
private cloud
A cloud service dedicated to a single organization.
167
public cloud
A cloud service that’s available to the general public.
168
software as a service (SaaS)
With this cloud service level, typically a Web hosting service provides applications for subscribers to use.
169
spoliation
Destroying, altering, hiding, or failing to preserve evidence, whether it’s intentional or a result of negligence.
170
Amazon was an early provider of Web-based services that eventually developed into the cloud concept. True or False?
True
171
What are the three levels of cloud services defined by NIST?
c. SaaS, PaaS, and IaaS
172
What capabilities should a forensics tool have to acquire data from a cloud?
a. Identify and acquire data from the cloud; b. Expand and contract data storage capabilities as needed for service changes; d. Examine virtual systems.
173
Commingled data isn't a concern when acquiring cloud data. True or False?
False
174
A(n) ________________________ is a contract between a CSP and the customer that describes what services are being provided and at what level.
cloud service agreement
175
Which of the following is a mechanism the ECPA describes for the government to get electronic information from a provider? (Choose all that apply.)
a. Subpoenas with prior notice; c. Search warrants; d. Court orders
176
In which cloud service level can customers rent hardware and install whatever OSs and applications they need?
infrastructure as a service
177
What are the two states of encrypted data in a secure cloud?
Data in motion and data at rest
178
Evidence of cloud access found on a smartphone usually means which cloud service level was in use?
SaaS
179
Which of the following cloud deployment methods typically offers no security?
public cloud
180
The multitenancy nature of cloud environments means conflicts in privacy laws can occur. True or False?
True
181
To see Google Drive synchronization files, you need a SQL viewer. True or False?
True
182
A CSP's incident response team typically consists of which staff? List at least three positions.
system administrators, network administrators, and legal advisors
183
The cloud services Dropbox, Google Drive, and OneDrive have Registry entries. True or False?
True
184
When should a temporary restraining order be requested for cloud environments?
When a search warrant requires seizing a CSP's hardware and software used by other parties not involved in the case
185
Updates to the EU Data Protection Rules will affect how data is moved regardless of location. True or False?
True
186
NIST document SP 500-322 defines more than 75 cloud services, including which of the following? (Choose all that apply.)
a. Backup as a service; b. Security as a service; c. Drupal as a service
187
Public cloud services such as Dropbox and OneDrive use what encryption applications?
Sophos Safeguard and Sophos Mobile Control