Final Flashcards

(99 cards)

1
Forensics
The use of science and technology to investigate and establish facts in criminal or civil courts of law.
2
Relevant evidence
1. tendency to make a fact more or less probable than it would be without the evidence. 2. the fact is of consequence in determining the action.
3
digital evidence
information of probative value stored or transmitted in digital form
4
digital media
physical objects where data is stored
5
computer use in crime
contraband, tool for the crime, incidental to the crime
6
contraband
digital equipment, etc., was illegally obtained
7
tool of crime
hacking
8
incidental to the crime
digital media has evidence of the crime (phone contacts, etc.)
9
types of investigations
internal, civil, criminal
10
Daubert standard
judge makes a call on whether the scientific expert is basing their reasoning on proven scientific methodology. A Daubert challenge is if you use anything that's not accepted by a majority of professionals
11
Locard’s principle of Transference
you can’t interact with an environment without leaving something behind
12
Inman-Rudin Paradigm
transfer, identification, individualization (narrowing evidence to certain classification), association (linking to a person or system), reconstruction (what happened), sixth principle (evidence must divide before transfer)
13
cross validation
any forensic artifact must be discoverable with multiple tools and techniques
14
6 As
assessment (gathering information, chain of custody, determine scope, protect media), acquisition (make the copy of the data), authentication (verify copies), analysis (looking for the artifacts), articulation (drafting and submitting the report), archival (storage of media, notes, and report).
15
What are hashes used for
1. determining if data is unique. 2. determining if data is the same. 3. determining if any changes have been made to the data
16
Floppy disk life span
2 years
17
CD-RW life span
3 years or up to 50 with proper storage
18
USB drive life span
up to 10 years if not heavily used
19
hard drive life span
up to 34 years
20
evidence
ANY INFORMATION OF PROBATIVE VALUE
21
Best Evidence
the most complete copy of the evidence obtained, the one most closely linked to the original evidence
22
Computer components that hold evidence
hard drives, removable media, RAM (has to be collected through live analysis), motherboard BIOS, scanners, printers
23
Network devices that hold evidence
clients, servers, routers, gateways, firewalls, network printers, NAS (network attached storage)
24
magnetized media
holds a series of charges. Pros: very large storage capacity, data can be overwritten without being reset. Cons: slow access time, slow random read and write
25
Hard Drive Physical components
platters (magnetized surface containing charge), Read/Write heads (electromagnets used for reading or changing charges), Arm (moves read/write head towards the inside of the disk)
26
Hard Drive Logical Components
Tracks: rings that go completely around the center of the platter. Cylinders: tracks that line up on parallel platters
27
Hard Drive Sectors
Pie-shaped wedges of tracks (a sector is the smallest unit of data that can be read from or written to magnetic storage media)
28
Two Hard Drive Interfaces
IDE and SATA
29
Floppy disk forensics
treat like a single platter hard drive
30
magnetic media forensics
never truly wiped; data isn't erased before being overwritten
31
optical media forensics
CD-ROM, Blu-ray disc, DVD-ROM (inherently read only); writing data must be done to the entire disk at once
32
RAID
Redundant Array of Independent Disks; used to prevent hardware failure
33
RAID Levels
0: block striping (data distributed among multiple drives); if one drive fails, all fail. 1: disk mirroring, data written to two disks simultaneously; if one disk fails, the other comes online. 2: disk mirroring with ECC (NOT USED). 3: byte striping with parity. 4: block striping with a parity drive.
34
Three RAID implementations
internal hardware (RAID controller card), external hardware (enclosure in a separate cabinet), software (cannot boot off a software RAID volume)
35
How to acquire RAID data?
boot the suspect computer into a forensically sound environment and acquire the RAID volume. In EnCase: device view, select drives, edit disk config, specify RAID
36
SSDs
use modified transistors for non-volatile storage; very fast data access; issues with recovering deleted data.
37
Assembly
low level language for microprocessors
38
order of memory speed
registers, caches, main memory, disk storage
39
4 kinds of memory
internal (registers and CPU cache), main memory (RAM), online mass storage (hard drive, SSD, USB), offline bulk storage (tape arrays)
40
Computer Busses
A single copper wire can transfer electrons; a bunch of wires doing this is a bus. Motherboards contain buses to communicate.
41
Power On
1. self test, 2. microprocessor does ROM BIOS, 3. microprocessor begins executing attached BIOS code, 4. POST, 5. BIOS locates CMOS (stores boot order, etc.), 6. loads the OS
42
BIOS vs EFI
BIOS was the original way to interface with the motherboard; EFI is the new replacement: it has a better GUI, multi-language support, full networking, and is fully modular
43
Two Forensics systems' roles
acquisition/duplication (make the copy), analysis (parse it)
44
write blocker
device that stops the host system from sending a write signal to any connected device
45
Forensic Drive duplicator
device that makes a forensic image
46
Forensic Software
EnCase, SMART (ASR Data), FTK (Windows), Paraben, GetData, BlackBag
47
How to collect BIOS information
1. start the computer with no drives. 2. hit a function key to load the BIOS or UEFI, record the system date and time, and record the boot order.
48
things that can ruin a forensic image
1. booting the drive into Windows without write protection. 2. using an unmodified boot disk. 3. mounting the drive as read/write in Linux. 4. choosing the wrong drive as source or destination.
49
How are files stored on a disk?
files are stored as bytes at a low level; bytes are displayed as hexadecimal, 2 hex digits for each byte.
50
Standard file metadata
FAT: file name, extension, attributes, creation date and time, access date, modification date and time
51
partition
set of consecutive sectors on a disk
52
Volume
partition with a single file system
53
initializing a disk
writes information at the beginning of the disk, in the first physical sector
54
formatting a disk
writing a file system onto a partition. Turning a partition into a volume.
55
file system
organizes data on a disk. FAT and NTFS are cluster-based; ext2, ext3 and ext4 are block-based. Keeps track of file allocation and file metadata.
56
FAT
File Allocation Table. For floppy disks; uses a file allocation table that keeps track of clusters.
57
FAT Directory
A file that contains a listing of the contents of the directory (directory table)
58
Where is the root directory stored?
FAT VBR
59
How to undelete a FAT file
go through the directory table, follow the cluster chain in the FAT, and see if the clusters have the appropriate data. (When the file is deleted, the entry is marked deleted.)
60
How to undelete NTFS file
The MFT contains a master record of every file on the drive; when a file is deleted it is marked as deleted. Undeleting is changing the mark from deleted to not-deleted on the master record.
61
Linux File Systems
ext2 (disk broken into partitions and groups): inode table and bitmap. ext3: same as before but with journaling; reads and writes are done all at once or not at all. ext4: large file size, better performance.
62
Inode
pointer. It points to a block on the disk.
63
Raw duplicate
exact binary copy from one disk to another. Fastest way to make a copy. Drawbacks: must use a write blocker on the copy at all times, must verify the copy has not been altered, must treat the entire disk as evidence
64
DD image file
contains the exact binary of the evidence disk. Advantages: everything can read it, fast to create, can be segmented. Disadvantages: no way to detect changes without re-verification; metadata not stored.
65
Encase Image File
allows for compression and encryption of data. Advantage: single-bit changes can be isolated. Disadvantage: slower to create than a dd file.
66
What are operating systems responsible for?
input/output, data management through file systems, networking, memory, peripheral device management
67
multiuser
simultaneous users can run programs
68
multiprocessing
OS can run multiple processes on multiple processors
69
multitasking
OS can run concurrent programs on single processor
70
multi-threading
OS allows programs to be broken down into threads and run independently and dependently
71
OS kernel
low-level input and output, hardware interfaces, memory management; allows for program execution.
72
Interrupts
signal sent by a hardware device to the kernel indicating that it needs attention
73
API
Application program interface. Allows programs to interact with the OS
74
How to recover a partition
look for the volume boot sector (for FAT and NTFS, the 55 AA signature)
75
Master boot record location
On the first sector of the drive
76
Windows 7 App Data
Local (app data specific to the computer), LocalLow (internet browsers), Roaming (application data for a user account across the domain)
77
Windows swapfile
used when many things are open; part of virtual memory; pagefile.sys
78
printer spool file
windows/system32/spool/printers
79
unallocated space
when a file is deleted in Windows, the clusters get grouped into the space available for file allocation
80
slack space
space between the logical end of the file and the actual end of the file
81
Recycle Bin
Every time a file is deleted into the Recycle Bin, two files are created, with $R (deleted file) and $I (metadata) preceding the name.
82
What times does windows track?
created, modified, accessed
83
FAT time stamps
stored in directory entries, in local time according to the BIOS. If a file is moved, all times stay the same. If a file is copied, all stay the same except the created time.
84
NTFS
times stored in UTC; the time zone is located in registry settings; displayed times are based on stored times. If copied, the created time and the accessed time change; if moved, the accessed time changes.
85
What if a FAT file has a created time after the modified and accessed time stamps?
file is a copy of another file
86
What if a FAT file is moved to NTFS? (time stamps)
the accessed date changes. If copied, both the access date and the created date would change (follows the rule of NTFS).
87
What if an NTFS file is moved to FAT? (Time stamps)
moving changes the accessed date; copying would change the created and access dates.
88
Registry
stores configuration settings and options for the system and users. All Windows-specific settings are stored here. Key: container for either another key or a value. Value: name and data (descriptors, bits, strings)
89
7 registry root keys
HKLM (local machine), HKCC (current config), HKCR (classes root), HKCU (current user), HKU (users), HKEY_PERFORMANCE_DATA, HKEY_DYN_DATA.
90
Windows NT based registry locations
systemroot\system32\config: SAM, SECURITY, SOFTWARE, SYSTEM. Also userprofile\ntuser.dat
91
Windows USB device installation (registry)
windows\inf\usbstor.inf
92
DeviceInstanceID gives access to this registry key:
SYSTEM\CurrentControlSet\Enum\USB
93
How to find first time a USB was attached?
setupapi log (under inf)
94
How to find each time USB was attached?
Enum\USB or Enum\USBSTOR keep a permanent record of each USB attached. The last-written time stamp is the last attachment.
95
Internet Cache
allows a user to return to a website quickly if there is no new content
96
cookies
tracks user activity, stores session ID
97
where is internet data in directory?
Documents and Settings\username\AppData: Local (has history, cache, cookies), LocalLow, Roaming
98
email header
tells you the servers or routers the email passed through to get to you
99
User assist registry
ntuser.dat: \Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Gives what programs or shortcuts a user has executed, time stamps, and the frequency of running a particular program (but not how many times it has been run).