Pratice_Questions
pdf
keyboard_arrow_up
School
American Military University *
*We aren’t endorsed by this school
Course
C840
Subject
Information Systems
Date
Dec 6, 2023
Type
Pages
12
Uploaded by DeanGalaxyReindeer36
C840 - Digital Forensics
1
C840 - Digital Forensics
Which law requires a free opt-out option?
CAN-SPAM Act
The CAN-SPAM Act is a U.S. law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.
Which law led to the creation of the Electronic Crimes Task Force?
USA PATRIOT Act The USA PATRIOT Act included provisions for the establishment of the ECTF to combat electronic crimes, including cyberterrorism and other computer-
related offenses.
Where would they find logs about connections to remote computers?
The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.
A forensic specialist is getting ready to collect digital evidence. What should they do first?
Review the Chain of Custody The first step in collecting digital evidence is to carefully review and document the chain of custody. This involves documenting who has had access to the device or data, when it was accessed, and any changes made to it since the incident occurred. By carefully documenting the chain of custody, the specialist can ensure that the evidence is admissible in court and has not been tampered with.
Which law suggests setting up forensic laboratories?
C840 - Digital Forensics
2
US Patriot Act
The USA Patriot Act is a law passed by the US Congress in response to the 9/11 terrorist attacks. It includes provisions for the establishment and funding of forensic laboratories to assist law enforcement agencies in the investigation and prosecution of terrorism and other crimes. The Act also provides for the training and certification of forensic specialists and the development of standards and protocols for the collection and analysis of evidence.
What is steganography used for?
Steganography is the practice of concealing a message, image, or file within another message, image, or file in such a way that it is difficult to detect or decipher the hidden content. What would be used to make a bit-by-bit copy of a windows 8 computer?
FTK Imager can create a forensic disk image of a Windows 8 computer by creating a bit-by-bit copy of the entire hard drive or storage media, including any deleted or hidden data.
What would be used to detect files leaving the network using steganography?
FTK is likely to be most effective in detecting steganographically hidden files leaving the network.
What's inside an email header?
An email header is a section of an email message that contains metadata about the message, such as the sender and recipient information, date and time of sending, and information about the email server that handled the message.
Test Specific Question:
Which storage tech uses NAND?
NAND is a type of flash memory technology commonly used in SSDs, USB drives, and memory cards. How does NAND work?
C840 - Digital Forensics
3
Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power.
What uses AFF file format?
Autopsy and Sleuth Kit use the AFF format because it offers flexibility, scalability, compression, and encryption, which are important features for digital forensic investigations.
What is AFF??
The Advanced Forensic Format (AFF) is a file format used in digital forensics to store disk images, file systems, and other digital evidence.
What to unlock iphone?
XRY can be used to bruteforce IPhone devices it tries mutiple pins to gain access to device Which tool can do a workflow check of steganography?
StegExpose is an open-source steganalysis tool that can detect hidden information in image files. It can detect a wide range of steganographic techniques, including JSteg, F5, and OutGuess.
What’s Data Doctor?
Data Doctor Forensic Software is a powerful tool used in digital forensics investigations this product recovers all Inbox and Outbox data and all contact data
Whats /var/log/lpr?
Linux Printer Log
/var/log/lpr is a directory on Linux/Unix systems where log files related to the Line Printer (lpr) service are stored, containing information about printing jobs submitted to the system via the lpr service.
Where does windows store pw?
Windows stores hashed passwords in the SAM ( Security Accounts Manager ) Law for being able to collect GPS location?
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
C840 - Digital Forensics
4
The Wireless Communications and Public Safety Act of 1999
Where do deleted Apple iphone/ipad files go?
/.Trashes/501
Which type of data are the authorities allowed to get from service providers? In general, authorities may be allowed to obtain basic subscriber information such as the name, address, and phone number of an account holder. This information may be obtained without a warrant in some cases, depending on the specific circumstances and applicable laws.
What is Transactional Data and does it require a warrant?
Transactional data such as call logs, text messages, and internet usage records may also be obtained by authorities in some cases, but typically require a warrant or court order. The specific requirements for obtaining this type of data will depend on the laws and regulations of the jurisdiction in question.
Remember not to change evidence, and to verify chain of custody (duh) Collect Volatile, then Temporary, then Permanent
Laws
What is CALEA?
The Communications Assistance for Law Enforcement Act (CALEA) is a US law that requires telecommunications companies to make their networks and services accessible to law enforcement agencies for lawful interception and surveillance of electronic. ( Wiretap )
What is COPPA?
C840 - Digital Forensics
5
The Children's Online Privacy Protection Act (COPPA) is a US law that requires website operators to obtain parental consent before collecting personal information from children under the age of 13.
What is CSA?
The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.
What is ECPA?
The Electronic Communications Privacy Act (ECPA) is a US law that governs the interception of electronic communications, including email, voicemail, and other forms of digital communication.
What is 8 US 2252B?
This is a section of US law that deals with the production, distribution, and possession of child pornography, and imposes criminal penalties for these activities.
What is 4th Amendment?
The Fourth Amendment to the US Constitution protects citizens from unreasonable searches and seizures by the government. In the context of digital forensics, this means that law enforcement must obtain a warrant before conducting a search of digital devices or networks.
What is SCA?
The focus of Chapter 31 is the Stored Communications Act, 18 U.S.C. §§ 2701-
12 (“SCA”). The SCA governs how investigators can obtain stored account records and contents from network service providers, including Internet service providers (“ISPs”), telephone companies, and cell phone service providers. SCA issues arise often in cases involving the Internet: when investigators seek stored information concerning Internet accounts from providers of Internet service [source: DOJ-Manual.pdf (clarkcunningham.org)]
C840 - Digital Forensics
6
Microsoft File Formats What is .pst? ( Outlook )
PST stands for "Personal Storage Table". It is a file format used by Microsoft Outlook to store email, calendar, and contact information. It can be exported from Exchange Server for backup or archiving purposes.
What is .ost? ( Offline Outlook Storage ) OST stands for "Offline Storage Table". It is a file format used by Microsoft Outlook to store a synchronized copy of a user's mailbox on their local computer. The OST file allows users to access their mailbox even when they are not connected to the Exchange Server.
What is .mbx or .dbx? ( Outlook Express )
are file formats used by older versions of Microsoft Outlook Express to store email messages. They have largely been replaced by newer file formats like .pst and .ost.
What is mbx? ( Eudora )
MBX is a file format used by Eudora email client to store email messages.
What is .emi?
EMI stands for "Exchange Message Interface". It is a proprietary file format used by Microsoft Exchange Server to store email messages and attachments.
What is .edb?
EDB stands for Exchange Database. It is a file format used by Microsoft Exchange Server to store mailbox data such as emails, calendar entries, contacts, and tasks.
What is .db?
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
C840 - Digital Forensics
7
DB stands for Database. It is a generic file format used to store structured data in a database. The format may vary depending on the database management system (DBMS) being used.
What is .odt?
The OpenDocument Text (ODT) format is an open standard file format used for storing text documents. It is used by many word processing applications, including LibreOffice and OpenOffice.
Own Notes: What is Internet Forensics?
Internet forensics is the process of piecing together where and when a user has been on the internet. For example, you can use internet forensics to determine whether inappropriate internet content access and downloading were accidental.
What is The Wireless Communications and Public Safety Act of 1999
The Wireless Communications and Public Safety Act of 1999 allows for collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.
What is The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.
Are warrants needed when evidence in plain sight?
Warrants are not needed when evidence is in plain sight.
What is the legal requirement for granting consent for a property, according to court rulings?
Courts have held that only the actual owner of a property can grant consent, or someone who has legal guardianship of the owner
C840 - Digital Forensics
8
What are the five types of drive connections?
Integrated Drive Electronics (IDE) [spoiler answer]
Extended Integrated Drive Electronics (EIDE)
Parallel Advanced Technology Attachment (PATA)
Serial Advanced Technology Attachment (SATA)
Serial SCSI
What type of memory technology is commonly used in SSDs, and what unique feature does it possess that allows it to retain memory even without power?
Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power
What is AFF?
The Advanced Forensic Format (AFF) is a file format used in digital forensics to store disk images, file systems, and other digital evidence used by Sleuth Kit a
nd Autopsy
What is Encase?
This tool allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine.
What is the significance of EnCase's MD5 hash in relation to the evidence file and how is it used to ensure the integrity of the data on the hard drive?
The evidence file is an exact copy of the hard drive. EnCase calculates an MD5 hash when the drive is acquired. This hash is used to check for changes, alterations, or errors.
What is FTK ( The Forensic Toolkit )?
FTK (Forensic Toolkit) is a computer forensics software made by AccessData. It scans a hard drive looking for various information and can potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption1. It is intended to be a complete computer forensics solution
C840 - Digital Forensics
9
Can forensic tools be used for passoword cracking?
Forensic Toolkit is particularly useful at cracking passwords
What does FTK allow you to do in Windows?
FTK also provides tools to search and analyze the Windows Registry.
What is a common method of Steganography?
One of the most common methods of performing this technique is the least significant bit (LSB) method (when the last bit or least significant bit is used to store data).
What is Payload in Stegangraphy?
Payload is the information to be covertly communicated, basically the message you want to hide
What is Carrier in Stegangraphy?
The carrier (or carrier file) is the signal, stream, or file in which the payload is hidden.
What is Channel in Stegangraphy?
The channel is the type of medium used. This may be a passive channel, such as photos, video, or sound files, or even an active channel, such as a Voice over IP (VoIP) voice call or streaming video connection.
What is Steganalysis
?
Steganalysis is the process of analyzing a file or files for hidden content
What are the two modern forensics tools to check stegangraphy?
Forensic Toolkit (FTK) and EnCase both check for steganography
What is Cryptographic Hashes?
Cryptographic Hashes are how many systems including Windows store passwords in hash format.
Such as: 0BD181063899C9239016320B50D3E896693A96DF
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
C840 - Digital Forensics
10
Where does Window store hash?
Windows will then store that hash in the SAM (Security Accounts Manager) file in the Windows System directory.
What is Ophcarck?
Ophcarck is a popular hacking tool that depends on rainbows tables. Ophcrack is usually very sucessful at cracking Windows local machine passwords
Windows
What is the role of Windows Swap File?
The Windows swap file is used to augment the RAM. Essentially, it is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval
What is the role of Application log?
This log contains various events logged by applications or programs. Many applications record their errors here in the Application log
What is the role of System Log?
The System log contains events logged by Windows system components. This includes events like driver failures. This particular log is not as interesting from a forensics perspective as the other logs are.
What is the role The ForwardedEvents log?
The ForwardedEvents log is used to store events collected from remote computers. This has data in it only if event forwarding has been configured.
What are the supportin files of HKEY_LOCAL_MACHINE\SAM?
Sam, Sam.log, Sam.sav
MAC
What command prompt does MAC use?
C840 - Digital Forensics
11
Mac OS is a bash shell so you can execute Linux commands
What are GUID Partion Tables?
The GUID Partition Table is used primarily with computers that have an Intel-
based processor. It requires OS X v10.4 or later. Intel-based Mac OS machines can boot only from drives that use the GUID Partition Table.
What is one of the first steps in any forensic examination and why are logs important when examining a Windows, Linux or Apple computer?
One of the first steps in any forensic examination should be to check the logs. Remember that logs are very important when examining a Windows or a Linux computer. They are just as important when examining an Apple computer. This section examines the Mac OS logs and what is contained in them.
What does the The /Users/<user>/.bash_history Log do?
As you know, Mac OS is based on FreeBSD, a Unix variant. When you launch the terminal window, what you actually get is a BASH shell. So this particular log can be very interesting. It will show you a variety of commands. You might look for commands such as rm, which would be removing or deleting something, or commands like dd, indicating the user might have tried to make an image of the drive.
What is in The /etc Directory
Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later. The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File This file contains the network configuration data for each network card. This
C840 - Digital Forensics
12
is important information to document before beginning your search for evidence.
What can Forensics Toolkit and Encase do on phone?
Forensic Toolkit and EnCase can both image a phone for you
What are Data Doctor?
This product recovers all Inbox and Outbox data and all contacts data, and has an easy-to-use interface. Most important, it has a free trial version, but there is a cost for the full version. It is available from http://www.simrestore.com/
What is a tool used to breaking an Iphone passocde?
XRY is a tool the can break IPhone passcodes
Where do Deleted Files go?
When a file is deleted on the iPhone, iPad, or iPod, it is actually moved to the .Trashes\501 folder. Essentially, the data is still there until it is overwritten, so recently deleted files can be retrieved.
What does Pwnage do?
This utility allows you to unlock a locked iPod Touch and is available from https://pwnage.com/.
[know it as a spoiler answer]
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help