Exam 1 and 2
Computer Forensics 230 with Feehan at Bradley University
About this deck
By: Shinal Patel
Created: 2010-12-12
Size: 96 flashcards
Views: 266
To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
TRUE
Computer investigations and forensics fall into the same category: public investigations.
FALSE
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
FALSE
Chain of custody is also known as chain of evidence.
TRUE
You cannot use both multi-evidence and single-evidence forms in your investigation.
FALSE
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data. Duplicating evidence is time-consuming and often involves running imaging software overnight and on weekends.
TRUE
If damage occurs to the computer forensics lab, it does not need to be repaired immediately.
FALSE
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis task.
TRUE
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
TRUE
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
TRUE
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
TRUE
ISPs can investigate computer abuse committed by their customers.
FALSE
If a corporate investigator follows police instructions to gather additional evidence without a warrant, you run the risk of becoming an agent of law enforcement.
TRUE
A judge can exclude evidence obtained from a poorly worded warrant.
TRUE
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
FALSE
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Computer Analysis and Response Team (CART)
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
Data recovery
In general, a criminal case follows three stages: the complaint, the investigation, and the _____.
Prosecution
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney may direct you to submit a ___.
Affidavit
Without a warning banner, employees might have an assumed ___ when using a company's computer system and network access.
Right of Privacy
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law officer
Silver-platter
Your ___ as a computer investigation and forensics analyst is critical because it determines your credibility.
Professional conduct
Maintaining ___ means you must form and sustain unbiased opinions of your cases.
Objectivity
The ___ is the route the evidence takes from the time you find it until the case is closed or goes to court.
Chain of custody.
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as _____.
A forensic workstation
A ___ is a bit-by-bit copy of the original storage medium.
Bit-stream copy
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ___, and Windows file system.
NTFS
___ was created by police officers who wanted to formalize credentials in computing investigations
IACIS
Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. This shielding is called ___.
TEMPEST
For computer forensics, __ is the task of collecting digital evidence from electronic media
Data acquisition
The most common and flexible data-acquisition method is ____.
Disk-to-image file copy
Image files can be reduced by as much as ___% of the original
50
Microsoft has recently added ___ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
Whole disk encryption
___ records are data the system maintains, such as system log files and proxy server logs
Computer generated
Confidential business data included with the criminal evidence are referred to as ____ data.
commingled
___ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
Probable cause
Environmental and __ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
Safety
Courts consider evidence data in a computer as ___ evidence
Physical
Evidence is commonly lost or corrupted through ___, which involves police officers and other professionals who aren't part of the crime scene processing team.
Professional curiosity
When seizing computer evidence in criminal investigations, follow the ___ standards for seizing digital data.
United States Department of Justice
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ___ or MS-DOS system.
Windows 9x
Real-time surveillance requires ___ data transmissions between a suspect's computer and a network server.
Sniffing
The most common computer-related crime is ___.
Fraud
The ___ gives the operating system a road map to data on a disk.
File System
A computer stores system configuration and date and time information in the ___.
CMOS
Disk drives are made up of one or more platters coated with ____ material.
Magnetic
In Microsoft file structures, sectors are grouped to form ____, which are defined as storage allocation units of one or more sectors.
Clusters
The smallest area on a disk drive to which data can be written is called a ____.
Sector
The first ____ of all disks contains a system area, the boot record, and a file structure database.
Sector
The unused space between partitions is called the ____.
Partition gap
Norton DiskEdit, Hex Workshop, and WinHex are all examples of ____.
Disk editor utilities
The ____ stores information about partitions on a disk and their locations, size, and other important items.
Master Boot Record (MBR)
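The MBR, partition table and partition gap cards above describe a structure an examiner reads by hand in a disk editor. The following is an added example, not part of the original deck, that parses the four 16-byte partition entries at offset 446 of sector 0 and reports the unallocated sector ranges (partition gaps) between them. The 512-byte MBR it parses is constructed inline rather than taken from a real drive, and the partition type names in PART_TYPES are only for display.

```python
import struct

SECTOR = 512
# Partition type IDs used for display only (constructed sample uses 0x07 and 0x0B).
PART_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}

# Each of the four 16-byte partition entries starting at offset 446:
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sector-count(4, LE)
ENTRY = "<B3sB3sII"


def has_boot_signature(mbr):
    """The last two bytes of a valid MBR are 0x55 0xAA."""
    return len(mbr) >= SECTOR and mbr[510:512] == b"\x55\xAA"


def parse_mbr(mbr):
    """Return the populated partition entries with their LBA location and size."""
    if not has_boot_signature(mbr):
        raise ValueError("sector 0 does not carry the 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start_lba": lba,
            "sectors": count,
            "end_lba": lba + count - 1,
        })
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges covered by no partition, as (start_lba, length) tuples.

    Sector 0 is the MBR itself, so the first possible gap starts at LBA 1.
    Data written into these gaps is invisible to the OS but present in an image."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["end_lba"] + 1)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr():
    """Constructed 512-byte MBR (not from a real drive): an NTFS partition at
    LBA 63 and a FAT32 partition at LBA 4096, leaving a gap between them."""
    def entry(status, ptype, lba, count):
        return struct.pack(ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x80, 0x07, 63, 2048)
    mbr[462:478] = entry(0x00, 0x0B, 4096, 8192)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print("partition %d: %s LBA %d-%d (%d sectors)%s" % (
            p["index"], p["type_name"], p["start_lba"], p["end_lba"],
            p["sectors"], " [active]" if p["bootable"] else ""))
    for start, length in find_gaps(parts, 16384):
        print("partition gap: LBA %d, %d sectors" % (start, length))
```

On a real image you would read sector 0 with a write blocker in place and pass the drive's total sector count to find_gaps; any gap of more than a few sectors is worth carving for hidden data.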
Which of the following is the file structure database that Microsoft designed for floppy disks?
File Allocation table (FAT)
The File Allocation Table (FAT) database is typically written to a disk's outermost track and contains the following:
filenames
directory names
date and time stamps
starting cluster number
All of the above.
In Microsoft OSs, after a file is deleted, the area of the disk where the deleted file resides becomes ___.
unallocated disk space
The MFT contains information about all files on the disk
TRUE
File or folder information is typically stored in one of two ways in an MFT record.
Allocated and unallocated
The following Microsoft utility implements a public key and private key method of encrypting files, folders, or disk volumes.
Encrypting File System (EFS)
Microsoft BitLocker is an example of a ____.
Whole disk encryption utility
Microsoft BitLocker is only available in which of the following operating systems:
Windows Vista Enterprise and Ultimate editions
A database that stores hardware and software configuration information, network connections, user preferences, and setup information is called the ____.
Registry
Software forensic utilities can be divided into how many types?
two
Discrimination of data involves sorting and searching through all investigation data.
TRUE
Which of the following are tasks performed by computer forensic tools?
disk-to-disk copy
image-to-disk copy
partition-to-partition copy
image-to-partition copy
(All of the above)
Which of the following is not an example of a forensic utility?
TrueCrypt
______ prevents data writes to a hard disk.
Write-blocker
Vector graphics are a collection of dots.
FALSE
Which of the following are not common computer forensics tools functions?
Command-line applications and GUI applications
Most forensics disk examinations involve EIDE and SATA drives.
TRUE
Norton Disk Edit cannot change the disk partition table
FALSE
When using target drives, forensics examiners should use only recently wiped media that have been reformatted.
TRUE
What is one of the most critical aspects of computer forensics?
Validating all forensic data
Hex Workshop provides the following hashing algorithms (all that apply)
SHA-1
MD5
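Several cards in this deck concern the same procedure: a bit-stream copy of the original medium (disk-to-image file), followed by validation with MD5 or SHA-1 hashes. The following is an added example, not code from the deck or from Hex Workshop, that performs the copy in sector-aligned blocks, records the acquisition hashes as the source is read, and then re-hashes both source and image to verify the copy. The "drive" is a constructed 32 KiB byte string held in memory, so it runs offline; on real hardware the source would be a write-blocked device file.

```python
import hashlib
import io

SECTOR = 512


def hash_stream(stream, chunk=SECTOR * 8):
    """MD5 and SHA-1 hex digests of a seekable stream, read from offset 0."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    stream.seek(0)
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data):
    """Convenience wrapper for hashing an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def bitstream_copy(src, dst, chunk=SECTOR * 8):
    """Copy src to dst byte for byte in sector-aligned blocks, hashing the
    source as it is read so the acquisition hash is recorded at copy time."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    src.seek(0)
    dst.seek(0)
    copied = 0
    for block in iter(lambda: src.read(chunk), b""):
        dst.write(block)
        md5.update(block)
        sha1.update(block)
        copied += len(block)
    dst.flush()
    return copied, md5.hexdigest(), sha1.hexdigest()


def verify_image(src, dst, acquisition_hashes):
    """Re-hash source and image independently; both must equal the hashes
    recorded at acquisition, otherwise the image is not a faithful copy."""
    return hash_stream(src) == acquisition_hashes == hash_stream(dst)


def build_sample_drive(sectors=64):
    """Constructed 32 KiB 'drive' of deterministic filler; not a real disk."""
    data = bytearray()
    for n in range(sectors):
        data += hashlib.sha256(b"sector-%d" % n).digest() * (SECTOR // 32)
    return bytes(data)


def demo():
    """Acquire the sample drive, verify the image, then show that flipping a
    single byte in the image is caught.
    Returns (bytes_copied, md5, sha1, clean_ok, tampered_ok)."""
    src = io.BytesIO(build_sample_drive())
    img = io.BytesIO()
    copied, md5, sha1 = bitstream_copy(src, img)
    clean_ok = verify_image(src, img, (md5, sha1))
    damaged = bytearray(img.getvalue())
    damaged[100] ^= 0xFF  # one flipped bit pattern anywhere changes both digests
    tampered_ok = verify_image(src, io.BytesIO(bytes(damaged)), (md5, sha1))
    return copied, md5, sha1, clean_ok, tampered_ok


if __name__ == "__main__":
    copied, md5, sha1, clean_ok, tampered_ok = demo()
    print("copied %d bytes" % copied)
    print("MD5  %s" % md5)
    print("SHA1 %s" % sha1)
    print("clean image verifies: %s, tampered image verifies: %s" % (clean_ok, tampered_ok))
```

Recording two independent digests at acquisition and re-computing them on the image is the check a commercial tool's built-in validation performs; the hashes, the tool used and the time belong on the evidence form as part of the chain of custody.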
Commercial computer forensics programs do not have built-in validation features.
FALSE
Using a disk editor to mark space as a bad cluster is known as ____
a common data hiding technique
Steganography tools were created to protect open source utilities
FALSE
A suspect can hide information in image or text document files through the use of ___.
Steganography
___ are useful for making an image of a drive when the computer is far away from your location or when you don't want a suspect to be aware of an ongoing investigation
Remote acquisitions
Determining whether image files hide information is called ___.
Steganalysis
Which of the following formats is not a common image type?
QuickView
Which of the following formats is commonly used to store digital pictures?
EXIF
Which of these compression methods permanently discards bits of information?
Lossy compression
Which of these image file formats does not compress its data?
BMP
Which of these image file formats was developed by JEIDA as a standard for storing metadata in JPEG and TIFF files?
EXIF
Most JPEG files also include the JFIF string.
TRUE
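The image-format cards above (BMP, JPEG with JFIF and Exif, lossy versus uncompressed formats) and the Hex Workshop file-header cards describe identifying a file by its header rather than its name. The following is an added example, not from the deck or from any forensic tool, that identifies the common image types by their magic bytes, walks a JPEG's application segments to find the JFIF and Exif identifier strings, and flags a file whose extension does not match its header (a JPEG renamed to .txt). The sample headers are constructed minimal byte strings, not real pictures.

```python
import os
import struct

# Magic bytes for the image formats discussed; first match wins.
SIGNATURES = [
    (b"BM", "BMP"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"II*\x00", "TIFF"),   # little-endian TIFF
    (b"MM\x00*", "TIFF"),   # big-endian TIFF
    (b"\xff\xd8\xff", "JPEG"),
]
EXPECTED_EXT = {"BMP": {".bmp"}, "PNG": {".png"}, "GIF": {".gif"},
                "TIFF": {".tif", ".tiff"}, "JPEG": {".jpg", ".jpeg"}}


def jpeg_app_markers(data):
    """Walk the JPEG segments after SOI (FF D8) and report which application
    segments carry the JFIF (APP0) or Exif (APP1) identifier strings."""
    found = []
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: the header segments are over
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE0 and payload.startswith(b"JFIF\x00"):
            found.append("JFIF")
        elif marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            found.append("Exif")
        pos += 2 + seglen
    return found


def identify(data):
    """(format name, JPEG application markers) decided by the header, not the name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name, (jpeg_app_markers(data) if name == "JPEG" else [])
    return "unknown", []


def extension_mismatch(filename, data):
    """True when the header says one image format but the extension says
    something else; unknown headers are not judged."""
    kind, _ = identify(data)
    if kind == "unknown":
        return False
    return os.path.splitext(filename)[1].lower() not in EXPECTED_EXT[kind]


def build_samples():
    """Constructed minimal headers (not real pictures) keyed by file name."""
    jpeg = (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xe1" + struct.pack(">H", 8) + b"Exif\x00\x00"
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\xff\xd9")
    return {
        "jfif_exif.jpg": jpeg,
        "logo.bmp": b"BM" + bytes(52),
        "image.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "anim.gif": b"GIF89a" + bytes(7),
        "scan.tif": b"II*\x00" + struct.pack("<I", 8),
        "notes.txt": b"Just a text file.\n",
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, data in samples.items():
        kind, markers = identify(data)
        flag = "  <-- extension does not match header" if extension_mismatch(name, data) else ""
        print("%-14s %-7s %s%s" % (name, kind, ",".join(markers), flag))
    # the same JPEG bytes under a misleading name
    print("evidence.txt mismatch:", extension_mismatch("evidence.txt", samples["jfif_exif.jpg"]))
```

The Exif segment is where camera make, model and timestamps live, so a JPEG that carries Exif but no JFIF is typically a camera original, while one with JFIF only has usually passed through editing software; either way the header, not the extension, decides what the file is.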
Raster images are better for printing than Bitmap images
TRUE
Computer forensics tools do not have limitations in performing hashing
FALSE
Ensuring the integrity of data you collect is essential for presenting evidence in court
TRUE
Hex Workshop cannot generate the hash value of selected data sets in a file or sector
FALSE
The type of file system an OS uses determines how data is stored on the disk
TRUE
A computer forensic examiner does not need to be familiar with the computer's platform when accessing a suspect's computer to acquire or inspect data
FALSE
Hex Workshop allows you to identify only file headers
TRUE
Which FAT version is used only on floppy disks?
FAT12
Files larger than ___ bytes are stored outside the MFT.
512
The Encrypting File System (EFS) was first introduced with which Microsoft operating system?
Windows 2000