To be a successful computer forensics investigator, you must be familiar with more than one computing platform.
Computer investigations and forensics fall into the same category: public investigations.
The law of search and seizure protects the rights of all people, excluding people suspected of crimes.
Chain of custody is also known as the chain of evidence.
You cannot use both multi-evidence and single-evidence forms in your investigation.
Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages of data.
Creating a forensic image of a large drive is slow and often involves running imaging software overnight and on weekends.
If damage occurs to the computer forensics lab, it does not need to be repaired immediately.
A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for higher-end analysis tasks.
Computing systems in a forensics lab should be able to process typical cases in a timely manner.
The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file.
Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.
ISPs can investigate computer abuse committed by their customers.
If you, as a corporate investigator, follow police instructions to gather additional evidence without a warrant, you run the risk of becoming an agent of law enforcement.
A judge can exclude evidence obtained from a poorly worded warrant.
Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.
The FBI ____ was formed in 1984 to handle the increasing number of cases involving digital evidence.
Computer Analysis and Response Team (CART)
____ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example.
In general, a criminal case follows three stages: the complaint, the investigation, and the _____.
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney may direct you to submit a ___.
Without a warning banner, employees might have an assumed ___ when using a company's computer systems and network access.
Right of Privacy
Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law officer.
Your ___ as a computer investigation and forensics analyst is critical because it determines your credibility.
Maintaining ___ means you must form and sustain unbiased opinions of your cases.
The ___ is the route the evidence takes from the time you find it until the case is closed or goes to court.
Chain of custody.
To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as _____.
A forensic workstation
A ___ is a bit-by-bit copy of the original storage medium.
Windows hard disks can now use a variety of file systems, including FAT16, FAT32, ___, and the Windows file system.
___ was created by police officers who wanted to formalize credentials in computing investigations
Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. This shielding is called ___.
For computer forensics, __ is the task of collecting digital evidence from electronic media
The most common and flexible data-acquisition method is ____.
Disk-to-image file copy
Image files can be reduced by as much as ___% of the original
Microsoft has recently added ___ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult.
Whole disk encryption
___ records are data the system maintains, such as system log files and proxy server logs
Confidential business data included with the criminal evidence are referred to as ____ data.
___ is facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed.
Environmental and __ issues are your primary concerns when you're working at the scene to gather information about an incident or a crime.
Courts consider evidence data in a computer as ___ evidence
Evidence is commonly lost or corrupted through ___, which involves police officers and other professionals who aren't part of the crime scene processing team.
When seizing computer evidence in criminal investigations, follow the ___ standards for seizing digital data.
United States Department of Justice
During an investigation involving a live computer, do not cut electrical power to the running system unless it's an older ___ or MS-DOS system.
Real-time surveillance requires ___ data transmissions between a suspect's computer and a network server.
The most common computer-related crime is ___.
The ___ gives the operating system a road map to data on a disk.
A computer stores system configuration and date and time information in the ___.
Disk drives are made up of one or more platters coated with ____ material.
In Microsoft file structures, sectors are grouped to form ____, which are defined as storage allocation units of one or more sectors.
The smallest area on a disk drive to which data can be written is called a ____.
The first ____ of all disks contains a system area, the boot record, and a file structure database.
The unused space between partitions is called the ____.
Norton DiskEdit, WinHex, and Hex Workshop are all examples of ____.
Disk editor utilities
The ____ stores information about partitions on a disk and their locations, size, and other important items.
Master Boot Record (MBR)
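The partition table these two cards refer to is small enough to parse by hand. The Python below is an added example written for this page, not code from the flashcards or from any forensics product: it builds a constructed 512-byte MBR (the layout, and the names build_constructed_mbr, parse_mbr and partition_gaps, are the example's own), refuses a sector without the 0x55AA boot signature, lists the partition entries, and reports the unused sector ranges before and between partitions, which is where an examiner looks for a deliberately hidden partition gap.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE        # four 16-byte entries live here
BOOT_SIGNATURE = b'\x55\xaa'          # last two bytes of a valid MBR
ENTRY_FORMAT = '<B3sB3sII'            # status, CHS start, type, CHS end, LBA start, sector count

# A few well-known partition type IDs; anything else is reported as unknown.
PARTITION_TYPES = {
    0x05: 'extended (CHS)', 0x07: 'NTFS/exFAT', 0x0B: 'FAT32 (CHS)', 0x0C: 'FAT32 (LBA)',
    0x0F: 'extended (LBA)', 0x82: 'Linux swap', 0x83: 'Linux', 0xEE: 'GPT protective',
}


def build_constructed_mbr():
    """Constructed sample MBR, not data from a real disk: NTFS at LBA 2048 and a FAT32
    partition that starts 3152 sectors after the NTFS partition ends."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable, 100 MiB
        (0x00, 0x0B, 210000, 100000),  # leaves a gap of sectors 206848..209999
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FORMAT, status, b'\xff\xff\xff',
                                        ptype, b'\xff\xff\xff', start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector0):
    """Return the non-empty partition entries of sector 0 as dicts."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError('need at least one 512-byte sector')
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError('missing 0x55AA boot signature: not an MBR')
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FORMAT, sector0[off:off + 16])
        if ptype == 0 or count == 0:        # unused slot
            continue
        parts.append({
            'index': i,
            'bootable': status == 0x80,
            'type': ptype,
            'type_name': PARTITION_TYPES.get(ptype, 'unknown 0x%02X' % ptype),
            'lba_start': lba_start,
            'sectors': count,
            'lba_end': lba_start + count - 1,
        })
    return parts


def partition_gaps(parts, total_sectors=None):
    """Unused sector runs as (first_sector, length): the area between the MBR and the
    first partition, any gap between partitions and, if the disk size is known, the
    tail after the last partition. Logical partitions inside an extended partition
    are not expanded here, so gaps inside an extended partition are not reported."""
    gaps = []
    next_free = 1                           # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p['lba_start']):
        if p['lba_start'] > next_free:
            gaps.append((next_free, p['lba_start'] - next_free))
        next_free = max(next_free, p['lba_end'] + 1)
    if total_sectors is not None and total_sectors > next_free:
        gaps.append((next_free, total_sectors - next_free))
    return gaps


if __name__ == '__main__':
    parts = parse_mbr(build_constructed_mbr())
    for p in parts:
        print('entry %d: %-14s LBA %d-%d (%d sectors)%s' % (
            p['index'], p['type_name'], p['lba_start'], p['lba_end'],
            p['sectors'], ' bootable' if p['bootable'] else ''))
    for start, length in partition_gaps(parts, total_sectors=400000):
        print('unused: sectors %d-%d (%d sectors)' % (start, start + length - 1, length))
```

A type ID of 0xEE means the MBR is only a protective shell and the real layout is in the GPT that follows it; a type of 0x05 or 0x0F points at an extended partition whose own boot record must be parsed to find the logical partitions inside it.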
Which of the following is the file structure database that Microsoft designed for floppy disks?
File Allocation table (FAT)
File Allocation Table (FAT) database is typically written to a disk's outermost track and contains the following:
date and time stamps
starting cluster number
All of the above.
In Microsoft OSs, after a file is deleted, the area of the disk where the deleted file resides becomes ___.
unallocated disk space
The MFT contains information about all files on the disk
File or folder information is typically stored in one of two ways in an MFT record.
Resident and nonresident
Which Microsoft encryption utility implements a public key and private key method of encrypting files, folders, or disk volumes?
Encrypting File System (EFS)
Microsoft BitLocker is an example of a ____.
Whole disk encryption utility
Microsoft BitLocker is only available in which of the following operating systems:
Windows Vista Enterprise and Ultimate editions
A database that stores hardware and software configuration information, network connections, user preferences, and setup information is called the ____.
Software forensic utilities can be divided into how many types?
Discrimination of data involves sorting and searching through all investigation data.
Which of the following are tasks performed by computer forensic tools?
(All of the above)
Which of the following is not an example of a forensic utility?
______ prevents data writes to a hard disk.
Vector graphics are a collection of dots.
Which of the following are not common computer forensics tool functions?
Command-line applications and GUI applications
Most forensics disk examinations involve EIDE and SATA drives.
Norton DiskEdit cannot change the disk partition table.
When using target drives, forensics examiners should use only recently wiped media that have been reformatted.
What is one of the most critical aspects of computer forensics?
Validating all forensic data
Hex Workshop provides the following hashing algorithms (select all that apply):
Commercial computer forensics programs do not have built-in validation features.
Using a disk editor to mark space as a bad cluster is known as ____
a common data hiding technique
Steganography tools were created to protect open source utilities
Suspect can hide information on image or text document files through the use of ___.
___ are useful for making an image of a drive when the computer is far away from your location or when you don't want a suspect to be aware of an ongoing investigation
Finds whether image files hide information:
Which of the following formats is not a common image type?
Which of the following formats is commonly used to store digital pictures?
Which of these compression methods permanently discards bits of information?
Which of these image file formats does not compress its data?
Which of these image file formats was developed by JEIDA as a standard for storing metadata in JPEG and TIFF files?
Most JPEG files also include a JFIF string.
Raster images are better for printing than Bitmap images
Computer forensics tools do not have limitations in performing hashing
Ensuring the integrity of data you collect is essential for presenting evidence in court
Hex Workshop cannot generate the hash value of selected data sets in a file or sector
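The validation cards above (validating all forensic data, hashing limitations, integrity of collected data, hashing a selected range of a file or sector) describe one workflow: hash the source while acquiring it, hash the image again later, and compare. The Python below is an added example written for this page, not code from the flashcards or from any forensics tool. It streams a constructed evidence "disk" (make_constructed_disk, a byte pattern, not real data) into an image while computing MD5 and SHA-256 in one pass, re-verifies the image, hashes a single selected sector, and shows that a one-bit change to the image is caught. The function names are the example's own.

```python
import hashlib
import io
import struct

SECTOR = 512


def make_constructed_disk(sectors=64):
    """Constructed evidence source (not real disk data): each sector is a byte
    pattern followed by its sector number, so every sector is distinct."""
    out = bytearray()
    for i in range(sectors):
        out += bytes([i & 0xFF]) * (SECTOR - 8) + struct.pack('<Q', i)
    return bytes(out)


def acquire_disk_to_image(src, dst, chunk_size=1 << 20):
    """Copy src to dst bit for bit, hashing the source bytes as they are read.
    Returns ({'md5': hex, 'sha256': hex}, bytes_copied). src and dst are binary
    file objects, so this works on a BytesIO here and on open(...) in practice."""
    hashes = {name: hashlib.new(name) for name in ('md5', 'sha256')}
    total = 0
    while True:
        block = src.read(chunk_size)
        if not block:
            break
        dst.write(block)
        for h in hashes.values():
            h.update(block)
        total += len(block)
    dst.flush()
    return {name: h.hexdigest() for name, h in hashes.items()}, total


def hash_file(fobj, algorithms=('md5', 'sha256'), chunk_size=1 << 20):
    """Hash the whole object from the start with every requested algorithm in one pass."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    fobj.seek(0)
    while True:
        block = fobj.read(chunk_size)
        if not block:
            break
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_range(fobj, offset, length, algorithm='sha256'):
    """Hash only a selected byte range, for example one sector or one carved file."""
    fobj.seek(offset)
    data = fobj.read(length)
    if len(data) != length:
        raise ValueError('range %d+%d runs past the end of the data' % (offset, length))
    return hashlib.new(algorithm, data).hexdigest()


def verify_image(fobj, expected):
    """True only if every algorithm recorded at acquisition still matches."""
    actual = hash_file(fobj, tuple(expected))
    return all(actual[name] == expected[name] for name in expected)


if __name__ == '__main__':
    disk = make_constructed_disk()
    image = io.BytesIO()
    acquisition_hashes, copied = acquire_disk_to_image(io.BytesIO(disk), image)
    print('copied %d bytes' % copied)
    for name, digest in acquisition_hashes.items():
        print('%-6s %s' % (name, digest))
    print('image verifies:', verify_image(image, acquisition_hashes))
    print('sector 1 sha256:', hash_range(image, SECTOR, SECTOR))
    tampered = bytearray(image.getvalue())
    tampered[1000] ^= 0x01                         # flip one bit
    print('tampered verifies:', verify_image(io.BytesIO(bytes(tampered)), acquisition_hashes))
```

Recording two algorithms costs little extra during acquisition and gives a second check if one digest is ever questioned; the sector-level hash is what you reach for when a tool reports a read error on one region and you need to show that the rest of the image is unchanged.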
The type of file system an OS uses determines how data is stored on the disk
A computer forensic examiner does not need to be familiar with the computer's platform when accessing a suspect's computer to acquire or inspect data
Hex Workshop allows you to identify only file headers
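The image-format cards above (common image types, JFIF and Exif markers in JPEG files, identifying file headers in a hex editor) come down to recognising a few signature byte strings. The Python below is an added example written for this page, not code from the flashcards or from Hex Workshop: it identifies an image by its header, walks the JPEG marker segments to report the JFIF and Exif application segments, and scans a constructed buffer for file headers the way a header search over unallocated space works. The samples (JPEG_SAMPLE, PNG_SAMPLE, SAMPLE_BUFFER) are constructed minimal headers, not real pictures, and the function names are the example's own.

```python
import struct

# Header signatures for the image formats on the page. Note that the 2-byte BMP
# signature will produce false positives in a large scan and needs a follow-up check.
SIGNATURES = {
    'jpeg': [b'\xff\xd8\xff'],
    'png':  [b'\x89PNG\r\n\x1a\n'],
    'gif':  [b'GIF87a', b'GIF89a'],
    'bmp':  [b'BM'],
    'tiff': [b'II*\x00', b'MM\x00*'],
}

# Constructed minimal JPEG header: SOI, APP0 carrying "JFIF", APP1 carrying "Exif", SOS.
JPEG_SAMPLE = (
    b'\xff\xd8'
    + b'\xff\xe0' + struct.pack('>H', 16) + b'JFIF\x00' + b'\x01\x01' + b'\x00'
    + b'\x00\x01\x00\x01' + b'\x00\x00'
    + b'\xff\xe1' + struct.pack('>H', 8) + b'Exif\x00\x00'
    + b'\xff\xda'
)
PNG_SAMPLE = b'\x89PNG\r\n\x1a\n' + b'\x00\x00\x00\x0dIHDR'
# Constructed "unallocated space": headers separated by filler bytes.
SAMPLE_BUFFER = (JPEG_SAMPLE + b'\x00' * 100 + PNG_SAMPLE + b'\xff' * 37
                 + b'GIF89a' + b'\x00' * 5 + b'II*\x00\x08\x00\x00\x00')


def identify_image(data):
    """Return the format name whose signature the data starts with, or None."""
    for name, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return name
    return None


def jpeg_app_segments(data):
    """Walk marker segments from SOI up to SOS and return (marker, identifier)
    for each APPn segment, e.g. [('APP0', 'JFIF'), ('APP1', 'Exif')]."""
    if not data.startswith(b'\xff\xd8'):
        raise ValueError('not a JPEG: missing SOI marker')
    pos, found = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError('marker expected at offset %d' % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):            # SOS or EOI: header segments are over
            break
        if pos + 4 > len(data):
            raise ValueError('truncated segment at offset %d' % pos)
        seglen = struct.unpack('>H', data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + seglen]
        if 0xE0 <= marker <= 0xEF:
            ident = payload.split(b'\x00', 1)[0].decode('ascii', 'replace')
            found.append(('APP%d' % (marker - 0xE0), ident))
        pos += 2 + seglen
    return found


def carve_headers(buf):
    """Find every offset where a known image header begins, sorted by offset."""
    hits = []
    for name, sigs in SIGNATURES.items():
        for sig in sigs:
            start = 0
            while True:
                i = buf.find(sig, start)
                if i < 0:
                    break
                hits.append((i, name))
                start = i + 1
    return sorted(hits)


if __name__ == '__main__':
    print('sample is', identify_image(JPEG_SAMPLE), 'with', jpeg_app_segments(JPEG_SAMPLE))
    for offset, name in carve_headers(SAMPLE_BUFFER):
        print('%-5s header at offset %d' % (name, offset))
```

A header hit is only a candidate: a real carver then validates the structure that follows (the IHDR chunk after a PNG signature, the marker chain after a JPEG SOI) and looks for the matching footer before it trusts the file boundary.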
Which FAT version is only utilized on floppy disks?
Files larger than ___ bytes are stored outside the MFT.
The Encrypting File System (EFS) was first introduced with which Microsoft operating system?