
SECR250JUS Computer Forensics

FINAL

Q: There are ____ tracks available for the program area on a CD.
A: 99

Q: ____ of data involves sorting and searching through all investigation data.
A: Discrimination

Q: All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard ____ ribbon or shielded cable.
A: 40-pin

Q: ATA-66, ATA-____, and ATA-133 can use the newer 40-pin/80-wire cable.
A: 100

Q: Many vendors have developed write-blocking devices that connect to a computer through FireWire, ____ 2.0, and SCSI controllers.
A: USB

Q: ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
A: Write-blockers

Q: The primary hash algorithm used by the NSRL project is ____.
A: SHA-1

Q: On older Macintosh OSs all information about the volume is stored in the ____.
A: Master Directory Block (MDB)

Q: The final component in the UNIX and Linux file system is a(n) ____, which is where directories and files are stored on a disk drive.
A: Data block

Q: Raw data is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux ____ command.
A: dd

Q: The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files is ____.
A: NSRL

Q: Linux is probably the most consistent UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
A: GPL

Q: On a Linux computer, ____ is the path for the first partition on the primary master IDE disk drive.
A: /dev/hda1

Q: In general, forensics workstations can be divided into ____ categories.
A: 3

Q: Macintosh OS X is built on a core called ____.
A: Darwin

Q: The IDE ATA controller on an old 486 PC doesn't recognize disk drives larger than 8.4 ____.
A: GB

Q: The simplest method of duplicating a disk drive is using a tool that does a direct ____ copy from the original disk to the target disk.

Q: The standard Linux file system is ____.
A: Ext2fs

Q: With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
A: Volume Bitmap

Q: A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
A: Portable workstation

Q: To complete a forensic disk analysis and examination, you need to create a ____.
A: Report

Q: For computer forensics, ____ is the task of collecting digital evidence from electronic media.
A: Data acquisition

Q: A ____ is a column of tracks on two or more disk platters.
A: Cylinder

Q: ____ can be the most time-consuming task, even when you know exactly what to look for in the evidence.
A: Data analysis

Q: A ____ plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you're analyzing.
A: Disaster recovery

Q: ____ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.
A: Write-blockers

Q: A forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation is also known as a ____.
A: Portable workstation

Q: Although a disk editor gives you the most flexibility in ____, it might not be capable of examining a ____ file's contents.
A: Testing, compressed

Q: The most common and flexible data-acquisition method is ____.
A: Disk-to-image file copy

Q: Published company policies provide a(n) ____ for a business to conduct internal investigations.
A: Line of authority

Q: One major disadvantage of ____ format acquisitions is the inability to share an image between different vendors' computer forensics analysis tools.
A: Proprietary

Q: Maintaining ____ means you must form and sustain unbiased opinions of your cases.
A: Objectivity

Q: Many password recovery tools have a feature that allows generating potential lists for a ____ attack.
A: Password dictionary

Q: The list of problems you normally expect in the type of case you are handling is known as the ____.
A: Standard risk assessment

Q: The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. These cluster addresses are referred to as ____.
A: Data runs

Q: The primary hash algorithm used by the NSRL project is ____.
A: SHA-1

Q: Floors and carpets in your computer forensic lab should be cleaned at least ____ a week to help minimize dust that can cause static electricity.
A: Once

Q: To begin conducting an investigation, you start by ____ the evidence using a variety of methods.
A: Copying

Q: Corporations often follow the ____ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer.
A: Silver-platter

Q: Every business or organization must have a well-defined process that describes when an investigation can be initiated. At a minimum, most corporate policies require that employers have a ____ that a law or policy is being violated.
A: Reasonable suspicion

Q: If you can't open an image file in an image viewer, the next step is to examine the file's ____.
A: Header data

Q: In FTK ____ search mode, you can also look for files that were accessed or changed during a certain time period.
A: Indexed

Q: The image format XIF is derived from the more common ____ file format.
A: TIFF

Q: The ____ search feature allows you to look for words with extensions such as -ing, -ed, and so forth.

A: Stemming

Q: ____ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation.
A: Remote acquisitions

Q: Recovering pieces of a file is called ____.
A: Carving

Q: ____ recovery is a fairly easy task in computer forensic analysis.
A: Password

Q: The marking-bad-clusters data-hiding technique is more common with ____ file systems.
A: FAT

Q: Data ____ involves changing or manipulating a file to conceal information.
A: Hiding

Q: ____ has also been used to protect copyrighted material by inserting digital watermarks into a file.
A: Steganography

Q: ____ images store graphics information as grids of individual pixels.
A: Bitmap

Q: You use ____ to create, modify, and save bitmap, vector, and metafile graphics files.
A: Graphics editors

Q: The process of converting raw picture data to another format is referred to as ____.
A: Demosaicing

Q: The term ____ comes from the Greek word for hidden writing.
A: Steganography

Q: ____ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search.
A: Live

Q: The majority of digital cameras use the ____ format to store digital pictures.
A: EXIF

Q: Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.
A: Key escrow

Q: ____ attacks use every possible letter, number, and character found on a keyboard when cracking a password.
A: Brute-force

Q: ____ steganography replaces bits of the host file with other bits of data.
A: Substitution

Q: You begin any computer forensics case by creating a(n) ____.
A: Investigation plan

Q: For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
A: Print

Q: ____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.
A: RegMon

Q: The files that provide helpful information to an e-mail investigation are log files and ____ files.
A: Configuration

Q: ____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.
A: Network forensics

Q: ____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD.
A: dcfldd

Q: A common way of examining network traffic is by running the ____ program.
A: Tcpdump

Q: ____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.
A: Circular logging

Q: In a(n) ____ attack, the attacker keeps asking your server to establish a connection.
A: SYN flood

Q: Exchange logs information about changes to its data in a(n) ____ log.
A: Transaction

Q: E-mail messages are distributed from one central server to many connected client computers, a configuration called ____.
A: Client/server architecture

Q: ____ are devices and/or software placed on a network to monitor traffic.
A: Packet sniffers

Q: Most packet sniffer tools can read anything captured in ____ format.
A: PCAP

Q: With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk.
A: GUI

Q: ____ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names.
A: www.freeality.com

Q: ____ can be used to create a bootable forensic CD and perform a live acquisition.
A: Helix

Q: In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.
A: Checkpoint

Q: ____ is a popular network intrusion detection system that performs packet capture and analysis in real time.
A: Snort

Q: Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.
A: mbox

Q: In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.
A: .pst

Q: The GroupWise logs are maintained in a standard log format in the ____ folders.
A: GroupWise

Q: FRE ____ describes whether the basis for the testimony is adequate.
A: 703

Q: Validate your tools and verify your evidence with ____ to ensure its integrity.
A: Hashing algorithms

Q: There are two types of depositions: ____ and testimony preservation.
A: Discovery

Q: When you give ____ testimony, you present this evidence and explain what it is and how it was obtained.
A: Technical/Scientific

Q: Discuss any potential problems with your attorney ____ a deposition.
A: Before

Q: The most important laws applying to attorneys and witnesses are the ____.
A: Rules of evidence

Q: For forensics specialists, keeping the ____ updated and complete is crucial to supporting your role as an expert and showing that you're constantly enhancing your skills through training, teaching, and experience.
A: CV

Q: ____ is a written list of objections to certain testimony or exhibits.
A: Motion in limine

Q: ____ is an attempt by opposing attorneys to prevent you from serving on an important case.
A: Conflicting out

Q: The ____ Ethics Code cautions psychologists about the limitations of assessment tools.
A: APA's

Q: ____ are the experts who testify most often.
A: Medical professionals

Q: Attorneys search ____ for information on expert witnesses.
A: Deposition banks

Q: ____ questions can give you the factual structure to support and defend your opinion.
A: Hypothetical

Q: A(n) ____ hearing generally addresses the administrative agency's subject matter and seeks evidence in your testimony on a subject for which it's contemplating making a rule.
A: Administrative

Q: Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
A: Expert

Q: ____ are devices and/or software placed on a network to monitor traffic.
A: Packet sniffers

Q: You can use the ____ to help your attorney learn the terms and functions used in computer forensics.
A: Examination plan

Q: ____ questions can give you the factual structure to support and defend your opinion.
A: Hypothetical

Q: ____ evidence is evidence that exonerates or diminishes the defendant's liability.
A: Exculpatory

Q: Regarding a trial, the term ____ means rejecting potential jurors.
A: Strikes

Q: ____ can still be found as separate devices from mobile phones. Most users carry them instead of a laptop to keep track of appointments, deadlines, address books, and so forth.
A: PDAs

Q: Remember that anything you write down as part of your examination for a report is subject to ____ from the opposing attorney.
A: Discovery

Q: ____ offers the most comprehensive regulations of any professional organization and devotes an entire section to forensics activities.
A: APA's Ethics Code

Q: The majority of digital cameras use the ____ format to store digital pictures.
A: EXIF

Q: In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover.
A: Subpoenas

Q: A common way of examining network traffic is by running the ____ program.
A: Tcpdump

Q: Validate your tools and verify your evidence with ____ to ensure its integrity.
A: Hashing algorithms

Q: The most important laws applying to attorneys and witnesses are the ____.
A: Rules of evidence

Q: Data ____ involves changing or manipulating a file to conceal information.
A: Hiding

Q: The files that provide helpful information to an e-mail investigation are log files and ____ files.
A: Configuration

Q: A(n) ____ is a document that lets you know what questions to expect when you are testifying.
A: Examination plan

Q: Typically, phones store system data in ____, which enables service providers to reprogram phones without having to physically access memory chips.
A: EEPROM

Q: ____ increases the time and resources needed to extract, analyze, and present evidence.
A: Scope creep

Q: With Mac OSs, a system application called ____ tracks each block on a volume to determine which blocks are in use and which ones are available to receive data.
A: Volume Bitmap

Q: Computer forensics examiners have two roles: scientific/technical witness and ____ witness.
A: Expert

Q: The standard Linux file system is ____.
A: Ext2fs

Q: Typically, UNIX installations are set to store logs such as maillog in the ____ directory.
A: /var/log

Q: For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ____ command.
A: Print

Q: On Mac OSs, File Manager uses the ____ to store any information not in the MDB or Volume Control Block (VCB).
A: Extents overflow file

Q: ____ are the experts who testify most often.
A: Medical professionals

Q: ____ images store graphics information as grids of individual pixels.
A: Bitmap

Q: The SIM file structure begins with the root of the system (____).
A: MF

Q: Most packet sniffer tools can read anything captured in ____ format.
A: PCAP

Q: Attorneys search ____ for information on expert witnesses.
A: Deposition banks

Q: ____ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
A: Vector graphics
