Term
| _________prevents damage to the evidence as ycu transport it to your secure evidence locker, evidence room, or computer lab. |
|
Definition
|
|
Term
| T or F. After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant. |
|
Definition
|
|
Term
| Corporations often follow the ______ doctrine, which is what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer |
|
Definition
|
|
Term
| T or F. The law of search and seizure protects the rights of all people, excluding people suspected of crimes. |
|
Definition
|
|
Term
| A(n) ______ is a person using a computer to perform routine tasks other than systems administration. |
|
Definition
|
|
Term
| When you write your final report, state what you did and what you ______. |
|
Definition
|
|
Term
| ________ i n v o l v e s p r e v e n t i n g d a t a l o s s b y u s i n g b a c k u p s , u n i n t e r r u p t i b l e p o w e r su p p l y ( U P S ) d e v i c e s , a n d o f f - s i t e m o n i t o r i n g . |
|
Definition
| D i s a s t e r r e c o v e ry |
|
|
Term
| Y o u r _______ as a c o m p u t e r i n v e s t i g a t i o n a n d f o r e n s i c s a n a l y s t i s c r i t i c a l b e c a u s e i t d e t e r m i n e s y o u r c r e d i b i l i t y. |
|
Definition
| p r o f e s s i o n a l c o n d u ct |
|
|
Term
| T h e t e r m _________ refers t o l a r g e c o r p o r a t e c o m p u t i n g s y s t e m s t h a t m i g h t i n c l u d e d i s p a r a t e o r f o r m e r l y i n d e p e n d e n t s y s t e m s . |
|
Definition
| enterprise network environment |
|
|
Term
| P u b l i s h e d c o m p a n y p o l i c i e s p r o v i d e a ( n ) __________ for a b u s i n e s s t o c o n d u c t i n t e r n a l i n v e s t i g a t i o n s . |
|
Definition
| l i n e o f a u t h o r i t y |
|
|
Term
| To create an exact image cf an evidence disk, copying the ______ to a target work disk that's identical to the evidence disk is preferable. |
|
Definition
|
|
Term
| Wh a t s h o u l d y o u d o t o h a n d l e e v i d e n c e c o n t a i n e d i n l a r g e c o m p u t e r c o m p o n e n t s? |
|
Definition
To secure and cataloq the evidence contained in large computer components, you can use large evidence bags, tape, tags, labels, and other products available from police supply vendors or office supply stores. When qathering products to secure your computer evidence, make sure they are safe and effective to use on computer components. Be cautious when handling any computer component to avoid damaging the component or coming into contact with static electricity,which can destroy digital data. When collecting computer evidence, make sure you use antistatic bags.
Be sure to place computer evidence in a well-padded container. Padding prevents damage to the evidence as you transport it to vour secure evidence locker, evidence room, or computer lab. Save discarded hard disk drive boxes, antistatic bags, and packing material for computer hardware when you or others acquire computer devices. |
|
|
Term
| When you work in the ________ group, you test and verify the integrity of standalone workstations and network servers. |
|
Definition
| vulnerability assessment and risk management |
|
|
Term
| W h a t i s r e q u i r e d t o c o n d u c t a n i n v e s t i g a t i o n i n v o l v i n g e - m a i l a b u s e ? |
|
Definition
T h e f o l l o w i n g l i s t i s w h a t y o u n e e d f o r a n i n v e s t i g a t i o n i n v o l v i n g e - m a i l a b u s e :
* A n e l e c t r o n i c c o p y c f t h e o f f e n d i n g e - m a i l t h a t c o n t a i n s m e s s a g e h e a d e r d a t a ; c o n s u l t w i t h y o u r e - m a i l s e r v e r a d m i n i s t r a t o r
* I f a v a i l a b l e , e - m a i l s e r v e r l o g r e c o r d s ; c o n s u l t w i t h y o u r e - m a i l s e r v e r a d m i n i s t r a t o r t o s e e w h e t h e r t h e v a r e a v a i l a b l e
* F o r e - m a i l s v s t e m s t h a t s t o r e u s e r s ' m e s s a g e s o n a c e n t r a l s e r v e r , a c c e s s t o t h e s e r v e r ; c o n s u l t w i t h y o u r e - m a i l s e r v e r a d m i n i s t r a t o r
* F o r e - m a i l s y s t e m s t h a t s t o r e u s e r s ' m e s s a g e s o n a c o m p u t e r a s a n O u t l o o k . p s t o r . o s t f i l e , f o r e x a m p l e , a c c e s s t o t h e c o m p u t e r s o t h a t y o u c a n p e r f o r m a f o r e n s i c a n a l y s i s o n it
* Y o u r p r e f e r r e d c o m p u t e r f o r e n s i c s a n a l y s i s t o o l , s u c h a s F o r e n s i c T o o l k i t o r P r o D i s c o v e r |
|
|
Term
| I n g e n e r a l , a c r i m i n a l c a s e f o l l o w s t h r e e s t a g e s : t h e c o m p l a i n t , t h e i n v e s t i g a t i o n , a n d t h e _________ |
|
Definition
|
|
Term
| A ( n ) _______ lists e a c h p i e c e o f e v i d e n c e o n a s e p a r a t e p a g e , |
|
Definition
| s i n g l e - e v i d e n c e f o rm |
|
|
Term
| A ( n ) _________ is u s u a l l y c o n d u c t e d t o c o l l e c t i n f o r m a t i o n f r o m a w i t n e s s o r s u s p e c t a b o u t s p e c i f i c f a c t s r e l a t e d t o a n i n v e s t i g a t i o n . |
|
Definition
|
|
Term
| I n a c r i m i n a l o r p u b l i c c a s e , i f y o u h a v e e n o u g h i n f o r m a t i o n t o s u p p o r t a s e a r c h w a r r a n t , t h e p r o s e c u t i n g a t t o r n e y m i g h t d i r e c t y o u t o s u b m i t a ( n )___________ |
|
Definition
|
|
Term
| In a _______ case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation |
|
Definition
|
|
Term
| By the early 1990s, the ________ introduced training on software for forensics investigations |
|
Definition
|
|
Term
| T or F. To be a successful computer forensics investigator, you must be familiar with more than one computing platform |
|
Definition
|
|
Term
| T or F. A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the original disk whenever possible. |
|
Definition
|
|
Term
| A bit-stream image is also known as a(n)________ |
|
Definition
|
|
Term
| The basic plan for your investigation includes gathering the evidence, establishing the ______, and performing the forensic analysis |
|
Definition
|
|
Term
| Its the investigator's responsibility to write the affidavit, which must include ________ (evidence) that support the allegation to justify the warrant, |
|
Definition
|
|
Term
| Without a warning banner, employees might have an assumed _________ when using a company's computer systems and network accesses. |
|
Definition
|
|
Term
| The _______ is the route the evidence takes from the time you find it until the case is closed or goes to court. |
|
Definition
|
|
Term
| Wmk are the three levels of law enforcement expertice established by CTIN? |
|
Definition
To differentiate the training and experience law officers have, CTIN has established three levels cf law enforcement expertise: Level i-Acquiring and seizing digital evidence, normallv performed bv a street police officer.
Level 2-Managing high-tech investigations, teaching investigators what to ask for, and understanding computer terminology and what can and can't be retrieved from digital evidence. The assigned detectives usually handle the case.
Level 3-Specialist training in retrieving digital evidence, normally performed bv a data recovery or computer forensics expert, network forensics expert, or Internet fraud investiqatcr. This person might also be qualified to manage a case, depending on his or her background. |
|
|
Term
| T or F. Computer investigations and forensics fall into the same category: public investigations |
|
Definition
|
|
Term
| T or F. You cannot use both multi-evidence and single-evidence forms in your investigation |
|
Definition
|
|
Term
| A _________ usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. |
|
Definition
|
|
Term
| In the Pacific Northwest, _______ meets monthly to discuss problems that law enforcement and corporations face |
|
Definition
|
|
Term
| __________ involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example |
|
Definition
|
|
Term
| B r i e f l y d e s c r i b e t h e t r i a d t h a t m a k e s u p c o m p u t e r s e c u r i t y. |
|
Definition
Investigators often work as a team to make computers and networks secure in an organization. The computer investigations function is one cf three in a triad that makes up computing security. In an enterprise network environment, the triad consists of the folio wing parts:
* Vulnerability assessment and risk management
* Network intrusion detection and incident response
* Computer investigations |
|
|
Term
| When analyzing digital evidence, your job is to______ |
|
Definition
|
|
Term
| T or F. Employees surfing the Internet can cost companies millions cf dollars |
|
Definition
|
|
Term
| You can use ________ to boot to Windows without writing any data to the evidence disk. |
|
Definition
|
|
Term
| T or F. Many attorneys like to have printouts of the data you have recovered, but printouts can present problems when you have log files with several thousand pages cf data |
|
Definition
|
|
Term
| The FBI _______ was formed in 1984 to handle the increasing number of cases involving digital evidence |
|
Definition
| Computer Analysis and Response Team (CART) |
|
|
Term
| To begin conducting an investigation, you start by ________ the evidence using a variety of methods |
|
Definition
|
|
Term
| What are the differences between computer forensics and data recovery? |
|
Definition
In data recovery, vou don't necessarily need a sterile target drive when restoring the forensics image. Typically, the customer or your companv just wants the data back. The other key difference is that in data recovery, you usually know what you're trying to retrieve. In computer forensics, you might have an idea of what you're searching for, but not necessarily.
Be aware that seme companies that perform computer investigations alsc do data recovery, which is the more well-known and lucrative side cf the business. |
|
|
Term
| ________ involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases |
|
Definition
|
|
Term
| A(n) _________ helps you document what has and has not been done with both the original evidence and forensic copies cf the evidence |
|
Definition
|
|
Term
| __________ investigations typically include spam, inappropriate and offensive message content, and harassment or threats |
|
Definition
|
|
Term
| Maintaining _________ means you must form and sustain unbiased opinions of your cases. |
|
Definition
|
|
Term
| T or F. Chain cf custody is also known as chain cf evidence |
|
Definition
|
|
Term
| To conduct your investigation and analysis, you must have a specially configured personal computer (PC) known as a _________ |
|
Definition
|
|
Term
| Based on the incident or crime, the complainant makes a(n) ________ , an accusation or supposition of fact that a crime has been committed |
|
Definition
|
|
Term
| T or F. By the 1970s, electronic crimes were increasing, especially in the financial sector |
|
Definition
|
|
Term
| ________ can be the most time-consuming task, even when you know exactly what to look for in the evidence |
|
Definition
|
|
Term
| You should have at least one copy of vour backups onsite and a duplicate copy or a previous copy of your backups stored in a safe ______ facility |
|
Definition
|
|
Term
| A ______ plan also specifies how to rebuild a forensic workstation after it has been severelv contaminated by a virus from a drive you're analvzing , |
|
Definition
| d i s a s t e r r e c o v e r y |
|
|
Term
| T or F. Many acquisition tools don't copy data in the host protected area ( H P A ) of a disk drive |
|
Definition
|
|
Term
| ___________ is t h e o n l v a u t o m a t e d d i s k - t o - d i s k t o o l t h a t a l l o w s v o u t o c o p y d a t a t o a s l i g h t l y s m a l l e r t a r g e t d r i v e t h a n t h e o r i g i n a l s u s p e c t ' s d r i v e |
|
Definition
|
|
Term
| C o m p u t i n g c o m p o n e n t s a r e d e s i g n e d t o l a s t 18 t o _________ months i n n o r m a l b u s i n e s s o p e r a t i o n s |
|
Definition
|
|
Term
| T or F. Performing a forensic analysis of a disk 200 GB or larger can take several days and often involves running imaging software overnight and on weekends |
|
Definition
|
|
Term
| Current distributions of Linux include two hashing algorithm utilities: md5sum and ________ |
|
Definition
|
|
Term
| SnapBack DatArrest can perform a data copy of an evidence drive in _____ ways |
|
Definition
|
|
Term
Dr. Simson L. Garf Advanced Forensic Fc
inkel cf Basis Technology Corporation recently developed a new open-source acquisition format called _______ |
|
Definition
| Advanced Forensic Format (AFF) |
|
|
Term
| ________ is the default format for acquisitions for Guidance Software EnCase |
|
Definition
|
|
Term
| W h a t a r e t h e q u e s t i o n s y o u n e e d t o a s k w h e n p l a n n i n g t h e j u s t i f i c a t i o n s t e p o f a b u s i n e s s c a s e? |
|
Definition
Before vcu can start, you need to justify to the person controlling the budget the reason a lab is needed. This justification step requires asking the following questions:
* Whattvpe of computing investigation service is needed fcr your organization? Who are the potential customers for this service, and how will it be budgeted-as an internal operation (police department or company security department, for instance)-or an external operation (a for-profit business venture)?
* How will ycu advertise your services to customers?
* What time-management techniques will you use?
51 Where will the initial and sustaining budget for business operations come from? |
|
|
Term
| T or F. If damage occurs to the floor, walls, ceilings, or furniture on your computer forensics lab, it does not need to be repaired immediately |
|
Definition
|
|
Term
| SafeBack and SnapCopy must run from a(n) ______ system. |
|
Definition
|
|
Term
| Defense contractors during the Cold War were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding________ |
|
Definition
|
|
Term
| _______ involves determining how much risk is acceptable For any process or operation, such as replacing equipment. |
|
Definition
|
|
Term
| Illustrate a proper way of disposing materials on your computer investigation lab. |
|
Definition
| Maintain two separate trash containers, one to store items unrelated to an investigation, such as discarded CDs cr magnetic tapes, and the other for sensitive material that requires special handling to ensure that it's destroyed. Using separate trash containers maintains the integrity of criminal investigation processes and protects trade secrets and attornev-client privileged communications in a private corporation. Several commercially bonded firms specialize in disposing of sensitive materials. Ycur lab shculd have access to these services to maintain the integrity of your investigations. |
|
|
Term
| Microsoft has recently added ________ in its Vista Ultimate and Enterprise editions, which makes performing static acquisitions more difficult. |
|
Definition
|
|
Term
| What are the four levels cf certification offered by HTCN? |
|
Definition
1> Certified Computer Crime Investigator (Basic)
2) Cert-f^ed Computer Crime Investigator (Advanced)
3) Certified Computer Forensic Technician (Basic)
4) Certified Computer Forensic Technician (Advanced) |
|
|
Term
| Typically, a(n) _______ acquisition is done on a computer seized during a police raid, for example. |
|
Definition
|
|
Term
| Provide a brief explanation of how to plan a lab budget. |
|
Definition
| Lab costs can be broken down into daily, quarterly, and annual expenses. The better vou understand these expenses, the better vou can delegate resources for each investigation. Using a spreadsheet program helps you keep track of past investigation expenses. From past expenses, vou can extrapolate expected future costs. Remember, expenses for a lab include computer hardware and software, facility space, and trained personnel. When creating a budget, start by estimating the number cf computer cases your lab expects to examine and identifying the types of computers you're likely to examine, such as Windows PCs or Linux workstations. |
|
|
Term
| T or F. Unlike RAID 0, RAID 3 stripes tracks across all disks that make up one volume |
|
Definition
|
|
Term
| IACIS requires recertification every _____ years to demonstrate continuing work in the field of computer forensics. |
|
Definition
|
|
Term
| What are some of the features offered by proprietary data acquisition formats? |
|
Definition
| Proprietary data aquisition formats only work with those pieces of software, however, they do offer some distinct advantages over the rest of the tools and utilities. Namely, the option tc compress files cr not to compress them, splitting images into smaller segmented files, and the ability to incorporate the metadata into a file such as date and time it was acquired and such. |
|
|
Term
| Bit-stream data to files copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a(n)_______ format. |
|
Definition
|
|
Term
| The lab ______ sets up processes for manaoinq cases and reviews them reqularlv |
|
Definition
|
|
Term
| T or F. FTK Imager requires that you use a device such as a USB or parallel port dongle for licensing. |
|
Definition
|
|
Term
| SnapBack DatArrest runs from a true ____ boot floppy |
|
Definition
|
|
Term
| _______ are generated at the federal, state, and local levels to show the types and frequency of crimes committed. |
|
Definition
|
|
Term
| T or F. One advantage with live acquisitions is that you are able to perform repeatable processes |
|
Definition
|
|
Term
| Popular archiving tools, such as PKZip and WinZip, use an algorithm referred to as ________ compression |
|
Definition
|
|
Term
| One way to investigate older and unusual computing systems is to keep track of ______ that still use these systems |
|
Definition
|
|
Term
| T or F. A good working practice is to use less powerful workstations for mundane tasks and multipurpose workstations for the higher-end analysis tasks. |
|
Definition
|
|
Term
| If your time is limited, consider using a logical acquisition or ______ acquisition data copy method. |
|
Definition
|
|
Term
| Image files can be reduced by as much as ______ % of the original |
|
Definition
|
|
Term
| The EMR from a computer monitor can be picked up as far away as ____ mile. |
|
Definition
|
|
Term
| T or F. Computing systems in a forensics lab should be able to process typical cases in a timely manner |
|
Definition
|
|
Term
| What peripheral devices should be stocked in your computer forensics lab? |
|
Definition
In addition tc workstations and software, all labs should have a wide assortment of cables and spare expansion slot cards. Consider stocking your computer forensics lab with the following peripheral devices:
* 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
* Ribbon cables for floppy disks
*: Extra SCSI cards, preferably ultra-wide
* Graphics cards, both Peripheral Component Interconnect (PCI) and Accelerated Graphics Port (AGP)
* Extra power cords
* A variety of hard drives (as many as you can afford and in as wide a variety as possible)
* At least two 2.5-inch adapters from notebook IDE hard drives tc standard IDE,.'ATA drives. SATA drives, and so on
* Computer hand tools, such as Phillips and flathead screwdrivers, a socket wrench, and a small flashlight |
|
|
Term
| T or F. Requirements for taking the EnCE certification exam depend on taking the Guidance Software EnCase training courses. |
|
Definition
|
|
Term
| Linux ISO images are referred to as _____ |
|
Definition
|
|
Term
| T or F. The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file. |
|
Definition
|
|
Term
| For labs using high-end _______ servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets. |
|
Definition
|
|
Term
| For daily work production, several examiners can work together in a large open area, as long as they all have ________ level of authority and access need. |
|
Definition
|
|
Term
| ________ was created by police officers who wanted to formalize credentials in computing investigations |
|
Definition
|
|
Term
| W h a t a r e t h e s t e p s t o u p d a t e t h e R e g i s t r y f o r W i n d o w s X P S P 2 t o e n a b l e w r i t e - p r o t e c t i o n w i t h U S B d e v i c e s? |
|
Definition
To update the Registry for Windows XP SP2, you need to perform three tasks. First, back up the Registry in case something fails while vou're modifying automate switching between enabling and disabling writes tc the USB device. Befcre starting these tasks, make sure your workstation is running Windows XP SP2.
it. Second, modify the Registry with the write-protection feature. Third, create two desktop icons to |
|
|
Term
| The _______ provides guidelines for managing a forensics lab and for acquiring official crime-lab certification. |
|
Definition
| American Society of Crime Laboratory Directors (ASCLD) |
|
|
Term
| The _________ command, works similarly to the dd command but has many features designed for computer forensics acquisitions |
|
Definition
|
|
Term
| The _____ DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable. |
|
Definition
|
|
Term
| There are two types cf acquisitions; static acquisitions and _______ acquisitions. |
|
Definition
|
|
Term
| What are the minimum requirements for a computer investigation and forensics lab? |
|
Definition
Small room with true floor-to-ceiling walls Door access with a locking mechanism
Secure container, such as a safe or heavy-dutv file cabinet with a quality padlock Visitor s leg listing all people who have accessed your lab |
|
|
Term
| One major disadvantage of ______ format acquisitions is the inability tc share an image between different vendors' computer forensics analysis tools. |
|
Definition
|
|
Term
| _________ records are data the system maintains, such as system leg files and proxy server logs |
|
Definition
|
|
Term
| How can you secure a computer incident or crime scene? |
|
Definition
| Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could easilv jeopardize the investigation. If you're in charge of securing a computer incident cr crime scene, use yellow barrier tape to prevent bystanders from accidentally entering the scene.Use police officers or security guards enforcing legal authority to prevent others from entering the scene. Legal authority for a corporate incident scene includes trespassing violations; for a crime scene, it includes obstructing justice or failing tc comply with a police officer. Access to the scene should be restricted to only those people who have a specific reason tc be there. The reason for the standard practice of securing an incident cr crime scene is to expand the area of control beyond the scene's immediate location. In this way, you avoid overlooking an area that might be part of the scene. Shrinking the scene's perimeter is easier than expanding it. |
|
|
Term
| When Microsoft created Windows 95, it consolidated initialization (.ini) files into the __________ |
|
Definition
|
|
Term
| Real-time surveillance requires ________ data transmissions between a suspect's computer and a network server. |
|
Definition
|
|
Term
| When Microsoft introduced Windows 2000,. it added built-in encryption to NTFS called ______ |
|
Definition
|
|
Term
| Describe the process of preparing an investigation team. |
|
Definition
Eefore you initiate the search and seizure of digital evidence at an incident or crime scene, you must review all the available facts, plans, and objectives with the investigation team vcu have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan tc collect data.
Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make vour plan, gather the needed resources, and collect data from the incident or crime scene. In some computing investigations, responding slowly might result in the loss of important evidence for the case. |
|
|
Term
On Windows and DOS computer systems, the ________ stores information about partitions on a disk and their locations, size, and other important items.
Master Boot Record |
|
Definition
|
|
Term
| ______________refers to a disk's structure of platters, tracks, and sectors. |
|
Definition
|
|
Term
| Describe some cf the open source whole disk encryption tools |
|
Definition
The following list describes some available open-source encryption tools:
* TrueCrypt (ww.rruecrypr.org) creates a virtual encrypted volume-a file mounted as though it were a disk drive. Data is encrypted automatically and in real time.
* CrossCrypt (www.scnerrer.cr/crypr/) also creates a virtual encrypted volume and provides filedisk, a command-line utility with options for creating, mounting, dismounting, and encrypting volumes,
* FreeOTFE (cn-the-fly encryption, www. freeotte,org),, like other open-source encryption tools, creates a virtual disk that can encrypt data with several popular algorithms, FreeOTFE can be used in Windows 2000 and XP as well as with PDAs. |
|
|
Term
| The most common computer-related crime is ________ |
|
Definition
|
|
Term
| __________ is a column of tracks on two cr more disk platters. |
|
Definition
|
|
Term
| The purpose of the ________ is to provide a mechanism for recovering encrypted files under EFS if there's a problem with the user's original private key. |
|
Definition
|
|
Term
| __________ ,located in the root folder of the system partition, is the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS. |
|
Definition
|
|
Term
| _____________ is a batch file containing customized settings for MS-DOS that runs automatically. |
|
Definition
|
|
Term
| If a ccmpanv does not publish a policy statinq that it reserves the right to inspect computing assets at will or display a warninq banner, employees have a(n)______________ |
|
Definition
|
|
Term
| When recovering evidence from a contaminated crime scene, if the temperature in the contaminated room is higher than ________ degrees, you should take measures to prevent a hard disk from overheating to prevent damage. |
|
Definition
|
|
Term
| What are some of the features offered by current whole disk encryption tools? |
|
Definition
Current whole disk encryption tools offer the following features that computer forensics examiners should be aware of:
* Prebcct authentication, such as a single sign-cn password, fingerprint scan, or token (USE thumb drive device)"
* Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver
* Advanced encryption algorithms, such as AES and IDEA
* Kev management function that uses a challenge-and-response method to reset passwords or passphrases
* A Trusted Flatfcrm Module (TPM) microchip to generate encryption keys and authenticate login |
|
|
Term
| When seizing computer evidence in criminal investigations, follow the _________ standards for seizing digital data. |
|
Definition
|
|
Term
| T or F. The type of file system an OS uses determines how data is stored on the disk |
|
Definition
|
|
Term
| In the NTFS MFT, all files and folders are stored in separate records cf ______ bytes each. |
|
Definition
|
|
Term
| Courts consider evidence data in a computer as _______ evidence. |
|
Definition
|
|
Term
| T or F. A judge can exclude evidence obtained from a poorly worded warrant |
|
Definition
|
|
Term
| Private-sector organizations include businesses and _______________ that aren't involved in law enforcement |
|
Definition
|
|
Term
| __________ contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %sysrem-roof%\Windows\System32\Drivers folder, |
|
Definition
|
|
Term
| In Microsoft file structures, sectors are grouped to form ________ , which are storage allocation units cf one cr more sectors |
|
Definition
|
|
Term
| When an investigator finds a mix cf information, judges often issue a(n) _______ to the warrant, which allows the police to separate innocent information from evidence. |
|
Definition
|
|
Term
| Certain files, such as the ____________ and Security log in Windows XP, might lose essential network activity records if the power is terminated without a proper shutdown |
|
Definition
|
|
Term
| __________ is the file structure database that Microsoft originally designed for floppy disks, |
|
Definition
|
|
Term
| __________ can be any information stored or transmitted in digital form. |
|
Definition
|
|
Term
| T or F. ISPs can investigate computer abuse committed by their customers. |
|
Definition
|
|
Term
| What are some of the components of a disk drive? |
|
Definition
Following is a list of disk drive components:
* Geometry-Gecmetrv refers to a disk's structure of platters, tracks, and sectors.
* Head-The head is the device that reads and writes data to a drive. There's one head per platter.
* Traces-Tracks are concentric circles on a disk platter where data is located..
* Cylinders-A cylinder is a column of tracks on two or more disk platters. Tvpically, each platter has two surfaces: top and bottom. 5: Ssctars-i sector is a section on a track, usually made up of 512 bytes. |
|
|
Term
| ________ , located in the root folder of the system partition, specifies the Windows XP path installation and contains options for selecting the Windows version. |
|
Definition
|
|
Term
| On an NTFS disk, immediately after the Partition Boot Sector is the _________ |
|
Definition
|
|
Term
| The ________ file provides a command prompt when booting to MS-DCS mode (DPMI). |
|
Definition
|
|
Term
| __________ refers to the number cf bits in one square inch of a disk platter. |
|
Definition
|
|
Term
| T or F. Data streams can obscure valuable evidentiary data, intentionally or by coincidence |
|
Definition
|
|
Term
| With a(n) ______ you can arrive at a scene, acquire the data you need, and return tc the lab as quickly as possible. |
|
Definition
| initial-response field kit |
|
|
Term
| One technique for extracting evidence from large systems is called ________ |
|
Definition
|
|
Term
| How can you make sure a subject's computer boots to a forensic flcppv disk or CD? |
|
Definition
When a subject's computer starts, vou must make sure it boots to a forensic floppy disk or CD, because booting to the hard disk overwrites and changes evidentiary data. To do this, vcu access the CMOS setup bv monitoring the subject's computer during the initial bootstrap process tc identify the correct key or keys to use. The bootstrap process is contained in ROM and tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. You can also try unhooking the keyboard to force the system to tell you what keys to use. The key you press to access CMOS depends on the computer's BIOS.
If necessary, vou can change the boot sequence so that the OS accesses the CD/DVD drive cr a floppy drive (if available1! before any other boot device. Each BIOS vendor's screen is different, but you can refer tc the vendor's documentation or Web site for instructions on changing the boot sequence |
|
|
Term
| Law enforcement investigators need a(n) ________ to remove computers from a crime scene and transport them tc a lab. |
|
Definition
|
|
Term
| ___________ is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration. |
|
Definition
|
|
Term
| Seme computer cases involve dangerous settings. For these types of investigations, you must rely on the skills of __________ teams to recover evidence from the scene. |
|
Definition
|
|
Term
| ___________ was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista. |
|
Definition
|
|
Term
| Evidence is commonly lost or corrupted through ___________ which involves police officers and other professionals who aren't part of the crime scene processing team. |
|
Definition
|
|
Term
| Illustrate with an example the problems caused by commingled data |
|
Definition
S u p p o s e t h a t d u r i n g a n e x a m i n a t i o n , y o u f i n d a d u l t a n d c h i l d p o r n o g r a p h y . F u r t h e r e x a m i n a t i o n o f t h e s u b j e c t ' s h a r d d i s k r e v e a l s t h a t t h e e m p l o y e e h a s b e e n c o l l e c t i n g c h i l d p o r n o g r a p h y in s e p a r a t e f o l d e r s o n h i s w o r k s t a t i o n ' s h a r d d i s k . I n t h e U n i t e d S t a t e s ,
p o s s e s s i n g c h i l d p o r n o g r a p h y is a c r i m e u n d e r f e d e r a l a n d s t a t e c r i m i n a l s t a t u t e s .
Y o u s u r v e y t h e r e m a i n i n g c o n t e n t o f t h e s u b j e c t ' s d i s k a n d f i n d t h a t h e ' s a l e a d e n g i n e e r f o r t h e t e a m d e v e l o p i n g v c u r c o m p a n y ' s l a t e s t h i g h - t e c h b i c v c l e . H e h a s p l a c e d t h e c h i l d p o r n o g r a p h y i m a g e s i n a s u b f o l d e r w h e r e t h e b i c y c l e p l a n s a r e s t o r e d . B v d o i n g s o , h e h a s
c o m m i n g l e d c o n t r a b a n d w i t h c o m p a n y ' s c o m p e t i t i v e l y s e n s i t i v e d e s i g n p l a n s f o r t h e n e w h i g h - t e c h b i c y c l e . Y o u r d i s c o v e r y p o s e s t w o p r o b l e m s a b o u t h o w t o d e a l w i t h t h i s c o n t r a b a n d e v i d e n c e . F i r s t , y o u m u s t r e p o r t t h e c r i m e t c t h e p o l i c e . M a n y s t a t e s r e q u i r e r e p o r t i ng
e v i d e n c e o f s e x u a l e x p l o i t a t i o n c f c h i l d r e n . T h e s e c o n d p r o b l e m is t h a t y o u m u s t a l s o p r o t e c t s e n s i t i v e c o m p a n y i n f o r m a t i o n . L e t t i n g t h e h i g h - t e c h b i c v c l e i n f o r m a t i o n b e c o m e p a r t c f t h e c r i m i n a l e v i d e n c e m i g h t m a k e i t p u b l i c r e c o r d , a n d t h e d e s i g n w o r k w i l l t h e n be
a v a i l a b l e t o c o m p e t i t o r s . Y o u r f i r s t s t e p is t o n o t i f y y o u r c o r p o r a t e a t t o r n e y t o g e t d i r e c t i o n s o n h e w t o d e a l w i t h t h e c o m m i n g l e d c o n t r a b a n d d a t a a n d s e n s i t i v e d e s i g n p l a n s. |
|
|
Term
| A ( n ) __________ should i n c l u d e a l l t h e t o o l s y o u c a n a f f o r d t o t a k e t o t h e f i e l d . |
|
Definition
| e x t e n s i v e - r e s p o n s e f i e l d k i t |
|
|
Term
| ________ is h o w m o s t m a n u f a c t u r e r s d e a l w i t h a p l a t t e r ' s i n n e r t r a c k s b e i n g s h o r t e r t h a n i t s o u t e r t r a c k s . |
|
Definition
|
|
Term
| T or F. One way to examine a partition's physical level is to use a disk editor, such as Norton DiskEdit, WinHex, cr Hex Workshop. |
|
Definition
|
|
Term
| _________is a hidden text file containing startup options for Windows 9x. |
|
Definition
|
|
Term
| __________ is facts cr circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed. |
|
Definition
|
|
Term
| Briefly describe how to use steganography for creating digital watermarks. |
|
Definition
| The term steganography comes from the Greek word for'hidden writing/It's defined as hiding messages in such a wav that only the intended recipient knows the message is there. Many steganographv tools were created to protect copyrighted material by inserting digital watermarks into a file. Seme digital watermarks are designed to be visible-for example, to notify users that an image is copyrighted. The tvpe of digital watermarks used for steganographv aren't usually visible, however, when you view the file in its usual application and might even be difficult to find with a disk editor. A nonstegancgraphic graphics file is the same size as an identical steganographic graphics file, and they look the same when you examine them in a graphics viewing utilitv, such as IrfanView. However, if ycu run an MD5 or SHA-1 hash comparison on both files,ycu'll find that the hash values aren't equal |
|
|
Term
| The data-hiding technique _______ changes data from readable code to data that looks like binary executable cede. |
|
Definition
|
|
Term
| T or F. In software acquisition, there are three types cf data-ccpying methods. |
|
Definition
|
|
Term
| ________ search can locate items such as text hidden in unallocated space that might not turn up in an indexed search, |
|
Definition
|
|
Term
| Describe some of the problems you may encounter if you decide to build your own forensics workstation. |
|
Definition
| Tc decide whether vou want tc build vour own workstation, first ask^How much do I have tc spend?" Building a forensic workstation isn't as difficult as it sounds but can quicklv beccme expensive if vcu aren't careful. If you have the time and skill to build your own forensic workstation, vou can customize it to vour needs and save monev, although vcu might have trouble finding support for problems that develop. For example, peripheral devices might conflict with one another, or components might fail. If vou build your own forensic workstation, you should be able to support the hardware. Vou also need tc identify what vou intend tc analyze. If you're analyzing SPARC disks from workstations in a corporate network, for example, you need to include a SPARC drive with a write-protector on your forensic workstation. |
|
|
Term
| The term _________ comes from the Greek word forbidden writing." |
|
Definition
|
|
Term
| The Windows application cf EnCase requires a(n) _________ device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect disk drive. |
|
Definition
|
|
Term
| _________ increases the time and resources needed tc extract,analyze,and present evidence. |
|
Definition
|
|
Term
| __________ is defined as the art and science of hiding messages in such a way that only the intended recipient knows the message is there |
|
Definition
|
|
Term
| FTK and other computer forensics programs use _________ to tag and document digital evidence |
|
Definition
|
|
Term
| Many vendors have developed write.-blocking devices that connect tc a computer through Fire Wire, _______ 2.0,and SCSI controllers. |
|
Definition
|
|
Term
| Cne way to hide partitions is to create a partition on a disk, and then use a disk editor such as _______ to manually delete any reference to it. |
|
Definition
|
|
Term
| Getting a hash value with a ________ is much faster and easier than with a(n) _________ |
|
Definition
| hexadecimal editor; computer forensics tool |
|
|
Term
| In general, forensics workstations can be divided into ___ categories. |
|
Definition
|
|
Term
| The primary hash algorithm used by the NSRL project is _________ |
|
Definition
|
|
Term
| You begin any computer forensics case by creating a(n) ____________ |
|
Definition
|
|
Term
| T or F. FTK cannot analyze data from image files from other vendors. |
|
Definition
|
|
Term
| _______ recovery is a fairly easy task in computer forensic analysis |
|
Definition
|
|
Term
| There are __ searching options for keywords which FTK offers. |
|
Definition
|
|
Term
| Explain the validation of evidence data process. |
|
Definition
| Validating data is done bv obtaining hash values. As a standard feature, most forensics tools and manv disk editors have one or more tvpes of data hashing. How data hashing is used depends on the investigation, but using a hashing algorithm on the entire original drive and all its files is a good idea. This method produces a unique hexadecimal value for data, used to make sure the original data hasn't changed |
|
|
Term
| The NIST project that has as a goal tc collect all known hash values for commercial software applications and OS files is ___________ |
|
Definition
|
|
Term
| Hardware manufacturers have designed most computer components to last about ___ months between failures |
|
Definition
|
|
Term
| Software forensic tools are grouped into command-line applications and ___________ applications |
|
Definition
| GUI (Graphical User Interface) |
|
|
Term
| How does the Known File Filter program work? |
|
Definition
| AccessData has a separate program called the Known File Filter (KFF), which integrates only with FTK, KFF filters known application software files from view, such as MSWord.exe, and identifies known illegal images, such as child pornography. KFF compares known file hash digital signatures to files on your evidence disk drive or bit-stream image file to see whether it contains contraband images. Periodically, AccessData updates the known digital signatures and pests an updated KFF. There is also a national database {www.nsri.nist.gov} ccntainina the updated hashes. |
|
|
Term
| ____________ search catalogs all words on the evidence disk so that FTK can find them quickly, |
|
Definition
|
|
Term
| Software forensics tools are commonly used to copy data from a suspect's disk drive to a(n) _________ |
|
Definition
|
|
Term
| _____________ are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware cf an ongoing investigation |
|
Definition
|
|
Term
| _____________ can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk. |
|
Definition
|
|
Term
| Raw data is a direct copy cf a disk drive. An example cf a Raw image is output from the UNIX/Linux ___ command, |
|
Definition
|
|
Term
| Illustrate how to consider hardware needs when planning your lab budget. |
|
Definition
| You should plan your hardware needs carefully, especially if you're dealing with budget limitations. Include in your planning the amount of time vcu expect the forensic workstation tc be running, how often you expect hardware failures, consultant and vender fees to support the hardware when it does fail, and how often tc anticipate replacinq the forensic workstation. The longer you expect the forensic workstation to be running, the more ycu need to anticipate physical equipment failure and the expense cf replacement equipment. |
|
|
Term
| To complete a forensic disk analysis and examination, you need to create a ________ |
|
Definition
|
|
Term
| Harking bad clusters data-hiding technique is more common with _______ file systems. |
|
Definition
|
|
Term
| The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for _______ PC file systems. |
|
Definition
|
|
Term
| People who want to hide data can also use advanced encryption programs, such as PGP or __________ |
|
Definition
|
|
Term
| Explain the advantages and disadvantages of GUI forensics tools. |
|
Definition
| GUI tools have several advantages, such as ease of use, the capability to perform multiple tasks, and no requirement to learn older OSs. Their disadvantages range from excessive resource requirements (such as needing large amounts of RAM) and producing inconsistent results because of the type cf OS used, such as Windows XP Professional or Home Edition. Another concern with using GUI tools is that thev create investigator dependencies on using cnlv one tool. In seme situations, GUI tools wont work and a command-line tool is required |
|
|
Term
| __________ is a simple drive-imaging station |
|
Definition
|
|
Term
| T or F. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses |
|
Definition
|
|
Term
| T or F. The Windows platforms have long been the primary command-line interface OSs |
|
Definition
|
|
Term
| The ______ search feature allows ycu tc lock for words with extensions such as ^ing,™ed," and so forth. |
|
Definition
|
|
Term
| A f o r e n s i c s w o r k s t a t i o n c o n s i s t i n g o f a l a p t o p c o m p u t e r w i t h a b u i l t - i n L C D m o n i t o r a n d a l m o s t a s m a n y b a y s a n d p e r i p h e r a l s a s a s t a t i o n a r y w o r k s t a t i o n i s a l s o k n o w n a s a ___________ |
|
Definition
| p o r t a b l e w o r k s t a t i o n |
|
|
Term
| H o w s h o u l d y o u a p p r o a c h a c a s e i n w h i c h a n e m p l o y e e i s s u s p e c t e d o f i n d u s t r i a l e s p i o n a g e? |
|
Definition
A n e m p l o y e e s u s p e c t e d o f i n d u s t r i a l e s p i o n a g e c a n r e q u i r e t h e m o s t w o r k . A s m a l l c a m e r a m i g h t n e e d t o b e s e t u p t o m o n i t o r h i s c r h e r p h y s i c a l a c t i v i t i e s i n t h e o f f i c e . Y o u m i g h t n e e d t o p l a n t a s o f t w a r e o r h a r d w a r e k e y l o g g e r , a n d y c u n e e d t o e n g a g e t h e
s e r v i c e s o f t h e n e t w o r k a d m i n i s t r a t o r t o m o n i t o r I n t e r n e t a n d n e t w o r k a c t i v i t i e s . I n t h i s s i t u a t i o n , y o u m i g h t w a n t t o r e m o t e l y i m a g e t h e e m p l o y e e ' s d r i v e a n d t h e n u s e F T K R e g i s t r y V i e w e r t o d e t e r m i n e w h a t p e r i p h e r a l d e v i c e s h a v e b e e n a c c e s s e d |
|
|
Term
| F T K p r o v i d e s t w o o p t i o n s f o r s e a r c h i n g f o r k e y w o r d s : i n d e x e d s e a r c h a n d __________ search. |
|
Definition
|
|
Term
| T or F. A n o n s t e g a n o g r a p h i c g r a p h i c s f i l e h a s a d i f f e r e n t s i z e t h a n a n i d e n t i c a l s t e g a n o g r a p h i c g r a p h i c s f i l e, |
|
Definition
|
|
Term
| To generate reports with the FTK ReportWizard,. first you need to _______ files during an examination |
|
Definition
|
|
Term
| _______ attacks use every possible letter, number, and character found on a keyboard when cracking a password. |
|
Definition
|
|
Term
| Although a disk editor gives you the most flexibility in ______ , it might not be capable of examining a __________ file's contents |
|
Definition
|
|
Term
| O n e w a y t o c o m p a r e y o u r r e s u l t s a n d v e r i f y y o u r n e w f o r e n s i c t o o l i s b y u s i n g a ___________ , s u c h a s H e x W o r k s h o p , o r W i n H e x |
|
Definition
|
|
Term
B e c a u s e t h e r e a r e a n u m b e r of d i f f e r e n t v e r s i o n s o f U N I X a n d L i n u x , t h e s e p l a t f o r m s a r e r e f e r r e d t o a s _______
p l a t f o r m s . |
|
Definition
|
|
Term
| Data ______ involves changing or manipulating a file tc conceal information. |
|
Definition
|
|
Term
| The simplest method of duplicating a disk drive is using a tool that does a direct ____________ copy from the original disk to the target disk |
|
Definition
|
|
Term
| In Microsoft Outlook,, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of _____ |
|
Definition
|
|
Term
| T or F. All e-mail servers are databases that store multiple users' e-mails |
|
Definition
|
|
Term
| The two major forms of steganography are _________ and substitution. |
|
Definition
|
|
Term
| All ___________ files start at position zero (offset 0 is the first byte cf a file) with hexadecimal 49 49 2A. |
|
Definition
|
|
Term
| Under copyright laws, computer programs mav be registered as ___________ |
|
Definition
|
|
Term
| ___________ allocates space for a log file en the server, and then starts overwriting from the beginning when legging reaches the end cf the time frame or the specified leg size |
|
Definition
| C i r c u l a r l o g g i ng |
|
|
Term
| To view e-mail headers on Yahoo! click the _______ link in the Mail Options window, and then click Show all headers on incoming messages |
|
Definition
|
|
Term
| In UNIX e-mail servers,, the ___________ file simply specifies where to save different types of e-mail log files. |
|
Definition
|
|
Term
| ___________ is the art of hiding information inside image files. |
|
Definition
|
|
Term
| What kind of information can you find in an e-mail header? |
|
Definition
| You can use the e-mail header to gather supporting evidence and ultimately track the suspect to the e-mail's originating locaticn. The primary piece of information you're locking for is the originating e-mail's domain address cr an IF address. Other helpful pieces of information in the header include the date and time the message was sent, the file names of any attachments, and the unique message number for the message, if it's supplied |
|
|
Term
| The simplest way to access a file header is tc use a(n) ________ editor |
|
Definition
|
|
Term
| R e c o v e r i n g p i e c e s o f a f i l e i s c a l l ed _______________ |
|
Definition
|
|
Term
| T or F. L i k e U N I X e - m a i l s e r v e r s , E x c h a n g e m a i n t a i n s l o g s t o t r a c k e - m a i l c o m m u n i c a t i o n . |
|
Definition
|
|
Term
| E x c h a n g e l o g s i n f o r m a t i o n a b o u t c h a n g e s t o i t s d a t a i n a ( n ) _________ log. |
|
Definition
|
|
Term
| T or F. Bitmap images are collections of dots, or pixels, that form an image |
|
Definition
|
|
Term
| B r i e f l y d e s c r i b e t h e E x c h a n g e a b l e I m a g e F i l e ( E X I F ) f o r m a t . |
|
Definition
| The majority cf digital cameras use the Exchangeable Image File (EXIF) format to store digital pictures. The Japanese Electronic Industry Development Association (JEIDA) developed it as a standard for storing metadata in JPEG and TIFF files. When a digital picture is taken, information about the camera, such as model, make, and serial number, and settings, such as shutter speed, focal length, resolution, date, and time, are stored in the graphics file. Most digital cameras store graphics files as EXIF JPEG files. |
|
|
Term
| What are the steps for retrieving e-mail headers on Pine? |
|
Definition
F o l l o w t h e s e s t e p s t c r e t r i e v e e - m a i l h e a d e r s u s i n g P i n e f o r U N I X :
1 . S t a r t P i n e b y t y p i n g p i n e a t t h e c o m m a n d p r o m p t a n d t h e n p r e s s i n g E n t e r.
2 . T y p e s t c d i s p l a y t h e s e t u p o p t i o n s .
3 . T y p e c t o c o n f i g u r e t h e e - m a i l c o n f i g u r a t i o n o p t i o n s .
4 . S c r o l l t h e l i s t o f o p t i o n s , a n d t h e n u s e t h e a r r o w k e y s t c h i g h l i g h t t h e [ ] e n a b l e - f u l l - h e a d e r o p t i o n . T h e n t y p e x t c s e l e c t t h e o p t i o n ,
5 . T y p e e t o e x i t c o n f i g u r a t i o n m o d e .
6 . W h e n a s k e d i f y o u w a n t t o s a v e o r c o m m i t t h e c h a n g e s , t y p e y . Y c u r e t u r n t o t h e P i n e m a i n o p t i o n s ,
7 . U s e t h e a r r o w k e y s t o s e l e c t a n e - m a i l m e s s a g e , a n d t h e n s e l e c t O i n t h e o p t i o n s a t t h e b o t t o m o f t h e s c r e e n .
3 . T y p e h t o o p e n t h e e - m a i l h e a d e r f o r t h i s m e s s a g e .
9 . T y p e q t o e x i t P i n e ( a n d y t o c o n f i r m , i f n e c e s s a r y ) . |
|
|
Term
| A g r a p h i c s p r o g r a m c r e a t e s a n d s a v e s o n e o f t h r e e t y p e s o f i m a g e f i l e s : b i t m a p , v e c t o r , o r .___________ |
|
Definition
|
|
Term
| The majority of digital cameras use the ____ format to store digital pictures |
|
Definition
|
|
Term
| The ________ is the best source for learning more about file formats and their associated extensions |
|
Definition
|
|
Term
| Explain how steganalysis tools work. |
|
Definition
| Steganalysis tools usually compare a suspect file to a known good version cr a known bad version of the graphics file. Seme recent tccls can detect stegancgraphy without a known good or had file, however, Eecause graphics files are binary, these tools perform complex mathematical calculations to verify a file's authenticity by checking file size and palette color. Other tools compare the hash value of a known good cr bad file to the suspect file to determine whether steganography was used |
|
|
Term
| ___________ is a comprehensive Web site that has options for searching for a suspect, including by e-mail address, phone numbers, and names. |
|
Definition
|
|
Term
| Under copyright laws, maps and architectural plans mav be registered as __________ |
|
Definition
| pictorial, graphic, and sculptural works |
|
|
Term
| _____________compression compresses data by permanently discarding bits of information in the file. |
|
Definition
|
|
Term
| An e-mail address in the Return-Path line cf an e-mail header is usually indicated as the _______ field in an e-mail message. |
|
Definition
|
|
Term
| When working with image files, computer investigators also need to be aware of_______ laws to guard aqainst copyright violations |
|
Definition
|
|
Term
| The uppercase letter __ has a hexadecimal value of 41. |
|
Definition
|
|
Term
| T or F. Operating systems do not have tools for recovering image files. |
|
Definition
|
|
Term
| The files that provide helpful information to an e-mail investigation are log files and _____ files. |
|
Definition
|
|
Term
| Explain how lossless compression relates tc image file formats |
|
Definition
| Lossless compression techniques reduce file size without removing data. When ycu uncompress a file that uses lossless compression, you restore all its information. GIF and Portable Network Graphics (PNG) are image file formats that reduce file size with lossless compression. Lossless compression saves file space by using mathematical formulas to represent the data in a file. These formulas generally use cne cf two algorithms: Huffman coding or Lempel-Ziv-Welch (LZW) coding. Each algorithm uses a code to represent redundant bits of data. For example, if an image file contains a large area of the color red, instead cf having to store 200 bytes all colored red, the algorithm can set one byte to red and then have another byte specify that there are 200 of those bytes. Therefore, only two bytes are used. |
|
|
Term
| With many ___ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or disk |
|
Definition
|
|
Term
| In Exchange, to prevent loss cf data from the last backup, a __________ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk |
|
Definition
|
|
Term
| You can send and receive e-mail in two environments: via _________ the or an intranet (an internal network). |
|
Definition
|
|
Term
| A(n) ______ file has a hexadecimal header value cf FF D8 FF E0 00 10. |
|
Definition
|
|
Term
| In the following list, ________ is the only steg tool. |
|
Definition
|
|
Term
| GroupWise has ___ ways of organizing the mailboxes on the server. |
|
Definition
|
|
Term
| When working on a Windows environment you can press ________ to copy the selected text to the clipboard. |
|
Definition
|
|
Term
| __________ steganography replaces bits of the host file with other bits of data, |
|
Definition
|
|
Term
| T or F. If a graphics file is fragmented across areas on a disk, first ycu must recover all the fragments to re-create the file |
|
Definition
|
|
Term
| To retrieve e-mail headers in Microsoft Outlook, right-click the e-mail message, and then click ______ to open the Message Options dialog box. The Internet headers text box at the bottom of the dialcg box contains the message header, |
|
Definition
|
|
Term
| _________ images store graphics information as grids cf individual pixels. |
|
Definition
|
|
Term
| The Novell e-mail server software is called _______ |
|
Definition
|
|
Term
| The ___ header starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 65SE 6465 6420 03. |
|
Definition
|
|
Term
| Present a list of categories covered under copyright laws in the U.S. |
|
Definition
Copyrightable works include the following categories:
1. literary works;
2. musical works, including any accompanying words;
3. dramatic works, including any accompanying music;
4. pantomimes and choreographic works;
5. pictorial, graphic, and sculptural works;
6. motion pictures and ether audiovisual works;
7. sound recordings; 3. architectural works. |
|
|
Term
| Vendor-unique e-mail file systems, such as Microsoft .pst or .est, typically use __________ formatting, which can be difficult to read with a text or hexadecimal editor |
|
Definition
| Multipurpose Internet Mail Extensions (MIME) |
|
|
Term
| To retrieve an Outlook Express e-mail header right-click the message, and then click ________ to open a dialog box showing general information about the message |
|
Definition
|
|
Term
| For older UNIX applications, such as mail or mailx, you can print the e-mail headers by using the ______ command. |
|
Definition
|
|
Term
| _________ are based on mathematical instructions that define lines, curves, text, cvals, and other geometric shapes |
|
Definition
|
|
Term
| You use __________ to create, modify, and save bitmap, vector, and metafile graphics files. |
|
Definition
|
|
Term
| Explain how someone can use a disk editor tool tc mark clusters as "bad" clusters |
|
Definition
| In addition to the natural occurrence cf file fragmentation, sometimes suspects intentionally corrupt cluster links in a disk's FAT. Anyone can use a disk-editing tool, such as Norton DiskEdit, to access the FAT and mark specific clusters as bad by typing the letter "E" at the cluster. After you mark a cluster as bad, it's displayed with a 0 value in a disk editor. The OS ignores clusters marked in this manner and dcesn't use them, which makes it possible tc hide data in these clusters |
|
|
