Term
| Innocent Images National Initiative (IINI) was developed by: |
|
Definition
| Innocent Images National Initiative (IINI) was developed by the FBI as part of its Cybercrimes Program for the purpose of identifying, investigating and prosecuting those who use computers for child sexual exploitation and child pornography. |
|
|
Term
The Department of Justice created ICAC and PSC.
Internet Crimes Against Children (ICAC) is |
|
Definition
| Internet Crimes Against Children (ICAC) is a network of regional task forces to provide federal assistance to state and local law enforcement so they could better investigate computer and internet-based crimes that sexually exploit children. |
|
|
Term
The Department of Justice created ICAC and PSC.
Project Safe Childhood (PSC) is |
|
Definition
| Project Safe Childhood (PSC) is an initiative developed to provide a corrdinated effort in combating child porn. It strives to help local communities create programs to investigate child exploitation and identify and rescue victims. |
|
|
Term
|
Definition
a volunteer organization focused on issues related to child porn.
Reference: Kleiman, D., et al (2007). The official CHFI Exam 312-49 Burlington, MA: Syngress Publishing, Inc. p. 781-783. |
|
|
Term
| What are the FRE Article VII rules of evidence? |
|
Definition
In the U.S, Congress adopted the Federal Rules of Evidence as a set of standards that determine how evidence is presented and deemed admissible in court.
Article VII deals with opinions and expert testimony:
Rule 701 - Opinion Testimony by Lay Witness
Rule 702 - Testimony by Experts
Rule 703 - Basis of Opinion Testimony by Experts
Rule 704 - Opinion on Ultimate Issue
Rule 705 - Disclosure of Facts or Data Underlying Expert Opinion
Rule 706 - Court Appointed Experts |
|
|
Term
| Rule 701. Opinion Testimony by Lay Witnesses |
|
Definition
Rule 701. Opinion Testimony by Lay Witnesses
If a witness is not testifying as an expert, testimony in the form of an opinion is limited to one that is:
(a) rationally based on the witness’s perception;
(b) helpful to clearly understanding the witness’s testimony or to determining a fact in issue; and
(c) not based on scientific, technical, or other specialized knowledge within the scope of Rule 702.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Mar. 2, 1987, eff. Oct. 1, 1987; Apr. 17, 2000,
eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)
http://federalevidence.com/downloads/rules.of.evidence.pdf |
|
|
Term
Rule 702. Testimony by Expert Witnesses
VERY IMPORTANT REVIEW ON TEST DAY |
|
Definition
Rule 702. Testimony by Expert Witnesses A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if: (a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; (b) the testimony is based on sufficient facts or data; (c) the testimony is the product of reliable principles and methods; and (d) the expert has reliably applied the principles and methods to the facts of the case. (Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)
http://federalevidence.com/downloads/rules.of.evidence.pdf |
|
|
Term
Rule 703. Bases of an Expert’s Opinion Testimony
VERY IMPORTANT REVIEW ON TEST DAY
|
|
Definition
Rule 703. Bases of an Expert’s Opinion Testimony
An expert may base an opinion on facts or data in the case that the expert has been made aware of or personally
observed. If experts in the particular field would reasonably rely on those kinds of facts or data
in forming an opinion on the subject, they need not be admissible for the opinion to be admitted. But if
the facts or data would otherwise be inadmissible, the proponent of the opinion may disclose them to the
jury only if their probative value in helping the jury evaluate the opinion substantially outweighs their
prejudicial effect.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Mar. 2, 1987, eff. Oct. 1, 1987; Apr. 17, 2000, eff. Dec. 1, 2000;
Apr. 26, 2011, eff. Dec. 1, 2011. ) http://federalevidence.com/downloads/rules.of.evidence.pdf |
|
|
Term
| Rule 704. Opinion on an Ultimate Issue |
|
Definition
Rule 704. Opinion on an Ultimate Issue
(a) In General — Not Automatically Objectionable. An opinion is not objectionable just because it
embraces an ultimate issue.
(b) Exception. In a criminal case, an expert witness must not state an opinion about whether the defendant
did or did not have a mental state or condition that constitutes an element of the crime charged or of a
defense. Those matters are for the trier of fact alone.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Pub. L. 98-473, Sept. 12, 1994;
Apr. 26, 2011, eff. Dec. 1, 2011.) |
|
|
Term
| Rule 705. Disclosing the Facts or Data Underlying an Expert’s Opinion |
|
Definition
Rule 705. Disclosing the Facts or Data Underlying an Expert’s Opinion
Unless the court orders otherwise, an expert may state an opinion — and give the reasons for it — without
first testifying to the underlying facts or data. But the expert may be required to disclose those facts or data
on cross-examination.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Mar. 2, 1987, eff. Oct. 1, 1987; Apr. 29, 1994, eff. Dec. 1, 1994;
Apr. 26, 2011, eff. Dec. 1, 2011.) |
|
|
Term
Rule 706. Court-Appointed Expert Witnesses
|
|
Definition
Rule 706. Court-Appointed Expert Witnesses
(a) Appointment Process. On a party’s motion or on its own, the court may order the parties to show
cause why expert witnesses should not be appointed and may ask the parties to submit nominations. The
court may appoint any expert that the parties agree on and any of its own choosing. But the court may only
appoint someone who consents to act.
(b) Expert’s Role. The court must inform the expert of the expert’s duties. The court may do so in writing
and have a copy filed with the clerk or may do so orally at a conference in which the parties have an
opportunity to participate. The expert:
(1) must advise the parties of any findings the expert makes;
(2) may be deposed by any party;
(3) may be called to testify by the court or any party; and
(4) may be cross-examined by any party, including the party that called the expert.
(c) Compensation. The expert is entitled to a reasonable compensation, as set by the court. The compensation
is payable as follows:
(1) in a criminal case or in a civil case involving just compensation under the Fifth Amendment, from
any funds that are provided by law; and
(2) in any other civil case, by the parties in the proportion and at the time that the court direct — and
the compensation is then charged like other costs.Federal Rules of Evidence Federal Evidence Review 2014
32 www.FederalEvidence.com
(d) Disclosing the Appointment to the Jury. The court may authorize disclosure to the jury that the court
appointed the expert.
(e) Parties’ Choice of Their Own Experts. This rule does not limit a party in calling its own experts.
(Legislative History Links: Pub. L. 93-595, Jan. 2, 1975; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011,
eff. Dec. 1, 2011.) |
|
|
Term
Admissibility of Evidence:
DO NOT confuse FRE Rule 401 with the Frye Standard... |
|
Definition
Rule 401: (the relevancy test) addresses the RELEVANCE of evidence to a TRIAL
Frye Standard: (the general acceptance test) addresses the ACCEPTABILITY of TECHNIQUES in obtaining evidence or information |
|
|
Term
Admissibility of Evidence:
evidence must be C.R.M
|
|
Definition
competent: reliable/credible
relevant: tend to prove a fact of the case
material: substantiate an issue in question in the case
and
in the USA evidence must be obtained legally |
|
|
Term
| Choose USA sexual harassment laws: |
|
Definition
Equal Protection Clause of the 14th Amendment
Civil Rights Act of 1991
1964 Civil Rights Act, Title VII |
|
|
Term
| What is the difference between an evidentiary and an expert witness? |
|
Definition
Evidentiary witness is limited to presenting facts of the case
Expert witness can testify as an evidentiary witness and also make opinons based on scientific, technical or other expert knowledge
The Rules of Evidence provide a framework of what a witness can and cannot discuss |
|
|
Term
| File types for Linux are: |
|
Definition
File types for Linux are:
d - directory
- - regular file
c - character
b - block
s - Unix domain socket
p - named pipe
l - symbolic link |
|
|
Term
Application Password crackers
Windows password recovery tools |
|
Definition
Windows password recovery tools
- Windows XP/2000/NT Key Generator - resets the domain adminstrator password for Active Directory
- ERD Commander 2005 - boots systems into a Windows-like repair environment giving complete control over the system
- Active@ Password Changer - DOS-based solution for resetting local administrator and user passwords in XP, Vista, 2003, 2000 and NT
- Cain & Abel
- LCP
- SID&USER
- ophcrack - uses rainbow tables
- RockXP
- Magical Jelly Bean Keyfinder |
|
|
Term
Application Password Crackers
Office |
|
Definition
Office
- Advanced Office XP Password Recovery - Microsoft Office
- Word Password Recovery Master
- Office Password Recovery Toolbox
- Passware Kit - 25 password recovery programs
- PstPassword - Outlook
- Access PassView - Microsoft Access |
|
|
Term
| Application password crackers |
|
Definition
Other
- Advanced ZIP password recovery - zip file passwords
- PicoZip Recovery - zip file passwords
- PDF Password Crackers - pdf file passwords
- Default Password Databases
- Dialupass - dial-up passwords
- Database Sleuth
Network Password Recovery - network passwords
- SniffPass - captures password that pass through the network adapter (POP3, IMAP4, SMTP, FTP, HTTP)
- Asterisk Key - reveals asterisks that hide passwords
- Asterisk Logger - reveals asterisks that hide passwords
- Password Spectator - reveals asterisks that hide passwords
Linux
- John the Ripper
- DJohn
Unix
- Crack
HTTP, POP3, FTP, Telnet
- Brutus
Email, Instant Messaging...
- Mail PassView - email
- Messenger Key - instant messaging
- MessenPass
- Mail Recovery |
|
|
Term
Which statement is used to see the contents of the MBR?
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
dd if=/dev/hda of=mbr.bin bs=512 count=1
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc |
|
Definition
dd if=/dev/hda of=mbr.bin bs=512 count=1
used to see contents of the master boot record. Must be run as root. Reads the first 512 bytes from /dev/hda (the first IDE drive) and writes them to a file named mbr.bin
Reference: EC Council Press. (2010). Computer Forensics: Investigating Data and Image Files, 1st Edition. Clifton Park, NY: Cengage Learning. P. 2-4 and 2-5. |
|
|
Term
Which statement is used to partition an image on another machine?
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc |
|
Definition
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
used to partition an image on another machine. Run on the target machine |
|
|
Term
What are types of search warrants? Select the most comprehensive answer.
Electronic storage device search warrant
Service provider search warrant and electronic storage device search warrant
Service provider search warrant |
|
Definition
Service provider search warrant and electronic storage device search warrant
Electronic storage device search warrant allows for search and seizure of computer components such as hardware, software, storage devices and documentation
Service provider search warrant allows the first responder to get information such as service records, billing records and subscriber information if the crime is committed through the internet. |
|
|
Term
| What is the best way to deal with powered-off computers? |
|
Definition
| Do not change the state of any electronic device. Leave the computer off |
|
|
Term
| What is the best way to deal with powered-on computers? |
|
Definition
Do not change the state of any electronic device.
Leave the computer on, unplug the network cable and photograph the screen |
|
|
Term
What techniques can be used to detect wireless access points?
CHOOSE ONE
Manual detection, active wireless scanning, passive wireless scanning, Nessus vulnerability scanning
Manual detection, Nessus vulnerability scanning
Active and passive wireless scanning |
|
Definition
Manual detection - physically visit the area where a WAP is likely to be and use wardriving techniques to attempt to detect the rogue access point
Active wireless scanning technique - broadcasting a probe message and waiting for a response from devices in the range
Passive wireless scannin technique - identifies the presence of any wireless communication to find identify active WAP connections
Nessus vulnerability scanner |
|
|
Term
DNS Cache Poisoning : One way to _______ a host,
DNS cache stores _______of websites recently _______. |
|
Definition
DNS Cache Poisoning
One way to misdirect a host, is DNS cache poisoning. The DNS cache stores IP addresses of websites recently resolved. It is possible for a hacker to insert fake mappings into DNS server by using buffer overflow or other means. The SOA record tells how long the DNS cache poisoning will last.
In order to make the DNS server secure from the DNS cache poisoning attack, enable DNS socket pool on the DNS server. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute the attack. The DNS socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks. |
|
|
Term
Address Resolution Protocol (ARP) Spoofing
ARP spoofing is also known as ARP cache poisoning or ARP poison routing. It is a technique used to |
|
Definition
ARP spoofing is also known as ARP cache poisoning or ARP poison routing.
used to attack a local-area network. ARP spoofing can allow an attacker to intercept data and modify or halt network traffic. ARP spoofing can be used to attack an Ethernet wired or wireless network.
During normal functioning, ARP sends a broadcast with the IP address asking for the associated MAC address. A host having said IP address replies with its MAC address. Thus the ARP cache gains an entry matching IP address with MAC address.
During ARP spoofing or ARP poisoning, ARP sends the same broadcast but an attacker replies with fake MAC address. Now the ARP cache has a false entry and all communication from the host will go to the fake MAC address
One defense against ARP spoofing is placing static ARP entries on servers, workstations, and routers using the ARPWALL system. |
|
|
Term
The most common way to use this command is with
-ano switches or -r switch.
CHOOSE ONE:
Netcat
Netstat
Nmap |
|
Definition
netstat -ano
displays TCP and UDP network connections, the listening ports and process identifiers (PID) using those network connections
netstat - r
displays the routing table |
|
|
Term
Which of the statements is true about the Mac OS?
CHOOSE ONE:
Based on BSD Darwin engine
Startup items in /System/Library/StartupItems or /Library/StatupItems
uses .hidden to maintain a list of hidden files
All of the Above |
|
Definition
|
|
Term
What three things does the Mac OS X depend on?
CHOOSE ONE:
*Open firmware, boot loader, typical Mac OS X boot sequence
*Proprietary firmware, boot loader, boot sequence
*BIOS, boot loader, autoexec.bat |
|
Definition
Open firmware, boot loader, typical Mac OS X boot sequence :
Open Firmware is a nonproprietary platform-independent boot firmware similar to PC BIOS.
It is stored in ROM and is the first program executed at power up.
Press Command-Option-O-F |
|
|
Term
What are two ways to display Open Firmware?
CHOOSE ONE
F8 or telnet
Command-Option-O-F or telnet
Apple key or telnet |
|
Definition
Command-Option-O-F or telnet
Reference: EC Council Press. (2010). Computer Forensics: Hard Disk and operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. P. 3-12. |
|
|
Term
Which statement is true about BootX?
CHOOSE ONE
BootX is the default boot loader for Mac OS X
BootX cannot load kernals from HFS+, HFS, UFS, ext2 or TFTP
BootX is similar to BIOS |
|
Definition
BootX is the default boot loader for Mac OS X.
BootX can load kernals from HFS+, HFS, UFS, ext2 or TFTP |
|
|
Term
| What is the difference between big endian and little endian? |
|
Definition
A big-endian machine stores the
most significant byte
first.
A little-endian machine stores the
least significant byte
first. |
|
|
Term
Mac OS X boot process
- BootX ...?
- Kernel...?
- Mac OS X desktop is loaded with login window by default |
|
Definition
Mac OS X boot process
- BootX initialized Open Firmware
- BootX creates a pseudodevice called sl_words (secondary loader)
- BootX looks up device options properties (little endian, real mode...)
- BootX looks up the chosen device handles
- BootX initialized handles to memory, keyboard, display
- BootX checks the security mode
- BootX finds the kernel and constructs the path to the kernel
- BootX draws Apple logo splash screen
- BootX decodes the kernel
- BootX saves the file system cache data and sets up various boot arguments
- Kernel executes
- Kernel determines the root device
- Kernel initializes BSD data structures, I/O kit
- Kernel starts /sbin/mach_init which maintains mappings between service names and Mach ports that provide those services
- Mac OS X desktop is loaded with login window by default |
|
|
Term
WHICH type of DoS attack sends ICMP echo packets with spoofed source address.
Fraggle ?
Smurf ?
Land ? |
|
Definition
| Smurf attack sends ICMP packets with spoofed source addresses |
|
|
Term
WHICH type of DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses
Fraggle ?
Smurf ?
Land ? |
|
Definition
| In a fraggle DoS attack, the attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses |
|
|
Term
This type of DoS attack does the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it.
Teardrop ?
Jolt ?
Reflective DDoS? |
|
Definition
| In a Jolt attack the attacker fragments the ICMP packet in such a manner that the target computer cannot reassemble it. |
|
|
Term
This type of DDoS the attacks usually spoof the originating IP addresses and send the requests at reflectors.
Teardrop ?
Jolt ?
Reflective DDoS ? |
|
Definition
Reflective DDoS,
the attacks usually spoof the originating IP addresses and send the requests at reflectors. |
|
|
Term
This type of DoS attack involves
sending a spoofed TCP SYN packet
to an open port
with the host IP address as both source and destination.
This causes the host to reply to itself continuously:
Fraggle?
Smurf?
Land? |
|
Definition
| Land attack involves sending a spoofed TCP SYN packet to an open port with the host IP address as both source and destination. This causes the host to reply to itself continuously |
|
|
Term
What type of virus can redirect the disk head to read another sector?
|
|
Definition
| A stealth virus is a virus that can redirect the disk head to read another sector |
|
|
Term
| What type of virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files. |
|
Definition
| A multipartite virus first infects files, and then works as a boot sector virus. It ultimately changes the Master Boot Record (MBR) of the hard disk. Once the boot sector is infected, the virus loads into memory and begins to infect all the program files. |
|
|
Term
| What type of scan sends a SYN flag, receives an SYN/ACK then sends a RST? |
|
Definition
| The SYN scan creates a half-open TCP/IP connection. An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. |
|
|
Term
What type of scan sends FIN, URG, PSH flags?
XMAS ?
FIN ?
Half-open ? |
|
Definition
XMAS scan sends FIN, URG, PSH
http://nmap.org/book/man-port-scanning-techniques.html |
|
|
Term
Which nmap scan is a slow scan to avoid detection?
nmap -sS -PT -PI -O -T1 122.13.145.15
nmap –sP 10.1.2.0/24
nmap -sS -O www.somewebsite.com/24 |
|
Definition
nmap -sS -PT -PI -O -T1 122.13.145.15
slow scan to avoid detection |
|
|
Term
Which netcat command is an example of port scanning?
nc -l -p port_number > /test/outfile.txt
nc www.targethost.com 80
nc -v -z target port-range |
|
Definition
| nc -l -p port_number > /test/outfile.txt |
|
|
Term
Which command provides a history of commands?
Doskey /history
Dos - history
Ls - history |
|
Definition
Doskey /history
prints recent commands |
|
|
Term
Which port does SSL typically use?
|
|
Definition
Secure Sockets layer typically runs on port 443
|
|
|
Term
Which port does IS typically used?
SMB on port ? |
|
Definition
|
|
Term
| How many keys does asymmetric encryption have? |
|
Definition
two keys:
Asymmetric encryption has a public key and a private key |
|
|
Term
Which key is used to encrypt an email to be sent....in asymmetric encryption?
|
|
Definition
- The recipient’s public key encrypts the message
E-mail digital signatures
- The sender’s private key encrypts (or signs) a hash of the message.
- The sender’s public key decrypts the hash of the message
E-mail encryption
- The recipient’s public key encrypts the message
- The recipient’s private key decrypts the message
It's important to realize that these are two completely separate instances. An email can be encrypted only, digitally signed only, or encrypted and digitally signed.
- If the public key encrypts information, only the matching private key can decrypt the same information.
- If the private key encrypts information, only the matching public key can decrypt the same information.
- Private keys are always kept private and never shared.
- Public keys are freely shared by embedding them in a certificate.
As mentioned by the other two replies, the CA verifies the certificate (and in turn the public key).
|
|
|
Term
Which encryption algorithm is streaming?
FISH
AES
DES |
|
Definition
FISH swim in a stream.....FISH = streaming
FISH - FISH (FIbonacci SHrinking) stream cipher [http://www.google.com/#hl=en&sclient=psy-ab&q=stream+cipher+fish&oq=stream+cipher+fish&gs_l=serp.3...2118.6551.0.6803.25.16.0.0.0.0.1123.3003.5-2j1j1.4.0.les%3B..0.0...1c.1.2.serp.2leYPHYeYtI&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&fp=785d3bc0fb80a0d7&biw=708&bih=643]
AES (Advanced Encryption Standard) is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. [http://en.wikipedia.org/wiki/Advanced_Encryption_Standard]
DES predessor of AES |
|
|
Term
|
Definition
| Port 7777 is the correct port for Tini, reference here: http://www.ntsecurity.nu/toolbox/tini/ |
|
|
Term
| What is computer forensics? |
|
Definition
Preservation, identification, extraction, interpretation and documentation of computer evidence.
PIE-ID |
|
|
Term
Computer forensics includes: WHICH ?
- Rules of evidence
- Legal processes
- Integrity of evidence
- Factual reporting of information found
- Expert opinion about findings presented in a court of law, or other legal or administrative hearing |
|
Definition
|
|
Term
| Which event was instrumental to the evolution of computer forensics? |
|
Definition
| 1888: Francis Galton made first recorded study of fingerprints to catch potential criminals |
|
|
Term
| Which event was instrumental to the evolution of computer forensics? |
|
Definition
| 1893: Hans Gross was first to apply science to criminal investigation. |
|
|
Term
| Which event was instrumental to the evolution of computer forensics? 1915 Leone Lattes was first to |
|
|
Definition
Leone Lattes was first to
use blood groupings to connect criminal to crime. |
|
|
Term
| Which event was instrumental to the evolution of computer forensics? 1910: Albert Osbron was first to |
|
|
Definition
| Albert Osbron was first to develop methodology for documenting evidence during examination process. |
|
|
Term
Which event was instrumental to the evolution of computer forensics?
1925: Calvin Goddard was first to |
|
Definition
1925: Calvin Goddard was first to make use of
bullet comparisons. |
|
|
Term
| Which event was instrumental to the evolution of computer forensics? |
1932: FBI set up a... |
|
Definition
| 1932: FBI set up a... forensic services laboratory for field agents and law authorities. |
|
|
Term
|
Which event was instrumental to the evolution of computer forensics?
1984: (CART) was developed:
|
|
|
Definition
| 1984: (CART) was developed: Computer Analysis & Response Team |
|
|
Term
Which event was instrumental to the evolution of computer forensics?
1993: first international conference on computer evidence was held in.... |
|
Definition
|
|
Term
Which one is NOT an objective of computer forensics?
To recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law
To identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identify of the perpetrator
To recover and identify the evidence quickly |
|
Definition
NOT :To recover and identify the evidence quickly
Recovering and identifying evidence quickly is not a primary objective of computer forensics. Working too quickly can lead to mistakes that might compromise the evidence.
There are two objectives of computer forensics:
- Recover, analyze, and preserve computer related materials in a manner so they can be presented as evidence in a court of law
- Identify the evidence quickly, estimate the malicious impact on the victim, and determine the intent and identify of the perpetrator
|
|
|
Term
| What is forensic readiness? |
|
|
Definition
| Organization has specific incident response procedures and designated trained personnel assigned to handle any investigation |
|
|
Term
Which item is NOT part of forensic readiness planning?
Define business scenarios that require collection of digital evidence
Identify potential available evidence
Identify crime scene
Determine evidence collection requirements
Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice
Establish a policy for securely handling and storing collected evidence |
|
Definition
Identifying a crime scene is not part of forensic readiness planning. Forensic readiness planning includes:
- Define business scenarios that require collection of digital evidence
- Identify potential available evidence
- Determine evidence collection requirements
- Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice
- Establish a policy for securely handling and storing collected evidence |
|
|
Term
Which item is NOT part of forensic readiness planning?
Develop a plan to investigate team members
Develop a plan to make sure investigative team members are properly trained
Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities
Determine evidence collection requirements
Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice
Establish a policy for securely handling and storing collected evidence |
|
Definition
Developing a plan to investigate team members is not part of forensic readiness planning The following are part of forensic readiness planning:
- Develop a plan to make sure investigative team members are properly trained
- Develop a process for step-by-step documentation of all activities performed during examination of evidence and the impact of said activities
- Determine evidence collection requirements
- Develop procedures for securely collecting evidence that meets defined requirement in accordance with forensics good practice
- Establish a policy for securely handling and storing collected evidence |
|
|
Term
What is the definition of cybercrime?
Cybercrime means any illegal act that involves a computer or the systems and applications associated with it?
Cybercrime is the same as identity theft?
Cybercrime is any illegal act that involves a criminal using a computer? |
|
Definition
| Cybercrime means any illegal act that involves a computer or the systems and applications associated with it |
|
|
Term
| two categories of cybercrime. |
|
Definition
Tools of crime and Target of crime are two categories of cybercrime.
Reference: EC Council Press. (2010). Computer Forensics: Investigation Procedures and Response, 1st Edition. ( Page 1-12 ) Clifton Park, NY: Cengage Learning |
|
|
Term
|
Definition
| Insider attack and External attack are two modes of attack |
|
|
Term
Computer crimes include all but which of the following?
Fraud via manipulation of computer records
Performing vulnerability assessment for a client
Spam
Deliberate avoidance of computer security systems
Unauthorized access
Unauthorized modification of software |
|
Definition
Performing vulnerability assessment for a client with permission is NOT a computer crime. Computer crimes include:
- Fraud via manipulation of computer records
- Performing vulnerability assessment for a client
- Spam
- Deliberate avoidance of computer security systems
- Unauthorized access
- Unauthorized modification of software |
|
|
Term
CHFI v8.0 Training Course Outline
Module 01: Computer Forensics in Today’s World
Module 02: Computer Forensics Investigation Process
Module 03: Searching and Seizing Computers
Module 04: Digital Evidence
Module 05: First Responder Procedures
Module 06: Computer Forensics Lab
Module 07: Understanding Hard Disks and File Systems
Module 08: Windows Forensics
Module 09: Data Acquisition and Duplication
Module 10: Recovering Deleted Files and Partitions
Module 11: Using AccessData FTK
Module 12: Using EnCase
Module 13: Steganography and Image File Forensics
Module 14: Application Password Crackers
Module 15: Log Capturing and Event Correlation
Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic
Module 17: Wireless Attacks
Module 18: Web Attacks
Module 19: Emails
Module 20: Mobile
Module 21: Investigative Reports
Module 22: Expert Witness |
|
Definition
|
|
Term
Authorized penetration testing is NOT a computer crime. Computer crimes include:
|
|
Definition
- Intellectual property theft
- Industrial espionage by means of access to the computer
- Identify theft
- Spreading viruses or worms
- Authorized penetration testing
- Denial of Service or DDoS
|
|
|
Term
What is cybercrime investigation:
Collecting clues and forensic evidence about a cybercrime?
Securing the crime scene?
Disassembing a computer and carefully packaging the harddrive for further investigation? |
|
Definition
| Collecting clues and forensic evidence about a cybercrime |
|
|
Term
When does the investigation begin:
When the police arrive?
When the crime scene technician arrives?
When the crime is suspected? |
|
Definition
| When the crime is suspected |
|
|
Term
What occurs immediately after the investigation begins?
Immediate response to preliminary evidence including photographing the scene and marking evidence?
Immediately determine the damage from the crime?
Immediately call the police? |
|
Definition
| Immediately after the investigation begins, collect preliminary evidence including photographing the scene and marking evidence |
|
|
Term
| When is a search warrant NOT required? |
|
Definition
| A search warrent is not required when law enforcement witnesses the crime |
|
|
Term
| the proper order for response to a crime by first responders: |
|
Definition
This is the proper order for response to a crime by first responders:
1. Begin investigation the moment a crime is suspected
2. Response to preliminary evidence by photographing the scene and marking evidence
3. Obtain search warrant, if needed
4. Follow first responder procedures
5. Seize evidence seized at crime scene then safely number and secure it
6. Transport evidence to forensic laboratory
7. Make two bit-stream copies of evidence
8. Generate a checksum (generally MD5) on the bit-stream images
9. Prepare chain of custody
10. Store the original disk so that time stamps and evidence remain intact
11. Use image copy to analyze the evidence
12. Prepare a forensic report describing the forensic method and recovery tools
13. Submit the forensic report
14. Testify as expert witness, if needed |
|
|
Term
| How many bit-stream copies are made of the original evidence? |
|
Definition
| Two copies are made of the original evidence using two different software packages. |
|
|
Term
| Which copy is analyzed, the original or the bit-stream? |
|
Definition
| The bit-stream copy is analyzed. The original is stored in a safe location so no one can tamper with it. Initially, two copies are made. Then, if the first bit-stream copy is damaged, the second copy can be sued. If the second copy is damaged then another copy can be made from the original. |
|
|
Term
What is part of the role of a forensics investigator?
Recover data
Determine damage from crime
Gather evidence based on forensic guidelines
Protect evidence
All of the above |
|
Definition
All of the above
The role of a forensics investigator is to:
- Recover data
- Determine damage from crime
- Gather evidence based on forensic guidelines
- Protect evidence
- Create images of original evidence
- Guide officials in managing investigation
- Reconstruct damaged media
- Analyze data and prepares report
- Address the issues in court, if necessary. May act as expert witness. |
|
|
Term
| There are two associations that can help forensics investigators: |
|
Definition
There is much information on the internet to assist forensics investigators. Two helpful associations are:
- Computer Technology Investigators Networkhttp://www.ctin.org/
- High Technology Crime Investigators Associationhttp://www.htcia.org/ |
|
|
Term
What is the role of digital evidence in forensic investigation?
Provide material for investigative report in lawsuit?
Provide clues to identify the criminal?
Support expert witness testimony? |
|
Definition
| The role of digital evidence in forensic investigation is to provide clues to identify the criminal |
|
|
Term
Which of the following is NOT part of corporate investigation?
Business must continue during the forensic investigation
Generally address policy violations or legal disputes
May address wrongful termination
Must carefully follow government regulations
May address industrial espionage |
|
Definition
Following government regulations is not the primary part of corporate investigation although corporations must adhere to appropriate government regulations. Corporate investigation is generally looking into the following:
- Business must continue during the forensic investigation
- Generally address policy violations or legal disputes
- May address wrongful termination
- Must carefully follow government regulations
- May address industrial espionage |
|
|
Term
What is generally part of corporate investigation?
|
|
Definition
Email harassment
Falsification of information
Embezzlement
Fraud
Corporate sabatage
|
|
|
Term
| A good investigative report includes: |
|
Definition
Router settings may be too detailed for an investigative report
IDS/IPS may be too detailed for an investigative report.
A good investigative report includes:
- Methods of investigation
- Adequate supporting data
- Description of data collection techniques
- Calculations used
- Error analysis
- Results and comments
- Graphs and statistics explaining results
- References
- Appendices
- Acknowledgments
- Litigation support reports |
|
|
Term
FTP - Ports and
SSH - Port
SMTP - Port
SFTP - Port (Simple File Transfer Protocol)
LDAP - Port
SSL - Port
SMB - Port (--- NetBIOS Name Service, --- NetBIOS Datagram Service) |
|
Definition
FTP - Ports 20 and 21
SSH - Port 22
SMTP - Port 25
SFTP - Port 115 (Simple File Transfer Protocol)
LDAP - Port 389
SSL - Port 443
SMB - Port 445 (137 - NetBIOS Name Service, 139 - NetBIOS Datagram Service) |
|
|
Term
Where is the startup-configuration file for a Cisco router?
ROM ?
RAM ?
NVRAM ? |
|
Definition
| Startup-configuration file is in NVRAM |
|
|
Term
Where is the running-configuration file for a Cisco router?
ROM ?
RAM ?
NVRAM ? |
|
Definition
the running-configuration file for a Cisco router
Running-configuration file is in RAM |
|
|
Term
Which range of HTTP Status Codes
reveals client error status? |
|
Definition
| HTTP Status Codes 100-101 - Informational Status Codes HTTP Status Codes 200-206 - Successful Status Codes HTTP Status Codes 300-307 - Redirection Status Codes HTTP Status Codes 400-416 - Client Error Status Codes HTTP Status Codes 500-505 - Server Error Status Codes |
|
|
Term
Which statements are true regarding EFS?
|
|
Definition
EFS encyrpts files stored on Windows 2000, XP Pro and Server 2003. It is NOT designed to protect data in transit from one system to another.
EFS uses symmetric and asymmetric cryptography.
EFS encyryption occurs at the file system level not the application level. It is transparent to the user and to the application.
If a folder marked for encryption, then every file created in or moved to said folder will be encrypted.
There is no back door. File encryption uses a symmetric key. This symmetric key is then encrypted with an asymmetric public key.
EFS keys are protected by the user's password
EFS-encrypted files do not remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext and if saved to a folder with encryption, re-encrypted. |
|
|
Term
|
Definition
EnCase organizes evidence into cases.
Evidence can be viewed in various formats:
Evidence can be viewed in table, gallery, timeline or report formats .
Evidence data can be view as text, hex or picture . |
|
|
Term
From which devices can EnCase acquire data?
Evidence file (E01), raw image or dd image ?
Local Device ?
Smartphones? |
|
Definition
Local Device
Smartphones
...
Technically, EnCase would not acquire data from a raw image file or evidence file but these can be viewed in EnCase |
|
|
Term
| EnCase is divided into three* panes. What are the names of these panes * |
|
|
Definition
Tree - Case information
Table, Timeline, Gallery
View - text, hex, picture, fields...
fourth pane = filter pane
(Computer Crime, Investigation, and the Law
By Chuck Easttom)
|
|
|
Term
|
Definition
MD5 produces 128-bit hash value
The size of the hash value (128 bits) is small enough to contemplate a birthday attack.
(SHA-1 produces 160-bit has value).
MD5 is used to check data integrity.
MD5 is typically expressed as a 32-digit hexadecimal number
MD5 is not collision resistant- As such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property for digital security
http://en.wikipedia.org/wiki/MD5 |
|
|
Term
|
Definition
FAT32 is the 32-bit version of the FAT file system .
that uses smaller clusters which results in more efficient storage capacity.
It supports drives up to 2 TB. It can relocate the root directory and use the backup copy rather than the default copy. It can dynamically resize a partition. |
|
|
Term
|
Definition
| Complementary Metal-Oxide Semiconductor (CMOS) is a chip powered by a CMOS battery inside computers that stores information such as the system time and date and system hardware settings. |
|
|
Term
File Systems
?- Sun Solaris
?- Mac OS
? - iPod sync'd to MAC
?- iPod sync'd to Windows
?- Windows
?- Unix
? - Linux |
|
Definition
ZFS - Sun Solaris
HFS - Mac OS
HFS+ - iPod sync'd to MAC
FAT32 - iPod sync'd to Windows
NTFS - Windows
UFS - Unix
ext1, ext2, ext3 - Linux |
|
|
Term
Which dd command is used to make a complete physical backup of a hard disk?
dd if=/dev/? |
|
Definition
dd if=/dev/hda of=/dev/case5img1
|
|
|
Term
| Which dd command is used to copy one hard disk partition to another hard disk? |
|
|
Definition
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Copy one hard disk partition to another hard disk |
|
|
Term
| What directory is used to store commands needed for system operability? |
|
Definition
/bin - commands needed for minimal system operability
/dev - devices for terminals, disks...
/etc - critical startup and configuration files
/lib - libraries
/sbin - commands for booting, repairing aor recovering the system |
|
|
Term
| Which dd command is used to make an image of a CD? |
|
Definition
dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc
Make an image of a CD |
|
|
Term
Which dd command is used to copy a floppy?
|
|
Definition
| dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc |
|
|
Term
| Which dd command is used to copy RAM memory to a file? |
|
Definition
dd if=/dev/mem of=/home/sam/mem.bin bs=1024
Used to copy RAM memory to a file |
|
|
Term
| Which dd command is used to restore a disk partiiton from an image file? |
|
Definition
dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
Used to restore a disk partition from an image file |
|
|
|
Term
| From largest to smallest what is the platter organization? |
|
Definition
Platter, track, sector
Each platter has two read-write heads - one on top and one on bottom. Platters are divided into tracks. Tracks are concentric circles that are divided into sectors. Each sector holds 512 bytes.
Clusters are groups of sectors, eg. 128-sector cluster would have about 65536 bytes. Clusters are the smallest logical storage units on a hard disk.
|
|
|
Term
The forensics laboratory must have :
|
|
Definition
office space,
storage for evidentiary materials,
interview facility,
and operational laboratory
( a vault protects against flood, fire, theft...)
|
|
|
Term
|
Definition
...system-specific data and configuration files .
Nemeth, E., Snyder, G., and Hein, T. (2002). Linux Adminstration Handbook Upper Saddle River, Nj: Prentice Hall PTR. p. 68. |
|
|
Term
Choose the true statements about SIMPLE:
|
|
Definition
Developed by Australian university students using Linux Live CD
Customized kernal and OS so it is impossible to write to the hard disk
SIMPLE launches from a CD |
|
|
Term
| Which are true about X-Ways Forensics? |
|
Definition
X-Ways Forensics is a work environment including:
Disk cloning and imaging
Examining complete directory structure and disk space including slack space
Viewing and dumping memory including virtual memory
Support for FAT, NTFS, ext2/3 |
|
|
Term
|
Definition
Search text on hard disks and retrieves the context of keyword occurrences on computer media
Examines entire allocated space including swap space, hibernate files and unallocated space on Local hard drives
Evidor cannot access remote networked hard disks
|
|
|
Term
| What are some standard /usr sub-directories? |
|
Definition
Typical /user sub-directories include:
bin - support files for programs
local - software (stuff you install)
sbin - more commands for system adminstration and repair
share - items common to multiple systems
src - source code for nonlocal software
(NOT "dev")
Reference: Nemeth, E., Snyder, G., and Hein, T. (2002). Linux Adminstration Handbook Upper Saddle River, Nj: Prentice Hall PTR. p. 68. |
|
|
Term
| Which are true about EasyRecovery? |
|
Definition
Repairs and restores corrupt or inaccessible Microsoft Office and Zip files
Includes EmailRepair
EasyRecovery does not do disk imaging
ref chp 13 Official CHFI study guide |
|
|
Term
Which of these statements are true regarding
18 U.S.C. 2318? |
|
Definition
18 U.S.C. 2318 involves trafficking in
counterfeit phone records,
computer programs,
motion pictures,
audio visual works
or computer program documentation |
|
|
Term
|
Definition
| trafficking in unauthorized sound recordings and music video of live musical performances |
|
|
Term
Decipher the results of ls -l. (Choose all that apply)
drwxr-xr-x 27 root root 4096 Apr 15 2012 /usr/include
This is a directory
Owner can read, write and execute files
This is a regular file |
|
Definition
The file type is "d" meaning directory.
The first group of rwx means the owner can read, write and execute files
Reference: Nemeth, E., Snyder, G., and Hein, T. (2002). Linux Adminstration Handbook Upper Saddle River, Nj: Prentice Hall PTR. p. 68. |
|
|
Term
Which of these statements are true regarding 18 U.S.C. 2320?
Unauthorized distribution of computer programs
Trafficking in counterfeit goods
Trafficking in counterfeit services |
|
Definition
18 U.S.C. 2320 involves trafficking in
counterfeit goods
or
services |
|
|
Term
18 U.S.C. 1832 -applies to
18 U.S.C. 1833 - exceptions to
18 U.S.C. 1834 - applies to |
|
Definition
18 U.S.C. 1832 -applies to theft of trade secrets
18 U.S.C. 1833 - exceptions to prohibitions
18 U.S.C. 1834 - criminal forfeiture |
|
|
Term
| 17 U.S.C. 506(c-d) applies to |
|
Definition
| 17 U.S.C. 506(c-d) applies to fraudulent copyright notice |
|
|
Term
two laws applicable to cyberstalking
18 U.S.C ?
18 U.S.C. ? |
|
Definition
18 U.S.C 875 - interstate communications applies to transmitting any communication containing any demand for ransom, threat to kidnap or injure a person
18 U.S.C. 2261A - interstate stalking |
|
|
Term
Choose all true about the USA PATRIOT Act:
Greater authority to track and intercept communications for law enforcement and foreign intelligence gathering
Made wiretapping illegal
Passed in response to 911 terrorist attack |
|
Definition
Greater authority to track and intercept communications for law enforcement and foreign intelligence gathering
Passed in response to 911 terrorist attack |
|
|
Term
Which pertains to federal information security? (Choose one)
CAN-SPAM
GLB
FISMA |
|
Definition
FISMA
Federal Information Security Management Act requires federal agencies to develop, document and implement an agency-wide program to provide information security
Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act) includes provision to protect consumer's personal financial information
CAN-SPAM Act of 2003 (controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirments for those sending commerical email and gives consumers the right to ask emailers to stop spamming them |
|
|
Term
Which acts pertain to privacy:
CAN-SPAM ?
PIPEDA ?
Data Protection Act 1998 Section 55 ? |
|
Definition
PIPEDA
Data Protection Act 1998 Section 55
===
Personal Information Protection and Electronic Documents Act
Data Protection Act 1998 Section 55: Unlawful obtaining of personal data |
|
|
Term
Which statutes are used by the FBI to investigate computer-related crimes? CHOOSE ALL THAT APPLY:
18 U.S.C. 875
18 U.S.C. 1029 and 1030
18 U.S.C. 1343, 1361, 1362
18 U.S.C. 1831 and 1832
FISMA
US Patriot Act |
|
Definition
18 U.S.C. 875
18 U.S.C. 1029 and 1030
18 U.S.C. 1343, 1361, 1362
18 U.S.C. 1831 and 1832 |
|
|
Term
Which statements are true regarding the BIOS password?
BIOS manufacturers do not provide a backup password in case the password is lost
BIOS will lock the system completely if the password is typed wrong three times
The BIOS password for Dell is Dell
The BIOS password for Compaq is centra |
|
Definition
BIOS will lock the system completely if the password is typed wrong three times
The BIOS password for Dell is Dell
====
BIOS manufacturers do provide backdoor passwords in case the BIOS password is lost.
The Dell password is Dell and the Compaq password is Compaq.
The Epox password is central.
BIOS will lock after three invalid password attempts. |
|
|
Term
| What are steps to removing the CMOS battery and why remove it? |
|
Definition
If the CMOS battery is removed and replaced after about 30 minutes, the password will reset itself.
Turn the computer off and unplug the power cord
Locate the battery on the motherboard
Carefully lift the battery from the socket
Wait 30 minutes and replace the battery
Reboot the computer and enter BIOS
Set the default settings, save the settings and start the computer
Reference: EC Council Press. (2010). Computer Forensics: Investigating Data and Image Files, 1st Edition. Clifton Park, NY: Cengage Learning. P. 7-5 and 7-6. |
|
|
Term
Which statement is used to partition an image on another machine?
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc |
|
Definition
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
used to partition an image on another machine. Run on the source machine |
|
|
Term
|
Definition
Windows password recovery tools
- Windows XP/2000/NT Key Generator - resets the domain adminstrator password for Active Directory
- ERD Commander 2005 - boots systems into a Windows-like repair environment giving complete control over the system
- Active@ Password Changer - DOS-based solution for resetting local administrator and user passwords in XP, Vista, 2003, 2000 and NT
- Cain & Abel
- LCP
- SID&USER
- ophcrack - uses rainbow tables
- RockXP
- Magical Jelly Bean Keyfinder
Office
- Advanced Office XP Password Recovery - Microsoft Office
- Word Password Recovery Master
- Office Password Recovery Toolbox
- Passware Kit - 25 password recovery programs
- PstPassword - Outlook
- Access PassView - Microsoft Access
Other
- Advanced ZIP password recovery - zip file passwords
- PicoZip Recovery - zip file passwords
- PDF Password Crackers - pdf file passwords
- Default Password Databases
- Dialupass - dial-up passwords
- Database Sleuth
Network Password Recovery - network passwords
- SniffPass - captures password that pass through the network adapter (POP3, IMAP4, SMTP, FTP, HTTP)
- Asterisk Key - reveals asterisks that hide passwords
- Asterisk Logger - reveals asterisks that hide passwords
- Password Spectator - reveals asterisks that hide passwords
Linux
- John the Ripper
- DJohn
Unix
- Crack
HTTP, POP3, FTP, Telnet
- Brutus
Email, Instant Messaging...
- Mail PassView - email
- Messenger Key - instant messaging
- MessenPass
- Mail Recovery
Reference: EC Council Press. (2010). Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. Chapter 7. |
|
|
Term
Which statement is used to see the contents of the MBR?
dd if=/dev/hda bs=16065b | netcat targethost-IP 1234
dd if=/dev/hda of=mbr.bin bs=512 count=1
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc |
|
Definition
dd if=/dev/hda of=mbr.bin bs=512 count=1
used to see contents of the master boot record. Must be run as root. Reads the first 512 bytes from /dev/hda (the first IDE drive) and writes them to a file named mbr.bin |
|
|
Term
Which statement is used to partition an image on another machine?
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc |
|
Definition
netcat -l -p 1234 | dd of=/dev/hdc bs=16065b
used to partition an image on another machine.
Run on the target machine
|
|
|
Term
| two types of search warrants |
|
Definition
Electronic storage device search warrant allows for search and seizure of computer components such as hardware, software, storage devices and documentation
Service provider search warrant allows the first responder to get information such as service records, billing records and subscriber information if the crime is committed through the internet. |
|
|
Term
A forensic investigator wants to find some information on a computer running Linux. He wants to find the computer name and version of Linux. Then he wants to list the files in the root directory Finally, he wants to see protocol information. What commands should he use to accomplish these three tasks?
uname -a
ls -l
netstat -s
dir |
|
Definition
uname -a
ls -l
netstat -s
can be used to get the required information.
Reference: EC Council Press. (2010). Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. P. 6-2 |
|
|
Term
|
Definition
Lilo and grub are two Linux boot loaders. Details about each are found using
more /etc/lilo.conf
more /etc/grub.conf |
|
|
Term
A forensic investigator types sfdisk -l
Part of the output lists four devices: /dev/hda1, /dev/hda2, /dev/hda3, and /dev/hda4
What is an hda device?
There are four types of partitions in Linux: |
|
Definition
There are four types of partitions in Linux:
hda - primary master
hdb - primary slave
hdc - secondary master
hdd - secondary slave |
|
|
Term
A forensic investigator types: file CopyInstall.log
What is the response?
- ASCII text (if the file is ASCII) .
- Length of CopyInstall.log .
- ELF 32-bit LSB executable... (if the file is actually an executable) .
|
|
Definition
What is the response?
- ASCII text (if the file is ASCII) .
- xno
- ELF 32-bit LSB executable... (if the file is actually an executable)
file command returns the type of file. Attackers may hide files with names or extensions design to fool investigators |
|
|
Term
The forensic investigator made a copy of the CopyInstall.log in the root directory and wants to see the contents in hex because he believes this file may not be what it seems. What Linux command line tool could he use?
- xxd -l CopyInstall.log
- xxd -l CopyInstall.log HexOutput.log
- notepad
|
|
Definition
- xxd -l CopyInstall.log
- xxd -l CopyInstall.log HexOutput.log
xxd is a command line hex dump tool that can dump hex values to the console or a fil |
|
|
Term
What is the size of a hard drive having the following:
16384 cylinders/disk
80 heads/cylinder
63 sectors/track
512 bytes/sector |
|
Definition
About 39 GB
Capacity Calculator |
|
|
Term
| Computer Forensics: Hard Disk and Operating Systems, 1st Edition. Clifton Park, NY: Cengage Learning. P. 6-9 |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| Network forensics is capturing, recording and analysis of network events in order to discover the source of security attacks. |
|
|
Term
How does a network intruder enter a system? (Choose all that apply)
Enumeration
Vulnerabilities
Viruses, Trojans, Email infection
Logging on
Router attacks
Password cracking |
|
Definition
Network intruders can enter a system using the following techniques:
Enumeration yielding topology of network, list of live hosts, network architecture, types of traffic, potential vulnerabilities of host systems
Vulnerabilities
Virus, Trojans, Email infection and other malware
Router attacks
Password cracking
Hint: Take into account that logging on can only be accomplished if the attacker knows the username and password. How would they know this unless they performed some other activitie such as social engineering or password cracking first. All other answers are correct. |
|
|
Term
What are some pitfalls of network evidence collection?
Gaps in evidence
Other nations may be involved creating legal and political challenges
Locating evidence is only local
Logs change rapidly and some information may be lost before permission is granted to analyze the log
Logs may be housed at ISP which requires special permission (such as a search warrant) to view
End-to-end investigation is fairly simple |
|
Definition
Evidence can be lost quickly during log analysis becuase logs change rapidly.
There may be gaps in evidence.
Sometimes other nations are involved in the investigation resulting in legal and political issues.
Logs may be ambiguous, incomplete or missing. |
|
|
Term
| What is required for computer records to be admissible in court of law? |
|
Definition
Prosecution must present appropriate testimony to show logs are accurate, reliable, fully intact
Witness must authenticate computer records presented as evidence |
|
|
Term
| Random compliations of data are not admissible. Logs must be kept as a regular business practice. Logs instituted after an incident has commenced ______________ under the business records exception. |
|
Definition
| Under the business records exception, logs instituted after an incident has commenced do NOT qualify because they do not reflect customary practice of an organization |
|
|
Term
Will record of failures or security breaches on the machine creating logs impeach the evidence?
|
|
Definition
Generally, yes
Failures and security breaches tend to impeach evidence |
|
|
Term
|
Definition
| Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs or audit data |
|
|
Term
which three types of logs that can be used together to provide more compelling evidence.
Router logs
IDS logs
TCPDump output
Firewall logs
Event logs |
|
Definition
Firewall logs,
IDS logs
and TCPDump output
can contain evidence of an internet user connecting to a specific server at a given time. |
|
|
Term
What causes an IIS log to be suspect?
Full and complete log
Any modification to the log
Carefully implemented log |
|
Definition
| Any modification to the log |
|
|
Term
SYSTEM\CurrentControlSet\W32Time\Parameters is part of the registry key used for _______________?
Setting time
Loading NTP
Timing logs |
|
Definition
Loading NTP :
Windows time service can be used to synchronize IIS servers by connecting them to external time source. To accomplish this SYSTEM\CurrentControlSet\W32Time\Parameters can be set to NTP. |
|
|
Term
| does UTC follow daylight savings time? |
|
Definition
| UTC does NOT follow daylight savings time. |
|
|
Term
| _________ is a process in which many web sites write binary log data. |
|
Definition
| Centralized binary logging is a process in which many web sites write binary log data. |
|
|
Term
types of IIS logging:
IIS standard logs
ODBC logging
System Event log
Centralized binary logging
IISLogger tool |
|
Definition
System Event logs are for the operating system.
All other answers are correct.
IIS standard log, ODBC logging (disables HTTP.sys kernal-mode cache and degrades server performance), centralized binary logging and IISLogger (provides additional functionality on top of IIS standard logging) |
|
|
Term
Which of the following statements are true about syslog?
Controlled on per-machine basis with /etc/syslog.conf
Space key used to define white space
Local and remote log collection
Facility, level and action are included
Audit mechanism used by Linux |
|
Definition
Controlled on per-machine basis with /etc/syslog.conf
Local and remote log collection
Facility, level and action are included
Audit mechanism used by Linux
Syslog is the audit mechanism used by Linux.
It permits both local and remote logging.
Syslog is controlled on a per-machine basis by /etc/syslog.conf.
Tab key is used to define white space between the selector (left) and the action (right) |
|
|
Term
| What are the severity levels of syslog? |
|
Definition
The list of severity Levels:
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages
Recommended practice is to use the Notice or Informational level for normal messages.
Log is not a syslog level |
|
|
Term
|
Definition
|
|
Term
What files must be changed for remote logging?
/etc/rc.d/init.d/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r"
/etc/sysconfig/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r"
/etc/services files. Syslog 514/udp
/sbin/service syslog restart |
|
Definition
/etc/rc.d/init.d/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r"
/etc/sysconfig/syslog add -r to SYSLOGD_OPTIONS="-m 0 -r"
/etc/services files. Syslog 514/udp
After the three files have been changed, the administrator must run /sbin/service syslog restart .
Hint: /sbin/service syslog restart is a command not a file. The other three files must be changed before this command can be executed. |
|
|
Term
| What port does native Windows remote logging run on? |
|
|
Definition
| Windows does not support remote logging. Third-pary utilites like NTsyslog are required to enable remote logging in Windows. |
|
|
Term
Which statements are true regarding NTP?
Network Time Protocol - internet standard protocol built on UDP
Synchronizes clocks on client computers
Fault tolerant and dynamically autoconfiguring
Use UTC time |
|
Definition
all.
Technically, NTP runs over UDP or TCP/IP as explained in these references:
http://tools.ietf.org/html/rfc5905
http://en.wikipedia.org/wiki/Network_Time_Protocol |
|
|
Term
| Which NTP stratum level is most accurate? |
|
Definition
| Stratum levels reflect the distance from the reference clock. Stratum-0 is the reference clock so it is the most accurate and has little delay. Stratum-0 servers are not directly used on the network. They connect to computers in stratum-1. |
|
|
Term
| Which are types of MAC address? |
|
Definition
Static address is the 48-bit unique address programmed by the Ethernet board manufacturer
Configurable address is programmed into the NIC during initial installtion then becomes static
Dynamic address is obtained when the computer is powered on. There may be a number of systems having the same address |
|
|
Term
OSI model has seven layers that use the following to exchange data
|
|
Definition
Application - messages
Presentation - messages
Session - messages
Transport - segments
Network - packets
Data Link - frames
Physical - frames |
|
|
Term
HTTP, SMTP, NNTP, Telnet, FTP, SNMP, and TFTP are the main protocols for the Session, Presentation and Application Layers
UDP and TCP are the main protocols for the Transport layer
RARP, ICMP, IGMP, IP the main protocols for Network layer
PPP, SLIP, ARP are the main protocols for the Data Link layer
|
|
Definition
|
|
Term
What regular expression :
is a way to detect Cross-Site Scripting attacks.
It checks for the opening and closing HTML tags (< and >) and the text between them so it can catch < script > |
|
Definition
/((\%3C)|<)((\%2F)|\/)*(a-z0-9\%]+((\%3E)|>/ix is a way to detect Cross-Site Scripting attacks.
It checks for the opening and closing HTML tags (< and >) and the text between them so it can catch < script >
((\%3C)|<) - checks for the opening angle
((\%2F)||?)* - checks for the forward slash
(a-z0-9\%]+ - checks for alphanumeric string inside an HTML tag
((\%3E)|> - checks for the closing angle |
|
|
Term
| What can be used to detect cookie poisoning |
|
Definition
| Intrustion prevention tools trace the cookie's set command given by the Web server. Then, the intrusion prevention catches every HTTP request sent to the webserver and compares any cookie information. If an attacker changes the cookie's contents the replay cookie will not match the stored cookie. |
|
|
Term
| Nebula (NEtwork-based BUffer overfLow) attack detection detects buffer overflows by monitoring the traffic of the packets into the buffer without making any changes to the end hosts. It uses a signature-based comparison to reduce the number of false positives. |
|
Definition
|
|
Term
| Apache server has two logs: |
|
Definition
error log and access log.
Error log contains diagnostic information and error messages
Access log contains requests processed by the Apache server |
|
|
Term
Task manager lists running proccesses. Why does Helix have a viewer for running processes?
Task manager only shows processes in Windows
Task manager loads too slow
Task manager may be corrupt. Helix runs from a CD so it cannot be modified; therefore, it should display an accurate list of current processes |
|
Definition
Task manager may be corrupt. Helix runs from a CD so it cannot be modified; therefore, it should display an accurate list of current processes
Reference:Gleason, B. and Fahey, D. (2006). Helix 1.7 for Beginners. Retrieved from Helix v1.8 Software. p. 29. |
|
|
Term
| What are options using dd in Helix? |
|
Definition
What are options using dd in Helix?
Netbios/Local, Netcat, Split image |
|
|
Term
| What are two imagers in Helix? |
|
Definition
| dd and FTK Imager come packaged in Helx v1.8. |
|
|
Term
| There are many incident response tools in Helix including: |
|
Definition
Windows Forensics Toolchest (WFT)
-Incident Response Colelction Report - snapshot of system
-First Responder's Evidence Disk (FRED) - snapshot of system
-First Reponder Utility (FRU) - retrieve volatile data
-Security Reports (SecReport) - collects security-related information - network configuration, audit policy, event log configuration
-MD5 Generator
-Command Shell - forensically sound
-File Recovery
-Rootkit Revealer - registry and system API discrepanices that may indicate a user-mode or kernal-mode rootkit
-VNC Server - Virtual Network Computing Server. Remote control software for viewing and interacting with one computer anywhere on the internet
-Putty SSH - Telnet and SSh for Win32 and Unix
-Screen Capture
-Messenger password - reveals passwords for MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ lite, AOL, Trillian, Miranda, GAIM
-Mail Password Viewer - reveals passwords for Outlook Express, Outlook, Eudora, Netscape, Mozilla Thunderbird, Yahoo mail, Hotmail, Gmail
-Protected Storage Viewer - reveals passwords stored by Internet Explorer
-Network Password viewer - Windows Xp allows passwords to be saved in .NET Passport. This utilite recovers passwords for current user
-Registry Viewer
-Asterisk Logger - Reveals passwords covered by asterisks
-IE History Viewer
-IE Cookie Viewer
-Mozilla Cookie Viewer |
|
|
Term
| Ping of Death and Teardrop are two types of DoS attacks. What is a main difference? |
|
|
Definition
Ping of Death deals with IP fragmentation. When Ethernet maximum transmission unit (MTU) exceeds the limit then fragmentation occurs. The Ping of Death uses an oversized packet that can be up to 65535 octets long which is greater than the maximum size allowed (65507 octets)
Teardrop attack uses overlapping fragments to slip past an IDS or Firewall. The victim cannot process these overlapping packets so it locks up or crashes |
|
|
Term
| The Department of Justice created: |
|
Definition
The Department of Justice created ICAC and PSC.
Internet Crimes Against Children (ICAC) is a network of regional task forces to provide federal assistance to state and local law enforcement so they could better investigate computer and internet-based crimes that sexually exploit children.
Project Safe Childhood (PSC) is an initiative developed to provide a corrdinated effort in combating child porn. It strives to help local communities create programs to investigate child exploitation and identify and rescue victims. |
|
|
Term
| Swap file is space on a hard disk (nonvolatile memory) used as a virtual memory extension for RAM. |
|
Definition
|
|
Term
System time, wall time and length of time the system has been running should be recorded.
Date /t and Time /t can be typed in a command prompt in windows to retrieve the system time |
|
|
Definition
|
|
Term
Net file reveals names of all open shared files and the number of file locks
PsFile shows list of files open remotely
openfiles can be used to list or disconnect all open files and folders |
|
Definition
|
|
Term
True!
A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to.
nbtstat -c can be used to view the cache of NetBIOS names on the host operating system |
|
Definition
| When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected. |
|
|
Term
| What are two commands to obtain network information? |
|
Definition
netstat -ano shows active connections including protocol, local address, foreign address, state and PID
netstat -r shows the routing table
netstat -b displays the executable involved in creating the connection ....netstat -b shows the executable involved in creating each connection (Windows XP)
netstat -v is used in conjunction with -b to show sequence of components involved |
|
|
Term
| View Windows processes in TaskManager or by typing tasklist from the command prompt |
|
Definition
|
|
Term
| When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port? |
|
Definition
netstat -o shows process to port mappings
fport shows process-to-port mappings but must be executed with administrator privileges |
|
|
Term
What command can be used to view command history?
doskey /history
show history
scroll up in the command window |
|
Definition
doskey /history
scroll up in the command window
If a command window is open, the investigator can scroll up to see command history. But the attacker may have typed cls to clear the screen. Then, the investigator can use the doskey /history command to see the history. |
|
|
Term
ClearPageFileAtShutdown - tells the OS to clear the page file when the system is shut down. This will clear virtual memory in the swap file
DisableLastAccess - disables updating of the last access times on files so the timestamp might not be accurate |
|
Definition
|
|
Term
index.dat is used for redundant information such as AutoComplete information.
Index.dat can be found in the History folder for Internet Explorer |
|
Definition
|
|
Term
|
Definition
| The swap file can be organized as a contiguous space so fewer I/O operations are required to read and write. It is a hidden file in the root directory called pagefile.sys. |
|
|
Term
| Each process on a Windows system is represented as an executive process or EProcess. EProcess block is a data structure containing attributes of the process and pointers to threads and process environment blocks |
|
Definition
|
|
Term
|
Definition
view EProcess block
-a show each array element on a new line
-b displays blocks recursively
-v verbose mode |
|
|
Term
What is the most important element of EProcess?
|
|
Definition
PEB - Process Environment Block contains:
-pointer to loader data PPEB_LDR_DATA contains pointers to DLLs
-pointer to image base address used to find the beginning of an executable image file
-pointer to process parameters structure which maintains the DLL path, path to executable image and command line used to launch the process |
|
|
Term
the six stages of process creation
1. Launch .exe: File Execution Options registry key is checked for debugger value. If yes, process starts over
2. EProcess object created along with KProcess, PEB, and initial address space
3. Initial thread created
4. Windows subsystem is notified of new process and thread
5. Execution of initial thread starts
6. Initialization of address space is complete for new process and thread |
|
Definition
|
|
Term
| The EProcess object is created along with KProcess, PEB, and initial address space |
|
Definition
|
|
Term
What tool can parse memory:
Lsproc.pl d:\dumps\test-mem.dmp |
|
Definition
Lsproc locates processes but not thread
Lsproc.pl d:\dumps\test-mem.dmp
Lspd allows a user to list the details of a process:
Lspd.pl d:\dumps\test-mem.dmp 0x0414dd60
|
|
|
Term
What files contains pool headers?
Pooltag.txt |
|
Definition
| Windows memory manager generally allocates memory in 4KB pages. Sometimes, 4K would be too large and waste memory. So memory manager allocates several pages ahead of time thus keeping an available pool of memory. |
|
|
Term
REG_BINARY - raw binary data
REG_DWORD - 32-bit integer
REG_SZ - fixed length text string
REG_EXPAND_SZ - variable length text string
REG_MULTI_SZ - multiple strings separated by delimiter
REG_NONE - no data type
REG_QWORD - 64-bit integer
REG_LINK - unicode string naming a symbolic link
REG_RESOURCE_LIST - series of nested arrays storing a resource list
REG_RESOURCE_REQUIREMENTS_LIST - series of nested arrays storing a device driver's list
REG_FULL_RESOURCE_DESCRIPTOR - series of nested arrays storing a resource list used by physical hardware device |
|
Definition
|
|
Term
Key cell - contains registry key including offsets to other cells and LastWrite time for the key
Value cell - holds a value
Subkey list cell - series of indexes pointing to parent key cells
Value list cell values of common key cell
Security descriptor cell - security descriptor information for key cell |
|
Definition
|
|
Term
| What are signatures for the cells in the registry? |
|
Definition
Key cell - kn
Value cell - kv
Security descriptor cell - ks |
|
|
Term
Key cell - 76 bytes
Value cell - 18 bytes |
|
Definition
|
|
Term
| Where is the last time the system was shut down? |
|
|
Definition
SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName - Computer name
SYSTEM\ControlSet00x\Control\Windows - Last Time Shutdown
SYSTEM\CurrentControlSet\Control\TimeZoneInformation - time zone |
|
|
Term
SECURITY\Policy\PolAdtEv - audit policy
SYSTEM\CurrentControlSet\lanmanserver\parameters - shares
SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\(GUID) - wireless SSID |
|
Definition
|
|
Term
Which registry key is NOT accessed and parsed when a user logs into a system?
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\PoliciesExplorer\Run
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce
All of the above are parsed when a user logs into a system |
|
Definition
All of the above are parsed when a user logs into a system
Run means the values in this key execute at system startup
Runonce means the values in this key execute once at system startup then they are deleted |
|
|
Term
What steganography methods are used in audio files?
Frequencies inaudible to human ear
White space
LSB
Substitution |
|
Definition
Steganography methods for audio files:
ALL ABOVE EXCEPT White space (which is for Text)
Substitution scheme
For example, suppose note F = 0 and note C = 1. Using this scheme, music could be composed with a secret message.
Low-Bit Encoding
Artifacts such as bitmaps and audio files often contain redundant information
DigSteg can replace redundant information with a message
Phase Coding
Original sound sequence is shortened into segments
New phases are generated for each segment with the message
The new phase is combined with the original magnitude to create the encoded output
Echo Data Hiding
Echo is introduced into the original signal
Properties of echo are manipulated to hide data. Properties include initial amplitude, decay rate, and offset
|
|
|
