Click On The Link Below To
Purchase A+ Graded Material
Instant Download
Chapters 7 Through 16
Chapter
7: Current Computer Forensics Tools
TRUE/FALSE
1. When you research for computer forensics
tools, strive for versatile, flexible, and robust tools that provide technical
support.
2. In software acquisition, there are three
types of data-copying methods.
3. To help determine what computer forensics
tool to purchase, a comparison table of functions, subfunctions, and vendor
products is useful.
4. The Windows platforms have long been the
primary command-line interface OSs.
5. After retrieving and examining evidence data
with one tool, you should verify your results by performing the same tasks with
other similar forensics tools.
MULTIPLE
CHOICE
1. Computer forensics tools are divided into
____ major categories.
|
a.
|
2
|
c.
|
4
|
|
b.
|
3
|
d.
|
5
|
2. Software forensics tools are commonly used to
copy data from a suspect’s disk drive to a(n) ____.
|
a.
|
backup
file
|
c.
|
image
file
|
|
b.
|
firmware
|
d.
|
recovery
copy
|
3. To make a disk acquisition with En.exe
requires only a PC running ____ with a 12-volt power connector and an IDE, a
SATA, or a SCSI connector cable.
|
a.
|
UNIX
|
c.
|
Linux
|
|
b.
|
MAC
OS X
|
d.
|
MS-DOS
|
4. Raw data is a direct copy of a disk drive. An
example of a Raw image is output from the UNIX/Linux ____ command.
|
a.
|
rawcp
|
c.
|
d2dump
|
|
b.
|
dd
|
d.
|
dhex
|
5. ____ of data involves sorting and searching
through all investigation data.
|
a.
|
Validation
|
c.
|
Acquisition
|
|
b.
|
Discrimination
|
d.
|
Reconstruction
|
6. Many password recovery tools have a feature
that allows generating potential lists for a ____attack.
|
a.
|
brute-force
|
c.
|
birthday
|
|
b.
|
password
dictionary
|
d.
|
salting
|
7. The simplest method of duplicating a disk
drive is using a tool that does a direct ____ copy from the original disk to
the target disk.
|
a.
|
partition-to-partition
|
c.
|
disk-to-disk
|
|
b.
|
image-to-partition
|
d.
|
image-to-disk
|
8. To complete a forensic disk analysis and
examination, you need to create a ____.
|
a.
|
forensic
disk copy
|
c.
|
budget
plan
|
|
b.
|
risk
assessment
|
d.
|
report
|
9. The first tools that analyzed and extracted
data from floppy disks and hard disks were MS-DOS tools for ____ PC file
systems.
|
a.
|
Apple
|
c.
|
Commodore
|
|
b.
|
Atari
|
d.
|
IBM
|
10. In Windows 2000 and XP, the ____ command
shows you the owner of a file if you have multiple users on the system or
network.
|
a.
|
Dir
|
c.
|
Copy
|
|
b.
|
ls
|
d.
|
owner
|
11. In general, forensics workstations can be
divided into ____ categories.
|
a.
|
2
|
c.
|
4
|
|
b.
|
3
|
d.
|
5
|
12. A forensics workstation consisting of a
laptop computer with a built-in LCD monitor and almost as many bays and
peripherals as a stationary workstation is also known as a ____.
|
a.
|
stationary
workstation
|
c.
|
lightweight
workstation
|
|
b.
|
field
workstation
|
d.
|
portable
workstation
|
13. ____ is a simple drive-imaging station.
|
a.
|
F.R.E.D.
|
c.
|
FIRE
IDE
|
|
b.
|
SPARC
|
d.
|
DiskSpy
|
14. ____ can be software or hardware and are used
to protect evidence disks by preventing you from writing any data to the
evidence disk.
|
a.
|
Drive-imaging
|
c.
|
Workstations
|
|
b.
|
Disk
editors
|
d.
|
Write-blockers
|
15. Many vendors have developed write-blocking
devices that connect to a computer through FireWire,____ 2.0,and SCSI
controllers.
|
a.
|
USB
|
c.
|
LCD
|
|
b.
|
IDE
|
d.
|
PCMCIA
|
16. The ____ publishes articles, provides
tools, and creates procedures for testing and validating computer forensics
software.
|
a.
|
CFTT
|
c.
|
FS-TST
|
|
b.
|
NIST
|
d.
|
NSRL
|
17. The standards document, ____, demands
accuracy for all aspects of the testing process, meaning that the results must
be repeatable and reproducible.
|
a.
|
ISO
3657
|
c.
|
ISO
5725
|
|
b.
|
ISO
5321
|
d.
|
ISO
17025
|
18. The NIST project that has as a goal to
collect all known hash values for commercial software applications and OS files
is ____.
|
a.
|
NSRL
|
c.
|
FS-TST
|
|
b.
|
CFTT
|
d.
|
PARTAB
|
19. The primary hash algorithm used by the NSRL
project is ____.
|
a.
|
MD5
|
c.
|
CRC-32
|
|
b.
|
SHA-1
|
d.
|
RC4
|
20. One way to compare your results and verify
your new forensic tool is by using a ____, such as HexWorkshop, or WinHex.
|
a.
|
disk
imager
|
c.
|
bit-stream
copier
|
|
b.
|
write-blocker
|
d.
|
disk
editor
|
21. Although a disk editor gives you the most
flexibility in ____, it might not be capable of examining a ____ file’s
contents.
|
a.
|
testing,
compressed
|
c.
|
testing,
pdf
|
|
b.
|
scanning,
text
|
d.
|
testing,
doc
|
COMPLETION
1. Software forensic tools are grouped into
command-line applications and ____________________ applications.
2. The Windows application of EnCase requires
a(n) ____________________ device, such as FastBloc, to prevent Windows from
accessing and corrupting a suspect disk drive.
3. The ____________________ function is the most
demanding of all tasks for computer investigators to master.
4. Because there are a number of different
versions of UNIX and Linux, these platforms are referred to as
____________________ platforms.
5. Hardware manufacturers have designed most
computer components to last about ____________________ months between failures.
MATCHING
Match
each item with a statement below
|
a.
|
JFIF
|
f.
|
PDBlock
|
|
b.
|
Lightweight
workstation
|
g.
|
Norton
DiskEdit
|
|
c.
|
Pagefile.sys
|
h.
|
Stationary
workstation
|
|
d.
|
Salvaging
|
i.
|
SafeBack
|
|
e.
|
Raw
data
|
|
|
1. letters embedded near the beginning of all
JPEG files
2. European term for carving
3. a direct copy of a disk drive
4. usually a laptop computer built into a
carrying case with a small selection of peripheral options
5. one of the first MS-DOS tools used for a
computer investigation
6. software-enabled write-blocker
7. system file where passwords may have been
written temporarily
8. a tower with several bays and many peripheral
devices
9. command-line disk acquisition tool from New
Technologies, Inc.
SHORT
ANSWER
1. What are the five major function categories
of any computer forensics tool?
2. Explain the validation of evidence data
process.
3. What are some of the advantages of using
command-line forensics tools?
4. Explain the advantages and disadvantages of
GUI forensics tools.
5. Illustrate how to consider hardware needs
when planning your lab budget.
6. Describe some of the problems you may
encounter if you decide to build your own forensics workstation.
7. Illustrate the use of a write-blocker on a
Windows environment.
8. Briefly explain the NIST general approach for
testing computer forensics tools.
9. Explain the difference between repeatable
results and reproducible results.
10. Briefly explain the purpose of the NIST NSRL
project.
Chapter
8: Macintosh and Linux Boot Processes and File Systems
TRUE/FALSE
1. If a file contains information, it always
occupies at least one allocation block.
2. Older Macintosh computers use the same type
of BIOS firmware commonly found in PC-based systems.
3. GPL and BSD variations are examples of open-source
software.
4. A UNIX or Linux computer has two boot blocks,
which are located on the main hard disk.
5. Under ISO 9660 for DVDs, the Micro-UDF
(M-UDF) function has been added to allow for long filenames.
MULTIPLE
CHOICE
1. Macintosh OS X is built on a core called
____.
|
a.
|
Phantom
|
c.
|
Darwin
|
|
b.
|
Panther
|
d.
|
Tiger
|
2. In older Mac OSs, a file consists of two
parts: a data fork, where data is stored, and a ____ fork, where file metadata
and application information are stored.
|
a.
|
resource
|
c.
|
blocks
|
|
b.
|
node
|
d.
|
inodes
|
3. The maximum number of allocation blocks per
volume that File Manager can access on a Mac OS system is ____.
|
a.
|
32,768
|
c.
|
58,745
|
|
b.
|
45,353
|
d.
|
65,535
|
4. On older Macintosh OSs all information about
the volume is stored in the ____.
|
a.
|
Master
Directory Block (MDB)
|
c.
|
Extents
Overflow File (EOF)
|
|
b.
|
Volume
Control Block (VCB)
|
d.
|
Volume
Bitmap (VB)
|
5. With Mac OSs, a system application called
____ tracks each block on a volume to determine which blocks are in use and
which ones are available to receive data.
|
a.
|
Extents
overflow file
|
c.
|
Master
Directory Block
|
|
b.
|
Volume
Bitmap
|
d.
|
Volume
Control Block
|
6. On Mac OSs, File Manager uses the ____to
store any information not in the MDB or Volume Control Block (VCB).
|
a.
|
volume
information block
|
c.
|
catalog
|
|
b.
|
extents
overflow file
|
d.
|
master
directory block
|
7. Linux is probably the most consistent
UNIX-like OS because the Linux kernel is regulated under the ____ agreement.
|
a.
|
AIX
|
c.
|
GPL
|
|
b.
|
BSD
|
d.
|
GRUB
|
8. The standard Linux file system is ____.
|
a.
|
NTFS
|
c.
|
HFS+
|
|
b.
|
Ext3fs
|
d.
|
Ext2fs
|
9. Ext2fs can support disks as large as ____ TB
and files as large as 2 GB.
|
a.
|
4
|
c.
|
10
|
|
b.
|
8
|
d.
|
12
|
10. Linux is unique in that it uses ____, or
information nodes, that contain descriptive information about each file or
directory.
|
a.
|
xnodes
|
c.
|
infNodes
|
|
b.
|
extnodes
|
d.
|
inodes
|
11. To find deleted files during a forensic
investigation on a Linux computer, you search for inodes that contain some data
and have a link count of ____.
|
a.
|
-1
|
c.
|
1
|
|
b.
|
0
|
d.
|
2
|
12. ____ components define the file system on
UNIX.
|
a.
|
2
|
c.
|
4
|
|
b.
|
3
|
d.
|
5
|
13. The final component in the UNIX and Linux
file system is a(n) ____, which is where directories and files are stored on a
disk drive.
|
a.
|
superblock
|
c.
|
boot
block
|
|
b.
|
data
block
|
d.
|
inode
block
|
14. LILO uses a configuration file named ____
located in the /Etc directory.
|
a.
|
Lilo.conf
|
c.
|
Lilo.config
|
|
b.
|
Boot.conf
|
d.
|
Boot.config
|
15. Erich Boleyn created GRUB in ____ to deal with
multiboot processes and a variety of OSs.
|
a.
|
1989
|
c.
|
1994
|
|
b.
|
1991
|
d.
|
1995
|
16. On a Linux computer, ____ is the path for the first partition on the
primary master IDE disk drive.
|
a.
|
/dev/sda1
|
c.
|
/dev/hda1
|
|
b.
|
/dev/hdb1
|
d.
|
/dev/ide1
|
17. There are ____ tracks available for the program area on a
CD.
|
a.
|
45
|
c.
|
99
|
|
b.
|
50
|
d.
|
100
|
18. The ____provides several software drivers
that allow communication between the OS and the SCSI component.
|
a.
|
International
Organization of Standardization (ISO)
|
|
b.
|
Advanced
SCSI Programming Interface (ASPI)
|
|
c.
|
CLV
|
|
d.
|
EIDE
|
19. All Advanced Technology Attachment (ATA)
drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard
____ ribbon or shielded cable.
|
a.
|
40-pin
|
c.
|
80-pin
|
|
b.
|
60-pin
|
d.
|
120-pin
|
20. ATA-66,ATA-____, and ATA-133 can use the
newer 40-pin/80-wire cable.
|
a.
|
70
|
c.
|
96
|
|
b.
|
83
|
d.
|
100
|
21. IDE ATA controller on an old 486 PC doesn’t
recognize disk drives larger than 8.4 ____.
|
a.
|
KB
|
c.
|
GB
|
|
b.
|
MB
|
d.
|
TB
|
COMPLETION
1. Before OS X, Macintosh uses the
____________________, in which files are stored in directories, or folders,
that can be nested in other folders.
2. The Macintosh file system has
____________________ descriptors for the end of file (EOF).
3. ____________________ is a journaling version
of Ext2fs that reduces file recovery time after a crash.
4. When you turn on the power to a UNIX
workstation, instruction code located in firmware on the system’s CPU loads
into RAM. This firmware is called ____________________ code because it’s
located in ROM.
5. CD players that are 12X or faster read discs
by using a(n) _____________________ system.
MATCHING
Match
each item with a statement below
|
a.
|
File
Manager
|
f.
|
Volume
|
|
b.
|
Inode
blocks
|
g.
|
ls
|
|
c.
|
ISO
9660
|
h.
|
Catalog
|
|
d.
|
LILO
|
i.
|
Finder
|
|
e.
|
Clumps
|
|
|
1. older Linux boot manager utility
2. Macintosh tool that works with the OS to keep
track of files and maintain users’ desktops
3. any storage medium used to store files
4. the list command on Linux
5. maintains relationships between files and
directories on a volume on a Mac OS
6. the first data after the superblock on a UNIX
or Linux file system
7. ISO standard for CDs
8. Mac OS utility that handles reading, writing,
and storing data to physical media
9. groups of contiguous allocation blocks
SHORT
ANSWER
1. Explain the relation between allocation
blocks and logical block on a Mac OS file system.
2. Explain the use of B*-trees on Mac OS 9 file
system.
3. Explain the use of forensic tools for
Macintosh systems.
4. What are the functions of the superblock on a
UNIX or Linux file system?
5. What is a bad block inode on Linux?
6. What is a continuation inode?
7. Describe the CD creation process.
8. Write a brief history of SCSI.
9. Explain the problems you can encounter with
pre-ATA-33 devices when connecting them to current PCs.
10. What problems can hidden partitions on IDE
devices cause to forensic investigators?
Chapter
9: Computer Forensics Analysis and Validation
TRUE/FALSE
1. The defense request for full discovery of
digital evidence applies only to criminal cases in the United States.
2. For target drives, use only recently wiped
media that have been reformatted and inspected for computer viruses.
3. FTK cannot perform forensics analysis on
FAT12 file systems.
4. FTK cannot analyze data from image files from
other vendors.
5. A nonsteganographic graphics file has a
different size than an identical steganographic graphics file.
MULTIPLE
CHOICE
1. ____ increases the time and resources needed
to extract,analyze,and present evidence.
|
a.
|
Investigation
plan
|
c.
|
Litigation
path
|
|
b.
|
Scope
creep
|
d.
|
Court
order for discovery
|
2. You begin any computer forensics case by
creating a(n) ____.
|
a.
|
investigation
plan
|
c.
|
evidence
custody form
|
|
b.
|
risk
assessment report
|
d.
|
investigation
report
|
3. In civil and criminal cases, the scope is
often defined by search warrants or ____, which specify what data you can
recover.
|
a.
|
risk
assessment reports
|
c.
|
scope
creeps
|
|
b.
|
investigation
plans
|
d.
|
subpoenas
|
4. There are ____ searching options for keywords which FTK
offers.
|
a.
|
2
|
c.
|
4
|
|
b.
|
3
|
d.
|
5
|
5. ____ search can locate items such as text
hidden in unallocated space that might not turn up in an indexed search.
|
a.
|
Online
|
c.
|
Active
|
|
b.
|
Inline
|
d.
|
Live
|
6. The ____ search feature allows you to look
for words with extensions such as “ing,”“ed,” and so forth.
|
a.
|
fuzzy
|
c.
|
permutation
|
|
b.
|
stemming
|
d.
|
similar-sounding
|
7. In FTK ____ search mode, you can also look
for files that were accessed or changed during a certain time period.
|
a.
|
live
|
c.
|
active
|
|
b.
|
indexed
|
d.
|
inline
|
8. FTK and other computer forensics programs use
____ to tag and document digital evidence.
|
a.
|
tracers
|
c.
|
bookmarks
|
|
b.
|
hyperlinks
|
d.
|
indents
|
9. Getting a hash value with a ____ is much
faster and easier than with a(n) ____.
|
a.
|
high-level
language, assembler
|
|
b.
|
HTML
editor, hexadecimal editor
|
|
c.
|
computer
forensics tool, hexadecimal editor
|
|
d.
|
hexadecimal
editor, computer forensics tool
|
10. AccessData ____ compares known file hash
values to files on your evidence drive or image files to see whether they
contain suspicious data.
|
a.
|
KFF
|
c.
|
NTI
|
|
b.
|
PKFT
|
d.
|
NSRL
|
11. Data ____ involves changing or manipulating a
file to conceal information.
|
a.
|
recovery
|
c.
|
integrity
|
|
b.
|
creep
|
d.
|
hiding
|
12. One way to hide partitions is to create a
partition on a disk, and then use a disk editor such as ____ to manually delete
any reference to it.
|
a.
|
Norton
DiskEdit
|
c.
|
System
Commander
|
|
b.
|
PartitionMagic
|
d.
|
LILO
|
13. Marking bad clusters data-hiding technique is
more common with ____ file systems.
|
a.
|
NTFS
|
c.
|
HFS
|
|
b.
|
FAT
|
d.
|
Ext2fs
|
14. The term ____ comes from the Greek word
for“hidden writing.”
|
a.
|
creep
|
c.
|
escrow
|
|
b.
|
steganography
|
d.
|
hashing
|
15. ____ is defined as the art and science of
hiding messages in such a way that only the intended recipient knows the
message is there.
|
a.
|
Bit
shifting
|
c.
|
Marking
bad clusters
|
|
b.
|
Encryption
|
d.
|
Steganography
|
16. Many commercial encryption programs use a
technology called ____, which is designed to recover encrypted data if users
forget their passphrases or if the user key is corrupted after a system data
failure.
|
a.
|
steganography
|
c.
|
password
backup
|
|
b.
|
key
escrow
|
d.
|
key
splitting
|
17. People who want to hide data can also use
advanced encryption programs, such as PGP or ____.
|
a.
|
NTI
|
c.
|
FTK
|
|
b.
|
BestCrypt
|
d.
|
PRTK
|
18. ____ recovery is a fairly easy task in
computer forensic analysis.
|
a.
|
Data
|
c.
|
Password
|
|
b.
|
Partition
|
d.
|
Image
|
19. ____ attacks use every possible letter,
number, and character found on a keyboard when cracking a password.
|
a.
|
Brute-force
|
c.
|
Profile
|
|
b.
|
Dictionary
|
d.
|
Statistics
|
20. ____ are handy when you need to image the
drive of a computer far away from your location or when you don’t want a
suspect to be aware of an ongoing investigation.
|
a.
|
Scope
creeps
|
c.
|
Password
recovery tools
|
|
b.
|
Remote
acquisitions
|
d.
|
Key
escrow utilities
|
21. ____ is a remote access program for
communication between two computers. The connection is established by using the
DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote)
computer’s file system.
|
a.
|
HDHOST
|
c.
|
DiskEdit
|
|
b.
|
DiskHost
|
d.
|
HostEditor
|
COMPLETION
1. For most law-enforcement-related computing
investigations, the investigator is limited to working with data defined in the
search ____________________.
2. FTK provides two options for searching for
keywords: indexed search and ____________________ search.
3. ____________________ search catalogs all
words on the evidence disk so that FTK can find them quickly.
4. To generate reports with the FTK
ReportWizard, first you need to ____________________ files during an
examination.
5. The data-hiding technique
____________________ changes data from readable code to data that looks like
binary executable code.
No comments:
Post a Comment