Computer Forensics: Understanding Digital Evidence and File Systems, Exams of Nursing

Download Computer Forensics: Understanding Digital Evidence and File Systems and more Exams Nursing in PDF only on Docsity! C702-FORENSICS AND NETWORK INTRUSION REAL EXAM QUESTIONS AND ANSWERS//GRADED A+ What is the vital role of computer forensics? - answer-The investigation and prosecution of cyber criminals. What is the process of computer forensics? - answer-finding evidence related to a digital crime to find the culprits and initiate legal action against them. What does cybercrime refer to? - answer-any illegal act that involves a computer, its systems, or its applications What does the tools of the crime refer to? - answer-The various hacking tools used to commit the crime; i.e. workstation, mouse, keyboard, monitors. What does the target of the crime refer to? - answer-The victim, which can be corporate organizations, websites, consulting agencies, and government bodies. What is an internal or insider attack? - answer-Attacks by disgruntled individuals working in the same firm or same household as the victim. i.e. espionage, theft of intellectual property, manipulation of records, and Trojan horse attack. What is an external attack? - answer-originates from outside of an organization or can be remote in nature. i.e. SQL attack, brute force cracking, identity theft, phishing/spoofing, denial of service attack, and cyber defamation. What is cybercrime investigation? - answer-The process of studying a digital crime, its impact and other details to identify the source and perpetrators of the attack and prove their guilt. What is a civil case? - answer-involves disputes between two parties What is a criminal case? - answer-includes crimes that are considered harmful to the society What is an administrative investigation - answer-refers to an internal investigation by an organization to discover if its employees, clients and partners are abiding by the rules or policies. T/F - The forensic examiner must make duplicate copies of the original evidence and start by examining only the duplicates. - answer-True - The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. What is Enterprise Theory of Investigation (ETI)? - answer-A methodology for investigating criminal activity; adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act. What is the benefit of applying ETI with favorable state and federal legislation? - answer-Law enforcement agencies can target and dismantle the entire criminal enterprise in one criminal indictment. What does digital evidence include? - answer-All such information that is either stored or transmitted in digital form and has probative value, thus helping investigators find the perpetrator. What is volatile data? - answer-Refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. What is non-volatile data? - answer-Refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Evidence that is to be present in court must comply with the rules of evidence, which are based on what? - answer-English common law What is the best evidence rule? - answer-The best evidence rule is designed to prevent any alteration of digital evidence, either intentionally or unintentionally; ensures that the court considers only the best evidence related to a specific matter or particular computer crime case. What is Forensics Readiness Planning? - answer-the process of building a structure that enables an organization to deal with legal procedures following a criminal offense. What is a sparse file? - answer-a type of computer file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty. What is Filesystem Hierarchy Standard? - answer-defines the directory structure and its contents in Linux and Unix-like operating systems. In the FHS, all files and directories are present under the root directory (represented by /) Apple had developed the _____ _____ _____ in September 1985 to support the MAC OS in its proprietary Macintosh system and as a replacement for the Macintosh File System (MFS). - answer- Hierarchical File System (HFS) What is a Redundant Array of Independent Disks (RAID)? - answer-a technology that uses multiple smaller disks simultaneously, which function as a single large volume. What is RAID 0? - answer-does not involve any redundancy and fragments the file into user-defined stripe size of the array... offers the best overall performance characteristics of the single RAID levels What is RAID 1? - answer-executes mirroring as it duplicates or copies the drive data on to two different drives using a hardware RAID controller or a software. What is RAID 2? - answer-the only level among all the RAID levels that does not implement even one of the standard techniques of parity, mirroring or striping... includes splitting of data at the bit level and distributing it to numerous data disks and redundancy disks. What is RAID 3? - answer-uses byte-level stripping with a dedicated parity disk, which stores checksums. It also supports a special processor for parity codes calculation. What is RAID 5? - answer-Uses byte level data striping across multiple drives, and distributes the parity information among all member drives... requires a minimum of three drives to set up. What is RAID 10? - answer-also known as RAID 1+0, is a combination of RAID 0 (Striping Volume Data) and RAID 1 (Disk Mirroring) to protect data... it requires at least four drives to implement. Hard disk drives and other storage media can have hidden areas such as ______ and ______. - answer- Host Protected Areas (HPA) and Device Configuration Overlays (DCO) What is American Standard Code for Information Interchange (ASCII)? - answer-a character encoding standard used in digital devices such as computers. What is Unicode? - answer-a computing standard, developed along with the Universal Coded Character Set (UCS) standard for encoding, representation, and management of texts, which most of the world's writing systems use. What is an offset? - answer-refers to either the start of a file or the start of a memory address. What is a hex editor? - answer-a program that allows users to modify the fundamental binary data of a file. What is file carving? - answer-the process of recovering files from their fragments and pieces from unallocated space of the hard disk in the absence of file system metadata. What binary value does JPEG files start with? - answer-0xffd8 What binary value does JPEG files end with? - answer-0xffd9 What is Bitmap image file, AKA BMP file format? - answer-a standard graphics image file format used to store images on Windows operating systems. What is The Sleuth Kit® (TSK)? - answer-a library and collection of command line tools that allow you to investigate disk images. What is Autopsy? - answer-a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. What is data acquisition? - answer-the use of established methods to extract the Electronically Stored Information (ESI) from suspect computer or storage media to gain insight into a crime or an incident. What is the goal of data acquisition? - answer-extract every bit of information present on the victim's hard disk and create a forensic copy to use it as evidence in the court. What is live data acquisition? - answer-It is the process of acquiring volatile data from a working computer (either locked or in sleep condition) that is already powered on. What is static data acquisition? - answer-It is the process of acquiring the non-volatile or unaltered data remains in the system even after shutdown. What is the order of volatility? - answer-Cache, memory, temp file systems, disk/storage media, remote logging, physical configuration, and archival media. What is the step-by-step procedure of the volatile data collection methodology? - answer-Incident response preparation, Incident documentation, Policy verification, Volatile data collection strategy, Volatile data collection setup, Volatile data collection process, How many copies of the original media should be produced before starting the investigation process? - answer-Two What is a bit-stream image? - answer-the process of creating a duplicate of a hard disk through bit-by- bit copying of its data onto another storage media; also known as Mirror Images & Evidence Grade Backups. Why is a chain of custody important? - answer-it tracks collected information and preserves the integrity of the collected evidence. What is write protection? - answer-the ability of a hardware device or a software program to restrict itself from writing any new data to a computer or modifying the data on it. What is a stego-only attack? - answer-the steganalyst or the attacker does not have access to any information except the stego-medium or stego-object. What is a known-stego attack? - answer-allows attacker to know the steganographic algorithm as well as original and stego-object. What is a known-message attack? - answer-presumes that the message and the stego-medium are available. What is a known-cover attack? - answer-when attackers have knowledge of both the stego-object and the original cover-medium. What is a chosen-message attack? - answer-The steganalyst uses known message to generate a stego- object by using some steganography tool in order to find the steganography algorithm used to hide the information. What is a chosen-stego attack? - answer-takes place when the steganalyst knows both the stego-object and steganographic tool or algorithm used to hide the message. What is trail obfuscation? - answer-attackers delete or modify metadata of some important files in order to confuse the investigators. What is artifact wiping? - answer-the process of deleting or destroying the evidence files permanently using various tools and techniques, such as disk-cleaning utilities file-wiping utilities and disk degaussing/destruction techniques. How can files be recovered using EFS-encryption in case of a damaged or lost encryption key? - answer- Recovery certificate T/F - Regarding the Advanced EFS Data Recovery Tool, recovery of the data is still possible even when the system is damaged, is not bootable, or when some encryption keys have been tampered with - answer-True What is onion routing? - answer-the technique used for secret communication over a computer network; this network encapsulates messages in layers of encryption and employs a worldwide volunteer network of routers that serve to anonymize the source and destination of communications. What are program packers? - answer-The packers compress the files using various methods called algorithms; there are many different algorithms and unless the investigators know the one used to pack and have a tool to unpack it, they will not be able to access the file. What are rootkits? - answer-Software that is intended to hide processes that could reveal an attack from the OS itself; Rootkits allow viruses and malware to "hide in plain sight" by concealing files in ways that antivirus software might overlook them, disguising files as legitimate system files, through unlinking processes, and even hiding from detection by the OS. What is operating system forensics? - answer-refers to the process of finding, extracting and analyzing evidences present in the operating system of any computerized device used by the victim, or suspected computer system involved in any security incident. What is volatile information? - answer-refers to the data stored in the registries, cache, and RAM of digital devices. What is the first step of OS forensics while investigating an incident? - answer-Collection of the system time What is non-volatile information? - answer-sort of permanent data that would remain on the system even after the use switches it off, but the system is easy to manipulate through online and direct access. What are the five sections of file systems? - answer-file system data, content data, metadata, file name, and file system application data. What is the Extensible Storage Engine (ESE)? - answer-the Microsoft Edge browser built-in feature, which is a data storage technology made to store and retrieve data sequential access. What is swap space? - answer-Linux operating system allocates certain amount of storage space on a hard disk Why is hibernate mode crucial from a forensics point of view? - answer-hiberfil.sys files are created and a crucial source of evidence, as it consists of information of all programs, applications , files and processes that were running on the RAM at a given time What is a page file, AKA pagefile.sys? - answer-a hidden file on the Windows operating system, which is used as virtual memory to expand the physical memory of a system. What is the alternate data stream (ADS)? - answer-a NTFS file system feature, which helps users to find a file using alternate metadata information such as author title. What is a memory dump or crash dump? - answer-a storage space, where the system stores a memory backup, in case of a system failure. What is an executive process or EProcess Structure? - answer-the basic data structure that stores various attributes of the process and the pointer to the other attributes and data structures related to the process. What Windows registry key contains information about all the currently active user profiles on the computer? - answer-HKEY_USERS What Windows registry key contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data? - answer-HKEY_CLASSES_ROOT What Windows registry key contains the configuration information related to the user currently logged on? - answer-HKEY_CURRENT_USER What Windows registry key stores information about the current hardware profile of the system? - answer-HKEY_CURRENT_CONFIG What is eavesdropping? - answer-a technique used in intercepting the unsecured connections in order to steal personal information, which is illegal. What is data modification? - answer-Once the intruder gets access to sensitive information, his or her first step is to alter the data. What is IP spoofing? - answer-the attacker sends messages to the computer with an IP address that indicates the messages are coming from a trusted host. What is a Denial of Service (DoS)? - answer-the attacker floods the target with huge amount of invalid traffic, thereby leading to exhaustion of the resources available on the target. What is a Man-in-the-Middle attack? - answer-the attacker makes independent connections with the users/victims and relays messages between them, making them believe that their conversation is direct. What is packet sniffing? - answer-refers to the process of capturing traffic flowing through a network, with the aim of gaining sensitive information such as usernames and passwords and using them for illegitimate purposes. What is enumeration? - answer-the process of gathering information about a network that may help in an attacking the network. What is session hijacking? - answer-refers to the exploitation of a session-token generation mechanism or token security controls What is a buffer overflow? - answer-occurs when the data count exceeds the original storage capacity of a buffer What is malware? - answer-a kind of malicious code or software designed to damage the system. What is a password-based attack? - answer-a process where the attacker performs numerous login attempts on a system or an application to duplicate the valid login and gain access to it. What is a rouge access point attack? - answer-Attackers or insiders create a backdoor into a trusted network by installing an unsecured access point inside a firewall; they then use any software or hardware access point to perform this kind of attack. What is Client Mis-association? - answer-The client may connect or associate with an AP outside the legitimate network either intentionally or accidentally. An attacker who can connect to that network intentionally and proceed with malicious activities can misuse this situation. What is an unauthorized association? - answer-the attacker takes advantage of soft access points, which are WLAN radios present in some laptops; the attacker can activate these access points in the victim's system through a malicious program and gain access to the networ What is an Ad Hoc Connection Attack? - answer-the attacker carries out the attack using an USB adapter or wireless card; in this method, the host connects with an unsecured station to attack a particular station or evade access point security. What is a HoneySpot Access Point Attack? - answer-An attacker takes advantage of this behavior of wireless clients by setting up an unauthorized wireless network using a rogue AP. This AP has high- power (high gain) antennas and uses the same SSID of the target network. What is AP MAC spoofing? - answer-Using the MAC spoofing technique, the attacker can reconfigure the MAC address in such a way that it appears as an authorized access point to a host on a trusted network. What is a Jamming Signal Attack? - answer-the attacker jams the WiFi signals to stop the all the legitimate traffic from using the access point. The attacker blocks the signals by sending huge amounts of illegitimate traffic to the access point by using certain tools What is FISMA? - answer-Federal Information Security Management Act of 2002 that states several key security standards and guidelines, as required by Congressional legislation. What is the Gramm-Leach-Bliley (GLBA)? - answer-requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to protect their customers' information against security threats. What is HIPAA? - answer-The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes security standards health information. What is Sarbanes-Oxley Act (SOX)? - answer-The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations What is the Payment Card Industry Data Security Standard (PCI DSS)? - answer-The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. What is event correlation? - answer-a technique used to assign a new meaning for relating a set of events that occur in a fixed amount of time. What is event aggregation? - answer-It compiles the repeated events to a single event and avoids duplication of the same event. What is event masking? - answer-refers to missing events related to systems that are downstream of a failed system. What is event filtering? - answer-the event correlator filters or discards the irrelevant events What is root cause analysis? - answer-the event correlator identifies all the devices that became inaccessible due to network failures What are the three tiers of log management infrastructure? - answer-Log generation, log analysis & storage, and log monitoring. What is log parsing? - answer-refers to extracting data from a log so that the parsed values can be used as input for another logging process.