Shared Flashcard Set

Details

Access Data ACE Certification
For Computer Forensics
50
Computer Science
12th Grade
06/04/2014

Cards

Term
FTK Imager supports the encryption of forensic image files. What two methods may be used for encryption?
Definition
- Password
- Certificate (.p12, .pfx, .pem)
Term
When creating a File Hash List in Imager, what information is included in the resulting file?
Definition
- MD5 hash
- SHA1 hash
- File Names (including path)
Term
Which Imager pane shows information specific to file systems such as HFS+, NTFS, and Ext2?
Definition
Properties Pane
Term
FTK Imager allows what type of evidence to be added?
Definition
- Physical Drive
- Logical Drive
- Image File
- Contents of a folder
Term
Name three features of the Image Mounting function in Imager and in FTK
Definition
- Navigate file systems in Windows Explorer (Ext2, HFS+, etc.) normally not recognized.
- Run antivirus software against mounted images
- Make “virtual writes” to the mounted image using a cache file
- Run third-party software against the mounted image
- Navigate the directory structure without making changes using the “Read-Only” mounting option.
Term
What types of image file formats can be created by Imager?
Definition
- RAW (DD) - *.001
- SMART - *.S01
- EnCase - *.E01
- Advanced Forensic Format - *.AFF
- AD Custom Content (Logical Image) - *.AD1
Term
Name four characteristics of Custom Content Images
Definition
- File extension of *.AD1
- Logical files only – no file slack
- Can include recursive subdirectories
- Can include unallocated space
Term
Which AccessData forensic tools have Hex Value Interpreter functionality?
Definition
- FTK Imager
- FTK
- Registry Viewer
Term
Name three functions of a Registry Viewer Summary Report
Definition
- Can display specific values within a registry key
- Wildcard function allows creation of registry templates
- Multiple areas of a registry file can be documented.
Term
Name two functions of a Registry Viewer Common Area
Definition
- Provides shortcuts or bookmarks for frequently accessed registry keys
- Additional keys can be added by the user for customization
Term
Name three fields shown for a Windows user's account in the Registry Viewer Properties pane when viewing the SAM file
Definition
- SID Unique Identifier
- Last Logon Time
- User Name
- Logon Count
- Last Password Change
- Password Required
Term
What types of searches can be performed in Registry Viewer?
Definition
- Standard Search - next occurrence of a search term
- Advanced Search - all occurrences of a search term
- Search for key with a last written date:
  i. during a date range
  ii. during and after a given date
  iii. during and before a given date
Term
How is the Golden Dictionary in PRTK created?
Definition
- It is auto-generated from successfully recovered passwords on the local computer
Term
Name the four types of attacks listed in the PRTK Help > Recovery Modules menu
Definition
- Dictionary
- Decryption
- Keyspace
- Reset
Term
Name the four major sections of a PRTK Attack Profile
Definition
- Dictionaries
- Rules (levels)
- Languages
- Character Groups
Term
Which of the 5 registry files (SAM, SYSTEM, SECURITY, SOFTWARE, NTUSER.DAT) can be attacked by PRTK for possible encrypted information or passwords?
Definition
SAM, SECURITY, NTUSER.DAT
Term
What types of fields are available in the PRTK Biographical Dictionary?
Definition
- Name, Address, City, State, Zip Code, Country, Phone Number, Date, Number, Word, Phrase.
Term
What three types of "traditional" hashing can be done in FTK pre-processing?
Definition
- MD5
- SHA1
- SHA256
Term
How can an automatically carved item's location and parent be determined in FTK?
Definition
- When clicking on the newly carved item, its parent will be listed in the path shown at the bottom of the screen. The parent name is to the left of the child name.
- The carved item's location (offset/cursor position) within the parent is indicated by the number in the file name.
Term
What are the major sections in the FTK report?
Definition
- Case Information
- Bookmarks
- Graphics
- Videos
- File Paths
- File Properties
- Registry Selections
- Screen Capture
Term
Name three restrictions of a user assigned Case Reviewer status in FTK
Definition
- Cannot view Privileged Files
- Cannot Add Evidence
- Cannot perform Additional Analysis
- Cannot Decrypt Files
- Cannot create filters.
Term
When can Data Carving be performed in FTK?
Definition
- During Pre-processing
- After case creation
Term
What would be the advantage of performing Data Carving after case creation?
Definition
- It can be performed on a smaller group of files (checked, Quick Picked) instead of on the entire case.
Term
Which of the following files would NOT be found in the Internet/Chat files container in the FTK Overview Tab?
Definition
Skype main.db
Term
The numerical string "123-422-17365" would be found by which Regular Expression?
Definition
(\d{3}[\- ]){2}\d{5}
Term
What are the advantages of importing a list of search terms into FTK's Indexed Search Tab?
Definition
- Faster than manual entry
- A list of commonly searched terms can be used in multiple cases.
Term
List the steps needed for recovery of an EFS encrypted file in FTK.
Definition
1. Identify the encrypted file (Overview > File Status > Encrypted Files)
2. View the file in the Explore Tab tree; view the $EFS stream in File List
3. Note the Windows user who encrypted the file in the $EFS stream
4. Export the SAM and SYSTEM files for decryption in PRTK (dictionary attack)
5. After obtaining the Windows password from the SAM file, input the password into FTK
6. View the decrypted file as a subitem of the encrypted file or under File Status > Decrypted Files
Term
When can the Expand Compound Files processing option be performed?
Definition
- In pre-processing
- After case creation - Evidence > Additional Analysis
Term
What types of files benefit from the Expand Compound Files processing option?
Definition
- Zip files, EVTX, Mail (PST, mbox, msg, NSF), MS Office OLE, Registry, SQLite
Term
What five types of customized settings can be shared among cases via the Manage menu in FTK?
Definition
- KFF Hash Sets and Groups
- Labels
- Carvers
- Filters
- Columns
Term
What are the two options for generating thumbnails of video files in FTK?
Definition
- Percentage (Every "n" percent)
- Interval (Every "n" seconds)
Term
How is the Volatile tab in FTK populated?
Definition
- Through the Manage > Add Remote Data menu
- Through the Manage > Import Memory Dump menu
Term
Name two ways the scope of an Indexed search in FTK can be limited
Definition
- Use filters
- Use checked files
Term
What is the advantage of opening registry files using Registry Viewer within a case in FTK?
Definition
- A more detailed view is available than the FTK default view.
- Reports generated in Registry Viewer can be linked to the FTK report.
Term
Which applications can be launched from within FTK?
Definition
- FTK Imager
- Registry Viewer
- PRTK
- License Manager
- Language Selector
Term
Which registry files will display content in an HTML table in FTK using default processing?
Definition
- SAM (User account info)
- SOFTWARE (install info)
- SYSTEM (time zone info)
Term
What is the purpose of the Registry Reports processing option in FTK?
Definition
- Auto-processes Registry Summary Reports
- File Signature Analysis must be selected
- Only RSR files in the designated directory are run.
- Can be incorporated into the FTK report.
Term
What formats of hash sets can be imported into FTK?
Definition
- AccessData Hash Database (*.HDB)
- FTK Imager Hash List (*.CSV)
- FTK Copy Special Hash List (tab-delimited)
- HashKeeper Hash Set (*.HKE, HKT.TXT)
- National Software Reference Library (NSRL)
- Tab-delimited files (TSV)
- Hash file (.hash)
- FTK (KFF)
Term
Additional Knowledge Points to be familiar with:
Definition
1. How to access EXIF information for a graphic file in FTK
2. Use the Filter Manager to apply multiple filters in FTK.
3. How to run a Regular Expression and examine the results.
4. Recognizing files which are email attachments.
5. Determining the actual File Type of a file with an incorrect file extension.
6. Capturing RAM – changes may occur to the source (no write protection)
7. Visualization and Social Analyzer screen capture
8. PhotoDNA – general concept
9. Language ID – Options, multiple languages within a document.
10. Decrypting Files within PRTK
11. Sending files directly to PRTK from FTK
12. RSR File pre-processing in FTK
Term
How many questions are on the quiz?
Definition
40 questions
Term
How much time do you have to take the quiz?
Definition
90 minutes
Term
How much does it cost to take the quiz?
Definition
It's free
Term
How many knowledge based questions are there?
Definition
30 questions
Term
How many Practical-Based Questions are there?
Definition
10 questions
Term
What percentage correct do you need on the quiz to pass?
Definition
75%
Term
How many times can you take it and fail before you have to wait 3 months for a re-take?
Definition
Two
Term
Do you need FTK to complete the exam?
Definition
Yes
Term
Will you need to register on the Access Data Website before taking the quiz?
Definition
Yes
Term
Can you download FTK for free and get a free 30 day MPE license that later will expire but allow you to continue with a MPE+ Essentials License for FREE?
Definition
Yeah, that is true
Term
What website has all the information you need for the FTK Certification?
Definition
http://www.accessdata.com/training/certifications